Re: EAP-SIM on freeradius-server-2.1.12
Hi GNUbie,

You don't need the special patch for testing EAP-SIM. Just get 3 different triplets for your SIM and create a static users file entry with them, contrary to what -X says, you should put the triplets attrs as reply attrs, not check attrs.

Regards,
Thor.

- Original Message -
From: GNUbie gnu...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc: al...@deployingradius.com
Sent: Wednesday, February 15, 2012 5:17:29 AM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: EAP-SIM on freeradius-server-2.1.12

Hello Alan,

Thank you anyway. I already checked the directory you mentioned even before I posted my original message on this mailing list.

Hello all,

Anybody from this community would like to share their experiences on EAP-SIM authentication? Thank you in advance.

Regards,
GNUbie

On Tue, Feb 14, 2012 at 3:21 PM, Alan DeKok al...@deployingradius.com wrote:

GNUbie wrote:
What am I missing in my current setup that I am getting such errors? Why is it that it can't find the triplets when in fact it's there?

No idea. I don't use SIM myself. See src/tests/eapsim-* for examples of using SIM authentication.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Postgresql undefined symbol PQinitSSL
Hi,

I have the same problem with both 2.1.11 and 2.1.12-pre ...

I'm on CentOS 4.6 with following RPMs:

$ rpm -qa | grep devel
glibc-devel-2.3.4-2.39
krb5-devel-1.3.4-60.el4_7.2
mysql-devel-5.0.54-1.el4.centos
openssl-devel-0.9.7a-43.17.el4_8.5
kernel-smp-devel-2.6.9-67.0.4.EL
e2fsprogs-devel-1.35-12.17.el4
zlib-devel-1.2.1.2-1.2
openldap-devel-2.2.13-12.el4
kernel-devel-2.6.9-67.0.4.EL
cyrus-sasl-devel-2.1.19-14
postgresql-devel-7.4.19-1.el4_6.1

$ rpm -qa | grep postgresql
postgresql-7.4.19-1.el4_6.1
postgresql-libs-7.4.19-1.el4_6.1
postgresql-server-7.4.19-1.el4_6.1
postgresql-devel-7.4.19-1.el4_6.1

$ rpm -qa | grep openssl
openssl-devel-0.9.7a-43.17.el4_8.5
xmlsec1-openssl-1.2.6-3
openssl096b-0.9.6b-22.46
openssl-0.9.7a-43.17.el4_8.5

I use the following configure options:

./configure --prefix=/opt/freeradius-server-2.1.12 --with-mysql --with-postgresql --with-openldap --with-openssl --without-snmp --without-krb5 --without-dhcp

Everything seems to build fine, here's the postgresql module build output:

Making all in rlm_sql_postgresql.
gmake[10]: Entering directory `/home/thor/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_postgresql'
/home/thor/freeradius-server-2.1.12/libtool --mode=compile gcc -g -O2 -Wall -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG -I../.. -I/home/thor/freeradius-server-2.1.12/src/ -I/usr/include/postgresql -I/home/thor/freeradius-server-2.1.12/libltdl -c sql_postgresql.c
mkdir .libs
gcc -g -O2 -Wall -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG -I../.. -I/home/thor/freeradius-server-2.1.12/src/ -I/usr/include/postgresql -I/home/thor/freeradius-server-2.1.12/libltdl -c sql_postgresql.c -fPIC -DPIC -o .libs/sql_postgresql.o
sql_postgresql.c: In function `sql_init_socket':
sql_postgresql.c:153: warning: implicit declaration of function `PQinitSSL'
gcc -g -O2 -Wall -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG -I../.. -I/home/thor/freeradius-server-2.1.12/src/ -I/usr/include/postgresql -I/home/thor/freeradius-server-2.1.12/libltdl -c sql_postgresql.c -o sql_postgresql.o >/dev/null 2>&1
/home/thor/freeradius-server-2.1.12/libtool --mode=link gcc -release 2.1.12 \
-module -export-dynamic -o rlm_sql_postgresql.la \
-rpath /opt/freeradius-server-2.1.12/lib sql_postgresql.lo -L/usr/lib -lpq
gcc -shared .libs/sql_postgresql.o -L/usr/lib -lpq -Wl,-soname -Wl,rlm_sql_postgresql-2.1.12.so -o .libs/rlm_sql_postgresql-2.1.12.so
(cd .libs && rm -f rlm_sql_postgresql.so && ln -s rlm_sql_postgresql-2.1.12.so rlm_sql_postgresql.so)
ar cru .libs/rlm_sql_postgresql.a sql_postgresql.o
ranlib .libs/rlm_sql_postgresql.a
creating rlm_sql_postgresql.la
(cd .libs && rm -f rlm_sql_postgresql.la && ln -s ../rlm_sql_postgresql.la rlm_sql_postgresql.la)
gmake[10]: Leaving directory `/home/thor/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_postgresql'

But then when starting the server with -X with my configuration, I get the following and it stops:

rlm_sql Creating new attribute sql_auth1-SQL-Group
rlm_sql (sql_auth1): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
rlm_sql (sql_auth1): Attempting to connect to radius@195.130.158.155:/radius
rlm_sql (sql_auth1): starting 0
rlm_sql (sql_auth1): Attempting to connect rlm_sql_postgresql #0
/opt/radproxyin/freeradius/sbin/radiusd: symbol lookup error: /opt/freeradius-server-2.1.12/lib/rlm_sql_postgresql-2.1.12.so: undefined symbol: PQinitSSL

Any ideas on what could be the problem here or any solution or tips on where to look further?

P.S.: I'm not looking to get SSL working for my database connections, I just want to get the server running with postgresql and eap support built in.

Regards,
Thor
Re: Postgresql undefined symbol PQinitSSL
Hi Alan,

Yes, I removed the code and then it runs ;-)

Thanks,
Thor.

- Original Message -
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, September 28, 2011 3:28:14 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Postgresql undefined symbol PQinitSSL

Thor Spruyt wrote:
Any ideas on what could be the problem here or any solution or tips on where to look further?

FreeRADIUS is built with Postgresql SSL. So it assumes that Postgresql can do SSL, too.

The simple fix is to go to the sql_postgresql.c file, and delete the code which refers to PQinitSSL

A longer term fix is to update the configure script to look for PQinitSSL.

Alan DeKok.
Re: MAC Address and Username Binding on FreeRADIUS
Hi,

You could use a huntgroup for the MAC addresses and then define what to do for that huntgroup.

Thor.

- Original Message -
From: syharash syhar...@yahoo.com
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 12:11:51 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: MAC Address and Username Binding on FreeRADIUS

Hi,

My FreeRadius is working fine, my wireless clients are able to authenticate with username and password from the /etc/raddb/users file and dynamic vlan assignment is working fine too.

Need to now configure to restrict a user to get authenticated only from a single mac address, so the dynamic vlan assignment is restricted to that user only from its authorized mac address.

Please help. I tried following the How-to guide but have not been able to get it working. please help.

I have attached my configuration files for your reference, please let me know if how to go about doing it.

http://freeradius.1045715.n5.nabble.com/file/n4297874/authorize_macs authorize_macs
http://freeradius.1045715.n5.nabble.com/file/n4297874/default%5Bsites-available%5D default%5Bsites-available%5D
http://freeradius.1045715.n5.nabble.com/file/n4297874/eap.conf eap.conf
http://freeradius.1045715.n5.nabble.com/file/n4297874/files files
http://freeradius.1045715.n5.nabble.com/file/n4297874/policy.conf policy.conf
http://freeradius.1045715.n5.nabble.com/file/n4297874/radiusd.conf radiusd.conf
http://freeradius.1045715.n5.nabble.com/file/n4297874/users users
Re: Different sql servers for separated authacc
Hi,

Read http://wiki.freeradius.org/Rlm_sql section Instances

Regards,
Thor.

- Original Message -
From: c schwarz c.schw...@funknetz.at
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 1:36:17 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Different sql servers for separated authacc

Hello,

in a special setup we are using freeradius Version 1.1.3 (sql.conf v 1.41.2.2.2.2), on a debian x86 machine, which can’t be upgraded to Version 2.0.

I would like to check authorization against mysqldb1 and insert/update accounting in mysqldb2. Is it possible to use two independent mysql databases in Version 1.1.3?

Thanks in advance,
chris
Re: ldap and file authentication
Hi,

Read http://wiki.freeradius.org/Fail-over

Regards,
Thor.

- Original Message -
From: Marco Kalmbach mc...@gmx.de
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 3:24:35 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: ldap and file authentication

hi @all,

is it possible to provide ldap authentication and users file authentication at the same time on a radius server?

On my radius server the ldap authentication works fine, additional I want to provide users file authentication, so I commented out the following lines:

--radiusd.conf
file {
    userfile = ${confdir}/users
}
...
authorize{
    ...
    files
    ...
}

My users file:

testuser Cleartext-Password := XXX

When I want to login the user testuser the Debugscreen shows:

Login incorrect: (rlm_ldap: User not found): [testuser]

Are there any other options I have to set or isn´t it possible to authenticate users via ldap and users file at the same time?

Thanks for your answers,
greetings Klaus
Re: How to add RADIUS users under OU=People
Hi,

Read http://wiki.freeradius.org/Rlm_ldap

You might want to play with basedn and filter.

Regards,
Thor.

- Original Message -
From: pradyumna dash pradyumna_dash...@yahoo.co.in
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 4:34:52 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: How to add RADIUS users under OU=People

Hello,

I need a help, What i want is instead of creating a OU called radius, i would like to add all radius users under OU=People, how to achieve this?

I am not able to add a user with objectclass:radiusprofile, I tried changing radius schema to AUX but no luck. Please have a look at my LDIF file. I am using SuSE 11

dn: uid=kris,ou=People,dc=example,dc=com
uid: kris
cn: kris
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: uidObject
objectClass: radiusprofile
userPassword: {crypt}$2a$10$DXf3RUs5cQv/WYOgaeyv1uwvUJ.3ZfW3sr7sCr75/6/dw062c5YOe
shadowLastChange: 15076
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 100
homeDirectory: /home/kris
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
radiusGroupName: dial
radiusGroupName: isdn
radiusAuthType: LDAP

Suggestions will be appreciated.

/Neo
Re: Authentication based on users and NAS
Hi,

If you're going to use LDAP, then just add the Called-Station-Id to your search filter and add one or multiple attributes to match against in your LDAP entries.

Regards,
Thor.

- Original Message -
From: Sergio Belkin seb...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 12, 2011 5:46:58 PM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Authentication based on users and NAS

Hi,

It was easier than I thought, I simply had to add to /etc/raddb/users something like:

steve Called-Station-Id == 00259c14066e,Cleartext-Password := password

Still I had to solve 2 issues:

The first one is that if I want steve to login through more than NAS I have to add one line like above per NAS. Is a nicer way to do it?

The second one is that I don't know how to do it for Ldap users.

Thanks in advance!

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
Re:
- Original message -
From: wessam seleem [mailto:wessam.sel...@gmail.com]
Sent: Sunday, September 27, 2009 02:34 PM
To: 'FreeRadius users mailing list'
Subject: Re:

Dear Thor and Ivan,

Thanks for your support. I would like to notice that I have the same configuration in a server that has freeradius-1.1.7-1 installed and it is working fine. I want to upgrade. That is why I am testing freeradius-2.1.6-2.

I want to ask is there is any difference between 1.1.7-1 and 2.1.6-2 configuration files that I should put it in my consideration?

Thor, I don't have the same output in the debug mode. I have what you can see below:

++[ldap] returns ok
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
+- entering group PAP {...}
[pap] login attempt with password password
[pap] Using clear text password $...@hfgusllj%$#kasjs
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - username
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Dear Ivan and Thor,

As you can see the problem that I am sending a clear text password and the radius doesn't convert it to encrypted one. I want my radius to take a clear text password and encrypt it then compare it with the encrypted one in my ldap.

Please let me know if I should clarify more or if you need more info. Thanks again for your support.

Regards,

I'm not saying that how I got it working is *the* way to do it, I just got it working this way... I'm using 2.1.7, but I guess 2.1.6 has exactly the same behaviour.

In your ldap module configuration, remove this:

password_header = {CRYPT}

Then the ldap module will not remove {CRYPT} from User-Password and the server will not complain about the attributes...

The pap module configuration should only have the following line:

auto_header = yes

This will make the PAP authentication step recognize that the password retrieved from ldap is crypted and do the correct password comparison.

Regards,
Thor.
Re: Mimic lower_user in FR2
- Original message -
From: Alexander Clouter [mailto:a...@digriz.org.uk]
Sent: Thursday, September 24, 2009 05:24 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Mimic lower_user in FR2

Thor Spruyt thor.spr...@telenet.be wrote:

Since lower_user doesn't exist anymore in FR2, I was thinking of doing the following in FR2 to mimic the behaviour, which seems to be working correctly:

In hints file:

DEFAULT User-Name !~ /^$/
    User-Name := `%{exec:/opt/tolower %{User-Name}}`,
    Fall-Through = Yes

DEFAULT Stripped-User-Name !~ /^$/
    Stripped-User-Name := `%{exec:/opt/tolower %{Stripped-User-Name}}`,
    Fall-Through = Yes

Content of /opt/tolower:

#!/bin/sh
echo -n $1 | tr '[A-Z]' '[a-z]'

Is there any reason why I should not do this or why it's not recommended? The servers on which I want to do this is not heavily loaded (1req/s).

Well although the load is not a problem, I mean you should feel *really* dirty that every time a packet goes through your box, you system() out twice.

Hell I feel dirty enough when doing the following for the not-often upstream proxying requests we do:

update proxy-request {
    NAS-IP-Address := `/bin/hostname -i`
    NAS-Identifier := `/bin/hostname -f`
}

This however is just me being lazy until I patch FreeRADIUS to give me some static runtime variable action :)

You should do this with Perl if you really want or alternatively I'll start sending your RADIUS server something like the following as you do no validation at all (you get the idea, might work, probably won't, but why risk it?):

User-Name = '\; rm -rf /; echo \'

Cheers

--
Alexander Clouter
.sigmonster says: The best things in life go on sale sooner or later.

I would indeed tighten the script, but I was wondering if changing the 2 attributes in this way could cause problems in later processing. Or maybe there's a better way which I don't know about to get the same result...

Regards,
Thor.
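A tightened version of the /opt/tolower helper from this thread, as an added example (not code from the original posts or from FreeRADIUS): it quotes its argument and rejects anything outside a conservative character set before lower-casing. The function name lower_user and the allowlist are assumptions; adjust the allowlist to the User-Name formats you actually accept.

```sh
#!/bin/sh
# Hardened stand-in for the /opt/tolower helper discussed in this thread.
# Added example: the function name and the allowlist are assumptions.

# Fixed locale so that A-Z / a-z ranges and ${#name} behave byte-wise.
LC_ALL=C
export LC_ALL

# lower_user NAME
# Prints NAME in lower case and returns 0, or prints nothing and returns 1
# when NAME is empty, too long, or contains a character outside the allowlist.
lower_user() {
    name=$1

    # A RADIUS attribute value carries at most 253 octets.
    if [ -z "$name" ] || [ "${#name}" -gt 253 ]; then
        return 1
    fi

    # Allowlist (assumption): letters, digits and @ . _ -
    # Anything else (spaces, quotes, ';', '*', '$', newlines) is refused.
    case $name in
        *[!A-Za-z0-9@._-]*) return 1 ;;
    esac

    # printf with a fixed format string: echo's handling of -n and
    # backslashes differs between shells. "$name" is quoted, so no word
    # splitting or glob expansion happens on the value.
    printf '%s' "$name" | tr 'A-Z' 'a-z'
}

# When called as a script (e.g. /opt/tolower <name>), act on the first
# argument and signal a refused value through a non-zero exit status.
if [ "$#" -gt 0 ]; then
    lower_user "$1" || exit 1
fi
```
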
Mimic lower_user in FR2
Hi,

Since lower_user doesn't exist anymore in FR2, I was thinking of doing the following in FR2 to mimic the behaviour, which seems to be working correctly:

In hints file:

DEFAULT User-Name !~ /^$/
    User-Name := `%{exec:/opt/tolower %{User-Name}}`,
    Fall-Through = Yes

DEFAULT Stripped-User-Name !~ /^$/
    Stripped-User-Name := `%{exec:/opt/tolower %{Stripped-User-Name}}`,
    Fall-Through = Yes

Content of /opt/tolower:

#!/bin/sh
echo -n $1 | tr '[A-Z]' '[a-z]'

Is there any reason why I should not do this or why it's not recommended? The servers on which I want to do this is not heavily loaded (1req/s).

Regards,
Thor.
Re:
Hi,

I tried to get this working also and I found that if you let the ldap module *not* check the password_header, then the password incl. the header is put in the User-Password attribute. If you then use auto_header = yes for the pap module, it should figure out automatically to do crypt... unless the uppercase CRYPT is causing issues...

Here's some sample debug output to check your setup:

[ldap] Password header not found in password {crypt}XXX for user test
[ldap] Added User-Password = {crypt}XXX in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap] returns ok
++- group returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok

Regards,
Thor.

- Original message -
From: wessam seleem [mailto:wessam.sel...@gmail.com]
Sent: Thursday, September 24, 2009 02:16 PM
To: t...@kalik.net, 'FreeRadius users mailing list'
Subject: Re: known good error

Thanks Ivan for your reply.

Here is the ldap configuration section:

ldap {
    server = x.x.x.x
    identity = cn=username
    password = password
    basedn = ou=email,o=data,c=eg
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    password_header = {CRYPT}
    ldap_connections_number = 100
    timeout = 15
    timelimit = 10
    net_timeout = 5
    tls {
        start_tls = no
    }
    profile_attribute = radiusProfileDn
    access_attr = dialupAccess
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = radiususerPassword
}

and here is the debug message

++[ldap] returns ok
Found Auth-Type = PAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
+- entering group PAP {...}
[pap] login attempt with password 123456
[pap] Using clear text password ^%$%$%JGjgjg(%%^njahjahs
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - username
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0

Thanks for your support.

Wessam

On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik t...@kalik.net wrote:

I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message from radius -X.

Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!

Note that when I wrote the password encrypted like *%@ks...@sdgsadgjhsb I was able to login but when I wrote the password in clear text like test I failed to login.

Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.

Ivan Kalik
Kalik Informatika ISP
Re: Pre-release of 2.1.7
Hi,

Compiles and runs smoothly on Centos 4.6 32-bit...
Using postgresql backends and exec module for both auth and acct packets
home_server status_check = none ok, need this ;-)

I've been away from FR evolution for a while... I must say I'm really surprised what's possible now with 2.1.7 compared to 1.1.7 (still running in production), nice job!

Regards,
Thor.
freeradius-server-2.1.4 make fails
Hi,

I'm trying to compile freeradius-server-2.1.4 on CentOS 4.6 32-bit

Configure command:

./configure --prefix=/opt/freeradius-2.1.4 --with-mysql --with-postgresql --with-openldap --without-snmp --without-openssl --without-krb5 --without-vmps

But make fails:

/home/thor/freeradius-server-2.1.4/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I/home/thor/freeradius-server-2.1.4/src -DHOSTINFO=\i686-pc-linux-gnu\ -DRADIUSD_VERSION=\2.1.5\ -DNO_OPENSSL -c listen.c
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I/home/thor/freeradius-server-2.1.4/src -DHOSTINFO=\i686-pc-linux-gnu\ -DRADIUSD_VERSION=\2.1.5\ -DNO_OPENSSL -c listen.c -fPIC -DPIC -o .libs/listen.o
listen.c: In function `client_listener_find':
listen.c:126: warning: passing arg 1 of pointer to function discards qualifiers from pointer target type
listen.c:206: warning: assignment discards qualifiers from pointer target type
In file included from listen.c:1053:
command.c: In function `command_show_client_config':
command.c:845: warning: passing arg 2 of `cf_section2file' discards qualifiers from pointer target type
listen.c: In function `listen_init':
listen.c:1795: error: `RAD_LISTEN_VQP' undeclared (first use in this function)
listen.c:1795: error: (Each undeclared identifier is reported only once
listen.c:1795: error: for each function it appears in.)
gmake[4]: *** [listen.lo] Error 1
gmake[4]: Leaving directory `/home/thor/freeradius-server-2.1.4/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/thor/freeradius-server-2.1.4/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/thor/freeradius-server-2.1.4/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/thor/freeradius-server-2.1.4'
make: *** [all] Error 2

Any idea what's going wrong?

Regards,
Thor Spruyt
Re: I will be out of the office
Hugh Messenger wrote:

I will be out of the office from Wednesday May 30 until Monday June 4.

What a coincidence! I'll be out of the office during those dates as well ... hunting down and killing everyone who writes broken autoresponders.

Sorry, I know I shouldn't increase list pollution by letting myself respond to this, but I just can't help myself.

Sorry, I'm in the office so I can't answer mail to my private mail address now.

Kind Regards,
Thor ;-)
Re: O'Reillys Radius Book - Worth buying
Alan DeKok wrote:

If you're familiar with RADIUS, it will contain little useful information.

I can confirm this. I was pretty disappointed about the value of the book when I bought it 3 years ago. It doesn't go in depth into anything.

Thor.
Re: online users
Mordor Networks wrote:

hi Graham yes sir i know but my question is how to do that im all new to all this.. thank you

Connect to your mysql database and type show tables;, then you'll see a list of tables in your database. It's probably the radacct table you need to query for session information.

If you don't know how to write SQL queries, have a look at http://www.mysql.org/doc/

Thor.
Re: two database
http://wiki.freeradius.org/Rlm_sql

- Original Message -
From: Nirmal
To: FreeRadius users mailing list
Sent: Monday, April 09, 2007 1:53 PM
Subject: Re: two database

can i use two sql database in sql.conf for free radius version 0.9 ?

currently i m using freeradius 0.9 + MySQL 3.23 + PPPoE on linux (NAS) authentication and accounting is happening in one database.

i have a very large user database and i want to assign roaming profile to my users, in that case users will be authenticated from database1 which is having authentication information (radcheck, radgroupcheck,radreply) of all users and accounting will be done in database2 (radacct table).

how to specify two database in sql.conf ? as there is only one line radius_db. :(

i did not find more help in docs of freeradius-1.1.5 !!

Please help

Nirmal Patel
+91-9323704733

Alan DeKok [EMAIL PROTECTED] wrote:

Nirmal wrote:
Hi i m using freeradius 0.9

Why?

is it possible to select two sql databases in sql.conf ?

Yes.

how ?

See the documentation in the recent versions.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius unistalling
There is no uninstall and make clean just cleans the source tree. Use rpmbuild to make an rpm.

- Original Message -
From: elmalhi abdelghani
To: FreeRadius users mailing list
Sent: Friday, March 23, 2007 3:48 PM
Subject: Re : freeradius unistalling

hi,

but i found always my directory usr/local/etc/raddb

regards!

Abdelghani ELMALHI
Devesestr. 1
45897 Gelsenkirchen
Deutschland
Tel. 00 49 176 65 84 38 50
Re: EAP-TTLS outer identity accounting
Sam Schultz wrote:

P.S. A link to a list of known-good access points, or personal recommendations on access points would also be appreciated. We will be replacing a few 3com APs soon because they don't play well with...well...ANYTHING. One (3com OfficeConnect) doesn't even have options for radius account, even though it advertises the feature right on the box.

I would recommend Cisco Aironet.

Regards,
Thor.
1.1.5 double free or corruption
(0xf7c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x1000) = 0xf7c000
close(5)= 0
open(/dev/tty, O_RDWR|O_NONBLOCK|O_NOCTTY) = 5
writev(5, [{*** glibc detected *** , 23}, {double free or corruption (fastt..., 35}, {: 0x, 4}, {080f95d8, 8}, { ***\n, 5}], 5*** glibc detected *** double free or corruption (fasttop): 0x080f95d8 ***
) = 75
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(26392, 26392, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++
Process 26392 detached

--
Thor Spruyt
M: +32 475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
Re: Return values for rlm_exec scripts
Garry Glendown wrote:

Thor Spruyt wrote:

Session-Timeout := `%{exec:/bin/echo 200}`

I use exec_program_wait, try having a look at that.

... which doesn't return a value if I'm not mistaken ... !?

It can return several Attribute-Value pairs. Read the documentation, search google and there's even an example scripts in the source tree!

--
Thor Spruyt
M: +32 475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
Re: Return values for rlm_exec scripts
Garry Glendown wrote:

Garry Glendown wrote:

Hi,

I'm trying to configure dynamic values in the users-file, which works fine using the rlm_expr module. Anyway, due to some more complicated expressions that can not be formed using rlm_expr, I tried to set up an external script that will return the value I need ... only problem is: I can't seem to get the format right, and I can't seem to find any docs on what exactly to return so that the %{exec:...} entry will be used ...

e.g, on a field that expects a numeric value, I tried something like this:

Session-Timeout := `%{exec:/bin/echo 200}`

But all I get is this in the loggfile:

Mon Jan 8 16:05:24 2007 : Error: Exec-Program-Wait: /bin/echo 200: unparsable reply

What do I have to do to get FreeRadius to understand the return value? Thanks!!!

Nobody using rlm_exec???

I use exec_program_wait, try having a look at that.

--
Thor Spruyt
M: +32 475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
chap requests and users file
Hi,

I was wondering how I should create an entry in the users file for a user that authenticates with CHAP. Normally I have entries like this:

ausername Auth-Type := Local, User-Password == apassword

This works for PAP requests, but is it also fine for CHAP? I actually need a method to let both PAP and CHAP succeed, it's up to the user to decide what to use.

--
Thor Spruyt
M: +32 475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
Re: logging to normal radius.log and syslog
tail -F radius.log | logger

- Original Message -
From: Michael Messner [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, November 16, 2006 3:10 PM
Subject: logging to normal radius.log and syslog

hey @all,

for testing we write the complete debugging messages to syslog into a special file but with this method the loggin to the normal radius.log file won't work anymore!

We start radiusd with daemontools and with these parameters:

loggeropt=logger -p local6.info -t radiusd -s
ARGS=-Afxyz
NICELEVEL=-10
exec nice -n $NICELEVEL $RADIUSD $ARGS | $loggeropt

this works quite good but there are nomore messages in the radius.log - file.

the radiusd.conf:

15:09:45 Xradius ~ [root]grep radius.log /etc/raddb/radiusd.conf
log_file = ${logdir}/radius.log

the detail logs are working!

any ideas what can I do?

thanks
mIke
Re: working rlm_perl example ?
Michael Gale wrote:

Hello, Does anyone have a working rlm_perl module I can test with ? I have just started out and at this point can not determine if it is my perl module that is having a problem or my radius configuration.

An example comes with the freeradius source code in /src/modules/rlm_perl

    #
    #  This program is free software; you can redistribute it and/or modify
    #  it under the terms of the GNU General Public License as published by
    #  the Free Software Foundation; either version 2 of the License, or
    #  (at your option) any later version.
    #
    #  This program is distributed in the hope that it will be useful,
    #  but WITHOUT ANY WARRANTY; without even the implied warranty of
    #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    #  GNU General Public License for more details.
    #
    #  You should have received a copy of the GNU General Public License
    #  along with this program; if not, write to the Free Software
    #  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
    #
    #  Copyright 2002 The FreeRADIUS server project
    #  Copyright 2002 Boian Jordanov [EMAIL PROTECTED]
    #

    #
    # Example code for use with rlm_perl
    #
    # You can use every module that comes with your perl distribution!
    #

    use strict;
    # use ...
    # This is very important! Without this the script will not get the filled hashes from main.
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    use Data::Dumper;

    # This is the hash which holds the original request from radius
    #my %RAD_REQUEST;
    # In this hash you add values that will be returned to the NAS.
    #my %RAD_REPLY;
    # This is for check items
    #my %RAD_CHECK;

    #
    # This is the remapping of return values
    #
    use constant RLM_MODULE_REJECT   => 0; # immediately reject the request
    use constant RLM_MODULE_FAIL     => 1; # module failed, don't reply
    use constant RLM_MODULE_OK       => 2; # the module is OK, continue
    use constant RLM_MODULE_HANDLED  => 3; # the module handled the request, so stop
    use constant RLM_MODULE_INVALID  => 4; # the module considers the request invalid
    use constant RLM_MODULE_USERLOCK => 5; # reject the request (user is locked out)
    use constant RLM_MODULE_NOTFOUND => 6; # user not found
    use constant RLM_MODULE_NOOP     => 7; # module succeeded without doing anything
    use constant RLM_MODULE_UPDATED  => 8; # OK (pairs modified)
    use constant RLM_MODULE_NUMCODES => 9; # how many return codes there are

    # Function to handle authorize
    sub authorize {
        # For debugging purposes only
        # &log_request_attributes;

        # Here's where your authorization code comes
        # You can call another function from here:
        &test_call;

        return RLM_MODULE_OK;
    }

    # Function to handle authenticate
    sub authenticate {
        # For debugging purposes only
        # &log_request_attributes;

        if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
            # Reject user and tell him why
            $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
            return RLM_MODULE_REJECT;
        } else {
            # Accept user and set some attribute
            $RAD_REPLY{'h323-credit-amount'} = "100";
            return RLM_MODULE_OK;
        }
    }

    # Function to handle preacct
    sub preacct {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle accounting
    sub accounting {
        # For debugging purposes only
        # &log_request_attributes;

        # You can call another subroutine from here
        &test_call;

        return RLM_MODULE_OK;
    }

    # Function to handle checksimul
    sub checksimul {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle pre_proxy
    sub pre_proxy {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle post_proxy
    sub post_proxy {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle post_auth
    sub post_auth {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle xlat
    sub xlat {
        # For debugging purposes only
        # &log_request_attributes;

        # Loads some external perl and evaluates it
        my ($filename,$a,$b,$c,$d) = @_;
        &radiusd::radlog(1, "From xlat $filename ");
        &radiusd::radlog(1, "From xlat $a $b $c $d ");
        local *FH;
        open FH, $filename or die "open '$filename' $!";
        local($/) = undef;
        my $sub = <FH>;
        close FH;
        my $eval = qq{ sub handler{ $sub;} };
        eval $eval;
        eval {main->handler;};
    }

    # Function to handle detach
    sub detach {
        # For debugging purposes only
        # &log_request_attributes;

        # Do some logging.
        &radiusd::radlog(0, "rlm_perl::Detaching. Reloading. Done.");
    }

    #
    # Some functions that can be called from other functions
    #

    sub test_call {
        # Some code goes here
    }

    sub log_request_attributes {
        # This shouldn't be done in production environments!
        # This is only meant for debugging!
        for (keys %RAD_REQUEST) {
            &radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
        }
    }

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com
Re: (no subject)
How about adding a dictionary with all 256 numbers?

- Original Message - From: Robert Dukes To: FreeRadius users mailing list Sent: Thursday, July 13, 2006 9:26 PM Subject: Re: (no subject)

Sorry, Ok I use Alvarion Su radios that has radius accounting option. but the radios send some VSA that is not recognizable in the radius.

Breezenet/Breezecom/Alvarion VSA's. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc through to Breezecom-Attr11.

I can send a dump log if you want
Re: File ATTRS
José Berenguer wrote:

Hello! In the file attrs I have:

domain.es Reply-Message = RADIUS OK

but it doesn't return me the message.

Try adding a colon before the equals sign.

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: perl scripts
Add this in your script and then run radiusd in debugging mode:

for (keys %RAD_REQUEST) { radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}"); }

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- Original Message - From: debik To: FreeRadius users mailing list Sent: Wednesday, March 15, 2006 7:38 PM Subject: Re: perl scripts

Hello again. I have stuck on writing that perl script to authenticate users from another database. How can I grep the User-Name and Password from RAD_REQUEST to my perl script as a variable. I have tried to do something like this:

my $username = $RAD_REQUEST{'User-Name'}

Is it anyway possible what I'm trying to do ?

- Original Message - From: debik To: FreeRadius users mailing list Sent: Sunday, March 12, 2006 12:28 PM Subject: Re: perl scripts

I tried to add new sql1.conf. But when I try starting the radius server he told me that the database is not in the Attribute Value. In that another database I have got users of my network, and I want that the radius server use that logins which are in that database. Sorry for that HTML, and for my English.

- Original Message - From: mnisay To: 'FreeRadius users mailing list' Sent: Sunday, March 12, 2006 10:55 AM Subject: RE: perl scripts

what do you want to achieve with this perl script, freeradius can do the authentication. is this script for management of database? if it is, you can use server side php scripts as well. if it's not, does the perl script manipulates user database differently? sorry I think I did not get you well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of debik Sent: Saturday, March 11, 2006 2:43 PM To: FreeRadius users mailing list Subject: Re: perl scripts

Yes. But that another database is not in radius format like: op, value, etc. So I have to write a perl script.

- Original Message - From: mnisay To: 'FreeRadius users mailing list' Sent: Saturday, March 11, 2006 11:27 AM Subject: RE: perl scripts

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of debik Sent: Friday, March 10, 2006 8:41 PM To: FreeRadius users mailing list Subject: Re: perl scripts

I have got another mysql base and I want to write perl script to tell the radius server to use the data in that database.

do you mean use MySQL for freeradius authentication?

- Original Message - From: mnisay To: 'FreeRadius users mailing list' Sent: Friday, March 10, 2006 11:26 AM Subject: RE: perl scripts

Could somebody share with some scripts that authorize users in radius. I'm trying to write my own script, but I don't find any docs. Could somebody help me.

authorize users in radius? freeradius can authorize users by default.
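An added example (not from the thread and not FreeRADIUS project code) of what debik asks for above: an rlm_perl authenticate handler that takes User-Name and User-Password from %RAD_REQUEST and checks them against a user store that is not in RADIUS format. The %EXTERNAL_USERS table, the salted SHA-256 scheme, the helper names and the --selftest switch are assumptions made for the example; the return-code values and the use vars line are those of the example.pl quoted earlier on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Filled by rlm_perl before each call (same declaration as in example.pl).
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes, same values as in example.pl.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_INVALID => 4;

# Constructed stand-in for the external user database (hypothetical):
# login => [ salt, sha256_hex(salt . password) ].
# Replace lookup_user() with a query against the real store; if that is SQL,
# bind the name as a placeholder parameter instead of interpolating it.
my %EXTERNAL_USERS = (
    'alice' => [ 'x9Qf', sha256_hex('x9Qf' . 'correct horse') ],
);

sub lookup_user {
    my ($name) = @_;
    my $row = $EXTERNAL_USERS{$name} or return;
    return @$row;                      # (salt, stored_hash)
}

# Log through radiusd when running inside the server, to STDERR otherwise.
sub log_msg {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { radiusd::radlog(1, $msg); }
    else                          { print STDERR "$msg\n"; }
}

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};   # only present in PAP requests

    # Attribute values arrive from the network: allow-list the name before
    # it is used as a lookup key or written to a log.
    unless (defined $user && $user =~ /\A[A-Za-z0-9._@-]{1,64}\z/) {
        log_msg('rejected request with missing or malformed User-Name');
        return RLM_MODULE_INVALID;
    }
    unless (defined $pass) {
        log_msg("no User-Password for '$user' (not a PAP request)");
        return RLM_MODULE_INVALID;
    }

    my ($salt, $stored) = lookup_user($user);
    # Hash even when the user is unknown so both paths do the same work.
    my $candidate = sha256_hex((defined $salt ? $salt : '') . $pass);
    if (defined $stored && same_string($candidate, $stored)) {
        return RLM_MODULE_OK;
    }

    # Same answer for "unknown user" and "wrong password"; the password
    # itself is never logged.
    $RAD_REPLY{'Reply-Message'} = 'Denied access by rlm_perl function';
    log_msg("rejected '$user'");
    return RLM_MODULE_REJECT;
}

# Stand-alone check with constructed requests: perl thisfile.pl --selftest
if (@ARGV && $ARGV[0] eq '--selftest') {
    my @cases = (
        [ { 'User-Name' => 'alice', 'User-Password' => 'correct horse' }, RLM_MODULE_OK ],
        [ { 'User-Name' => 'alice', 'User-Password' => 'wrong' },         RLM_MODULE_REJECT ],
        [ { 'User-Name' => 'bob',   'User-Password' => 'x' },             RLM_MODULE_REJECT ],
        [ { 'User-Name' => 'al ice;', 'User-Password' => 'x' },           RLM_MODULE_INVALID ],
        [ { 'User-Name' => 'alice' },                                     RLM_MODULE_INVALID ],
    );
    for my $c (@cases) {
        %RAD_REQUEST = %{ $c->[0] };
        %RAD_REPLY   = ();
        my $rc = authenticate();
        printf "%-10s rc=%d expected=%d\n", $RAD_REQUEST{'User-Name'}, $rc, $c->[1];
        die "unexpected return code\n" unless $rc == $c->[1];
    }
}

1;
```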
Re: perl scripts
SEND PLAIN TEXT!!! You can change the SQL queries in the sql configuration file. If you really want to use a perl script, then go have rlm_exec and rlm_perl at your disposal... read the docs.

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- Original Message - From: debik To: FreeRadius users mailing list Sent: Saturday, March 11, 2006 2:43 PM Subject: Re: perl scripts

Yes. But that another database is not in radius format like: op, value, etc. So I have to write a perl script.

- Original Message - From: mnisay To: 'FreeRadius users mailing list' Sent: Saturday, March 11, 2006 11:27 AM Subject: RE: perl scripts

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On Behalf Of debik Sent: Friday, March 10, 2006 8:41 PM To: FreeRadius users mailing list Subject: Re: perl scripts

I have got another mysql base and I want to write perl script to tell the radius server to use the data in that database.

do you mean use MySQL for freeradius authentication?

- Original Message - From: mnisay To: 'FreeRadius users mailing list' Sent: Friday, March 10, 2006 11:26 AM Subject: RE: perl scripts

Could somebody share with some scripts that authorize users in radius. I'm trying to write my own script, but I don't find any docs. Could somebody help me.

authorize users in radius? freeradius can authorize users by default.
Re: CVS down
Chris Parker wrote: No, that's just CVSWEB, due to webbots that ignore 'robots.txt' and cane the server recursing through 80+ simultaneous CVS diffs via CVSWEB. I meant CVSWeb :) Disabled the CGI while working out a way to better throttle its use. Maybe require a login like with the bugs module. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: perl scripts
First of all: READ http://www.freeradius.org/list/users.html = please send PLAIN TEXT mails! For your question: read the docs about rlm_exec and rlm_perl

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- Original Message - From: debik To: FreeRadius users mailing list Sent: Friday, March 10, 2006 8:41 PM Subject: Re: perl scripts

I have got another mysql base and I want to write perl script to tell the radius server to use the data in that database.

- Original Message - From: mnisay To: 'FreeRadius users mailing list' Sent: Friday, March 10, 2006 11:26 AM Subject: RE: perl scripts

Could somebody share with some scripts that authorize users in radius. I'm trying to write my own script, but I don't find any docs. Could somebody help me.

authorize users in radius? freeradius can authorize users by default.
CVS down
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/ -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: New accounting database each month
Nicolas Baradakis wrote: Is there a way to configure freeradius to create a new MySQL accounting database each month? (in example: jan_06_radacct, feb_06_radacct, etc). The database should be created the first minute of the first day of each month. This is required for backup/database size. Run a script each month that takes all records from the month before, do whatever with them and remove them from the database. I thought databases are especially friendly for stuff like that... -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Wiki is now live
Alan DeKok wrote: http://wiki.freeradius.org/ Please feel free to add documentation, configuration examples, etc. Right now it's pretty minimal and free-form. Thanks to Peter Nixon for setting it up and hosting it. Alan DeKok.

Yet another thing to maintain... something that nobody has time for :( -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Removing attributes from a reply
Joe Maimon wrote: I can test for existence of Attribute X and if exists, remove attribute Y (using rlm_attr_filter -- I am sure there are other things I could try such as rlm_perl(?) sending all A/V to a shell script...)

rlm_perl should be able to do it, but you'll need the latest CVS version -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Removing attributes from a reply
Joe Maimon wrote: I need to remove an A/V from the reply list, but only if another A/V is already there. This needs to be done post-proxy stage for my needs. rlm_attr_filter can do it -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: working rlm_perl example
[EMAIL PROTECTED] wrote: It seems that I missed the user file entry and the Auth-Type Perl { perl } entry in the radiusd.conf file. That shouldn't be necessary, just calling the module in the authorize section should be sufficient. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: working rlm_perl example
[EMAIL PROTECTED] wrote: I have tried the example.pl and it still gives me a access-reject message. Please provide your rlm_perl configuration and debug output of radiusd -X -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Postgresql+freeradius configuration
[EMAIL PROTECTED] wrote:

Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb
Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied
    Is the server running on host localhost and accepting
    TCP/IP connections on port 5432?
'
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.

Try using 127.0.0.1 instead of localhost

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: cannot return access accept from proxy to client
Wilson Lie wrote: When host B acts as a proxy, the [sql] failed as the username from access-accept is missing. You should make the SQL query so that it won't make an error when certain attributes are not present or empty. See the example sql.conf file. Turn sql traces on and run in debug mode to see what queries are done. Check why they are failing and correct the queries. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: FreeRadius Proxying and Message-Authenticator
Alan DeKok wrote: Paolo Rotela [EMAIL PROTECTED] wrote: So you are implementing YOUR radius to support YOUR PROPOSED method... well it seems some propietary... If one wants control over a project, one should start his own project. It's clear to everybody that FreeRadius is widely used because it's strong and serves a general purpose (not to mention that it's free). So if one needs something specific to one's needs, one should contribute and hope that the project coordinators will see a general benefit. Please do not reply... I just wanted to give Alan some credit, so that the FreeRadius project will continue to evolve like it has before. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: not to return the detault attributes in reject?
kevin wrote:

Try...

DEFAULT Auth-Type := Reject
        Reply-Message = ,
        Fall-Through = Yes

DEFAULT Service-Type == Framed-User
        Framed-IP-Netmask=255.255.255.255,
        Service-Type = Framed-User,
        Idle-Timeout=1800,
        Session-Timeout=86000,

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: rlm_perl / rlm_python
[EMAIL PROTECTED] wrote:

Hi there, Could someone tell me what versions of freeradius have rlm_perl?

All latest version have it. But it's unstable and therefore you have to compile from source using --with-experimental-modules

Do I have to install the 1.0.4 version to get rlm_perl?

No, but latest version is best :)

A very subjective question here... what is better to use rlm_perl or rlm_python? I think that rlm_perl is likely to be supported better than rlm_python. I would have to learn python, but if the general consensus is to go with python I'll do it.

Go for rlm_perl

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Script to process authentications accounting
[EMAIL PROTECTED] wrote: Is there any information about using a script with freeradius to process authentications? rlm_exec rlm_perl (not stable) rlm_python (not stable) -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: rlm_perl support for pre/post-proxy in next release?
Boian Jordanov wrote: On Fri, Sep 02, 2005 at 01:16:31AM +0200, Thor Spruyt wrote: I'm wondering if rlm_perl will support pre/post-proxy functions in the next release? This is already in CVS. You can checkout release 1.19 of rlm_perl and use it with freeradius 1.0.4

Sure, but will it be in the next official release? -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Problem with passwd module
Alan DeKok wrote:

Erling Paulsen [EMAIL PROTECTED] wrote: I'm using the passwd module to lookup users in a SMBPASSWD file. This works great. But if new users are added or a user change his/hers password. Then I have to restart freeradius to make changes visible to freeradius.

Or, send it a HUP signal. That's how *all* of the configuration files work.

Is there a way I can make freeradius lookup the SMBPASSWD file each time it tries to fetch user-data from it? It seems to me like it reads the file to memory and caches it!

Yes. Reading the file for every request is slow, and pointless.

I have a script that makes a restart of the daemon every time a new user is added or users changes their passwords. It can be quite some restarts, and I don't like the risk of restarting the server so often. Any hints?

Consider a separate backend in which to store user credentials and let samba as well as freeradius auth against that backend.

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Cannot start freeradius
On 9/2/05, Daniel Corbe [EMAIL PROTECTED] wrote:

when I go to start radiusd I get the following error:

radiusd.conf[1383] Failed to link to module 'rlm_exec': dlopen(/usr/local/lib/rlm_exec-1.0.4.so, 9): Symbol not found: _debug_flag
  Referenced from: /usr/local/lib/rlm_exec-1.0.4.so
  Expected in: flat namespace

This is a fresh install on a Mac OS X box. Any help is appreciated.

More information would also be appreciated :) Which version of freeradius? Did you try to compile freeradius from source? Provide the output. Provide the complete output, also that what comes before the error.

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Windows Client Authentification bevore Domain logon
Please use correct terminology. It's AUTHENTICATION, not authentification! To authenticate = authentication To authorize = authorization To account = accounting To identify = identification -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
rlm_perl support for pre/post-proxy in next release?
Hi, I'm wondering if rlm_perl will support pre/post-proxy functions in the next release? Also, is there any chance to get bug 275 into next release? http://bugs.freeradius.org/show_bug.cgi?id=275 Or does it have to be discussed further on the list? -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: TTLS-PAP only option for LDAP backend?
Cian Phillips wrote: Thanks to Alan, Thor and Vladmir for getting me this far. grin I have TTLS-PAP working and authenticating against our OSX LDAP server. I was wondering if anyone has had any success getting Microsoft clients to use TTLS-PAP without installing additional software as suggested in this tutorial. http://vuksan.com/linux/dot1x/wpa-client-config.html#Windows_XP Is there a simpler way to accomplish the same thing? No -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: how to run sql query on radius startup
Sergey Pariev wrote: Hi All. I'm currently setting up freeradius 1.0.4 with pgsql (8.0.3) backend, and I need to run an SQL query on radius server startup. I'd like to know is it possible at all ? I've read the docs and *.sql config files but haven't found anything like this. Any suggestions ? I know I can run a query via psql from radius startup script, but I'd prefer another solution if such exists.

What exactly would you want to do? Maybe it serves a general purpose :) -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: wlse leap patches
Marc-Henri Boisis-delavaud wrote: Hello Where Can I found patches for cisco wlse work ? Marc

Huh... my best guess would be cisco.com :) -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: wlse leap patches
How about submitting them to bugs.freeradius.org?

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- Original Message - From: M.McNeil To: FreeRadius users mailing list Sent: Monday, August 29, 2005 6:44 PM Subject: Re: wlse leap patches

Here are the patches. These were made against FreeRadius 1.0.0. Here's how to apply them:

1. mkdir patchdir, cd patchdir
2. gzip -dc freeradius-1.0.0-wlse-patches.tar.gz | tar -xvf -
3. Grab the FreeRadius-1.0.0 source code and extract it.
4. cd freeradius-1.0.0/src/modules/rlm_eap
5. Apply the eap.c patch: patch < /patchdir/freeradius-1.0.0-eap-patch
6. Apply the mem.c patch: patch < /patchdir/freeradius-1.0.0-mem-patch
7. Apply the rlm_leap patch: cd freeradius-1.0.0/src/modules/rlm_eap/types/rlm_leap, patch < /patchdir/freeradius-1.0.0-leap-patch

Configure and compile as usual. Thanks should be given to Richard Timsit and John Koen for their assistance in providing/testing these patches.

Best Regards, -- Mike McNeil Sr. Network Engineer University of California Berkeley Ph: 510-643-4656
Re: (no subject)
Matt morris wrote: So how do I setup freeradius to use rlm_perl then? Some pointers will be greatly appreciated. Thank you.

rlm_perl is still experimental. That means that you'll need to compile freeradius with the --with-experimental-modules option. The configuration is in etc/raddb/experimental.conf

rlm_exec is stable, so your freeradius will support it already. The configuration is in etc/raddb/radiusd.conf. You can use any executable script (which *can* be a perl script). Look in CVS, there's a lot of information added about rlm_exec!

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
rlm_attr_filter for proxied accounting packets
Hi, I noticed that rlm_attr_filter.c contains the following in the attr_filter_preproxy function:

    if (request->packet->code != PW_AUTHENTICATION_REQUEST) {
        return (RLM_MODULE_NOOP);
    }

This means that accounting packets are not handled by this function. Instead, the accounting packets are handled by the attr_filter_accounting function.

I have a problem with this, because I'm rewriting attributes with the preproxy_users file. That module's function will change attributes in both proxied authentication requests and proxied accounting requests.

Now, for authentication everything works fine:
- I don't do any attribute changing in the authenticate stage, so everything stays the same here
- then we go to the pre-proxy stage, where first I use rlm_files for some changing and then rlm_attr_filter to filter some attributes out

For accounting however, the following happens:
- in the accounting stage, rlm_attr_filter filters some attributes out because I don't want them to be sent to the home radius
- in the pre-proxy stage, rlm_files wants to change some attribute based on another attribute which was filtered out already by rlm_attr_filter in the accounting stage
- in the pre-proxy stage, rlm_attr_filter returns NOOP, since it's coded not to do anything here for accounting packets.

To be clear: I think that the pre-proxy functions should always act on both Access-Request and Account-Request packets, the configuration in radiusd.conf should take care if you want to differentiate between the two. Obviously, for post-proxy this would apply too, but the need is not there, since Accounting-Reply packets generally do not contain any attributes, but even then it would be nice to be able to tell the server to filter them out or not.

Since rlm_attr_filter should only be used for proxied packets, the attr_filter_accounting function is obsolete, just like the attr_filter_authenticate function was!

If you want, I can supply a patch for rlm_attr_filter.c to also accept accounting packets in the attr_filter_preproxy function, just let me know.

-- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: not to return the default attributes in reject?
kevin wrote:
> Still not sure how to handle with rlm_exec. Can anybody give me more details?

Maybe another solution.. in users file START with:

    DEFAULT Auth-Type := Reject
        Fall-Through = Yes

> kevin
>
> Thor Spruyt wrote:
>> kevin wrote:
>>> How can I return Reject-Packet without default attributes? It seems that the default attributes in the users file are returned regardless of Accept or Reject. I don't want to give a hint to hacker who can try a lot of rejects. Is there a way? Somebody suggested Exec-Program-Wait = reject.sh before. But, it didn't work for me.
>>
>> rlm_exec

--
Groeten, Regards, Salutations, Thor Spruyt
Re: MySQL radacct not updated
sean wrote:
> In order to enable the accounting packets between Chilli and Radius I removed all of the pin holes in my ADSL modem and instead set up a NAT default server pointing to my Radius/WEB/Jabber/POP/SMTP/SMPP/Apache server. This allows all of the traffic arriving to the ADSL modem to pass through to the server and solved the problem. I'm not sure about the security of this fix so I'm setting up a firewall on the server. This will give me better control over the traffic than the ADSL modem did.

Remember for your next projects :) Always check that what you expect also happens (in this case traffic arriving at your server).

--
Groeten, Regards, Salutations, Thor Spruyt
Re: not to return reply-attributes in reject?
kevin wrote:
> How can I return Reject-Packet without default attributes? It seems that the default attributes in the users file are returned regardless of Accept or Reject. I don't want to give a hint to hacker who can try a lot of rejects. Is there a way? Somebody suggested Exec-Program-Wait = reject.sh before. But, it didn't work for me.

rlm_exec

--
Groeten, Regards, Salutations, Thor Spruyt
Re: freeradius proxy question
[EMAIL PROTECTED] wrote: People might be able to do more if they had configs and debug output (-X)

--
Groeten, Regards, Salutations, Thor Spruyt
Re: MySQL radacct not updated
sean wrote:
> Hi ALL, I have made no progress in resolving the radacct problem. Radius is loading with no error messages and I've gone over the radiusd.conf and sql.conf a million times. below is the output from Radius when a client logs in.

Now a debug trace of an Access-Request packet is very handy to spot an issue which has to do all with accounting packets :)

The radacct table is only filled with INSERT queries when Accounting-Request packets are handled! Check that the NAS is actually sending accounting packets and that they actually arrive on the correct radius server!

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Problem with PEAP and LDAP
Carlos Martínez-Troncoso Cera wrote:
> Hello. We are trying to use FreeRadius with PEAP and LDAP.

You might consider TTLS with PAP instead of PEAP with MS-CHAP-V2

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Replaying data with tcpdump/netcat
Alan DeKok wrote:
> with tcpdump -s 1500 -w raw.txt port 1813 and udp.

-s 0 instead of -s 1500 would be better, radius packets are not restricted to 1500 bytes.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: rlm_exec and retriving RAD_REQUEST attribute values
Matt morris wrote:
> Hello list, This has probably been asked a lot times before, but I just couldn't get the attributes values from accounting request packets with my perl script. I am trying to do some database queries when I received stop accounting request packets, here are the relevant sections of my radiusd.conf and script file:

You're mixing up 2 modules: rlm_exec and rlm_perl

You configured your radius to use rlm_exec, but you're using a sample script for rlm_perl, which is completely different!

There's a sample for rlm_exec at http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/scripts/exec-program-wait?rev=1.4&content-type=text/x-cvsweb-markup

--
Groeten, Regards, Salutations, Thor Spruyt
Re: MySQL radacct not updated (Thor Spruyt)
sean wrote:
> The NAS is a Linksys WRT-54G running DD-WRT firmware. I have made no changes to the NAS configuration and up to a while ago the radacct file was being updated. I suspect that the problem is either in radiusd.conf, sql.conf or the MySQL access rights. I have noticed that by inserting sql in the post-auth section of radiusd.conf it updates the radpostauth part of the database. Is there a part of radiusd.conf that needs to be changed to do the same for radacct? Below is the output when Radius starts up. I'm sorry to fill the post with so much info but if you look at the SQL part of the startup it seems OK. Can you spot anything wrong?

Again... sending the debug output of an ACCOUNTING packet might help. Since you're not doing that, I assume the accounting packets never arrive at the radius server. Do a tcpdump on your radius server to verify that accounting packets are actually coming in!

--
Groeten, Regards, Salutations, Thor Spruyt
Re: MySQL radacct not updated
sean wrote:
> I'm sorry but I don't understand your answer. Can you explain the debug of an accounting packet?

Found a nice explanation here: http://support.intel.com/support/si/library/bi0409.htm

QUOTE
In addition to the authentication and authorization process, an extension of the RADIUS protocol provides an accounting function. Typically, when a user logs in, the Network Access Server (NAS) sends an accounting start record to the security server in order to signal that an accounting session has started. When the user logs out, the NAS sends an accounting stop record to indicate that the accounting session has ended. This record contains information about the amount of time used, data sent and received during the session, and other relevant billing information. You can configure the NAS to send accounting records to a server for both standard and RADIUS users. This is a guaranteed service - each request is acknowledged by the server, making it a reliable way of gathering user access information.
/QUOTE

> Do you mean something like an Ethereal trace?

Yep.

> How do I do a tcp dump on the Radius server.

http://www.google.com/search?hl=nl&q=tcpdump+howto&lr=

    # tcpdump -s 0 -i eth0

--
Groeten, Regards, Salutations, Thor Spruyt
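Added example, not part of the thread or of FreeRADIUS: Python code that takes the UDP payloads a full-length capture (`tcpdump -s 0`) would yield, tells Accounting-Request packets (the only ones that feed radacct) from Access-Requests, and checks the accounting Request Authenticator as defined in RFC 2866. The sample packets, user name and session id are constructed here; the shared secret reuses the testing123 value that appears elsewhere on this page.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update",
               7: "Accounting-On", 8: "Accounting-Off"}
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44


def parse_radius(payload):
    """Parse one RADIUS packet from a UDP payload; raise ValueError if malformed."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= 4096:
        raise ValueError("length field outside 20..4096")
    if length > len(payload):
        # Typical result of a capture snaplen that cut the packet short.
        raise ValueError("truncated: header says %d bytes, capture has %d"
                         % (length, len(payload)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("attribute header runs past end of packet")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": payload[4:20], "attrs": attrs}


def acct_authenticator_ok(payload, secret):
    """RFC 2866: MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    pkt = parse_radius(payload)
    data = payload[:4] + b"\x00" * 16 + payload[20:pkt["length"]] + secret
    return hmac.compare_digest(hashlib.md5(data).digest(), pkt["authenticator"])


def summarize(payload, secret):
    """Report what a captured packet is and whether it can reach radacct."""
    pkt = parse_radius(payload)
    attrs = dict(pkt["attrs"])
    is_acct = pkt["code"] == 4
    status = None
    raw = attrs.get(ACCT_STATUS_TYPE)
    if is_acct and raw is not None and len(raw) == 4:
        status = ACCT_STATUS.get(struct.unpack("!I", raw)[0], "unknown")
    return {"code": CODES.get(pkt["code"], "other"),
            "user": attrs.get(USER_NAME, b"").decode("utf-8", "replace"),
            "status": status,
            "feeds_radacct": is_acct,
            "authenticator_ok": acct_authenticator_ok(payload, secret) if is_acct else None}


def build_packet(code, ident, attrs, secret=None, authenticator=None):
    """Build a constructed sample packet (test data only, not a client)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if authenticator is None:
        authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


# Constructed sample data.
SECRET = b"testing123"
ACCESS_REQ = build_packet(1, 10, [(USER_NAME, b"alice")],
                          authenticator=bytes(range(16)))
ACCT_START = build_packet(4, 11, [(USER_NAME, b"alice"),
                                  (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
                                  (ACCT_SESSION_ID, b"0001")], secret=SECRET)
TAMPERED = ACCT_START[:-1] + b"2"   # session id changed after signing
CUT_SHORT = ACCT_START[:30]         # what a too-small snaplen would leave

if __name__ == "__main__":
    for name, pkt in [("access", ACCESS_REQ), ("acct", ACCT_START),
                      ("tampered", TAMPERED)]:
        print(name, summarize(pkt, SECRET))
```

A failed authenticator check on an otherwise well-formed Accounting-Request points at a shared-secret mismatch between NAS and server, which is a different fault from packets never arriving.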
Re: best place for logic - users file or custom module?
Tariq Rashid wrote:
> hi, i'm planning a significant migration from a different radius server (Radiator, perl based).

You might have a look at the rlm_perl module (persistent perl module to intervene in multiple stages). It's not marked stable yet, but it should be soon and it should be working fine already. There's a sample script included in the source distribution in src/module/rlm_perl/

The configuration of the module sits in etc/raddb/experimental.conf for now.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: best place for logic - users file or custom module?
Tariq Rashid wrote:
> is python more stable than the support for perl? i have much more experience in python than perl.

rlm_python is not marked stable yet either. I don't know about its stability, but I haven't seen much about rlm_python on the maillist, so maybe support could be very low.

> also is the perl/python stuff persistent - or is the interpreter invoked for every request? i am asking as i think this is the main reason for Radiator's performance issues - in theory even a big interpreter loaded into RAM should run fine ... but I suspect something inefficient is happening with Radiator.

rlm_perl is persistent

--
Groeten, Regards, Salutations, Thor Spruyt
Re: MySQL radacct not updated
sean wrote:
> Hi, I have a strange problem with MySQL and FreeRadius. The system had been performing perfectly but it is no longer updating radacct. The result is that when users login the counter on their login page counts down their remaining time. But when they logout and then login again the counter is reset back to its original value. This means that user names and passwords last forever.

Check that accounting packets sent by the NAS are actually received on your radius server.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Database field lengths for radacct and radpostauth
Alan DeKok wrote:
> The RFC's say that the passwords cannot be longer than 127 characters.

Submitted bug 270 to correct.

--
Groeten, Regards, Salutations, Thor Spruyt
Database field lengths for radacct and radpostauth
I've reported bug 266 with a patch for postgresql http://bugs.freeradius.org/show_bug.cgi?id=266

You don't know the maximum length of the username and password of your roaming partners, but you need to store those as well into the database.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: FR suddenly doesn't respond any more and eats all cpu
Nicolas Baradakis wrote:
> Benedikt Panzer wrote:
>> Also I tested the switch -s and just the same, the error doesn't occur then. Back in normal mode (without -x or -s) FR crashes again, with one of both switches it doesn't. Strange to me. Is this normal for you experts?
>
> I have no idea what's causing the problem. You might try with the option '-f' too, like in bug #100. http://bugs.freeradius.org/show_bug.cgi?id=100

I had the same issue with 1.0.1

I have 2 radius servers which each use 2 postgresql database backends. When I stopped one server for maintenance, the radiusd process on the other server suddenly went to constantly using 100% CPU. When starting radiusd while 1 database is already down, this doesn't happen.

Looks to me that it's not LDAP or Postgresql related :)

--
Groeten, Regards, Salutations, Thor Spruyt
Re: 802.1x and LDAP
Cian Phillips wrote:
> Many of the settings are the default. The settings I have changed have been from several online tutorials none of which talked about both 802.1x and LDAP.

Seems to me you didn't search well enough... http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto

--
Groeten, Regards, Salutations, Thor Spruyt
Bug #256 should go into 1.0.5
http://bugs.freeradius.org/show_bug.cgi?id=256

It's a really big mistake and only a 1-line change!

--
Groeten, Regards, Salutations, Thor Spruyt
Re: eap-ttls + PAP using Crypt-Password obtained by ldap
Thor Spruyt wrote:
> Florian Prester wrote:
>> The Crypted-Password is working and it is available as Crypt-Password. (Tested with ntradping). I added DEFAULT Auth-Type := pap at the end of the users-file, without it wants to use ldap-authentication!
>
> You should set Auth-Type := pap

I mean SHOULDN'T!!!

See http://vuksan.com/linux/dot1x/802-1x-LDAP.html

--
Groeten, Regards, Salutations, Thor Spruyt
Re: eap-ttls + PAP using Crypt-Password obtained by ldap
Florian Prester wrote:
> The Crypted-Password is working and it is available as Crypt-Password. (Tested with ntradping). I added DEFAULT Auth-Type := pap at the end of the users-file, without it wants to use ldap-authentication!

You should set Auth-Type := pap

See http://vuksan.com/linux/dot1x/802-1x-LDAP.html

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Authentication Responses during error conditions
Doug Hardie wrote:
> I am a bit confused now. I understood that if a module returns RLM_MODULE_FAIL that radiusd would not return an authorization reject. However, it appears that it still does.

Have a look at doc/configurable-failover

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Authentication Responses during error conditions
Doug Hardie wrote:
> I am trying to get the Ascend NASs to switch to the secondary radius server when the primary has a failure condition. I know that no response will cause that, but haven't been able to find any way to make the switch occur with the primary is not working properly. Is there a particular value to send back that would cause the switch?

You should setup both your radius servers with 2 database backends in failover, so that if one db is down, both radius servers can still handle things. If freeradius itself is down or the complete host is down, then the NAS should switch to the other radius server. Maybe your NAS can also do round-robin for load-balancing.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Using RADIUS for content filtering.
This is completely NAS-specific, so read your NAS documentation to know what attributes and values to return.

P.S.: try sending plain-text mail next time :)

--
Groeten, Regards, Salutations, Thor Spruyt

----- Original Message -----
From: Rohaizam Abu Bakar
To: freeradius-users@lists.freeradius.org
Sent: Friday, July 29, 2005 10:04 AM
Subject: Using RADIUS for content filtering.

Dear all,

I've given one assignment to create some sort of tunneling to cache server (netcache) to do some content filtering when browsing. There will be 2 cache-server. One passing all traffic another one will do content filtering.. When user subscribe to this service (for their children maybe).. When user doing authentication, what should i include in the profile for the traffic to be diverted to cache server that do the filtering? Is it possible to use below? Or pls suggest suitable method..

    Login-Service: TCP-Clear
    Login-IP-Host: 10.1.1.1
    Service-Type: Login-User
    Login-TCP-Port: 80

I've heard about method L2TP tunnelling with ERX/SDX (juniper) .. But that seems costly...

thanks..
--haizam
Re: session-time with incorrect calculations
Barry wrote:
> I am running FreeRadius 1.0.4 with Postgres. I have noticed that the sessiontime is sometimes calculated incorrectly in the radacct table. If you compare the acctsessionstart and the acctsessionend with the acctsessiontime it does not match. This is particularly true for connections ended with idle-timeout. When would session times generally be wrong and how can I stop this from happening ?

Could be a feature of the NAS to subtract the idle time from the session time so as not to bill the user for unused time. Check your NAS features/configuration.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: IPTABLES - continued
Shaun Rossi wrote:
> After posting, I realized I should have elaborated more. I would like to have this FreeRadius box on the Internet so a few of my NAS devices can access it no matter where they are. I understand port 1812 and 1813 udp must be opened. I am looking for some example IPTABLES (fedora core) entries that would enable UDP access to FreeRadius.

http://www.google.be/search?hl=nl&q=iptables+sample&meta=

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Postgres problem
Try connecting to the postgresql database with the same user/pass and from the same host as freeradius. Check access rights to the database.

--
Groeten, Regards, Salutations, Thor Spruyt

----- Original Message -----
From: Santiago Balaguer García
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, July 20, 2005 7:37 PM
Subject: Postgres problem

I am migrating my MySQL DB to Postgres. My authentication is OK, but the accounting query insertion fails with the following error:

    rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
    rlm_sql_postgresql: affected rows =
    rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
    rlm_sql (sql): failed after re-connect
    rlm_sql (sql): Couldn't insert SQL accounting START record - ERROR: relation radacct_radacctid_seq does not exist

I create all tables in the database RADIUS. Could you help me someone?
Re: rlm_sql_mysql make error for 1.0.4 and snapshot-20050718
Paul Hampson wrote:
> On Mon, Jul 18, 2005 at 05:22:51PM +0200, Thor Spruyt wrote:
>> Hi,
>> `/home/thor/freeradius-1.0.4/src/modules/rlm_sql/drivers/rlm_sql_mysql'
>> gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I'/usr/include/mysql' -I/home/thor/freeradius-1.0.4/libltdl -c sql_mysql.c -o sql_mysql.o
>> sql_mysql.c:39:20: errmsg.h: No such file or directory
>> sql_mysql.c:40:19: mysql.h: No such file or directory
>
> The build process didn't find your mySQL headers.

I installed mysql-devel rpm and it works now. Strange... for other modules when the devel is not there, they're skipped... for mysql an error is the result.

Anyway... I have now successfully compiled 1.0.4 with support for postgresql (which I will use) and mysql (which I won't use).

--
Groeten, Regards, Salutations, Thor Spruyt
rlm_sql_mysql make error for 1.0.4 and snapshot-20050718
Re: mrtg
Alan DeKok wrote:
> Micko [EMAIL PROTECTED] wrote:
>> I would like to know if I can create mrtg using snmp on how many users are currently connected?
>
> FreeRADIUS doesn't supply that information through SNMP.

You *could* store the sessions in a database from which this info can be retrieved.

--
Groeten, Regards, Salutations, Thor Spruyt
error at end of make install
Hi,

I just ran a quick test on Centos 3.4 for freeradius-1.0.3. Successfully did ./configure and make, but then just at the end of make install there's an error.

    Making install in main...
    gmake[4]: Entering directory `/home/thor/freeradius-1.0.3/src/main'
    /home/thor/freeradius-1.0.3/libtool --mode=install /home/thor/freeradius-1.0.3/install-sh -c -m 755 -s radiusd /opt/freeradius-1.0.3/sbin
    /home/thor/freeradius-1.0.3/install-sh -c -m 755 -s .libs/radiusd /opt/freeradius-1.0.3/sbin/radiusd
    /home/thor/freeradius-1.0.3/install-sh -c -m 755 -s radwho /opt/freeradius-1.0.3/bin
    strip: /opt/freeradius-1.0.3/bin/#inst.3617#: File format not recognized
    gmake[4]: *** [install] Error 1
    gmake[4]: Leaving directory `/home/thor/freeradius-1.0.3/src/main'
    gmake[3]: *** [common] Error 2
    gmake[3]: Leaving directory `/home/thor/freeradius-1.0.3/src'
    gmake[2]: *** [install] Error 2
    gmake[2]: Leaving directory `/home/thor/freeradius-1.0.3/src'
    gmake[1]: *** [common] Error 2
    gmake[1]: Leaving directory `/home/thor/freeradius-1.0.3'
    make: *** [install] Error 2

--
Groeten, Regards, Salutations, Thor Spruyt
Re: rlm_perl and perl modules
Emil Wilmanski wrote:
> Can I use any perl modules in rlm_perl script? I try to use DBI and I get

I don't know about any, but normally they *should* work. For example, I use the following:

    use strict;
    use DBI;

Write a normal perl script that uses the module's functions and see if that works.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Freeradius with postgresql (Login incorrect)
Please send mail in PLAIN TEXT!

I don't know where YOU see an error message, but I don't see any. I would suggest turning SQL traces on (see postgresql.conf)

--
Groeten, Regards, Salutations, Thor Spruyt

----- Original Message -----
From: Brian Gao
To: freeradius-users@lists.freeradius.org
Sent: Thursday, April 14, 2005 7:42 PM
Subject: Freeradius with postgresql (Login incorrect)

Hi, all

I am trying to configure postgresql 7.4 as a backend of freeradius server. After I run "radtest radius radius 47.135.23.217 1812 testing123" the debug file shows:

    rad_recv: Access-Request packet from host 47.135.123.217:32782, id=217, length=58
        User-Name = "radius"
        User-Password = "radius"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'radius' ORDER BY id
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: affected rows =
    rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'radius' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: affected rows =
    rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radius' ORDER BY id
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: affected rows =
    rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'radius' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: affected rows =
    rlm_sql (sql): Released sql socket id: 4
    Login incorrect: [radius/radius] (from client 47.135.123.0 port 1812)
    rad_recv: Access-Request packet from host 47.135.123.217:32782, id=217, length=58
    Sending Access-Reject of id 217 to 47.135.123.217:32782

This looks to me like the connection is established already, the error that is being thrown looks like it is coming from the PostgreSQL. I have searched on Internet but didn't find the exact error. Any ideas?

TIA
Brian
Re: dictionary file - rfc compliant or not - Authen::Radius?
Bram wrote:
> I'm asking this because the 'encrypt=1' after User-Password in the dictionary file is breaking the perl module Authen::Radius, I mailed the author of this module (informing him about it) and he found the used syntax strange...

Found on http://search.cpan.org/~manowar/RadiusPerl-0.12/Radius.pm ...

load_dictionary ( [ DICTIONARY ] )
Loads the definitions in the specified Radius dictionary file (standard Livingston radiusd format). Tries to load '/etc/raddb/dictionary' when no argument is specified, or dies. NOTE: you need to load valid dictionary if you plan to send Radius requests with other attributes than just User-Name/Password.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: Integrating with freeradius and postgresql.
Sure.

--
Groeten, Regards, Salutations, Thor Spruyt

----- Original Message -----
From: Brian Gao
To: 'freeradius-users@lists.freeradius.org'
Sent: Friday, April 01, 2005 7:43 PM
Subject: Integrating with freeradius and postgresql.

Just wondering if anyone has done integrating with freeradius and postgresql?

Brian
Re: Fail_over
Rangel, Luciano wrote:
> Rangel, Luciano [EMAIL PROTECTED] wrote:
>> What should I do to configure fail-over in my freeradius ?

Read doc/configurable_failover and try.

--
Groeten, Regards, Salutations, Thor Spruyt
Re: use more radius-mysql databases
[EMAIL PROTECTED] wrote:
> i have a freeradiusserver with a connection to a mysql db. now i want to install a new customer. for this customer i want to use a separate database. how can i install this?

You can define multiple instances of a module. See doc/rlm_sql:

5. Instances

Just like any other module, multiple instances of the rlm_sql module can be defined and used wherever you like. The default .conf files for the different database types contain 1 instance without a name like so:

    sql {
        ...
    }

You can create multiple named instances like so:

    sql sql_instance1 {
        ...
    }
    sql sql_instance2 {
        ...
    }

And then you can use a specific instance in radiusd.conf, like so:

    authorize {
        ...
        sql_instance1
        ...
    }
    accounting {
        ...
        sql_instance1
        sql_instance2
        ...
    }

--
Groeten, Regards, Salutations, Thor Spruyt
Re: questions about the clients.conf file
Q1: split the internet in half: 0.0.0.0/1 and 128.0.0.0/1
Q2: read sql docs and configuration files

----- Original Message -----
From: Lists
To: freeradius-users@lists.freeradius.org
Sent: Friday, February 25, 2005 5:34 PM
Subject: questions about the clients.conf file

Hi, I have two questions about the clients.conf file:
_ when I define a client on this file, I need to write the ip or the hostname or a network... it's possible to enable all client to execute an AAA request (it's for testing) ?
_ it's possible to move the clients.conf informations to a Mysql table ?

Thank you
Luca
Re: NAS table replaces clients.conf?
----- Original Message -----
From: Patricio Marin [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, February 23, 2005 8:39 PM
Subject: NAS table replaces clients.conf?

> Hi, I made a fresh install of FreeRadius 1.0.2 and I was wondering if the NAS mysql table is a replacement for the clients.conf file (that would be great, and a lot easier to administrate).

You CAN put all your clients in a database if you wish, but the clients.conf will not disappear.

> If so, where do I set the NAS IP? Do I need to make any changes to the .conf files so FreeRadius only uses the data from the NAS table?

NAS IP goes into the name field
in sql.conf set readclients = yes (at the end of the file)
Re: Customize RadPosAuth table
----- Original Message -----
From: Eric Gregory [EMAIL PROTECTED]

> Using Freeradius 1.1 and would like to customize the radpostauth table in MYSQL, I'd like it to not record the plain text passwords on successful authentications is the most important and also I'd like to see failed logins as well. Any help is appreciated.

Have a look in raddb/sql.conf, the queries are there.
Re: Append realm to username but sorted by dnis
See http://bugs.freeradius.org/show_bug.cgi?id=189

----- Original Message -----
From: Kevin Bonner [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, February 19, 2005 2:23 AM
Subject: Re: Append realm to username but sorted by dnis
[Bug 211] Patch for making the nas query configurable
[EMAIL PROTECTED] wrote:
> http://bugs.freeradius.org/show_bug.cgi?id=211
>
> --- Additional Comments From [EMAIL PROTECTED] 2005-02-18 18:59 ---
> The nas client reading happens in the instantiate section, where radius_xlat won't work. So the ${nas_table} variable will never be evaluated. Also rlm_sql expects a certain format to the query, so i don't see any real point in allowing the administrator to play with the column names. In general there's little value in the patch. A documentation update on the *.conf files about the nas query syntax would be nice though.

I tested this and the ${nas_table} variable IS substituted (see debug output below). As long as the query returns the data in the format rlm_sql expects it, then what's the problem? Same goes for all the other queries! Added value is that the table name, column names and order in the table can be according to the liking of the system admin.

In postgresql.conf I have:

# Table to keep radius client info
nas_table = clients
# Query for radius clients
nas_query = SELECT id,name,shortname,type,secret FROM ${nas_table}
# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes

Partial output from radiusd -X:

...
sql: usergroup_table = usergroup
sql: read_groups = yes
sql: nas_table = clients
sql: dict_table = dictionary
sql: sqltrace = yes
sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
sql: readclients = yes
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = %{User-Name}
sql: default_user_profile =
sql: nas_query = SELECT id,name,shortname,type,secret FROM clients
...
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT id,name,shortname,type,secret FROM clients
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id,name,shortname,type,secret FROM clients
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=testing123
rlm_sql (sql): Adding client 127.0.0.1 (localhost) to clients list
rlm_sql (sql): Released sql socket id: 4
Module: Instantiated sql (sql)
...

Works for me...

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be
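Added example, not part of the thread and not FreeRADIUS code: once clients are read from a table as in the message above, the same table can be audited for the two risky patterns that appear in these threads, client entries that cover huge networks (0.0.0.0/1, 128.0.0.0/1) and the testing123 sample secret. It assumes the column order of the nas_query quoted above and that the name column holds an IP address, CIDR network or hostname; the thresholds, the sqlite3 stand-in database and all sample rows are constructed for illustration.

```python
import ipaddress
import sqlite3

# Column order taken from the nas_query quoted in the thread.
NAS_QUERY = "SELECT id,name,shortname,type,secret FROM clients"
SAMPLE_SECRETS = {"testing123"}  # the secret visible in the debug output
MIN_PREFIX = 24                  # assumed policy: flag IPv4 nets wider than /24
MIN_SECRET_LEN = 16              # assumed policy

def audit_clients(conn):
    """Return (name, finding) pairs for client rows that need review."""
    findings = []
    for _id, name, _short, _type, secret in conn.execute(NAS_QUERY):
        try:
            net = ipaddress.ip_network(name, strict=False)
            if net.version == 4 and net.prefixlen < MIN_PREFIX:
                findings.append((name, f"covers {net.num_addresses} addresses"))
        except ValueError:
            findings.append((name, "hostname: resolve and review by hand"))
        if secret in SAMPLE_SECRETS:
            findings.append((name, "well-known sample secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret shorter than {MIN_SECRET_LEN} characters"))
    return findings

def sample_db():
    """Constructed rows for illustration, not from a real deployment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients "
                 "(id INTEGER, name TEXT, shortname TEXT, type TEXT, secret TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?,?,?,?,?)", [
        (1, "127.0.0.1", "localhost", "other", "testing123"),
        (2, "0.0.0.0/1", "lower-half", "other", "q8Zr2LmV0xTfYc71Ka"),
        (3, "128.0.0.0/1", "upper-half", "other", "short"),
        (4, "192.0.2.10", "ap-lobby", "other", "n4Hq7sPz1LwXe93BdU"),
    ])
    return conn

if __name__ == "__main__":
    for name, finding in audit_clients(sample_db()):
        print(f"{name}: {finding}")
```

Against a live server, pass a connection from the PostgreSQL or MySQL driver in use instead of sample_db(); the audit function only needs an object whose execute() yields the five columns in that order.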
Status of rlm_perl
Hi,

I was wondering when rlm_perl will become stable. What needs to be done in order to get it there?

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be
Re: howto check authorizations on a regular time basis ?
Pierre Bourgin wrote:
> My EAP-TLS stuff is working, but I've noticed that once a wireless client (supplicant) is allowed to use the WLAN network, the AP (freeRadius client in terminology) never re-checks authorization of the supplicant to use this wireless network until the supplicant is leaving this WLAN network then comes back.

Look at your AP documentation.

> I would like that the Access Point re-checks authorization of supplicants every hour for instance without ending its wireless session if the authorization (and authentication) is still ok.

Look at your AP documentation.

> I've tried to modify my attrs file like this (copy below), but since I did not find the exact meaning of Session-Timeout and Idle-Timeout keywords,

Session-Timeout = seconds after which the session has to be terminated
Idle-Timeout = seconds that the user did nothing (was idle) after which to terminate the session

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be
Re: Set EAP-TLS and Postgresql
nake116 nake116 wrote:
> I am confused about how to set up freeradius with
> 1. EAP-TLS
> 2. use of a Postgresql database
> I don't know the right way to set the config file

You could start with http://www.google.com/search?q=Freeradius+EAP-TLS+Postgresql

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be