Re: WPA/RADIUS Problems
----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]

> I plan on addressing at least some of that with my book.
>
> > P.S: I'm looking for a good book covering all about RADIUS and especially
> > FR, as an overview and as a reference.
>
> I'm writing one. I've got about 60 pages of good content, and 50 pages of
> rough notes.

I would be glad to send you some of my configs for examples. Many of them you
instructed me on how to accomplish the goal on the list. I posted a bunch on
the wiki but that thing keeps getting spammed =( I would think at least ISPs
would gain some insight from some of them.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Motorola Canopy BAM 2.1
Duane Cox wrote:
> Hello List
> Has anyone had any experience integrating the Canopy BAM 2.1 by Motorola
> with freeRADIUS?

yes

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-3301 Cell 325-439-0533 fax 325-695-6841
Re: appending things to User-Name before auth
Christopher Carver wrote:
> Hello, I'd like to append @domain.com to every username before the
> authentication step. I have been trying to use attr_rewrite to do this but
> I've been unsuccessful. Is this the proper module to use? Has anyone done
> this before?

If you look at the wiki under the new config example section I made an entry
to show you how to do this with the hints file.

--
Lewis Bergman
wiki config examples
http://wiki.freeradius.org/index.php/Examples

The above link is something I added to the wiki the other night. I put just a
couple of meager configs in there. It seems most questions are about config so
I thought if we loaded that up just maybe the same questions wouldn't be asked
over and over, or at least we can say, see the wiki.

--
Lewis Bergman
Re: CentOS
Italo Morellato wrote:
> Freeradius 1.1.0 RPM for CentOS 4.2 (smeserver) is possible? Thanks in
> advance.

Haven't upgraded to 1.1 yet but 1.05 works great. As for RPMs, I don't know if
a spec file is available or not. There are no rpms or other packages unless
someone (maybe you) is producing/maintaining them.

--
Lewis Bergman
Re: FreeRadius Features
Mohammad Flaifel wrote:
> Dears,
> I asked this question before but unfortunately I didn't get the answer yet,
> I hope this is not a negative sign :)
> Are the following features available in FreeRadius:
> - Change of Authorization while the subscriber's PPP session is still
>   connected.
> - Radius initiated disconnect: Disconnect users based on download volume
>   limitation

RADIUS is a protocol. By the protocol definitions it either must, will, should,
or may do or not do certain things as defined in those protocols. None of what
you are asking for is in those RFCs. Having said that, Freeradius is very
flexible in that you can call external scripts on all sorts of occurrences,
which your NASes will likely have to cooperate in. If all else fails, you have
the source.

--
Lewis Bergman
Re: hints processing for Accounting-On / Off packets?
Stefan Winter wrote:
> > That's definitely what that file does. The hints the filename refer to are
> > hints that the USER submits in their authentication request, by
> > prefixing, suffixing or otherwise formatting their username (the only
> > value the user has total, sensible control over).
>
> That's not how I read the comments in hints:
>
> # The hints file. This file is used to match
> # a request, and then add attributes to it.
>
> There's some mention of some special rules Prefix and Suffix, and _these_
> can only work on the User-Name. Anything else should be doable anyway.
>
> Well, I am probably not long enough in the RADIUS business to remember the
> historical reasons for the hints file. For me, hints is the only means to
> manipulate input avp items in a packet. And a very flexible solution too,
> since it does users style mangling. And the comments in the file don't say
> but whatever you put in here will be ignored if there is no attribute
> User-Name in the request.
>
> > It's an old method that the ancestors of FreeRadius used extensively. The
> > examples in the default hints file make it pretty clear how it was
> > originally intended to be used.
>
> Yeah, but what if I want to go beyond the examples? This file is so
> flexible, it would be a shame to arbitrarily limit it by requiring
> User-Name to be present.

You don't have to have a User-Name in the request to use that file. If it
isn't there and you need it for further processing you can add it.

--
Lewis Bergman
Re: Freeradius - Cisco L2TP Tunnel - Authentication problem.
Tony Spencer wrote:
> No matter what we put into the Cisco config it still uses PAP, even telling
> it to refuse PAP.

Sounds more like a cisco issue than freeradius. What does radiusd -X look like?

--
Lewis Bergman
Re: Custom message for overquota users
Maykel Moya wrote:
> How can I send a custom message to users overquota. I have many complaints
> from users because they think their passwd are wrong when their access is
> denied for being overquota.

The only message you can send is not displayed by Windows. One alternative
would be to set up a cache-only bind server that lists itself as the only root
server. Return the same address for all names. Then on that address do a
rewrite to a separate location that displays a web message saying they are out
of time and to buy more.

--
Lewis Bergman
Re: how to disconnect user after quota given to him finishes ?
Rupesh Amatya wrote:
> Dear all,
> I am using Freeradius (with mysql as database for users) with Mikrotik as
> NAS. This is for PPPOE users. I used Dialup Admin to manage freeradius.
> There is a default package of 4hours/day but the users do not get
> disconnected after 4 hours. It just shows Out of Quota. What needs to be
> done to automatically disconnect the user after the daily quota is
> finished?

There are a few session attributes you could use for this. Session-Timeout is
the first one that springs to mind. I don't know if the client will pay
attention to it though.

--
Lewis Bergman
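As an added worked example (not from the list post above, and not FreeRADIUS or Dialup Admin code), this is one way to compute the Session-Timeout value the reply suggests: take the 4 hours/day quota from the question, subtract what today's accounting rows already consumed, and send the remainder. The accounting rows are constructed samples shaped as a session start time plus Acct-Session-Time; whether the NAS honours the attribute is, as the reply says, up to the NAS.

```python
"""Derive a Session-Timeout reply value from a daily quota and the sessions
already accounted for today.  Added illustration, not FreeRADIUS code."""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

DAILY_QUOTA = 4 * 3600  # seconds per day: the 4 hours/day package from the question

# Constructed sample accounting rows for one user: (session start,
# Acct-Session-Time in seconds).  The first session started the evening before.
SAMPLE_SESSIONS: List[Tuple[datetime, int]] = [
    (datetime(2006, 1, 11, 23, 0, 0), 7200),  # 23:00 -> 01:00, only 1 h is today
    (datetime(2006, 1, 12, 8, 0, 0), 5400),   # 08:00 -> 09:30, 1.5 h
]


def used_today(sessions: List[Tuple[datetime, int]], now: datetime) -> int:
    """Seconds consumed between local midnight and now.

    Each session is clipped to the [midnight, now] window, so a session that
    spanned midnight only contributes the part that fell on today's quota,
    and a stale row with a future start contributes nothing.
    """
    day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    used = 0
    for start, session_time in sessions:
        end = start + timedelta(seconds=session_time)
        begin, finish = max(start, day_start), min(end, now)
        if finish > begin:
            used += int((finish - begin).total_seconds())
    return used


def session_timeout(sessions: List[Tuple[datetime, int]], now: datetime,
                    quota: int = DAILY_QUOTA) -> Optional[int]:
    """Session-Timeout to put in the Access-Accept for a new login, or None
    when the quota is already used up and the login should be rejected."""
    remaining = quota - used_today(sessions, now)
    return remaining if remaining > 0 else None


def demo() -> Optional[int]:
    """Login at noon after the two sample sessions: 14400 - (3600 + 5400)."""
    return session_timeout(SAMPLE_SESSIONS, datetime(2006, 1, 12, 12, 0, 0))
```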
hints and stripped-user-name
I have more hints trouble on another radius server. I want to look for a realm
and strip it if it is there, else, send on the username untouched. Using a
config that Alan gave me a while back to do the opposite I entered the below in
my hints. Thought this would be easy but I am just not getting something. I
think the two values I have tried to use (Stripped-User-Name and
Strip-User-Name) are not yet set, which is why the username comes up blank. So,
how to strip the realm from the username and set User-Name to that?

I have this in my hints:

DEFAULT User-Name =~ .*@, NAS-IP-Address == 69.39.33.242
        User-Name := %{Stripped-User-Name}
# also tried Strip-User-Name in place of Stripped-User-Name with same
# result

The parts of the radiusd -X I think are pertinent follow:

rad_recv: Access-Request packet from host 69.39.33.242:1812, id=177, length=205
        User-Name = [EMAIL PROTECTED]
--snip--
hints: Matched DEFAULT at 80      -- this is the entry above from hints
radius_xlat: ''                   -- Stripped-User-Name not set yet?
--snip--
rlm_realm: No '@' in User-Name = , looking up realm NULL
--snip--
auth: Failed to validate the user.
Login incorrect: [/boilers1] (from client NAS0hpr1ABI port 14081)
                 ^^-- so username is definitely set to null

Here is the full radiusd -X for this user:

rad_recv: Access-Request packet from host 69.39.33.242:1812, id=177, length=205
        User-Name = [EMAIL PROTECTED]
        User-Password = passhere
        NAS-IP-Address = 69.39.33.242
        NAS-Identifier = 69.39.33.242
        NAS-Port = 14081
        Acct-Session-Id = [EMAIL PROTECTED]
        USR-Interface-Index = 0
        USR-Supports-Tags = 0
        Service-Type = Login-User
        USR-Chassis-Call-Slot = 56
        USR-Chassis-Call-Span = 1
        USR-Chassis-Call-Channel = 1
        USR-Connect-Speed = NONE
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
hints: Matched DEFAULT at 80
radius_xlat: ''
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
  modcall[authorize]: module digest returns noop for request 2
rlm_realm: No '@' in User-Name = , looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
    users: Matched DEFAULT at 151
    users: Matched DEFAULT at 330
  modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module unix returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Login incorrect: [/boilers1] (from client NAS0hpr1ABI port 14081)

As always, help is greatly appreciated.

--
Lewis Bergman
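The following is an added worked example, not part of the post above and not FreeRADIUS code: a small Python model of the ordering the radiusd -X output shows. It takes only two facts from that output, that the hints entry (evaluated by preprocess) runs before the suffix/realm module, and that %{Stripped-User-Name} expands to '' while that attribute does not exist yet. The User-Name in the sample request is an assumed value, since the real one was redacted.

```python
"""Model of the authorize ordering behind the posted radiusd -X output.
Added illustration only; the real hints and realm modules are C code."""
import re
from typing import Callable, Dict, List, Optional

NAS = "69.39.33.242"  # NAS address from the posted hints entry

# Constructed sample Access-Request (the real User-Name on the list was redacted).
SAMPLE_REQUEST: Dict[str, str] = {
    "User-Name": "jdoe@example.com",
    "NAS-IP-Address": NAS,
    "NAS-Port": "14081",
}


def xlat(template: str, request: Dict[str, str]) -> str:
    """Expand %{Attribute} references from the request list.  A reference to
    an attribute that is not present expands to the empty string, which is
    the `radius_xlat: ''` line in the debug output."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}",
                  lambda m: request.get(m.group(1), ""), template)


def hints_entry(request: Dict[str, str]) -> bool:
    """The poster's DEFAULT entry: when User-Name =~ .*@ and the NAS matches,
    set User-Name := %{Stripped-User-Name}.  Returns True when it matched."""
    if not re.search(r".*@", request.get("User-Name", "")):
        return False
    if request.get("NAS-IP-Address") != NAS:
        return False
    request["User-Name"] = xlat("%{Stripped-User-Name}", request)
    return True


def realm_module(request: Dict[str, str]) -> Optional[str]:
    """Model of the suffix (rlm_realm) instance: split User-Name at the last
    '@', record the bare user as Stripped-User-Name and return the realm, or
    None when there is no '@' to split on ("No '@' in User-Name")."""
    name = request.get("User-Name", "")
    if "@" not in name:
        return None
    user, realm = name.rsplit("@", 1)
    request["Stripped-User-Name"] = user
    request["Realm"] = realm
    return realm


def run_authorize(order: List[Callable[[Dict[str, str]], object]],
                  request: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Run the given modules in order on a copy of the request and return the
    resulting request list."""
    req = dict(SAMPLE_REQUEST if request is None else request)
    for module in order:
        module(req)
    return req


def as_posted() -> str:
    """Order from the debug output: hints (preprocess) first, then suffix.
    The xlat runs before Stripped-User-Name exists, so User-Name becomes ''
    and the realm module then finds no '@' at all."""
    return run_authorize([hints_entry, realm_module])["User-Name"]


def realm_first() -> str:
    """Same entry, but in this model the realm split happens before the hints
    entry runs, so the reference has a value to expand to."""
    return run_authorize([realm_module, hints_entry])["User-Name"]
```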
Re: A little problem - FR with Mysql Stored Procedure
Saeed Ahmed wrote:
> Means I need to use CLIENT_MULTI_STATEMENTS in mysql_real_connect(), so,
> for now, I just need this little guidance that which file should I edit to
> get SP working with Freeradius.

I would think that sql.conf would be the place to start. After that I would
guess you would have to prod around rlm_sql if you are returning an array or
result set if rlm is expecting something else.

--
Lewis Bergman
Re: A simple clients,Users and naslist
Radius User wrote:
> I am totally a newbie at the world of freeradius. Can any one give me a
> simple example clients, users and naslists file. so simply.. regards

The tar comes with an extensively commented config for everything.

--
Lewis Bergman
Re: Auth question
> Can anyone tell me why I am getting trashed passwords when attempting to
> authenticate?
>
> Login incorrect: [nickm/d\313f`\247+4\203\360/\367]

Looks like your secrets in clients.conf don't match what your NAS has.

--
Lewis Bergman
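As an added illustration of the reply above (not code from the list or from FreeRADIUS), this implements the RFC 2865 section 5.2 User-Password hiding: the NAS XORs the padded password with MD5(secret + Request Authenticator), and the server reverses it with its own copy of the secret. Nothing in that format detects a mismatch, so a secret that differs between clients.conf and the NAS turns the log line into the kind of bytes shown. The secrets, password and authenticator below are constructed sample values.

```python
"""RFC 2865 User-Password hiding and what a mismatched shared secret does
to it.  Added illustration, not FreeRADIUS code."""
import hashlib
import os
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad the password with NULs to a multiple of 16 (at least 16)
    and XOR each 16-byte block with MD5(secret + previous block), where the
    first 'previous block' is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # chaining uses the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream and strip the NUL padding.
    With a different secret the keystream differs and the result is random
    bytes; there is no check that would flag this as a wrong secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def login_attempt(nas_secret: bytes, server_secret: bytes,
                  password: bytes = b"s3cret",
                  authenticator: Optional[bytes] = None) -> bytes:
    """What the server recovers when the NAS hides the password with one
    secret and the server reveals it with another.  Equal secrets give the
    password back; unequal ones give bytes like those in the posted log."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, nas_secret, authenticator)
    return reveal_password(hidden, server_secret, authenticator)


def looks_trashed(recovered: bytes) -> bool:
    """The check a log reader applies by eye: a real password is printable
    ASCII, a secret mismatch yields bytes outside that range (the \\313,
    \\247 ... escapes in the posted 'Login incorrect' line)."""
    return any(b < 0x20 or b > 0x7E for b in recovered)
```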
Re: using stored procedures with freeradius
Murat Mığdısoğlu wrote:
> Hi all,
> I'm using freeradius with sybase using freetds and unixodbc. For some
> purposes, I had to use stored procedures and changed sql statements in
> sql.con to procedure calls like "EXEC -". I have two questions at this
> point:
> 1) has anyone used this method before?
> 2) Examining my logs, I found that some sockets getting 'Invalid cursor
> State' error from unix-odbc driver in some cases and they don't work
> anymore. What can it be?

You should really address that on the db level. That is not a freeradius
issue.

--
Lewis Bergman
Re: IC radius question
Jake Messinger wrote:
> I know this is the freeradius forum but I thought I'd ask here. I have a
> customer using icradius and they say that they can't easily switch to
> freeradius because of several python scripts written to work with
> icradius.

Don't know anything about that error but if the python scripts look at the db
they should be very easy to port.

--
Lewis Bergman
Re: Restricting access to a NAS
Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to
> access our LAN. I also have the login to the router itself, for admin,
> authenticating through FR (MySQL backend). The same DB is used for all
> auth, so currently anyone with a dialup account could also telnet into the
> router. This leaves only my 'enable' password to prevent problems. I want
> to configure FR to eliminate this ability for all but a select group of
> users (admins). There are other devices I would like to add to the list
> later. I've been looking at huntgroups as the solution, but was unsure how
> (or if) this could be handled via sql rather than the users file. Is
> anyone doing this and could provide a sample config layout?

I am not currently doing this but plan to tackle it by using something like a
realm of admin when I do get to it. So a user needing admin privs would have
to log in like [EMAIL PROTECTED] to get access.

--
Lewis Bergman
Re: FreeRadius in a production environment
Susana Macias wrote:
> Hi :-)
> I am interested to know about success stories of people using FreeRadius
> in a production environment. I have read
> http://www.freeradius.org/testimonials.html but I would like to obtain a
> few more experiences.

Using it without issue (besides my own ignorance) for a good while. Using
mysql clusters to serve as the backend for two freeradius servers. It has
worked very well. Mostly dialup but it also auths our wireless and hopefully
soon our routers and servers as well.

--
Lewis Bergman
Re: Where are these Client-IP-Address = 127.0.0.1 messages coming from?
Matthew Schumacher wrote:
> Lewis Bergman wrote:
> > Matthew Schumacher wrote:
> > > I'm getting accounting messages like these that seem to be coming from
> > > the loopback interface, but `tcpdump -i lo` doesn't see them so they
> > > are not coming from a local client. If they are not coming from a
> > > local client then how can I figure out where they are coming from?
> > >
> > > Thu Jan 12 07:19:58 2006
> > >         Acct-Status-Type = Stop
> > >         NAS-IP-Address = x.x.x.x (legit nas IP)
> > >         Acct-Delay-Time = 0
> > >         User-Name = user
> > >         NAS-Port = 536936515
> > >         Acct-Session-Id = 0A67
> > >         Service-Type = Framed-User
> > >         Framed-Protocol = PPP
> > >         Framed-IP-Address = x.x.x.x (legit Framed-IP-Address)
> > >         Acct-Session-Time = 0
> > >         Acct-Input-Octets = 0
> > >         Acct-Output-Octets = 0
> > >         Acct-Input-Packets = 0
> > >         Acct-Output-Packets = 0
> > >         Client-IP-Address = 127.0.0.1
> > >         Acct-Unique-Session-Id = 1cc41474b27ed376
> > >         Timestamp = 1137082798
> >
> > These appear to be from the loopback of the NAS, not the radius server.
>
> Thanks for your reply, however it doesn't make sense to me. How can the
> Client-IP-Address be 127.0.0.1 if the radius server records the source
> address of the packet in the Client-IP-Address attribute? If the packet
> came from the loopback of the nas then I would expect the NAS-IP-Address
> to be 127.0.0.1 but the Client-IP-Address to be where the packet was
> sourced from.

I assumed when you marked the NAS ip as legit, that the actual value in that
field is a legit IP that you have listed in your clients.conf file. If that is
the case, then that is where the packet originated from. My NASes report the
client IP as the NAS address if I log in from the network:

        Login-IP-Host = ip of router
        Client-IP-Address = IP of NAS

I think I remember if I logged in from the console port that it reports the
Client address as the loopback.

--
Lewis Bergman
Re: Where are these Client-IP-Address = 127.0.0.1 messages coming from?
Matthew Schumacher wrote:
> I'm getting accounting messages like these that seem to be coming from the
> loopback interface, but `tcpdump -i lo` doesn't see them so they are not
> coming from a local client. If they are not coming from a local client
> then how can I figure out where they are coming from?
>
> Thu Jan 12 07:19:58 2006
>         Acct-Status-Type = Stop
>         NAS-IP-Address = x.x.x.x (legit nas IP)
>         Acct-Delay-Time = 0
>         User-Name = user
>         NAS-Port = 536936515
>         Acct-Session-Id = 0A67
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Address = x.x.x.x (legit Framed-IP-Address)
>         Acct-Session-Time = 0
>         Acct-Input-Octets = 0
>         Acct-Output-Octets = 0
>         Acct-Input-Packets = 0
>         Acct-Output-Packets = 0
>         Client-IP-Address = 127.0.0.1
>         Acct-Unique-Session-Id = 1cc41474b27ed376
>         Timestamp = 1137082798

These appear to be from the loopback of the NAS, not the radius server.

--
Lewis Bergman
Re: freeradius 1.0.4 + mysql cannot authenticate
Jonathan Carpenter wrote:
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.

This doesn't look promising.

--
Lewis Bergman
Re: openLDAP vs. mySQL
Carlo Prestopino wrote:
> Hi all,
> this is a "theoretical" post. As written in the subject: LDAP or mySQL in
> the backend for a remote access control system?
> I've seen that for remote access control, e.g. Wi-Fi prepaid access
> solutions, freeRADIUS+captive portal+mySQL is widely used. There are
> several implementations of captive portals, but they all do the same
> thing: act as NAS towards RADIUS providing AAA attributes. User data are
> stored in the backend in a database, but for usage characteristics this
> database should be a directory server (LDAP server); such a solution, in
> fact, requires features typical for a directory server: optimization for
> read operations, distributed model for storage of information, advanced
> search capabilities. So the best solution should be LDAP (openLDAP) for
> users' data and SQL (mySQL) for accounting data (these data are
> overwritten so the number of write operations is almost equal to the
> number of read operations). Despite this, I've seen that LDAP is not
> widely used. Is this for its complexity or are there deeper reasons that
> suggest using an SQL database for both (user data, accounting) purposes?
> Does anybody have links that might help to build a system using this
> architecture?

I would suspect that the vast majority of the world won't deploy a system
large enough to tell the difference in performance between LDAP and SQL, so
most make the decision in favor of the one they are most comfortable with
managing.

--
Lewis Bergman
Re: SQL Authentication (mainly @Alan!)
florian broder wrote:
> WHY was it done like that, i.e. that you HAVE to use a username in sql?

I am no developer but my guess would be because you have just allowed everyone
in the world in as long as they know you have a password correct. You can't
config the cisco switch to send the mac as the user? That would be the normal
behavior.

--
Lewis Bergman
Re: SQL Authentication (mainly @Alan!)
florian broder wrote:
> Hi.
>
> > > WHY was it done like that, i.e. that you HAVE to use a username in sql?
> >
> > I am no developer but my guess would be because you have just allowed
> > everyone in the world in as long as they know you have a password
> > correct.
>
> That was just an example by me, you can tell the sql module (sql.conf) to
> look for virtually every attribute in an access-request.
>
> > You can't config the cisco switch to send the mac as the user? That would
> > be the normal behavior.
>
> I told Cisco that too. I'm in contact with them, for this task. Nortel for
> example sends the MAC as username/password, no problem with that. I'd just
> like to know, if I can use safely my own compiled version (zero length
> username on sql allowed), or if I run into problems afterwards, maybe for
> accounting etc. That's why I was asking the developers here directly. I
> mean, they must have had a reason to NOT allow that on sql, while the
> normal authentication via users file allows that.
> Thanks again!

Yea, Alan has told me that the sql module differs in some areas and some of
the reasons may be good and others not so much. Good luck.

--
Lewis Bergman
Re: Cannot authenticate but there is accounting record
Alan DeKok wrote:
> Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> > I've found unusual activity where there is an attempt to authenticate
> > but unsuccessful due to no entry in database (LDAP) but there is an
> > accounting record for it.
>
> Ask the NAS vendor why they do this. FreeRADIUS just logs the accounting
> packets that the NAS sends.

Many NASes have a setting to turn unauthenticated accounting on or off. Pretty
standard to have it in there, just turn it off.

--
Lewis Bergman
Re: logging in twice on the same username
debik wrote:
> Is it possible to log in twice on the same username and password if the
> user is currently logged in? If there is such a possibility how can I stop
> this?

Look at the doc for Simultaneous-Use.

--
Lewis Bergman
Re: Client authenticated but no internet connection
mfred wrote:
> Hi,
> The clients can login (through chillispot login page) and authenticate via
> the radius server and mysqldb. So they have an IP like 192.168.182.5. But
> even if they get authenticated they still cannot connect to the internet.
> And I have no idea why. Any hints?

Learn your platform. Since you have auth already it is a network issue from
there. You are not passing either the AP/router/client the correct config or
they are not configured correctly somehow. Check reply attrs for framed
address, gateway and the like.

--
Lewis Bergman
Re: FreeRadius and Dlink Switch Authentication Problem
Kai Geek wrote:
> what problem? when i test locally, it seems as working but the switch
> doesn't connect to radius?

output of radiusd -X?

--
Lewis Bergman
Re: Adding multiple realms
You should probably look into the strip realms config item since you only want
a single username for all realms.

--
Lewis Bergman
Re: Error in Radius.log
LeRoy DeVries wrote:
> I'm getting the following error in the radius log and don't know how to
> handle it. I assume it's handled somewhere within the radius.conf file but
> I can't find anything about it.
>
> Sun Dec 25 09:28:07 2005 : Error: rlm_sql: Failed to create the pair: Unknown attribute Max-All-Session
> Sun Dec 25 09:28:07 2005 : Error: rlm_sql (sql): Error getting data from database
> Sun Dec 25 09:28:07 2005 : Error: rlm_sql (sql): SQL query error; rejecting user
>
> I'm a newbie to all this and am stumbling along :)

You need to check that the dictionary that contains the attribute mentioned is
included in /etc/raddb/dictionary or wherever your radius.conf lists it. Follow
the syntax in that file to include it.

--
Lewis Bergman
Re: DialupAdmin gives Blank Pages
Scott MacEachern A.Sc.T wrote:
> apache2

The list contains the answer somewhere in there. Have you searched the
archives?

--
Lewis Bergman
Re: radiusd -X and Raddb Configure
Kai Geek wrote:
> radiusd.conf[1682] Unknown Auth-Type System in authenticate section.

I always keep a default copy of the radius.conf around. When an error like
this pops up (I have seen that exact one before) I do a diff of my radius.conf
and the default and look for the offending item. This might work for you. I
can guarantee with no config posted no one will be able to help you. Other
than that, inserting something in clients.conf relating to 10.0.0.250 may help
with the setup you mentioned.

--
Lewis Bergman
Re: state of art of freeradius
Rafael Roldán wrote:
> Hi all,
> I would like to know your opinion about the following issues:
> Which is the most common use of the freeradius server in your particular
> cases?

Authorizing dialup and highspeed wireless users. A secondary use is
authenticating users allowed to log in to network equipment such as routers,
switches, and servers.

> Which version are you using? is it stable?

1.0.5. Very stable

> What problems have you found using freeradius (during installation,
> configuration, use...)?

Ignorance is always my biggest hurdle. I find I attempt to perform tasks with
freeradius with which I am not familiar enough, which makes the proper config
very difficult. I expect the wiki to help with this as examples of challenges
and their solutions are posted.

> My objective is writing a document trying to reflect the state of the art
> of the freeradius server.

I think if you are looking for the state of the art in RADIUS then you found
it. Free or not.

--
Lewis Bergman
Re: Programmer/Admin Needed
Kyle Leissner wrote:
> I own a small dialup ISP (around 500 users at the current time) but we are
> expanding rapidly (at least 100 users per month signup) with no
> advertising since we started 4 months ago. We use Freeside as our main
> billing system and freeradius as our radius server. Currently we only have
> one programmer/admin that runs our whole operation. He does good work, but
> lives in New Zealand, and is very hard to get a hold of. We are looking
> for a freelance admin/programmer that has experience with Freeside and
> Freeradius features. We are looking to do the following:
> - setup accelerated dialup service with Freeside and radius groups
> - install the address book for our webmail program
> - upload and update the knowledge base
> - create an automated user signup/setup program
> - setup echecking features
> - make the signup page load faster and make it not so buggy
> - make/implement the customer login interface for them to cancel their
>   account, update their password, update their information, and setup
>   additional email accounts
> - setup newsgroups
> - setup user hosting service
> We are on a very tight budget as we have just broken even with our
> operation. Please respond off list if you are interested in doing
> freelance work on our system.
> Thank you,
> Kyle Leissner

Ivan, the gentleman who designed freeside, is available and quite capable of
all you ask. You can reach him at [EMAIL PROTECTED] His rates are good,
especially when you consider your situation and the fact he is the most
familiar with the code you want worked.

--
Lewis Bergman
Re: Accept all
Alan DeKok wrote:
> Lewis Bergman [EMAIL PROTECTED] wrote:
> > Due to a huge glitch in my db cluster I need to send an access accept to
> > all requests. An entry like
> >
> > DEFAULT Auth-Type := Accept
> >
> > in the users file doesn't seem to allow chap users to authenticate. How
> > can I allow this?
>
> Debug mode says...?

When I had the debug mode going chap reported no clear text password. Maybe it
was the order they are checked. I got it running so I'll have to get a test
server up and then run some tests against it and let you know. I still would
like to configure freeradius to check against the sql and if it can't connect,
accept all, but now that the crisis is over I can go back to setting up a test
server and trying things out, and when I get frustrated with my stupidity I'll
shout.

Thanks Alan.

--
Lewis Bergman
Re: rlm_sql_mysql.so where do I locate this file and its associated files for Redhat ES4 to run Radius and MySQL
Frank Reiss wrote:
> Hi, I am trying to build a radius server using MySQL and am getting a
> message about missing rlm_sql_mysql.so. I could use some help in locating
> the required modules.

You need the mysql-devel rpm installed before you do the ./configure, make,
make install process.

--
Lewis Bergman
Re: Radius accounting file scanning and upload to database
Ming-Ching Tiew wrote: I have implemented a file scanning mechanism to scan the radius accounting detail file and subsequently upload to the database server, but at the time of scanning I detect the presence of a yesterday file (i.e. a completed file). This will mean that my accounting record inside the database is one day late. Now I understand there is a way to instruct the radius server to change the file name hourly, so theoretically I should be able to scan for the presence of the last completed hourly file and then upload to the database server. However, assuming the scanning, processing, and subsequent uploading to the database server is very slow, it could mean that from the start of one scan to the next scan, if more than one hour has passed, I would have missed one of the last hour files. Does anyone have a better idea of how to process an hourly file more gracefully?

This is probably a stupid question, but why not log the accounting directly to SQL via the sql module?
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
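As an added example (my own code, not from this thread or from FreeRADIUS), here is a scanner pass for hourly detail files that cannot skip an hour: instead of looking for "last hour's" file it loads every completed file it has not yet recorded as processed, and it leaves the current hour's file alone because rlm_detail is still appending to it. It assumes a detail filename of the form detail-%Y%m%d%H, parses the detail format rlm_detail writes (a timestamp line, tab-indented Attribute = value lines, a blank line closing each record), and uses a constructed in-memory spool with a plain list standing in for the database.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# Assumed rotation: detail filename detail-%Y%m%d%H, one file per hour.
NAME_RE = re.compile(r"^detail-(\d{10})$")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records: a timestamp line, then tab-indented
    'Attribute = value' lines, with a blank line closing the record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():                      # blank line closes a record
            if current:
                records.append(current)
                current = {}
        elif line[0] in " \t":                    # attribute line
            attr, _, value = line.strip().partition(" = ")
            current[attr] = value.strip().strip('"')
        else:                                     # timestamp line starts a record
            if current:
                records.append(current)
            current = {"_timestamp": line.strip()}
    if current:
        records.append(current)
    return records


def completed_files(names: Iterable[str], now: datetime) -> List[str]:
    """Files whose hour is over, oldest first.  The current hour's file is
    still being written and must not be read yet."""
    current = now.strftime("%Y%m%d%H")
    done = []
    for name in names:
        m = NAME_RE.match(name)
        if m and m.group(1) < current:
            done.append(name)
    return sorted(done)


def ingest(spool: Dict[str, str], processed: Set[str], now: datetime,
           db: List[Tuple[str, str, str]]) -> List[str]:
    """One scanner pass.  Every completed file not in `processed` is loaded, not
    just the previous hour's, so a pass that takes longer than an hour (or a
    scanner that was down) still catches up on everything it missed.  The
    caller persists `processed` between passes; `db` stands in for the table."""
    loaded = []
    for name in completed_files(spool, now):
        if name in processed:
            continue
        for rec in parse_detail(spool[name]):
            key = (rec.get("Acct-Session-Id", ""), rec.get("Acct-Status-Type", ""),
                   rec.get("User-Name", ""))
            if key not in db:                     # re-reading a file never double-inserts
                db.append(key)
        processed.add(name)
        loaded.append(name)
    return loaded


# Constructed detail files, not real accounting data.
DETAIL_10 = """\
Tue Nov 22 10:02:26 2005
\tAcct-Session-Id = "0000001A"
\tUser-Name = "bob"
\tAcct-Status-Type = Start

Tue Nov 22 10:40:01 2005
\tAcct-Session-Id = "0000001A"
\tUser-Name = "bob"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 2255

"""
DETAIL_11 = """\
Tue Nov 22 11:15:00 2005
\tAcct-Session-Id = "0000001B"
\tUser-Name = "alice"
\tAcct-Status-Type = Start

"""
DETAIL_12 = "Tue Nov 22 12:00:01 2005\n\tAcct-Session-Id = \"0000001C\"\n\tUser-Name = \"carol\"\n\tAcct-Status-Type = Start\n\n"


def demo() -> Tuple[List[str], List[str], int]:
    spool = {"detail-2005112210": DETAIL_10, "detail-2005112211": DETAIL_11,
             "detail-2005112212": DETAIL_12}
    processed: Set[str] = set()
    db: List[Tuple[str, str, str]] = []
    first = ingest(spool, processed, datetime(2005, 11, 22, 11, 5), db)    # only 10:00 is complete
    second = ingest(spool, processed, datetime(2005, 11, 22, 13, 10), db)  # slow pass: two hours to catch up
    return first, second, len(db)
```

The second pass in demo() is the case the question worries about: more than an hour elapsed, two files completed in the meantime, and both are picked up because selection is "everything completed and not yet processed" rather than "the previous hour". Persisting the processed set (or simply renaming or moving files after a successful commit) is what makes this safe across restarts.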
Re: Propel - unknown-vendor 14895, size 6 =
Mojo Jojo wrote: Just wanted to add to this that I find it strange that when I look at this at the debug console, it shows that it's sending the info correctly. The error appears only when testing from a remote client test utility called NT radping.

I have been using the propel dictionary and propel clients in production for over a year with no difficulty and no special setup required for freeradius.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: DialupAdmin gives Blank Pages
Scott MacEachern A.Sc.T wrote: Does anyone have any troubleshooting scripts for the dialupadmin package? Thanks Scott

There are some entries related to this in the archives. I got it working but stopped using it shortly thereafter. I had the same problem as you initially and ended up finding the answer in the archives. I remember I abandoned it as it had some shortfalls. I don't remember what they were so it may work well for you.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: rlm_sqlcounter and something else than Session-Timeout
Seferovic Edvin wrote: If you know what you want, write a patch, and we'll review it. Alan DeKok. Alan, I think you are a far better programmer than I am. It shouldn't be a big trouble to allow another config parameter for sqlcounter. This one could be named Reply-Attribute and people could use it to enter Session-Timeout or Session-Octets-Limit depending on their need and usage of freeradius.

If I need a feature in a free software package that isn't there, I sponsor it if I can't wait till it *might* get done one day. Suggest you take the same approach.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: DialupAdmin gives Blank Pages
Scott MacEachern A.Sc.T wrote: what did you replace it with?

I use an integrated billing package called Freeside that provisions the freeradius SQL tables.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: UltraMonkey 3 and FreeRadius
Hugues Lepesant wrote: Hi all, I want to build a high availability radius platform based on OpenSource software. To do so I've patched /usr/sbin/ldirectord with Matteo Bertato Horms' patch found here http://lists.community.tummy.com/pipermail/linux-ha-dev/2005-September/011662.html It works fine, I make the load balancing for both auth [1812] and accounting [1813]. But I've a strange behavior when freeradius is started as a daemon: servers are never enabled for auth by ipvsadm. I must start freeradius in debug mode (-X) on the radius server to be enabled by the load-balancers. Even if I can make some successful radtest from the load-balancers, and the log of ldirectord seems to be ok. I'm not sure it's UltraMonkey's fault, I have tested with the last freeradius version and it is the same :( Does anyone have any idea where it can come from?

I have a redundant setup with no patches using freeradius 1.0.5 and MySQL cluster 4.1.14max. No patches required.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: Auth All but only for those in my clients.conf
Mojo Jojo wrote: At this time, the requests are authed regardless of the username or password but they are authed regardless of the client or secret. Not possible. You are correct.. Let me re-phrase after doing a little more testing... At this time I have an AuthAll setup working and it only works for requests that come from IPs which belong to clients defined in the clients.conf file. But... I have confirmed 100% that the secret defined in those clients is totally ignored in this situation. So, I can attempt to login from a defined client using any secret and they all work as long as the request is coming from an IP belonging to a client defined in the clients.conf file. I don't care if the secret is ignored personally, just thought some of you folks might want to know. As long as the requests are only honored from authorized IPs this is good enough for the application I am using it for.

If you look at the way the secret is used you'll find that your use of Auth-Type := Accept makes it irrelevant.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: Auth All but only for those in my clients.conf
Mojo Jojo wrote: Only thing I am stuck on here is that my CHAP requests are failing with this message: Sat Dec 17 22:31:06 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available)

Seems pretty clear. You must have clear text passwords in the users file or SQL for CHAP; PAP doesn't require them. You may want to run the server in debug since I have noticed that it spits that error out even if they merely have an incorrect password but it is stored clear text. Debug will give you exactly what is going on a few lines above where this is printed.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: Auth All but only for those in my clients.conf
Mojo Jojo wrote: Only thing I am stuck on here is that my CHAP requests are failing with this message: Sat Dec 17 22:31:06 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available) Seems pretty clear. You must have clear text passwords in the users file or SQL for CHAP; PAP doesn't require them. You may want to run the server in debug since I have noticed that it spits that error out even if they merely have an incorrect password but it is stored clear text. Debug will give you exactly what is going on a few lines above where this is printed. How is it clear? There are no passwords or users on the machine, how can I store the non-existent passwords in clear text if they don't exist? I am trying to do an Auth All setup where all users from authorized clients are accepted regardless of username/password.

Sorry. Why don't you post a debug output of the client attempt so we all have something to look at?
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
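An added example (my own code, not from this thread or from the FreeRADIUS sources) of what the shared secret and the user's password are actually used for in an Access-Request, and why an accept-all policy touches neither. PAP hides User-Password with MD5(secret + Request Authenticator) keystream blocks per RFC 2865 section 5.2, so decrypting with the wrong secret yields garbage rather than an error; CHAP can only be verified by recomputing MD5(ident + cleartext password + challenge), which is exactly the "Clear text password not available" failure in the thread; and the Access-Accept's Response Authenticator is still an MD5 over the reply and the server's secret. The secrets, password and the fixed Request Authenticator are constructed test values, and the NAS side is simulated in the same script.

```python
import hashlib
from typing import Dict, Optional, Tuple


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 5.2, as a NAS does it for PAP."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = _md5(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_encrypt.  With the wrong secret this returns garbage, not an error."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = _md5(secret, prev)
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")     # padding is NUL; a password cannot end in NUL


def chap_response(ident: int, cleartext: bytes, challenge: bytes) -> bytes:
    """CHAP response from RFC 2865 5.3 / RFC 1994: MD5(ident + password + challenge)."""
    return _md5(bytes([ident]), cleartext, challenge)


def chap_verify(chap_password: bytes, challenge: bytes, cleartext: Optional[bytes]) -> bool:
    # The server must recompute the response from the cleartext password; without
    # it there is nothing to compare, which is the rlm_chap failure in the thread.
    if cleartext is None:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return chap_response(ident, cleartext, challenge) == response


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator (RFC 2865 section 3): MD5 over the reply header,
    the Request Authenticator, the reply attributes and the shared secret."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return _md5(bytes([code, ident]), length, request_auth, attrs, secret)


def handle_access_request(req: Dict[str, bytes], server_secret: bytes,
                          known_password: Optional[bytes],
                          accept_all: bool = False) -> Tuple[bool, str]:
    """Minimal model of authorize/authenticate for one Access-Request.  `req`
    holds raw attribute values plus the Request Authenticator under
    'authenticator'.  Returns (accepted, how)."""
    if accept_all:
        # "DEFAULT Auth-Type := Accept": nothing derived from the secret or the
        # password is ever compared, so a client that used the wrong secret is
        # accepted exactly like one that used the right one.
        return True, "Auth-Type := Accept"
    if "User-Password" in req:
        pw = pap_decrypt(req["User-Password"], server_secret, req["authenticator"])
        return known_password is not None and pw == known_password, "PAP"
    if "CHAP-Password" in req:
        challenge = req.get("CHAP-Challenge", req["authenticator"])
        return chap_verify(req["CHAP-Password"], challenge, known_password), "CHAP"
    return False, "no password attribute"


def demo() -> Dict[str, object]:
    """Constructed NAS traffic: one PAP and one CHAP request for the same user."""
    good_secret, bad_secret = b"testing123", b"wrong-secret"
    password = b"s3cret-pw"
    req_auth = bytes(range(16))              # fixed instead of random, for the demo
    pap_req = {"authenticator": req_auth,
               "User-Password": pap_encrypt(password, good_secret, req_auth)}
    chap_req = {"authenticator": req_auth,
                "CHAP-Password": bytes([7]) + chap_response(7, password, req_auth)}
    return {
        "pap_right_secret": handle_access_request(pap_req, good_secret, password),
        "pap_wrong_secret": handle_access_request(pap_req, bad_secret, password),
        "accept_all_wrong_secret": handle_access_request(pap_req, bad_secret, None, accept_all=True),
        "chap_with_cleartext": handle_access_request(chap_req, good_secret, password),
        "chap_without_cleartext": handle_access_request(chap_req, good_secret, None),
        # Even under accept-all the reply is signed with the server's secret.
        "reply_auth_same_for_both_secrets":
            response_authenticator(2, 1, b"", req_auth, good_secret)
            == response_authenticator(2, 1, b"", req_auth, bad_secret),
    }
```

Under Auth-Type := Accept the only thing still tied to the secret is the Response Authenticator on the Access-Accept: a NAS that verifies it will discard the reply, while a test tool that does not verify it will report success. So "the secret is ignored" in the accept-all setup is really "nothing in the request is checked against the secret", and the client-IP list in clients.conf is the only control left.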
Re: Dictionary files for HP Procurve switch?
Seferovic Edvin wrote: Hi, I am using HP ProCurve 2626 (smaller version of 2650) and I haven't seen any dictionary files nor need for a dictionary file. MAC-based auth is working fine with freeradius and I suppose EAP would work fine as well.

Get them from HP then post them with a bug report as a file and maybe they'll get in the next release.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: Authenticate users for a hotel through webpage?
Christophe Gravier wrote: Hello mfred, It is just the same thing I want to achieve here in my university. This is a captive portal (hope this is a good translation). For that, I had to use chillispot, apache2, freeradius and ldap. I think, please correct me if freeradius is able to do the whole thing..., Freeradius is just a piece of the puzzle. - apache2 hosts the webpage for authentication (a cgi script) (using ssl) - chillispot uses vtun in order to take control of your network interface plugged to your wireless area (and thus redirects you to the apache page for authentication if you're not authenticated!) - freeradius handles the authentication and accounting using our pre-existing ldap directory listing all the users (teachers, students ...). I have written a complete howto that I'll post this afternoon or tomorrow (needs typo correction) to the chillispot forum. I can send you the draft if you need. (I hope freeradius can't do the stuff so that I'm not making ads for another system :D).

Don't forget the wiki.freeradius.org site.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: SQL authenticate Proxying
[EMAIL PROTECTED] wrote: I'm looking to implement a type of double check authentication using freeradius. I want to use the sql authentication module to provide a list of users. Everyone in this list should be proxied. However, if you aren't in the table, then you should immediately be rejected. I don't have control of the home radius server, so I can't make any modifications there. Generally, I just want to allow a controlled sub-group of users to access the system. At this point the sql module seems to be working (it is accounting and in debug mode I do see it run queries), however, it proxies the request regardless of whether the user is in the usergroup table. Thanks

Fall-Through := Yes
DEFAULT Auth-Type := Reject

The above might work. Having never tried this before I can't say.
Re: Load Test the radius server
[EMAIL PROTECTED] wrote: Hello all, Is there any script or tool I could use to stress test our radius server? I need to test to see if the server we have configured would be able to handle 5000 connections trying to login in a few seconds.

The server can handle that without question. If you are using a db, that might be your weak point. At least some tweaking might be necessary to allow enough connections to the backend. We use the redundant config onto a MySQL cluster and it nicely handles our load.
Re: Two routers using the same Radius server?
Mark Tunnell wrote: Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?

Realms might be one way, in addition to the obvious different password for the same username. I am assuming that the usernames are the same since you asked the question.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: Two routers using the same Radius server?
Mark Tunnell wrote: Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?

Oh yeah, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help.

DEFAULT User-Name !~ .*@, NAS-IP-Address == ip of client
        User-Name := [EMAIL PROTECTED]

-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: -LAN clients - was (no subject)
debik wrote: Is it possible to authenticate users on LAN with freeradius, without any Access Point?

Any radius client will work as long as it is properly configured and in the docs as supported. You might want to browse the config files and doc files.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: Two routers using the same Radius server?
Mark Tunnell wrote: Nice! That gets me almost all the way there. I'm able to authenticate using Auth-Type := Local. Now I just need to figure out how to authenticate that type of user name ([EMAIL PROTECTED]) using Auth-Type := System. Any ideas how to go about that? Mark Tunnell wrote: Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this? Oh yeah, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help.

DEFAULT User-Name !~ .*@, NAS-IP-Address == ip of client
        User-Name := [EMAIL PROTECTED]

Well, take a look at the docs and there is an explanation of the variables you can play with. I don't know what adding an @ in the username would do to a Linux password file but my guess would be nothing spectacular. Running radiusd -X will give you what the Cisco is passing and you can use that to decide what check attribute to manipulate.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Re: dictionary: adding MONTHLY-TIME-LIMIT
don james wrote: Oh, yeah, right. It may as well be written in Greek. Thanks for nothing.

You are sure to get many helpful responses now. If you read it and don't understand what you read, then why not post what is confusing you? You might as well go buy the O'Reilly RADIUS book now. You're not likely to get much help anywhere else with that attitude of yours.
Re: SQL Call-Check Authentication (again :( )
florian broder wrote: --#Else use hard-coded string DEFAULT as the user name.-- sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}} So, it's really a limitation in sql, rather than a misconfiguration? Would be nice if anyone can confirm this!

Did you really mean to put in a :- instead of a := ?
Re: sqltrace.log
TK Lew wrote: hi all :: Is it advisable to turn on the sqltrace.log file under a production environment? It grows pretty large.

I wouldn't do it. I turn it off as soon as I know it works.
Re: connection to network problem
debik wrote: Framed-MTU = 1500,

Not that this is it, but I generally find that passing back an MTU can result in strange connectivity issues like you describe. Clients mostly seem to be able to do this better on their own.
Re: How to transfer authentication method from system to mysql?
darkblue wrote:

DEFAULT Auth-Type := System, Group == admin, Huntgroup-Name == cisco
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Login-Service = Telnet

DEFAULT Auth-Type := System, Group == monitor, Huntgroup-Name == cisco
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = shell:priv-lvl=1,
        Login-Service = Telnet

DEFAULT Auth-Type := System, Group == admin, Huntgroup-Name == 3com
        Login-Service = Telnet,
        3Com-User-Access-Level = 3

DEFAULT Auth-Type := System, Group == monitor, Huntgroup-Name == 3com
        Login-Service = Telnet,
        3Com-User-Access-Level = 1

This kind of configuration works just fine. And now I would like to use mysql for the user db backend. So I have two problems. 1. Could mysql utilize the huntgroup file?

yes

2. How do I transfer this user info, group check and group reply info into mysql?

INSERT into radgroupcheck set GroupName='admin', Attribute='User-Name', op=':=', Value='DEFAULT';
INSERT into radgroupcheck set GroupName='admin', Attribute='Auth-Type', op=':=', Value='local';
INSERT into radgroupcheck set GroupName='admin', Attribute='Huntgroup-Name', op=':=', Value='cisco';
INSERT into radgroupreply set GroupName='admin', Attribute='Service-Type', op='=', Value='NAS-Prompt-User';
INSERT into radgroupreply set GroupName='admin', Attribute='Cisco-AVPair', op='=', Value='shell:priv-lvl=15';
INSERT into radgroupreply set GroupName='admin', Attribute='Login-Service', op='=', Value='Telnet';

I think the above would work but I honestly can't see why you would want to use the db for that few users. I have never used the Huntgroup-Name attribute like that so you may be better off using the hints file for that if it doesn't work. The hints file might look like this:

DEFAULT NAS-IP-Address == 192.168.1.1
        Huntgroup-Name := cisco

I believe you are still going to have to have an entry in the radcheck table that lists the user and password as well.

INSERT into radcheck set UserName='DEFAULT', Attribute='Password', op=':=', Value='changeme';

Then to pull it all together, an entry in the usergroup table:

INSERT into usergroup set UserName='DEFAULT', GroupName='admin';

It would seem to me that you would also need a Fall-Through = Yes there somewhere in radgroupcheck. Like I said, I have never tried to enter anything with the DEFAULT username in the db before. That is really one intended use of the users file. If I am off I am sure that Alan will correct me.
Re: connection to network problem
debik wrote: OK! I changed the MTU and the client negotiated MTU = 1380. But the problem isn't resolved. I have got the connection to the network but I can't see any hosts.

Have you checked to see if the client is getting DNS? Have you pinged an IP instead of a name?
Re: Configuring RADIUS Users
Madhuraka Godahewa wrote: Now my problem is, when I try to send an access-request (using the Radius Test Utility) from another machine (running Windows XP), which is in the same network, the server does not say that it receives an access-request. Does anybody know where the problem is?

Have you entered the other client in clients.conf?
Re: multiple 'users' files possible?
Arne Götje (高盛華) wrote: On Wednesday 23 November 2005 13:50, Lewis Bergman wrote: This is exactly my question whether this will work or the second entry will just overwrite the first one. Maybe this is a stupid question, but since you knew exactly what *might* work, have you tried it? It takes about 10 minutes to setup a test radius server if you don't want to mess with your production one. Give it a shot and let us all know. I tested it with my production server now... it turns out that it does not work. Only the first line in the radius.conf file will be taken, the second one ignored. So, I have to merge the files and find another solution...

Good to know. Maybe the $INCLUDE method? I have seen that used in the dictionary files so I would think it would work in users as well. So, use the default users file with a few $INCLUDEs that pull in your populated users files. Worth a shot anyway.
Re: User Authentication via Websitewith Apache
Konne wrote: hi, i would like to authenticate my users via apache-ssl over a website where the user must fill in his AD username and password. Only if this is correct can he access the internet. My question is if this is possible, and what I have to use so that this would be secure, like the traffic between client-ap-freeradius. eap-tls? peap/mschapv2 ... i have no idea... pls help me :-)

wifidog, nocat
Re: Freeradius + Mysql + Dialup Admin
Mohammad K. Flaifel wrote: Hi all, I have configured freeradius over RedHat AS4, mysql and dialup admin. I'm still in the testing phase. When testing an account with the ntradping utility I get the following log in radius.log:
Tue Nov 22 18:02:26 2005 : Error: rlm_sql: Failed to create the pair: Unknown value Local for attribute Auth-Type
Tue Nov 22 18:02:26 2005 : Error: rlm_sql (sql): Error getting data from database

Looks like you have SQL configured but it can't reach the db. Run with -x to see why.

Tue Nov 22 18:02:26 2005 : Auth: Login OK: [test/123] (from client flaifel port 0)
On ntradping I get access accept and I can see the attributes, but is there any error in the log?? or is it normal?

You need to see if the test user is in the users file. Just about anything will work if the user is in the users file. Comment the test user out and see if it works. Still looks like the db is unreachable or unconfigured.
Re: multiple 'users' files possible?
Arne Götje (高盛華) wrote: Hi list, is it possible with freeradius to use multiple 'users' files for authentication? For example having users divided by department and different administrators are allowed to edit only their own users file? My customer requests to use text files instead of a database... I know that a database would be the more professional solution... *sigh* Cheers Arne

You will find a line like below in radius.conf. Add another to your heart's content. I haven't ever done this for users but it works for sql and other files so I can't imagine why it wouldn't work for the users file. This is found in the modules section.

files {
        usersfile = ${confdir}/users
Re: multiple 'users' files possible?
Arne Götje (高盛華) wrote: You will find a line like below in radius.conf. Add another to your heart's content. I haven't ever done this for users but it works for sql and other files so I can't imagine why it wouldn't work for the users file. This is found in the modules section. files { usersfile = ${confdir}/users This is exactly my question whether this will work or the second entry will just overwrite the first one.

Maybe this is a stupid question, but since you knew exactly what *might* work, have you tried it? It takes about 10 minutes to setup a test radius server if you don't want to mess with your production one. Give it a shot and let us all know.
Re: wireless+freeradius+AD
Alan DeKok wrote: You choose which group you fall into. I don't have time to care what you think about me.

I remember when I was very new to Linux. I had made an incredibly stupid basic networking mistake and was trying to find out why a specific Linux ethernet driver was acting up. The esteemed Donald Becker expressed his amazement, in a funny way, in regard to why anyone would want to design something so inherently evil, and no driver should handle it without error. I then went on a tirade instructing him on why I would want to do this and why he should fix his broken driver. I can only hope it wasn't on a public list so my exact stupidity isn't recorded for all time. But, as time went on, I learned how ignorant I really was, and have made a point of tracking down developers of tools I use (likely freeradius and even useradd) and thanking them even if I have just used the tool and not needed help with it. So I guess the moral of the story is that one day, he'll look back on this list and realize how stupid and indignant he was. So many people new to open source seem to believe they are owed not only the source but free support for it without much effort on their part to actually test a hypothesis and dig for an answer. For my part, you have personally helped me and I appreciate it.
Re: freeradius and mysql - no matching entry in db
Luqman H said: No matching entry in the database for request from user [luqe] but if I'm querying manually on mysql:

mysql> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'luqe' ORDER BY id;
+-----+----------+---------------+------------+----+
| id  | UserName | Attribute     | Value      | op |
+-----+----------+---------------+------------+----+
| 553 | luqe     | User-Password | mypassword | == |
+-----+----------+---------------+------------+----+
1 row in set (0.00 sec)

Try := in the op field and see if a match is found.
-- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 325-691-3301
Re: add a realm to a User-Name if no realm
Alan DeKok said: Lewis Bergman [EMAIL PROTECTED] wrote: I was hoping to look for a specific %{NAS-Identifier} and based on that AND the fact that a user does not have an @ in the username, add the realm. Try using hints

DEFAULT User-Name !~ .*@, NAS-Identifier == foo
        User-Name := [EMAIL PROTECTED]

You, my friend, are wonderful. Please tell me how I might be able to show my gratitude.
-- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 325-691-3301
add a realm to a User-Name if no realm
I am in need of rewriting a username in a request to include a domain. Basically, if a user comes in as user, add the realm @dom.com so it is checked as [EMAIL PROTECTED]. I found this in the archives which seems to be close. http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg15228.html I presume the solution above would go in the users file. I need to be able to do this differently per client. Is this possible? So I added

DEFAULT User-Name !~ @, User-Name := [EMAIL PROTECTED]

but that fails to yield the result I was looking for. I see from the debug that it is matched: users: Matched entry DEFAULT at line 223 But that user isn't in the users file, they are all in MySQL. As a result, do I need that in the sql.conf or one of the preprocess files? I did add the user to the users file but authentication still failed. I have also studied variables.txt but seem unable to make this work. I even tried making my own preprocess file. I didn't expect it to work and I wasn't disappointed. Any help appreciated.
-- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 325-691-3301
Re: add a realm to a User-Name if no realm
I wasn't quite specific enough in my post. The NULL match in the realm module would probably work for the no-realm-at-all situation. I was hoping to look for a specific %{NAS-Identifier} and based on that AND the fact that a user does not have an @ in the username, add the realm.
-- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 325-691-3301
Re: What's Up Gold and Freeradius
Linda Pagillo said: Hi everyone: I'm using Ipswitch's What's Up Gold to monitor my network. I have it set to notify me when certain things in my network go down etc... I have it set to monitor Freeradius. I put an entry into my clients.conf file to give the What's Up Gold computer access to send a request to Freeradius. Here is what's happening... my What's Up Gold keeps telling me that my Freeradius is down when indeed it's not. I'm guessing that when a request gets sent from What's Up Gold to Freeradius, it is not getting there or something. I checked my radius logs and here is an example of an entry I get when What's Up Gold sends a request to Freeradius... Mon Oct 3 10:22:44 2005 : Auth: Login incorrect: [TEST/L\200\212\3101\215\277\320\350\345\373\351\201\031\215] (from client old port 0) I don't know if the above will help any, but I thought I should include it in this post. Also, this problem does not always happen. It's kind of sporadic. There are lots of times when What's Up Gold sends a request to Freeradius and I get no errors. My worry is this... are my customers having to dial up several times before getting connected? Since Freeradius won't accept all requests from What's Up Gold, who's to say that it is accepting dial in requests from all of my customers all of the time? Any help or insight would be very much appreciated. Thanks!

Run it in debug mode and watch what happens when it fails.
-- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 325-691-3301
Re: mysql troubles
Alan DeKok wrote: See the rlm_sql documentation. The '==' is a comparison operator. Use ':='

Must have been too late. Thanks again, Alan, for your help. The issue is now resolved.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 325-691-3301 800-299-6962
Re: mysql troubles
Alan DeKok said: See the rlm_sql documentation. The '==' is a comparison operator. Use ':=' I did but somehow I didn't glean that from it. If I put the user in the users file, the correct post-auth sql query is executed and the accounting record is correctly inserted into the db. The users file is a little different than SQL. Not for good reasons, but it is different.

Alan, I really appreciate your help. I re-read man 5 users and rlm_sql. I tried your suggestion for :=. Still no joy. I tried =*, :=, and ==. Nothing. Would you be up for some consulting? I have been after this for 3 days and can't seem to see through the fog.
-- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 325-691-3301
mysql troubles
/testuser] (from client localhost port 500)
auth: Failed to validate the user.
Login incorrect: [testuser/testuser] (from client localhost port 500)
Delaying request 2 for 1 seconds
Finished request 2

But, when I run the same SQL command from the radius server's mysql client I get:

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' ORDER BY id;
+----+----------+---------------+----------+----+
| id | UserName | Attribute     | Value    | op |
+----+----------+---------------+----------+----+
|  8 | testuser | User-Password | testuser | == |
+----+----------+---------------+----------+----+
1 row in set (0.04 sec)

If I put the user in the users file, the correct post-auth sql query is executed and the accounting record is correctly inserted into the db. So in summary, I am confused why radius says rlm_sql (sql): No matching entry in the database for request from user [testuser] when the above SQL does find it. I know it must be something incredibly stupid I have missed but I can't seem to find it. Any help at this point would be greatly appreciated.
-- Lewis Bergman Texas Communications 4309 Maple ST. Abilene, TX 79602 325-691-3301
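A small model of how the first-line items of a users or hints entry are evaluated, added here as my own code (not from FreeRADIUS and not from either thread) because it makes two things in these messages concrete: the hints rule from the "add a realm to a User-Name if no realm" thread, which appends a realm only when the NAS matches and the name has no '@', and the difference in the radcheck rows above between User-Password == x, which compares against what the packet carries, and User-Password := x, which supplies the known-good password the PAP check needs. Operator semantics follow man 5 users; treating an absent attribute as a failed comparison is a simplification of what the server does, hints apply the first matching entry only, the realm dom.com and the NAS-Identifier values are made up, and the obfuscated reply value in the hints entry is assumed to have been the usual %{User-Name}@realm expansion.

```python
import re
from typing import Dict, List, Optional, Tuple

Item = Tuple[str, str, str]              # (attribute, operator, value) as written on an entry line
Entry = Tuple[List[Item], List[Item]]    # (check items, reply/update items)
COMPARE_OPS = ("==", "!=", "=~", "!~")


def compare(item: Item, request: Dict[str, str]) -> bool:
    """Comparison operators test the attribute the NAS actually sent."""
    attr, op, value = item
    if attr not in request:
        return False                     # simplification, see the lead-in
    actual = request[attr]
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    return re.search(value, actual) is None          # "!~"


def evaluate(checks: List[Item], request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """All comparison items must match.  := and = items on the check line are
    never compared with the packet; they become config items for later modules
    (a := User-Password is the known-good password PAP/CHAP compare against).
    Returns the config items on a match, None when the entry does not match."""
    config: Dict[str, str] = {}
    for attr, op, value in checks:
        if op in COMPARE_OPS:
            if not compare((attr, op, value), request):
                return None
        elif op == ":=" or (op == "=" and attr not in config):
            config[attr] = value
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return config


def expand(value: str, request: Dict[str, str]) -> str:
    """Just enough %{Attribute} expansion for the realm rewrite."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", lambda m: request.get(m.group(1), ""), value)


def apply_hints(hints: List[Entry], request: Dict[str, str]) -> Dict[str, str]:
    """hints file: the first matching entry rewrites the request (:= replaces,
    = adds only when the attribute is absent) and no further entries are tried."""
    new = dict(request)
    for checks, updates in hints:
        if evaluate(checks, request) is None:
            continue
        for attr, op, value in updates:
            if op == ":=" or (op == "=" and attr not in new):
                new[attr] = expand(value, request)
        break
    return new


def pap_authenticate(config: Dict[str, str], request: Dict[str, str]) -> Tuple[bool, str]:
    """PAP compares the packet's (already decrypted) User-Password with the
    reference password from the config items; with none there is nothing to
    check against and the request cannot be accepted."""
    ref = config.get("User-Password")
    if ref is None:
        return False, "no known-good password in the config items"
    return request.get("User-Password") == ref, "PAP"


# Alan's hints entry, with the obfuscated reply value assumed to be the usual idiom:
#   DEFAULT User-Name !~ .*@, NAS-Identifier == foo
#           User-Name := %{User-Name}@dom.com
HINTS: List[Entry] = [
    ([("User-Name", "!~", r".*@"), ("NAS-Identifier", "==", "foo")],
     [("User-Name", ":=", "%{User-Name}@dom.com")]),
]


def demo() -> Dict[str, object]:
    """Constructed requests and the two forms of the radcheck row from the thread."""
    ok = {"User-Name": "luqe", "NAS-Identifier": "foo", "User-Password": "mypassword"}
    bad = {"User-Name": "luqe", "NAS-Identifier": "foo", "User-Password": "guess"}
    has_realm = {"User-Name": "luqe@other.org", "NAS-Identifier": "foo"}
    other_nas = {"User-Name": "luqe", "NAS-Identifier": "bar"}
    row_eq = [("User-Name", "==", "luqe"), ("User-Password", "==", "mypassword")]
    row_set = [("User-Name", "==", "luqe"), ("User-Password", ":=", "mypassword")]
    return {
        "hint_no_realm": apply_hints(HINTS, ok)["User-Name"],          # realm appended
        "hint_has_realm": apply_hints(HINTS, has_realm)["User-Name"],  # left alone
        "hint_other_nas": apply_hints(HINTS, other_nas)["User-Name"],  # left alone
        # '==': the row is a filter on the packet and leaves no reference password behind
        "eq_good_pw": pap_authenticate(evaluate(row_eq, ok) or {}, ok),
        "eq_bad_pw_matches": evaluate(row_eq, bad) is not None,
        # ':=': the row matches on User-Name alone and hands PAP the password to check
        "set_good_pw": pap_authenticate(evaluate(row_set, ok) or {}, ok),
        "set_bad_pw": pap_authenticate(evaluate(row_set, bad) or {}, bad),
    }
```

The point of the two radcheck rows: with == the entry either filters the request out or matches and contributes nothing the authentication step can use, whereas with := the entry always matches the user and the password comparison happens in the PAP (or CHAP) module against the reference value, which is why := is the operator for a stored password.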
Re: Redundant Radius with Dynamic Data
[EMAIL PROTECTED] said: Is an SQL backend the best method? Would a shared SQL backend maintain the integrity of the allocated IP pool? I have experience with Freeradius and would like to continue with this platform, but is it the best one for what I am attempting?
An SQL backend is one way to do it. I am using the MySQL 4.1.10-Max cluster version so any node can read or write. This gives you a true HA RADIUS model. I haven't implemented the multiple SQL server part in radius yet though. Still need to do that. -- Lewis Bergman
Re: sql failover
Michel van Dop said: Hi, sorry for my bad English! I have tried everything to have it working with failover mysql db's. Something I am not seeing. I know there is a bug in the accounting redundant. I hope someone can look at my configs and debugging log in this message and can tell me the problem so I can use the freeradius servers, this is the last step! I am using Fedora Core 1 and freeradius-0.9.3-1.1, freeradius-mysql-0.9.3-1.1 (standard rpm Fedora). I have 2 servers, same versions, and I have the same problems. With one db in the radius config it works; I tested both mysql servers.
This probably isn't the answer you want but here goes. If you are looking for redundant mysql accounting or auth why not use MySQL-max db clustering and compile freeradius from source against that. The setup is pretty well documented and works very well. freeradius works with it very well. -- Lewis Bergman
Re: Installing FreeRadius on RedHat 9 with MySql
C. Townsend said: I've been attempting to install FreeRadius on a RH9 server with MySQL. I've gotten MySQL installed with some coaxing, as well as running the creation scripts for the MySQL schema: /src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql The configure seems to work alright. When I execute the make I get the following error messages:
Did you install the mysql-devel rpms? I had the same errors when I had the incorrect libraries installed. -- Lewis Bergman
Re: Suggestion
Amit Gupta said: I have a suggestion. We can create an online community at Yahoo/MSN messengers for fast resolution of problems.
By whom? The same people on this list? If so, what do you find unique about that system that this one does not support? Even my stupid questions have been answered. Most times not before I figured them out myself, meaning I shouldn't have posted them anyway. There seems to be something about posting a question to the list that lends an extra little drive to solve your own problem. -- Lewis Bergman
Apache2
By the way, the standard apache2 way of setting output filters appears to be broken in at least the RH rpms. You have to add the old Application-type directive from Apache1 to get php to work. Funnily enough, Apache2 doesn't seem to report in the log whether php is enabled or not. Unless you set a high debug level it will also not tell you the output filter couldn't be added. -- Lewis Bergman
Re: radius-1.0.1 die randomly
Roger Peña Escobio wrote: the environment is: OS: WhiteBox3 (RHEL3 clone) with all the updates; freeradius rebuilt from the last SRPM provided by RH (1.0.1-1) (we need experimental modules: sqlcounter)
Make sure you are using their rpms for mysql as well. I had problems using binaries from mysql and the rpms for freeradius. Works great after recompiling freeradius from source against the mysql libraries. -- Lewis Bergman
error on make with MySQL
I apologize for posting an earlier question about a binary to a list that doesn't supply one. I am trying to build freeradius (latest) against MySQL-supplied binaries for version 4.1.8. I have installed MySQL-client-4.1.8-0.i386.rpm, MySQL-devel-4.1.8-0.i386.rpm, and MySQL-shared-4.1.8-0.i386.rpm, the last one just in case. The configure is fine but the make fails on mysql with this:
/usr/bin/ld: cannot find -lz
collect2: ld returned 1 exit status
gmake[10]: *** [rlm_sql_mysql.la] Error 1
gmake[10]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gmake[9]: *** [common] Error 1
gmake[9]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[8]: *** [dynamic] Error 2
gmake[8]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql/drivers'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
gmake[6]: *** [dynamic] Error 2
gmake[6]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/root/freeradius-1.0.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-1.0.1/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/root/freeradius-1.0.1'
make: *** [all] Error 2
And I also notice this entry earlier that might have something to do with it:
In file included from /usr/include/mysql/mysql.h:57, from sql_mysql.c:40:
/usr/include/mysql/mysql_com.h:261:5: warning: MYSQL_VERSION_ID is not defined
In file included from sql_mysql.c:40:
Then a bunch of errors concerning the sql_mysql.c file are mentioned, like the following:
sql_mysql.c: In function `sql_destroy_socket':
sql_mysql.c:103: warning: unused parameter `config'
Has anybody else tried to compile freeradius against 4.1.8 and if so, how did that go? -- Lewis Bergman
Re: error on make with MySQL
Lewis Bergman wrote: Has anybody else tried to compile freeradius against 4.1.8 and if so, how did that go?
Asked too soon. It ended up being the lack of openssl libs causing the error. -- Lewis Bergman
dialup_admin - blank right frames
Freeradius 1.0.1, Mysql-max-4.1.8, Apache 2.0.46, PHP 4.2.3 (from rpm), register globals On, Magic Quotes Off.
Most of the right frames come back empty. Technically, they come back with some html but no information. No php errors are reported. To try and find out what is going on I inserted some print statements into the user_stats.php3 file. All the statements print until I get to the line that has $start = da_sql_escape_string($start);. After that nothing prints. Normally I would expect some kind of php error if execution stopped but I don't get anything. I compiled freeradius against 4.1.8-max libs and headers with the standard ./configure, make, make install stuff. I saw a post from March 2003 about blank right frames likely being a directory problem. I have followed the directions and linked the dialup_admin/htdocs dir to another dir in my web server's space so I don't think that is it. Any ideas on where to look from here? -- Lewis Bergman
mysql cluster 4.1.8-max and freeradius
I searched the list history and found one discussion about this mentioning the use of radreply. I would prefer to use the mysql-cluster I already have built if possible. While running radius -Xyz I get these error lines relating to the problem:
rlm_sql (sql): Trying to (re)connect unconnected handle 4..
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
rlm_sql_mysql: Mysql error 'Client does not support authentication protocol requested by server; consider upgrading MySQL client'
rlm_sql (sql): Failed to connect DB handle #4
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 1
modcall[authorize]: module sql returns fail for request 1
modcall: group authorize returns fail for request 1
There was no response configured: rejecting request 1
The mysql binary supplied by the rpm on my system failed with the same error so I simply copied over it with the mysql binary from my 4.1.8-max binary and it works now. So I guess the big question remains, is anyone interested in building a rlm_sql that is compatible with the 4.1.8 mysql-max out there now? I sincerely thank you for your time, -- Lewis Bergman
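The debug output above shows the operational shape of this failure: the MySQL client library that rlm_sql was linked against cannot complete the newer password handshake that MySQL 4.1 servers use, every handle in the pool ends up unconnected, the sql module returns fail, and the server rejects the request. The following added example (not from the list or from the FreeRADIUS project) is a small triage routine that reads radiusd -X output, extracts the instance name, the failed handles, the MySQL error text and the rejected request ids, and classifies the authentication-protocol mismatch separately from other connection errors so it can be alerted on. The sample text is a constructed excerpt of the lines quoted in the post, with the redacted user@host replaced by a placeholder.

```python
import re

# Constructed excerpt of `radiusd -X` output, built from the lines quoted in
# the post. The DB user@host is a placeholder, not a real system.
SAMPLE_DEBUG = """\
rlm_sql (sql): Trying to (re)connect unconnected handle 4..
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql_mysql: Couldn't connect socket to MySQL server radius@db.example.invalid:radius
rlm_sql_mysql: Mysql error 'Client does not support authentication protocol requested by server; consider upgrading MySQL client'
rlm_sql (sql): Failed to connect DB handle #4
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 1
modcall[authorize]: module sql returns fail for request 1
modcall: group authorize returns fail for request 1
There was no response configured: rejecting request 1
"""

# Patterns for the rlm_sql / rlm_sql_mysql debug lines seen in the post.
FAILED_HANDLE = re.compile(r"rlm_sql \((\w+)\): Failed to connect DB handle #(\d+)")
MYSQL_ERROR = re.compile(r"rlm_sql_mysql: Mysql error '([^']*)'")
NO_HANDLES = re.compile(
    r"rlm_sql \((\w+)\): There are no DB handles to use! "
    r"skipped (\d+), tried to connect (\d+)"
)
REJECTED = re.compile(r"rejecting request (\d+)")


def triage_sql_pool(debug_text):
    """Summarise rlm_sql connection failures found in radiusd -X output."""
    summary = {
        "instance": None,          # rlm_sql instance name, e.g. "sql"
        "failed_handles": [],      # handle numbers whose connect attempt failed
        "mysql_errors": [],        # error strings reported by the MySQL client
        "pool_exhausted": False,   # True once "There are no DB handles" is seen
        "skipped": 0,              # handles skipped as already unconnected
        "rejected_requests": [],   # request ids rejected as a consequence
    }
    for line in debug_text.splitlines():
        m = FAILED_HANDLE.search(line)
        if m:
            summary["instance"] = m.group(1)
            summary["failed_handles"].append(int(m.group(2)))
            continue
        m = MYSQL_ERROR.search(line)
        if m:
            summary["mysql_errors"].append(m.group(1))
            continue
        m = NO_HANDLES.search(line)
        if m:
            summary["instance"] = m.group(1)
            summary["pool_exhausted"] = True
            summary["skipped"] = int(m.group(2))
            continue
        m = REJECTED.search(line)
        if m:
            summary["rejected_requests"].append(int(m.group(1)))
    return summary


def is_auth_protocol_mismatch(summary):
    """True when the client library is too old for the server's handshake."""
    return any(
        "does not support authentication protocol" in err
        for err in summary["mysql_errors"]
    )


if __name__ == "__main__":
    result = triage_sql_pool(SAMPLE_DEBUG)
    print("instance:", result["instance"])
    print("failed handles:", result["failed_handles"])
    print("pool exhausted:", result["pool_exhausted"], "skipped:", result["skipped"])
    print("rejected requests:", result["rejected_requests"])
    print("client/server auth protocol mismatch:", is_auth_protocol_mismatch(result))
```

The useful signal for monitoring is the combination of pool_exhausted and a non-empty rejected_requests list: the server is failing closed, so every user of that instance is being turned away until the pool reconnects, and the mysql_errors text tells you whether the cause is the library mismatch from this thread or something else such as credentials or reachability.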