Re: Invalid User in RADIUS Logs

2011-12-14 Thread Det Det
Hi,

Thanks!

Is there a way that I can set log level in RADIUS to make it log like when in 
debug mode? Coz I cannot trace exactly what causes the 'Invalid user' log in 
RADIUS. I have already confirmed that for this case it is not the password. So 
now, I'm left to look into other causes.



thanks a lot!
det



 From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org 
Sent: Tuesday, December 13, 2011 11:32 PM
Subject: Re: Invalid User in RADIUS Logs
 
det.explo...@yahoo.com wrote:
 Will a wrong password also will sometimes log 'invalid user' in the RADIUS 
 log file? Coz recently i get a lot of these in the log file. But the users 
 are actually valid and was able to authenticate successfully later on. Just 
 want to get possible reasons on what could be causing RADIUS to log that. I'm 
 also suspecting perhaps it was not able to lookup/connect to MySQL db at that 
 time. Would that be possible cause also?

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Simultaneous-Use For Group Using Unlang

2011-11-09 Thread Det Det
Hi,

Where do I put this piece of code? Can I do this invocation in the authorize 
block? Or is it something I put in the radiusd.conf? And where do I put the 
custom procedure itself? Is it in /etc/freeradius/modules?

Sorry about this. I'm confused about the placement. First time to add a custom 
procedure. Possible to extend this example to show which codes go to which file?

Thanks a lot!
Det




From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, November 9, 2011 9:57 PM
Subject: Re: Simultaneous-Use For Group Using Unlang

det.explo...@yahoo.com wrote:
 I'd like to implement this using unlang but not sure where to start. The part 
 that I am having difficulty is on where to create the procedure and how to 
 call the procedure. The rest of the things like the DB query I can reuse from 
 the existing program. I want to implement this using unlang to avoid having 
 to open a new MySQL connection.
 
 Any example, I can follow?

  The SQL module supports string expansion.  The input strings are just
SQL statements.  The output is just a one-line string containing the
result of the SQL query.

  This means you can call SQL procedures directly from unlang:

    if (%{sql: call procedure with args} > 2) {
        ... more than 2 people logged in ..
    }

  Very simple!

  Alan DeKok.


Enabling login access and denied to be logged in radius log file

2011-10-27 Thread Det Det
Hi,

How do i enable logging of user accept and deny logins in log file? I tried to 
put sql_log in post-auth but didn't work.


thanks!
det


Re: Enabling login access and denied to be logged in radius log file

2011-10-27 Thread Det Det
I had tried to use the reply_log. It logs access or reject in log file but does 
not include the username. How do I add the username info?




From: Det Det det.explo...@yahoo.com
To: FreeRadius mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, October 27, 2011 2:15 PM
Subject: Enabling login access and denied to be logged in radius log file


Hi,

How do i enable logging of user accept and deny logins in log file? I tried to 
put sql_log in post-auth but didn't work.


thanks!
det



Re: Stop Logging in radpostauth table

2011-10-25 Thread Det Det
hey thanks! that did it.




From: Arran Cudbard-Bell a.cudba...@freeradius.org
To: Det Det det.explo...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Monday, October 24, 2011 6:09 PM
Subject: Re: Stop Logging in radpostauth table




On 24 Oct 2011, at 12:03, Det Det wrote:

Hi,


How do I stop logging in radpostauth table? Is commenting out the query that 
inserts to radpostauth a correct way of doing that?



No... comment out the SQL call in the post-auth section.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


Stop Logging in radpostauth table

2011-10-24 Thread Det Det
Hi,

How do I stop logging in radpostauth table? Is commenting out the query that 
inserts to radpostauth a correct way of doing that?


thanks!
det


Re: How to Determine Whether an Attribute is a Check Item or Reply Item

2011-10-13 Thread Det Det
Thank you. Does it mean one attribute can exist (as both or in both) 
radcheck/radreply tables? Like for example, NAS-Port-Type?


The reason I asked is because dialupadmin segregates the attribute to a 
check/reply attribute.
Then I happen to check NAS-Port-Type, the RFC says below... Does it mean 
access-request = check attribute? Sorry if this is another wrong question. Just 
want to clarify.

It is only used in
Access-Request packets.

thanks!
det



From: Alan DeKok al...@deployingradius.com
To: Det Det det.explo...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Thursday, October 13, 2011 2:12 PM
Subject: Re: How to Determine Whether an Attribute is a Check Item or Reply Item

Det Det wrote:
 how to find out whether the attribute is a check/reply attribute?

  Read the documentation for the module.  *It* is the one which decided
which attributes go where.

  So it's wrong to ask if an *attribute* is a check/reply attribute.
Attributes are (mostly) just attributes.  They're not check or reply.

  Alan DeKok.


Re: SQL IP Pool Not Accepting Redundant SQL

2011-10-12 Thread Det Det
hey thanks! got it working using that configuration below. It also worked when 
placed in instantiate block.




From: Arran Cudbard-Bell a.cudba...@freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc: Det Det det.explo...@yahoo.com
Sent: Tuesday, October 4, 2011 6:24 PM
Subject: Re: SQL IP Pool Not Accepting Redundant SQL






You can't, 'redundant_sql' is not an sql-instance. You need to create two 
instances of sqlippool, then wrap them in a redundant block...

If you're using FR >= 2.1.11 or 3.*

Overload the sqlippool module

policy.conf

policy {
sqlippool {
redundant {
sqlippool1
sqlippool2
}
}
}


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


How to Determine Whether an Attribute is a Check Item or Reply Item

2011-10-12 Thread Det Det
Hi there,

how to find out whether the attribute is a check/reply attribute?

thanks!
det


Re: Using DB instead of radutmp for simultaneous-use tracking

2011-10-04 Thread Det Det
Hi,

Thanks a lot! Got it working! I'd like to extend the simul-check to group simul 
value. That is a group has simul limit, then if limit is reached a user 
belonging to that group should be denied login. Any idea how to implement this?



Thanks!
Det




From: Fajar A. Nugraha l...@fajar.net
To: Det Det det.explo...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Friday, September 30, 2011 3:11 PM
Subject: Re: Using DB instead of radutmp for simultaneous-use tracking

On Fri, Sep 30, 2011 at 1:50 PM, Det Det det.explo...@yahoo.com wrote:
 Hi there,
 In the accounting section, radutmp is used for tracking simultaneous-use. Is
 there a way to use DB::radacct table instead to check for simultaneous-use?

Sure. Comment-out radutmp and uncomment sql from session and
accounting section.

See also sql/*/dialup.conf, look for simul_count_query. I usually
enable simul_count_query and comment-out simul_verify_query.

-- 
Fajar
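Putting Alan's `%{sql:...}` expansion from the November thread to work on the group-wide limit asked about here, as an added example that is not from the thread: the check goes in the `authorize` section of `sites-enabled/default` after the `sql` call, the limit is a `radgroupcheck` row on a hypothetical local attribute `Group-Simultaneous-Use` defined in the local `dictionary`, and an inline `SELECT` over `radacct` stands in for the stored procedure (which, if used, lives in the database, not under /etc/freeradius). It assumes an sql module instance named `sql` and the default `radacct` / `radusergroup` columns.

```unlang
# raddb/dictionary (local dictionary): a private attribute carrying the
# group's session limit.  Numbers from 3000 up are for local attributes
# that never go on the wire.
ATTRIBUTE   Group-Simultaneous-Use  3002    integer

# radgroupcheck row (constructed sample): every member of "dynamic" shares
# a pool of three concurrent sessions.  The ":=" operator makes rlm_sql
# place the value in the control list without comparing it to the request.
#   groupname | attribute              | op | value
#   dynamic   | Group-Simultaneous-Use | := | 3

# sites-enabled/default: the unlang check sits in "authorize", after "sql"
# has loaded the user's radcheck/radgroupcheck items into the control list.
authorize {
    # ... preprocess, suffix, etc.
    sql

    if (control:Group-Simultaneous-Use) {
        # Count sessions with no Acct-Stop yet for every member of the
        # user's first group (lowest priority in radusergroup).  Values
        # expanded inside %{sql:...} pass through the sql module's escape
        # function, so %{SQL-User-Name} is safe to embed in the query.
        # Both sides are plain digits, so unlang compares them as numbers.
        if ("%{sql:SELECT COUNT(*) FROM radacct a JOIN radusergroup g ON a.username = g.username WHERE a.acctstoptime IS NULL AND g.groupname = (SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority LIMIT 1)}" >= "%{control:Group-Simultaneous-Use}") {
            update reply {
                Reply-Message := "Group simultaneous-use limit reached"
            }
            reject
        }
    }
    # ... expiration, logintime, pap
}
```

If the query fails (database unreachable) the expansion is empty and the comparison does not reject, so the check fails open; open `radacct` rows whose NAS never sent a Stop also keep counting until you clean them up or verify them with `simul_verify_query`.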


SQL IP Pool Not Accepting Redundant SQL

2011-10-04 Thread Det Det
Hi,

How to make sqlippool accept redundant SQL as below?

sqlippool {
 sql-instance-name = redundant_sql
 ippool_table = radippool
...
}

radiusd.conf
...
    redundant redundant_sql {
        sql1
        sql2
    }
...

if I use  sql-instance-name = sql1 or sql-instance-name = sql2, it works. 
But then, I'd like to do redundancy. 


sql-instance-name = sql1 sql2 or sql-instance-name = sql1, sql2 also does 
not work.


Thanks!
Det


Using DB instead of radutmp for simultaneous-use tracking

2011-09-30 Thread Det Det
Hi there,

In the accounting section, radutmp is used for tracking simultaneous-use. Is 
there a way to use DB::radacct table instead to check for simultaneous-use?


thanks,
det


Re: References for New RADIUS Names/Old RADIUS Names

2011-09-08 Thread Det Det
thanks! :)




From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 8, 2011 1:48 PM
Subject: Re: References for New RADIUS Names/Old RADIUS Names

On Thu, Sep 8, 2011 at 12:44 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Thu, Sep 8, 2011 at 12:29 PM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 Any idea where I can see list of new names for those RADIUS
 attributes/values that's been obsoleted.

 Should be share/dictionary.compat

 Just want to confirm, for example,
 Framed-Filter-Id is obsolete, is Filter-Id a replacement to that?

 Yes. Look for the same type (number).

Should've been more clear.

Look for the attribute number in share/dictionary.compat, and then
look for the attribute name with the same number on the other
dictionaries (e.g. dictionary.rfc2865)

-- 
Fajar

Error in Activation Attribute

2011-09-08 Thread Det Det
Hi,

I have Activation attribute in radcheck table (which has a date VALUE) in old 
RADIUS server. I don't find this attribute in FreeRADIUS. I get this error. any 
idea?


Failed to create the pair: Invalid octet string "Mar 09 2010" for attribute 
name "Activation"

thanks
det

SQL IP Pool Control Attribute Placement

2011-09-07 Thread Det Det
Hi,

For the sqlippool, http://wiki.freeradius.org/Rlm_sqlippool, which table should 
the below control attribute be placed on? It says, it is not a reply attribute, 
does it then go to radcheck/radgroupcheck table?



DEFAULT Pool-Name := main_pool
Fall-Through = Yes


thanks,
det

Specifying Any Port for RADIUS Client

2011-09-07 Thread Det Det
Hi,

I want to connect to RADIUS server using RADIUS client software, not through 
NAS. Using RADIUS client software such as radperf will generate different port 
numbers when connecting to the RADIUS server. How do I place client information 
in NAS table such that I am able to specify IP and any ports. When client 
connects to RADIUS server, server will just respond with,

Ignoring request to authentication address * port 1812 from unknown client 
192.168.0.10 port 52268


thanks!
det

Re: Specifying Any Port for RADIUS Client

2011-09-07 Thread Det Det
please disregard this email. I thought that the 'ports' field in 'nas' table 
means the 'source' port the client will use to connect to the RADIUS server 
when it actually means the port on the RADIUS server that the client will 
connect to.




From: Det Det det.explo...@yahoo.com
To: FreeRadius mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 8, 2011 11:07 AM
Subject: Specifying Any Port for RADIUS Client


Hi,

I want to connect to RADIUS server using RADIUS client software, not through 
NAS. Using RADIUS client software such as radperf will generate different port 
numbers when connecting to the RADIUS server. How do I place client information 
in NAS table such that I am able to specify IP and any ports. When client 
connects to RADIUS server, server will just respond with,

Ignoring request to authentication address * port 1812 from unknown client 
192.168.0.10 port 52268


thanks!
det

Re: Specifying Any Port for RADIUS Client

2011-09-07 Thread Det Det
yeah you are right. realized that the ports value is actually not in use. it 
actually get the shortname not the nasname which is why i get an 'unknown 
client' error. i left the shortname empty.




From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 8, 2011 11:40 AM
Subject: Re: Specifying Any Port for RADIUS Client

On Thu, Sep 8, 2011 at 10:15 AM, Det Det det.explo...@yahoo.com wrote:
 please disregard this email. I thought that the 'ports' field in 'nas' table
 means the 'source' port the client will use to connect to the RADIUS server
 when it actually means the port on the RADIUS server that the client will
 connect to.

I don't think that's the case.

While the default nas table has many columns (including ports), the
default query on dialup.conf is

    nas_query = "SELECT id, nasname, shortname, type, secret, server FROM
${nas_table}"

... which should mean only those columns are used.

-- 
Fajar

References for New RADIUS Names/Old RADIUS Names

2011-09-07 Thread Det Det
Hi,

Any idea where I can see list of new names for those RADIUS attributes/values 
that's been obsoleted. Just want to confirm, for example, Framed-Filter-Id is 
obsolete, is Filter-Id a replacement to that?


thanks!
det

Re: Expiration Module Not Returning the Error Message

2011-09-06 Thread Det Det
hey thanks! it's working now. it was because the op in radcheck is == which 
is the default from the schema. I changed it to := and it is working now. :)




From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, September 6, 2011 1:28 PM
Subject: Re: Expiration Module Not Returning the Error Message

On Tue, Sep 6, 2011 at 11:41 AM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 The expiration module works but it is not returning the error message.
 Everytime I include the Expiration attribute and set date accordingly. The
 user is denied login. The reason is because the account expired and NOT
 because there is no known good password found as shown below. How to tell
 RADIUS to stop processing anything after expiration check? I suspect it
 proceeds the rest of the checks and so the error message has been
 overwritten by other modules' error message.


 +++[sql2] returns ok
 ++- redundant-load-balance group redundant_load_balance_sql returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication
 may fail because of this.
 ++[pap] returns noop

Works for me. From modules/expiration: It should be included in the
*end* of the authorize section in order to handle user Expiration (or
just uncomment expiration line in sites-available/default). The debug
log should show something like this

[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
[expiration]     expand: Password Has Expired -> Password Has Expired
++[expiration] returns userlock
Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]): [testuser] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
    Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration
on it, in which case you should upgrade, or
- you didn't list expiration in authorize section, or
- you didn't have Expiration attribute for your user (in users
file/sql/whatever)

-- 
Fajar


RADIUS Sending Duplicate Reply

2011-09-06 Thread Det Det
Hi,

This question maybe a bit off from RADIUS, but is there a way to limit NAS or 
RADIUS to send only one access-request/access-accept in a single dial attempt? 
i am connecting via PPPoE. I can see from RADIUS logs receiving multiple 
access-request thus it is also giving multiple access-accept. How do i prevent 
this? Coz it is causing an issue connection is terminated because the remote 
server did not respond in a timely manner. Then I have to redial again coz the 
IP does not get assigned to the client.



rad_recv: Access-Request packet from host 10.10.11.223 port 1645, id=110, 
length=93
Sending duplicate reply to client 10.10.11.223 port 1645 - ID: 110
Sending Access-Accept of id 110 to 10.10.11.223 port 1645


thanks!

Re: RADIUS Sending Duplicate Reply

2011-09-06 Thread Det Det
yeah it is confirmed network issue. had to reboot the NAS. thanks guys!




From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, September 6, 2011 4:51 PM
Subject: Re: RADIUS Sending Duplicate Reply

On Tue, Sep 6, 2011 at 3:26 PM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 This question maybe a bit off from RADIUS, but is there a way to limit NAS
 or RADIUS to send only one access-request/access-accept in a single dial
 attempt?

You're looking at things the wrong way.

It's like you're on a beach, and there's a big sign saying no
swimming because the beach is infested with jellyfish, but you decide
to swim anyway. And then when the jellyfish stings you asked how to
make it so it doesn't hurt.

 i am connecting via PPPoE. I can see from RADIUS logs receiving
 multiple access-request thus it is also giving multiple access-accept. How
 do i prevent this? Coz it is causing an issue connection is terminated
 because the remote server did not respond in a timely manner. Then I have
 to redial again coz the IP does not get assigned to the client.

I'm guessing what happens is something like this:
- the NAS sends access-request
- radius accepts the request, and consult whatever backend it uses
(e.g. files, db, ldap, etc)
- backend processing takes a long time
- client sends the request again since radius hasn't respond
- radius accepts the request again, and notice that it's a duplicate request
- processing finally completes. since there are multiple request
received, radius sends multiple response (and logs them as duplicates)

OR

- the NAS sends access-request
- radius accepts the request, and consult whatever backend it uses
(e.g. files, db, ldap, etc)
- radius sends the response, but the response comes from different IP
address then what the NAS expects
- client sends the request again since it didn't receive expected
response from the correct IP address
- radius accepts the request again, notice that it's a duplicate
request, and simply sends the response again

If it's case #1, you need to fix the backed. Usually it involves
indexing, fixing schemas/queries, upgrading hardware, and so on.

If it's #2, the easiest way is to just register the radius's primary
IP address in client's radius server list. Another alternative is to
use --with-udpfromto when compiling freeradius.

-- 
Fajar

Simultaneous Use Per Domain

2011-09-06 Thread Det Det
Hi,

Just want to get inputs on how simultaneous-use can be checked per domain not 
per user. That is limit mydomain.com to have simultaneous-use=x. radgroupcheck 
will have something like

mydomain.com -- simultaneous-use -- x



thanks!
det

Expiration Module Not Returning the Error Message

2011-09-05 Thread Det Det
Hi,

The expiration module works but it is not returning the error message. 
Everytime I include the Expiration attribute and set date accordingly. The user 
is denied login. The reason is because the account expired and NOT because 
there is no known good password found as shown below. How to tell RADIUS to 
stop processing anything after expiration check? I suspect it proceeds the rest 
of the checks and so the error message has been overwritten by other modules' 
error message.



+++[sql2] returns ok
++- redundant-load-balance group redundant_load_balance_sql returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop


thanks,
det

Re: Proxying Based on Criteria Other Than REALM

2011-09-01 Thread Det Det
Hey thanks! :)




From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Sent: Thursday, September 1, 2011 10:04 PM
Subject: Re: Proxying Based on Criteria Other Than REALM

On 01/09/11 14:53, det.explo...@yahoo.com wrote:

 Hi,
 
 Is it possible to proxy based on a group the user belongs to? Or
 attribute? Or based on NAS from where the request was received?
 
 Aside from REALM, is there any other criteria that can be used to
 decide whether or not to proxy a request?

There are two attributes:

1. Realm; added to the request by e.g. the suffix module. Doesn't actually 
do anything; just used for logging.

2. Proxy-To-Realm; added to the control items by the suffix module, or by 
other config. This is what actually controls proxying.

So for example you can do this:

authorize {
  ...
  if (NAS-IP-Address == 192.0.2.1) {
    update control {
      Proxy-To-Realm := OTHERSERVER
    }
  }
  ...
}

As you can see, you can therefore proxy on any attribute you like, or even on 
the output of a script, SQL query, etc.

MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Det Det
Hi there,

I can't get FreeRADIUS to ignore error and continue processing when 1 DB is 
down even when it can connect to the other DB. Below is my config.


# radiusd.conf
instantiate {

...

    redundant redundant_sql {
    sql1
    sql2
                handled
    }
}
modules {
...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
}

# sql1.conf
sql sql1 {
    database = mysql
…
}

# sql2.conf
sql sql2 {
...
    database = mysql
}

# sites-enabled/default

authorize {
    redundant_sql
}
accounting {
  redundant_sql
}
session {
    redundant_sql
}
post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
    redundant_sql
    attr_filter.access_reject
    }
}


bregards,
det

MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Det Det
When I shutdown one of the DB, it generates an error. How do I tell freeradius 
to ignore that and proceed if it can connect to at least one of the DB?


/etc/freeradius/sql2.conf[22]: Instantiation failed for module sql2
/etc/freeradius/radiusd.conf[75]: Failed to find module "sql2".
/etc/freeradius/radiusd.conf[75]: Failed to parse "sql2" entry.
/etc/freeradius/sites-enabled/default[1]: Errors parsing authorize section.





From: Det Det det.explo...@yahoo.com
To: FreeRadius mailing list freeradius-users@lists.freeradius.org
Sent: Monday, August 29, 2011 2:05 PM
Subject: MySQL Fail Over Error When 1 DB is Down


Hi there,

I can't get FreeRADIUS to ignore error and continue processing when 1 DB is 
down even when it can connect to the other DB. Below is my config.


# radiusd.conf
instantiate {

...

    redundant redundant_sql {
    sql1
    sql2
                handled
    }
}
modules {
...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
}

# sql1.conf
sql sql1 {
    database = mysql
…
}

# sql2.conf
sql sql2 {
...
    database = mysql
}

# sites-enabled/default

authorize {
    redundant_sql
}
accounting {
  redundant_sql
}
session {
    redundant_sql
}
post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
   
 redundant_sql
    attr_filter.access_reject
    }
}


bregards,
det


Re: MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Det Det
Really? What is the failover feature for? I can specify multiple DBs but if 
FreeRADIUS cannot connect to at least one of the DBs it will have an error and 
will not be able to start. There is no way to get around this? That is use 
first DB if first DB is up. If second DB is down and first DB is up, don't 
bother, continue to operate, and vice versa, so long as it still has a DB to 
use. I saw this link but I can't get it to work. It is using the rlm_always 
module.

http://wiki.freeradius.org/Fail-over

thanks,
det




From: Alan DeKok al...@deployingradius.com
To: Det Det det.explo...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Monday, August 29, 2011 6:21 PM
Subject: Re: MySQL Fail Over Error When 1 DB is Down

Det Det wrote:
 When I shutdown one of the DB, it generates an error. How do I tell
 freeradius to ignore that and proceed if it can connect to at least one
 of the DB?

  You don't.

  The only way to change this is via source code patches.

  Alan DeKok.

Re: RADIUS does not send reply for all groups the user is a member of

2011-08-23 Thread Det Det
 {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 127.0.0.1 port 60675
    Framed-MTU = 1500
    Service-Type = Framed-User
    Port-Limit = 1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 90 with timestamp +12
Ready to process requests.



And also what does this line for item 5 in rlm_sql mean? What match is it 
referring to?


If there is a match, the reply items for this group are pulled from the 
radgroupreply table and applied.



thanks,
det



From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 23, 2011 1:35 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of

On Tue, Aug 23, 2011 at 12:23 PM, Det Det det.explo...@yahoo.com wrote:
 Hi,
 user1 is a member of group1 and group2. both group1 and group2 has replies
 in radgroupreply table.
 when freeradius query for radusergroup, it will only get the first group the
 user is a member of and will proceed to get the reply attributes for that
 group as below.
 query1: SELECT groupname   FROM radusergroup   WHERE
 username = 'us...@domain.com'   ORDER BY priority
 query2: SELECT id, groupname, attribute,   value, op   FROM
 radgroupreply   WHERE groupname = 'group1'   ORDER BY id
 from the debug, it does not do this query
 query3: SELECT id, groupname, attribute,   value, op   FROM
 radgroupreply   WHERE groupname = 'group2'   ORDER BY id
 any idea why?
 i am very sure that query 1 returns more that one value (that is 2 groups,
 group1 and group2)

If you want more help, you need to provide more output from debug log,
and (possibly) what's in the radusergroup/radgroupcheck/radgroupreply.

In the mean time, see doc/rlm_sql. A snippet from that file:

  5. For each group this user is a member of, the corresponding check items
     are pulled from radgroupcheck table and compared with the request.  If
     there is a match, the reply items for this group are pulled from the
     radgroupreply table and applied.
  6. Processing continues to the next group IF:
     a. There was not a match for the last group's check items OR
     b. Fall-Through was set in the last group's reply items
     (The above is exactly the same as in the users file)

-- 
Fajar


Fw: RADIUS does not send reply for all groups the user is a member of

2011-08-23 Thread Det Det



- Forwarded Message -
From: Det Det det.explo...@yahoo.com
To: Fajar A. Nugraha l...@fajar.net
Sent: Tuesday, August 23, 2011 3:37 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of


Thanks Fajar! I just added the fall-through. I leave the priority as is. 
Worked! Thanks!




From: Fajar A. Nugraha l...@fajar.net
To: Det Det det.explo...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Tuesday, August 23, 2011 3:10 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of

On Tue, Aug 23, 2011 at 1:53 PM, Det Det det.explo...@yahoo.com wrote:
 Hi there,
 here is the SQL and debug logs from radius.

 mysql> select * from radusergroup;
 +--------------------+-----------+----------+
 | username           | groupname | priority |
 +--------------------+-----------+----------+
 | us...@mydomain.com | defgroup  |        1 |
 | us...@mydomain.com | dynamic   |        1 |
 +--------------------+-----------+----------+

It'd be easier if you use different priorities. Since the debug log
shows it's using defgroup, try changing dynamic's priority to 2
...

 mysql> select * from radgroupreply;
 +----+-----------+-------------------+----+-----------------+
 | id | groupname | attribute         | op | value           |
 +----+-----------+-------------------+----+-----------------+
 |  1 | defgroup  | Framed-MTU        | =  | 1500            |
 |  2 | defgroup  | Service-Type      | =  | Framed-User     |
 |  3 | defgroup  | Port-Limit        | =  | 1               |
 |  7 | dynamic   | Framed-IP-Netmask | =  | 255.255.255.255 |
 |  6 | dynamic   | Framed-IP-Address | =  | 255.255.255.254 |
 +----+-----------+-------------------+----+-----------------+

... and add a radgroupreply entry like

defgroup | Fall-Through | = | Yes

-- 
Fajar

PAP Auto Header

2011-08-22 Thread Det Det
Hi,

I set PAP module as below. In my DB, user attribute is User-Password. Value of 
User-Password is an MD5 or CRYPT password. Shouldn't auto-header=yes able to 
detect the encryption scheme used in the password? What will the auto-header 
setting for if I still have to specifically set attributes such as MD5-Password 
or Cleartext-Password, etc. 


pap {
    auto_header = yes
}

thanks,
det

Re: PAP Auto Header

2011-08-22 Thread Det Det
Yeah, perhaps the header was not in the password value. I use dialup-admin and 
MySQL. Anyway, I ended up using the specific password attribute 
Crypt-Password instead of User-Password.


The debug from freeradius shows this, so I guess it could be the password storage 
as you said.
 Module: Instantiating pap
  pap {
    encryption_scheme = auto
    auto_header = yes
  }





From: Arran Cudbard-Bell a.cudba...@freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc: Det Det det.explo...@yahoo.com
Sent: Monday, August 22, 2011 6:16 PM
Subject: Re: PAP Auto Header


* added,

And no, you shouldn't need to use auto-header if you've set the appropriate 
password attribute.

The recommended way is to prepend the headers and use auto_header, as it's more 
flexible and allows you to migrate between hash schemes non-disruptively.

-Arran


On 22 Aug 2011, at 12:00, Arran Cudbard-Bell wrote:

That would depend on whether you've added the correct header to the hash :)


/*
 *  For auto-header discovery (from rlm_pap): the string is the
 *  prefix found at the start of the stored password value, the
 *  number is the internal attribute the value is converted to.
 */
static const FR_NAME_NUMBER header_names[] = {
	{ "{clear}",	PW_CLEARTEXT_PASSWORD },
	{ "{cleartext}",	PW_CLEARTEXT_PASSWORD },
	{ "{md5}",	PW_MD5_PASSWORD },
	{ "{smd5}",	PW_SMD5_PASSWORD },
	{ "{crypt}",	PW_CRYPT_PASSWORD },
	{ "{sha}",	PW_SHA_PASSWORD },
	{ "{ssha}",	PW_SSHA_PASSWORD },
	{ "{nt}",	PW_NT_PASSWORD },
	{ "{nthash}",	PW_NT_PASSWORD },
	{ "{x-nthash}",	PW_NT_PASSWORD },
	{ "{ns-mta-md5}",	PW_NS_MTA_MD5_PASSWORD },
	{ "{x- orcllmv}",	PW_LM_PASSWORD },
	{ "{X- ORCLNTV}",	PW_NT_PASSWORD },
	{ NULL, 0 }
};

-Arran






On 22 Aug 2011, at 11:46, Det Det wrote:

Hi,


I set the PAP module as below. In my DB, the user attribute is User-Password. The value 
of User-Password is an MD5 or CRYPT password. Shouldn't auto-header=yes be able 
to detect the encryption scheme used in the password? What is the 
auto-header setting for if I still have to specifically set attributes such 
as MD5-Password or Cleartext-Password, etc.?



pap {
    auto_header = yes
}


thanks,
det

Arran Cudbard-Bell
a.cudba...@freeradius.org


RADIUS - Half the complexity of Diameter 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
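How the header prefixes in that table drive auto_header, as an added model (not FreeRADIUS code): the "{scheme}" prefix selects the comparison, so a bare MD5 or crypt string in User-Password, with no prefix, cannot be auto-detected. This assumes the LDAP-style layout for salted variants (salt appended after the digest) and leaves out the crypt and NT entries.

```python
# Added example (not FreeRADIUS code): a model of rlm_pap's auto_header logic.
import base64
import binascii
import hashlib
import hmac
import re

# Header -> (hashlib name or None for cleartext, salt appended after digest?).
# Names follow the header_names[] table quoted above; crypt/NT variants omitted.
HEADERS = {
    "clear": (None, False), "cleartext": (None, False),
    "md5": ("md5", False), "smd5": ("md5", True),
    "sha": ("sha1", False), "ssha": ("sha1", True),
}
HEADER_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def detect_scheme(stored):
    """Return (scheme, payload); scheme is None when no known header is present."""
    m = HEADER_RE.match(stored)
    if not m or m.group(1).lower() not in HEADERS:
        return None, stored
    return m.group(1).lower(), m.group(2)


def verify(stored, candidate):
    """Check a candidate password against a header-prefixed stored value."""
    scheme, payload = detect_scheme(stored)
    if scheme is None:
        return False  # without a header the server cannot pick a comparison
    algo, salted = HEADERS[scheme]
    if algo is None:
        return hmac.compare_digest(payload.encode(), candidate.encode())
    try:  # digests may be stored as hex or base64; try hex first
        raw = binascii.unhexlify(payload)
    except (binascii.Error, ValueError):
        raw = base64.b64decode(payload)
    n = hashlib.new(algo).digest_size
    digest, salt = raw[:n], (raw[n:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)


def store(scheme, password, salt=b""):
    """Build the prefixed value an admin would write into the database."""
    algo, salted = HEADERS[scheme]
    if algo is None:
        return "{%s}%s" % (scheme, password)
    salt = salt if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
```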

RADIUS does not send reply for all groups the user is a member of

2011-08-22 Thread Det Det
Hi,

user1 is a member of group1 and group2. Both group1 and group2 have replies in the 
radgroupreply table.

When freeradius queries radusergroup, it only gets the first group the 
user is a member of and proceeds to get the reply attributes for that group 
as below.

query1: SELECT groupname   FROM radusergroup   WHERE username = 
'us...@domain.com'   ORDER BY priority
query2: SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'group1'   ORDER BY id

From the debug, it does not do this query:
query3: SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'group2'   ORDER BY id

Any idea why? 

I am very sure that query 1 returns more than one value (that is, 2 groups, 
group1 and group2).


thanks,
det

methods to redirect select users to authenticate to another radius server

2011-08-18 Thread Det Det
hi,

I'm testing radius migration. I plan to do it in phases so it will be safer and 
would have less impact in case something doesn't turn out right. Users will be 
grouped and thus will be migrated by group. I'm thinking, what are the available 
methods/options to do this? I want to have the new radius server replace the 
old radius server slowly. The old radius should still be running when I deploy the 
new one. AAA of a selected group of users will be redirected to the new one. This 
will be done recursively until all groups of users are served by the new radius 
server. Only after that will I take the old radius server down. Can anyone give 
some more detailed instructions on how this can be achieved? Like, can I 
redirect based on user group? Thanks a lot.

bregards,
det

Re: How to tell freeradius of the encryption used in DB

2011-08-17 Thread Det Det
Thanks Fajar! It worked with MD5-Password.

Is there a way to use the User-Password attribute in MySQL and tell freeradius 
somewhere what encryption algo it is using? Coz dialup admin by default will 
use User-Password when inserting this attribute in the DB.


Thanks!



From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 17, 2011 11:04 PM
Subject: Re: How to tell freeradius of the encryption used in DB

On Wed, Aug 17, 2011 at 10:00 PM, det.explo...@yahoo.com det.explo...@yahoo.com wrote:
 Fajar thanks for the reply. I checked the freeradius attribute list, there is 
 no md5-password. Should i need to add it? If yes how to add that attribute?

 http://freeradius.org/rfc/attributes.html

https://github.com/alandekok/freeradius-server/blob/v2.1.x/share/dictionary.freeradius.internal

The attribute is internal to freeradius, and should never be transmitted
to/from the client.


 I didn't touch freeradius config on the auth protocols. I suppose, by default 
 freeradius is set to accept all auth protocols? Do i need to say in the 
 config use PAP exclusively?

Let's just say that if you're using radtest without any fancy switch,
then you're using PAP.

-- 
Fajar