[mysql+freeradius]add attribute for freeradius
Hi All

I would like to create radcheck table and new attribute as below. How do I configure the freeradius server to recognize and send the attribute value?

id    | username | attribute          | op | value
------+----------+--------------------+----+---------------------
1     | gary     | Expiration         | := | 30 Aug 2012 12:00:00
10001 | gary     | Cleartext-Password | := | 12345678
10002 | gary     | Download-Stream    | := | 100
10003 | gary     | Upload-Stream      | := | 512000

Best Regards
Gary

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [mysql+freeradius]add attribute for freeradius
2011/7/28 gary gary.y...@browan.com:
> Hi All
>
> I would like to create radcheck table and new attribute as below. How do I configure the freeradius server to recognize and send the attribute value?
>
> id    | username | attribute          | op | value
> ------+----------+--------------------+----+---------------------
> 1     | gary     | Expiration         | := | 30 Aug 2012 12:00:00
> 10001 | gary     | Cleartext-Password | := | 12345678
> 10002 | gary     | Download-Stream    | := | 100
> 10003 | gary     | Upload-Stream      | := | 512000

Let's see.

First, FR must recognize the attribute. Look at where dictionary files are installed (usually /usr/share/freeradius or /usr/local/share/freeradius), make sure the attribute is listed there. If it's not, you need to get the right dictionary file (usually from your NAS vendor). First look says Upload-Stream and Download-Stream is not a valid radius attribute (or at least you need an additional dictionary file).

Second, about attributes in SQL. See doc/rlm_sql. You need to understand the difference between check items and reply items.

Third, about expiration, see raddb/modules/expiration. It should be self-explanatory.

--
Fajar
SQL check in XOR
Hi to all,

I have more SQL in which check for accounting infos. In my sites-enabled/default file I have in my accounting section:

{
...
sql1
sql2
sql3
...
}

I notice that in this way the process checks if AT LEAST one of the above tables returns ok, but I'd want the accounting module to return OK iff exactly ONE of them returns ok. Is there a way to configure in this XOR way?

Thanks in advance.
Regards

--
Rosario L.
Re: [mysql+freeradius]add attribute for freeradius
Hi Fajar

Thanks for your information.

Best Regards
Gary
BROWAN COMMUNICATIONS INC.
Tel:886-3-600-6899 ext.4842
Fax:886-3-597-2970
e-mail:gary.y...@browan.com
Re: Freeradius closes
Alexander Clouter a...@digriz.org.uk wrote:
> I am though currently trying to pin down a bug where FreeRADIUS just closes itself down for no reason at all. I have run tcpdump during the clean shutdown, and see it is not malformed traffic causing the problem, RAM usage is normal, open FD's is sane, etc etc. Caught the event many times with gdb, but it's not a SIG, just a regular exit(). Currently now running FreeRADIUS in production with -X to see if there is anything in the full debug logs...

Caught it!

[snipped]
rlm_sql (sql.dot1x): Reserving sql socket id: 1
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql.dot1x): Released sql socket id: 1
++[sql.dot1x] returns ok
++? if (invalid)
? Evaluating (invalid) - FALSE
++? if (invalid) - FALSE
++? if (failed)
? Evaluating (failed) - TRUE
++? if (failed) - TRUE
++- entering if (failed) {...}
+++? if (Acct-Status-Type == Stop (!(Acct-Session-Time) || Acct-Session-Time == 0) Packet-Transmit-Counter 5)
? Evaluating (Acct-Status-Type == Stop ) - FALSE
??? Skipping (Acct-Session-Time)
?? Skipping (Acct-Session-Time == 0)
? Skipping (Packet-Transmit-Counter 5)
+++? if (Acct-Status-Type == Stop (!(Acct-Session-Time) || Acct-Session-Time == 0) Packet-Transmit-Counter 5) - FALSE
++- if (failed) returns ok
} # server dot1x.decoupled-accounting
Finished request 10642.
Cleaning up request 10642 ID 25817 with timestamp +5748
Going to the next request
Detail listener /var/log/freeradius/radacct/journal/dot1x/detail.acct.* state replied signalled 0 waiting 0.214551 sec
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, length=38
[event.c:3002] Failed to insert event

There seem to be a bunch of malloc()'s where it could fail lurking behind INSERT_EVENT(). I am pretty sure that the system is not running out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to track this over time.

Any ideas?

Cheers

--
Alexander Clouter
.sigmonster says: The faster we go, the rounder we get. -- The Grateful Dead
Re: Freeradius closes
On Thu, Jul 28, 2011 at 4:42 PM, Alexander Clouter a...@digriz.org.uk wrote:
> rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, length=38
> [event.c:3002] Failed to insert event
>
> There seem to be a bunch of malloc()'s where it could fail lurking behind INSERT_EVENT(). I am pretty sure that the system is not running out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to track this over time.
>
> Any ideas?

What happens when you send Status-Server packet manually (see man radclient for example)? Does the failure happen?

--
Fajar
RE: segmentation fault freeradius 2.1.7 using rlm_sql
I did, from 1.1.7

And still I get the exact same result (segmentation faults)

-Original Message-
From: freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org [mailto:freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, July 27, 2011 4:33 PM
To: FreeRadius users mailing list
Subject: Re: segmentation fault freeradius 2.1.7 using rlm_sql

Amir Tal wrote:
> For some unknown reason radiusd keeps getting segmentation faults, every few days and even after several hours of work.

Upgrade.

Alan DeKok.
Re: SQL check in XOR
Rosario Lumia wrote:
> I have more SQL in which check for accounting infos. In my sites-enabled/default file I have in my accounting section:
> ..
> I notice that in this way the process check if AT LEAST one of above tables returns ok, but I'd want accounting module returns OK iff exactly ONE of that returns ok. Is there a way to configure in this XOR way?

$ man unlang

This is documented.

Alan DeKok.
Re: segmentation fault freeradius 2.1.7 using rlm_sql
On Thu, Jul 28, 2011 at 7:04 PM, Amir Tal a...@ccc.co.il wrote:
> I did, from 1.1.7
>
> And still I get the exact same result (segmentation faults)

I think what Alan means is upgrade to latest FR version, as (presumably) the bug is fixed in later version.

Since RHEL/Centos 5 only comes with freeradius2-2.1.7, you need to either compile from source (latest git snapshot of v.2.1.x branch would be good, see https://github.com/alandekok/freeradius-server/tree/v2.1.x) or build your own RPM (see http://wiki.freeradius.org/Red_Hat_FAQ#How+to+build+an+SRPM)

--
Fajar

> -Original Message-
> From: freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org [mailto:freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Wednesday, July 27, 2011 4:33 PM
> To: FreeRadius users mailing list
> Subject: Re: segmentation fault freeradius 2.1.7 using rlm_sql
>
> Amir Tal wrote:
>> For some unknown reason radiusd keeps getting segmentation faults, every few days and even after several hours of work.
>
> Upgrade.
>
> Alan DeKok.
Re: Freeradius closes
Fajar A. Nugraha l...@fajar.net wrote:
> On Thu, Jul 28, 2011 at 4:42 PM, Alexander Clouter a...@digriz.org.uk wrote:
>> rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, length=38
>> [event.c:3002] Failed to insert event
>>
>> There seem to be a bunch of malloc()'s where it could fail lurking behind INSERT_EVENT(). I am pretty sure that the system is not running out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to track this over time.
>>
>> Any ideas?
>
> What happens when you send Status-Server packet manually (see man radclient for example)? Does the failure happen?

Status-Server is sent from localhost once a second as part of the failover system I use:

http://www.digriz.org.uk/ha-ospf-anycast

The script used is:

http://www.digriz.org.uk/ha-ospf-anycast?action=AttachFiledo=gettarget=radius-probe

I do not think it is related to it as sometimes days can pass between the daemon exiting and on this occasion it was only an hour or two. If it was related to the cumulative number of requests being processed, I would expect a roughly regular 'death' interval.

I do not think it is load related either as we have had the system die at all hours of the day.

Cheers

--
Alexander Clouter
.sigmonster says: Unix soit qui mal y pense [Unix to him who evil thinks?]
Re: Freeradius closes
Alexander Clouter wrote:
> rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, length=38
> [event.c:3002] Failed to insert event

Ouch.

> There seem to be a bunch of malloc()'s where it could fail lurking behind INSERT_EVENT(). I am pretty sure that the system is not running out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to track this over time.
>
> Any ideas?

Hmm... 512MB isn't a lot for a modern system. And on Linux, malloc() never fails.

The other alternative is some kind of internal API problem. But those should all be fixed in git head.

Alan DeKok.
Unlang issue
I'm running FR 2.1.6 (I know - I plan to upgrade later this year). Is there anything wrong syntactically with the following code or is this a bug that was fixed since 2.1.6?

if (Client-IP-Address == 172.20.16.28 || Client-IP-Address == 172.20.204.10)) {
    update request {
        Huntgroup-Name := GlobalRoaming
    }
}
#
# If NAS is an autonomous AP, get SSID from Cisco-AVPair
#
if (Huntgroup-Name == EEProdAP || \
    Huntgroup-Name == EETestAP) {
    if (Cisco-AVPair =~ /ssid=(.*)/) {
        update request {
            SSID-Name = %{1}
        }
    }
}

I ask because the first if statement only works if the Client-IP-Address matches the first address listed (172.20.16.28). I would expect that it would evaluate to true if Client-IP-Address matches either of the addresses. Here's a snippet of debug output that illustrates the problem - it doesn't appear to finish the logical or comparison:

Info: ++? if (Called-Station-Id (Client-IP-Address == 172.20.16.28 || Client-IP-Address == 172.20.204.10))
Info: ? Evaluating (Called-Station-Id ) - TRUE
Info:expand: %{Client-IP-Address} - 172.20.204.10
Info: ++? if (Huntgroup-Name == EEProdAP || Huntgroup-Name == EETestAP)
Info: (Attribute Huntgroup-Name was not found)

When I switch the order of the addresses for the logical or, I see the following in debug (it does the comparison and returns TRUE):

Info: ++? if (Called-Station-Id (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28))
Info: ? Evaluating (Called-Station-Id ) - TRUE
Info:expand: %{Client-IP-Address} - 172.20.204.10
Info: ?? Evaluating (Client-IP-Address == 172.20.204.10 ) - TRUE
Info: ?? Skipping (Client-IP-Address == 172.20.16.28)
Info: ++? if (Called-Station-Id (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28)) - TRUE
Info: ++- entering if (Called-Station-Id (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28)) {...}
Info: +++[request] returns ok
Info: ++- if (Called-Station-Id (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28)) returns ok
Info: ++? if (Huntgroup-Name == EEProdAP || Huntgroup-Name == EETestAP)
Info: ? Evaluating (Huntgroup-Name == EEProdAP ) - FALSE
Info: ? Evaluating (Huntgroup-Name == EETestAP) - FALSE
Info: ++? if (Huntgroup-Name == EEProdAP || Huntgroup-Name == EETestAP) - FALSE
chilli + freeradius + opendirectory
Hi,

I'm moving step by step to get my system working...

My architecture is:

WEB.CLIENT---CHILLI(captive.portal)---FREERADIUS---OPENLDAP

My problem now is between chilli and opendirectory THRU freeradius. Chilli supports chap or pap. I'm not able to use chap because it's not compatible with openldap and I get as an error message that I need a text-plain password. I'm not sure that using pap, it could be working. If I'm right, I'm able to convert the password to plain-text after chilli and before radius..., or am I wrong?

Is there a way I can authenticate my users from web-interface on opendirectory thru FREERADIUS? The other way could be kerberos but, if I have understood well, I'll get the same problem.

Give me some help, please.

Regards,
Max
Re: Unlang issue
Garber, Neal wrote:
> I’m running FR 2.1.6 (I know - I plan to upgrade later this year). Is there anything wrong syntactically with the following code or is this a bug that was fixed since 2.1.6?

I think it's fixed in a later version.

Alan DeKok.
Re: Unlang issue
On 28/07/11 16:12, Garber, Neal wrote:
> I’m running FR 2.1.6 (I know - I plan to upgrade later this year). Is there anything wrong syntactically with the following code or is this a bug that was fixed since 2.1.6?
>
> if (Client-IP-Address == 172.20.16.28 || Client-IP-Address == 172.20.204.10)) {
>     update request {
>         Huntgroup-Name := GlobalRoaming
>     }

Try:

if ((Client-IP-Address == x) || (Client-IP-Address == y)) {
}

> }
> #
> # If NAS is an autonomous AP, get SSID from Cisco-AVPair
> #
> if (Huntgroup-Name == EEProdAP || \
>     Huntgroup-Name == EETestAP) {

Again; group the sub-conditions.
RE: Unlang issue
Ok, thanks Alan. I'll split it into two if stmts as a workaround for now..

BTW, when posting the code and trying to make it look nicer, I mangled it. The original code really looked like this:

if (Called-Station-Id (Client-IP-Address == 172.20.16.28 || \
    Client-IP-Address == 172.20.204.10)) {
    update request {
        Huntgroup-Name := GlobalRoaming
    }
}

Sorry for the confusion..
Re: chilli + freeradius + opendirectory
I forgot to say that LDAP is on MAC OSX, so it's Opendirectory, not the standard OPENLDAP...

WEB.CLIENT--CHILLI--FREERADIUS--OPENDIRECTORY

With radtest it works amazingly but not passing to chilli :(

Regards.
RE: Unlang issue
> Try:
>
> if ((Client-IP-Address == x) || (Client-IP-Address == y)) {
> }

Thanks for the suggestion Phil. I'll give that a try..
Re: chilli + freeradius + opendirectory
Massimiliano Tommasi wrote:
> If I'm right, I'm able to convert the password to plain-text after chilli and before radius..., or am I wronging?

No. It's impossible.

> Is there a way, I can authenticate my users from web-interface on opendirectory thru FREERADIUS?

Fix Chillispot so that it sends User-Password, not CHAP-Password.

Alan DeKok.
Re: chilli + freeradius + opendirectory
Chilli supports PAP and, if I'm right, the password is in clear-text. CHAP isn't invertible, this is clear.

My only question is ... if it's possible to move from pap to opendirectory. The only way I have to authenticate is to pass clear-text to opendirectory but this doesn't happen :(

Isn't enough PAP, Alan? Do you have any idea, where it's the mistake?

Thanks
Max

On 28/07/11 18.30, Alan DeKok wrote:
> Massimiliano Tommasi wrote:
>> If I'm right, I'm able to convert the password to plain-text after chilli and before radius..., or am I wronging?
>
> No. It's impossible.
>
>> Is there a way, I can authenticate my users from web-interface on opendirectory thru FREERADIUS?
>
> Fix Chillispot so that it sends User-Password, not CHAP-Password.
>
> Alan DeKok.
Re: chilli + freeradius + opendirectory
Massimiliano Tommasi wrote:
> My only question is ... if it's possible to move from pap to opendirectory. The only way I have to authenticate is to pass clear-text to opendirectory but this doesn't happend :(
>
> Isn't enough PAP, Alan?

Yes.

> Do you have any idea, where it's the mistake?

No. Perhaps the debug log might help?

Alan DeKok.
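The PAP versus CHAP point made in this thread, as an added example that is not part of any poster's message and is not FreeRADIUS code: PAP's User-Password hiding (RFC 2865 section 5.2) is reversible with the shared secret, so the server can hand the cleartext to a directory bind, while a CHAP-Password is an MD5 over the password and cannot be checked without the cleartext. `BindOnlyDirectory`, the user name, the shared secret and the passwords are constructed stand-ins.

```python
import hashlib
import hmac
import os


def _md5(data):
    return hashlib.md5(data).digest()


def pap_hide(password, secret, authenticator):
    """NAS side: hide User-Password as RFC 2865 section 5.2 specifies."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret + prev)))
        out, prev = out + block, block
    return out


def pap_recover(hidden, secret, authenticator):
    """Server side: undo the hiding and get the cleartext password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")


def chap_password(chap_id, password, challenge):
    """NAS side: CHAP-Password = id octet + MD5(id || password || challenge)."""
    return bytes([chap_id]) + _md5(bytes([chap_id]) + password + challenge)


class BindOnlyDirectory:
    """Constructed stand-in for a directory that keeps only salted hashes."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password):
        salt = os.urandom(8)
        self._users[name] = (salt, hashlib.sha256(salt + password).digest())

    def bind(self, name, password):
        if name not in self._users:
            return False
        salt, digest = self._users[name]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password).digest())


def check_pap(directory, name, hidden, secret, authenticator):
    """PAP: recover the cleartext, then let the directory verify it."""
    return directory.bind(name, pap_recover(hidden, secret, authenticator))


def check_chap(known_cleartext, received, challenge):
    """CHAP: the server must recompute the hash, so it needs the cleartext.
    Returns None when no cleartext is available (the bind-only case)."""
    if known_cleartext is None:
        return None
    expected = chap_password(received[0], known_cleartext, challenge)
    return hmac.compare_digest(expected, received)


def demo():
    secret = b"constructed-shared-secret"      # constructed sample values
    password = b"constructed-user-password"
    directory = BindOnlyDirectory()
    directory.add_user("max", password)
    authenticator, challenge = os.urandom(16), os.urandom(16)
    chap = chap_password(7, password, challenge)
    return {
        "pap_ok": check_pap(directory, "max",
                            pap_hide(password, secret, authenticator),
                            secret, authenticator),
        "pap_wrong_password": check_pap(directory, "max",
                                        pap_hide(b"wrong", secret, authenticator),
                                        secret, authenticator),
        "chap_bind_only": check_chap(None, chap, challenge),
        "chap_with_cleartext": check_chap(password, chap, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```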
Re: Freeradius closes
Alan DeKok al...@deployingradius.com wrote:
>> Alexander Clouter wrote:
>> rad_recv: Status-Server packet from host 127.0.0.1 port 50412, id=38, length=38
>> [event.c:3002] Failed to insert event
>
> Ouch.

Indeed. It did only start to happen once I upgraded to 2.1.11 from 2.1.10. Of course I was originally plagued by the OP's problem of the memory leak when using git v2.1.x between these releases; which might have hidden this particular problem.

Before 2.1.11, FreeRADIUS ran fine for weeks.

>> There seem to be a bunch of malloc()'s where it could fail lurking behind INSERT_EVENT(). I am pretty sure that the system is not running out of RAM (it is a 512MB box) but I am now priming up snmpd and RRD to track this over time.
>>
>> Any ideas?
>
> Hmm... 512MB isn't a lot for a modern system. And on Linux, malloc() never fails.

...plenty though. Over nearly 12 hours of use, RAM usage for FreeRADIUS is still at 15MB for one of my nodes and the other is 17MB. Linux is using the 280MB for filesystem cache and still has 180MB free!

> The other alternative is some kind of internal API problem. But those should all be fixed in git head.

If you think there is something relevant in v2.1.x since 2.1.11 then I'll give it a go sooner rather than later. Can you think of something that might not be system RAM related but maybe caused by another possible RAM limit, heap, stack whatever it is (not quite my forte)?

Cheers

--
Alexander Clouter
.sigmonster says: Money may buy friendship but money cannot buy love.
Re: Freeradius mysql (problem)
Hi,

I have the exact same problem here with a Linksys access point. The Access list to the AP works fine allowing the client to connect. But the authentication fails.

When I enter the client with its login in the users file like this

myclientuser Cleartext-Password := myclientspassword

it works fine. As soon as I try this on the mysql System I do not get the access. The Allowed hosts access still works fine
Re: can policy.conf be used to create an access control list
I finally upgraded to freeradius 2.1.11, but am seeing the same problem of the same policy not working. Any additional info/insight?
Re: Freeradius closes
Alexander Clouter wrote:
> Indeed. It did only start to happen once I upgraded to 2.1.11 from 2.1.10. Of course I was originally plagued by the OP's problem of the memory leak when using git v2.1.x between these releases; which might have hidden this particular problem.
>
> Before 2.1.11, FreeRADIUS ran fine for weeks.

Hmm... looking at the changes, I don't see much that could have caused this. I'll see if I can come up with a patch to help narrow it down.

> If you think there is something relevant in v2.1.x since 2.1.11 then I'll give it a go sooner rather than later. Can you think of something that might not be system RAM related but maybe caused by another possible RAM limit, heap, stack whatever it is (not quite my forte)?

If the crash is consistently in the same place, then it's a coding bug, not an overflow.

Alan DeKok.
Re: Yet another multiple SSID setup question
Ok, I've gotten a little bit further with setting up my multiple SSID stuff. I'm still working with just the test SSID, trying to get PEAP/MSCHAP working, but running into problems with the inner virtual server and would appreciate any further help. It's failing on the inner tunnel with an error that it has no value specified for the auth type, but shouldn't that be set by the eap module?

eap.conf excerpt (left out the rest which is mostly default):

eap eap_cuesta {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = inner-tunnel-cuesta
    }
}

default:

authorize {
    preprocess
    auth_log
    rewrite_called_station_id
    switch Called-Station-Ssid {
        case test {
            eap_cuesta
        }
    }
}
authenticate {
    Auth-Type eap_cuesta {
        eap_cuesta
    }
}

inner tunnel:

authorize {
    suffix
    eap_cuesta {
        ok = return
    }
}
authenticate {
    mschap_cuesta
}

debug output:

rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=198, length=199
User-Name = nicholas_kartsioukas
Calling-Station-Id = 00-23-4e-ba-6b-f4
Called-Station-Id = 00-1a-a2-c1-2c-30:test
NAS-Port = 29
NAS-IP-Address = 10.32.33.1
NAS-Identifier = slo-wlc-1
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 17
EAP-Message = 0x02010019016e6963686f6c61735f6b61727473696f756b6173
Message-Authenticator = 0x87ae80681a5d9a1624592e7a03d518a5
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728
[auth_log] expand: %t - Thu Jul 28 17:04:57 2011
++[auth_log] returns ok
++- entering policy rewrite_called_station_id {...}
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) - TRUE
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) - TRUE
+++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} - 001aa2c12c30
expand: %{7} - test
[request] returns ok
+++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok
+++ ... skipping else for request 0: Preceding if was taken
++- policy rewrite_called_station_id returns ok
++- entering switch Called-Station-Ssid {...}
+++- entering case test {...}
[eap_cuesta] EAP packet type response id 1 length 25
[eap_cuesta] No EAP Start, assuming it's an on-going EAP conversation
[eap_cuesta] returns updated
+++- case test returns updated
++- switch Called-Station-Ssid returns updated
Found Auth-Type = eap_cuesta
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group eap_cuesta {...}
[eap_cuesta] EAP Identity
[eap_cuesta] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap_cuesta] returns handled
Sending Access-Challenge of id 198 to 10.32.33.1 port 32769
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x0b294f320b2b565e0f7fc7d47ec4907c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=199, length=297
User-Name = nicholas_kartsioukas
Calling-Station-Id = 00-23-4e-ba-6b-f4
Called-Station-Id = 00-1a-a2-c1-2c-30:test
NAS-Port = 29
NAS-IP-Address = 10.32.33.1
NAS-Identifier = slo-wlc-1
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group
RE: Yet another multiple SSID setup question
> It's failing on the inner tunnel with an error that it has no value specified for the auth type, but shouldn't that be set by the eap module?

It didn't say no value, it said unknown value. The debug output showed the value of Auth-Type as eap_cuesta:

Found Auth-Type = eap_cuesta
WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.

The problem is that the Auth-Type (eap_cuesta) doesn't exist in your inner-tunnel-cuesta authenticate section. You are also missing mschap_cuesta in the authorize section. Try this:

inner tunnel:

authorize {
    suffix
    mschap_cuesta
    eap_cuesta {
        ok = return
    }
}
authenticate {
    mschap_cuesta
    eap_cuesta
}