RE: Freeradius Usage

2008-09-08 Thread Parham Beheshti
Hi Jess,
Radius has nothing to do with controlling traffic,
wireless -- Network
Radius  Network
LDAP(AD)--- Network
is more like it ... accesspoint just checks if it can allow the 
user/mac/workstation with the radius server.
now if you need some sort of bandwidth controller(RAS) or your accesspoint can 
not use radius directly, you can use chillispot which has captive portal (Like 
wifi hotspots).

Wireless---Private wireless Network---Chillispot---Rest of the network

you can buy wifi accesspoints with chillispot(linksys wrt accesspoints).

To give you a scenario on how we use radius in our company:
In our company, employees access the internet through vpn (PPTP on cisco 
router) which authenticates with freeradius which, in turn, pulls the user's profile 
and authenticates them against LDAP (Active Directory) ...
Cheers,
PDB


-Original Message-
From: [EMAIL PROTECTED] on behalf of Jesse Stone
Sent: Sun 9/7/2008 2:56 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius Usage
 
Thanks Alan.  I'm going to start researching LDAP.  I would like to add
authentication for wireless though via FreeRadius.  Are there any good
sites/guides on how to do this?

Does my network setup need to be like this for it to work:

Internet - Router W/ Wireless -
Nic1 of server running freeradius
Nic2 Switch that connects rest of network

-Jesse

On Sat, Sep 6, 2008 at 3:14 AM, Alan DeKok [EMAIL PROTECTED] wrote:

> Jesse Stone wrote:
> > What do large companies that have many users/linux machines use to
> > handle user administration?
>
>   LDAP.
>
>   And they generally don't have complicated permissions policies.
> They're just too hard to maintain.
>
>   RADIUS is mostly for dial-up or WiFi access.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



Re: Freeradius not always denying invalid users

2008-09-08 Thread Chris Moss
Thanks for all the help on this. I finally just added those 2-3 users to 
the users file with REJECT. I did notice that anytime it would allow 
them to connect there was a simultaneous attempt from another user at 
the exact time. That doesn't happen very often so it must have something 
to do with those customers constantly trying to login and finally hitting 
at the same time caused some sort of bug.


Chris Moss
VCI Internet and Telephone
523 South 3rd St
Paducah, Ky 42003
Tel (270)442-0060
Fax (270)444-6734
1-800-755-1239
M-Th 8am - 8pm
Fri 8am - 7pm
Sat 9am - 4pm



Alan DeKok wrote:
> Chris Moss wrote:
> > No, cache was not enabled.
>
>   Then your OS is buggy.
>
> > Just a thought on the denying, I thought
> > maybe it just couldn't get a good result one way or the other so it
> > would just allow it.
>
>   Absolutely not.
>
> > Any other thoughts on what could be causing this
> > issue?
>
>   As I said, your OS.
>
> > Like I said this only seems to be happening on dsl customers that
> > constantly try to connect. Is there any other logs, configs, etc that
> > would be of any help? I will try to get a debug of one that doesn't
> > behave properly. Is there a way to make that debug log to the log file.
> > So far it only outputs to terminal and it's very hard to capture it
> > there, if it's in a log I should be able to get something worthwhile.
>
>   Debugging the server is a waste of time.  Your OS is buggy.
>
>   Alan DeKok.

Re: Freeradius not always denying invalid users

2008-09-08 Thread tnt
They are most likely still rejected by freeradius but your NAS lets them
in. Debug NAS and see why that is happening.

Ivan Kalik
Kalik Informatika ISP




Can't compile version 2.1.0 !

2008-09-08 Thread Jose Franco Jr
Hi, I downloaded the new version 2.1.0 but I cannot compile it. 

./configure runs fine but when I run make I got the following error:

gmake[4]: Entering directory `/usr/local/src/freeradius-server-2.1.0/src/main'
/usr/local/src/freeradius-server-2.1.0/libtool --mode=link gcc   -o radmin radmin.lo
gcc -o radmin .libs/radmin.o
.libs/radmin.o: In function `main':
/usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:117: undefined reference to `using_history'
/usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:118: undefined reference to `rl_insert'
/usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:118: undefined reference to `rl_bind_key'
/usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:176: undefined reference to `readline'
/usr/local/src/freeradius-server-2.1.0/src/main/radmin.c:185: undefined reference to `add_history'
collect2: ld returned 1 exit status
gmake[4]: *** [radmin] Error 1
gmake[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.0/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/src/freeradius-server-2.1.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/usr/local/src/freeradius-server-2.1.0'
make: *** [all] Error 2

I'm using Linux Slackware 12.1. On this same machine I have version 2.0.5 
working and compiling fine. I already tried to compile on another machine and 
got the same error.


RE: Can’t compile version 2.1.0 !

2008-09-08 Thread ST Wong (ITSC)
Hi,
 
Have to link with -lncurses, see http://bugs.freeradius.org/show_bug.cgi?id=589.
 
Hope this helps.




Re: Freeradius Usage

2008-09-08 Thread Alan DeKok
Jesse Stone wrote:
> Thanks Alan.  I'm going to start researching LDAP.  I would like to add
> authentication for wireless though via FreeRadius.  Are there any good
> sites/guides on how to do this?

  Lots.  See my site: http://deployingradius.com

  Alan DeKok.


Unknown value specified for Post-Auth-Type

2008-09-08 Thread Nataniel Klug

   Hello all,

   I am running new 2.0.5 freeradius with mysql... This is running 
fine. I am trying to configure virtual servers but this is another 
question. I am testing this new version and I found this log (using 
radiusd -X):


auth: Failed to validate the user.
  Found Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 138 to 127.0.0.1 port 44881
   Mikrotik-Rate-Limit = 100k/200k 200k/400k 80k/160k 180/180 8 60k/120k


   This only occurs when my client tries to authenticate using a wrong 
password. The Mikrotik-Rate-Limit should only be sent when a client uses 
the right calling-station-id, username and password. Does anyone know how to make 
this option not be sent when there is an error in the client password?


--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]

READ NATA'S DAY-TO-DAY
http://nataklug.blogspot.com/

Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brazil - 85301-290

... the wise, too, have a tangible heart and can, at times, use science 
as a means of showing sentimental impressions to which many do not judge them 
susceptible.
Visconde de Taunay



Re: Unknown value specified for Post-Auth-Type

2008-09-08 Thread tnt
Virtual servers included with the server *do* have post-auth type Reject
which filters out reply attributes. Copy it into yours.

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
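
Added example, not part of the original thread or of FreeRADIUS: a Python check that reads radiusd -X debug output and reports every Access-Reject that still carries reply attributes, which is the symptom in the log quoted above. The sample log is constructed from the lines in this thread; the allow-list and the function names are assumptions of this example.

```python
import re

# Attributes an Access-Reject may carry. Assumption of this example: RFC 2865
# permits only Reply-Message and Proxy-State in a reject; EAP-Message and
# Message-Authenticator are added for EAP deployments.
ALLOWED_IN_REJECT = {
    "Reply-Message", "Proxy-State", "EAP-Message", "Message-Authenticator",
}

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")
POST_AUTH_WARNING = "Unknown value specified for Post-Auth-Type"

# Constructed sample, modelled on the debug lines quoted in this thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 44881, id=138, length=69
\tUser-Name = "nataniel"
\tUser-Password = "wrong-password"
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 138 to 127.0.0.1 port 44881
\tMikrotik-Rate-Limit = "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"
Finished request 0.
rad_recv: Access-Request packet from host 127.0.0.1 port 44881, id=139, length=69
\tUser-Name = "nataniel"
\tUser-Password = "wrong-password"
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
Sending Access-Reject of id 139 to 127.0.0.1 port 44881
\tReply-Message = "Login failed"
Finished request 1.
rad_recv: Access-Request packet from host 127.0.0.1 port 44881, id=140, length=69
\tUser-Name = "nataniel"
\tUser-Password = "right-password"
Sending Access-Accept of id 140 to 127.0.0.1 port 44881
\tMikrotik-Rate-Limit = "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"
Finished request 2.
"""


def parse_replies(debug_text):
    """Return one dict per 'Sending ...' packet found in the debug output."""
    replies = []
    current = None   # reply whose attribute lines are being collected
    warned = False   # Post-Auth-Type warning seen for the current request
    for line in debug_text.splitlines():
        if line.startswith("rad_recv:"):
            # A new request starts: forget state from the previous one.
            current, warned = None, False
            continue
        if POST_AUTH_WARNING in line:
            warned = True
            continue
        sent = SEND_RE.match(line)
        if sent:
            current = {
                "code": sent.group(1),
                "id": int(sent.group(2)),
                "nas": sent.group(3),
                "attrs": {},
                "post_auth_warning": warned,
            }
            replies.append(current)
            continue
        attr = ATTR_RE.match(line) if current is not None else None
        if attr:
            current["attrs"][attr.group(1)] = attr.group(2).strip().strip('"')
        else:
            # Any other line ends the attribute list of the reply.
            current = None
    return replies


def find_leaky_rejects(debug_text):
    """List (id, nas, leaked attribute names, warning seen) for each
    Access-Reject that carries attributes outside ALLOWED_IN_REJECT."""
    findings = []
    for reply in parse_replies(debug_text):
        if reply["code"] != "Access-Reject":
            continue
        leaked = sorted(set(reply["attrs"]) - ALLOWED_IN_REJECT)
        if leaked:
            findings.append(
                (reply["id"], reply["nas"], leaked, reply["post_auth_warning"])
            )
    return findings


if __name__ == "__main__":
    for finding in find_leaky_rejects(SAMPLE_DEBUG):
        print(finding)
```

Once the virtual server has a working post-auth type Reject that filters reply attributes, as Ivan describes, the same check over new debug output should return an empty list.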


Re: Unknown value specified for Post-Auth-Type

2008-09-08 Thread Nataniel Klug

Can't understand what you mean? Copy what? Copy Where?


How to modify dialup.conf for each virtual server?

2008-09-08 Thread Nataniel Klug

   Hello again,

   Now I have the other question I told in the post before. I have some 
equipment (wireless) that authenticates the wireless client using MAC 
over my radius database. I want that in one of my virtual servers I have 
this kind of authentication. I need it to check MAC address that is, 
already, in my radcheck table. This is a common user setup in the radcheck 
table:


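+------+----------+--------------------+----+-------------------+--------+------+
| id   | UserName | Attribute          | op | Value             | numero | obs  |
+------+----------+--------------------+----+-------------------+--------+------+
| 1613 | nataniel | MD5-Password       | := | X                 | 01046  |      |
| 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046  | NULL |
+------+----------+--------------------+----+-------------------+--------+------+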

   So, MAC Address is set as Calling-Station-Id. This is ok for my 
PPPoE setup but for my access points this is not ok. I need my access 
point to verify if this MAC here is well listed and not blocked. I use 
this to block:


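+------+----------+--------------------+----+-------------------+--------+------+
| id   | UserName | Attribute          | op | Value             | numero | obs  |
+------+----------+--------------------+----+-------------------+--------+------+
| 1613 | nataniel | MD5-Password       | := | X                 | 01046  |      |
| 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046  | NULL |
| 1657 | nataniel | Auth-Type          | := | Reject            | 01046  | NULL |
+------+----------+--------------------+----+-------------------+--------+------+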

   I have to change dialup.conf to meet these options and return to my 
access point. This is a common query coming from one of my APs:


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69
   User-Name = 00:19:79:0f:98:3d
   User-Password = wireless
   NAS-IP-Address = 172.30.0.142
   NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
   rlm_realm: No '@' in User-Name = 00:19:79:0f:98:3d, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
   expand: %{User-Name} -> 00:19:79:0f:98:3d
rlm_sql (sql): sql_set_user escaped user --> '00:19:79:0f:98:3d'
rlm_sql (sql): Reserving sql socket id: 4
   expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '00:19:79:0f:98:3d'   ORDER BY id
   expand: SELECT groupname   FROM usergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM usergroup   WHERE username = '00:19:79:0f:98:3d'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User 00:19:79:0f:98:3d not found
++[sql] returns notfound
rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 1 to 172.30.0.142 port 6001
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +274
Ready to process requests.


   So, where I see WHERE username = '00:19:79:0f:98:3d'  it should be 
Attribute. But I need to be sure that this client is not rejected 
somewhere in the database.


   Can someone help me? I am not a guru of mysql but I can try some 
changes... ;)





Re: How to modify dialup.conf for each virtual server?

2008-09-08 Thread tnt
In mac authentication mac address is sent as User-Name not
Calling-Station-Id. You don't have to make any changes to dialup.conf -
just use database properly:

username: AA:AA:AA:AA:AA:AA
attribute: Auth-Type
op: :=
Value: Accept or Reject

Ivan Kalik
Kalik Informatika ISP




Re: Accounting Reporting Tools

2008-09-08 Thread orion
you can use daloradius or dialupadmin which comes with freeradius.

2008/9/3 Marinko Tarlac [EMAIL PROTECTED]:
> I made my own tool.
>
> Sturgis, Grant wrote:
>
> > Greetings List,
> >
> > I am curious what people have done to report on the RADIUS accounting
> > files.  Are there packages out there that read and report on radacct files?
> > Connections, denies attempts, etc?
> >
> > Thanks in advance,
> >
> > Grant


Re: RADIUS Administration interface

2008-09-08 Thread orion
seems a good idea.

2008/9/3 Alan DeKok [EMAIL PROTECTED]:
>   I've added a RADIUS administration interface to the latest git tree.
> It's experimental (i.e. VERY), and has little authentication or
> authorization.  Its purpose is to test the concepts, and to see if it's
> what users want.
>
>   Server configuration: raddb/sites-available/control-socket
>
>   Client: radmin
>
>   You get a prompt, and not much else.  Typing help gets you some
> information:
>
> radmin help
> hup [module] - sends a HUP signal to the server, or optionally to one module
> terminate - terminates the server, and causes it to exit
> show command - do sub-command of show
> set command - do sub-command of set
>
>   You can HUP the server, ask it to stop, see the configuration of a
> module, show the list of loaded modules.   As an interesting note, you
> can also *change* parts of the configuration of a running system.  And
> then hup *just* one module, rather than the whole server.  And then
> maybe the server crashes. :)
>
>   Don't use this in production.  Once it's a little more developed,
> we'll add features like authentication of the users on the
> administration interface.  And command authorization.
>
>   Alan DeKok.


Re: RADIUS Administration interface

2008-09-08 Thread orion
maybe you can add a debug function/sub-command so we don't have to
start the server in debug mode ( freeradius -X ) but to see the debugs
on console ( radmin  debug server ).



Re: How to modify dialup.conf for each virtual server?

2008-09-08 Thread Nataniel Klug

Ivan,

I can't use User-Name as MAC because this is being used by another 
system I run... I just need to change some settings in dialup.conf to 
meet my requirements, all said in other message.


[EMAIL PROTECTED] wrote:

> In mac authentication mac address is sent as User-Name not
> Calling-Station-Id. You don't have to make any changes to dialup.conf -
> just use database properly:
>
> username: AA:AA:AA:AA:AA:AA
> attribute: Auth-Type
> op: :=
> Value: Accept or Reject
>
> Ivan Kalik
> Kalik Informatika ISP




Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

2008-09-08 Thread Osvaldo Campos M. - Administrador Red STI
Hi people: 


First of all, sorry but my english is not good.

I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server 3000, 
FreeRadius and LDAP, to permit vpn users' access. 

When vpn users connect (with Cisco VPN Client), Radius consult to LDAP 
if user exist. If exist, then user can connect to vpn. If not, can't 
connect. This works well. 

Now, also I should assign IP addresses according to an LDAP attribute. 
For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign 
10.0.0.20/24. 

I try to assign IP addresses with ippool module and filters in the 
ldap module in FreeRadius, but it doesn't work. 

How can I work with many ippool's according to a value of LDAP 
attribute? Where should I ask for the attribute value in order to assign 
the corresponding ippool?.  Please, help me with that.



My config is something like that: 


In the radius.conf file...
ldap vpnldap1 {
   server = x.x.x.x
   identity = cn=Directory Manager
   password = **
   basedn = ou=People, dc:blah, dc=cl
   filter = ((uid=%u)(attribute=1))
   authtype = ldap
   set_asuth_type = yes
}
ldap vpnldap2 {
   server = x.x.x.x
   identity = cn=Directory Manager
   password = **
   basedn = ou=People, dc:blah, dc=cl
   filter = ((uid=%u)(attribute=2))
   authtype = ldap
   set_asuth_type = yes
}

authorize {
   files
   Autz-Type LDAPVPN1 {
      vpnldap1
   }
   Autz-Type LDAPVPN2 {
      vpnldap2
   }
}

authentication {
   Auth-Type LDAPVPN1 {
      vpnldap1
   }
   Auth-Type LDAPVPN2 {
      vpnldap2
   }
}

ippool vpnusers1 {
   range-start= 10.0.0.10
   range-stop= 10.0.0.19
   netmask= 255.255.255.0
   cache-size= 10
   session-db= ${raddbdir}/db.vpnusers1-session
   ip-index= ${raddbdir}/db.vpnusers1-index
   override= yes
}

ippool vpnusers2 {
   range-start= 10.0.0.20
   range-stop= 10.0.0.29
   netmask= 255.255.255.0
   cache-size= 10
   session-db= ${raddbdir}/db.vpnusers2-session
   ip-index= ${raddbdir}/db.vpnusers2-index
   override= yes
}

In the user file...
(I don't know how to configure this file for several ippools. I think 
that here's the problem)


DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN1, AUTZ-Type :=LDAPVPN1, Pool-Name :=vpnusers1
DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN2, AUTZ-Type :=LDAPVPN2, Pool-Name :=vpnusers2

# y.y.y.y= address of VPN Server


In the ldap.attrmap...
checkItem    vpnusers1    attribute
checkItem    vpnusers2    attribute

Please, help me with this config.

Thank you...

Osvaldo H. Campos Molina
Network Administrator
STI - Univ. de Chile



Re: How to modify dialup.conf for each virtual server?

2008-09-08 Thread tnt
Well, you don't have much say in this because NAS sends it that way:

rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1,
length=69
   User-Name = 00:19:79:0f:98:3d
   User-Password = wireless
   NAS-IP-Address = 172.30.0.142
   NAS-Port = 0

You see what is in the User-Name field? That's how mac authentication
works.

Ivan Kalik
Kalik Informatika ISP


Dana 8/9/2008, Nataniel Klug [EMAIL PROTECTED] piše:

Ivan,

I can't use User-Name as MAC becouse this is being used by another
systema I run... I just need to change some settings in dialup.conf to
meet my requirements, all said in other message.

[EMAIL PROTECTED] escreveu:
 In mac authentication mac address is sent as User-Name not
 Calling-Station-Id. You don't have to make any changes to dialup.conf -
 just use database properly:

 username: AA:AA:AA:AA:AA:AA
 attribute: Auth-Type
 op: :=
 Value: Accept or Reject

 Ivan Kalik
 Kalik Informatika ISP



Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-08 Thread Carlos Eduardo Tavares Terra
Sorry, but maybe I didn't understand how virtual servers really work.

I have one big user base. The users can be in one or more groups.

User:John - Group:dialup
User:John - Group:broadband

User:Jack - Group:dialup
User:Jack - Group: hotspot

John and Jack are in my radcheck and radusergroup tables.

Username: John              Username: Jack
Attribute: Password         Attribute: Password
Op: :=                      Op: :=
Value: crypt('test')        Value: crypt('test2')


My nas clients are in database too.

nasname: 192.168.2.2        nasname: 192.168.2.3
shortname: dialup-nas       shortname: broadband-nas
type: cisco                 type: cisco
secret: secret-password     secret: secret-password
server: dialup              server: broadband


My problem is here:

expand: %{User-Name} -> John
rlm_sql (sql): sql_set_user escaped user --> 'John'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'John'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
FROM radreply   WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'John'   ORDER BY id
expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority ->
SELECT groupname   FROM radusergroup   WHERE username
= 'John'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'dialup'   ORDER BY id
rlm_sql (sql): User found in group dialup
expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
 ORDER BY id -> SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'dialup'   ORDER BY id
rlm_sql (sql): Released sql socket id: 2


John is connecting through broadband-nas, but freeradius is getting the
dialup groupname and all its checks and replies.
Dialup and broadband have the same priority in the radusergroup table.

I wish to 'force' something like 'dialup-nas'-'dialup group',
'broadband-nas'-'broadband group'.

Maybe I'm going through the wrong way.

I have separated into different virtual servers because each type of
service has different modules implemented by me. In freeradius1 I was
using the groupreply 'Exec-Program-Wait' and different radius servers
for each service. In each server I have modified the sql queries to get
only the replies and checks for the respective groups (services).

What is the 'right' way to implement this scenario with freeradius 2?

Thank you for the help.

2008/9/6  [EMAIL PROTECTED]:
 No. You define virtual home servers in proxy.conf.

 Ivan Kalik
 Kalik Informatika ISP


 On 6/9/2008, Carlos Eduardo Tavares Terra [EMAIL PROTECTED]
 wrote:

Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of services into different virtual servers,
because each one of them has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
 Radgroupcheck table.

 Ivan Kalik
 Kalik Informatika ISP

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Carlos Eduardo Tavares Terra
 Sent: 05 September 2008 02:42
 To: freeradius-users@lists.freeradius.org
 Subject: FreeRadius2 + MySQL: NAS x Usergroup


 Dear freeradius users,

I have a special scenario. Today I have many freeradius servers, each
 one responsible for different services.

   Now I want to group these freeradius servers into one master server, but I
 have users in many different usergroups (one for each service).
   How can I associate a usergroup to a nas?
   Example:
   NAS (192.168.2.1) - Usergroup (Dialup)
   NAS (192.168.2.2) - Usergroup (Broadband)
   NAS (192.168.2.3) - Usergroup (Hotspot)

   I saw how to do this using huntgroups, but I want to use a mysql database
 with all clients.

  Are there other ways to implement these different services in one
 radius server, maybe the right way? If not, how can I associate the
 usergroups and nas using mysql?

 Thank you
 --
 Carlos Eduardo Tavares Terra
 GNU/Linux #413291 [http://counter.li.org]
 Slackware Linux
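
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python/sqlite3 model of the group lookup shown in the debug output of this message, with and without the radgroupcheck rows that the quoted reply points to. It assumes a NAS-IP-Address check item with op == for each group; the reply attributes and values are constructed, and Fall-Through and the other operators are not modelled.

```python
import sqlite3

def build_db():
    """In-memory copy of the tables named in the thread, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                                    attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT,
                                    attribute TEXT, op TEXT, value TEXT);
        -- John is in both groups with the same priority, as in the message.
        INSERT INTO radusergroup VALUES ('John', 'dialup', 1), ('John', 'broadband', 1);
        -- Reply items are constructed placeholders, one per group.
        INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
            ('dialup', 'Framed-Protocol', ':=', 'PPP'),
            ('broadband', 'Session-Timeout', ':=', '86400');
    """)
    return db

def bind_groups_to_nas(db):
    """Add one radgroupcheck row per group, tying it to its NAS from the 'nas' table."""
    db.executemany(
        "INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
        [("dialup", "NAS-IP-Address", "==", "192.168.2.2"),
         ("broadband", "NAS-IP-Address", "==", "192.168.2.3")])

def select_group(db, request):
    """Simplified model: first group (by priority) whose '==' check items all match."""
    groups = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (request["User-Name"],)).fetchall()
    for (group,) in groups:
        checks = db.execute(
            "SELECT attribute, value FROM radgroupcheck WHERE groupname = ? ORDER BY id",
            (group,)).fetchall()
        # A group with no check items matches every request, whatever NAS sent it.
        if all(request.get(attr) == val for attr, val in checks):
            reply = db.execute(
                "SELECT attribute, value FROM radgroupreply WHERE groupname = ? ORDER BY id",
                (group,)).fetchall()
            return group, reply
    return None, []

if __name__ == "__main__":
    db = build_db()
    john = {"User-Name": "John", "NAS-IP-Address": "192.168.2.3"}  # via broadband-nas
    print("no check items:", select_group(db, john))
    bind_groups_to_nas(db)
    print("with NAS check items:", select_group(db, john))
```

A request from a NAS that no group is bound to ends with no group and no reply items in this model.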



 

Dynamic Clients with FreeRADIUS

2008-09-08 Thread jasoneswan

Has anyone gotten dynamic-clients working with freeradius yet? I'm trying to
accept clients from ANY IP, then look up the IP in the sql 'nas' table to see
if it exists 


Re: Dynamic Clients with FreeRADIUS

2008-09-08 Thread Alan DeKok
jasoneswan wrote:
 Has anyone gotten dynamic-clients working with freeradius yet? I'm trying to
 accept clients from ANY IP, then looks up the IP in sql 'nas' table to see
 if it exists 

   Dynamic clients have been tested, yes.

  Can you post *specific* examples of what you're doing, why you think
that should work, and what is going wrong?

  Alan DeKok.


Re: Dynamic Clients with FreeRADIUS

2008-09-08 Thread jasoneswan



aland wrote:
 
 jasoneswan wrote:
 Has anyone gotten dynamic-clients working with freeradius yet? I'm trying
 to
 accept clients from ANY IP, then looks up the IP in sql 'nas' table to
 see
 if it exists 
 
Dynamic clients have been tested, yes.
 
   Can you post *specific* examples of what you're doing, why you think
 that should work, and what is going wrong?
 
   Alan DeKok.
 
 


Hey alan, thank you for taking the time to reply...

I'm using sites-available/dynamic-clients config...

client dynamic {
    ipaddr = 0.0.0.0
    netmask = 0
    dynamic_clients = dynamic_client_server
}

server dynamic_client_server {
    authorize {
        if (%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}) {
            update control {
                FreeRADIUS-Client-Shortname = %{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}

                FreeRADIUS-Client-Secret = %{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}

                FreeRADIUS-Client-NAS-Type = %{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}
            }

        }
        ok
    }
}



What is happening is that when a client connects, it doesn't even check the
database; it simply says unknown client

