Re: Acct Input and Output gigaword
Eric wrote:
> any suggestion?

Maybe this? http://bugs.gentoo.org/attachment.cgi?id=102981

Can anyone comment on the quality of this patch?

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unable to run radtest
On Sat, Jul 4, 2009 at 10:41 PM, Alan DeKok <al...@deployingradius.com> wrote:
> ramesh p wrote:
>> I tried to run the following:
>> r...@parsa-laptop:/etc/freeradius# radtest sqltest testpwd localhost 1812 testing123
>> radclient: socket: cannot initialize udpfromto: Function not implemented.
>
> You've configured with --with-udpfromto, which is not the default.
> It's not supported on your system.
>
> Re-configure, build, and install the server without that option.
>
> Alan DeKok.
Cisco ignores Framed-IP-Address from freeradius
Hello,

I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN connections. I would like my CISCO router to assign static IP addresses to remote VPN users thanks to the Freeradius server.

My freeradius server is configured to give static IP addresses to users. I can check it with radtest:

[r...@host ~]# radtest t...@domain.com mypassword 127.0.0.1 0 testing123
Sending Access-Request of id 152 to 127.0.0.1 port 1812
        User-Name = t...@domain.com
        User-Password = mypassword
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=69
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 15.1.1.99
        Framed-IP-Netmask = 255.255.255.0

and the CISCO router gets it ...

Log Buffer (32768 bytes):
Jul 3 17:50:35.368: RADIUS/ENCODE(0058):Orig. component type = VPN_IPSEC
Jul 3 17:50:35.368: RADIUS:  AAA Unsupported Attr:   interface         [158] 13
Jul 3 17:50:35.368: RADIUS:   32 31 33 2E 34 31 2E 31 33 33 2E
Jul 3 17:50:35.368: RADIUS/ENCODE(0058): dropping service type, radius-server attribute 6 on-for-login-auth is off
Jul 3 17:50:35.368: RADIUS(0058): Config NAS IP: 0.0.0.0
Jul 3 17:50:35.368: RADIUS/ENCODE(0058): acct_session_id: 72
Jul 3 17:50:35.368: RADIUS(0058): sending
Jul 3 17:50:35.368: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul 3 17:50:35.368: RADIUS(0058): Send Access-Request to Y.Y.Y.Y:1812 id 1645/50, len 112
Jul 3 17:50:35.368: RADIUS:  authenticator 73 C3 A8 1F E5 ED BA C6 - B0 39 12 74 33 3C 80 A7
Jul 3 17:50:35.372: RADIUS:  User-Name           [1]   25  t...@domain.com
Jul 3 17:50:35.372: RADIUS:  User-Password       [2]   18  *
Jul 3 17:50:35.372: RADIUS:  Calling-Station-Id  [31]  16  A.B.C.D
Jul 3 17:50:35.372: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jul 3 17:50:35.372: RADIUS:  NAS-Port            [5]   6   3
Jul 3 17:50:35.372: RADIUS:  NAS-Port-Id         [87]  15  E.F.G.H
Jul 3 17:50:35.372: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X
Jul 3 17:50:35.440: RADIUS: Received from id 1645/50 Y.Y.Y.Y:1812, Access-Accept, len 44
Jul 3 17:50:35.444: RADIUS:  authenticator 86 A5 0A EA BE DF 30 E0 - 11 E3 24 54 9B 2C C6 77
Jul 3 17:50:35.444: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jul 3 17:50:35.444: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jul 3 17:50:35.444: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.99
Jul 3 17:50:35.444: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.0
Jul 3 17:50:35.444: RADIUS(0058): Received from id 1645/50
Jul 3 17:50:35.444: RADIUS: Constructed ppp negotiate
Jul 3 17:50:37.852: RADIUS/ENCODE(0058):Orig. component type = VPN_IPSEC
Jul 3 17:50:37.852: RADIUS(0058): Config NAS IP: 0.0.0.0
Jul 3 17:50:37.852: RADIUS(0058): sending
Jul 3 17:50:37.852: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul 3 17:50:37.852: RADIUS(0058): Send Accounting-Request to Y.Y.Y.Y:1813 id 1646/33, len 112
Jul 3 17:50:37.852: RADIUS:  authenticator AE 34 03 31 02 D0 C3 19 - 16 B0 6F DD 1E 26 FE 66
Jul 3 17:50:37.852: RADIUS:  Acct-Session-Id     [44]  10  0048
Jul 3 17:50:37.852: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.18
Jul 3 17:50:37.852: RADIUS:  User-Name           [1]   25  t...@domain.com
Jul 3 17:50:37.852: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Jul 3 17:50:37.852: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jul 3 17:50:37.852: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jul 3 17:50:37.852: RADIUS:  NAS-Port            [5]   6   3
Jul 3 17:50:37.852: RADIUS:  NAS-Port-Id         [87]  15  E.F.G.H
Jul 3 17:50:37.852: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X
Jul 3 17:50:37.852: RADIUS:  Acct-Delay-Time     [41]  6   0
Jul 3 17:50:37.856: RADIUS: Received from id 1646/33 Y.Y.Y.Y:1813, Accounting-response, len 20
Jul 3 17:50:37.856: RADIUS:  authenticator B8 26 8E 14 AE AB AF AA - 67 C3 3C 1F 62 4D 70 5B

.. but never assigns it to remote users; the cisco router assigns an IP address from its local pool.

The interesting lines of my cisco configuration are:

aaa new-model
!
!
aaa authentication login ClientAuth group radius
aaa authorization network ClienAuth group radius local
aaa accounting delay-start
aaa accounting network ClientAuth start-stop group radius
crypto isakmp client configuration address-pool local vpnpool
crypto map rasvpn client authentication list ClientAuth
crypto map rasvpn client accounting list ClientAuth
crypto map rasvpn isakmp authorization list ClientAuth
crypto map rasvpn client configuration address respond
crypto map rasvpn 10 ipsec-isakmp dynamic dynmap

I also tried with the cisco av-pair attribute with no luck ...

Does anybody know what the problem could be?

Thanks!
Fred
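The debug buffer above already contains the evidence: the Access-Accept carries Framed-IP-Address 15.1.1.99, but the Accounting Start two seconds later reports 15.1.1.18. The Python below is an added example (not part of the original post, nor Cisco or FreeRADIUS code) that parses IOS "debug radius" lines into packets and flags any Accounting Start whose Framed-IP-Address differs from the one the server assigned; SAMPLE is constructed from the lines of the post.

```python
"""Parse Cisco IOS 'debug radius' output into per-packet attribute maps and check
whether an Accounting Start reports the Framed-IP-Address the Access-Accept handed
out.  Added illustration for this thread, not Cisco or FreeRADIUS code; SAMPLE is
constructed from the poster's log."""
import re

# Packet boundaries as IOS prints them: packets the NAS sends and packets it gets.
SEND_RE = re.compile(r"RADIUS\(\d+\): Send (\S+) to (\S+) id ([^,\s]+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) (\S+), (\S+), len")
# Attribute lines look like 'RADIUS:  Name  [type]  length  value'.
ATTR_RE = re.compile(r"RADIUS:\s+([\w-]+)\s+\[(\d+)\]\s+\d+\s*(.*)$")

SAMPLE = """\
Jul 3 17:50:35.368: RADIUS(0058): Send Access-Request to Y.Y.Y.Y:1812 id 1645/50, len 112
Jul 3 17:50:35.372: RADIUS:  User-Name           [1]   25  t...@domain.com
Jul 3 17:50:35.440: RADIUS: Received from id 1645/50 Y.Y.Y.Y:1812, Access-Accept, len 44
Jul 3 17:50:35.444: RADIUS:  authenticator 86 A5 0A EA BE DF 30 E0 - 11 E3 24 54 9B 2C C6 77
Jul 3 17:50:35.444: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jul 3 17:50:35.444: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.99
Jul 3 17:50:35.444: RADIUS(0058): Received from id 1645/50
Jul 3 17:50:37.852: RADIUS(0058): Send Accounting-Request to Y.Y.Y.Y:1813 id 1646/33, len 112
Jul 3 17:50:37.852: RADIUS:  Acct-Session-Id     [44]  10  0048
Jul 3 17:50:37.852: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.18
Jul 3 17:50:37.852: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jul 3 17:50:37.856: RADIUS: Received from id 1646/33 Y.Y.Y.Y:1813, Accounting-response, len 20
"""


def parse_debug(lines):
    """Return one {'code', 'id', 'attrs'} dict per RADIUS packet, in log order."""
    packets, current = [], None
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            current = {"code": m.group(1), "id": m.group(3), "attrs": {}}
            packets.append(current)
            continue
        m = RECV_RE.search(line)
        if m:
            current = {"code": m.group(3), "id": m.group(1), "attrs": {}}
            packets.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:   # attrs before any packet header are ignored
            # collapse column padding, e.g. 'Start      [1]' -> 'Start [1]'
            current["attrs"][m.group(1)] = " ".join(m.group(3).split())
    return packets


def check_framed_ip(packets):
    """Pair each Accounting Start with the most recent Access-Accept and return
    (assigned_ip, reported_ip) for every session where the NAS reports a
    different address than the RADIUS server assigned."""
    findings, last_accept = [], None
    for p in packets:
        if p["code"] == "Access-Accept":
            last_accept = p
        elif p["code"] == "Accounting-Request" and last_accept is not None:
            if not p["attrs"].get("Acct-Status-Type", "").startswith("Start"):
                continue
            assigned = last_accept["attrs"].get("Framed-IP-Address")
            reported = p["attrs"].get("Framed-IP-Address")
            if assigned and reported and assigned != reported:
                findings.append((assigned, reported))
    return findings


if __name__ == "__main__":
    for assigned, reported in check_framed_ip(parse_debug(SAMPLE.splitlines())):
        print("server assigned %s, NAS reported %s" % (assigned, reported))
```

Run against a full debug capture, a non-empty result means the NAS is taking addresses from somewhere other than the RADIUS reply (here the local pool named in the crypto isakmp configuration).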
Re: Syslog and FreeRADIUS
Further to my previous query, I've got global server messages being syslogged to my log hosts. However, all of my radius magic happens inside virtual servers, which live in sites-available. I haven't been able to get any syslog packets sent from within these virtual servers.

I've tried creating a log{} section at the top of the virtual server containing the same directives as radiusd.conf, but this didn't work. I created a module, again with the same directives as radiusd.conf - this also didn't work. I referenced the stuff in both cases in the normal places in my virtual server.

The server doesn't give any error messages and starts normally with these directives in place - it just doesn't send any syslog packets.

Has anyone on the list sent syslog packets from within radius virtual servers? Any guidance would be much appreciated.

Thanks,
Jonathan
Re: Syslog and FreeRADIUS
Jonathan Gazeley wrote:
> However, all of my radius magic happens inside virtual servers, which live in sites-available. I haven't been able to get any syslog packets sent from within these virtual servers.

The log section is global. See raddb/sites-available/README for a definitive list of which sections can appear inside of a server section.

> Has anyone on the list sent syslog packets from within radius virtual servers? Any guidance would be much appreciated.

Doing this will require source code changes.

Alan DeKok.
Re: Cisco ignores Framed-IP-Address from freeradius
On Mon, 6 Jul 2009, Gilloteau Frederic wrote:
> Hello,
> I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN connections.
> and the CISCO router gets it ...
> .. but never assign it to remote users, the cisco router assigns an IP address from its local pool.
> The interesting lines of my cisco configuration are :
> aaa new-model
> !
> !
> aaa authentication login ClientAuth group radius
> aaa authorization network ClienAuth group radius local
> aaa accounting delay-start
> aaa accounting network ClientAuth start-stop group radius

I had a similar problem...it was with my aaa config. Try:

aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius local

James Smallacombe   PlantageNet, Inc. CEO and Janitor
u...@3.am           http://3.am
Re: Syslog and FreeRADIUS
On 07/06/2009 04:35 PM, Alan DeKok wrote:
> Jonathan Gazeley wrote:
>> However, all of my radius magic happens inside virtual servers, which live in sites-available. I haven't been able to get any syslog packets sent from within these virtual servers.
>
> The log section is global. See raddb/sites-available/README for a definitive list of which sections can appear inside of a server section.

OK, thanks. If the log section is global, should I simply be able to insert the word log into my virtual servers? Doing so causes the server to not start:

radiusd[9868]: /usr/local/etc/raddb/sites-enabled/uobresnet[34]: Failed to find module log.
radiusd[9868]: /usr/local/etc/raddb/sites-enabled/uobresnet[20]: Errors parsing authorize section.

Ultimately what I'm after is the ability to send detail logs to syslog rather than have them written to a file. Perhaps I've been asking the wrong questions so far, or in the wrong way :)

Cheers,
Jonathan
Re: Syslog and FreeRADIUS
Hi,

>> The log section is global. See raddb/sites-available/README for a definitive list of which sections can appear inside of a server section.
>
> OK, thanks. If the log section is global, should I simply be able to insert the word log into my virtual servers? Doing so causes the server to not start:

no, the log section is global - and therefore cannot go into a virtual server - it fails if you do that (as you've seen)

> Ultimately what I'm after is the ability to send detail logs to syslog rather than have them written to a file. Perhaps I've been asking the wrong questions so far, or in the wrong way :)

whoa. that's completely different to what the current server does, virtual or not. what details do you want to syslog?

alan
Re: Syslog and FreeRADIUS
On 07/06/2009 05:02 PM, a.l.m.bu...@lboro.ac.uk wrote:
>> Ultimately what I'm after is the ability to send detail logs to syslog rather than have them written to a file. Perhaps I've been asking the wrong questions so far, or in the wrong way :)
>
> whoa. that's completely different to what the current server does, virtual or not. what details do you want to syslog?

For a start I want to syslog the stuff that usually goes into radius.log - so the messages when the server starts (which are already being syslogged successfully) and the summary line (Auth: Login OK) printed after an authentication (which are currently not being sent to syslog).

I also want to syslog the stuff that normally gets filed away under /var/log/radius/radacct - so details of radius packets for debugging.

The reason for wanting to send everything to a log host on the network is that the new generation of radius servers we are preparing are all virtualised and only have a few GB of disk - so no room for logs.

Cheers,
Jonathan

--
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
RE: Syslog and FreeRADIUS
Jonathan,

I'm actually planning to roll out RADIUS on a virtualization platform too, probably Xen. Could you share what VM platform you're using?

Thanks!
Ted

From: freeradius-users-bounces+ted.behling=htc.hargray@lists.freeradius.org [mailto:freeradius-users-bounces+ted.behling=htc.hargray@lists.freeradius.org] On Behalf Of Jonathan Gazeley
Sent: Monday, July 06, 2009 12:15 PM
To: FreeRadius users mailing list
Subject: Re: Syslog and FreeRADIUS
Re: Syslog and FreeRADIUS
Hi Ted,

We are using VMWare ESXi on our hypervisors. There's no need to run a host OS and it's easy to set up. We haven't encountered any problems to speak of. The guest OS that the radius servers run is CentOS.

Cheers,
Jonathan

On 07/06/2009 05:16 PM, Ted Behling wrote:
> Jonathan,
>
> I'm actually planning to roll out RADIUS on a virtualization platform too, probably Xen. Could you share what VM platform you're using?
>
> Thanks!
> Ted

--
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
Re: Syslog and FreeRADIUS
Hi,

> The reason for wanting to send everything to a log host on the network is that the new generation of radius servers we are preparing are all virtualised and only have a few GB of disk - so no room for logs.

there are so many ways of having proper disk access via a virtualised host that I don't know why you'd want to cripple your config by relying on syslog and such dumb technologies for transfer of such details. FoE, FC, ATAoE, NFSv4, iSCSI etc.

however, ANOTHER way would be to have a backend RADIUS server that sits on a system with the big fat disks. This RADIUS server would do no authentication/authorisation etc and would simply be an accounting relay - proxy all your accounting details to it for storage - check the various supplied virtual servers to see the ways this can be done.

virtualisation of a RADIUS server isn't a problem - I've used FreeRADIUS in VMWare Fusion, Xen, and ESX - as you say, it's the big files that are the killer - so dish such stuff elsewhere if you aren't using the network to transit storage.

alan
freeradius active directory integration fails with no such realm
Hello all,

I tried to configure freeradius 2.0.4 on debian 5.0.2 (after recompiling with openssl support, as instructed in the debian readme) for authenticating wireless connections with wpa2-enterprise, using active directory user/password (windows xp as clients, d-link dwl 2200ap as APs). I followed the how-to from http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO , but somehow I seem to fail.

I know I should post here the configurations and the output of freeradius -X, but they are very long and I don't know what I should select. One thing stands out though in the output of freeradius -X (only after changing the order of suffix and ntdomain in sites-available/default and radiusd.conf):

++[mschap] returns noop
    rlm_realm: Looking up realm IPSO0 for User-Name = IPSO0\andrei.staicu
    rlm_realm: No such realm IPSO0
++[ntdomain] returns noop
    rlm_realm: No '@' in User-Name = IPSO0\andrei.staicu, looking up realm NULL
    rlm_realm: No such realm NULL

IPSO0 is the realm name for the domain ipso.biz (not the public site; this is internal and resolved as such by our dns). I've tried for about two weeks now, but I still have no idea how to define the realm IPSO0.

ntlm_auth works on that server:

ntlm_auth --request-nt-key --username andrei.staicu --domain IPSO0
password:
NT_STATUS_OK: Success (0x0)

(note on this: using ntlm_auth --request-nt-key --domain=your domain --username= your username as in the howto doesn't seem to work, but ntlm_auth --request-nt-key --domain your domain --username your username works)

Could you give me some pointers on how to continue? I've run out of options with this one. If all the configuration files and all the output of freeradius -X are required, I'll post them in a pastebin and link here.

Thanks in advance
Re: freeradius active directory integration fails with no such realm
Hi,

> One thing stands out though in the output of freeradius -X (only after changing the order of suffix and ntdomain in sites-available/default and radiusd.conf):
> ++[mschap] returns noop

ensure that the preprocess module is called first and then ensure that with_ntdomain_hack is set to on

alan
Re: set absolute lifetimes
>> Use Expiration attribute.
>
> And where? radcheck? What should I check? If Expiration is... what is CurrentTime as Value in SQL?

it's a check item, FreeRadius will use it to allow or deny access and to set Session-Timeout if needed.

--
damjan | дамјан
This is my jabber ID -- dam...@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)
Re: freeradius active directory integration fails with no such realm
> One thing stands out though in the output of freeradius -X (only after changing the order of suffix and ntdomain in sites-available/default and radiusd.conf):
>
> ++[mschap] returns noop
>     rlm_realm: Looking up realm IPSO0 for User-Name = IPSO0\andrei.staicu
>     rlm_realm: No such realm IPSO0
> ++[ntdomain] returns noop
>     rlm_realm: No '@' in User-Name = IPSO0\andrei.staicu, looking up realm NULL
>     rlm_realm: No such realm NULL
>
> IPSO0 is the realm name for the domain ipso.biz (not the public site; this is internal and resolved as such by our dns). I've tried for about two weeks now, but I still have no idea how to define the realm IPSO0.

Look at proxy.conf.

Ivan Kalik
Kalik Informatika ISP
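The two "No such realm" lines come from the ntdomain and suffix instances of the realm module each splitting the User-Name and then failing to find the realm in the table that proxy.conf defines. The Python below is an added, simplified model of that lookup (written for this thread, not rlm_realm's code); REALMS_FIXED with a local realm IPSO0 is a hypothetical proxy.conf entry, and the debug strings are modelled on the poster's output.

```python
"""Simplified model of FreeRADIUS realm handling for the 'No such realm' thread:
how the ntdomain and suffix instances of the realm module split a User-Name and
look the realm up in the table proxy.conf defines.  Added illustration, not
rlm_realm's own code."""

# Realm tables as proxy.conf would define them.  A realm without a home server is
# LOCAL: the request is authenticated on this server rather than proxied.
REALMS_AS_POSTED = {}                         # the poster's case: IPSO0 never defined
REALMS_FIXED = {"IPSO0": {"local": True}}     # hypothetical 'realm IPSO0 { }' in proxy.conf

DELIMITERS = {"ntdomain": "\\", "suffix": "@"}   # REALM\user  and  user@realm


def split_user_name(user_name, fmt):
    """Split User-Name for one realm format; None when the delimiter is absent."""
    delim = DELIMITERS[fmt]
    if delim not in user_name:
        return None
    if fmt == "ntdomain":
        realm, user = user_name.split(delim, 1)
    else:
        user, realm = user_name.rsplit(delim, 1)
    return realm, user


def lookup_realm(user_name, fmt, realms, log):
    """Emulate one realm-module instance.  Returns the Realm and Stripped-User-Name
    when the realm is defined, else None (the module returns noop).  Debug lines
    are appended to log in the shape seen in the thread."""
    parts = split_user_name(user_name, fmt)
    if parts is None:
        # No delimiter: the module falls back to the catch-all realm "NULL".
        log.append("rlm_realm: No '%s' in User-Name = %s, looking up realm NULL"
                   % (DELIMITERS[fmt], user_name))
        realm, user = "NULL", user_name
    else:
        realm, user = parts
        log.append("rlm_realm: Looking up realm %s for User-Name = %s" % (realm, user_name))
    if realm not in realms:
        log.append("rlm_realm: No such realm %s" % realm)
        return None
    local = bool(realms[realm].get("local"))
    log.append("rlm_realm: Found realm %s%s" % (realm, " (LOCAL)" if local else ""))
    return {"Realm": realm, "Stripped-User-Name": user, "proxy": not local}


def authorize(user_name, realms):
    """Run the instances in the order the poster ended up with (ntdomain before
    suffix); the first instance that resolves a realm wins."""
    log = []
    for fmt in ("ntdomain", "suffix"):
        result = lookup_realm(user_name, fmt, realms, log)
        if result is not None:
            return result, log
    return None, log
```

With REALMS_AS_POSTED the log reproduces the four rlm_realm lines from the thread and both instances return noop; with REALMS_FIXED the ntdomain instance strips the domain and keeps the request local.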
Re: Cisco ignores Framed-IP-Address from freeradius
> I would like my CISCO router to assign static IP address to remote VPN users thanks to the Freeradius server. My freeradius server is configured to give static ip address to users.

Fine, how about Cisco?

> and the CISCO router gets it ...
> .. but never assign it to remote users, the cisco router assigns an IP address from its local pool.
> The interesting lines of my cisco configuration are :
> ...
> crypto isakmp client configuration address-pool local vpnpool
> ...

So, just as you have configured it!

Ivan Kalik
Kalik Informatika ISP
Re: Syslog and FreeRADIUS
Jonathan Gazeley wrote:
> For a start I want to syslog the stuff that usually goes into radius.log - so the messages when the server starts (which are already being syslogged successfully) and the summary line (Auth: Login OK) printed after an authentication (which are currently not being sent to syslog).

That can be done. Just edit the log section of radiusd.conf.

> I also want to syslog the stuff that normally gets filed away under /var/log/radius/radacct - so details of radius packets for debugging.

I'll echo Alan Buxey here... you don't want to do this. See raddb/sites-available/robust-proxy-accounting for the RADIUS way of doing it. i.e. you're trying to replicate RADIUS traffic. So replicate it as RADIUS traffic.

> The reason for wanting to send everything to a log host on the network is that the new generation of radius servers we are preparing are all virtualised and only have a few GB of disk - so no room for logs.

There's enough room for a few days' worth of detail logs, unless your systems are very, very busy.

Alan DeKok.
David Suarez De Lis/UN24956/OPERACION Y MANTENIMIENTO /TSM is out of the office.
I will be out of the office from 06/07/2009 and will not return until 22/07/2009. I will reply to your message when I return. If you have an emergency, you can contact Jose Manuel Gomez Perez (jmgo...@telefonica.es) or Juan Orea Hernandez (juan.oreahernan...@telefonica.es).

___

This message is intended exclusively for its addressee and may contain information that is CONFIDENTIAL and protected by a professional privilege or whose disclosure is prohibited by law. If you are not the intended recipient you are hereby notified that any reading, dissemination, copying or disclosure of this communication is strictly prohibited by law. If this message has been received in error, please immediately notify us via e-mail and delete it. Internet e-mail neither guarantees the confidentiality nor the integrity or proper receipt of the messages sent. Telefónica does not assume any liability for those circumstances.

___