Re: Freeradius 2.0 with Activedirectory Integration Failed
Hi Ivan! Thanks so much! The problem has been resolved~ Just a bit of tweaking on samba... but overall, everything is fine... Thanks a million! Regards, Andy -- View this message in context: http://www.nabble.com/Freeradius-2.0-with-Activedirectory-Integration-Failed-tp20355701p20575360.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: again: 802.1x auto login with win login/pass
[EMAIL PROTECTED] wrote:
>> User-Name = ROUTER\\Hege
>
> Create (local) realm ROUTER { } in proxy.conf.

ok

>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = ROUTER\Hege, looking up realm NULL
>> [suffix] No such realm NULL
>> ++[suffix] returns noop
>> [eap] EAP packet type response id 3 length 6
>
> Uncomment ntdomain in authorize in inner-tunnel virtual server (it's just below suffix).

Sorry, but I don't know where the authorize section is... In radiusd.conf it says that in version 2.0.0.0 the authorize section is in a separate config file. It's ok, but I can't find this file.

> If doesn't work, enable with-ntdomain-hack in mschap module.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: attribute filter
> You say attr.filter is not working (and provide no debug) for you. Use unlang instead. Read man unlang and see what is -= for.

Ok. But in which section of radiusd.conf or sites-available/file should I use unlang? In post-proxy section? Shall I use switch again to the corresponding realms?

man unlang says:

    -=  Remove all matching attributes from the list

I don't want to remove attributes, but to filter some attributes (Tunnel-Private-Group-id) which must have 2 possible values: VLAN1 or VLAN2 for a given realm.

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4
tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39

Re: unlang?
Back in January Alan DeKok kindly helped me out with some config I needed, see below. I have only just got back to reviewing RADIUS as I have been involved in loads of other projects... and now can't get this working! Typical...

On Fri, 2008-01-18 at 16:23 +0100, Alan DeKok wrote:
> authorize {
>     ...
>     if (%{User-Name} =~ /special/i) {
>         update reply {
>             Reply-Message = Cannot use this user account
>             reject
>         }
>     }
>     ...

I added this to the authorize section of my config in sites-available/local-auth, a file defining my policies for local users on our wireless etc., and got the errors:

    ERROR: Unknown attribute reject
    Failed to parse update subsection..

Can't fathom that as it seems perfectly OK to me having read the unlang man page.

I am using version 2.0.2. Any ideas?

--
Barry Dean
Networks Team
Computing Services Department
Web: http://pcwww.liv.ac.uk/~bvd/
---
Nice boy, but about as sharp as a sack of wet mice.
  -- Foghorn Leghorn

Re: unlang?
Works of course! First class idiot for not spotting this... My head is full of DHCP configs and I am not thinking RADIUS!

On Wed, 2008-11-19 at 11:20 +, Phil Mayers wrote:
> Barry Dean wrote:
>> Back in January Alan DeKok kindly helped me out with some config I needed, see below. I have only just got back to reviewing RADIUS as I have been involved in loads of other projects... and now can't get this working! Typical...
>>
>> On Fri, 2008-01-18 at 16:23 +0100, Alan DeKok wrote:
>>> authorize {
>>>     ...
>>>     if (%{User-Name} =~ /special/i) {
>>>         update reply {
>>>             Reply-Message = Cannot use this user account
>>>             reject
>>>         }
>>>     }
>>>     ...
>>
>> I added this to the authorize section of my config in sites-available/local-auth, a file defining my policies for local users on our wireless etc., and got the errors:
>>
>>     ERROR: Unknown attribute reject
>>     Failed to parse update subsection..
>>
>> Can't fathom that as it seems perfectly OK to me having read the unlang man page.
>
>     The only contents permitted in an update section are attributes and values
>
> ...from man unlang
>
> Move the reject to outside the update section (but inside the if)
>
>> I am using version 2.0.2. Any ideas?

--
Barry Dean
Networks Team
Computing Services Department
Tel: 45641, Web: http://pcwww.liv.ac.uk/~bvd/
---
Nice boy, but about as sharp as a sack of wet mice.
  -- Foghorn Leghorn

Re: unlang?
Barry Dean wrote:
> Back in January Alan DeKok kindly helped me out with some config I needed, see below. I have only just got back to reviewing RADIUS as I have been involved in loads of other projects... and now can't get this working! Typical...
>
> On Fri, 2008-01-18 at 16:23 +0100, Alan DeKok wrote:
>> authorize {
>>     ...
>>     if (%{User-Name} =~ /special/i) {
>>         update reply {
>>             Reply-Message = Cannot use this user account
>>             reject
>>         }
>>     }
>>     ...
>
> I added this to the authorize section of my config in sites-available/local-auth, a file defining my policies for local users on our wireless etc., and got the errors:
>
>     ERROR: Unknown attribute reject
>     Failed to parse update subsection..
>
> Can't fathom that as it seems perfectly OK to me having read the unlang man page.

    The only contents permitted in an update section are attributes and values

...from man unlang

Move the reject to outside the update section (but inside the if)

> I am using version 2.0.2. Any ideas?

Re: Help needed --- urgent
> I'm new to freeradius and i want to configure and test my server... I have installed server from cvs now when i run radiusd -X its output is like this:
>
> FreeRADIUS Version 2.0.6, for host i686-pc-linux-gnu, built on Nov 19 2008 at 17:00:09
> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including configuration file /usr/local/etc/raddb/snmp.conf
> including configuration file /usr/local/etc/raddb/jradius.conf
> including configuration file /usr/local/etc/raddb/eap.conf
> including configuration file /usr/local/etc/raddb/sql.conf
> including dictionary file /usr/local/etc/raddb/dictionary

That looks very wrong - no mention of modules or virtual servers.

> /usr/local/etc/raddb/jradius.conf[2]: Invalid version in module 'rlm_jradius'
> /usr/local/etc/raddb/radiusd.conf[1868]: Failed to find module jradius.
> /usr/local/etc/raddb/radiusd.conf[1776]: Errors parsing authorize section.
>  }
> }
> Errors initializing modules
>
> Can anyone please help me... why im getting error ... how can i fix this.

If you don't use jradius delete jradius.conf and $include in radiusd.conf. You should really get the stable version from git.

Ivan Kalik
Kalik Informatika ISP

Help needed --- urgent
Hi all,

I'm new to freeradius and i want to configure and test my server... I have installed server from cvs now when i run radiusd -X its output is like this:

FreeRADIUS Version 2.0.6, for host i686-pc-linux-gnu, built on Nov 19 2008 at 17:00:09
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/jradius.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including dictionary file /usr/local/etc/raddb/dictionary
main {
    prefix = /usr/local
    localstatedir = /usr/local/var
    logdir = /usr/local/var/log/radius
    libdir = /usr/local/lib
    radacctdir = /usr/local/var/log/radius/radacct
    hostname_lookups = no
. . . .
Module: Linked to module rlm_realm
Module: Instantiating suffix
  realm suffix {
    format = suffix
    delimiter = @
    ignore_default = no
    ignore_null = no
  }
Module: Linked to module rlm_files
Module: Instantiating files
  files {
    usersfile = /usr/local/etc/raddb/users
    acctusersfile = /usr/local/etc/raddb/acct_users
    preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    compat = no
  }
/usr/local/etc/raddb/jradius.conf[2]: Invalid version in module 'rlm_jradius'
/usr/local/etc/raddb/radiusd.conf[1868]: Failed to find module jradius.
/usr/local/etc/raddb/radiusd.conf[1776]: Errors parsing authorize section.
 }
}
Errors initializing modules

Can anyone please help me... why im getting error ... how can i fix this.

Regards,
Saeed Akhtar

Re: again: 802.1x auto login with win login/pass
[EMAIL PROTECTED] wrote:
>> User-Name = ROUTER\\Hege
>
> Create (local) realm ROUTER { } in proxy.conf.
>
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = ROUTER\Hege, looking up realm NULL
>> [suffix] No such realm NULL
>> ++[suffix] returns noop
>> [eap] EAP packet type response id 3 length 6
>
> Uncomment ntdomain in authorize in inner-tunnel virtual server (it's just below suffix).
>
> If doesn't work, enable with-ntdomain-hack in mschap module.
>
> Ivan Kalik
> Kalik Informatika ISP

Thank you, it works fine with these options

gl
GH

Re: unlang?
Phil Mayers wrote:
> Barry Dean wrote:
>> Back in January Alan DeKok kindly helped me out with some config I needed, see below. I have only just got back to reviewing RADIUS as I have been involved in loads of other projects... and now can't get this working! Typical...
>>
>> On Fri, 2008-01-18 at 16:23 +0100, Alan DeKok wrote:
>>> authorize {
>>>     ...
>>>     if (%{User-Name} =~ /special/i) {
>>>         update reply {
>>>             Reply-Message = Cannot use this user account
>>>             reject
>>>         }
>>>     }
>>>     ...
>>
>> I added this to the authorize section of my config in sites-available/local-auth, a file defining my policies for local users on our wireless etc., and got the errors:
>>
>>     ERROR: Unknown attribute reject
>>     Failed to parse update subsection..
>>
>> Can't fathom that as it seems perfectly OK to me having read the unlang man page.
>
>     The only contents permitted in an update section are attributes and values

That should read attribute value pairs ... and reject in the context that you're using it is not a value or an attribute, it's a module call.

> ...from man unlang
>
> Move the reject to outside the update section (but inside the if)

What you're doing when you list reject, is calling an instance of the 'always' module, which returns reject as its return code. This percolates back up to the authorize stanza (reject has priority over most other return codes, unless you explicitly set it to be otherwise).

authorize { } returns reject so server rejects the request...

---

I think you can achieve the same thing with:

    update control {
        Auth-Type := 'reject'
    }

If you were really set on using update...

In much the same way as you can do

    update control {
        Auth-Type := 'accept'
    }

Regards,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

Re: Help needed --- urgent
Thanks Ivan... I was not using jradius... and now it works, thanks a lot

Regards,
Saeed Akhtar

On Wed, Nov 19, 2008 at 6:35 PM, [EMAIL PROTECTED] wrote:
>> I'm new to freeradius and i want to configure and test my server... I have installed server from cvs now when i run radiusd -X its output is like this:
>>
>> FreeRADIUS Version 2.0.6, for host i686-pc-linux-gnu, built on Nov 19 2008 at 17:00:09
>> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
>> Starting - reading configuration files ...
>> including configuration file /usr/local/etc/raddb/radiusd.conf
>> including configuration file /usr/local/etc/raddb/proxy.conf
>> including configuration file /usr/local/etc/raddb/clients.conf
>> including configuration file /usr/local/etc/raddb/snmp.conf
>> including configuration file /usr/local/etc/raddb/jradius.conf
>> including configuration file /usr/local/etc/raddb/eap.conf
>> including configuration file /usr/local/etc/raddb/sql.conf
>> including dictionary file /usr/local/etc/raddb/dictionary
>
> That looks very wrong - no mention of modules or virtual servers.
>
>> /usr/local/etc/raddb/jradius.conf[2]: Invalid version in module 'rlm_jradius'
>> /usr/local/etc/raddb/radiusd.conf[1868]: Failed to find module jradius.
>> /usr/local/etc/raddb/radiusd.conf[1776]: Errors parsing authorize section.
>>  }
>> }
>> Errors initializing modules
>>
>> Can anyone please help me... why im getting error ... how can i fix this.
>
> If you don't use jradius delete jradius.conf and $include in radiusd.conf. You should really get the stable version from git.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: attribute filter
> Ok. But in which section of radiusd.conf or sites-available/file should I use unlang ? in post-proxy section ?

Yes, just like attribute filter.

> Shall i use switch again to the corresponding realms ?
>
> man unlang says:
>
>     -=  Remove all matching attributes from the list
>
> I don't want to remove attributes, but to filter some attributes (Tunnel-Private-Group-id) which must have 2 possible values: VLAN1 or VLAN2 for a given realm.

Can you first post the debug and explain what did you expect to happen but didn't (or what you didn't expect to happen but did). If it is multiple values for same attribute over multiple realms you are better off with attribute filter.

Ivan Kalik
Kalik informatika ISP

Re: ssh cleartext-password ? INCORRECT ([EMAIL PROTECTED])
>> And the matching shared secret for the server and pam_radius_auth.conf
>> ..
>> Using 'ssh [EMAIL PROTECTED]' password: testing
>> rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83
>>     User-Name = steve
>>     User-Password = \010\n\r\177INCORRECT
>> ..
>> WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS!
>
> Obviously, shared secrets don't match.
>
> Ivan Kalik
> Kalik Informatika ISP

I don't think that this is the case, here's why. radiusd -X produces

    ..
    home_server localhost {
        ipaddr=127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = status-server
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
    }
    ..

and here is my /etc/pam_radius_auth.conf (I've tried space / tab delimited)

    # server[:port] shared_secret timeout (s)
    127.0.0.1 testing123 2
    localhost testing123 1

So they are identical from what I can see. Also keep in mind that radtest works using the secret; testing123.

Sorry if I'm missing the point. Thanks for your help so far.

David Ly
-Soma Networks

Re: ssh cleartext-password ? INCORRECT ([EMAIL PROTECTED])
> and here is my /etc/pam_radius_auth.conf (i've tried space / tab delimited )
>
>     # server[:port] shared_secret timeout (s)
>     127.0.0.1 testing123 2
>     localhost testing123 1
>
> So they are identical from what i can see. Also keep in mind that radtest works using the secret; testing123.
>
> Sorry if I'm missing the point. Thanks for your help so far.

Default localhost secret is testing123. And radtest confirms that. Something is wrong with the pam shared secret. Are you modifying the correct .conf file (should be in /etc/raddb/server)? Default password in pam_radius_auth.conf for localhost is secret.

Ivan Kalik
Kalik Informatika ISP

Re: ssh cleartext-password ? INCORRECT
David Ly wrote:
> Here is the relevant part of the log from radiusd -X
> Using 'radtest steve testing localhost 10 testing123'

You've done some *very* weird editing or reformatting of the log. That makes it more difficult to understand.

> Using 'ssh [EMAIL PROTECTED]' password: testing
> rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83
>     User-Name = steve
>     User-Password = \010\n\r\177INCORRECT

Ah, yes. That's a PAM feature, I think. Or maybe SSH. It replaces the password the user entered with that string. Why? Damned if I know.

I'd suggest asking the PAM people how to configure the system so that it doesn't mangle the password.

In any case, this is what the RADIUS server receives, so there is *nothing* you can do to the RADIUS server to solve the problem.

And the PAM RADIUS module doesn't do this stupid rewriting. So there's nothing you can do to that module, either.

Alan DeKok.

ldap (sambaNtPassword) + peap-mschapV2 + freeradius : step by step question
Hello,

I am trying to add a Wifi AP (aironet 1250). I am trying to use PEAP/MSCHAPV2 and SAMBA SambaNTpassword (LDAP Back-end). I read a lot of the questions about the subject on the ML and cannot figure out all the steps. So here are all the steps I did:

On the AP: I configured our radius server as the server manager. I think it is ok because the radius SRV receives requests from it.

For the AP I added an entry in clients.conf:

    client 192.168.4.8 {
        ipaddr = 192.168.4.8
        shortname = wifi01
        secret = mypassword
    }

I edited the /modules/ldap:

    ldap {
        server = localhost
        identity = cn=manager,dc=lan,dc=lexum,dc=pri
        password = manager_password
        basedn = dc=lan,dc=lexum,dc=pri
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        base_filter = (objectclass=sambaSamAccount)
        password_attribute = NT-Password

I edited the ldap.attrmap (to map NT-Password to sambaNtPassword):

    #checkItem LM-Password lmPassword
    #checkItem NT-Password ntPassword
    checkItem LM-Password sambaLmPassword
    checkItem NT-Password sambaNtPassword

I DID NOT touch radiusd.conf
I DID NOT touch /etc/raddb/sites-enabled/default

I know that I need to enable ldap somewhere but ... where :D

I will not post the result of -X because I know I need other config.

Regards,
FM

How to filter accountings based on the value of a VSA attribute
Dear FreeRADIUS users,

We configured FreeRADIUS to send accounting to 2 different servers, but for one of them I want to send only the accountings that have a VSA attribute equal to a given value. Does anyone know how to do this configuration?

Thanks in advance.

Regards,
Cristina Miyata

Re: How to filter accountings based on the value of a VSA attribute
Having more details about your conf would help but anyway unlang can do this (man unlang).

    if (attribute == value) {
        update control {
            Proxy-To-Realm := realm
        }
    }

P.S: this cannot be done in proxy.conf file.

On 19.11.2008 08:55, cris miyata wrote:
> Dear FreeRADIUS users,
>
> We configured FreeRADIUS to send accounting to 2 different servers, but for one of them I want to send only the accountings that have a VSA attribute equal to a given value. Does anyone know how to do this configuration?
>
> Thanks in advance.
>
> Regards,
> Cristina Miyata

configure error
Hi all,

I downloaded version 2.1 from http://freeradius.org/download.html . When configuring ( ./configure) I got several errors in config.log. I pasted part of the log below. This is a RedHat ES5, 64 bits.

Basically the errors are

    configure:21137: gcc -o conftest -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS conftest.c -lnsl -lresolv -lpthread -ledit -ltermcap 5
    /usr/bin/ld: cannot find -ledit

and

    conftest.c:8:28: error: ac_nonexistent.h: No such file or directory
    configure:3318: $? = 1
    configure: failed program was:
    | /* confdefs.h. */
    | #define PACKAGE_NAME
    | #define PACKAGE_TARNAME

and

    configure:4488: gcc -c -g -O2 conftest.c 5
    conftest.c: In function 'main':
    conftest.c:25: error: 'not' undeclared (first use in this function)
    conftest.c:25: error: (Each undeclared identifier is reported only once
    conftest.c:25: error: for each function it appears in.)
    conftest.c:25: error: expected ';' before 'big'
    configure:4494: $? = 1

Anybody can help

thanks
Olavo

Parts of log below

    uname -m = x86_64
    uname -r = 2.6.18-92.el5
    uname -s = Linux
    uname -v = #1 SMP Tue Apr 29 13:16:15 EDT 2008
    /usr/bin/uname -p = unknown
    /bin/uname -X = unknown
    /bin/arch = x86_64

Re: How to filter accountings based on the value of a VSA attribute
Thanks a lot Alexandre! It worked perfectly!

Cheers,
Cristina Miyata

-[ Received Mail Content ]--
Subject : Re: How to filter accountings based on the value of a VSA attribute
Date : Wed, 19 Nov 2008 09:31:08 -1000
From : Alexandre Chapellon [EMAIL PROTECTED]
To : FreeRadius users mailing list freeradius-users@lists.freeradius.org

Having more details about your conf would help but anyway unlang can do this (man unlang).

    if (attribute == value) {
        update control {
            Proxy-To-Realm := realm
        }
    }

P.S: this cannot be done in proxy.conf file.

On 19.11.2008 08:55, cris miyata wrote:
> Dear FreeRADIUS users,
>
> We configured FreeRADIUS to send accounting to 2 different servers, but for one of them I want to send only the accountings that have a VSA attribute equal to a given value. Does anyone know how to do this configuration?
>
> Thanks in advance.
>
> Regards,
> Cristina Miyata

Re: ssh cleartext-password ? INCORRECT (Alan DeKok)
> --
> Message: 4
> Date: Wed, 19 Nov 2008 10:49:06 -0600
> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: ssh cleartext-password ? INCORRECT
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-1
>
> David Ly wrote:
>> Here is the relevant part of the log from radiusd -X
>> Using 'radtest steve testing localhost 10 testing123'
>
> You've done some *very* weird editing or reformatting of the log. That makes it more difficult to understand.
>
>> Using 'ssh [EMAIL PROTECTED]' password: testing
>> rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83
>>     User-Name = steve
>>     User-Password = \010\n\r\177INCORRECT
>
> Ah, yes. That's a PAM feature, I think. Or maybe SSH. It replaces the password the user entered with that string. Why? Damned if I know.
>
> I'd suggest asking the PAM people how to configure the system so that it doesn't mangle the password.
>
> In any case, this is what the RADIUS server receives, so there is *nothing* you can do to the RADIUS server to solve the problem.
>
> And the PAM RADIUS module doesn't do this stupid rewriting. So there's nothing you can do to that module, either.
>
> Alan DeKok.

I managed to find the problem, as you said, it WASN'T the server but rather the PAM module that was causing this. It required a local user account (set with a blank password). As to why it needs that, I have no idea, but that's that.

Thanks for the help, and I hope that others who come across this can avoid the grueling two days of troubleshooting and tinkering.

Once again thanks to all.

Cheers
David Ly

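Added example, not part of any message in this thread: a Python implementation of RADIUS User-Password hiding (RFC 2865, section 5.2) with a small triage helper for the symptom discussed above. The placeholder bytes and the secrets `testing123` and `secret` are taken from the thread; the Request Authenticator, the function names and the printable-ASCII heuristic are assumptions made for the example.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and a triage helper.

Added example with constructed inputs; not FreeRADIUS or pam_radius_auth code.
"""
import hashlib

# Bytes shown in the thread's debug output: \010 \n \r \177 INCORRECT.
# OpenSSH's PAM code sends this fixed string instead of the typed password
# when the login name is not a valid local account.
SSHD_PLACEHOLDER = b"\x08\n\r\x7fINCORRECT"


def _pad(secret: bytes, prev: bytes) -> bytes:
    """MD5(secret + previous block): the 16-byte pad XORed onto a block."""
    return hashlib.md5(secret + prev).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What a RADIUS client places in the User-Password attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _pad(secret, prev))
        hidden += block
        prev = block  # the next pad is keyed on this ciphertext block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers using *its* copy of the shared secret."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, _pad(secret, prev))
        prev = block
    return clear.rstrip(b"\x00")


def triage(hidden: bytes, server_secret: bytes, authenticator: bytes) -> str:
    """Classify a decoded password the way an operator reading -X output would.

    Heuristic (assumption): any byte outside printable ASCII counts as
    unprintable, so a legitimate non-ASCII password would also be flagged.
    """
    clear = reveal_password(hidden, server_secret, authenticator)
    if clear == SSHD_PLACEHOLDER:
        # Decoded intact, so the secrets match; sshd replaced the password.
        return "sshd-placeholder"
    if any(b < 0x20 or b > 0x7E for b in clear):
        return "secret-mismatch-likely"
    return "plausible-password"


def demo() -> dict:
    ra = bytes(range(16))           # constructed Request Authenticator
    server_secret = b"testing123"   # server-side secret, as in the thread
    requests = {
        "client secret testing123": hide_password(b"testing", b"testing123", ra),
        "client secret 'secret'": hide_password(b"testing", b"secret", ra),
        "sshd placeholder": hide_password(SSHD_PLACEHOLDER, b"testing123", ra),
    }
    return {name: triage(h, server_secret, ra) for name, h in requests.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} -> {verdict}")
```

A wrong secret scrambles every byte of the block, so a readable `INCORRECT` in `radiusd -X` output means the secrets matched and the password was replaced on the client side before RADIUS was involved.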
Re: configure error
Olavo wrote:
> I downloaded version 2.1 from http://freeradius.org/download.html . When configuring ( ./configure) I got several errors on config.log.

The only reason to look at that file is to debug the configure scripts. The log is SUPPOSED to be full of errors, because it's testing for platforms other than the one you're using.

Don't look at it.

Perhaps you could explain if there are *other* errors. Like maybe you're trying to do something... ? Right now, all it looks like is you're trying to understand the contents of config.log, which is a complete waste of time.

Alan DeKok.

Re: ldap (sambaNtPassword) + peap-mschapV2 + freeradius : step by step question
FM wrote:
> I am trying to add a Wifi AP (aironet 1250). I am trying to use PEAP/MSCHAPV2 and SAMBA SambaNTpassword (LDAP Back-end). I read a lot of the question about the subject on the ML and cannot figure out all the steps. So here are all the steps I did :

http://deployingradius.com/documents/configuration/active_directory.html

That describes Active Directory, but some of the testing steps should be similar when using Samba.

> I will not post the result of -X because I know I need other config.

To do what? See my web page for other instructions on configuring EAP, and doing step by step testing.

Alan DeKok.

RE: configure error
Thank you Alan,

So I'll go ahead and make/make install.

Olavo

Re: ldap (sambaNtPassword) + peap-mschapV2 + freeradius : step by stepquestion
> I am trying to add a Wifi AP (aironet 1250). I am trying to use PEAP/MSCHAPV2 and SAMBA SambaNTpassword (LDAP Back-end).
> ..
> I know that I need to enable ldap somewhere but ... where :D

Authorize section of /etc/raddb/sites-enabled/inner-tunnel.

Ivan Kalik
Kalik Informatika ISP

logging to stdout
I have already asked this question a few years ago, but it still seems to be impossible to log to stdout using Ubuntu's Freeradius-1.1.7 (I have worked around it by using a fifo)

Am I overlooking something or is logging to stdout still an issue with 1.1.7? (for several reasons I'd like to stay with the original Ubuntu version)

R.

--
___
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

+--+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+--+

Re: logging to stdout
richard lucassen wrote:
> I have already asked this question a few years ago, but it still seems to be impossible to log to stdout using Ubuntu's Freeradius-1.1.7 (I have worked around it by using a fifo)
>
> Am I overlooking something or is logging to stdout still an issue with 1.1.7? (for several reasons I'd like to stay with the original Ubuntu version)

There have been no changes to 1.1.7 since 1.1.7 was released. It's still the same version of software: 1.1.7.

The latest version (2.1.1) has major updates from 1.x, and can log to stdout.

Alan DeKok.

Re: logging to stdout
On Wed, 19 Nov 2008 16:37:22 -0600 Alan DeKok [EMAIL PROTECTED] wrote:
>> I have already asked this question a few years ago, but it still seems to be impossible to log to stdout using Ubuntu's Freeradius-1.1.7 (I have worked around it by using a fifo)
>>
>> Am I overlooking something or is logging to stdout still an issue with 1.1.7? (for several reasons I'd like to stay with the original Ubuntu version)
>
> There have been no changes to 1.1.7 since 1.1.7 was released. It's still the same version of software: 1.1.7.

Uhhh, a few years ago I was using 1.0.2 or 0.9 or something like that ;-)

> The latest version (2.1.1) has major updates from 1.x, and can log to stdout.

Ok, thnx for your reply Alan. I'll continue to use the fifo workaround (which works like a charm btw :)

R.

--
___
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

+--+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+--+

RE: configure error
Hi again,

It didn't make. It has returned errors.

    .libs/radmin.o: In function `main':
    /usr/src/freeradius-server-2.1.1/src/main/radmin.c:489: undefined reference to `readline'
    /usr/src/freeradius-server-2.1.1/src/main/radmin.c:411: undefined reference to `using_history'
    /usr/src/freeradius-server-2.1.1/src/main/radmin.c:412: undefined reference to `rl_insert'
    /usr/src/freeradius-server-2.1.1/src/main/radmin.c:412: undefined reference to `rl_bind_key'
    /usr/src/freeradius-server-2.1.1/src/main/radmin.c:498: undefined reference to `add_history'
    collect2: ld returned 1 exit status
    gmake[4]: *** [radmin] Error 1
    gmake[4]: Leaving directory `/usr/src/freeradius-server-2.1.1/src/main'
    gmake[3]: *** [common] Error 2
    gmake[3]: Leaving directory `/usr/src/freeradius-server-2.1.1/src'
    gmake[2]: *** [all] Error 2
    gmake[2]: Leaving directory `/usr/src/freeradius-server-2.1.1/src'
    gmake[1]: *** [common] Error 2
    gmake[1]: Leaving directory `/usr/src/freeradius-server-2.1.1'
    make: *** [all] Error 2

Olavo

-Original Message-
From: [EMAIL PROTECTED] s.org [mailto:[EMAIL PROTECTED] reeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, November 19, 2008 1:14 PM
To: FreeRadius users mailing list
Subject: Re: configure error

Olavo wrote:
> I downloaded version 2.1 from http://freeradius.org/download.html . When configuring ( ./configure) I got several errors on config.log.

The only reason to look at that file is to debug the configure scripts. The log is SUPPOSED to be full of errors, because it's testing for platforms other than the one you're using.

Don't look at it.

Perhaps you could explain if there are *other* errors. Like maybe you're trying to do something... ? Right now, all it looks like is you're trying to understand the contents of config.log, which is a complete waste of time.

Alan DeKok.

free RADIUS client + CHAP + PAM
Hi there

There are a lot of places on the net which talk about how PAM cannot work with CHAP on the RADIUS server. Will an implementation of freeRADIUS client with CHAP and PAM(pam_radius_auth) module work? Please point me to the appropriate link.

Thanks
-Vinay