dialup-admin sql table creation error

2008-01-17 Thread rgreiner
I was making some tests with the freeradius 2 install, and found that 
the creation schema for the badusers table for dialupadmin (in the 
/dialup_admin/sql/mysql folder) has 2 problems:


#
# Table structure for table 'badusers'
#
CREATE TABLE badusers (
 id int(10) DEFAULT '0' NOT NULL auto_increment,
 UserName varchar(30),
 IncidentDate  datetime DEFAULT '-00-00 00:00:00' NOT NULL,
 Reason varchar(200),
 Admin varchar(30) DEFAULT '-',
 PRIMARY KEY (id),
 KEY UserName (UserName),
 KEY Date (Date)
);

The first is in the 'id' creation line. Starting with version 4.11 (I 
think it's this version), MySQL does not accept having a default value 
when you use auto_increment. So, id int(10) NOT NULL auto_increment 
would be the correct entry.


The second problem is in the last line. There is a reference to 'Date' 
being used as a key, but the 'Date' column was not created. There is no 
reference creating it. Checking version 1.1.7, the line was  Date  
datetime DEFAULT '-00-00 00:00:00' NOT NULL,. Now, was it removed 
because it's no longer used, or was it removed by accident, or should it 
be renamed to the IncidentDate field? I guess it would be the last 
option.


Thanks,

Roberto

--
   Marcos Roberto Greiner

   Optimists think we are living in the best of all possible worlds;
   pessimists are afraid that this is true.
   Murphy

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
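The two defects rgreiner describes (a DEFAULT on an auto_increment column, and a KEY naming a column the table never defines) are easy to miss by eye in a long schema file. The following Python lint is an added example written for this digest; it is not part of the thread, of dialup_admin or of FreeRADIUS. The two schema strings are constructed copies: the first keeps both defects, the second is the assumed fix following the poster's own guess that the key should be on IncidentDate. The datetime DEFAULT is left out of both to keep the sample short.

```python
import re

# Constructed copy of the badusers schema as quoted above (both defects kept; the
# datetime DEFAULT is dropped to keep the sample short).
BADUSERS_ORIGINAL = """
CREATE TABLE badusers (
 id int(10) DEFAULT '0' NOT NULL auto_increment,
 UserName varchar(30),
 IncidentDate datetime NOT NULL,
 Reason varchar(200),
 Admin varchar(30) DEFAULT '-',
 PRIMARY KEY (id),
 KEY UserName (UserName),
 KEY Date (Date)
);
"""

# Assumed fix, following the poster's own guess: no DEFAULT on the auto_increment
# column, and the key renamed to the column that actually exists.
BADUSERS_FIXED = """
CREATE TABLE badusers (
 id int(10) NOT NULL auto_increment,
 UserName varchar(30),
 IncidentDate datetime NOT NULL,
 Reason varchar(200),
 Admin varchar(30) DEFAULT '-',
 PRIMARY KEY (id),
 KEY UserName (UserName),
 KEY IncidentDate (IncidentDate)
);
"""

# Matches PRIMARY KEY (...), KEY name (...), UNIQUE KEY name (...), INDEX name (...).
KEY_RE = re.compile(
    r"^(?:PRIMARY\s+KEY|UNIQUE(?:\s+KEY)?|KEY|INDEX)\s*(\w+)?\s*\(([^)]*)\)", re.I
)


def lint_create_table(sql: str) -> list:
    """Return a list of problem descriptions for one CREATE TABLE statement.

    The parser expects the one-item-per-line layout used in the post: every line
    between the outer parentheses is either a column definition or a key definition.
    """
    body = sql[sql.index("(") + 1 : sql.rindex(")")]
    columns, keys, problems = {}, [], []
    for raw in body.split("\n"):
        item = raw.strip().rstrip(",").strip()
        if not item:
            continue
        key = KEY_RE.match(item)
        if key:
            keys.append([c.strip().strip("`") for c in key.group(2).split(",")])
            continue
        name, _, definition = item.partition(" ")
        columns[name.strip("`")] = definition
    # Defect 1: MySQL refuses a DEFAULT on an AUTO_INCREMENT column.
    for name, definition in columns.items():
        low = definition.lower()
        if "auto_increment" in low and re.search(r"\bdefault\b", low):
            problems.append(f"column '{name}': DEFAULT together with AUTO_INCREMENT")
    # Defect 2: a key that names a column the table never defines.
    for cols in keys:
        for col in cols:
            if col not in columns:
                problems.append(f"key on '{col}': column is not defined in the table")
    return problems


if __name__ == "__main__":
    for label, schema in (("original", BADUSERS_ORIGINAL), ("fixed", BADUSERS_FIXED)):
        found = lint_create_table(schema)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run against the original text it reports both problems; against the corrected schema it reports none. The parser is deliberately small: it only understands the one-item-per-line layout of the posted file, so a schema with several definitions on one line would need a proper SQL tokenizer.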


Re: how can I change freeradius logs in other format?

2008-01-17 Thread liran tal
Niki,

On Jan 17, 2008 12:53 PM, Niki Petrov [EMAIL PROTECTED] wrote:

> I'd like to save my freeradius log(accounting) format in other (an
> example: table) format. Can I do that, and if YES, how? (OS FreeBSD 7.0RC1,
> freeradius version 1.1.7)
> Thanks!


What do you mean by table format?
If you'd like a better way to manage it you can set up accounting to work
with an SQL database server and have all accounting records populated
in a database table (radacct).

You can later analyze it or do whatever you'd like with it.

Regards,
Liran Tal.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: radius attributes for cisco ip phone

2008-01-17 Thread tnt

> The phone doesn't seem to receive an ip. Is there an error in my config?


Depends. Where is the IP address supposed to come from? RADIUS? DHCP? If the PC
has a static configuration all it needs is a correct VLAN and it will work.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radius attributes for cisco ip phone

2008-01-17 Thread Stieven . Struyf
I have HP ProCurve 3500yl switches for which I use MAC-based 
authentication against the RADIUS server.
The RADIUS server should assign the VLANs.
The PC that hangs behind the phone gets the correct VLAN, but the phone 
doesn't.

The RADIUS users file contains this for the phone (for the PC I have the same 
structure, only a different VLAN):

001c13d6b06f User-Password == 001c13d6b06f
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-id = 20

The phone doesn't seem to receive an ip. Is there an error in my config?

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

The question of whether a computer can think is no more interesting than 
the question of whether a submarine can swim. -- E. W. Dijkstra

This e-mail is property of the company and is supposed to contain only 
professional content. The company can at all times consult the content of this 
e-mail and the reply to this e-mail. By replying to this e-mail, you confirm 
your explicit agreement with the preceding.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Rlm_sql in freeradius-1.1.7

2008-01-17 Thread Dashamir Hoxha

Hi,

Actually, what I am trying to do is this:
I have several access points that have hotspot
and use radius for AAA. I would like to register
users in radius so that they are able to login
using some of the access points, and not able to
login using the others.

The way that I was trying to do it is like this:
Suppose that there are the access points A1, A2, A3
and the user 'test' should be able to access the
internet only from A1 and A3. The data in radius
that would make this scenario work, could be like this:

radcheck:
+------+----------+------------------+----+-------+
| id   | UserName | Attribute        | op | Value |
+------+----------+------------------+----+-------+
| 5272 | test     | User-Password    | := | test  |
| 5262 | test     | Simultaneous-Use | := | 5     |
+------+----------+------------------+----+-------+

radreply:
+----+----------+--------------+----+--------+
| id | UserName | Attribute    | op | Value  |
+----+----------+--------------+----+--------+
| 42 | test     | Auth-Type    | := | Reject |
| 43 | test     | Fall-Through | := | Yes    |
+----+----------+--------------+----+--------+

usergroup:
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| test     | A1        |        1 |
| test     | A2        |        1 |
| test     | A3        |        1 |
+----------+-----------+----------+

radgroupcheck:
+----+-----------+----------------+----+-------+
| id | GroupName | Attribute      | op | Value |
+----+-----------+----------------+----+-------+
| 42 | A1        | NAS-Identifier | == | ID-A1 |
| 43 | A2        | NAS-Identifier | == | ID-A2 |
| 44 | A2        | NAS-Identifier | == | ID-A3 |
+----+-----------+----------------+----+-------+

radgroupreply:
+----+-----------+--------------+----+--------+
| id | GroupName | Attribute    | op | Value  |
+----+-----------+--------------+----+--------+
| 52 | A1        | Auth-Type    | := | Accept |
| 53 | A1        | Fall-Through | := | No     |
| 54 | A2        | Auth-Type    | := | Reject |
| 55 | A2        | Fall-Through | := | Yes    |
| 56 | A3        | Auth-Type    | := | Accept |
| 57 | A3        | Fall-Through | := | No     |
+----+-----------+--------------+----+--------+

However, if the radius does not follow the algorithm
described in http://wiki.freeradius.org/Rlm_sql,
then this setup should not work.

Do you have any suggestion or idea on how to make the
scenario above work?

Regards,
Dashamir


Dashamir Hoxha wrote:
> I have installed freeradius-1.1.7 in fedora8. However I find that the module
> rlm_sql does not work as described in this page:
> http://wiki.freeradius.org/Rlm_sql


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius attributes for cisco ip phone

2008-01-17 Thread Rupert Finnigan
On 17/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I have hp procurve 3500yl switches for which i use mac based authentication
> against radius server.
> The radius server should assign the vlan's.
> The pc that hangs behind the phone get the correct vlan, but the phone
> doesn't.


Are you connecting the phone to the wall socket, and then the PC to
the link socket on the phone?

If this is the case then it's working as it should: the HP switch
NAS is authenticating the PC's MAC, and opening the switchport on the
correct VLAN for the PC, and so the phone will be on that VLAN too -
they're on the same ethernet segment. If you've got a PC linked via
the phone, and you want the phone to be on one VLAN, and the PC on the
other, I believe you have to configure the switch-port as a trunk, and
then configure the phone accordingly.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Upgrading from 1.0.2 to 2.0.0 problems

2008-01-17 Thread William
On Thursday 17 January 2008 02:44:13 Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > you are calling the unix auth module before suffix - therefore the magic
> > hasn't yet happened. I'd try putting the unix module after the modules
> > that play around with User-Name
>
>   i.e. the order in the default configuration is wrong, too.
>
>   I've fixed it.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


Thanks to both you and Alan Buxey for the help.  That was exactly the problem.  
Now I need to deal with the old legacy users file entries.  *ick!*

Wm
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius LDAP at RHEL 5.1

2008-01-17 Thread Renato Gregio de Souza Filho
Hi all,

I'm trying to configure FreeRADIUS to authenticate against an LDAP database. I have 
poor knowledge of FreeRADIUS and need help :) ...
What do I need to do to configure my FreeRADIUS correctly to authenticate against the 
LDAP database? How can I test it?


Today I have the following structure in my LDAP tree (base, OU, and an example user):

### 
dn: dc=peixotoradius,dc=com,dc=br 
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: Peixoto 
dc: peixotoradius 

dn: ou=usuarios,dc=peixotoradius,dc=com,dc=br 
objectClass: top 
objectClass: organizationalUnit 
ou: usuarios 

dn: uid=1015,ou=Usuarios,dc=peixotoradius,dc=com,dc=br 
uid: 1015 
cn: 1015 
userPassword: {crypt}$1$1gLC/3mY$aEsZ9ckW6FvyNkUrWDtv0. 
objectClass: radiusObjectProfile 

### 

and in my /etc/raddb/radiusd.conf I have the following for ldap:

### 
prefix = /usr 
exec_prefix = /usr 
sysconfdir = /etc 
localstatedir = /var 
sbindir = /usr/sbin 
logdir = ${localstatedir}/log/radius 
raddbdir = ${sysconfdir}/raddb 
radacctdir = ${logdir}/radacct 
confdir = ${raddbdir} 
run_dir = ${localstatedir}/run/radiusd 
log_file = ${logdir}/radius.log 
libdir = /usr/lib64 
pidfile = ${run_dir}/radiusd.pid 
user = radiusd 
group = radiusd 
max_request_time = 30 
delete_blocked_requests = no 
cleanup_delay = 5 
max_requests = 1024 
bind_address = * 
port = 0 
hostname_lookups = no 
allow_core_dumps = no 
regular_expressions = yes 
extended_expressions = yes 
log_stripped_names = no 
log_auth = no 
log_auth_badpass = no 
log_auth_goodpass = no 
usercollide = no 
lower_user = no 
lower_pass = no 
nospace_user = no 
nospace_pass = no 
checkrad = ${sbindir}/checkrad 
security { 
max_attributes = 200 
reject_delay = 1 
status_server = no 
} 
proxy_requests = yes 
$INCLUDE ${confdir}/proxy.conf 
$INCLUDE ${confdir}/clients.conf 
snmp = no 
$INCLUDE ${confdir}/snmp.conf 
thread pool { 
start_servers = 5 
max_servers = 32 
min_spare_servers = 3 
max_spare_servers = 10 
max_requests_per_server = 0 
} 
modules { 

pap { 
encryption_scheme = crypt 
} 
chap { 
authtype = CHAP 
} 

pam { 
pam_auth = radiusd 
} 

unix { 
cache = no 
cache_reload = 600 
shadow = /etc/shadow 
radwtmp = ${logdir}/radwtmp 
} 

$INCLUDE ${confdir}/eap.conf 


ldap { 
server = localhost 
identity = cn=admin,dc=peixotoradius,dc=com,dc=br 
password = My_password 
basedn = dc=peixotoradius,dc=com,dc=br 
filter = (uid=%{Stripped-User-Name:-%{User-Name}}) 
base_filter = (objectclass=radiusprofile) 
start_tls = no 
access_attr = dialupAccess 
dictionary_mapping = ${raddbdir}/ldap.attrmap 
timeout = 4 
timelimit = 3 
net_timeout = 1 
} 

### 





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Freeradius +LDAP + Active Directory + Authenticate Only questions

2008-01-17 Thread William Segura
I am trying to setup Freeradius to authenticate against an active
directory server.  I do not want it to do a ldapsearch to get
authorization. I have looked on the mailing lists but have not found how
to do this in my situation. I did read the rlm_ldap manual and am aware
of the ldap-UserDN variable. I am unable to get Freeradius to set the
bind DN to what I attempt to set the ldap-userdn variable to in the
authentication phase. It insists on setting DN to the entire CN.

Any clues?

Thanks.


Here are the relevant files:

/etc/raddb/radiusd.conf
*

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib64
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {

pap {
auto_header = yes
}

chap {
authtype = CHAP
}

pam {

pam_auth = radiusd
}

unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}

$INCLUDE ${confdir}/eap.conf

mschap {
}

ldap {
server = ldaps://ad-ldap.subdomain.domain.com
port = 636
identity = username
password = password
basedn = ou=North America,dc=subdomain,dc=domain,dc=com
ldap_debug = 0x0028
binddn = (SamAccountName=%u)
base_filter = (objectclass=*)
filter = (SamAccountName=%u)
start_tls = no
tls_require_cert= never
password_radius_attribute = NT-Password
password_attribute = userPassword
password_header = {clear}
#access_attr = telephoneNumber
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
#default_profile = ladp-userdn
#groupname_attribute = cn
#groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
#groupmembership_attribute = memberOf 
timeout = 4
timelimit = 3
net_timeout = 1
}

realm IPASS {
format = prefix
delimiter = /
ignore_default = no
ignore_null = no
}

realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}

realm realmpercent {
format = suffix
delimiter = %
ignore_default = no
ignore_null = no
}

realm ntdomain {
format = prefix
delimiter = \\
ignore_default = no
ignore_null = no
}   

checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}

detail {

detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 

Re: eap-mschapv2

2008-01-17 Thread indira kolli
Hello Alan,

 I finally got it working. I missed the reply to the second
access-challenge.
   One thing I am still not sure about is the MPPE keys.
 We are using only EAP-MSCHAPv2 without PEAP.
 The authenticator needs the MPPE keys to authenticate the peer.
But in the EAP-MSCHAPv2 Access-Challenge or Access-Accept I don't see the
keys. I see that the keys are generated for MSCHAPv2 but are
deleted before the request is sent.

 Help is very much appreciated.

Thank you
 Indi



On Jan 16, 2008 12:09 PM, Alan DeKok [EMAIL PROTECTED] wrote:

> indira kolli wrote:
> > What is the expected callflow for EAP-MSCHAPv2
>
>   Read the specification, or the source code.
>
> > Access-request
> > Access-Challenge
> > Access-request
> > Access-Accept
> >
> > Why am I getting Access-challenge again
>
>   You're not saying which supplicant you're using.
>
>   Let me guess: you're writing your own, and trying to debug it using
> FreeRADIUS.  If that's true, I suggest that you go read the
> wpa_supplicant source code.  It implements EAP-MSCHAPv2 correctly.
>
>   If you're not writing your own supplicant, then the server is working
> correctly.  You may be surprised that more than one Access-Challenge is
> being sent, but that is the Way It Works.  If you care to know why, go
> read the source code in rlm_eap_mschapv2.c
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Rlm_sql in freeradius-1.1.7

2008-01-17 Thread orion
Sorry for the mistakes in the first example of the MySQL table
(missed an 'i', and 'calling' instead of 'called').
The correct one is this:

+----+----------+--------------------+----+--------------+
| id | username | attribute          | op | value        |
+----+----------+--------------------+----+--------------+
|  1 | orioni   | Called-Station-Id  | == | 001bd136e285 |
|  2 | orioni   | Cleartext-Password | := | test         |
|  3 | orioni   | Simultaneous-Use   | := | 2            |
+----+----------+--------------------+----+--------------+

You can put two records for 'Called-Station-Id'
with the MAC addresses of the access points from
which the client is allowed to login.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
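Dashamir's question (whether rlm_sql walks radcheck, radreply, usergroup, radgroupcheck and radgroupreply in the order the wiki page gives) and orion's Called-Station-Id rows are about the same thing: which check items have to match before a reply is assembled. The Python model below is an added example written for this digest; it is not rlm_sql's code, and its tables are constructed from the two posts (the third radgroupcheck row is assumed to belong to group A3, and the 'two-aps' user is added to show the regex form). It follows the order Dashamir describes: the user's own check items first, all of which must hold, then radreply, then, only when that reply says Fall-Through = Yes, each group in priority order, stopping at the first matching group unless that group's reply also says Fall-Through = Yes.

```python
import re

# Constructed tables modelled on the two posts (the 'test' user and its groups from
# Dashamir's post, the 'orioni' rows from orion's); not a dump of any real server.
RADCHECK = [
    ("test",    "Cleartext-Password", ":=", "test"),
    ("test",    "Simultaneous-Use",   ":=", "5"),
    ("orioni",  "Cleartext-Password", ":=", "test"),
    ("orioni",  "Called-Station-Id",  "==", "001bd136e285"),
    ("orioni",  "Simultaneous-Use",   ":=", "2"),
    # added user: allowed from either of two APs via one regex check item
    ("two-aps", "Cleartext-Password", ":=", "test"),
    ("two-aps", "Called-Station-Id",  "=~", "^(001bd136e285|001bd136e286)$"),
]
RADREPLY = [
    ("test", "Auth-Type",    ":=", "Reject"),
    ("test", "Fall-Through", ":=", "Yes"),
]
USERGROUP = [("test", "A1", 1), ("test", "A2", 1), ("test", "A3", 1)]
RADGROUPCHECK = [
    ("A1", "NAS-Identifier", "==", "ID-A1"),
    ("A2", "NAS-Identifier", "==", "ID-A2"),
    ("A3", "NAS-Identifier", "==", "ID-A3"),  # assumed: the post lists this row under A2
]
RADGROUPREPLY = [
    ("A1", "Auth-Type", ":=", "Accept"), ("A1", "Fall-Through", ":=", "No"),
    ("A2", "Auth-Type", ":=", "Reject"), ("A2", "Fall-Through", ":=", "Yes"),
    ("A3", "Auth-Type", ":=", "Accept"), ("A3", "Fall-Through", ":=", "No"),
]


def rows(table, key):
    """Rows of a table for one UserName / GroupName, with that key column dropped."""
    return [r[1:] for r in table if r[0] == key]


def check_items_match(request, items):
    """':=' items are config and are not compared; every comparison item must hold."""
    config = {}
    for attr, op, value in items:
        if op == ":=":
            config[attr] = value
            continue
        have = request.get(attr)
        if have is None:
            return False, config
        if op == "==" and have != value:
            return False, config
        if op == "=~" and not re.search(value, have):
            return False, config
    return True, config


def apply_reply(reply, items):
    for attr, op, value in items:
        if op == ":=" or attr not in reply:   # ':=' overrides; '=' only sets when absent
            reply[attr] = value


def authorize(request):
    """Return (Auth-Type, reply items, reason) for one request dict."""
    user = request["User-Name"]
    user_items = rows(RADCHECK, user)
    if not user_items:
        return "Reject", {}, "unknown user"
    ok, config = check_items_match(request, user_items)
    if not ok:
        return "Reject", {}, "user check items did not match"
    if config.get("Cleartext-Password") != request.get("User-Password"):
        return "Reject", {}, "wrong password"
    reply = {}
    apply_reply(reply, rows(RADREPLY, user))
    # groups are walked only when the user's own reply says Fall-Through = Yes
    if reply.get("Fall-Through", "No").lower() == "yes":
        for group, _priority in sorted(rows(USERGROUP, user), key=lambda r: r[1]):
            matched, _ = check_items_match(request, rows(RADGROUPCHECK, group))
            if not matched:
                continue
            apply_reply(reply, rows(RADGROUPREPLY, group))
            if reply.get("Fall-Through", "No").lower() != "yes":
                break
    auth_type = reply.pop("Auth-Type", "Accept")
    reply.pop("Fall-Through", None)
    return auth_type, reply, "ok"


if __name__ == "__main__":
    for nas in ("ID-A1", "ID-A2", "ID-A3", "ID-A9"):
        req = {"User-Name": "test", "User-Password": "test", "NAS-Identifier": nas}
        print("test @", nas, "->", authorize(req))
    for mac in ("001bd136e285", "001bd136e286"):
        for user in ("orioni", "two-aps"):
            req = {"User-Name": user, "User-Password": "test", "Called-Station-Id": mac}
            print(user, "@", mac, "->", authorize(req))
```

Two things the model makes visible. Because every comparison item for a user must hold, a second `==` row on Called-Station-Id would add a second condition rather than an alternative, so no single request could satisfy both; allowing a user from either of two APs is what the `=~` item of the 'two-aps' user does. And Auth-Type is treated here as an ordinary reply item for brevity, whereas in the real server it is a control item that is normally placed in radcheck or radgroupcheck rather than in the reply tables.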

Not sending a reply packet from proxy

2008-01-17 Thread Pshem Kowalczyk
Hi,

We have a quite extensive proxy setup, with a few dozen realms
and a small army of home servers. Some of those home servers belong
to our wholesale customers. Normally devices send packets to the
geographically closest proxy servers, which in turn use the closest
(geographically again) home servers. When the proxies don't get a reply
from the home servers (because, for example, the link went down) they
return a 'Reject' - as expected.

Some customers of ours are not entirely happy with that approach as
they would like to get those packets answered by a different home
server farm in a different city. Our proxies do not forward packets
between cities (mainly for efficiency and manageability reasons), but
our devices can fall back to a different proxy farm (in a different
city) if the primary IP for that customer (a FreeRADIUS farm load
balanced by an SLB) goes down.

Is it possible to discard the packet on the proxy if the home server
doesn't reply and let the device fall back to a different proxy?

Currently we use radius 1.1.7, but looking into upgrading it to 2.0.0.

kind regards
Pshem
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html