Re: Voip database

2010-12-17 Thread miha-

Hello,

in wireshark I can see now that the first request for access goes through
but the second one for accounting is rejected.

Can you help me out why?

What about encryption ? The secret on the nas server and on the radius is
100% same.

Where can I look for this?

I have checked everything you said for now.

Thanks!

Miha




Cleaning up request 1 ID 176 with timestamp +12
Ready to process requests.
rad_recv: Access-Request packet from host 1.2.3.4 port 55983, id=139,
length=206
Acct-Multi-Session-Id = 1292574457509
Cisco-Attr-130 =
0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Calling-Station-Id = 81609000
NAS-Identifier = intraswitch
NAS-IP-Address = 1.2.3.4
3GPP2-Prepaid-acct-Capability = 0x01060002
3GPP2-Session-Termination-Capability = 1
h323-conf-id = h323-conf-id=1292574457509
Vendor-Specific = 0x0009
Event-Timestamp = Dec 17 2010 09:27:37 CET
User-Name = 081609000
User-Password = 1122
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pgsql-voip]expand: %{User-Name} - 081609000
[pgsql-voip] sql_set_user escaped user -- '081609000'
rlm_sql (pgsql-voip): Reserving sql socket id: 22
[pgsql-voip]expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id,
UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'081609000'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 3 , fields = 5
[pgsql-voip] User found in radcheck table
[pgsql-voip]expand: SELECT id, UserName, Attribute, Value, Op   FROM
radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id,
UserName, Attribute, Value, Op   FROM radreply   WHERE Username =
'081609000'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[pgsql-voip]expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='081609000' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[pgsql-voip]expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupcheck   WHERE GroupName = '%{Sql-Group}'   ORDER BY id - SELECT id,
GroupName, Attribute, Value, op   FROM radgroupcheck   WHERE GroupName =
'dynamic'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[pgsql-voip] User found in group dynamic
[pgsql-voip]expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupreply   WHERE GroupName = '%{Sql-Group}'   ORDER BY id - SELECT id,
GroupName, Attribute, Value, op   FROM radgroupreply   WHERE GroupName =
'dynamic'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 4 , fields = 5
rlm_sql (pgsql-voip): Released sql socket id: 22
++[pgsql-voip] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 1122
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 139 to 1.2.3.4 port 55983
Vendor-Specific := 0x3347505032
3GPP2-Prepaid-acct-Capability := 0x303130363030303030303032
3GPP2-Session-Termination-Capability := 1
3GPP2-Release-Indicator := 0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193,
length=335
User-Name = 081609000
User-Password = \022\312w\014
Cisco-Attr-130 =
0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Acct-Multi-Session-Id = 1292574457509
Calling-Station-Id = 81609000
Called-Station-Id = 38651357952
Cisco-AVPair = h323-called-enterprise-id=External
h323-remote-address = h323-remote-address=unknown
Acct-Session-Id = 129257445750920
h323-conf-id = h323-conf-id=1292574457509
h323-incoming-conf-id = h323-incoming-conf-id=1292574457509
3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002
Event-Timestamp = Dec 17 

Re: query

2010-12-17 Thread Alan DeKok
karnik jain wrote:
 *- I understood that whoever wants to use text other than ASCII has to
 convert it into UTF-8 first and send it to the RADIUS server.*
 *- But then how can the FreeRADIUS server perform the job of
 verifying credentials in the above UTF-8 case, because it is not going to
 understand UTF-8?*

  If you don't understand how ASCII and UTF-8 work, go read the
specifications.  This is not a question for FreeRADIUS.

 -   *Can you please focus some more on this point? I have not understood
 your point at all, sir.*

  Read the regular expression documentation for how it handles UTF-8.
This is not a question for FreeRADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Voip database

2010-12-17 Thread Phil Mayers

On 12/17/2010 08:58 AM, miha- wrote:


Hello,

in wireshark I can see now that the first request for access goes through
but the second one for accounting is rejected.

Can you help me out why?

What about encryption ? The secret on the nas server and on the radius is
100% same.


Lots of people say this, and they're always wrong:


rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193,
length=335
 User-Name = 081609000
 User-Password = \022\312w\014


Does that look like a valid password to you?


[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password ?Êw?
[pap] Using MD5 encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
   WARNING: Unprintable characters in the password.Double-check the
shared secret on the server and the NAS!


Check it again. Change the shared-secret to something simple and new.

send radius.log to mysql

2010-12-17 Thread cktan

Dear all,

I'm looking for possibility to inject the log from radius.log into mysql 
DB for some monitoring purpose. Any better suggestion? I tried with 
Syslog-NG and it just won't send radius.log to my syslog server but only 
system log...


Regards
CK



Re: send radius.log to mysql

2010-12-17 Thread cktan
The main reason is to monitor the login activity for my radius server 
i.e. Login Accept, Reject or Deny.


cktan wrote:

Dear all,

I'm looking for possibility to inject the log from radius.log into 
mysql DB for some monitoring purpose. Any better suggestion? I tried 
with Syslog-NG and it just won't send radius.log to my syslog server 
but only system log...


Regards
CK





Re: send radius.log to mysql

2010-12-17 Thread Gideon le Grange

On 17 Dec 2010, at 11:13 AM, cktan wrote:

 
 I'm looking for possibility to inject the log from radius.log into mysql DB 
 for some monitoring purpose. Any better suggestion? I tried with Syslog-NG 
 and it just won't send radius.log to my syslog server but only system log...
 

Have a look at rsyslog http://www.rsyslog.com/

G




Re: Voip database

2010-12-17 Thread miha-

Hello,

this is user-name and password for phone that is registered on NAS. NAS is
sending authentication to freeradius server.

Is not shared secret different thing? I have shared secret entered in
clients.conf and in sql NAS table.

First he is trying with password 1122 for user name 081609000 and this is
accepted:

+- entering group PAP {...}
[pap] login attempt with password 1122
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post

Then he is trying with User-Password = \022\312w\014 but the password is
set on 1122

Why?

Thank you

p.s.: if I try with radtest everything goes through!

miha

User-Password = \022\312w\014


Re: Voip database

2010-12-17 Thread Alan DeKok
miha- wrote:
 this is user-name and password for phone that is registered on NAS. NAS is
 sending authentication to freeradius server.

  We all know that.  Stating the obvious is not helpful.

 Is not shared secret different thing? I have shared secret entered in
 clients.conf and in sql NAS table.

  In two places?  Why?  And re-enter it on the NAS.  *Not* clients.conf,
and *not* SQL.

  You have been told this many times, and have totally failed to understand.

 First he is trying with password 1122 for user name 081609000 and this is
 accepted:
...
 Why?

  You have been told.

  If you're not going to follow instructions, you should stop posting
messages to this list.

  If you keep posting the same messages, *everyone* here will ignore you.

  Alan DeKok.


Re: FreeRADIUS exiting with Signal 11 on FreeBSD

2010-12-17 Thread Danial

Ok. I've been able to monitor another Exiting normally event:
Fri Dec 17 06:38:39 2010 : Info: Exiting normally.


Alan DeKok-2 wrote:
 
   Watch the CPU and memory usage by the server.
 
I've been monitoring the server using Cacti for the last few days.
Memory usage shows plenty of free memory.
CPU usage and Load averages were next to nothing.



   If you can, monitor any signals being sent to the server.
 
I've had a tcpdump session running and have been trying to analyse it.
As stated above, FreeRadius exited at 06:38:39.
Prior to this, between 06:38:36.427 and 06:38:37.419, there was a successful
Accounting-Request (type Stop), followed by this request being successfully
proxied twice - behaviour as expected. (Marked by red square in attached
image).

Then, at 06:38:39.264, there's an Accounting-Request (type Stop), followed by
another Accounting-Request (type Start), at 06:38:39.294, and a third
Accounting-Request (type Start), at 06:38:41.023.

The ip addresses in the image attached are:
.46 is the radius server
.61 is where the radius requests are sent from.
.106 is where the requests are proxied to.

http://freeradius.1045715.n5.nabble.com/file/n3309272/radius.jpg 

The failover radius server received the first request at 06:38:54.

Is this helpful in any way?


Re: Voip database

2010-12-17 Thread Johan Meiring

On 2010/12/17 11:41 AM, miha- wrote:


Hello,

this is user-name and password for phone that is registered on NAS. NAS is
sending authentication to freeradius server.




Please do NOT confuse the shared secret and the password that the phone uses.

The shared secret is a secret between the NAS and Freeradius.
The phone's password (in access-request) is encrypted using the shared secret.


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
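
What Johan describes, and the garbage User-Password Phil points at, can be reproduced offline. The following is an added example, not code from the thread or from FreeRADIUS: it implements the User-Password hiding of RFC 2865 section 5.2 and recovers the phone's password 1122 once with a matching secret and once with a mismatched one. The secrets, the Request Authenticator and all function names are constructed for the illustration.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2), NAS and server side.

Added illustration: the shared secrets and the Request Authenticator are
constructed sample values; only the password 1122 comes from the thread.
"""
import hashlib

BLOCK = 16  # MD5 digest size; the password is processed in 16-byte blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: turn the user's password into the User-Password value."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    # Pad with NUL bytes to a multiple of 16.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # First keystream block is MD5(secret + Request Authenticator),
        # later ones are MD5(secret + previous hidden block).
        keystream = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + BLOCK], keystream)
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret configured for this NAS.

    The attribute carries no integrity check of its own, so a wrong secret
    does not raise an error here. It simply yields different bytes.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(hidden) % BLOCK or not BLOCK <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 bytes, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")  # drop the NUL padding


def has_unprintable(recovered: bytes) -> bool:
    """Heuristic behind 'Unprintable characters in the password'.

    Bytes outside printable ASCII in the recovered value point at a secret
    mismatch rather than a mistyped password. A password that legitimately
    contains non-ASCII bytes would also trip this, so treat it as a hint.
    """
    return any(b < 0x20 or b > 0x7E for b in recovered)


def demo() -> dict:
    authenticator = bytes(range(16))   # constructed; a NAS picks this at random
    nas_secret = b"testing123"         # constructed: secret configured on the NAS
    hidden = hide_password(b"1122", nas_secret, authenticator)
    results = {}
    # Constructed server-side secrets: identical, and one with a trailing space.
    for label, server_secret in (("match", b"testing123"),
                                 ("mismatch", b"testing123 ")):
        recovered = recover_password(hidden, server_secret, authenticator)
        results[label] = (recovered, has_unprintable(recovered))
    return results


if __name__ == "__main__":
    for label, (recovered, flagged) in demo().items():
        print(f"{label:9s} recovered={recovered!r} unprintable={flagged}")
```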



Possible memory leak in rlm_sql?

2010-12-17 Thread Brian Candler
I noticed something in rlm_sql.c function rlm_sql_process_groups().

group_list is allocated at the top of the function, but
sql_grouplist_free(group_list) is only called at the end.  All the various
error exits don't call it.

ISTM that's going to leak memory in event of errors, but perhaps I have
overlooked something which prevents that.

Regards,

Brian.


Re: Possible memory leak in rlm_sql?

2010-12-17 Thread Alan DeKok
Brian Candler wrote:
 I noticed something in rlm_sql.c function rlm_sql_process_groups().
 
 group_list is allocated at the top of the function, but
 sql_grouplist_free(group_list) is only called at the end.  All the various
 error exits don't call it.
 
 ISTM that's going to leak memory in event of errors, but perhaps I have
 overlooked something which prevents that.

  Nope.  You're right.

  Alan DeKok.


Re: Unable to Authenticate users

2010-12-17 Thread Alan DeKok
john decot wrote:
 Hi,
  
I am planning to use freeradius for authentication for lan users. The
 following are the radcheck parameters:
  
 mysql select * from radcheck;
 ++--++++
 | id | username | attribute | op | value |
 ++--++++
 | 17 | test1 | User-Password | := | $1$q79.qtrm$gD6D4znw2uBGIU0K3mt/1/ |

  The data is a Crypt-Password, not a User-Password.

 | 9 | test | Cleartext-Password | := | password1234 |
 ++--++++

  Why the heck do you have *two* passwords?  Just use Cleartext-Password.

  Alan DeKok.


Re: FreeRADIUS exiting with Signal 11 on FreeBSD

2010-12-17 Thread Alan DeKok
Danial wrote:
   If you can, monitor any signals being sent to the server.

 I've had a tcpdump session running 

  Uh... packets are not signals.  Use ktrace to monitor signals sent
to a process.

  See http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=ktrace

  Alan DeKok.


No authenticate method (Auth-Type) configuration found for the request:

2010-12-17 Thread discgolfer72

Installed FreeRadius 2.1.8 to authenticate to an LDAP back end (eDirectory)

Set it up per the document link below:

http://www.novell.com/communities/node/11321/freeradius-218-edirectory-integration

Now I'm getting a No authenticate method error.  Output of radiusd -X below:

Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.0.12 port 3915, id=9,
length=48
User-Name = radadmin
User-Password = thepassword
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = radadmin, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - radadmin
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 9 to 10.1.0.12 port 3915
Waking up in 4.9 seconds.
Cleaning up request 0 ID 9 with timestamp +3
Ready to process requests.

In the Novell Cool Solution link, they say to un-comment ldap in the
authorize section of /etc/raddb/sites-enabled/inner-tunnel but I had a
question on this.  Attached is my inner-tunnel config.  My question is do I
also need to un-comment the following in the authenticate section or am I
missing something else entirely?

#Auth-Type LDAP {
#   ldap
#}

# -*- text -*-
##
#
#   This is a virtual server that handles *only* inner tunnel
#   requests for EAP-TTLS and PEAP types.
#
#   $Id$
#
##

server inner-tunnel {

#
#  Un-comment the next section to perform test on the inner tunnel
#  without needing an outer tunnel session.  The tests will not be
#  exactly the same as when TTLS or PEAP are used, but they will
#  be close enough for many tests.
#
#listen {
#   ipaddr = 127.0.0.1
#   port = 18120
#   type = auth
#}


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the users file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you 
#  need to setup hints for the remote radius server
authorize {
#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
chap

#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap

#
#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
#  using the system API's to get the password.  If you want
#  to read /etc/passwd or /etc/shadow directly, see the
#  passwd module, above.
#
unix

#
#  Look for IPASS style 'realm/', and if not found, look for
#  '@realm', and decide whether or not to proxy, based on
#  that.
#   IPASS

#
#  If you are using multiple kinds of realms, you probably
#  want to set ignore_null = yes for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
#  Note that proxying the inner tunnel authentication means
#  that the user MAY use one identity in the outer session
#  (e.g. anonymous, and a different one here
#  (e.g. u...@example.com).  The inner session will then be
#  proxied elsewhere for authentication.  If you are not
#  careful, this means that the user can cause you to forward
#  the authentication to another RADIUS server, and have the
#  accounting logs *not* sent to the other server.  This makes
#  it difficult to bill people for their network activity.
#
suffix
#   ntdomain

#
#  The suffix module takes care of stripping the domain
#  (e.g. @example.com) from the User-Name attribute, and the
#  next few 

Re: No authenticate method (Auth-Type) configuration found for the request:

2010-12-17 Thread Phil Mayers

On 17/12/10 14:40, discgolfer72 wrote:


Installed FreeRadius 2.1.8 to authenticate to an LDAP back end (eDirectory)

Set it up per the document link below:

http://www.novell.com/communities/node/11321/freeradius-218-edirectory-integration

Now I'm getting a No authenticate method error.  Output of radiusd -X below:

Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.0.12 port 3915, id=9,
length=48
 User-Name = radadmin
 User-Password = thepassword
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = radadmin, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:


Note: the ldap module doesn't appear above.



In the Novell Cool Solution link, they say to un-comment ldap in the
authorize section of /etc/raddb/sites-enabled/inner-tunnel but I had a


inner-tunnel is used for the 2nd phase of EAP. Your debug above shows 
a PAP request, which is not EAP, so inner-tunnel isn't used.


If you are setting up to support EAP, use an EAP client for testing 
(google for eapol_test)



Re: Unable to Authenticate users

2010-12-17 Thread john decot
Thanks for your reply Alan .

--- On Fri, 12/17/10, Alan DeKok al...@deployingradius.com wrote:

From: Alan DeKok al...@deployingradius.com
Subject: Re: Unable to Authenticate users
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Friday, December 17, 2010, 6:33 AM

john decot wrote:
 Hi,
  
    I am planning to use freeradius for authentication for lan users. The
 following are the radcheck parameters:
  
 mysql select * from radcheck;
 ++--++++
 | id | username | attribute | op | value |
 ++--++++
 | 17 | test1 | User-Password | := | $1$q79.qtrm$gD6D4znw2uBGIU0K3mt/1/ |

  The data is a Crypt-Password, not a User-Password.

 | 9 | test | Cleartext-Password | := | password1234 |
 ++--++++

  Why the heck do you have *two* passwords?  Just use Cleartext-Password.

  Alan DeKok.

Re: No authenticate method (Auth-Type) configuration found for the request:

2010-12-17 Thread Ben Lewis
 What would be the proper service to use for eDirectory?  Can I assume 
from the document that EAP is the one to use for authenticating to 
eDirectory or is another one better for that?  Ultimately, we want to 
set up a Wireless Access Point to send its request to the Radius Server 
which then queries eDirectory to authenticate the user to the WAP.


Thanks!

Ben

On 12/17/2010 9:00 AM, Phil Mayers wrote:

On 17/12/10 14:40, discgolfer72 wrote:


Installed FreeRadius 2.1.8 to authenticate to an LDAP back end 
(eDirectory)


Set it up per the document link below:

http://www.novell.com/communities/node/11321/freeradius-218-edirectory-integration 



Now I'm getting a No authenticate method error.  Output of radiusd -X 
below:


Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.0.12 port 3915, id=9,
length=48
 User-Name = radadmin
 User-Password = thepassword
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = radadmin, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication

may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:


Note: the ldap module doesn't appear above.



In the Novell Cool Solution link, they say to un-comment ldap in the
authorize section of /etc/raddb/sites-enabled/inner-tunnel but I had a


inner-tunnel is used for the 2nd phase of EAP. Your debug above 
shows a PAP request, which is not EAP, so inner-tunnel isn't used.


If you are setting up to support EAP, use an EAP client for testing 
(google for eapol_test)






--
Ben Lewis
b...@lewisit.net
615.517.4538




Re: No authenticate method (Auth-Type) configuration found for the request:

2010-12-17 Thread Alan DeKok
Ben Lewis wrote:
  What would be the proper service to use for eDirectory? 

  ldap.

  Read raddb/sites-available/default.  Look for ldap.

 Can I assume
 from the document that EAP is the one to use for authenticating to
 eDirectory 

  No.

 or is another one better for that?  Ultimately, we want to
 set up a Wireless Access Point to send its request to the Radius Server
 which then queries eDirectory to authenticate the user to the WAP.

  Run 2.1.10, and read raddb/sites-available/inner-tunnel.

  And also look for ldap there.

  Alan DeKok.



RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
Thanks for the reply, here is what I am trying to do


External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
Backend_Servers_Set01 (1812,1813)
External Servers Send Requests To - 1815,1816 -- FreeRadiusd -- 
Backend_Servers_Set02 (1815,1816)

I guess I am not sure where the listen section goes? Maybe I removed it from my 
proxy.conf file? 

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Thursday, December 16, 2010 3:07 AM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 I'm pretty clear on how I would add a new home_server_pool called like 
 alt-server-balance with the other two home_servers defined which listen on 
 the 1815,1816 the part I am confused about is how to define the new realm, 
 since I'm using DEFAULT to send all traffic to server-balance how do I 
 define a new realm which will accept traffic on 1815,1816 and send it to 
 alt-server-balance. 
 
 I hope that makes sense.

  No.

  You've confused *incoming* connections with *outgoing* connections.
Realms allow you to send packets to outgoing connections.  Realms do
*not* accept traffic.

  You're stuck on implementing a particular solution.  Instead, focus on the 
problem.  It will usually be easier than you think.

  Draw a diagram of how you want packets to flow in/out of the server.
Incoming packets require a listen section.  Outgoing packets require a 
home_server definition.  The glue in between is the realms, and/or the 
policies you want to configure.

  Alan DeKok.


Re: No authenticate method (Auth-Type) configuration found for the request:

2010-12-17 Thread Ben Lewis

 That did the trick.  Thanks Alan and Phil!!!

On 12/17/2010 9:20 AM, Alan DeKok wrote:

Ben Lewis wrote:

  What would be the proper service to use for eDirectory?

   ldap.

   Read raddb/sites-available/default.  Look for ldap.


Can I assume
from the document that EAP is the one to use for authenticating to
eDirectory

   No.


or is another one better for that?  Ultimately, we want to
set up a Wireless Access Point to send its request to the Radius Server
which then queries eDirectory to authenticate the user to the WAP.

   Run 2.1.10, and read raddb/sites-available/inner-tunnel.

   And also look for ldap there.

   Alan DeKok.





--
Ben Lewis
b...@lewisit.net
615.517.4538




RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
Hmm my line breaks were removed from my email

External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
Backend_Servers_Set01 (1812,1813) 



External Servers Send Requests To - 1815,1816 -- FreeRadiusd -- 
Backend_Servers_Set02 (1815,1816)

Let's try again

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Brian Carpio
Sent: Friday, December 17, 2010 9:10 AM
To: FreeRadius users mailing list
Subject: RE: Reals Based Upon Port

Thanks for the reply, here is what I am trying to do


External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
Backend_Servers_Set01 (1812,1813) External Servers Send Requests To - 1815,1816 
-- FreeRadiusd -- Backend_Servers_Set02 (1815,1816)

I guess I am not sure where the listen section goes? Maybe I removed it from my 
proxy.conf file? 

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Thursday, December 16, 2010 3:07 AM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 I'm pretty clear on how I would add a new home_server_pool called like 
 alt-server-balance with the other two home_servers defined which listen on 
 the 1815,1816 the part I am confused about is how to define the new realm, 
 since I'm using DEFAULT to send all traffic to server-balance how do I 
 define a new realm which will accept traffic on 1815,1816 and send it to 
 alt-server-balance. 
 
 I hope that makes sense.

  No.

  You've confused *incoming* connections with *outgoing* connections.
Realms allow you to send packets to outgoing connections.  Realms do
*not* accept traffic.

  You're stuck on implementing a particular solution.  Instead, focus on the 
problem.  It will usually be easier than you think.

  Draw a diagram of how you want packets to flow in/out of the server.
Incoming packets require a listen section.  Outgoing packets require a 
home_server definition.  The glue in between is the realms, and/or the 
policies you want to configure.

  Alan DeKok.


Re: Reals Based Upon Port

2010-12-17 Thread Alan DeKok
Brian Carpio wrote:
 Thanks for the reply, here is what I am trying to do
 
 
 External Servers Send Requests To - 1812,1813 --- FreeRadiusd -- 
 Backend_Servers_Set01 (1812,1813)
 External Servers Send Requests To - 1815,1816 -- FreeRadiusd -- 
 Backend_Servers_Set02 (1815,1816)
 
 I guess I am not sure where the listen section goes?

  radiusd.conf.  Or, read raddb/sites-available/README

 Maybe I removed it from my proxy.conf file? 

  No.

  Alan DeKok.


Re: No authenticate method (Auth-Type) configuration found for the request:

2010-12-17 Thread Matthew Stavert


Ben, it sounds like you have everything going, do you still need the screencast?

Congratulations if you have it all worked out ;)













Matthew Stavert
ITSM, ACMT
Information Systems Analyst
NLSD. 69

PH:780-826-3145
Cell: 780-207-1146

Re: No authenticate method (Auth-Type) configuration found for the request:

2010-12-17 Thread discgolfer72

  I think we're good now.  Thanks for offering the screencast though!

On 12/17/2010 10:38 AM, Matthew Stavert [via FreeRadius] wrote:
> Ben, it sounds like you have everything going, do you still need the
> screencast?
> Congratulations if you have it all worked out ;)
>
> Matthew Stavert
> ITSM, ACMT
> Information Systems Analyst
> NLSD. 69
> PH:780-826-3145
> Cell:  780-207-1146
>
> Ben Lewis [hidden email] 12/17/2010 9:17 AM
> That did the trick.  Thanks Alan and Phil!!!
>
> On 12/17/2010 9:20 AM, Alan DeKok wrote:
>> Ben Lewis wrote:
>>> What would be the proper service to use for eDirectory?
>> ldap.
>>
>> Read raddb/sites-available/default.  Look for ldap.
>>
>>> Can I assume
>>> from the document that EAP is the one to use for authenticating to
>>> eDirectory
>> No.
>>
>>> or is another one better for that?  Ultimately, we want to
>>> set up a Wireless Access Point to send its request to the Radius
>>> Server
>>> which then queries eDirectory to authenticate the user to the WAP.
>> Run 2.1.10, and read raddb/sites-available/inner-tunnel.
>>
>> And also look for ldap there.
>>
>> Alan DeKok.
>
> -- 
> Ben Lewis
> [hidden email]
> 615.517.4538

-- 
Ben Lewis
b...@lewisit.net
615.517.4538

RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
Thanks for your help Alan, but I think I am not giving you the right 
information.. (that or I don't understand the README)

So we are using freeradius for proxying requests to different backend servers 
only (basically using freeradius as a load balancer), we aren't using it to 
actually authenticate users at all, when we simply wanted to listen on 1812 and 
1813 and proxy to multiple home_servers on 1812 and 1813 everything works fine

---- initial simple radiusd.conf ----

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}


hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

---- end radiusd.conf ----

---- start simple proxy.conf ----

proxy server {
default_fallback = no
}
home_server server01 {
type = auth+acct
ipaddr = server01
port = 1812,1813
virtual_server = default
secret = s3cret
require_message_authenticator = no
response_window = 20
zombie_period = 10
status_check = request
username = deadb...@broadhop.com
password = s3cret
check_interval = 5
num_answers_to_alive = 3
}
home_server server02 {
type = auth+acct
ipaddr = server02 
port = 1812,1813
virtual_server = default
secret = s3cret
require_message_authenticator = no
response_window = 20
zombie_period = 10
status_check = request
username = deadb...@broadhop.com
password = s3cret
check_interval = 5
num_answers_to_alive = 3
}
home_server_pool server-balance {
type = load-balance
home_server = server01
home_server = server02
}
realm DEFAULT {
pool = server-balance
nostrip
}

---- end proxy.conf ----



So then I tried to edit the radiusd.conf with virtual servers and that broke 
our basic setup;

---- start new radiusd.conf with virtual servers ----

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

server default {
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
}

server alt {
listen {
type = auth
ipaddr = *
port = 1815
}
listen {
ipaddr = *
port = 1816
type = acct
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE 

Re: Reals Based Upon Port

2010-12-17 Thread Alan DeKok
Brian Carpio wrote:
> Thanks for your help Alan, but I think I am not giving you the right 
> information.. (that or I don't understand the README)
>
> So we are using freeradius for proxying requests to different backend servers 
> only (basically using freeradius as a load balancer), we aren't using it to 
> actually authenticate users at all, when we simply wanted to listen on 1812 
> and 1813 and proxy to multiple home_servers on 1812 and 1813 everything works 
> fine

  So set Proxy-To-Realm manually.  The virtual server sections need
to be little more than:

server x {
	listen {
		type = ...
		ipaddr = ...
	}

	authorize {
		update control {
			Proxy-To-Realm := 'x'
		}
	}

	preacct {
		update control {
			Proxy-To-Realm := 'x'
		}
	}
}

  Really.  That's *it*.  Fill in the listen config.  Define the
realms, and use the ~20 lines of text above.

  Alan DeKok.
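
A fuller version of the layout described in the message above, as an added example that is not part of the original thread: one virtual server bound to the 1815/1816 port pair forces Proxy-To-Realm to its own realm, and proxy.conf defines that realm, its pool and its backend. The file name, the names set02, set02_pool and backend02a, the address and the secret are placeholders assumed for illustration (FreeRADIUS 2.x syntax).

```conf
# --- raddb/sites-enabled/set02 (hypothetical file name) ---
# Everything arriving on 1815/1816 is handled by this virtual server
# and proxied to realm "set02". A second virtual server for 1812/1813
# is the same with the ports and the realm name changed.
server set02 {
	listen {
		type = auth
		ipaddr = *
		port = 1815
	}
	listen {
		type = acct
		ipaddr = *
		port = 1816
	}

	authorize {
		update control {
			Proxy-To-Realm := "set02"
		}
	}

	preacct {
		update control {
			Proxy-To-Realm := "set02"
		}
	}
}

# --- raddb/proxy.conf: realm, pool and backend for "set02" ---
home_server backend02a {
	# auth+acct: authentication goes to "port", accounting to port + 1
	type = auth+acct
	# constructed address (TEST-NET-1) and placeholder secret
	ipaddr = 192.0.2.21
	port = 1815
	secret = CHANGE_ME
}

home_server_pool set02_pool {
	type = load-balance
	home_server = backend02a
}

realm set02 {
	pool = set02_pool
	nostrip
}
```

Because the realm is chosen by the listener rather than by the User-Name, each port pair can use its own backend pool and its own shared secret.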


RE: Reals Based Upon Port

2010-12-17 Thread Brian Carpio
Thanks this is working perfectly now!

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Friday, December 17, 2010 1:32 PM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
> Thanks for your help Alan, but I think I am not giving you the right 
> information.. (that or I don't understand the README)
>
> So we are using freeradius for proxying requests to different backend 
> servers only (basically using freeradius as a load balancer), we 
> aren't using it to actually authenticate users at all, when we simply 
> wanted to listen on 1812 and 1813 and proxy to multiple home_servers 
> on 1812 and 1813 everything works fine

  So set Proxy-To-Realm manually.  The virtual server sections need to be 
little more than:

server x {
	listen {
		type = ...
		ipaddr = ...
	}

	authorize {
		update control {
			Proxy-To-Realm := 'x'
		}
	}

	preacct {
		update control {
			Proxy-To-Realm := 'x'
		}
	}
}

  Really.  That's *it*.  Fill in the listen config.  Define the realms, and 
use the ~20 lines of text above.

  Alan DeKok.


Re: Freeradius + mysql Auth-Type error...

2010-12-17 Thread Todd Bateman
I changed the /etc/raddb/sites-available/default to the following and 
changed Auth-Type to SQL in the radcheck table, and it still rejects the 
user.


authorize {
preprocess
mschap
sql
}

authenticate {
Auth-Type MS-CHAP {
mschap
}
}

preacct {
account_unique
}

accounting {
radutmp
sql
}

session {
sql
}

post-auth {
Post-Auth-Type REJECT {
sql
attr_filter.access_reject
}
}

pre-proxy {
}

post-proxy {
}

and add the information to clients.conf and sql.conf, and it seems to 
be working for I get database requests when I run radiusd -X and run 
radtest. My mysql tables look like the following:


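mysql> select * from radcheck;
+----+----------+--------------+----+----------------------------------+
| id | username | attribute    | op | value                            |
+----+----------+--------------+----+----------------------------------+
|  1 | testuser | MD5-Password | := | 179ad45c6ce2cb97cf1029e212046e81 |
+----+----------+--------------+----+----------------------------------+
1 row in set (0.00 sec)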

I have also tried this with Attribute set to Cleartext-Password and op 
set to == with the same result.


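mysql> select * from radgroupcheck;
+----+-------------+-----------+----+---------+
| id | groupname   | attribute | op | value   |
+----+-------------+-----------+----+---------+
|  1 | normalusers | Auth-Type | := | MS-CHAP |
+----+-------------+-----------+----+---------+
1 row in set (0.00 sec)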


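Changed Auth-Type to SQL

mysql> select * from radgroupreply;
+----+-------------+--------------------+----+---------------------+
| id | groupname   | attribute          | op | value               |
+----+-------------+--------------------+----+---------------------+
|  1 | normalusers | Framed-Compression | =  | Van-Jacobson-TCP-IP |
+----+-------------+--------------------+----+---------------------+
1 row in set (0.00 sec)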

mysql> select * from radpostauth;
+----+----------+--------------+---------------+---------------------+
| id | username | pass         | reply         | authdate            |
+----+----------+--------------+---------------+---------------------+
|  1 | testuser | testuserpass | Access-Reject | 2010-12-16 23:45:22 |
|  2 | testuser | testuserpass | Access-Reject | 2010-12-16 23:52:18 |
|  3 | testuser | testuserpass | Access-Reject | 2010-12-17 00:24:07 |
|  4 | root     | changed      | Access-Accept | 2010-12-17 01:28:43 |
|  5 | user1    | password1    | Access-Reject | 2010-12-17 01:29:01 |
|  6 | root     | changed      | Access-Accept | 2010-12-17 01:38:59 |
|  7 | todd     | changed      | Access-Accept | 2010-12-17 01:41:16 |
|  8 | user1    | password1    | Access-Reject | 2010-12-17 02:06:47 |
|  9 | user1    | password1    | Access-Reject | 2010-12-17 02:18:37 |
| 10 | testuser | testpass     | Access-Reject | 2010-12-17 05:05:05 |
| 11 | testuser | testpass     | Access-Reject | 2010-12-17 05:10:04 |
| 12 | testuser | testpass     | Access-Reject | 2010-12-17 05:24:06 |
| 13 | testuser | testpass     | Access-Reject | 2010-12-17 05:35:10 |
| 14 | testuser | testpass     | Access-Reject | 2010-12-17 06:09:40 |
| 15 | testuser | testpass     | Access-Reject | 2010-12-17 06:28:45 |
| 16 | testuser | testpass     | Access-Reject | 2010-12-17 06:43:24 |
+----+----------+--------------+---------------+---------------------+
16 rows in set (0.00 sec)

The Access-Accepts that I got here is when I switched it to use the 
/etc/passwd file.


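mysql> select * from radreply;
+----+----------+-------------------+----+-----------+
| id | username | attribute         | op | value     |
+----+----------+-------------------+----+-----------+
|  1 | testuser | Framed-IP-Address | =  | 127.0.0.1 |
+----+----------+-------------------+----+-----------+
1 row in set (0.00 sec)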

mysql> select * from radusergroup;
+----------+-------------+----------+
| username | groupname   | priority |
+----------+-------------+----------+
| testuser | normalusers |        1 |
+----------+-------------+----------+
1 row in set (0.00 sec)

When I start radiusd in debug mode and test from another window I get 
this output.


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58605, id=234, 
length=60

User-Name = testuser
User-Password = testpass
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[sql]   expand: %{Stripped-User-Name} -
[sql] sql_set_user escaped user -- ''
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id - SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = ''   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, 

Re: send radius.log to mysql

2010-12-17 Thread cktan

Hi G,

Thanks for your suggestion. Just noticed I can log a post-auth reject 
message into sql and it worked fine for me. However, it is only for 
Reject message but for the Denied message where is the user account's 
attribute is set to deny. Is that possible the post-auth can log for 
Denied message?


Regards
cK

Gideon le Grange wrote:
> On 17 Dec 2010, at 11:13 AM, cktan wrote:
>
>> I'm looking for possibility to inject the log from radius.log into mysql DB for 
>> some monitoring purpose. Any better suggestion? I tried with Syslog-NG and it 
>> just won't send radius.log to my syslog server but only system log...
>
> Have a look at rsyslog http://www.rsyslog.com/
>
> G

Re: Freeradius + mysql Auth-Type error...

2010-12-17 Thread Alan DeKok
Todd Bateman wrote:
>  I have been trying to get freeradius + mysql to play nice together for
> the past few days and no matter what HOW TO or Tutorial I follow the end
> result is the same when I run radtest from the command line I get
> Access-Reject. In the HOW TO/Tutorials I have followed I was told to
> make my /etc/raddb/sites-available/default like the following:

  i.e. you've butchered the default configuration by following some
un-named, out-dated, and entirely *wrong* third-party documentation.

  Is there any reason you don't use the documentation that's included
with the server?  Or read the Wiki?

  Honestly.  The Wiki contains *explicit* instructions for what to do.
*None* of that includes destroying the configuration.

  Use the default configuration.  Follow the FreeRADIUS documentation.

  Alan DeKok.