Re: cannot connect to sql database
Hi Liran

This is my log file. I can't find any errors for cannot connect to sql database.

Thanks
Devinder

080124 14:48:58 mysqld ended
080124 14:48:58 mysqld started
080124 14:48:58 InnoDB: Started; log sequence number 0 43655
080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:26:09 InnoDB: Starting shutdown...
080124 15:26:11 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:26:11 mysqld ended
080124 15:26:11 mysqld started
080124 15:26:11 InnoDB: Started; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:40:56 InnoDB: Starting shutdown...
080124 15:40:57 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:40:57 mysqld ended
080124 15:40:57 mysqld started
080124 15:40:57 InnoDB: Started; log sequence number 0 43655
080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM

On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
The exact error message on Dial Up Admin is cannot connect to sql database.

Well that's not too helpful now, is it? I'm not too familiar with dialupadmin, maybe someone else can donate his 2 cents if they had this problem as well. Like I said before, you should try debugging the problem by taking a look at log files instead of trying to guess the problem into discovery.

Some thoughts to think about:
- is this working if you run it from console?
  mysql -u freeradius -pmysuperpassword radius
- do you have the necessary php mysql package installed? (php4-mysql or php5-mysql)

Regards,
Liran Tal.

On 29/01/2008, Liran Tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 9:41 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
Where should I turn on the Logging, in which file? Could you let me know what files are involved to do logging.

Turning on the mysql logging is done in mysql's configuration file (on debian it's found at /etc/mysql/my.cnf).

What is the exact error message you receive in the web page? "Dial Up admin page i get cannot connect to sql databse" is too ambiguous. Copy and paste it here.

Regards,
Liran Tal.

On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 5:06 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Dear Liran
this is my dialup_admin.conf file

sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: freeradius
sql_password: mysuperpassword
sql_database: radius
sql_accounting_table: radacct
sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
sql_usergroup_table: usergroup

and this is the /usr/raddb/sql.conf configuration

sql {
    # Database type
    # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
    # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
    driver = rlm_sql_mysql

    # Connect info
    server = localhost
    login = freeradius
    password = mysuperpassword

    # Database table configuration
    radius_db = radius

    # If you want both stop and start records logged to the
    # same SQL table, leave this as is. If you want them in
    # different tables, put the start table in acct_table1
    # and stop table in acct_table2
    acct_table1 = radacct
    acct_table2 = radacct

    # Allow for storing data after authentication
    postauth_table = radpostauth

Is there anything that i as missing pls advise.

I guess that looks alright but you haven't done any debugging like I suggested. Turn on mysql logging and see if there's even a connection attempt and if there is you can track what query is going wrong. You haven't detailed what is the exact error, it could just as well be that everything is configured fine but you haven't installed any php-mysql package and you have
Re: deactivate ldap.attrmap
Hello again,

Sebastian Heil wrote:

Is there a way to deactivate the ldap.attrmap file?

Edit the source code & re-compile.

Maybe i will try it... never done before... :-) thanks anyway.

i have got another problem. since the authentication via ldap works now quite ok, i would like to try ldaps together with edirectory. what do i have to configure? i already imported the root certificate and configured the tls-section of the ldap-section like this:

tls {
    start_tls = yes
    cacertfile = /etc/raddb/certs/tc_class2.pem
    require_cert = demand
}

but it doesn't work like this... i added the following lines to the ldap-section:

port = 636
tls_mode = yes
tls_require_cert = demand

and it doesn't work either... part of the debug:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to :636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/tc_class2.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

Any ideas? Thanks.
Sebastian

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: cannot connect to sql database
On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran

This is my log file. I can't find any errors for cannot connect to sql database.

Thanks
Devinder

080124 14:48:58 mysqld ended
080124 14:48:58 mysqld started
080124 14:48:58 InnoDB: Started; log sequence number 0 43655
080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:26:09 InnoDB: Starting shutdown...
080124 15:26:11 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:26:11 mysqld ended
080124 15:26:11 mysqld started
080124 15:26:11 InnoDB: Started; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:40:56 InnoDB: Starting shutdown...
080124 15:40:57 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:40:57 mysqld ended
080124 15:40:57 mysqld started
080124 15:40:57 InnoDB: Started; log sequence number 0 43655
080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM

Does mysql actually keep running? What gives

ps -ae | grep mysql

Can you access your database from the cli?

kind regards,
Y.
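The log quoted in this thread can be read mechanically to see whether each restart followed an orderly shutdown. The following is an added example, not part of the original posts: the function names and the "clean" / "unexplained" labels are this example's own convention, and the sample lines are copied from the log quoted above.

```shell
#!/bin/sh
# Added example: classify every "mysqld started" event in a MySQL 5.0-style
# error log by what the log shows immediately before it.

# Reads log text from the files given as arguments, or from stdin.
# Prints one line per start: "<date> <time> <verdict>".
#   clean       - a "Normal shutdown" / "Shutdown complete" pair precedes it
#   unexplained - no complete shutdown sequence is visible before it
classify_restarts() {
    awk '
        /\[Note\] .*: Normal shutdown/   { requested = 1 }
        /\[Note\] .*: Shutdown complete/ { completed = 1 }
        / mysqld started *$/ {
            if (requested && completed) verdict = "clean"
            else verdict = "unexplained"
            print $1, $2, verdict
            requested = 0; completed = 0
        }
    ' "$@"
}

# Number of starts that have no visible shutdown sequence before them.
count_unexplained() {
    classify_restarts "$@" | awk '$3 == "unexplained" { n++ } END { print n + 0 }'
}

# The log excerpt as quoted in the thread.
sample_log() {
    cat <<'EOF'
080124 14:48:58 mysqld ended
080124 14:48:58 mysqld started
080124 14:48:58 InnoDB: Started; log sequence number 0 43655
080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:26:09 InnoDB: Starting shutdown...
080124 15:26:11 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:26:11 mysqld ended
080124 15:26:11 mysqld started
080124 15:26:11 InnoDB: Started; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:40:56 InnoDB: Starting shutdown...
080124 15:40:57 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:40:57 mysqld ended
080124 15:40:57 mysqld started
080124 15:40:57 InnoDB: Started; log sequence number 0 43655
080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
EOF
}

sample_log | classify_restarts
```

The first start is reported as unexplained only because the excerpt begins at that point; the two later restarts each follow a requested, orderly shutdown.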
Re: trouble setting up freeradius :((
the certificate's password in the eap.conf is wrong.

On 30/01/2008, SnahaD00 [EMAIL PROTECTED] wrote:

Hi,

I really (desperately) need freeradius to work on my schools network - it's urgent. I've got server on Ubuntu 7.04. I setup freeradius according to some howtos and tutorials, but with no luck. What I did was:

- made deb package with tls support
- installed deb freeradius package
- did setup freeradius as told here http://ubuntuforums.org/showthread.php?t=478804highlight=freeradius+openssl
- problems...

When I issue command freeradius -x i got this:

rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1944] Unknown module eap.
radiusd.conf[1891] Failed to parse authenticate section.

Any idea ?
Re: memory corruption when proxying accounting requests
Jørn Kostøl wrote:

Local auth and acct works fine, and proxying auth works. But as soon as I try to proxy accounting then Freeradius crashes.

The issue isn't proxying, but dealing with attributes that aren't in the dictionaries. Bug #514 was recently filed about this. The solution is in CVS. Grab the latest version of src/lib/valuepair.c, and it will be fixed. The file will work in 2.0.1 (if you re-build from source), or you can just install from CVS.

Alan DeKok.
Re: cannot connect to sql database
I have hard times with Dial Up Admin. Should I proceed with daloradius? Do I install it in srv/www folder like dial up?

On 28/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 28, 2008 4:35 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi
I am using Dial Up Admin on Free radius. Free Radius is Running but when I access Dial Up admin page I get cannot connect to sql database. I have done most of the configuration settings and followed the wiki tutorial on Free Radius.

Did you check that your sql server is actually running?
Did you import the radius database schema into the sql server?
Did you configure all the required settings to connect to the sql server in dialupadmin?

You also might want to take a look at daloRADIUS for easy web management of freeradius with sql servers: http://sourceforge.net/projects/daloradius/

Regards,
Liran.

--
Devinder
Re: cannot connect to sql database
Yes I can access mysql from CLI

On 30/01/2008, YvesDM [EMAIL PROTECTED] wrote:

On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran

This is my log file. I can't find any errors for cannot connect to sql database.

Thanks
Devinder

080124 14:48:58 mysqld ended
080124 14:48:58 mysqld started
080124 14:48:58 InnoDB: Started; log sequence number 0 43655
080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:26:09 InnoDB: Starting shutdown...
080124 15:26:11 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:26:11 mysqld ended
080124 15:26:11 mysqld started
080124 15:26:11 InnoDB: Started; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:40:56 InnoDB: Starting shutdown...
080124 15:40:57 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:40:57 mysqld ended
080124 15:40:57 mysqld started
080124 15:40:57 InnoDB: Started; log sequence number 0 43655
080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM

Does mysql actually keep running? What gives

ps -ae | grep mysql

Can you access your database from the cli?

kind regards,
Y.

--
Devinder
Re: deactivate ldap.attrmap
Sebastian Heil wrote:

... i added the following lines to the ldap-section: ...
rlm_ldap: could not start TLS Can't contact LDAP server

Maybe you need to check that there is an LDAP server listening on that port?

Alan DeKok.
Re: eap authentication problem
Mike Zoeteweij wrote:

Can anyone tell me what I'm doing wrong here?

Read eap.conf. Look for Windows. See also the wiki.

Sending Access-Challenge of id 3 to 192.168.100.5:4855
...
Waking up in 6 seconds...
--- Walking the entire request list ---

This *exact* behavior is explained in eap.conf. If you edited the file to configure PEAP, you should have seen the comments explaining this.

Alan DeKok.
Re: one RADIUS server per realm setup
Wm. Josiah Erikson wrote:

I'm not sure what the syntax rules for the authorize{} section of the config files are; I was unable to find any description in the docs of how one goes about figuring out how to write these conditional statements. What language is it?

$ man unlang

It seems C-like, but only kindof. Did I miss this in the documentation? And the only way I could tell that I could use the variable Realm is because it was in the debugging output of freeradius. I couldn't find a list of available variables on the wiki, other than http://wiki.freeradius.org/Run-time_variables#Conditional_syntax , which is very incomplete & non self-explanatory.

The variables are attributes in a RADIUS packet. So there *is* no complete list, because every site has different attributes.

I'm just confused as to how I was supposed to figure all this out without doing what I did, which was bang my head against the wall for a long time. I kinda figured there was some default way I was supposed to be doing what I was doing, but I gave up and did what feels like a hack to me. Is it OK? Am I missing a clear place where all of this is described?

The comments at the top of radiusd.conf say:

# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the authorize, authenticate, accounting, etc. sections.
# See man unlang for details.

Alan DeKok.
Re: cannot connect to sql database
On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
This is my log file. I can't find any errors for cannot connect to sql database.

If you don't find any connection attempts information then it means that dialupadmin isn't initiating a connection due to one of the reasons I have mentioned before or something else. We've been exchanging so many emails so far and you haven't checked what I've told you to.

I can't help you more with dialupadmin as I am not aware of its common configuration issues, if daloradius is an appropriate alternative for you I will be happy to assist you with it.

Regards,
Liran Tal.

On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
The exact error message on Dial Up Admin is cannot connect to sql database.

Well that's not too helpful now, is it? I'm not too familiar with dialupadmin, maybe someone else can donate his 2 cents if they had this problem as well. Like I said before, you should try debugging the problem by taking a look at log files instead of trying to guess the problem into discovery.

Some thoughts to think about:
- is this working if you run it from console?
  mysql -u freeradius -pmysuperpassword radius
- do you have the necessary php mysql package installed? (php4-mysql or php5-mysql)

Regards,
Liran Tal.

On 29/01/2008, Liran Tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 9:41 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
Where should I turn on the Logging, in which file? Could you let me know what files are involved to do logging.

Turning on the mysql logging is done in mysql's configuration file (on debian it's found at /etc/mysql/my.cnf).

What is the exact error message you receive in the web page? "Dial Up admin page i get cannot connect to sql databse" is too ambiguous. Copy and paste it here.

Regards,
Liran Tal.

On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 5:06 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Dear Liran
this is my dialup_admin.conf file

sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: freeradius
sql_password: mysuperpassword
sql_database: radius
sql_accounting_table: radacct
sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
sql_usergroup_table: usergroup

and this is the /usr/raddb/sql.conf configuration

sql {
    # Database type
    # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
    # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
    driver = rlm_sql_mysql

    # Connect info
    server = localhost
    login = freeradius
    password = mysuperpassword

    # Database table configuration
    radius_db = radius

    # If you want both stop and start records logged to the
    # same SQL table, leave this as is. If you want them in
    # different tables, put the start table in acct_table1
    # and stop table in acct_table2
    acct_table1 = radacct
    acct_table2 = radacct

    # Allow for storing data after authentication
    postauth_table = radpostauth

Is there anything that i as missing pls advise.

I guess that looks alright but you haven't done any debugging like I suggested. Turn on mysql logging and see if there's even a connection attempt and if there is you can track what query is going wrong. You haven't detailed what is the exact error, it could just as well be that everything is configured fine but you haven't installed any php-mysql package and you have error_reporting turned off and so you are not seeing the error.

Please check these things first.

Regards,
Liran Tal.

On 28/01/2008, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
Are there a lot of changes to be made on Dial Up Admin admin.conf file? Could you suggest any specific changes as well in etc/raddb/sql.conf?

Regards
Devinder

On 28/01/2008, Liran Tal [EMAIL PROTECTED] wrote:
Re: trouble setting up freeradius :((
SnahaD00 wrote:

When I issue command freeradius -x i got this:

rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

The password you put in the configuration file is not the same as the password used to create the private key.

Alan DeKok.
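The mismatch described in this reply can be checked before starting the server by trying the configured passphrase against the key with openssl. The following is an added example, not part of the original post or of FreeRADIUS: it assumes the passphrase is set with the `private_key_password` option in the `tls` section of eap.conf, and the function names, file names and passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: confirm that the private_key_password configured for EAP-TLS
# really decrypts the server's private key, before starting the server.

# Print the first uncommented private_key_password value in a config file.
eap_conf_password() {
    sed -n 's/^[[:space:]]*private_key_password[[:space:]]*=[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' |
        head -n 1
}

# Return 0 if passphrase $2 decrypts PEM key $1. The passphrase is handed to
# openssl through the environment, so it does not show up in ps output.
key_password_ok() {
    KEYPASS="$2" openssl pkey -in "$1" -passin env:KEYPASS -noout >/dev/null 2>&1
}

# Check one config file ($1) against one key file ($2) and report the result.
check_eap_key() {
    if key_password_ok "$2" "$(eap_conf_password "$1")"; then
        echo "OK: private_key_password in $1 decrypts $2"
    else
        echo "MISMATCH: private_key_password in $1 does not decrypt $2"
        return 1
    fi
}

# Build constructed test material in directory $1: an encrypted RSA key and
# two config fragments, one with the right passphrase and one with a wrong one.
make_demo_fixture() {
    KEYPASS='constructed-pass-1' openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -pass env:KEYPASS \
        -out "$1/server.key" 2>/dev/null || return 1
    printf 'tls {\n\t#private_key_password = commented-out\n\tprivate_key_password = constructed-pass-1\n\tprivate_key_file = %s\n}\n' \
        "$1/server.key" > "$1/eap-good.conf"
    printf 'tls {\n\tprivate_key_password = copied-from-a-howto\n\tprivate_key_file = %s\n}\n' \
        "$1/server.key" > "$1/eap-bad.conf"
}

demo_dir=$(mktemp -d)
make_demo_fixture "$demo_dir"
check_eap_key "$demo_dir/eap-good.conf" "$demo_dir/server.key" || true
check_eap_key "$demo_dir/eap-bad.conf" "$demo_dir/server.key" || true
rm -rf "$demo_dir"
```

An unencrypted key passes this check with any passphrase, so a pass only shows that the key can be loaded, not that it is protected.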
Re: cannot connect to sql database
1. You are not sending login requests to this server, or at least they are not getting there. Is server set up not to receive auth requests from the network (only local requests)? Can you log into it from a different machine?

2. Is this server restarting on its own or are you doing that?

Ivan Kalik
Kalik Informatika ISP

On 30/1/2008, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran

This is my log file. I can't find any errors for cannot connect to sql database.

Thanks
Devinder

080124 14:48:58 mysqld ended
080124 14:48:58 mysqld started
080124 14:48:58 InnoDB: Started; log sequence number 0 43655
080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:26:09 InnoDB: Starting shutdown...
080124 15:26:11 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:26:11 mysqld ended
080124 15:26:11 mysqld started
080124 15:26:11 InnoDB: Started; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown
080124 15:40:56 InnoDB: Starting shutdown...
080124 15:40:57 InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete
080124 15:40:57 mysqld ended
080124 15:40:57 mysqld started
080124 15:40:57 InnoDB: Started; log sequence number 0 43655
080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM

On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
The exact error message on Dial Up Admin is cannot connect to sql database.

Well that's not too helpful now, is it?
Re: cannot connect to sql database
Hi Liran

Do u have Yahoo IM or IRC channel to chat? Ok, I will install and configure daloradius. Will it work well with FreeRadius server? Where do I extract the tar file? I have srv/www folder.

Thanks
Devinder

On 30/01/2008, Liran Tal [EMAIL PROTECTED] wrote:

On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
This is my log file. I can't find any errors for cannot connect to sql database.

If you don't find any connection attempts information then it means that dialupadmin isn't initiating a connection due to one of the reasons I have mentioned before or something else. We've been exchanging so many emails so far and you haven't checked what I've told you to.

I can't help you more with dialupadmin as I am not aware of its common configuration issues, if daloradius is an appropriate alternative for you I will be happy to assist you with it.

Regards,
Liran Tal.

On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
The exact error message on Dial Up Admin is cannot connect to sql database.

Well that's not too helpful now, is it? I'm not too familiar with dialupadmin, maybe someone else can donate his 2 cents if they had this problem as well. Like I said before, you should try debugging the problem by taking a look at log files instead of trying to guess the problem into discovery.

Some thoughts to think about:
- is this working if you run it from console?
  mysql -u freeradius -pmysuperpassword radius
- do you have the necessary php mysql package installed? (php4-mysql or php5-mysql)

Regards,
Liran Tal.

On 29/01/2008, Liran Tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 29, 2008 9:41 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
Where should I turn on the Logging, in which file? Could you let me know what files are involved to do logging.

Turning on the mysql logging is done in mysql's configuration file (on debian it's found at /etc/mysql/my.cnf).
Re: Logging from another PC
Yes. Use VLANs and port based authentication and they won't be able to do that. If they manually change IP address to a different VLAN connection will become unusable.

Ivan Kalik
Kaliki Informatika ISP

On 29/1/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi,

I have a question. When the user logs using own username and password into Radius server (ie, using 192.168.160.5), it is OK. When someone change IP address statically into logged IP (to 192.168.160.5), he can use the logged account. I mean he can use another one's account. How can I block another PC?

And I don't want the user logs often in one day. User must logs once in a day. That's why I don't want to put Idle-Timeout attribute. I'm using FreeRadius 2.0.1 with Cisco'BBSM 5.3.

Could you give some clarification for this?

Thanks
Re: deactivate ldap.attrmap
Sebastian Heil wrote:

... i added the following lines to the ldap-section: ...
rlm_ldap: could not start TLS Can't contact LDAP server

Maybe you need to check that there is an LDAP server listening on that port?

Alan DeKok.

thanks for your fast answer, alan. but i am afraid, this is not the solution... the ldap-server is listening and even responding to my ldap-request. i captured the communication between the freeradius and the edirectory with etherreal:

Someone any idea about the Encrypted Alert in no. 14??

Thanks.

No. Time     Source        Destination Protocol Info
1   0.00     radtestclient freeradius  RADIUS   Access-Request(1) (id=74, l=58)
3   0.000749 freeradius    edirectory  TCP      56302 ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
5   0.012986 edirectory    freeradius  TCP      ldaps 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
6   0.013057 freeradius    edirectory  TCP      56302 ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
7   0.013639 freeradius    edirectory  SSLv2    Client Hello
8   0.021887 edirectory    freeradius  TLSv1    Server Hello,
9   0.022035 freeradius    edirectory  TCP      56302 ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
10  0.030390 edirectory    freeradius  TLSv1    Certificate
11  0.030550 freeradius    edirectory  TCP      56302 ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
12  0.032263 freeradius    edirectory  TLSv1    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13  0.048990 edirectory    freeradius  TLSv1    Change Cipher Spec, Encrypted Handshake Message
14  0.049652 freeradius    edirectory  TLSv1    Encrypted Alert
15  0.049923 freeradius    edirectory  TCP      56302 ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
17  0.057441 edirectory    freeradius  TCP      ldaps 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
18  0.057774 edirectory    freeradius  TLSv1    Encrypted Alert
19  0.057807 freeradius    edirectory  TCP      56302 ldaps [RST] Seq=507 Len=0
20  0.057880 edirectory    freeradius  TCP      ldaps 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
21  0.057903 freeradius    edirectory  TCP      56302 ldaps [RST] Seq=507 Len=0
Re: Problems using EAP-TLS with freeradius version 2
Stefan Puch wrote:

Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began. The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't work on e.g. Windows Mobile 6 PDA.

You have to love Microsoft...

Hmm, most of the time I'm using Linux, but 90% of the others only have a Microsoft system :-(

The EAP-TLS code was substantially re-worked in 2.0.0. It was tested with Vista, XP SP1, XP SP2, Linux systems, MAC. It's working live in environments with many, many different OS's and architectures. So it *should* work.

I was afraid that someone says that, because I didn't believe that a new version would be released without testing. By the way, when you have tested so many different Windows systems you will have to Microsoft as well, won't you ;-)

ethereal packet traces of the RADIUS traffic would help. But I would first suggest trying to use the test certificates that come with 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that there is something special about the certificates you're using.

OK, then I will start with the provided certificates, well knowing that if then do work I will have to make new certificates for all current users... If the certificates that come with 2.0.1 also fail I will provide some ethereal packet traces.

Thanks for the quick response
Stefan Puch
RE: memory corruption when proxying accounting requests
I tried the latest snapshot freeradius-server-snapshot-20080130.tar.bz2 but this has the same problem.

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: 30 January 2008 10:35
To: FreeRadius users mailing list
Subject: Re: memory corruption when proxying accounting requests

Jørn Kostøl wrote:

Local auth and acct works fine, and proxying auth works. But as soon as I try to proxy accounting then Freeradius crashes.

The issue isn't proxying, but dealing with attributes that aren't in the dictionaries. Bug #514 was recently filed about this. The solution is in CVS. Grab the latest version of src/lib/valuepair.c, and it will be fixed. The file will work in 2.0.1 (if you re-build from source), or you can just install from CVS.

Alan DeKok.
Re: one RADIUS server per realm setup
Oh. Now I'm embarrassed. Thanks and sorry! :) -Josiah Alan DeKok wrote: # As of 2.0.0, FreeRADIUS supports a simple processing language # in the authorize, authenticate, accounting, etc. sections. # See man unlang for details. Alan DeKok. -- Wm. Josiah Erikson Computing Support School of Cognitive Science Hampshire College Amherst, MA 01002 (413) 559-6091
Re: memory corruption when proxying accounting requests
Jørn Kostøl wrote: I tried the latest snapshot freeradius-server-snapshot-20080130.tar.bz2 but this has the same problem. That's nice. Did you download it from CVS as instructed? The bug was fixed about 15 minutes before I sent my email. The fix is *not* in that snapshot. It *is* in CVS, as I said. Honestly, if you're told the fix is in a particular place, I don't understand why anyone would look for a fix anywhere else... Alan DeKok.
Re: deactivate ldap.attrmap
What struck me was that you need more attributes, but maybe I missed them: -cacertfile -certfile -keyfile -Josiah Sebastian Heil wrote: Sebastian Heil wrote: ... i added the following lines to the ldap-section: ... rlm_ldap: could not start TLS Can't contact LDAP server Maybe you need to check that there is an LDAP server listening on that port? Alan DeKok. thanks for your fast answer, alan. but i am afraid, this is not the solution... the ldap-server is listening and even responding to my ldap-request. i captured the communication between the freeradius and the edirectory with etherreal: Someone any idea about the Encrypted Alert in no. 14?? Thanks. - No. TimeSourceDestination Protocol Info 1 0.00radtestclient freeradius RADIUS Access-Request(1) (id=74, l=58) 3 0.000749freeradius edirectory TCP 56302 ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2 5 0.012986edirectory freeradius TCP ldaps 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676 6 0.013057freeradius edirectory TCP 56302 ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196 7 0.013639freeradius edirectory SSLv2Client Hello 8 0.021887edirectory freeradius TLSv1Server Hello, 9 0.022035freeradius edirectory TCP 56302 ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206 10 0.030390edirectory freeradius TLSv1Certificate 11 0.030550freeradius edirectory TCP 56302 ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215 12 0.032263freeradius edirectory TLSv1Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 13 0.048990edirectory freeradius TLSv1Change Cipher Spec, Encrypted Handshake Message 14 0.049652freeradius edirectory TLSv1Encrypted Alert 15 0.049923freeradius edirectory TCP 56302 ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237 17 0.057441edirectory freeradius TCP ldaps 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689 18 
0.057774edirectory freeradius TLSv1Encrypted Alert 19 0.057807freeradius edirectory TCP 56302 ldaps [RST] Seq=507 Len=0 20 0.057880edirectory freeradius TCP ldaps 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689 21 0.057903freeradius edirectory TCP 56302 ldaps [RST] Seq=507 Len=0 -- Wm. Josiah Erikson Computing Support School of Cognitive Science Hampshire College Amherst, MA 01002 (413) 559-6091
Re: sql accounting - no records - 2.0.1 RESOLVED
I expected to see some traffic too soon, now it's coming... but where are the accounting queries? Andrew On Jan 30, 2008 8:52 AM, Andrew Long [EMAIL PROTECTED] wrote: I've just installed 2.0.1 on CentOS 5 with MySQL 5.x. I can get the clients to authenticate and I see accounting requests come in, also I see the accounting query as it should be updated to mysql, i.e., expand: UPDATE radacct I also see the accounting response returned to the client, but no accounting records are being updated in radacct table. There are no errors in debug mode relevent to mysql: rlm_sql (sql): received Acct On/Off packet expand: %{Acct-Delay-Time} - 0 expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime= unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctsessiontime = 0 AND acctstoptime = NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime = '%S' - UPDATE radacct SET acctstoptime = '2008-01-30 07:45:06', acctsessiontime= unix_timestamp('2008-01-30 07:45:06') - unix_timestamp(acctstarttime), acctterminatecause = '', acctstopdelay = 0 WHERE acctsessiontime = 0 AND acctstoptime = NULL AND nasipaddress = '141.xxx.xxx.xxx' AND acctstarttime = '2008-01-30 07:45:06' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok expand: %{User-Name} - elmaroma_cn3000 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 33 to 141.xxx.xxx.xxx port 1025 I have tried this with 2 different clients and get the same NULL result. Authentication is fine, but any features relying on data in radacct clearly won't work, ie session-timout... I've checked the default config, and all accounting is set to sql. The one oddity I notice is that default has: # See Accounting queries in sql.conf sql But I can see no accounting queries anywhere in the provided sql.conf ?? 
Thank You. Andrew Long EWS Solutions
RE: memory corruption when proxying accounting requests
Sorry! The CVS fixed the problem. Thanks!

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: 30 January 2008 15:21
To: FreeRadius users mailing list
Subject: Re: memory corruption when proxying accounting requests

Jørn Kostøl wrote:

I tried the latest snapshot freeradius-server-snapshot-20080130.tar.bz2 but this has the same problem.

That's nice. Did you download it from CVS as instructed? The bug was fixed about 15 minutes before I sent my email. The fix is *not* in that snapshot. It *is* in CVS, as I said. Honestly, if you're told the fix is in a particular place, I don't understand why anyone would look for a fix anywhere else...

Alan DeKok.
Re: deactivate ldap.attrmap
On Wednesday 30 January 2008, Sebastian Heil wrote:

Sebastian Heil wrote: ... i added the following lines to the ldap-section: ... rlm_ldap: could not start TLS Can't contact LDAP server

It doesn't seem that your TLS is well initiated. I don't think it is an ldap or freeradius issue. In a first time, perhaps you could try your conf without the TLS tunnel.

14 0.049652freeradius edirectory TLSv1 Encrypted Alert
Re: Problems using EAP-TLS with freeradius version 2
Stefan Puch wrote on 30.01.2008 11:13:

Hello everyone, I've got some problems with the new version of freeradius, but before I'm going to open a new bugreport or post long debugtraces from radiusd -X I want to ask here if someone else has made similar experiences. I've set up a freeradius server version 1.1.7 in our club to authenticate several Notebooks. This worked fine with Windows XP, Windows Vista and Linux clients using EAP-TLS certificates (many thanks for the good documentation of the OIDs in the TLS certificate). Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.

We know of problems with EE certificates in PDAs containing the non-repudiation flag. Additionally Windows built-in supplicants don't like EE certificates with the extendedKeyUsage Microsoft Smartcard Logon (1.3.6.1.4.1.311.20.2.2) when doing EAP-TLS. Apparently the latter issue can also be solved by just disabling the valid certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted usages properties on the system.

-- 
Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
15 years of DFN-CERT + 15th DFN Workshop "Security in Networked Systems" on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
-- 
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
FR2: combining round-robin and fail-over home server pools
Hello,

I am in the process of configuring FreeRADIUS 2.0.1. For some realms we proxy the authentication request to three other servers (svr-1, svr-2, svr-3). However, what we wanted was to, in effect, round-robin two of the servers (svr-1 and svr-2), and then only use the third server (svr-3) if the other two were not available.

I have configured the proxy.conf 'home_server_pool's as:

    home_server_pool local_IAS {
        type = client-port-balance
        home_server = svr-1
        home_server = svr-2
    }

    home_server_pool local_proxies {
        type = fail-over
        home_server = local_IAS
        home_server = svr-3
    }

Note that 'local_IAS' is actually a home_server_pool name, and not an actual home server. I was then going to configure FR to use 'local_proxies' for the relevant realms. However, starting FR gives an error:

    /usr/local/etc/raddb/proxy.conf[87]: Unknown home_server local_IAS.

Anyone any ideas how to mix round-robin servers with fail-over?

Thanks, John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
Fax: +44 (0)1752 233839
Re: sql accounting - no records - 2.0.1 RESOLVED
Hi Andrew, in mysql.conf, there should be another file included: $INCLUDE sql/${database}/dialup.conf So, in your case that would be $INCLUDE sql/mysql/dialup.conf There you should find several accounting queries. JB Andrew Long (30.01.2008 15:49): I expected to see some traffic too soon, now it's coming... but where are the accounting queries? Andrew On Jan 30, 2008 8:52 AM, Andrew Long [EMAIL PROTECTED] wrote: I've just installed 2.0.1 on CentOS 5 with MySQL 5.x. I can get the clients to authenticate and I see accounting requests come in, also I see the accounting query as it should be updated to mysql, i.e., expand: UPDATE radacct I also see the accounting response returned to the client, but no accounting records are being updated in radacct table. There are no errors in debug mode relevent to mysql: rlm_sql (sql): received Acct On/Off packet expand: %{Acct-Delay-Time} - 0 expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime= unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctsessiontime = 0 AND acctstoptime = NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime = '%S' - UPDATE radacct SET acctstoptime = '2008-01-30 07:45:06', acctsessiontime= unix_timestamp('2008-01-30 07:45:06') - unix_timestamp(acctstarttime), acctterminatecause = '', acctstopdelay = 0 WHERE acctsessiontime = 0 AND acctstoptime = NULL AND nasipaddress = '141.xxx.xxx.xxx' AND acctstarttime = '2008-01-30 07:45:06' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok expand: %{User-Name} - elmaroma_cn3000 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 33 to 141.xxx.xxx.xxx port 1025 I have tried this with 2 different clients and get the same NULL result. 
Authentication is fine, but any features relying on data in radacct clearly won't work, ie session-timeout... I've checked the default config, and all accounting is set to sql. The one oddity I notice is that default has: # See Accounting queries in sql.conf sql But I can see no accounting queries anywhere in the provided sql.conf ?? Thank You. Andrew Long EWS Solutions
need help in using free radius
Hi,

When I first run the free Radius using the command radtest test test localhost 0 testing123 i found the following errors. Please help

rad_recv: Access-Request packet from host 127.0.0.1 port 32775, id=80, length=56
    User-Name = test
    User-Password = test
    NAS-IP-Address = 192.168.1.227
    NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 80 to 127.0.0.1 port 32775
Waking up in 4.9 seconds.
Cleaning up request 0 ID 80 with timestamp +31
Ready to process requests.

With Regards,
Elangbam Johnson
Re: need help in using free radius
How do you want it to authenticate? Is there a username/password pair somewhere of test/test or just you did expect it to work that way out of the box for some reason? I think it did what it was supposed to - it checked a bunch of different authentication methods and didn't find a username/password of test/test anywhere.

The simplest way to get this to work would be to create an account test with the password test on the local box, assuming you're using a UNIX machine. It checked the unix modules, which will check your local passwd/shadow file, so that should work.

-Josiah

johnson elangbam wrote:

Hi, When I first run the free Radius using the command radtest test test localhost 0 testing123 i found the following errors. Please help

rad_recv: Access-Request packet from host 127.0.0.1 port 32775, id=80, length=56
    User-Name = test
    User-Password = test
    NAS-IP-Address = 192.168.1.227
    NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 80 to 127.0.0.1 port 32775
Waking up in 4.9 seconds.
Cleaning up request 0 ID 80 with timestamp +31
Ready to process requests.

With Regards,
Elangbam Johnson

-- 
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
Re: need help in using free radius
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

So, where is your password stored?

Ivan Kalik
Kalik Informatika ISP
Setting radiusd user/cert permissions in Mac OSX
Good afternoon,

When setting user/group to nobody in radiusd.conf, I get some permissions problems with loading the certs and just wanted to know how to properly set them to avoid this:

rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /opt/local/etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls

Thanks for answering the, no doubt, simplest of questions !

Jim

P.S: The above output is from testing with radiusd -X

___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com
2.0.1 Segfault
Hi, I know that this post may not contain all of the required information, this is just to get things going while I investigate further. I have had a problem with FreeRADIUS segfaulting intermittently for a number of months which makes it hard to gather the required information. The only thing that I found in all cases was the numerous, empty Cisco-AVPair's in the packet. With it being a segfault I suspect accessing a null pointer somewhere. I have captured a packet that is causing this to occur and sure enough it contains the numerous, empty Cisco-AVPair's. I have started it in gdb now, the output of bt is below. rad_recv: Accounting-Request packet from host w.x.y.z port 2903, id=213, length=362 Service-Type = Framed-User Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = Cisco-AVPair = NAS-Port-Type = Async Connect-Info = 3120 Calling-Station-Id = NPANXX X-Ascend-PreSession-Time = 41 X-Ascend-Disconnect-Cause = Remote-End-Hung-Up Acct-Session-Id = 4E39 Acct-Session-Time = 114 Framed-IP-Address = W.X.Y.Z Acct-Link-Count = 1 Acct-Authentic = RADIUS User-Name = [EMAIL PROTECTED] NAS-Port = 1060 Called-Station-Id = yyy Framed-Protocol = PPP Acct-Terminate-Cause = User-Request Acct-Input-Packets = 53 Acct-Output-Packets = 39 X-Ascend-Data-Rate = 26400 Acct-Delay-Time = 0 Acct-Input-Octets = 1431 Login-Service = PortMaster Acct-Output-Octets = 9084 X-Ascend-Modem-SlotNo = 6 X-Ascend-Xmit-Rate = 31200 Acct-Status-Type = Stop Segmentation fault 0x40297d8f in memcpy () from /lib/libc.so.6 (gdb) bt #0 0x40297d8f in memcpy () from /lib/libc.so.6 #1 0x400289c1 in rad_attr2vp (packet=0x8177678, original=0x0, secret=0x8169168 secret, attribute=90, length=0, data=0x817887c \004\006\n\001\001\226x\006\001\005) at radius.c:1953 #2 0x40028df4 in rad_decode (packet=0x8177678, 
original=0x0, secret=0x8169168 secret) at radius.c:2386 #3 0x080539d4 in client_socket_decode (listener=0x8174960, request=0x8178898) at listen.c:697 #4 0x0805faab in request_pre_handler (request=0x8178898) at event.c:995 #5 0x08061e2d in radius_handle_request (request=0x8178898, fun=0x804d2b0 rad_accounting) at event.c:2701 #6 0x0805ad21 in thread_pool_addrequest (request=0x, fun=0x8179f04) at threads.c:860 #7 0x08061510 in event_socket_handler (xel=0x8174f98, fd=13, ctx=0x8179f04) at event.c:2340 #8 0x40030c23 in fr_event_loop (el=0x8174f98) at event.c:412 #9 0x08061e03 in radius_event_process () at event.c:2696 #10 0x0805968f in main (argc=2, argv=0x2) at radiusd.c:381 #11 0x4022fd06 in __libc_start_main () from /lib/libc.so.6 I *think* that the problem might be the length=0 in the call to rad_attr2vp(). If that is the case then something like: if (length = 0) return NULL; at line 1928 or so of radius.c might resolve the problem. Before I go ahead and make that addition, am I on the right page or way off in left field on this? Michael -- Michael J. Hartwick, VE3SLQ [EMAIL PROTECTED] Hartwick Communications Consulting (519) 396-7719 Kincardine, ON, CA http://www.hartwick.com -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
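The report above suspects that a zero `length` reaching the attribute decoder is what ends in the `memcpy()` crash. As an added illustration (this is not FreeRADIUS code and not the fix the project applied), the C sketch below walks the attributes of a RADIUS packet, validates every length field before any copy, and accepts an empty value such as the empty Cisco-AVPair entries as legal. The names `walk_attrs`, `attr_t` and the `SAMPLE` packet are constructed for this example, and vendor-specific attributes are assumed to use the type/length sub-attribute layout recommended by RFC 2865.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAD_HDR_LEN      20   /* code, id, length (2), authenticator (16) */
#define ATTR_VENDOR_SPEC 26
#define MAX_VALUE_LEN    253  /* 255 minus the 2-byte type/length header */

enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_BAD_LENGTH = -2, WALK_TOO_MANY = -3 };

typedef struct {
    uint32_t vendor;               /* 0 for standard attributes */
    uint8_t  type;                 /* attribute type, or vendor sub-type */
    size_t   len;                  /* value length; 0 is legal */
    uint8_t  value[MAX_VALUE_LEN];
} attr_t;

/* Store one value. len is always an already-validated, unsigned count, so the
 * copy can never be asked for a wrapped-around "negative" size. */
static int store(attr_t *out, size_t max_out, size_t *n, size_t *n_empty,
                 uint32_t vendor, uint8_t type, const uint8_t *val, size_t len)
{
    if (*n >= max_out) return WALK_TOO_MANY;
    if (len > MAX_VALUE_LEN) return WALK_BAD_LENGTH;
    attr_t *a = &out[*n];
    a->vendor = vendor;
    a->type = type;
    a->len = len;
    if (len > 0) memcpy(a->value, val, len);
    else (*n_empty)++;             /* empty value: record it, copy nothing */
    (*n)++;
    return WALK_OK;
}

/* Vendor-Specific value: 4-byte vendor id, then type/length/value sub-attributes. */
static int walk_vsa(const uint8_t *val, size_t vlen, attr_t *out, size_t max_out,
                    size_t *n, size_t *n_empty)
{
    if (vlen < 4) return WALK_BAD_LENGTH;
    uint32_t vendor = ((uint32_t)val[0] << 24) | ((uint32_t)val[1] << 16) |
                      ((uint32_t)val[2] << 8) | val[3];
    const uint8_t *p = val + 4;
    size_t left = vlen - 4;
    while (left > 0) {
        if (left < 2) return WALK_BAD_LENGTH;
        size_t slen = p[1];        /* includes the 2-byte sub-header */
        if (slen < 2 || slen > left) return WALK_BAD_LENGTH;
        int rc = store(out, max_out, n, n_empty, vendor, p[0], p + 2, slen - 2);
        if (rc != WALK_OK) return rc;
        p += slen;
        left -= slen;
    }
    return WALK_OK;
}

int walk_attrs(const uint8_t *pkt, size_t pkt_len, attr_t *out, size_t max_out,
               size_t *n, size_t *n_empty)
{
    *n = 0;
    *n_empty = 0;
    if (pkt_len < RAD_HDR_LEN) return WALK_TRUNCATED;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];   /* length from the header */
    if (total < RAD_HDR_LEN || total > pkt_len) return WALK_TRUNCATED;

    const uint8_t *p = pkt + RAD_HDR_LEN;
    size_t left = total - RAD_HDR_LEN;
    while (left > 0) {
        if (left < 2) return WALK_TRUNCATED;
        size_t alen = p[1];        /* includes the 2-byte attribute header */
        if (alen < 2 || alen > left) return WALK_BAD_LENGTH;
        int rc = (p[0] == ATTR_VENDOR_SPEC)
                   ? walk_vsa(p + 2, alen - 2, out, max_out, n, n_empty)
                   : store(out, max_out, n, n_empty, 0, p[0], p + 2, alen - 2);
        if (rc != WALK_OK) return rc;
        p += alen;
        left -= alen;
    }
    return WALK_OK;
}

/* Constructed sample: Accounting-Request with three empty Cisco-AVPair VSAs. */
static const uint8_t SAMPLE[56] = {
    0x04, 0xd5, 0x00, 0x38,                          /* code 4, id 213, length 56 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* authenticator (zeroed) */
    0x06, 0x06, 0x00, 0x00, 0x00, 0x02,              /* Service-Type = Framed-User */
    0x1a, 0x08, 0x00, 0x00, 0x00, 0x09, 0x01, 0x02,  /* vendor 9, sub-type 1, empty */
    0x1a, 0x08, 0x00, 0x00, 0x00, 0x09, 0x01, 0x02,
    0x1a, 0x08, 0x00, 0x00, 0x00, 0x09, 0x01, 0x02,
    0x28, 0x06, 0x00, 0x00, 0x00, 0x02               /* Acct-Status-Type = Stop */
};

int main(void)
{
    attr_t out[16];
    size_t n, empty;
    int rc = walk_attrs(SAMPLE, sizeof SAMPLE, out, 16, &n, &empty);
    printf("rc=%d attributes=%zu empty=%zu\n", rc, n, empty);
    return rc == WALK_OK ? 0 : 1;
}
```

A length byte below 2 (including 0) is rejected before any subtraction, which is the check that keeps `alen - 2` from wrapping around to a huge copy size.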
anyone provide consulting services to setup a radius server?
Very simple setup - 1 server - novell suse enterprise 10.0, 1 nas - Lucent TNT, 700 or so users - all dialup. Would like to use a mysql database to store usernames and passwords and use the freeradius dialupadmin web tool for management of users. NAS is currently authenticating against a remote freeradius server that just uses unix passwd/shadow files. If anyone is interested in some light consulting work to do this, please let me know. Thanks -- Chad Whitten Metro Network Solutions (601) 366-6630 Phone (601) 366-6066 Fax (601) 842-6804 Cellular (601) 519-4172 Pager [EMAIL PROTECTED]
Re: Setting radiusd user/cert permissions in Mac OSX
You could, as an account with sudo privs (administrator), from Terminal, type:

    sudo chown nobody /opt/local/etc/raddb/certs/server.pem

or

    sudo chown -R nobody /opt/local/etc/raddb

to change the ownership of that entire directory to nobody.

HOWEVER: Nobody is not a secure system account. I would set up a new account for freeradius and have the server run under that, and set permissions on those files/folders for only that user. Letting the nobody user read those files might not be a good idea.

-Josiah

Info wrote:

Good afternoon, When setting user/group to nobody in radiusd.conf, I get some permissions problems with loading the certs and just wanted to know how to properly set them to avoid this:

rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /opt/local/etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls

Thanks for answering the, no doubt, simplest of questions ! Jim

P.S: The above output is from testing with radiusd -X

___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com

-- 
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
pap Cleartext-Password, sql etc...
When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following:

rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type CHAP
!!! !!!Replacing User-Password in config items with Cleartext-Password. !!! !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!
auth: type CHAP
+- entering group CHAP
rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
rlm_chap: Using clear text password aromaescape for user elmaroma_cn3000 authentication.
rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
++[chap] returns ok

If I change the attribute to `Cleartext-Password', authentication fails and I see:

rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
+- entering group CHAP
rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
rlm_chap: Cleartext-Password is required for authentication
++[chap] returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)

The users file
--
DEFAULT Fall-Through = 1

DEFAULT Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 576,
    Service-Type = Framed-User,
    Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
-
authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap}
authenticate { pap chap mschap}

Thanks muchly,
Andrew Long
EWS
Re: pap Cleartext-Password, sql etc...
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:

If I change the attribute to `Cleartext-Password', authentication fails and I see:

rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
+- entering group CHAP
rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
rlm_chap: Cleartext-Password is required for authentication
++[chap] returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)

Thanks muchly, Andrew Long EWS

Can you run the radcheck query manually and post the output? Is the operator correct? Does it do the same thing when you move the SQL entry to the users file and make the same attribute name changes?

Kevin Bonner
Re: trouble seting up freeradius :((
SnahaD00 wrote:

When I issue command freeradius -x i got this:

rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

The password you put in the configuration file is not the same as the password used to create the private key. Alan DeKok.

Ok. Got this part working. Now another thing or two:
- installing certificates on windows xp box ?
- creating my own certificate - how to or better walk through ?

Snaha
Re: cannot connect to sql databse
Thanks Liran

On 30/01/2008, Liran Tal [EMAIL PROTECTED] wrote:

On Jan 30, 2008 10:42 AM, Devinder Singh [EMAIL PROTECTED] wrote:

I have hard times with Dial Up Admin. Should i proceed with daloradius, do i install in srv/www folder like dial up

Yes you install it wherever you usually place your web projects on your distribution which is configured with apache. Please let's continue this discussion in a new thread, the daloradius mailing list or on the irc channel #daloradius on freenode.

Regards, Liran Tal.

On 28/01/2008, liran tal [EMAIL PROTECTED] wrote:

Hey Devinder,

On Jan 28, 2008 4:35 AM, Devinder Singh [EMAIL PROTECTED] wrote:

Hi, I am using Dial Up Admin on Free radius. Free Radius is Running but when i access Dial Up admin page i get cannot connect to sql database. I have done most of the configuration settings and followed the wiki tutorial on Free Radius.

Did you check that your sql server is actually running? Did you import the radius database schema into the sql server? Did you configure all the required settings to connect to the sql server in dialupadmin?

You also might want to take a look at daloRADIUS for easy web management of freeradius with sql servers: http://sourceforge.net/projects/daloradius/

Regards, Liran.

-- 
Devinder
Re: pap Cleartext-Password, sql etc...
Can you post users entry in the database. It's quite likely that you left == as the operator instead of using :=.

Ivan Kalik
Kalik Informatika ISP

On 30/1/2008, Andrew Long [EMAIL PROTECTED] wrote:

When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following: rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!! !!!Replacing User-Password in config items with Cleartext-Password. !!! !!! !!! Please update your configuration so that the known good !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!! auth: type CHAP +- entering group CHAP rlm_chap: login attempt by elmaroma_cn3000 with CHAP password rlm_chap: Using clear text password aromaescape for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok

If I change the attribute to `Cleartext-Password', authentication fails and I see: rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type CHAP +- entering group CHAP rlm_chap: login attempt by elmaroma_cn3000 with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)

The users file
--
DEFAULT Fall-Through = 1

DEFAULT Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 576,
    Service-Type = Framed-User,
    Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
-
authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap}
authenticate { pap chap mschap}

Thanks muchly,
Andrew Long
EWS
Re: pap Cleartext-Password, sql etc...
With attribute `User-Password' and op = `==' we get this:

rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
rlm_sql (sql): User found in radcheck table

mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id;
+-----+------------------+---------------+--------------+----+
| id  | username         | attribute     | value        | op |
+-----+------------------+---------------+--------------+----+
| 409 | mainaroma_cn3200 | User-Password | nicepassword | == |
+-----+------------------+---------------+--------------+----+
1 row in set (0.01 sec)

Now, with `op' = `:=' rather than `==' as Ivan suggests : we see the same error...

rad_check_password: Found Auth-Type CHAP
!!! !!!Replacing User-Password in config items with Cleartext-Password. !!! !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!
auth: type CHAP
+- entering group CHAP
rlm_chap: login attempt by mainaroma_cn3200 with CHAP password
rlm_chap: Using clear text password aromaescape for user mainaroma_cn3200 authentication.
rlm_chap: chap user mainaroma_cn3200 authenticated succesfully
++[chap] returns ok

The only difference is that when I use `:=' there are two access-requests from the host and two access-accepts: access-request id 40 -- access-accept id 40 and then immediately access-request id 160 -- access-accept id 160. None of this is in users file; we pass the info from sql.

Andrew
EWS Solutions

===

On Jan 30, 2008 5:21 PM, Kevin Bonner [EMAIL PROTECTED] wrote:

On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:

If I change the attribute to `Cleartext-Password', authentication fails and I see: rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type CHAP +- entering group CHAP rlm_chap: login attempt by elmaroma_cn3000 with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92) Thanks muchly, Andrew Long EWS 2008/1/30 Ivan Kalik [EMAIL PROTECTED]: Can you post users entry in the database. it's quite likely that you left == as the operator instead of using :=. Ivan Kalik Kalik Informatika ISP Dana 30/1/2008, Andrew Long [EMAIL PROTECTED] piše: When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following: rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!! !!!Replacing User-Password in config items with Cleartext-Password. !!! !!! !!! Please update your configuration so that the known good !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!! auth: type CHAP +- entering group CHAP rlm_chap: login attempt by elmaroma_cn3000 with CHAP password rlm_chap: Using clear text password aromaescape for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok If I change the attribute to `Cleartext-Password', authentication fails and I see: rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type CHAP +- entering group CHAP rlm_chap: login attempt by elmaroma_cn3000 with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. 
Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92) The users file
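Why rlm_chap reports "Cleartext-Password is required for authentication" in the logs above: a CHAP response is an MD5 over the identifier, the password itself and the challenge (RFC 1994), so the server can only recompute it when it holds the password in recoverable form. The Python sketch below is an added example, not code from this thread or from FreeRADIUS; the function names, the dictionary layout and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

MD5_LEN = 16


def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5 over the identifier octet, the password itself and the challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(request, authenticator, check_items):
    """Mirror the rlm_chap outcomes seen in the logs: 'ok', 'reject' or 'invalid'.

    request       -- attributes of the Access-Request (name -> bytes)
    authenticator -- the 16-octet Request Authenticator of the packet
    check_items   -- the user's radcheck rows (attribute -> bytes)
    """
    attr = request.get("CHAP-Password", b"")
    if len(attr) != 1 + MD5_LEN:
        return "invalid"
    password = check_items.get("Cleartext-Password")
    if password is None:
        # A stored digest cannot stand in: the MD5 input needs the password
        # octets, so there is nothing to compare the response against.
        return "invalid"
    # RFC 2865 section 5.3: the challenge is the CHAP-Challenge attribute if
    # the NAS sent one, otherwise the Request Authenticator.
    challenge = request.get("CHAP-Challenge", authenticator)
    expected = chap_response(attr[0], password, challenge)
    return "ok" if hmac.compare_digest(expected, attr[1:]) else "reject"


def nas_request(chap_id, typed_password, send_challenge=True):
    """Constructed NAS side: build the attributes a CHAP login would carry."""
    authenticator = os.urandom(16)
    request = {}
    challenge = authenticator
    if send_challenge:
        challenge = os.urandom(16)
        request["CHAP-Challenge"] = challenge
    request["CHAP-Password"] = bytes([chap_id]) + chap_response(
        chap_id, typed_password, challenge)
    return request, authenticator


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample value
    req, auth = nas_request(40, secret)
    rows = [
        {"Cleartext-Password": secret},
        {"MD5-Password": hashlib.md5(secret).digest()},
        {"Cleartext-Password": b"something-else"},
    ]
    for row in rows:
        print(sorted(row)[0], "->", verify_chap(req, auth, row))
```

The design consequence for anyone running CHAP: the password column in radcheck is as sensitive as the passwords themselves, so access to that table and its backups needs to be restricted accordingly.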
RE: radiusd service do not start [SEC=UNCLASSIFIED]
UNCLASSIFIED

From: [EMAIL PROTECTED] g [mailto:[EMAIL PROTECTED] adius.org] On Behalf Of Nicolas
Sent: Thursday, 31 January 2008 03:04
To: freeradius-users@lists.freeradius.org
Subject: radiusd service do not start

> Hi, I installed freeradius to manage the wifi network of our organization (17 wifi ap). It works well when launched in command line (radiusd -X), but I can't make it work as a service, 'Service radiusd start' seems to work, but radius close immediately after, so a status will say that radiusd is dead, but subsys is locked.

That indicates a permissions problem. When you run radiusd -X it runs as root. When you start as a service it switches to the user specified in radiusd.conf, usually radiusd. Try:

strace -f -e open,stat radiusd

and look for lines with EPERM indicating files that failed to open because of permission fails. These will probably be owned by root.

regards,
Frank Ranner

Classification=UNCLASSIFIED Precedence=ROUTINE

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
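A static complement to the strace run suggested above, as an added example (not code from this thread or from FreeRADIUS): it checks the mode bits of each file and of its parent directories against the account the service drops to, and also flags a private key that "other" can read. The account name nobody and the file paths are taken from the radiusd -X output in the original post; the function names and the `base` parameter are assumptions of this sketch, and it should be run as root so that every path can be inspected.

```python
import grp
import os
import pwd
import sys

# Files named in the radiusd -X output posted in this thread.
PATHS = [
    "/etc/raddb/clients.conf",
    "/etc/raddb/eap.conf",
    "/etc/raddb/users",
    "/etc/raddb/certs/wifi.dasilva.int.pem",
    "/etc/raddb/certs/root.pem",
]
PRIVATE_KEYS = ["/etc/raddb/certs/wifi.dasilva.int.pem"]


def allowed(st, uid, gids, bit):
    """Classic owner/group/other check; ACLs, SELinux and capabilities are ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & bit)
    if st.st_gid in gids:
        return bool((st.st_mode >> 3) & bit)
    return bool(st.st_mode & bit)


def audit(paths, uid, gids, base="/", private_keys=()):
    """Return (path, problem) pairs for the account given by uid and gids.

    Directories from base down to each file need search (x) permission and
    the file itself needs read (r). A private key readable by "other" is
    flagged too, so that a permission fix does not end in chmod 644 on it.
    """
    findings = []
    base = os.path.abspath(base)
    keys = {os.path.abspath(p) for p in private_keys}
    for path in map(os.path.abspath, paths):
        dirs, d = [], os.path.dirname(path)
        while True:  # collect parent directories up to base
            dirs.append(d)
            if d == base or os.path.dirname(d) == d:
                break
            d = os.path.dirname(d)
        try:
            blocked = [d for d in reversed(dirs)
                       if not allowed(os.stat(d), uid, gids, 1)]
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if blocked:
            findings.append((path, "no search permission on " + blocked[0]))
        elif not allowed(st, uid, gids, 4):
            findings.append((path, "not readable by service user"))
        elif path in keys and st.st_mode & 0o004:
            findings.append((path, "private key is world-readable"))
    return findings


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        sys.exit("no such account: " + user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for path, problem in audit(PATHS, pw.pw_uid, gids, private_keys=PRIVATE_KEYS):
        print(path + ": " + problem)
```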
RE: Issue reading from detail to sql (buffered-sql virtual server)
I've done some more digging as to why the database only gets one update..

With no detail or detail.work file, freeradius will wake up every 1 second to check for creation - when it gets updated, it puts it into the database fine. However it never deletes or changes the detail.work file - so when I send a second accounting packet, it will go into the detail file without a problem (and will be the only packet in the file) but detail.work seems to be locked with the first packet. No matter how many packets I send it detail.work always sticks with the first packet, and nothing ever gets written to the database.

The problem was originally with 2.0.0, I have tried with the latest CVS with no luck either.

The end of the debug for the virtual server which does the DB writing is below, nothing ever shows up after the last line:

rlm_sql (sql_logger1): Reserving sql socket id: 13
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql_logger1): Released sql socket id: 13
++[sql_logger1] returns ok
++[ok] returns ok
} # server local_logger
RTT 38420 delay 153680
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Cleaning up request 0 ID 37069 with timestamp +20
Ready to process requests.

Any help would be appreciated, thanks!

Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] s.org] On Behalf Of Nick Freeman
Sent: Wednesday, January 30, 2008 10:06 AM
To: freeradius-users@lists.freeradius.org
Subject: Issue reading from detail to sql (buffered-sql virtual server)

Hi,

I'm trying to get my detail file picked up by multiple virtual servers and relayed to multiple PostgreSQL backends. The detail file writes fine, however the detail reader will only ever write one entry to the Postgres DB when it starts.

The config I have for the virtual server in question is below:

server local_logger {
    listen {
        type = detail
        filename = ${radacctdir}/detail
        load_factor = 20
    }
    preacct {
        preprocess
        acct_unique
        files
    }
    accounting {
        sql_logger1
    }
}

I have verified that sql_logger1 isn't the problem, if I put that after the detail directive in another virtual server data gets written to the database every time. It looks like my local_logger never picks anything up (except once on startup).

Looking at server starting in debug mode I see this:

listen {
    type = detail
    listen {
        filename = /var/log/freeradius/radacct/detail
        load_factor = 20
    }
}

Is this normal? The listen directive is in the same format as the other virtual servers but this is the only one which has nested listens in the server startup.

Thanks in advance,
Nick
Re: Problems using EAP-TLS with freeradius version 2
Stefan Puch wrote:

> Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile 6 (WM6) and the problems began. The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't work on e.g. Windows Mobile 6 PDA.

You have to love Microsoft...

> With the new version 2.0.1 the Windows and Linux Laptops are not able to authenticate any more with the freeradius server (the certificates are still the same). The server sends an ACCESS, but the behavior is like described in the FAQ PEAP or EAP-TLS Doesn't Work with a Windows machine. Downgrading to the previous version of freeradius 1.1.7 makes them work again, freeradius version 2.0.0 doesn't work either.

The EAP-TLS code was substantially re-worked in 2.0.0. It was tested with Vista, XP SP1, XP SP2, Linux systems, MAC. It's working live in environments with many, many different OS's and architectures. So it *should* work.

> So, what would be helpful to analyze the problem? All config files or just the output from radiusd -X from both versions in order to make a diff or should I open a new bug in the tracking system as well?

ethereal packet traces of the RADIUS traffic would help. But I would first suggest trying to use the test certificates that come with 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that there is something special about the certificates you're using.

Alan DeKok.
Re: cannot connect to sql databse
On Jan 30, 2008 10:41 AM, Devinder Singh [EMAIL PROTECTED] wrote:

> Yes, I can access mysql from CLI

Did you try to create another mysql user account for dialupadmin and give him the correct rights on the radius database?
sql accounting - no records - 2.0.1
I've just installed 2.0.1 on CentOS 5 with MySQL 5.x. I can get the clients to authenticate and I see accounting requests come in, also I see the accounting query as it should be updated to mysql, i.e.,

expand: UPDATE radacct

I also see the accounting response returned to the client, but no accounting records are being updated in radacct table. There are no errors in debug mode relevant to mysql:

rlm_sql (sql): received Acct On/Off packet
expand: %{Acct-Delay-Time} -> 0
expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime= unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctsessiontime = 0 AND acctstoptime = NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime = '%S' -> UPDATE radacct SET acctstoptime = '2008-01-30 07:45:06', acctsessiontime= unix_timestamp('2008-01-30 07:45:06') - unix_timestamp(acctstarttime), acctterminatecause = '', acctstopdelay = 0 WHERE acctsessiontime = 0 AND acctstoptime = NULL AND nasipaddress = '141.xxx.xxx.xxx' AND acctstarttime = '2008-01-30 07:45:06'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
expand: %{User-Name} -> elmaroma_cn3000
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 33 to 141.xxx.xxx.xxx port 1025

I have tried this with 2 different clients and get the same NULL result. Authentication is fine, but any features relying on data in radacct clearly won't work, i.e. session-timeout...

I've checked the default config, and all accounting is set to sql. The one oddity I notice is that default has:

# See Accounting queries in sql.conf
sql

But I can see no accounting queries anywhere in the provided sql.conf ??

Thank You.
Andrew Long
EWS Solutions
Problems using EAP-TLS with freeradius version 2
Hello everyone,

I've got some problems with the new version of freeradius, but before I'm going to open a new bugreport or post long debugtraces from radiusd -X I want to ask here if someone else has made similar experiences.

I've set up a freeradius server version 1.1.7 in our club to authenticate several Notebooks. This worked fine with Windows XP, Windows Vista and Linux clients using EAP-TLS certificates (many thanks for the good documentation of the OIDs in the TLS certificate).

Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile 6 (WM6) and the problems began. The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't work on e.g. Windows Mobile 6 PDA.

So first I updated the freeradius version to the latest release (2.0.1), checked and modified all configuration files and so on, but that didn't solve the problem, it made them worse. With the new version 2.0.1 the Windows and Linux Laptops are not able to authenticate any more with the freeradius server (the certificates are still the same). The server sends an ACCESS, but the behavior is like described in the FAQ PEAP or EAP-TLS Doesn't Work with a Windows machine. Downgrading to the previous version of freeradius 1.1.7 makes them work again, freeradius version 2.0.0 doesn't work either.

Does anyone of the experts here know what could be the problem (a guess, perhaps what changed from version 1.1.7 to version 2.0.1)?

My goal is first to make the clients using Windows XP, Vista and Linux work again with freeradius version 2 and EAP-TLS. After fixing that it would be fine, if freeradius would also work with the different Windows Mobile systems.

So, what would be helpful to analyze the problem? All config files or just the output from radiusd -X from both versions in order to make a diff or should I open a new bug in the tracking system as well?

I would like to provide USEFUL debug-traces, so that it is easier for the experts to solve the problem and not too much work for me when providing useless information.

Best regards and thanks in advance
Stefan Puch
Problem with XP Clients
Hello,

I recently set up freeradius 1.1.7 to run an EAP-TLS authentication. My clients run on windows xp pro sp2, with microsoft hotfixes to be able to use WPA2 and EAP. Encryption is WPA2-AES. All certificates (root and client) are installed in the computer storage and in the user storage, as documented on the Internet (root in trusted, client in personal).

When I log in with an administrator account, everything works fine. When I log in with a domain user account, I can't access the network. A look at freeradius logs shows that it authenticates every 1 second, so the network connection does not stay up ... All access requests are accepted.

Does anyone of you have an idea of what's happening?

Regards,

--
Hospices Civils de Beaune
Patrice OLIVER
City-Hospital Project Manager
Network and Security Manager
BP 104 21203 BEAUNE Cedex
Tel. 03 80 24 44 09 Fax. 03 80 24 45 90
Re: Radclient multihomed host
Hi Etienne,

Use the configuration option:

bind_address = IP.ADD.RE.SS

Regards
--jm

On 30 Jan 2008, at 2:48 PM, Etienne Pretorius wrote:

> Hello list,
>
> Is there any way that I could make radclient send a packet from a different src ipaddress on a multihomed host
>
> --
> Kind Regards
> Etienne Pretorius
> Network Administrator
> Kingsley Technologies
> Email: [EMAIL PROTECTED]
> Tel: 086 11 KTECH
> Local Fax: 086 611 5001
> International Fax: +27 21 761 9930

--
Jacques Marneweck
http://www.powertrip.co.za/
http://www.powertrip.co.za/blog/
http://www.ataris.co.za/
http://www.dataarchitects.co.za/
#include std/disclaimer.h
radiusd service do not start
Hi,

I installed freeradius to manage the wifi network of our organization (17 wifi ap). It works well when launched in command line (radiusd -X), but I can't make it work as a service, 'Service radiusd start' seems to work, but radius close immediately after, so a status will say that radiusd is dead, but subsys is locked.

Here is the output of the radius -X:

# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = nobody
main: group = nobody
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
listen: port = 1812
listen: type = auth
listen: port = 1813
listen: type = acct
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/raddb/certs/wifi.dasilva.int.pem
tls: certificate_file = /etc/raddb/certs/wifi.dasilva.int.pem
tls: CA_file = /etc/raddb/certs/root.pem
tls: private_key_password = whatever
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = tls
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module:
Radclient multihomed host
Hello list,

Is there any way that I could make radclient send a packet from a different src ipaddress on a multihomed host

--
Kind Regards
Etienne Pretorius
Network Administrator
Kingsley Technologies
Email: [EMAIL PROTECTED]
Tel: 086 11 KTECH
Local Fax: 086 611 5001
International Fax: +27 21 761 9930
Re: deactivate ldap.attrmap
On Wednesday 30 January 2008, Sebastian Heil wrote:

Sebastian Heil wrote:

... I added the following lines to the ldap-section: ...

rlm_ldap: could not start TLS Can't contact LDAP server

It doesn't seem that your TLS is well initiated. I don't think it is an ldap or freeradius issue.

Maybe... maybe not... I don't know... the configuration-options for ldaps are not really well documented, I think. How can I confirm which software produces this problem?

In a first time, perhaps you could try your conf without the TLS tunnel.

My configuration works with normal ldap. So I tried to upgrade to ldaps, which didn't work.

14 0.049652 freeradius edirectory TLSv1 Encrypted Alert

Any ideas which problem can produce this encrypted alert?

Thanks a lot.
Sebastian