problem configuring freeradius with ldap user database
Hello All

I am experiencing a problem while trying to authenticate the username/password in LDAP through a freeradius server. While a regular telnet/ssh to the edge running an openLdap client / PAM module works fine (it is able to authenticate), the problem arises when trying to authenticate using the freeradius server. This is what the log message looks like:

User-Name = try
User-Password = trialanderror
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = try, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 155
modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for try
radius_xlat: '(uid=try)'
radius_xlat: 'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by try with password trialanderror
rlm_ldap: user DN: uid=try,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 1
rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module ldap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...

Here you can see that the authorization of a user 'try' having password 'trialanderror' works fine but authentication fails. The host running the freeradius server is Fedora Core 5 running linux 2.6.25. Could you please suggest where we are going wrong. I am sending you a copy of the /etc/raddb/users file as well.

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Auth-Type := LDAP
        Fall-Through = 0

Any help would be gratefully appreciated.

Thanks
Sambuddho

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
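Added example (not part of the original post or of FreeRADIUS): a short Python helper that reads a debug trace shaped like the one above, masks the password and hash fields before the trace is shared, and reports which module rejected the request. The line patterns are taken from this 1.1.x-style output only, and the sample is a constructed subset of it.

```python
import re

# Constructed sample: selected lines from the radiusd -X output posted above.
SAMPLE = """\
User-Name = try
User-Password = trialanderror
modcall[authorize]: module files returns ok for request 0
rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in check items
modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
rlm_ldap: login attempt by try with password trialanderror
rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to 30.0.0.2:389
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module ldap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
"""

# Places where this trace format prints a secret (assumption: only these four).
# Group 1 and group 3 are kept, group 2 is masked.
SECRET_PATTERNS = [
    re.compile(r"^(User-Password = )(.+)()$"),
    re.compile(r"^(rlm_ldap: login attempt by \S+ with password )(.+)()$"),
    re.compile(r"^(rlm_ldap: Added password )(\S+)( in check items)$"),
    re.compile(r"^(rlm_ldap: bind as [^/]+/)(.+)( to \S+)$"),
]
MODULE = re.compile(r"^modcall\[(\w+)\]: module (\S+) returns (\w+) for request \d+$")
GROUP = re.compile(r"^modcall: group (\S+) returns (\w+) for request \d+$")


def redact(line):
    """Mask the password or hash in one trace line; other lines pass through."""
    for pat in SECRET_PATTERNS:
        m = pat.match(line)
        if m:
            return m.group(1) + "<redacted>" + m.group(3)
    return line


def summarise(trace):
    """Return (redacted_lines, results, culprit).

    results: (section, module, return code) tuples in trace order.
    culprit: first rejecting (section, module) plus the message logged before it.
    """
    redacted, results, culprit, previous = [], [], None, ""
    for raw in trace.splitlines():
        line = redact(raw.strip())
        redacted.append(line)
        m = MODULE.match(line)
        if m:
            results.append(m.groups())
            if m.group(3) == "reject" and culprit is None:
                culprit = (m.group(1), m.group(2), previous)
        elif not GROUP.match(line):
            previous = line  # remember the last module message
    return redacted, results, culprit


if __name__ == "__main__":
    lines, results, culprit = summarise(SAMPLE)
    print("\n".join(lines))
    print("rejected by:", culprit)
```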
freeradius resources
Hi all, just started delving into RADIUS and have begun to take the plunge with FreeRADIUS. Any suggested books on the subject? I see quite a few on the subject: http://tinyurl.com/4xudfm
Re: freeradius resources
Rogelio wrote:
> Hi all, just started delving into RADIUS and have begun to take the plunge with FreeRADIUS. Any suggested books on the subject? I see quite a few on the subject:

The O'Reilly book is good if you know absolutely nothing about RADIUS. But 1/3 is from the RFC's (paraphrased), and another 1/3 is from the FreeRADIUS documentation.

The Wiley book has about 30 pages on RADIUS, the rest is about technologies that you don't use. And the RADIUS stuff is not that useful.

Then, there's my book. It's at about 200 pages, and has been at that level for over a year. I'm trying to find time to either finish it, or to clean it up, and put it on the web.

Alan DeKok.
Re: problem configuring freeradius with ldap user database
Sambuddho Chakravarty wrote:
> I am experiencing a problem while trying to authenticate the username/password in LDAP through a freeradius server. While a regular telnet/ssh to the edge running an openLdap client / PAM module works fine (it is able to authenticate), the problem arises when trying to authenticate using the freeradius server. This is what the log message looks like:
>
> User-Name = try
> User-Password = trialanderror
> NAS-IP-Address = 127.0.0.1
> ...
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
> rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in check items

If you do NOTHING more than configure ldap in the default configuration, this should work.

> modcall[authorize]: module ldap returns ok for request 0
> modcall: group authorize returns ok for request 0

You're not using 2.0, and you've edited the default configuration. DO use a recent version. DON'T edit the configuration to re-arrange the modules in the authorize section.

> Here you can see that the authorization of a user 'try' having password 'trialanderror' works fine but authentication fails. The host running the freeradius server is Fedora Core 5 running linux 2.6.25.

The OS doesn't matter. The version of FreeRADIUS does. It seems you're using 1.1.x. You should at LEAST upgrade to 1.1.7. Then, un-comment the references to LDAP, and configure the LDAP module. The test WILL work.

Alan DeKok.
Deploying Freeradius in a HA environment
Hi, I am working on deploying 2 load balancing freeradius in a HA environment. Could someone suggest the best way to do it? I am comfortable with using ldirector as the load balancer, but I am not sure how to do the check-alive for freeradius within ldirector. Any suggestion will be greatly appreciated.

Regards,
Pete
Kicking off billing script in accounting block
Hi,

I tried to execute a billing script as follows:

accounting{
    sql
    exec /etc/billing/bill
}

But, I am getting:

/usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start brace '{' after exec /home/billing/bill
Errors reading /usr/local/etc/raddb/radiusd.conf

What is wrong with my syntax? Is there any sample that I can refer to? I checked the unlang, but I could not find anything that mentions the variable that I can use to pass to the script. What I like to do is to call the script:

exec /etc/billing/bill radacctid

That way, I can know which line to process.

Thanks for any suggestion.

Regards,
Pete
Re: Deploying Freeradius in a HA environment
Don't you think that you are asking this on a wrong list. All you need to know about radius is which ports it is using.

Ivan Kalik
Kalik Informatika ISP

On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:
> Hi, I am working on deploying 2 load balancing freeradius in a HA environment. Could someone suggest the best way to do it? I am comfortable with using ldirector as the load balancer, but I am not sure how to do the check-alive for freeradius within ldirector. Any suggestion will be greatly appreciated.
>
> Regards,
> Pete
Re: aaa with external script
Hi,

> I am starting my radius in debug mode with this command: radiusd -X
> when connecting from client machine I am getting this error ...radius tell me like this.
> rad_recv: Access-Request packet from host 127.0.0.1:32768, id=237

that's not an error - that's a bit of information being printed. why do you think this is an error?

alan
Re: Kicking off billing script in accounting block
acct_users file:

DEFAULT Acct-Status-Type = Stop
        Exec-Program = "/home/billing/bill %{Acct-Session-Id}"

You can't use radacctid as that is autogenerated by the database server and is not part of the accounting request.

Ivan Kalik
Kalik Informatika ISP

On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:
> Hi,
>
> I tried to execute a billing script as follows:
>
> accounting{
>     sql
>     exec /etc/billing/bill
> }
>
> But, I am getting:
>
> /usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start brace '{' after exec /home/billing/bill
> Errors reading /usr/local/etc/raddb/radiusd.conf
>
> What is wrong with my syntax? Is there any sample that I can refer to? I checked the unlang, but I could not find anything that mentions the variable that I can use to pass to the script. What I like to do is to call the script:
>
> exec /etc/billing/bill radacctid
>
> That way, I can know which line to process.
>
> Thanks for any suggestion.
>
> Regards,
> Pete
Re: Dynamic clients from SQL.
As it seems to me:

if (%{sqlnastype: SELECT nasname FROM nas WHERE nasname = %{Packet-Src-IP-Address}}) {

misses some ':

if (%{sqlnastype: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}) {

works.

Norbert Wegener

Alan DeKok wrote:
> $ cvs update
> $ more raddb/sites-available/dynamic-clients
>
> It Just Works.
>
> You can now manage clients in an SQL table. When the server receives packets from a new client, it looks up the IP in SQL. The clients can expire (so shared secrets can be changed).
>
> When 'readclients=yes' is set in sql.conf, you only need one client entry in the configuration files. The dynamic clients can be read from anywhere... not just from SQL.
>
> The configuration needs to be tested, as the SQL example in the dynamic-clients file may not be exactly correct. But it should be relatively easy to fix.
>
> Client lookups are rate-limited, so DoS attacks won't affect the server. The lookups are done NO MORE THAN once a second after the server starts.
>
> Alan DeKok.
Re: Deploying Freeradius in a HA environment
Pete Kay wrote:
> I am working on deploying 2 load balancing freeradius in a HA environment. Could someone suggest the best way to do it? I am comfortable with using ldirector as the load balancer, but I am not sure how to do the check-alive for freeradius within ldirector. Any suggestion will be greatly appreciated.

Pete,

My recollection is that when this has been discussed in the past the consensus was that there's no advantage to running FreeRADIUS in an HA environment since RADIUS already supports redundant servers.

Regards,
Richard Siddall
Re: Dynamic clients from SQL.
Norbert Wegener wrote:
> As it seems to me:
>
> if (%{sqlnastype: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}) {
>
> works.

Fixed, thanks.

Alan DeKok.
Re: problem configuring freeradius with ldap user database
Hello Alan

Thanks a lot! I'll check this out.

Sambuddho

On Sat, 2008-06-14 at 09:22 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > I am experiencing a problem while trying to authenticate the username/password in LDAP through a freeradius server. While a regular telnet/ssh to the edge running an openLdap client / PAM module works fine (it is able to authenticate), the problem arises when trying to authenticate using the freeradius server. This is what the log message looks like:
> >
> > User-Name = try
> > User-Password = trialanderror
> > NAS-IP-Address = 127.0.0.1
> > ...
> > rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
> > rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in check items
>
> If you do NOTHING more than configure ldap in the default configuration, this should work.
>
> > modcall[authorize]: module ldap returns ok for request 0
> > modcall: group authorize returns ok for request 0
>
> You're not using 2.0, and you've edited the default configuration. DO use a recent version. DON'T edit the configuration to re-arrange the modules in the authorize section.
>
> > Here you can see that the authorization of a user 'try' having password 'trialanderror' works fine but authentication fails. The host running the freeradius server is Fedora Core 5 running linux 2.6.25.
>
> The OS doesn't matter. The version of FreeRADIUS does. It seems you're using 1.1.x. You should at LEAST upgrade to 1.1.7. Then, un-comment the references to LDAP, and configure the LDAP module. The test WILL work.
>
> Alan DeKok.
Re: problem configuring freeradius with ldap user database
> rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in check items

Are you sure that's crypt? It looks like MD5 to me.

Ivan Kalik
Kalik Informatika ISP
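Added example, not from the thread or from FreeRADIUS: how the value in that log line breaks down. The {crypt} prefix is the LDAP storage scheme, meaning the rest is a crypt(3) string, and the $1$ prefix inside that string selects the MD5-based crypt algorithm. The parser below goes beyond this one value and also recognises traditional DES crypt and the SHA-crypt ids; the function name and the returned keys are made up for the illustration.

```python
import re

# crypt(3) modular-format ids: id -> (algorithm, max salt length, hash length)
MCF = {
    "1": ("md5-crypt", 8, 22),
    "5": ("sha256-crypt", 16, 43),
    "6": ("sha512-crypt", 16, 86),
}
HASH64 = re.compile(r"[./0-9A-Za-z]+")  # alphabet used by crypt(3) output
SCHEME = re.compile(r"\{([A-Za-z0-9_-]+)\}(.*)", re.S)
MODULAR = re.compile(r"\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?([^$]*)\$([^$]+)")


def parse_user_password(value):
    """Split an LDAP userPassword value into storage scheme and algorithm."""
    out = {"scheme": None, "algorithm": "cleartext", "salt": None,
           "rounds": None, "well_formed": True}
    m = SCHEME.fullmatch(value)
    if not m:
        return out  # no {scheme} prefix: stored as typed
    out["scheme"], body = m.group(1).upper(), m.group(2)
    if out["scheme"] != "CRYPT":
        out["algorithm"] = out["scheme"].lower()  # e.g. {SSHA}, not crypt(3)
        return out
    # {CRYPT}: the body is a crypt(3) string and its prefix picks the algorithm.
    if len(body) == 13 and HASH64.fullmatch(body):
        out.update(algorithm="des-crypt", salt=body[:2])
        return out
    m = MODULAR.fullmatch(body)
    if not m or m.group(1) not in MCF:
        out.update(algorithm="unknown", well_formed=None)  # not judged here
        return out
    ident, rounds, salt, digest = m.groups()
    name, max_salt, hash_len = MCF[ident]
    out.update(
        algorithm=name,
        salt=salt,
        rounds=int(rounds) if rounds else None,
        well_formed=(len(salt) <= max_salt
                     and len(digest) == hash_len
                     and HASH64.fullmatch(digest) is not None
                     and (rounds is None or ident in ("5", "6"))),
    )
    return out


if __name__ == "__main__":
    # The value from the log line quoted above.
    print(parse_user_password("{crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK."))
```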
Re: Kicking off billing script in accounting block
Hi Ivan,

Sorry to have to ask again. I think you have explained clearly enough, but I am just too new to freeradius.

I tried modifying in /sites-enable/default:

accounting {
    detail
    radutmp
    sql
    sql_log
    DEFAULT Acct-Status-Type = Stop Exec-Program=/home/anne/bill %{Acct-Session-Id}
    attr_filter.accounting_response
}

But I am getting:

/usr/local/etc/raddb/sites-enabled/default[349]: Expecting section start brace '{' after DEFAULT Acc-Status-Type

Is this not the right place to add the code?

Thanks a lot for all your help.

Pete

2008/6/14 Ivan Kalik [EMAIL PROTECTED]:
> acct_users file:
>
> DEFAULT Acct-Status-Type = Stop
>         Exec-Program = /home/billing/bill %{Acct-Session-Id}
>
> You can't use radacctid as that is autogenerated by the database server and is not part of the accounting request.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I tried to execute a billing script as follows:
> >
> > accounting{
> >     sql
> >     exec /etc/billing/bill
> > }
> >
> > But, I am getting:
> >
> > /usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start brace '{' after exec /home/billing/bill
> > Errors reading /usr/local/etc/raddb/radiusd.conf
> >
> > What is wrong with my syntax? Is there any sample that I can refer to? I checked the unlang, but I could not find anything that mentions the variable that I can use to pass to the script. What I like to do is to call the script:
> >
> > exec /etc/billing/bill radacctid
> >
> > That way, I can know which line to process.
> >
> > Thanks for any suggestion.
> >
> > Regards,
> > Pete
Re: Kicking off billing script in accounting block
No. acct_users file.

Ivan Kalik
Kalik Informatika ISP

On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:
> Hi Ivan,
>
> Sorry to have to ask again. I think you have explained clearly enough, but I am just too new to freeradius.
>
> I tried modifying in /sites-enable/default:
>
> accounting {
>     detail
>     radutmp
>     sql
>     sql_log
>     DEFAULT Acct-Status-Type = Stop Exec-Program=/home/anne/bill %{Acct-Session-Id}
>     attr_filter.accounting_response
> }
>
> But I am getting:
>
> /usr/local/etc/raddb/sites-enabled/default[349]: Expecting section start brace '{' after DEFAULT Acc-Status-Type
>
> Is this not the right place to add the code?
>
> Thanks a lot for all your help.
>
> Pete
>
> 2008/6/14 Ivan Kalik [EMAIL PROTECTED]:
> > acct_users file:
> >
> > DEFAULT Acct-Status-Type = Stop
> >         Exec-Program = /home/billing/bill %{Acct-Session-Id}
> >
> > You can't use radacctid as that is autogenerated by the database server and is not part of the accounting request.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > On 14/6/2008, Pete Kay [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I tried to execute a billing script as follows:
> > >
> > > accounting{
> > >     sql
> > >     exec /etc/billing/bill
> > > }
> > >
> > > But, I am getting:
> > >
> > > /usr/local/etc/raddb/sites-enabled/default[350]: Expecting section start brace '{' after exec /home/billing/bill
> > > Errors reading /usr/local/etc/raddb/radiusd.conf
> > >
> > > What is wrong with my syntax? Is there any sample that I can refer to? I checked the unlang, but I could not find anything that mentions the variable that I can use to pass to the script. What I like to do is to call the script:
> > >
> > > exec /etc/billing/bill radacctid
> > >
> > > That way, I can know which line to process.
> > >
> > > Thanks for any suggestion.
> > >
> > > Regards,
> > > Pete
Re: freeradius resources
and we as users of freeradius are waiting for that. :)

2008/6/14 Alan DeKok [EMAIL PROTECTED]:
> Rogelio wrote:
> > Hi all, just started delving into RADIUS and have begun to take the plunge with FreeRADIUS. Any suggested books on the subject? I see quite a few on the subject:
>
> The O'Reilly book is good if you know absolutely nothing about RADIUS. But 1/3 is from the RFC's (paraphrased), and another 1/3 is from the FreeRADIUS documentation.
>
> The Wiley book has about 30 pages on RADIUS, the rest is about technologies that you don't use. And the RADIUS stuff is not that useful.
>
> Then, there's my book. It's at about 200 pages, and has been at that level for over a year. I'm trying to find time to either finish it, or to clean it up, and put it on the web.
>
> Alan DeKok.
Re: FreeRADIUS 2.0.5 Debian dpkg-buildpackage error
hi there.

download freeradius as a non-root user.
untar the archive.
chmod +x -R the untarred folder
cd to the folder
issue dpkg-buildpackage -b -uc as a non-root user.
then su and install the deb packages created one directory up.

2008/6/13 Giovanni Lovato [EMAIL PROTECTED]:
> # dpkg-buildpackage -b -uc
> dpkg-buildpackage: source package is freeradius
> dpkg-buildpackage: source version is 2.0.5-0
> dpkg-buildpackage: source changed by Alan DeKok [EMAIL PROTECTED]
> dpkg-buildpackage: host architecture i386
> dpkg-buildpackage: source version without epoch 2.0.5-0
> debian/rules clean
> dpatch deapply-all
> 02-dialupadmin-help not applied to ./ .
> 01-radiusd-to-freeradius not applied to ./ .
> rm -rf patch-stamp patch-stampT debian/patched
> dh_testdir
> dh_clean
> rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
> rm -f install-arch-stamp install-indep-stamp configure-stamp
> [ -f Make.inc ] make distclean || true
> # The make clean forgets to remove this build directory
> [ -d src/modules/lib ] rm -fr src/modules/lib || true
> # Put the original autotools files back in place
> [ -f config.sub.dist ] rm config.sub mv config.sub.dist config.sub || true
> [ -f config.guess.dist ] rm config.guess mv config.guess.dist config.guess || true
> debian/rules build
> test -d debian/patched || install -d debian/patched
> dpatch apply-all
> applying patch 01-radiusd-to-freeradius to ./ ... failed.
> make: *** [patch-stamp] Error 1
Re: simple web interface
vittore zen.

daloradius is ok for your needs. search for it at sourceforge.

2008/6/3 Sascha Kiefer [EMAIL PROTECTED]:
> I use daloradius
> But it sucks also. Looks nicer and a little bit easier to use.
> I'm working on my own ...
>
> Regards,
> Sascha
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vittore Zen
> Sent: Tuesday, 3 June 2008 14:26
> To: freeradius-users@lists.freeradius.org
> Subject: simple web interface
>
> Hi,
> anyone have a simple php web mysql users interface? More more more simple that dialup admin.
> The manager will do:
> 1. insert/modify a user account
> 2. give a password
> 3. setup start-end life (time) of account
> 4. setup a detail (name)
>
> Any?
>
> v.
Re: Greetings, list
Search Google.

2008/6/2 Yurkis Isaac Ortiz (R) [EMAIL PROTECTED]:
> Greetings, list.
>
> I am new and need to know how to configure my freeradius. I want to use freeradius+portslave+ppp
>
> I am using debian etch
>
> -
> Yurkis Isaac Ortiz (R)
> Network Administrator
> Oficina Territorial de Normalización Stgo de Cuba
> e_mail: [EMAIL PROTECTED]
> Linux User: 446188
> Tel: 641406, 642008, 642044 Ext 136