Re: cannot connect to sql database

2008-01-30 Thread Devinder Singh
Hi Liran
This is my log file. I can't find any errors for "cannot connect to sql
database".

Thanks
Devinder


080124 14:48:58  mysqld ended

080124 14:48:58  mysqld started
080124 14:48:58  InnoDB: Started; log sequence number 0 43655
080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE MySQL RPM
080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown

080124 15:26:09  InnoDB: Starting shutdown...
080124 15:26:11  InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete

080124 15:26:11  mysqld ended

080124 15:26:11  mysqld started
080124 15:26:11  InnoDB: Started; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE MySQL RPM
080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown

080124 15:40:56  InnoDB: Starting shutdown...
080124 15:40:57  InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete

080124 15:40:57  mysqld ended

080124 15:40:57  mysqld started
080124 15:40:57  InnoDB: Started; log sequence number 0 43655
080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE MySQL RPM


On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

 Hey Devinder,

 On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED] wrote:

  Hi Liran
 
  The exact error message on Dial Up Admin is
 
  cannot connec to sql database.
 

 Well that's not too helpful now, is it?
 I'm not too familiar with dialupadmin, maybe someone else can donate
 his 2 cents if they had this problem as well. Like I said before, you
 should
 try debugging the problem by taking a look at log files instead of
 trying to guess the problem into discovery.

 Some thoughts to think about:
 - is this working if you run it from console?
   mysql -u freeradius -pmysuperpassword radius

 - do you have the necessary php mysql package installed?
   (php4-mysql or php5-mysql)



 Regards,
 Liran Tal.



 
 
   On 29/01/2008, Liran Tal [EMAIL PROTECTED] wrote:
  
   Hey Devinder,
  
   On Jan 29, 2008 9:41 AM, Devinder Singh [EMAIL PROTECTED]
   wrote:
  
Hi Liran
   
Where should I turn on the logging, and in which file? Could you let me
know what files are involved to do logging?
   
   
  
   Turning on the mysql logging is done in mysql's configuration
   file (on debian it's found at /etc/mysql/my.cnf).
  
   What is the exact error message you receive in the web page?
   Dial Up admin page i get cannot connect to sql database is too
   ambiguous.
   Copy and paste it here.
  
  
   Regards,
   Liran Tal.
  
  
  
  
   
   
  On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

 Hey Devinder,

  On Jan 29, 2008 5:06 AM, Devinder Singh [EMAIL PROTECTED]
 wrote:

  Dear Liran
 
  this is my dialup_admin.conf file
  sql_type: mysql
  sql_server: localhost
  sql_port: 3306
  sql_username: freeradius
  sql_password: mysuperpassword
  sql_database: radius
  sql_accounting_table: radacct
  sql_badusers_table: badusers
  sql_check_table: radcheck
  sql_reply_table: radreply
  sql_user_info_table: userinfo
  sql_groupcheck_table: radgroupcheck
  sql_groupreply_table: radgroupreply
  sql_usergroup_table: usergroup
 
  and this is the /usr/raddb/sql.conf configuration
 
  sql {
  # Database type
  # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
  # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
  driver = rlm_sql_mysql
 
  # Connect info
  server = localhost
  login = freeradius
  password = mysuperpassword
 
  # Database table configuration
  radius_db = radius
 
  # If you want both stop and start records logged to the
  # same SQL table, leave this as is.  If you want them in
  # different tables, put the start table in acct_table1
  # and stop table in acct_table2
  acct_table1 = radacct
  acct_table2 = radacct
 
  # Allow for storing data after authentication
  postauth_table = radpostauth
 
  Is there anything that I am missing? Please advise.
 


 I guess that looks alright but you haven't done any debugging like
 I suggested. Turn on mysql logging and see if there's even a
 connection
 attempt and if there is you can track what query is going wrong.

 You haven't detailed what is the exact error, it could just as
 well be that
 everything is configured fine but you haven't installed any
 php-mysql
 package and you have 

Re: deactivate ldap.attrmap

2008-01-30 Thread Sebastian Heil
Hello again,

 Sebastian Heil wrote:
  Is there a way to deactivate the ldap.attrmap file?
 
   Edit the source code & re-compile.
 

Maybe i will try it... never done before... :-)
thanks anyway.

i have got another problem. since the authentication via ldap works now quite 
ok, i would like to try ldaps together with edirectory.

what do i have to configure?

i already imported the root certificate and configured the tls-section of the 
ldap-section like this:

tls {
start_tls = yes
cacertfile = /etc/raddb/certs/tc_class2.pem
require_cert   = demand
}

but it doesn't work like this...

i added the following lines to the ldap-section:

port = 636
tls_mode = yes
tls_require_cert = demand

and it doesn't work either...

part of the debug:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to :636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/tc_class2.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0


Any ideas?
Thanks.

Sebastian

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
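
Added example (editor's illustration, not part of the original post and not FreeRADIUS code): a small Python lint for the ldap{} settings and rlm_ldap debug lines quoted in the message above. It rests on a fact the thread does not state, that StartTLS upgrades a plain LDAP connection (normally port 389) while port 636 expects TLS from the first byte, so the two are not meant to be combined; the function names, finding codes, default port and the host `ldap.example.org` are assumptions made for the example.

```python
import re

# Constructed sample: the settings quoted in the message above, merged into
# one ldap{} section. "ldap.example.org" is a placeholder host.
SAMPLE_CONFIG = """
ldap {
    server = "ldap.example.org"
    port = 636
    tls_mode = yes
    tls_require_cert = demand
    tls {
        start_tls = yes
        cacertfile = /etc/raddb/certs/tc_class2.pem
        require_cert = demand
    }
}
"""

# Constructed sample: debug lines in the format shown in the message above.
SAMPLE_DEBUG = """\
rlm_ldap: (re)connect to :636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
"""

LDAPS_PORT = 636        # implicit TLS port
DEFAULT_LDAP_PORT = 389  # assumed default when no port is configured
CONNECT_RE = re.compile(r"\(re\)connect to (?P<host>[^:,]*):(?P<port>\d+)")


def parse_section(text):
    """Flatten 'name { key = value }' blocks into {'name.key': 'value'}.

    Simplified parser: '#' always starts a comment, even inside quotes.
    """
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(stack + [key])] = value.strip('"')
    return settings


def _enabled(settings, *keys):
    """True if any of the given keys is set to a 'yes'-like value."""
    return any(settings.get(k, "no").lower() in ("yes", "true", "1") for k in keys)


def check_ldap_tls(settings):
    """Return (code, message) findings for a parsed ldap{} section."""
    findings = []
    port = int(settings.get("ldap.port", DEFAULT_LDAP_PORT))
    start_tls = _enabled(settings, "ldap.start_tls", "ldap.tls.start_tls")
    ldaps = _enabled(settings, "ldap.tls_mode") or port == LDAPS_PORT
    if start_tls and ldaps:
        findings.append(("STARTTLS_ON_LDAPS",
                         "start_tls is enabled together with port 636 / tls_mode; "
                         "use StartTLS on the plain port or LDAPS, not both"))
    if not start_tls and not ldaps:
        findings.append(("NO_TLS", "bind credentials would cross the network unencrypted"))
    if start_tls or ldaps:
        for key in ("ldap.tls_require_cert", "ldap.tls.require_cert"):
            if key in settings and settings[key].lower() not in ("demand", "hard"):
                findings.append(("WEAK_CERT_CHECK", key + " does not enforce verification"))
        if not any(k.endswith("cacertfile") for k in settings):
            findings.append(("NO_CA_FILE", "no cacertfile configured to verify the server"))
    return findings


def starttls_attempts(debug_text):
    """Return the port of every connection attempt that called ldap_start_tls_s()."""
    ports, current = [], None
    for line in debug_text.splitlines():
        match = CONNECT_RE.search(line)
        if match:
            current = int(match.group("port"))
        elif "ldap_start_tls_s()" in line and current is not None:
            ports.append(current)
    return ports


if __name__ == "__main__":
    for code, message in check_ldap_tls(parse_section(SAMPLE_CONFIG)):
        print(code + ": " + message)
    print("StartTLS attempted on ports:", starttls_attempts(SAMPLE_DEBUG))
```
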


Re: cannot connect to sql database

2008-01-30 Thread YvesDM
On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

 Hi Liran
 This is my log file. I can't find any errors for "cannot connect to sql
 database".

 Thanks
 Devinder


 080124 14:48:58  mysqld ended

 080124 14:48:58  mysqld started
 080124 14:48:58  InnoDB: Started; log sequence number 0 43655
 080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
 Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
 MySQL RPM
 080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown

 080124 15:26:09  InnoDB: Starting shutdown...
 080124 15:26:11  InnoDB: Shutdown completed; log sequence number 0 43655
 080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete

 080124 15:26:11  mysqld ended

 080124 15:26:11  mysqld started
 080124 15:26:11  InnoDB: Started; log sequence number 0 43655
 080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
 Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
 MySQL RPM
 080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown

 080124 15:40:56  InnoDB: Starting shutdown...
 080124 15:40:57  InnoDB: Shutdown completed; log sequence number 0 43655
 080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete

 080124 15:40:57  mysqld ended

 080124 15:40:57  mysqld started
 080124 15:40:57  InnoDB: Started; log sequence number 0 43655
 080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
 Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
 MySQL RPM



Does mysql actually keep running?
What gives ps -ae | grep mysql

Can you access your database from the cli?

kind regards,
Y.

Re: trouble seting up freeradius :((

2008-01-30 Thread orion
the certificate's password in the eap.conf is wrong.

On 30/01/2008, SnahaD00 [EMAIL PROTECTED] wrote:
 Hi,

 I really (desperately) need freeradius to work on my school's network - it's 
 urgent.

 I've got server on Ubuntu 7.04. I set up freeradius according to some howtos 
 and tutorials, but with no luck.

 What I did was:
  - made deb package with tls support
  - installed deb freeradius package
  - did setup freeradius as told here 
 http://ubuntuforums.org/showthread.php?t=478804&highlight=freeradius+openssl
  - problems...

 When I issue command freeradius -x i got this:
 rlm_eap_tls: Loading the certificate file as a chain
 rlm_eap: SSL error error:06065064:digital envelope 
 routines:EVP_DecryptFinal_ex:bad decrypt
 rlm_eap_tls: Error reading private key file
 rlm_eap: Failed to initialize type tls
 radiusd.conf[10]: eap: Module instantiation failed.
 radiusd.conf[1944] Unknown module eap.
 radiusd.conf[1891] Failed to parse authenticate section.

 Any idea ?


Re: memory corruption when proxying accounting requests

2008-01-30 Thread Alan DeKok
Jørn Kostøl wrote:
 Local auth and acct works fine, and proxying auth works. But as soon as
 I try to proxy accounting then Freeradius crashes.

  The issue isn't proxying, but dealing with attributes that aren't in
the dictionaries.  Bug #514 was recently filed about this.

  The solution is in CVS.  Grab the latest version of
src/lib/valuepair.c, and it will be fixed.  The file will work in 2.0.1
(if you re-build from source), or you can just install from CVS.

  Alan DeKok.


Re: cannot connect to sql database

2008-01-30 Thread Devinder Singh
I have hard times with Dial Up Admin

Should I proceed with daloradius?

Do I install it in the srv/www folder
like dial up?



On 28/01/2008, liran tal [EMAIL PROTECTED] wrote:


 Hey Devinder,

 On Jan 28, 2008 4:35 AM, Devinder Singh [EMAIL PROTECTED] wrote:

 
  Hi
 
  I am using Dial Up Admin on Free radius
 
 
  Free Radius is Running but when i access Dial Up admin page i get
  cannot connect to sql database
 
  I have done most of the configuration settings and followed the wiki
  tutorial on Free Radius.
 

 Did you check that your sql server is actually running?
 Did you import the radius database schema into the sql server?
 Did you configure all the required settings to connect to the
 sql server in dialupadmin?


 You also might want to take a look at daloRADIUS for easy web management
 of freeradius with sql servers:
 http://sourceforge.net/projects/daloradius/


 Regards,
 Liran.







-- 
Devinder

Re: cannot connect to sql database

2008-01-30 Thread Devinder Singh
Yes, I can access mysql from the CLI



On 30/01/2008, YvesDM [EMAIL PROTECTED] wrote:

 On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

  Hi Liran
  This is my log file. I can't find any errors for "cannot connect to sql
  database".
 
  Thanks
  Devinder
 
 
  080124 14:48:58  mysqld ended
 
  080124 14:48:58  mysqld started
  080124 14:48:58  InnoDB: Started; log sequence number 0 43655
  080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
  Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
  MySQL RPM
  080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown
 
  080124 15:26:09  InnoDB: Starting shutdown...
  080124 15:26:11  InnoDB: Shutdown completed; log sequence number 0 43655
  080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete
 
  080124 15:26:11  mysqld ended
 
  080124 15:26:11  mysqld started
  080124 15:26:11  InnoDB: Started; log sequence number 0 43655
  080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
  Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
  MySQL RPM
  080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown
 
  080124 15:40:56  InnoDB: Starting shutdown...
  080124 15:40:57  InnoDB: Shutdown completed; log sequence number 0 43655
  080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete
 
  080124 15:40:57  mysqld ended
 
  080124 15:40:57  mysqld started
  080124 15:40:57  InnoDB: Started; log sequence number 0 43655
  080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
  Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
  MySQL RPM
 
 
 


 Does mysql actually keep running?
 What gives ps -ae | grep mysql

 Can you access your database from the cli?

 kind regards,
 Y.








-- 
Devinder

Re: deactivate ldap.attrmap

2008-01-30 Thread Alan DeKok
Sebastian Heil wrote:
...
 i added the following lines to the ldap-section:
...
 rlm_ldap: could not start TLS Can't contact LDAP server

  Maybe you need to check that there is an LDAP server listening on that
port?

  Alan DeKok.


Re: eap authentication problem

2008-01-30 Thread Alan DeKok
Mike Zoeteweij wrote:
 Can anyone tell me what I'm doing wrong here?

  Read eap.conf.  Look for Windows.  See also the wiki.

 Sending Access-Challenge of id 3 to 192.168.100.5:4855
...
 Waking up in 6 seconds...
 --- Walking the entire request list ---

  This *exact* behavior is explained in eap.conf.  If you edited the
file to configure PEAP, you should have seen the comments explaining this.

  Alan DeKok.


Re: one RADIUS server per realm setup

2008-01-30 Thread Alan DeKok
Wm. Josiah Erikson wrote:

 I'm not sure what the syntax rules for the authorize{} section of the
 config files are; I was unable to find any description in the docs of
 how one goes about figuring out how to write these conditional
 statements. What language is it? 

$ man unlang

 It seems C-like, but only kind of. Did I
 miss this in the documentation? And the only way I could tell that I
 could use the variable Realm is because it was in the debugging output
 of freeradius. I couldn't find a list of available variables on the
 wiki, other than
 http://wiki.freeradius.org/Run-time_variables#Conditional_syntax , which
 is very incomplete non self-explanatory.

  The variables are attributes in a RADIUS packet.  So there *is* no
complete list, because every site has different attributes.

 I'm just confused as to how I was supposed to figure all this out
 without doing what I did, which was bang my head against the wall for a
 long time. I kinda figured there was some default way I was supposed to
 be doing what I was doing, but I gave up and did what feels like a
 hack to me. Is it OK? Am I missing a clear place where all of this is
 described?

  The comments at the top of radiusd.conf say:

#   As of 2.0.0, FreeRADIUS supports a simple processing language
#   in the authorize, authenticate, accounting, etc. sections.
#   See man unlang for details.

  Alan DeKok.


Re: cannot connect to sql database

2008-01-30 Thread Liran Tal
On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

 Hi Liran
 This is my log file. I can't find any errors for "cannot connect to sql
 database".


If you don't find any connection attempts information then it means
that dialupadmin isn't initiating a connection due to one of the reasons
I have mentioned before or something else. We've been exchanging
so many emails so far and you haven't checked what I've told you to.

I can't help you more with dialupadmin as I am not aware of its
common configuration issues, if daloradius is an appropriate
alternative for you I will be happy to assist you with it.


Regards,
Liran Tal.



 On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:
 
  Hey Devinder,
 
  On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED] wrote:
 
   Hi Liran
  
   The exact error message on Dial Up Admin is
  
   cannot connec to sql database.
  
 
  Well that's not too helpful now, is it?
  I'm not too familiar with dialupadmin, maybe someone else can donate
  his 2 cents if they had this problem as well. Like I said before, you
  should
  try debugging the problem by taking a look at log files instead of
  trying to guess the problem into discovery.
 
  Some thoughts to think about:
  - is this working if you run it from console?
mysql -u freeradius -pmysuperpassword radius
 
  - do you have the necessary php mysql package installed?
(php4-mysql or php5-mysql)
 
 
 
  Regards,
  Liran Tal.
 
 
 
  
  
On 29/01/2008, Liran Tal [EMAIL PROTECTED] wrote:
   
Hey Devinder,
   
On Jan 29, 2008 9:41 AM, Devinder Singh [EMAIL PROTECTED]
wrote:
   
 Hi Liran

 Where should I turn on the logging, and in which file? Could you let me
 know what files are involved to do logging?


   
Turning on the mysql logging is done in mysql's configuration
file (on debian it's found at /etc/mysql/my.cnf).
   
What is the exact error message you receive in the web page?
Dial Up admin page i get cannot connect to sql database is too
ambiguous.
Copy and paste it here.
   
   
Regards,
Liran Tal.
   
   
   
   


   On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:
 
  Hey Devinder,
 
   On Jan 29, 2008 5:06 AM, Devinder Singh [EMAIL PROTECTED]
  wrote:
 
   Dear Liran
  
   this is my dialup_admin.conf file
   sql_type: mysql
   sql_server: localhost
   sql_port: 3306
   sql_username: freeradius
   sql_password: mysuperpassword
   sql_database: radius
   sql_accounting_table: radacct
   sql_badusers_table: badusers
   sql_check_table: radcheck
   sql_reply_table: radreply
   sql_user_info_table: userinfo
   sql_groupcheck_table: radgroupcheck
   sql_groupreply_table: radgroupreply
   sql_usergroup_table: usergroup
  
   and this is the /usr/raddb/sql.conf configuration
  
   sql {
   # Database type
   # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
   # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
   driver = rlm_sql_mysql
  
   # Connect info
   server = localhost
   login = freeradius
   password = mysuperpassword
  
   # Database table configuration
   radius_db = radius
  
   # If you want both stop and start records logged to the
   # same SQL table, leave this as is.  If you want them in
   # different tables, put the start table in acct_table1
   # and stop table in acct_table2
   acct_table1 = radacct
   acct_table2 = radacct
  
   # Allow for storing data after authentication
   postauth_table = radpostauth
  
   Is there anything that I am missing? Please advise.
  
 
 
  I guess that looks alright but you haven't done any debugging
  like
  I suggested. Turn on mysql logging and see if there's even a
  connection
  attempt and if there is you can track what query is going wrong.
 
  You haven't detailed what is the exact error, it could just as
  well be that
  everything is configured fine but you haven't installed any
  php-mysql
  package and you have error_reporting turned off and so you are
  not seeing
  the error.
 
  Please check these things first.
 
  Regards,
  Liran Tal.
 
 
 
  
  
  
   On 28/01/2008, Devinder Singh [EMAIL PROTECTED] wrote:
   
Hi Liran
   
Are there a lot of changes to be made on Dial Up Admin
admin.conf file
   
   
Could you suggest any specific changes as well in
etc/raddb/sql.conf
   
   
Regards
Devinder
   
   
 On 28/01/2008, Liran Tal [EMAIL PROTECTED] wrote:

  

Re: trouble seting up freeradius :((

2008-01-30 Thread Alan DeKok
SnahaD00 wrote:
 When I issue command freeradius -x i got this:
 rlm_eap_tls: Loading the certificate file as a chain
 rlm_eap: SSL error error:06065064:digital envelope 
 routines:EVP_DecryptFinal_ex:bad decrypt

  The password you put in the configuration file is not the same as the
password used to create the private key.

  Alan DeKok.


Re: cannot connect to sql database

2008-01-30 Thread Ivan Kalik
1. You are not sending login requests to this server, or at least they
are not getting there. Is server set up not to receive auth requests
from the network (only local requests)? Can you log into it from a
different machine?

2. Is this server restarting on its own or are you doing that?

Ivan Kalik
Kalik Informatika ISP


On 30/1/2008, Devinder Singh [EMAIL PROTECTED] wrote:

Hi Liran
This is my log file. I can't find any errors for "cannot connect to sql
database".

Thanks
Devinder


080124 14:48:58  mysqld ended

080124 14:48:58  mysqld started
080124 14:48:58  InnoDB: Started; log sequence number 0 43655
080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
MySQL RPM
080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown

080124 15:26:09  InnoDB: Starting shutdown...
080124 15:26:11  InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete

080124 15:26:11  mysqld ended

080124 15:26:11  mysqld started
080124 15:26:11  InnoDB: Started; log sequence number 0 43655
080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
MySQL RPM
080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown

080124 15:40:56  InnoDB: Starting shutdown...
080124 15:40:57  InnoDB: Shutdown completed; log sequence number 0 43655
080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete

080124 15:40:57  mysqld ended

080124 15:40:57  mysqld started
080124 15:40:57  InnoDB: Started; log sequence number 0 43655
080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.45'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  SUSE
MySQL RPM


On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

 Hey Devinder,

 On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED] wrote:

  Hi Liran
 
  The exact error message on Dial Up Admin is
 
  cannot connec to sql database.
 

 Well that's not too helpful now, is it?
 I'm not too familiar with dialupadmin, maybe someone else can donate
 his 2 cents if they had this problem as well. Like I said before, you
 should
 try debugging the problem by taking a look at log files instead of
 trying to guess the problem into discovery.

 Some thoughts to think about:
 - is this working if you run it from console?
   mysql -u freeradius -pmysuperpassword radius

 - do you have the necessary php mysql package installed?
   (php4-mysql or php5-mysql)



 Regards,
 Liran Tal.



 
 
   On 29/01/2008, Liran Tal [EMAIL PROTECTED] wrote:
  
   Hey Devinder,
  
   On Jan 29, 2008 9:41 AM, Devinder Singh [EMAIL PROTECTED]
   wrote:
  
Hi Liran
   
Where should I turn on the logging, and in which file? Could you let me
know what files are involved to do logging?
   
   
  
   Turning on the mysql logging is done in mysql's configuration
   file (on debian it's found at /etc/mysql/my.cnf).
  
   What is the exact error message you receive in the web page?
   Dial Up admin page i get cannot connect to sql database is too
   ambiguous.
   Copy and paste it here.
  
  
   Regards,
   Liran Tal.
  
  
  
  
   
   
  On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:

 Hey Devinder,

  On Jan 29, 2008 5:06 AM, Devinder Singh [EMAIL PROTECTED]
 wrote:

  Dear Liran
 
  this is my dialup_admin.conf file
  sql_type: mysql
  sql_server: localhost
  sql_port: 3306
  sql_username: freeradius
  sql_password: mysuperpassword
  sql_database: radius
  sql_accounting_table: radacct
  sql_badusers_table: badusers
  sql_check_table: radcheck
  sql_reply_table: radreply
  sql_user_info_table: userinfo
  sql_groupcheck_table: radgroupcheck
  sql_groupreply_table: radgroupreply
  sql_usergroup_table: usergroup
 
  and this is the /usr/raddb/sql.conf configuration
 
  sql {
  # Database type
  # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
  # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
  driver = rlm_sql_mysql
 
  # Connect info
  server = localhost
  login = freeradius
  password = mysuperpassword
 
  # Database table configuration
  radius_db = radius
 
  # If you want both stop and start records logged to the
  # same SQL table, leave this as is.  If you want them in
  # different tables, put the start table in acct_table1
  # and stop table in acct_table2
  acct_table1 = radacct
  acct_table2 = radacct
 
  # Allow for storing data after authentication
  postauth_table = radpostauth
 
  Is there anything that I am missing? Please advise.
 


 I guess that looks alright but you haven't done 

Re: cannot connect to sql database

2008-01-30 Thread Devinder Singh
Hi Liran

Do you have Yahoo IM or IRC channel to chat?
OK, I will install and configure daloradius


Will it work well with FreeRadius server

Where do i extract the tar file

i have srv/www folder
Thanks

Devinder
On 30/01/2008, Liran Tal [EMAIL PROTECTED] wrote:


 On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

  Hi Liran
  This is my log file. I can't find any errors for "cannot connect to sql
  database".
 
 
 If you don't find any connection attempts information then it means
 that dialupadmin isn't initiating a connection due to one of the reasons
 I have mentioned before or something else. We've been exchanging
 so many emails so far and you haven't checked what I've told you to.

 I can't help you more with dialupadmin as I am not aware of its
 common configuration issues, if daloradius is an appropriate
 alternative for you I will be happy to assist you with it.


 Regards,
 Liran Tal.


 
  On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:
  
   Hey Devinder,
  
   On Jan 29, 2008 9:50 AM, Devinder Singh [EMAIL PROTECTED]
   wrote:
  
Hi Liran
   
The exact error message on Dial Up Admin is
   
cannot connec to sql database.
   
  
   Well that's not too helpful now, is it?
   I'm not too familiar with dialupadmin, maybe someone else can donate
   his 2 cents if they had this problem as well. Like I said before, you
   should
   try debugging the problem by taking a look at log files instead of
   trying to guess the problem into discovery.
  
   Some thoughts to think about:
   - is this working if you run it from console?
 mysql -u freeradius -pmysuperpassword radius
  
   - do you have the necessary php mysql package installed?
 (php4-mysql or php5-mysql)
  
  
  
   Regards,
   Liran Tal.
  
  
  
   
   
  On 29/01/2008, Liran Tal [EMAIL PROTECTED] wrote:

 Hey Devinder,

 On Jan 29, 2008 9:41 AM, Devinder Singh [EMAIL PROTECTED]
 wrote:

  Hi Liran
 
  Where should I turn on the logging, and in which file? Could you let me
  know what files are involved to do logging?
 
 

 Turning on the mysql logging is done in mysql's configuration
 file (on debian it's found at /etc/mysql/my.cnf).

 What is the exact error message you receive in the web page?
 Dial Up admin page i get cannot connect to sql database is too
 ambiguous.
 Copy and paste it here.


 Regards,
 Liran Tal.




 
 
On 29/01/2008, liran tal [EMAIL PROTECTED] wrote:
  
   Hey Devinder,
  
On Jan 29, 2008 5:06 AM, Devinder Singh 
   [EMAIL PROTECTED] wrote:
  
Dear Liran
   
this is my dialup_admin.conf file
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: freeradius
sql_password: mysuperpassword
sql_database: radius
sql_accounting_table: radacct
sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
sql_usergroup_table: usergroup
   
and this is the /usr/raddb/sql.conf configuration
   
sql {
# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = rlm_sql_mysql
   
# Connect info
server = localhost
login = freeradius
password = mysuperpassword
   
# Database table configuration
radius_db = radius
   
# If you want both stop and start records logged to the
# same SQL table, leave this as is.  If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = radacct
acct_table2 = radacct
   
# Allow for storing data after authentication
postauth_table = radpostauth
   
Is there anything that I am missing? Please advise.
   
  
  
   I guess that looks alright but you haven't done any debugging
   like
   I suggested. Turn on mysql logging and see if there's even a
   connection
   attempt and if there is you can track what query is going
   wrong.
  
   You haven't detailed what is the exact error, it could just as
   well be that
   everything is configured fine but you haven't installed any
   php-mysql
   package and you have error_reporting turned off and so you are
   not seeing
   the error.
  
   Please check these things first.
  
   Regards,
   Liran Tal.
  
  

Re: Logging from another PC

2008-01-30 Thread Ivan Kalik
Yes. Use VLANs and port based authentication and they won't be able to
do that. If they manually change IP address to a different VLAN
connection will become unusable.

Ivan Kalik
Kaliki Informatika ISP

On 29/1/2008, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:

Hi,

I have a question.
When the user logs in using their own username and password on the Radius server (i.e.,
using 192.168.160.5), it is OK. When someone changes their IP address statically
to the logged-in IP (to 192.168.160.5), he can use the logged-in account. I mean
he can use another one's account. How can I block another PC? And I don't
want the user to log in often in one day. The user must log in once a day. That's
why I don't want to put the Idle-Timeout attribute.


I'm using FreeRadius 2.0.1 with Cisco's BBSM 5.3. Could you give some
clarification for this?

Thanks




Re: deactivate ldap.attrmap

2008-01-30 Thread Sebastian Heil

 Sebastian Heil wrote:
 ...
  i added the following lines to the ldap-section:
 ...
  rlm_ldap: could not start TLS Can't contact LDAP server
 
   Maybe you need to check that there is an LDAP server listening on that
 port?
 
   Alan DeKok.
 

thanks for your fast answer, alan.
but i am afraid, this is not the solution... the ldap-server is listening and 
even responding to my ldap-request. i captured the communication between the 
freeradius and the edirectory with ethereal:

Someone any idea about the Encrypted Alert in no. 14?? Thanks.

-
No. Time      Source         Destination  Protocol  Info
  1 0.00      radtestclient  freeradius   RADIUS    Access-Request(1) (id=74, l=58)
  3 0.000749  freeradius     edirectory   TCP       56302  ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
  5 0.012986  edirectory     freeradius   TCP       ldaps  56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
  6 0.013057  freeradius     edirectory   TCP       56302  ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
  7 0.013639  freeradius     edirectory   SSLv2     Client Hello
  8 0.021887  edirectory     freeradius   TLSv1     Server Hello,
  9 0.022035  freeradius     edirectory   TCP       56302  ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
 10 0.030390  edirectory     freeradius   TLSv1     Certificate
 11 0.030550  freeradius     edirectory   TCP       56302  ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
 12 0.032263  freeradius     edirectory   TLSv1     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 13 0.048990  edirectory     freeradius   TLSv1     Change Cipher Spec, Encrypted Handshake Message
 14 0.049652  freeradius     edirectory   TLSv1     Encrypted Alert
 15 0.049923  freeradius     edirectory   TCP       56302  ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
 17 0.057441  edirectory     freeradius   TCP       ldaps  56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
 18 0.057774  edirectory     freeradius   TLSv1     Encrypted Alert
 19 0.057807  freeradius     edirectory   TCP       56302  ldaps [RST] Seq=507 Len=0
 20 0.057880  edirectory     freeradius   TCP       ldaps  56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
 21 0.057903  freeradius     edirectory   TCP       56302  ldaps [RST] Seq=507 Len=0




Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
> Stefan Puch wrote:
>> Then some people came with their mobile devices which are running Windows
>> Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the
>> problems began. The same EAP-TLS certificate which worked fine on a Windows
>> XP machine doesn't work on e.g. Windows Mobile 6 PDA.
>
> You have to love Microsoft...
Hmm, most of the time I'm using Linux, but 90% of the others only have a
Microsoft system :-(

> The EAP-TLS code was substantially re-worked in 2.0.0.  It was tested with
> Vista, XP SP1, XP SP2, Linux systems, MAC.  It's working live in
> environments with many, many different OS's and architectures.
>
> So it *should* work.
I was afraid that someone would say that, because I didn't believe that a new
version would be released without testing. By the way, when you have tested so
many different Windows systems you will have to Microsoft as well, won't you ;-)


> ethereal packet traces of the RADIUS traffic would help.  But I would first
> suggest trying to use the test certificates that come with 2.0.1. If those
> work, then the issue isn't 2.0.0 versus 1.1.7, it's that there is something
> special about the certificates you're using.
OK, then I will start with the provided certificates, well knowing that if they
do work I will have to make new certificates for all current users...
If the certificates that come with 2.0.1 also fail I will provide some ethereal
packet traces.

Thanks for the quick response

Stefan Puch



RE: memory corruption when proxying accounting requests

2008-01-30 Thread Jørn Kostøl
I tried the latest snapshot freeradius-server-snapshot-20080130.tar.bz2  but
this has the same problem. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Alan DeKok
Sent: 30 January 2008 10:35
To: FreeRadius users mailing list
Subject: Re: memory corruption when proxying accounting requests

Jørn Kostøl wrote:
> Local auth and acct works fine, and proxying auth works. But as soon as
> I try to proxy accounting then Freeradius crashes.

  The issue isn't proxying, but dealing with attributes that aren't in
the dictionaries.  Bug #514 was recently filed about this.

  The solution is in CVS.  Grab the latest version of
src/lib/valuepair.c, and it will be fixed.  The file will work in 2.0.1
(if you re-build from source), or you can just install from CVS.

  Alan DeKok.


Re: one RADIUS server per realm setup

2008-01-30 Thread Wm. Josiah Erikson

Oh. Now I'm embarrassed. Thanks and sorry! :)
   -Josiah



Alan DeKok wrote:

> #   As of 2.0.0, FreeRADIUS supports a simple processing language
> #   in the authorize, authenticate, accounting, etc. sections.
> #   See man unlang for details.
>
>   Alan DeKok.
  


--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091



Re: memory corruption when proxying accounting requests

2008-01-30 Thread Alan DeKok
Jørn Kostøl wrote:
> I tried the latest snapshot freeradius-server-snapshot-20080130.tar.bz2  but
> this has the same problem.

  That's nice.  Did you download it from CVS as instructed?

  The bug was fixed about 15 minutes before I sent my email.  The fix is
*not* in that snapshot.  It *is* in CVS, as I said.

  Honestly, if you're told the fix is in a particular place, I don't
understand why anyone would look for a fix anywhere else...

  Alan DeKok.


Re: deactivate ldap.attrmap

2008-01-30 Thread Wm. Josiah Erikson

What struck me was that you need more attributes, but maybe I missed them:

-cacertfile
-certfile
-keyfile

   -Josiah


Sebastian Heil wrote:

>> Sebastian Heil wrote:
>> ...
>>> i added the following lines to the ldap-section:
>> ...
>>> rlm_ldap: could not start TLS Can't contact LDAP server
>>
>>   Maybe you need to check that there is an LDAP server listening on that
>> port?
>>
>>   Alan DeKok.
>
> thanks for your fast answer, alan.
> but i am afraid, this is not the solution... the ldap-server is listening and
> even responding to my ldap-request. i captured the communication between the
> freeradius and the edirectory with ethereal:
>
> Does anyone have any idea about the Encrypted Alert in no. 14? Thanks.
>
> -
> No. Time     Source        Destination Protocol Info
>   1 0.00     radtestclient freeradius  RADIUS   Access-Request(1) (id=74, l=58)
>   3 0.000749 freeradius    edirectory  TCP      56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
>   5 0.012986 edirectory    freeradius  TCP      ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
>   6 0.013057 freeradius    edirectory  TCP      56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
>   7 0.013639 freeradius    edirectory  SSLv2    Client Hello
>   8 0.021887 edirectory    freeradius  TLSv1    Server Hello,
>   9 0.022035 freeradius    edirectory  TCP      56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
>  10 0.030390 edirectory    freeradius  TLSv1    Certificate
>  11 0.030550 freeradius    edirectory  TCP      56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
>  12 0.032263 freeradius    edirectory  TLSv1    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
>  13 0.048990 edirectory    freeradius  TLSv1    Change Cipher Spec, Encrypted Handshake Message
>  14 0.049652 freeradius    edirectory  TLSv1    Encrypted Alert
>  15 0.049923 freeradius    edirectory  TCP      56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
>  17 0.057441 edirectory    freeradius  TCP      ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
>  18 0.057774 edirectory    freeradius  TLSv1    Encrypted Alert
>  19 0.057807 freeradius    edirectory  TCP      56302 > ldaps [RST] Seq=507 Len=0
>  20 0.057880 edirectory    freeradius  TCP      ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
>  21 0.057903 freeradius    edirectory  TCP      56302 > ldaps [RST] Seq=507 Len=0


  


--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091



Re: sql accounting - no records - 2.0.1 RESOLVED

2008-01-30 Thread Andrew Long
I expected to see some traffic too soon, now it's coming...
but where are the accounting queries?

Andrew


On Jan 30, 2008 8:52 AM, Andrew Long [EMAIL PROTECTED] wrote:
> I've just installed 2.0.1 on CentOS 5 with MySQL 5.x. I can get the
> clients to authenticate and I see accounting requests come in, also I
> see the accounting query as it should be updated to mysql, i.e.,
> expand: UPDATE radacct I also see the accounting response
> returned to the client, but no accounting records are being updated in
> radacct table. There are no errors in debug mode relevant to mysql:
>
> rlm_sql (sql): received Acct On/Off packet
> expand: %{Acct-Delay-Time} -> 0
> expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime =
>   unix_timestamp('%S') - unix_timestamp(acctstarttime),
>   acctterminatecause = '%{Acct-Terminate-Cause}',
>   acctstopdelay = %{%{Acct-Delay-Time}:-0}
>   WHERE acctsessiontime = 0 AND acctstoptime = NULL
>   AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime = '%S' ->
>   UPDATE radacct SET acctstoptime = '2008-01-30 07:45:06', acctsessiontime =
>   unix_timestamp('2008-01-30 07:45:06') - unix_timestamp(acctstarttime),
>   acctterminatecause = '', acctstopdelay = 0
>   WHERE acctsessiontime = 0 AND acctstoptime = NULL
>   AND nasipaddress = '141.xxx.xxx.xxx' AND acctstarttime = '2008-01-30 07:45:06'
> rlm_sql (sql): Reserving sql socket id: 2
> rlm_sql (sql): Released sql socket id: 2
> ++[sql] returns ok
> expand: %{User-Name} -> elmaroma_cn3000
>  attr_filter: Matched entry DEFAULT at line 12
> ++[attr_filter.accounting_response] returns updated
> Sending Accounting-Response of id 33 to 141.xxx.xxx.xxx port 1025
>
> I have tried this with 2 different clients and get the same NULL
> result. Authentication is fine, but any features relying on data in
> radacct clearly won't work, ie session-timeout...
>
> I've checked the default config, and all accounting is set to sql.
> The one oddity I notice is that default has:
> #  See Accounting queries in sql.conf
> sql
>
> But I can see no accounting queries anywhere in the provided sql.conf ??
>
> Thank You.
>
> Andrew Long
> EWS Solutions



RE: memory corruption when proxying accounting requests

2008-01-30 Thread Jørn Kostøl
Sorry!
The CVS fixed the problem. 
Thanks!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Alan DeKok
Sent: 30 January 2008 15:21
To: FreeRadius users mailing list
Subject: Re: memory corruption when proxying accounting requests

Jørn Kostøl wrote:
> I tried the latest snapshot freeradius-server-snapshot-20080130.tar.bz2
> but this has the same problem.

  That's nice.  Did you download it from CVS as instructed?

  The bug was fixed about 15 minutes before I sent my email.  The fix is
*not* in that snapshot.  It *is* in CVS, as I said.

  Honestly, if you're told the fix is in a particular place, I don't
understand why anyone would look for a fix anywhere else...

  Alan DeKok.


Re: deactivate ldap.attrmap

2008-01-30 Thread Thierry CHICH
On Wednesday 30 January 2008, Sebastian Heil wrote:
>> Sebastian Heil wrote:
>> ...
>>> i added the following lines to the ldap-section:
>> ...
>>> rlm_ldap: could not start TLS Can't contact LDAP server


It doesn't seem that your TLS is well initiated. I don't think it is an ldap
or freeradius issue. As a first step, perhaps you could try your conf without
the TLS tunnel.

>  14 0.049652 freeradius    edirectory  TLSv1    Encrypted Alert



Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Reimer Karlsen-Masur, DFN-CERT

Stefan Puch wrote on 30.01.2008 11:13:
> Hello everyone,
>
> I've got some problems with the new version of freeradius, but before I'm
> going to open a new bugreport or post long debugtraces from radiusd -X I want
> to ask here if someone else has made similar experiences.
>
> I've set up a freeradius server version 1.1.7 in our club to authenticate
> several Notebooks. This worked fine with Windows XP, Windows Vista and Linux
> clients using EAP-TLS certificates (many thanks for the good documentation of
> the OIDs in the TLS certificate).
>
> Then some people came with their mobile devices which are running Windows
> Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems
> began.

We know of problems with EE certificates in PDAs containing the
non-repudiation flag.

Additionally Windows built-in supplicants don't like EE certificates with
the extendedKeyUsage Microsoft Smartcard Logon (1.3.6.1.4.1.311.20.2.2)
when doing EAP-TLS.

Apparently the latter issue can also be solved by just disabling the valid
certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted
usages properties on the system.

-- 
Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



FR2: combining round-robin and fail-over home server pools

2008-01-30 Thread John Horne
Hello,

I am in the process of configuring FreeRADIUS 2.0.1. For some realms we
proxy the authentication request to three other servers (svr-1, svr-2,
svr-3). However, what we wanted was to, in effect, round-robin two of
the servers (svr-1 and svr-2), and then only use the third server (svr-3)
if the other two were not available.

I have configured the proxy.conf 'home_server_pool's as:

   home_server_pool local_IAS {
       type = client-port-balance
       home_server = svr-1
       home_server = svr-2
   }

   home_server_pool local_proxies {
       type = fail-over
       home_server = local_IAS
       home_server = svr-3
   }

Note that 'local_IAS' is actually a home_server_pool name, and not an
actual home server. I was then going to configure FR to use
'local_proxies' for the relevant realms. However, starting FR gives an
error:

   /usr/local/etc/raddb/proxy.conf[87]: Unknown home_server local_IAS.


Anyone any ideas how to mix round-robin servers with fail-over?



Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839


Re: sql accounting - no records - 2.0.1 RESOLVED

2008-01-30 Thread JB

Hi Andrew,

in mysql.conf, there should be another file included:
$INCLUDE sql/${database}/dialup.conf
So, in your case that would be $INCLUDE sql/mysql/dialup.conf
There you should find several accounting queries.

JB

Andrew Long (30.01.2008 15:49):

> I expected to see some traffic too soon, now it's coming...
> but where are the accounting queries?
>
> Andrew
>
> On Jan 30, 2008 8:52 AM, Andrew Long [EMAIL PROTECTED] wrote:
>
>> I've just installed 2.0.1 on CentOS 5 with MySQL 5.x. I can get the
>> clients to authenticate and I see accounting requests come in, also I
>> see the accounting query as it should be updated to mysql, i.e.,
>> expand: UPDATE radacct I also see the accounting response
>> returned to the client, but no accounting records are being updated in
>> radacct table. There are no errors in debug mode relevant to mysql:
>>
>> rlm_sql (sql): received Acct On/Off packet
>> expand: %{Acct-Delay-Time} -> 0
>> expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime =
>>   unix_timestamp('%S') - unix_timestamp(acctstarttime),
>>   acctterminatecause = '%{Acct-Terminate-Cause}',
>>   acctstopdelay = %{%{Acct-Delay-Time}:-0}
>>   WHERE acctsessiontime = 0 AND acctstoptime = NULL
>>   AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime = '%S' ->
>>   UPDATE radacct SET acctstoptime = '2008-01-30 07:45:06', acctsessiontime =
>>   unix_timestamp('2008-01-30 07:45:06') - unix_timestamp(acctstarttime),
>>   acctterminatecause = '', acctstopdelay = 0
>>   WHERE acctsessiontime = 0 AND acctstoptime = NULL
>>   AND nasipaddress = '141.xxx.xxx.xxx' AND acctstarttime = '2008-01-30 07:45:06'
>> rlm_sql (sql): Reserving sql socket id: 2
>> rlm_sql (sql): Released sql socket id: 2
>> ++[sql] returns ok
>> expand: %{User-Name} -> elmaroma_cn3000
>>  attr_filter: Matched entry DEFAULT at line 12
>> ++[attr_filter.accounting_response] returns updated
>> Sending Accounting-Response of id 33 to 141.xxx.xxx.xxx port 1025
>>
>> I have tried this with 2 different clients and get the same NULL
>> result. Authentication is fine, but any features relying on data in
>> radacct clearly won't work, ie session-timeout...
>>
>> I've checked the default config, and all accounting is set to sql.
>> The one oddity I notice is that default has:
>> #  See Accounting queries in sql.conf
>> sql
>>
>> But I can see no accounting queries anywhere in the provided sql.conf ??
>>
>> Thank You.
>>
>> Andrew Long
>> EWS Solutions



need help in using free radius

2008-01-30 Thread johnson elangbam
Hi,
When I first ran FreeRADIUS using the command
radtest test test localhost 0 testing123 I found the following errors.
Please help


rad_recv: Access-Request packet from host 127.0.0.1 port 32775, id=80, length=56
        User-Name = test
        User-Password = test
        NAS-IP-Address = 192.168.1.227
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 80 to 127.0.0.1 port 32775
Waking up in 4.9 seconds.
Cleaning up request 0 ID 80 with timestamp +31
Ready to process requests.
With Regards,
Elangbam Johnson

Re: need help in using free radius

2008-01-30 Thread Wm. Josiah Erikson
How do you want it to authenticate? Is there a username/password pair
somewhere of test/test or did you just expect it to work that way out of
the box for some reason?


I think it did what it was supposed to - it checked a bunch of different 
authentication methods and didn't find a username/password of test/test 
anywhere. The simplest way to get this to work would be to create an 
account test with the password test on the local box, assuming 
you're using a UNIX machine. It checked the unix modules, which will 
check your local passwd/shadow file, so that should work.


   -Josiah



johnson elangbam wrote:

> Hi,
> When I first run the free Radius  using the command
> radtest test test localhost 0 testing123 i found the following
> errors. Please help
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32775, id=80, length=56
>         User-Name = test
>         User-Password = test
>         NAS-IP-Address = 192.168.1.227
>         NAS-Port = 0
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> rlm_realm: No '@' in User-Name = test, looking up realm NULL
> rlm_realm: No such realm NULL
> ++[suffix] returns noop
>   rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
>   Found Post-Auth-Type Reject
> +- entering group REJECT
> expand: %{User-Name} -> test
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 80 to 127.0.0.1 port 32775
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 80 with timestamp +31
> Ready to process requests.
>
> With Regards,
> Elangbam Johnson


--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091



Re: need help in using free radius

2008-01-30 Thread Ivan Kalik

> rlm_pap: WARNING! No known good password found for the user.  Authentication
> may fail because of this.


So, where is your password stored?

Ivan Kalik
Kaliik Informatika ISP



Setting radiusd user/cert permissions in Mac OSX

2008-01-30 Thread Info

Good afternoon,

When setting user/group to nobody in radiusd.conf, I get some  
permissions problems with loading the certs and just wanted to know  
how to properly set them to avoid this:


rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /opt/local/etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls

Thanks for answering the, no doubt, simplest of questions !

Jim

P.S: The above output is from testing with radiusd -X


___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com


2.0.1 Segfault

2008-01-30 Thread Michael J. Hartwick

Hi,

I know that this post may not contain all of the required information, 
this is just to get things going while I investigate further.


I have had a problem with FreeRADIUS segfaulting intermittently for a 
number of months which makes it hard to gather the required 
information. The only thing that I found in all cases was the 
numerous, empty Cisco-AVPair's in the packet. With it being a segfault 
I suspect accessing a null pointer somewhere.


I have captured a packet that is causing this to occur and sure enough 
it contains the numerous, empty Cisco-AVPair's. I have started it in 
gdb now, the output of bt is below.


rad_recv: Accounting-Request packet from host w.x.y.z port 2903, id=213,
length=362
Service-Type = Framed-User
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
Cisco-AVPair = 
NAS-Port-Type = Async
Connect-Info = 3120
Calling-Station-Id = NPANXX
X-Ascend-PreSession-Time = 41
X-Ascend-Disconnect-Cause = Remote-End-Hung-Up
Acct-Session-Id = 4E39
Acct-Session-Time = 114
Framed-IP-Address = W.X.Y.Z
Acct-Link-Count = 1
Acct-Authentic = RADIUS
User-Name = [EMAIL PROTECTED]
NAS-Port = 1060
Called-Station-Id = yyy
Framed-Protocol = PPP
Acct-Terminate-Cause = User-Request
Acct-Input-Packets = 53
Acct-Output-Packets = 39
X-Ascend-Data-Rate = 26400
Acct-Delay-Time = 0
Acct-Input-Octets = 1431
Login-Service = PortMaster
Acct-Output-Octets = 9084
X-Ascend-Modem-SlotNo = 6
X-Ascend-Xmit-Rate = 31200
Acct-Status-Type = Stop
Segmentation fault

0x40297d8f in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x40297d8f in memcpy () from /lib/libc.so.6
#1  0x400289c1 in rad_attr2vp (packet=0x8177678, original=0x0, secret=0x8169168 secret,
    attribute=90, length=0, data=0x817887c \004\006\n\001\001\226x\006\001\005)
    at radius.c:1953
#2  0x40028df4 in rad_decode (packet=0x8177678, original=0x0, secret=0x8169168 secret)
    at radius.c:2386
#3  0x080539d4 in client_socket_decode (listener=0x8174960, request=0x8178898)
    at listen.c:697
#4  0x0805faab in request_pre_handler (request=0x8178898) at event.c:995
#5  0x08061e2d in radius_handle_request (request=0x8178898, fun=0x804d2b0 rad_accounting)
    at event.c:2701
#6  0x0805ad21 in thread_pool_addrequest (request=0x, fun=0x8179f04)
    at threads.c:860
#7  0x08061510 in event_socket_handler (xel=0x8174f98, fd=13, ctx=0x8179f04)
    at event.c:2340
#8  0x40030c23 in fr_event_loop (el=0x8174f98) at event.c:412
#9  0x08061e03 in radius_event_process () at event.c:2696
#10 0x0805968f in main (argc=2, argv=0x2) at radiusd.c:381
#11 0x4022fd06 in __libc_start_main () from /lib/libc.so.6

I *think* that the problem might be the length=0 in the call to 
rad_attr2vp(). If that is the case then something like:


if (length == 0) return NULL;

at line 1928 or so of radius.c might resolve the problem. Before I go 
ahead and make that addition, am I on the right page or way off in 
left field on this?


Michael

--
Michael J. Hartwick, VE3SLQ  [EMAIL PROTECTED]
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
--
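
The backtrace above ends in memcpy() during attribute decoding, and the poster suspects a zero-length value. As an added example (not FreeRADIUS code and not part of the original post), here is a stand-alone RADIUS attribute decoder that checks every length field before copying and accepts empty values such as the Cisco-AVPair lines in the dump; the struct, the function names and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   20    /* code, id, length(2), authenticator(16) */
#define VSA_TYPE  26    /* Vendor-Specific */
#define MAX_VALUE 253   /* largest value one attribute can carry */

typedef struct {
    uint32_t vendor;            /* 0 for standard attributes */
    uint8_t  type;
    uint8_t  length;            /* value length in bytes; 0 is allowed */
    uint8_t  value[MAX_VALUE];
} attr_t;

/* Store one decoded value. A zero-length value is recorded, nothing is copied.
 * RFC 2865 says empty text/string values must not be sent, but NAS equipment
 * does send them, so the decoder has to tolerate them. */
static int store(attr_t *out, int max, int *n, uint32_t vendor,
                 uint8_t type, const uint8_t *val, size_t len)
{
    if (*n >= max || len > MAX_VALUE) return -1;
    out[*n].vendor = vendor;
    out[*n].type   = type;
    out[*n].length = (uint8_t)len;
    if (len > 0) memcpy(out[*n].value, val, len);
    (*n)++;
    return 0;
}

/* Decode the attributes of one packet. Returns the attribute count,
 * or -1 if any length field is inconsistent with the bytes received. */
int decode_attrs(const uint8_t *pkt, size_t pkt_len, attr_t *out, int max)
{
    if (pkt_len < HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < HDR_LEN || declared > pkt_len) return -1;

    const uint8_t *p = pkt + HDR_LEN, *end = pkt + declared;
    int n = 0;
    while (p < end) {
        if (end - p < 2) return -1;             /* no room for type+length */
        size_t alen = p[1];                     /* counts type and length  */
        if (alen < 2 || alen > (size_t)(end - p)) return -1;

        if (p[0] != VSA_TYPE) {
            if (store(out, max, &n, 0, p[0], p + 2, alen - 2) < 0) return -1;
        } else {
            if (alen < 6) return -1;            /* 4-byte Vendor-Id needed */
            uint32_t vendor = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
                              ((uint32_t)p[4] << 8)  |  (uint32_t)p[5];
            const uint8_t *s = p + 6, *send = p + alen;
            while (s < send) {
                if (send - s < 2) return -1;
                size_t vlen = s[1];
                /* vlen < 2 would make (vlen - 2) wrap to a huge size_t */
                if (vlen < 2 || vlen > (size_t)(send - s)) return -1;
                if (store(out, max, &n, vendor, s[0], s + 2, vlen - 2) < 0)
                    return -1;
                s += vlen;
            }
        }
        p += alen;
    }
    return n;
}

/* Constructed sample: Accounting-Request, id 213, with Service-Type,
 * one empty Cisco-AVPair (vendor 9, type 1, no value) and User-Name. */
static const uint8_t sample_pkt[] = {
    4, 213, 0, 39,                          /* code, id, length = 39 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,     /* authenticator (zeroed) */
    6, 6, 0, 0, 0, 2,                       /* Service-Type = Framed-User */
    26, 8, 0, 0, 0, 9, 1, 2,                /* Cisco-AVPair with empty value */
    1, 5, 'b', 'o', 'b'                     /* User-Name = bob */
};

int main(void)
{
    attr_t attrs[8];
    int n = decode_attrs(sample_pkt, sizeof sample_pkt, attrs, 8);
    printf("decoded %d attributes\n", n);
    for (int i = 0; i < n; i++)
        printf("vendor=%u type=%u value_len=%u\n", (unsigned)attrs[i].vendor,
               (unsigned)attrs[i].type, (unsigned)attrs[i].length);
    return n < 0;
}
```

A sub-attribute length of 0 or 1 is rejected rather than passed on, because subtracting the two header bytes from it would otherwise produce a very large copy length.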


anyone provide consulting services to setup a radius server?

2008-01-30 Thread Chad Whitten
Very simple setup - 1 server - novell suse enterprise 10.0, 1 nas -
Lucent TNT, 700 or so users - all dialup.  Would like to use a mysql
database to store usernames and passwords and use the freeradius
dialupadmin web tool for management of users.  NAS is currently
authenticating against a remote freeradius server that just uses unix
passwd/shadow files.

If anyone is interested in some light consulting work to do this,
please let me know.

Thanks

-- 
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
(601) 519-4172 Pager
[EMAIL PROTECTED]


Re: Setting radiusd user/cert permissions in Mac OSX

2008-01-30 Thread Wm. Josiah Erikson
You could, as an account with sudo privs (administrator), from Terminal, 
type:


sudo chown nobody /opt/local/etc/raddb/certs/server.pem

or

sudo chown -R nobody /opt/local/etc/raddb

to change the ownership of that entire directory to nobody.

HOWEVER:

Nobody is not a secure system account. I would set up a new account for 
freeradius and have the server run under that, and set permissions on 
those files/folders for only that user. Letting the nobody user read 
those files might not be a good idea.


   -Josiah



Info wrote:

> Good afternoon,
>
> When setting user/group to nobody in radiusd.conf, I get some
> permissions problems with loading the certs and just wanted to know
> how to properly set them to avoid this:
>
> rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
> rlm_eap_tls: Error reading certificate file /opt/local/etc/raddb/certs/server.pem
> rlm_eap: Failed to initialize type tls
>
> Thanks for answering the, no doubt, simplest of questions !
>
> Jim
>
> P.S: The above output is from testing with radiusd -X
>
> ___
> James H. Graham II, Creative Director • Spark Media Group
> 6511 Allegheny Avenue • Takoma Park, MD 20912-4737
> Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com


--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
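
One way to verify the result of the advice above, as an added example that is not part of the original post or of FreeRADIUS: a small C check that the server's key file is a regular file owned by a dedicated service account, with no group or other access. The function and enum names are hypothetical; the default path is the one from the error message in the thread, and the uid of the service account is passed on the command line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

enum key_status {
    KEY_OK = 0,
    KEY_STAT_FAILED,   /* missing, or a parent directory denies access */
    KEY_NOT_REGULAR,   /* symlink, directory, device, ... */
    KEY_WRONG_OWNER,   /* not owned by the service account */
    KEY_TOO_OPEN       /* group or other has some permission bit */
};

/* Check that `path` is a regular file owned by `service_uid` and that
 * neither group nor other has any permission bit set on it. */
enum key_status check_key_file(const char *path, uid_t service_uid)
{
    struct stat st;

    /* lstat, not stat: a symlink is reported instead of being followed. */
    if (lstat(path, &st) != 0) return KEY_STAT_FAILED;
    if (!S_ISREG(st.st_mode)) return KEY_NOT_REGULAR;
    if (st.st_uid != service_uid) return KEY_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return KEY_TOO_OPEN;
    return KEY_OK;
}

static const char *key_status_text(enum key_status s)
{
    switch (s) {
    case KEY_OK:          return "ok: owner-only access";
    case KEY_STAT_FAILED: return "cannot stat file";
    case KEY_NOT_REGULAR: return "not a regular file";
    case KEY_WRONG_OWNER: return "owned by a different account";
    case KEY_TOO_OPEN:    return "group/other permissions are set";
    }
    return "unknown";
}

int main(int argc, char **argv)
{
    /* Usage: keycheck <uid-of-service-account> [file] */
    if (argc < 2) {
        fprintf(stderr, "usage: %s uid [file]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    const char *path = argc > 2 ? argv[2]
                                : "/opt/local/etc/raddb/certs/server.pem";
    enum key_status s = check_key_file(path, uid);
    printf("%s: %s\n", path, key_status_text(s));
    return s == KEY_OK ? 0 : 1;
}
```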



pap Cleartext-Password, sql etc...

2008-01-30 Thread Andrew Long
When I have (radcheck) attribute `User-Password', authentication
succeeds but we see the following:

rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
  rlm_chap: Using clear text password aromaescape for user
elmaroma_cn3000 authentication.
  rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
++[chap] returns ok

If I change the attribute to `Cleartext-Password', authentication
fails and I see:

rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
  rlm_chap: Cleartext-Password is required for authentication
++[chap] returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available):
[elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli
00-02-6F-xx-xx-92)

The users file
--
DEFAULT Fall-Through = 1
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
-
authorize {
        preprocess
        chap
        mschap
        suffix
        unix
        files
        sql
        expiration
        logintime
        noresetcounter
        dailycounter
        monthlycounter
        daypasscounter
        pap
}
authenticate {
        pap
        chap
        mschap
}

Thanks muchly,

Andrew Long
EWS


Re: pap Cleartext-Password, sql etc...

2008-01-30 Thread Kevin Bonner
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
> If I change the attribute to `Cleartext-Password', authentication
> fails and I see:
>
> rlm_pap: WARNING! No known good password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type CHAP
> auth: type CHAP
> +- entering group CHAP
>   rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
>   rlm_chap: Cleartext-Password is required for authentication
> ++[chap] returns invalid
> auth: Failed to validate the user.
> Login incorrect (rlm_chap: Clear text password not available):
> [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli
> 00-02-6F-xx-xx-92)
>
> Thanks muchly,
> Andrew Long
> EWS
 EWS

Can you run the radcheck query manually and post the output?  Is the operator 
correct?  Does it do the same thing when you move the SQL entry to the users 
file and make the same attribute name changes?

Kevin Bonner



Re: trouble seting up freeradius :((

2008-01-30 Thread SnahaD00
SnahaD00 wrote:  When I issue command freeradius -x i got this:  rlm_eap_tls: 
Loading the certificate file as a chain  rlm_eap: SSL error 
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt The 
password you put in the configuration file is not the same as the password used 
to create the private key. Alan DeKok. 

Ok. Got this part working. Now another thing or two:

- installing certificates on windows xp box ?
- creating my own certificate - how to or better walk through ?

Snaha


Re: cannot connect to sql databse

2008-01-30 Thread Devinder Singh
Thanks Liran

On 30/01/2008, Liran Tal [EMAIL PROTECTED] wrote:


 On Jan 30, 2008 10:42 AM, Devinder Singh [EMAIL PROTECTED] wrote:

  I have hard times with Dial Up Admin
 
  Should i proceed with daloradius
 
  do i install it in srv/www folder
  like dial up
 
 
 

 Yes you install it wherever you usually place your web projects
 on your distribution which is configured with apache.

 Please let's continue this discussion in a new thread, the daloradius
 mailing list or on the irc channel #daloradius on freenode.


 Regards,
 Liran Tal.



 
 
   On 28/01/2008, liran tal [EMAIL PROTECTED] wrote:
 
  
   Hey Devinder,
  
   On Jan 28, 2008 4:35 AM, Devinder Singh [EMAIL PROTECTED]
   wrote:
  
   
Hi
   
I am using Dial Up Admin on Free radius
   
   
Free Radius is Running but when i access Dial Up admin page i get
cannot connect to sql databse
   
I have done most of the configuration settings and followed the wiki
tutorial on Free Radius.
   
  
   Did you check that your sql server is actually running?
   Did you import the radius database schema into the sql server?
   Did you configure all the required settings to connect to the
   sql server in dialupadmin?
  
  
   You also might want to take a look at daloRADIUS for easy web
   management
   of freeradius with sql servers:
   http://sourceforge.net/projects/daloradius/
  
  
   Regards,
   Liran.
  
  
  
  
  
  
 
 
 
  --
  Devinder




-- 
Devinder

Re: pap Cleartext-Password, sql etc...

2008-01-30 Thread Ivan Kalik
Can you post users entry in the database? It's quite likely that you
left == as the operator instead of using :=.

Ivan Kalik
Kalik Informatika ISP

On 30/1/2008, Andrew Long [EMAIL PROTECTED] wrote:

When I have (radcheck) attribute `User-Password', authentication
succeeds but we see the following:

rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
  rlm_chap: Using clear text password aromaescape for user
elmaroma_cn3000 authentication.
  rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
++[chap] returns ok

If I change the attribute to `Cleartext-Password', authentication
fails and I see:

rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
  rlm_chap: Cleartext-Password is required for authentication
++[chap] returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available):
[elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli
00-02-6F-xx-xx-92)

The users file
--
DEFAULTFall-Through = 1
DEFAULTService-Type == Framed-User
   Framed-IP-Address = 255.255.255.254,
   Framed-MTU = 576,
   Service-Type = Framed-User,
   Fall-Through = Yes
DEFAULTFramed-Protocol == PPP
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobson-TCP-IP
-
authorize {
   preprocess
   chap
   mschap
   suffix
   unix
   files
   sql
   expiration
   logintime
   noresetcounter
   dailycounter
   monthlycounter
   daypasscounter
   pap}
authenticate {
   pap
   chap
   mschap}

Thanks muchly,

Andrew Long
EWS


Re: pap Cleartext-Password, sql etc...

2008-01-30 Thread Andrew Long
With attribute `User-Password' and op = `==' we get this:

rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -
SELECT id, username, attribute, value, op FROM radcheck WHERE
username = 'mainaroma_cn3200' ORDER BY id
WARNING: Found User-Password == 
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
rlm_sql (sql): User found in radcheck table

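mysql> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id;
+-----+------------------+---------------+--------------+----+
| id  | username         | attribute     | value        | op |
+-----+------------------+---------------+--------------+----+
| 409 | mainaroma_cn3200 | User-Password | nicepassword | == |
+-----+------------------+---------------+--------------+----+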
1 row in set (0.01 sec)



Now, with `op' = `:=' rather than `==' as Ivan suggests :
we see the same error...

  rad_check_password:  Found Auth-Type CHAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by mainaroma_cn3200 with CHAP password
  rlm_chap: Using clear text password aromaescape for user
mainaroma_cn3200 authentication.
  rlm_chap: chap user mainaroma_cn3200 authenticated succesfully
++[chap] returns ok

The only difference is that when I use `:=' there are two
access-requests from the host and two access-accepts:
access-request id 40 -- access-accept id 40
and then immediately
access-request id 160 -- access-accept id 160.

None of this is in users file; we pass the info from sql.

Andrew
EWS Solutions

===
On Jan 30, 2008 5:21 PM, Kevin Bonner [EMAIL PROTECTED] wrote:
 On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
  If I change the attribute to `Cleartext-Password', authentication
  fails and I see:
 
  rlm_pap: WARNING! No known good password found for the user.
  Authentication may fail because of this.
  ++[pap] returns noop
rad_check_password:  Found Auth-Type CHAP
  auth: type CHAP
  +- entering group CHAP
rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
rlm_chap: Cleartext-Password is required for authentication
  ++[chap] returns invalid
  auth: Failed to validate the user.
  Login incorrect (rlm_chap: Clear text password not available):
  [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli
  00-02-6F-xx-xx-92)
 
  Thanks muchly,
  Andrew Long
  EWS



2008/1/30 Ivan Kalik [EMAIL PROTECTED]:
 Can you post users entry in the database. it's quite likely that you
 left == as the operator instead of using :=.

 Ivan Kalik
 Kalik Informatika ISP

 On 30/1/2008, Andrew Long [EMAIL PROTECTED] wrote:


 When I have (radcheck) attribute `User-Password', authentication
 succeeds but we see the following:
 
 rlm_pap: Found existing Auth-Type, not changing it.
 ++[pap] returns noop
   rad_check_password:  Found Auth-Type CHAP
 !!!
 !!!Replacing User-Password in config items with Cleartext-Password. 
 !!!
 !!!
 !!! Please update your configuration so that the known good   
 !!!
 !!! clear text password is in Cleartext-Password, and not in User-Password. 
 !!!
 !!!
 auth: type CHAP
 +- entering group CHAP
   rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
   rlm_chap: Using clear text password aromaescape for user
 elmaroma_cn3000 authentication.
   rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
 ++[chap] returns ok
 
 If I change the attribute to `Cleartext-Password', authentication
 fails and I see:
 
 rlm_pap: WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
   rad_check_password:  Found Auth-Type CHAP
 auth: type CHAP
 +- entering group CHAP
   rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
   rlm_chap: Cleartext-Password is required for authentication
 ++[chap] returns invalid
 auth: Failed to validate the user.
 Login incorrect (rlm_chap: Clear text password not available):
 [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli
 00-02-6F-xx-xx-92)
 
 The users file
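
The thread above gives two pieces of advice for the radcheck row: the server warning asks for `Cleartext-Password` instead of `User-Password`, and Ivan suggests `:=` instead of `==`. The following added example (not code from the thread or from FreeRADIUS) audits a radcheck table for both and rewrites the affected rows; it assumes an in-memory SQLite table standing in for the MySQL one, and every row in it is constructed.

```python
import sqlite3

# radcheck attributes that hold the "known good" password (both appear in the thread).
PASSWORD_ATTRS = {"User-Password", "Cleartext-Password"}


def make_sample_db():
    """In-memory stand-in for the MySQL radius database; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radcheck (
        id INTEGER PRIMARY KEY, username TEXT, attribute TEXT,
        op TEXT, value TEXT)""")
    db.executemany(
        "INSERT INTO radcheck (id, username, attribute, op, value) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", "User-Password", "==", "example-pw-1"),       # legacy name, compare op
            (2, "bob", "Cleartext-Password", "==", "example-pw-2"),    # right name, compare op
            (3, "carol", "Cleartext-Password", ":=", "example-pw-3"),  # name and op as advised
            (4, "carol", "Simultaneous-Use", ":=", "1"),               # not a password row
        ])
    return db


def audit_radcheck(db):
    """Return (id, username, [problems]) for password rows that need attention."""
    findings = []
    rows = db.execute(
        "SELECT id, username, attribute, op FROM radcheck ORDER BY id")
    for row_id, username, attribute, op in rows:
        if attribute not in PASSWORD_ATTRS:
            continue
        problems = []
        if attribute == "User-Password":
            problems.append("attribute is User-Password, not Cleartext-Password")
        if op != ":=":
            problems.append("op is %r, not ':='" % op)
        if problems:
            findings.append((row_id, username, problems))
    return findings


def fix_radcheck(db):
    """Rewrite password rows to Cleartext-Password with ':='; return rows changed."""
    cur = db.execute(
        "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':=' "
        "WHERE attribute IN ('User-Password', 'Cleartext-Password') "
        "AND (attribute <> 'Cleartext-Password' OR op <> ':=')")
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    for row_id, user, problems in audit_radcheck(db):
        print(row_id, user, "; ".join(problems))
    print("rows rewritten:", fix_radcheck(db))
    print("remaining findings:", audit_radcheck(db))
```
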

RE: radiusd service do not start [SEC=UNCLASSIFIED]

2008-01-30 Thread Ranner, Frank MR
UNCLASSIFIED


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nicolas
Sent: Thursday, 31 January 2008 03:04
To: freeradius-users@lists.freeradius.org
Subject: radiusd service do not start



Hi,

 

I installed freeradius to manage the wifi network of our organization
(17 wifi ap)

It works well when launched in command line (radiusd -X), but I can't
make it work as a service,

 

'Service radiusd start' seems to work, but radius closes immediately
after, so a status will say that radiusd is dead, but subsys is locked.

 

That indicates a permissions problem. When you run radiusd -X it runs as
root. When you start as a service it switches to the user specified in
radiusd.conf, usually radiusd.

 

Try: 

strace -f -e open,stat radiusd

and look for lines with EPERM indicating files that failed to open
because of permission fails. These will probably be owned by root.

 

regards,

Frank Ranner

Classification=UNCLASSIFIED
Precedence=ROUTINE
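
The strace check suggested above, automated as an added example (not part of the original message): it pulls the denied paths out of `strace -f` output. It matches EACCES as well as EPERM, because open(2) and stat(2) report a file-mode denial as EACCES, and it also accepts `openat` lines. The sample trace is constructed: the paths are taken from the `radiusd -X` output in this thread, but which of them fail is invented.

```python
import re

# One failed syscall line, with or without the "[pid N]" prefix that -f adds.
FAILED_CALL = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'          # optional "[pid  4321] "
    r'(?P<call>\w+)\((?:AT_FDCWD,\s*)?'         # open( / stat( / openat(AT_FDCWD,
    r'"(?P<path>(?:[^"\\]|\\.)*)"'              # first quoted argument: the path
    r'.*\)\s+=\s+-1\s+(?P<errno>E[A-Z0-9]+)\b'  # ") = -1 EACCES (Permission denied)"
)

# errno names that mean "the service user is not allowed to do this".
DENIED = {"EACCES", "EPERM"}

# Constructed sample of `strace -f -e open,stat radiusd` output.
SAMPLE_STRACE = """\
open("/etc/raddb/radiusd.conf", O_RDONLY) = 3
stat("/etc/raddb/certs/root.pem", 0x7ffc0a1b2c30) = -1 EACCES (Permission denied)
stat("/etc/raddb/certs", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
[pid  4321] open("/etc/raddb/certs/dh", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4321] open("/etc/raddb/certs/wifi.dasilva.int.pem", O_RDONLY) = -1 EACCES (Permission denied)
[pid  4321] openat(AT_FDCWD, "/usr/local/var/log/radius/radius.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid  4321] open("/etc/raddb/certs/wifi.dasilva.int.pem", O_RDONLY) = -1 EACCES (Permission denied)
"""


def permission_failures(strace_text):
    """Return unique (pid, syscall, path, errno) tuples for denied calls, in order."""
    seen = set()
    failures = []
    for line in strace_text.splitlines():
        m = FAILED_CALL.match(line.strip())
        if not m or m.group("errno") not in DENIED:
            continue  # successful call, or a failure that is not a permission problem
        key = (m.group("path"), m.group("errno"))
        if key in seen:
            continue  # the daemon retried the same path
        seen.add(key)
        pid = int(m.group("pid")) if m.group("pid") else None
        failures.append((pid, m.group("call"), m.group("path"), m.group("errno")))
    return failures


if __name__ == "__main__":
    for pid, call, path, errno in permission_failures(SAMPLE_STRACE):
        print("%-6s %-7s %s (pid %s)" % (errno, call, path, pid))
```

Each reported path can then be checked with `ls -l` against the `user` and `group` values in radiusd.conf.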

RE: Issue reading from detail to sql (buffered-sql virtual server)

2008-01-30 Thread Nick Freeman
I've done some more digging as to why the database only gets one
update..

With no detail or detail.work file, freeradius will wake up every 1
second to check for creation - when it gets updated, it puts it into the
database fine. 

However it never deletes or changes the detail.work file - so when I
send a second accounting packet, it will go into the detail file without
a problem (and will be the only packet in the file) but detail.work
seems to be locked with the first packet. No matter how many packets I
send it detail.work always sticks with the first packet, and nothing
ever gets written to the database.

The problem was originally with 2.0.0, I have tried with the latest CVS
with no luck either.

The end of the debug for the virtual server which does the DB writing is
below, nothing ever shows up after the last line:

rlm_sql (sql_logger1): Reserving sql socket id: 13
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql_logger1): Released sql socket id: 13
++[sql_logger1] returns ok
++[ok] returns ok
} # server local_logger
RTT 38420   delay 153680
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Cleaning up request 0 ID 37069 with timestamp +20
Ready to process requests.


Any help would be appreciated, thanks!


Nick


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Freeman
Sent: Wednesday, January 30, 2008 10:06 AM
To: freeradius-users@lists.freeradius.org
Subject: Issue reading from detail to sql (buffered-sql virtual server)

Hi,

I'm trying to get my detail file picked up by multiple virtual servers
and relayed to multiple PostgreSQL backends. The detail file writes
fine, however the detail reader will only ever write one entry to the
Postgres DB when it starts.

The config I have for the virtual server in question is below:

server local_logger {
    listen {
        type = detail
        filename = ${radacctdir}/detail
        load_factor = 20
    }
    preacct {
        preprocess
        acct_unique
        files
    }

    accounting {
        sql_logger1
    }
}

I have verified that sql_logger1 isn't the problem, if I put that after
the detail directive in another virtual server data gets written to the
database every time. It looks like my local_logger never picks anything
up (except once on startup). Looking at server starting in debug mode I
see this:

listen {
type = detail
  listen {
filename = /var/log/freeradius/radacct/detail
load_factor = 20
  }
}

Is this normal? The listen directive is in the same format as the other
virtual servers but this is the only one which has nested listens in the
server startup.

Thanks in advance,

Nick





Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Alan DeKok
Stefan Puch wrote:
 Then some people came with their mobile devices which are running Windows 
 Mobile
 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.
 The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't
 work on e.g. Windows Mobile 6 PDA.

  You have to love Microsoft...

 With the new version 2.0.1 the Windows and Linux Laptops are not able to
 authenticate any more with the freeradius server (the certificates are still 
 the
 same). The server sends an ACCESS, but the behavior is like described in the 
 FAQ
 PEAP or EAP-TLS Doesn't Work with a Windows machine. Downgrading to the
 previous version of freeradius 1.1.7 makes them work again, freeradius version
 2.0.0 doesn't work either.

  The EAP-TLS code was substantially re-worked in 2.0.0.  It was tested
with Vista, XP SP1, XP SP2, Linux systems, MAC.  It's working live in
environments with many, may different OS's and architectures.

  So it *should* work.

 So, what would be helpful to analyze the problem? All config files or just the
 output from radiusd -X from both versions in order to make a diff or should I
 open a new bug in the tracking system as well?

  ethereal packet traces of the RADIUS traffic would help.  But I would
first suggest trying to use the test certificates that come with 2.0.1.
 If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that there
is something special about the certificates you're using.

  Alan DeKok.


Re: cannot connect to sql databse

2008-01-30 Thread YvesDM
On Jan 30, 2008 10:41 AM, Devinder Singh [EMAIL PROTECTED] wrote:

 Yes i can access mysql from CLI


Did you try to create another mysql user account for dialupadmin and give
him the correct rights on the radius database?

sql accounting - no records - 2.0.1

2008-01-30 Thread Andrew Long
I've just installed 2.0.1 on CentOS 5 with MySQL 5.x. I can get the
clients to authenticate and I see accounting requests come in, also I
see the accounting query as it should be updated to mysql, i.e.,
expand: UPDATE radacct I also see the accounting response
returned to the client, but no accounting records are being updated in
radacct table. There are no errors in debug mode relevant to mysql:

rlm_sql (sql): received Acct On/Off packet
expand: %{Acct-Delay-Time} - 0
expand:   UPDATE radacct   SET
acctstoptime   =  '%S',  acctsessiontime=
unix_timestamp('%S') -
unix_timestamp(acctstarttime),  acctterminatecause =
'%{Acct-Terminate-Cause}',  acctstopdelay  =
%{%{Acct-Delay-Time}:-0}   WHERE acctsessiontime =  0
 AND acctstoptime  =  NULL   AND nasipaddress  =
'%{NAS-IP-Address}'   AND acctstarttime = '%S' -
  UPDATE radacct   SET  acctstoptime   =
'2008-01-30 07:45:06',  acctsessiontime=
unix_timestamp('2008-01-30 07:45:06') -
unix_timestamp(acctstarttime),  acctterminatecause =
'',  acctstopdelay  =  0   WHERE
acctsessiontime =  0   AND acctstoptime  =  NULL
AND nasipaddress  =  '141.xxx.xxx.xxx'   AND acctstarttime
= '2008-01-30 07:45:06'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
expand: %{User-Name} - elmaroma_cn3000
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 33 to 141.xxx.xxx.xxx port 1025

I have tried this with 2 different clients and get the same NULL
result. Authentication is fine, but any features relying on data in
radacct clearly won't work, ie session-timeout...

I've checked the default config, and all accounting is set to sql.
The one oddity I notice is that default has:
#  See Accounting queries in sql.conf
sql

But I can see no accounting queries anywhere in the provided sql.conf ??

Thank You.

Andrew Long
EWS Solutions
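
The Acct On/Off UPDATE logged above filters on `acctstoptime = NULL`. In SQL a comparison with NULL is never true, so a WHERE clause written that way selects no rows, while `IS NULL` does. The following added example (not from the original post or from FreeRADIUS) runs both forms against the same data. Assumptions: an in-memory SQLite table stands in for MySQL, `strftime('%s', ...)` replaces `unix_timestamp()`, the radacct columns are trimmed to those the statement touches, the `acctstarttime` condition is left out, and all rows are constructed.

```python
import sqlite3

# The two ways of testing for an open session; only these fragments are accepted.
ALLOWED_TESTS = ("acctstoptime = NULL", "acctstoptime IS NULL")


def make_radacct():
    """Trimmed radacct table with constructed sessions."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, nasipaddress TEXT,
        acctstarttime TEXT, acctstoptime TEXT, acctsessiontime INTEGER)""")
    db.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?, ?, ?)",
        [
            (1, "192.0.2.10", "2008-01-30 07:00:00", None, 0),   # open session
            (2, "192.0.2.10", "2008-01-30 07:10:00", None, 0),   # open session
            (3, "192.0.2.10", "2008-01-29 09:00:00",
             "2008-01-29 10:00:00", 3600),                       # already closed
            (4, "192.0.2.20", "2008-01-30 07:05:00", None, 0),   # open, other NAS
        ])
    return db


def close_sessions(db, nas_ip, stop_time, open_test):
    """Run the On/Off style UPDATE with the given NULL test; return rows changed."""
    if open_test not in ALLOWED_TESTS:
        raise ValueError("unexpected SQL fragment: %r" % open_test)
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = ?, "
        "acctsessiontime = strftime('%s', ?) - strftime('%s', acctstarttime) "
        "WHERE acctsessiontime = 0 AND " + open_test + " AND nasipaddress = ?",
        (stop_time, stop_time, nas_ip))
    db.commit()
    return cur.rowcount


def open_sessions(db, nas_ip):
    """Count sessions for a NAS that still have no stop time."""
    return db.execute(
        "SELECT COUNT(*) FROM radacct "
        "WHERE acctstoptime IS NULL AND nasipaddress = ?", (nas_ip,)).fetchone()[0]


if __name__ == "__main__":
    db = make_radacct()
    stop = "2008-01-30 07:45:06"
    for test in ALLOWED_TESTS:
        changed = close_sessions(db, "192.0.2.10", stop, test)
        print("%-22s rows changed: %d, still open: %d"
              % (test, changed, open_sessions(db, "192.0.2.10")))
```
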


Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
Hello everyone,

I've got some problems with the new version of freeradius, but before I'm going
to open a new bugreport or post long debugtraces from radiusd -X I want to ask
here if someone else has made similar experiences.

I've set up a freeradius server version 1.1.7 in our club to authenticate
several Notebooks. This worked fine with Windows XP, Windows Vista and Linux
clients using EAP-TLS certificates (many thanks for the good documentation of
the OIDs in the TLS certificate).

Then some people came with their mobile devices which are running Windows Mobile
2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.
The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't
work on e.g. Windows Mobile 6 PDA.
So first I updated the freeradius version to the latest release (2.0.1), checked
and modified all configuration files and so on, but that didn't solve the
problem, it made them worse.

With the new version 2.0.1 the Windows and Linux Laptops are not able to
authenticate any more with the freeradius server (the certificates are still the
same). The server sends an ACCESS, but the behavior is like described in the FAQ
PEAP or EAP-TLS Doesn't Work with a Windows machine. Downgrading to the
previous version of freeradius 1.1.7 makes them work again, freeradius version
2.0.0 doesn't work either.

Does anyone of the experts here know what could be the problem (a guess, perhaps
what changed from version 1.1.7 to version 2.0.1)?
My goal is first to make the clients using Windows XP, Vista and Linux work
again with freeradius version2 and EAP-TLS. After fixing that it would be fine,
if freeradius would also work with the different Windows Mobile systems.

So, what would be helpful to analyze the problem? All config files or just the
output from radiusd -X from both versions in order to make a diff or should I
open a new bug in the tracking system as well?
I would like to provide USEFUL debug-traces, so that it is easier for the
experts to solve the problem and not too much work for me when providing useless
information.

Best regards and thanks in advance

Stefan Puch



Problem with XP Clients

2008-01-30 Thread Patrice OLIVER

Hello,

I recently setup freeradius 1.1.7 to run a EAP-TLS authentication.
My clients run on windows xp pro sp2, with microsoft hotfixes to be 
able to use WPA2 and EAP.

Encryption is WPA2-AES.

All certificates (root and client) are installed in the computer storage 
and in the user storage, as documented on the Internet (root in trusted, 
client in personal).


When I log in with an administrator account, everything works fine.
When I log in with a domain user account, I can't access to the network. 
A look at freeradius logs shows that it authenticates every 1 second, so 
the network connection does not stay up ... All access requests are 
accepted.


Does anyone of you have an idea of what's happening ?

Regards,


--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/City-Hospital Project Manager/
/Network and Security Manager/
BP 104
21203 BEAUNE Cedex  Tel. 03 80 24 44 09
Fax. 03 80 24 45 90



Re: Radclient multihomed host

2008-01-30 Thread Jacques Marneweck

Hi Etienne,

Use the configuration option:

bind_address = IP.ADD.RE.SS 

Regards
--jm

On 30 Jan 2008, at 2:48 PM, Etienne Pretorius wrote:


Hello list,

Is there any way that I could make radclient send a packet from a
different src ipaddress on a multihomed host

--
Kind Regards
Etienne Pretorius
Network Administrator
Kingsley Technologies
Email: [EMAIL PROTECTED]
Tel: 086 11 KTECH
Local Fax: 086 611 5001
International Fax: +27 21 761 9930


--
Jacques Marneweck
http://www.powertrip.co.za/
http://www.powertrip.co.za/blog/
http://www.ataris.co.za/
http://www.dataarchitects.co.za/

#include std/disclaimer.h



radiusd service do not start

2008-01-30 Thread Nicolas
Hi,

 

I installed freeradius to manage the wifi network of our organization (17
wifi ap)

It works well when launched in command line (radiusd -X), but I can’t make
it work as a service,

 

‘Service radiusd start’ seems to work, but radius closes immediately after,
so a status will say that radiusd is dead, but subsys is locked.

 

Here is the output of the radius -X:

# radiusd -X

Starting - reading configuration files ...

reread_config:  reading radiusd.conf

Config:   including file: /etc/raddb/proxy.conf

Config:   including file: /etc/raddb/clients.conf

Config:   including file: /etc/raddb/snmp.conf

Config:   including file: /etc/raddb/eap.conf

Config:   including file: /etc/raddb/sql.conf

 main: prefix = /usr/local

 main: localstatedir = /usr/local/var

 main: logdir = /usr/local/var/log/radius

 main: libdir = /usr/local/lib

 main: radacctdir = /usr/local/var/log/radius/radacct

 main: hostname_lookups = no

 main: max_request_time = 30

 main: cleanup_delay = 5

 main: max_requests = 1024

 main: delete_blocked_requests = 0

 main: port = 1812

 main: allow_core_dumps = no

 main: log_stripped_names = no

 main: log_file = /usr/local/var/log/radius/radius.log

 main: log_auth = no

 main: log_auth_badpass = no

 main: log_auth_goodpass = no

 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid

 main: user = nobody

 main: group = nobody

 main: usercollide = no

 main: lower_user = no

 main: lower_pass = no

 main: nospace_user = no

 main: nospace_pass = no

 main: checkrad = /usr/local/sbin/checkrad

 main: proxy_requests = yes

 proxy: retry_delay = 5

 proxy: retry_count = 3

 proxy: synchronous = no

 proxy: default_fallback = yes

 proxy: dead_time = 120

 proxy: post_proxy_authorize = yes

 proxy: wake_all_if_all_dead = no

 security: max_attributes = 200

 security: reject_delay = 1

 security: status_server = no

 main: debug_level = 0

read_config_files:  reading dictionary

read_config_files:  reading naslist

Using deprecated naslist file.  Support for this will go away soon.

read_config_files:  reading clients

read_config_files:  reading realms

 listen: port = 1812

 listen: type = auth

 listen: port = 1813

 listen: type = acct

radiusd:  entering modules setup

Module: Library search path is /usr/local/lib

Module: Loaded exec

 exec: wait = yes

 exec: program = (null)

 exec: input_pairs = request

 exec: output_pairs = (null)

 exec: packet_type = (null)

rlm_exec: Wait=yes but no output defined. Did you mean output=none?

Module: Instantiated exec (exec)

Module: Loaded expr

Module: Instantiated expr (expr)

Module: Loaded System

 unix: cache = no

 unix: passwd = (null)

 unix: shadow = (null)

 unix: group = (null)

 unix: radwtmp = /usr/local/var/log/radius/radwtmp

 unix: usegroup = no

 unix: cache_reload = 600

Module: Instantiated unix (unix)

Module: Loaded eap

 eap: default_eap_type = tls

 eap: timer_expire = 60

 eap: ignore_unknown_eap_types = yes

 eap: cisco_accounting_username_bug = no

 tls: rsa_key_exchange = no

 tls: dh_key_exchange = yes

 tls: rsa_key_length = 512

 tls: dh_key_length = 512

 tls: verify_depth = 0

 tls: CA_path = (null)

 tls: pem_file_type = yes

 tls: private_key_file = /etc/raddb/certs/wifi.dasilva.int.pem

 tls: certificate_file = /etc/raddb/certs/wifi.dasilva.int.pem

 tls: CA_file = /etc/raddb/certs/root.pem

 tls: private_key_password = whatever

 tls: dh_file = /etc/raddb/certs/dh

 tls: random_file = /etc/raddb/certs/random

 tls: fragment_size = 1024

 tls: include_length = yes

 tls: check_crl = no

 tls: check_cert_cn = (null)

rlm_eap: Loaded and initialized type tls

 peap: default_eap_type = tls

 peap: copy_request_to_tunnel = no

 peap: use_tunneled_reply = no

 peap: proxy_tunneled_request_as_eap = yes

rlm_eap: Loaded and initialized type peap

Module: Instantiated eap (eap)

Module: Loaded preprocess

 preprocess: huntgroups = /etc/raddb/huntgroups

 preprocess: hints = /etc/raddb/hints

 preprocess: with_ascend_hack = no

 preprocess: ascend_channels_per_line = 23

 preprocess: with_ntdomain_hack = no

 preprocess: with_specialix_jetstream_hack = no

 preprocess: with_cisco_vsa_hack = no

Module: Instantiated preprocess (preprocess)

Module: Loaded detail

 detail: detailfile =
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d

 detail: detailperm = 384

 detail: dirperm = 493

 detail: locking = no

Module: Instantiated detail (auth_log)

Module: Loaded files

 files: usersfile = /etc/raddb/users

 files: acctusersfile = /etc/raddb/acct_users

 files: preproxy_usersfile = /etc/raddb/preproxy_users

 files: compat = no

Module: Instantiated files (files)

Module: Loaded Acct-Unique-Session-Id

 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port

Module: Instantiated acct_unique (acct_unique)

Module: Loaded realm

 realm: format = suffix

 realm: delimiter = @

 realm: ignore_default = no

 realm: ignore_null = no

Module: 

Radclient multihomed host

2008-01-30 Thread Etienne Pretorius




Hello list,

Is there any way that I could make radclient send a packet from a
different src ipaddress on a multihomed host
-- 
Kind Regards

Etienne Pretorius
Network Administrator
Kingsley Technologies
Email: [EMAIL PROTECTED]
Tel: 086 11 KTECH
Local Fax: 086 611 5001
International Fax: +27 21 761 9930

Re: deactivate ldap.attrmap

2008-01-30 Thread Sebastian Heil

 On Wednesday 30 January 2008, Sebastian Heil wrote:
   Sebastian Heil wrote:
   ...
  
i added the following lines to the ldap-section:
  
   ...
  
rlm_ldap: could not start TLS Can't contact LDAP server
  
 
 
 It doesn't seem that your TLS is well initiated. I don't think it is  an
 ldap 
 or freeradius issue. 

Maybe... maybe not... i don't know... the configuration-options for ldaps are 
not really well documented, i think.

how can i confirm, which software produces this problem?

In a first time, perhaps you could try your conf
 without 
 the TLS tunnel.

My configuration works with normal ldap. so i tried to upgrade to ldaps, 
which didn't work.
 
 
   14 0.049652freeradius  edirectory  TLSv1   
  Encrypted Alert
 
 

Any ideas which problem can produce this encrypted alert?

Thanks a lot.

Sebastian
