Re: R: Re: R: rlm_ippool: No available ip addresses in pool

2010-05-04 Thread Alan DeKok
Tabacchiera Stefano wrote:
> the fact is: not always we receive the acct-stop message from the NAS.
> And, slowly but certainly, the pool ends to be filled of active entries
> that will never be released.

  You already said that.

> I just tried this simple test: a pool of 5 ip's with maximum_timeout=10.
> I start to radclient'ing the auth port, with a random generated nas port.
> When i reach the 6th client, radiusd -X says no available ip address.
> Even if maximum_timeout expired since long time.

  You already said that.

> There is no way to deallocate ip's, but sending acct-stop packets.

  You already said that.

> Let me know if I can provide some other useful details.

  My previous message told you what information to provide.

  Please read it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[no subject]

2010-05-04 Thread dorra aa

Hi.
After installing Radius, I tried some examples. I don't know if it is correct
because I'm new to it.

I add on Users:
sonia Auth-Type := Local, User-Password == salut
Reply-Message = Hello, %u,
Reply-Message = are you fine, %u

And i add on Clients.conf:
client 127.0.0.1 {
secret  = testing123 # our shared key
shortname   = class
nastype = other
}
when i do this command, i have:

p...@pfe-laptop:~$ sudo radtest sonia salut 127.0.0.1:1812 1812 testing123
Sending Access-Request of id 11 to 127.0.0.1 port 1812
User-Name = sonia
User-Password = salut
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=20

What is the problem, please? Is there something missing in my test?
Thank you

  

Re:

2010-05-04 Thread Nicolas Goutte


On 04.05.2010 at 13:34, dorra aa wrote:

> Hi.
> After installing Radius, I tried some examples. I don't know if it
> is correct because I'm new to it.
>
> I add on Users:
>
> sonia Auth-Type := Local, User-Password == salut

This should read

Cleartext-Password := salut

instead of

User-Password == salut

In FreeRADIUS, passwords are assigned ( := ) and not compared ( == )

Have a nice day!

> Reply-Message = Hello, %u,
> Reply-Message = are you fine, %u
>
> And i add on Clients.conf:
> client 127.0.0.1 {
> secret  = testing123 # our shared key
> shortname   = class
> nastype = other
> }
> when i do this command, i have:
>
> p...@pfe-laptop:~$ sudo radtest sonia salut 127.0.0.1:1812 1812 testing123
>
> Sending Access-Request of id 11 to 127.0.0.1 port 1812
> User-Name = sonia
> User-Password = salut
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 1812
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=20
>
> What is the problem, please? Is there something missing in my test?
> Thank you


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany


Re: Libtool / autoconf is evil

2010-05-04 Thread Alan DeKok
Aaron Turner wrote:
> It is annoying you need Cmake installed to do a build, but I figure 95%
> of my users are installing pre-built packages and the other 5% are
> advanced enough to figure it out.  20 years ago when everyone was
> building everything from source rather than installing binary
> packages, it would have been a deal breaker for me too, but things have
> changed sufficiently that I'm willing to accept it.

  Good point.

> Honestly, if Auto* does what you need, then it's probably not worth
> moving to another system.  I can't say I was happy with
> autoconf/automake but it worked and when I got bug reports from users
> I was able to fix them without too much effort.

  Pretty much.  We're seeing more problems now with libtool & libltdl.
 So those are the higher priority for removal.

  Luckily, that looks easy to do.

  Alan DeKok.


Re: your mail

2010-05-04 Thread Alan Buxey
Hi,

> After installing Radius, I tried some examples. I don't know if it is
> correct because I'm new to it.
>
> I add on Users:
> sonia Auth-Type := Local, User-Password == salut
> Reply-Message = Hello, %u,
> Reply-Message = are you fine, %u

what version?  with anything recent this should work

sonia Cleartext-Password := "salut"
        Reply-Message = "Hello, %u",
        Reply-Message += "are you fine, %u"

> p...@pfe-laptop:~$ sudo radtest sonia salut 127.0.0.1:1812 1812 testing123
> Sending Access-Request of id 11 to 127.0.0.1 port 1812
> User-Name = sonia
> User-Password = salut
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 1812
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=20

..and this is just the client end - for real help, please post the output of
radiusd -X


alan


RE: your mail

2010-05-04 Thread dorra aa

the output of my radiusd -X is :
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /usr/local/var/log/radius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = /usr/local/etc/raddb/users
acctusersfile = /usr/local/etc/raddb/acct_users
preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = /usr/local/var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /usr/local/etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /usr/local/etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
Failed binding to authentication address * port 1812: Address already in use 
/usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 
1812
p...@pfe-laptop:~/freeradius-server-2.1.8$ killall radiusd
radiusd(4956): Opération non permise
radiusd: aucun processus tué
p...@pfe-laptop:~/freeradius-server-2.1.8$ sudo killall radiusd
p...@pfe-laptop:~/freeradius-server-2.1.8$ sudo radiusd -X
FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on May  3 2010 at 
23:42:10
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including 

Re: your mail

2010-05-04 Thread John Dennis

On 05/04/2010 09:20 AM, dorra aa wrote:

> sonia Auth-Type := Local, User-Password == salut

Don't set the Auth-Type, that's documented in many places, it's not in
the example http://deployingradius.com/documents/configuration/pap.html

> User-Password == salut

Is also incorrect, the documented attribute to use is Cleartext-Password 
and the documented operator is := not ==

--
John Dennis jden...@redhat.com



Basic wifi config

2010-05-04 Thread Philippe Schwarz
Hi,
I set up the following config, tried to follow the advices of freeradius
website (don't touch anything you could break in the raddb directory ;-) )

The config (in french, sorry) i used :
http://www.openbsd-edu.net/index.php/FreeRadius

FreeRadius OS: OpenBSD 4.5
freeradius-2.1.3RADIUS server implementation
192.168.1.9  172.16.0.133

AP : Linksys WRT54G
WPA Entreprise  TKIP
192.168.1.1

Client WinXP; SP2 DHCP

On the server :

pkg_add -v http://ftp.arcane-networks.fr/pub/OpenBSD/$(uname -r)/packages/$(uname -m)/freeradius


echo "if [ -x /usr/local/sbin/radiusd ]; then
install -d -o _freeradius /var/run/radiusd
echo -n ' radiusd'; /usr/local/sbin/radiusd
fi" >> /etc/rc.local


cp radius.pem /etc/raddb/certs/server.pem
chmod 744 /etc/raddb/certs/server.pem
cp ca.pem /etc/raddb/certs/ca.pem
chmod 744 /etc/raddb/certs/ca.pem

openssl verify -verbose -CApath /etc/raddb/certs/ -CAfile /etc/raddb/certs/ca.pem /etc/raddb/certs/server.pem

=> /etc/raddb/certs/server.pem: OK

dd  if=/dev/urandom of=/etc/raddb/certs/random bs=1024 count=100
openssl dhparam -out /etc/raddb/certs/dh 1024

echo "
usertest Cleartext-Password := \"password\"
" >> /etc/raddb/users


echo "

#Nagios
client Nagios {
secret = SECRETNAGIOS
shortname =  Nagios
ipaddr = @IP NAgios
}

#Wifi AP3
client AP3 {
secret = \"SECRET_AP3\"
shortname = AP3
ipaddr = @IP AP3
nastype = other
}

# Local
client localhost {
   ipaddr = 127.0.0.1
   secret  = \"SECRETLOCAL\"
   require_message_authenticator = no
   shortname   = localhost
   nastype = other
}
" >> /etc/raddb/clients.conf


ifconfig em0 alias 192.168.1.9 netmask 255.255.255.0

ifconfig -a
=em0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
=inet 172.16.0.223 netmask 0x broadcast 172.16.255.255
=inet 192.168.1.9 netmask 0xff00 broadcast 192.168.1.255


/usr/local/sbin/radiusd -X


radtest local & radtest remote are OK for the local and Nagios clients.


Let's go to the XP...

When i try to use the Wifi, the radiusd -X tells :

...I paste the logs to http://networkradius.com/freeradius.html
 and only copied the neither white nor blue parts :


WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
Cancelling invalid proxy request.
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.


grep roxy * | grep -v '#'

attrs.access_reject:Proxy-State =* ANY
attrs.accounting_response:  Proxy-State =* ANY
experimental.conf:  mod_preproxy = radiusd_test
experimental.conf:  func_preproxy = preproxy
experimental.conf:  mod_postproxy = radiusd_test
experimental.conf:  func_postproxy = postproxy
proxy.conf:proxy server {
radiusd.conf:proxy_requests  = no

What is the missing magic command which could help me ??

Thanks.
Best regards.

-- 
Lycée polyvalent Alfred Nobel, Clichy sous Bois
http://www.lyceenobel.org



R: Re: R: Re: R: rlm_ippool: No available ip addresses in pool

2010-05-04 Thread Tabacchiera Stefano
Alan,
here's the content of gdbm db:

rlm_ippool_tool -v db.ippool db.ipindex 
KEY: '9067fe4e396704b709d9cb2a592485fa' - ipaddr:192.168.1.5 active:1 cli:0 
num:1
KEY: '3502b76273775d9a81147f003ee0c913' - ipaddr:192.168.1.3 active:1 cli:0 
num:1
KEY: '7dfab3787e18fa9ac9aa1d29a364259b' - ipaddr:192.168.1.2 active:1 cli:0 
num:1
KEY: '2e8e64b237e81be655e98029e4e746eb' - ipaddr:192.168.1.1 active:1 cli:0 
num:1
KEY: '959f1236c1743765bd67472af2b043d4' - ipaddr:192.168.1.4 active:1 cli:0 
num:1 


And here's the output of radiusd -X:

FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May  3 
2010 at 08:21:55
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /home/test/etc/raddb/radiusd.conf
including configuration file /home/test/etc/raddb/clients.conf
including files in directory /home/test/etc/raddb/modules/
including configuration file /home/test/etc/raddb/modules/attr_filter
including configuration file /home/test/etc/raddb/modules/digest
including configuration file /home/test/etc/raddb/modules/mac2ip
including configuration file /home/test/etc/raddb/modules/preprocess
including configuration file /home/test/etc/raddb/modules/logintime
including configuration file /home/test/etc/raddb/modules/pap
including configuration file /home/test/etc/raddb/modules/detail.log
including configuration file /home/test/etc/raddb/modules/acct_unique
including configuration file /home/test/etc/raddb/modules/counter
including configuration file /home/test/etc/raddb/modules/expiration
including configuration file /home/test/etc/raddb/modules/linelog
including configuration file /home/test/etc/raddb/modules/realm
including configuration file /home/test/etc/raddb/modules/sradutmp
including configuration file /home/test/etc/raddb/modules/exec
including configuration file /home/test/etc/raddb/modules/krb5
including configuration file /home/test/etc/raddb/modules/detail
including configuration file 
/home/test/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /home/test/etc/raddb/modules/radutmp
including configuration file /home/test/etc/raddb/modules/mschap
including configuration file /home/test/etc/raddb/modules/checkval
including configuration file /home/test/etc/raddb/modules/passwd
including configuration file /home/test/etc/raddb/modules/unix
including configuration file /home/test/etc/raddb/modules/etc_group
including configuration file /home/test/etc/raddb/modules/otp
including configuration file /home/test/etc/raddb/modules/sql_log
including configuration file /home/test/etc/raddb/modules/perl
including configuration file /home/test/etc/raddb/modules/inner-eap
including configuration file /home/test/etc/raddb/modules/policy
including configuration file /home/test/etc/raddb/modules/pam
including configuration file /home/test/etc/raddb/modules/files
including configuration file /home/test/etc/raddb/modules/echo
including configuration file /home/test/etc/raddb/modules/ippool
including configuration file /home/test/etc/raddb/modules/mac2vlan
including configuration file /home/test/etc/raddb/modules/cui
including configuration file /home/test/etc/raddb/modules/wimax
including configuration file /home/test/etc/raddb/modules/always
including configuration file /home/test/etc/raddb/modules/chap
including configuration file /home/test/etc/raddb/modules/ldap
including configuration file /home/test/etc/raddb/modules/detail.example.com
including configuration file /home/test/etc/raddb/modules/attr_rewrite
including configuration file /home/test/etc/raddb/modules/ntlm_auth
including configuration file /home/test/etc/raddb/modules/smbpasswd
including configuration file /home/test/etc/raddb/modules/expr
including configuration file /home/test/etc/raddb/modules/smsotp
including configuration file /home/test/etc/raddb/policy.conf
including files in directory /home/test/etc/raddb/sites-enabled/
including configuration file /home/test/etc/raddb/sites-enabled/control-socket
including configuration file /home/test/etc/raddb/sites-enabled/default
including dictionary file /home/test/etc/raddb/dictionary
main {
prefix = /home/test
localstatedir = /home/test/var
logdir = /home/test/var/log/radius
libdir = /home/test/lib
radacctdir = /home/test/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /home/test/var/run/radiusd/radiusd.pid
checkrad = /home/test/sbin/checkrad
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
 security {
max_attributes = 200
 

srpm build error

2010-05-04 Thread Athiqur Rahman
I am trying to build freeradius rpm by following the instructions at 
http://wiki.freeradius.org/Red_Hat_FAQ#How_to_build_an_SRPM


I however get the following errors at the first step

# rpm -ivh freeradius-2.1.7-7.fc12.src.rpm
 1:freeradius warning: user mockbuild does not exist - 
using root

warning: group mockbuild does not exist - using root
### [100%]
error: unpacking of archive failed on file 
/usr/src/redhat/SOURCES/freeradius-logrotate;4be01a23: cpio: MD5 sum 
mismatch


I did a rpm -K which shows

# rpm -K freeradius-2.1.7-7.fc12.src.rpm
freeradius-2.1.7-7.fc12.src.rpm: sha1 md5 OK


I installed all the rpm-build packages before hand so do not know why 
this is happening. I am using Centos 5.4


--Athiq


Re: srpm build error

2010-05-04 Thread Jos Vos
On Tue, May 04, 2010 at 02:46:04PM +0100, Athiqur Rahman wrote:

> I am trying to build freeradius rpm by following the instructions at
> http://wiki.freeradius.org/Red_Hat_FAQ#How_to_build_an_SRPM
>
> I however get the following errors at the first step
>
> # rpm -ivh freeradius-2.1.7-7.fc12.src.rpm
>  1:freeradius warning: user mockbuild does not exist - using root
> warning: group mockbuild does not exist - using root
> ### [100%]
> error: unpacking of archive failed on file
> /usr/src/redhat/SOURCES/freeradius-logrotate;4be01a23: cpio: MD5 sum
> mismatch
>
> I did a rpm -K which shows
>
> # rpm -K freeradius-2.1.7-7.fc12.src.rpm
> freeradius-2.1.7-7.fc12.src.rpm: sha1 md5 OK
>
> I installed all the rpm-build packages before hand so do not know why
> this is happening. I am using Centos 5.4

I think this is related to the changes for RPM since F11.  You can not
unpack F11/F12 RPMs on F < 11 and RHEL/CentOS < 6.

If this is the case, unpack the src.rpm with rpm2cpio on a F11+ system
and copy the files to the appropriates places (SOURCES and SPECS) on
your CentOS system.

-- 
--Jos Vos j...@xos.nl
--X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--Amsterdam, The Netherlands| Fax: +31 20 6948204


Radius freeze

2010-05-04 Thread Tokie
Hi everyone,
I'm using FreeRADIUS Version 1.1.7 with Mysql.
I use for Hotspot system.

All works fine, but after around one day without activity, the radius
server doesn't answer.
Therefore, if I restart (/etc/init.d/freeradius restart), all works ok!!

I monitor with the command ps and just restart result:
# ps ax | grep freeradius
26118 ?        Ssl    0:00 /usr/sbin/freeradius

Immediately after the connection of a hotspot's user:
# ps ax | grep freeradius
26118 ?        Ssl    0:00 /usr/sbin/freeradius
26158 ?        Z      0:00 [freeradius] <defunct>

What does this mean: [freeradius] defunct?

If hotspot's user disconnect, nothing changes!!

Could you help me??

Re: srpm build error

2010-05-04 Thread Athiqur Rahman

Jos Vos wrote:

> On Tue, May 04, 2010 at 02:46:04PM +0100, Athiqur Rahman wrote:
>
>> I am trying to build freeradius rpm by following the instructions at
>> http://wiki.freeradius.org/Red_Hat_FAQ#How_to_build_an_SRPM
>>
>> I however get the following errors at the first step
>>
>> # rpm -ivh freeradius-2.1.7-7.fc12.src.rpm
>>  1:freeradius warning: user mockbuild does not exist - using root
>> warning: group mockbuild does not exist - using root
>> ### [100%]
>> error: unpacking of archive failed on file
>> /usr/src/redhat/SOURCES/freeradius-logrotate;4be01a23: cpio: MD5 sum
>> mismatch
>>
>> I did a rpm -K which shows
>>
>> # rpm -K freeradius-2.1.7-7.fc12.src.rpm
>> freeradius-2.1.7-7.fc12.src.rpm: sha1 md5 OK
>>
>> I installed all the rpm-build packages before hand so do not know why
>> this is happening. I am using Centos 5.4
>
> I think this is related to the changes for RPM since F11.  You can not
> unpack F11/F12 RPMs on F < 11 and RHEL/CentOS < 6.
>
> If this is the case, unpack the src.rpm with rpm2cpio on a F11+ system
> and copy the files to the appropriates places (SOURCES and SPECS) on
> your CentOS system.

Thanks. You are right about using old versions of Fedora. I
didn't have an old Fedora machine so used the following command

rpm --nomd5 -ivh  freeradius-2.1.7-7.fc12.src.rpm

After that I followed the instructions as normal and ended up with the
required RPMs. All except for

freeradius-libs
freeradius-devel

Are these 2 RPMs essential to the core running of freeradius?




Re: Radius freeze

2010-05-04 Thread Kenneth Marshall
On Tue, May 04, 2010 at 04:56:46PM +0200, Tokie wrote:
> Hi everyone,
> I'm using FreeRADIUS Version 1.1.7 with Mysql.
> I use for Hotspot system.
>
> All works fine, but after around one day without activity, the radius
> server doesn't answer.
> Therefore, if I restart (/etc/init.d/freeradius restart), all works ok!!
>
> I monitor with the command ps and just restart result:
> # ps ax | grep freeradius
> 26118 ?        Ssl    0:00 /usr/sbin/freeradius
>
> Immediately after the connection of a hotspot's user:
> # ps ax | grep freeradius
> 26118 ?        Ssl    0:00 /usr/sbin/freeradius
> 26158 ?        Z      0:00 [freeradius] <defunct>
>
> What does this mean: [freeradius] defunct?
>
> If hotspot's user disconnect, nothing changes!!
>
> Could you help me??

Restarting the server is the appropriate measure to use to address
this problem. The better solution would be to upgrade to version 2.1.8
which fixes so many bugs...

Cheers,
Ken


Re: srpm build error

2010-05-04 Thread John Dennis

On 05/04/2010 11:01 AM, Athiqur Rahman wrote:

> After that I followed the instructions as normal and ended up with the
> required RPMs. All except for
>
> freeradius-libs
> freeradius-devel
>
> Are these 2 RPMs essential to the core running of freeradius?


No, they've been deprecated.

BTW, you should probably use the latest 2.1.8 SRPM's, they are more current.
--
John Dennis jden...@redhat.com



Re: Basic wifi config

2010-05-04 Thread Alan DeKok
Philippe Schwarz wrote:
> I set up the following config, tried to follow the advices of freeradius
> website (don't touch anything you could break in the raddb directory ;-) )

  That's good.

> The config (in french, sorry) i used :
> http://www.openbsd-edu.net/index.php/FreeRadius

  Hmm.. that doesn't look all correct.  The certificate stuff isn't
necessary in 2.1.3.

> When i try to use the Wifi, the radiusd -X tells :
>
> ...I paste the logs to http://networkradius.com/freeradius.html
>  and only copied the neither white nor blue parts :
>
> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
> Cancelling invalid proxy request.
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
> Failed to authenticate the user.

  You didn't specify a password for the user.

> What is the missing magic command which could help me ??

  Specify a password, as suggested in:

Les fichiers importants
users

  on the OpenBSD page you used.

  Alan DeKok.


Re: R: Re: R: Re: R: rlm_ippool: No available ip addresses in pool

2010-05-04 Thread Alan DeKok
Tabacchiera Stefano wrote:
> Alan,
> here's the content of gdbm db:

  Ah... it's the DBM pools.

  Well.. use rlm_ippool_tool to manage the pool.

  Or, get your NAS to send accounting stop packets.  It's *supposed* to
send stop packets when a user session is cleared.

  Alan DeKok.


openssl

2010-05-04 Thread ds14.kornel

hi
I'm starting with linux and freeradius with peap configuration.
I'm using debian lenny 2.6.26-2-686, when running freeradius -X
(FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7
2008 at 23:35:34) I'm getting these errors


 Module: Instantiating eap
  eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
rlm_eap: No such sub-type for default EAP type peap
/etc/freeradius/eap.conf[1]: Instantiation failed for module eap
/etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module 
eap.
/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing 
authenticate section.

 }
}
Errors initializing modules

how should i install openssl ?? only compilation by hand will work here ??
Can anybody give needed advice please?

Thanks a lot for help! :)

Kornel


Re: openssl

2010-05-04 Thread Alexandre Chapellon
On Tuesday 04 May 2010 at 19:51 +0200, ds14.kornel wrote:

> hi
> I'm starting with linux and freeradius with peap configuration.
> I'm using debian lenny 2.6.26-2-686, when running freeradius -X
> (FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7
> 2008 at 23:35:34) I'm getting these errors
>
>  Module: Instantiating eap
>   eap {
> default_eap_type = peap
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
>   }
>  Module: Linked to sub-module rlm_eap_md5
>  Module: Instantiating eap-md5
> rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
> rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
> rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
>  Module: Linked to sub-module rlm_eap_mschapv2
>  Module: Instantiating eap-mschapv2
>    mschapv2 {
> with_ntdomain_hack = no
>    }
> rlm_eap: No such sub-type for default EAP type peap
> /etc/freeradius/eap.conf[1]: Instantiation failed for module eap
> /etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module
> eap.
> /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing
> authenticate section.
>  }
> }
> Errors initializing modules
>
> how should i install openssl ?? only compilation by hand will work
> here ??
> Can anybody give needed advice please?
>
> Thanks a lot for help! :)

I would say you will have to install openssl development headers and
recompile freeradius with the correct switches to enable eap module.

sudo apt-get install libssl-dev

and then recompile with --with-rlm-eap

This is just a guess.

> Kornel


-- 
Alexandre Chapellon alexandre.chapel...@mana.pf
Mana SAS

Re: openssl

2010-05-04 Thread Alan Buxey
Hi,

> }
> rlm_eap: No such sub-type for default EAP type peap
> /etc/freeradius/eap.conf[1]: Instantiation failed for module eap
> /etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module eap.
> /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate
> section.
>  }
> }
> Errors initializing modules

yep - the default debian install doesn't have OpenSSL support.

http://wiki.freeradius.org/Build#Building_Debian_packages


alan


Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

2010-05-04 Thread Difan Zhao
Hey guys,

This should be a quick one. 

When I enable on a Cisco device, it sends a request with username $enab15$. 

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=92, 
length=84
NAS-IP-Address = 172.17.254.100
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = $enab15$
Calling-Station-Id = 172.17.1.1
User-Password = password
Service-Type = Administrative-User

I used to store the username and password in the users file and it was 
working fine:

$enab15$   Cleartext-Password := password

Now I am trying to move this user from the file to the postgresql DB and my 
radcheck table looks like:

radius=# select * from radcheck;
 id | username | attribute          | op | value
----+----------+--------------------+----+----------
  1 | $enab15$ | Cleartext-Password | := | password

And it doesn't work. Then I am checking the debug and I found that the $ in 
the username was interpreted to something like =24:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck
WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, UserName,
Attribute, Value, Op   FROM radcheck   WHERE Username = '=24enab15=24'   ORDER
BY id

Then I changed the username to this =24enab15=24 and now it works.

I am just curious how freeradius or %{SQL-User-Name} treats special characters 
in username... Is there a way to treat them AS-IS? 

Thank you!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc. 
www.guest-tek.com
Email: difan.z...@guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514
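
The `=24` in the expanded query above is the hex code of `$`: the value substituted for `%{SQL-User-Name}` is escaped before it is placed inside the quoted SQL literal, which is also what keeps a quote character in a User-Name from ending that literal. The sketch below is an added example, not code from the post or from FreeRADIUS; the function names are hypothetical and the safe-character list is an assumption (compare it with `safe-characters` in your own sql.conf). It models the `=XX` encoding and flags `radcheck` usernames that can never match because they were stored unescaped.

```python
# Added illustration of the =XX escaping seen in the debug output above.
# Not FreeRADIUS source code; names and sample rows are constructed.

# Assumption: the characters passed through unchanged. Take the real list
# from the safe-characters setting of the sql module on your server.
SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)


def sql_escape(value, safe=SAFE_CHARACTERS):
    """Encode every byte that is not a safe character as =XX (upper-case hex)."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 32 or ch not in safe:
            out.append("=%02X" % byte)
        else:
            out.append(ch)
    return "".join(out)


def sql_unescape(value):
    """Reverse sql_escape(); raise ValueError on a malformed =XX sequence."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "=":
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or any(c not in "0123456789ABCDEFabcdef" for c in pair):
                raise ValueError("malformed escape at offset %d" % i)
            raw.append(int(pair, 16))
            i += 3
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def unreachable_rows(stored_usernames, safe=SAFE_CHARACTERS):
    """Return (stored, suggested) pairs for usernames the lookup cannot match.

    The query compares the column with the escaped User-Name, so a stored
    value is reachable only if it is exactly what sql_escape() would produce.
    """
    findings = []
    for stored in stored_usernames:
        try:
            plain = sql_unescape(stored)
        except ValueError:
            plain = stored  # not a valid escaped form: treat it as raw text
        expected = sql_escape(plain, safe)
        if expected != stored:
            findings.append((stored, expected))
    return findings


if __name__ == "__main__":
    # Constructed sample of radcheck.username values.
    rows = ["bob", "$enab15$", "=24enab15=24", "o'brien"]
    for stored, suggested in unreachable_rows(rows):
        print("never matches: %r -> store %r instead" % (stored, suggested))
```

Widening the safe-character list so that `$` is stored as-is is the other option; any character added there reaches the SQL literal unescaped, so quotes and backslashes must stay out of it.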



sqlcounter and ldap backend

2010-05-04 Thread Carlos Antonio Gómez Brizulela
Hello

I have installed freeradius + LDAP backend. I need to limit the
connection time per user. I found sqlcounter as a solution but I have
two problems:

1 - I need to take the values: Max-Daily-Session and
Max-Monthly-Session from LDAP and not from mysql DB.

2 - I need to terminate the connection when it meets the maximum
connection time.

Best regards,

Carlos A.

Sorry my English, I speak Spanish.


Re: R: Re: R: Re: R: rlm_ippool: No available ip addresses in pool

2010-05-04 Thread Tabacchiera Stefano
Tabacchiera Stefano wrote:
 Alan,
 here's the content of gdbm db:

  Ah... it's the DBM pools.
I already stated that in the subject of my mail (did you notice the module 
name?).


  Well.. use rlm_ippool_tool to manage the pool.

Great idea! Too bad that tool allows only to clear *all* the entries in the DBM 
pool.

Or am I just missing something?

  Or, get your NAS to send accounting stop packets.  It's *supposed* to
send stop packets when a user session is cleared.

As I already said, I know the NAS sometimes doesn't send acct-stop pkts, but 
it's out of my control.

My questions (still unanswered, let me say) are:

1) is maximum_timeout useless?

2) Is there a way to keep my dbm pool safe and updated (I mean no expired 
addresses), even in the case some acct-stop pkt are lost?

3) Should I switch to sql pool, 'cause dbm is actually unreliable?

Thanks again.

ST

RE: R: Re: R: Re: R: rlm_ippool: No available ip addresses in pool

2010-05-04 Thread Michael J. Hartwick
How is FreeRADIUS supposed to know when a user disconnects and frees up the
IP address from the pool if the NAS doesn't tell it? Anything else is not
exactly reliable. If you have a user with a long duration session that lasts
longer than your timeout the IP could be put back into the pool when it is
still in use.

The best solution would be to fix the NAS to send the packets or fix the
network to make sure they get delivered.

Michael

--
Michael J. Hartwick, VE3SLQ  hartw...@hartwick.com
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
--

 


Re: openssl

2010-05-04 Thread Josip Rodin
On Tue, May 04, 2010 at 07:58:03PM +0100, Alan Buxey wrote:
  rlm_eap: No such sub-type for default EAP type peap
 
 yep - the default debian install doesn't have OpenSSL support.
 
 http://wiki.freeradius.org/Build#Building_Debian_packages

No, only the default build of 2.1.8 from original source on Debian lacks the
libssl-dev build-dependency. The pre-built packages are fine, and that's
what everyone, ESPECIALLY NEWBIES, should be using.

Let me repeat the simple guide once again:

1.) Add Debian lenny-backports repository to your sources.list, for example:
deb http://backports.org/debian lenny-backports main

2.) Update the package list, for example with:
apt-get update

3.) Install the main FreeRADIUS package from there, for example with:
apt-get install -t lenny-backports freeradius

-- 
 2. That which causes joy or happiness.


Re: openssl

2010-05-04 Thread Alan Buxey
Hi,

  yep - the default debian install doesn't have OpenSSL support.

 No, only the default build of 2.1.8 from original source on Debian lacks the
 libssl-dev build-dependency. The pre-built packages are fine, and that's

yes, that's what I said...look above.

 3.) Install the main FreeRADIUS package from there, for example with:
 apt-get install -t lenny-backports freeradius

alternatively, grab the source and build it yourself. the choice is yours.

alan


Re: R: Re: R: Re: R: rlm_ippool: No available ip addresses in pool

2010-05-04 Thread Alan DeKok
Tabacchiera Stefano wrote:
 Great idea! Too bad that tool allows only to clear *all* the entries in
 the DBM pool.
 
 Or am I just missing something?

  shrug  Then write a Perl script to manage the pool.  It's just a DBM
file.

  Or, get your NAS to send accounting stop packets.  It's *supposed* to
send stop packets when a user session is cleared.
 
 As I already said, I know the NAS sometimes doesn't send acct-stop pkts,
 but it's out of my control.

  Well... your NAS is broken.  There's little we can do to fix that.

 My questions (still unanswered, let me say) are:
 
 1) is maximum_timeout useless?

  No idea.  I don't use that module.

 2) Is there a way to keep my dbm pool safe and updated (I mean
 no expired addresses), even in the case some acct-stop pkt are lost?

  No.

 3) Should I switch to sql pool, 'cause dbm is actually unreliable?

  You should switch to the sqlippool module.  It uses SQL features to
automatically clear old entries, even if the NAS is broken.

  This isn't about an unreliable DBM file.  The DBM file is reliable.
 It's your *NAS* that is broken.

  The additional features of SQL (which are missing in DBM) makes it
easier for FreeRADIUS to work around a broken NAS.

  Alan DeKok.


Re: openssl

2010-05-04 Thread Josip Rodin
On Tue, May 04, 2010 at 09:39:30PM +0100, Alan Buxey wrote:
  3.) Install the main FreeRADIUS package from there, for example with:
  apt-get install -t lenny-backports freeradius
 
 alternatively, grab the source and build it yourself. the choice is yours.

No, I think that is a false choice for these users. We should not be
telling random newbies to take a route that has time and time again been
demonstrated to be too complicated for them to handle, when they can easily
use a more efficient method - install safe working binaries. That also has
the benefit of keeping them in the loop for later updates from the same
reliable channel. If they explicitly tell us that they already use Debian,
then we can't have much reason to have them avoid these Debian-specific
methods that accomplish our goals - to make these people happy users of FR.

This is one fairly trivial bug, even if one knows very little about
compiling source code - one just has to google, and/or read the official
web site (wiki), and find that all they have to do is install that one
package and restart the build process, and they're good - yet numerous users
have sent an e-mail to the list saying it's been a showstopper for them.

I do not see what is there to gain by telling these people to keep using
a method they clearly do not understand enough to be able to solve a
relatively easy problem with. Sure, they can apply this quick fix now, but
will it help their FreeRADIUS experience, and in turn will it help
FreeRADIUS? Isn't it better for all to get them past the installation phase
as quickly as possible, and not have to rehash these tangential issues,
when time could be better spent educating them about core issues such as
FreeRADIUS configuration semantics, or RADIUS protocol issues?

-- 
 2. That which causes joy or happiness.


Re: Basic wifi config

2010-05-04 Thread Philippe Schwarz
On 04/05/2010 19:05, Alan DeKok wrote:
 Philippe Schwarz wrote:
 The config (in french, sorry) i used :
 http://www.openbsd-edu.net/index.php/FreeRadius
 
   Hmm.. that doesn't look all correct.  The certificate stuff isn't
 necessary in 2.1.3.
OK, but it's only useless; I can keep it that way, right?
 
.. Failed to authenticate the user.
 
   You didn't specify a password for the user.
Oh! I should have read more carefully..
I thought I'd have a popup for login, pass later..

 
 What is the missing magic command which could help me ??
 
   Specify a password, as suggested in:
 
 Les fichiers importants
 users
OK, but my users are stored in an LDAP/samba backend; I'll give it a try
soon.
BTW, the password is one-way encrypted, and I tried

 echo -n 'user::Password' | md5

and pasted the md5 into the users file, and it did not work..
Maybe the null realm is the problem.



Thanks.

-- 
Lycée polyvalent Alfred Nobel, Clichy sous Bois
http://www.lyceenobel.org



Allow unlimited simultaneous users ?

2010-05-04 Thread James Hallahan
Hi Everybody,

Right off the bat I will tell you that this is my first experience with
FreeRadius.

I have a customer that wants to be able to connect their laptops to a
private network where we are running Edirectory as the authentication
directory.

Elements include - FreeRadius 2.1.6, Edirectory 8.7.x, SLES 11, LDAP
authentication, Windows XP sp3, Novell Client32 4.91 sp5

I have this working Windows XP sp3 workstation and the user is prompted
for username and password for network access.

Import of root CA from FreeRadius Server to Windows XP (SLES 11)
PEAP and MSCHAP2 configuration on Windows XP

The workstations only login to Edir to authenticate and sync their local
passwords all the applications are in a Citrix farm running off a Portal
and the user has to login an extra time to access the portal. (Which
could be a different username / password)

Actually the certificate + username and password are only giving the
user an IP address, there are no rights involved.

I was wondering if it is possible to get rid of the pop-up with username
and password by using a predefined username and password for all the
users ? This could mean (worst case) 200-300 simultaneous users with
same FreeRadius username-password. This shouldn't be a problem for
Edirectory but I am unsure in regard to FreeRadius. I can change the
password on the workstation at intervals by way of software
distribution.

All the users will be connecting by way of 1 Cisco controller connected
to the APs by way of a VPN.

Any thoughts - Experience with this ?

Jim





