Re: assignment
Oh my god you are GOD!!! That works so fine. Windows clients are well connected and if auth fails, they are sent to VLAN guest!!! But with Ubuntu (network-manager), I must restart network-manager several times to make it work; I noticed that network-manager has some issues keeping the password in 802.1X :-( . Thanks so much.

2010/3/4 Alan Buxey a.l.m.bu...@lboro.ac.uk

> Hi,
>
> > interface FastEthernet0/24
> >  switchport access vlan 100
> >  switchport mode access
> >  dot1x pae authenticator
> >  dot1x port-control auto
> >  dot1x auth-fail vlan 120   = here supposed to send it to vlan 120
> >  spanning-tree portfast
>
> looking okay... do you need to set these global values too?
>
> dot1x system-auth-control
> dot1x guest-vlan supplicant
>
> PS this really is no longer a FreeRADIUS issue per se - it's now very vendor specific - you should be bugging the appropriate people or list that deals with your kit :-)
>
> alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Lost and confused
To start FreeRadius in debug mode with time stamps use the command: radiusd -XX
To shut down FreeRadius use the command: killall radiusd
After you start FreeRadius in debug mode you can press Ctrl+C to stop FreeRadius. I think this can only be done in the same terminal window you started FreeRadius in.

Fajar A. Nugraha fa...@fajar.net 3/5/2010 3:40 AM

> On Fri, Mar 5, 2010 at 2:34 PM, jin jin jya...@yahoo.com.sg wrote:
>
> > la...@lauwk-desktop:~$ sudo netstat -anp | grep 1812
> > [sudo] password for lauwk:
> > udp   0   0 0.0.0.0:1812   0.0.0.0:*   1505/freeradius
>
> then a freeradius server process is already running.
>
> > From the above I take it that freeRADIUS is using the correct port, right? I followed the documents and didn't touch the configuration file at all because I'm a total beginner. What can I do from this part onwards? Thanks for the reply.
>
> As Alan said, stop the server before you run it in debugging mode. If the initscript can't stop it, you may need to kill it manually.
>
> --
> Fajar
Proxy and copy-acct-to-home-server
Hello List,

I am redoing our radius setup into FreeRadius 2.0.4 and I need some advice. Let's say I have 3 FreeRadius servers (A, B, C) and I would like to sync the accounting packets between them.

On server A, I created copy-acct-to-home-server for B and C;
On server B, I created copy-acct-to-home-server for A and C;
On server C, I created copy-acct-to-home-server for A and B;

Now in proxy.conf I need to define home_servers:

On server A, created home_server B and home_server C (type=acct);
On server B, created home_server A and home_server C (type=acct);
On server C, created home_server A and home_server B (type=acct);

But now on server_pool I seem to have an issue. I desire that A only sends copies to B and C, while B and C do not send those packets back to A or to each other respectively. Likewise with the other two servers (i.e. when one of the servers I administer proxies a packet, the receiver should not proxy it any further). How would I define this? Would I need one home_server_pool with both home_servers defined, but defined with what type=? Mind you, if I use multiple pools then I need both in each of my realm statements... is that even allowed?

Sorry for the vagueness... any assistance would be great.

Kind Regards,
Etienne
Re: Threads Perl
On Fri, Mar 5, 2010 at 9:13 AM, Alan DeKok al...@deployingradius.com wrote:
> Alexandr Kovalenko wrote:
> > I'm trying to find out if FreeRADIUS creates a separate Perl instance per each thread (thread pool {}) (2.1.8)?
>
> See doc/ChangeLog

Cannot see there anything related to my question.

> > The main question is: will FreeRADIUS with use of an rlm_perl script be able to serve multiple requests simultaneously, or should each next request wait until the previous one finishes?
>
> Yes.

Simultaneously? My tests show me that only one perl instance is created every time; the max_requests_per_server option (from thread pool {}) does not work at all - FreeRADIUS does not create a new instance after 3+ requests.

This is perl, v5.8.9 built for i386-freebsd-64int
Characteristics of this binary (from libperl):
Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_64_BIT_INT USE_FAST_STDIO USE_LARGE_FILES USE_PERLIO

radiusd: FreeRADIUS Version 2.1.8, for host i386-portbld-freebsd8.0, built on Feb 3 2010 at 14:04:18

1. Should I compile perl with threads to enable multiple instances?
2. With non-threaded perl, are separate perl instances created?

--
Alexandr Kovalenko
http://uafug.org.ua/
Re: Threads Perl
Alexandr Kovalenko wrote:
> > > The main question is: will FreeRADIUS with use of an rlm_perl script be able to serve multiple requests simultaneously, or should each next request wait until the previous one finishes?
> >
> > Yes.
>
> Simultaneously?

Yes. Try it.

> My tests show me that only one perl instance is created every time,

That is NOT what I meant. Threads are NOT instances. One Perl instance may be used for multiple threads.

> the max_requests_per_server option (from thread pool {}) does not work at all - FreeRADIUS does not create a new instance after 3+ requests.

It NEVER creates a new instance for a new request. It MAY create a new thread.

> 1. Should I compile perl with threads to enable multiple instances?

How the heck do you expect to do parallel processing in one server daemon without threads?

> 2. With non-threaded perl, are separate perl instances created?

Your question misunderstands how the server works, and is therefore meaningless.

Alan DeKok.
Users Groups
Hi everyone. I'm using FreeRADIUS Version 2.1.1; I use it to control access to a network of routers. I want to permit certain users to get access to some routers and deny access to other routers, like grouping the users per router. I read some documentation, but I can't make it work. Thanks in advance.
Re: Users Groups
On 03/05/2010 11:31 AM, Siryx XL wrote:
> Hi everyone. I'm using FreeRADIUS Version 2.1.1; I use it to control access to a network of routers. I want to permit certain users to get access to some routers and deny access to other routers, like grouping the users per router. I read some documentation, but I can't make it work.

Have you tried using huntgroups?

--
John Dennis jden...@redhat.com
RE: Users Groups
I'm not all that versed in FR so there is probably a better way to do this, but maybe use virtual servers? Some routers use one virtual server with one set of access rules; another set of routers use a different virtual server with its own access rules. As noted - you can probably do it with unlang or other built-in conditional operators, or even a perl script.

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org On Behalf Of Siryx XL
Sent: Friday, March 05, 2010 10:31 AM
To: freeradius-users@lists.freeradius.org
Subject: Users Groups

> Hi everyone. I'm using FreeRADIUS Version 2.1.1; I use it to control access to a network of routers. I want to permit certain users to get access to some routers and deny access to other routers, like grouping the users per router. I read some documentation, but I can't make it work. Thanks in advance.
Re: Lost and confused
Hi,

> To start FreeRadius in debug mode with time stamps use the command: radiusd -XX
> To shut down FreeRadius use the command: killall radiusd

in his case it's killall freeradius I believe.. as that's the process name from the netstat

alan
Authentication error
Hi, I'm trying to connect my hotspot to freeradius with the mysql. With the old version (1.1.7) it works well! Now I installed the newer version and I copied the same configurations into the new files (radius.con, site-enabled/default, sql.conf, client.conf); but it doesn't work!! Looking at the debugging (freeradius -XXX), I believe that the problem is this:

Fri Mar 5 17:05:48 2010 : Debug: rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[pap] returns noop
Fri Mar 5 17:05:48 2010 : Debug: rad_check_password: Found Auth-Type CHAP
Fri Mar 5 17:05:48 2010 : Debug: auth: type CHAP
Fri Mar 5 17:05:48 2010 : Debug: +- entering group CHAP
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: rlm_chap: login attempt by user with CHAP password
Fri Mar 5 17:05:48 2010 : Debug: rlm_chap: Cleartext-Password is required for authentication
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[chap] returns invalid
Fri Mar 5 17:05:48 2010 : Debug: auth: Failed to validate the user.
Fri Mar 5 17:05:48 2010 : Auth: Login incorrect (rlm_chap: Clear text password not available): [user/CHAP-Password] (from client nas port 2154823689 cli 00:25:D3:XX:XX:XX)

How can I fix the problem?? This is all the debugging from freeradius -XXX:

Fri Mar 5 17:05:26 2010 : Debug: Listening on authentication address * port 1812
Fri Mar 5 17:05:26 2010 : Debug: Listening on accounting address * port 1813
Fri Mar 5 17:05:26 2010 : Debug: Listening on proxy address * port 1814
Fri Mar 5 17:05:26 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.100 port 60079, id=20, length=198
	NAS-Port-Type = Ethernet
	Calling-Station-Id = 00:25:D3:XX:XX:XX
	Called-Station-Id = hotspot1
	NAS-Port-Id = wlan1
	User-Name = user
	NAS-Port = 2154823689
	Acct-Session-Id = 8079
	Framed-IP-Address = 10.5.50.251
	Mikrotik-Host-IP = 10.5.50.251
	CHAP-Challenge = 0xc9da34f1dc7f357d5c51772d9da40e38
	CHAP-Password = 0xa1c879f954b7bd431d878d20b8fcef94ef
	Service-Type = Login-User
	WISPr-Logoff-URL = http://10.5.50.1/logout;
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.1.100
Fri Mar 5 17:05:48 2010 : Debug: +- entering group authorize
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[preprocess] returns ok
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: rlm_chap: Setting 'Auth-Type := CHAP'
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[chap] returns ok
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[mschap] returns noop
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Fri Mar 5 17:05:48 2010 : Debug: rlm_realm: No '@' in User-Name = user, looking up realm NULL
Fri Mar 5 17:05:48 2010 : Debug: rlm_realm: No such realm NULL
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[suffix] returns noop
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[eap] returns noop
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling unix (rlm_unix) for request 0
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[unix] returns notfound
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Fri Mar 5 17:05:48 2010 : Debug: ++[files] returns noop
Fri Mar 5 17:05:48 2010 : Debug: modsingle[authorize]: calling expiration (rlm_expiration) for request 0
Fri Mar 5 17:05:48 2010 : Debug:
Re: Users Groups
On Sat, Mar 6, 2010 at 5:42 AM, John Dennis jden...@redhat.com wrote:
> On 03/05/2010 11:31 AM, Siryx XL wrote:
> > Hi everyone. I'm using FreeRADIUS Version 2.1.1; I use it to control access to a network of routers. I want to permit certain users to get access to some routers and deny access to other routers, like grouping the users per router. I read some documentation, but I can't make it work.
>
> Have you tried using huntgroups?

Me, I always use huntgroups + ldap, as that way the groups are managed in your LDAP directory.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html
Re: Authentication error
On 03/05/2010 01:18 PM, Tokie wrote:
> Hi, I'm trying to connect my hotspot to freeradius with the mysql. With the old version (1.1.7) it works well! Now I installed the newer version and I copied the same configurations into the new files (radius.con, site-enabled/default, sql.conf, client.conf); but it doesn't work!!

Version 1.x and 2.x are *not* configuration compatible. This fact is documented. The recommended procedure when upgrading to 2.x from 1.x is to start with the vanilla unmodified configuration. Read all the documentation in the config area (e.g. /etc/raddb) and *incrementally* modify your configuration to tailor it to your needs based on the 2.x configuration methodology.

It will be immensely helpful to you if you place your 2.x configuration files under source code control (starting with the *unmodified* versions), then start tweaking, saving your state in your source code repository with each successful test and modification. Then when things break you can roll back your configuration to a known state and not play the guessing game of "what did I change that broke it?"

--
John Dennis jden...@redhat.com
Re: Authentication error
hi,

do not just dump 1.1.x config onto any 2.x system - simply take the 2.x and then edit the config to get what you require.

looks like you have forced the authentication type in the SQL tables to be CHAP. don't do that.

alan
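Why rlm_chap insists on Cleartext-Password, as an added example that is not from the thread and not FreeRADIUS code: in CHAP (RFC 1994) the client sends MD5(Identifier || password || Challenge), so the server can only check it by recomputing the same MD5 from the clear-text password, and a stored hash of the password gives it nothing to recompute with. The identifier, password and challenge below are constructed sample values, not the ones behind the request in Tokie's log.

```python
import hashlib
import hmac

# RFC 1994 CHAP as it appears in RADIUS:
#   CHAP-Challenge = Challenge (16 random bytes from the NAS)
#   CHAP-Password  = Identifier (1 byte) || MD5(Identifier || password || Challenge)
# The server has to recompute that MD5, which needs the clear-text password.

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def nas_side(ident: int, password: bytes, challenge: bytes):
    """What a NAS such as the MikroTik hotspot puts into the Access-Request."""
    return challenge, bytes([ident]) + chap_response(ident, password, challenge)

def parse_hex_attr(text: str) -> bytes:
    """Decode the '0x...' form that radiusd -X prints for octet attributes."""
    return bytes.fromhex(text[2:] if text.startswith("0x") else text)

def verify_chap(chap_password: bytes, chap_challenge: bytes, known_good: dict) -> bool:
    """known_good stands for what authorize found for the user: a
    Cleartext-Password (e.g. from the SQL table), or only a hashed variant."""
    if len(chap_password) != 17:        # 1 identifier byte + 16 MD5 bytes
        return False
    cleartext = known_good.get("Cleartext-Password")
    if cleartext is None:
        # Only a hash (or nothing) is known: the MD5 above cannot be recomputed.
        # This is the "Clear text password not available" case from the log.
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, chap_challenge)
    return hmac.compare_digest(expected, response)   # constant-time compare

if __name__ == "__main__":
    # Constructed values (not the password behind the logged request).
    chal, pw_attr = nas_side(0xA1, b"constructed-secret", bytes(range(16)))
    print(verify_chap(pw_attr, chal, {"Cleartext-Password": b"constructed-secret"}))
    only_hash = {"MD5-Password": hashlib.md5(b"constructed-secret").hexdigest()}
    print(verify_chap(pw_attr, chal, only_hash))
```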
notifying another server on accounting
Greetings,

We have a bit of an odd setup (apparently). We have a vendor that is providing services based on whether a user has an active and authorized session. In order to support this we forward on accounting data with a detail file writer and reader, using the copy-acct-to-home-server as a template. This is using FreeRadius 2.1.8.

I have always felt lame ascii drawings help, so this is the setup (in essence):

request:  NAS - accounting-server
                      |
                     copy
                      |
                      - vendor

response: NAS - accounting-server - vendor

Unfortunately, we seem to be hitting a wall in terms of packets transmitted to the vendor. It is my understanding that the detail reader is serial in nature, meaning it only sends one packet to the vendor (in this case), and will not send another until it gets a response. The vendor is over a slow link, or the packets are otherwise delayed, so we are getting a backlog of detail entries. The detail file is filling faster than it can be flushed to the vendor.

My question is, how can we fix this?

A few ideas have been batted around. One is to write some code (via rlm_perl or rlm_python) that essentially does what the entire writer/reader combination is doing, only in parallel. Meaning, it handles transmitting and retransmitting to the vendor. In the short term this might be viable, but it's reinventing wheels, and it's hard to justify long-term given most of the people dealing with this are not programmers.

Another was to somehow load-balance the readers. I cannot find a configuration example to support this, but would it be possible, and more importantly useful, to have multiple readers pointing to the same detail file?

Any help or suggestions would be appreciated. Thanks.

--
Michael Fowler
www.shoebox.net
Re: notifying another server on accounting
Michael Fowler wrote:
> Unfortunately, we seem to be hitting a wall in terms of packets transmitted to the vendor. It is my understanding that the detail reader is serial in nature, meaning it only sends one packet to the vendor (in this case), and will not send another until it gets a response. The vendor is over a slow link, or the packets are otherwise delayed, so we are getting a backlog of detail entries. The detail file is filling faster than it can be flushed to the vendor.

Yes, that is a bit of an issue.

> My question is, how can we fix this?

Hack the code. :(

> A few ideas have been batted around. One is to write some code (via rlm_perl or rlm_python) that essentially does what the entire writer/reader combination is doing, only in parallel. Meaning, it handles transmitting and retransmitting to the vendor. In the short term this might be viable, but it's reinventing wheels, and it's hard to justify long-term given most of the people dealing with this are not programmers.

Too much work.

> Another was to somehow load-balance the readers. I cannot find a configuration example to support this, but would it be possible, and more importantly useful, to have multiple readers pointing to the same detail file?

Fix the reader to handle more than one packet. The issue right now is that it only tracks where it is in the detail file in memory. It *could* have an auxiliary file giving:

- packet offset
- packet data (received response, last sent data, etc.)

This should be tracked automatically, and cleaned up when the detail file is deleted. There are a number of corner cases to deal with (files getting out of sync, etc.), but it's possible.

Alan DeKok.
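A sketch of the auxiliary file Alan describes, as an added example that is not FreeRADIUS code and not part of the thread: it parses the layout the detail writer produces (timestamp line, tab-indented attributes, blank line), hands records to a sender while keeping up to `window` of them outstanding, and persists the byte spans still awaiting a response so that a restart re-sends only those. The detail records are constructed sample data, and the `.work` file name, the `window` parameter and all function names are assumptions of this example.

```python
import json
import os
import tempfile

# Constructed sample in the detail-file layout: timestamp line, tab-indented attributes, blank line.
DETAIL_SAMPLE = (
    'Fri Mar  5 17:05:48 2010\n\tAcct-Session-Id = "8079"\n\tUser-Name = "user"\n\tAcct-Status-Type = Start\n\n'
    'Fri Mar  5 17:06:02 2010\n\tAcct-Session-Id = "8080"\n\tUser-Name = "user2"\n\tAcct-Status-Type = Start\n\n'
    'Fri Mar  5 17:09:10 2010\n\tAcct-Session-Id = "8079"\n\tUser-Name = "user"\n\tAcct-Status-Type = Stop\n\n'
)

def make_sample_file():
    path = os.path.join(tempfile.mkdtemp(), "detail")   # fresh directory, constructed data
    open(path, "w").write(DETAIL_SAMPLE)
    return path

def read_records(path, start=0):
    """[(start_offset, end_offset, attrs)] for each record at/after `start` that is complete (blank-line terminated)."""
    records, attrs, rec_start, pos = [], None, start, start
    with open(path, "rb") as f:
        f.seek(start)
        for raw in f:
            line_start, pos = pos, pos + len(raw)
            text = raw.decode("utf-8", "replace").rstrip("\r\n")
            if attrs is None:
                if text.strip():                      # timestamp line opens a record
                    attrs, rec_start = {"Timestamp": text}, line_start
            elif text.startswith("\t"):               # "\tName = value"
                name, _, value = text[1:].partition(" = ")
                attrs[name] = value.strip('"')
            elif text == "":                          # blank line closes the record
                records.append((rec_start, pos, attrs))
                attrs = None
    return records                                    # a half-written last record is never returned

class WorkFile:
    """Auxiliary state beside the detail file: the offset up to which records were
    handed out, plus the [start, end] spans still waiting for the home server's response."""
    def __init__(self, detail_path):
        self.detail_path, self.path = detail_path, detail_path + ".work"
        self.state = {"sent_upto": 0, "pending": []}
        if os.path.exists(self.path):
            with open(self.path) as f:
                self.state = json.load(f)

    def _save(self):   # a production version would write a temp file and os.replace() it
        with open(self.path, "w") as f: json.dump(self.state, f)

    def take(self, window):
        room = max(window - len(self.state["pending"]), 0)   # keep at most `window` in flight
        new = read_records(self.detail_path, self.state["sent_upto"])[:room]
        for start, end, _ in new:
            self.state["pending"].append([start, end])
            self.state["sent_upto"] = end
        self._save()
        return new

    def ack(self, end):   # response arrived for the record ending at `end`
        self.state["pending"] = [p for p in self.state["pending"] if p[1] != end]
        self._save()
```

After a restart, `WorkFile(path).state["pending"]` lists exactly the spans to re-read with `read_records(path, start)[0]` and re-send; once it is empty the detail file can be cleaned up as Alan suggests.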