RE: Re: Free radius 2.1.4 Installation

2009-05-12 Thread anoop c
Hi 
  I have installed the python package python-2.2.3-26.i386.rpm with redhat
linux 9

Regards
Anoop



-Original Message-
From: anoop c [mailto:anoop.cherilth...@sifycorp.com] 
Sent: Tuesday, May 12, 2009 10:52 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Free radius 2.1.4 Installation



Hi
Thanks for the response. I have installed Python-3.1a1 on Red Hat Linux
9. Which version should I install for FreeRADIUS, or which file should I look
for?

Thanks in advance

Anoop




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Free radius 2.1.4 Installation

2009-05-12 Thread A . L . M . Buxey
Hi,

> Thanks for the response. I have installed Python-3.1a1 in redhat linux
> 9. Which version I should install for FREERADIUS or which file I should look
> for?

redhat linux 9 ? as in pre-Fedora, pre-ES ? 

I'm running okay with python 2.4.3 - you have to have the python-devel
RPM installed

alan


Re: PEAP - Intermediate CA

2009-05-12 Thread Alan DeKok
CJ O wrote:
> I am having an issue where FreeRADIUS is not handing the intermediate CA
> to a Windows WPA2 client. We are in the process of deploying WPA2/AES
> with PEAP. So we purchased a certificate from a company that has a
> Trusted Root CA in Windows, Mac OSX, and Linux. However, it was signed
> with their intermediate CA, so the OS will not validate the certificate
> during authentication.

  So long as the CA chain is intact, this should work.

> The only solution seems to be installing the intermediate CA certificate
> on all my clients (2,000-3,000). Is it possible to chain the
> certificates together like you can in Apache?

  Yes.  But you need to install the CA chain on the RADIUS server.  See
eap.conf:

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

  Odds are you didn't include the intermediate certificates in the
RADIUS configuration.

  Alan DeKok.


Re: Implementing a logout sqlcounter

2009-05-12 Thread Ming-Ching Tiew



--- On Tue, 5/12/09, Ming-Ching Tiew mct...@yahoo.com wrote:

 
> Whereas the radclient continually sending accounting info to
> the server, I thought doing the reject at accounting will
> also somewhat accomplish the same purpose.
>
> Any comments ?
 
 

Further reading seems to indicate that this could possibly be
implemented using unlang 'update disconnect' in the preacct
section?

Regards


  


RE: PEAP - Intermediate CA

2009-05-12 Thread Meyers, Dan
I was having this exact same problem for a significant period of time
when I bought a new Verisign cert for our servers which was chained (the
old one being directly root signed, which Verisign no longer do). It
would appear to be a bug/security patch in XP sometime after SP2 that
causes this. Odds are, assuming you have set it up right (I used this
exact same list with some setup issues I was having) that FreeRadius
*is* sending your Intermediate CA to the client, but the client is
ignoring it. Using Wireshark or similar to packet dump should show you
how many certs you are being passed.

I am reliably informed by networking staff at another University who had
the same issue that if you try with a vanilla install of SP2 with no
additional security patches or similar then it will work correctly. At
some point after SP2 (They were not sure exactly which patch causes it)
certificate chaining for PEAP stops working. Windows Vista follows the
chain fine, as do various non-Microsoft OSes I tried. I didn't have a
vanilla XP SP2 to test and wasn't sufficiently bothered to make one, as
we weren't going to advise our users to remove security patches.

The setup I have is, in eap.conf under the tls section, certificate_file
points to a file which actually contains both the server cert and the
intermediate cert. The server cert is at the top of the file, with the
intermediate cert below. Very simple to do this, just cat the contents
of the intermediate cert file to be appended to the server cert file
(make sure both are the same file type. I had an issue initially where
one was DOS and one was Unix, so I got a lot of metacharacter rubbish
when I cat-ed one into the other). Wireshark shows FreeRadius is passing
both certs, and anything that isn't XP SP2 works fine. For XP SP2 we had
to supply the intermediate cert on our website and ask our users to
install it from the wired network in the connect instructions for using
wireless (which is where we were using PEAP).

Dan

> I am having an issue where FreeRADIUS is not handing the intermediate
> CA to a Windows WPA2 client. We are in the process of deploying
> WPA2/AES with PEAP. So we purchased a certificate from a company that
> has a Trusted Root CA in Windows, Mac OSX, and Linux. However, it was
> signed with their intermediate CA, so the OS will not validate the
> certificate during authentication.
>
> The only solution seems to be installing the intermediate CA
> certificate on all my clients (2,000-3,000). Is it possible to chain the
> certificates together like you can in Apache?

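As an added check, not from the list or the FreeRADIUS project, the script below inspects a certificate_file for the two failure modes described in this thread: only the server certificate present (no intermediate), and a chain assembled from a DOS-ended and a Unix-ended file. It uses only the Python standard library; the two PEM blocks are constructed placeholders (tiny DER SEQUENCEs), not real certificates, and `openssl verify -untrusted` remains the tool for checking certificate order and signatures.

```python
import base64
import re
from typing import List

# One PEM CERTIFICATE block; \r?\n tolerates DOS (CRLF) as well as Unix endings.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder blocks: tiny DER SEQUENCEs, NOT real certificates.
# SERVER_PEM has Unix line endings, INTERMEDIATE_PEM_DOS has DOS ones, which
# is the mix Dan ran into when he cat-ed one file onto the other.
SERVER_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM_DOS = (
    "-----BEGIN CERTIFICATE-----\r\nMAMCAQI=\r\n-----END CERTIFICATE-----\r\n"
)


def pem_certificates(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order.

    Raises ValueError for a block whose body is not base64 or does not start
    with the DER SEQUENCE tag (0x30) that every X.509 certificate begins with.
    """
    ders = []
    for body in PEM_BLOCK.findall(text):
        compact = "".join(body.split())  # drop CR, LF and stray spaces
        try:
            der = base64.b64decode(compact, validate=True)
        except ValueError as exc:
            raise ValueError(f"PEM block is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def mixed_line_endings(text: str) -> bool:
    """True when the file contains both CRLF and bare LF line endings."""
    crlf = text.count("\r\n")
    bare_lf = text.count("\n") - crlf
    return crlf > 0 and bare_lf > 0


def check_certificate_file(text: str) -> List[str]:
    """List what would make this text a bad FreeRADIUS certificate_file.

    Order (server certificate first) is not checked here: that needs a DER
    parser; `openssl verify -untrusted <file>` is the tool for that.
    """
    problems = []
    if mixed_line_endings(text):
        problems.append("mixed DOS and Unix line endings")
    try:
        ders = pem_certificates(text)
    except ValueError as exc:
        return problems + [str(exc)]
    if not ders:
        problems.append("no CERTIFICATE block found")
    elif len(ders) < 2:
        problems.append("only one certificate: intermediate CA is missing")
    return problems


def build_chain_file(server_pem: str, intermediate_pem: str) -> str:
    """Server certificate first, then the intermediate, all normalised to LF."""
    parts = []
    for pem in (server_pem, intermediate_pem):
        pem = pem.replace("\r\n", "\n").strip()
        if not pem.endswith("-----END CERTIFICATE-----"):
            raise ValueError("input does not end with an END CERTIFICATE line")
        parts.append(pem)
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    naive = SERVER_PEM + INTERMEDIATE_PEM_DOS  # what a plain `cat` produces
    print("server only:", check_certificate_file(SERVER_PEM))
    print("plain cat:  ", check_certificate_file(naive))
    fixed = build_chain_file(SERVER_PEM, INTERMEDIATE_PEM_DOS)
    print("normalised: ", check_certificate_file(fixed))
```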


Re: Implementing a logout sqlcounter

2009-05-12 Thread Ivan Kalik
> I am thinking of using sqlcounter to implement a logout counter,
> i.e. whenever I want to logout a particular user, I set something
> into the database, then the sqlcounter will pick it up, and
> drop the existing session.


Dropping sessions on the radius server will have no impact on the user's
connection to the NAS.

> OK I read in some of the older posts, one way people have
> implemented this feature is by spinning off radclient.
> This has the disadvantage that, if the radius client is
> behind some kind of firewall, the server-initiated radclient
> will have problems sending this to the radius client.


Use Packet-Src-IP-Address.

> Whereas the radclient continually sending accounting info to
> the server, I thought doing the reject at accounting will
> also somewhat accomplish the same purpose.

Disconnecting users on accounting packets is not straightforward. NAS
features will dictate if this is at all possible. Many don't support CoA
and PoD and with some you can't remotely disconnect the user even using
SNMP.

Ivan Kalik
Kalik Informatika ISP



Re: PEAP - Intermediate CA

2009-05-12 Thread Alan DeKok
Meyers, Dan wrote:
> I was having this exact same problem for a significant period of time
> when I bought a new Verisign cert for our servers which was chained (the
> old one being directly root signed, which Verisign no longer do). It
> would appear to be a bug/security patch in XP sometime after SP2 that
> causes this.

  Ouch.  That is evil.

  I've updated raddb/certs/README with various rants about this.

  Alan DeKok.


NAS or supplicant, pam_radius or xsupplicant

2009-05-12 Thread François Mehault
Hi All

I have to install a FreeRADIUS to authenticate some users on network
equipment (like a Cisco Catalyst). I just want to authenticate users on the
Cisco switch, no VLAN assignment... So I conclude that I don't have to
install/configure a supplicant on my computer (Windows XP), the computer I use
to contact the switch via telnet/ssh. Could you confirm that I'm right?

I would also like to authenticate users on UNIX servers. Again, I just need to
authenticate the users on the servers, so I conclude that I configure
pam_radius on these servers and do not install/configure xsupplicant. The
servers are RADIUS clients/NAS and not supplicants.

Of course I would like to have secure communication between the NAS and
FreeRADIUS. Could you tell me if I selected the right configuration, or if I am
totally wrong. I read the comments in the configuration files and a lot of
documentation on the web, but the case described is often supplicant -
NAS - FreeRADIUS, with authentication on the supplicant for VLAN assignment. I
don't understand very well when I have to install xsupplicant or pam_radius on
my UNIX server, whether my server is a supplicant or a NAS.

Thanks for your help

François

RE: check-item NAS-IP-Address & Calling-Station-ID with openldap

2009-05-12 Thread François Mehault
Hi All,

I want to use FreeRADIUS to administer network equipment. I also use OpenLDAP
to store information about users. FreeRADIUS and OpenLDAP are installed on the
same FreeBSD 7.0 server.
I contact a network equipment (like a Cisco Catalyst 2950 v12.1) with PuTTY
(ssh/telnet).

To summarise:

Windows XP -> ssh or telnet -> Cisco 2950 (RADIUS client/authenticator/NAS) ->
EAPoRadius (I suppose) -> FreeRADIUS & OpenLDAP

For the moment, I don't install/configure a supplicant on the Windows XP; I
don't know if it's required because I don't want to use FreeRADIUS to
authenticate my Windows session. I have an Active Directory to do this.

I configured slapd.conf, radius.conf, clients.conf, the ldap module etc... and
it works. And now I would like to add some check items like NAS-IP-Address and
Calling-Station-ID. But I don't succeed :s, I use checkval to do this.

I have 2 questions:

- Why is my Calling-Station-Id in the request an IP and not a MAC?

- When I authenticate on the Cisco 2950, I have in my log «
rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50;
what is the problem???

I think I have numerous problems. If you see one of them, could you let me
know? I am a novice with FreeRADIUS (and OpenLDAP also :s). I can give you all
the information you need to help me fix my problem.

Thanks for your help,

Regards

François MEHAULT


On my cisco 2950 :

aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius local
aaa authorization network default group radius

My ldap.attrmap :

checkItem   Calling-Station-Id  radiusCallingStationId
checkItem   NAS-IP-Address  radiusNASIpAddress

Extract of my openldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: stagiaire
radiusCallingStationId: 192.168.0.80   <- I put an IP address and not a MAC
address because in the request it's an IP and not a MAC, I don't know why...
radiusNASIpAddress: 192.168.0.60   <- in fact, the NAS IP is 192.168.0.50, but
I put .60 to get an Access-Reject
userPassword: {SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z


12:34[labobe2:~]# radiusd -X
FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.0, built on Apr 16 
2009 at 12:03:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
[...]
radiusd:  Loading Clients 
 client 192.168.0.50 {
require_message_authenticator = no
secret = cherche
shortname = swlabo
nastype = cisco
 }
radiusd:  Instantiating modules 
[...]
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
server = 127.0.0.1
port = 389
password = secret
identity = cn=root,dc=netplus,dc=fr
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = allow
   tls {
start_tls = no
require_cert = allow
   }
basedn = dc=netplus,dc=fr
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
base_filter = (objectclass=radiusprofile)
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = cn
groupmembership_filter = 
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
groupmembership_attribute = radiusGroupName
dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
[...]
rlm_ldap: LDAP radiusVSA mapped to RADIUS Cisco-AVPair
conns: 0x2852c240
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_checkval
 Module: Instantiating station-check
  checkval station-check {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = no
  }
rlm_checkval: Registered name Calling-Station-Id for attribute 31
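An added illustration, not part of the post, of why the log shows « À¨ » for NAS-IP-Address: RADIUS carries an ipaddr attribute as four raw bytes, and a checkval instance with data-type = string logs and compares those bytes as a C string, which stops at the first NUL. The addresses are the ones from the post; the nas-ip-check instance with data-type = ipaddr is my assumed configuration for the NAS-IP-Address check, which the post does not show.

```python
import socket

# Values from the post: the NAS that sent the request and the LDAP check item.
NAS_IP_IN_REQUEST = "192.168.0.50"
NAS_IP_IN_LDAP = "192.168.0.60"


def ipaddr_bytes(dotted: str) -> bytes:
    """The four raw bytes in which RADIUS carries an ipaddr attribute."""
    return socket.inet_aton(dotted)


def shown_as_string(raw: bytes) -> str:
    """How those bytes look when a module logs them as a C string.

    192 is 'À' and 168 is '¨' in ISO-8859-1, and the 0x00 byte of the
    third octet terminates the string, so 192.168.0.50 prints as 'À¨'.
    """
    nul = raw.find(b"\x00")
    visible = raw if nul < 0 else raw[:nul]
    return visible.decode("latin-1")


def checkval_compare(item_raw: bytes, check_value: str, data_type: str) -> bool:
    """Model of rlm_checkval comparing the request item with the LDAP check item.

    data-type = string compares the raw bytes as text, so an ipaddr item can
    never equal a dotted-quad string (the check fails even for a matching IP);
    data-type = ipaddr compares the packed addresses.
    """
    if data_type == "string":
        return shown_as_string(item_raw) == check_value
    if data_type == "ipaddr":
        return item_raw == ipaddr_bytes(check_value)
    raise ValueError(f"unsupported data-type {data_type!r}")


def nas_ip_checkval_config(instance: str = "nas-ip-check") -> str:
    """Assumed checkval instance for NAS-IP-Address (not shown in the post):
    the same shape as the station-check instance, but with the ipaddr type."""
    return (
        f"checkval {instance} {{\n"
        "\titem-name = NAS-IP-Address\n"
        "\tcheck-name = NAS-IP-Address\n"
        "\tdata-type = ipaddr\n"
        "\tnotfound-reject = no\n"
        "}\n"
    )


if __name__ == "__main__":
    raw = ipaddr_bytes(NAS_IP_IN_REQUEST)
    print("logged as string:", repr(shown_as_string(raw)))
    for dtype in ("string", "ipaddr"):
        print(dtype, "vs", NAS_IP_IN_REQUEST, "->",
              checkval_compare(raw, NAS_IP_IN_REQUEST, dtype))
    print("ipaddr vs", NAS_IP_IN_LDAP, "->",
          checkval_compare(raw, NAS_IP_IN_LDAP, "ipaddr"))
    print(nas_ip_checkval_config())
```

For a telnet/ssh login through a vty line, IOS puts the remote host's IP address in Calling-Station-Id, which is why the radiusCallingStationId above is an IP rather than a MAC; the string data type is the right one for that attribute.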
 

test

2009-05-12 Thread François Mehault


From: François Mehault
Sent: Tuesday, 12 May 2009 11:27
To: 'freeradius-users@lists.freeradius.org'
Cc: François Mehault
Subject: RE: check-item NAS-IP-Address & Calling-Station-ID with openldap


OpenLDAP check item

2009-05-12 Thread François Mehault

Re: test

2009-05-12 Thread Nicolas Goutte


On 12.05.2009 at 11:31, François Mehault wrote:

> From: François Mehault
> Sent: Tuesday, 12 May 2009 11:27
> To: 'freeradius-users@lists.freeradius.org'
> Cc: François Mehault
> Subject: RE: check-item NAS-IP-Address & Calling-Station-ID with openldap
>
> Hi All,

Don't worry. We do receive your emails. See also
http://lists.freeradius.org/pipermail/freeradius-users/2009-May/date.html



Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




users authentication problem

2009-05-12 Thread Andreas Bourges

Hi,

...we recently upgraded from freeradius 0.9 to freeradius 2.1.4. Unfortunately
local users cannot be authenticated anymore.
This morning I used the default configuration files from 2.1.4 and started 
from scratch. My first objective was to get any valid response from the 
freeradiusd - but unluckily, without success.

In the users file, I enabled the following line:

lameuser	Auth-Type := Reject
	Reply-Message = "Your account has been disabled."


one entry in clients.conf for localhost testing:

client localhost {
ipaddr = 127.0.0.1
secret  = testing123
require_message_authenticator = no
nastype = other 
virtual_server = default
}



sites-enabled/default:


authorize {
chap
suffix
eap {
ok = return
}
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
files
}


I think that must be the main configuration items for my very basic test. Then 
I run freeradiusd -X -xx and test the user via radclient:

echo "User-Name=lameuser, Password=bla, NAS-IP-Address=127.0.0.1" | radclient -r 1 -x -s 127.0.0.1 auth 'testing123'

results in:


Sending Access-Request of id 20 to 127.0.0.1 port 1812
User-Name = lameuser
Password = bla
NAS-IP-Address = 127.0.0.1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=20, length=20

   Total approved auths:  0
 Total denied auths:  1
   Total lost auths:  0


The radiusd logs the following:

Tue May 12 11:31:58 2009 : Debug: Listening on authentication address * port 
1812
Tue May 12 11:31:58 2009 : Debug: Listening on accounting address * port 1813
Tue May 12 11:31:58 2009 : Debug: Listening on command file 
/var/run/freeradius/run/radiusd/radiusd.sock
Tue May 12 11:31:58 2009 : Debug: Ready to process requests.


rad_recv: Access-Request packet from host 127.0.0.1 port 33013, id=5, 
length=54
User-Name = lameuser
User-Password = bla
NAS-IP-Address = 127.0.0.1
Tue May 12 11:32:04 2009 : Info: server default {
Tue May 12 11:32:04 2009 : Info: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user
Tue May 12 11:32:04 2009 : Info: Failed to authenticate the user.
Tue May 12 11:32:04 2009 : Info: } # server default


- the user gets rejected, but not because of the Auth-Type := Reject setting
in the users file. This is the same behaviour we observe when configuring
real user accounts having a password associated, like the following:

testuser	Auth-Type := Local, Cleartext-Password == "blabla"

server log says:

Tue May 12 11:35:50 2009 : Info: server default {
Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user
Tue May 12 11:35:50 2009 : Info: Failed to authenticate the user.
Tue May 12 11:35:50 2009 : Info: } # server default


Thanks for any hints troubleshooting this!

Regards,

Andy






Upgrading freeradius from source

2009-05-12 Thread mctiew


I have done some testing on 2.1.4 and I like the flexibility
comparing to 1.x.

Unfortunately, I am using for production a pretty old distribution,
1.1.7. For such an old distro, it's almost impossible to do an
upgrade and still maintain the rpm package info and what not,
so I am considering upgrading by compiling from source, i.e.
configure and make install.

Anything I should consider before I go down this path?

Cheers.
  



  



apologize

2009-05-12 Thread François Mehault
Hi All

Sorry about my mails, I check the pipermail now.

Thanks Nicolas Goutte.

Regards,

François


Re: Upgrading freeradius from source

2009-05-12 Thread Alan DeKok
mct...@yahoo.com wrote:
> Unfortunately, I am using for production a pretty old distribution
> 1.1.7. For such an old distro, it's almost impossible to do an
> upgrade and still maintaining the rpm package info and what not,
> so I am considering upgrading by compiling from source, ie
> configure and make install.
>
> Any thing I should consider before I have go down to this path ?

  It won't over-write your existing configuration.

  Ensure that you're using Cleartext-Password := ..., and not
User-Password ==

  It may be safer to *migrate* your existing configuration.  The
configuration files are relatively small, so this shouldn't take long.

  i.e. go through the configuration files, comparing the old to the new
(default) files.  Where they are different, add your configuration, OR
examine your configuration to see if it's still necessary.

  The goal of 2.x is to have it *largely* compatible with 1.x, but there
are differences.

  Alan DeKok.


Re: users authentication problem

2009-05-12 Thread Alan DeKok
Andreas Bourges wrote:
> - the user gets rejected, but not because of the Auth-Type := Reject setting
> in the users file. This is the same behaviour we observe when configuring
> real user accounts having a password associated, like the following:
>
> testuser	Auth-Type := Local, Cleartext-Password == "blabla"

  See the FAQ for the *CORRECT* configuration:

testuser	Cleartext-Password := "blabla"

  Do NOT set Auth-Type.

  Alan DeKok.
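An added lint, not from the list or FreeRADIUS, that applies Alan's corrections in this thread and in his "Upgrading freeradius from source" reply: it parses a users file and reports entries that set Auth-Type alongside a password, use the 1.x Auth-Type := Local, or write User-Password == / Cleartext-Password == instead of Cleartext-Password :=. The sample users file is constructed from the entries quoted in the thread, and the parser is deliberately simplified (one check line per entry, no commas inside quoted values).

```python
import re
from typing import Dict, List, Tuple

Pair = Tuple[str, str, str]  # (attribute, operator, value)

# attribute, operator, value; multi-character operators come before "=" so
# that "==" and ":=" are not split, and an unquoted value stops at a comma.
PAIR = re.compile(
    r"([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|<|>)\s*(\"[^\"]*\"|[^,\s]+)"
)
PASSWORD_ATTRS = {"User-Password", "Cleartext-Password", "Password"}

# Constructed users file built from the entries quoted in the thread.
SAMPLE_USERS = """\
# lameuser: explicit reject, fine on its own
lameuser\tAuth-Type := Reject
\tReply-Message = "Your account has been disabled."

# testuser: Andy's 1.x-style entry that Alan corrected
testuser\tAuth-Type := Local, Cleartext-Password == "blabla"

olduser\tUser-Password == "secret"

# gooduser: the form the FAQ gives
gooduser\tCleartext-Password := "blabla"
"""


def parse_pairs(text: str) -> List[Pair]:
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in PAIR.findall(text)]


def parse_users(text: str) -> List[Dict]:
    """Split a users file into entries: name, check items, reply items.

    An entry starts in column 0 with the name followed by its check items;
    the indented lines that follow carry the reply items. Lines starting
    with '#' and blank lines are skipped.
    """
    entries: List[Dict] = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                current["reply"].extend(parse_pairs(raw))
            continue
        m = re.match(r"(\S+)\s*(.*)", raw)
        current = {"name": m.group(1), "check": parse_pairs(m.group(2)), "reply": []}
        entries.append(current)
    return entries


def lint_entry(entry: Dict) -> List[str]:
    """Report the 1.x habits that make a 2.x server reject the user."""
    problems = []
    check = entry["check"]
    auth_types = [v for a, _, v in check if a == "Auth-Type"]
    has_password = any(a in PASSWORD_ATTRS for a, _, _ in check)
    for attr, op, _ in check:
        if attr in PASSWORD_ATTRS and op == "==":
            problems.append(
                f"{attr} == compares instead of setting the known password; "
                "use Cleartext-Password :="
            )
        elif attr in ("User-Password", "Password") and op == ":=":
            problems.append(f"{attr} := is the 1.x form; use Cleartext-Password :=")
    if auth_types and has_password:
        problems.append(
            "Auth-Type is set next to a password: remove it and let the server choose"
        )
    if "Local" in auth_types:
        problems.append("Auth-Type := Local is the deprecated 1.x form")
    return problems


def lint_users(text: str) -> Dict[str, List[str]]:
    """Map each entry name to its list of problems (empty list means ok)."""
    return {e["name"]: lint_entry(e) for e in parse_users(text)}


if __name__ == "__main__":
    for name, problems in lint_users(SAMPLE_USERS).items():
        print(name, "->", problems or "ok")
```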


radiusd -X solaris eap error

2009-05-12 Thread tony
Hello there. I am on Solaris 5.10 Generic_138889-02 i86pc i386 i86pc. I
installed openssl and mysql from blastwave, then installed freeradius. I
cannot get it to initialize via radiusd -X. Here is the output:

FreeRADIUS Version 2.1.5, for host i386-pc-solaris2.10, built on May 11 2009 at 09:54:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
	prefix = /usr/local
	localstatedir = /usr/local/var
	logdir = /usr/local/var/log/radius
	libdir = /usr/local/lib
	radacctdir = /usr/local/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /usr/local/var/run/radiusd/radiusd.pid
	checkrad = /usr/local/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
radiusd: Loading Realms and Home Servers
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead

Re: Upgrade to latest freeradius release

2009-05-12 Thread Alan DeKok
p...@canoemail.com wrote:
 Freeradius Server v2.1.4. All clients are authenticating properly,
 except for clients that pass a ntdomain\userid. I have configured
 proxy.conf, realm and inner-tunnel in the past (i.e. v2.0.5) to handle
 these requests without issue. As of v2.0.6 and greater, clients are no
 longer authenticating. The debug logs seem to indicate login success.
 WinXP SP3 wireless client using latest IBM Thinkvantage software.
...
 Sending Access-Challenge of id 191 to 10.5.251.2 port 1645
 EAP-Message =
 0x010a002b19001703010020b5c3cd4e27abb67bc4536c0829ed6f45c07edbfb2f42c758649472d7b8857cb2
 Message-Authenticator = 0x
 State = 0xb2e30b4dbae9124aad52ba89ddbd4668
 Finished request 8.
 --- end debug log ---

  This is in the FAQ.

  Alan DeKok.


Re: users authentication problem

2009-05-12 Thread Andreas Bourges
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

On Tuesday 12 May 2009 11:57:14 Alan DeKok wrote:
 Andreas Bourges wrote:
  - the user gets rejected, but not because of the Auth-Type := Reject
  setting in the users file. This is the same behaviour we observe when
  configuring real user accounts having a password associated, like the
  following:
 
  testuser  Auth-Type := Local, Cleartext-Password == blabla

   See the FAQ for the *CORRECT* configuration:

Jep, sorry - should have had a look there, first. But even the simplest 
example from the FAQ doesn't work:


bob	Cleartext-Password := "bob"
	Reply-Message = "Hello, bob"


rad_recv: Access-Request packet from host 127.0.0.1 port 33026, id=225, 
length=55
User-Name = bob
User-Password = bob
NAS-IP-Address = 10.0.0.206
NAS-Port = 0
Tue May 12 13:25:55 2009 : Info: server default {
Tue May 12 13:25:55 2009 : Info: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user
Tue May 12 13:25:55 2009 : Info: Failed to authenticate the user.
Tue May 12 13:25:55 2009 : Info: } # server default



 testuser  Cleartext-Password := blabla

Thanks for the tip, but it didn't help, same msg from radiusd as before.

   Do NOT set Auth-Type.

I must be doing something very basic wrong, I guess. Could it be a build 
problem (I compiled freeradius from source myself)? Where can I look further? 
thanks for any hint,

Andy


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoJXb4ACgkQRrny/uOBVy4iAwCdHRdd3Kk8bZe+Fb1QfKCar1V2
A7oAoMKKJFqTYyr47Mx/nTbAH+K41ihs
=PYiY
-END PGP SIGNATURE-


Re: users authentication problem

2009-05-12 Thread Ivan Kalik
 sites-enabled/default:


 authorize {
 chap
 suffix
 eap {
 ok = return
 }
 files
 expiration
 logintime
 pap
 }
...
 Tue May 12 11:35:50 2009 : Info: server default {
 Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type)
 configuration found for the request: Rejecting the user

I can't see any of the authorize modules being used. Why don't you first
use the default configuration. Just add the user entry at the top of the
users file.

Ivan



Re: users authentication problem

2009-05-12 Thread Andreas Bourges
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

...I would have bet that I had done exactly these steps this morning. But 
nevertheless I tried it another time and - succeeded.

Thanks for pushing my nose on this again and again - it finally helped :) I 
will try to find the differences between the two versions...

thanks and regards,

Andy


On Tuesday 12 May 2009 13:37:07 Ivan Kalik wrote:
  sites-enabled/default:
 
 
  authorize {
  chap
  suffix
  eap {
  ok = return
  }
  files
  expiration
  logintime
  pap
  }

 ...

  Tue May 12 11:35:50 2009 : Info: server default {
  Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type)
  configuration found for the request: Rejecting the user

 I can't see any of the authorize modules being used. Why don't you first
 use the default configuration. Just add the user entry at the top of the
 users file.

 Ivan


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoJZQMACgkQRrny/uOBVy57hACgjlsNGxq8naeWGD7W6tY3JvSq
5dkAoJhatzqx9IJR0LjvVg9amIK6WCIr
=ek/G
-END PGP SIGNATURE-


Re: radiusd -X solaris eap error

2009-05-12 Thread Alan DeKok
t...@urugn.com wrote:
 Errors initializing modules
 I thought maybe I'd trace the problem and directly executed
 /usr/local/etc/raddb/certs/bootstrap. Here is the output:
 sh: test: argument expected
 *** Error code 1
 The following command caused the error:
 if [ -e /dev/urandom ] ; then \
 dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \ else \
 date > ./random; \
 fi
 make: Fatal error: Command failed for target `random'
 ./bootstrap: test: unknown operator ==

  Just re-run the server in debug mode.  There's a typo in the script
that will be fixed in 2.1.6.

  Alan DeKok.


how to define ACL like things in RADIUS

2009-05-12 Thread Parashar Singh
Hi
I have configured a RADIUS server with LDAP authentication, for performing AAA
for Cisco routers and firewalls. Currently all users created in LDAP get
equal privileges to access all devices (NAS) configured with AAA.
I want to allow one set of users to access only some devices (say only a few
routers) while allowing another set of users access to all devices
(including routers and firewalls).
I am aware of the following:


root Auth-Type := Accept
	Reply-Message = "Your account has been disabled."

 which denies all access to user root. But I want some modification, i.e. the root
user will be able to authenticate to only two NAS, 192.168.1.178 and
192.168.1.179.

Pls suggest some solution.

Please guide me and help me to implement the above scenario.

Thanks

Re: how to define ACL like things in RADIUS

2009-05-12 Thread Ivan Kalik
 I have configured a RADIUS server with LDAP authentication, for performing
 AAA for Cisco routers and firewalls. Currently all users created in LDAP
 get equal privileges to access all devices (NAS) configured with AAA.
 I want to allow one set of users to access only some devices (say only a
 few routers) while allowing another set of users access to all devices
 (including routers and firewalls).
 I am aware of the following:


 root Auth-Type := Accept
 	Reply-Message = "Your account has been disabled."

  which denies all access to user root.

That allows access even without the password. Reject denies it.

 But I want some modification, i.e. the root
 user will be able to authenticate to only two NAS, 192.168.1.178 and
 192.168.1.179.


Read about huntgroups/sqlhuntgroups.

Ivan Kalik
Kalik Informatika ISP

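Both corrections in this thread, Alan's "Cleartext-Password, no Auth-Type" users entry and Ivan's huntgroups pointer, written out as one added example. This is not configuration from the thread or from the FreeRADIUS distribution. It assumes the 2.1.x default authorize order (preprocess, which evaluates huntgroups, runs before files, which reads users; ldap runs after both), the two router addresses from the question, and a huntgroup name chosen here for illustration.

```text
# --- raddb/huntgroups (added example) ---
# The huntgroup is keyed on Packet-Src-IP-Address, the address the request
# actually arrived from, which the server has already matched against
# clients.conf. NAS-IP-Address would also work syntactically, but it is an
# attribute the NAS writes into the request itself, so any client that can
# reach the server could claim any value for it.
core-routers	Packet-Src-IP-Address == 192.168.1.178
core-routers	Packet-Src-IP-Address == 192.168.1.179

# --- raddb/users (added example) ---
# A local test account the way the FAQ shows it: a Cleartext-Password check
# item and no Auth-Type. The server chooses PAP, CHAP or MS-CHAP from the
# request; forcing Auth-Type := Local breaks that.
bob	Cleartext-Password := "bob"
	Reply-Message = "Hello, bob"

# root may come in only through the two routers above. The first entry
# matches there and, with no Fall-Through, ends the users-file lookup, so the
# password is still checked by LDAP. From any other client the first entry
# does not match, the second one does, and Auth-Type := Reject refuses the
# request before any password is looked at.
root	Huntgroup-Name == "core-routers"

root	Auth-Type := Reject
	Reply-Message = "root is not permitted on this device"

# To disable an account outright, use the Reject entry alone, without the
# huntgroup entry in front of it. Auth-Type := Accept does the opposite of
# disabling: it admits the user without any password check at all.
```

To verify the ordering, run radiusd -X and send one request from each router address and one from elsewhere; the debug output shows preprocess setting Huntgroup-Name and which users entry matched each request.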


Proposed release of 2.1.6

2009-05-12 Thread Alan DeKok
  We plan on releasing 2.1.6 this week.

  Please test the pre release at: http://git.freeradius.org/pre/

  If there are any concerns, problems, errors, etc., please let us know
before we release the final version.

  Alan DeKok.


Re: Free radius 2.1.4 Installation

2009-05-12 Thread John Dennis
anoop c wrote:
 
 Hi
 Thanks for the response. I have installed Python-3.1a1 in redhat linux
 9. Which version I should install for FREERADIUS or which file I should look
 for?

There's your problem. The currently shipping major version of Python is
2. The next major version of Python is 3 and it's in beta. Python2 and
Python3 are *not* compatible and require source code changes. It's going
to take a while before the vast body of Python code gets ported from
Python2 to Python3, you're way ahead of the curve if you're expecting
code written for Python2 to work with Python3. The fact you were getting
an error with PyGILState suggested to me you might be trying to work
with Python3 because I vaguely recall that had been removed in Python3.

Now, as to redhat linux 9, I hope you actually mean Fedora Core 9
(FC-9) because redhat linux 9 AKA Shrike is quite old and hit end
of life in April of 2004, over 5 years ago. Whereas FC-9 is only
slightly more than a year old.

I suggest you straighten out your version problems. We aren't even
shipping a 3.0 version of Python and won't for a while, not until
everything gets ported. My recommendation is to be running FC-10 (but
FC-9 is O.K. too) and use yum to install prebuilt packages that are
known to work.

The current version of FreeRADIUS is 2.1.3 (2.1.4 is not an official
version because of release problems). Both FC-9 and FC-10 have the
current 2.1.3 versions available for easy installation via yum.

The next release of FreeRADIUS will be 2.1.6 and if all goes well should
be available quite soon (depending on Alan's schedule but I expect
measured in days, not months). I can pretty much guarantee when 2.1.6
does officially release FC-11 (now in beta), FC-10, and FC-9 will have
2.1.6 updates within a few days.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Upgrading freeradius from source

2009-05-12 Thread John Dennis
mct...@yahoo.com wrote:
 
 I have done some testing on 2.1.4 and I like the flexibility
 comparing to 1.x.
 
 Unfortunately, I am using for production a pretty old distribution
 1.1.7. For such an old distro, it's almost impossible to do an 
 upgrade and still maintaining the rpm package info and what not, 
 so I am considering upgrading by compiling from source, ie
 configure and make install.

Hmm... 1.1.7 RPM makes it sound like an old Fedora release. Alan gave
you some good suggestions about the 1.x to 2.x upgrade, I have a
suggestion about building and packages. It's always possible to build
from source, but it has some downsides, you'll need to make sure all
your build prerequisites are satisfied, you've passed all the right
values to configure, not the least of which is to assure the install
path information is correct, you've fully removed the old RPM so there
aren't conflicts and then when you're done you'll have lost all the
advantages of having a package manager (e.g. rpm) which tracks
dependencies, watches for conflicts, and knows the version of software
installed on the system, sets the right file permissions and SELinux
labeling. Plus the source RPM (SRPM) will have any patches applied which
are necessary.

I think you'll save yourself a lot of headaches if you stick with RPM
based packages. If the version of FreeRADIUS is not available as an RPM
for the version of the distro you're using then you can find
instructions for how to download, build and install the *RPM* for a
current version here:

http://wiki.freeradius.org/Red_Hat_FAQ


 Any thing I should consider before I have go down to this path ?



-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Proposed release of 2.1.6

2009-05-12 Thread Arran Cudbard-Bell

On 12/5/09 14:33, Alan DeKok wrote:

   We plan on releasing 2.1.6 this week.

   Please test the pre release at: http://git.freeradius.org/pre/

   If there are any concerns, problems, errors, etc., please let us know
before we release the final version.

   Alan DeKok.


/usr/local/tmp-src/freeradius-server-2.1.6/libtool --mode=link gcc 
-export-dynamic -dlopen self \
	  -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo exec.lo 
files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.l
	 
/usr/local/tmp-src/freeradius-server-2.1.6/src/lib/libfreeradius-radius.la 
-framework DirectoryService -lresolv  -lpthread  \

  -lltdl -lcrypto -lssl -lcrypto
rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
creating .libs/radiusdS.c
(cd .libs && gcc  -g -O2 -c -fno-builtin radiusdS.c)
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o 
.libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o

/usr/libexec/gcc/powerpc-apple-darwin8/4.0.1/ld: Undefined symbols:
_lt__PROGRAM__LTX_preloaded_symbols
collect2: ld returned 1 exit status
make[4]: *** [radiusd] Error 1
make[3]: *** [common] Error 2
make[2]: *** [all] Error 2
make[1]: *** [common] Error 2
make: *** [all] Error 2

Hmm maybe the directory services stuff only compiles correctly in 10.5

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: Proposed release of 2.1.6

2009-05-12 Thread piston

Dear Alan

Same issue as 2.1.5 (debian OS), $INCLUDE sql.conf is commented by default.

Hope you can take look on this.

Thanks



- Original Message 
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, May 12, 2009 9:33:04 PM
Subject: Proposed release of 2.1.6

  We plan on releasing 2.1.6 this week.

  Please test the pre release at: http://git.freeradius.org/pre/

  If there are any concerns, problems, errors, etc., please let us know
before we release the final version.

  Alan DeKok.



  


Re: Proposed release of 2.1.6

2009-05-12 Thread John Dennis
piston wrote:
 Dear Alan
 
 Same issue as 2.1.5 (debian OS), $INCLUDE sql.conf is commented by default.
 
 Hope you can take look on this.

I think there is a good argument for not including sql.conf by default.
You can't use sql until you've configured and set up a sql backend which
requires active participatory configuration by the admin on multiple
levels. In addition some users may not wish to install FreeRADIUS with
any SQL support whatsoever, they might be using flat files or LDAP.
Packagers may wish to offer user's lite versions which do not pull in
any external dependencies on SQL.

The default sql.conf defaults to MySQL. All of a sudden you now have to
have MySQL installed and configured. But what if MySQL isn't installed
and configured? Then the first time you run FreeRADIUS it fails. Then
the clueless admin thinks he has to install MySQL because he doesn't
understand SQL support is optional, and in particular MySQL is optional.

I think we should leave SQL support turned off by default, those which
need it will have the knowledge to enable it and those which don't will
be spared headaches and package bloat.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Proposed release of 2.1.6

2009-05-12 Thread Alan DeKok
piston wrote:
 Dear Alan
 
 Same issue as 2.1.5 (debian OS), $INCLUDE sql.conf is commented by default.
 
 Hope you can take look on this.

  Perhaps you could explain why this is a problem, and what you would
like me to do about it.

  Again... it's only a *DEFAULT* configuration.  It is not meant to be
used when you upgrade from one version to another.  If you want to
enable SQL, you already have to un-comment the various sql entries in
raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel.

  Is uncommenting one more in radiusd.conf that much of an issue?

  Alan DeKok.


Re: Proposed release of 2.1.6

2009-05-12 Thread A . L . M . Buxey
Hi,
   We plan on releasing 2.1.6 this week.
 
   Please test the pre release at: http://git.freeradius.org/pre/
 
   If there are any concerns, problems, errors, etc., please let us know
 before we release the final version.

no showstopper just yet... however, noted error in Makefile
(spotted when doing the install)

sed: can't read pool.h: No such file or directory
sed: can't read smodule.h: No such file or directory


indeed, Makefile mentions pool.h and smodule.h but they don't seem
to exist anymore

alan


Re: Proposed release of 2.1.6

2009-05-12 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 /usr/local/tmp-src/freeradius-server-2.1.6/libtool --mode=link gcc
...
 .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o
 /usr/libexec/gcc/powerpc-apple-darwin8/4.0.1/ld: Undefined symbols:
 _lt__PROGRAM__LTX_preloaded_symbols

  Libtool and libltld need to be taken out back and put out of my
misery.  If it would be possible, their developers should be re-educated
into something useful... like basket weaving.

  There were reports on multiple systems of the same error.  Apparently
doing autoreconf fixes those problems.  Which it did, for those systems.

  And now it has broken other systems.

  I'm inclined to look seriously at removing libltdl entirely, and
therefore libtool.  They are disgusting arcane complex fragile, and
picky as all get out.

  I'm not sure what to do here... it works on my Mac, on the Ubuntu
systems I have access to, and on Solaris.

  Anyone else see the same issue?

  Alan DeKok.


Re: Proposed release of 2.1.6

2009-05-12 Thread A . L . M . Buxey
Hi,

crash bang boom.  after a successful auth, things go wonky in SQL logging land


+- entering group post-auth {...}
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.5.13/reply-detail-20090512
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.5.13/reply-detail-20090512
[reply_log] expand: %t -> Tue May 12 19:52:39 2009
++[reply_log] returns ok
radiusd: symbol lookup error: /usr/lib/rlm_sql_log-2.1.6.so: undefined symbol: rad_assert


the daemon crashes out

alan



Re: Proposed release of 2.1.6

2009-05-12 Thread Ivan Kalik
 Arran Cudbard-Bell wrote:
 /usr/local/tmp-src/freeradius-server-2.1.6/libtool --mode=link gcc
 ...
 .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o
 /usr/libexec/gcc/powerpc-apple-darwin8/4.0.1/ld: Undefined symbols:
 _lt__PROGRAM__LTX_preloaded_symbols

   Libtool and libltld need to be taken out back and put out of my
 misery.  If it would be possible, their developers should be re-educated
 into something useful... like basket weaving.

   There were reports on multiple systems of the same error.  Apparently
 doing autoreconf fixes those problems.  Which it did, for those systems.

   And now it has broken other systems.

   I'm inclined to look seriously at removing libltdl entirely, and
 therefore libtool.  They are disgusting arcane complex fragile, and
 picky as all get out.

   I'm not sure what to do here... it works on my Mac, on the Ubuntu
 systems I have access to, and on Solaris.


Works on Slackware as well.

Ivan Kalik
Kalik Informatika ISP



Add users without restarting radiusd

2009-05-12 Thread ournixnat...@gmail.com
Is there a way to add entries to or modify the users file in
/etc/raddb without having to restart radiusd to apply the changes?


Re: Proposed release of 2.1.6

2009-05-12 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
 crash bang boom.  after a successful auth, things go wonky in SQL logging land

 radiusd: symbol lookup error: /usr/lib/rlm_sql_log-2.1.6.so: undefined 
 symbol: rad_assert

 the daemon crashes out

  Hah!  I already caught that and committed a fix before you sent your
message.

  Alan DeKok.


Re: Proposed release of 2.1.6

2009-05-12 Thread A . L . M . Buxey
Hi,
 a.l.m.bu...@lboro.ac.uk wrote:
  crash bang boom.  after a successful auth, things go wonky in SQL logging 
  land
 
  radiusd: symbol lookup error: /usr/lib/rlm_sql_log-2.1.6.so: undefined 
  symbol: rad_assert
 
  the daemon crashes out
 
   Hah!  I already caught that and committed a fix before you sent your
 message.

damn and drat! I'll refresh sources and try again! ;-)

alan


Re: Add users without restarting radiusd

2009-05-12 Thread Alan DeKok
ournixnat...@gmail.com wrote:
 Is there a way to add entries to or modify the users file in
 /etc/raddb without having to restart radiusd to apply the changes?

  In 2.1.x, you can HUP the server, and it will reload the users file.

  Alan DeKok.


PAP password

2009-05-12 Thread Doug Hardie
V 2.1.5.  I am having a problem with PAP not using the proper user id.
If the user id is just a plain user_id then it works properly.  However,
I have some realms set up that have prefixes and suffixes, e.g.,
DUB+user_id@lafn.  PAP is trying to find the user id DUB+user_id@lafn
rather than the stripped user id user_id and hence it doesn't find a
password for the user.  Everything works just fine if I add Auth-Type :=
Accept to the users file, but that's not a great way to run a railroad.
Obviously I missed something.


hints has:

DEFAULT Prefix == "DUB+", Suffix == "@lafn", Strip-User-Name = Yes
	Hint = "SlipStream"


What have I missed?


Re: Proposed release of 2.1.6

2009-05-12 Thread Marinko Tarlac
True... And not only SQL support... Good idea is just like it is now. 
Simple with basic options and good comments in config files...


If you need something, uncomment it :)

John Dennis wrote:
 piston wrote:
  Dear Alan

  Same issue as 2.1.5 (debian OS), $INCLUDE sql.conf is commented by default.

  Hope you can take look on this.
 ..
 I think we should leave SQL support turned off by default, those which
 need it will have the knowledge to enable it and those which don't will
 be spared headaches and package bloat.




Re: Upgrading freeradius from source

2009-05-12 Thread Ming-Ching Tiew



--- On Tue, 5/12/09, John Dennis jden...@redhat.com wrote:

 
 I think you'll save yourself a lot of headaches if you
 stick with RPM
 based packages. If the version of FreeRADIUS is not
 available as an RPM
 for the version of the distro you're using then you can
 find
 instructions for how to download, build and install the
 *RPM* for a
 current version here:
 
 http://wiki.freeradius.org/Red_Hat_FAQ
 
 

I can't find a SOURCE RPM for 2.1.4 yet for fedora.
I tried one of those 2.1.3 rpm, it works perfectly on my
older fedora distro, even though it seem to indicate
that they are for newer fedora. So I guess I have
to wait a little longer.

Regards.




  


help on OpenSUSE installation

2009-05-12 Thread mx5450
Team,

I'm trying to set up freeradius 2.1.4 in a AMD 64 X2 system with an OpenSUSE 
11.1 (x86_64.iso) OS.

I must tell you that I'm new to Linux and Freeradius.

According to the instructions on freeradius.org/radiusd/install I can either:

1. Get a pre-installed binary package (Peter Nixon)
2. get the FreeRADIUS tarball


When I try to get the binary package 
(http://download.opensuse.org/repositories/network:/aaa/openSUSE_11.1/), I get 
a list of files/folders which I don't know what to do with:

i586/
network:aaa.repo
repodata/
src/
x86_64/

As I got stuck, I tried to build it (? new term to me), by placing the 
tarball in usr/src/packages/SOURCES; extracting the freeradius.spec and placing 
it in usr/src/packages/SPECS. Then I run from the terminal prompt:

rpmbuild -ba usr/src/packages/SPECS/ freeradius.spec

However I got the message:

mar...@win-219e0010bba:~ rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec
sh: apxs2-prefork: command not found
sh: apxs2-prefork: command not found
sh: apxs2-prefork: command not found
error: Failed build dependencies:
db-devel is needed by freeradius-server-2.1.4-0.x86_64
e2fsprogs-devel is needed by freeradius-server-2.1.4-0.x86_64
gcc-c++ is needed by freeradius-server-2.1.4-0.x86_64
gdbm-devel is needed by freeradius-server-2.1.4-0.x86_64
gettext-devel is needed by freeradius-server-2.1.4-0.x86_64
glibc-devel is needed by freeradius-server-2.1.4-0.x86_64
libtool is needed by freeradius-server-2.1.4-0.x86_64
ncurses-devel is needed by freeradius-server-2.1.4-0.x86_64
openldap2-devel is needed by freeradius-server-2.1.4-0.x86_64
openssl-devel is needed by freeradius-server-2.1.4-0.x86_64
pam-devel is needed by freeradius-server-2.1.4-0.x86_64
postgresql-devel is needed by freeradius-server-2.1.4-0.x86_64
python-devel is needed by freeradius-server-2.1.4-0.x86_64
unixODBC-devel is needed by freeradius-server-2.1.4-0.x86_64
zlib-devel is needed by freeradius-server-2.1.4-0.x86_64
apache2-devel is needed by freeradius-server-2.1.4-0.x86_64
cyrus-sasl-devel is needed by freeradius-server-2.1.4-0.x86_64
krb5-devel is needed by freeradius-server-2.1.4-0.x86_64
libapr1-devel is needed by freeradius-server-2.1.4-0.x86_64
libmysqlclient-devel is needed by freeradius-server-2.1.4-0.x86_64
mar...@win-219e0010bba:~ 

I read about this and regarding the dependencies it seems that some features 
are not installed and that I need the OpenSUSE disk to load them from the YAST.

However I can not seem to find what the sh: apxs2-prefork: command not found 
message is about or how to fix that.

I'm stuck again.

Could you help with this?

Thanks in advance




Re: Add users without restarting radiusd

2009-05-12 Thread ournixnat...@gmail.com
I am fairly new to radius and would like to know if you could explain
how I would go about this: In 2.1.x, you can HUP the server, and it
will reload the users file.


Re: Proposed release of 2.1.6

2009-05-12 Thread piston

Hi,

It's not a major concern, it just happens that it was uncommented in previous 
versions (from 1.x to 2.1.3), and the change log didn't mention this change. So 
less experienced freeradius users might have some issues; if you guys think 
it is fine as it is, just ignore it, or at least put a line in the change log.

Thanks



- Original Message 
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, May 13, 2009 2:17:50 AM
Subject: Re: Proposed release of 2.1.6

piston wrote:
 Dear Alan
 
 Same issue as 2.1.5 (debian OS), $INCLUDE sql.conf is commented by default.
 
 Hope you can take look on this.

  Perhaps you could explain why this is a problem, and what you would
like me to do about it.

  Again... it's only a *DEFAULT* configuration.  It is not meant to be
used when you upgrade from one version to another.  If you want to
enable SQL, you already have to un-comment the various sql entries in
raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel.

  Is uncommenting one more in radiusd.conf that much of an issue?

  Alan DeKok.


Re: Add users without restarting radiusd

2009-05-12 Thread ournixnat...@gmail.com
I may have figured it out myself. Will this work: service radiusd reload

If so, what exactly is it doing? Just reloading the users file or more?

On Tue, May 12, 2009 at 8:17 PM, ournixnat...@gmail.com
ournixnat...@gmail.com wrote:
 I am fairly new to radius and would like to know if you could explain
 how I would go about this: In 2.1.x, you can HUP the server, and it
 will reload the users file.



Re: PAP password

2009-05-12 Thread Doug Hardie


On 12 May 2009, at 13:29, Doug Hardie wrote:

V 2.1.5.  I am having a problem with PAP not using the proper user  
id.  If the user id is just a plain
user_id then it works properly.  However, I have some realms setup  
that have prefixes and suffixes e.g., DUB+user_id@lafn.  PAP is  
trying to find the user_id DUB+user_id@lafn rather than the  
stripped user id user_id and hence it doesn't find a password for  
the user.  Everything works just fine if I add Auth-Type := Accept  
to the users file, but that's not a great way to run a railroad.   
Obviously I missed something.


hints has:

DEFAULT Prefix == DUB+, Suffix == @lafn, Strip-User-Name = Yes
   Hint = SlipStream


What have I missed?


I seem to have reached a dead end with this.  Version 1.x would strip  
both the prefix and the suffix in Stripped-User-Name and then use that  
to find the password.  Version 2.x will strip one or the other, but  
not both.  From what I can see in presufcmp there appears to be no  
easy way to get it to strip both.  I have tried a number of kludges in  
hints to try and get that done.  None seem to work.  I am having to  
run a production server with Auth-Type := Accept to keep things up and  
running, but this is not really acceptable.


One kludge that appears might work is in paircmp.c at line 142 add:

for (len = 0; len < strlen(rest); len++)
        if (rest[len] == '@') rest[len] = '\0';   /* cut the string at the first '@' */

I believe that would work since when both a prefix and suffix are  
present the prefix is removed and the suffix remains.  All my suffixes  
have a @.



Re: Add users without restarting radiusd

2009-05-12 Thread Paul Bartell
You could also use SQL or another database for storing users. This
doesn't require HUPing the server.


On Tue, May 12, 2009 at 8:25 PM, ournixnat...@gmail.com
ournixnat...@gmail.com wrote:
 I may have figured it out myself. Will this work: service radiusd reload

 If so, what exactly is it doing? Just reloading the users file or more?

 On Tue, May 12, 2009 at 8:17 PM, ournixnat...@gmail.com
 ournixnat...@gmail.com wrote:
 I am fairly new to radius and would like to know if you could explain
 how I would go about this: In 2.1.x, you can HUP the server, and it
 will reload the users file.





-- 
Random quote of the week/month/whenever i get to updating it: Quis custodiet
ipsos custodes?: who shall watch the watchers themselves? - Juvenal


Re: PAP password

2009-05-12 Thread Doug Hardie


On 12 May 2009, at 20:28, Doug Hardie wrote:



On 12 May 2009, at 13:29, Doug Hardie wrote:

V 2.1.5.  I am having a problem with PAP not using the proper user  
id.  If the user id is just a plain
user_id then it works properly.  However, I have some realms  
setup that have prefixes and suffixes e.g., DUB+user_id@lafn.   
PAP is trying to find the user_id DUB+user_id@lafn rather than  
the stripped user id user_id and hence it doesn't find a password  
for the user.  Everything works just fine if I add Auth-Type :=  
Accept to the users file, but that's not a great way to run a  
railroad.  Obviously I missed something.


hints has:

DEFAULT Prefix == DUB+, Suffix == @lafn, Strip-User-Name = Yes
  Hint = SlipStream


What have I missed?


I seem to have reached a dead end with this.  Version 1.x would  
strip both the prefix and the suffix in Stripped-User-Name and then  
use that to find the password.  Version 2.x will strip one or the  
other, but not both.  From what I can see in presufcmp there appears  
to be no easy way to get it to strip both.  I have tried a number of  
kludges in hints to try and get that done.  None seem to work.  I am  
having to run a production server with Auth-Type := Accept to keep  
things up and running, but this is not really acceptable.


One kludge that appears might work is in paircmp.c at line 142 add:

for (len = 0; len < strlen(rest); len++)
        if (rest[len] == '@') rest[len] = '\0';   /* cut the string at the first '@' */

I believe that would work since when both a prefix and suffix are  
present the prefix is removed and the suffix remains.  All my  
suffixes have a @.


The above method works for Stripped-User-Name but authentication still  
has DUB+user_id.  There is a most interesting worked example in the  
wiki that I adapted:


DEFAULT User-Name =~ DUB+([...@]+)@*
User-Name := %{1},
Hint = SlipStream

This almost works.  The authentication is done using  +user_id so  
the basic problem has a solution but the regex needs some help.  I  
don't need to retain the suffix or prefix but there are several  
different prefixes so I need to check for each separately.  I don't  
have a lot of experience with regex so it should be simple, but  
haven't found it yet.



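Why the capture above comes out as "+user_id", shown as an added example that is not part of the post or of FreeRADIUS: in the POSIX extended regex dialect FreeRADIUS uses for =~, an unescaped "+" after "DUB" is a quantifier, so the first group starts at the literal "+". The stricter pattern escapes it, lists each realm prefix as an alternative (XYZ is a constructed placeholder) and anchors the "@lafn" suffix, so the bare user id lands in the second capture. The user names are constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code.  LOOSE mirrors the hints entry in the
 * post: in POSIX ERE "DUB+" is "DU" then one or more "B", so %{1} starts at the
 * literal '+'.  STRICT escapes the '+', lists each realm prefix (XYZ is a
 * constructed placeholder) and anchors "@lafn", so the bare id is %{2}. */
#define LOOSE_PATTERN  "DUB+([^@]+)@*"
#define STRICT_PATTERN "^(DUB|XYZ)\\+([^@]+)@lafn$"

/* Match name against a POSIX ERE (the dialect FreeRADIUS uses for =~) and copy
 * capture 'group' to out; 1 on success, 0 on no match/unset group/small buf. */
int match_group(const char *pattern, const char *name, int group,
                char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[4];
    int ok = 0;

    if (group < 0 || group > 3 || regcomp(&re, pattern, REG_EXTENDED) != 0)
        return 0;
    if (regexec(&re, name, 4, m, 0) == 0 && m[group].rm_so >= 0) {
        size_t len = (size_t)(m[group].rm_eo - m[group].rm_so);
        if (len < outlen) {
            memcpy(out, name + m[group].rm_so, len);
            out[len] = '\0';
            ok = 1;
        }
    }
    regfree(&re);
    return ok;
}

/* Does capture 'group' of the match equal 'expect'?  Handy for assertions. */
int capture_equals(const char *pattern, const char *name, int group, const char *expect)
{
    char buf[64];
    return match_group(pattern, name, group, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

int main(void)
{
    const char *names[] = { "DUB+fred@lafn", "XYZ+alice@lafn", "DUB+fred@other" };
    char buf[64];
    for (size_t i = 0; i < 3; i++)
        printf("%-15s -> %s\n", names[i],
               match_group(STRICT_PATTERN, names[i], 2, buf, sizeof buf) ? buf : "(no match)");
    return 0;
}
```

In a hints entry the equivalent would be `DEFAULT User-Name =~ "^(DUB|XYZ)\\+([^@]+)@lafn$"` with `User-Name := "%{2}"` on the reply line; check the backslash escaping inside the quoted string against your server version, since the quoted-string parser processes escapes before the regex sees them.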