Re: ask for help on WiMAX + Freeradius + Disconnect

2010-09-01 Thread Alan DeKok
Xiaochen wrote:
 After packet.txt was sent to AGW, radclient debug window said: “Unknown
 WiMAX-Session –ID or Unknown WiMAX-DM-Action-Code ”

  radclient doesn't produce that error message.

  Please post the *real* error message, and not anything else.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

rlm_ippool and assigning IP from different pools, depending on NAS attr.

2010-09-01 Thread Konstantin Chekushin

 Hi all. I have a radius server, which assigns ip-addresses to users. I
 use rlm_ippool, but I need to assign an ip-address only from the pool
 which is linked with a radius packet parameter - NAS. If a user comes
 with nas=xxx.xxx.xxx.xxx it takes an ip from pool1, if with
 nas=yyy.yyy.yyy.yyy then from pool2.
 Is it possible?

Re: rlm_ippool and assigning IP from different pools, depending on NAS attr.

2010-09-01 Thread Konstantin Chekushin

 Is this a correct solution?

 server allauth {
     listen {
         type = auth
         ipaddr = *
         port = 1812
     }
     authorize {
         auth_log
         update control {
             Auth-Type = 'Accept'
         }
     }
     post-auth {
         # NAS-IP-Address arrives in the request list, not the control list
         if (request:NAS-IP-Address == '222.22.22.125') {
             update control {
                 Pool-Name = 'pool_125'
             }
             redundant {
                 mysqlippool1
                 mysqlippool2
                 pool_125
             }
         }
         else {
             update control {
                 Pool-Name = 'pool_126'
             }
             redundant {
                 mysqlippool1
                 mysqlippool2
                 pool_126
             }
         }
         reply_log
     }
 }
  Quoting *Konstantin Chekushin ko...@inbox.lv*:
 Hi all. I have radius server, which assign ip-addresses to users. I
 use rlm_ippool, but I need to assign ip-address only from the pool,
 which is linked with radius packet parameter - NAS. If user comes
 with nas=xxx.xxx.xxx.xxx - it takes ip from pool1, if with
 nas=yyy.yyy.yyy.yyy - then from pool2.
  Is it possible?

Re: rlm_ippool and assigning IP from different pools, depending on NAS attr.

2010-09-01 Thread Michelle Konzack
Hello Konstantin Chekushin,

On 2010-09-01 11:21:17, you hacked out the following:
 
  Does it correct solution?
  server allauth {
  #160;#160;#160;#160;#160;#160;#160; listen {
  
 #160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;
  type = auth
  
 #160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;#160;

No, because your encoding is wrong!

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL          itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack               Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                    Kinzigstraße 17
67100 Strasbourg/France              77694 Kehl/Germany
Tel: +33-6-61925193 mobile           Tel: +49-177-9351947 mobile
Tel: +33-9-52705884 fixed line

http://www.itsystems.tamay-dogan.net/   http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/      http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: Re: ask for help on WiMAX + Freeradius + Disconnect (Alan DeKok)

2010-09-01 Thread Xiaochen
Xiaochen wrote:
 After packet.txt was sent to AGW, radclient debug window said: "Unknown
 WiMAX-Session -ID or Unknown WiMAX-DM-Action-Code "

  radclient doesn't produce that error message.

  Please post the *real* error message, and not anything else.

  Alan DeKok.




When content of packet.txt is as:

Acct-Session-Id=0001
Calling-Station-Id=001E310008CC
User-Name=wimax
X-Ascend-Session-Svr-Key=0123456789
NAS-IP-Address=100.1.6.5
NAS-Identifier=100.1.6.5
WiMAX-DM-Action-Id=
#WiMAX-Session-Id=02

Freeradius said:
[r...@aaa bin]# cat packet.txt | radclient -x 100.1.6.4:3799 disconnect
0123456789
radclient: XUnknown attribute WiMAX-DM-Action-Id
[r...@aaa bin]#


When content of packet.txt is as:

Acct-Session-Id=0001
Calling-Station-Id=001E310008CC
User-Name=wimax
X-Ascend-Session-Svr-Key=0123456789
NAS-IP-Address=100.1.6.5
NAS-Identifier=100.1.6.5
#WiMAX-DM-Action-Id=
WiMAX-Session-Id=02

[r...@aaa bin]# cat packet.txt | radclient -x 100.1.6.4:3799 disconnect
0123456789
radclient: XUnknown attribute WiMAX-Session-Id
[r...@aaa bin]#


Thanks !

xiaochen



Re: eap/ttls proxy: No EAP session matching the State variable.

2010-09-01 Thread Alan DeKok
Kadlecsik Jozsef wrote:
 We have a working freeradius setup, with one exception: when guests try to 
 authenticate (EduRoam) it always fails.

  You are trying to do EAP locally, *and* proxy EAP to another server.

 Here follows the output of eapol_test:

  That isn't necessary.


 And the debugging log of our freeradius server:

  That helps.

 rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0,
length=160
   User-Name = anonym...@teszt.eduroam.hu

  The original packet from eapol_test.

 +- entering group pre-proxy {...}
...
 Sending Access-Request of id 135 to 195.111.98.4 port 1812
   User-Name = anonym...@teszt.eduroam.hu

  Which is proxied.

 rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, 
 length=67

  i.e. received an Access-Challenge from the home server.

 Sending Access-Challenge of id 1 to 127.0.0.1 port 43327

  i.e. it's being sent back to eapol_test.

 rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, 
 length=240

  And the NAS is continuing the EAP conversation.

   User-Name = anonym...@teszt.eduroam.hu

  And this packet isn't proxied.

  Why?

 rlm_eap: No EAP session matching the State variable.
 [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

  Since it isn't proxied, it's handled locally.

  If you simply configure a realm teszt.eduroam.hu, and tie it to the
home server, it *will* work.  You've clearly done something else, where
the first packet is proxied (somehow), and the later ones aren't.

  i.e. you've spent time creating a *complicated* proxy decision that
doesn't work, rather than using the *simple* proxying method that is
included with the server.

  Alan DeKok.


Re: ask for help on WiMAX + Freeradius + Disconnect (Alan DeKok)

2010-09-01 Thread Alan DeKok
Xiaochen wrote:
 [r...@aaa bin]# cat packet.txt | radclient -x 100.1.6.4:3799 disconnect
 0123456789
 radclient: XUnknown attribute WiMAX-Session-Id

  Use attributes that are defined in the WiMAX dictionary.

  Or, update the WiMAX dictionary to include the attributes you're using.

  Alan DeKok.


Re: Failed (re-)authentification after some time...

2010-09-01 Thread Jan Zacharias
 

Alan DeKok al...@deployingradius.com wrote on 31 August 2010 at 13:18:

 Jan Zacharias wrote:
  Call me dumb, but I have no idea what to look for.

   Neither do I.  It's your system...

  One idea: is ntlm_auth referred to as child? Maybe I should
  write a wrapper and see how long execution of this helper program
  takes,

   Possibly, yes.
│ ├─┬◆ 65437 root sshd: r...@pts/4 (sshd)
│ │ └─┬◆ 65440 root -bash (bash)
│ │   └─┬◆ 76322 freeradius radiusd -s -X -xx -f
│ │ └─┬─ 76421 freeradius /bin/sh /usr/local/bin/ntlm_auth_wrapper
--request-nt-key --domain=DFKI --username=jan --challenge=xxx --nt-response=xxx


So, yes :)

The wrapper logged PID and time (real,sys,user) of ntlm_auth.

To speed up the debugging, I introduced a sleep of varying duration in the
ntlm_auth_wrapper.

I found that freeradius kills the ntlm stuff if it takes longer than ten seconds
to complete.

My suggestion is that we introduce a configuration variable ntlm_auth_retries so
that freerad kills the process, but then tries again until the retry-count is
reached. This would greatly improve reliability in stress/high load/failover
scenarios :)

What do you think, Alan? Anyone else?

Best, Jan


    Alan DeKok.

Re: Failed (re-)authentification after some time...

2010-09-01 Thread Alan DeKok
Jan Zacharias wrote:
 To speed up the debugging, I introduced a sleep of varying duration in
 the ntlm_auth_wrapper.
 
 I found that freeradius kills the ntlm stuff if it takes longer than ten
 seconds to complete.

  Yes.  Any child script which takes that long is broken.

 My suggestion is that we introduce a configuration variable
 ntlm_auth_retries so that freerad kills the process,

  No.  You can write a shell script wrapper around ntlm_auth that does:

- fork ntlm_auth
- wait 1s for it to return
  - if it doesn't return, kill it
  - try to fork it again

 What do you think, Alan? Anyone else?

  This isn't a server problem, and changing the server isn't necessary.

  Alan DeKok.
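An added example of the wrapper Alan sketches above (fork ntlm_auth, wait briefly, kill it if it has not returned, fork it again); it is not code from the thread, from FreeRADIUS or from Samba. It assumes the NTLM_AUTH, TIMEOUT, RETRIES and LOGFILE variables are set by whoever installs the script and that sleep accepts fractional seconds (GNU/BSD coreutils do); it logs only PID and timing, never the challenge/response arguments.

```shell
#!/bin/sh
# ntlm_auth wrapper (added example, not from the thread or from FreeRADIUS/Samba).
# Fork ntlm_auth, wait TIMEOUT seconds for it to return, kill it if it has not,
# and fork it again, up to RETRIES attempts in total.

: "${NTLM_AUTH:=/usr/bin/ntlm_auth}"   # assumed path of the real helper
: "${TIMEOUT:=1}"                      # seconds to wait per attempt
: "${RETRIES:=3}"                      # attempts before giving up
: "${LOGFILE:=/dev/null}"              # assumed: installer points this at a root-only file

# Log PID and timing only. The helper's arguments carry the MS-CHAP challenge and
# NT-response, so they are deliberately never written to the log.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOGFILE"
}

# Run "$@" once in the background, polling every 0.1 s. Returns the helper's own
# exit status, or 124 (the coreutils timeout convention) if it had to be killed.
run_once() {
    "$@" &
    pid=$!
    ticks=0
    max_ticks=$((TIMEOUT * 10))
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$ticks" -ge "$max_ticks" ]; then
            kill -TERM "$pid" 2>/dev/null
            sleep 0.1
            kill -KILL "$pid" 2>/dev/null
            wait "$pid" 2>/dev/null
            log "pid $pid killed after ${TIMEOUT}s"
            return 124
        fi
        sleep 0.1
        ticks=$((ticks + 1))
    done
    wait "$pid"
    status=$?
    log "pid $pid exited with status $status after ~$((ticks * 100)) ms"
    return "$status"
}

# Retry only when the helper was killed for taking too long. A helper that
# returns on its own (success, or a genuine authentication failure) is never
# re-run: retrying a failed credential check would only multiply the attempts.
run_with_retry() {
    attempt=1
    while :; do
        run_once "$@"
        status=$?
        if [ "$status" -ne 124 ]; then
            return "$status"
        fi
        if [ "$attempt" -ge "$RETRIES" ]; then
            log "giving up after $RETRIES attempts"
            return 124
        fi
        attempt=$((attempt + 1))
    done
}

# When FreeRADIUS executes this script it passes ntlm_auth's arguments; pass
# them through and return the helper's status so rlm_mschap sees the usual result.
if [ "$#" -gt 0 ]; then
    run_with_retry "$NTLM_AUTH" "$@"
    exit $?
fi
```

Point rlm_mschap's ntlm_auth setting at this script instead of ntlm_auth itself, keeping the same argument list.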


Re: eap/ttls proxy: No EAP session matching the State variable.

2010-09-01 Thread Kadlecsik Jozsef
On Wed, 1 Sep 2010, Alan DeKok wrote:

 Kadlecsik Jozsef wrote:

  rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0,
 length=160
  User-Name = anonym...@teszt.eduroam.hu
 
   The original packet from eapol_test.
 
  +- entering group pre-proxy {...}
 ...
  Sending Access-Request of id 135 to 195.111.98.4 port 1812
  User-Name = anonym...@teszt.eduroam.hu
 
   Which is proxied.
 
  rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, 
  length=67
 
   i.e. received an Access-Challenge from the home server.
 
  Sending Access-Challenge of id 1 to 127.0.0.1 port 43327
 
   i.e. it's being sent back to eapol_test.
 
  rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, 
  length=240
 
   And the NAS is continuing the EAP conversation.
 
  User-Name = anonym...@teszt.eduroam.hu
 
   And this packet isn't proxied.
 
   Why?
 
  rlm_eap: No EAP session matching the State variable.
  [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
 
   Since it isn't proxied, it's handled locally.

It turned out that the default setting in the virtual server:

authorize {
...
eap {
ok = return
}

files
}

prevented the daemon from processing the users file. From the debug log:

+[mschap] returns noop
[eap] EAP packet type response id 2 length 93
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}

i.e., the users file was skipped.

Thanks for pointing out the local processing, somehow we did not realize 
it.

Best regards,
Jozsef
--
E-mail : kad...@mail.kfki.hu, kad...@blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
 H-1525 Budapest 114, POB. 49, Hungary


RE: ask for help on WiMAX + Freeradius + Disconnect

2010-09-01 Thread Ben Wiechman
Step 1: Read the wimax dictionary file. It will help you understand what
types of data you need to be putting into each attribute.

update disconnect {
User-Name = %{User-Name}
Calling-Station-Id = %{Calling-Station-Id}
WiMAX-AAA-Session-Id = %{WiMAX-AAA-Session-Id}
WiMAX-DM-Action-Code = Deregister-MS
}

The session ID needs to be identical to the one returned to the ASN-GW
during network entry.

man unlang for more info.

For testing from the CLI echo the required attributes into radclient. man
radclient

Ben


From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.o
rg] On Behalf Of Xiaochen
Sent: Tuesday, August 31, 2010 8:44 PM
To: freeradius-users@lists.freeradius.org
Subject: ask for help on WiMAX + Freeradius + Disconnect

Hello, friends,
As I met some problems when using Freeradius to send Disconnect Request.
Hope you can give me any suggestions.
Please let me describe my issue.
First I created a packet.txt for radclient.exe.
The content of packet.txt is as:
Acct-Session-Id=0001
Calling-Station-Id=001E310008CC
User-Name=wimax
X-Ascend-Session-Svr-Key=0123456789
NAS-IP-Address=100.1.6.5
NAS-Identifier=100.1.6.5
WiMAX-Session-ID=”XXX”
WiMAX-DM-Action-Code=””
After packet.txt was sent to AGW, radclient debug window said: “Unknown
WiMAX-Session -ID or Unknown WiMAX-DM-Action-Code ”

WiMAX NWG 1.3 says:
5.4.1.7 RADIUS Disconnect Request Message
Disconnect Request message should be defined with the following:
User-Name, Calling-Station-Id, WiMAX-Session-ID, WiMAX-DM-Action-Code

So I must add and make WiMAX-Session-ID and WiMAX-DM-Action-Code sent by
Freeradius.

Could you please give me any suggestions on how to add the attribute of
WiMAX-Session-ID and WiMAX-DM-Action-Code into the sent message ?

Thanks a lot for your help in advance!

Xiaochen Chen @ WiMAX Test Lab
Beijing, China




control-socket on freeradius 2.1.8

2010-09-01 Thread JOE
Hi all
I'm trying to configure control-socket functionality on freeradius
2.1.8. Radius in debug mode shows:



radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 1645
}
listen {
type = acct
ipaddr = *
port = 1646
}
listen {
type = control
 listen {
socket = /opt/freeradius/var/run/radiusd/radiusd.sock
uid = testuser
gid = users
mode = rw
 }
}
Listening on authentication address * port 1645
Listening on accounting address * port 1646
Listening on command file /opt/freeradius/var/run/radiusd/radiusd.sock
Ready to process requests.


The socket is created with these permissions:

ls -ltr /opt/freeradius/var/run/radiusd/radiusd.sock
srw-rw 1 radius radius 0 2010-09-01 20:18
/opt/freeradius/var/run/radiusd/radiusd.sock

When I try to connect to the socket with radmin I receive a permission denied:

/opt/freeradius/sbin ./radmin -d ../etc_devel/raddb/
radmin: Failed connecting to
/opt/freeradius/var/run/radiusd/radiusd.sock: Permission denied

radmin is launched with 'testuser' user.

Does anyone know where the problem is?

Regards


RE: control-socket on freeradius 2.1.8

2010-09-01 Thread Tim Sylvester
 The socket is created with these permissions:

 ls -ltr /opt/freeradius/var/run/radiusd/radiusd.sock
 srw-rw 1 radius radius 0 2010-09-01 20:18
 /opt/freeradius/var/run/radiusd/radiusd.sock

 When I try to connect to the socket with radmin I receive a permission
 denied:

 /opt/freeradius/sbin ./radmin -d ../etc_devel/raddb/
 radmin: Failed connecting to
 /opt/freeradius/var/run/radiusd/radiusd.sock: Permission denied

 radmin is launched with 'testuser' user.

 Does anyone know where the problem is?

The user 'testuser' does not have permission to access the socket. Add
'testuser' to the group 'radius' or run radmin as root.

Tim




Re: ..::Huntgroup Issues::..

2010-09-01 Thread Alfonso Alejandro Reyes Jiménez

 Thanks for the advice to everyone.

As per your recommendation we changed the users file with the following line:

steve2    Cleartext-Password := testing, Huntgroup-Name == arcsight

but we got the same result access-reject.

And we got the following output:

rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139, 
length=58

User-Name = steve2
User-Password = testing
NAS-IP-Address = 192.168.2.251
NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = steve2, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - steve2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 139 to 127.0.0.1 port 6729
Waking up in 4.9 seconds.
Cleaning up request 0 ID 139 with timestamp +5

I have a question, we removed the authentication value and the debug shows
that it is looking for it, why is that?


Maybe someone that has the huntgroups running can send examples of
the users and huntgroups files, that may help a lot.


Thanks in advance.

Regards

Alfonso.

On 24/08/2010 04:46 a.m., Alan DeKok wrote:

Alfonso Alejandro Reyes Jiménez wrote:

Hi, I'm trying to use the huntgroup feature on the freeradius software
with out luck. I think I'm missing something that's why I'm sending this
email maybe you can help me.

   You should read the debug output of the server.  The answer is in there.


users file at the end:

alfonso  Auth-Type := Local, User-Password == testing, Huntgroup-Name == squid

   sigh   Don't set Auth-Type.  Use Cleartext-Password := ..., and not
User-Password == ...


Here's the output of the debug, it seems that it doesn't find the config
file.

   No.  It finds the DEFAULT entry earlier in the file.

   Why?  This is documented.  Read the comments at the top of the users
file.  Read the man users page.  Read the FAQ for an example of how to
configure a test user.

   Alan DeKok.

Re: control-socket on freeradius 2.1.8

2010-09-01 Thread JOE
On 9/1/10, Tim Sylvester tim.sylves...@networkradius.com wrote:
  The socket is created with these permissions:
  
   ls -ltr /opt/freeradius/var/run/radiusd/radiusd.sock
   srw-rw 1 radius radius 0 2010-09-01 20:18
   /opt/freeradius/var/run/radiusd/radiusd.sock
  
   When I try to connect to the socket with radmin I receive a permission
   denied:
  
   /opt/freeradius/sbin ./radmin -d ../etc_devel/raddb/
   radmin: Failed connecting to
   /opt/freeradius/var/run/radiusd/radiusd.sock: Permission denied
  
   radmin is launched with 'testuser' user.
  
   Does anyone know where the problem is?


 The user 'testuser' does not have permission to access the socket. Add
  'testuser' to the group 'radius' or run radmin as root.

  Tim



Is it possible to connect to the socket with a group different from 'radius'?
Regards.


RE: control-socket on freeradius 2.1.8

2010-09-01 Thread Tim Sylvester
  The user 'testuser' does not have permission to access the socket.
 Add
   'testuser' to the group 'radius' or run radmin as root.
 
   Tim
 
 Is it possible to connect to the socket with a group different from 'radius'?

Yes. Check the documentation in the raddb/sites-available/control-socket
file for instructions on how to set the user and group that are allowed to
access the socket using radmin. Also, check man radmin for more info.

Tim




RE: RE: ask for help on WiMAX + Freeradius + Disconnect

2010-09-01 Thread Xiaochen
Message: 4
Date: Wed, 1 Sep 2010 09:35:53 -0500
From: Ben Wiechman wiechman.li...@gmail.com
Subject: RE: ask for help on WiMAX + Freeradius + Disconnect
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 4c7e64c3.c84de70a.22a4.2...@mx.google.com
Content-Type: text/plain;   charset=iso-2022-jp

Step 1: Read the wimax dictionary file. It will help you understand what
types of data you need to be putting into each attribute.

update disconnect {
User-Name = %{User-Name}
Calling-Station-Id = %{Calling-Station-Id}
WiMAX-AAA-Session-Id = %{WiMAX-AAA-Session-Id}
WiMAX-DM-Action-Code = Deregister-MS
}

The session ID needs to be identical to the one returned to the ASN-GW
during network entry.

man unlang for more info.

For testing from the CLI echo the required attributes into radclient. man
radclient

Ben
***
  Use attributes that are defined in the WiMAX dictionary.

  Or, update the WiMAX dictionary to include the attributes you're using.

  Alan DeKok.
Thanks Alan and Ben,
I will try today and email the result in the mailing list.


Xiaochen


[no subject]

2010-09-01 Thread John
Hi all,  We upgraded freeradius from 1.1.6 to 2.1.18 recently.  It looks like 2.1.8 will
reply with an Access-Reject when [ldap] returns fail, but 1.1.6 just keeps silent.
Is there a way to let 2.1.8 reply nothing in that case?
 
 
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.155.20.85 port 32770, id=182, 
length=130
    Service-Type = Authorize-Only
    NAS-Port-Type = Wireless-802.11
    User-Name = test2008
    MS-CHAP-Challenge = 0x766bb4f5ae93e28b4630b8fbc674e137
    MS-CHAP2-Response = 
0x3700e851effcf3aa3f7731204ca90dcbd9836c9248ca4d87e72d0b4a91dbd2672bb1f8f5b725187953ff
    NAS-IP-Address = 10.155.20.85
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for test2008
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) - 
(sAMAccountName=test2008)
[ldap]  expand: OU=Domain Controllers,dc=aero-hz,dc=cn - OU=Domain 
Controllers,dc=aerohive-hz,dc=cn
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 10.155.3.2:389, authentication 0
  [ldap] bind as h...@aero-hz.cn/w200h to 10.155.3.2:389
  [ldap] h...@aero-hz.cn bind to 10.155.3.2:389 failed: Can't contact LDAP 
server
  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Sending Access-Reject of id 182 to 10.155.20.85 port 32770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 182 with timestamp +10
Ready to process requests.

Reply:

2010-09-01 Thread John


--- On Thu, 2 Sep 2010, John elmer_rad...@yahoo.com.cn wrote:


From: John elmer_rad...@yahoo.com.cn
Subject: 
To: freeradius-users@lists.freeradius.org
Date: Thursday, 2 September 2010, 12:45 PM