RE: Re[5]: limiting sessions

2006-11-09 Thread Seferovic Edvin
radiusd -X

In debug mode you can see the attributes that are being sent back to your
NAS. If you want to see what comes to the NAS, please consult the documentation
of your NAS!

Regards,

E:S

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Long
Sent: Thursday, 09 November 2006 14:51
To: Alan DeKok; FreeRadius users mailing list
Subject: Re[5]: limiting sessions



 Andrew Long [EMAIL PROTECTED] wrote:
 I tried Session-Timeout but it doesn't seem to do the job.

   So... is it being sent back to the NAS?  If it is, then the NAS is
 ignoring it.  Go ask your NAS manufacturer for a refund, or for a
 firmware upgrade that implements RADIUS.

   Alan DeKok.

How would you suggest I verify the session-timeout is actually being
sent/received?

Andrew

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



how can I contribute ( configure options )

2006-10-23 Thread Seferovic Edvin
Sure. How can I help? English is not my native language, but I don't see
that as a problem. The only problem I see (at the moment) is that I am not
familiar with all modules of freeradius and their configure options (Alan
notices that some of them don't even have configure options etc.).

I have a few successful freeradius installations behind me and I wrote
a patch similar to the one Jonathan de Grave published on the mailing list
recently (mine has a hardcoded attribute ;) ).

I would appreciate some feedback on how I can contribute to the
freeradius project.

Regards,

E:S 

-Original Message-
From: Peter Nixon [mailto:[EMAIL PROTECTED]]
Sent: Monday, 23 October 2006 09:52
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: configure options

On Sun 22 Oct 2006 04:43, Seferovic Edvin wrote:
 Hello,

 wouldn't it be useful to publish all configure options ( like modules
 options ) in WIKI ?

Yes. That's a great idea. At present there are several hundred pages in the
wiki, and most of them were put there by either myself or Keven (Hi Kevin :-)

We would appreciate your help :-)

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



RE: configure options

2006-10-22 Thread Seferovic Edvin
 wouldn't it be useful to publish all configure options ( like modules
 options ) in WIKI ?

  Yes.

 I am trying to build debian packages for my machines
 with only those modules I need. And at the moment I don't have a clue how
 to deactivate the modules I don't need.

   Many modules don't even have configure scripts.  The solution is
 to either delete the source directory (src/modules/rlm_foo), or to
 delete the resulting rlm_foo.so files.

I wanted to deactivate the mysql module (rlm_sql). But since I built a debian
package, I was able to install only freeradius and freeradius-ldap, which
are needed for my setup. Something like this would surely be useful if it
were possible to enable/disable it in the configure script.

Thank you for your answer Alan !

Regards,

E:S



configure options

2006-10-21 Thread Seferovic Edvin
Hello,

wouldn't it be useful to publish all configure options ( like modules
options ) in WIKI ? I am trying to build debian packages for my machines
with only those modules I need. And at the moment I don't have a clue how to
deactivate the modules I don't need.

Regards,

E:S



RE: Proxy.conf clients.conf

2006-09-15 Thread Seferovic Edvin
Hello,

how do you expect the server to work if it doesn't know which clients are
allowed to use it? Commenting out the proxy.conf should not affect the
server if you do not need proxy features.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cliff Hayes
Sent: Friday, 15 September 2006 18:07
To: freeradius-users@lists.freeradius.org
Subject: Proxy.conf  clients.conf

Hello,

I am a new FreeRADIUS user.

The server is working for us.  However, I am wondering why it won't start if
I comment out the includes for clients.conf and proxy.conf.  Even setting to
debug level 3 doesn't tell me why.

We are not proxying, and I have proxying turned off.

Also, the clients file is almost completely commented out except for the
127.0.0.1 section, which the directions say should be commented out anyway
after testing.

Thanks in advance,

Cliff



RE: HOW-TO for Linux radius client

2006-09-01 Thread Seferovic Edvin
Hello,

what are you using as backend for freeradius server? If you use LDAP as
backend for freeradius, I really do NOT see the need for the use of RADIUS
protocol to do authentication for such services ( login, ssh etc ). It would
be easier if you implement auth against LDAP directory for such services, and
use RADIUS where it can serve the purpose ( full AAA ) !

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J. C. Desai
Sent: Friday, 01 September 2006 21:34
To: freeradius-users@lists.freeradius.org
Subject: HOW-TO for Linux radius client

Hi,

I am looking for a Linux client side HOW-TO for radius authentication
without requiring presence of the login id on client side locally.

The following is the authentication scenario I am trying:

1) I have freeRadius server installed on a RedHat Linux machine

2) I would like users logging into other RedHat Linux machines in our
network to have their login/passwd authenticated using freeRadius server
(for login, su, ssh, telnet, ftp etc. ways of accessing local client machines
in the network)

3) I do not want to use LDAP on server or client side

4) I am using PAM and have experimented with pam_radius_auth module
without success

5) The problem I am facing is that the login id has also to be defined
locally on client Linux machines --- otherwise, for example, the su command
fails indicating that the id does not exist (if I create the login id on
client locally, then it queries freeRadius server)

6) I do not want to add ldap to nsswitch.conf file of client --- just want
to stick to radius for now

In summary, is there a Linux client side HOW-TO for radius authentication
without requiring presence of the login id on client side locally?

Regards ... J. C. Desai

RE: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Seferovic Edvin
Set up the ldap module right for your server and map your NAS attributes to
the LDAP attributes ! Shouldn't be hard to set up !

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tilen
Sent: Wednesday, 30 August 2006 16:58
To: FreeRadius users mailing list
Subject: Re: Freeradius + OpenLDAP - user password problem

So, what I want to achieve is to authorize against OpenLDAP the
easiest way. I don't care if I use cleartext passwords or NT hashes. What would
be the fastest way to make things work? I'm running out of time for this.

RE: FreeRadius Log File ?

2006-06-29 Thread Seferovic Edvin
I think that freeRADIUS logs to /var/log/radius/. Look at this directory
and you will find out what log file you need !

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Miller
Sent: Thursday, 29 June 2006 16:26
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius Log File ?

Hello all - I have freeradius with mysql up and running perfectly.  I
recently upgraded from icradius because it seems to have dropped off the
face of the earth.  Anyways - there was a feature in icradius where I could
poll the log file to get customers authentication status.  I created a link
to a php file which referenced this log file for our techs to help with
troubleshooting.  The file looks like this:


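<?php

include('header.php');
$file = "/var/log/radius.log";
$limit = 60;

// Show the last $limit lines of the log
$fp = popen("/usr/bin/tail -$limit $file", 'r');
if (!$fp) {
    echo 'unable to pipe command';
} else {
    while (($line = fgets($fp, 4096)) !== false) {
        // Log lines carry user-supplied names, so escape them before output
        print htmlspecialchars($line) . "<br>";
    }
    pclose($fp);
}

include('footer.php');
?>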

But - there doesn't seem to be any log file I can poll this type of info
from.  Here's an excerpt of what I was able to get with the above:

Wed Jun 28 13:22:13 2006: Auth: Login OK: [sshort] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:22:56 2006: Auth: Login OK: [lilia] (from nas Cisco AS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:23:03 2006: Auth: Login OK: [eaglesight] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:23:56 2006: Auth: Login OK: [dierman] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:23:58 2006: Auth: Login OK: [rprice] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:25:32 2006: Auth: Login OK: [hafens] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:25:43 2006: Auth: Login OK: [edie_a] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:26:09 2006: Auth: Login OK: [megameg] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:26:35 2006: Auth: Login OK: [stinger] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 13:26:39 2006: Auth: Login OK: [inahat] (from nas CiscoAS5300/S0) socket 0 (0 sec)
Wed Jun 28 14:26:57 2006: Auth: Login OK: [cafe] (from nascore219.interbel.net/S10101001) socket 0 (0 sec)


Do we have a log file we can poll this type of info from, or does it store
it in the mysql database somewhere?

Thanks,
Scott Miller






RE: FreeRADIUS + LDAP Authentication/Authorization + MySQL Accounting

2006-06-15 Thread Seferovic Edvin
-Authentication through LDAP

YES. Using it currently !

-Authorization through LDAP

YES. See above :)

-Accounting through MySQL

YES. Doing traffic accounting. 
 
I have multiple Cisco and Foundry devices on my network.  The RADIUS server
will primarily be used for AAA for Telnet/SSH logins and eventually VPN
dialin accounts.  Is FreeRADIUS the software I should use?

RADIUS provides AAA features and freeRADIUS is just one hell of a software
:) I am using ProCurve with RADIUS support and I didn't have any troubles
setting it up. ProCurve is based ( IMHO ) on Cisco software ( not 100% ) so
you should be able to do whatever you need. 

Regards,

Edvin Seferovic




RE: Peculiar Input/Output Octet Data In Alive/Stop Packets

2006-06-13 Thread Seferovic Edvin
Hello,

is the timestamp in the Accounting packet really important for your
monitoring purposes?

Regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim O'Donovan
Sent: Tuesday, 13 June 2006 21:19
To: freeradius-users@lists.freeradius.org
Subject: Peculiar Input/Output Octet Data In Alive/Stop Packets

Hi,

The majority of alive and stop packets received by our FreeRadius server
contain correct input and output octet data, but there are a number of
users that receive a UNIX time formatted integer translating to midnight
of the day the packet was received instead of the correct data.

Here's an example of such a packet, note the output octets:

Tue Jun 13 16:05:30 2006
 User-Name = [EMAIL PROTECTED]
 NAS-IP-Address = xxx.xxx.xxx.xxx
 NAS-Port = 29
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-IP-Address = xxx.xxx.xxx.xxx
 Proxy-State = 0x42543030326436336366643134
 Acct-Status-Type = Alive
 Acct-Delay-Time = 0
 Acct-Input-Octets = 899858807
 Acct-Output-Octets = 1150153200
 Acct-Session-Id = 0002576E
 Acct-Authentic = RADIUS
 Acct-Session-Time = 1583103
 Acct-Input-Packets = 7437599
 Acct-Output-Packets = 8973389
 NAS-Port-Type = Virtual
 Client-IP-Address = xxx.xxx.xxx.xxx
 Acct-Unique-Session-Id = 372fc40c32b2b500
 Timestamp = 1150211130


The output octets figure 1150153200 translates to Tue Jun 13 00:00:00
2006 GMT.

We currently do not have direct access to the NAS servers that are
sending across this data, but we have worked together with our provider
towards replicating this through testing. In each case the expected data
is reported and we have yet to reproduce the error manually.

As the data transfer has only recently become an area we wish to monitor
and log, it is impossible to tell whether this has always been occurring.

Has anyone experienced this before?

Any help or advice would be greatly appreciated.


Kind regards,
Tim O'Donovan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
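
A check for the anomaly described in this message, as an added example that is not part of the original thread: it parses detail-file records and flags octet counters equal to midnight of the record's day as a UNIX timestamp, using the UTC offset implied by the record header and its Timestamp attribute (UTC midnight is checked as well). The sample text is constructed from the values quoted above with placeholder user names, and the function names are illustrative.

```python
import calendar
import time

COUNTERS = ("Acct-Input-Octets", "Acct-Output-Octets")
HEADER_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Jun 13 16:05:30 2006"

# Constructed sample: the first record reuses the values quoted in the post
# (user name replaced by a placeholder); the second is an invented normal record.
SAMPLE_DETAIL = """\
Tue Jun 13 16:05:30 2006
\tUser-Name = "user@example.invalid"
\tAcct-Status-Type = Alive
\tAcct-Input-Octets = 899858807
\tAcct-Output-Octets = 1150153200
\tAcct-Session-Id = "0002576E"
\tAcct-Session-Time = 1583103
\tTimestamp = 1150211130

Tue Jun 13 16:06:30 2006
\tUser-Name = "other@example.invalid"
\tAcct-Status-Type = Stop
\tAcct-Input-Octets = 48211
\tAcct-Output-Octets = 913370
\tAcct-Session-Id = "00025770"
\tTimestamp = 1150211190
"""


def parse_detail(text):
    """Split detail-file text into (header, {attribute: value}) records."""
    records, header, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():              # a blank line ends the record
            if header is not None:
                records.append((header, attrs))
            header, attrs = None, {}
        elif header is None:              # first line of a record: local time
            header = line.strip()
        elif " = " in line:
            name, value = line.strip().split(" = ", 1)
            attrs[name] = value.strip('"')
    if header is not None:
        records.append((header, attrs))
    return records


def local_midnight(header, timestamp):
    """Epoch value of 00:00:00 on the header's date, in the server's zone.

    The zone offset is derived from the record itself: the header is local
    wall-clock time, the Timestamp attribute is UTC seconds since the epoch.
    """
    local = time.strptime(header, HEADER_FMT)
    raw_offset = calendar.timegm(local) - timestamp
    offset = round(raw_offset / 900) * 900   # zone offsets are multiples of 15 min
    day_start = calendar.timegm((local.tm_year, local.tm_mon, local.tm_mday, 0, 0, 0))
    return day_start - offset


def suspicious_counters(text):
    """Return (session id, attribute, value) for counters that equal midnight."""
    findings = []
    for header, attrs in parse_detail(text):
        try:
            ts = int(attrs["Timestamp"])
            candidates = {local_midnight(header, ts), ts - ts % 86400}
            for name in COUNTERS:
                if name in attrs and int(attrs[name]) in candidates:
                    findings.append(
                        (attrs.get("Acct-Session-Id"), name, int(attrs[name])))
        except (KeyError, ValueError):
            continue                         # skip records that cannot be parsed
    return findings


if __name__ == "__main__":
    for session, name, value in suspicious_counters(SAMPLE_DETAIL):
        print(f"session {session}: {name} = {value} looks like a timestamp")
```

Records flagged this way are best excluded from usage totals until the NAS behaviour is explained, since the counter value is not a byte count.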


RE: mysql accounting

2006-06-13 Thread Seferovic Edvin
Hello,

I do NOT want to be rude, but sometimes searching the archives helps A LOT !
BELIEVE ME ! But for the lazy developers among you people - here is the part
that describes the needed feature. Thanks to Jamal ( of course ). This is
copy paste - so do NOT blame me ;)

 START 
Create a table in the radius schema (called fails_log) to include three
columns: trial_date, username, password. 
Create a function in the database (called fails). The main statements
which you should write are 


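create or replace function fails (username1 in char, password1 in char)
return char is
  -- lets the insert below run when the function is called from a SELECT
  pragma autonomous_transaction;
  v_user radcheck.username%type;
begin
  select username into v_user from radcheck
   where attribute = 'password' and username = username1 and value = password1;
  return v_user;
exception
  -- no matching row: record the failed attempt and return no user
  -- (fails_log then holds attempted passwords in clear text; restrict access to it)
  when no_data_found then
    insert into fails_log values (sysdate, username1, password1);
    commit;
    return null;
end;
/
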
Update authorize_check_query module in sql.conf file to be as follows:
authorize_check_query = "SELECT id,Username,Attribute,Value,op FROM ${authcheck_table} WHERE Username = (select fails('%{SQL-User-Name}','%{User-Password}') from dual) ORDER BY id"


That is all. Then you can find all failed logs inside the new created table
fails_log.

 END 

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean Taylor
Sent: Thursday, 15 June 2006 07:13
To: freeradius-users@lists.freeradius.org
Subject: mysql accounting

I have a quick question on the mysql accounting.  I am working on my own
interface for managing the freeradius+mysql setup.  Everything is
working great, I can view all my users, see who's connected, add new
users, manage static vs. dynamic IP's, etc. The problem is it doesn't
seem to log authentication failures into the radacct table.  It logs all
the successes just fine, but it would be very beneficial to have it log
the failures too.  I have the sql module turned on in the accounting
section of the config and have uncommented all of the accounting
queries.  Any help appreciated.

Thanks
Sean Taylor
Systems Administrator
Valutel Communications



RE: How to implement traffic limit

2006-06-12 Thread Seferovic Edvin
Hello,

first you should read the documentation of your NAS server. Find out what
attributes it needs for traffic limiting !

Regards,

Edvin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Radhika
Sent: Monday, 12 June 2006 12:19
To: freeradius-users@lists.freeradius.org
Subject: How to implement traffic limit

Hi,

I am new to freeradius server. I want to use traffic limit in Freeradius. How
do I do that?

Currently we are using cisco edge routers for our ADSL server to
authenticate free radius server. For dialup we are using sendmax to transfer
request to free radius server. Now I want to do a traffic limit on each user's
download limit. How do I proceed with this in Free radius server? What
attributes do I need to configure? What do I need to do on the cisco routers side?

Thanks for your help

RE: How to implement traffic limit

2006-06-12 Thread Seferovic Edvin
Hi,

for ADSL users, you probably have some DSLAM or other ADSL server for PPPoE !
Look at the documentation of one of those components and you will probably
find something out.

Regards,

Edvin

From: Radhika [mailto:[EMAIL PROTECTED]]
Sent: Monday, 12 June 2006 13:39
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: RE: How to implement traffic limit

Hi,

Thanks for your reply. I am new to these concepts and presently we are
using the below configuration; I am not sure which is working as NAS. If you
have any docs or idea please let me know.

Sorry for asking basic questions

Thanks

Seferovic Edvin [EMAIL PROTECTED] wrote:

Hello,

first you should read the documentation of your NAS server. Find out what
attributes it needs for traffic limiting !

Regards,

Edvin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Radhika
Sent: Monday, 12 June 2006 12:19
To: freeradius-users@lists.freeradius.org
Subject: How to implement traffic limit

Hi,

I am new to freeradius server. I want to use traffic limit in Freeradius. How
do I do that?

Currently we are using cisco edge routers for our ADSL server to
authenticate free radius server. For dialup we are using sendmax to transfer
request to free radius server. Now I want to do a traffic limit on each user's
download limit. How do I proceed with this in Free radius server? What
attributes do I need to configure? What do I need to do on the cisco routers side?

Thanks for your help

RE: NAS Server Type

2006-06-12 Thread Seferovic Edvin
 However, when I call our primary carrier, they
 don't have that information and have never been asked that question.  

They do NOT know what NAS they r using? Are they only a reseller ?

Unbelievable !

Regards,

Edvin Seferovic




RE: postgresql and freeradius (dialupadmin)

2006-06-06 Thread Seferovic Edvin
I would say it is rather an apache2 problem. Update it to the latest version
and be sure that your apache2+php+postgres works before you start
dialupadmin.

Regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Krzysztof Matusik
Sent: Wednesday, 07 June 2006 01:03
To: freeradius-users@lists.freeradius.org
Subject: postgresql and freeradius (dialupadmin)

Hello

I've got freeradius running with postgresql backend but since I can't get 
(IMHO correctly configured) dialupadmin running I'm not even sure it runs
ok. 
My apache2 says something like:
[notice] child pid 27829 exit signal Segmentation fault (11)
and postgres daemon:
could not accesp SSL connection: connection terminated ...
while http browser gives something like 'connection terminated' whenever I'm
trying to perform any operation excluding just the 'home page'.

I've been trying and googling to get any solution but found only some 
(crappy?) posts from few years ago.

Is it that my database is corrupted? (I've had some problems creating it).

Could anybody help me with the solution?

Thanks in advance.

Krzysztof


RE: session tracking

2006-06-06 Thread Seferovic Edvin
Hi,

session tracking is called - accounting ! the last A in AAA ;)

Just empty the accounting { } part in your radiusd.conf file. If your NAS
sends accounting info - turn it off !

Regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy Ford
Sent: Wednesday, 07 June 2006 01:58
To: 'FreeRadius users mailing list'
Subject: session tracking

I have read over the docs but haven't found a clear way to turn off session
tracking. I just want the radius server to give an Accept or Reject for user
auth (which I have working with mysql) and not track the session (start/stop
records etc...)

Thanks
Jeremy



RE: configuring Freeradius server + accounting + IP address

2006-06-01 Thread Seferovic Edvin
Hello !

Hi All,

I am newly joined to this group. I have started working on radius.

I am facing some problems in configuring the free radius for accounting
purpose and to get the IP address of MS.

What do you mean by IP address of MS ? accounting setup is pretty well
described in freeRadius documentation!

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 8:23 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 13, Issue 145



Today's Topics:

   1. RE: Session-Octets-Limits (Seferovic Edvin)
   2. Re: Session-Octets-Limits (Mordor Networks)
   3. 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld: skipping
  incompatible (Alan)
   4. Re: 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld:
  skippingincompatible (Stefan Winter)
   5. RE: 1.1.2 Build Problems - rlm_eap-1.1.2.soT -
  ld:skippingincompatible (Alan)


--

Message: 1
Date: Wed, 31 May 2006 12:16:43 +0200
From: Seferovic Edvin [EMAIL PROTECTED]
Subject: RE: Session-Octets-Limits
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii

It's working and the user disconnects when he reaches the limit, but now if the
user disconnects and reconnects it will all start over. Is there a way to lock
the account?

so that the user won't be able to connect again?

YES, by using sqlcounter module ! This module should count the traffic usage
before user is authorized to connect.

Regards,
Edvin



--

Message: 2
Date: Wed, 31 May 2006 14:01:28 +0300
From: Mordor Networks [EMAIL PROTECTED]
Subject: Re: Session-Octets-Limits
To: [EMAIL PROTECTED],  FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Do i have to patch the sqlcounter module so that it can be used for
counting traffic?

I have the default sqlcounter in my radius.conf sqlcounter Dailycounter and
sqlcounter monthlycounter/



On 5/31/06, Seferovic Edvin [EMAIL PROTECTED] wrote:

 It's working and the user disconnects when he reaches the limit, but now if the
 user disconnects and reconnects it will all start over. Is there a way to
 lock the account?

 so that the user won't be able to connect again?

 YES, by using sqlcounter module ! This module should count the traffic
 usage
 before user is authorized to connect.

 Regards,
 Edvin


--

Message: 3
Date: Wed, 31 May 2006 09:49:19 -0400
From: Alan [EMAIL PROTECTED]
Subject: 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld: skipping
incompatible
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=US-ASCII

When I compile the latest stable FreeRadius build version 1.1.2. I came
across a few problems. I noticed the eap library file has a T appended to
the end of it (rlm_eap-1.1.2.soT) and some ld warnings after running
make. Please advise.

~Alan


OS: Red Hat Enterprise v.3 AMD64

---

Make ld warnings:

sql_mysql.c: In function `sql_error':
sql_mysql.c:333: warning: return discards qualifiers from pointer target
type
/usr/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libz.a when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.so when searching for
-lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.a when searching for
-lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.so when searching for
-lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.a when searching for
-lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libnsl.so when searching for
-lnsl
/usr/bin/ld: skipping incompatible /usr/lib/libnsl.a when searching for
-lnsl
/usr/bin/ld: skipping incompatible /usr/lib/libm.so when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libm.a when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.so when searching

RE: Re: freeradius 1.1.1 and mysql issues

2006-06-01 Thread Seferovic Edvin
  modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [simon/no User-Password attribute] (from client
linksys-434 port 56 cli 0013ce29c6d7)

There is no password ? Is that okay?

You can set Auth-Type to Accept if the user is found in sql !
If that is what you actually want.

Regards,

Edvin




RE: Session-Octets-Limits

2006-05-31 Thread Seferovic Edvin
It's working and the user disconnects when he reaches the limit, but now if the
user disconnects and reconnects it will all start over. Is there a way to lock
the account?

so that the user won't be able to connect again?

YES, by using sqlcounter module ! This module should count the traffic usage
before user is authorized to connect. 

Regards,
Edvin

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
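
The check that the sqlcounter answer above describes, sketched as an added example (not FreeRADIUS code and not from the thread): usage for the current month is summed from radacct before the user is authorized, so a reconnect after the cap is reached is rejected, and otherwise the remaining octets are returned. It assumes the radacct column names used elsewhere on this page plus an AcctStartTime column, an in-memory SQLite table with constructed rows, and a constructed 5 MiB monthly cap.

```python
import sqlite3
from datetime import datetime

CAP_BYTES = 5 * 1024 * 1024  # constructed monthly cap for the demonstration
REJECT_MESSAGE = "You have reached your bandwidth cap for this Month"


def month_start(now):
    """Start of the counting period for a monthly reset."""
    return now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)


def used_octets(conn, username, now):
    """Octets the user has transferred since the start of the month.

    The user name is passed as a bound parameter, never pasted into the
    SQL text, so a crafted name cannot change the query.
    """
    row = conn.execute(
        "SELECT COALESCE(SUM(COALESCE(AcctInputOctets, 0)"
        " + COALESCE(AcctOutputOctets, 0)), 0)"
        " FROM radacct WHERE UserName = ? AND AcctStartTime >= ?",
        (username, month_start(now).isoformat(sep=" ")),
    ).fetchone()
    return row[0]


def authorize(conn, username, now, cap=CAP_BYTES):
    """Decide before the session starts, so reconnecting does not reset the cap."""
    remaining = cap - used_octets(conn, username, now)
    if remaining <= 0:
        return ("reject", REJECT_MESSAGE)
    # The remaining allowance is what a NAS-specific octet limit would carry.
    return ("accept", remaining)


def demo_db():
    """Constructed accounting rows standing in for the radacct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT,"
        " AcctInputOctets INTEGER, AcctOutputOctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", [
        ("alice", "2006-04-28 10:00:00", 9_000_000, 9_000_000),  # previous month
        ("alice", "2006-05-02 09:00:00", 1_000_000, 3_000_000),
        ("alice", "2006-05-20 18:30:00", 500_000, 1_000_000),
        ("bob", "2006-05-03 08:15:00", 100_000, 200_000),
        ("bob", "2006-05-31 11:00:00", None, None),              # session still open
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    when = datetime(2006, 5, 31, 12, 0)
    for user in ("alice", "bob"):
        print(user, authorize(db, user, when))
```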


RE: rlm_sqlcounter developer required

2006-05-16 Thread Seferovic Edvin
Hi,

I have been working with sqlcounter and for a few of my installations I have
changed its functionality so it is able to count traffic instead of time.

What do you need ? What is your NAS ?

Send me a mail off the list if you need some specific solution.

Regards,

Edvin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Lovatt
Sent: Tuesday, 16 May 2006 12:51
To: freeradius-users@lists.freeradius.org
Subject: rlm_sqlcounter developer required

Hi,

I'm using rlm_sqlcounter to limit the amount of
time my users can stay connected to a NAS, which works very well. As you know,
it SUMS the amount of time a user has been online by querying the radacct
table then returns a Session-Timeout attribute.

My NAS supports Max-Input_octets and
Max-Output-Octets attributes. I'd like to perform an SQL SUM on
AccInputOctets and AccOutputOctets during the authorize phase then return these
two attributes to set the max amount of bandwidth a user can use.

I've spent all day reading about
rlm_sqlcounter. This functionality isn't available but has been talked
about previously. What I'm really asking for, since my C knowledge is a
little rusty and I'm a bit pressed for time, is for one of you guys to
patch this module for me, for a price of course.

R

Mark

RE: How to use time period

2006-05-16 Thread Seferovic Edvin
Hi !

YUP !! It does ! radiusLoginTime is the attribute in LDAP that you are looking
for. Simply set it to Al0800-1200 and you'll have your time period. Depending
on your NAS the user will be kicked off at 12 AM.

Regards,

Edvin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ludovic cailleau
Sent: Tuesday, 16 May 2006 15:18
To: freeradius freeradius-users
Subject: How to use time period

Good morning!!

I would like to authorize connection to the users to
one time period stored in Ldap base.

Example: The user Steeve can be connecting between 8h
and 12h. So at the time of the request for connection, freeradius will have to
check if the time of connection is between this time period. If it's true
freeradius sends accept but if it is wrong it sends reject.

Does freeradius manage that? Because I have not found
information in connection with that.

Thanks

Ludovic Cailleau

RE: rlm_sqlcounter developer required

2006-05-16 Thread Seferovic Edvin








Well, you just hit the
point where you have to alter the code of freeradius ( rlm_sqlcounter to be
precise ). Sqlcounter returns SessionTime ( as usual ). You have to change
sqlcounter.c.. the function sqlcounter_authorize has the part that you would
like to change. Here you should check the documentation of your NAS to be sure
which attribute it expects to become from a freeradius server ( probably
something Like *Octets ). Then add this attribute to the dictionary file of the
server and you should need to add it to the header file which contains attributes
and their numbers. Be sure that you have the same number like in the dictionary
file.



In the function
sqlcounter_authorize ( line 676 ) youll find reply_item =
paircreate(PW_SOMETHING, PW_TYPE_INTEGER)) in an ELSE block. Instead of
PW_SOMETHING, you should enter PW_YOUR_ATTRIBUTE_NAME !! 



Recompile, install and
freeradius will return your attribute to NAS ( actually  it will return
the difference between check-name and the value which is returned by the query
).



Hope this helps...



I will probably send a
patch to freeradius developers that will contain this functionality ( returning
a specific value ) for traffic accounting ( ie ).



Regards,



Edvin Seferovic











From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Lovatt
Sent: Dienstag, 16. Mai 2006 14:04
To: [EMAIL PROTECTED];
'FreeRadius users mailing list'
Subject: RE: rlm_sqlcounter
developer required





I have been able to configure it to count traffic instead of time, but only
when a user first logs in, it'll then allow or deny them access, however it
doesn't return any attributes such as Max-Input_octets = ??, where ?? is some
value (ie account balance) less the sum of acctinputoctets, this would allow
the NAS to disconnect a client during the session, ie client has 5Mb on their
account, they login but are disconnected after 5Mb of throughput.

This is what I've done so far, but it only works on login and doesn't return
any attributes:

sqlcounter monthlybandwidthcounter {
    counter-name = Max-Bytes
    check-name = Max-Bytes
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    Reply-Message = "You have reached your bandwidth cap for this Month"
    query = "SELECT sum(AcctOutputOctets) + sum(AcctInputOctets) FROM radacct where UserName = '%{%k}'"
}

I'm using a Colubris MSC-5200

R

Mark

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Seferovic Edvin
Sent: 16 May 2006 11:59
To: 'FreeRadius users mailing list'
Subject: RE: rlm_sqlcounter developer required

Hi,

I have been working with sqlcounter and for a few of my installations I have
changed its functionality so it is able to count traffic instead of time.

What do you need ? What is your NAS ?

Send me a mail off the list if you need some specific solution.

Regards,

Edvin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mark Lovatt
Sent: Tuesday, 16 May 2006 12:51
To: freeradius-users@lists.freeradius.org
Subject: rlm_sqlcounter developer required

Hi,

I'm using rlm_sqlcounter to limit the amount of time my users can stay
connected to a NAS, which works very well, as you know, it SUMS the amount of
time a user has been online by querying the radacct table then returns a
Session-Timeout attribute.

My NAS supports Max-Input_octets and Max-Output-Octets attributes, I'd like to
perform an SQL SUM on AccInputOctets and AccOutputOctets during the authorize
phase then return these two attributes to set the max amount of bandwidth a
user can use.

I've spent all day reading about rlm_sqlcounter, this functionality isn't
available but has been talked about previously, what I'm really asking for,
since my C knowledge is a little rusty and I'm a bit pressed for time is for
one of you guys to patch this module for me, for a price of course.

R

Mark


RE: How to use time period

2006-05-16 Thread Seferovic Edvin

It is not about your NAS.. FreeRADIUS manages this. Every Access-Request has a
timestamp. If the Access-Request comes at 7.50 AM, FreeRadius will compare the
time with the Login-Time attribute ( if set ) and then reject the request. If
the access-request comes at 8.50 AM.. the user will be able to log in.
FreeRadius will also send ( AFAIK ) the Session-Time attribute as reply. This
attribute contains the allowed duration for the session. If your NAS supports
this attribute, the user will be authorized and then kicked off of the system
at 12.00 AM.

I hope this was clear enough. Please read the NAS documentation first.. the
mailing list members must not be familiar with your NAS !

Regards,

Edvin

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ludovic cailleau
Sent: Tuesday, 16 May 2006 17:15
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: RE: How to use time period

Hi

 Ok, but my NAS does not manage radiusLoginTime.

 Is there another solution for that? Example: to retrieve the system time and
 to compare it with the Ldap attributes (new check-items)?

Regards

Seferovic Edvin [EMAIL PROTECTED] wrote:

Hi !

YUP !! It does ! radiusLoginTime is the attribute in LDAP that u r looking
for. Simply set it to Al0800-1200 and you'll have ur time period. Depending on
your NAS the user will be kicked off at 12 AM.

Regards,

Edvin

Ludovic Cailleau


RE: Several passwords for a user

2006-05-11 Thread Seferovic Edvin
Hello,

besides the comment of Alan D. I think you should have a damn good reason
for entering more than one password for ONE user. Are you trying to make
your system THAT complicated? Or are your users just stupid to remember ( or
even write down ) a given password?

Regards,

Edvin 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, 11 May 2006 15:46
To: FreeRadius users mailing list
Subject: Re: Several passwords for a user

Santiago Balaguer García [EMAIL PROTECTED] wrote:
   I use freeradius-1.1.0. Where is any problem an account has two or more
 entries in radcheck table???
 
 I use :
11:22:33:44:55:66 :=''
11:22:33:44:55:66 :=mypassword

  What are you trying to do?  Those entries don't match anything in
the FreeRADIUS documentation, and will *not* do anything useful.

  Alan DeKok.



RE: Strange error

2006-05-11 Thread Seferovic Edvin
 how formilar are you with Freeradius?

  Uh... try reading the list for a while.

  Alan DeKok.


HAHAHHA :) Sorry - I just couldn't help myself! 

For mailing-list-newbies: people that respond to your questions have more
experience than you do and they are willing to help ( in most cases ).
Nobody should attach a freeradius-CV when answering to the list! Yes - I
have compiled freeradius at least 100 times ( in a row ;) ) and does that
make me familiar with this software?

Regards,

Edvin



RE: Freeradius and MySQL

2006-05-11 Thread Seferovic Edvin
Hello Jeremy,

PLEASE ! SPECIFY YOUR PROBLEM ! you have sent 2-3 comments to the mailing
list and nobody ( besides Alan ) wanted to respond! Why? No needed
information ( aka I have car, car has tires, but I cannot drive, why? ).

You are using db. Okay. What DB? Firebird, MySql, MSSQL, Oracle? 
How does your config look like? 
Send us the debug output of freeradius!

We cannot help you without information ( or do you expect us to hack into
your server to get some info about your config ?? ).

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy ohara
Sent: Thursday, 11 May 2006 20:23
To: freeradius-users@lists.freeradius.org
Subject: Freeradius and MySQL


 Hi there
 
i have free radius updated on fedora. 
 
got a mysql database. but from what i'm noticing it's not being checked on the
database.
 
got dialupadmin installed and using that to put the accounts into the
database. and have setup freeradius with the db
 
Jeremy





RE: Worked!- RE: Couldn't stop freeradius server!!

2006-04-04 Thread Seferovic Edvin
Try linking /etc/init.d/freeradius to your /sbin ;)

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of lmyho
Sent: Tuesday, 04 April 2006 21:04
To: 'FreeRadius users mailing list'
Subject: Worked!- RE: Couldn't stop freeradius server!!

Hi Alex, 
The command '/etc/init.d/freeradius stop' worked! but 'freeradius stop'
won't!

Maybe you can try this too?

Regards,
leo :)

--- Alex M [EMAIL PROTECTED] wrote:

 I had the same problem on RedHat (well name was the way it supposed to be)
 it was caused by some conflict between fr and something with os... still
 investigating the problem, but in my case kill and reboot, halt command
 were blocked  I think that was caused because SSH connection was lost
 during execution of the command. 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of debik
 Sent: Wednesday, April 05, 2006 2:26 PM
 To: FreeRadius users mailing list
 Subject: Re: Couldn't stop freeradius server!!
 
 Try killall radiusd  or killall freeradius.
 I have debian and that commands are all right.
 
 
 - Original Message - 
 From: lmyho [EMAIL PROTECTED]
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Sent: Tuesday, April 04, 2006 6:19 PM
 Subject: Re: Couldn't stop freeradius server!!
 
 
 
  --- monish ar [EMAIL PROTECTED] wrote:
   Instead of using the command to stop the radius daemon, herez another
   simple way.
   At the console type  ps -ax | grep radiusd , this will give u the list of
   radius servers currently along with its process IDs. The next thing u do
   is type  kill pid# , PID# refers to the process id number of ur currently
   running radius daemon. Hope it helps...
   Dunno bout the NAS list though...
 
  Hi Monish,
 
  Thank you for the idea!  I checked, and found the process.  but on this
  debian system, the process is actually named freeradius, instead of the
  traditional radiusd.:(  So there are indeed some changes on how the
  freeradius is run on debian.  Do you have more idea about it?
  Can anyone tell me more on how the debian is running the freeradius and
  how I can stop the server from command line in debian system?  (pls see
  problem detail below)
 
  Thanks a lot!!
  leo
 
  On 4/4/06, lmyho [EMAIL PROTECTED] wrote:
  
   Hi All,
  
   Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686).  The radius
   server started automatically well each time when the system booting. But
   I wanted to stop it to do some testing using my modified configuration
   files. I tried to stop the server using command: 'freeradius stop'
   ('radiusd' doesn't work on this debian - anyone knows why??)
  
   But so weird, no matter what command I gave, with parameter
   stop|start|restart, the server ALWAYS goes to START again!! even from the
   /etc/init.d/freeradius I can read that the 'stop' param should stop the
   server!  Can anyone tell me why the command couldn't stop the server?? and
   how should I stop it??
  
   The log file shows entries like this for each of my trying, even the
   command given was to stop:
  
   Tue Apr  4 01:14:13 2006 : Info: Using deprecated naslist file.  Support for this will go away soon.
   Tue Apr  4 01:14:13 2006 : Error: There appears to be another RADIUS server running on the authenticat
  
   What is happening here?  (I couldn't stop the running daemon, so is the
   2nd line above)
  
   Also, from the log file I noticed: even when the system automatically
   started the freeradius server daemon, it was Using deprecated naslist
   file. Log entries show like this:
  
   Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file.  Support for this will go away soon.
   Fri Mar 31 13:51:54 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
   Fri Mar 31 13:51:55 2006 : Info: Ready to process requests.
  
   Can anyone tell me what is happening here?? Why it's using the
   deprecating naslist file? The installed radiusd.conf file doesn't show
   the server will use the naslist file at all! from where I can stop the
   server to use this deprecating file?  Also what does the 2nd line of the
   above log entries mean?
  
   Any help would be greatly appreciated!  Thank you so much for help in
   advance!!
  
   Best regards,
   leo
 
 
 
 
 

RE: pppoe-server

2006-04-03 Thread Seferovic Edvin
Hi,

1. try sending the interval in the Acct-Interim-Interval attribute to your
pppoe-server
2. try to send the questions to the mailing list 

Regards,

Edvin


From: Wassim abbas [mailto:[EMAIL PROTECTED] 
Sent: Monday, 03 April 2006 00:18
To: [EMAIL PROTECTED]
Subject: Re: (no subject)

Hello 
1. modify your pppoe-server to send accounting updates every hour or less
How?




RE: (no subject)

2006-04-01 Thread Seferovic Edvin
Hi,

1. modify your pppoe-server to send accounting updates every hour or less
2. modify sql.conf to write an entry to sql for each accounting-update packet
3. based on session start time and update time you can calculate and see the
hourly transfer.

Regards,

Edvin

PS: I am planning to use such system to detect misuse ;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, 01 April 2006 11:06
To: freeradius-users@lists.freeradius.org
Subject: (no subject)

hi,

i have freeradius + mysql + cisco + pppoe clients.

the pppoe client is 3 day online. 
the radius have 1 line with input/output octets

the statistic for the users must to every hours the input/output octets

have you an idea?


best regards
harald



RE: Shared secret is wrong, except that it isn't?

2006-03-29 Thread Seferovic Edvin
Hi Peter,

I had the same issue on Suse 9.1/64bit version. Some stupid library was broken (
I think the LIBLTDL = /usr/lib64/libltdl.so was wrong ). That had the whole
stuff messed up. Since I am not familiar with NetBSD, maybe you should
consider asking the same question on their mailing list about this lib and
linking with freeradius.

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Peter Seebach
Sent: Wednesday, 29 March 2006 21:49
To: freeradius-users@lists.freeradius.org
Subject: Shared secret is wrong, except that it isn't? 

Okay, I'm sorta stumped here.  I'm getting the exact behavior described for
shared secret is wrong, but I am pretty confident that it isn't.

FreeRadius 1.1.1, installed on NetBSD 3.0/amd64.

Synopsis:  No matter how cleverly I try to make sure I have the right shared
secret, I get garbage passwords.

My clients file says:
127.0.0.1   foobar
I'm using radtest:
radtest user pw localhost 10 foobar

I get:

auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [beta1]: invalid password
modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!

There are no unprintable characters in the password I'm sending.

So.  The one thing I can think of is the 64-bit environment, because an old
version of cistron-radiusd I was skimming once had a comment about assumptions
about the size of long and the size of (void *).  However, even then, I would
expect that a radtest and a radiusd built and running on the same server
would, even if they were doing it wrong, do it wrong in precisely compatible
ways!

So, uhm.  Where exactly is this encryption happening?  It looks like
lib/radius.c is the place where shared secrets are used, but the code seems
to be substantially different from the cistron code I vaguely remember from
way back when.  In particular, I don't remember this MD5 stuff...

-s


RE: User Disconnect

2006-03-26 Thread Seferovic Edvin
Hi,

are you using PPP ???

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mohammad Flaifel
Sent: Sunday, 26 March 2006 11:45
To: freeradius-users@lists.freeradius.org
Subject: User Disconnect

Dears, 

I know I asked this question before, but I got lost what shall I do.
Can I disconnect a user when he/she reaches a download limit?
We have Radius server and connected to an oracle server.
What do you think?
Regards,



RE: Set environnement variable

2006-03-25 Thread Seferovic Edvin
Hi,

I am not sure but I have seen solutions using radattr.so module with PPP and
then you can access the attributes ( which would be sent by freeradius )
from /var/run/radattr.$interface ;)

Maybe you would need to add your attributes to the dictionary file ( both
server and client ).

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alexandre DELAY
Sent: Saturday, 25 March 2006 19:00
To: freeradius-users@lists.freeradius.org
Subject: Set environnement variable

Hi guys,

I'm using freeradius to authenticate users against PPP (Poptop and PPPOE).
After connection, i start a few processes from /etc/ppp/ppp.linkup and need
to set some user dependent variable.
I would like to get that information from the same database as for auth.
Here is my question:

Is it possible to set environment variables during authentication process?
With this, I will use them to launch my processes.

(my other solution is to setup a secured connection to the sql 
database, but I would like to use freeradius if possible).

Thanks for the help

cheers

Alex




RE: MAC/VLAN with HP Procurve

2006-03-14 Thread Seferovic Edvin
Dynamic VLAN on an access point? Is this possible anyway?
I've tried to use VLAN assignment on HP ProCurve 2626, but it just won't
work. Due to the lack of documentation, maybe someone should contact HP on this
topic?

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jim Potter
Sent: Tuesday, 14 March 2006 16:10
To: FreeRadius users mailing list
Subject: MAC/VLAN with HP Procurve

Hi all,
Part 2 of my problems - has anyone got a radius server to hand out 
dynamic VLANs to an access point? I've got the following from various 
sites, but it doesn't seem to work (users file):

00-0e-35-31-5c-1b   Auth-Type == Local, User-Password == 00-0e-35-31-5c-1b
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 20,
        Tunnel-Type = VLAN

- this is meant to make the laptop with the given VLAN join to the 
network on vlan 20, but there is no sign of this working... any clues?


cheers

Jim Potter



RE: About Monthly Time Limits

2006-03-13 Thread Seferovic Edvin
Hi Lisa,

to make it short - when NAS tries to authorize the user, freeradius uses a
simple counter module ( sql or db file - depending on your setup ) to count
the time information in specific time period. Since NAS sends start and stop
time of a session ( and also the session duration ) freeradius is able to
count the time and authorize the user if the time limit is NOT reached !

Hope this helps !

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Lisa Casey
Sent: Monday, 13 March 2006 21:40
To: freeradius-users@lists.freeradius.org
Subject: About Monthly Time Limits

Hi,

We are an ISP. As many ISP's do these days, we outsource our dialup numbers 
to wholesalers such as Megapops, etc. but we maintain our own radius 
servers. The wholesaler proxies radius requests to us.

The following is kind of  hypothetical, but I need to know this in order to 
understand how all this works.

I have monthly time limits set up in my Freeradius. When customers login, 
where exactly does the information come from that tells Freeradius This 
customer is OK, he has not used up his time limit yet or Reject this 
customer, he has used up his limit for this month.  Is this dependent on 
something in the radius config at the wholesalers end, or is this info taken
from my db.monthly file?

Another way of asking this question (in case I'm not making myself clear 
which is always a possibility) is:

Does the wholesaler have to support monthly time limits or can I do it all 
from my end (whether or not the wholesaler supports such an attribute)?

Any info about how this process works will probably help clear up my 
thinking.

Thanks,

Lisa Casey
 



RE: About Monthly Time Limits

2006-03-13 Thread Seferovic Edvin
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ben Plimpton
Sent: Monday, 13 March 2006 23:34
To: freeradius-users@lists.freeradius.org
Subject: RE: About Monthly Time Limits

This is a somewhat related question.  

Can I use an attribute that is not in the Stop record as the key for a
monthly counter?  For example, I would like to make the Ldap-UserDn
attribute the key for the counter.  Is there a way to make that value
available to my counter?

Thanks

Sure.. if you use LDAP for Authentication and Authorisation ! there is
ldap.attrmap file which maps the LDAP attributes to freeradius attributes. 

The key is usually username ( or something else specific for a user or
machine ). 

I have such a setup in a boarding home and it works like a charm ;)

Regards,

Edvin




RE: mysql 4.1.0 can not run normally in Freeradius 1.0.5

2006-03-07 Thread Seferovic Edvin
rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found

Are you sure that you have compiled FR with mysql support ? Recompile it
with sql_mysql driver and it should work.

Regards,

Edvin


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of yao guoxian
Sent: Tuesday, 07 March 2006 08:58
To: freeradius-users@lists.freeradius.org
Subject: mysql 4.1.0 can not run normally in Freeradius 1.0.5

  Freeradius works well through authenticating users through
files option.
  In order to authenticate users through sql , I have installed
mysql 4.1.0 on the machine which has the Redhat 9 operation system.
  I followed the suggestion :
   mysql -uroot -prootpass radius < db_mysql.sql
 and made changes to radiusd.conf like below:

authorize {
    preprocess
    chap
    mschap
    #counter
    #attr_filter
    #eap
    suffix
    sql
    #files
    #etc_smbpasswd
}

authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
    #pam
    #unix
    #authtype LDAP {
    #    ldap
    #}
}

preacct {
    preprocess
    suffix
    #files
}

accounting {
    acct_unique
    detail
    #counter
    unix
    sql
    radutmp
    #sradutmp
}

session {
    radutmp
}

However when I input : radiusd -X, only got the following errors:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf

Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf

 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct

 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no

 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid

 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no

 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120

 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary

read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup

Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)

 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 

 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no

 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 

Module: Loaded eap 
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5

rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2

Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no

 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 

Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 

RE: Dual Server free radius

2006-03-03 Thread Seferovic Edvin
Sure, but do NOT forget to tell your client ( radiusclient ) to use new
server on new ports ;)

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 03 March 2006 19:07
To: FreeRadius users mailing list
Subject: Re: Dual Server free radius

Hi,
 Hi, I have question, its possible to put two radius servers running in same
server with different ports?

yes. this is a fairly common question - use the '-d' directive to define
a different config directory and change the port settings in the new
directories version of radiusd.conf etc

alan


virus through freeradius-user-request mail??

2006-03-03 Thread Seferovic Edvin
I've got 2 mails containing viruses sent through freeradius-user-request..
was this email spoofed ( my antivirus software deleted the email so I had no
chance to look at the headers etc ) or were the emails really sent through
mailman?

Regards,

Edvin

 





RE: type of lvalue in VALUE_PAIR

2006-03-03 Thread Seferovic Edvin

  If it does send them, then yes, you'll have to update the sqlcounter
module to handle 64-bit numbers.  But you don't need to update any of
the valuepair structures.

  Alan DeKok.

So what variable should I alter to handle 64-bit numbers. As far as I have
understood the check-name value is written to valuepair structure for
further comparing. How should this be done ( correctly - since I am not a
freeradius developer ) ? 

I have finished my patch for traffic accounting with Poptop ( I would like
to see if it would work with PPPoE ( RP ) Server ).

Regards,

Edvin



type of lvalue in VALUE_PAIR

2006-02-27 Thread Seferovic Edvin
Hi,

I know this question is probably for the developer list, but I think someone
can answer me without any further complications ;)

As I promised, I am patching freeradius ( sqlcounter actually ) so it can
do traffic accounting. I have patched it but since I want to have the
ability to set the limit by entering the amount of bytes ( in my backend ),
I am limited by lvalue of value_pair struct. So values above a (ca) 4 GB are
above the limit of uint32 right? What can I do to increase the limit without
crashing the freeradius functions. Can I simply change it to uint64_t ( 2
^64 should be enough ;) ) ??? 

Regards,

Edvin

PS: the patched freeradius is working and is able to account traffic, but I
think it would not be RFC compliant because I haven't found the needed
attributes in the dictionaries




RE: type of lvalue in VALUE_PAIR

2006-02-27 Thread Seferovic Edvin

Seferovic Edvin [EMAIL PROTECTED] wrote:
 As I promised, I am patching freeradius ( sqlcounter actually ) so it can
 do traffic accounting. I have patched it but since I want to have the
 ability to set the limit by entering the amount of bytes ( in my backend ),
 I am limited by lvalue of value_pair struct. So values above a (ca) 4 GB are
 above the limit of uint32 right?

  Yes.

I was talking about variable in the struct value_pair ( libradius.h ). 

 What can I do to increase the limit without crashing the freeradius
 functions. Can I simply change it to uint64_t ( 2 ^64 should be
 enough ;) ) ???

  See the dictionaries.  Use Acct-Input-Gigawords

Okay - but I suppose I will have to patch my NAS ( Poptop server ) to use
Acct-Input-GigaWords and Output- instead of Octets. Still if I patch my NAS
to send GigaWords.. when I use sqlcounter to count the MBs I will still not
be able to compare the check-name which is written into uint32 variable.
Shouldn't this be patched too ( I am not a professional programmer - so
excuse my silly question ). 

 PS: the patched freeradius is working and is able to account traffic, but I
 think it would not be RFC compliant because I haven't found the needed
 attributes in the dictionaries

  Which attributes?

Poptop server accepts Session-Octets-Limit for the traffic limit ( actually
it is ppp that is doing the limiting ). So I've added this attribute to my
dictionary. PPP also needs Octets-Direction so it can know which traffic
flow to count. I've added both attributes and it is working ( for 2^32 ).

Can you give me some directives how to implement this. Maybe to extend the
config of sqlcounter and value_pair struct?

Thank you in advance

  Alan DeKok.



freeradius 1.1.0 and mysql5

2006-02-26 Thread Seferovic Edvin
Hello,

are there any known issues when installing freeradius with mysql support? I
have Suse 9.1 with mysql5 ( from RPMs ) and after compiling freeradius -
rlm_sql module is not able to link rlm_sql_mysql because I do NOT have
libmysqlclient.so.12 !!

Sun Feb 26 17:36:24 2006 : Error: rlm_sql (sql): Could not link driver
rlm_sql_mysql: libmysqlclient.so.12: cannot open shared objey
Sun Feb 26 17:36:24 2006 : Error: rlm_sql (sql): Make sure it (and all its
dependent libraries!) are in the search path of your sys.
Sun Feb 26 17:36:24 2006 : Error: radiusd.conf[14]: sql: Module
instantiation failed. 
Sun Feb 26 17:36:24 2006 : Error: radiusd.conf[1257] Unknown module sql.
Sun Feb 26 17:36:24 2006 : Error: radiusd.conf[1243] Failed to parse
accounting section. 

YES - I have tried to compile with --disable-shared, but then I get a lot of
other error messages about DynaLoader and rlm_smb???

extracting global C symbols from
`../modules/rlm_sql/drivers/rlm_sql_mysql/.libs/rlm_sql_mysql.a'
(cd .libs  gcc -c -fno-builtin -fno-rtti -fno-exceptions radiusdS.c)
cc1: warning: -fno-rtti is valid for C++ but not for C/ObjC
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHt
../modules/rlm_perl/.libs/rlm_perl.a(rlm_perl.o)(.text+0x26fb): In function
`xs_init':
/root/software/freeradius-1.1.0/src/modules/rlm_perl/rlm_perl.c:613:
undefined reference to `boot_DynaLoader'
../modules/rlm_smb/.libs/rlm_smb.a(smbencrypt.o)(.text+0x172): In function
`E_md4hash':
/root/software/freeradius-1.1.0/src/modules/rlm_smb/smbencrypt.c:107:
undefined reference to `mdfour'
collect2: ld returned 1 exit status
rm -f .libs/radiusdS.o
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/root/software/freeradius-1.1.0/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/software/freeradius-1.1.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/software/freeradius-1.1.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/software/freeradius-1.1.0'
make: *** [all] Error 2


Is there any way I can disable those modules I do not need ( or plan to use
)? 

Any ideas how I can solve those problems?

Thank you in advance.

Regards,

Edvin Seferovic



RE: MYSQL and FreeRadius

2006-02-24 Thread Seferovic Edvin
Maybe a firewall script at startup?

Regards,

Edvin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diniz Da Rocha
Sent: Saturday, 25 February 2006 06:51
To: freeradius-users@lists.freeradius.org
Subject: MYSQL and FreeRadius

Hi, I have currently set up FreeRadius 1.0.4 with ldap authentication and
authorization as well as mysql authorization and it's all working fine. The
problem exists when I restart the server, freeradius starts on boot but it
fails in connecting to the MYSQL server. If I then shut down the service and
start it again it works fine. I have moved the boot order to be S99 but it
still fails. The MYSQL server is on a separate server, so I am wondering
whether the ports are blocked until startup is complete, if this is the case
how can I get round this??? I am using Fedora Core 4... Has anyone else had
this problem???
 
thanks 
 
diniz




RE: simultaneous-use and stateless sessions in sql

2006-01-26 Thread Seferovic Edvin
But how to use radzap when only using SQL for session tracking... I've tried
it but it said it cannot find radutmp ( because I've commented it in
radiusd.conf - I do not need it.. or do I ?? ).

Is it kind of OK to have session tracking in sql and radutmp? 

How should I start radzap ( or is it run automatically by
deletestatlesssession ) ?

TIA 

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 26 January 2006 23:51
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: simultaneous-use and stateless sessions in sql 

Seferovic Edvin [EMAIL PROTECTED] wrote:
 Are there any workarounds for this scenario? I've found
 deletestatlesssessions in sql.conf file, but I have no idea how does this
 work ( it is set to yes but no use ). Since my NAS is POPTOP server, type
 is set to other and checkrad cannot check ( or won't check ).

  radzap?

  Alan DeKok.




RE: simultaneous-use and stateless sessions in sql

2006-01-26 Thread Seferovic Edvin
Hi,

but what if I only have session data in SQL? 

Running radzap manually for each user is not a good idea with 200 users. And I
haven't found any entries how deletestatlesssessions ( in sql.conf ) works :(
sorry - I probably missed something.

Any hints please :(

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Seferovic Edvin [EMAIL PROTECTED] wrote:
 But how to use radzap when only using SQL for session tracking... 

  In 1.0.5 and following, radzap is just a shell script wrapper around
radwho & radclient.  You can use radclient to create a fake stop
packet, and send that to the server.

 Is it kind of OK to have session tracking in sql and radutmp? 

  yes.

 How should I start radzap ( or is it run automatically by
 deletestatlesssession ) ?

  Read the man page?

  Alan DeKok.




documentation on rlm_sql_log

2006-01-25 Thread Seferovic Edvin
Hi there,

I haven't been able to find any documentation on rlm_sql_log module ( doc
directory, freeradius-wiki :( ). Can somebody give me a hint where to look
for it? I know it is a new module, but is there any documentation somewhere
out there?

Regards,

Edvin Seferovic


simultaneous-use and stateless sessions in sql

2006-01-25 Thread Seferovic Edvin
Hi,

I have set up my new test environment with freeradius-1.1.0 ( with ldap and
mysql ) and I just hit the wall as my VPN server ( poptop - MS PPTP )
crashed. I have a session left in my mysql db with Acct-Stop = 0 which
permits user to login again ( after the crash ) because simultaneous-use is
set to 1. 

Are there any workarounds for this scenario? I've found
deletestatlesssessions in sql.conf file, but I have no idea how does this
work ( it is set to yes but no use ). Since my NAS is POPTOP server, type
is set to other and checkrad cannot check ( or won't check ).

At the end of the Simultaneous-Use doc it is mentioned that Idle-Timeout
could be used, but this works for specific NASes and not for such VPN server
that loses all info about users when crashed.

Only way I figured out would be to check for open session before
simultaneous-use-query. Since I've configured my NAS to send accounting
data every 2 minutes, it would be easy to say delete all session data where
traffic_data = 0 and time difference between now and session_start > 2
minutes.. but where could I put such query.

Does anyone have any suggestions on this topic? I know it is rather complex
topic, but I would appreciate any opinions.

TIA 

Regards,

Edvin Seferovic

PS: sorry for my HTML eMail today !

 





RE: FreeRadius in a production environment

2006-01-20 Thread Seferovic Edvin
Hi Susana,

before I start telling you life stories, I'll just tell you to USE IT !!! :D
I use one server for VPN Auth, MAC auth etc.. and it is stable and it works
pretty well with LDAP ( in my case )

Regards,

Edvin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susana Macias
Sent: Friday, 20 January 2006 12:31
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius in a production environment

Hi :-)

I am interested to know about success stories of people using FreeRadius in
a production environment.

I have read http://www.freeradius.org/testimonials.html but I would like to
obtain a few more experiences.

Best regards, Susana


RE: Simple Question about LDAP

2006-01-19 Thread Seferovic Edvin
Hi,

you can adjust the LDAP section in radiusd.conf file to your LDAP server (
it's a directory rather than a database ;) ). When you have configured the
connection between freeradius and LDAP, add ldap to authentication section
and test it with radtest if you get an Access-Accept for a user from LDAP.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Armin Krämer
Sent: Thursday, 19 January 2006 15:50
To: 'FreeRadius users mailing list'
Subject: Simple Question about LDAP

 
Where can I define that freeradius should look at the ldap database for user
accounts and not at the users list?

Greetings

Armin



RE: IP-Address assignment - NAS Pool if value is empty in LDAP

2006-01-11 Thread Seferovic Edvin
Hi,

YES... it is possible ( at least in my case it is ). I've used
Framed-IP-Address attribute which I mapped to an attribute in my LDAP
directory. As NAS I use Poptop daemon ( MS PPTP Server for Linux ).

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 11 January 2006 09:16
To: FreeRadius users mailing list
Subject: IP-Address assignment - NAS Pool if value is empty in LDAP

I am running freeradius-1.0.2-5.5 and need a solution for the following
problem:

we want to achieve that freeradius sends back an IP-Address if there is one
for that user in LDAP. If the value is empty freeradius shouldn't send back
an IP-Address and the NAS should choose one from its own ip-pool.

is this possible to realize?

greetings,
Stefan



RE: rlm_sqlcounter and something else than Session-Timeout

2005-12-20 Thread Seferovic Edvin
I think he wants Session-Octets-Limit to be sent back for limiting traffic
passed thru for each user. I've changed the plain counter module so it sends
back my attribute ;), and I think this could be done for sqlcounter as well.


I really don't know why everybody is telling that such config would be
impossible. It worked for me, so do I have to write a patch that would allow
users to switch between time and traffic accounting/limiting in sqlcounter
module, or could the professionals do that ?

Nicolas - the reply-name option is used for what? For sending back the value
in a specific attribute? Couldn't this be used for Damjan's purpose then?

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: Tuesday, 20 December 2005 11:48
To: FreeRadius users mailing list
Subject: Re: rlm_sqlcounter and something else than Session-Timeout

Damjan wrote:

 I limit users by bytes transferred, so I need to sum AcctInputOctets
 and AcctOutputOctets, compare that sum to a check attribute (let's
 call it Max-All-Transfer) and return a corresponding
 ChilliSpot-Max-Total-Octets.

 I believe this is not configurable in rlm_sqlcounter?

Indeed.

 I could try to make a patch if someone is willing to help me and guide
 me a bit.

I'd suggest to make the reply attribute user-defined (like the check
attribute). You might add an option reply-name with Session-Timeout
as the default value, so it doesn't break someone else's setup.

-- 
Nicolas Baradakis



RE: rlm_sqlcounter and something else than Session-Timeout

2005-12-20 Thread Seferovic Edvin


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 20 December 2005 17:30
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: rlm_sqlcounter and something else than Session-Timeout 

Seferovic Edvin [EMAIL PROTECTED] wrote:
 I really don't know why everybody is telling that such config would be
 impossible.

  It's impossible to enforce traffic limiting *during* a users
 session.  So if a user is a tiny bit below their limit and logs in
 again, they can go over their limit.  The server will only catch &
 enforce their limit on the next login.


I do NOT want to limit or change the limit during a session. I just want to
limit it for a session ( confusing - huh )! Consider following:

1. User starts to log in by using PPTP or PPPOE ( my cases )

2. sqlcounter sums up the used traffic, and subtracts it from a defined
limit

3. freeradius returns Session-Octets-Limit with the value from sqlcounter
which is the actual limitation. Freeradius should also return
Session-Octet-Direction because the traffic limitation is AFAIK a feature of
PPP and PPP needs to know if it should monitor upload, download, or use the
limit for max(upload+download).
 
4. the server running pptp, or pppoe gets the limit and sets the value for
the users current session. 

5. if user reaches the limit, his connection is terminated ( I've seen logs
and this works ;) ). If he tries to log again, he won't be allowed because
sqlcounter will provide 0 or negative value.

6. if user terminates his connection before reaching the limit, the
accounting data will be passed to sql. By the time he wants to connect
again, we will have the same game over. 

The catch is - PPP always lets user have a little bit more than the limit
actually is ( 10kB sometimes ), so the sqlcounter won't have to return
values like 2 or 5 bytes as a limit because the user will be way over
quota. I will have to dig into PPP implementation to see how this works
actually.

The next catch is - simultaneous logins - NO WAY ! here comes the impossible
part. You cannot limit traffic for 2 simultaneous connections - reason : the
session limit is only passed once to the service which uses freeradius AAA
features and it is not sent every few seconds or so.

THERE IS MORE  
  
  This has been discussed multiple times on the list over the past 5
 years.

 It worked for me, so do I have to write a patch that would allow
 users to switch between time and traffic accounting/limiting in
 sqlcounter module, or could the professionals do that ?

  If you know what you want, write a patch, and we'll review it.

  Alan DeKok.

Alan, I think you are a far better programmer than I am. It shouldn't be
a big trouble to allow another config parameter for sqlcounter. This one
could be named Reply-Attribute and people could use it to enter
Session-Timeout or Session-Octets-Limit depending on their need and
usage of freeradius.

I know that this is not a perfect or even a good solution, because it is not
a limitation in real-time, but considering many systems ( like smaller ISP
use ) this solution is even more than enough for their needs.

Regards,

Edvin Seferovic
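
Added example (not part of the original posts and not FreeRADIUS code): the quota flow from the numbered steps above, combined with the 32-bit limit raised in the "type of lvalue in VALUE_PAIR" thread on this page, written out in C. It rebuilds 64-bit totals from the Octets and Gigawords attributes and assumes the NAS reads the reply limit as a 32-bit integer; the struct, enum and function names are hypothetical and the rows are constructed sample data.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One stored accounting row (hypothetical layout). RADIUS integer attributes
 * are 32 bits wide; the Gigawords attributes count how many times the
 * matching Octets counter wrapped past 2^32. */
struct acct_row {
    uint32_t in_octets;      /* Acct-Input-Octets */
    uint32_t in_gigawords;   /* Acct-Input-Gigawords */
    uint32_t out_octets;     /* Acct-Output-Octets */
    uint32_t out_gigawords;  /* Acct-Output-Gigawords */
};

/* Which flow counts against the quota (hypothetical enum). */
enum direction { DIR_INPUT, DIR_OUTPUT, DIR_BOTH };

struct quota_reply {
    int      allow;          /* 0 = quota used up, reject the login */
    uint32_t session_limit;  /* value for a 32-bit reply attribute */
    int      clamped;        /* 1 = remaining quota did not fit in 32 bits */
};

/* Constructed sample rows for one user, not real accounting data. */
const struct acct_row SAMPLE_ROWS[] = {
    { 100u,        1u, 200u, 0u },  /* 4 GiB + 100 in, 200 out */
    { 4294967295u, 0u, 50u,  2u },  /* 4 GiB - 1 in, 8 GiB + 50 out */
};
const size_t SAMPLE_COUNT = sizeof(SAMPLE_ROWS) / sizeof(SAMPLE_ROWS[0]);

/* Rebuild the 64-bit byte count from the two 32-bit attributes. */
uint64_t combine_octets(uint32_t gigawords, uint32_t octets)
{
    return ((uint64_t)gigawords << 32) | octets;
}

/* Saturating add: a total that would overflow stays at the maximum, so it
 * still compares as "over quota" instead of wrapping to a small value. */
uint64_t sat_add(uint64_t a, uint64_t b)
{
    return (b > UINT64_MAX - a) ? UINT64_MAX : a + b;
}

/* Sum the traffic of all rows for the chosen direction. */
uint64_t total_used(const struct acct_row *rows, size_t n, enum direction dir)
{
    uint64_t total = 0;

    for (size_t i = 0; i < n; i++) {
        if (dir != DIR_OUTPUT)
            total = sat_add(total, combine_octets(rows[i].in_gigawords,
                                                  rows[i].in_octets));
        if (dir != DIR_INPUT)
            total = sat_add(total, combine_octets(rows[i].out_gigawords,
                                                  rows[i].out_octets));
    }
    return total;
}

/* Naive version: subtract and store in 32 bits. Exactly 4 GiB left becomes
 * 0, and an over-quota user wraps around to a large allowance. */
uint32_t truncated_limit(uint64_t limit, uint64_t used)
{
    return (uint32_t)(limit - used);
}

/* Checked version: reject when nothing is left, clamp when the remainder
 * exceeds what a 32-bit attribute can carry. A clamped session ends after
 * at most 2^32 - 1 bytes and the next login recomputes the remainder. */
struct quota_reply quota_check(uint64_t limit, uint64_t used)
{
    struct quota_reply r = { 0, 0, 0 };
    uint64_t remaining;

    if (used >= limit)
        return r;
    remaining = limit - used;
    r.allow = 1;
    if (remaining > UINT32_MAX) {
        r.session_limit = UINT32_MAX;
        r.clamped = 1;
    } else {
        r.session_limit = (uint32_t)remaining;
    }
    return r;
}

int main(void)
{
    uint64_t used = total_used(SAMPLE_ROWS, SAMPLE_COUNT, DIR_BOTH);
    uint64_t limit = used + 4294967296ULL;   /* exactly 4 GiB of quota left */
    struct quota_reply r = quota_check(limit, used);

    printf("used=%" PRIu64 " naive=%" PRIu32 " checked=%" PRIu32 " clamped=%d\n",
           used, truncated_limit(limit, used), r.session_limit, r.clamped);
    return 0;
}
```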



RE: rlm_sqlcounter and something else than Session-Timeout

2005-12-20 Thread Seferovic Edvin
OK, now I've understood that it's a NAS problem. ( Maybe my bad knowledge
of English language is guilty for that - sorry ).

Lewis suggested that I sponsor your project... well I would if I really
needed this feature so badly ;) and since I am just only a student, I might
try hacking the freeradius code.

In my scenario, I use Poptop and RP-PPPoE server as NAS ( by the way ). 

Alan should I write a patch for 1.0.5 or should I wait for 1.1.0, or just
take the daily from CVS?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 20 December 2005 19:53
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_sqlcounter and something else than Session-Timeout 

Seferovic Edvin [EMAIL PROTECTED] wrote:
 I do NOT want to limit or change the limit during a session. I just want to
 limit it for a session

  As I was trying to say that in general, you CANNOT do this.  You can
check if they're over the limit at the START of a session.  The NAS
will *not* check the limit during a session, and the server can't
check the limit during a session.

  So if they're under the limit at the start of the session, they can
go over during the session, and no one will notice.  This has NOTHING
to do with changing the limits during a session.

 3. freeradius returns Session-Octets-Limit with the value from sqlcounter
 which is the actual limitation.

  If the NAS supports this, it may work.  But 99.% of the NASes do
NOT support this.  It's not a standard, and it's not a common vendor
extension to RADIUS.

 Alan, I think you are a far better programmer than I am. It shouldn't be
 a big trouble to allow another config parameter for sqlcounter. This one
 could be named Reply-Attribute and people could use it to enter
 Session-Timeout or Session-Octets-Limit depending on their need and
 usage of freeradius.

  I can't test that, sorry.  I'd rather see a patch that works.

  Alan DeKok.



RE: Freeradius RPM for SUSE 10.0 or 9.3

2005-12-17 Thread Seferovic Edvin
Hi,

I would suggest you to compile freeradius from the scratch, because with the
RPM package you would also have dependency errors ( which will give you a
headache believe me ).

If you have troubles compiling, do some googling, and you'll find a
solution. If not - send an email to this list, and I am sure someone will be
able to pinpoint your mistake ( or missing component ).

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of LeRoy DeVries
Sent: Saturday, 17 December 2005 16:11
To: FreeRadius users mailing list
Subject: Freeradius RPM for SUSE 10.0 or 9.3

Does anyone here on the list have the RPM for freeradius /w experimental
modules to share with me. I would be very grateful.

I would compile it however, SUSE won't let me compile the program because of
interdependency errors and it's like chasing my tail so I gave up.

 
LeRoy






RE: how get current TRAFFIC (ACCT) ?

2005-12-15 Thread Seferovic Edvin
Hi,

for traffic information - look at the RADACCT table in your mysql database
called radius. A simple sql query could be -

SELECT UserName, SUM(AcctOutputOctets) AS download, SUM(AcctInputOctets) AS upload
FROM radacct GROUP BY UserName ORDER BY UserName ASC;

This should give you a list of your users and their upload and download
traffic ( list is sorted ascending by usernames ).

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Sokov
Sent: Thursday, 15 December 2005 11:33
To: freeradius-users@lists.freeradius.org
Subject: how get current TRAFFIC (ACCT) ?
Importance: High

Hi, freeradius-users.

Linux Debian, # uname -a
Linux g48 2.6.14.3-1 #4 Sun Dec 11 05:57:57 MSK 2005 i686 GNU/Linux

#freeradius -v
freeradius: FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at
11:56:56

# mysql -V
mysql  Ver 14.12 Distrib 5.0.13-rc, for pc-linux-gnu (i486) using readline
5.0

TELL ME PLEASE : HOW I CAN GET CURRENT TRAFFIC INFORMATION ?
I need to know how much traffic user eat before it close your session.

Do Know anybody ?
I try radwho, radlast - but they show all but acct information
Try radacct - but it is not show anything info, just run and no information
...

HELP PLEASE.


-- 
 Best Regards, Andreas  
 Thursday, December 15, 2005 1:29:42 PM



RE: HELP - Freeradius+mysql - LOST ACCOUNTING

2005-12-15 Thread Seferovic Edvin
Hi,

use Acct-Interim-Interval attribute ( maybe you will need to change your
dictionary file ). This also depends on pppoe which is using radclient - I
am not sure if it is supported by your server. I am using Poptop with
freeradius and it works. 

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Sokov
Sent: Thursday, 15 December 2005 11:29
To: freeradius-users@lists.freeradius.org
Subject: HELP - Freeradius+mysql - LOST ACCOUNTING
Importance: High

Hi, freeradius-users-bounces.

I use pppoe+ppp+freeradius+mysql on Linux Debian.
When user connect by pppoe - into radacct table inserts records, where
inOctets & out == 0
If session will be 20 hours - data about acct will be updated after session
will be close.
But if session will be lost - i lost ALL DATA ABOUT TRAFFIC (ACCT)
Tell me please - how i can update with interval current traffic for ever
connected users ?


-- 
 Best Regards, Andreas  
 Thursday, December 15, 2005 3:22:10 AM



RE: Re[2]: how get current TRAFFIC (ACCT) ?

2005-12-15 Thread Seferovic Edvin
Well you have set up your pppoe-server to send the accounting information
only at the end of the session. If connection is lost, you will have the
accounting data in your database with AcctTerminateCause something like
terminated by server. 

The session you have sent me is just an open session.

As I said - you can set the Acct-Interim-Interval attribute so that your
server sends the accounting packets every few minutes for example.

-Original Message-
From: Andreas Sokov [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 December 2005 12:42
To: freeradius-users@lists.freeradius.org
Cc: [EMAIL PROTECTED]
Subject: Re[2]: how get current TRAFFIC (ACCT) ?


 Hi.

[ You wrote Thursday, December 15, 2005, 2:14:10 PM ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=
SE Hi,

SE for traffic information - look at the RADACCT table in your mysql
database
SE called radius. A simple sql query could be -

-)
i know what information about traffic collect in that table.
But please, look at this :

Field               id 19                id 18
RadAcctId           19                   18
AcctSessionId       43A154E9151B00       43A13CE87DBE00
AcctUniqueId        835535e0e65d3ace     73e57ea8afc72d3b
UserName            test                 test
Realm
NASIPAddress        213.159.102.146      213.159.102.146
NASPortId           0                    0
NASPortType         Virtual              Virtual
AcctStartTime       2005-12-15 14:35:05  2005-12-15 12:52:40
AcctStopTime        -00-00 00:00:00      2005-12-15 14:10:12
AcctSessionTime     0                    4652
AcctAuthentic       RADIUS               RADIUS
ConnectInfo_start
ConnectInfo_stop
AcctInputOctets     0                    6857793
AcctOutputOctets    0                    7229167
CalledStationId
CallingStationId
AcctTerminateCause                       User-Request
ServiceType         Framed-User          Framed-User
FramedProtocol      PPP                  PPP
FramedIPAddress     192.168.96.10        192.168.96.10
AcctStartDelay      0                    0
AcctStopDelay       0                    0

look at id=19 into AcctStopTime and
while session OPENS! the value AcctInputOctets AcctOutputOctets == 0
!!!

and if session will be open during 20 hours - we can not know that current
value of AcctInputOctets AcctOutputOctets ?!

What you think about it ?

SE SELECT UserName, SUM(AcctOutputOctets) AS download, SUM(AcctInputOctets) AS upload
SE FROM radacct GROUP BY UserName ORDER BY UserName ASC;

SE This should give you a list of your users and their upload and download
SE traffic ( list is sorted ascending by usernames ).

SE Regards,

SE Edvin

SE -Original Message-
SE From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Sokov
SE Sent: Thursday, 15 December 2005 11:33
SE To: freeradius-users@lists.freeradius.org
SE Subject: how get current TRAFFIC (ACCT) ?
SE Importance: High

SE Hi, freeradius-users.

SE Linux Debian, # uname -a
SE Linux g48 2.6.14.3-1 #4 Sun Dec 11 05:57:57 MSK 2005 i686 GNU/Linux

SE #freeradius -v
SE freeradius: FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at
SE 11:56:56

SE # mysql -V
SE mysql  Ver 14.12 Distrib 5.0.13-rc, for pc-linux-gnu (i486) using
readline
SE 5.0

SE TELL ME PLEASE : HOW I CAN GET CURRENT TRAFFIC INFORMATION ?
SE I need to know how much traffic user eat before it close your session.

SE Do Know anybody ?
SE I try radwho, radlast - but they show all but acct information
SE Try radacct - but it is not show anything info, just run and no
information
SE ...

SE HELP PLEASE.


 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=

-- -
 Best Regards, Andreas
 Thursday, December 15, 2005 2:36:16 PM
 Web-Media L.t.d.
 +7 (901) 301-5811
 ICQ UIN 177624




RE: Re[4]: how get current TRAFFIC (ACCT) ?

2005-12-15 Thread Seferovic Edvin
Hi,

dictionary file on your freeradius server is usually found under 
/usr/share/freeradius/dictionary...

Search for 

ATTRIBUTE   Acct-Interim-Interval   85  integer

On your pppoe server ( which is using radiusclient ), look at
/etc/radiusclient/dictionary and add if not exists

ATTRIBUTE   Acct-Interim-Interval   85  integer

Then it might work.. what pppoe server are you using?

And please set up Acct-Interim-Interval to something greater than 2 minutes.
Values lower than 120 won't work.

Regards,

Edvin

-Original Message-
From: Andreas Sokov [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 December 2005 13:21
To: [EMAIL PROTECTED]
Cc: freeradius-users@lists.freeradius.org
Subject: Re[4]: how get current TRAFFIC (ACCT) ?


 Hi.

[ You wrote Thursday, December 15, 2005, 2:52:10 PM ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=
SE Well you have set up your pppoe-server to send the accounting
information
SE only at the end of the session. If connection is lost, you will have
the
SE accounting data in your database with AcctTerminateCause something like
SE terminated by server. 

SE The session you have sent me is just an open session.

SE As I said - you can set the Acct-Interim-Interval attribute so that your
SE server sends the accounting packets every few minutes for example.

i try
i insert into radreply :

id  UserName  Attribute              op  Value
1   test      Framed-IP-Address      :=  192.168.96.10
4   test      Acct-Status-Type       :=  Interim-Update
5   test      Acct-Interim-Interval  :=  60
6   test      Framed-IP-Netmask      :=  255.255.252.0

but it is not worked

you wrote : add attribute into dictionary file
tell me please IN WHAT FILE I NEED ADD IT ?

and what will have to line ?
into /etc/freeradius folder i c one file ./dictionary :

#
#   This is the master dictionary file, which references the
#   pre-defined dictionary files included with the server.
#
#   Any new/changed attributes MUST be placed in this file, as
#   the pre-defined dictionaries SHOULD NOT be edited.
#
#   $Id: dictionary.in,v 1.4 2004/04/14 15:26:20 aland Exp $
#

#
#   The filename given here should be an absolute path.
#
$INCLUDE /usr/share/freeradius/dictionary

#
#   Place additional attributes or $INCLUDEs here.  They will
#   over-ride the definitions in the pre-defined dictionaries.
#
#   See the 'man' page for 'dictionary' for information on
#   the format of the dictionary files.

#
#   If you want to add entries to the dictionary file,
#   which are NOT going to be placed in a RADIUS packet,
#   add them here.  The numbers you pick should be between
#   3000 and 4000.
#

#ATTRIBUTE  My-Local-String   3000  string
#ATTRIBUTE  My-Local-IPAddr   3001  ipaddr
#ATTRIBUTE  My-Local-Integer  3002  integer

what i need add there ?
like this :

ATTRIBUTE  Acct-Interim-Interval  3003  integer
ATTRIBUTE  Acct-Status-Type       3004  string


??







SE -Original Message-
SE From: Andreas Sokov [mailto:[EMAIL PROTECTED] 
SE Sent: Thursday, 15 December 2005 12:42
SE To: freeradius-users@lists.freeradius.org
SE Cc: [EMAIL PROTECTED]
SE Subject: Re[2]: how get current TRAFFIC (ACCT) ?


SE  Hi.

SE [ You wrote Thursday, December 15, 2005, 2:14:10 PM ]
SE
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
SE =-=
SE Hi,

SE for traffic information - look at the RADACCT table in your mysql
SE database
SE called radius. A simple sql query could be -

SE -)
SE i know what information about traffic collect in that table.
SE But please, look at this :

SE RadAcctId   AcctSessionId   AcctUniqueIdUserName  Realm
SE NASIPAddress NASPortId  NASPortType  AcctStartTime  AcctStopTime
SE AcctSessionTime AcctAuthentic   ConnectInfo_start
SE ConnectInfo_stopAcctInputOctets AcctOutputOctets
SE CalledStationId CallingStationIdAcctTerminateCause
SE ServiceType FramedProtocol  FramedIPAddress
SE AcctStartDelay  AcctStopDelay
SE 19  43A154E9151B00  835535e0e65d3acetest
SE 213.159.102.146  0  Virtual  2005-12-15 14:35:05
-00-00
SE 00:00:00 0   RADIUS  0   0
SE Framed-User PPP 192.168.96.10   0   0
SE 18  43A13CE87DBE00  73e57ea8afc72d3btest
SE 213.159.102.146  0  Virtual  2005-12-15 12:52:40
2005-12-15
SE 14:10:12 4652RADIUS  6857793 7229167
SE User-RequestFramed-User PPP 192.168.96.10   0   0

SE look at id=19 into AcctStopTime and
SE while session OPENS! the value AcctInputOctets AcctOutputOctets
== 0
SE !!!

SE and if session will be open during 20 hourse - we can not know that
current
SE value of
SE AcctInputOctets AcctOutputOctets 

RE: Dictionary files for HP Procurve switch?

2005-12-15 Thread Seferovic Edvin
Hi,

I am using HP ProCurve 2626 ( smaller version of 2650 ) and I haven't seen
any dictionary files nor need for a dictionary file. MAC-Based auth is
working fine with freeradius and I suppose EAP would work fine as well.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 13 December 2005 23:30
To: FreeRadius users mailing list
Subject: Re: Dictionary files for HP Procurve switch? 

Mark Tunnell [EMAIL PROTECTED] wrote:
 Can anyone point me to dictionary file for an HP ProCurve 2650 switch?

  Ask HP.  I've never used one of those switches, or seen an HP dictionary.

  Alan DeKok.


RE: Freeradius and LDAP : to be continued

2005-12-15 Thread Seferovic Edvin
Hello,

I must admit, I have been reading this thread, but I still do not understand
what Christophe is trying to accomplish. As far as I understand - you have
your passwords in LDAP, and you only ( kind of ) need to authorize but NOT
authenticate users that are in your LDAP directory.. 

Please correct me...

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christophe Gravier
Sent: Donnerstag, 15. Dezember 2005 16:05
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Phil Mayers wrote:

 Alan DeKok wrote:

 [EMAIL PROTECTED] wrote:

 rlm_ldap: Adding userPassword as User-Password, value {  op=11


   That's better.

 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP


   Yuck.

   My quick answer is to edit rlm_ldap.c to have it *never* set
 Auth-Type to LDAP.  That would solve a lot of problems.


 Interesting. I mentioned this to another querier the other day:


http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html



Ar. You lost me.

Still not working.
I can't imagine I'm unable to make freeradius use LDAP password without 
hacking it :-/


 What then would the authenticate section look like to use LDAP? 
 Presumably something like:

 authenticate {
   Auth-Type PAP {
     ldap
   }
 }

 ...but of course then you get into what happens if you want 2 
 different services in the same server, such as:

 authenticate {
   Auth-Type PAP-service1 {
     ldap1
   }
   Auth-Type PAP-service2 {
     ldap2
   }
   Auth-Type MSCHAP-service1 {
     mschap1
   }
   Auth-Type MSCHAP-service2 {
     mschap2
   }
 }

 ...etc. - nasty. Is it possible to do:

 authenticate {
   Huntgroup Service1 {
     Auth-Type PAP {
       ldap1
     }
     Auth-Type MSCHAP {
       mschap1
     }
   }

   Huntgroup Service2 {
     Auth-Type PAP {
       ldap2
     }
     Auth-Type MSCHAP {
       mschap2
     }
   }
 }

 ...although Realm might make more sense than Huntgroup in 
 understanding what I mean.

 There's also the possibility of wanting to use fallback:

 authenticate {
   Auth-Type PAP {
     ldap
     pap
   }
 }

 ...although I'm pretty sure you can do that with configurable failover 
 and the above syntax is wrong.



-- 
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html



RE: Freeradius and LDAP : to be continued

2005-12-15 Thread Seferovic Edvin
Hi,

rather confusing. I have to admit, I have never used chillispot, but I've
just visited their website and in FAQ I found "Why should I use
CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot
uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as
authorisation, but as a password storage. Okay - great.. what now?

When you look at your radiusd.conf file there is a part where you can define
your LDAP server etc.. 

ldap ldap_users {

        server = 81.xx
        # identity = cn=admin,o=My Org,c=UA
        # password = mypass
        basedn = "ou=People,dc=xxx,dc=xx"
        filter = "(&(objectClass=posixAccount)(uid=%u))"

        start_tls = no

        ..
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 10
        # password_header = {clear}
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}

I hope you have that right ( this is only a part of my working config ).
Next, what Alan said is to change the authorisation part. As I said -
chillispot apparently wants CHAP, so in following section use CHAP

authorize {

        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
        chap

        # here you can also have
        ldap_users
        # for radtest to work ( IMHO it should be like this )
}

And in 

authenticate {

        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
                ldap_users
        }
}

As it says in authenticate section - passwords in LDAP should be in clear
text... 

Try this out. I cannot promise you that it will work, but it is the same way
I have set up my POPTOP server with MS-CHAP, and it works.. I would also
appreciate some guru to take a look at this and publish his opinion about
this on this list ;)

Kind regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christophe Gravier
Sent: Donnerstag, 15. Dezember 2005 16:41
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Hello Edvin,

First, I received my email posted to the list several times in my mail 
client.
I highly hope this is not the case for all of you ! (if it is, thunderbird 
didn't like to switch from the testing wireless network back to cable 
and vice versa, since they're all dated to the same hour)
If you received only one mail, it is OK, just forget what I told ;-)

For what I am trying to do:
I have an existing LDAP directory with all users being able to connect 
to the wireless area.

The hotspot architecture is :

client - chillispot (login page served with apache2 + ssl) - 
freeradius - ldap.

I just want my ldap users being able to connect to the hotspot.

So, *at first*, I edited the conf file to let users be authenticated via 
LDAP.

This way, radtest was just OK but not ChilliSpot. When I reported it to 
the list, asking how radtest is different to chillispot login, Alan 
explained to me:
 You're using LDAP as an authentication server. Don't do that. Use LDAP 
to store passwords.
 i.e. remove the ldap entry from the authenticate section. Get 
radtest to work. Once that works, Chillispot will work, too.

So I removed ldap from authenticate (I left it in the authorize section 
though).

But it still doesn't solve the problem.

In the end, Alan proposed to hack rlm_ldap.c to have it *never* set 
Auth-Type to LDAP. That would solve a lot of problems.

I just find it dirty to hack the radius then recompile to get ldap 
support :-(

If you're using LDAP for your users accessing the hotspot, would you 
please tell me how you achieve this ?

Best Regards,

Seferovic Edvin wrote:

Hello,

I must admit, I have been reading this thread, but I still do not
understand
what Christophe is trying to accomplish. As far as I understand - you have
your passwords in LDAP, and you only ( kind of ) need to authorize but NOT
authenticate users that are in your LDAP directory.. 

Please correct me...

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christophe Gravier
Sent: Donnerstag, 15. Dezember 2005 16:05
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Phil Mayers wrote:

  

Alan DeKok wrote:



[EMAIL PROTECTED] wrote:

  

rlm_ldap: Adding userPassword as User-Password, value {  op
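
The comment in the authenticate section above says the back end must supply a clear-text password for CHAP. The following sketch is an added example (not FreeRADIUS code and not part of the original posts) of the CHAP check from RFC 2865, showing why a directory that only holds a one-way hash cannot pass it. The password, challenge and salt are constructed values.

```python
"""Sketch of RADIUS CHAP verification (RFC 2865, section 5.3).

Added example; not taken from FreeRADIUS. All sample values are constructed.
"""
import hashlib
import hmac
import os


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Return the 17-byte CHAP-Password value: ident + MD5(ident|password|challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def verify_chap(chap_password: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever the back end stores."""
    if len(chap_password) != 17:
        return False  # malformed attribute: 1 ident byte + 16 digest bytes
    expected = chap_response(chap_password[0], stored_secret, challenge)
    return hmac.compare_digest(expected, chap_password)


def demo() -> dict:
    """Run four cases against one response computed by a (simulated) client."""
    challenge = bytes(range(16))      # constructed CHAP-Challenge
    password = b"s3cret-example"      # constructed user password
    sent = chap_response(0x2A, password, challenge)  # what the NAS forwards

    # Stand-in for a hashed userPassword value (constructed, salted SHA-1).
    hashed_entry = hashlib.sha1(password + b"salt").digest()

    return {
        # Directory holds the clear-text password: server can recompute MD5.
        "cleartext_store": verify_chap(sent, challenge, password),
        # Wrong password stored or supplied: digest differs.
        "wrong_password": verify_chap(sent, challenge, b"guess"),
        # Directory holds only a hash: the server can feed nothing into MD5
        # that matches what the client computed from the real password.
        "hashed_store": verify_chap(sent, challenge, hashed_entry),
        # Same response replayed against a fresh challenge is rejected.
        "replayed_on_new_challenge": verify_chap(sent, os.urandom(16), password),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'accept' if ok else 'reject'}")
```
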

RE: bandwidth per user (pppoe)

2005-12-14 Thread Seferovic Edvin
Do you talk about current bandwidth like 1 MBit/sec or are you referring to
traffic limitations i.e. 20 GB per month ???

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TwoMan
Sent: Mittwoch, 14. Dezember 2005 18:43
To: freeradius-users@lists.freeradius.org
Subject: bandwidth per user (pppoe)

Hi All,

I have successfully set up freeradius with mysql backend, rp-pppoe
concentrator, and pppd. Bandwidth control also working, but every pppd
connection has the same bandwidth, because I cannot determine which
user has been connected. I use the ppp/ip-up script to control the
bandwidth. The desired bandwidth is in the mysql database too, for each
user.
Could You help me find a way how to use different bandwidth to each user?

thx in advance

TM



RE: dictionary: adding MONTHLY-TIME-LIMIT

2005-12-06 Thread Seferovic Edvin
I can only agree with Lewis Bergman. And believe me - I am subscribed to many
mailing lists - and on this one, you get help from really good and competent
people ( like developers of the software ). Such support you don't even
get when you buy software !! 

In the name of all members of this list - please be polite and do NOT
overreact to some posts. It is understandable that you come here when you
need to get your questions answered ( read - desperate ;) in my case ), but
stay calm and polite and everything will work out.. trust me...

Regards,

Edvin

PS: sorry for this off topic mail !

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lewis
Bergman
Sent: Mittwoch, 07. Dezember 2005 00:45
To: FreeRadius users mailing list
Subject: Re: dictionary: adding MONTHLY-TIME-LIMIT

don james wrote:
 Oh, yeah, right.  It may as well be written in Greek.  Thanks for nothing.
You are sure to get many helpful responses now. If you read it and don't 
understand what you read, then why not post what is confusing you? You 
might as well go buy the O'Reilly RADIUS book now. You're not likely to 
get much help anywhere else with that attitude of yours.


RE: SQL Call-Check Authentication (again :( )

2005-12-05 Thread Seferovic Edvin
Well - I am not a developer but it seems that is a restriction of the SQL
module. If you comment out that part of the code and recompile freeradius,
it should work as the file-based-auth ;)

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of florian
broder
Sent: Montag, 05. Dezember 2005 14:19
To: freeradius-users@lists.freeradius.org
Subject: SQL Call-Check Authentication (again :( )

Hi.

I'm still having a hard time of implementing the Calling-Station-Id
Authentication. Basis is a Cisco Catalyst with
Mac-Authentication-Bypass turned on.

Alan DeKok told me, that I can use sql.conf:

#Use Stripped-User-Name, if it's there.
#Else use User-Name, if it's there,
--#Else use hard-coded string DEFAULT as the user name.--
sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"

To tell freeradius, that there is no user-name.
Ok, I've done that, but It gives me this error:

rad_recv: Access-Request packet from host 192.168.1.222:1038, id=13,
length=45
Service-Type = Call-Check
Calling-Station-Id = 11-22-33-44-55-66
-- rlm_sql (sql): zero length username not permitted --

That's basically the same packet, the Cisco Switch sends as
Auth-Request. Notice, that there is NO user-name in here at all.

The fact is also mentioned in the sql Source-Code:

/*
 *  They MUST have a user name to do SQL authorization.
 */
if ((request->username == NULL) ||
    (request->username->length == 0)) {
        radlog(L_ERR, "rlm_sql (%s): zero length username not permitted\n",
               inst->config->xlat_name);
        return RLM_MODULE_INVALID;
}

Switching to file-based-Authentication (in radiusd.conf) it works
immediately:

rad_recv: Access-Request packet from host 192.168.1.222:1044, id=19,
length=45
Service-Type = Call-Check
Calling-Station-Id = 11-22-33-44-55-66
Sending Access-Accept of id 19 to 192.168.1.222:1044
Reply-Message = Hello

So, it's really a limitation in sql, rather than a misconfiguration?

Would be nice, if anyone can confirm this!


Bye Flo



RE: Free Radius and Squid

2005-12-05 Thread Seferovic Edvin
AFAIK - NO - it is way too simple to work like that. Squid is only a
cache. You could redirect a user to a login site with your firewall script,
after he logs in, you could redirect him to squid ( at least his http
traffic ). But again AFAIK there is no radius client module for squid. Nor
is it planned in a way you want it.

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sean Ali
Sent: Montag, 05. Dezember 2005 22:54
To: freeradius-users@lists.freeradius.org
Subject: Free Radius and Squid

Hello,

I'm very new to free radius and would like to know if it will run with 
squid proxy server. If so how would this work? What I am looking to do 
is to allow users to access the internet via the transparent squid 
proxy for limited time sessions. Eg. a user who wishes to use the 
system would be greeted by a web page asking for a code. The code 
(which they would get from the system admin) would grant them access 
for 1 hour. Can this be done using FreeRadius and Squid?

Sean.



RE: 802.1x ldap tls

2005-12-01 Thread Seferovic Edvin
Hi,

as it says

rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for myRfx with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
   modcall[authenticate]: module mschap returns reject for request 9

you will need a clear-text password or a NT/LM password hash to be in your
LDAP directory. Then you have to map that attribute ( for example
sambaNTPassword ) to User-Password. You are trying to do MSCHAP but there is
simply no defined password for this authorization type.

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paolo
Barbato
Sent: Donnerstag, 01. Dezember 2005 09:48
To: freeradius-users@lists.freeradius.org
Subject: 802.1x ldap tls

Hi list,

yes I know that this question has been discussed so many times but, 
still I'm in trouble.

I've set up freeradius in order to authenticate+authorize Cisco NAS of
Aironet.

I've successfully connected PC/MAC wireless clients using TTLS+PAP 
with in backend and LDAP DB.

Problem arises when I try to make the same with TLS, I mean 
PEAP+MSCHAP and LDAP DB. This doesn't work. If I set a local user in 
users file, that is good, but if I try a LDAP user nothing comes.

LDAP store plain password. Some hints ?

Here, some extracts from log:


rlm_ldap: - authorize rlm_ldap: performing user authorization for myRfx
radius_xlat:  '(uid=myRfx)'
radius_xlat:  'o=Consorzio RFX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Consorzio RFX, with filter (uid=myRfx)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myRfx authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 9
modcall: group authorize returns updated for request 9
   rad_check_password:  Found Auth-Type EAP
auth: type EAP
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
   Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 9
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for myRfx with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
   modcall[authenticate]: module mschap returns reject for request 9
modcall: group Auth-Type returns reject for request 9
   rlm_eap: Freeing handler
   modcall[authenticate]: module eap returns reject for request 9
modcall: group authenticate returns reject for request 9
auth: Failed to validate the user.
Login incorrect: [myRfx/no User-Password attribute] (from client 
localhost port 0)
   PEAP: Got tunneled reply RADIUS code 3
 MS-CHAP-Error = \tE=691 R=1
 EAP-Message = 0x04090004
 Message-Authenticator = 0x
   PEAP: Processing from tunneled session code 0x9db3b30 3
 MS-CHAP-Error = \tE=691 R=1
 EAP-Message = 0x04090004
 Message-Authenticator = 0x
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE
   modcall[authenticate]: module eap returns handled for request 9
modcall: group authenticate returns handled for request 9
Sending Access-Challenge of id 239 to 150.178.33.150:1645
 EAP-Message = 
0x010a002a1900170301001f1daf025ff66ee7cba51f42762f540bf78052e745788d4144c970
5681d67359
 Message-Authenticator = 0x
 State = 0x2846493df32aa5a3d90a7d4d8c3b4867
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 150.178.33.150:1645, 
id=240, length=176
 User-Name = myRfx
 Framed-MTU = 1400
 Called-Station-Id = 0011.2075.ab11
 Calling-Station-Id = 0030.6519.c496
 Service-Type = Login-User
 Message-Authenticator = 0x33f13f5d35c399dbc0f3422dc2c798d9
 EAP-Message = 
0x020a002a1900170301001fa1cae4d87f9f3e55c42ec8b99729dadddf42ba9a8f4eba029615
a9ece90eff
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 12652
 State = 0x2846493df32aa5a3d90a7d4d8c3b4867
 NAS-IP-Address = 150.178.33.150
 NAS-Identifier = NET26
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
   modcall[authorize]: module preprocess returns ok for request 10
   modcall[authorize]: module chap returns 

RE: regexp with ldap

2005-11-27 Thread Seferovic Edvin
Hello,

has anyone got this working? I have a similar setup, but I've decided to have
an extra copy of mac-addresses in my ldap tree for mac-auth. 

Markus, have you found a solution?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus
Krause
Sent: Donnerstag, 24. November 2005 01:15
To: freeradius-users@lists.freeradius.org
Subject: regexp with ldap

hi all,

i am using freeradius 1.0.5 on sles 9.

what i want to achieve:
network devices send their mac-address to a switch, which then sends
access-request packages to the freeradius. the mac-addresses are stored in an
ldap tree using the objectclass dhcpHost and the entry dhcpHWAddress (which
is also used for dhcp).
unfortunately the attribute dhcpHWAddress contains entries like "ethernet
00:11:22:33:44:55" and not only the mac address.
(how) can i use regexp to get the necessary information from ldap?
i read variables.txt but seem to be misunderstanding the concept (sorry, i am
not an english native speaker ..). do i have to enter something in the ldap
section in 'filter=...' radiusd.conf?

could someone give me some examples?

thanks in advance for any hints!

best regards,
   markus


--
Markus Krause   email: [EMAIL PROTECTED]
Computing CenterTel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98



multiple timespan entries ( Login-Time )

2005-11-22 Thread Seferovic Edvin
Hi,

I would like to allow my users to access the internet only between 0700 and
1430 and between 1530 and 2200 hours. So my Login-Time attribute looks like
Wk0700-1430, Wk1530-2200. It is also stored in my LDAP directory... so.. my
user wants to connect at 1600 and I get message "Auth: Outside allowed
timespan (time allowed Wk0700-1430): username" ... why is freeradius ignoring
the second entry? Or should multiple entries look else than that?

Regards,

Edvin Seferovic


RE: Radius Server

2005-11-15 Thread Seferovic Edvin
Lay a 150$ bucks on the table and I'll install it for ya ;)

Sure.. the configuration will cost you probably another 150$ ;)

Regards,

Edvin

PS: should mailing lists not be a place where you come to share your
knowledge or ask for a help on specific topic and problems... besides I
think that freeradius has really good documentation ( which is not specific
for open source software ) and a website which contains a lot of helpful
information !!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of tarun
sharma
Sent: Dienstag, 15. November 2005 10:28
To: freeradius-users@lists.freeradius.org
Cc: [EMAIL PROTECTED]
Subject: Radius Server

Dear All,

We are making a new Radius Server for our billing
purpose so please kindly send me the installation
procedure of new radius and necessary requirements of
system.

Waiting for your reply

Thanks  Regards,
Amit





RE: Radius Server

2005-11-15 Thread Seferovic Edvin
Oh cmon.. I was just kidding actually. I didn't expect someone to hire an
admin for 150$. Sure.. maybe for a ./configure | make | make install stuff
:P

Besides - you don't just install RADIUS server... how about planning etc.. 

Regards,

Edvin

PS: sorry for going OT 

-Original Message-
From: BillB [mailto:[EMAIL PROTECTED] 
Sent: Dienstag, 15. November 2005 15:32
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: RE: Radius Server


You're cheap I'd do the install and config for $500

I agree this is the first time I've posted to the list because I've found 
all my answers in the documentation, or in the archives.

Bill

-
   Bill Beaudet|  [EMAIL PROTECTED]
   Network Administrator   |  http://www.gloryroad.net
   252-492-4317 ext 19 |  NCOL/GloryRoad Internet

On Tue, 15 Nov 2005, Seferovic Edvin wrote:

 Lay a 150$ bucks on the table and I'll install it for ya ;)

 Sure.. the configuration will cost you probably another 150$ ;)

 Regards,

 Edvin

 PS: should mailing lists not be a place where you come to share your
 knowledge or ask for a help on specific topic and problems... besides I
 think that freeradius has really good documentation ( which is not
specific
 for open source software ) and a website which contains a lot of helpful
 information !!!

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of tarun
 sharma
 Sent: Dienstag, 15. November 2005 10:28
 To: freeradius-users@lists.freeradius.org
 Cc: [EMAIL PROTECTED]
 Subject: Radius Server

 Dear All,

 We are making a new Radius Server for our billing
 purpose so please kindly send me the installation
 procedure of new radius and necessary requirements of
 system.

 Waiting for your reply

 Thanks  Regards,
 Amit





RE: assigning a vlan-id after successful authentication

2005-11-13 Thread Seferovic Edvin
Sure but that ain't working.. at least not on my switches and don't ask me
why... I usually have 2-3 computers on one port ( but computers have the same
VLANID in RADIUS ), so might that be the problem?

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Sonntag, 13. November 2005 21:58
To: FreeRadius users mailing list
Subject: RE: assigning a vlan-id after successful authentication

First, this information is well documented both by ProCurve
and in RFC3580.

That said the AV pairs you're looking for are as follows:

Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 123 (the VLAN)
Tunnel-Type = VLAN

Jeff

 Original Message 
Subject: assigning a vlan-id after successful authentication
From: Sven Juergensen [EMAIL PROTECTED]
Date: Fri, November 11, 2005 8:48 pm
To: freeradius-users@lists.freeradius.org

hello people,

how does the above mentioned work? i am
not quite sure where to start. is it
embedded in the 'Reply-Message' or does
it have to do with the tunnel-types?

i'm trying to supply a vlan-id to an
hp2626 with mac-based authentication.

couldn't find this in the faq or
relevant conf-files either - what am
i missing?

thanks alot in advance,

sven
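
To check whether the three attributes Jeff lists are really present in a reply sent to the switch, the following added sketch (not from the thread and not FreeRADIUS code) encodes them as RFC 2868 tagged attributes and decodes the attribute bytes of a reply back into a VLAN assignment. The attribute numbers come from RFC 2868 and RFC 3580; the sample bytes are constructed.

```python
"""Encode and decode the RFC 3580 VLAN attributes of a RADIUS reply (added example)."""

TUNNEL_TYPE = 64               # RFC 2868
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868
VLAN = 13                      # Tunnel-Type value defined in RFC 3580
IEEE_802 = 6                   # Tunnel-Medium-Type value for 802 media


def encode_vlan_attrs(vlan_id: str, tag: int = 0) -> bytes:
    """Build the three attributes as they appear in an Access-Accept."""
    def tagged_int(attr: int, value: int) -> bytes:
        # type, length=6, tag byte, 3-byte big-endian value
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")

    group = vlan_id.encode("ascii")
    if tag:  # the tag byte is optional on the string attribute
        group = bytes([tag]) + group
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def parse_attrs(data: bytes):
    """Yield (type, value) pairs; raise ValueError on truncated or bad lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr}")
        yield attr, data[pos + 2:pos + length]
        pos += length


def vlan_from_reply(data: bytes):
    """Return (vlan_id or None, list of problems) for a reply's attribute bytes."""
    seen = {}
    for attr, value in parse_attrs(data):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {attr}: expected tag + 3 bytes")
            seen[attr] = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte in 0x01..0x1F is a tag; anything else is data.
            if value and 0x01 <= value[0] <= 0x1F:
                value = value[1:]
            seen[attr] = value.decode("ascii", "replace")

    problems = []
    if seen.get(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type is missing or not VLAN (13)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("Tunnel-Medium-Type is missing or not 802 (6)")
    if not seen.get(TUNNEL_PRIVATE_GROUP_ID):
        problems.append("Tunnel-Private-Group-ID is missing or empty")
    vlan = seen.get(TUNNEL_PRIVATE_GROUP_ID) if not problems else None
    return vlan, problems


if __name__ == "__main__":
    good = encode_vlan_attrs("123")                  # constructed reply attributes
    only_message = bytes([18, 7]) + b"Hello"         # constructed: Reply-Message only
    for label, raw in (("vlan reply", good), ("message only", only_message)):
        print(label, raw.hex(), vlan_from_reply(raw))
```
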

RE: assigning a vlan-id after successful authentication

2005-11-13 Thread Seferovic Edvin
I am aware of the fact that 1 VLAN per port is possible. Besides I am using
mac-based authentication, so I've tried what happens when I connect only one
computer per switch port, but as I already have written, the Radius-Reply is
kind of ignored :(. Has anyone had such problems or it's just me? :(

Jeff, do you maybe know how VLAN assignment is being done with mac-based auth?
Would it on link-down set the port VLAN to the manually set for unauthorised
clients?

TIA !

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Montag, 14. November 2005 04:11
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: RE: assigning a vlan-id after successful authentication

The 2626 supports 1 VLAN per port. I'm not sure exactly how the 2626 deals
with multiple supplicants... but I would bet (based on past experience on
other switches)... the 2626 ignores all 802.1x (EAP Starts) from any
subsequent endpoints after the first successful authentication (until the
port sees link-down or an EAP logoff from the original supplicant).
Whatever provisioning (VLANs in your case) is based on the first endpoint's
authentication/authorization all other endpoints will share the same level of
access as the first (authenticated supplicant).

Jeff

 Original Message 
Subject: RE: assigning a vlan-id after successful authentication
From: Seferovic Edvin [EMAIL PROTECTED]
Date: Sun, November 13, 2005 2:35 pm
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org

Sure but that ain't working.. at least not on my switches and don't ask me
why... I usually have 2-3 computers on one port ( but computers have the same
VLANID in RADIUS ), so might that be the problem?

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Sonntag, 13. November 2005 21:58
To: FreeRadius users mailing list
Subject: RE: assigning a vlan-id after successful authentication

First, this information is well documented both by ProCurve
and in RFC3580.

That said the AV pairs you're looking for are as follows:

Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 123 (the VLAN)
Tunnel-Type = VLAN

Jeff

 Original Message 
Subject: assigning a vlan-id after successful authentication
From: Sven Juergensen [EMAIL PROTECTED]
Date: Fri, November 11, 2005 8:48 pm
To: freeradius-users@lists.freeradius.org

hello people,

how does the above mentioned work? i am
not quite sure where to start. is it
embedded in the 'Reply-Message' or does
it have to do with the tunnel-types?

i'm trying to supply a vlan-id to an
hp2626 with mac-based authentication.

couldn't find this in the faq or
relevant conf-files either - what am
i missing?

thanks alot in advance,

sven

RE: assigning a vlan-id after successful authentication

2005-11-12 Thread Seferovic Edvin
Hi,

I have been trying to do that on HP 2626 ! But the attributes ( according to
RFC 3500 - I think this one is the right one ) are not accepted by 2626 :(
for some bloody reason the Tunnel-Type aren't accepted by the switch. In the
manuals HP writes that Switch expects VID in the RADIUS reply message. I've
tried this one too - but no good :(

I think maybe someone should ask HP how they expect this to work!

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sven
Juergensen
Sent: Samstag, 12. November 2005 04:48
To: freeradius-users@lists.freeradius.org
Subject: assigning a vlan-id after successful authentication

hello people,

how does the above mentioned work? i am
not quite sure where to start. is it
embedded in the 'Reply-Message' or does
it have to do with the tunnel-types?

i'm trying to supply a vlan-id to an
hp2626 with mac-based authentication.

couldn't find this in the faq or
relevant conf-files either - what am
i missing?

thanks alot in advance,

sven


RE: mysql.sock moved and cannot be found by freeradius !

2005-11-07 Thread Seferovic Edvin
I think this is the most simple solution. Making symlinks to the usual
location might be confusing for other applications or users themselves.

Is there any performance difference between using .sock and tcp connection
to localhost?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason
Clifford
Sent: Montag, 07. November 2005 17:07
To: FreeRadius users mailing list
Subject: Re: mysql.sock moved and cannot be found by freeradius ! 

On Mon, 7 Nov 2005, Alan DeKok wrote:

 Nicolas Baradakis [EMAIL PROTECTED] wrote:
  Question for Alan: it seems easy to pass an option to the libmysqlclient
  to make it read a section called radiusd in my.cnf. It'd make possible
  to define there any options specific to MySQL which are not available
  through our sql.conf. Should I try to add this to the CVS ?

If you are going to make a change in freeradius to cope with this don't 
waste time trying to read the my.cnf file as you won't know where it is 
with any certainty.

Instead have a section in the sql.conf to specify the mysql socket file.

Jason Clifford
-- 
UKFSN.ORGFinance Free Software while you surf the 'net
http://www.ukfsn.org/  2Mb ADSL Broadband from just £14.98 / month 
http://www.linuxadsl.co.uk/  ADSL Routers from just £21.98



mysql.sock moved and cannot be found by freeradius !

2005-11-05 Thread Seferovic Edvin
Hi,

and a big HLP ( or should I say save our/my soul ) I've moved my mysql
database to another partition ( databases were getting big ) and I've
corrected my mysql config so that the socket file is now located at
/data/mysql/mysql.sock. Restarted MySql and it worked.. but my freeradius
( 1.0.5 ) first crashed with seg. fault ( I suppose this happened because of
an Access-Request packet while restarting the server )... and when I started
it for the second time it said that it cannot find the mysql.sock file in the
usual place ( /var/lib/mysql/mysql.sock )... is the location of mysql.sock
hard-coded in freeradius ?

What can I do to get my radius connect to mysql ?

Thank you very much in advance...

Regards,

Edvin Seferovic

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: mysql.sock moved and cannot be found by freeradius !

2005-11-05 Thread Seferovic Edvin
Hi,

I have been looking at sql.conf, but no use.. I use localhost, usual port,
username and password are okay.. and this is what freeradius says to me now.

Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Error: rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
Error: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.

But according to my new mysql datadir location ( and my my.cnf file ) - the
socket can be found at /data/mysql/mysql.sock... shouldn't freeRadius find
out the new location? How is this done anyway? 

Any hints? I would be thankful !

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Sonntag, 06. November 2005 05:15
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: mysql.sock moved and cannot be found by freeradius ! 

Seferovic Edvin [EMAIL PROTECTED] wrote:
 when I started it for the second time - it said that it cannot find
 the mysql.sock file in the usual place ( /var/lib/mysql/mysql.sock
 )... is the location of mysql.sock hard-coded in freeradius ?

  No.  See sql.conf.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: 802.1x

2005-11-02 Thread Seferovic Edvin
I hate quoting but

IEEE 802.1X is an IEEE standard for port-based network access control, part
of the IEEE 802 (802.1) group of protocols. It provides authentication to
devices attached to a LAN port, establishing a point-to-point connection or
preventing access from that port if authentication fails. It is used for
certain closed wireless access points, and is based on the EAP, Extensible
Authentication Protocol (RFC 2284). RFC 2284 has been obsoleted by RFC 3748

Says it is a standard for port-based network access control, and as far as I
know - it has nothing to do with PORTS on a user machine. By port-based it
is not meant the port on a user machine, but the ports on an access hardware
like a switch.

I hope I could help you out of dilemma !

Regards,

Edvin 

-Original Message-
From: Alex M [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 02. November 2005 23:07
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: RE: 802.1x

Wikipedia well, can it show me how to block ports like port 88 on user side?
Yea I should learn how to use goggle he he

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Seferovic Edvin
Sent: Wednesday, November 02, 2005 4:42 PM
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Maybe you should learn how to do a research with google ;) or just use an
encyclopedia...

http://en.wikipedia.org/wiki/802.1x

have fun !

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Mittwoch, 02. November 2005 22:34
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

That's what I started with... but it returns me all very very expensive
enterprise equipment, and other junk... well maybe I'm using wrong keyword
but goggle doesn't give me anything I'm looking for

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver
Graf
Sent: Wednesday, November 02, 2005 4:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x

On Wed, Nov 02, 2005 at 11:10:20AM -0500, Alex M wrote:
 Now im totally lost...
 Can u give me an example what 802.1x does?

Can u use google?

Oliver.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP Authentication

2005-10-26 Thread Seferovic Edvin
Hi,

I think that your problem has nothing to do with LDAP.. because ..

--- snip ---
rlm_ldap: user jtaylor authorized to use remote access
--- snip ---

Your certificates are not okay.. TLS says that the CA is unknown

TLS Alert read:fatal:unknown CA
 TLS_accept:failed in SSLv3 read client certificate A

Check them...

Regards,

Edvin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Taylor
Sent: Donnerstag, 27. Oktober 2005 01:26
To: 'FreeRadius users mailing list'
Subject: LDAP Authentication

I am currently trying to get LDAP authentication to
work properly. As I am still learning the ins-and-outs on how all this
comes together I am having an issue validating a user with Radius-LDAP.
Attached is an example of the debug. Maybe it is just something stupid
that I am doing.

Thank you for your help!

James Taylor

        EAP-Message = 0x573bea1ceb16030100040e00
        Message-Authenticator = 0x
        State = 0xf666044c26dce30b13ecbacd04693e18
rad_recv: Access-Request packet from host 192.168.43.106:1645, id=126, length=151
        User-Name = jtaylor
        Framed-MTU = 1400
        Called-Station-Id = 0014.6ae0.3180
        Calling-Station-Id = 0040.96a6.d46c
        Service-Type = Login-User
        Message-Authenticator = 0x421ab8418995a7c7b6b94367b0d154d9
        EAP-Message = 0x02040011198715030100020230
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 4082
        State = 0xf666044c26dce30b13ecbacd04693e18
        NAS-IP-Address = 192.168.43.106
        NAS-Identifier = SAP
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jtaylor
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jtaylor authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_eap_tls: Length Included
TLS Alert read:fatal:unknown CA
 TLS_accept:failed in SSLv3 read client certificate A
9963:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
9963:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
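
Added example (not part of the original thread or of FreeRADIUS): a small Python triage of the debug lines quoted in the message above, separating the LDAP authorization result from the EAP-TLS handshake result and reporting which side raised the fatal alert. The function names and the embedded sample are constructed for illustration; the only assumption about the server is that "read" marks an alert received from the peer and "write" an alert the server sent.

```python
import re

# Debug lines re-typed from the message above (constructed sample, trimmed).
SAMPLE_DEBUG = """\
rlm_ldap: performing user authorization for jtaylor
rlm_ldap: user jtaylor authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_eap_tls: Length Included
TLS Alert read:fatal:unknown CA
 TLS_accept:failed in SSLv3 read client certificate A
9963:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
"""

LDAP_OK_RE = re.compile(r"rlm_ldap: user (\S+) authorized to use remote access")
ALERT_RE = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+?)\s*$")
ALERT_NUM_RE = re.compile(r"SSL alert number (\d+)")

# Certificate-related alert codes from the TLS specification.
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


def triage(debug_text):
    """Collect the LDAP and TLS findings from radiusd debug output."""
    result = {"ldap_authorized": None, "alerts": [],
              "alert_name": None, "raised_by": None}
    for raw in debug_text.splitlines():
        line = raw.strip()
        match = LDAP_OK_RE.search(line)
        if match:
            result["ldap_authorized"] = match.group(1)
            continue
        match = ALERT_RE.search(line)
        if match:
            direction, level, description = match.groups()
            result["alerts"].append((direction, level, description))
            if level == "fatal" and result["raised_by"] is None:
                # "read": the server received the alert, so the peer sent it.
                result["raised_by"] = ("supplicant" if direction == "read"
                                       else "radius-server")
            continue
        match = ALERT_NUM_RE.search(line)
        if match:
            number = int(match.group(1))
            result["alert_name"] = TLS_ALERTS.get(number, "alert_%d" % number)
    return result


def explain(result):
    """Turn the triage result into one line a operator can act on."""
    parts = []
    if result["ldap_authorized"]:
        parts.append("LDAP authorization succeeded for %s"
                     % result["ldap_authorized"])
    if result["raised_by"]:
        other = ("radius-server" if result["raised_by"] == "supplicant"
                 else "supplicant")
        parts.append("fatal TLS alert (%s) sent by the %s: check the "
                     "certificate chain presented by the %s"
                     % (result["alert_name"] or result["alerts"][0][2],
                        result["raised_by"], other))
    return "; ".join(parts) or "no LDAP or TLS findings"


if __name__ == "__main__":
    print(explain(triage(SAMPLE_DEBUG)))
```

On the sample, the alert was read by the server, so the place to look is the trust store of the wireless client: it has to contain the CA that issued the RADIUS server certificate.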

RE: Freeradius doesn't find VNUML hosts and nets

2005-10-26 Thread Seferovic Edvin
 andre kip [EMAIL PROTECTED] wrote:
 How do I configure freeradius to recognize the nets
 and hosts created by VNUML ?

  Huh?  Are we supposed to guess what VNUML is, and how you've configured
it?

 freeradius mailing list is known place to accumulate people who can read 
 other's thoughts :-)

People cannot read other's thoughts... GOOGLE CAN !!! .. ;) besides - if you
need a straight answer - please be straight and precise and of course
include all abbreviations that are impossible to guess :D

Regards,

Edvin



  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: help newbie here

2005-10-25 Thread Seferovic Edvin
If you mean for proxying the radius request - the answer is YES

Regards

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of achan
awungshi
Sent: Dienstag, 25. Oktober 2005 23:13
To: freeradius-users@lists.freeradius.org
Subject: help newbie here

Hello friends,
can you please suggest me whether I can use this
freeradius for caching/proxy server only ?

If yes please let me know.

thanking you.

Regards,

Achandash



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: SUSE freeradius configuration

2005-10-23 Thread Seferovic Edvin
As always, be sure that your Access Point is an allowed client to connect to the freeradius...

Then ( as said on the website you have used ) - start radius with -XAx parameter to see the debugging
information ( that is radiusd -XAx )... then try to auth on your access point
and look what happens...

When you ask a question next time - please include your debugging information, because no mailing list
user can actually know what your freeradius server is doing..

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Esposito
Sent: Sonntag, 23. Oktober 2005 07:41
To: freeradius-users@lists.freeradius.org
Subject: SUSE freeradius configuration

I'm new to freeRadius and Linux (Suse) and need some
help. I apologize but I really don't know the question to ask because of
my limited knowledge of Linux and wireless technology, but I'll give it a
try. I setup freeRadius v1.0.2 on SUSE v9.0. I have another NetWare
6.5 server installed hopefully to be used as the LDAP server that freeRadius
will use to get usernames and passwords from eDirectory via LDAP. I
followed the following guide for my setup

http://www.novell.com/coolsolutions/tip/15922.html

I'm using D-Link DWP-8200 access points which
supports WPA2/Enterprise. I've setup this access point to point to my
SUSE server. I can start Radius on the Linux box, but when I try to
connect through the access point, I am getting no response on the Radius
server. Everything IP wise is fine, I can ping from everywhere and if I
change the Access Point to a Linksys WAP55AG, I get a login screen (not that I
know the format to put the username, password, and how domain would be used
with NetWare). My client has the D-Link DWP-8200 access points, and I'd
like to get it working with this if possible so they don't have to buy 50 new
access points. I believe I'm trying to use EAP/TLS with LDAP
authentication.

I guess my question is, does the D-Link 8200-AP work
with freeRadius, and if so, does anyone know NetWare enough to give me a
hand. I understand if that isn't possible, but I thought I'd at least
try. I'm sorry for being so vague, but maybe I can learn a little about
wireless security and authentication if anything. The D-Link seems to
have the same settings as the Linksys, so I hope it can work.

Thanks-

Chris

 - 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: meed help on sering freeradius with MySQL

2005-10-23 Thread Seferovic Edvin
Install the header files ( which should be automatically placed in /usr/include/mysql ), and then run
the configure script like

./configure --with-mysql-include-dir=PATH to mysql include-dir --with-mysql-lib-dir=PATH to mysql-lib dir --with-mysql-dir=PATH to mysql-dir

Just as marco said... that shouldn't be a problem !

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Sonntag, 23. Oktober 2005 19:40
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: RE: meed help on sering freeradius with MySQL

Ok, I just tested that mysql client is working, gladly the commands here are the same as on
windows. And it's as appears installed by default in Red Hat

Now what folders does Free Radius need to work with MySQL, because when I did whereis mysql I got
only bin and lib folder?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seferovic Edvin
Sent: Sunday, October 23, 2005 1:27 PM
To: 'FreeRadius users mailing list'
Subject: RE: meed help on sering freeradius with MySQL

Hi,

while installing RedHat ( again I suppose ).. search for any packages which contain mysql in their name..
and simply install them all.. you will get mysql-server, mysql-client and
mysql-libraries installed...after installation just type whereis
mysql and that will give you ( when correctly installed ) the paths to
mysql-libraries and header files... you should use those directories when
running

./configure ( of freeradius )... sometimes ./configure will look for mysql itself ( of course
in default paths ), but you may want to tell the configure script where your
mysql libs are.. just like marco wrote !

If you want to test mysql-client, you will need a server too... but when properly installed - there is no
need of testing it...

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Sonntag, 23. Oktober 2005 18:45
To: 'FreeRadius users mailing list'
Subject: RE: meed help on sering freeradius with MySQL

I tried that but it doesn't work :( what can I do?

Let me try to start all over again, I will do:

 Install Red Hat
 Install MySQL Client
 Test MySQL Client (How?)
 Install FreeRadius
 Allow use of SQL in config
 Run radiusd -X
 It won't work so I'll be screwed again

Is that correct? Or any other suggestions, cause this my sql feature is driving me crazy. I'm a
windows engineer and not linux :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ho
Sent: Sunday, October 23, 2005 4:18 AM
To: FreeRadius users mailing list
Subject: Re: meed help on sering freeradius with MySQL

Hi,

For example the following line tells you that during installation the header files weren't found

sql_mysql.c:40:19: mysql.h: No such file or directory

If you have installed mysql you have to tell the configure script, where the mysql- include- library- and the mysql program on your box live

look at

./configure --help

for more information.

it could look like (change to your environment!!!):

./configure --with-mysql-include-dir=PATH to mysql include-dir --with-mysql-lib-dir=PATH to mysql-lib dir --with-mysql-dir=PATH to mysql-dir

marco

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: return ALL the AVPs for a username that belongs multiple groups

2005-10-23 Thread Seferovic Edvin
Fall-Through ???

Regards,

Edvin Seferovic

PS: if a user is matched to one group because of his connection-specific
attributes, he won't be accepted as a member of another group ( to
differentiate between modem and vpn users for example )...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Montag, 24. Oktober 2005 04:37
To: 'FreeRadius users mailing list'
Subject: RE: return ALL the AVPs for a username that belongs multiple groups

In config file there should be a line that will allow you to go to the next
parameter despite the fact that it already found matching record... that's a
theory, that I remember from documentation

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lenir
Sent: Sunday, October 23, 2005 10:14 PM
To: 'FreeRadius users mailing list'
Subject: RE: return ALL the AVPs for a username that belongs multiple groups

Can anybody help me with this?

Thanks in advance,

Lenir

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lenir
Sent: Friday, October 21, 2005 12:53 AM
To: 'FreeRadius users mailing list'
Subject: return ALL the AVPs for a username that belongs multiple groups

Hello list,

I have a user that belongs to multiple groups, lets say in the usergroup
table, I have username Paul_S that belongs to Group1, Group2 and Group3
(using a different row for each group membership). In the radgroupreply
table, I have multiple different attributes for each group.

When I do radius authentication for that username, it only returns the AVPs
for the first group match in the radgroupreply table, instead of returning
ALL the AVPs that match ALL the groups that the user belongs to. 

How can I make this happen?

I'm using freeradius 1.0.5 and using mysql as the database.

Thanks


Lenir


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


counter with Session Octet Limit

2005-10-20 Thread Seferovic Edvin
Hello,

I am using freeRadius 1.0.2, and I would like to
limit weekly bandwidth for my VPN ( pptp ) users. So I've changed the example
counter part in my radiusd.conf

counter weekly_traffic {
        filename = ${raddbdir}/db.weekly
        key = User-Name
        count-attribute = Acct-Input-Octets
        reset = weekly
        counter-name = Weekly-Traffic
        check-name = Max-Weekly-Traffic
        allowed-servicetype = Framed-User
}

The counter works for itself - it checks the
Max-Weekly-Traffic attribute in my ldap tree for a specific user, calculates
the rest, but then it tries to add Session-Timeout attribute to Access-Accept
packet. This is not working / attribute is not being added, and besides -
it is the wrong attribute. Is it possible for the counter module to add the
value, which is usually added as Session-Timeout, as Session-Octets-Limit?

Regards,

Edvin Seferovic

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeRadius with LDAP for MSCHAP mac auth

2005-09-23 Thread Seferovic Edvin
Hello everyone...

I've set up a freeradius server with LDAP backend for MSCHAP, but now I have
to set up a mac based auth on the same server also with the same LDAP
backend ( but the mac info is found in another subtree ). So I have made two
ldap instances under modules including MSCHAP...

modules {

        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
        }

        ldap ldap_users {
                server = 81.yyy.xxx.xxx
                basedn = ou=People,dc=xxx,dc=xxx
                filter = (&(objectClass=posixAccount)(uid=%u))
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

        ldap ldap_mac {
                server = 81.xxx.xxx.xxx
                basedn = ou=Hosts,dc=xxx,dc=xxx
                filter = (&(objectClass=ipHost)(ipHostNumber=%u))
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        # ...
}       # modules end

instantiate {
        weekly_traffic  # just a counter
}

authorize {
        mschap
        ldap_users
        ldap_mac
        weekly_traffic
}

authenticate {
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        Auth-Type LDAP {
                ldap_mac
                ldap_users
        }
}

So what I actually need is - when my vpn server sends Access-Request packets
with MS-CHAP attributes, I would like mschap module to use the ldap_users
part. And when an Access-Request packet with the mac address is received I
would like to use ldap_mac ONLY ! here is a part of my log file...

rad_recv: Access-Request packet from host 172.19.10.2:1024, id=22, length=193
        Framed-MTU = 1480
        NAS-IP-Address = 172.19.10.2
        NAS-Identifier = HP2626-Verwaltung
        User-Name = 00:0a:e4:22:c5:9d
        Service-Type = Administrative-User
        Framed-Protocol = PPP
        NAS-Port = 10
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 10
        Called-Station-Id = 00-14-38-2e-2c-76
        Calling-Station-Id = 00-0a-e4-22-c5-9d
        Connect-Info = CONNECT Ethernet 100Mbps Full duplex
        CHAP-Password = 0x1525d56e4e21bbbc83d5e49fa3be8173a5
Debug:   Processing the authorize section of radiusd.conf
Debug: modcall: entering group authorize for request 0
Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Debug:   modcall[authorize]: module mschap returns noop for request 0
Debug:   modsingle[authorize]: calling ldap_users (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:  '(&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=People,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=People,dc=kolp,dc=at, with filter (&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: object not found or got ambiguous search result
Debug: rlm_ldap: search failed
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_users (rlm_ldap) for request 0
Debug:   modcall[authorize]: module ldap_users returns notfound for request 0
Debug:   modsingle[authorize]: calling ldap_mac (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:  '(&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=Hosts,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=Hosts,dc=kolp,dc=at, with filter (&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: looking for check items in directory...
Debug: rlm_ldap: looking for reply items in directory...
Debug: rlm_ldap: Adding description as vid, value 20  op=11
Debug: rlm_ldap: user 00:0a:e4:22:c5:9d authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_mac (rlm_ldap) for request 0
Debug:   modcall[authorize]: module ldap_mac returns ok for request 0
Debug:   modsingle[authorize]: calling weekly_traffic 

RE: FreeRADIUS 1.0.5 has been released

2005-09-13 Thread Seferovic Edvin

Hi,

 We suggest everyone upgrade to 1.0.4.  shouldn't it be 1.0.5?

Regards,

Edvin Seferovic

PS: I'm glad to have a new piece of software to test :D

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Mittwoch, 14. September 2005 02:03
To: freeradius-users@lists.freeradius.org
Subject: FreeRADIUS 1.0.5 has been released

  See www.freeradius.org for download information.

  This version has a LOT of fixes over 1.0.4, including security
fixes.  We suggest everyone upgrade to 1.0.4.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: pppoe+radius

2005-09-11 Thread Seferovic Edvin
Hi,

how about posting your config and we try to figure out what is wrong?

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wassim abbas
Sent: Sonntag, 11. September 2005 13:28
To: freeradius-users@lists.freeradius.org
Subject: pppoe+radius

Hello
I want to use freeradius with pppoe-server both running on the same machine but
I can't get radius working. I loaded the radius.so in the pppoe-option file but
it says radius is not responding and timed out so please if any one has done
it before and can send me the config file, I'm using the user files without
mysql
thanks

-- 
Slackware Inside

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Removing prefix and suffix from User-Name

2005-09-01 Thread Seferovic Edvin
Hi,

is this a typo ?

\host\login.server.domain.com to username   backslash

DEFAULT Prefix == /host, Strip-User-Name = Yes  slash?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jérémy
Cluzel
Sent: Freitag, 02. September 2005 02:05
To: freeradius-users@lists.freeradius.org
Subject: Removing prefix and suffix from User-Name

Hi,

I want to convert the User-Name received:
\host\login.server.domain.com to username.
What's the best way to do this ?

- using preprocess module and hints file:
DEFAULT Prefix == /host, Strip-User-Name = Yes
DEFAULT Suffix == .server.domain.com, Strip-User-Name = Yes

- using proxy.conf file:
realm server.domain.com {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

- using realm module:
realm test {
        format = suffix
        delimiter = .
        ignore_default = no
        ignore_null = no
}

- using attr_rewrite module:
attr_rewrite saneUserName {
        attribute = User-Name
        searchin = packet
        searchfor = ^(.+).server.domain.com
        replacewith = %{1}
        ignore_case = yes
        new_attribute = no
        max_matches = 1
        append = no
}

- or using preprocess module and hints file:
DEFAULT Prefix == /host, Strip-User-Name = Yes
DEFAULT Suffix == .server.domain.com, Strip-User-Name = Yes

Regards,

Jeremy
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: TLS/SSL to eDirectory

2005-09-01 Thread Seferovic Edvin
Hi,

it may sound stupid, but - does the NetWare server have TLS / SSL turned on?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Freitag, 02. September 2005 04:59
To: freeradius-users@lists.freeradius.org
Subject: TLS/SSL to eDirectory

Setup:
- FreeRADIUS 1.0.4 built with edir on FreeBSD 4.11 server.
- Cisco 3005 VPN Concentrator
- LDAP database on NetWare 6.5 server

Everything works fine when not using SSL certificate and TLS.  However,
when TLS is turned on, here is what I get:

-snip-
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27, length=118
  User-Name = username
  User-Password = password
  NAS-Port = 1028
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Called-Station-Id = 10.254.1.6
  Calling-Station-Id = 69.152.48.158
  Tunnel-Client-Endpoint:0 = 69.152.48.158
  NAS-IP-Address = 10.254.1.6
  NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
  rlm_realm: No '@' in User-Name = stcrye, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for stcrye
radius_xlat:  '(cn=username)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 0
rlm_ldap: setting TLS CACert File to /home/juser/trustedrootcertssl-certdns-episd1.b64
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27, length=118
Discarding duplicate request from client VPN:1063 - ID: 27
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 27 with timestamp 431712ab
Nothing to do.  Sleeping until we see a request.
-snip-

Relevant portion of radiusd.conf:

-snip-
ldap ldap1 {
  server = 10.254.8.25
  identity = cn=raduser,o=services
  password = secretrad
  basedn = o=services
  filter = (cn=%{Stripped-User-Name:-%{User-Name}})
  #start_tls = no
  start_tls = yes
  tls_cacertfile = /home/juser/trustedrootcertssl-certdns-episd1.b64
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  password_attribute = userPassword
  edir_account_policy_check=no
  timeout = 20
  timelimit = 20
  net_timeout = 20
-snip-

When I un-comment start_tls = no and comment out start_tls = yes and
tls_cacertfile, everything works fine.

I don't really know where to start.  I have read the faq's, been up
and down the list and can't find a solution.

Thanks in advance.

Josh
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: ippool

2005-06-16 Thread Seferovic Edvin
Hi,

why do you actually need two different instances of freeradius?

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miguel Sennoun
Sent: Donnerstag, 16. Juni 2005 14:33
To: 'FreeRadius users mailing list'
Subject: ippool

Hi,

Has anyone an idea on the best solution to run two
freeradius on the same machine. I tried with one installation that uses
different conf and log directories but I wonder if all works well with the
second instance.

For example the radwho has no parameters to indicate
which instance to consider. Perhaps there are other problems I didn't
notice.

Perhaps the best solution is to make two different
installs. Any advice?

Thanks

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: no DB handles

2005-06-15 Thread Seferovic Edvin
Hi,

increase the number of connections to the mysql db in your sql.conf !

# number of sql connections to make to server
num_sql_socks = 15

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucas
Aimaretto
Sent: Mittwoch, 15. Juni 2005 21:26
To: freeradius-users@lists.freeradius.org
Subject: no DB handles

Hi all,

I've seen many of these messages in the radius.log ...

Wed Jun 15 15:10:23 2005 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0


What does it mean ? How to solve this ?

Best regards,

Lucas

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: NAS info + MySQL

2005-06-07 Thread Seferovic Edvin
Hi,

I must have missed that part. Where can I find some doc about OMAPI support
in freeradius? 

Thank you in advance.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Dienstag, 07. Juni 2005 20:54
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: NAS info + MySQL 

Seferovic Edvin [EMAIL PROTECTED] wrote:
 I have been watching this from the beginning ;) It got really interesting
 now. Does anyone know about OMAPI support in DHCPd? It allows you to change
 the config ( for example - update a lease ) at the real time without a need
 to restart a server.

  As I said in an earlier post, FreeRADIUS allows this, too.

  Just not for everything.

  Similarly, DHCPd doesn't export all of its configuration through
OMAPI.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: ...traffic control with freeradius?

2005-06-07 Thread Seferovic Edvin
LoginTime attribute

Read the doc

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Dienstag, 07. Juni 2005 22:47
To: freeradius-users@lists.freeradius.org
Subject: ...traffic control with freeradius?

Hi
Just a question:

Is there any way to establish that a user (or group) connects at certain hours
of the day only?

For example:
If Peter attempts to connect after 3:00 pm, the radius should reject the
request, because Peter can connect only between 12:00 am and 3:00 pm.

Thank you.






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
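
The attribute named in the reply above is spelled Login-Time in FreeRADIUS, and its value is a UUCP-style time string (day names, Wk, Any/Al, then hhmm-hhmm). The following is an added example, not part of the original thread and not FreeRADIUS code: a simplified matcher for such strings, showing how the asker's 12:00 am to 3:00 pm window ("Al0000-1500") and a range that wraps past midnight are evaluated. The function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *DAY[] = { "su", "mo", "tu", "we", "th", "fr", "sa" };

static int day_index(const char *s)            /* 0..6, or -1 if not a day */
{
    for (int d = 0; d < 7; d++)
        if (strncmp(s, DAY[d], 2) == 0) return d;
    return -1;
}

/* One lower-cased simple string: "wk2305-0855", "sa", "mo-fr0900-1700". */
static int simple_allows(const char *s, int wday, int minute)
{
    unsigned days = 0;
    int d, from, to;
    while (isalpha((unsigned char)*s)) {
        if (strncmp(s, "any", 3) == 0)     { days |= 0x7f; s += 3; }
        else if (strncmp(s, "al", 2) == 0) { days |= 0x7f; s += 2; }
        else if (strncmp(s, "wk", 2) == 0) { days |= 0x3e; s += 2; }
        else if ((d = day_index(s)) >= 0) {
            int end = (s[2] == '-') ? day_index(s + 3) : -1;
            s += (end >= 0) ? 5 : 2;
            if (end < 0) end = d;              /* single day, not a range */
            for (;; d = (d + 1) % 7) { days |= 1u << d; if (d == end) break; }
        } else return 0;                       /* unknown token: deny */
    }
    if (!(days & (1u << wday))) return 0;
    if (*s == '\0') return 1;                  /* no hours: the whole day */
    if (!isdigit((unsigned char)*s) || sscanf(s, "%4d-%4d", &from, &to) != 2) return 0;
    from = from / 100 * 60 + from % 100;
    to = to / 100 * 60 + to % 100;
    return from <= to ? (minute >= from && minute <= to)
                      : (minute >= from || minute <= to);  /* wraps midnight */
}

/* Hypothetical helper: wday 0 = Sunday, minute = minutes since 00:00. */
int login_time_allows(const char *value, int wday, int minute)
{
    char buf[256];
    if ((size_t)snprintf(buf, sizeof buf, "%s", value) >= sizeof buf) return 0;
    for (char *c = buf; *c; c++) *c = (char)tolower((unsigned char)*c);
    for (char *t = strtok(buf, ",|"); t; t = strtok(NULL, ",|"))
        if (simple_allows(t, wday, minute)) return 1;
    return 0;
}

int main(void) { printf("%d\n", login_time_allows("Al0000-1500", 1, 16 * 60)); return 0; }
```

Malformed or unknown tokens deny access rather than falling through to an allow.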


RE: NAS info + MySQL

2005-06-06 Thread Seferovic Edvin
Hi,

I have been watching this from the beginning ;) It got really interesting
now. Does anyone know about OMAPI support in DHCPd? It allows you to change
the config ( for example - update a lease ) at the real time without a need
to restart a server. 

I am not a professional programmer, but would it be hard to implement
something like that in freeRadius? Let's say to change the NAS info, or the
IP pools etc...

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Dienstag, 07. Juni 2005 00:14
To: FreeRadius users mailing list
Subject: Re: NAS info + MySQL 

Marcin Jessa [EMAIL PROTECTED] wrote:
 The way I understand it, say a PHP script used to HUP radiusd would get
 executed as the httpd user. In that case the httpd daemon would need to be
 added to the sudoers group like this:
 www your.server = NOPASSWD: /usr/local/sbin/radiusd
 How else can this be done?

  Huh?  why would you permit user www to run radiusd?

  You need to send a HUP signal to radiusd.  You don't need to run it.

 The FreeRadius daemon can be remotely accessed and it updates data
 stored in SQL database.  Does it make it unsecure ?

  The more pieces you have involved, the less secure something is.

  FreeRADIUS is more secure than
  FreeRADIUS + SQL, is more secure than
  FreeRADIUS + SQL + web admin too, is more secure than
  FreeRADIUS + SQL +


 What in your opinion would make an elegant solution to create a
 user-friendly tool to configure FreeRadius ?

  *I* wasn't the one asking for an elegant solution.  You were.  I was
just pointing out that a solution you called not very elegant is
pretty much identical to what a solution you're implementing.

 [ re: todo ]

 I was convinced you were a part of the developers team and every
 project I know of has certain goals and milestones.

  There's no official todo list for FreeRADIUS.  If you want a
feature, submit a request on bugs.freeradius.org.  Even better, submit
a patch, so it's easy to add the feature.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: No Calling-Station-Id in Auth-Request

2005-06-04 Thread Seferovic Edvin
Hi,

1. install ppp-2.4.3
2. I am attaching my radius.c where the radius client from pppd is sending
the MAC address of connecting host. This is my patch and it works fine for
me. I do NOT take any responsibility for the use of this changed file. The
radius.c file has to be placed into ppp-2.4.3/pppd/plugins/radius/
directory. When you open the file you will see a part like 

/* do you want to send MAC address or IP address in the attribute
 * Calling-Station-Id ?
 * SEND_HW_ADDR = 1 ( YES ) / 0 ( NO )
 * string client_hw_addr contains clients MAC address
*/

where you can enable this option or not. This allows you to send the MAC
address to the radius server ONLY if the authenticating host is on the same
LAN segment as your gateway with pppd. It reads the MAC address from the arp
cache!

Recompile ppp-2.4.3 and voila !

I know this has NOT anything to do with freeRadius, but since the question
was mailed here, maybe some other users may need this too.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of open
source
Sent: Samstag, 04. Juni 2005 10:37
To: freeradius-users@lists.freeradius.org
Subject: No Calling-Station-Id in Auth-Request

hey guys
I have been trying to authenticate user based on mac-address. But the
problem is my pppd is not sending the mac address of clients in its
Auth-Request.

I'm using following softwares:
(i)   rp-ppoe
(ii)  pppd-2.4.1
(iii) ppp-2.4.1-vanilla-radclient-v2.1.patch
(iv) freeradius-1.0.2

Can anyone tell me how to send the mac-address of the client in the
Auth-Request as Calling-Station-Id or any other attribute/value pair.

Thanks in advance

Open

/***
*
* radius.c
*
* RADIUS plugin for pppd.  Performs PAP, CHAP, MS-CHAP, MS-CHAPv2
* authentication using RADIUS.
*
* Copyright (C) 2002 Roaring Penguin Software Inc.
*
* Based on a patch for ipppd, which is:
*Copyright (C) 1996, Matjaz Godec [EMAIL PROTECTED]
*Copyright (C) 1996, Lars Fenneberg [EMAIL PROTECTED]
*Copyright (C) 1997, Miguel A.L. Paraz [EMAIL PROTECTED]
*
* Uses radiusclient library, which is:
*Copyright (C) 1995,1996,1997,1998 Lars Fenneberg [EMAIL PROTECTED]
*Copyright (C) 2002 Roaring Penguin Software Inc.
*
* MPPE support is by Ralf Hofmann, [EMAIL PROTECTED], with
* modification from Frank Cusack, [EMAIL PROTECTED].
*
* This plugin may be distributed according to the terms of the GNU
* General Public License, version 2 or (at your option) any later version.
*
***/
static char const RCSID[] =
"$Id: radius.c,v 1.28 2004/11/14 10:27:57 paulus Exp $";

#include "pppd.h"
#include "chap-new.h"
#ifdef CHAPMS
#include "chap_ms.h"
#ifdef MPPE
#include "md5.h"
#endif
#endif
#include "radiusclient.h"
#include "fsm.h"
#include "ipcp.h"
#include <syslog.h>
#include <sys/types.h>
#include <sys/time.h>
#include <string.h>
#include <netinet/in.h>
#include <stdlib.h>
/* INCLUDES FOR ARP CACHE ACCESS */
#include <net/if_arp.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* do you want to send MAC address or IP address in the attribute
 * Calling-Station-Id ?
 * SEND_HW_ADDR = 1 ( YES ) / 0 ( NO )
 * string client_hw_addr contains clients MAC address
*/

#define SEND_HW_ADDR 1
char client_hw_addr[16];
/* dotted-quad IPv4 text needs up to 15 characters plus the terminating NUL */
char client_ip_addr[16];

#define BUF_LEN 1024

#define MD5_HASH_SIZE   16

static char *config_file = NULL;
static int add_avp(char **);
static struct avpopt {
    char *vpstr;
    struct avpopt *next;
} *avpopt = NULL;
static bool portnummap = 0;

static option_t Options[] = {
    { "radius-config-file", o_string, &config_file },
    { "avpair", o_special, add_avp },
    { "map-to-ttyname", o_bool, &portnummap,
      "Set Radius NAS-Port attribute value via libradiusclient library",
      OPT_PRIO | 1 },
    { "map-to-ifname", o_bool, &portnummap,
      "Set Radius NAS-Port attribute to number as in interface name (Default)",
      OPT_PRIOSUB | 0 },
    { NULL }
};

static int radius_secret_check(void);
static int radius_pap_auth(char *user,
   char *passwd,
   char **msgp,
   struct wordlist **paddrs,
   struct wordlist **popts);
static int radius_chap_verify(char *user, char *ourname, int id,
  struct chap_digest_type *digest,
  unsigned char *challenge,
  unsigned char *response,
  char *message, int message_space);

static void radius_ip_up(void *opaque, int arg);
static void radius_ip_down(void *opaque, int arg);
static void make_username_realm(char *user);
static int radius_setparams(VALUE_PAIR *vp, char *msg, REQUEST_INFO *req_info,
struct chap_digest_type *digest,
unsigned 
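
The message above says the patched plugin takes the client's MAC address from the ARP cache, which only works when the client is on the same LAN segment. The following is an added example, not the code from the attached radius.c: it resolves a peer IP against a constructed table in the Linux /proc/net/arp layout and falls back to the IP address when the entry is missing or incomplete. The names arp_lookup and calling_station_id are hypothetical, and the buffers are sized for the full textual MAC including its terminator.

```c
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN 18          /* "aa:bb:cc:dd:ee:ff" plus NUL */
#define ARP_COMPLETE 0x2        /* ATF_COM: entry holds a resolved address */

/* Constructed sample in the layout of Linux /proc/net/arp. */
static const char SAMPLE_ARP[] =
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.0.2.10       0x1         0x2         00:16:3E:AA:BB:CC     *        eth1\n"
    "192.0.2.11       0x1         0x0         00:00:00:00:00:00     *        eth1\n";

/* Returns 1 and writes a normalized MAC if a complete entry for ip exists. */
static int arp_lookup(const char *table, const char *ip, char mac[MAC_STR_LEN])
{
    const char *line = strchr(table, '\n');            /* skip header row */
    while (line && *++line) {
        char e_ip[16], e_mac[MAC_STR_LEN];
        unsigned hw, flags, b[6];
        if (sscanf(line, "%15s %x %x %17s", e_ip, &hw, &flags, e_mac) == 4 &&
            strcmp(e_ip, ip) == 0) {
            if (!(flags & ARP_COMPLETE)) return 0;     /* still unresolved */
            if (sscanf(e_mac, "%2x:%2x:%2x:%2x:%2x:%2x",
                       &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6) return 0;
            snprintf(mac, MAC_STR_LEN, "%02x:%02x:%02x:%02x:%02x:%02x",
                     b[0], b[1], b[2], b[3], b[4], b[5]);
            return 1;
        }
        line = strchr(line, '\n');
    }
    return 0;
}

/* Hypothetical helper: MAC when enabled and resolvable, otherwise the IP. */
static const char *calling_station_id(const char *table, const char *peer_ip,
                                      int send_hw_addr, char *out, size_t len)
{
    char mac[MAC_STR_LEN] = "";
    int use_mac = send_hw_addr && arp_lookup(table, peer_ip, mac);
    snprintf(out, len, "%s", use_mac ? mac : peer_ip);
    return out;
}

int main(void)
{
    char id[32];
    printf("%s\n", calling_station_id(SAMPLE_ARP, "192.0.2.10", 1, id, sizeof id));
    return 0;
}
```

A client reached through a router never appears in the gateway's ARP table, so for such a client the helper returns the IP address, matching the same-segment limitation the message describes.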

RE: FreeRadius documentation

2005-06-02 Thread Seferovic Edvin
Please visit the www.poptop.org for the documentation and a good howto on
configuring POPTOP with Radius.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alexei
Monastyrnyi
Sent: Donnerstag, 02. Juni 2005 09:30
To: James Flockton; FreeRadius users mailing list
Subject: Re: FreeRadius documentation

Hi.

There is a bit of info here, which is pretty much in correlation with 
O'Reilly book RADIUS.
http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html

The book helped me a lot with configuring simple auth via RADIUS against 
LDAP userPassword attribute.
I'm now trying to find something for NTLM passwords and MPPE keys to 
authenticate PPTP VPN clients.
Pls drop me a line if you meet it somewhere.

A.

James Flockton wrote:

All,

Just wondering if anyone can point me towards to some good
documentation for FreeRadius please? I'm wanting to build a box
running Radius and using OpenLDAP for authentication detail i.e. user
name, IP etc.


Many thanks
James

  


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Please resend this message to Kim Jones'

2005-05-31 Thread Seferovic Edvin
CAN YOU PLEASE TURN OFF THIS AUTOMATIC RESPONDER ! OR CAN SOMEONE UNSUBSCRIBE
HIS EMAIL ADDRESS FROM THIS LIST! 

Thank you in advance.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kim
Sent: Dienstag, 31. Mai 2005 19:38
To: freeradius-users@lists.freeradius.org
Subject: Please resend this message to Kim Jones'

Please resend this message to Kim Jones'
 new email address.  Thank You.

[EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LEAP

2005-05-31 Thread Seferovic Edvin
Hi,

look in /etc/raddb for the ldapattr.map file. That file contains mappings
from Radius attributes to the ones in LDAP. There are Reply- and Check
Items. Just alter the file so that User-Password maps to userPassword or
sambaNTPassword.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Luis
Daniel Lucio Quiroz
Sent: Mittwoch, 01. Juni 2005 01:07
To: freeradius-users@lists.freeradius.org
Subject: LEAP

Ehlo


We are using Cisco1200 AP for roaming, but AP needs to auth into radius.  
Because CISCO it must use LEAP.  But it fails on this


rlm_eap: EAP/leap
  rlm_eap: processing type leap
rlm_eap_leap: No User-Password or NT-Password configured for this user
 rlm_eap: Handler failed in EAP/leap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 3

EAP with TLS and PEAP works well.


LDAP user exists


uid: AP-DATI
userrPassword: cisco1234
sambaNTPassword: 3B298390489F668CA3C38047C7FE1266
sambaLMPassword: 8BE57A0FA91F460C19F10A933D4868DC
 
How should I fix this?

Regards,

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: No detail logs # 2

2005-05-30 Thread Seferovic Edvin
Hi,

then run it and search for the information on detailed accounting :D

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Radius
Sent: Montag, 30. Mai 2005 09:41
To: FreeRadius users mailing list
Subject: Re: No detail logs # 2

Doug Hardie wrote:



 Presuming you don't want to bring it down to run in debug mode which  
 would answer that question, run ktrace/strace/truss or whichever  
 equivalent you have on the running radiusd for a few minutes.   
 Then look through the output for the open of the logfile.  It should  
 show the relevant error code.


Actually, debug mode radiusd -x would be OK to run. That you mentioned 
of ktrace doesn't seem to be on the system.

Bob




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: No Detail Logs

2005-05-29 Thread Seferovic Edvin
As you said... a missed keyword look for detail in your radiusd.conf !

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Radius
Sent: Sonntag, 29. Mai 2005 18:57
To: freeradius-users@lists.freeradius.org
Subject: No Detail Logs

I'm sure I missed a setting or something. We changed providers as well
as our IP addresses 4 days ago. Ever since we did, no detail logs are being
created by FreeRadius 9.3. Everyone can get logged in and realms are working
fine, just no detail log. Any ideas?

Thanks
Bob Ross


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

