Re: Hmm... 2.1.0 radmin

2008-09-06 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I was about to email you about this. It loads, then it doesn't do anything
 (hangs after e.g. 'help' being typed)

  I can't help but feel at least partially responsible...

 rather than rely on knowing the radiusd.sock location, could it read the
 /etc/raddb/* config to find where it should look?  

  That can be done.  It's only a bit of work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_unix

2008-09-06 Thread Alan DeKok
Mark Jones wrote:
 Was there any particular reason to remove the ability to specify what
 passwd and shadow file to use with the unix module?  

  It didn't work on some systems, and it duplicated the functionality of
the passwd module.

 Unless I misunderstand, the unix module can be used in the authenticate
 section where the passwd module can only be used in the authorize section.

  Exactly.  The passwd module is essentially a simple database.
Databases don't do authentication.

  You're probably forcing Auth-Type to each of the individual unix
modules in 1.1.x.  In 2.x, you don't need to do this.  Just list the
various passwd modules in the authorize section, and be sure that
the pap module is listed last.  Then, the server will figure it out.

  You can even do that in 1.1.4 or later.  Just ensure that pap is
listed last in authorize, and that it's also in authenticate.  Then,
delete all of the places where you set Auth-Type to the various unix modules.

  And in 2.x, the authenticate method has been removed from the unix
module.  So don't use unix for authentication.  Use pap.

  Alan DeKok.


Re: sqlcounters for traffic

2008-09-06 Thread Alan DeKok
Alexandre Chapellon wrote:
 Here is the full debug output during the auth query/reply
...
 rlm_sqlcounter: Sent Reply-Item for user scott,
 Type=Session-Traffic-Limit, value=12694
...
 Sending Access-Accept of id 201 to 127.0.0.1 port 37792
 Session-Traffic-Limit = 

  That's the problem.  Looking at dictionary.redback,
Session-Traffic-Limit is a string.  It's not an integer counter.

  If you do really want to use Session-Traffic-Limit, you will have to
change sqlcounter to use a *different* attribute in the reply, such as
Tmp-Integer-0, which is a server-side attribute.  Then use unlang in
post-auth to copy it to Session-Traffic-Limit:

update reply {
        Session-Traffic-Limit = "%{reply:Tmp-Integer-0}"
}

  That should work.

  Alan DeKok.


Re: Windows Login

2008-09-06 Thread Alan DeKok
Kirk Wallace wrote:
 I have a fresh install of Freeradius 1.1.7build4 on my Ubuntu 8.04
 system. I used this link to do the bob test:
..
 which was successful.
 
 Then I created myself (kwallace) as a user and tested with radtest,
 again with success. Then I went to my Windows 2000 notebook with a wifi
 link through a WRT54GL and OpenWRT as a bridge, using the notebook's VPN
 connection feature and the same username and password and got Error
 691:Access was denied because the username and/or password was invalid
 on the domain. Below should be the relevant files.

  Ok...

 http://www.bumpernipple.com/freeradius-X

  And looking at that, you're not doing WiFi.  You're doing PPP.  And
the PPP server isn't sending *any* password in the request.  No PAP,
CHAP, MS-CHAP, or EAP.

  Fix the PPP/VPN server so that it sends a password.  Only then can
FreeRADIUS authenticate the user.

  Alan DeKok.
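
The check described in the reply above, as an added example that is not part of the original post: a Python scan of `radiusd -X` style request dumps that reports Access-Requests carrying no PAP, CHAP, MS-CHAP or EAP attribute. The function names and the sample log lines are constructed for illustration.

```python
import re

# Attributes that carry a credential, mapped to the method named in the
# reply above (PAP, CHAP, MS-CHAP, EAP).
CREDENTIAL_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MS-CHAP",
    "MS-CHAP2-Response": "MS-CHAP",
    "EAP-Message": "EAP",
}

# Matches both header styles: "host 10.0.0.1:1025," and "host 10.0.0.1 port 1025,".
HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+?)(?::| port )\d+, id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = ")

def credential_methods(debug_text):
    """Return [(request id, sorted credential methods)] for each Access-Request."""
    requests, current = [], None
    for line in debug_text.splitlines():
        header = HEADER.match(line)
        attr = ATTR.match(line)
        if header:
            current = None
            if header.group(1) == "Access-Request":
                current = (int(header.group(3)), set())
                requests.append(current)
        elif attr and current is not None:
            method = CREDENTIAL_ATTRS.get(attr.group(1))
            if method:
                current[1].add(method)
        elif not attr:
            current = None  # the attribute list of this packet has ended
    return [(req_id, sorted(methods)) for req_id, methods in requests]

def requests_without_credentials(debug_text):
    """Request ids the server cannot authenticate: no password of any kind."""
    return [req_id for req_id, methods in credential_methods(debug_text) if not methods]

# Constructed sample in the style of radiusd -X output (not taken from the thread).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10:1025, id=7, length=48
    User-Name = "alice"
    Service-Type = Framed-User
    Framed-Protocol = PPP
rad_recv: Access-Request packet from host 192.0.2.10:1025, id=8, length=62
    User-Name = "alice"
    User-Password = "example"
"""
```
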


Re: Window domain (win server 2k3) ----- Free-Radius ----- NAS -------Access Point )))) ((((( STA

2008-09-06 Thread Le Sang
Dear All,

I'm sorry, I forgot to attach the debug-info file.

Here is the debugging output:

[EMAIL PROTECTED] ~]# radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec 
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Instantiated exec (ntlm_auth) 
Module: Loaded PAP 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded System 
Module: Instantiated unix (unix) 
Module: Loaded eap 
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded files 
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
Module: Instantiated radutmp (radutmp) 
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.200.100:32775, id=1, length=62
    User-Name = user
    User-Password = lab4man1
    Message-Authenticator = 0x1631bbb58aed9a05ef6b72e282e28282
rad_recv: Access-Request packet from host 192.168.200.100:32775, id=1, length=62
Sending Access-Reject of id 1 to 192.168.200.100 port 32775

Can anybody help me on this behavior?

Thanks.

--- On Fri, 9/5/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: Window domain (win server 2k3) - Free-Radius - NAS 
---Access Point  ( STA
To: freeradius-users@lists.freeradius.org
Date: Friday, September 5, 2008, 1:18 PM

Can anybody please help me on this problem?


Not unless you post the debug.

Ivan Kalik
Kalik Informatika ISP


Re: Window domain (win server 2k3) ----- Free-Radius ----- NAS -------Access Point )))) ((((( STA

2008-09-06 Thread Alan DeKok
Le Sang wrote:
 Here is the debugging output:
 
 [EMAIL PROTECTED] ~]# radiusd -x

  radiusd -X.  Capital X.

  Alan DeKok.


peap without client side certificate

2008-09-06 Thread Ahmet DÜLGAR

Dear All,
Finally I run freeradius 2.0.5 + mysql + wpa in peap mode, thanks to your help.
I chose peap because the documents say peap doesn't need a client side certificate.
Still I can't understand the certificate types.
I created them with /etc/raddb/certs make.
Is there another way to build only server side certificates, or another type of
mode like peap?
 
I don't want to give my customers client certificates.
I will use freeradius in a hotel, like a hotspot, so they will need only a user
name and password.
They will see my ssid and try to log in by user name and password; they shouldn't
change any configuration or install anything else. This is my project, how can
I do it simply?
Thanks everyone,
best regards.

Re: peap without client side certificate

2008-09-06 Thread Alan DeKok
Ahmet DÜLGAR wrote:
 Finally I run freeradius 2.0.5 + mysql + wpa in peap mode, thanks to your help.
 I chose peap because the documents say peap doesn't need a client side
 certificate.

  Yes.

 Still I can't understand the certificate types.
 I created them with /etc/raddb/certs make.
 Is there another way to build only server side certificates, or another type
 of mode like peap?

  Huh?  The certificates created by the Makefile in raddb/certs can be
used by the server.  It produces a client certificate, but there's no
requirement for you to use it.

 I don't want to give my customers client certificates.

  Then don't.

 I will use freeradius in a hotel, like a hotspot, so they will need only
 a user name and password.
 They will see my ssid and try to log in by user name and password; they
 shouldn't change any configuration or install anything else. This is my
 project, how can I do it simply?

  Follow the instructions on my web site.  Don't give the clients a
certificate.  It's that easy.

  Alan DeKok.

Re: Freeradius Usage

2008-09-06 Thread Alan DeKok
Jesse Stone wrote:
 I then have to have the user login via SSH (after having them download
 Putty) so that they can change their password.  Then, I have to disallow
 them access to SSH (because they shouldn't be logging directly into the
 servers). 

  You will need to write scripts to do that.  It has nothing to do with
RADIUS.

  Alan DeKok.


Re: Freeradius Usage

2008-09-06 Thread Alan DeKok
Jesse Stone wrote:
 What do large companies that have many users/linux machines use to
 handle user administration?

  LDAP.

  And they generally don't have complicated permissions policies.
They're just too hard to maintain.

  RADIUS is mostly for dial-up or WiFi access.

  Alan DeKok.


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-06 Thread Carlos Eduardo Tavares Terra
Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of service into different virtual servers,
because each one of them has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
 Radgroupcheck table.

 Ivan Kalik
 Kalik Informatika ISP

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Carlos Eduardo Tavares Terra
 Sent: 05 September 2008 02:42
 To: freeradius-users@lists.freeradius.org
 Subject: FreeRadius2 + MySQL: NAS x Usergroup


 Dear freeradius users,

I have a special scenario. Today I have many freeradius servers, each
 one responsible for different services.

   Now I want to group these freeradius servers into one master server, but I
 have users in many different usergroups (one for each service).
   How can I associate a usergroup to a nas?
   Example:
   NAS (192.168.2.1) - Usergroup (Dialup)
   NAS (192.168.2.2) - Usergroup (Broadband)
   NAS (192.168.2.3) - Usergroup (Hotspot)

   I saw how to do this using huntgroups, but I want to use a mysql database
 with all clients.

  Are there other ways to implement these different services in one
 radius server, maybe the right way? If not, how can I associate the
 usergroups and nas using mysql?

 Thank you
 --
 Carlos Eduardo Tavares Terra
 GNU/Linux #413291 [http://counter.li.org]
 Slackware Linux



-- 
Carlos Eduardo Tavares Terra
Systems Analyst
Petróleo Brasileiro S/A
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux



Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-06 Thread tnt
No. You define virtual home servers in proxy.conf.

Ivan Kalik
Kalik Informatika ISP


On 6/9/2008, Carlos Eduardo Tavares Terra [EMAIL PROTECTED]
wrote:

Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of service into different virtual servers,
because each one of them has different modules.

Thanks



Re: Freeradius Usage

2008-09-06 Thread Jesse Stone
Thanks Alan.  I'm going to start researching LDAP.  I would like to add
authentication for wireless though via FreeRadius.  Are there any good
sites/guides on how to do this?

Does my network setup need to be like this for it to work:

Internet - Router W/ Wireless -
Nic1 of server running freeradius
Nic2 Switch that connects rest of network

-Jesse

On Sat, Sep 6, 2008 at 3:14 AM, Alan DeKok [EMAIL PROTECTED] wrote:

 Jesse Stone wrote:
  What do large companies that have many users/linux machines use to
  handle user administration?

  LDAP.

  And they generally don't have complicated permissions policies.
 They're just too hard to maintain.

  RADIUS is mostly for dial-up or WiFi access.

  Alan DeKok.

Re: Hmm... 2.1.0 radmin

2008-09-06 Thread Alan DeKok
John Horne wrote:
 Under CentOS 5.2 I'm having difficulty getting it to compile. It throws
 up errors such as 'undefined reference to `using_history''.

  Ah, the joys of different dependencies on different systems.  Why
can't we just have inter-library dependencies that work?

 It looks like the 'configure' test needs to include '-lcurses' as well
 as '-lreadline' when checking for readline. Then if the test passes set
 the libraries to include '-lreadline -lhistory -lcurses'. I did that and
 then both configure and make worked okay.

  OK.  I'll fix configure, thanks.

  Alan DeKok.


Re: Windows Login

2008-09-06 Thread Alan DeKok
Kirk Wallace wrote:
 Solved (so far). I found the PoPToP cookbook link:
...
 The dictionary file edit:
 INCLUDE /etc/radiusclient/dictionary.merit
 INCLUDE /etc/radiusclient/dictionary.microsoft
 seems to have made the difference. This bit is missing from my usual
 instructions:

  It's arguably a fairly serious bug on the part of the client software.
RADIUS clients do NOT need dictionaries.  Their functionality is
hard-coded in.

  e.g. If the client does MS-CHAP, then they know the name, number, and
properties of the MS-CHAP attributes.  Those properties shouldn't
change.  Ever.  So having the client *require* a dictionary to define
those properties is useless.

  RADIUS servers need dictionaries because new clients define all sorts
of new attributes, that the server needs to understand without code changes.

  This is described in more detail in an upcoming RADIUS RFC which has
my name on it.

  Alan DeKok.
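
The server-side role of dictionaries described in the reply above, as an added example that is not part of the original post or of FreeRADIUS: a Python decoder whose knowledge of attribute names and types comes only from dictionary text, so a new attribute is understood by adding one dictionary line rather than changing code. The dictionary lines, the attribute bytes and the `Attr-N` fallback naming are constructed for illustration.

```python
import ipaddress
import struct

# Constructed dictionary in the "ATTRIBUTE name number type" format.
BASE_DICTIONARY = """
ATTRIBUTE   User-Name       1   string
ATTRIBUTE   NAS-IP-Address  4   ipaddr
ATTRIBUTE   NAS-Port        5   integer
"""

def load_dictionary(text):
    """Map attribute number -> (name, type); '#' starts a comment."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "ATTRIBUTE":
            attrs[int(fields[2])] = (fields[1], fields[3])
    return attrs

def decode_attributes(data, dictionary):
    """Decode type/length/value attributes; unknown numbers stay raw octets."""
    decoded, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        number, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of bounds")
        value = data[pos + 2:pos + length]
        name, kind = dictionary.get(number, ("Attr-%d" % number, "octets"))
        if kind == "integer" and len(value) == 4:
            shown = struct.unpack("!I", value)[0]
        elif kind == "ipaddr" and len(value) == 4:
            shown = str(ipaddress.IPv4Address(value))
        elif kind == "string":
            shown = value.decode("utf-8", "replace")
        else:
            shown = "0x" + value.hex()
        decoded.append((name, shown))
        pos += length
    return decoded

# Constructed attribute bytes: User-Name "bob", NAS-Port 5, attribute 87 "eth0".
SAMPLE_ATTRS = bytes.fromhex("0105626f62" "050600000005" "570665746830")
```

With `BASE_DICTIONARY` the third attribute decodes as raw octets under the name `Attr-87`; appending the line `ATTRIBUTE NAS-Port-Id 87 string` to the dictionary text makes the same bytes decode as a named string.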