simultaneous-use check via sql
Hello,

I am trying to run the Simultaneous-Use parameter on freeradius 2.0.5, on which I have 2 virtual servers. There can be the same usernames on both virtual servers, so I'm not sure about how it works, but I prefer to use sql instead of the radutmp file for the simultaneous check.

Anyway, I added the following lines to the users file, as it is said in the /usr/share/doc/freeradius/Simultaneous-Use file:

    DEFAULT Simultaneous-Use := 0
            Fall-Through = 1

I made the value 0 for testing purposes.. But no success. It still authenticates the user without any sim. check parameter.

And I also wonder where the Simul.Use queries in sql.conf in the 1.1.7 version disappeared to?

My virtual server config is as follows:

    server dormnet {
        authorize {
            preprocess
            files
            sql_dormnet
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
            Auth-Type CHAP {
                chap
            }
            Auth-Type MS-CHAP {
                mschap
            }
            unix
            eap
        }
        accounting {
            unix
            radutmp
            sql_dormnet
        }
        session {
            radutmp
            sql_dormnet
        }
        post-auth {
            exec
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
    }

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: simultaneous-use check via sql
Oguzhan Kayhan wrote:
> I am trying to run Simultaneous-Use parameter on freeradius 2.0.5 which i have 2 virtual servers on. There can be same usernames on both virtual servers, so im not sure about how it works but i prefer to use sql instead of radutmp file for simultaneous check.

The same username will be treated as the same user... unless you update the SQL schema queries to make them different. e.g. keying off of virtual server, too.

> Anyway, I added the following lines to users file as it is said /usr/share/doc/freeradius/Simultaneous-Use file.
> DEFAULT Simultaneous-Use := 0

This won't work. It's pointless.

> Fall-Through = 1
> I made the value 0 for testing purposes..

Why? Why not 1, as documented? Setting it to 0 is a waste of time.

> And I also wonder where did the Simul.Use queries in sql.conf in 1.1.7 version dissapeared?

No. Go READ sql.conf. The queries got moved to another file. See the bottom few lines. This is documented...

Alan DeKok.
Re: simultaneous-use check via sql
> Oguzhan Kayhan wrote:
>> I am trying to run Simultaneous-Use parameter on freeradius 2.0.5 which i have 2 virtual servers on. There can be same usernames on both virtual servers, so im not sure about how it works but i prefer to use sql instead of radutmp file for simultaneous check.
>
> The same username will be treated as the same user... unless you update the SQL schema queries to make them different. e.g. keying off of virtual server, too.

Different virtual servers are using different sql databases, so it won't be a problem to use the same username I think (or am I wrong?)

>> Anyway, I added the following lines to users file as it is said /usr/share/doc/freeradius/Simultaneous-Use file.
>> DEFAULT Simultaneous-Use := 0
>
> This won't work. It's pointless.

In the 1.1.7 version, to test the sim-use I was using this setting, so without logging in I was able to test simultaneous-use with the radtest command. (It gives you the already logged in message as expected, even in a single connection.) If I make it 1, I need to log in permanently from a client, then I need to test.

>> Fall-Through = 1
>> I made the value 0 for testing purposes..
>
> Why? Why not 1, as documented? Setting it to 0 is a waste of time.

>> And I also wonder where did the Simul.Use queries in sql.conf in 1.1.7 version dissapeared?
>
> No. Go READ sql.conf. The queries got moved to another file. See the bottom few lines. This is documented...

Ok, I will check it..

> Alan DeKok.
Re: simultaneous-use check via sql
Oguzhan Kayhan wrote:
> Different virtual servers using different sql databases, so it wont be a problem to use same username i think (or am i wrong?)

If you do that, yes, it should work.

> In 1.1.7 version to test the sim-use i was using this setting so without loggin in i was able to test simultaneous-use with radtest command.(It gives you already logged in message as expected even in a single connection)

Hmm... that code wasn't changed in 2.0, so I'm not sure why the behavior changed.

Alan DeKok.
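
What "keying off of virtual server" changes when both virtual servers share one accounting database, as an added example that is not from the thread or from FreeRADIUS itself. The cut-down radacct table, its `virtualserver` column, the `staffnet` server name, the sample rows and the "admit while the count is below the limit" rule are all assumptions made for the illustration.

```python
import sqlite3

# Constructed, cut-down accounting table modelled on radacct. The
# virtualserver column is hypothetical: it is added here to give the
# session count something to key on besides the username.
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY,
    username      TEXT NOT NULL,
    virtualserver TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    acctstarttime TEXT NOT NULL,
    acctstoptime  TEXT            -- NULL while the session is still open
)
"""

# Constructed sample sessions. "dormnet" is the poster's virtual server;
# "staffnet" is a made-up second one. The two "alice" rows stand for two
# different people who happen to share a username.
SESSIONS = [
    ("alice", "dormnet", "10.0.0.1", "2008-08-05 09:00:00", None),
    ("alice", "staffnet", "10.0.1.1", "2008-08-04 10:00:00", "2008-08-04 11:30:00"),
    ("bob", "staffnet", "10.0.1.1", "2008-08-05 08:15:00", None),
]


def build_db():
    """Create an in-memory database holding the sample sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (username, virtualserver, nasipaddress,"
        " acctstarttime, acctstoptime) VALUES (?, ?, ?, ?, ?)",
        SESSIONS,
    )
    return conn


def open_sessions(conn, username, virtual_server=None):
    """Count sessions with no stop time, optionally scoped to one virtual server."""
    sql = "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL"
    params = [username]
    if virtual_server is not None:
        # The extra key: the same username on another virtual server
        # no longer counts against this login.
        sql += " AND virtualserver = ?"
        params.append(virtual_server)
    return conn.execute(sql, params).fetchone()[0]


def may_login(conn, username, limit, virtual_server=None):
    """Decision rule assumed for this example: admit while the count is below the limit."""
    return open_sessions(conn, username, virtual_server) < limit


if __name__ == "__main__":
    db = build_db()
    for scope in (None, "dormnet", "staffnet"):
        label = scope or "username only"
        print(label, open_sessions(db, "alice", scope), may_login(db, "alice", 1, scope))
```

Counting on username alone, the staffnet "alice" is refused because of the dormnet session; with the extra key she is admitted while the dormnet limit still holds.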
radacct insert issue.
Ok, thanks, I got the latest git .. and I get this upon compilation :|

    gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -DEAPLIB -I. -I.. -I/root/radiusd/src -DOPENSSL_NO_KRB5 -c eap_tls.c -o eap_tls.o >/dev/null 2>&1
    /usr/bin/libtool --mode=link gcc -release 2.0.6 \
        -export-dynamic -o libfreeradius-eap.la -rpath /usr/local/lib eapcommon.lo eapcrypto.lo eapsimlib.lo fips186prf.lo cb.lo eap_tls.lo mppe_keys.lo tls.lo \
        /root/radiusd/src/lib/libfreeradius-radius.la -lnsl -lresolv -lpthread
    libtool: link: `eapcommon.lo' is not a valid libtool object
    gmake[7]: *** [libfreeradius-eap.la] Error 1
    gmake[7]: Leaving directory `/root/radiusd/src/modules/rlm_eap/libeap'
    gmake[6]: *** [common] Error 2
    /usr/bin/libtool --mode=link gcc -release 2.0.6 \
        -export-dynamic -o libfreeradius-eap.la -rpath /usr/local/lib eapcommon.lo eapcrypto.lo eapsimlib.lo fips186prf.lo cb.lo eap_tls.lo mppe_keys.lo tls.lo \
        /root/radiusd/src/lib/libfreeradius-radius.la -lnsl -lresolv -lpthread
    libtool: link: `eapcommon.lo' is not a valid libtool object
    gmake[7]: *** [libfreeradius-eap.la] Error 1
    gmake[7]: Leaving directory `/root/radiusd/src/modules/rlm_eap/libeap'
    gmake[6]: *** [libeap/freeradius-eap.la] Error 2
    gmake[6]: Leaving directory `/root/radiusd/src/modules/rlm_eap'
    gmake[5]: *** [common] Error 2
    gmake[5]: Leaving directory `/root/radiusd/src/modules'
    gmake[4]: *** [all] Error 2

which isn't good .. but still regarding my initial issue .. is the rp-pppoe server sending 2 accounting requests ? :| why would he do that ?!

Thanks again for the quick answer.

Adrian.
RE: groupmembership and vlan assignment
Would it make more sense then to use a Perl program instead for the authorization and then have that program:
- verify credentials against ldap.
- do the regexp matching on the entitlement field?

Thanks,
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2008 8:27 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> Hmmm...well I was hoping for another way to assign vlans based on ldap attributes, but I don't figure on rewriting rlm_ldap.

You don't have to rewrite the whole module. Just change 100 lines in one function.

Alan DeKok.
Re: radacct insert issue.
S Adrian wrote:
> Ok, thanks, I got the latest git .. and I get this upon compilation :|
> ...
> libtool: link: `eapcommon.lo' is not a valid libtool object

It looks like you built it partly with one version of libtool, and partly with another version.

> which isn't good .. but still regarding my initial issue .. is the rp-pppoe server sending 2 accounting requests ? :| why would he do that ?!

Go ask the author. I've known him for a long time... he's at least as friendly as I am. :)

Alan DeKok.
Proxy default_fallback
Hi everybody!

I am using freeradius 2.0.5, and I have a problem with the proxy option default_fallback. My server does proxy to 3 providers and I have a default realm configured to fall back, but when home servers die the proxy sets them dead, but doesn't do the fallback.

Anyone have a suggestion?

Thanks!
Re: Proxy default_fallback
Marcelo Henique Cabral Ariza wrote:
> I am using freeradius 2.0.5, and i have a problem whith the proxy option default_fallback, my server do proxy to 3 providers and i have a default realm configured to fallback, but when home servers die the proxy set them died, but don`t do the fallback. Anyone have a sugestion?

It *should* work... as in, it worked for me the last time I tried it.

Alan DeKok.
Re: Seek through several RADIUS severs without realms
>> Unfortunately I lost the previous message of this thread, where Alan Dekok's response is presented. Anyway, the content of it was he offered to use groups membership. He also gave a specific file: rlm_passwd which should be configured in order to achieve groups membership as an indication which IAS server would respond each authentication request.
>
> No. You configure groups on the FREERADIUS server.
>
>> The thing is, though went over the help file of rlm_passwd a couple of times, I didn't see clear explanation how to configure it when working in IAS-Active Directory environment.
>
> If you're using IAS and not FreeRADIUS, don't ask questions here.
>
> If you're using FreeRADIUS as a proxy to IAS, you can configure groups on FreeRADIUS, and apply policies there.
>
> Alan DeKok.

Ronen Kfir:
I would like to use FreeRADIUS as proxy to IAS servers. The question now is how do I create those FreeRADIUS groups and how do I manage the groups membership within FreeRADIUS.
Re: Seek through several RADIUS severs without realms
Ronen Kfir wrote:
> I would like to use FreeRADIUS as proxy to IAS servers. The question now is how do I create those FreeRADIUS groups and how do I manage the groups membership within FreeRADIUS.

Read man rlm_passwd? This is documented.

Alan DeKok.
Re: How to link radiusd statically?
[EMAIL PROTECTED] wrote:
> I would like to build radiusd with all necessary libraries statically linked in. I have tried the following command
>
>     ./configure --enable-shared=no --enable-static=yes

That should work *if* you have static libraries available.

> During linking phase, there are a bunch of problems;
> 1. libperl.a is not found (that has been fixed by downloading Perl 5.8.8 and building it locally);
> 2. many undefined functions, mainly in libkrb5.a

Exactly. Your OS has not supplied static libraries.

I suggest removing the modules you don't need, as that may help. i.e. If you don't need kerberos, just rm -rf src/modules/rlm_krb5.

> Is this a way to go? Has anyone successfully built freeradius 2.0.5 with static linkage?

A number of times. Usually with various amounts of fighting the OS.

I have no idea why vendors don't supply static libraries. It's not like disk space is expensive these days.

Alan DeKok.
Re: How to link radiusd statically?
On Tue, Aug 05, 2008 at 04:40:05PM +0200, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
>> I would like to build radiusd with all necessary libraries statically linked in. I have tried the following command
>>
>>     ./configure --enable-shared=no --enable-static=yes
>
> That should work *if* you have static libraries available.
>
>> During linking phase, there are a bunch of problems;
>> 1. libperl.a is not found (that has been fixed by downloading Perl 5.8.8 and building it locally);
>> 2. many undefined functions, mainly in libkrb5.a
>
> Exactly. Your OS has not supplied static libraries.
>
> I suggest removing the modules you don't need, as that may help. i.e. If you don't need kerberos, just rm -rf src/modules/rlm_krb5.
>
>> Is this a way to go? Has anyone successfully built freeradius 2.0.5 with static linkage?
>
> A number of times. Usually with various amounts of fighting the OS.
>
> I have no idea why vendors don't supply static libraries. It's not like disk space is expensive these days.
>
> Alan DeKok.

One big benefit of dynamic libraries is the ability to update a single library and not need to recompile all the dependent software again. Also, for completely valid reasons static libraries that use similar software sub-components (zlib for example) will cause the statically linked application to segfault if the version differs. Using the dynamic libraries also allows the system to share common libraries amongst all running programs and make more efficient use of machine resources. In the worst cases, a static executable can cause a machine to swap/page where a dynamic version has no problems with the same resources. I think for a combination of these and other reasons, many vendors prefer dynamic libraries.

Good luck with your static build, as Alan states it may take some trial-and-error to get it to work. Our approach here has been to localize all of the dependent dynamic libraries within the software application directory. This simplifies the build/update process by compartmentalizing the software from the normal system libraries and makes it less susceptible to failure following an OS update.

My two cents,
Ken
Freeradius does not assign IP from main_pool
Hello all,

I want to use Freeradius to assign IP addresses to clients from main_pool. After all set up (I think), L2tp tunnel is established but user cannot get an IP from Freeradius. From the Reply message, I see no IP is replied to user.

Could anyone take a look at the debug and give me a hint?

Debug:

    radiusd: Loading Virtual Servers
    server inner-tunnel {
     modules {
     Module: Checking authenticate {...} for more modules to load
     Module: Linked to module rlm_pap
     Module: Instantiating pap
      pap {
        encryption_scheme = auto
        auto_header = no
      }
     Module: Linked to module rlm_chap
     Module: Instantiating chap
     Module: Linked to module rlm_mschap
     Module: Instantiating mschap
      mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
      }
     Module: Linked to module rlm_unix
     Module: Instantiating unix
      unix {
        radwtmp = /usr/local/var/log/radius/radwtmp
      }
     Module: Linked to module rlm_eap
     Module: Instantiating eap
      eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
      }
     Module: Linked to sub-module rlm_eap_md5
     Module: Instantiating eap-md5
     Module: Linked to sub-module rlm_eap_leap
     Module: Instantiating eap-leap
     Module: Linked to sub-module rlm_eap_gtc
     Module: Instantiating eap-gtc
      gtc {
        challenge = Password:
        auth_type = PAP
      }
    rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
    rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
    rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
     Module: Linked to sub-module rlm_eap_mschapv2
     Module: Instantiating eap-mschapv2
      mschapv2 {
        with_ntdomain_hack = no
      }
     Module: Checking authorize {...} for more modules to load
     Module: Linked to module rlm_realm
     Module: Instantiating suffix
      realm suffix {
        format = suffix
        delimiter = @
        ignore_default = no
        ignore_null = no
      }
     Module: Linked to module rlm_files
     Module: Instantiating files
      files {
        usersfile = /usr/local/etc/raddb/users
        acctusersfile = /usr/local/etc/raddb/acct_users
        preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
        compat = no
      }
    [/usr/local/etc/raddb/users]:107 WARNING! Check item Group found in reply item list for user testuser. This attribute MUST go on the first line with the other check items
    [/usr/local/etc/raddb/users]:107 WARNING! Check item Pool-Name found in reply item list for user testuser. This attribute MUST go on the first line with the other check items
     Module: Checking session {...} for more modules to load
     Module: Linked to module rlm_radutmp
     Module: Instantiating radutmp
      radutmp {
        filename = /usr/local/var/log/radius/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
      }
     Module: Checking post-proxy {...} for more modules to load
     Module: Checking post-auth {...} for more modules to load
     Module: Linked to module rlm_attr_filter
     Module: Instantiating attr_filter.access_reject
      attr_filter attr_filter.access_reject {
        attrsfile = /usr/local/etc/raddb/attrs.access_reject
        key = %{User-Name}
      }
     }
    }
    server {
     modules {
     Module: Checking authenticate {...} for more modules to load
     Module: Checking authorize {...} for more modules to load
     Module: Linked to module rlm_preprocess
     Module: Instantiating preprocess
      preprocess {
        huntgroups = /usr/local/etc/raddb/huntgroups
        hints = /usr/local/etc/raddb/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
      }
     Module: Checking preacct {...} for more modules to load
     Module: Linked to module rlm_acct_unique
     Module: Instantiating acct_unique
      acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
      }
     Module: Checking accounting {...} for more modules to load
     Module: Linked to module rlm_detail
     Module: Instantiating detail
      detail {
        detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
      }
     Module: Linked to module rlm_ippool
     Module: Instantiating main_pool
      ippool main_pool {
        session-db = /usr/local/etc/raddb/db.ippool
        ip-index = /usr/local/etc/raddb/db.ipindex
        key = %{NAS-IP-Address} %{NAS-Port}
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
Re: How to link radiusd statically?
On Tue, 2008-08-05 at 16:40 +0200, Alan DeKok wrote:
> I have no idea why vendors don't supply static libraries. It's not like disk space is expensive these days.

Many of them do supply static libraries, but they are part of a different package. At least on Red Hat-based systems, if you have a libblotto package, it only installs the dynamic libraries. If you want to link statically, then you need libblotto-devel. So you may just need some -devel packages.

The problems with statically linking have already been pretty well covered here by someone else.

--Greg
Re: question
Hello, my name is Martin and I'm from Argentina. I'm trying to configure for use with FreeRADIUS eap + tls and ldap, but recently started doing this and I am wrong in the first configurations. What I did was set a client which is an AP, and when I run radiusd -X -x it gives me this mistake even if the PATHs are ok. Could someone give me a hand please?

    Tue Aug 5 11:00:31 2008 : Error: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
    Tue Aug 5 11:00:31 2008 : Error: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem
    Tue Aug 5 11:00:31 2008 : Error: rlm_eap: Failed to initialize type tls
    Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
    Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
    Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
    Tue Aug 5 11:00:31 2008 : Debug: }
    Tue Aug 5 11:00:31 2008 : Debug: }
    Tue Aug 5 11:00:31 2008 : Error: Errors initializing modules

thanks!
Re: Freeradius does not assign IP from main_pool
Xiaochen Jing wrote:
> I want to use Freeradius to assign IP addresses to clients from main_pool. After all set up (I think), L2tp tunnel is established but user cannot get an IP from Freeradius. From the Reply message, I see no IP is replied to user.

And the debug log says why.

> Could anyone take a look at the debug and give me a hint?

You need to read the debug log, not just the Access-Accept.

And it would be good to READ the configuration for the ippool module. The comments give examples for how to configure it.

> ...
> +- entering group post-auth
> rlm_ippool: Could not find Pool-Name attribute.

Read the comments for the ippool module. Look for Pool-Name. This is documented [1].

Alan DeKok.

[1] This is becoming the new mantra.
Re: question
It seems to me like a certificate's password problem. Take a look at server.cnf, ca.cnf and clients.cnf, or read the document that came with the package on how to remove all certificates and create the 3some ( :) ) of them.

2008/8/5 Martin Silvero [EMAIL PROTECTED]:
> Hello my name is martin and I'm from Argentina. I'm trying to configure for use with FreeRADIUS eap + tls and ldap, but recently started doing this and I am wrong in the first configurations, what I did was set a cleinte which is a AP's and when I run radiusd-X -x strip me this mistake even if the PATH're ok. Can someone could give me a hand please?
>
> Tue Aug 5 11:00:31 2008 : Error: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> Tue Aug 5 11:00:31 2008 : Error: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem
> Tue Aug 5 11:00:31 2008 : Error: rlm_eap: Failed to initialize type tls
> Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
> Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
> Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
> Tue Aug 5 11:00:31 2008 : Debug: }
> Tue Aug 5 11:00:31 2008 : Debug: }
> Tue Aug 5 11:00:31 2008 : Error: Errors initializing modules
>
> thanks!
Problems with FREERADIUS configurations
Hello, I'm from Argentina and I'm configuring freeradius with eap+tls, but it gives me one error:

    Tue Aug 5 13:11:37 2008 : Error: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
    Tue Aug 5 13:11:37 2008 : Error: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem
    Tue Aug 5 13:11:37 2008 : Error: rlm_eap: Failed to initialize type tls
    Tue Aug 5 13:11:37 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
    Tue Aug 5 13:11:37 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
    Tue Aug 5 13:11:37 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
    Tue Aug 5 13:11:37 2008 : Debug: }
    Tue Aug 5 13:11:37 2008 : Debug: }
    Tue Aug 5 13:11:37 2008 : Error: Errors initializing modules

I need help please!! Many thanks!!!

--
Silvero Martin
RES: Installation problem
Alan,

Thanks for the tip. After running /sbin/ldconfig -v, I was able to execute radiusd. The only weird thing is that the daemon is not showing when I type ps aux. Even after running /usr/sbin/radiusd, nothing happens. My ps aux | grep radiusd shows only the following:

    root 25770 0.0 0.0 2112 660 pts/1 R+ 13:33 0:00 grep radiusd

I tried installing using YAST and now I get the following error:

    ns1:~ # /etc/init.d/freeradius start
    Starting RADIUS daemon startproc: exit status of parent of /usr/sbin/radiusd: 1
    failed

This error message is probably not related to freeradius, but maybe someone has seen this error before and could clue me in on how to solve it.

Thank you,
Fred Pohl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Monday, August 4, 2008 18:26
To: FreeRadius users mailing list
Subject: Re: Installation problem

Hi,

> I am rather new to freeradius and I'm having trouble running the server after installation
> I installed using: ./configure --sysconfdir=/etc

okay - and the libraries have gone into /usr/local/lib as per the stuff that spews out when you do make install

you need to ensure this is in your LDPATH

can be done eg by adding /usr/local/lib to /etc/ld.so.conf and then running /sbin/ldconfig -v

alan
Re: RES: Installation problem
Hi,

> After running /sbin/ldconfig -v , I was able to execute radiusd. The only weird thing is that the daemon is not showing when I type ps aux. Even after running /usr/sbin/radiusd, nothing happens.

yep - at this point you run radiusd -X to see whats wrong

alan
Server not responding to requests
Hi All,

I have freeradius 1.1.7 running on RHEL 5. radtest works with a local user setup, and also with authentication via Active Directory. However, anything outside the radius server host does not get a reply. I have configured a Multitech MA820 and also tried ntradping, and both get the same results - Could not receive a response from server is the message when I use ntradping, and Server did not respond in a timely manner is the response when I try to connect from the Multitech.

Is there some setting I need to check to make sure external access is enabled?

Thanks in advance ~

Cindy Yoho
Systems Engineer
United Methodist Publishing House
Nashville, TN
Re: Server not responding to requests
Hi,

> Hi All, I have freeradius 1.1.7 running on RHEL 5. radtest works with a local user setup, and also with authentication via Active Directory. However, anything outside the radius server host does not get a reply. I have configured a Multitech MA820 and also tried ntradping, and both get the same results - Could not receive a response from server is the message when I use ntradping, and Server did not respond in a timely manner is the response when I try to connect from the Multitech. Is there some setting I need to check to make sure external access is enabled?

iptables? your host is firewalled and therefore FR doesnt see the packet at all?

    tcpdump -eqntl -i eth0 port 1812

(if eth0 is your NIC) then do some stuff. do you see anything?

    iptables -L -n

are there entries? if so, ensure there are 1812/1813/1814 UDP entries too!

alan
Re: Server not responding to requests
take a look at client file. there you can specify which clients ( IP addresses ) are allowed . add the public ip of your outside clients/nas.

2008/8/5 Yoho, Cindy [EMAIL PROTECTED]:
> Hi All,
>
> I have freeradius 1.1.7 running on RHEL 5. radtest works with a local user setup, and also with authentication via Active Directory. However, anything outside the radius server host does not get a reply. I have configured a Multitech MA820 and also tried ntradping, and both get the same results - Could not receive a response from server is the message when I use ntradping, and Server did not respond in a timely manner is the response when I try to connect from the Multitech.
>
> Is there some setting I need to check to make sure external access is enabled?
>
> Thanks in advance ~
>
> Cindy Yoho
> Systems Engineer
> United Methodist Publishing House
> Nashville, TN
Re: Server not responding to requests
On Tue, 2008-08-05 at 18:17 +0100, [EMAIL PROTECTED] wrote:
> your host is firewalled and therefore FR doesnt see the packet at all?

Also, if the server host is multihomed, then the response packet may be coming from a different source IP than the original request was sent to, in which case the client may ignore it. The fix for this is to have the radius server listen on a single IP, which will cause that IP to be used as the source and avoid this problem.

tcpdump is your friend here too.

--Greg
question
regarding this settlement, and delete certificates and regenerate, but remains the same mistake:

    Tue Aug 5 15:01:28 2008 : Error: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
    Tue Aug 5 15:01:28 2008 : Error: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem
    Tue Aug 5 15:01:28 2008 : Error: rlm_eap: Failed to initialize type tls
    Tue Aug 5 15:01:28 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
    Tue Aug 5 15:01:28 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
    Tue Aug 5 15:01:28 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
    Tue Aug 5 15:01:28 2008 : Debug: }
    Tue Aug 5 15:01:28 2008 : Debug: }
    Tue Aug 5 15:01:28 2008 : Error: Errors initializing modules

> it seems to me like a certificate`s password problem. take a look at server.cnf ca.cnf and clients.cnf. or read the document that came with the package how to remove all certificates and create the 3some ( :) ) of them.
>
> 2008/8/5 Martin Silvero [EMAIL PROTECTED]:
>> Hello my name is martin and I'm from Argentina. I'm trying to configure for use with FreeRADIUS eap + tls and ldap, but recently started doing this and I am wrong in the first configurations, what I did was set a cleinte which is a AP's and when I run radiusd-X -x strip me this mistake even if the PATH're ok. Can someone could give me a hand please?
>>
>> Tue Aug 5 11:00:31 2008 : Error: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
>> Tue Aug 5 11:00:31 2008 : Error: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem
>> Tue Aug 5 11:00:31 2008 : Error: rlm_eap: Failed to initialize type tls
>> Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
>> Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
>> Tue Aug 5 11:00:31 2008 : Error: /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
>> Tue Aug 5 11:00:31 2008 : Debug: }
>> Tue Aug 5 11:00:31 2008 : Debug: }
>> Tue Aug 5 11:00:31 2008 : Error: Errors initializing modules
>>
>> thanks!

--
Silvero Martin
Radius server request from new server.
Hello,

We are trying to figure out how to do an auth from one client but not from another. Let me explain:

For our DSL clients we use a separate radius server and backup server. For everything else (dialup, news) we use other servers. Our problem comes in that we set all DSL clients on these other servers to Auth-Type := Reject for each DSL customer, unless they subscribe to discounted dialup service as well. The problem is if the DSL client wants to use the news servers, the other radius servers will not auth the client for news.

Question?? How can we direct the authentication for a news server but not the dialup servers without using separate radius servers.

Did that make any sense?

Thanks,
Ken
Does Avenda use freeradius?
Hi,

I've been looking at getting an appliance from a company called Avenda Systems (www.avendasystems.com). It's a RADIUS appliance with a nice GUI, but I think FreeRADIUS offers all the features that it does.

Does anyone have any experience of it? Or a comparison between it and FreeRADIUS? Also I think it may be FreeRADIUS underneath, does anyone know if that is the case?

thanks,
paul
How to set accounting with inner-tunnel Virtual server
Hi Alan/Ivan:

Thanks for your great work of helps/guides that makes us progress step by step. Now my question is how I can set accounting to work within inner-tunnel, as I need to use eap-ttls/pap to autho/authen users via wireless AP. In fact I read this message:

    There are no accounting requests inside of EAP-TTLS or PEAP tunnels.

but my project needs me to have accounting records and should keep them for a while. I use freeradius 2.0.5 with mysql as the accounting backend.

Thanks.

--
Andy An
Junior Programmer
Information Technology Services
Emily Carr University of Art and Design
Tel: 604-630-4556
Fax: 604-844-3801
SB Room 341