No MySQL queries with freeradius 2.x from Lenny
Hi,

I tried to get coopa chilli running, but I have problems with radius and mysql. Radius works with users from files, but not with mysql. I can only see on startup some mysql messages (connect) but no queries at all. The system is Debian Lenny.

sql.conf

sql {
        database = mysql
        driver = rlm_sql_mysql
        server = localhost
        login = radius
        password = secret
        radius_db = radius
        acct_table1 = radacct
        acct_table2 = radacct
        postauth_table = radpostauth
        authcheck_table = radcheck
        authreply_table = radreply
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = radusergroup
        deletestalesessions = yes
        sqltrace = yes
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        readclients = yes
        nas_table = nas
}

(from a small egrep command, hope, there is everything ok)

Debug Output:

rad_recv: Access-Request packet from host 127.0.0.1 port 51722, id=2, length=199
        Vendor-14559-Attr-8 = 0x312e302e3132
        User-Name = chillispot
        User-Password = chillispot
        Service-Type = Administrative-User
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 10.1.0.1
        Called-Station-Id = 00-0C-29-98-FE-1D
        NAS-Identifier = nas01
        WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
        WISPr-Location-Name = My_HotSpot
        Acct-Session-Id = 49aec18f
        Message-Authenticator = 0x21b6e2efd764dc022a55ff0b7ecd3072
Wed Mar 4 20:00:03 2009 : Debug: +- entering group authorize
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[preprocess] returns ok
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[chap] returns noop
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[mschap] returns noop
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Mar 4 20:00:03 2009 : Debug: rlm_realm: No '@' in User-Name = chillispot, looking up realm NULL
Wed Mar 4 20:00:03 2009 : Debug: rlm_realm: No such realm NULL
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[suffix] returns noop
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
Wed Mar 4 20:00:03 2009 : Debug: rlm_eap: No EAP-Message, not doing EAP
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[eap] returns noop
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling unix (rlm_unix) for request 1
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar 4 20:00:03 2009 : Debug: expand: -
Wed Mar 4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query; rejecting user
Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[sql] returns fail
Wed Mar 4 20:00:03 2009 : Auth: Invalid user: [chillispot/chillispot] (from client localhost port 0)
Wed Mar 4 20:00:03 2009 : Debug: Found Post-Auth-Type Reject
Wed Mar 4 20:00:03 2009 : Debug: +- entering group REJECT
Wed Mar 4 20:00:03 2009 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 1
Wed Mar 4 20:00:03 2009 : Debug: expand: %{User-Name} - chillispot
Wed Mar 4 20:00:03 2009 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Mar 4 20:00:03 2009 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[attr_filter.access_reject] returns updated
Wed Mar 4 20:00:03 2009 : Debug: Delaying reject of request 1 for 1 seconds
Wed Mar 4 20:00:03 2009 : Debug: Going to the next request
Wed Mar 4 20:00:03 2009 : Debug: Waking up in 0.9 seconds.
Wed Mar 4 20:00:04 2009 : Debug:
RE: No MySQL queries with freeradius 2.x from Lenny
Denny,

A couple of things:

1. Check the SQL How To at: http://wiki.freeradius.org/SQL_HOWTO

2. The radcheck table should have entries like:

mysql> select * from radcheck;
+----+------------+--------------------+--------+----+
| id | UserName   | Attribute          | Value  | Op |
+----+------------+--------------------+--------+----+
|  1 | fredf      | Cleartext-Password | wilma  | := |
|  2 | barney     | Cleartext-Password | betty  | := |
|  2 | dialrouter | Cleartext-Password | dialup | := |
+----+------------+--------------------+--------+----+
3 rows in set (0.01 sec)

Your table has the Password attribute and Op is ==

3. Send all of the debug output from the radius server. The useful information is missing from this section of the debug output:

Wed Mar 4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar 4 20:00:03 2009 : Debug: expand: -
Wed Mar 4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query; rejecting user
Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Released sql socket id:2
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[sql] returns fail
Wed Mar 4 20:00:03 2009 : Auth: Invalid user: [chillispot/chillispot] (from client localhost port 0)

Tim

-----Original Message-----
From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of Denny Schierz
Sent: Thursday, March 05, 2009 12:40 AM
To: freeradius-users@lists.freeradius.org
Subject: No MySQL queries with freeradius 2.x from Lenny

Hi,

I tried to get coopa chilli running, but I have problems with radius and mysql. Radius works with users from files, but not with mysql. I can only see on startup some mysql messages (connect) but no queries at all. The system is Debian Lenny.
Re: No MySQL queries with freeradius 2.x from Lenny
> I tried to get coopa chilli running, but I have problems with radius and mysql. Radius works with users from files, but not with mysql. I can only see on startup some mysql messages (connect) but no queries at all.
> ..
> Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
> Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
> Wed Mar 4 20:00:03 2009 : Debug: expand: -
> Wed Mar 4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query; rejecting user

Queries are in raddb/sql/mysql/dialup.conf. Have you made changes to that file?

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SV: SV: SV: SV: SV: No known good password
Given the circumstances, the company has now decided to go forward with a Linux solution. I'm going for Ubuntu, since I have a desktop version at home. If there are any problems with this brand, I guess you'll give me a warning. ;-)

A big thanks to everyone who responded.

Best regards
Ove

-----Original Message-----
From: freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org [mailto:freeradius-users-bounces+ove.fagerheim=helgelandskraft...@lists.freeradius.org] On Behalf Of John Dennis
Sent: 4 March 2009 15:21
To: FreeRadius users mailing list
Subject: Re: SV: SV: SV: SV: No known good password

Ove Fagerheim wrote:
> Hmm, that gives me a policy problem, my company *does not* use Linux.

What a marvellous opportunity for you to become a respected and valued employee of your company by educating your peers on the many benefits of open source operating systems. Perhaps the money you save your company by avoiding licensing fees and the reduced cost of administration could be put towards a hefty pay raise for you. Seize the day!

--
John Dennis jden...@redhat.com
openvpn client ip attrib
Hi!

Can you help me? I don't know how I can send back the client IP address to the openvpn client. The cisco vpn 3000 works correctly with cvpn3000 directory. Is there any directory for openvpn? Or which return attrib name can I use?

Thank you!
Gabor
Can we do sql just once during eap-tls handshake
We are using eap-tls for authentication assisted with a database for filling in some attributes.

FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for each round. (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply). There are 6-9 rounds depending on certificate chain sizes. Obviously performance would be better with only one database lookup.

Part of the (attempted) configuration:

authorize {
        preprocess
        eap
        if (I have tried some conditions here) {
                sql
                if (notfound) {
                        fail
                }
        }
}
authenticate {
        eap
}

Is there some nice condition that will result in only one lookup in the database?

A thing that complicates things is that TLS (that declares Success I believe) is run during authenticate which is later than the attempted database lookup.

The TLS outcome is pretty well known in the second last round: There are logs saying

[tls] (other): SSL negotiation finished successfully
SSL Connection Established

but there is still one Access-Challenge. So if this fact could be tested in the last round that test would be a nice candidate for doing the sql update.

As an aside: Is there a way to really inspect the client certificate (preferably the entire chain) and let it affect some logic (in perl as an example)?
Re: openvpn client ip attrib
Hegedus Gabor wrote:
> Hi!
> Can you help me? I don't know how I can send back the client IP address to the openvpn client. The cisco vpn 3000 works correctly with cvpn3000 directory. Is there any directory for openvpn? Or which return attrib name can I use?

This is a little off-topic for this list as this is related to your NAS (which is openvpn).

Basically I do this by returning the standard Framed-IP-Address attribute to the openvpn server. This implies that your openvpn server is able to understand and process this attribute: I use the openvpn radius plugin for this (http://www.nongnu.org/radiusplugin/) as the simple pam_radius option for openvpn doesn't handle Framed-IP-Address attributes.

For more information, I think the openvpn mailing list will be better suited.

Regards,
Thibault
RE: No MySQL queries with freeradius 2.x from Lenny
> 3. Send all of the debug output from the radius server. The useful information is missing from this section of the debug output:
>
> Wed Mar 4 20:00:03 2009 : Debug: ++[unix] returns notfound
> Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
> Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
> Wed Mar 4 20:00:03 2009 : Debug: expand: -
> Wed Mar 4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query; rejecting user

Yes, send the complete debug (include server startup - queries are listed there). I don't think information was removed from debug. I think that queries in dialup.conf are missing. Or he has done something to sql.conf and not included dialup.conf at all.

Ivan Kalik
Kalik Informatika ISP
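The diagnosis above, that rlm_sql is handed an empty query string because the queries from dialup.conf were never loaded, can be read straight out of the debug lines. The following is an added example, not code from the thread or from the FreeRADIUS project: a small parser that walks radiusd debug output, tracks which module is running, and classifies each "Error generating query". The function name, the cause labels and the second sample log are assumptions made for this example; the parser accepts both the usual `->` in `expand:` lines and the bare `-` seen in this archive.

```python
import re

# Lines copied from the debug output posted in this thread.
THREAD_LOG = """\
Wed Mar 4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Mar 4 20:00:03 2009 : Debug: expand: -
Wed Mar 4 20:00:03 2009 : Error: rlm_sql (sql): Error generating query; rejecting user
Wed Mar 4 20:00:03 2009 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Mar 4 20:00:03 2009 : Debug: ++[sql] returns fail
"""

# Constructed control sample (not from the thread): a lookup that expands normally.
HEALTHY_LOG = """\
Thu Mar 5 09:00:00 2009 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 7
Thu Mar 5 09:00:00 2009 : Debug: expand: %{User-Name} -> bob
Thu Mar 5 09:00:00 2009 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 7
"""

CALL_RE = re.compile(
    r"modsingle\[([\w-]+)\]: calling (\S+) \((rlm_\w+)\) for request (\d+)")
RETURN_RE = re.compile(r"modsingle\[[\w-]+\]: returned from \S+ ")
# "expand: <template> -> <result>"; either side may be empty.
EXPAND_RE = re.compile(r"^expand:\s*(?P<tmpl>.*?)\s+->?\s*(?P<out>.*)$")

ADVICE = {
    "empty_template": "query string was empty before expansion: check that "
                      "sql.conf still includes sql/mysql/dialup.conf and that "
                      "the authorize queries are defined there",
    "empty_expansion": "query template expanded to nothing: check the "
                       "attributes it references",
    "no_expand_logged": "no expansion was logged: capture the full debug "
                        "output, including server startup",
}


def find_sql_query_failures(log_text):
    """Return one finding per 'Error generating query' line in the log."""
    findings = []
    current = None       # (section, instance, module, request) now running
    last_expand = None   # last (template, result) seen inside that call
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        _stamp, sep, rest = raw.partition(" : ")
        if not sep:
            continue     # packet dump or other untimestamped line
        level, _, msg = rest.partition(":")
        level, msg = level.strip(), msg.strip()

        call = CALL_RE.search(msg)
        if call:
            current, last_expand = call.groups(), None
            continue
        if RETURN_RE.search(msg):
            current, last_expand = None, None
            continue
        expand = EXPAND_RE.match(msg)
        if expand:
            last_expand = (expand["tmpl"], expand["out"])
            continue

        if level == "Error" and "Error generating query" in msg:
            if last_expand is None:
                cause = "no_expand_logged"
            elif last_expand[0] == "":
                cause = "empty_template"
            else:
                cause = "empty_expansion"
            section, instance, _module, request = current or (None,) * 4
            findings.append({
                "line": lineno,
                "section": section,
                "instance": instance,
                "request": int(request) if request else None,
                "cause": cause,
                "advice": ADVICE[cause],
            })
    return findings


if __name__ == "__main__":
    for f in find_sql_query_failures(THREAD_LOG):
        print("line %(line)d, request %(request)s, %(instance)s in "
              "%(section)s: %(cause)s\n  -> %(advice)s" % f)
```
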
Re: Can we do sql just once during eap-tls handshake
Johan F2 wrote:
> We are using eap-tls for authentication assisted with a database for filling in some attributes.
>
> FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for each round. (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply). There are 6-9 rounds depending on certificate chain sizes. Obviously performance would be better with only one database lookup.
>
> Part of the (attempted) configuration:
>
> authorize {
>         preprocess
>         eap
>         if (I have tried some conditions here) {

The default FR 2.0 config has:

authorize {
        eap {
                ok = return
        }
}

...which will do what you want. As always, mangling the default config without understanding why it does what it does is a bad idea.
Re: Can we do sql just once during eap-tls handshake
Thanks Phil,

I have tried that but regrettably it does not work. According to my logs eap returns updated every round when doing authorize. (During the authenticate stage eap returns handled except the last round where it returns ok)

The comment preceding eap in the default config says:

# As of 2.0, the EAP module returns ok in the authorize stage
# for TTLS and PEAP. In 1.x, it never returned ok here, so

so there is no promise about any improvement when doing EAP-TLS.

Sorry about the "...mangling the default config without understanding..." I am porting an existing config (by someone else) from 1.x so I missed that. I did examine the log checking the return values from eap though.

/Johan

Phil Mayers wrote:
> Johan F2 wrote:
> > We are using eap-tls for authentication assisted with a database for filling in some attributes.
> >
> > FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for each round. (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply). There are 6-9 rounds depending on certificate chain sizes. Obviously performance would be better with only one database lookup.
> >
> > Part of the (attempted) configuration:
> >
> > authorize {
> >         preprocess
> >         eap
> >         if (I have tried some conditions here) {
>
> The default FR 2.0 config has:
>
> authorize {
>         eap {
>                 ok = return
>         }
> }
>
> ...which will do what you want. As always, mangling the default config without understanding why it does what it does is a bad idea.
Re: Can we do sql just once during eap-tls handshake
> Thanks Phil,
>
> I have tried that but regrettably it does not work. According to my logs eap returns updated every round when doing authorize. (During the authenticate stage eap returns handled except the last round where it returns ok)
>
> The comment preceding eap in the default config says:
>
> # As of 2.0, the EAP module returns ok in the authorize stage
> # for TTLS and PEAP. In 1.x, it never returned ok here, so
>
> so there is no promise about any improvement when doing EAP-TLS.

You can try adding updated = return to eap section in authorize. Not sure if that breaks anything.

Ivan Kalik
Kalik Informatika ISP
Re: Can we do sql just once during eap-tls handshake
I have tested updated = return and it behaves as expected. That is authorize always returns without reading the database so the attributes are never set. Remember that eap returns updated every round including the last one where the database should be consulted.

I need a test that returns true when doing authorize in the same round as authenticate will return ok.

/Johan

> You can try adding updated = return to eap section in authorize. Not sure if that breaks anything.
>
> Ivan Kalik
> Kalik Informatika ISP
Production servers num_sql_socks
I've read a few posts about increasing this value when "There are no DB handles to use" occur. Not sure if it's a good idea. Granted your DB is fast enough to query quickly. Upping this value on a slow DB will severely degrade performance.

What sort of values are you guys using for production servers?

--
Regards
Stelio Gouveia
Skyrove Software Engineer, Skyrove (Pty) Ltd
RE: Production servers num_sql_socks
We set num_sql_socks to 25. We had them set to 10 but ran into issues when massive numbers of subscribers were attempting to enter the network at once - for example when we would power cycle a base station with 400 subscribers on it for maintenance.

Ben Wiechman

From: freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org [mailto:freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org] On Behalf Of Stelio Gouveia
Sent: Thursday, March 05, 2009 8:55 AM
To: freeradius-users@lists.freeradius.org
Subject: Production servers num_sql_socks

I've read a few posts about increasing this value when "There are no DB handles to use" occur. Not sure if it's a good idea. Granted your DB is fast enough to query quickly. Upping this value on a slow DB will severely degrade performance.

What sort of values are you guys using for production servers?

--
Regards
Stelio Gouveia
Re: Can we do sql just once during eap-tls handshake
> I have tested updated = return and it behaves as expected. That is authorize always returns without reading the database so the attributes are never set. Remember that eap returns updated every round including the last one where the database should be consulted.
>
> I need a test that returns true when doing authorize in the same round as authenticate will return ok.

Try running authorize:sql in post-auth. Or was it sql:authorize?

Ivan Kalik
Kalik Informatika ISP
Re: Can we do sql just once during eap-tls handshake
Both authorize:sql and sql:authorize cause an error "Failed to find module". Plain sql or sql authorize { } lead to the documented post-auth behaviour of sql (that is writing to log).

I have not found any documentation about forcing a module into running code for another phase (authorize when doing post-auth).

tnt-4 wrote:
> Try running authorize:sql in post-auth. Or was it sql:authorize?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Can we do sql just once during eap-tls handshake
Johan F2 wrote:
> Both authorize:sql and sql:authorize cause an error "Failed to find module".

Use sql.authorize

> I have not found any documentation about forcing a module into running code for another phase (authorize when doing post-auth).

It's not documented. It was a feature that got added semi-accidentally, and then turned out to be too useful to remove.

Alan DeKok.
Exec-Program-Wait and FreeRadius 2.1.1
Hello,

we're about to migrate from Freeradius 0.9 to 2.1. During this we noticed that the attributes Exec-Program-Wait and Exec-Program are deprecated. We used this feature to start a script (which generates special Cisco AV-Pairs). Our Freeradius backend is a mysql database.

Now my problem is that the attributes don't work. So we tried with the exec module. This works fine, but we want to execute different scripts depending on the group the user is inserted and I want to manage this via database like it was in version 0.9.

Can you give me a clue how to deal with, because I didn't find anything about this in the documentation.

Thanks a lot and best regards
Michael Schramm
Re: Exec-Program-Wait and FreeRadius 2.1.1
Michael Schramm wrote:
> we're about to migrate from Freeradius 0.9 to 2.1. During this we noticed that the attributes Exec-Program-Wait and Exec-Program are deprecated. We used this feature to start a script (which generates special Cisco AV-Pairs).

They still work in 2.x.

> Now my problem is that the attributes don't work.

If you list exec in the post-auth section, then they work. This configuration is in the default configuration files in 2.x.

Alan DeKok.
Re: Solved Can we do sql just once during eap-tls handshake
It works! Now there is only one database access per authentication.

The relevant part of the config is now:

authorize {
        eap
}
authenticate {
        eap
}
post-auth {
        sql.authorize
        if (notfound) {
                fail
        }
}

Somewhat un-obvious but thanks a lot for the help! (But I guess setting Auth-method to Reject in the database no longer works.)

/Johan

Alan DeKok-2 wrote:
> Johan F2 wrote:
> > Both authorize:sql and sql:authorize cause an error "Failed to find module".
>
> Use sql.authorize
>
> > I have not found any documentation about forcing a module into running code for another phase (authorize when doing post-auth).
>
> It's not documented. It was a feature that got added semi-accidentally, and then turned out to be too useful to remove.
>
> Alan DeKok.
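Why `ok = return` and `updated = return` both missed the goal while `sql.authorize` in post-auth met it can be checked by counting lookups per handshake. The following is an added example, not code from the thread or from FreeRADIUS: a simplified model of the section processing that uses only the return codes Johan reports from his logs (eap returns updated in authorize every round, and handled in authenticate until the last round, where it returns ok). The function names, the `CONFIGS` table and the assumption that post-auth runs once after the final round are choices made for this example.

```python
# Four selects per run of sql's authorize method, as listed in the thread:
# radcheck, radusergroup, radgroupcheck, radgroupreply.
SELECTS_PER_LOOKUP = 4


def eap_rcode(section, round_no, rounds):
    """Return codes of the eap module for EAP-TLS, as reported in the thread."""
    if section == "authorize":
        return "updated"                       # every round, last one included
    if section == "authenticate":
        return "ok" if round_no == rounds else "handled"
    raise ValueError("eap is not modelled in section %r" % section)


def run_section(entries, section, round_no, rounds):
    """Walk one section; return how many times sql's authorize method ran.

    entries is a list of (module, actions); actions maps a return code to
    "return", which stops processing of the section at that module.
    """
    lookups = 0
    for module, actions in entries:
        if module == "eap":
            rcode = eap_rcode(section, round_no, rounds)
        elif module in ("sql", "sql.authorize"):
            lookups += 1
            rcode = "ok"                       # assume the user row is found
        else:
            rcode = "noop"
        if actions.get(rcode) == "return":
            break
    return lookups


def simulate(config, rounds):
    """Count SQL selects for one EAP-TLS handshake of `rounds` round trips."""
    lookups = 0
    loaded_for_final_reply = False
    for round_no in range(1, rounds + 1):
        n = run_section(config.get("authorize", []), "authorize",
                        round_no, rounds)
        lookups += n
        if round_no == rounds and n:
            loaded_for_final_reply = True
    # post-auth runs once, after authenticate returned ok in the last round
    n = run_section(config.get("post-auth", []), "post-auth", rounds, rounds)
    lookups += n
    return {
        "selects": lookups * SELECTS_PER_LOOKUP,
        "attributes_loaded": loaded_for_final_reply or n > 0,
    }


# The four layouts discussed in the thread, reduced to eap and sql.
CONFIGS = {
    "sql in authorize": {
        "authorize": [("eap", {}), ("sql", {})],
    },
    "eap { ok = return }": {
        "authorize": [("eap", {"ok": "return"}), ("sql", {})],
    },
    "eap { updated = return }": {
        "authorize": [("eap", {"updated": "return"}), ("sql", {})],
    },
    "sql.authorize in post-auth": {
        "authorize": [("eap", {})],
        "post-auth": [("sql.authorize", {})],
    },
}


if __name__ == "__main__":
    for rounds in (6, 9):                      # the range given in the thread
        print("handshake with %d rounds" % rounds)
        for name, config in CONFIGS.items():
            result = simulate(config, rounds)
            print("  %-28s selects=%-3d attributes_loaded=%s"
                  % (name, result["selects"], result["attributes_loaded"]))
```

In the post-auth layout the SQL rows are read only after EAP-TLS has already succeeded, which is the trade-off Johan raises in his parenthesis above.
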
Re: Production servers num_sql_socks
Hi,

> Granted your DB is fast enough to query quickly. Upping this value on a slow DB will severely degrade performance.
>
> What sort of values are you guys using for production servers?

we found that any value over 20 caused issues with mysql... we moved to postgresql anyway a year back.

alan
No known good password for NIS users
I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client. Using radtest, I find that local user accounts are accepted, but NIS accounts are rejected. I have not changed anything from the default configuration other than adding client info and setting DEFAULT Auth-Type = System in the users file. NIS accounts are otherwise functional on the machine (able to login via console/SSH).

Debugging output is below, showing two Access-Requests: testu is a local account, and wifi is a NIS account.

Ultimately, I am trying to do EAP-TTLS/PAP but I need to get past this first...

Thanks,
--Drew

FreeRADIUS Version 2.1.3, for host i486-pc-linux-gnu, built on Mar 4 2009 at 14:38:49
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/freeradius/freeradius.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        ipaddr = 127.0.0.1
Re: No known good password for NIS users
> I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client. Using radtest, I find that local user accounts are accepted, but NIS accounts are rejected.

Well, yes. How is freeradius supposed to talk to NIS? Perhaps PAM? Or is there some ntlm_auth type script?

> I have not changed anything from the default configuration other than adding client info and setting DEFAULT Auth-Type = System in the users file.

You don't need that in 2.x. And it will get in the way if you need to set Auth-Type PAM.

Ivan Kalik
Kalik Informatika ISP
Re: Production servers num_sql_socks
If it is not a secret, how many users do you have (active users at the same time) and how many connections per minute can your system handle without problems?

a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Granted your DB is fast enough to query quickly. Upping this value on a slow DB will severely degrade performance. What sort of values are you guys using for production servers?
>
> we found that any value over 20 caused issues with mysql... we moved to postgresql anyway a year back.
>
> alan
Re: Production servers num_sql_socks
Hi,

> If it is not a secret, how many users do you have (active users at the same time) and how many connections per minute can your system handle without problems.

around 15k concurrent users, hundreds of thousands per minute could be handled (when we last did a load test)

alan
Variables' content as a reply
Hello all!

I've been trying unsuccessfully to get this setup to work, but unfortunately haven't been able so far. My need is to return the contents of three LDAP fields as replies on the Access-Accept package. The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM Cookbook -- DJ 5.1.5,3).

My config is as follows:

on ldap.attrmap:

    checkItem cLDAPdepartmentNumber departmentNumber
    replyItem rLDAPdepartmentNumber departmentNumber
    checkItem cLDAPaffiliation eduPersonPrimaryAffiliation
    replyItem rLDAPaffiliation eduPersonPrimaryAffiliation
    checkItem cLDAPou ou
    replyItem rLDAPou ou

on dictionary.university:

    VENDOR Unicamp 12345
    BEGIN-VENDOR Unicamp
    ATTRIBUTE University-LDAP-departmentNumber 1 string
    ATTRIBUTE University-LDAP-affiliation 2 string
    ATTRIBUTE University-LDAP-organizationUnit 3 string
    END-VENDOR University

(the attributes, at least, are recognized correctly on the reply).

on the inner-tunnel configuration file:

    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
        redundant {
            sql-server1
            sql-server2
        }
        update outer.reply {
            User-Name := %{reply:User-Name}
            University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
        }
    }

radiusd -v is:

    radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.0, built on Jan 9 2009 at 07:02:31

but unfortunately, something does not translate right. From what I've gathered running radiusd -X, the relevant parts are:

- first, an error on rlm_ldap:

    ++- entering policy redundant {...}
    [ldap1] performing user authorization for u...@university
    [ldap1] expand: (eduPersonPrincipalName=%{User-Name}) - (edupersonprincipalname=u...@university)
    [ldap1] expand: dc=university - dc=university
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ldap1.university:389, authentication 0
    rlm_ldap: starting TLS
    rlm_ldap: bind as / to ldap1.university:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=university, with filter (edupersonprincipalname=u...@university)
    [ldap1] checking if remote access for u...@university is allowed by dialupAccess
    [ldap1] looking for check items in directory...
    rlm_ldap: Failed to create the pair: Invalid octet string cc for attribute name cLDAPou
    rlm_ldap: Failed to create the pair: Invalid octet string staff for attribute name cLDAPaffiliation
    rlm_ldap: Failed to create the pair: Invalid octet string 20.5.2.4.0.0.0 for attribute name cLDAPdepartmentNumber
    rlm_ldap: radiusSimultaneousUse - Simultaneous-Use == 1
    [ldap1] looking for reply items in directory...
    rlm_ldap: Failed to create the pair: Invalid octet string cc for attribute name rLDAPou
    rlm_ldap: Failed to create the pair: Invalid octet string staff for attribute name rLDAPaffiliation
    rlm_ldap: Failed to create the pair: Invalid octet string 20.5.2.4.0.0.0 for attribute name rLDAPdepartmentNumber
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap1] Setting Auth-Type = LDAP
    [ldap1] user u...@university authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    +++[ldap1] returns ok

- second: the reply's content is not getting translated right. Instead of sending the contents of the variables, it just sends the variable names outright:

    Sending Access-Accept of id 235 to xxx.xxx.xxx.xxx port 32783
    User-Name = %{reply:User-Name}
    University-LDAP-departmentNumber = %{rLDAPdepartmentNumber}
    MS-MPPE-Recv-Key = blah
    MS-MPPE-Send-Key = blah
    EAP-Message = 0x03050004
    Message-Authenticator = 0x
    Finished request 5.

So, the most important question is: how do I reference the contents of the variables in the post-auth update section? Second: what's causing the check and reply items not to get translated? Could this be an LDAP error or is there an error in the ldap.attrmap file?

By the way, the authentication, authorization, everything is working fine already (including the TTLS/PAP part).

Thanks in advance for any thoughts.
Freeradius exceeding num_sql_socks
Hi All.

Is there any reason why Freeradius would exceed the limit set by the num_sql_socks directive?

--
Regards
Stelio Gouveia
rewrite attribute with perl module
Hi ALL

I have attribute Session-Timeout with value 36 in the radreply database and want to modify the value when the radius returns it, when radius replies. I enabled the perl module and enabled it at post-auth. In the perl sub post-auth I added:

    .
    print attr
    $RAD_REPLY{'Session-Timeout'} = 5 ;
    .
    print attr
    .
    return RLM_MODULE_UPDATED

but that does not affect the returned value:

    Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = throttle=55
    Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 36
    Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = x
    Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REQUEST: SQL-User-Name = user
    ...
    Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Cisco-AVPair = throttle=55
    Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Session-Timeout = 5
    Thu Mar 5 23:22:30 2009 : Debug: rlm_perl: RAD_REPLY: Framed-IP-Address = xx

but radius sent back

    Sending Access-Accept of id 1 to 192.168.100.10:32830
    Framed-IP-Address :=
    Cisco-AVPair = throttle=55
    Session-Timeout = 36

with value of 36, not (5).

Then I enabled the perl module in the authorize and authentication sections of radius.conf and put the same previous code in the same subs (authorize and authentication) of the perl module, but I got the same result: value not changed. I also got the same result when I changed the return code to become RLM_MODULE_UPDATED.

Any hint please ?!! Can I modify the value of reply attributes?

Thanks a lot
proxy acct records best practices
Hello,

I am a new user of freeradius ( no experience with the 1.x version at all ). I am in the process of setting up radius for accounting of voip records. Due to the nature of my system blocking must be avoided at all costs. With this in mind I have configured FR to write accounting records locally to a file, then I have the records proxied to a remote freeradius instance where the records are written to a database.

My question revolves around best practices and speed. Reading and shipping the records off box is very slow ( somewhere around 5 - 10 records per second ). I believe this may be caused by the latency between the proxy and the master which is around 150ms. Of course I could just insert the records in the DB across the WAN but am not sure whether this would be any faster. I'm convinced latency is the issue because even when I turn off the databasing of records on the master and only write to flat files the speed remains in the same range.

Keeping in mind my newness to freeradius I thought it might be a good idea to ask the community for suggestions.

Thanks
T
Re: rewrite attribute with perl module
> any hint please ?!! , can i modify the value of reply attributes ?

Are you using a server version that is years out of date? This works in the current version.

Ivan Kalik
Kalik Informatika ISP
Re: Variables' content as a reply
> I've been trying unsuccessfully to get this setup to work, but unfortunately haven't been able so far. My need is to return the contents of three LDAP fields as replies on the Access-Accept package. The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM Cookbook -- DJ 5.1.5,3). My config is as follows: on ldap.attrmap:
>
>     checkItem cLDAPdepartmentNumber departmentNumber
>     replyItem rLDAPdepartmentNumber departmentNumber
>     checkItem cLDAPaffiliation eduPersonPrimaryAffiliation
>     replyItem rLDAPaffiliation eduPersonPrimaryAffiliation
>     checkItem cLDAPou ou
>     replyItem rLDAPou ou

Where does the cookbook say that you should put that in ldap.attrmap? Where are those radius attributes defined? Some additional dictionary?

> on dictionary.university:
>
>     VENDOR Unicamp 12345
>     BEGIN-VENDOR Unicamp
>     ATTRIBUTE University-LDAP-departmentNumber 1 string
>     ATTRIBUTE University-LDAP-affiliation 2 string
>     ATTRIBUTE University-LDAP-organizationUnit 3 string
>     END-VENDOR University

Why don't you map those in ldap.attrmap.

> (the attributes, at least, are recognized correctly on the reply). on the inner-tunnel configuration file:
>
>     post-auth {
>         reply_log
>         Post-Auth-Type REJECT {
>             reply_log
>         }
>         redundant {
>             sql-server1
>             sql-server2
>         }
>         update outer.reply {
>             User-Name := %{reply:User-Name}
>             University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
>         }
>     }

That should be:

    User-Name := '%{reply:User-Name}'
    University-LDAP-departmentNumber := '%{rLDAPdepartmentNumber}'

Ivan Kalik
Kalik Informatika ISP
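A triage script for the two symptoms discussed in this thread, added here as an example (not code from the posters or the FreeRADIUS project): it scans `radiusd -X` output for `ldap.attrmap` entries that rlm_ldap could not turn into attributes, and for reply attributes that were sent with literal `%{...}` text. The sample log is constructed in the shape of the output quoted above, and the script assumes reply attributes are printed indented under the `Sending` line.

```python
import re

# Constructed sample in the shape of the radiusd -X output quoted in the thread.
SAMPLE_DEBUG = """\
rlm_ldap: Failed to create the pair: Invalid octet string cc for attribute name cLDAPou
rlm_ldap: Failed to create the pair: Invalid octet string staff for attribute name rLDAPaffiliation
rlm_ldap: radiusSimultaneousUse - Simultaneous-Use == 1
Sending Access-Accept of id 235 to 192.0.2.10 port 32783
\tUser-Name = %{reply:User-Name}
\tUniversity-LDAP-departmentNumber = %{rLDAPdepartmentNumber}
\tEAP-Message = 0x03050004
Finished request 5.
"""

# rlm_ldap could not build a value pair for a name listed in ldap.attrmap.
PAIR_FAIL = re.compile(
    r"Failed to create the pair: Invalid octet string (?P<value>.*)"
    r" for attribute name (?P<attr>\S+)"
)
# Start of a reply dump, e.g. "Sending Access-Accept of id 235 to ...".
SENDING = re.compile(r"^Sending (?P<code>[\w-]+) of id (?P<id>\d+) to ")
# One indented "Name = value" (or "Name := value") line of that dump.
ATTR = re.compile(r"^\s+(?P<name>[\w.-]+) :?= (?P<value>.*)$")
# An expansion that reached the wire unexpanded.
XLAT = re.compile(r"%\{[^}]+\}")


def triage(debug_text):
    """Return failed LDAP mappings and reply attributes sent with raw %{...}."""
    failed_maps, unexpanded = [], []
    packet = None  # (code, id) of the reply whose attributes are being read
    for line in debug_text.splitlines():
        m = PAIR_FAIL.search(line)
        if m:
            failed_maps.append((m["attr"], m["value"]))
            continue
        m = SENDING.match(line)
        if m:
            packet = (m["code"], int(m["id"]))
            continue
        m = ATTR.match(line) if packet else None
        if m is None:
            packet = None  # any other line ends the attribute list
            continue
        value = m["value"].strip('"')
        if XLAT.search(value):
            unexpanded.append(packet + (m["name"], value))
    return {"failed_maps": failed_maps, "unexpanded": unexpanded}


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    for attr, value in result["failed_maps"]:
        print(f"ldap.attrmap: '{attr}' could not be created (LDAP value {value!r})")
    for code, pkt_id, name, value in result["unexpanded"]:
        print(f"{code} id {pkt_id}: {name} sent as literal {value}")
```
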
Reject problems w/ v 2.1.3
Hi,

I need to upgrade our freeRADIUS 1.1.7 config to 2.1.3 on an embedded Linux platform. I can build everything just fine but all our authentication attempts are rejected. I didn't do the 1.1.7 work so I am sure I am missing something simple. This is for a private wireless network using WPA2-PEAP. Looks like a config screwup somewhere but I can't figure out which specific config is causing this to fail.

The users file is:

    00093701a89d Cleartext-Password == 66e3c1cd773f487d

(It used to be: 00093701a89d User-Password == 66e3c1cd773f487d)

The log from 'radiusd -X' is below: (Apologies for the long log but I didn't know which stuff is important and which isn't)

Thanks for your patience and help,
- Harshal

FreeRADIUS Version 2.1.3, for host arm-unknown-linux-gnu, built on Mar 5 2009 at 05:10:53
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/etc/raddb/radiusd.conf including configuration file /usr/etc/raddb/proxy.conf including configuration file /usr/etc/raddb/clients.conf including files in directory /usr/etc/raddb/modules/ including configuration file /usr/etc/raddb/modules/passwd including configuration file /usr/etc/raddb/modules/expiration including configuration file /usr/etc/raddb/modules/checkval including configuration file /usr/etc/raddb/modules/acct_unique including configuration file /usr/etc/raddb/modules/mac2vlan including configuration file /usr/etc/raddb/modules/echo including configuration file /usr/etc/raddb/modules/etc_group including configuration file /usr/etc/raddb/modules/perl including configuration file /usr/etc/raddb/modules/expr including configuration file /usr/etc/raddb/modules/krb5 including configuration file /usr/etc/raddb/modules/smbpasswd including configuration file /usr/etc/raddb/modules/exec including configuration file /usr/etc/raddb/modules/mschap including configuration file /usr/etc/raddb/modules/unix including configuration file /usr/etc/raddb/modules/linelog including configuration file /usr/etc/raddb/modules/pam including configuration file /usr/etc/raddb/modules/detail.example.com including configuration file /usr/etc/raddb/modules/policy including configuration file /usr/etc/raddb/modules/sql_log including configuration file /usr/etc/raddb/modules/always including configuration file /usr/etc/raddb/modules/logintime including configuration file /usr/etc/raddb/modules/chap including configuration file /usr/etc/raddb/modules/preprocess including configuration file /usr/etc/raddb/modules/attr_rewrite including configuration file /usr/etc/raddb/modules/inner-eap including configuration file /usr/etc/raddb/modules/wimax including configuration file /usr/etc/raddb/modules/mac2ip including configuration file /usr/etc/raddb/modules/radutmp including configuration file /usr/etc/raddb/modules/detail including configuration file 
/usr/etc/raddb/modules/ldap including configuration file /usr/etc/raddb/modules/detail.log including configuration file /usr/etc/raddb/modules/attr_filter including configuration file /usr/etc/raddb/modules/pap including configuration file /usr/etc/raddb/modules/ippool including configuration file /usr/etc/raddb/modules/realm including configuration file /usr/etc/raddb/modules/digest including configuration file /usr/etc/raddb/modules/counter including configuration file /usr/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/etc/raddb/modules/files including configuration file /usr/etc/raddb/modules/sradutmp including configuration file /usr/etc/raddb/eap.conf including configuration file /usr/etc/raddb/sql.conf including configuration file /usr/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/etc/raddb/sql/mysql/counter.conf including configuration file /usr/etc/raddb/policy.conf including files in directory /usr/etc/raddb/sites-enabled/ including configuration file /usr/etc/raddb/sites-enabled/default including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel including dictionary file /usr/etc/raddb/dictionary main { prefix = /usr localstatedir = /tmp logdir = /tmp libdir = /usr/lib radacctdir = /tmp/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /tmp/radiusd.pid checkrad = /usr/sbin/checkrad debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1
failed to receive Accounting Response
[IOS Version 12.1(22)EA11] [freeradius-2.1.3]

Hello! I'm trying to account all commands on cisco in enable mode and other levels, which the user runs:

    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting system default stop-only group radius
    aaa accounting connection default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting commands 1 default stop-only group radius
    aaa accounting commands 15 default stop-only group radius
    aaa accounting send stop-record authentication failure

but cisco log about accounting every time sends a message like this

    Mar 6 08:57:48 192.168.255.10 210: 000207: Mar 6 08:57:48 MSK: %RADIUS-3-NOACCOUNTINGRESPONS Stop for session 0074 failed to receive Accounting Response.

accounting section in radius config

    accounting {
        detail
        daily
        unix
        radutmp
        sradutmp
        attr_filter.accounting_response
        Acct-Type Status-Server {
        }
    }

How can I resolve the problem? Thanks!
Re: Freeradius exceeding num_sql_socks
Stelio Gouveia wrote:
> Is there any reason why Freeradius would exceed the limit set by the num_sql_socks directive?

If you have one SQL module, no. If you have two SQL modules, each will open up its own sockets.

Alan DeKok.
Re: proxy acct records best practices
TR Missner wrote:
> I am a new user of freeradius ( no experience with the 1.x version at all ).

Don't use 1.x. Use the latest version.

> I am in the process of setting up radius for accounting of voip records. Due to the nature of my system blocking must be avoided at all costs. With this in mind I have configured FR to write accounting records locally to a file, then I have the records proxied to a remote freeradius instance where the records are written to a database. My question revolves around best practices and speed. Reading and shipping the records off box is very slow ( somewhere around 5 - 10 records per second ).

You've configured the server to use syslog. Don't. Syslog on some systems is limited to 5-10 log entries per second. This is because it syncs the logs to disk after each line of text.

> I believe this may be caused by the latency between the proxy and the master which is around 150ms.

No.

> Of course I could just insert the records in the DB across the WAN but am not sure whether this would be any faster. I'm convinced latency is the issue because even when I turn off the databasing of records on the master and only write to flat files the speed remains in the same range.

syslog.

Alan DeKok.
Re: No known good password for NIS users
Drew Johnson wrote:
> I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client. Using radtest, I find that local user accounts are accepted, but NIS accounts are rejected.

See the debug log for why.

> ...
> ++[unix] returns notfound

That's pretty definitive. The server asks for a password file entry, and the system returns no entry for that user.

Alan DeKok.