Re: Learning Freeradius Server
11/13/2009 01:30 PM, Wagner Pereira:
> On the other hand, maybe it's a good idea you start to test freeradius with the simplest way to authenticate: using /etc/passwd.

This is not the simplest way: using /etc/freeradius/users is _the_ simplest way.

--
IT Architect at Blueline/Gulfsat: System Administration, Research and Development
+261 33 11 207 36
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius with 3COM
11/11/2009 01:42 PM, Rafael Fernandes:
> So, if anyone has any idea to help me.

http://www.google.com/search?q=3com+forum

Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
11/11/2009 08:12 PM, Wagner Pereira:
> I think this picture

Uh??? Your computer doesn't let you copy/paste MySQL output as text???

Re: Cannot upgrade to 2.1.7
11/10/2009 11:35 AM, kachin Agarwal:
> I think I've found the problem. It is not able to find the gdbm.h file from /usr/include.

Why don't you just reply to, instead of creating a new mail?

Why don't you install the freeradius bundled with your distribution?

Re: Freeradius-Users Digest, Vol 55, Issue 38
11/10/2009 03:33 PM, Peter Carlstedt:
> *_Changes in control:_* [...]
> _*Changes in rules*_: [...]

You could just have used 'patch -Naur' (or something similar)

For your other questions: Ask on the debian-mentors mailing list.

Re: Freeradius set up help
11/10/2009 06:10 AM, Horchem Gary:
> let me try to send this again the last one I sent the list server said it was too large

'freeradius -X' output shows us:
- how you configured your freeradius
- debug output

You'd better give us 'freeradius -X' output, using something like http://pastebin.ca/

Re: acct_postgresql+auth_ldap
10/09/2009 04:05 PM, José Johnny RANDRIAMAMPIONONA:
> Thank u guys!

Please keep us in touch. And if you kept some history of what you've done, I am interested in it.

Re: acct_postgresql+auth_ldap
10/09/2009 01:58 PM, José Johnny RANDRIAMAMPIONONA:
> Hi all, I'd like to know if someone has already tried to do the accounting (only accounting) thing with postgres and authentication with OpenLdap?

I am going to try that. Not yet, but I will. And I think it's globally about:

auth { ldap }
accounting { sql }

Authenticating and Accounting are independent. For example, using radclient, I can directly account without auth-ing. It's up to the NAS (RADIUS client) to send the User-Name to the RADIUS when Start/Stopping accounting, so that you _always_ know what User-Name is concerned by the accounting packet.

PS: that is just my understanding of the thing, I really expect people to kindly correct if I am wrong.

Re: rlm
09/30/2009 03:35 AM, José Johnny RANDRIAMAMPIONONA:
> I solved the problem. I think it'll be better to put it in a tutorial or something (I'll do it)!

Please, yes. I intend to switch AUTH to LDAP and keep PGSQL for ACCT, your feedback is important to me.

Re: rlm
09/28/2009 07:32 AM, José Johnny RANDRIAMAMPIONONA:
> I posted this problem a week ago

I think the best thing is first not to setup from sources. Give a try to _packages_. They are pretty good for

If your distribution does not include packages for that, then change distribution. :-)

Re: your mail
09/28/2009 03:09 PM, Alan Buxey:
> FreeRADIUS can handle several hundred AAA per second without issues..but you put something in its way that is slow - LDAP lookup,

kidding troll LDAP lookup is always fast ;-) Slowness is only for relational stuff /

Re: account expiration attribute
09/25/2009 03:46 PM, Ivan Kalik:
> Why, oh why, do people trawl the internet for outdated and inaccurate

Ivan, this is just the result of: http://www.google.com/search?q=radius+expiration+attribute (the results ranking may differ, we are not near)

I usually tend to make the web search before searching the docs, at least to see whether:
- the doc exists
- I am alone to have my problem

It's just an informative step, that is going to be followed by the documentation you pointed out.

Re: account expiration attribute
09/24/2009 12:03 PM, Ivan Kalik:
>> What RADIUS attribute would suit to account expiration?
> Expiration.

I cannot find its documentation (its syntax)

A hint: http://www.open.com.au/pipermail/radiator/2008-July/014935.html

But not more... A help?

Re: account expiration attribute
09/25/2009 02:59 PM, Rakotomandimby Mihamina:
> 09/24/2009 12:03 PM, Ivan Kalik:
>>> What RADIUS attribute would suit to account expiration?
>> Expiration.
> I cannot find its documentation (its syntax)

http://www.portmasters.com/tech/docs/pdf/radius-release20.pdf

"In RADIUS 1.16, if a user record contained an incorrectly formatted Expiration date (for example, the Expiration check item was “Oct 1 1996”, rather than “Oct 01 1996”), the user would be authenticated even after this expiration date. With RADIUS server 2.0, attempts on or after the expiration date display an Account has expired message. Incorrectly formatted expiration dates are now logged."

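Added example, not part of the original post and not code from any RADIUS server: the release note quoted above describes a check that failed open on a malformed Expiration value. The sketch below treats the two-digit-day form from that note ("Oct 01 1996") as the only valid format, an assumption of this example, and rejects anything else; the user records are constructed sample data.

```python
import re
from datetime import date

# Month abbreviations spelled out so parsing does not depend on the locale.
MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Strict form from the quoted release note: three-letter month,
# two-digit day, four-digit year ("Oct 01 1996"). "Oct 1 1996" does not match.
STRICT = re.compile(r"^([A-Z][a-z]{2}) (\d{2}) (\d{4})$")


def parse_expiration(value):
    """Return a date for a strictly formatted value, or None if malformed."""
    match = STRICT.match(value)
    if not match or match.group(1) not in MONTHS:
        return None
    try:
        return date(int(match.group(3)), MONTHS[match.group(1)],
                    int(match.group(2)))
    except ValueError:
        # Well-shaped but impossible, e.g. "Feb 30 1997".
        return None


def check_expiration(value, today):
    """Return (decision, reason) for one Expiration check item.

    A value that cannot be parsed is rejected rather than ignored, so a
    typo in the user record can never extend an account's validity.
    """
    expires = parse_expiration(value)
    if expires is None:
        return ("reject", "malformed Expiration %r" % value)
    if today >= expires:
        # "attempts on or after the expiration date" are refused.
        return ("reject", "Account has expired")
    return ("accept", "valid until %s" % expires.isoformat())


def audit(records, today):
    """Return (user, reason) for every record that would be rejected."""
    findings = []
    for user, value in records:
        decision, reason = check_expiration(value, today)
        if decision == "reject":
            findings.append((user, reason))
    return findings


# Constructed sample records: (user name, Expiration check item).
SAMPLE_RECORDS = [
    ("alice", "Oct 01 1996"),   # well formed, still valid
    ("bob", "Oct 1 1996"),      # the malformed form from the release note
    ("carol", "Sep 15 1996"),   # well formed, already expired
    ("dave", "Feb 30 1997"),    # right shape, impossible date
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_RECORDS, date(1996, 9, 20)):
        print("%s: %s" % (user, reason))
```

Running `audit` over the stored records before a migration lists the entries that an older, fail-open check would have let through.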
account expiration attribute
Hi all,

What RADIUS attribute would suit to account expiration?

the context:
- prepaid users must regularly add credit to his account
  - big credit - big validity extension
  - small credit - small validity extension
- no account removal, just auth reject if validity date passed

Credit adding and account validity extension is not managed by the RADIUS stuff, it's about a manual external insert.

What we just need is the right RADIUS attribute to be checked during auth, in order to reject if the date is passed.

Thanks for any help.

Encryption (Was: known good error)
09/24/2009 04:12 PM, wessam seleem:
> Note that I changed my real password and its encryption to secure my data.

By the way, as far as I know (and I might know nothing), encryption _is_ because guessing the password from its encrypted hash is _not_ possible.

Re: Failed to link to module rlm_ldap
09/24/2009 04:54 PM, José Johnny RANDRIAMAMPIONONA:
> I rebuilt it (./configure --prefix=/usr/local/freeradius-server.2.1.6/) and it seems that there is a library problem (I had this kind of problem in the past, but I forgot what I did to fix it).

What packages are installed? Didn't you miss the -dev or -devel packages?

Re: using SQL, where is Session-Timeout updated?
09/18/2009 12:51 PM, Ivan Kalik:
>>> You need sqlcounter (counter.conf) for that.
>> Found. but no UPDATE query in it.
> Oddly enough, counter doesn't update anything - it COUNTS.

OK, Attached is my 'default' file, and the 'freeradius -X' output.

the counter (in counter.conf) is:

sqlcounter dailycounter {
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    reply-name = Session-Timeout
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = SELECT SUM(AcctSessionTime - \
        GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
}

What is wrong? freeradius does not start because SQL Counter modules aren't allowed in 'accounting' sections. It is told to put it in 'accounting'...

FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Sep 7 2008 at 17:42:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/postgresql/dialup.conf
including configuration file /etc/freeradius/sql/postgresql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
    prefix = /usr
    localstatedir = /var
    logdir = /var/log/freeradius
    libdir = /usr/lib/freeradius
    radacctdir = /var/log/freeradius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = /var/run/freeradius/freeradius.pid
    user = freerad
    group = freerad
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = testing123
    nastype = other
}
client 41.204.0.0/16 {
    require_message_authenticator = no
    secret = testing123-2
    shortname = quarante-un-deux-cent-quatre
}
radiusd: Loading Realms and Home Servers
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = auth
    secret = testing123
    response_window = 20
    max_outstanding = 65536
    zombie_period = 40
    status_check = status-server
    ping_check = none
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Instantiating modules
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_sqlcounter
Module: Instantiating dailycounter
sqlcounter dailycounter {
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    reply-name = Session-Timeout
    key = User-Name
    sqlmod-inst = sql
    query = SELECT SUM(AcctSessionTime - GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime '%b'
    reset = daily
    safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
}
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 11273
rlm_sqlcounter: Check attribute Max-Daily-Session is number 11274
rlm_sqlcounter: Current Time: 1253282691 [2009-09-18 14:04:51], Next

Re: using SQL, where is Session-Timeout updated?
09/18/2009 05:41 PM, Ivan Kalik:
>> sqlcounter dailycounter {
>>     counter-name = Daily-Session-Time
>>     check-name = Max-Daily-Session
>>     reply-name = Session-Timeout
>>     sqlmod-inst = sql
>>     key = User-Name
>>     reset = daily
>>     query = SELECT SUM(AcctSessionTime - \
>>         GREATER((%b - AcctStartTime::ABSTIME::INT4), ...
>> }
>> What is wrong? freeradius does not start because SQL Counter modules aren't allowed in 'accounting' sections. It is told to put it in 'accounting'...
> No, you weren't told to put it there. Read again my message about where are you supposed to list it.

from stock radiusd.conf, around line #1488:

# [...]
# The module should be added in the instantiate, authorize and
# accounting sections. [...]

Ivan, I merged your explanation with what is in the documentation. Of course you did not tell me accounting but, I read it in radiusd.conf.

Should I remove it from accounting {...} or move it elsewhere?

When I think about it, placing it in accounting is a bit useless, because the counter call occurs when radreply (after authentication). It seems logical not to have to put it in here... But as I am just beginning with RADIUS in general,... Your advice is welcome.

Re: Simultaneous-Use := 1
09/11/2009 07:02 PM, Ivan Kalik:
>> Because of legacy application requiring exotic schema, we are obliged to play with it. The problem is I cannot have
>>
>> +----+----------+--------------------+----+-------+
>> | id | UserName | Attribute          | op | Value |
>> +----+----------+--------------------+----+-------+
>> |  1 | bartek   | Cleartext-Password | := | 1234  |
>> |  3 | bartek   | Simultaneous-Use   | := | 1     |
>> +----+----------+--------------------+----+-------+
>>
>> With our schema, but only
>>
>> +----+----------+--------------------+----+-------+
>> | id | UserName | Attribute          | op | Value |
>> +----+----------+--------------------+----+-------+
>> |  1 | bartek   | Cleartext-Password | := | 1234  |
>> +----+----------+--------------------+----+-------+
>>
>> Where should I specify a default Simultaneous-Use := 1 in a file, so that it wouldn't be mandatory to return it from the authorize_check_query?
> Just put it in users file:
> bartek Simultaneous-Use:=1

Are users file attributes merged with the SQL ones? Which has precedence? Does it depend on the order specified in radiusd.conf?

Simultaneous-Use := 1
Hi all,

Using Freeradius v2

We use only PGSQL (no users file) and a custom schema

Just an example:

authorize_check_query = SELECT * FROM f_authorize_check_query2('%{SQL-User-Name}','%{User-Password}' =

We play much with FUNCTIONs in PGSQL. Because of legacy application requiring exotic schema, we are obliged to play with it. The problem is I cannot have

+----+----------+--------------------+----+-------+
| id | UserName | Attribute          | op | Value |
+----+----------+--------------------+----+-------+
|  1 | bartek   | Cleartext-Password | := | 1234  |
|  3 | bartek   | Simultaneous-Use   | := | 1     |
+----+----------+--------------------+----+-------+

With our schema, but only

+----+----------+--------------------+----+-------+
| id | UserName | Attribute          | op | Value |
+----+----------+--------------------+----+-------+
|  1 | bartek   | Cleartext-Password | := | 1234  |
+----+----------+--------------------+----+-------+

Where should I specify a default Simultaneous-Use := 1 in a file, so that it wouldn't be mandatory to return it from the authorize_check_query?

mix user storage
Hi all

Using freeradius 2.x for AAA, is it possible to mix LDAP and xxxSQL? I mean one of those cases (the only difference is about the credit):

case #1:
  LDAP:
  - username
  - password
  - MAC Address
  - NAS (the user is tied to that NAS)
  - credit (credit left)
  SQL
  - radacct

case #2:
  LDAP:
  - username
  - password
  - MAC Address
  - NAS (the user is tied to that NAS)
  SQL
  - radacct
  - credit (credit left)

Generally, often-written data will be stored in SQL, what is left will be stored in the LDAP.

Will it be very hard to setup? Any configuration hint?

Thank you.

username + password + MAC address
Hi all,

On a Radius version 2.x, we would like to tie a user to a MAC address. The auth key would then be the username, password and MAC address (Calling Station ID).

Where is the right place to do that?
- On the freeRadius? (any hint, please?)
- In the PGSQL behind? (using some FUNCTION, I have an idea of that)

Thank you.

Re: radius server 2.1.6 not storing data in radacct table..help
08/21/2009 12:14 PM, shivashankar:
> rlm_sql_oracle: execute query failed in sql_query: ORA-01400: cannot insert NULL into (RADIUSUSER.RADACCT.GROUPNAME)
> [...]
> in radacct table we have GROUPNAME is not null..

Allow it (GROUPNAME) to be NULL?

dumping radius queries
Hi all,

I am on the way to migrate a freeRadius V1 to a V2. I would like to log the queries submitted to the running V1, so that I could test them via 'radclient' to the V2, before switching to production stage.

So, on a V1.4, what kind of logging should I enable in order to have a dump of all the queries?

Thank you

Session-Timeout for unlimited?
Hi,

(Using freeRadius v2)

We have prepaid users, where the freeradius server should answer with some non null integer Session-Timeout. We have also postpaid users, where the session should be unlimited.

What is the Session-Timeout value corresponding to unlimited?

Thank you.

Re: Filter or restrict on NAS
08/03/2009 05:00 PM, Ivan Kalik:
> Yes, there are a few ways to do that. But what is bad NAS doing in the clients.conf in the first place? Or do you want to tie users to devices?

Yes, the goal is to tie a user to a specific NAS.

> To tie the user to a single device you need just NAS IP, for multiple devices you should use huntgroups/sqlhuntgroups.

Okay! Great.

LDAP (Was: urgent)
The output seems relatively obvious. FreeRADIUS tries to contact the LDAP server, and then everything stops. Install an LDAP server that works.

There is really a need of more LDAP-FreeRadius beginner documentation :-P

Re: urgent
08/04/2009 07:16 PM, RANDRIAMAMPIONONA José Johnny:
> U are right! It works with the userfile! I don't know exactly what's wrong because the LDAP server works with another application: it means that maybe the problem is in the configuration! (I followed the faq!) Help!

Now then it's more about:
http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
http://www.openldap.org/lists/

Filter or restrict on NAS
Hi all,

Configuration (Debian packaged):
- freeradius 2.0.4
- pgsql 8.3

When AUTHing and ACCounTing, the FreeRADIUS makes some SQL queries containing the NAS information. Currently, on our system, the query SELECTs a function and depending on that NAS information brought in the query we answer by an Access-Reject if from the bad NAS.

- Is there, in the default FreeRadius proposed SQL schema, a way to restrict on NAS?
- Is there a query (or table) just for that usage?

Re: rlm_ldap not found
07/29/2009 03:32 AM, RANDRIAMAMPIONONA José Johnny:
> Hi everyone, I have a problem concerning my configuration and I am wondering if somebody can help me. *freeradius-server-2.1.6* is installed without warning on *CentOS v5.3* ...configured on localhost and tested. Everything's OK.

You should first try some already packaged binaries.

:=, == and =
Hi all,

In a users file, I have for example:

# DEFAULT Group == disabled, Auth-Type := Reject
#       Reply-Message = Your account has been disabled.
# [...]
# steve Cleartext-Password := testing
#       Service-Type = Framed-User,
#       Framed-Protocol = PPP,
#       Framed-IP-Address = 172.16.3.33,
#       Framed-IP-Netmask = 255.255.255.0,
#       Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = std.ppp,
#       Framed-MTU = 1500,
#       Framed-Compression = Van-Jacobsen-TCP-IP

I have a few questions, and I am looking for the place they are documented. I don't have all the technical terms yet to make an efficient search.

- what is the difference between ':=', '==' and '='
- when do/don't I put a comma
- in the DEFAULT, I would like to append 'Simultaneous-Use := 1' [1], but what is the syntax if I want multiple DEFAULTs

After that, I will switch to PG-SQL, and looking at: http://wiki.freeradius.org/SQL_HOWTO, must I have something like:

+----+------------+--------------------+--------+----+
| id | UserName   | Attribute          | Value  | Op |
+----+------------+--------------------+--------+----+
|  1 | fredf      | Cleartext-Password | wilma  | := |
|  2 | barney     | Cleartext-Password | betty  | := |
|  2 | dialrouter | Cleartext-Password | dialup | := |
|    | fredf      | Simultaneous-Use   | 1      | := |
|    | barney     | Simultaneous-Use   | 1      | := |
|    | dialrouter | Simultaneous-Use   | 1      | := |
+----+------------+--------------------+--------+----+

In the database?

[1] In order to _help_ the Access controller to forbid simultaneous login

Re: :=, == and =
07/24/2009 11:14 AM, Rakotomandimby Mihamina:
> # DEFAULT Group == disabled, Auth-Type := Reject
> #       Reply-Message = Your account has been disabled.
>
> - in the DEFAULT, I would like to append 'Simultaneous-Use := 1' [1], but what is the syntax if I want multiple DEFAULTs

Not clear. I meant: I would like to add many default Attributes/Values, what is the syntax?

same login pass pair, different behaviour.
Hi all,

I have these users in my PGSQL table

 username | pwd
----------+---------
 u_3      | pwd_3
 u_one    | pwd_one
 u_two    | pwd_two

When testing with radtest:

miham...@rktmb:~$ radtest u_one pwd_one radius20 10 cot357
Sending Access-Request of id 240 to 41.204.103.216 port 1812
    User-Name = u_one
    User-Password = pwd_one
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 10
rad_recv: Access-Accept packet from host 41.204.103.216 port 1812, id=240, length=26
    Session-Timeout = 320

and freeradius -X trace:

[...]
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [u_one/pwd_one] (from client quarante_un_deux_cent_quatre port 10)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} - u_one
rlm_sql (sql): sql_set_user escaped user -- 'u_one'
expand: SELECT * FROM f_prepaid_activate('%{SQL-User-Name}') - SELECT * FROM f_prepaid_activate('u_one')
rlm_sql (sql) in sql_postauth: query is SELECT * FROM f_prepaid_activate('u_one')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 128 to 41.204.104.9 port 60642
    Session-Timeout = 320
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.

===

When trying through the coova web form, same login/pass: Failure.

Attached is the output of freeradius -X

My colleagues tell me coova must use CHAP for this project. What last setup is missing?

Thank you!

rad_recv: Access-Request packet from host 41.204.104.68 port 2072, id=37, length=304
    Vendor-14559-Attr-8 = 0x312e302e3131
    User-Name = u_one
    CHAP-Challenge = 0x3e05e8c330102b96a377b004612fb0b8
    CHAP-Password = 0x00a8a24ff230a41368ba7c0ceb0dccbd1f
    NAS-IP-Address = 41.204.104.68
    Service-Type = Login-User
    Framed-IP-Address = 10.111.0.130
    Calling-Station-Id = 00-14-2A-AB-4E-98
    Called-Station-Id = 00-1D-73-55-95-AD
    NAS-Identifier = 00-1D-73-55-95-AD
    Acct-Session-Id = 4a69b5820001
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    WISPr-Location-ID = isocc=MG,cc=,ac=,network=Coova,Blueline
    WISPr-Location-Name = COT_HOTSPOT
    WISPr-Logoff-URL = http://10.111.0.1:3660/logoff;
    Message-Authenticator = 0x0e1108c35fb77d938cff62ae367289b0
+- entering group authorize
++[preprocess] returns ok
rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
rlm_realm: No '@' in User-Name = u_one, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{User-Name} - u_one
rlm_sql (sql): sql_set_user escaped user -- 'u_one'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT * FROM f_authorize_check_query2('%{SQL-User-Name}','%{User-Password}','%{NAS-IP-Address}') - SELECT * FROM f_authorize_check_query2('u_one','','41.204.104.68')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): User found in radcheck table
expand: SELECT * FROM f_authorize_reply_query('%{SQL-User-Name}') - SELECT * FROM f_authorize_reply_query('u_one')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [u_one/CHAP-Password] (from client quarante_un_deux_cent_quatre port 1 cli 00-14-2A-AB-4E-98)
Found Post-Auth-Type Reject
+- entering group REJECT
++- group REJECT returns noop
Delaying reject of request 19 for 4 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 2.9 seconds.
Sending delayed reject for request 19
Sending Access-Reject of id 37 to 41.204.104.68 port 2072
    Session-Timeout = 320
Waking up in 4.9 seconds.
Cleaning up request 19 ID 37 with timestamp +331
Ready to process requests.
^C

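Added example, not part of the original post and not FreeRADIUS code: in the attached debug output the CHAP request carries CHAP-Password and CHAP-Challenge but no User-Password, which is why '%{User-Password}' expands to '' in the SQL call. The sketch below shows the CHAP check defined in RFC 2865 and why it needs the cleartext password on the server side; the request dictionaries, the challenge bytes and the helper names are constructed for illustration.

```python
import hashlib
import hmac


def chap_password(ident, cleartext, challenge):
    """Build a CHAP-Password value as the NAS does (RFC 2865, section 5.3).

    One CHAP identifier octet followed by MD5(ident + password + challenge).
    """
    digest = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(attr, challenge, cleartext):
    """Server side: recompute the digest from the stored cleartext password."""
    if len(attr) != 17:
        return False
    expected = chap_password(attr[0], cleartext, challenge)
    return hmac.compare_digest(expected, attr)


def sql_password_argument(request):
    """What a '%{User-Password}' expansion yields: '' if the attribute is absent."""
    return request.get("User-Password", b"").decode()


def authenticate(request, stored_password):
    """Choose the check from the attributes actually present in the request."""
    if "CHAP-Password" in request:
        challenge = request.get("CHAP-Challenge")
        if challenge is None:
            # RFC 2865 then uses the Request Authenticator; not modelled here.
            return False
        return verify_chap(request["CHAP-Password"], challenge, stored_password)
    if "User-Password" in request:
        return hmac.compare_digest(request["User-Password"], stored_password)
    return False


# Constructed sample requests for the user/password pair used in the post.
CHALLENGE = bytes(range(16))                      # constructed challenge
PAP_REQUEST = {"User-Name": b"u_one", "User-Password": b"pwd_one"}
CHAP_REQUEST = {
    "User-Name": b"u_one",
    "CHAP-Challenge": CHALLENGE,
    "CHAP-Password": chap_password(0, b"pwd_one", CHALLENGE),
}

if __name__ == "__main__":
    print("PAP  argument to SQL:", repr(sql_password_argument(PAP_REQUEST)))
    print("CHAP argument to SQL:", repr(sql_password_argument(CHAP_REQUEST)))
    print("CHAP ok with cleartext:", authenticate(CHAP_REQUEST, b"pwd_one"))
    # A stored one-way hash cannot reproduce the CHAP digest.
    hashed = hashlib.md5(b"pwd_one").hexdigest().encode()
    print("CHAP ok with stored hash:", authenticate(CHAP_REQUEST, hashed))
```

A password comparison done inside an SQL function therefore only sees an empty string for CHAP clients; the function has to return the Cleartext-Password check item and leave the comparison to the server.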
Re: same login pass pair, different behaviour.
07/24/2009 05:00 PM, Ivan Kalik:
>>  username | pwd
>> ----------+---------
>>  u_3      | pwd_3
>>  u_one    | pwd_one
>>  u_two    | pwd_two
> That's not freeradius schema.

Yes, I know, that table was not to show my current schema. Our current one is:

 id  | username | attribute          | value   | op
-----+----------+--------------------+---------+----
 111 | u_two    | Cleartext-Password | pwd_two | :=

But I solved the problem, there was a NAS filtering in place, so that if I connect from one NAS, there was the Reject.

FR1 - FR2: authenticate_query
I am in the process of migrating from freeradius v1.4 to v2.

I am running Debian Lenny, all installed from packages. I am first trying to merge the configuration. I use Postgresql behind.

In the v1:

###
# Authentication Query
###
#authenticate_query = SELECT Value,Attribute FROM ${authcheck_table} \
#   WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) \
#   ORDER BY Attribute DESC
authenticate_query = We put ours here.

# Postauth query
# postauth_query = INSERT INTO radreply (username, attribute,op,value) VALUES ('%{SQL-User-Name}', 'Session-Timeout', '=','100')

I did not find 'authenticate_query' in the v2 default 'postgresql/dialup.conf' file. Do I just have to add what we have in v1?

Re: Guide: Upgrading to version 2
07/23/2009 10:13 AM, Alan DeKok:
> I need to decide what else to do with the document. Knowing how many people are interested in it is a first step.

I am interested in. I just asked my boss if he would be tempted on buying: Waiting for some answer...

using (finding) mysql
Hi,

I would like my freeradius to use PG SQL (no UNIX /etc/passwd nor users flat file).

In /etc/freeradius/sites-enabled/default:

    [...]
    # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
    # using the system API's to get the password. If you want
    # to read /etc/passwd or /etc/shadow directly, see the
    # passwd module in radiusd.conf.
    #
    # unix

    # Read the 'users' file
    files

    # Look in an SQL database. The schema of the database
    # is meant to mirror the users file.
    #
    # See Authorization Queries in sql.conf
    sql

    # If you are using /etc/smbpasswd, and are also doing
    # mschap authentication, the un-comment this line, and
    # configure the 'etc_smbpasswd' module, above.
    # etc_smbpasswd
    [...]

The file containing the 'sql' module: /etc/freeradius/sql.conf

When I launch freeradius -X I got an error about finding the 'sql' module...:

    radius20:/etc/freeradius# freeradius -X
    FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Sep 7 2008 at 17:42:33
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including configuration file /etc/freeradius/snmp.conf
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/sql/postgresql/counter.conf
    including configuration file /etc/freeradius/policy.conf
    including files in directory /etc/freeradius/sites-enabled/
    including configuration file /etc/freeradius/sites-enabled/default
    including configuration file /etc/freeradius/sites-enabled/inner-tunnel
    including dictionary file /etc/freeradius/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/freeradius/freeradius.pid
        user = freerad
        group = freerad
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        security {
            max_attributes = 200
            reject_delay = 4
            status_server = yes
        }
    }
    client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
    }
    client 41.204.0.0/16 {
        require_message_authenticator = no
        secret = testing123
        shortname = quarante_un_deux_cent_quatre
        nastype = livingston
        login = !root
        password = someadminpas
    }
    radiusd: Loading Realms and Home Servers
    proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
    }
    home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = status-server
        ping_check = none
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
    }
    home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
    }
    realm example.com {
        auth_pool = my_auth_failover
    }
    realm LOCAL {
    }
    radiusd: Instantiating modules
    instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating exec
        exec {
            wait = yes
            input_pairs = request
            shell_escape = yes
        }
    Module: Linked to module rlm_expr
    Module: Instantiating expr
    Module: Linked to module rlm_expiration
    Module: Instantiating expiration
        expiration {
            reply-message = Password Has Expired
        }
    Module: Linked to module rlm_logintime
    Module: Instantiating logintime
        logintime {
            reply-message = You are calling outside your allowed timespan
            minimum-timeout = 60
        }
    }
    radiusd: Loading Virtual Servers
    server inner-tunnel {
    modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating pap
        pap {
            encryption_scheme = auto
            auto_header = yes
        }
    Module: Linked to module rlm_chap
    Module: Instantiating chap
    Module: Linked to module rlm_mschap
    Module: Instantiating mschap
        mschap {
            use_mppe = yes
            require_encryption = no
            require_strong = no
Re: Guide: Upgrading to version 2
07/23/2009 10:43 AM, Rakotomandimby Mihamina:
> Waiting for some answer...

I got: Ready to buy it. (dunno what reasonable is)
Re: using (finding) mysql
07/23/2009 11:34 AM, a.l.m.bu...@lboro.ac.uk:
> looks like you haven't got $INCLUDE sql.conf uncommented in your radiusd.conf

Yes. How could I have missed it, I grep'd with attention... Queries now reach the PG SQL server. Thank you.
login / password
Hi,

Our passwords are stored as clear text in a PostgreSQL database. The attached file tends to show CHAP is looking for something I don't understand. Would you have any suggestion? What's that "no known good password" that might fail authentication?

Testing with radtest gives the correct auth answers. I am now testing with the final client (coova).

    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including configuration file /etc/freeradius/snmp.conf
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/sql.conf
    including configuration file /etc/freeradius/sql/postgresql/dialup.conf
    including configuration file /etc/freeradius/sql/postgresql/counter.conf
    including configuration file /etc/freeradius/policy.conf
    including files in directory /etc/freeradius/sites-enabled/
    including configuration file /etc/freeradius/sites-enabled/default
    including configuration file /etc/freeradius/sites-enabled/inner-tunnel
    including dictionary file /etc/freeradius/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/freeradius/freeradius.pid
        user = freerad
        group = freerad
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        security {
            max_attributes = 200
            reject_delay = 4
            status_server = yes
        }
    }
    client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = cot357
        nastype = other
    }
    client 41.204.0.0/16 {
        require_message_authenticator = no
        secret = cot357
        shortname = quarante_un_deux_cent_quatre
        nastype = livingston
        login = !root
        password = someadminpas
    }
    radiusd: Loading Realms and Home Servers
    proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
    }
    home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = status-server
        ping_check = none
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
    }
    home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
    }
    realm example.com {
        auth_pool = my_auth_failover
    }
    realm LOCAL {
    }
    radiusd: Instantiating modules
    instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating exec
        exec {
            wait = yes
            input_pairs = request
            shell_escape = yes
        }
    Module: Linked to module rlm_expr
    Module: Instantiating expr
    Module: Linked to module rlm_expiration
    Module: Instantiating expiration
        expiration {
            reply-message = Password Has Expired
        }
    Module: Linked to module rlm_logintime
    Module: Instantiating logintime
        logintime {
            reply-message = You are calling outside your allowed timespan
            minimum-timeout = 60
        }
    }
    radiusd: Loading Virtual Servers
    server inner-tunnel {
    modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating pap
        pap {
            encryption_scheme = auto
            auto_header = yes
        }
    Module: Linked to module rlm_chap
    Module: Instantiating chap
    Module: Linked to module rlm_mschap
    Module: Instantiating mschap
        mschap {
            use_mppe = yes
            require_encryption = no
            require_strong = no
            with_ntdomain_hack = no
        }
    Module: Linked to module rlm_unix
    Module: Instantiating unix
        unix {
            radwtmp = /var/log/freeradius/radwtmp
        }
    Module: Linked to module rlm_eap
    Module: Instantiating eap
        eap {
            default_eap_type = md5
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = no
        }
    Module: Linked to sub-module rlm_eap_md5
    Module: Instantiating eap-md5
    Module: Linked to sub-module rlm_eap_leap
    Module: Instantiating eap-leap
    Module: Linked to sub-module rlm_eap_gtc
    Module: Instantiating
subject of emails....
07/22/2009 02:03 PM, Hanno Schupp: When replying, please edit your Subject line so it is more specific than Re: Contents of Freeradius-Users digest...
radtest for accounting
Hi all,

radtest allows me to basically test an account (login, pass,...). I would like to test the logout process now: what radtest friend is the one to use?

Thank you.

PS: I need it because at logout I have to process the remaining credit of the user.
Re: simple test,, how to go on?
07/01/2009 02:53 PM, Rakotomandimby Mihamina:

    [...]
    rlm_pap: login attempt with password mihamina
    rlm_pap: Using CRYPT encryption.
    rlm_pap: Passwords don't match
    ++[pap] returns reject
    [...]

The question: What have I got to put in the Cleartext-Password attribute in users in order to have Auth success?

Thank you.
freeradius on 64 bits
Hi all,

I see FreeRADIUS is Debian packaged for amd64:
http://packages.debian.org/search?keywords=freeradius&searchon=names&suite=all&section=all

Are there limitations or known bugs about using it on x86_64 (intel/amd only)?
supported encryption
Hi all,

At the moment, our FreeRadius (v1.x) is looking up users in a PGSQL database, with clear username and clear password in the fields. We would like to switch it to FreeRadius (v2.x) and by the way, crypt (SHA, just crypt(),...) the password in the database.

What encryption is supported by FreeRadius, so that I could just make the PGSQL query with the encrypted password?

Thank you.