Rlm_sql in freeradius 2
Hi,

I have installed and tested freeradius-2 for a short while. I tested the behavior of the groups in the sql module, because this is what I am interested in right now. In general it works as described in the docs. However, I still find some things that do not work as expected (or at least as I expect them to work). In case somebody is interested in bug reports, this is what I have found out:

* Setting the attribute User-Profile in the table radcheck or radreply doesn't work as described in the docs:

  7. Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of.

* Setting the attribute Auth-Type:=Accept or Auth-Type:=Reject in the table radgroupreply doesn't work. Maybe it is not supposed to work, but why not?

* Trying to set the password with Cleartext-Password:=xyz in radgroupcheck or radgroupreply doesn't work. Maybe it is not supposed to work, but why not?

Regards,
Dashamir

Dashamir Hoxha wrote:

Hi,

Actually, what I am trying to do is this: I have several access points that have a hotspot and use radius for AAA. I would like to register users in radius so that they are able to log in using some of the access points, and not able to log in using the others. The way that I was trying to do it is like this: Suppose that there are the access points A1, A2, A3 and the user 'test' should be able to access the internet only from A1 and A3.

The data in radius that would make this scenario work could be like this:

radcheck:

    +------+----------+------------------+----+-------+
    | id   | UserName | Attribute        | op | Value |
    +------+----------+------------------+----+-------+
    | 5272 | test     | User-Password    | := | test  |
    | 5262 | test     | Simultaneous-Use | := | 5     |
    +------+----------+------------------+----+-------+

radreply:

    +----+----------+--------------+----+--------+
    | id | UserName | Attribute    | op | Value  |
    +----+----------+--------------+----+--------+
    | 42 | test     | Auth-Type    | := | Reject |
    | 43 | test     | Fall-Through | := | Yes    |
    +----+----------+--------------+----+--------+

usergroup:

    +----------+-----------+----------+
    | UserName | GroupName | priority |
    +----------+-----------+----------+
    | test     | A1        | 1        |
    | test     | A2        | 1        |
    | test     | A3        | 1        |
    +----------+-----------+----------+

radgroupcheck:

    +----+-----------+----------------+----+-------+
    | id | GroupName | Attribute      | op | Value |
    +----+-----------+----------------+----+-------+
    | 42 | A1        | NAS-Identifier | == | ID-A1 |
    | 43 | A2        | NAS-Identifier | == | ID-A2 |
    | 44 | A2        | NAS-Identifier | == | ID-A3 |
    +----+-----------+----------------+----+-------+

radgroupreply:

    +----+-----------+--------------+----+--------+
    | id | GroupName | Attribute    | op | Value  |
    +----+-----------+--------------+----+--------+
    | 52 | A1        | Auth-Type    | := | Accept |
    | 53 | A1        | Fall-Through | := | No     |
    | 54 | A2        | Auth-Type    | := | Reject |
    | 55 | A2        | Fall-Through | := | Yes    |
    | 56 | A3        | Auth-Type    | := | Accept |
    | 57 | A3        | Fall-Through | := | No     |
    +----+-----------+--------------+----+--------+

However, if the radius does not follow the algorithm described in http://wiki.freeradius.org/Rlm_sql, then this setup should not work. Do you have any suggestion or idea on how to make the scenario above work?

Regards,
Dashamir

Dashamir Hoxha wrote:

I have installed freeradius-1.1.7 in fedora8. However I find that the module rlm_sql does not work as described in this page: http://wiki.freeradius.org/Rlm_sql

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Administering with MySQL DB
http://dev.mysql.com/doc/refman/5.0/en/data-manipulation.html

Read at least insert, select, update and delete.

Ivan Kalik
Kalik Informatika ISP

On 18/1/2008, Andy Smith [EMAIL PROTECTED] wrote:

Erm, thanks. But I'm trying to work out how I administer the data in MySQL. Are there no utilities for entering data? If I have to enter data manually with SQL insert etc. can anyone point me at some docs explaining the format the information should be in?

Andy Smith wrote:

I'm completely new to freeradius. I have installed the server with MySQL and also got the dialup web GUI up and running. However it's still not clear to me how I add new NAS devices; you don't appear to be able to do that in the GUI. I just want to add a system by IP address with a secret. Do I need to manually do an insert into mysql? If so can someone give me a pointer to how the data should be entered? Or any other help!!

Edit the configuration files with a text editor.

Alan DeKok.
Re: Rlm_sql in freeradius 2
* Setting the attribute Auth-Type:=Accept or Auth-Type:=Reject in the table radgroupreply doesn't work. Maybe it is not supposed to work, but why not?

It's a check item, so it goes into radcheck or radgroupcheck.

Ivan Kalik
Kalik Informatika ISP
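An added example, not from the thread, applying Ivan's point to Dashamir's scenario on the stock MySQL schema (table and column names as in the thread; the 2.0 schema calls the membership table radusergroup). It assumes the three NASes send NAS-Identifier ID-A1, ID-A2 and ID-A3, and it uses one deny group for A2 instead of Auth-Type := Accept for A1 and A3, because Auth-Type := Accept makes the server accept without checking the password.

```sql
-- Constructed example (not from the thread): user 'test' is refused on the
-- NAS that identifies itself as ID-A2 and authenticates normally on A1/A3.
-- Assumes the stock FreeRADIUS MySQL schema (radcheck, usergroup, radgroupcheck).

-- The password stays in radcheck, never in a group table.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('test', 'Cleartext-Password', ':=', 'test-password'); -- placeholder

-- Membership: the user only needs to be in the deny group.
INSERT INTO usergroup (UserName, GroupName, priority)
VALUES ('test', 'deny-A2', 1);

-- Auth-Type is a check item, so it belongs in radgroupcheck, not radgroupreply.
-- Both rows are check items of the same group: the NAS-Identifier row must
-- match the request before the group's Auth-Type := Reject takes effect.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
VALUES ('deny-A2', 'NAS-Identifier', '==', 'ID-A2'),
       ('deny-A2', 'Auth-Type',      ':=', 'Reject');

-- Verification: the check items rlm_sql will evaluate for this user, in
-- the order it processes them (radcheck first, then groups by priority).
SELECT 'radcheck' AS source, Attribute, op, Value
FROM radcheck
WHERE UserName = 'test'
UNION ALL
SELECT CONCAT('group:', g.GroupName), g.Attribute, g.op, g.Value
FROM radgroupcheck g
JOIN usergroup u ON u.GroupName = g.GroupName
WHERE u.UserName = 'test'
ORDER BY source;
```

Restricting A1 and A3 by an allow list would need Auth-Type := Accept in their groups, which is why the deny-group form is used here.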
Re: rlm_perl build on mac osx
Info wrote:

Alan,

Thanks for your quick response! Yes, I'm aware that Apple has included FR in Leopard and am curious to see how it works in that version of the OS once I move to it eventually. However, for the Tiger users, of which I'll remain one for a while, I'd like to provide ease of installation via MacPorts.

FR 1.1.6 is included in Leopard with patches from Apple to make it work with the Open Directory services / Server Admin stuff. I ran into exactly the same issue as you when attempting to build on Leopard Server; it works fine on a machine with exactly the same architecture running Tiger...

Though a buildable 1.1.7 is available via MacPorts right now, it needs a patch -- which may be a moot point now that 2.0 is here and it fixes the trouble that stripping the binaries (i.e. the INSTALLSTRIP -s switch) caused. I'll look more into the PATH setting for building against 5.10. Perhaps adding the PERL5LIB variable in my env will do the trick.

Jim
___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com

On Jan 18, 2008, at 3:19 PM, [EMAIL PROTECTED] wrote:

Hi, several folk run FreeRADIUS on MacOSX already - and Apple even have added code themselves - I believe FR is the fundamental EAP system in e.g. the latest airport/timecapsule product (though I may be wrong on that aspect of usage! ;-) )

It is, but Apple include 1.1.6, not 2.0.0; very few people have attempted to build FR 2 on Leopard Server.

2] Is perl only a build dependency for rlm_perl, or does the module make runtime calls to external perl libs?

correct. it's only for rlm_perl

3] I've discovered with an install of perl 5.10 that, during configure (of freeradius 2), the linker chooses the /System/Library/5.8.6... over the new perl (at {prefix}/lib/perl/5.10.0). The only thing I can guess is that when searching for perl libs/includes, the linker only expands to seek version n.n.n and does not recognize a two digit subversion n.nn.n. If that's what's happening, is that patchable?

or likely it's a PATH problem and you have to tell it where your 5.10.0 is living.

alan
Re: NAS list with MySQL
the script nas.sql has the mysql table schema. in the file sql.conf at the end you can see:

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup. For performance
    # and security reasons, finding clients via SQL queries CANNOT
    # be done live while the server is running.
    #
    #readclients = yes

    # Table to keep radius client info
    nas_table = nas

As you can see the default table name is nas (can you imagine :-) ). Uncomment readclients = yes. Make configuration changes at radiusd.conf and enable the sql module.

On 19/01/2008, Pawel Cieplinski [EMAIL PROTECTED] wrote:

Hi there... I am new to FreeRADIUS. I already successfully installed freeradius 1.1.7 with mysql5.1. The point is the NASes' IPs and secrets are configured in clients.conf. I cannot find anything on how to put those data in the SQL database. sql.conf doesn't describe any table or value for clients; can anyone give any clue how to store those data in the SQL database?

Pawel Cieplinski
Re: NAS list with MySQL
Hi,

Hi there... I am new to FreeRADIUS. I already successfully installed freeradius 1.1.7 with mysql5.1. The point is the NASes' IPs and secrets are configured in clients.conf. I cannot find anything on how to put those data in the SQL database. sql.conf doesn't describe any table or value for clients; can anyone give any clue how to store those data in the SQL database?

sql.conf has the readclients directive and the sql schema clearly shows the nas table:

    mysql> describe nas;

simply populate. enable the readclients directive. with 1.1.x I believe you still need a single entry in clients.conf - a fake entry - e.g. 127.0.0.2 or it barfs. 2.0.0 doesn't have this issue

alan
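An added example, not from the thread, of populating the nas table that the readclients = yes directive loads at startup. Column names follow the stock nas.sql schema shipped with FreeRADIUS; the client address, name and secret are placeholders.

```sql
-- Constructed example (not from the thread): register one RADIUS client in
-- the 'nas' table so rlm_sql reads it when readclients = yes is set in sql.conf.
-- Columns of the stock nas.sql schema: id, nasname, shortname, type, ports,
-- secret, community, description.
INSERT INTO nas (nasname, shortname, type, ports, secret, community, description)
VALUES ('192.0.2.10',                 -- placeholder client address
        'ap-A1',                      -- placeholder short name
        'other',                      -- NAS type; 'other' is the generic value
        NULL,                         -- ports: not needed for client lookup
        'CHANGE-ME-long-random-secret', -- placeholder shared secret
        NULL,                         -- community: only used for SNMP
        'Hotspot access point A1');

-- Catch duplicates before restarting: the same address listed twice makes
-- it ambiguous which secret the server will use for that client.
SELECT nasname, COUNT(*) AS entries
FROM nas
GROUP BY nasname
HAVING COUNT(*) > 1;

-- What the server will load on its next start (clients are not re-read live).
SELECT id, nasname, shortname, type, secret FROM nas ORDER BY nasname;
```

Because clients are only read at startup, radiusd has to be restarted after any change to this table.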
Re: EAP-TLS Machine Authentication problems - Resolved
Well this was an embarrassing sort of problem. The CA certificate was in the User's Trusted Root store; once I moved it to the Machine Trusted Root store all was well. For anyone else ever hunting down this problem, the Windows RASTLS.log error messages I got were:

    [4968] 21:57:59:046: SecurityContextFunction
    [4968] 21:57:59:062: InitializeSecurityContext returned 0x80090325
    [4968] 21:57:59:062: State change to RecdFinished. Error: 0x321

In freeradius it seemed like the login process just cycled forever, getting to the last message, and the client just gave up. In the Windows Wireless Network Connection dialog box it hung in "attempting to verify" and never moved on.

Thanks all for enduring my duh moment with me.

v/r
-- Mike Olson

Michael Olson wrote:

I tried upgrading to 2.0.0, very close to a stock default config, and I'm getting the same symptoms: user works, computer doesn't. Makes me even more suspicious of my certificates. I updated the files listed below to new logs generated from 2.0.0.

I saw the note in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that to work and I posted the output from an openssl pkcs12 dump to http://www.cs.odu.edu/~olson/eap/computer.p12.txt ; unfortunately that didn't seem to help.

I'm pretty much dead on ideas at this point, besides Ivan Kalik's suggestion that I look into the $ appended to the machine name. (Which I'm pursuing next.)

Thanks
-- Mike Olson

Michael Olson wrote:

I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the certificates. I can authenticate using user certificates fine, so I'm pretty sure all the certificate CA setup is right on the RADIUS server certificate, user certificate, and the root certificate. That leaves the computer certificate.

I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName field as well. It has the same usage extensions as the user certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it tries to authenticate, which suggests that the workstation is okay with the certificate.

Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt

Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer; it just cycles endlessly.

Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log

I also tossed out the Windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/

Can anybody give me a pointer on where to look for problems?

Thanks
-- Mike Olson
Re: Administering with MySQL DB
Hey Andy,

There are other alternatives to dialup admin in terms of web management for freeradius. One of which is daloRADIUS (and yes, it supports managing the nas entries for the database as well).

Web: http://sourceforge.net/projects/daloradius/
Wiki: http://daloradius.wiki.sourceforge.net/

There's also an online demo of the latest development from SVN (trunk) which users can play around with to check out the new features.

Demo: http://daloradius.xdsl.by
Username and Password are administrator/radius

Of course the demo isn't fully functional and is only there for presentational reasons. Everyone else is of course welcome to look around. Please be kind and share some feedback :-)

Regards,
Liran Tal.

On Jan 18, 2008 8:18 PM, Andy Smith [EMAIL PROTECTED] wrote:

Hi, thanks, I've looked at this and it's a good guide to the initial install but doesn't seem to provide any detailed info on how to administer the data in the tables. I.e. there is a sample of some data from a test system but this doesn't even mention the NAS table; how are other people administering their systems?

thanks!
Andy.

* FreeRadius Wiki is a good starting point. SQL Howto *