Re: ask for help on WiMAX + Freeradius + Disconnect
Xiaochen wrote:
> After packet.txt was sent to AGW, radclient debug window said: “Unknown WiMAX-Session-ID or Unknown WiMAX-DM-Action-Code”

radclient doesn't produce that error message. Please post the *real* error message, and not anything else.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ippool and assigning IP from different pools, depending on NAS attr.
Hi all. I have a RADIUS server which assigns IP addresses to users. I use rlm_ippool, but I need to assign an IP address only from the pool which is linked with a RADIUS packet parameter - NAS. If a user comes with nas=xxx.xxx.xxx.xxx - it takes an IP from pool1, if with nas=yyy.yyy.yyy.yyy - then from pool2. Is it possible?
Re: rlm_ippool and assigning IP from different pools, depending on NAS attr.
Is this a correct solution?

server allauth {
        listen {
                type = auth
                ipaddr = *
                port = 1812
        }
        authorize {
                auth_log
                update control {
                        Auth-Type = 'Accept'
                }
        }
        post-auth {
                if (control:NAS-IP-Address == '222.22.22.125') {
                        update control {
                                Pool-Name = 'pool_125'
                        }
                        redundant {
                                mysqlippool1
                                mysqlippool2
                                pool_125
                        }
                }
                else {
                        update control {
                                Pool-Name = 'pool_126'
                        }
                        redundant {
                                mysqlippool1
                                mysqlippool2
                                pool_126
                        }
                }

                reply_log
        }
}

Quoting *Konstantin Chekushin ko...@inbox.lv*:
> Hi all. I have a RADIUS server which assigns IP addresses to users. I use rlm_ippool, but I need to assign an IP address only from the pool which is linked with a RADIUS packet parameter - NAS.
> If a user comes with nas=xxx.xxx.xxx.xxx - it takes an IP from pool1, if with nas=yyy.yyy.yyy.yyy - then from pool2. Is it possible?
Re: rlm_ippool and assigning IP from different pools, depending on NAS attr.
Hello Konstantin Chekushin,

On 2010-09-01 11:21:17, you hacked down the following:
> Is this a correct solution?
>
> server allauth {
>         listen {
>                 type = auth

No, because your encoding is wrong!

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL, Owner Michelle Konzack
Apt. 917 (homeoffice), 50, rue de Soultz, 67100 Strasbourg/France
Tel: +33-6-61925193 mobil
Tel: +33-9-52705884 fix

itsyst...@tdnet UG (limited liability), Owner Michelle Konzack
Kinzigstraße 17, 77694 Kehl/Germany
Tel: +49-177-9351947 mobil

http://www.itsystems.tamay-dogan.net/ http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/ http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re:Re: ask for help on WiMAX + Freeradius + Disconnect (Alan DeKok)
> Xiaochen wrote:
>> After packet.txt was sent to AGW, radclient debug window said: “Unknown WiMAX-Session-ID or Unknown WiMAX-DM-Action-Code”
>
> radclient doesn't produce that error message. Please post the *real* error message, and not anything else.
>
> Alan DeKok.

When content of packet.txt is as:

Acct-Session-Id=0001
Calling-Station-Id=001E310008CC
User-Name=wimax
X-Ascend-Session-Svr-Key=0123456789
NAS-IP-Address=100.1.6.5
NAS-Identifier=100.1.6.5
WiMAX-DM-Action-Id=
#WiMAX-Session-Id=02

Freeradius said:

[r...@aaa bin]# cat packet.txt | radclient -x 100.1.6.4:3799 disconnect 0123456789
radclient: XUnknown attribute WiMAX-DM-Action-Id
[r...@aaa bin]#

When content of packet.txt is as:

Acct-Session-Id=0001
Calling-Station-Id=001E310008CC
User-Name=wimax
X-Ascend-Session-Svr-Key=0123456789
NAS-IP-Address=100.1.6.5
NAS-Identifier=100.1.6.5
#WiMAX-DM-Action-Id=
WiMAX-Session-Id=02

[r...@aaa bin]# cat packet.txt | radclient -x 100.1.6.4:3799 disconnect 0123456789
radclient: XUnknown attribute WiMAX-Session-Id
[r...@aaa bin]#

Thanks!
xiaochen
Re: eap/ttls proxy: No EAP session matching the State variable.
Kadlecsik Jozsef wrote:
> We have a working freeradius setup, with one exception: when guests try to authenticate (EduRoam) it always fails.

You are trying to do EAP locally, *and* proxy EAP to another server.

> Here follows the output of eapol_test:

That isn't necessary.

> And the debugging log of our freeradius server:

That helps.

> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160
>         User-Name = anonym...@teszt.eduroam.hu

The original packet from eapol_test.

> +- entering group pre-proxy {...}
> ...
> Sending Access-Request of id 135 to 195.111.98.4 port 1812
>         User-Name = anonym...@teszt.eduroam.hu

Which is proxied.

> rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, length=67

i.e. received an Access-Challenge from the home server.

> Sending Access-Challenge of id 1 to 127.0.0.1 port 43327

i.e. it's being sent back to eapol_test.

> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, length=240

And the NAS is continuing the EAP conversation.

>         User-Name = anonym...@teszt.eduroam.hu

And this packet isn't proxied. Why?

> rlm_eap: No EAP session matching the State variable.
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

Since it isn't proxied, it's handled locally.

If you simply configure a realm teszt.eduroam.hu, and tie it to the home server, it *will* work. You've clearly done something else, where the first packet is proxied (somehow), and the later ones aren't.

i.e. you've spent time creating a *complicated* proxy decision that doesn't work, rather than using the *simple* proxying method that is included with the server.

Alan DeKok.
Re: ask for help on WiMAX + Freeradius + Disconnect (Alan DeKok)
Xiaochen wrote:
> [r...@aaa bin]# cat packet.txt | radclient -x 100.1.6.4:3799 disconnect 0123456789
> radclient: XUnknown attribute WiMAX-Session-Id

Use attributes that are defined in the WiMAX dictionary. Or, update the WiMAX dictionary to include the attributes you're using.

Alan DeKok.
Re: Failed (re-)authentification after some time...
Alan DeKok al...@deployingradius.com wrote on 31 August 2010 at 13:18:
> Jan Zacharias wrote:
>> Call me dumb, but I have no idea what to look for.
>
> Neither do I. It's your system...
>
>> One idea: is ntlm_auth referred to as child? Maybe I should write a wrapper and see how long execution of this helper program takes,
>
> Possibly, yes.

│ ├─┬◆ 65437 root sshd: r...@pts/4 (sshd)
│ │ └─┬◆ 65440 root -bash (bash)
│ │   └─┬◆ 76322 freeradius radiusd -s -X -xx -f
│ │     └─┬─ 76421 freeradius /bin/sh /usr/local/bin/ntlm_auth_wrapper --request-nt-key --domain=DFKI --username=jan --challenge=xxx --nt-response=xxx

So, yes :) The wrapper logged PID and time (real,sys,user) of ntlm_auth

To speed up the debugging, I introduced a sleep of varying duration in the ntlm_auth_wrapper. I found that freeradius kills the ntlm stuff if it takes longer than ten seconds to complete.

My suggestion is that we introduce a configuration variable ntlm_auth_retries so that freerad kills the process, but then tries again until the retry-count is reached. This would greatly improve reliability in stress/high load/failover scenarios :)

What do you think, Alan? Anyone else?

Best,
Jan

> Alan DeKok.
Re: Failed (re-)authentification after some time...
Jan Zacharias wrote:
> To speed up the debugging, I introduced a sleep of varying duration in the ntlm_auth_wrapper. I found that freeradius kills the ntlm stuff if it takes longer than ten seconds to complete.

Yes. Any child script which takes that long is broken.

> My suggestion is that we introduce a configuration variable ntlm_auth_retries so that freerad kills the process,

No. You can write a shell script wrapper around ntlm_auth that does:

- fork ntlm_auth
- wait 1s for it to return
- if it doesn't return, kill it
- try to fork it again

> What do you think, Alan? Anyone else?

This isn't a server problem, and changing the server isn't necessary.

Alan DeKok.
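The four steps in the reply above (fork ntlm_auth, wait 1s, kill it if it has not returned, fork again), written out as a shell wrapper. This is an added example, not code from the thread or from FreeRADIUS; the path /usr/bin/ntlm_auth and the names NTLM_AUTH, TRY_SECONDS and MAX_TRIES are assumptions.

```shell
#!/bin/sh
# Added example: retry wrapper around ntlm_auth (fork, wait, kill, fork again).
# NTLM_AUTH, TRY_SECONDS and MAX_TRIES are assumed names, not FreeRADIUS options.
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"  # assumed install path
TRY_SECONDS="${TRY_SECONDS:-1}"               # whole seconds to wait per attempt
MAX_TRIES="${MAX_TRIES:-3}"                   # keep TRY_SECONDS * MAX_TRIES well
                                              # under the ten-second kill seen in
                                              # the thread

# run_once SECONDS CMD [ARGS...]
# Start CMD in the background and poll it ten times a second. If it is still
# alive at the deadline, kill it and return 124; otherwise return CMD's own
# exit status. Fractional sleep is a GNU/BSD/busybox extension to POSIX.
run_once() {
    limit=$1
    shift
    "$@" &
    child=$!
    ticks=$((limit * 10))
    while [ "$ticks" -gt 0 ] && kill -0 "$child" 2>/dev/null; do
        sleep 0.1
        ticks=$((ticks - 1))
    done
    if kill -0 "$child" 2>/dev/null; then
        kill -KILL "$child" 2>/dev/null || true
        wait "$child" 2>/dev/null || true
        return 124
    fi
    wait "$child"
}

# ntlm_retry ARGS...
# Run "$NTLM_AUTH ARGS" up to MAX_TRIES times, retrying only after a timeout.
# A real answer from ntlm_auth (success or rejection) is returned at once, so
# a rejected response is never replayed against the domain controller. Output
# is buffered per attempt so a killed attempt cannot hand partial output to
# radiusd, and the log line carries no arguments (they hold the challenge and
# the NT response).
ntlm_retry() {
    buf=$(mktemp) || return 1
    try=1
    rc=124
    while [ "$try" -le "$MAX_TRIES" ]; do
        rc=0
        run_once "$TRY_SECONDS" "$NTLM_AUTH" "$@" >"$buf" || rc=$?
        if [ "$rc" -ne 124 ]; then
            break
        fi
        echo "ntlm_auth attempt $try timed out after ${TRY_SECONDS}s" >&2
        try=$((try + 1))
    done
    if [ "$rc" -ne 124 ]; then
        cat "$buf"
    fi
    rm -f "$buf"
    return "$rc"
}

# Act as the wrapper only when installed under the name seen in the process
# listing earlier in the thread; otherwise just define the functions.
case "${0##*/}" in
    ntlm_auth_wrapper) ntlm_retry "$@"; exit $? ;;
esac
```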
Re: eap/ttls proxy: No EAP session matching the State variable.
On Wed, 1 Sep 2010, Alan DeKok wrote:
> Kadlecsik Jozsef wrote:
>> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160
>>         User-Name = anonym...@teszt.eduroam.hu
>
> The original packet from eapol_test.
>
>> +- entering group pre-proxy {...}
>> ...
>> Sending Access-Request of id 135 to 195.111.98.4 port 1812
>>         User-Name = anonym...@teszt.eduroam.hu
>
> Which is proxied.
>
>> rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, length=67
>
> i.e. received an Access-Challenge from the home server.
>
>> Sending Access-Challenge of id 1 to 127.0.0.1 port 43327
>
> i.e. it's being sent back to eapol_test.
>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, length=240
>
> And the NAS is continuing the EAP conversation.
>
>>         User-Name = anonym...@teszt.eduroam.hu
>
> And this packet isn't proxied. Why?
>
>> rlm_eap: No EAP session matching the State variable.
>> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
>
> Since it isn't proxied, it's handled locally.

It turned out that the default setting in the virtual server:

authorize {
        ...
        eap {
                ok = return
        }
        files
}

prevented the daemon from processing the users file. From the debug log:

+[mschap] returns noop
[eap] EAP packet type response id 2 length 93
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}

i.e., the users file was skipped.

Thanks for pointing out the local processing, somehow we did not realize it.

Best regards,
Jozsef
--
E-mail : kad...@mail.kfki.hu, kad...@blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
         H-1525 Budapest 114, POB. 49, Hungary
RE: ask for help on WiMAX + Freeradius + Disconnect
Step 1: Read the wimax dictionary file. It will help you understand what types of data you need to be putting into each attribute.

update disconnect {
        User-Name = "%{User-Name}"
        Calling-Station-Id = "%{Calling-Station-Id}"
        WiMAX-AAA-Session-Id = "%{WiMAX-AAA-Session-Id}"
        WiMAX-DM-Action-Code = Deregister-MS
}

The session ID needs to be identical to the one returned to the ASN-GW during network entry.

man unlang for more info.

For testing from the CLI echo the required attributes into radclient.

man radclient

Ben

From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of Xiaochen
Sent: Tuesday, August 31, 2010 8:44 PM
To: freeradius-users@lists.freeradius.org
Subject: ask for help on WiMAX + Freeradius + Disconnect

Hello, friends,

I met some problems when using Freeradius to send a Disconnect Request. I hope you can give me some suggestions. Please let me describe my issue.

First I created a packet.txt for radclient.exe. The content of packet.txt is as:

Acct-Session-Id=0001
Calling-Station-Id=001E310008CC
User-Name=wimax
X-Ascend-Session-Svr-Key=0123456789
NAS-IP-Address=100.1.6.5
NAS-Identifier=100.1.6.5
WiMAX-Session-ID=”XXX”
WiMAX-DM-Action-Code=””

After packet.txt was sent to AGW, radclient debug window said: “Unknown WiMAX-Session-ID or Unknown WiMAX-DM-Action-Code”

WiMAX NWG 1.3 says:

5.4.1.7 RADIUS Disconnect Request Message
Disconnect Request message should be defined with the following: User-Name、Calling-Station-Id、WiMAX-Session-ID、WiMAX-DM-Action-Code

So I must add WiMAX-Session-ID and WiMAX-DM-Action-Code and make Freeradius send them.

Could you please give me any suggestions on how to add the attributes WiMAX-Session-ID and WiMAX-DM-Action-Code to the sent message?

Thanks a lot for your help in advance!

Xiaochen Chen @ WiMAX Test Lab
Beijing, China
control-socket on freeradius 2.1.8
Hi all

I'm trying to configure control-socket functionality on freeradius 2.1.8. Radius in debug mode shows:

radiusd: Opening IP addresses and Ports
listen {
        type = auth
        ipaddr = *
        port = 1645
}
listen {
        type = acct
        ipaddr = *
        port = 1646
}
listen {
        type = control
 listen {
        socket = /opt/freeradius/var/run/radiusd/radiusd.sock
        uid = testuser
        gid = users
        mode = rw
 }
}
Listening on authentication address * port 1645
Listening on accounting address * port 1646
Listening on command file /opt/freeradius/var/run/radiusd/radiusd.sock
Ready to process requests.

The socket is created with these permissions:

ls -ltr /opt/freeradius/var/run/radiusd/radiusd.sock
srw-rw 1 radius radius 0 2010-09-01 20:18 /opt/freeradius/var/run/radiusd/radiusd.sock

When I try to connect to the socket with radmin I receive a permission denied:

/opt/freeradius/sbin ./radmin -d ../etc_devel/raddb/
radmin: Failed connecting to /opt/freeradius/var/run/radiusd/radiusd.sock: Permission denied

radmin is launched with the 'testuser' user.

Does anyone know where the problem is?

Regards
RE: control-socket on freeradius 2.1.8
> The socket is created with these permissions:
>
> ls -ltr /opt/freeradius/var/run/radiusd/radiusd.sock
> srw-rw 1 radius radius 0 2010-09-01 20:18 /opt/freeradius/var/run/radiusd/radiusd.sock
>
> When I try to connect to the socket with radmin I receive a permission denied:
>
> /opt/freeradius/sbin ./radmin -d ../etc_devel/raddb/
> radmin: Failed connecting to /opt/freeradius/var/run/radiusd/radiusd.sock: Permission denied
>
> radmin is launched with the 'testuser' user.
>
> Does anyone know where the problem is?

The user 'testuser' does not have permission to access the socket. Add 'testuser' to the group 'radius' or run radmin as root.

Tim
Re: ..::Huntgroup Issues::..
Thanks for the advice to everyone.

As per your recommendation we changed the users file with the following line:

steve2  Cleartext-Password := testing, Huntgroup-Name == arcsight

but we got the same result, access-reject. And we got the following output:

rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139, length=58
        User-Name = steve2
        User-Password = testing
        NAS-IP-Address = 192.168.2.251
        NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = steve2, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
_/No authenticate method (Auth-Type) configuration found for the request: Rejecting the user/_
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - steve2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 139 to 127.0.0.1 port 6729
Waking up in 4.9 seconds.
Cleaning up request 0 ID 139 with timestamp +5

I have a question: we removed the authentication value and the debug shows that it is looking for it, why is that?

Maybe someone who has huntgroups running can send examples of the users and huntgroups files, that may help a lot.

Thanks in advance.

Regards
Alfonso.

On 24/08/2010 04:46 a.m., Alan DeKok wrote:
> Alfonso Alejandro Reyes Jiménez wrote:
>> Hi, I'm trying to use the huntgroup feature on the freeradius software without luck.
>> I think I'm missing something, that's why I'm sending this email, maybe you can help me.
>
> You should read the debug output of the server. The answer is in there.
>
>> users file at the end:
>> alfonso Auth-Type := Local, User-Password == testing, Huntgroup-Name == squid
>
> sigh Don't set Auth-Type. Use Cleartext-Password := ..., and not User-Password == ...
>
>> Here's the output of the debug, it seems that it doesn't find the config file.
>
> No. It finds the DEFAULT entry earlier in the file. Why? This is documented. Read the comments at the top of the users file. Read the man users page. Read the FAQ for an example of how to configure a test user.
>
> Alan DeKok.
Re: control-socket on freeradius 2.1.8
On 9/1/10, Tim Sylvester tim.sylves...@networkradius.com wrote:
>> The socket is created with these permissions:
>>
>> ls -ltr /opt/freeradius/var/run/radiusd/radiusd.sock
>> srw-rw 1 radius radius 0 2010-09-01 20:18 /opt/freeradius/var/run/radiusd/radiusd.sock
>>
>> When I try to connect to the socket with radmin I receive a permission denied:
>>
>> /opt/freeradius/sbin ./radmin -d ../etc_devel/raddb/
>> radmin: Failed connecting to /opt/freeradius/var/run/radiusd/radiusd.sock: Permission denied
>>
>> radmin is launched with the 'testuser' user.
>>
>> Does anyone know where the problem is?
>
> The user 'testuser' does not have permission to access the socket. Add 'testuser' to the group 'radius' or run radmin as root.
>
> Tim

Is it possible to connect to the socket with a group different from 'radius'?

Regards.
RE: control-socket on freeradius 2.1.8
>> The user 'testuser' does not have permission to access the socket. Add 'testuser' to the group 'radius' or run radmin as root.
>>
>> Tim
>
> Is it possible to connect to the socket with a group different from 'radius'?

Yes. Check the documentation in the raddb/sites-available/control-socket file for instructions on how to set the user and group that are allowed to access the socket using radmin. Also, check man radmin for more info.

Tim
RE: RE: ask for help on WiMAX + Freeradius + Disconnect
> Message: 4
> Date: Wed, 1 Sep 2010 09:35:53 -0500
> From: Ben Wiechman wiechman.li...@gmail.com
> Subject: RE: ask for help on WiMAX + Freeradius + Disconnect
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 4c7e64c3.c84de70a.22a4.2...@mx.google.com
> Content-Type: text/plain; charset=iso-2022-jp
>
> Step 1: Read the wimax dictionary file. It will help you understand what types of data you need to be putting into each attribute.
>
> update disconnect {
>         User-Name = "%{User-Name}"
>         Calling-Station-Id = "%{Calling-Station-Id}"
>         WiMAX-AAA-Session-Id = "%{WiMAX-AAA-Session-Id}"
>         WiMAX-DM-Action-Code = Deregister-MS
> }
>
> The session ID needs to be identical to the one returned to the ASN-GW during network entry.
>
> man unlang for more info.
>
> For testing from the CLI echo the required attributes into radclient.
>
> man radclient
>
> Ben

***

> Use attributes that are defined in the WiMAX dictionary. Or, update the WiMAX dictionary to include the attributes you're using.
>
> Alan DeKok.

Thanks Alan and Ben,

I will try today and email the result in the mailing list.

Xiaochen
[no subject]
Hi all,

We upgraded freeradius from 1.1.6 to 2.1.18 recently. It looks like 2.1.8 will reply with an Access-Reject when [ldap] returns fail, but 1.1.6 just keeps silent. Is there a way to make 2.1.8 reply nothing in that case?

Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.155.20.85 port 32770, id=182, length=130
        Service-Type = Authorize-Only
        NAS-Port-Type = Wireless-802.11
        User-Name = test2008
        MS-CHAP-Challenge = 0x766bb4f5ae93e28b4630b8fbc674e137
        MS-CHAP2-Response = 0x3700e851effcf3aa3f7731204ca90dcbd9836c9248ca4d87e72d0b4a91dbd2672bb1f8f5b725187953ff
        NAS-IP-Address = 10.155.20.85
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for test2008
[ldap] expand: (sAMAccountName=%{mschap:User-Name}) - (sAMAccountName=test2008)
[ldap] expand: OU=Domain Controllers,dc=aero-hz,dc=cn - OU=Domain Controllers,dc=aerohive-hz,dc=cn
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.155.3.2:389, authentication 0
[ldap] bind as h...@aero-hz.cn/w200h to 10.155.3.2:389
[ldap] h...@aero-hz.cn bind to 10.155.3.2:389 failed: Can't contact LDAP server
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Sending Access-Reject of id 182 to 10.155.20.85 port 32770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 182 with timestamp +10
Ready to process requests.
Re:
--- On Thursday, 2 September 2010, John elmer_rad...@yahoo.com.cn wrote:

> From: John elmer_rad...@yahoo.com.cn
> Subject:
> To: freeradius-users@lists.freeradius.org
> Date: Thursday, 2 September 2010, 12:45 PM
>
> Hi all,
>
> We upgraded freeradius from 1.1.6 to 2.1.18 recently. It looks like 2.1.8 will reply with an Access-Reject when [ldap] returns fail, but 1.1.6 just keeps silent. Is there a way to make 2.1.8 reply nothing in that case?
>
> Listening on authentication address * port 1812
> Listening on proxy address * port 1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.155.20.85 port 32770, id=182, length=130
>         Service-Type = Authorize-Only
>         NAS-Port-Type = Wireless-802.11
>         User-Name = test2008
>         MS-CHAP-Challenge = 0x766bb4f5ae93e28b4630b8fbc674e137
>         MS-CHAP2-Response = 0x3700e851effcf3aa3f7731204ca90dcbd9836c9248ca4d87e72d0b4a91dbd2672bb1f8f5b725187953ff
>         NAS-IP-Address = 10.155.20.85
> +- entering group authorize {...}
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [ldap] performing user authorization for test2008
> [ldap] expand: (sAMAccountName=%{mschap:User-Name}) - (sAMAccountName=test2008)
> [ldap] expand: OU=Domain Controllers,dc=aero-hz,dc=cn - OU=Domain Controllers,dc=aerohive-hz,dc=cn
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to 10.155.3.2:389, authentication 0
> [ldap] bind as h...@aero-hz.cn/w200h to 10.155.3.2:389
> [ldap] h...@aero-hz.cn bind to 10.155.3.2:389 failed: Can't contact LDAP server
> [ldap] (re)connection attempt failed
> [ldap] search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns fail
> Sending Access-Reject of id 182 to 10.155.20.85 port 32770
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 182 with timestamp +10
> Ready to process requests.