How to calling-station-id attribute in check item
Hi, I am using free radius version 2.1.1-7. I am using free radius + user database in Mysql + PPPoE server. I am done with authentication but I want to bind + log mac addr with username, but I am not getting the attribute Calling-station-id. Please guide how to get it there. Access-Request as below.

rad_recv: Access-Request packet from host 127.0.0.1 port 55229, id=248, length=90
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = spark
	CHAP-Challenge = 0xaa7ad2fc8f118f0184dcdaa5c6fb2929f78f
	CHAP-Password = 0x79237be1217344f61fe5a6972daaf9f93c
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0

Thanks and regards
Nirmal Patel | Mumbai
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to calling-station-id attribute in check item
Nirmal wrote:
> I am using free radius + user database in Mysql + PPPoE server. I am done with authentication but I want to bind + log mac addr with username, but I am not getting the attribute Calling-station-id. Please guide how to get it there.

Fix the PPPoE server to send it. FreeRADIUS can't magically invent a value for Calling-Station-Id. The RADIUS client has the value, and it needs to send the attribute to FreeRADIUS.

Alan DeKok.
MsCHAP with freeradius-server-2.1.3
Hello, I am using freeradius with Active Directory. I want to use mschap for authentication but the users are all rejected for no known good password. It seems that only PAP authentication works. Any help will be appreciated.
Re: MsCHAP with freeradius-server-2.1.3
> Hello, I am using freeradius with Active Directory. I want to use mschap for authentication but the users are all rejected for no known good password. It seems that only PAP authentication works. Any help will be appreciated.

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP
Re: How to calling-station-id attribute in check item
:-D Thanks Alan.

--- On Tue, 4/21/09, Alan DeKok al...@deployingradius.com wrote:
> From: Alan DeKok al...@deployingradius.com
> Subject: Re: How to calling-station-id attribute in check item
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Date: Tuesday, April 21, 2009, 1:41 PM
>
> Nirmal wrote:
> > I am using free radius + user database in Mysql + PPPoE server. I am done with authentication but I want to bind + log mac addr with username, but I am not getting the attribute Calling-station-id. Please guide how to get it there.
>
> Fix the PPPoE server to send it. FreeRADIUS can't magically invent a value for Calling-Station-Id. The RADIUS client has the value, and it needs to send the attribute to FreeRADIUS.
>
> Alan DeKok.
Re: Possible bug in rlm_perl
> I think I may have found a bug in rlm_perl?

No, you broke it.

> #The following line cleans two of the slashes \\ out of the user-name before we return from the
> #perl module. These two slashes get added in. I'm not sure how or why.
> $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;

Extra slashes are escaping slashes in the username. Leave them alone.

Ivan Kalik
Kalik Informatika ISP
ldap filter depending on NAS
Hello,

My freeRadius setup works very well using PEAP/TLS binding on the ldap using only one filter. Now I have two very different types of NAS and I need to filter users that may have access to one NAS or the other or both. My idea was to use the unlang in the ldap module to write my policy, but it's not working.

In /etc/freeradius/modules/ldap we have:

ldap {
	#
	# Note that this needs to match the name in the LDAP
	# server certificate, if you're using ldaps.
	server = 127.0.0.1
	identity = __snipped__
	password = __snipped__
	basedn = "dc=__snipped__,dc=com"

	#WORKING :
	#filter = "(&(|(accessTo=WIFI_FR)(accessTo=WIFI_ALL))(uid=%{Stripped-User-Name:-%{User-Name}}))"

	#NOT working:
	if (NAS-IP-Address == 10.1.1.2) {
		filter = "(&(|(accessTo=WIFI_XX)(accessTo=WIFI_YY))(uid=%{Stripped-User-Name:-%{User-Name}}))"
	}
	else {
		filter = "(&(accessTo=VPN)(uid=%{Stripped-User-Name:-%{User-Name}}))"
	}

	base_filter = "(objectclass=radiusprofile)"
	___snipped-the rest of this section is OK___
}

It all happens as if the if () { ... } else { ... } is completely ignored (and thus it defaults to checking whether the uid exists), i.e. neither filter1 nor filter2 appears when debugging. But when we only put filter, it appears when debugging.

I think I'm missing a lot of details in the configuration and I have not figured out how to do this with hints|huntgroups|clients files.

Any help on why this is not working or another simple solution is welcome.

Best Regards,
Matt
rlm_linelog locking
It appears rlm_linelog doesn't lock the file before writing to it. Should it? Won't lines get interspersed at high logging rates if not?
Re: ldap filter depending on NAS
> My freeRadius setup works very well using PEAP/TLS binding on the ldap using only one filter. Now I have two very different types of NAS and I need to filter users that may have access to one NAS or the other or both. My idea was to use the unlang in the ldap module to write my policy, but it's not working.

No. It works in server, not module configuration. Use group membership filter as well. Then use unlang in authorize to check Ldap-Group.

Ivan Kalik
Kalik Informatika ISP
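One way to build what Ivan describes, as an added example that is neither Matt's config nor from the FreeRADIUS distribution: the ldap module keeps a plain uid lookup, rlm_ldap is told that the user entry's accessTo values are the group names, and the per-NAS decision moves into unlang. It assumes the 2.x module key groupmembership_attribute, the NAS address and group names from Matt's message, and that the policy lives in the inner-tunnel virtual server (PEAP), where the NAS address is read from the outer request via outer.request:.

```unlang
# /etc/freeradius/modules/ldap  (only the parts that change)
ldap {
	server = 127.0.0.1
	identity = __snipped__
	password = __snipped__
	basedn = "dc=__snipped__,dc=com"

	# Plain user lookup: no per-NAS logic in the filter any more.
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"

	# Group membership is read from the user's own entry: each value of
	# accessTo (WIFI_XX, WIFI_YY, VPN, ...) is treated as a group name, so
	# a comparison against Ldap-Group succeeds when accessTo holds that value.
	groupmembership_attribute = accessTo
}

# /etc/freeradius/sites-available/inner-tunnel  (assumed placement)
# LDAP knows the PEAP inner identity, but the NAS address is carried on the
# outer Access-Request, so it is referenced as outer.request:NAS-IP-Address.
authorize {
	# ... the stock inner-tunnel modules (suffix, eap, files, ...) stay as they are

	# Look the user up first so Ldap-UserDn is set for the group comparison.
	ldap

	# Policy: the NAS at 10.1.1.2 is the WIFI controller, anything else is the VPN.
	# Users whose accessTo does not grant that NAS are rejected here, before
	# the inner authentication runs.
	if (outer.request:NAS-IP-Address == 10.1.1.2) {
		if (!(Ldap-Group == "WIFI_XX" || Ldap-Group == "WIFI_YY")) {
			reject
		}
	}
	else {
		if (!(Ldap-Group == "VPN")) {
			reject
		}
	}
}
```

With radiusd -X the group checks show up as rlm_ldap group comparisons in the debug output, which is the quickest way to confirm the policy is actually being evaluated rather than silently skipped as in the module-section attempt.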
Re: rlm_linelog locking
Phil Mayers wrote:
> It appears rlm_linelog doesn't lock the file before writing to it. Should it? Won't lines get interspersed at high logging rates if not?

IIRC, using O_APPEND, and writing small amounts means that the writes are all or nothing. i.e. The OS takes care of ensuring that the write succeeds.

This means that lines from different threads will get put into the log file in arbitrary order. But the lines *won't* be split in the middle.

Alan DeKok.
User-Name Attribute Lost When Reading Listener File
I have found a problem when FR reads back accounting data from the listener server. It seems that the User-Name attribute is being lost under certain circumstances. My guess is that it is related to the := operator that is being used since the User-Name was rewritten by the hints file prior to accounting.

Snip from detail.work file.

	User-Name := x...@myfol.com
	NAS-Port = 84082688
	Service-Type = Framed-User
	Framed-Protocol = PPP
	...

Snip from radiusd -X

detail_recv: Read packet from /var/log/radius/radacct/ImagineNet/detail.work
	NAS-Port = 84082688
	Service-Type = Framed-User
	Framed-Protocol = PPP
	...

Notice that the User-Name attribute is missing. It is not out of order either (further down in the debug file).

I shut down FR and modified the User-Name operator on all of the listener files to be = and it seems to work fine.

detail_recv: Read packet from /var/log/radius/radacct/ImagineNet/detail.work
	User-Name = x...@myfol.com
	NAS-Port = 84082688
	Service-Type = Framed-User
	Framed-Protocol = PPP
	...

I have tried FreeRADIUS 2.1.4 and a 2.1.5 pre release running on CentOS 5.3.

Jim
Re: rlm_linelog locking
Alan DeKok wrote:
> Phil Mayers wrote:
> > It appears rlm_linelog doesn't lock the file before writing to it. Should it? Won't lines get interspersed at high logging rates if not?
>
> IIRC, using O_APPEND, and writing small amounts means that the writes are all or nothing. i.e. The OS takes care of ensuring that the write succeeds.

Ah - I see man 2 write says:

	If the file was open(2)ed with O_APPEND, the file offset is first set to the end of the file before writing. The adjustment of the file offset and the write operation are performed as an atomic step...

...and goes on to list the (few) circumstances under which the number of bytes written is < number of bytes in buffer - basically, signals or out of disk space.

Cool - thanks!
Re: sql.conf failover readclients=yes
Guys,

Please tell me not to change code and ignore SQL errors during startup time when you read NAS table. Could you please take a look at this question again? We need functionality when one of the redundant databases is down to still continue and be able to start RADIUS daemon and read NAS information from another redundant database.

Thanks a lot!
Re: sql.conf failover readclients=yes
leopold wrote:
> Please tell me not to change code and ignore SQL errors during startup time when you read NAS table.

The only way to fix this is to change the source code of the server.

Alan DeKok.
radiusd only sending a NAK after a retransmission
We are having an issue with failed logins with FreeRADIUS. The problem is that FreeRADIUS doesn't appear to actually send a RADIUS Reject until the second authentication request comes in.

I have an IOS Router authenticating ssh logins against freeradius. The example packets above I am using a static username/password in the users file. I see that if I enter the wrong password, radiusd doesn't send a NAK until the IOS router transmits the request. There are not any delay issues with ACKs coming out of freeradius.

TCP Dump output:

10:38:22.703456 IP 172.16.1.8.1645 > 172.16.2.60.1645: RADIUS, Access Request (1), id: 0xf1 length: 103
10:38:38.008371 IP 172.16.1.8.1645 > 172.16.2.60.1645: RADIUS, Access Request (1), id: 0xf1 length: 103
10:38:38.008588 IP 172.16.2.60.1645 > 172.16.1.8.1645: RADIUS, Access Reject (3), id: 0xf1 length: 20

Does this sound familiar to anyone? Ideas?

--
Jeremy M. Guthrie
jeremy.guth...@cdw.com
Hosting and Managed Services, Managed Cisco Security Services Technical Architect
CDW
Re: Possible bug in rlm_perl
On Apr 21, 2009, at 5:21 AM, t...@kalik.net wrote:
> > I think I may have found a bug in rlm_perl?
>
> No, you broke it.
>
> > #The following line cleans two of the slashes \\ out of the user-name before we return from the
> > #perl module. These two slashes get added in. I'm not sure how or why.
> > $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;
>
> Extra slashes are escaping slashes in the username. Leave them alone.
>
> Ivan Kalik
> Kalik Informatika ISP

Ok, but if I do not filter out the extra slashes then after the perl module returns, freeradius gives the error that the User-Name field does not match the peap identity. Then it shows the User-Name with too many slashes (four slashes). If, in my perl module, I filter out two slashes then everything works fine except for usernames that begin with t. If I just use regular usernames (without the domain name ISD\\) then the perl module works fine. Since windows XP machines send the domain with the username by default, I must find some way to cope with the slashes.

My perl module is very short. If I eliminate everything but a simple return_ok I STILL get the error that the User-Name does not match the eap identity. So, if I simply enter the module and immediately return and still get an error that user-name does not match the eap identity, is this still me? I always must filter out the extra slashes ONLY if the username contains a domain.

Thanks!
-Josh
Re: Possible bug in rlm_perl
Hi,

> Ok, but if I do not filter out the extra slashes then after the perl module returns, freeradius gives the error that the User-Name field does not match the peap identity. Then it shows the User-Name with too many slashes (four slashes). If, in my perl module, I filter out two slashes then everything works fine except for usernames that begin with t. If I just use regular usernames (without the domain name ISD\\) then the perl module works fine. Since windows XP machines send the domain with the username by default, I must find some way to cope with the slashes.
>
> My perl module is very short. If I eliminate everything but a simple return_ok I STILL get the error that the User-Name does not match the eap identity. So, if I simply enter the module and immediately return and still get an error that user-name does not match the eap identity, is this still me? I always must filter out the extra slashes ONLY if the username contains a domain.

Stripped-User-Name - the code should deal with domains and stuff at the beginning and give you what you want. You can then proxy etc off that other info if you need (or use it during the NTLM stuff if you use that).

alan
Exec-Program-Wait problem
Hello all,

I'm running FreeRADIUS Version 2.1.5, and I'm trying to execute an external script when users authenticate. I have included the exec module. The script is executed in this form (in the users file):

DEFAULT	Simultaneous-Use := 1
	Idle-Timeout = 600,
	Session-Timeout = 5400,
	Framed-IP-Address = 255.255.255.254,
	Framed-Compression = Van-Jacobson-TCP-IP,
	Exec-Program-Wait = /etc/freeradius/somescript,
	Fall-Through = Yes

but I want the output of it to be appended to the AV pair reply that goes back to the client. So I have the problem that when the script is executed, its output doesn't append to the AV pair reply. (For example: Reply-Message=Email Only Account)

I can post here my configuration files, if you tell me which.

Thanks in advance!
Re: sql.conf failover readclients=yes
Alan,

Could you please add this as a feature request for the next release and solve it properly? The major issue is that if we ignore error of NAS table loading at startup time then it will never recover and load NAS when DB becomes available again in runtime. But at least in this case if it succeeds to read NAS info from the redundant database then it will cache it and continue loading other modules.

As far as I understand, to add/modify NAS information in runtime we still need to recycle the radiusd process as even HUP does not help.

What do you think if we comment out this code until the real solution comes?

rlm_sql.c

	if (inst->config->do_clients){
		if (generate_sql_clients(inst) == -1){
			radlog(L_ERR, "Failed to load clients from SQL.");
#if 0 /* ignore DB connect failure */
			rlm_sql_detach(inst);
			return -1;
#endif
		}
	}

Alan DeKok-2 wrote:
> leopold wrote:
> > Please tell me not to change code and ignore SQL errors during startup time when you read NAS table.
>
> The only way to fix this is to change the source code of the server.
>
> Alan DeKok.
Re: Exec-Program-Wait problem
enid wrote:
> DEFAULT	Simultaneous-Use := 1
> 	Idle-Timeout = 600,
> 	Session-Timeout = 5400,
> 	Framed-IP-Address = 255.255.255.254,
> 	Framed-Compression = Van-Jacobson-TCP-IP,
> 	Exec-Program-Wait = /etc/freeradius/somescript,
> 	Fall-Through = Yes
>
> but I want the output of it to be appended to the AV pair reply that goes back to the client. So I have the problem that when the script is executed, its output doesn't append to the AV pair reply. (For example: Reply-Message=Email Only Account)
>
> I can post here my configuration files, if you tell me which.

Use the exec module instead. It gives you a much more fine-grained control over the behavior of the program.

Alan DeKok.
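What Alan's suggestion looks like in practice, as an added example that is neither enid's configuration nor from the FreeRADIUS distribution: an rlm_exec instance runs the same script after authentication and merges the attribute pairs it prints into the reply, and the Exec-Program-Wait line leaves the users entry. The instance name somescript and the script's output line are assumptions; the module keys are the standard rlm_exec ones from 2.x.

```unlang
# /etc/freeradius/modules/somescript  (rlm_exec instance; name is assumed)
exec somescript {
	# Block until the script exits so its stdout can be turned into attributes.
	wait = yes
	# shell_escape = yes is what makes passing a user-controlled value such as
	# %{User-Name} on the command line safe: metacharacters are escaped.
	program = "/etc/freeradius/somescript %{User-Name}"
	shell_escape = yes
	# Request attributes reach the script as environment variables (User-Name
	# becomes USER_NAME); every "Attribute = value" line the script prints on
	# stdout is added to the reply list when it exits 0.
	input_pairs = request
	output_pairs = reply
}

# /etc/freeradius/sites-available/default
post-auth {
	# Run only for accepted users; the printed pairs go out in the
	# Access-Accept together with the reply items from the users file.
	somescript

	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

# /etc/freeradius/users  (the same entry, without Exec-Program-Wait)
DEFAULT	Simultaneous-Use := 1
	Idle-Timeout = 600,
	Session-Timeout = 5400,
	Framed-IP-Address = 255.255.255.254,
	Framed-Compression = Van-Jacobson-TCP-IP,
	Fall-Through = Yes

# What /etc/freeradius/somescript must write to stdout, one pair per line,
# exiting with status 0 (assumed content matching enid's example):
#   Reply-Message = "Email Only Account"
```

A non-zero exit status from the script makes the instance return fail, so a script that only wants to add an optional attribute should still exit 0 when it has nothing to say.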
Re: sql.conf failover readclients=yes
leopold wrote:
> Could you please add this as a feature request for the next release and solve it properly?

I have a long list of new features, and a short amount of time.

> The major issue is that if we ignore error of NAS table loading at startup time then it will never recover and load NAS when DB becomes available again in runtime.

That requires *more* code. Try to load at startup, but if that fails, try to load again later.

The main problem is that if it can't load the clients at startup, then there is the chance that it will ignore *all* clients. I understand that you want this feature, but will you answer all of the questions from people who configure one SQL server.. and then get surprised when they have no RADIUS clients, because the SQL server is down?

> But at least in this case if it succeeds to read NAS info from the redundant database then it will cache it and continue loading other modules. As far as I understand, to add/modify NAS information in runtime we still need to recycle the radiusd process as even HUP does not help.

No. You can dynamically add clients. See raddb/sites-available/dynamic-clients.

> What do you think if we comment out this code until the real solution comes?
>
> rlm_sql.c

<shrug> If it works for you, use it. You have access to the source code. And with git, it is *trivial* to keep local branches with your local changes.

Alan DeKok.
Re: radiusd only sending a NAK after a retransmission
Jeremy M. Guthrie wrote:
> We are having an issue with failed logins with FreeRADIUS. The problem is that FreeRADIUS doesn't appear to actually send a RADIUS Reject until the second authentication request comes in.

You are running version 1.1.x. Upgrade.

Or, set reject_delay = 0. And then if a NAS misbehaves, your RADIUS server will melt.

Alan Dekok.
Re: User-Name Attribute Lost When Reading Listener File
JDL wrote:
> I have found a problem when FR reads back accounting data from the listener server. It seems that the User-Name attribute is being lost under certain circumstances. My guess is that it is related to the := operator that is being used since the User-Name was rewritten by the hints file prior to accounting.

The code that reads the detail file is the same as the code that reads the users file, and is used by radclient. All of which work with = or :=. I'm a little surprised at this, and I find it a little hard to see how this can happen.

> I shut down FR and modified the User-Name operator on all of the listener files to be = and it seems to work fine.

Well, that seems reproducible at least. But I'm again a little surprised that it happens at all, and that no one has run into it before.

Alan DeKok.
Re: How to calling-station-id attribute in check item
I setup same you and got problem the same with pppoe-server calling-station-id not sent. I ask uncle google, he said you must run rp-pppoe in -k mode, kernel mode. But when I type -k, error says unknown option -- k. I can do nothing and wait for the new version on rp-pppoe or pppoe.

regards.
Chuan

- Original Message -
From: Nirmal
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 21, 2009 2:39 PM
Subject: How to calling-station-id attribute in check item

> Hi, I am using free radius version 2.1.1-7. I am using free radius + user database in Mysql + PPPoE server. I am done with authentication but I want to bind + log mac addr with username, but I am not getting the attribute Calling-station-id. Please guide how to get it there. Access-Request as below.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 55229, id=248, length=90
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	User-Name = spark
> 	CHAP-Challenge = 0xaa7ad2fc8f118f0184dcdaa5c6fb2929f78f
> 	CHAP-Password = 0x79237be1217344f61fe5a6972daaf9f93c
> 	NAS-IP-Address = 127.0.0.1
> 	NAS-Port = 0
>
> Thanks and regards
> Nirmal Patel | Mumbai