Re: Need help to store user details
Store them how, where, and for what purposes?

On 9/19/2011 23:07, Rajkumar balaji wrote:
> Hi All,
> I just want to store user details like: the user name is ABC and the user belongs to XYZ group and PQR group.
> Thanks
> Regards
> Rajkumar Balaji
> --
> View this message in context: http://freeradius.1045715.n5.nabble.com/Need-help-to-store-user-details-tp4821498p4821498.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help to store user details
On Tue, Sep 20, 2011 at 1:07 PM, Rajkumar balaji <rajkumar.balaj...@gmail.com> wrote:
> Hi All,
> I just want to store user details like: the user name is ABC and the user belongs to XYZ group and PQR group.

LDAP/files/SQL/whatever? e.g. https://github.com/alandekok/freeradius-server/blob/v2.1.x/doc/rlm_sql

--
Fajar
Re: Need help to store user details
The purpose is: after the authentication I need to retrieve the group details associated with this user and, according to them, authorize the user. Store it in FreeRADIUS (a text file is also fine), and I want to retrieve it using the JRADIUS API. I am new to RADIUS concepts, so please guide me on implementing this.

Thanks
Regards
Rajkumar Balaji
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
uselessidbr wrote:
> People, I've read a lot about the WIFI/AP authentication over FreeRADIUS using LDAP, but it seems I cannot make it work unless I use clear-text passwords or NT/LM passwords, which as far as I know implies Samba + LDAP integration.

http://deployingradius.com/documents/protocols/compatibility.html

Note it doesn't mention Samba. NT-Passwords are a password *format*. They can be stored anywhere.

> My question is, is that really the only way to make FreeRADIUS authenticate users using an LDAP database? Do I need to have Samba + LDAP to authenticate WIFI users using FreeRADIUS + LDAP with EAP-MSCHAPv2?

No. You need cleartext passwords, or NT passwords. Where they are stored is a completely separate question.

> With my current configuration I was able to authenticate LDAP users with clear-text passwords, but that's not what I really want as a WIFI authentication solution. My goal is to use FreeRADIUS to authenticate WIFI users using an LDAP database and without the need to use a non-native Windows application.

You can do that. Only if you use the correct password format.

> Here goes my debug using an encrypted user password (which fails):

It fails because you didn't tell the server what the correct password was.

Alan DeKok.
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Christ Schlacta wrote:
> I thought if you had a certificate signed by a trusted root CA, you were good and didn't need to install anything on the client.

It's true that you don't need to install anything on the client. It's *not* true that it's a good idea.

Alan DeKok.
redundant FreeRadius Servers
Hello,

I need two FreeRADIUS servers which hold the same, consistent data. I'm testing on two Ubuntu 10.4 machines with freeradius 2.1.8. My Cisco asks the first and, if the first is not available, it asks the second. Is there any information on this topic? I use freeradius with MySQL. Is MySQL replication a good idea?

Best Regards,
Simon
Re: redundant FreeRadius Servers
Just ensure that they have the same config. If you want to use MySQL, then master/slave replication would be a way of achieving that.

alan
Authorization help
Hi All,

Thanks for helping me to authenticate with FreeRADIUS. Now I am able to authenticate successfully. Please help me to resolve the following issue: how do I get authorization with FreeRADIUS? Where do I store the user group details and his permissions? (Which file do I have to store them in?)

Thanks
Regards
Rajkumar
Freeradius performance problem
Hello guys,

I have inherited the administration of a RADIUS server that authenticates 900 PPPoE users on a MikroTik box. I've noticed that there is some performance problem: the MikroTik box shows that the last request RTT in some cases is up to 1000ms, there are some resent requests and also some timeouts. In order to mitigate the problem I've disabled the interim update, and the timeouts are drastically reduced, but they still exist. I use the MySQL back-end; I've checked if there are slow queries but the file is empty (of course it is enabled...). The server is a dual core Xeon 3.0GHz with 1 GB of RAM. The OS is Debian Linux stable; freeradius is 2.1.10 installed from the Debian package.

Configuration of thread/server:

max_request_time = 30
cleanup_delay = 2
max_requests = 10240
thread pool {
        start_servers = 20
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

Any ideas?

Best Regards,
--
Giuseppe Marocchio
Re: 2.1.12 potential problem...
I cannot see it's giving this error while starting. Do I have to change the installation directory or the library directory in radiusd.conf?

[10:15:39.9] gmake[11]: Entering directory `/home/network/Downloads/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_postgresql'
[10:15:39.9] if [ x != x ]; then \
[10:15:39.9]    /home/network/Downloads/freeradius-server-2.1.12/libtool --mode=install /home/network/Downloads/freeradius-server-2.1.12/install-sh -c -c \
[10:15:39.9]    .la /usr/local/lib/.la || exit $?; \
[10:15:39.9]    rm -f /usr/local/lib/-2.1.12.la; \
[10:15:39.9]    ln -s .la /usr/local/lib/-2.1.12.la || exit $?; \
[10:15:39.9] fi

DETAIL LOG file: http://freeradius.1045715.n5.nabble.com/file/n4822062/installtionlog.txt

- Deniz AYDIN
Senior Network Engineer
Re: 2.1.12 potential problem...
On 20/09/2011 11:38, denizaydin wrote:
> I cannot see it's giving this error while starting. Do I have to change the installation directory or the library directory in radiusd.conf?
> [...]
> DETAIL LOG file: http://freeradius.1045715.n5.nabble.com/file/n4822062/installtionlog.txt

You have to read the output of ./configure ...

[10:12:29.8] === configuring in ./drivers/rlm_sql_postgresql (/home/network/Downloads/freeradius-server-2.1.12/src/modules/rlm_sql/./drivers/rlm_sql_postgresql)
[10:12:29.8] configure: running /bin/sh ./configure '--prefix=/usr/local' '--enable-ltdl-install' --cache-file=/dev/null --srcdir=.
[10:12:30.0] checking for gcc... gcc
[10:12:30.1] checking for C compiler default output file name... a.out
[10:12:30.2] checking whether the C compiler works... yes
[10:12:30.2] checking whether we are cross compiling... no
[10:12:30.2] checking for suffix of executables...
[10:12:30.3] checking for suffix of object files... o
[10:12:30.3] checking whether we are using the GNU C compiler... yes
[10:12:30.3] checking whether gcc accepts -g... yes
[10:12:30.3] checking for gcc option to accept ISO C89... none needed
[10:12:30.3] checking for libpq-fe.h... no
[10:12:30.8] checking for PQconnectdb in -lpq... no
[10:12:31.2] configure: WARNING: silently not building rlm_sql_postgresql.
[10:12:31.2] configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.

Fix this, and then re-compile it.

-James
radzap: Nothing to send
Hello,

I have a script using radzap to zap clients. This script worked with freeradius 1.1.7, but since I updated to 2.1.10 it doesn't work. The command I run is:

root@vulpes21:~/scripts/radius# radzap -P 9937 -u user -N 10.57.112.8 localhost secret
radclient: Nothing to send.

The output for this user in radwho -R is:

User-Name = user
Acct-Session-Id = 2CC6
NAS-IP-Address = 10.57.112.8
NAS-Port = 9938
Service-type = Login-User
Framed-IP-Address =
Acct-Session-Time = 92
Calling-Station-Id = 9084.0d64.2d83

Any idea? One difference between my 1.1.7 config and the new one is that now I'm using virtual servers. Could that be the reason?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
User + X Authentication
Hi,

We are successfully running the following version on our network for our DSL users:

FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

FreeRADIUS was compiled with MySQL, and radcheck is used for authentication along with the other relevant tables. We recently had a scenario where the security of a CPE is a concern, and using PPP authentication is not enough. Someone suggested using the router's MAC address along with PPP username/password authentication. But this method would rely on getting the router's MAC address during the PPP negotiation, and it might be coming via the Calling-Station-Id attribute; other suggestions are about using EAP and certificates on the router. I would like to find out what would be the best way to go for an extra layer of authentication-based security while using FreeRADIUS, and how can that be done with MySQL?

Regards
Raz
Re: Freeradius performance problem
Giuseppe Marocchio wrote:
> I have inherited the administration of a RADIUS server that authenticates 900 PPPoE users on a MikroTik box. I've noticed that there is some performance problem: the MikroTik box shows that the last request RTT in some cases is up to 1000ms, there are some resent requests and also some timeouts. In order to mitigate the problem I've disabled the interim update, and the timeouts are drastically reduced, but they still exist.

A 386 should handle 900 users without a problem.

> I use the MySQL back-end; I've checked if there are slow queries but the file is empty (of course it is enabled...).

(shrug) Performance issues are almost always the DB.

> The server is a dual core Xeon 3.0GHz with 1 GB of RAM. The OS is Debian Linux stable; freeradius is 2.1.10 installed from the Debian package.

So it's not the RADIUS server which is the problem. That amount of CPU power is more than enough.

> Any ideas?

Fix the database. If you don't think it's the DB, configure a test server on the same machine which doesn't use the DB. It will handle 2000+ packets per second.

Alan DeKok.
Re: 2.1.12 potential problem...
Sorry for that, I hadn't checked the configure output; that's my fault. But 2.1.11 was working fine. Never mind, 2.1.12 is working now.

- Deniz AYDIN
Senior Network Engineer
Re: Reverting Accept-Reject to Access-Accept
Thanks a lot James, that solved my problem with version 2.1.12.

authorize {
        Autz-Type PPPOE_SUBSCRIBER {
                sql
                if (notfound) {
                        update control {
                                Auth-Type := Accept
                        }
                }
        }
}

[sql] User ccotesist06adsl not found
++[sql] returns notfound
++? if (notfound)
? Evaluating (notfound) -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound) {...}
+++[control] returns notfound
++- if (notfound) returns notfound
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user

- Deniz AYDIN
Senior Network Engineer
Radius client redundance
Hi,

We have configured EAP-PEAP with freeradius, and forward the MS-CHAP-V2 request to a Microsoft NPS server. This works fine, but we now want to implement one more Microsoft NPS server, so how do we define a second radius client, so that if the first one fails, it will automatically try the next?

We have configured the following:

clients.conf

client merucontroller01 {
        ipaddr = xxx.xxx.xxx.1
        secret = secretkey
        nastype = other
        require_message_authenticator = no
}

proxy.conf

realm DEFAULT {
        authhost = xxx.xxx.xxx.1:1812
        accthost = xxx.xxx.xxx.1:1813
        secret = secretkey
}

So could I just add another IP here, xxx.xxx.xxx.2, in both?

Thanks for your reply.
Regards
Ole
Using unlang to customize Tunnel-Medium-Type for 3com switches
Hi,

My problem: I use RADA on 2 lines of 3Com switches:
- those with ComWare 5 expect RADIUS to return Tunnel-Medium-Type = IEEE-802
- those with ComWare 3 expect Tunnel-Medium-Type = 802

Of course, in users, I can use only one of those values, as follows:

f0-0f-de-ad-f0-01 Cleartext-Password := f0-0f-de-ad-f0-01
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id := 3,
        Tunnel-Type = VLAN

Fortunately, after switching the RADIUS mode on the ComWare 3 switches to extended, they started to introduce themselves:

rad_recv: Access-Request packet from host 172.23.30.70 port 41201, id=97, length=130
        User-Name = f0-0f-de-ad-f0-01
        User-Password = f0-0f-de-ad-f0-01
        NAS-IP-Address = 172.23.30.210
        NAS-Identifier = deadbeef1e02
        NAS-Port = 16867329
        NAS-Port-Id = unit=1;subslot=0;port=22;vlanid=1
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = f00f-dead-f001
        3Com-Connect_Id = 9
        3Com-Product-ID = 4200G
        3Com-NAS-Startup-Timestamp = 954636905

I can see 3Com-Product-ID = 4200G, and I would like to change Tunnel-Medium-Type to 802 if I see it.

After looking at the unlang man page (explains the basics, but shows no examples), radiusd.conf (still no examples), and googling (some examples, but I counted 4 of them; maybe I searched the wrong way, but see for yourself what "unlang examples" yields), I decided to write here for help.

From what I read, I should add the condition in the post-auth section. As I understand it, it should look like this:

if ( %{request:3Com-Product-ID} == 4200G ) {
        update reply {
                Tunnel-Medium-Type = 802
        }
}

Is that about right? (And yes, I should find that out by myself; the only explanation is that a test system setup would take ~3-4 hrs and I can't do testing on production, whereas I count on you being able to tell right from wrong in about ~5 sec.)

Thanks in advance,
Stan
Re: Using unlang to customize Tunnel-Medium-Type for 3com switches
Stanisław Kamiński wrote:
> After looking at the unlang man page (explains the basics, but shows no examples), radiusd.conf (still no examples), and googling (some examples, but I counted 4 of them; maybe I searched the wrong way, but see for yourself what "unlang examples" yields), I decided to write here for help.

raddb/policy.conf has a number of examples.

> From what I read, I should add the condition in the post-auth section. As I understand it, it should look like this:
>
> if ( %{request:3Com-Product-ID} == 4200G ) {
>         update reply {
>                 Tunnel-Medium-Type = 802
>         }
> }

Or simpler:

if (3Com-Product-Id == 4200G) {
        ...
}

The %{request:...} isn't needed.

> Is that about right? (And yes, I should find that out by myself; the only explanation is that a test system setup would take ~3-4 hrs and I can't do testing on production, whereas I count on you being able to tell right from wrong in about ~5 sec.)

Asking good questions is good.

Alan DeKok.
Re: Radius client redundance
oleaweel wrote:
> Hi,
> We have configured EAP-PEAP with freeradius, and forward the MS-CHAP-V2 request to a Microsoft NPS server. This works fine, but we now want to implement one more Microsoft NPS server, so how do we define a second radius client, so that if the first one fails, it will automatically try the next?

Packets are sent to home servers, not to RADIUS clients. To configure fail-over, see raddb/proxy.conf. This is documented.

Alan DeKok.
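For a concrete picture of the home-server fail-over Alan refers to, here is an added example configuration (not from the thread and not the FreeRADIUS project's own proxy.conf). It assumes FreeRADIUS 2.x; the names nps1/nps2, the xxx.xxx.xxx.N addresses and the secret are placeholders. The clients.conf entry for the Meru controller stays as it is: the controller is the NAS, and the NPS boxes are home servers, so they do not appear in clients.conf at all. The old-style realm with authhost/accthost can only name one host, which is why the pool form is needed.

```conf
# raddb/proxy.conf (FreeRADIUS 2.x): proxy to two Microsoft NPS servers
# with fail-over. Example added here; names, addresses and secret are
# placeholders.

home_server nps1 {
        type = auth
        ipaddr = xxx.xxx.xxx.1
        port = 1812
        secret = secretkey

        # How long to wait for a reply before counting the server as
        # unresponsive, and how long it may stay "zombie" before it is
        # marked dead and the pool moves on to the next server.
        response_window = 5
        zombie_period = 30

        # Probe a dead server with a throw-away Access-Request so it is
        # brought back automatically. "request" works with any home
        # server, since an Access-Reject still proves it is alive; the
        # username is a placeholder that must not exist on the NPS.
        status_check = request
        username = "status-check-placeholder-user"
        password = "status-check-placeholder-password"
        check_interval = 30
        num_answers_to_alive = 3
}

home_server nps2 {
        type = auth
        ipaddr = xxx.xxx.xxx.2
        port = 1812
        secret = secretkey

        response_window = 5
        zombie_period = 30
        status_check = request
        username = "status-check-placeholder-user"
        password = "status-check-placeholder-password"
        check_interval = 30
        num_answers_to_alive = 3
}

# "fail-over" always uses the first live server in the list order;
# change to "load-balance" if both NPS servers should share the traffic.
home_server_pool nps_pool {
        type = fail-over
        home_server = nps1
        home_server = nps2
}

# The realm now points at the pool instead of a single authhost.
realm DEFAULT {
        auth_pool = nps_pool
}
```

Each home server has its own shared secret with FreeRADIUS, so if the two NPS servers are configured with different secrets, set them per home_server rather than copying one value.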
Re: Using unlang to customize Tunnel-Medium-Type for 3com switches
On 20 Sep 2011, at 19:59, Stanisław Kamiński wrote:
> Hi,
> My problem: I use RADA on 2 lines of 3Com switches:
> - those with ComWare 5 expect RADIUS to return Tunnel-Medium-Type = IEEE-802
> - those with ComWare 3 expect Tunnel-Medium-Type = 802

Oh wow, that's exceptionally retarded. Can you complain to 3COM tech support?

Section 3.31 of RFC3580 lists the tunnel attributes as:

Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID

The RFC author(s) obviously made a mistake, it should have been

Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802 (6)
Tunnel-Private-Group-ID=VLANID

Absolutely no RFC lists 802 (integer) as a valid value for Tunnel-Medium-Type... It's an enumerated integer attribute *sigh*.

It seems that this has been discussed before however http://psg.com/lists/radiusext/2007/msg00854.html ... so no point in ranting about it again.

> if ( %{request:3Com-Product-ID} == 4200G ) {
>         update reply {
>                 Tunnel-Medium-Type = 802
>         }
> }
>
> Is that about right? (And yes, I should find that out by myself; the only explanation is that a test system setup would take ~3-4 hrs and I can't do testing on production, whereas I count on you being able to tell right from wrong in about ~5 sec.)

Though the if statement should probably be

if(3Com-Product-ID == '4200G'){

-Arran

Arran Cudbard-Bell <a.cudba...@freeradius.org>
Betelwiki, Betelwiki, Betelwiki <http://wiki.freeradius.org/> !
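Putting Alan's and Arran's corrections together with the users entry from the question, here is the post-auth section as an added example (not code from the thread). It assumes FreeRADIUS 2.x with the 3Com dictionary loaded, so 3Com-Product-ID is a known attribute; the one point the thread does not spell out is the operator: the users file already put Tunnel-Medium-Type = IEEE-802 in the reply, and a plain "=" in update reply only adds an attribute that is absent, so ":=" is needed to replace it.

```conf
# raddb/sites-enabled/default (FreeRADIUS 2.x), post-auth section.
# Example added here, not from the thread. The users entry keeps
# Tunnel-Medium-Type = IEEE-802 (what ComWare 5 expects); this block
# rewrites it only for switches that announce themselves as 4200G.
post-auth {
        # Attribute names are used directly in conditions; the
        # %{request:...} expansion is unnecessary. The string is
        # quoted so it is compared literally.
        if (3Com-Product-ID == "4200G") {
                update reply {
                        # ":=" replaces the existing reply attribute.
                        # "=" would leave the IEEE-802 value from the
                        # users file in place, since "=" only adds an
                        # attribute that is not already present.
                        Tunnel-Medium-Type := 802
                }
        }

        # The rest of the existing post-auth section (exec, the
        # Post-Auth-Type REJECT block, and so on) follows unchanged.
}
```

Running the server with radiusd -X and sending a test request that carries 3Com-Product-ID = 4200G shows the rewritten reply attribute in the "Sending Access-Accept" block, so the branch can be checked without touching the production switches.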
Telkom DSL confiruration
Hi,

I am looking for an example to compare with, of a RADIUS accept request for Telkom ADSL, as all of a sudden I have routers that do not auth and have throughput issues.

regards
Hilton
Re: MySQL performance
> Don't. Fix the database so that it isn't too slow. See the logs. If the DB is slow, the logs will usually say.

I have no slow queries in mysql-slow.log.

thanks
--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
YetOpen S.r.l. - http://www.yetopen.it/
Via Carlo Torri Tarelli 19 - 23900 Lecco - ITALY - Tel 0341 220 205 - Fax 178 6070 222
GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it

D.Lgs. 196/2003: Please note that all information contained in this message is confidential and for the exclusive use of the addressee. If you have received this message in error, please delete it without copying it, do not forward it to third parties, and notify us as soon as possible. Thank you.
Re: MySQL performance
> is the db on the same server as freeradius?

yes

> there should be something on FR log file. If not, then run the server in debug mode and see which part is slow or spitting out errors.

will try to look for something

--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
Re: MySQL performance
Lorenzo Milesi wrote:
>> Don't. Fix the database so that it isn't too slow. See the logs. If the DB is slow, the logs will usually say.
> I have no slow queries in mysql-slow.log.

Then it must be magic. Hire a wizard to fix the problem.

Something *you did* broke the server. Either say what you did, or good luck solving it yourself. i.e. See the FAQ for useless comments like "it doesn't work", which is what your messages amount to.

Alan DeKok.
Re: MySQL performance
> Then it must be magic. Hire a wizard to fix the problem.

Thanks, your sarcasm is really helpful!

> Something *you did* broke the server. Either say what you did, or good luck solving it yourself. i.e. See the FAQ for useless comments like "it doesn't work", which is what your messages amount to.

I *DID* say what I did: increased the amount of accounted users, nothing else. I said what changes I did to the server in order to improve MySQL performance. This doesn't look to me like saying "it doesn't work". And on the other hand, if I haven't been detailed enough you could have asked more specific questions, and I would have answered, instead of wasting time trolling at me. I haven't been trolling, I didn't say "this software sucks", I just asked for help with a specific problem. So either help, and it'll be appreciated, or I'd suggest you save your time and read other mails.

thanks
--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
Re: MySQL performance
> there should be something on FR log file. If not, then run the server in debug mode and see which part is slow or spitting out errors.

I ran in debug, and saw something which maybe could be wrong:

User-Name = MYUSERNAME
User-Password = \002\234\350v[z\035Y\237\257\354\245\326\213\305.

Usually I can see the passwords. Could it be some encoding problem on the client side? What looks strange to me is that some passwords are fine, some are screwed up this way.

thanks!
--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
Re: MySQL performance
Lorenzo Milesi wrote:
>> Then it must be magic. Hire a wizard to fix the problem.
> Thanks, your sarcasm is really helpful!

It seems to work better than honest suggestions. You've ignored those.

> I *DID* say what I did: increased the amount of accounted users, nothing else.

The *default configuration* doesn't have the problem you described. So... what did you change? "adding users" is *not* the answer I'm looking for.

> I said what changes I did to the server in order to improve MySQL performance.

You edited radiusd.conf to improve MySQL performance? That's magic.

> This doesn't look to me like saying "it doesn't work".

It looks to me like that, which is why I said it.

> And on the other hand, if I haven't been detailed enough you could have asked more specific questions, and I would have answered, instead of wasting time trolling at me. I haven't been trolling, I didn't say "this software sucks", I just asked for help with a specific problem. So either help, and it'll be appreciated, or I'd suggest you save your time and read other mails.

I asked specific questions. You evaded answering.

Again, the default configuration doesn't have this problem. *You* changed the configuration. What was it? Saying "I added more users" is a ridiculous response, and deserves a ridiculous answer.

If the server is taking 1s to respond, *something* is blocking it. That something is almost always an external script, or the DB. Saying "the DB log doesn't show slow queries" is a lazy answer. It means you didn't bother checking for yourself whether or not the DB was slow. The *RADIUS* server likely thinks the DB is slow. I don't care what kind of lies the DB log tells you. Go check for yourself.

If you're not going to *think* in order to track down the problem, you have no hope of fixing the problem.

Alan DeKok.
Re: MySQL performance
Lorenzo Milesi wrote:
>> there should be something on FR log file. If not, then run the server in debug mode and see which part is slow or spitting out errors.
> I ran in debug, and saw something which maybe could be wrong:
>
> User-Name = MYUSERNAME
> User-Password = \002\234\350v[z\035Y\237\257\354\245\326\213\305.

And the REST of the debug output will say "DOUBLE CHECK THE SHARED SECRET". If you're not going to read the debug output, there's no reason to run the server in debugging mode.

> Usually I can see the passwords. Could it be some encoding problem on the client side? What looks strange to me is that some passwords are fine, some are screwed up this way.

Odds are client X has the correct shared secret, and client Y does not. So... the passwords are broken for some clients, and not for others.

Alan DeKok.
Re: MySQL performance
On Tue, Sep 20, 2011 at 8:23 PM, Lorenzo Milesi <lorenzo.mil...@yetopen.it> wrote:
>> there should be something on FR log file. If not, then run the server in debug mode and see which part is slow or spitting out errors.

There are several reasons why I suggest you run the server in debug mode (as also suggested many times on this list, and also on the wiki). For one, it can show you which part is slow (is it really the db, or is it something else). Another one is it can show relevant parts of the config which can help others pinpoint the problem. Pasting only PART of the debug log will only get you (at best) partial guesses.

> I ran in debug, and saw something which maybe could be wrong:
>
> User-Name = MYUSERNAME
> User-Password = \002\234\350v[z\035Y\237\257\354\245\326\213\305.
>
> Usually I can see the passwords. Could it be some encoding problem on the client side?

Maybe. The debug log will also say something like "warning, unreadable password, check shared secret" (or something like that). Did you find it? Did you simply ignore it, or do what it suggested?

> What looks strange to me is that some passwords are fine, some are screwed up this way.

Some things to check:
- does the different case (readable vs unreadable password) come from the same NAS? (If you don't know what a NAS is, see http://en.wikipedia.org/wiki/Network_access_server)
- is the shared secret correct?
- does the login issue happen for ALL users or only for SOME servers?

Basically, if it's a specific user/NAS problem, then you need to focus on those particular users. Again, the debug log will usually help you find out.

--
Fajar
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Hello. Thanks for the answers.

I have no AD integrated with LDAP. Is there any way I can convert an LDAP MD5/SHA hash to an NT hash password?

Thanks!

Alan DeKok <al...@deployingradius.com> wrote:
> [...]

--
Best regards,

GUSTAVO VIEIRA OLIVEIRA
Sistema FIESC
Central de Serviços TIC
TIC - Unidade Integrada de Tecnologia da Informação e Comunicação
e-mail: atendime...@tic.fiescnet.com.br
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
On 09/20/2011 11:03 AM, GUSTAVO VIEIRA OLIVEIRA wrote:
> Is there any way I can convert an LDAP MD5/SHA hash to an NT hash password?

One-way password hashes are called one-way for a reason :-)

To produce a password hash you must start with a cleartext password.

See also: http://deployingradius.com/documents/protocols/compatibility.html

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: MySQL performance
> For one, it can show you which part is slow (is it really the db, or is it something else). Another one is it can show relevant parts of the config which can help others pinpoint the problem. Pasting only PART of the debug log will only get you (at best) partial guesses.

Ok, I missed this, I thought it was a suggestion to me :-)

http://paste.ubuntu.com/693812/

This is the startup log, with the first authentication requests. As you can see, from the same NAS (.67) the first request is with the wrong pw, while the second is fine and an Access-Accept is sent back. I obfuscated passwords and IPs, let me know if there is anything useful you can see. Another weird thing I noticed is that, as you can see at line 155, in the middle of an Access-Accept report there's another rad_recv, like it's mixing up output. I don't know if this is a problem, or if it was doing it already, but it still looks strange. Now I'm running -XX, I will post something from that later.

> Maybe. The debug log will also say something like "warning, unreadable password, check shared secret" (or something like that). Did you find it? Did you simply ignore it, or do what it suggested?

I grepped for "warn" and "err" and found nothing in the debug log. Just a warning for a proxied request, but nothing else.

> Some things to check:
> - does the different case (readable vs unreadable password) come from the same NAS?

Yes. Let's say most of the problems come from a newly deployed NAS.

> - is the shared secret correct?

Yes. This puzzles me: some (half?) of the auths end successfully, others won't, and I cannot figure out where it is failing. Indeed I get the "check secret" message you suggested, but as said some users go through, some others don't... :/

> - does the login issue happen for ALL users or only for SOME servers?

As said above, most of the problems come from a single NAS, which is the busiest. Occasionally other NASes raise the issue, but much less often.

> Basically, if it's a specific user/NAS problem, then you need to focus on those particular users. Again, the debug log will usually help you find

I raised the number of SQL threads even more, and it seems I see fewer radius errors on the client. Now I'll try to compare the failed requests with the log, and will report back.

Thank you very much!
cheers
--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
Re: MySQL performance
On Tue, Sep 20, 2011 at 10:22 PM, Lorenzo Milesi lorenzo.mil...@yetopen.it wrote:
>> For one, it can show you which part is slow (is it really the db, or is it something else). Another one is it can show relevant parts of the config which can help others pinpoint the problem. Pasting only PART of the debug log will only get you (at best) partial guesses.
>
> Ok, I missed this, I thought it was a suggestion to me :-)
> http://paste.ubuntu.com/693812/

What did you use for debug, and what FR version is this? Again, as mentioned in wiki.freeradius.org: Always use "radiusd -X" when debugging! Your output does not look like it comes from FR2's debug log.

> This is the startup log, with the first authentication requests. As you can see, from the same nas (.67) the first request is with the wrong pw, while the second is fine and Access-Accept is sent back. I obfuscated pw and ips, let me know if there is anything useful you can see.
>
> Another weird thing I noticed is that, as you can see at line 155, in the middle of an Access-Accept report there's another rad_recv, like it's mixing up output. I don't know if this is a problem, or if it was doing it already, but it still looks strange.
>
> Now I'm running -XX, I will post later something from that.
>
>> Maybe. The debug log will also say something like "warning, unreadable password, check shared secret" (or something like that). Did you find it? Did you simply ignore it, or do what it suggested?
>
> I grepped for "warn" and "err" and found nothing in the debug log. Just a warning for a proxied request, but nothing else.
>
>> Some things to check:
>> - did the different cases (readable vs unreadable password) come from the same NAS?
>
> Yes. Let's say most of the problems come from a newly deployed nas.

Then start from there. If the db is slow and FR is late to respond, the NAS will usually resend the request and FR will complain when receiving a duplicate request. Your log shows no such event, so my guess is it's not slowness or a db issue.

One simple test is to try using the same user/password to log on from the new, problematic NAS and from a working NAS. Compare debug output from both, and compare both NAS configs. It should help you find out what's wrong.

> I raised even more the number of SQL threads and it seems I see fewer radius errors on the client.

If FR doesn't complain about duplicate requests or no free DB handle (or something like that), then it shouldn't make a difference.

-- 
Fajar
Re: MySQL performance
> The *default configuration* doesn't have the problem you described. So... what did you change? "adding users" is *not* the answer I'm looking for.

This radius has been successfully running for 4y now. Problems arose when we increased the number of users.

> You edited radiusd.conf to improve MySQL performance? That's magic.

I never said that. I never mentioned the config file but the config option, so I must have edited in the RIGHT place, that is (for your check) in /etc/freeradius/sql.conf, which is included into radiusd.conf by $INCLUDE ${confdir}/sql.conf. Happy now?

> I asked specific questions. You evaded answering.

I didn't mean to be evasive! To me "slow" means mysql-slow. I must be (am) wrong about this, but I didn't know what the acknowledged value of "slow" is in radius. Again, I may not be well enough informed, but again a more polite and less evasive answer ("fix the db" can mean a thousand actions!) would have helped.

> If the server is taking 1s to respond, *something* is blocking it. That something is almost always an external script, or the DB. Saying "the DB log doesn't show slow queries" is a lazy answer. It means you didn't bother checking for yourself whether or not the DB was slow.

Again I didn't mean to be lazy, I just had the wrong parameter of "slow".

> And the REST of the debug output will say DOUBLE CHECK THE SHARED SECRET. If you're not going to read the debug output, there's no reason to run the server in debugging mode.

I did that, and it is correct; in fact half of the login requests are successfully replied to! I can't figure out why only /some/ are failing!

> Odds are client X has the correct shared secret, and client Y does not. So... the passwords are broken for some clients, and not for others.

The clients use the same authentication web page, which is a php script that encodes the password against the secret. And it's the very same page for everyone on that nas.

So, by the way, it seems like there are two problems: the wrong passwords, and the failing radius requests. I've checked in the debug output and it seems that most of the failed requests are Interim-Update, so it may even be that the database is not actually my *main* problem right now. I will check request speed, thanks.

ciao
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it
YetOpen S.r.l. - http://www.yetopen.it/
Via Carlo Torri Tarelli 19 - 23900 Lecco - ITALY - Tel 0341 220 205 - Fax 178 6070 222
GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it
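As an added illustration of the "unreadable password, check shared secret" warning discussed in this thread (example code written here, not from FreeRADIUS, the PHP page, or any of the posters), this implements the RFC 2865 section 5.2 User-Password hiding that a NAS or login page performs with the shared secret, and the printability check a server can apply after unhiding: a client with a mistyped secret yields random bytes, which is exactly why only some clients' passwords break. The secrets, authenticator and password are constructed sample values.

```python
import hashlib
import os

# Constructed sample values: the secret the server has for a client, and a
# second, mistyped secret as configured on a different (broken) client.
SECRET_OK = b"testing123"
SECRET_WRONG = b"testing124"


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a 16-octet multiple, then XOR
    each block with MD5(secret + previous block), seeded by the Request
    Authenticator. This is what a NAS (or the PHP page in this thread) does."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], keystream)
        out += block
        prev = block  # the next block is keyed on the *hidden* previous block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. The chain is keyed on the received (hidden)
    blocks, so a wrong secret garbles every block, not just the first."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty 16-octet multiple")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor16(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def is_printable(password: bytes) -> bool:
    """The heuristic behind the server-side warning: a real password is
    printable ASCII; the result of a secret mismatch almost never is."""
    return all(0x20 <= c <= 0x7E for c in password)


def receive(hidden: bytes, server_secret: bytes, authenticator: bytes):
    """Per-request server behaviour: unhide with *its* secret for that
    client, then flag the result if it does not look like a password."""
    pw = unhide_password(hidden, server_secret, authenticator)
    return pw, is_printable(pw)


def demo():
    """Same packet, decoded with the matching and with the mismatched secret."""
    authenticator = os.urandom(16)  # NAS-chosen Request Authenticator
    hidden = hide_password(b"s3cret-wifi-pass", SECRET_OK, authenticator)
    ok_pw, ok_flag = receive(hidden, SECRET_OK, authenticator)
    bad_pw, bad_flag = receive(hidden, SECRET_WRONG, authenticator)
    return ok_pw, ok_flag, bad_pw, bad_flag


if __name__ == "__main__":
    ok_pw, ok_flag, bad_pw, bad_flag = demo()
    print("matching secret  :", ok_pw, "printable" if ok_flag else "UNPRINTABLE")
    print("mismatched secret:", bad_pw, "printable" if bad_flag else "UNPRINTABLE")
```

The unprintable case is the condition the server logs against; when it fires for only one client, that client's secret (not the database) is the first thing to compare.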
Re: MySQL performance
> Your output does not look like it comes from FR2's debug log.

This first debug log was a -x. And yes, it's FR 1.1.7! (yes, I could have said that before)

>> Let's say most of the problems come from a newly deployed nas.
>
> Then start from there. If the db is slow and FR is late to respond, the NAS will usually resend the request and FR will complain when receiving a duplicate request. Your log shows no such event, so my guess is it's not slowness or a db issue.

What makes this nas different from the hundreds I've deployed previously is the traffic load, which is noticeably higher. But if you say so, I'm confident in believing that maybe, as I wrote in the previous mail, FR is not actually my main problem; instead I should start investigating this password generation problem in the php script...

> One simple test is to try using the same user/password to log on from the new, problematic NAS and from a working NAS. Compare debug output from both, and compare both NAS configs. It should help you find out what's wrong.

We had tests like these performed already. Will try again...

Thanks for the suggestions, will report back ASAP!
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it
YetOpen S.r.l. - http://www.yetopen.it/
Via Carlo Torri Tarelli 19 - 23900 Lecco - ITALY - Tel 0341 220 205 - Fax 178 6070 222
GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it
Re: MySQL performance
Lorenzo Milesi wrote:
> Ok, I missed this, I thought it was a suggestion to me :-)
> http://paste.ubuntu.com/693812/

Ugh. Upgrade to 2.1.x.

> Another weird thing I noticed is that, as you can see at line 155, in the middle of an Access-Accept report there's another rad_recv, like it's mixing up output. I don't know if this is a problem, or if it was doing it already, but it still looks strange.

It's an old version. Upgrade.

Alan DeKok.
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
So, there's no other option to use an LDAP database for radius authentication for WIFI users (windows users) without the use of an AD or a 3rd party supplicant?

Also, is there any howto that explains how I can get my setup to work with NtPassword? If I change my radius setup to work with ntpasswords, do I have to set users' passwords again or can it be done automatically?

I just want an alternative that lets me achieve my goal, any idea?

Thanks again!

John Dennis jden...@redhat.com wrote:
> On 09/20/2011 11:03 AM, GUSTAVO VIEIRA OLIVEIRA wrote:
>> Is there any way i can convert an LDAP MD5/SHA hash to a NT hash password?
>
> One-way password hashes are called one-way for a reason :-)
>
> To produce a password hash you must start with a cleartext password.
>
> See also: http://deployingradius.com/documents/protocols/compatibility.html
>
> -- 
> John Dennis jden...@redhat.com
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/

-- 
Regards,
GUSTAVO VIEIRA OLIVEIRA
Sistema FIESC
Central de Serviços TIC
TIC - Unidade Integrada de Tecnologia da Informação e Comunicação
Rod. Admar Gonzaga, 2765 - Itacorubi - 2nd floor
CEP 88034-001 - Florianópolis - SC
Phone (48) 3231-4699 - Fax (48) 3231-4170 - Ext. 44699
e-mail: atendime...@tic.fiescnet.com.br
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
You can use LDAP without needing AD or some 3rd party supplicant on the OS, but as already said, you will need to have the password as nthash or cleartext. Read the compatibility matrix.

alan
-- 
Message may be brief as it has been sent from my mobile
Re: SoH and DHCP
Hi Phil,

It's been a while since we last received feedback about that SoH and DHCP enforcement. I am just wondering if you have any news about it.

Thanks!

On 11-07-20 2:36 PM, Phil Mayers wrote:
> On 07/20/2011 06:07 PM, Francois Gaudreault wrote:
>> Hi,
>> I am trying to make the SoH statements work using the FreeRADIUS DHCP. However, I have issues getting the SoH values from the NAP client. Maybe someone will be able to help.
>> On the client side, the DHCP NAP policy is set to enabled.
>
> Unfortunately the SoH DHCP code is unlikely to work very well - I didn't quite finish it.
>
> The problem is twofold; first, the SoH payloads are >255 bytes (the max size of a DHCP option) so support for DHCP option continuation is needed; this is doubly tedious because Microsoft use a non-standard format for option continuation (main option followed by one or more option 240 IIRC).
>
> The second problem is that the constituent DHCP option(s) are themselves each >253 bytes, which means they are too big to fit inside a VALUE_PAIR structure (which is sized for radius attributes, not DHCP attributes). This means there are two unpalatable choices:
>
> 1. Change the VALUE_PAIR union to include a char dhcpopt[255] member
> 2. Decode DHCP options differently based on length; if <= 253, decode into the octets member of VALUE_PAIR; if > 253, decode into the tlv pointer-indirection method. This seems... dirty, since you're basically using the tlv pointer for options of length 254 or 255 only (although you might want to decode option continuation into the same buffer I guess?)
>
> Basically, some code needs adding to the DHCP portion of FreeRADIUS to handle DHCP option continuation, and options >253 bytes, before the SoH code will work with DHCP.
>
> I don't have much time at the moment, but I might see if I can get this working tomorrow.
>
> Cheers,
> Phil

-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: MySQL performance
On 2011/09/20 05:22 PM, Lorenzo Milesi wrote:
> Ok, I missed this, I thought it was a suggestion to me :-)
> http://paste.ubuntu.com/693812/

What is:

  Can't connect to SNMP agent with SMUX: Connection refused

Is an SNMP connection of some sort maybe slowing it down while authenticating?

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
dictionary file for Motorola RFS series (Symbol)
Hi,

I thought it might be useful for some users to add the dictionary.symbol file below:

VENDOR      Symbol                    388
BEGIN-VENDOR    Symbol

ATTRIBUTE   Symbol-Admin-Role         1     integer
VALUE       Symbol-Admin-Role         Monitor         1
VALUE       Symbol-Admin-Role         Helpdesk        2
VALUE       Symbol-Admin-Role         NetworkAdmin    4
VALUE       Symbol-Admin-Role         SysAdmin        8
VALUE       Symbol-Admin-Role         WebAdmin        16
VALUE       Symbol-Admin-Role         SuperUser       32768

ATTRIBUTE   Symbol-Current-ESSID      2     string
ATTRIBUTE   Symbol-Allowed-ESSID      3     string
ATTRIBUTE   Symbol-WLAN-Index         4     integer
ATTRIBUTE   Symbol-QoS-Profile        5     integer
ATTRIBUTE   Symbol-Allowed-Radio      6     string
ATTRIBUTE   Symbol-Expiry-Date-Time   7     string
ATTRIBUTE   Symbol-Start-Date-Time    8     string
ATTRIBUTE   Symbol-Posture-Status     9     string
ATTRIBUTE   Symbol-Downlink-Limit     10    string
ATTRIBUTE   Symbol-Uplink-Limit       11    string
ATTRIBUTE   Symbol-User-Group         12    string

ATTRIBUTE   Symbol-Login-Source       100   integer
VALUE       Symbol-Login-Source       HTTP            16
VALUE       Symbol-Login-Source       SSH             32
VALUE       Symbol-Login-Source       Telnet          64
VALUE       Symbol-Login-Source       Console         128
VALUE       Symbol-Login-Source       All             240

# closing marker required by the dictionary parser; missing from the posted file
END-VENDOR  Symbol

-- 
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: SoH and DHCP
On 09/20/2011 06:15 PM, Francois Gaudreault wrote:
> Hi Phil,
> It's been a while since we last received feedback about that SoH and DHCP enforcement. I am just wondering if you have any news about it.

Sorry; I've no time to look into it at the moment. Personal real-life issues are consuming all my time.
Re: dictionary file for Motorola RFS series (Symbol)
Francois Gaudreault wrote:
> I thought it might be useful for some users to add the dictionary.symbol file below:

Added, thanks.

Alan DeKok.
Re: SoH and DHCP
That's fine, I understand that.

On 11-09-20 1:56 PM, Phil Mayers wrote:
> On 09/20/2011 06:15 PM, Francois Gaudreault wrote:
>> Hi Phil,
>> It's been a while since we last received feedback about that SoH and DHCP enforcement. I am just wondering if you have any news about it.
>
> Sorry; I've no time to look into it at the moment. Personal real-life issues are consuming all my time.

-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: Radius client redundance
Hi,

Thanks for the fast reply. Just for information, I have not been working too much with FreeRadius :). I have read the proxy.conf file but I'm having problems understanding the configuration.

When it says home_server, is this a general name? If I understand correctly I need to configure a home_server_pool, and remove the realm DEFAULT that I have today? Or is it possible to do something like the following (to configure for MS NPS):

realm DEFAULT {
    authhost = xxx.xxx.xxx.1:1812
    accthost = xxx.xxx.xxx.1:1813
    authhost = xxx.xxx.xxx.2:1812
    accthost = xxx.xxx.xxx.2:1813
    secret = secretkey
}

If the above is not possible, is this the right way...:

home_server nps01 {
    type = auth+acct
    ipaddr = XXX.XXX.XXX.1
    port = 1812,1813
    secret = secretkey
    # rest is default?
}

home_server nps02 {
    type = auth+acct
    ipaddr = XXX.XXX.XXX.2
    port = 1812,1813
    secret = secretkey
    # rest is default?
}

home_server_pool my_auth_failover {
    type = fail-over
    home_server = nps01
    home_server = nps02
}

Regards
Ole
-- 
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-client-redundance-tp4822209p4823563.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Need help to store user details
Hi,

Configure freeradius with its ldap module and an ldap server such as openldap. http://wiki.freeradius.org/Rlm_ldap could be a good start.

Fred

2011/9/20, Rajkumar balaji rajkumar.balaj...@gmail.com:
> Hi All,
> I just want to store user details like: the user name is ABC and the user belongs to XYZ group and PQR group.
>
> Thanks
> Regards
> Rajkumar Balaji
> --
> View this message in context: http://freeradius.1045715.n5.nabble.com/Need-help-to-store-user-details-tp4821498p4821498.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Multiple NAS configuration
http://wiki.freeradius.org/Clients.conf

2011/9/20, Dagia Dorjsuren dagmi...@yahoo.com:
> Hello all,
> How to configure multiple NAS (NAS-IP-Address) in freeradius? Which radius database table should I add NAS-IP-Address attributes to? Anyone advise me?
Re: Need help to store user details
On Tue, Sep 20, 2011 at 1:47 PM, Rajkumar balaji rajkumar.balaj...@gmail.com wrote:
> Purpose is: after the authentication I need to retrieve the group details associated with this user and according to them I need to authorize the user.
>
> Store it in FreeRADIUS (text file also fine) (and I want to retrieve it using the JRADIUS API)

Since you're going to have two or more different applications reading the data (freeradius and jradius), better store it in a db. See the link I sent earlier, it should be self-explanatory.

-- 
Fajar
Re: Multiple NAS configuration
Hi,

I am trying to figure out how to make the following configuration:

1. Three clients (three access points: NAS1, NAS2 and NAS3).
2. There is one central freeradius server holding all accounts, for three locations.

Now, what I am trying to do is to create accounts that are location dependent... so an account created for NAS1 and NAS2 can't be used on NAS3.

For example:

NAS1 ip address: 192.168.1.10
NAS2 ip address: 192.168.1.20
NAS3 ip address: 192.168.1.30

= In clients.conf

client 192.168.1.10 {
    secret = testap1
    shortname = nas1
    nastype = other
}
client 192.168.1.20 {
    secret = testap2
    shortname = nas2
    nastype = other
}
client 192.168.1.30 {
    secret = testap3
    shortname = nas3
    nastype = other
}

= I have configured it for one user "test" in the radcheck table as below.

+----+----------+----------------+----+--------------+
| id | username | attribute      | op | value        |
+----+----------+----------------+----+--------------+
|  1 | test     | NAS-IP-Address | == | 192.168.1.10 |
|  2 | test     | NAS-IP-Address | == | 192.168.1.20 |
|  3 | test     | NAS-IP-Address | != | 192.168.1.30 |
+----+----------+----------------+----+--------------+

But it is not working. The following was in the radius.log file:

Wed Sep 21 09:34:19 2011 : Auth: Login incorrect (rlm_chap: Clear text password not available): [test/CHAP-Password] (from client nas1 port 4 cli 00-26-5E-EF-56-CC)

Have you any idea?

From: Fred fred.mai...@gmail.com
To: Dagia Dorjsuren dagmi...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, September 21, 2011 4:41 AM
Subject: Re: Multiple NAS configuration

http://wiki.freeradius.org/Clients.conf

2011/9/20, Dagia Dorjsuren dagmi...@yahoo.com:
> Hello all,
> How to configure multiple NAS (NAS-IP-Address) in freeradius? Which radius database table should I add NAS-IP-Address attributes to? Anyone advise me?
Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
Very true, thank you for pointing that out as well.

Note to anyone following: if you use a certificate signed by a general authority (Verisign for example) then anyone with a Verisign cert will be trusted in your place, and able to authenticate your users, i.e. as a man in the middle. They'll have access to the un-encrypted password payload (NT, cleartext), which is a severe security compromise. That's why you (should) always use an internal Certificate Authority, where you control which certs are signed and distributed.

On 9/20/2011 00:31, Alan DeKok wrote:
> Christ Schlacta wrote:
>> I thought if you had a certificate signed by a trusted root CA, you were good and didn't need to install anything on the client.
>
> It's true that you don't need to install anything on the client. It's *not* true that it's a good idea.
>
> Alan DeKok.
same pool key randomly
nas1 == localhost
nas2 == 200.300.xxx.1

sqlippool (before):

UserName   NASIPAddress   CallingStationID   pool_key
user1      127.0.0.1      111.111.111.225
user2      127.0.0.1      222.222.222.224
user3      127.0.0.1      333.333.333.227

user4 login ...

user3 NASIPAddress, CallingStationID = blank
user3 pool_key == 0
user4 pool_key == 7

sqlippool (after):

UserName   NASIPAddress   CallingStationID   pool_key
user1      127.0.0.1      111.111.111.225
user2      127.0.0.1      222.222.222.224
user3                                        0
user4      127.0.0.1      444.444.444.227
Re: User + X Authentication
If you've got sufficient control over the CPE and the CPE is all sufficiently capable, you should be doing EAP-TLS authentication anyway. If a CPE is compromised, you can simply reflash, replace the credentials, and revoke the old ones.

On 9/20/2011 04:18, Raz Muhammad wrote:
> Hi,
> We are successfully running the following version on our network for our DSL users.
>
> FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>
> FreeRADIUS was compiled with MySQL and radcheck is used for authentication along with other relevant tables. We recently had a scenario where the security of a CPE is a concern, and using PPP authentication is not enough. Someone suggested using the router's mac address along with PPP username/password authentication. But this method would rely on getting the router mac address during the PPP negotiation, and it might be coming via the calling-station-id attribute; some suggestions are about using EAP and certificates on the router.
>
> I would like to find out what would be the best way to go for an extra layer of authentication-based security while using FreeRADIUS, and how can that be done with MySQL?
>
> Regards
> Raz