RE: Freeradius Usage
Hi Jess,

Radius has nothing to do with controlling traffic. Something like this is more like it:

    Wireless --- Network --- Radius --- Network --- LDAP (AD) --- Network

The access point just checks with the radius server whether it can allow the user/MAC/workstation. Now, if you need some sort of bandwidth controller (RAS), or your access point cannot use radius directly, you can use ChilliSpot, which has a captive portal (like WiFi hotspots):

    Wireless --- Private wireless network --- ChilliSpot --- Rest of the network

You can buy WiFi access points with ChilliSpot (Linksys WRT access points).

To give you a scenario of how we use radius in our company: our employees access the internet through VPN (PPTP on a Cisco router), which authenticates with FreeRADIUS, which in turn pulls the user's profile and authenticates them against LDAP (Active Directory).

Cheers,
PDB

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Jesse Stone
Sent: Sun 9/7/2008 2:56 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius Usage

> Thanks Alan. I'm going to start researching LDAP. I would like to add authentication for wireless though via FreeRadius. Are there any good sites/guides on how to do this?
>
> Does my network setup need to be like this for it to work:
>
>     Internet - Router w/ Wireless - NIC1 of server running FreeRADIUS
>                                      NIC2 - Switch that connects rest of network
>
> -Jesse
>
> On Sat, Sep 6, 2008 at 3:14 AM, Alan DeKok [EMAIL PROTECTED] wrote:
>> Jesse Stone wrote:
>>> What do large companies that have many users/Linux machines use to handle user administration?
>>
>> LDAP. And they generally don't have complicated permissions policies. They're just too hard to maintain.
>>
>> RADIUS is mostly for dial-up or WiFi access.
>>
>> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius not always denying invalid users
Thanks for all the help on this. I finally just added those 2-3 users to the users file with REJECT. I did notice that any time it would allow them to connect there was a simultaneous attempt from another user at the exact same time. That doesn't happen very often, so it must have something to do with those customers constantly trying to log in and finally hitting at the same time, causing some sort of bug.

Chris Moss
VCI Internet and Telephone
523 South 3rd St, Paducah, KY 42003
Tel (270)442-0060, Fax (270)444-6734, 1-800-755-1239
M-Th 8am - 8pm, Fri 8am - 7pm, Sat 9am - 4pm

Alan DeKok wrote:
> Chris Moss wrote:
>> No, cache was not enabled.
>
> Then your OS is buggy.
>
>> Just a thought on the denying: I thought maybe it just couldn't get a good result one way or the other, so it would just allow it.
>
> Absolutely not.
>
>> Any other thoughts on what could be causing this issue?
>
> As I said, your OS.
>
>> Like I said, this only seems to be happening on DSL customers that constantly try to connect. Are there any other logs, configs, etc. that would be of any help? I will try to get a debug of one that doesn't behave properly. Is there a way to make that debug log to the log file? So far it only outputs to the terminal and it's very hard to capture it there; if it's in a log I should be able to get something worthwhile.
>
> Debugging the server is a waste of time. Your OS is buggy.
>
> Alan DeKok.
Re: Freeradius not always denying invalid users
They are most likely still rejected by FreeRADIUS, but your NAS lets them in. Debug the NAS and see why that is happening.

Ivan Kalik
Kalik Informatika ISP

On 8/9/2008, Chris Moss [EMAIL PROTECTED] wrote:
> Thanks for all the help on this. I finally just added those 2-3 users to the users file with REJECT. [...]
Can't compile version 2.1.0!
Hi,

I downloaded the new version 2.1.0 but I cannot compile it. ./configure runs fine, but when I run make I get the following error:

    gmake[4]: Entering directory `/usr/local/src/freeradius-server-2.1.0/src/main'
    /usr/local/src/freeradius-server-2.1.0/libtool --mode=link gcc -o radmin radmin.lo
    gcc -o radmin .libs/radmin.o
    .libs/radmin.o: In function `main':
    /usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:117: undefined reference to `using_history'
    /usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:118: undefined reference to `rl_insert'
    /usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:118: undefined reference to `rl_bind_key'
    /usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:176: undefined reference to `readline'
    /usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:185: undefined reference to `add_history'
    collect2: ld returned 1 exit status
    gmake[4]: *** [radmin] Error 1
    gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.0/src/main'
    gmake[3]: *** [common] Error 2
    gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.0/src'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.0/src'
    gmake[1]: *** [common] Error 2
    gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.0'
    make: *** [all] Error 2

I'm using Linux Slackware 12.1. On this same machine I have version 2.0.5 working and compiling fine. I already tried to compile on another machine and got the same error.
RE: Can't compile version 2.1.0!
Hi,

You have to link with -lncurses; see http://bugs.freeradius.org/show_bug.cgi?id=589. Hope this helps.

From: [EMAIL PROTECTED] on behalf of Jose Franco Jr
Sent: 8/9/2008 [Mon] 22:10
To: freeradius-users@lists.freeradius.org
Subject: Can't compile version 2.1.0!

> Hi,
>
> I downloaded the new version 2.1.0 but I cannot compile it. ./configure runs fine, but when I run make I get the following error:
>
>     .libs/radmin.o: In function `main':
>     /usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:117: undefined reference to `using_history'
>     [...]
>     /usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:185: undefined reference to `add_history'
>     collect2: ld returned 1 exit status
>
> I'm using Linux Slackware 12.1. On this same machine I have version 2.0.5 working and compiling fine. I already tried to compile on another machine and got the same error.
Re: Freeradius Usage
Jesse Stone wrote:
> Thanks Alan. I'm going to start researching LDAP. I would like to add authentication for wireless though via FreeRadius. Are there any good sites/guides on how to do this?

Lots. See my site: http://deployingradius.com

Alan DeKok.
Unknown value specified for Post-Auth-Type
Hello all,

I am running the new 2.0.5 FreeRADIUS with MySQL. This is running fine. I am trying to configure virtual servers, but this is another question. I am testing this new version and I found this log (using radiusd -X):

    auth: Failed to validate the user.
      Found Post-Auth-Type Reject
    WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
    Sending Access-Reject of id 138 to 127.0.0.1 port 44881
            Mikrotik-Rate-Limit = "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"

This only occurs when my client tries to authenticate using the wrong password. The Mikrotik-Rate-Limit should only be sent when a client uses the right Calling-Station-Id, username and password. Does anyone know how to make this option not be sent when there is an error in the client's password?

--
Att,
NATANIEL KLUG [EMAIL PROTECTED]
LEIA O DIA-A-DIA DO NATA http://nataklug.blogspot.com/
Cyber Nett - Internet Banda Larga, www.cnett.com.br, (42) 3635-2957
Rua Diogo Pinto, 1046, Centro, Laranjeiras do Sul - PR, Brasil - 85301-290
"... the wise too have a tangible heart and can, at times, use science as a means of showing sentimental impressions of which many do not think them capable." Visconde de Taunay
Re: Unknown value specified for Post-Auth-Type
Virtual servers included with the server *do* have a post-auth type Reject, which filters out reply attributes. Copy it into yours.

Ivan Kalik
Kalik Informatika ISP

On 8/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:
> Hello all,
>
> I am running the new 2.0.5 FreeRADIUS with MySQL. [...] This only occurs when my client tries to authenticate using the wrong password. The Mikrotik-Rate-Limit should only be sent when a client uses the right Calling-Station-Id, username and password. Does anyone know how to make this option not be sent when there is an error in the client's password?
Re: Unknown value specified for Post-Auth-Type
I can't understand what you mean. Copy what? Copy where?

[EMAIL PROTECTED] wrote:
> Virtual servers included with the server *do* have a post-auth type Reject, which filters out reply attributes. Copy it into yours.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 8/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:
>> Hello all,
>>
>> I am running the new 2.0.5 FreeRADIUS with MySQL. [...] Does anyone know how to make this option not be sent when there is an error in the client's password?

--
Att,
NATANIEL KLUG [EMAIL PROTECTED]
Cyber Nett - Internet Banda Larga, www.cnett.com.br
How to modify dialup.conf for each virtual server?
Hello again,

Now I have the other question I mentioned in the previous post. I have some equipment (wireless) that authenticates the wireless client using its MAC against my radius database. I want one of my virtual servers to have this kind of authentication. I need it to check the MAC address that is already in my radcheck table. This is a common user setup in the radcheck table:

    +------+----------+--------------------+----+-------------------+--------+------+
    | id   | UserName | Attribute          | op | Value             | numero | obs  |
    +------+----------+--------------------+----+-------------------+--------+------+
    | 1613 | nataniel | MD5-Password       | := | X                 | 01046  |      |
    | 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046  | NULL |
    +------+----------+--------------------+----+-------------------+--------+------+

So, the MAC address is set as Calling-Station-Id. This is OK for my PPPoE setup, but for my access points this is not OK. I need my access point to verify that this MAC is listed here and not blocked. I use this to block:

    +------+----------+--------------------+----+-------------------+--------+------+
    | id   | UserName | Attribute          | op | Value             | numero | obs  |
    +------+----------+--------------------+----+-------------------+--------+------+
    | 1613 | nataniel | MD5-Password       | := | X                 | 01046  |      |
    | 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046  | NULL |
    | 1657 | nataniel | Auth-Type          | := | Reject            | 01046  | NULL |
    +------+----------+--------------------+----+-------------------+--------+------+

I have to change dialup.conf to meet these options and return them to my access point. This is a common query coming from one of my APs:

    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69
            User-Name = "00:19:79:0f:98:3d"
            User-Password = "wireless"
            NAS-IP-Address = 172.30.0.142
            NAS-Port = 0
    +- entering group authorize
    ++[preprocess] returns ok
        rlm_realm: No '@' in User-Name = "00:19:79:0f:98:3d", looking up realm NULL
        rlm_realm: No such realm "NULL"
    ++[suffix] returns noop
            expand: %{User-Name} -> 00:19:79:0f:98:3d
    rlm_sql (sql): sql_set_user escaped user --> '00:19:79:0f:98:3d'
    rlm_sql (sql): Reserving sql socket id: 4
            expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:19:79:0f:98:3d' ORDER BY id
            expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = '00:19:79:0f:98:3d' ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    rlm_sql (sql): User 00:19:79:0f:98:3d not found
    ++[sql] returns notfound
    rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
      Found Post-Auth-Type Reject
    WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
    Sending Access-Reject of id 1 to 172.30.0.142 port 6001
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 1 with timestamp +274
    Ready to process requests.

So, where I see WHERE username = '00:19:79:0f:98:3d', it should be Attribute. But I need to be sure that this client is not rejected somewhere in the database. Can someone help me? I am not a guru of MySQL, but I can try some changes... ;)

--
Att,
NATANIEL KLUG [EMAIL PROTECTED]
Cyber Nett - Internet Banda Larga, www.cnett.com.br
Re: How to modify dialup.conf for each virtual server?
In MAC authentication the MAC address is sent as User-Name, not Calling-Station-Id. You don't have to make any changes to dialup.conf; just use the database properly:

    username:  AA:AA:AA:AA:AA:AA
    attribute: Auth-Type
    op:        :=
    Value:     Accept or Reject

Ivan Kalik
Kalik Informatika ISP

On 8/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:
> Hello again,
>
> Now I have the other question I mentioned in the previous post. I have some equipment (wireless) that authenticates the wireless client using its MAC against my radius database. [...]
Re: Accounting Reporting Tools
You can use daloRADIUS or dialupadmin, which comes with FreeRADIUS.

2008/9/3 Marinko Tarlac [EMAIL PROTECTED]:
> I made my own tool.
>
> Sturgis, Grant wrote:
>> Greetings List,
>>
>> I am curious what people have done to report on the RADIUS accounting files. Are there packages out there that read and report on radacct files? Connections, denied attempts, etc?
>>
>> Thanks in advance,
>> Grant
Re: RADIUS Administration interface
Seems a good idea.

2008/9/3 Alan DeKok [EMAIL PROTECTED]:
> I've added a RADIUS administration interface to the latest git tree. It's experimental (i.e. VERY), and has little authentication or authorization. Its purpose is to test the concepts, and to see if it's what users want.
>
> Server configuration: raddb/sites-available/control-socket
> Client: radmin
>
> You get a prompt, and not much else. Typing "help" gets you some information:
>
>     radmin> help
>     hup [module]    - sends a HUP signal to the server, or optionally to one module
>     terminate       - terminates the server, and causes it to exit
>     show <command>  - do sub-command of show
>     set <command>   - do sub-command of set
>
> You can HUP the server, ask it to stop, see the configuration of a module, show the list of loaded modules. As an interesting note, you can also *change* parts of the configuration of a running system. And then HUP *just* one module, rather than the whole server. And then maybe the server crashes. :)
>
> Don't use this in production.
>
> Once it's a little more developed, we'll add features like authentication of the users on the administration interface. And command authorization.
>
> Alan DeKok.
Re: RADIUS Administration interface
Maybe you can add a debug function/sub-command so we don't have to start the server in debug mode (freeradius -X) but can see the debug output on the console (radmin debug server).

2008/9/8 orion [EMAIL PROTECTED]:
> Seems a good idea.
>
> 2008/9/3 Alan DeKok [EMAIL PROTECTED]:
>> I've added a RADIUS administration interface to the latest git tree. It's experimental (i.e. VERY), and has little authentication or authorization. [...]
>>
>> Don't use this in production.
>>
>> Alan DeKok.
Re: How to modify dialup.conf for each virtual server?
Ivan,

I can't use User-Name as the MAC because this is being used by another system I run... I just need to change some settings in dialup.conf to meet my requirements, all described in the other message.

[EMAIL PROTECTED] wrote:
> In MAC authentication the MAC address is sent as User-Name, not Calling-Station-Id. You don't have to make any changes to dialup.conf; just use the database properly:
>
>     username:  AA:AA:AA:AA:AA:AA
>     attribute: Auth-Type
>     op:        :=
>     Value:     Accept or Reject
>
> Ivan Kalik
> Kalik Informatika ISP
Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
Hi people:

First of all, sorry, but my English is not good. I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server 3000, FreeRadius and LDAP, to permit VPN users' access. When VPN users connect (with Cisco VPN Client), Radius consults LDAP to see if the user exists. If it exists, then the user can connect to the VPN. If not, it can't connect. This works well.

Now, I also should assign IP addresses according to an LDAP attribute. For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign 10.0.0.20/24. I tried to assign IP addresses with the ippool module and filters in the ldap module in FreeRadius, but it doesn't work. How can I work with many ippools according to the value of an LDAP attribute? Where should I ask for the attribute value in order to assign the corresponding ippool? Please, help me with that.

My config is something like this. In the radius.conf file:

    ldap vpnldap1 {
        server = x.x.x.x
        identity = "cn=Directory Manager"
        password = **
        basedn = "ou=People, dc:blah, dc=cl"
        filter = "((uid=%u)(attribute=1))"
        authtype = ldap
        set_asuth_type = yes
    }

    ldap vpnldap2 {
        server = x.x.x.x
        identity = "cn=Directory Manager"
        password = **
        basedn = "ou=People, dc:blah, dc=cl"
        filter = "((uid=%u)(attribute=2))"
        authtype = ldap
        set_asuth_type = yes
    }

    authorize {
        files
        Autz-Type LDAPVPN1 {
            vpnldap1
        }
        Autz-Type LDAPVPN2 {
            vpnldap2
        }
    }

    authentication {
        Auth-Type LDAPVPN1 {
            vpnldap1
        }
        Auth-Type LDAPVPN2 {
            vpnldap2
        }
    }

    ippool vpnusers1 {
        range-start = 10.0.0.10
        range-stop = 10.0.0.19
        netmask = 255.255.255.0
        cache-size = 10
        session-db = ${raddbdir}/db.vpnusers1-session
        ip-index = ${raddbdir}/db.vpnusers1-index
        override = yes
    }

    ippool vpnusers2 {
        range-start = 10.0.0.20
        range-stop = 10.0.0.29
        netmask = 255.255.255.0
        cache-size = 10
        session-db = ${raddbdir}/db.vpnusers2-session
        ip-index = ${raddbdir}/db.vpnusers2-index
        override = yes
    }

In the users file (I don't know how to configure this file for several ippools; I think the problem is here):

    DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type := LDAPVPN1, AUTZ-Type := LDAPVPN1, Pool-Name := vpnusers1
    DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type := LDAPVPN2, AUTZ-Type := LDAPVPN2, Pool-Name := vpnusers2
    # y.y.y.y = address of VPN Server

In the ldap.attrmap:

    checkItem   vpnusers1   attribute
    checkItem   vpnusers2   attribute

Please, help me with this config. Thank you...

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile
Re: How to modify dialup.conf for each virtual server?
Well, you don't have much say in this, because the NAS sends it that way:

    rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69
            User-Name = "00:19:79:0f:98:3d"
            User-Password = "wireless"
            NAS-IP-Address = 172.30.0.142
            NAS-Port = 0

You see what is in the User-Name field? That's how MAC authentication works.

Ivan Kalik
Kalik Informatika ISP

On 8/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:
> Ivan,
>
> I can't use User-Name as the MAC because this is being used by another system I run... I just need to change some settings in dialup.conf to meet my requirements, all described in the other message.
>
> [EMAIL PROTECTED] wrote:
>> In MAC authentication the MAC address is sent as User-Name, not Calling-Station-Id. You don't have to make any changes to dialup.conf; just use the database properly: [...]
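As an added illustration (not code from this thread or from FreeRADIUS itself), the Python model below walks through the two behaviours argued over in this thread and in the "Unknown value specified for Post-Auth-Type" thread above: rlm_sql selects radcheck rows by User-Name only (the WHERE username = ... query visible in the debug output), so an access point that sends the MAC as User-Name finds nothing unless a row keyed on that MAC exists, which is Ivan's Auth-Type := Accept/Reject row; and a post-auth section with Post-Auth-Type REJECT { attr_filter.access_reject } strips per-user reply items such as Mikrotik-Rate-Limit out of an Access-Reject. The radcheck/radreply rows, the MD5-Password value and the reject allow-list are constructed assumptions for the example.

```python
import hashlib

# Constructed radcheck rows (username, attribute, op, value). The two
# 'nataniel' rows mirror the ones shown in the thread; the MAC row is the
# one Ivan recommends for the access point's login.
RADCHECK = [
    ("nataniel", "MD5-Password", ":=", hashlib.md5(b"secret").hexdigest()),
    ("nataniel", "Calling-Station-Id", "==", "AA:AA:AA:AA:AA:AA"),
    ("00:19:79:0f:98:3d", "Auth-Type", ":=", "Accept"),
]
# Constructed radreply row: the per-user rate limit from the debug log.
RADREPLY = [
    ("nataniel", "Mikrotik-Rate-Limit", "=",
     "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"),
]
# Attributes the stock attr_filter.access_reject lets into an Access-Reject
# (assumed subset; check raddb/attrs.access_reject on a real install).
REJECT_ALLOWED = {"Reply-Message", "EAP-Message", "Message-Authenticator",
                  "State", "Proxy-State"}


def sql_authorize(request, radcheck=RADCHECK, radreply=RADREPLY):
    """Model of rlm_sql's authorize step.

    Rows are selected by User-Name only, like the authorize_check_query in
    the debug log. '==' rows must match the request; ':=' rows set control
    items. Returns (rcode, control_items, reply_items).
    """
    user = request.get("User-Name")
    rows = [r for r in radcheck if r[0] == user]
    if not rows:
        return "notfound", {}, {}          # "User ... not found"
    control = {}
    for _, attr, op, value in rows:
        if op == "==":
            if request.get(attr) != value:
                return "notfound", {}, {}  # "No matching entry in the database"
        elif op == ":=":
            control[attr] = value
    reply = {attr: value for u, attr, _, value in radreply if u == user}
    return "ok", control, reply


def authenticate(request, control):
    """Model of the Auth-Type dispatch plus rlm_pap for an MD5-Password."""
    auth_type = control.get("Auth-Type")
    if auth_type == "Reject":
        return False
    if auth_type == "Accept":          # accept without checking a password
        return True
    if "MD5-Password" in control and "User-Password" in request:
        digest = hashlib.md5(request["User-Password"].encode()).hexdigest()
        return digest == control["MD5-Password"]
    return False   # "No authenticate method (Auth-Type) configuration found"


def post_auth(accepted, reply):
    """Model of: post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } }

    On a reject, everything the filter does not allow is dropped, so
    per-user reply items never leak into the Access-Reject."""
    if accepted:
        return reply
    return {k: v for k, v in reply.items() if k in REJECT_ALLOWED}


def process(request, radcheck=RADCHECK, radreply=RADREPLY):
    """Run one Access-Request through authorize -> authenticate -> post-auth.
    Returns (packet_type, reply_attributes)."""
    rcode, control, reply = sql_authorize(request, radcheck, radreply)
    accepted = rcode == "ok" and authenticate(request, control)
    reply = post_auth(accepted, reply)
    return ("Access-Accept" if accepted else "Access-Reject"), reply


if __name__ == "__main__":
    # PPPoE login keyed on the username, and the AP login keyed on the MAC.
    pppoe = {"User-Name": "nataniel", "User-Password": "secret",
             "Calling-Station-Id": "AA:AA:AA:AA:AA:AA"}
    ap = {"User-Name": "00:19:79:0f:98:3d", "User-Password": "wireless",
          "NAS-IP-Address": "172.30.0.142"}
    print(process(pppoe))                                   # accept + rate limit
    print(process({**pppoe, "User-Password": "wrong"}))     # reject, reply filtered
    print(process(ap))                                      # accept via Auth-Type := Accept
    print(process(ap, radcheck=RADCHECK[:2]))               # notfound -> reject
```

Removing the MAC row reproduces the "User ... not found" path from the debug log, and a wrong PPPoE password shows the Access-Reject leaving without Mikrotik-Rate-Limit once the reject filter is in place.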
Re: FreeRadius2 + MySQL: NAS x Usergroup
Sorry, but maybe I didn't understand how virtual servers really work. I have one big users base. The users can be in one or more groups:

  User: John - Group: dialup
  User: John - Group: broadband
  User: Jack - Group: dialup
  User: Jack - Group: hotspot

John and Jack are in my radcheck and radusergroup tables:

  Username: John                  Username: Jack
  Attribute: Password             Attribute: Password
  Op: :=                          Op: :=
  Value: crypt('test')            Value: crypt('test2')

My NAS clients are in the database too:

  nasname: 192.168.2.2            nasname: 192.168.2.3
  shortname: dialup-nas           shortname: broadband-nas
  type: cisco                     type: cisco
  secret: secret-password         secret: secret-password
  server: dialup                  server: broadband

My problem is here:

  expand: %{User-Name} - John
  rlm_sql (sql): sql_set_user escaped user -- 'John'
  rlm_sql (sql): Reserving sql socket id: 2
  expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John' ORDER BY id
  rlm_sql (sql): User found in radcheck table
  expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'John' ORDER BY id
  expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'John' ORDER BY priority
  expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
  rlm_sql (sql): User found in group dialup
  expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
  rlm_sql (sql): Released sql socket id: 2

John is connecting through broadband-nas, but freeradius is getting the dialup groupname and all its checks and replies. Dialup and broadband have the same priority in the radusergroup table. I wish to 'force' something like 'dialup-nas' - 'dialup group', 'broadband-nas' - 'broadband group'. Maybe I'm going the wrong way. I have separated into different virtual servers because each type of service has different modules implemented by me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and different radius servers for each service. In each server I have modified the sql queries to get only replies and checks for the respective groups (services). What is the 'right' way to implement this scenario with freeradius 2? Thank you for the help.

2008/9/6 [EMAIL PROTECTED]:

No. You define virtual home servers in proxy.conf.

Ivan Kalik
Kalik Informatika ISP

On 6/9/2008, Carlos Eduardo Tavares Terra [EMAIL PROTECTED] wrote:

Can I associate in groupcheck a groupname with a virtual server? I have separated each type of service into different virtual servers, because each one of them has different modules. Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik [EMAIL PROTECTED] wrote:

Radgroupcheck table.

Ivan Kalik
Kalik Informatika ISP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
Sent: 05 September 2008 02:42
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius2 + MySQL: NAS x Usergroup

Dear freeradius users, I have a special scenario. Today I have many freeradius servers, each one responsible for different services. Now I want to group these freeradius servers into one master server, but I have users in many different usergroups (one for each service). How can I associate a usergroup to a NAS? Example:

  NAS (192.168.2.1) - Usergroup (Dialup)
  NAS (192.168.2.2) - Usergroup (Broadband)
  NAS (192.168.2.3) - Usergroup (Hotspot)

I saw how to do this using huntgroups, but I want to use a mysql database with all clients. Are there other ways to implement these different services in one radius server, maybe the right way? If not, how can I associate the usergroups and NAS using mysql? Thank you

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dynamic Clients with FreeRADIUS
Has anyone gotten dynamic-clients working with freeradius yet? I'm trying to accept clients from ANY IP, then look up the IP in the sql 'nas' table to see if it exists.

--
View this message in context: http://www.nabble.com/Dynamic-Clients-with-FreeRADIUS-tp19384912p19384912.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Dynamic Clients with FreeRADIUS
jasoneswan wrote:
Has anyone gotten dynamic-clients working with freeradius yet? I'm trying to accept clients from ANY IP, then look up the IP in the sql 'nas' table to see if it exists.

Dynamic clients have been tested, yes. Can you post *specific* examples of what you're doing, why you think that should work, and what is going wrong?

Alan DeKok.
Re: Dynamic Clients with FreeRADIUS
aland wrote:
jasoneswan wrote:
Has anyone gotten dynamic-clients working with freeradius yet? I'm trying to accept clients from ANY IP, then look up the IP in the sql 'nas' table to see if it exists.

Dynamic clients have been tested, yes. Can you post *specific* examples of what you're doing, why you think that should work, and what is going wrong?

Alan DeKok.

Hey Alan, thank you for taking the time to reply... I'm using the sites-available/dynamic-clients config:

  client dynamic {
      ipaddr = 0.0.0.0
      netmask = 0
      dynamic_clients = dynamic_client_server
  }

  server dynamic_client_server {
      authorize {
          if (%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}) {
              update control {
                  FreeRADIUS-Client-Shortname = %{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}
                  FreeRADIUS-Client-Secret = %{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}
                  FreeRADIUS-Client-NAS-Type = %{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}
              }
          }
          ok
      }
  }

What is happening is when a client connects it doesn't even check the database, it simply says unknown client.
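The scenario shared by both threads (all NAS clients in a `nas` table, users in several groups, one master server) as an added example; this is not code from any of the posts or from FreeRADIUS itself. It is a sqlite3 stand-in for the FreeRADIUS 2 MySQL tables that shows two things: resolving a client from the `nas` table by the packet's source address, where a miss is the "unknown client" outcome, and tying each group to the NAS of its service with a NAS-IP-Address check item in radgroupcheck, the table Ivan Kalik points to, so that John arriving through broadband-nas gets the broadband group rather than whichever equal-priority group the radusergroup query returns first. The NAS addresses, secrets and reply items are constructed, and the check-item evaluation is a simplified model of rlm_sql's group walk (only `==` and `!=`, no Fall-Through), not the server's own logic.

```python
import sqlite3

# Column layouts follow the stock FreeRADIUS 2 MySQL schema, trimmed to the
# columns the default queries touch (radcheck/radreply left out for brevity).
SCHEMA = """
CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT, shortname TEXT,
                  type TEXT, secret TEXT, server TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
"""

# Constructed sample rows (addresses, secrets and reply items are made up):
# one NAS per service, two users in several groups of equal priority, and
# for every group a NAS-IP-Address check item binding it to "its" NAS.
SAMPLE_ROWS = {
    "nas": [
        ("192.168.2.2", "dialup-nas", "cisco", "dialup-secret", "dialup"),
        ("192.168.2.3", "broadband-nas", "cisco", "broadband-secret", "broadband"),
        ("192.168.2.4", "hotspot-nas", "other", "hotspot-secret", "hotspot"),
    ],
    "radusergroup": [
        ("John", "dialup", 1), ("John", "broadband", 1),
        ("Jack", "dialup", 1), ("Jack", "hotspot", 1),
    ],
    "radgroupcheck": [
        ("dialup", "NAS-IP-Address", "==", "192.168.2.2"),
        ("broadband", "NAS-IP-Address", "==", "192.168.2.3"),
        ("hotspot", "NAS-IP-Address", "==", "192.168.2.4"),
    ],
    "radgroupreply": [
        ("dialup", "Framed-Protocol", ":=", "PPP"),
        ("broadband", "Session-Timeout", ":=", "86400"),
        ("hotspot", "Session-Timeout", ":=", "3600"),
    ],
}

INSERT_COLUMNS = {
    "nas": "nasname, shortname, type, secret, server",
    "radusergroup": "username, groupname, priority",
    "radgroupcheck": "groupname, attribute, op, value",
    "radgroupreply": "groupname, attribute, op, value",
}


def build_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        cols = INSERT_COLUMNS[table]
        marks = ", ".join("?" for _ in cols.split(","))
        conn.executemany(f"INSERT INTO {table} ({cols}) VALUES ({marks})", rows)
    return conn


def resolve_client(conn, src_ip):
    """Dynamic-client lookup keyed on the packet source address (what
    %{Packet-Src-IP-Address} expands to). None is the 'unknown client'
    case: no shared secret is known for the sender, so the packet is dropped."""
    row = conn.execute(
        "SELECT shortname, secret, type, server FROM nas WHERE nasname = ?",
        (src_ip,)).fetchone()
    if row is None:
        return None
    return dict(zip(("shortname", "secret", "type", "server"), row))


def check_item_matches(op, want, have):
    """Simplified check-item comparison: only == and != are modelled."""
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    return False


def select_group(conn, username, request):
    """Walk the user's groups in priority order (the radusergroup query seen
    in the debug output) and return (groupname, reply items) for the first
    group whose radgroupcheck items all match the request, else None.
    A group with no check items matches unconditionally, which is why two
    groups of equal priority and no check items are picked arbitrarily."""
    groups = conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,)).fetchall()
    for (group,) in groups:
        checks = conn.execute(
            "SELECT attribute, op, value FROM radgroupcheck "
            "WHERE groupname = ? ORDER BY id", (group,)).fetchall()
        if all(check_item_matches(op, value, request.get(attribute))
               for attribute, op, value in checks):
            replies = conn.execute(
                "SELECT attribute, op, value FROM radgroupreply "
                "WHERE groupname = ? ORDER BY id", (group,)).fetchall()
            return group, replies
    return None


if __name__ == "__main__":
    db = build_db()
    print(resolve_client(db, "10.0.0.9"))  # None: unknown client
    print(select_group(db, "John", {"NAS-IP-Address": "192.168.2.3"}))
    print(select_group(db, "Jack", {"NAS-IP-Address": "192.168.2.3"}))
```

One point worth keeping in mind when choosing the check attribute: NAS-IP-Address is a value the NAS puts into the request itself, whereas the shared-secret binding a dynamic client gets is keyed on the address the packet actually came from, so the two can disagree if a NAS is misconfigured or relays traffic for another device; checking both in radgroupcheck is a cheap way to notice that.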