Re: How can i authenticate my users against Active Directory?
On Wed, 29 Jun 2005, Schuster Christian wrote:
> Hi @ all, I'm a freeradius newbie and am trying to authenticate a user against an Active Directory. My freeradius version is 1.0.2. I googled a lot and found different hints on how to implement this (ntlm, pam-module), but no configuration example. Which of these ways is the most secure? Are there any other possibilities? Are there any manuals/help, or can someone describe to me how to implement this?

AD runs LDAP, so you could always try just using the ldap module to authenticate the user against your AD directory. There are several people doing it who have posted to this list; check the archives.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How can i authenticate my users against Active Directory?
> See, I am trying to authenticate against the AD, but in my case the RADIUS server is running on a Windows Server and my client is a Linux box. The problem I am having is that when I try to authenticate against the AD from my Linux box I get this error message in /var/log/messages:
>
> login[4578]: pam_radius_auth: RADIUS server Windows_Radius_Server IP_address failed to respond
> login[4578]: pam_radius_auth: All RADIUS servers failed to respond.
>
> When I go check the log on the RADIUS server I can see the login attempts that are made from the Linux box. So I am not sure where else I can see what I am doing wrong here.

What does the radius server show in debug mode?

radiusd -X
RE: How can i authenticate my users against Active Directory?
I was under the assumption you were running freeradius, and didn't read into your email enough. I apologize; please disregard my post.

On Wed, 29 Jun 2005, Talwar, Puneet (NIH/NIAID) wrote:
> Well, I am not running radiusd on my Linux box. Do I need to run radiusd on my Linux box even though my radius server is running on a MS Windows 2000 server? I thought the only thing I had to do was set up pam_radius_auth to talk to my radius server.
>
> ___
> Puneet Talwar
>
> -----Original Message-----
> From: Dusty Doris [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 29, 2005 4:15 PM
> To: FreeRadius users mailing list
> Subject: RE: How can i authenticate my users against Active Directory?
>
> > See, I am trying to authenticate against the AD, but in my case the RADIUS server is running on a Windows Server and my client is a Linux box. The problem I am having is that when I try to authenticate against the AD from my Linux box I get this error message in /var/log/messages:
> >
> > login[4578]: pam_radius_auth: RADIUS server Windows_Radius_Server IP_address failed to respond
> > login[4578]: pam_radius_auth: All RADIUS servers failed to respond.
> >
> > When I go check the log on the RADIUS server I can see the login attempts that are made from the Linux box. So I am not sure where else I can see what I am doing wrong here.
>
> What does the radius server show in debug mode?
>
> radiusd -X
Re: radiusprofile entry don't work
> hi all, excuse me for my bad English, I'm Italian.
>
> I would like to create a structure which controls user access to a WLAN via auth-ldap. I have created an LDAP directory with basedn dc=unime,dc=it. Now, as written in the ldap_tutorial in the doc/ directory, I try to import this ldif file (modified for my interest). The authentication is done with the EAP-TLS protocol (it works fine), therefore I've deleted the sections for passwords and for authentication.
>
> dn: dc=unime,dc=it
> objectClass: dcObject
> objectClass: organizationUnit
> ou: Unime.it Radius
> dc: unime
>
> dn: ou=radius,dc=unime,dc=it
> objectclass: organizationalunit
> ou: radius
>
> dn: ou=profiles,ou=radius,dc=unime,dc=it
> objectclass: organizationalunit
> ou: profiles
>
> dn: ou=users,ou=radius,dc=unime,dc=it
> objectclass: organizationalunit
> ou: users
>
> dn: uid=WLAN,ou=profiles,ou=radius,dc=unime,dc=it
> objectclass: radiusprofile
> uid: WLAN
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedRouting: None
>
> dn: uid=Felice,ou=users,ou=radius,dc=mydomain,dc=com
> objectclass: radiusProfile
> uid: Felice
> radiusGroupName: WLAN
>
> The entry with uid=WLAN doesn't work; the message returned is "invalid syntax #0", approximately... I don't have my pc here. Can anyone help me?

Check the RADIUS-LDAPv3.schema file that you used. That howto doc was using an old one that used uid; the new one uses cn. Go down to the objectclass of radiusprofile and look at what it says in MUST. If it says cn, then you will need to use cn, or change that to uid.

Example:

dn: cn=WLAN,ou=profiles,ou=radius,dc=unime,dc=it
objectclass: radiusprofile
cn: WLAN
radiusServiceType:

OR change that file, from:

objectclass ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST cn

to:

objectclass ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY DESC '' MUST uid

I'd recommend just using cn, so you don't have to remember to modify it every time you install freeradius on a machine.
-Dusty Doris
Re: radiusprofile entry don't work
I have tried both solutions but they don't work!!! :'( This is the output:

#ldapadd -x -D cn=Manager,dc=unime,dc=it -W -f example.ldif
Enter LDAP Password:
adding new entry ou=radius, dc=unime,dc=it
adding new entry ou=profiles, ou=radius,dc=unime,dc=it
adding new entry ou=users, ou=radius,dc=unime,dc=it
adding new entry cn=WLAN, ou=profiles,ou=radius,dc=unime,dc=it
ldap_add: Invalid syntax (21)
        additional info: objectclass: value #0 invalid per syntax

I have forgotten: I have deleted the first entry:

dn: dc=unime,dc=it
objectClass: dcObject
objectClass: organizationUnit
ou: Unime.it Radius
dc: unime

because it doesn't work at all. Without this entry the entries for ou=radius, ou=profiles and ou=users work, and I get the error output above. With this entry I get an error on the first entry. Can anyone help me??
Re: radiusprofile entry don't work
> I have tried both solutions but they don't work!!! :'( This is the output:
>
> #ldapadd -x -D cn=Manager,dc=unime,dc=it -W -f example.ldif
> Enter LDAP Password:
> adding new entry ou=radius, dc=unime,dc=it
> adding new entry ou=profiles, ou=radius,dc=unime,dc=it
> adding new entry ou=users, ou=radius,dc=unime,dc=it
> adding new entry cn=WLAN, ou=profiles,ou=radius,dc=unime,dc=it
> ldap_add: Invalid syntax (21)
>         additional info: objectclass: value #0 invalid per syntax

Did you include the RADIUS-LDAPv3.schema in slapd.conf? You need to tell OpenLDAP about the objectclass radiusprofile. In slapd.conf:

include /yourpathto/openldap/schema/RADIUS-LDAPv3.schema
Re: radiusprofile entry don't work
On Thu, 30 Jun 2005, Felice Pizzurro wrote:
> Dusty Doris wrote:
> > > I have tried both solutions but they don't work!!! :'( This is the output:
> > >
> > > #ldapadd -x -D cn=Manager,dc=unime,dc=it -W -f example.ldif
> > > Enter LDAP Password:
> > > adding new entry ou=radius, dc=unime,dc=it
> > > adding new entry ou=profiles, ou=radius,dc=unime,dc=it
> > > adding new entry ou=users, ou=radius,dc=unime,dc=it
> > > adding new entry cn=WLAN, ou=profiles,ou=radius,dc=unime,dc=it
> > > ldap_add: Invalid syntax (21)
> > >         additional info: objectclass: value #0 invalid per syntax
> >
> > Did you include the RADIUS-LDAPv3.schema in slapd.conf? You need to tell OpenLDAP about the objectclass radiusprofile. In slapd.conf:
> >
> > include /yourpathto/openldap/schema/RADIUS-LDAPv3.schema
>
> Yes, of course... I have copied the RADIUS-LDAPv3.schema from the doc/ directory to my directory /usr/local/etc/openldap/schema, and I include it in slapd.conf. This is my ldif file:
>
> dn: ou=radius, dc=unime,dc=it
> objectclass: organizationalunit
> ou: radius
>
> dn: ou=profiles, ou=radius,dc=unime,dc=it
> objectclass: organizationalunit
> ou: profiles
>
> dn: ou=users, ou=radius,dc=unime,dc=it
> objectclass: organizationalunit
> ou: users
>
> dn: cn=WLAN, ou=profiles,ou=radius,dc=unime,dc=it
> objectClass: radiusProfile
> cn: WLAN
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedRouting: None
>
> dn: cn=Felice, ou=users,ou=radius,dc=unime,dc=it
> objectclass: radiusProfile
> cn: Felice
> radiusGroupName: WLAN

It looks like it should work to me. Can you reply and attach that schema file to the email? That way I can take a look at it. Also, be sure to include the full ldif you are importing. If you left anything out (such as userPassword or any other attributes), be sure to include that. Thanks
Re: radiusprofile entry don't work
> dn: cn=WLAN, ou=profiles,ou=radius,dc=unime,dc=it
> objectClass: radiusProfile
> cn: WLAN
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedRouting: None

I think I know what's wrong. If you are using the most recent version of that file, then radiusProfile is an AUXILIARY objectclass. You MUST have one structural objectclass for each entry you add to OpenLDAP. That means one of two things: either you change your objectclass to structural, or you add another objectclass that is structural to that entry.

Example: change the radiusprofile objectclass to:

SUP top STRUCTURAL

OR include a structural objectclass in that entry:

dn: cn=WLAN, ou=profiles,ou=radius,dc=unime,dc=it
objectClass: radiusProfile
objectClass: person
cn: WLAN
sn: WLAN
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

It may be in your best interest to read up more on LDAP, specifically OpenLDAP. Perhaps subscribe to the OpenLDAP mailing list and some general ones as well.

http://www.openldap.org/lists/
http://lists.fini.net/mailman/listinfo/ldap-interop
http://listserver.itd.umich.edu/cgi-bin/lyris.pl?enter=ldap
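The two schema problems in this thread (an objectclass whose MUST attribute is uid in one version of the file and cn in the other, and an entry whose only objectclass is AUXILIARY) can both be caught before ldapadd runs. The checker below is an added example, not code from the thread or from the freeradius or OpenLDAP projects; its schema table is a hand-built subset that follows the thread's description of RADIUS-LDAPv3.schema plus the core classes, so treat the kinds and MUST lists as an assumption to be confirmed against your own slapd schema files. The LDIF records are constructed in the shape of the poster's file.

```python
"""Check LDIF entries for the two problems raised in this thread: an
objectClass whose MUST attribute is missing (uid vs cn), and an entry
with no STRUCTURAL objectClass (radiusprofile is AUXILIARY)."""

# Constructed schema subset: objectclass -> (kind, required attributes).
# Kinds and MUST lists follow the thread's description of the newer
# RADIUS-LDAPv3.schema plus well-known core classes; this is an assumption,
# not a parsed schema file, so extend it from your own slapd schema.
SCHEMA = {
    "top": ("ABSTRACT", set()),
    "organizationalunit": ("STRUCTURAL", {"ou"}),
    "organization": ("STRUCTURAL", {"o"}),
    "dcobject": ("AUXILIARY", {"dc"}),
    "person": ("STRUCTURAL", {"cn", "sn"}),
    "radiusprofile": ("AUXILIARY", {"cn"}),
}


def parse_ldif(text):
    """Parse LDIF content into a list of entries; each entry maps a
    lowercased attribute name to the list of its values.  Records are
    separated by blank lines, '#' lines are comments, and a leading space
    folds a line into the previous value."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return the list of problems slapd would reject this entry for
    (an empty list means the entry passes these checks)."""
    problems = []
    dn = entry.get("dn", ["<no dn>"])[0]
    structural = 0
    for cls in (c.lower() for c in entry.get("objectclass", [])):
        if cls not in SCHEMA:
            # slapd reports this as "objectclass: value #N invalid per syntax"
            # when the schema file was never included in slapd.conf.
            problems.append(f"{dn}: unknown objectClass {cls!r} (schema not loaded?)")
            continue
        kind, must = SCHEMA[cls]
        if kind == "STRUCTURAL":
            structural += 1
        for attr in sorted(must):
            if attr not in entry:
                problems.append(f"{dn}: objectClass {cls} requires attribute {attr!r}")
    if structural == 0:
        problems.append(f"{dn}: no STRUCTURAL objectClass")
    return problems


def check_ldif(text):
    """Run check_entry over every entry in an LDIF document."""
    return [p for e in parse_ldif(text) for p in check_entry(e)]


# Constructed sample records modelled on the thread (not the poster's file).
OU_ENTRY = """dn: ou=profiles,ou=radius,dc=unime,dc=it
objectclass: organizationalunit
ou: profiles
"""

WLAN_AUX_ONLY = """dn: cn=WLAN,ou=profiles,ou=radius,dc=unime,dc=it
objectClass: radiusProfile
cn: WLAN
radiusServiceType: Framed-User
"""

WLAN_WITH_PERSON = """dn: cn=WLAN,ou=profiles,ou=radius,dc=unime,dc=it
objectClass: radiusProfile
objectClass: person
cn: WLAN
sn: WLAN
radiusServiceType: Framed-User
"""

WLAN_OLD_UID = """dn: uid=WLAN,ou=profiles,ou=radius,dc=unime,dc=it
objectClass: radiusProfile
objectClass: person
uid: WLAN
sn: WLAN
"""

if __name__ == "__main__":
    for label, ldif in [("aux only", WLAN_AUX_ONLY), ("with person", WLAN_WITH_PERSON),
                        ("old uid", WLAN_OLD_UID)]:
        print(label, check_ldif(OU_ENTRY + "\n" + ldif) or "OK")
```

The check only counts structural classes; the full rule (all structural classes of an entry must lie on one superclass chain) needs the SUP relationships, which this table does not carry.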
Re: Freeradius and eDirectory
> The only part that does not work is the CHAP authentication; all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no CHAP. They had very old instructions for Freeradius but we decided to start out with a totally clean install. This user below is in the mysql database and the system passwd/shadow files. He will not authenticate with the mysql database when we include a realm @domain and CHAP password. It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
>
> Thread 1 handling request 0, (1 handled so far)
>         User-Name = [EMAIL PROTECTED]
>         User-Password = test123
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 100

I don't see a CHAP password in there.

>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>     hints: Matched other at 80

You matched on the hints file on line 80 - what does your hints file say?

>   modcall[authorize]: module preprocess returns ok for request 0
>   modcall[authorize]: module attr_filter returns noop for request 0
>   modcall[authorize]: module chap returns noop for request 0
>     rlm_realm: No '@' in User-Name = rniclh, skipping NULL due to config.
>   modcall[authorize]: module suffix returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module eap returns noop for request 0
>     users: Matched entry DEFAULT at line 159
>     users: Matched entry DEFAULT at line 178
>     users: Matched entry DEFAULT at line 190

You matched the users file on three separate lines, 159, 178, and 190. What does your users file say on each of those lines?

>   modcall[authorize]: module files returns ok for request 0
> radius_xlat: 'rniclh'
> rlm_sql (sql): sql_set_user escaped user -- 'rniclh'
> ...
>   modcall[authorize]: module sql returns ok for request 0
> modcall: group authorize returns ok for request 0

Your sql call returned OK; that means the sql part worked.

> rad_check_password: Found Auth-Type System
> auth: type System

Now it just got changed to Auth-Type System. Is this from your users file?

>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_unix: [rniclh]: invalid password

You authenticated with the unix module; is that what you want? The user failed because the password did not match your /etc/passwd file.

>   modcall[authenticate]: module unix returns reject for request 0
> modcall: group authenticate returns reject for request 0
> auth: Failed to validate the user.

I would look at your hints file and your users file at the lines it matched - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
Re: Dusty Here's the info requested......PAP ok No Chap new Installation.
> DEFAULT Suffix == .ppp, Strip-User-Name = Yes
>         Hint = PPP,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP
>
> DEFAULT Suffix == .slip, Strip-User-Name = Yes
>         Hint = SLIP,
>         Service-Type = Framed-User,
>         Framed-Protocol = SLIP
>
> DEFAULT Suffix == .cslip, Strip-User-Name = Yes
>         Hint = CSLIP,
>         Service-Type = Framed-User,
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP

Those hints are fine; they won't cause any issues as far as I can tell.

> > You matched the users file on three separate lines, 159, 178, and 190. What does your users file say on each of those lines?
>
> # First setup all accounts to be checked against the UNIX /etc/passwd.
> # (Unless a password was already given earlier in this file).
> #
> DEFAULT Auth-Type == System
>         Fall-Through = 1

What happens if you comment out where you set Auth-Type == System? The rest of your users file looked to just be matching for setting up reply attributes. It shouldn't have done anything to the Autz/Auth type.
Re: Dusty Here's the info requested......PAP ok No Chap new Installation.
On Thu, 7 Jul 2005, Radius wrote:
> OK, so there is nothing you can see why it's not working? The PAP authentications work fine; it's CHAP that is failing. Any other ideas? Thanks, Bob

Well, the debug output you sent didn't contain a CHAP password. It failed because you had set Auth-Type == System, which told freeradius to auth against /etc/passwd, which failed. As I asked before, what happens when you comment out Auth-Type == System in your users file? Did you try that yet? Also, please post debug output that contains a CHAP password in it for help with your CHAP problem.
Re: Dusty Here's the info requested......PAP ok No Chap new Installation.
On Thu, 7 Jul 2005, Radius wrote:
> OK I can do this, but will the PAP that uses the /etc/passwd be prevented? We have both running here.

Good question, I think it would. Is there any reason you're using both /etc/passwd and mysql? Why not just use mysql?

> Do I need to add a Auth == Local or something like that after that so it will check the MySQL database when the /etc/passwd fails? Maybe my Fall-Through is wrong for 1.0.4. This is running ok in 0.9.3. Thanks, Bob

If there is something coming in the packet that would definitely tell you whether they were in sql or /etc/passwd, then you could edit your users file to handle that. Say, if a certain realm, then set Autz-Type to sql, otherwise set Autz-Type to system. Check out doc/Autz-Type in the source code.

If you can't tell whether or not a user would be in sql or /etc/passwd, then you will probably want to do one of two things. First, migrate all the /etc/passwd users into sql. That would be the preferred method (to me at least). Secondly, check out doc/configurable_failover. That document will show you how to do grouping so that you can try one thing first and if that fails, try another before rejecting the user.

It's interesting that it worked for you fine in .9, but not now. As I learn more about your setup, I can say that I've never done this before (using mysql and /etc/passwd with PAP and CHAP). Since it used to work, I have to think that there is just one small thing that needs to be tweaked. Perhaps there is someone on the list that has an easier suggestion for you than what I had above. But you could always throw it together on your lab machine and give it a try and see how it goes.

Hope that is a little helpful, at least maybe pointing to some documentation that might interest you.

Dusty Doris
Re: class attribute wont pass
> rad_recv: Access-Accept packet from host 63.174.xxx.xx:1645, id=1, length=218
>         Proxy-State = 0x3735
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Ascend-Data-Filter = ip in forward tcp est
>         Ascend-Data-Filter = ip in forward dstip 63.174.xxx.x/24 0
>         Ascend-Data-Filter = ip in drop tcp dstport = 25
>         Ascend-Data-Filter = ip in forward 0
>         Idle-Timeout = 1800
>         Session-Timeout = 21600
>         Propel-Accelerate = 1
>         X-Ascend-Idle-Limit = 1800
>         X-Ascend-Maximum-Time = 28800
>         Class = IEAS1\005378602\003292
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 73
>     attr_filter: Matched entry DEFAULT at line 84
>   modcall[authorize]: module attr_filter returns updated for request 73

What does line 84 of the attrs file say? Perhaps you are filtering out the Class attribute. Read the manpage rlm_attr_filter. If you don't intend on filtering any of the reply values, then comment out attr_filter in radiusd.conf. Or maybe you just need to add Class to it.
Re: Service-Type: Outbound vs. Outbound-User
> The names are IRRELEVANT. The dictionaries matter only to the RADIUS server and its configuration files. I could rename all of the attribute values to random words from the dictionary, and it would make *no* difference to the clients.

To expand on what Alan was saying, for the purpose of the list archive:

If you read further into the RFC it talks about how RADIUS attributes are formed. They have 3 fields: the type, the length, and the value. The type is one octet; in the case of Service-Type it would be 6. The length is one octet and indicates the length of the attribute. Finally there is the value field. In this field we would have what defines the value to be Outbound or Outbound-User. The RFC will tell you that Outbound has a value of 5. If you look at the freeradius dictionary, it shows that Outbound-User is set to 5. If you looked at an actual RADIUS packet with ethereal you would see the value being transferred in the packet is an integer of 5.

The dictionary file merely maps that value to a name. This is so you can put something like this in the users file:

DEFAULT Service-Type = Outbound-User

Think of it like DNS, mapping to a user-friendly name. Otherwise, you'd have to do this:

DEFAULT 6 = 5

You could easily change that dictionary file to say whatever you want. Say you changed it from:

VALUE   Service-Type    Outbound-User   5

to:

VALUE   Service-Type    Outbound-Monkey 5

Then in the users file, you could have this rule:

DEFAULT Service-Type = Outbound-Monkey

That would still make sense to your Cisco gear, because it would come across the line as a Type of 6 and a Value of 5.

Hope that is helpful.
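The Type/Length/Value layout described above, with the dictionary as a name-to-number map, can be made concrete by encoding and decoding a couple of attributes. This is an added example, not code from the thread or from the freeradius project: the ATTRIBUTES and VALUES tables are a constructed subset in the spirit of the dictionary file (the numbers for User-Name, Service-Type, Framed-Protocol and the Service-Type values are the RFC 2865 ones), and the length checks in the decoder are the kind of validation that produces a "Malformed RADIUS packet" warning in radius.log, not the server's own code.

```python
"""Encode and decode RADIUS attributes (RFC 2865 section 5) to show that a
name such as Outbound-User exists only in the server's dictionary: the
bytes on the wire are just Type, Length and Value."""
import struct

# Constructed dictionary subset in the spirit of the freeradius dictionary
# file: attribute name -> (type number, data type), and named integer values.
ATTRIBUTES = {
    "User-Name": (1, "string"),
    "Service-Type": (6, "integer"),
    "Framed-Protocol": (7, "integer"),
}
VALUES = {
    "Service-Type": {"Login-User": 1, "Framed-User": 2, "Outbound-User": 5},
    "Framed-Protocol": {"PPP": 1, "SLIP": 2},
}


def encode_avp(dictionary, values, name, value):
    """Return the wire bytes for one attribute: Type (1 octet), Length
    (1 octet, covering the whole AVP) and Value.  A named integer value is
    translated through the VALUE table; an int is used as-is."""
    attr_type, data_type = dictionary[name]
    if data_type == "integer":
        number = values[name][value] if isinstance(value, str) else value
        payload = struct.pack("!I", number)
    else:
        payload = value.encode("utf-8")
    length = 2 + len(payload)
    if not 3 <= length <= 255:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, length) + payload


def decode_avps(dictionary, values, data):
    """Walk a buffer of back-to-back AVPs and return (name, value) pairs,
    mapping numbers back to names only where the dictionary knows them."""
    by_type = {t: (n, d) for n, (t, d) in dictionary.items()}
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length does not fit the packet")
        payload = data[pos + 2:pos + length]
        name, data_type = by_type.get(attr_type, (str(attr_type), "octets"))
        if data_type == "integer":
            if len(payload) != 4:
                raise ValueError("integer attribute must be 4 octets")
            number = struct.unpack("!I", payload)[0]
            value = {v: k for k, v in values.get(name, {}).items()}.get(number, number)
        elif data_type == "string":
            value = payload.decode("utf-8")
        else:
            value = payload          # unknown attribute: raw octets
        out.append((name, value))
        pos += length
    return out


def is_malformed(data):
    """True when the buffer does not parse as a clean run of AVPs."""
    try:
        decode_avps(ATTRIBUTES, VALUES, data)
        return False
    except ValueError:
        return True


def sample_wire():
    """Two attributes back to back, as they would sit inside a packet."""
    return (encode_avp(ATTRIBUTES, VALUES, "User-Name", "bob")
            + encode_avp(ATTRIBUTES, VALUES, "Service-Type", "Outbound-User"))


def same_bytes_after_rename():
    """Rename value 5 of Service-Type from Outbound-User to Outbound-Monkey
    in a copy of the dictionary and confirm the encoded bytes are identical."""
    renamed = dict(VALUES)
    renamed["Service-Type"] = {"Login-User": 1, "Framed-User": 2, "Outbound-Monkey": 5}
    return (encode_avp(ATTRIBUTES, VALUES, "Service-Type", "Outbound-User")
            == encode_avp(ATTRIBUTES, renamed, "Service-Type", "Outbound-Monkey"))


if __name__ == "__main__":
    print(sample_wire().hex())                         # 0105626f62060600000005
    print(decode_avps(ATTRIBUTES, VALUES, sample_wire()))
    print("rename changes nothing on the wire:", same_bytes_after_rename())
```

Decoding an attribute the dictionary does not know yields its numeric type and raw octets, which is also what a capture tool shows before a dictionary is applied.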
Re: self user registration
Check out the Cisco SSG/SESM solution. You route all the traffic through one (or many) SSGs. The SSG will determine whether or not the session is authenticated based on IP address. If not, it will redirect the user to the SESM page, where they will login. The SESM will send the username/password to RADIUS and then communicate back to the SSG whether or not it was successful and certain reply attributes that define the profile they have access to. Then the user will be redirected back to the page they originally created.

We use it here for our Wifi APs around the city. The downfall of it is that the sessions are based on IP, so NAT will break it. If you have your APs set up to NAT/PAT the connections behind them, then only one user will have to authenticate and all will be authenticated. You get around that by making the APs a simple bridge and assigning IPs to the PCs connected to them via DHCP.

If you decide to use the SSG/SESM, I can send you information on how to configure Freeradius for it as I am doing this now.

The other nice thing about it is that it will support multiple profiles that can be stored in RADIUS. So, you could have the user login to different services, or different ISPs, etc. Based on something, such as a realm, the RADIUS server will return which profile the user now has access to. The SSG will then allow access to the services defined in that profile. You can also define the ACLs, next hop, etc. in the RADIUS server for that profile and the SSGs can simply query RADIUS for that information. That helps so you don't have to configure multiple profiles on each SSG; it's all in RADIUS. You can also do walled gardens within it, so unauthenticated users can still have access to local content (such as company info, portal pages, dns, other local websites, etc...).

-Dusty Doris

On Mon, 11 Jul 2005, Michael Fisher wrote:
> Unfortunately this solution must be able to scale up. We have already assessed other technologies but they are not to our liking. Since there will be many APs in a certain area, they must be able to grab account info from a central server.
>
> [EMAIL PROTECTED] wrote:
> > On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
> > > How about simply firewalling unauthenticated connections and routing all access requests to a secured website running a registration script. This may not scale to a large deployment without a fair bit of work, but for a small to medium sized network it should be fairly easy.
Re: FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
authorize {
        redundant {
                svr1
                svr3
                svr2
                notfound = return
        }
        files
}

authenticate {
        Auth-Type LDAP {
                redundant {     # wasn't sure if this was necessary
                        svr1
                        svr3
                        svr2
                }
        }
}

I test by simulating a failure of svr1 using:

route add -host svr1 IP 127.0.0.1 -blackhole

Svr3 happens to be down for maintenance at the moment.

Thanks for any help,
Jason

Log:

rad_recv: Access-Request packet from host x.x.x.x:3104, id=14, length=54
        User-Name = username
        User-Password = X
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for usersname
radius_xlat: ''
radius_xlat: ''
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to svr1 IP, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as to
rlm_ldap: XX bind to XXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module svr1 returns fail for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: 'XXX'
radius_xlat: 'XXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to svr3 IP, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XX to XX
rlm_ldap: XXXx bind to XXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module svr3 returns fail for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: 'XXXxx'
radius_xlat: 'X'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to svr2 IP, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as X to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in XX, with filter (()(XX))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module svr2 returns ok for request 0
modcall: group redundant returns ok for request 0
radius_xlat: 'XXX'
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'XXX'
radius_xlat: '((objectClass=group)(member=))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to svr1 IP, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XX to XXXx
rlm_ldap: bind to Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Search returned error
radius_xlat: ''
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'X'
radius_xlat: '((objectClass=group)(member=Xxx))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to svr1 IP, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as X to
rlm_ldap: X bind to failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Search returned error
    users: Matched entry DEFAULT at line 224
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth:
Re: FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
On Wed, 13 Jul 2005, Zawacki Jason D Ctr AFRL/IFOS wrote:
> Hey folks, has anyone gotten redundancy working when using LDAP to perform authentication and authorization?

Yep, it's working for me in the lab.

> I've been trying to get this to work, but it appears, to me, that the redundancy is only used for part of the auth process. When looking up the DN for the user who is trying to authenticate, redundancy works. After that though, it appears that only the first module in the redundant list is tried. Then it ultimately fails. The LDAP servers are 3 Windows DCs.
>
> authorize {
>         redundant {
>                 svr1
>                 svr3
>                 svr2
>                 notfound = return
>         }
>         files
> }

I usually list files before ldap.

> authenticate {
>         Auth-Type LDAP {
>                 redundant {     # wasn't sure if this was necessary
>                         svr1
>                         svr3
>                         svr2
>                 }
>         }
> }

That is correct.
RE: FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
> > You're using the LDAP-Group attribute, which is set to use svr1, which is down. There's currently no fail-over for the LDAP-Group attribute.
>
> I dig, that's kind of what I thought (even if I didn't word it correctly). Thanks for your help!

You can simulate redundancy for the Ldap-Group attribute by doing this. Instantiate your ldap modules in radiusd.conf:

instantiate {
        srv1
        srv2
        srv3
}

In the users file, add multiple lines of the same ldap-group lookup, one for each srv. For example, say you must have an ldap-group of dial if coming from a dial huntgroup:

DEFAULT Huntgroup-Name == dial, srv1-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv2-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv3-Ldap-Group == dial

What will happen is: if the huntgroup matches, then the server will look up on the srv1 instance whether ldap-group = dial. If so, it matches and the users file ends. If not, it continues down the file, where it will then try srv2. If that fails, it continues to srv3. So, if one and two are down, then this will require 3 different lookups to finally get to srv3, but it will provide you with some type of redundancy.
Re: FreeRadius and PIX 520 accounting
On Thu, 14 Jul 2005 [EMAIL PROTECTED] wrote:
> You're right, sorry. Here's what I get in my radius.log:
>
> Error: WARNING: Malformed RADIUS packet from host 172.17.: Vendor specific attributes do not exactly fill Vendor-Specific
>
> That's the only error I get.

Please run radius in debug mode (radiusd -X) and copy/paste the output from when the packet comes in (so we can see all the attributes that are sent) to where the error message occurs.
Re: MS AD, LDAP works - how to check for group membership?
On Thu, 14 Jul 2005, Shelbyville.Unwired wrote:
> I would like to check group membership before authenticating user login requests. I currently have radiusd.conf set up such that all users can login. However, after spending several days reading man pages and searching these archives, I haven't found the key that unlocks my problem.
>
> radiusd.conf
> # snip
> ldap {
>         server = xx.xx.xx.xx                    # ad server address
>         identity = cn=some_user,cn=users,dc=domain,dc=com   # bind account
>         password = xxx                          # bind account password
>         basedn = cn=users,dc=domain,dc=com      # base dn
>         filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})   # uid
>         start_tls = no                          # nope
>         dictionary_mapping = ${raddbdir}/ldap.attrmap   # default
>         ldap_connections_number = 5             # why not
>         password_attribute = userPassword       # no need to explain
>         # ok this is where things get real fuzzy - I've read rlm_ldap several times...
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
> }
>
> The users file remains untouched. Specifically, what else do I need to do to check whether a user is a member of XYZ_group and, if so, authenticate them? Any help would be greatly appreciated. TYIA.

You will define where to search for group memberships in that section above. You left out the configs above. Look for groupname_attribute, groupmembership_filter and groupmembership_attribute. Configure those for how you have groups set up. Then in the users file you can define a check for group membership, e.g.:

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial
DEFAULT Huntgroup-Name == adsl, Ldap-Group == adsl
DEFAULT Auth-Type := Reject

That says: must have the dial group if the request comes from a NAS in the dial huntgroup, must have adsl from an adsl NAS, otherwise reject.
Re: Nas-Port-Type question
> Hi guys, I use freeradius with poptop. Just a question that I'm trying to figure out: my radius server sees the NAS-Port-Type as Async whenever a vpn connection is made. Is there any way to change this to let radius see, for example, a vpn nas-port-type? Must this port-type come from my vpn server? Thanks, J

RADIUS Attribute/Value pairs come from the NAS. Perhaps if you describe what it is you are trying to do, we can help.
Re: LDAP Authorization different VLAN
> Hi, I have made a system of authorization with freeradius 1.0.4 based on the LDAP attribute radiusGroupName and it works perfectly! Now I have this problem: I have on my access points two VLANs named data and students. I want to create different groups for the authorization to access these VLANs. For example, I want whoever has the attribute radiusGroupName = WLANdata to be able to access the VLAN data, and whoever has the attribute radiusGroupName = WLANstudents to be able to access the VLAN students. How can I configure the huntgroups file? Or do I need to configure the users file? Thanks, and excuse me for my English, Felice

I'm assuming you mean that if someone has radiusgroupname=WLANStudents, then you want to assign them to that VLAN. Is that correct? If so, you need to find out what RADIUS attributes you need to send back to the access point to assign them to that VLAN. Then you can use the users file to set that up. For example:

DEFAULT Ldap-Group == WLANstudents
        SomeAttribute = SomeValue

DEFAULT Ldap-Group == WLANdata
        SomeAttribute = OtherValue

Make sense? SomeAttribute is some RADIUS attribute that your NAS expects back that will assign them to a VLAN. SomeValue and OtherValue are the values you would return that would specify which VLAN they should be in. You'll have to check the documentation of your access point to figure out what that attribute/value pair should be.
Re: grouping services - LDAP
On Wed, 20 Jul 2005, Rohaizam Abu Bakar wrote:

> Hi all, using FreeRADIUS 1.0.4 (FB 4.11). I want to group between dialup and ADSL; refer to the users file below. If Ldap-Group == ADSL is found, it should authenticate/authorize by ldapadsl, and if not found, assume a dialup user and authenticate/authorize by ldap1/ldap2 (DIALUP). But the problem, referring to the debug log: it doesn't matter whether Ldap-Group == ADSL is found or not, it still checks both ldap1/ldap2 and ldapadsl, i.e. checking the adslAccess and dialAccess attributes. What I want is that if Ldap-Group == ADSL is found, it should be handled by ldapadsl and not check ldap1/ldap2, and the same goes when not found: it will be handled by ldap1/ldap2 and not check ldapadsl. Anyone can help? Thanks

Try using Autz-Type as well; there is some documentation on it in the doc dir. It might look something like this:

    DEFAULT Ldap-Group == ADSL, Autz-Type := ADSL, Auth-Type := ADSL
    DEFAULT Autz-Type := LDAP, Auth-Type := LDAP

    authorize {
            Autz-Type LDAP {
                    redundant {
                            ldap1
                            ldap2
                    }
            }
            Autz-Type ADSL {
                    ldapadsl
            }
    }
Re: Nas-Port-Type quesiton
> When clients VPN into my server this is the part of the access-request that comes to my RADIUS server:

What you listed below is accounting, not an Access-Request. Please post the Access-Request, along with your reply.

>     rad_recv: Accounting-Request packet from host 192.168.2.254:32955, id=89, length=95
>             Acct-Session-Id = 42DE38EA0AEA
>             User-Name = blabla
>             Acct-Status-Type = Start
>             Service-Type = Framed-User
>             Framed-Protocol = PPP
>             Acct-Authentic = RADIUS
>             /* NAS-Port-Type = Async */
>             Framed-IP-Address = 192.168.0.244
>             NAS-IP-Address = 127.0.0.1
>             NAS-Port = 4
>             Acct-Delay-Time = 0
re: Restricting Access by Group Membership
On Wed, 20 Jul 2005 [EMAIL PROTECTED] wrote:

> My fault... members of that group are DENIED access. Now I get it. So, that leads me to another question. How do I change the syntax so that users are ALLOWED access if they are a member of the specified group? I tried changing the line in the users file to Auth-Type := Allow, but this didn't work. Unfortunately, I can't find anything on this in rlm_ldap or the FAQ.
> Thanks in advance, Josh

Just think backwards.

    DEFAULT Ldap-Group == "cn=remoteusers,o=services"

    DEFAULT Auth-Type := Reject
            Reply-Message = "Your account has been disabled"

That will see if you match Ldap-Group; if not, you won't match that line in the users file so it will try the next line. The next line rejects everyone.
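For the VLAN question earlier on this page and for this allow-by-group question, here is an added example (not from either list post) of a complete users file: members of the LDAP group WLANdata are put on one VLAN, members of WLANstudents on another, and everyone else is rejected. It uses the RFC 3580 tunnel attributes that many access points accept for dynamic VLAN assignment; the VLAN IDs 10 and 20 are assumptions, and whether a given access point wants exactly these attributes still has to be checked against its documentation.

```conf
# /etc/raddb/users (FreeRADIUS 1.x): check items on the DEFAULT line,
# reply items on the indented lines, comma after every reply item but
# the last. Entries are tried top to bottom; without Fall-Through the
# first matching entry wins, so the order below is the policy.

# Ldap-Group is evaluated by rlm_ldap with a directory query per entry.
# Members of WLANdata: data VLAN (VLAN ID 10 is an assumption).
DEFAULT	Ldap-Group == "WLANdata"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"

# Members of WLANstudents: students VLAN (VLAN ID 20 is an assumption).
DEFAULT	Ldap-Group == "WLANstudents"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

# Neither group matched: reject explicitly, so an account that belongs to
# no wireless group never lands on the access point's default VLAN.
DEFAULT	Auth-Type := Reject
	Reply-Message = "No wireless VLAN assigned to this account"
```

The Ldap-Group check item only works when the ldap module's group settings (groupname_attribute, groupmembership_filter and, for the radiusGroupName style used in the question, groupmembership_attribute) point at the attribute that actually holds the membership; the poster already has that part working. The three Tunnel-* attributes are tagged attributes and are sent here untagged (tag 0), which most access points accept; if the access point's documentation insists on a particular tag, check man 5 users for your version for the tagged form. The trailing Reject entry is the piece that turns the group list into an allow-list: anything the first two entries do not match is refused rather than handed to whatever module runs next.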
Re: Different Passwd Files on Different Servers
> I've tried using Autz-Type but I can't seem to quite make it work. I'm getting this error: "No authenticate method (Auth-Type) configuration found for the request." I'm not sure where this should be set. And I've inserted this in the users file:
>
>     DEFAULT Realm == domain.com
>             Autz-Type := virtual_passwd, Auth-Type := unix, Fall-Through = 1
>
>     DEFAULT Realm == NULL
>             Autz-Type := sys_passwd, Auth-Type := unix

These users file entries are invalid. Read man 5 users. All check items go on the first line. Try this (I shortened virtual_passwd to make sure you see it on one line):

    DEFAULT Realm == domain.com, Autz-Type := virt, Auth-Type := unix
            Fall-Through = no

Same for the last one.
Re: filter id stored in LDAP
On Wed, 20 Jul 2005, sean wagoner wrote:

> Can the actual Filter-Id be stored in and retrieved by the RADIUS server? By this I mean not just the name of the filter but its actual contents? If so, how?

Sure. The file ldap.attrmap maps RADIUS attributes to LDAP attributes. By default there is one that is for Filter-Id:

    replyItem       Filter-Id       radiusFilterID

To use it, just put radiusFilterID in your LDAP directory under either the user or the default profile user. For example:

    dn: cn=someuser,ou=radius,dc=yourdomain
    objectclass: radiusprofile
    objectclass: person
    cn: someuser
    sn: someuser
    userpassword: password
    radiusFilterID: Somefilterid

This would pull radiusFilterID from LDAP and make it a Filter-Id reply item, such as Filter-Id = Somefilterid.
Re: FreeRadius 1.0.4 - FreeBSD - Syslog not working
> [EMAIL PROTECTED] radiusd -l syslog

Didn't know FreeRADIUS did syslog, cool. Anyway, I just tried it out on FreeBSD 5.4. In man radiusd, it shows that when using -l syslog, there is also -g to specify the facility, where it also shows the default is daemon. You will need to edit /etc/syslog.conf and add

    daemon.*        /var/log/whateverfileyouwant

Touch /var/log/whateverfileyouwant, then restart syslogd, and then restart FreeRADIUS with at least -l syslog. You could also use -g and specify a different facility such as local[0-7]. Make sure to touch the file first before restarting syslogd.
Re: LDAP and FreeRadius Authentication - One user, multiple groups
On Fri, 22 Jul 2005, Mark Litchfield wrote:

> Using: FreeRADIUS 1.0.4, OpenLDAP 2.2.27, FreeBSD 5.4
>
> We are trying to get FreeBSD to allow a user to be a member in multiple groups. Here's roughly the way we have the tree laid out.
>
>     dc: treeroot
>     |_ou: accounts
>     | |_ou: domain1
>     | | |_uid: joe
>     | |     mail: [EMAIL PROTECTED]
>     | |_ou: domain2
>     |   |_uid: joe
>     |       mail: [EMAIL PROTECTED]
>     |_ou: groups
>       |_cn: group1
>       |   uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
>       |_cn: group2
>       |   uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
>       |_cn: group3
>           uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
>           uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
>
> I have FreeRADIUS and LDAP authenticating nicely. The problem I am running into is that when I id a user, it only shows the primary group that user is a member of. How can I get FreeRADIUS to report the other groups that the user belongs to?
>
> Mark Litchfield

Sorry, I don't understand. Can you explain what you mean by "only shows the primary group" and "report the other groups"? Report to what? Perhaps some radiusd -X output and an explanation of what you are trying to do would help.
Re: session-time with incorrect calculations
> Hi, I am running FreeRADIUS 1.0.4 with Postgres. I have noticed that the session time is sometimes calculated incorrectly in the radacct table. If you compare the acctsessionstart and the acctsessionend with the acctsessiontime it does not match. This is particularly true for connections ended with idle-timeout. When would session times generally be wrong and how can I stop this from happening?
> Thanks, Barry

FreeRADIUS just logs what is sent over. Are you using radrelay? We get session delays sometimes when using radrelay when our SQL server is overwhelmed. Check for acctstartdelay and acctstopdelay. If you find it, subtract acctstartdelay from the session time and see if that makes sense.
Re: ldap basedn assignment
> In the authorize stage it looks in both AD and LDAP. In the authenticate stage it queries both AD and LDAP. The problem is that in the authenticate stage it uses the basedn of the server that returns the first ok in the authorize stage. So if the username is in both AD and LDAP, OpenLDAP rejects the user because it is using the AD basedn to query the OpenLDAP server. Is there a way for me to force the basedn for the LDAP server regardless of which server returned the first ok?

How do you have this set up? Check out doc/configurable_failover. That should show you how to do it.
Re: Authentication problem-FreeRadius Output
On Wed, 3 Aug 2005, Hamid Salim wrote:

>      radutmp: check_with_nas = yes
>      radutmp: perm = 384
>      radutmp: callerid = yes
>     Module: Instantiated radutmp (radutmp)
>     Listening on authentication *:1812
>     Listening on accounting *:1813
>     Listening on proxy *:1814
>     Ready to process requests.

You need to figure out why your NAS is not sending RADIUS packets to the RADIUS server. Check your network connections, your firewall rules, etc.
RE: ldap basedn assignment
> The above problem line should be:
>
>     rlm_ldap: bind as uid=username,ou=People,dc=university,dc=edu,c=us/test123 to openldap.university.edu:1744
>
> However, it is taking the userdn from the AD server which gave the first authorize ok. What I need is for it to attempt to authenticate with the appropriate userdn depending on which server it is authenticating to. So it would use the userdn from AD when authenticating to the AD server and the OpenLDAP userdn when authenticating to the OpenLDAP server.

I see what is happening; that's a tough one. You are passing both authorization modules since the username is the same for your search filter. Then it tries to bind with the first DN that passed the authorization, but that is the incorrect DN since you want to use the OpenLDAP version of that user.

The easiest method to work around this right away is if there is something coming in the packet that will tell you whether this should be an AD or OpenLDAP user. If that's the case, then you can make a rule specifying which Autz-Type and Auth-Type to use. For example, say all AD users come from a NAS IP of 1.1.1.1 and all OpenLDAP users come from a NAS IP of 1.1.1.2. In the users file:

    DEFAULT NAS-IP-Address == 1.1.1.1, Autz-Type := ldap1, Auth-Type := ldap2
    DEFAULT NAS-IP-Address == 1.1.1.2, Autz-Type := ldap2, Auth-Type := ldap2
    DEFAULT Auth-Type := Reject

That would get you what you want. Note that it doesn't have to be the NAS IP; you can go off any RADIUS attribute that is consistently in those auth requests.

However, if there is nothing identifying whether it should be an AD lookup vs. an OpenLDAP lookup, then it's going to be harder (I think, although I don't know the internals, so a developer could answer this better). The overlap of the names makes it hard. Are these actually different users with the same RDN, or are they the same user that exists in both AD and OpenLDAP? I'd have to think about this a bit based on your answer to see if I can think of anything.
Re: Freeradius - LDAP Authenication
> server (running on another machine). I have the VPN talking successfully to FreeRADIUS, but I cannot get the onward connection to the LDAP to work. I have validated that the server running FreeRADIUS is able to talk to the LDAP by using ldapsearch.
>
>     rlm_ldap: ldap_get_conn: Got Id: 0
>     rlm_ldap: attempting LDAP reconnection
>     rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0
>     rlm_ldap: bind as cn=account mgr/* to 198.100.0.18:389
>     rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server
>     rlm_ldap: (re)connection attempt failed

This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps you have the wrong port or IP in your config? What does telnet 198.100.0.18 389 show you?
Re: how to return multiple attributes from ldap?
> Hi, how can I return multiple LDAP attributes which have the same name? For example, I want to get the Filter-Id list from LDAP. Any idea?
> Kevin

I believe you have to put them in LDAP with the += value in it. For example:

    radiusFilterId: += something
    radiusFilterId: += somethingelse

I can't remember the exact syntax; perhaps someone else can help.
Re: how to return multiple attributes from ldap?
On Tue, 9 Aug 2005, kevin wrote:

> What? So, should I change the LDAP attribute values with +=? Any other way?
> kevin

I think so; let me see if I can find a test machine around here and try it. I might need that some day too.
Re: how to return multiple attributes from ldap?
On Tue, 9 Aug 2005, kevin wrote:

> What? So, should I change the LDAP attribute values with +=? Any other way?

Yep, it works. I did a test. With this DN only one Filter-Id was returned:

    dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
    objectClass: radiusprofile
    userPassword:: ZHVzdHl0ZXN0
    radiusGroupName: dial
    radiusGroupName: adsl
    uid: dustytest
    radiusFilterId: filter1
    radiusFilterId: filter2

    Received response ID 210, code 2, length = 59
            Framed-Routing = None
            Framed-IP-Netmask = 255.255.255.0
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Filter-Id = filter1

With this DN, both were returned (note there were no quotes in it; that didn't work):

    dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
    objectClass: radiusprofile
    userPassword:: ZHVzdHl0ZXN0
    radiusGroupName: dial
    radiusGroupName: adsl
    uid: dustytest
    radiusFilterId: += filter1
    radiusFilterId: += filter2

    Received response ID 214, code 2, length = 68
            Framed-Routing = None
            Framed-IP-Netmask = 255.255.255.0
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Filter-Id = filter1
            Filter-Id = filter2
Re: Wireless authentication
> We have a customer-oriented wireless network and we are trying to build a central authentication system for it, so that we can add and easily control customer radios from one location. What types of authentication should we be using? What should be avoided? Any experiences to share?

I would use a backend such as MySQL or LDAP. Either would work great for something like this.

> Additionally, would we be able to route traffic to a captive page if the customer is placed on hold or doesn't have an account yet? I suppose that's more of a MikroTik list question, but I'm just asking in case anyone knows.

I use the Cisco SSG/SESM solution. The SSG is set up as the next hop for the customers. It then figures out whether that IP address has been authorized yet. If not, it redirects all traffic to the SESM server. The SESM server is merely a web front-end that displays information such as how long you've been active, what services you are subscribed to, and whether or not you need to log in. If you need to log in it presents a login page for you and then sends your username/password to a RADIUS server for authentication. When you are authorized and authenticated, it can then redirect you back to the page you originally requested if you want, and that IP now has an open connection to the Internet.

This solution is based on IP address, so that removes the ability to use APs that provide NAT. You need to set them up as a bridge so each user can pull a different IP. However, all authentication is centralized, which makes it easy to administer.

I've also looked at other solutions, where the AP would run NAT/PAT and then have its own SESM type of login page for the users that are connected to it. You can configure those to talk RADIUS, so you can still centralize user management. The downside of that is that you have more smart devices out in the field to troubleshoot and you need to punch a bunch of holes in your firewalls to allow RADIUS traffic from each device.

I personally prefer a centralized system. I know there are a lot of less expensive solutions out there as well; I'm sure someone on the list has other ideas.
Re: Multiple LDAPS
> Hi, I was wondering if there's a way to look for users in different LDAP trees and/or servers depending on the suffix (@something) in the login. If it's possible could someone show me the config? Thanks in advance.

Sure. First you need to define two ldap configs in radiusd.conf. Instead of just having ldap {, you define ldap and then a name for each instance and include all the config entries under it.

    ldap ldap1 {
            server
            basedn
            ...
    }

    ldap ldap2 {
            ...
    }

Then in the authorize section you do this:

    authorize {
            Autz-Type ldap1 {
                    ldap1
            }
            Autz-Type ldap2 {
                    ldap2
            }
    }

Then in authenticate, you do:

    authenticate {
            Auth-Type ldap1 {
                    ldap1
            }
            Auth-Type ldap2 {
                    ldap2
            }
    }

Now, in the users file you can specify which to use based on the realm. Make sure you enable the suffix module to use the suffix for realms.

    DEFAULT Realm == somerealm.com, Autz-Type := ldap1, Auth-Type := ldap1
    DEFAULT Realm == otherrealm.com, Autz-Type := ldap2, Auth-Type := ldap2
    DEFAULT Auth-Type := Reject

The users file is parsed top to bottom. In this instance, say a username comes over as [EMAIL PROTECTED]. It will match on the first line and will then use your settings in ldap1 for authorization and authentication. By default you will not fall through to any other rules. A user comes in with [EMAIL PROTECTED]; it will not match the first and will fall through to the second line. There it will match and use ldap2. A user comes in with [EMAIL PROTECTED]; it will not match the first two and hit the last rule, which will reject the user. Of course you could do something else at this point and maybe make it hit a different type of authentication for other realms if you'd like.

You can read more in doc/Autz-Type.
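Pulling the pieces of the reply above together into one assembled configuration, as an added example that is not part of the original post. Hostnames, bind DNs, passwords, base DNs, the CA file path and the realm names are assumptions; the module, option and section names are FreeRADIUS 1.0.x syntax. The same layout also answers the earlier "ldap basedn assignment" thread, where the check item is NAS-IP-Address instead of Realm.

```conf
# --- radiusd.conf (FreeRADIUS 1.0.x), relevant fragments only ---
modules {
	# Split "user@realm" into Stripped-User-Name and Realm so the users
	# file can match on Realm and the LDAP filter sees the bare uid.
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}

	# One rlm_ldap instance per directory. Each binds with its own
	# read-only service account (assumed DN/password) and uses STARTTLS
	# with CA verification; the CA file path is an assumption.
	ldap ldap1 {
		server = "ldap1.somerealm.com"
		identity = "cn=radius,ou=service,dc=somerealm,dc=com"
		password = "change-me-1"
		basedn = "ou=people,dc=somerealm,dc=com"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = yes
		tls_cacertfile = ${raddbdir}/certs/ldap-ca.pem
		tls_require_cert = "demand"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}

	ldap ldap2 {
		server = "ldap2.otherrealm.com"
		identity = "cn=radius,ou=service,dc=otherrealm,dc=com"
		password = "change-me-2"
		basedn = "ou=users,dc=otherrealm,dc=com"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = yes
		tls_cacertfile = ${raddbdir}/certs/ldap-ca.pem
		tls_require_cert = "demand"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}
}

authorize {
	preprocess
	# suffix must run before files so that Realm is set when the
	# users file is evaluated; files then sets Autz-Type/Auth-Type.
	suffix
	files
	Autz-Type ldap1 {
		ldap1
	}
	Autz-Type ldap2 {
		ldap2
	}
}

authenticate {
	Auth-Type ldap1 {
		ldap1
	}
	Auth-Type ldap2 {
		ldap2
	}
}

# --- proxy.conf: rlm_realm only sets Realm for realms it knows, so
# each realm is declared here and marked as handled locally ---
realm somerealm.com {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}

realm otherrealm.com {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}

# --- users: top-down, first match wins, no Fall-Through ---
DEFAULT	Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1

DEFAULT	Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2

# Unknown realm, or no realm at all: reject explicitly instead of
# letting the request reach whatever unconditional module runs next.
DEFAULT	Auth-Type := Reject
	Reply-Message = "Unknown realm"
```

Three points worth keeping in mind when adapting this. The directory is only ever searched with Stripped-User-Name, so a realm that is not declared in proxy.conf never gets a Realm attribute and falls through to the final Reject; that is the intended behaviour, not a gap to fill with a catch-all. The bind accounts should be read-only and distinct per directory, because a compromise of one RADIUS bind password should not open the other tree. And in this version of rlm_ldap the debug output of radiusd -X prints the bind DN together with the password (the "bind as DN/password" line quoted in the basedn thread above shows exactly that), so redact those lines before pasting debug output anywhere.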
Re: Bus error - core dumped on freeradius 1.0.5
I just installed FreeRADIUS 1.0.5 on FreeBSD 5.4 and I am not having problems with rlm_sql_mysql. I just started it up and used it for testing an accounting packet. I haven't tried authentication, but I don't think that should matter.

How did you build it? Since the port is still on 1.0.4, I'm assuming it was from source? Here is what I did. First I installed MySQL. I use the port in /usr/ports/databases/mysql41-server. Then I installed FreeRADIUS from /usr/ports/net/freeradius first to get all the dependencies. These include libtool, gmake, gdbm, libltdl. Then I did a make deinstall on that port and built FreeRADIUS from source using only ./configure --prefix.

On Tue, 27 Sep 2005, Richard Cotrina wrote:

> Segmentation fault when rlm_sql_mysql is enabled (bug 271) happens both in FreeBSD 4.X and FreeBSD 5.X.
>
> ----- Original Message -----
> From: Alan DeKok
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Sent: Tuesday, September 27, 2005 12:08 AM
> Subject: Re: Bus error - core dumped on freeradius 1.0.5
>
>> Rohaizam Abu Bakar wrote:
>>> So.. do I need to upgrade to 5.X in order to use FR 1.0.5?
>>
>> For MySQL, perhaps. Or, find out what's causing the problem in FreeBSD 4.x, and fix it. It doesn't happen on other platforms, so I suspect it's an issue specific to FreeBSD 4.x.
>>
>> Alan DeKok.
Re: Bus error - core dumped on freeradius 1.0.5
Yep. FreeBSD 5.4-RELEASE-p7.

    /usr/local/freeradius105/sbin/radiusd -v
    radiusd: FreeRADIUS Version 1.0.5, for host , built on Sep 27 2005 at 11:31:35

Clip from startup and handling a packet. The config file is very stripped down right now. I'll fire one up later today with the default setup to see if that works too.

    rlm_sql (sql): Connected new DB handle, #3
    rlm_sql (sql): starting 4
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
    rlm_sql_mysql: Starting connect to MySQL server for #4
    rlm_sql (sql): Connected new DB handle, #4
    Module: Instantiated sql (sql)
    Listening on accounting *:1813
    Ready to process requests.
    rad_recv: Accounting-Request packet from host 127.0.0.1:54936, id=90, length=32
            User-Name = test
            Acct-Status-Type = Start
      Processing the preacct section of radiusd.conf
    modcall: entering group preacct for request 0
    rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: WARNING: Attribute NAS-IP-Address was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: Hashing 'User-Name = test'
    rlm_acct_unique: Acct-Unique-Session-ID = c62495cf388d0bb3.
      modcall[preacct]: module acct_unique returns ok for request 0
      modcall[preacct]: module files returns noop for request 0
    modcall: group preacct returns ok for request 0
      Processing the accounting section of radiusd.conf
    modcall: entering group accounting for request 0
    radius_xlat: 'test'
    rlm_sql (sql): sql_set_user escaped user -- 'test'
    radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', 'c62495cf388d0bb3', 'test', '', '', '', '', '2005-09-27 14:33:54', '0', '0', '', '', '', '0', '0', '', '', '', '', '', '', '', '0')'
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Released sql socket id: 4
      modcall[accounting]: module sql returns ok for request 0
    modcall: group accounting returns ok for request 0
    Sending Accounting-Response of id 90 to 127.0.0.1:54936
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Cleaning up request 0 ID 90 with timestamp 43399092
    Nothing to do.  Sleeping until we see a request.

On Tue, 27 Sep 2005, Richard Cotrina wrote:

> Have you enabled rlm_sql_mysql in radiusd.conf and sql.conf? How do your config files look? If rlm_sql_mysql is not enabled, the FreeRADIUS daemon works without problem for me.
Re: Bus error - core dumped on freeradius 1.0.5
Forgot to follow up. I moved all my configurations out and loaded up all the original unmodified files in my raddb dir. I only modified sql.conf and changed the username/password for the SQL table. Everything else was left as is, out of the box. It all worked fine. FreeRADIUS started up using the MySQL module and I was able to send accounting packets and auth packets to it.
Re: rlm_perl
> Could someone show me how to process an Access-Accept via rlm_perl? The example in the script example.pl still causes an Access-Reject no matter what I try.

That isn't enough information, except to tell you to return a proper value such as RLM_MODULE_OK. Please post debug output.
Re: Questions about upgrading Freeradius
On Wed, 28 Sep 2005, Linda Pagillo wrote:

> Hi everyone: I have been using FreeRADIUS v0.9.3 for over a year and I wish to upgrade to the latest version. Can anyone give me detailed instructions on how to do this? I use FreeRADIUS in a production environment and I can't afford to mess it up. I'm running Linux RedHat 9. Do I just do a ./configure, make and make install like I did the first time? If yes, won't that overwrite all of my current config files? Thanks!

First, I would recommend setting up a lab machine (you can do it on your workstation if you need to) to test that your configs work correctly with the new version. It's probably backward compatible, but I wouldn't just blindly upgrade on production and hope for the best.

Then you could compile FreeRADIUS with --prefix. This will put all configurations, binaries, etc. into a certain directory. For example:

    ./configure --prefix=/usr/local/freeradius1.0.5
    make
    make install

When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change your files to make it work like it did in testing. Shut down the current RADIUS version and start up the new one with /usr/local/freeradius1.0.5/sbin/radiusd -X and see if it's working. If so, modify your startup scripts to point to the new version instead of the old.
Re: Questions about upgrading Freeradius
On Wed, 28 Sep 2005, Linda Pagillo wrote:

> Thanks for your reply. Is it really this much work to do a simple upgrade? Is there a shortcut?

You consider that much work? I wish I had your job! :)
Re: Questions about upgrading Freeradius
On Wed, 28 Sep 2005, Linda Pagillo wrote:

> Thanks Dusty, I know you were just kidding with me and that's cool :) I'm just having a bad day hehe. So what I would have to do is set up FreeRADIUS 0.9.3 on a different system and then upgrade it as a test, and if everything goes well I should do it on my production system?
>
> ----- Original Message -----
> From: Dusty Doris
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Sent: Wednesday, September 28, 2005 12:50 PM
> Subject: Re: Questions about upgrading Freeradius
>
>> I was just giving you a hard time. It's a little longer of a process, but it will definitely save you a lot of time and, more importantly, a lot of stress if you do run into issues.
>>
>> BTW, I am in the process of replacing all our RADIUS servers here too. So far, I've had no issues with configurations moving between .9 or .93 and 1.0.5. My setup is pretty simple here though.
>>
>> Good luck with the upgrade.
>> -Dusty Doris
>>
>> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>>> I wish you had my job too because I'm about fed up with this crap.. Anyway, thanks for the reply, I'll do it.

No need to install .9.3. I'd just install 1.0.5 on another system (or on the same system, but in a different directory with --prefix) and then modify all the config files so it has the setup you currently use on .9. Then make sure it works. I doubt it, but perhaps you'll find that some configuration you have in radiusd.conf in .9 isn't compatible with 1.0.5 and you need to find a new way to declare the same functionality. Or maybe you need to use some switch to configure to enable a module you are using that was previously auto-detected. I predict you'll find that it's a smooth transition, but it's just good practice to test it all out before you go and modify your production system.
Re: Questions about upgrading Freeradius
That's a perfect example of something that you'd find in testing, but might end up spending all night fighting if you just go and make the change.

On Wed, 28 Sep 2005, Paolo Rotela wrote: One thing I came across when upgrading from 0.9.3 to 1.0.5 is that the default allowed characters for sql queries changed. I used [ and ] in my usernames, so the result after the upgrade was that my accounting records were set with the mime-equivalent of [ and ]. I had to add these characters as allowed ones in sql.conf
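The character allow-list Paolo ran into is rlm_sql's protection against pasting raw request attributes into SQL: every character that is not in safe-characters is written as =XX (its hex code), which is why [ and ] turned into their MIME-style equivalents in his accounting records. The Python below is an added example, not code from the thread or from FreeRADIUS; it reimplements that escaping so you can see what a given username does to the queries in sql.conf before you widen the list. The default list is an assumption reproduced from memory (check the safe-characters line in your own sql.conf), and accounting_insert is a simplified stand-in for the real accounting query.

```python
# Default allow-list as shipped in the 1.0.x sql.conf (assumption: reproduced from memory,
# check the safe-characters line in your own sql.conf before relying on it).
DEFAULT_SAFE = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"


def sql_escape(value, safe=DEFAULT_SAFE):
    """Rewrite every character outside `safe` as =XX (its hex code), the way rlm_sql
    treats request attributes before expanding them into the queries in sql.conf."""
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            out.extend("=%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def sql_unescape(value):
    """Turn the stored =XX form back into the original text, e.g. when reading radacct rows."""
    buf, i = bytearray(), 0
    while i < len(value):
        hexpair = value[i + 1:i + 3]
        if value[i] == "=" and len(hexpair) == 2 and all(c in "0123456789ABCDEF" for c in hexpair):
            buf.extend(bytes.fromhex(hexpair))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def accounting_insert(username, session_id, safe=DEFAULT_SAFE):
    """Simplified stand-in for the radacct insert in sql.conf: both values come from the NAS,
    so both go through the escape before they are placed between the quotes."""
    return ("INSERT INTO radacct (UserName, AcctSessionId) VALUES ('%s', '%s')"
            % (sql_escape(username, safe), sql_escape(session_id, safe)))


if __name__ == "__main__":
    print(accounting_insert("bob[1]", "0001"))                        # bob=5B1=5D, Paolo's symptom
    print(accounting_insert("bob[1]", "0001", DEFAULT_SAFE + "[]"))   # his fix: [ and ] kept literal
    print(accounting_insert("x' OR '1'='1", "0001"))                  # quote and = never survive
```

Adding [ and ] back, as Paolo did, keeps those usernames literal. The characters the list must never contain are the single quote, the equals sign and the backslash: the escaping only protects values that sql.conf substitutes inside quotes, so once a quote is allowed through, the allow-list no longer stops an injected query.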
Re: Bus error - core dumped on freeradius 1.0.5
It sounds strange because the unmodified radiusd.conf does not have authentication, authorization or accounting enabled for sql. I followed your instructions, and rlm_sql_mysql is not started because it has not been enabled in radiusd.conf. Hmmm, maybe I didn't copy the right files over. I'll do it again and post my configs as well.
Re: Bus error - core dumped on freeradius 1.0.5
It sounds strange because the unmodified radiusd.conf does not have authentication, authorization or accounting enabled for sql. I followed your instructions, and rlm_sql_mysql is not started because it has not been enabled in radiusd.conf.

You're correct. I copied files I thought were an original, but had already been modified.

What does your working radiusd.conf look like in the following sections:
- authorize
- authenticate
- preacct
- accounting
- session

This time I did copy the original files over to the raddb dir. I then modified sql.conf and changed the username/password to match my user. I then opened radiusd.conf and uncommented every instance of sql. Then I fired it up and it started fine and made the 5 sql connections. No need for me to post the configs because they are exactly the same as out of the box, except that I uncommented sql in authorize, accounting, session, and post-auth. I have no idea what could be wrong at this point. What version of mysql are you running? Can you start mysql and query it from the command line?
Re: Bus error - core dumped on freeradius 1.0.5
and I still get segfaults. (I have built freeradius 1.0.5 from source / FreeBSD 5.4-RELEASE-p6)

Just in case this helps at all, here is my pkg_info and uname -a.

# pkg_info
bash-3.0.16_1 The GNU Project's Bourne Again SHell
cvsup-without-gui-16.1h_2 General network file distribution system optimized for CVS
gdbm-1.8.3_1 The GNU database manager
gettext-0.14.5 GNU gettext package
gmake-3.80_2 GNU version of 'make' utility
libiconv-1.9.2_1 A character set conversion library
libltdl-1.5.20 System independent dlopen wrapper
libtool-1.3.5_2 Generic shared library support script (1.3)
libtool-1.5.20 Generic shared library support script (1.5)
mysql-client-4.1.14 Multithreaded SQL database (client)
mysql-server-4.1.14 Multithreaded SQL database (server)
openssh-portable-4.2.0.0,1 The portable version of OpenBSD's OpenSSH
perl-5.8.6_2 Practical Extraction and Report Language

# uname -a
FreeBSD radacctm.lab.soc.int 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Tue Sep 27 14:14:11 EDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/carp i386
Re: How can i tell which version of freeradius i'm running?
radiusd -v

Check the radiusd manpage for more info on startup flags.

On Thu, 29 Sep 2005, Linda Pagillo wrote: Linda Pagillo Director of Technical Services N2 The Net, LLC [EMAIL PROTECTED] 931-372-9179
Re: FreeRADIUS - FreeBSD - Segmentation fault
On Mon, 3 Oct 2005, Alan DeKok wrote: Christian Meutes [EMAIL PROTECTED] wrote: are there any new findings in context to the problem with FreeRADIUS (rlm_sql_mysql?) 1.0.4 under FreeBSD? I have just tested it with FreeBSD 5.4-Release and FreeRADIUS out of the ports and the problem still exists:

I don't have access to a FreeBSD box, so I can't track down the problem. I did have access to one for a while, and found a bug which is fixed in 1.0.5. That *should* have fixed the problem, but it appears to still be there. Alan DeKok.

Just an FYI. I just put into production late last night two freeradius 1.0.5 servers running on freebsd 5.4, which are using rlm_mysql. They are set up only as accounting servers. I have all my other radius servers sending the accounting data over to them. I have not seen any issues in my testing in the lab or today in production with these machines. I will be setting up another instance of it in our lab next week to mirror production, so if I run into any problems I'll let you all know and maybe I can get Alan or whomever temporary access to that machine to check it out. But so far, I just haven't seen any problems. -Dusty Doris
Re: FreeRADIUS - FreeBSD - Segmentation fault
A few things would be nice to know to maybe localize the problem further: Are you running FreeBSD 5.4-Release or 5.4-Stable? Which MySQL version are you running, and did you compile it with native threads or with linuxthreads?

I installed freebsd 5.4-release and then updated the source about one week ago with the following:

cvsup standard-supfile (tag=RELENG_5_4)
cd /usr/src
make buildworld
make buildkernel KERNCONF=mykernel
  (didn't change much in the kernel)
  - added options SMP
  - added device CARP
  - removed all cpu except I686_CPU
  - changed ident
make installkernel KERNCONF=mykernel
reboot
mergemaster -p
make installworld
mergemaster
reboot

I installed everything except freeradius from ports with all the defaults (eg: make install clean)

# pkg_info -Ea
bash-3.0.16_1
cvsup-without-gui-16.1h_2
gdbm-1.8.3_1
gettext-0.14.5
gmake-3.80_2
libiconv-1.9.2_1
libltdl-1.5.20
libtool-1.3.5_2
libtool-1.5.20
mysql-client-4.1.14
mysql-server-4.1.14
openssh-portable-4.2.0.0,1
perl-5.8.6_2

# uname -a
FreeBSD radsql1.soc.int 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Tue Sep 27 14:14:11 EDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/carp i386

Installed freeradius last from source simply doing ./configure --prefix=/usr/local/freeradius105. My radiusd.conf is very stripped down. Basically this machine's only purpose is to do radius accounting to mysql, so almost everything is commented out or blank (such as users). However, I did test authentication with it briefly with an out of the box configuration only modifying sql.conf username/password and uncommenting all instances of sql in radiusd.conf. Hope that is helpful. If you have any more questions, fire away. -Dusty
Re: What's Up Gold and Freeradius
Good morning Mr. DeKok: Thank you for your reply. Could you please tell me what I need to do to correct this issue? Which file do I have to fix?

clients.conf is where you put the shared secret for the client to use. So, either fix the shared secret there to match your client, or change the client to match the secret listed there.

- Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Monday, October 03, 2005 6:29 PM Subject: Re: What's Up Gold and Freeradius

Linda Pagillo [EMAIL PROTECTED] wrote:
Mon Oct 3 10:22:44 2005 : Auth: Login incorrect: [TEST/L\200\212\3101\215\277\320\350\345\373\351\201\031\215] (from client old port 0)

The shared secret on the RADIUS client is wrong. Alan DeKok.
Re: Which Operating System is best for freeRADIUS
Building my FR server, I have the choice of a number of operating systems for my FreeRADIUS server. Anybody with a suggestion which operating system is best suited for FR? I like to run FR on a VPS (virtual private server) using one of the following OS:
- FreeBSD 4.9 (jail)
- FreeBSD 5.2 (jail)
- Fedora 2 (virtuozza)
- Redhat AS3 (virtuozza)
- Redhat 9.0 (virtuozza)
- CentOS 4.0 (virtuozza)
Thanks! Gunther

I think they all would work fine. I myself prefer freebsd, specifically 5.4. I am running it on standalone freebsd5.4 servers in production and am in the process of setting a few up in jails in my lab. I really like the jails in freebsd, they are so easy to use. If you need any tips with it, email me off-list. I've got a couple jails set up right now running openldap.
Re: FreeRADIUS - FreeBSD - Segmentation fault
Just wondering if you've had any luck? I just installed freeradius 1.0.5 from the ports tree (it was finally updated) on a freebsd 5.4 jail and it's starting up for me. I've got to run to a meeting now, but I will be testing it later with actual data. -Dusty
Re: build snapshot on freebsd 5.4-release
Hi, Anyone ever tried building the current snapshot from cvs on freebsd 5.4-release? Tried searching the archive and it seems like this wasn't resolved yet. Anyone?

I did it successfully a few weeks ago. I'll give it a shot again next week if I have time.
Re: Microsoft SQL 2000 interface
All, Please help with instructions on how to download the CVS version of freeradius mentioned below. I'm new to Linux. I know how to tar, configure, and make. Don't know how to CVS.

$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
type in anoncvs as the password
$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
Re: testing freeradius ports
On Thu, 13 Oct 2005, jean wrote: Hi All, I am running freeradius 1.0.5, it seems to start with no errors and listens on the default ports 1812 1813. Should I be able to telnet to these ports to check if it accepts connections on them?

No, telnet uses TCP.
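Two threads above come down to the same packet details: in the What's Up Gold thread the "Login incorrect" line showed the password as high-bit garbage because the shared secret did not match, and in this one telnet is useless because RADIUS is UDP. The Python below is an added example, not code from the list or from FreeRADIUS. It implements the RFC 2865 User-Password hiding (MD5 of secret plus Request Authenticator, XORed block by block), builds an Access-Request, verifies a Response Authenticator, and sends one request over UDP as the check to run instead of telnet. The host, port, secret and user in the main block are placeholders.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
REPLY_NAMES = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), the first keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Server-side inverse. With the wrong secret the keystream is wrong and the result is
    the kind of high-bit garbage that lands in a 'Login incorrect' log line."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value; Length counts the type and length octets too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data):
    """Return [(type, value), ...]; a bad length ends parsing instead of looping forever."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            break
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(secret, ident, username, password, nas_ip="127.0.0.1", authenticator=None):
    """Return (packet, request_authenticator); the authenticator must be fresh random per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, request_authenticator, code, ident, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(secret, request_authenticator, packet):
    """Client side: a reply whose authenticator does not verify is dropped as if it never arrived,
    so a wrong secret on either side can also look like a server that never answers."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]                       # octets past Length are padding
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def probe(host, port, secret, username, password, timeout=3.0):
    """The check to run instead of telnet: one Access-Request over UDP.
    Returns 'accept', 'reject', 'challenge', 'no-response' or 'bad-authenticator'."""
    ident = 0x7F
    packet, req_auth = build_access_request(secret, ident, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except (socket.timeout, ConnectionRefusedError):
            return "no-response"
    if reply[1] != ident or not verify_response(secret, req_auth, reply):
        return "bad-authenticator"                 # secret mismatch, or a forged/unrelated reply
    return REPLY_NAMES.get(reply[0], "code-%d" % reply[0])


if __name__ == "__main__":
    secret, auth = b"testing123", os.urandom(16)   # placeholders
    hidden = hide_password(secret, auth, b"TEST")
    print("right secret:", reveal_password(secret, auth, hidden))
    print("wrong secret:", reveal_password(b"wrongsecret", auth, hidden))
    print(probe("127.0.0.1", 1812, secret, b"TEST", b"TEST"))
```

Run the main block against a server with a deliberately wrong secret and the second print shows the same kind of garbage as the log line in the What's Up Gold thread; against a server with nothing listening, probe returns no-response, which is the UDP equivalent of the telnet "connection refused" the question was looking for.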
RE: Microsoft SQL 2000 interface
Thanks. Went to http://www.freeradius.org/development.html#cvs. Made the assumption I need to download CVS. Went there and downloaded it. Came back and executed the command listed on http://www.freeradius.org/development.html#cvs:

cvs -d :pserver:[EMAIL PROTECTED]:/source login

I entered the password anoncvs and was taken back to the system prompt.

Halfway there, now enter the second command listed on that page.
Re: Multiple instances
Hello there. This is probably a stupid question, but how do I run multiple instances of radiusd on the same machine, listening on different ports? I have two configuration directories:
/usr/local/etc/raddb
/usr/local/etc/raddb2
which specify ports 1812 and 1813 respectively, so I thought I'd be able to issue the following commands:

1812 is for authentication and 1813 for accounting. So, if you used the port configuration in radiusd.conf and set raddb to 1812, it will automatically use 1813 for accounting.

radiusd -d /usr/local/etc/raddb
radiusd -d /usr/local/etc/raddb2

That is the correct way to do that part.

This doesn't seem to work however, as the second command seems to have no effect, ie. I see the first radiusd process running but never the second. Can anyone help please?

Probably because you are trying to set port = 1813 on raddb2, which would make it listen on 1813 and 1814 - but 1813 is already taken on raddb. Easiest way to do it is to set raddb with port = 1812 and raddb2 with port = 1645 (1645 and 1646 are the old traditional radius ports. Those are pretty safe to use since a lot of people still run radius on those ports - you'll probably still see it commented out in /etc/services) -Dusty Doris
Re: IP address assignment
Infusino, Michael - ADP Dataphile wrote: I am using radius to authenticate access from VPN. Would anyone know how to record the IP address the user is assigned after they log in. Michael

How does a little dynamic dns strike you? Make sure to actually read below and the attached scripts and set up a DNS key.

--radiusd.conf-
modules section
exec ddns_update {
    wait = no
    program = /usr/local/sbin/radius-dns-update.sh
    input_pairs = request
    packet_type = Accounting-Request
    shell_escape = yes
}
end modules

instantiate section
ddns_update
end section

Interesting idea. I like it.
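The exec module above hands each accounting packet to a script, which then has to turn User-Name and Framed-IP-Address into a DNS update. The script below is an added example, not the radius-dns-update.sh attached to the original post (which is not on this page). It reads the attributes from the environment variables rlm_exec exports for input_pairs (attribute name upper-cased, dashes replaced by underscores), refuses any User-Name that is not a plain DNS label so a client-supplied name cannot smuggle extra nsupdate commands into the update, and feeds nsupdate with a TSIG key. The zone, TTL, DNS server and key file path are assumed placeholders.

```python
import ipaddress
import os
import re
import subprocess
import sys

# Assumed placeholders for this example.
ZONE = "vpn.example.com"
TTL = 3600
KEY_FILE = "/usr/local/etc/ddns.key"   # TSIG key file the zone accepts updates with
DNS_SERVER = "127.0.0.1"

# User-Name arrives from the client: allow one plain DNS label and nothing else, so it can
# never carry a newline or spaces into the nsupdate command stream built below.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def hostname_for(user_name, zone=ZONE):
    """Map a User-Name (realm stripped, lower-cased) to a fully qualified name under the zone."""
    label = user_name.split("@", 1)[0].lower()
    if not LABEL.match(label):
        raise ValueError("refusing to build a DNS name from %r" % user_name)
    return "%s.%s." % (label, zone)


def render_update(env, zone=ZONE, ttl=TTL, server=DNS_SERVER):
    """Build the nsupdate script for one accounting packet from the environment variables
    rlm_exec exports for input_pairs (attribute name upper-cased, '-' turned into '_').
    Start adds the record, Stop removes it, anything else is ignored (returns None)."""
    status = env.get("ACCT_STATUS_TYPE")
    if status not in ("Start", "Stop"):
        return None
    name = hostname_for(env["USER_NAME"], zone)          # KeyError: exec block lacks the attribute
    ip = ipaddress.ip_address(env["FRAMED_IP_ADDRESS"])  # ValueError on anything not an address
    rtype = "AAAA" if ip.version == 6 else "A"
    lines = ["server %s" % server, "zone %s." % zone, "update delete %s %s" % (name, rtype)]
    if status == "Start":
        lines.append("update add %s %d %s %s" % (name, ttl, rtype, ip))
    lines.append("send")
    return "\n".join(lines) + "\n"


def main():
    script = render_update(os.environ)
    if script is None:
        return 0
    # nsupdate reads the update from stdin; -k points it at the TSIG key.
    return subprocess.run(["nsupdate", "-k", KEY_FILE], input=script.encode(), timeout=10).returncode


if __name__ == "__main__":
    try:
        sys.exit(main())
    except (KeyError, ValueError) as exc:
        print("ddns_update: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

Point the program line of the exec block at this file instead of the shell script and keep wait = no as in the post, so a slow or unreachable DNS server delays the DNS update rather than the Accounting-Response. The key file should be readable only by the user radiusd runs as, since whoever can read it can rewrite the zone.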
Re: Logging question
Currently I'm using the mysql logging functions of FreeRADIUS and I'm logging two different things: Dial-up customers that log in with just their username (username), DSL customers that log in with user at domain ([EMAIL PROTECTED]). I'm wondering, how would I get it so that both log the same way, that is, just username, not the suffix @itol.com. Any advice would be great!

Are these the same users? For example bob is the same as [EMAIL PROTECTED]? Is that the only domain you serve? If so, use the hints file to automatically change the username for you. This was recommended by Alan a few days ago for a similar question on the list.

in hints:
DEFAULT User-Name !~ .*@
        User-Name := [EMAIL PROTECTED]

That will rewrite bob to [EMAIL PROTECTED] if it doesn't contain an @. Then they could do either. However, if you plan on supporting more domains in the future, then I'd start getting them used to @domain now because it will be even more of a struggle if you need to make them start using it later. Plus with an @domain on the username you leave yourself open to more options with realms, proxying, etc. I am close to finally converting everyone to use realms as our services and domains using radius have grown quite a bit. Having realms makes it a lot easier for us, especially now that we have a dozen ISPs running over our lines. It's been a struggle, especially getting marketing/customer service to let me do it. However, if you don't need realms and probably never will, that config entry will do exactly what you need. -Dusty Doris
Re: Freeradius, Ldap, and static IPs for users.
I have a huntgroup for the dial-up that allows me to differentiate between the dial and dsl based on the radiusGroupName without any problems. But now I need to be able to let a DSL user with a static ip be able to log in via dial-up and pull a dynamic ip. Is this possible and how do I do it (or for that matter, what docs might even point me in the right direction)? I'm not seeing much on this in my searches.

Did you ever get help on this? If not, do all your dsl users get static ips? If so, here is a quick idea. Not sure if this would work, as in not sure if the variable will carry over, so you'll have to test it. In your radiusd.conf file, under the ldap section, perhaps you could put this:

dictionary_mapping = ${raddbdir}/%{Huntgroup-Name}-ldap.attrmap

Then copy ldap.attrmap to dialup-ldap.attrmap and dsl128-ldap.attrmap. In the dialup attrmap, comment out the radiusFramedIPAddress and radiusFramedIPNetmask parts. That will make radius not add those reply values to your users that log in from the dialup nas. If only some of your dsl users get static IPs and the rest get dynamic, then I'll have to think a bit more about this one. I'm sure there will be a way to do it; you could always call an external program or use rlm_perl to build some logic into it to do this for you. -Dusty Doris
Re: Is rlm_perl a viable solution for production environments yet?
On Mon, 17 Oct 2005, Tim O'Donovan wrote: Hi, I'm considering writing some Perl for use with the rlm_perl module, but before I do I need to know whether the module is ready for use in a production environment. Has anyone had any experience (both positive and negative) with rlm_perl, performance wise, that they could share with me to help my decision?

I am using rlm_perl in production right now. It's been working flawlessly for me. I'm using it with freeradius 1.0.2. -Dusty Doris
Re: Is rlm_perl a viable solution for production environments yet?
I'm considering writing some Perl for use with the rlm_perl module, but before I do I need to know whether the module is ready for use in a production environment. Has anyone had any experience (both positive and negative) with rlm_perl, performance wise, that they could share with me to help my decision?

I am using rlm_perl in production right now. It's been working flawlessly for me. I'm using it with freeradius 1.0.2.

I guess I should add what I'm doing with it. I'm using it to hand out IP addresses to PPPoA ADSL connections from a mysql database. We have about 30,000 DSL modems that get a dynamic IP out of a pool and about 8,000 that get a static IP. We get about 1-2 radius requests per second. I'll document it one of these days and then post it to the list. I just haven't had time yet to do it. -Dusty Doris
Re: not to proxy accounting
I want to make an option not to proxy accounting but log locally. What option can I take? Should I write pre-proxy code for this function?

In proxy.conf, you define where to send the accounting packets.
Re: Cisco and No NAS-Port seen (checkrad)
On Tue, 25 Oct 2005, Miguel wrote: Hi, I'm having problems implementing simultaneous-use on a cisco AS5400; it is the same problem addressed in this thread http://lists.cistron.nl/pipermail/freeradius-users/2005-March/041894.html Ok, I know what the problem is, but how can I instruct the cisco that it must send the NAS-Port attribute? Is this even possible? thanks

I think in conf t you can define the radius attribute with something like

radius-server attribute nas-port format X

with X being dependent on the type of connections. I don't know if this will force it, but perhaps the default type is something that doesn't apply to your type of connection. For PPPoA we use format d, which gives you the slot/mod/port vpi/vci. But there are a few other options, just give it a ?
Re: reject reply
On Wed, 26 Oct 2005, hannibal wrote: hi, everyone, i got these logs:
--
modcall: group authorize returns reject for request 37
Delaying request 37 for 1 seconds
Finished request 37 // why finished request, but not send reply to client??

It delays the reject for the amount of time you specify in radiusd.conf in reject_delay = 1

Going to the next request
Thread 6 waiting to be assigned a request
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 127.0.0.1:32874 // Sending this message, i think is because of process time out.
Cleaning up request 37 ID 1 with timestamp 435cf28f

It did send the reject, after the 1 second delay. Read the documentation above that line, it explains why you may want to do that. If you don't like it though, you can change that number to 0.
Re: freeradius with static IP
On Tue, 1 Nov 2005, Daniel Torres wrote: Hi, First of all excuse my English, it is not very good. I wanted to know if somebody has been able to set up a freeradius server to assign static IPs, or if it is possible to assign static IPs with freeradius 1.0.5. Thanks for the information.

Yes, I do it. I return Framed-IP-Address and Framed-IP-Netmask back to the NAS.
Re: FreeBSD anyone?
Hi, I'm running freeradius 1.0.5 + postgres 8.0.3 on a dual xeon, gentoo 2005.1, all is working ok, but I have another server with the same hardware specs that I recently upgraded from gentoo to freebsd 5.3. The server was running apache + postgres and, wow, great difference, better performance, so postgres definitely liked freebsd. What about freeradius? I have read on the website that it is developed on debian but it compiles on freebsd. What is your experience with freebsd, good? bad? any gotchas? Should I migrate to freebsd or stay with gentoo? My personal preference is bsd, but I'm worried about any obscure feature that only works on linux APIs, etc.

Been using freeradius on freebsd exclusively for several years now. Started with freeradius .8 on freebsd 4.6 I think. Now, I'm running freeradius 1.0.5 on freebsd 5.4. We handle about 75,000 logins per day between 3 servers and are using openldap as a backend, which stores about 400,000 users. We use radrelay to push all the accounting into a mysql db. It's been working perfectly, no issues ever with freeradius or freebsd (can't say the same for hard drives and motherboards though - so you should build redundancy into your architecture). I'm going to write up our architecture one of these days and I'll submit a copy to freeradius, but I'm re-designing everything right now to keep recent, add more redundancy, and simplify things. So I've been too busy. There is an old document of the original system I put in, in the doc folder called ldap_howto.txt. Anyway, I'd suggest installing freeradius from the freebsd ports tree since they've got the most recent version in there right now. The ports are just so easy to maintain. However, I do have it running on a few machines compiled from source before the ports tree was updated. Anyway, I'm on the list and read it often, so if you've got freebsd specific questions, feel free to ask. -Dusty Doris

BTW this is fun to look at.
Below is the last of our old systems, that I haven't replaced yet. Will be doing so in the next few weeks, though. I don't think I've ever touched them more than a few times and only to make config changes. They're just proxy radius servers and only get about 1000-2000 logins per day from some old systems and proxy everything over to our 3 real servers, but I still like the stats.

[EMAIL PROTECTED]:~] # radiusd -v
radiusd: FreeRADIUS Version 0.8.1, for host i386-unknown-freebsd4.7, built on Mar 26 2003 at 14:36:24
[EMAIL PROTECTED]:~] # w
1:03AM up 932 days, 15:06, 1 user, load averages: 0.00, 0.00, 0.00
[EMAIL PROTECTED]:~] # uname -sr
FreeBSD 4.8-RELEASE

[EMAIL PROTECTED]:~] # radiusd -v
radiusd: FreeRADIUS Version 0.8.1, for host i386-unknown-freebsd4.8, built on May 13 2003 at 13:06:20
[EMAIL PROTECTED]:~] # uname -sr
FreeBSD 4.8-RELEASE
[EMAIL PROTECTED]:~] # w
1:08AM up 903 days, 17:49, 1 user, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
root p0 172.20.1.209 1:08AM - w
Re: Adding Attributes to a post proxy request
I have a case where I use Freeradius for proxy auth/acct to home servers. Before the answer goes back to the NAS I need to add some attributes and am now looking for the best way of doing this.

You can do this with rlm_attr_filter. Read the attrs file and man rlm_attr_filter.
Re: FreeBSD anyone?
Hi Dusty, Now, I'm running freeradius 1.0.5 on freebsd 5.4. We handle about 75,000 logins per day between 3 servers and are using openldap as a backend, which stores about 400,000 users. We use radrelay to push all the accounting into a mysql db. Can you comment on the accounting record rate that you're achieving? We're currently testing FreeRadius and I'm seeing a performance ceiling of about 200 accounting records per second. Matthew.

I will have to take a look tomorrow to see what kind of data is coming in. But, I will let you know the architecture I am using, in case it interests you. Our billing system pulls from our accounting database periodically, so we don't need real-time information on all our accounting records. We have three main radius servers. We set up each of the radius servers to log all accounting to a detail file and we then use radrelay to push the data to our sql servers. This makes the accounting part of our AAA much quicker between the NAS and the radius server. The radius server just has to log it to a file and move on, so the accounting response comes very quickly. This is especially apparent during high loads as we don't need to wait for an sql resource to become available. The sql servers are two mysql 4.1 servers on freebsd 5.4. They are running in a multi-master setup. The two servers share an IP with CARP, which is built into freebsd. CARP will set up one server as the master and that server will answer all ARP requests for that IP. If the interface goes down (or if carp is shut down by script/manual intervention), then the other machine will automatically take over that IP and then become the master sql server. The whole point of this setup is for reliability of our data rather than availability of the sql server. If one of the sql servers goes down, the other will take over the master role.
When the dead server comes back up, it will assume the slave role and will update itself to be current with the master, or we can manually update it if we wish. If both sql servers go down, or during a small transition time between switching masters, or perhaps the radius load is just too high to accept all the requests we are getting, then the detail file on the radius servers will begin to grow. When the radius accounting server comes back up or the packets coming in slow down to a rate lower than the sql server can accept, radrelay will then catch up the accounting server. We do occasionally see times where there was too much data coming in at once and the accounting server will post warnings to the log file and the detail files will begin to grow. However, it's never been more than a few minutes and radrelay quickly catches the servers back up to date when the rates return to a lower level. Our authentication structure is quite different as we are looking more for availability. But in the accounting world, we can afford to delay the records if needed. I'll take a look at the data coming in tomorrow and let you know what kind of numbers we are seeing. If you'd like I can also send you any information you'd like about CARP or our mysql setup.

I've also tested using another method which we chose not to implement. With this method I set up the accounting in a configurable-failover scenario. First we would send the accounting data directly to the sql server. If that failed, then the data would be populated into the detail file to quickly return an accounting response and radrelay would pick it up and deliver it to the accounting server when it can. This worked quite well, but we chose to go with just radrelay instead. By doing just radrelay we could make the radius accounting server open up a large number of connections to itself vs spreading out the connection pool among our main radius servers. Hope that is helpful. -Dusty
Re: FreeBSD anyone?
Thanks for the advice.

Didn't get a chance to get good numbers for you today, but here is at least something. I took a look at our records for today and we have about 70,000 entries, with only 1500 of them without a stop yet. I can't get a good estimate at packets right now because I'm not sure how many updates we receive. But if I were to take a guess and say there is 1 update per user session (very rough guess), then that puts us at about 210,000 packets in 24 hours with 1 start, 1 update, and 1 stop. That makes our average about 2.5/second. Now, there are probably at least a few more than 1 update, so that number could be a bit higher. Also, our usage definitely has big peaks during certain times of the day. But, I'd guess that we don't hit much more than 20-30/second during those peaks.

I've found that the performance problem goes away when I test with interim accounting records instead of start records. I haven't figured out why start records generate such a performance hit. Any ideas?

That seems odd to me. I don't have any ideas on that, looking at the queries in sql.conf it seems to me that the accounting start should be faster since it begins with just a plain insert vs the update starting with an update that contains a where clause.

Do you have a my.cnf file tuning that db? I can't explain update vs insert, but it could help with performance. Did you tweak sql.conf or radiusd.conf either? Perhaps you could try adjusting the num_sql_socks and connection_failure_retry_delay numbers in sql.conf and the thread pool section of radiusd.conf. Also, you can do many other things to help, especially turning off radutmp. I'd also comment out any other modules that aren't used. Actually read tuning_guide in the doc dir, there are some good comments there.

Also, remember that the sql performance is going to be primarily dependent on your configuration vs freeradius in general. For example, the CPU, disk speed, ram, etc. will have more of an influence than anything else.

We're currently looking at radrelay.

That sounds like a good idea. It's been working great for us. However, in the CVS head they now have sqlrelay which I'd definitely consider taking a look at. It does the same thing as radrelay, but sends over sql queries to your db instead of radius packets. Might be nice to not have to worry about an additional process (radiusd) on your sql servers. I'll test it out one of these days if I ever get some spare time.

-Dusty
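The open-session count and per-second rates discussed in this thread can be read straight off the detail file that radrelay consumes. This is an added example, not code from the list or from the FreeRADIUS project; the detail records below are constructed, and pairing NAS-IP-Address with Acct-Session-Id as the session key is an assumption.

```python
from collections import Counter

# Constructed excerpt in the layout rlm_detail writes: a date line, tab-indented
# "Attribute = value" lines, then a blank line closing each record.
SAMPLE_DETAIL = """\
Wed Jun 29 10:00:00 2005
\tAcct-Session-Id = "0001"
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 10.0.0.1
\tTimestamp = 1120039200

Wed Jun 29 10:00:00 2005
\tAcct-Session-Id = "0002"
\tUser-Name = "bob"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 10.0.0.1
\tTimestamp = 1120039200

Wed Jun 29 10:05:00 2005
\tAcct-Session-Id = "0001"
\tUser-Name = "alice"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Time = 300
\tNAS-IP-Address = 10.0.0.1
\tTimestamp = 1120039500

Wed Jun 29 10:10:00 2005
\tAcct-Session-Id = "0001"
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 600
\tAcct-Terminate-Cause = User-Request
\tNAS-IP-Address = 10.0.0.1
\tTimestamp = 1120039800

Wed Jun 29 10:10:00 2005
\tAcct-Session-Id = "0003"
\tUser-Name = "carol"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 120
\tNAS-IP-Address = 10.0.0.2
\tTimestamp = 1120039800
"""

def parse_detail(text):
    """Split the file into records; each record is a dict of attribute -> value."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = None
        elif not line[0].isspace():          # a date line starts a new record
            current = {"_date": line.strip()}
        elif current is not None:
            attr, _, value = line.strip().partition(" = ")
            current[attr] = value.strip('"')
    if current:
        records.append(current)
    return records

def summarize(records):
    """Counts per Acct-Status-Type, peak records per second (from Timestamp), sessions
    still without a Stop, and Stops with no matching Start. The session key is assumed
    to be NAS-IP-Address plus Acct-Session-Id."""
    by_type = Counter(r.get("Acct-Status-Type") for r in records)
    per_second = Counter(r.get("Timestamp") for r in records)
    sessions, orphan_stops = {}, []
    for r in records:
        key = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id"))
        status = r.get("Acct-Status-Type")
        if status == "Start":
            sessions[key] = "open"
        elif status == "Interim-Update":
            sessions.setdefault(key, "open")   # update seen before its Start: still open
        elif status == "Stop":
            if key not in sessions:
                orphan_stops.append(key)       # Stop whose Start never reached this file
            sessions[key] = "closed"
    return {
        "by_type": dict(by_type),
        "peak_per_second": max(per_second.values(), default=0),
        "open_sessions": sorted(k for k, s in sessions.items() if s == "open"),
        "orphan_stops": orphan_stops,
    }

def summarize_text(text):
    return summarize(parse_detail(text))

if __name__ == "__main__":
    print(summarize_text(SAMPLE_DETAIL))
```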
Re: memory leaks with rlm_perl? (FreeRADIUS bug #221)
I really appreciate that the FreeRADIUS developers actually take their time to do end user support on this list. I am impressed by the work you all do. Getting two(!) working solutions to a problem in a couple of hours during the weekend, is a level of support that I think you can't buy from any commercial company at any price. It makes me wish that I had something to give back. At least I'll have an example for all the bosses that express their concern about unsupported open source solutions.. Thanks again.

I agree with you 100% on this. Our company pays extra for so-called support on many of the commercial products we use. However, I've found that the community that supports freeradius on this mailing list is much more valuable than any of our paid support on commercial software. The support here on the list comes from people that actually USE the product in a PRODUCTION network. This is something you can't always get from a commercial product.

You definitely can give back by documenting anything you think might help and sending it to the list. Or perhaps you can stay on the list and see if you can help anyone with similar issues to what you've experienced. I'm in the same boat as you, and trying to give back by occasionally responding to threads here and sending in some documentation whenever I get the time to write some up.

-Dusty Doris
Re: FreeRadius using two SQL servers
when a radius client asks my freeradius, if the Realm is I want to authorize him with the first SQL server and if the Realm is with the second one. I already have two different sql configuration files, sql1.conf and sql2.conf, with instance name SQL1 and SQL2. I had been trying to do exactly what the Autz-Type Doc says, but I had no luck with it. I don't know what to do... Thanks

So, what have you tried?
Re: FreeRadius using two SQL servers
what do you think if we try to use a Perl module inside of the authorize section?!?!. I want the Perl module to decide between my two sql servers depending on the incoming realm, I think this can be a possible way to take. If you have any idea please let me know. Thanks!!

That should work too. However, you can do this with Autz-Type, I am currently doing it right now, but using ldap instead of sql. Comment out your Autz-Type entries in your users file and try this. Actually, comment out all your entries if you're not on a production system.

DEFAULT Realm == wireless, Autz-Type := SQL1
DEFAULT Realm == dhcp, Autz-Type := SQL2

Notice that the check item Realm == is first, then Autz-Type. Make sure your sql1.conf and sql2.conf files look like this at the top.

sql1.conf
sql sql1 {
    ...
}

sql2.conf
sql sql2 {
    ...
}

Then give it a shot. If that does not work, try changing it to add Auth-Type to the end.

DEFAULT Realm == dhcp, Autz-Type := SQL2, Auth-Type := Local

If neither of those work for you, please post your debug again. Also, make sure to reply to all, so your replies go back to the list, not just me.

-Dusty
Re: Pool-Name check item causes Access-Reject
Following the docs, I have the files db.ipindex and db.ippol set up, and the main_pool is configured in radiusd.conf. user 'gerret' is the guinea pig with the following radcheck table entries:

| 1354 | gerret | User-Password | == | testpw    |
| 1491 | gerret | Pool-Name     | == | main_pool |

Try setting the operator on Pool-Name to := instead of ==.
Re: php account stats
On Thu, 17 Nov 2005, Jean Gaudreau wrote: I'm looking for a script in php that can produce some stats from MySQL. Anyone ? What kind of stats?
RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
So, the question again is if the VPN Concentrator is only sending username and password, do I need ntlm_auth or ms-chap? FreeRADIUS doesn't have any usernames and password and will query Active Directory for the actual authentication. Thanks,

If the packet is merely containing plaintext username and password, then you can probably just use rlm_ldap against AD and hit it directly. Just need to setup a user with read access to the directory to do the initial bind with and search of the user for authorization. Then the user will be authenticated by doing a bind against AD with the username/password in the packet.

BTW - I use freeradius w/ ldap for cisco VPN concentrators as well, although it's openldap instead of AD. To pass back the class attribute, you must modify ldap.attrmap and specify the reply item of Class to match what you call it in the directory. eg:

replyItem Class radiusClass

Then in the directory, you have

dn: cn=someuser,...
...
radiusClass: OU=myvpngroup;

So, for AD, you'll need to extend the schema and add an attribute for this. Or if you already have something that you can use, just modify ldap.attrmap to know what it is.

-Dusty Doris
Re: LDAP, FreeRadius, and Schema
Hi all, I was wondering what everyone uses for an account objectClass? Right now I'm using Person, which makes the dn: cn=user,ou=Radius,dc=mydomain,dc=net However, indexing the cn would index the CN of other OU's as well ... .. I'm just wondering what people use. I know Account could also be used.

I extend my schema with RADIUS-LDAPv3.schema and use the radiusprofile objectclass. However, mine is old and uses uid instead of cn, which is in that file. You certainly could create your own objectclass or modify the one that is there. I think you should stick with cn, since that is what freeradius knows and you already use it. It will make maintenance and upgrades much easier.

However, back to your problem. I don't see what the issue is with indexing cn. If you are ever going to do searches on other OU's for a cn attribute, you would probably hope that it's indexed. The performance hit you will take for indexing that attribute is probably not even close to the performance gain you will get having cn indexed for searches. This is especially true with the newest versions of openldap (2.3).

Dusty Doris
RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
Radiusd.conf:

filter = (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))

This works fine. However I can't get it to return any replyItems. Has anyone gotten this to work with Active Directory? All the docs I see on the Net reference OpenLDAP. I'm sure there are a lot of folks out there running Windows 2000/2003 Active Directory. I have spent a couple of days on this not having much luck. Here are a few questions that would help me a bit.

1) Do I need groupname_attribute to get this to work?
2) What about groupmembership_filter and groupmembership_attribute?

My ldap.attrmap looks like this:

replyItem Class groupofnames
replyItem Class group

I think the above is correct. Can someone shed some light on this?

Is group and groupofnames something that is an attribute of a user? When freeradius searches for reply items it is searching for attributes of that user. eg:

dn: cn=someuser,...
group: somegroup

Should then add Class = somegroup to the reply items.

If you want to make reply items attached to a group, rather than an individual, you will need to set the User-Profile attribute. For example,

dn: cn=somegroup,ou=groups,...
group: somegroup

Then in the users file.

DEFAULT Ldap-Group == somegroup, User-Profile := cn=somegroup,ou=groups,...

You may be able to do this dynamically using xlat or something like huntgroups too. If you want an example, send us an example of a user and group from AD in ldif format and an example of a radius packet that you would expect in the reply and I'll see if I can come up with an idea for ya.
Re: error in configurable failover?
Norbert Wegener [EMAIL PROTECTED] wrote:

authenticate {
    #ldap1
    group {
        ldap1 {

You can't use anonymous groups in the authenticate section. You have to explicitly use Auth-Type, and give it a name. This is because only ONE auth-type is run from that section. So if you had an anonymous group, it would never get run, because you could never reference it by name.

Alan DeKok.

Say you had two ldap instances.

authorize {
    redundant {
        ldap1
        ldap2
    }
}
authenticate {
    ldap1
    ldap2
}

Say you had 4 ldap instances. Two for dial users and two for isdn users. They point to the same servers, but with different configurations.

authorize {
    Autz-Type dial {
        redundant {
            ldap_dial1
            ldap_dial2
        }
    }
    Autz-Type isdn {
        redundant {
            ldap_isdn1
            ldap_isdn2
        }
    }
}
authenticate {
    Auth-Type dial {
        ldap_dial1
        ldap_dial2
    }
    Auth-Type isdn {
        ldap_isdn1
        ldap_isdn2
    }
}

In that case, you would need to declare these somewhere, such as the users file.

DEFAULT NAS-Port-Type == Async, Autz-Type := dial, Auth-Type := dial
DEFAULT NAS-Port-Type == ISDN, Autz-Type := isdn, Auth-Type := isdn
RE: Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator
On Wed, 30 Nov 2005, Alhagie Puye wrote:

Ok, So I played around some more with the settings. Actually group and groupofnames are not correct attributes for user. It is supposed to be memberof. So I changed line in ldap.attrmap to look like:

replyItem Class memberof

Now I'm getting replyItems but the data looks like garbage. I want it to return the group name.

You are returning CN as the class in your radius packet.

Class = CN

Class is not a string, it's an octet so what you are seeing 434e is really CN. You must be returning something like

memberof: CN=somegroup,ou=someou,...

It seems like rlm_ldap is stripping anything after that = sign. You should check the bugs db and see if you can find something like this.
Re: Configuring a proxied and local authentication
I did configure one radius server (A) to proxy incoming requests to another radius server (B, this latter one using pam).

First question: I don't find a way to add a NAS-Identifier value inside the proxied request, so that B server could check it...

preproxy_users will do this for you.

How to configure the A server so that if B rejects the request, then A will check in a local user base (through pam)?

Not sure on that one, will have to defer to someone else.
Re: LDAP, FreeRadius, and Schema
Well, most of our email accounts are in a different organizational unit, and they use posixAccount (so based off of uid). However, our radius organizational unit is separate ... and I'm now using type account with cn's. You're saying this is ok?

It's probably fine.

The only reason I was complaining about indexing is because in the organizational unit that managed the email accounts uses the cn value for full name so I was indexing the full name without being needed.

That's ok. You're just indexing with eq anyway, correct? If you were doing substring indexes as well it would be a little more load, but I usually err on the side of having too much indexed. But we run pretty good sized ldap servers anyway.
RE: Free Radius and Squid
AFAIK - NO - it is way too simple to work like that. Squid is only a cache. You could redirect a user to a login site with your firewall script, after he logs in, you could redirect him to squid ( at least his http traffic ). But again AFAIK there is no radius client module for squid. Nor is it planned in a way you want it.

Regards, Edvin

-Original Message-

Hello, I'm very new to free radius and would like to know if it will run with squid proxy server. If so how would this work? What I am looking to do is to allow users to access the internet via the transparent squid proxy for limited time sessions. Eg. a user who wishes to use the system would be greeted by a web page asking for a code. The code (which they would get from the system admin) would grant them access for 1 hour. Can this be done using FreeRadius and Squid? Sean.

Actually, I have tested squid using a radius plugin before to talk to freeradius. It worked for me then, but we never used it and it was also years ago.

http://www.squid-cache.org/related-software.html

There are a few radius modules in there, you might want to give one a shot. The second one seems to still be active. I don't know about a time limit however and I don't really know much about squid to help. This wiki entry talks about using authentication with squid, it might help you.

http://wiki.squid-cache.org/faq/authentication
Re: rlm_sql_mysql on FreeBSD 5.4 - Segmentation fault at startup
I'm running it fine right now on freebsd 5.4. I installed everything from ports. I first installed mysql server from ports. I'm running mysql-server-4.1.14

cd /usr/ports/databases/mysql41-server/
make install clean
(I didn't specify any unique make options)

cd /usr/ports/net/freeradius
make install clean (select mysql)

$uname -a
FreeBSD radsql1.soc.int 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Tue Sep 27 14:14:11 EDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/carp i386

On Thu, 8 Dec 2005, Matthew Horoschun wrote:

Hi All, I'm having trouble getting FreeRadius (CVS) working with MySQL 5.0.15 on FreeBSD 5.4. I have been testing successfully with PostgreSQL up until now. Running under gdb:

...
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Error retrieving group list
rlm_sql (sql): Error processing groups; rejecting user
rlm_sql (sql): Released sql socket id: 0

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 100524)]
0x08059635 in safe_unlock (instance=0x0) at modcall.c:227
227         if (instance->mutex)
(gdb) bt
#0  0x08059635 in safe_unlock (instance=0x0) at modcall.c:227
#1  0x0805971c in call_modsingle (component=1, sp=0x8139140, request=0x806f800, default_result=6) at modcall.c:258
#2  0x08059dc6 in modcall (component=1, c=0x8139140, request=0x806f800) at modcall.c:590
#3  0x0805979f in call_one (component=1, p=0x8139140, request=0x806f800, priority=0xbfbfd1e0, result=0xbfbfd1e4) at modcall.c:287
#4  0x08059896 in call_modgroup (component=1, g=0x8135ec0, request=0x806f800, default_result=6) at modcall.c:342
#5  0x08059d3b in modcall (component=1, c=0x8135ec0, request=0x806f800) at modcall.c:575
#6  0x0805876c in indexed_modcall (comp=1, idx=0, request=0x806f800) at modules.c:428
#7  0x08059271 in module_authorize (autz_type=0, request=0x806f800) at modules.c:936
#8  0x0804d412 in rad_authenticate (request=0x806f800) at auth.c:548
#9  0x0805e00a in rad_respond (request=0x806f800, fun=0x804d25c <rad_authenticate>) at request_process.c:451
#10 0x0805fbad in thread_pool_addrequest (request=0x806f800, fun=0x804d25c <rad_authenticate>) at threads.c:901
#11 0x0805be34 in main (argc=2, argv=0xbfbfebfc) at radiusd.c:668

I noticed that people have had somewhat similar problems (http://lists.cistron.nl/pipermail/freeradius-users/2005-September/047030.html), but I'm not sure that this is the same thing.

Matthew.
Re: rlm_ldap behavior: authorize v.s. authenticate
From reading debug logs, am I correct in concluding that rlm_ldap's behavior:

- when processing authorize{ } is to bind to the LDAP as the provided administrative DN and search for the DN of the user in the Access-Request packet
- when processing authenticate{ } is to, if successful during authorize, then re-bind to the LDAP using the provided username and password and return Access-Accept only if the bind-as-the-user succeeds?

Correct, as the default behavior?

Sounds right to me.
Re: Checkitems
Maybe my last question was unclear this morning. Therefore I would like to rephrase it: Checkitems may be defined via ldap.attrmap e.g. like:

checkItem User-Category primaryGroupID

Those items, retrieved from an ldapserver and thus not part of the request: Are they supposed to be accessible by following modules? In a case like this in radiusd.conf:

authorize {
    ldap {
        notfound = return
    }
    files
}

Should the files module have access to a check item User-Category? Thanks

I'm not sure, I've never tried that before, but I don't believe you can. I think you'd need to use xlat for that. Grep for xlat in doc/rlm_ldap.

You could certainly use that ldap attribute as an Ldap-Group item, if you are going to be keying off of it a lot.

in radiusd.conf

groupmembership_attribute = primaryGroupID

Then in the users file

DEFAULT Ldap-Group != xxx, Auth-Type := Reject

or something like that.
Re: bug in rlm_ldap?
I changed the users file as you recommended, the ldap.attrmap contains the additional line:

checkItem User-Category primaryGroupID

Unfortunately also in this case only the Reject entry matches, although the primaryGroupID seems to be passed to User-Category:

radiusd -AX
.
rlm_ldap: looking for check items in directory...
ldap_get_values
ldap_get_values
rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category == 515
ldap_get_values

Did you get the second email I sent. I don't believe you can use that check item from ldap in the users file. Try the ldap-group options I sent over in the last email. That should work for you.
Re: bug in rlm_ldap?
Thank you, I got it and already tried that attribute. The behaviour is a bit better, but does not really lead to the desired result, as the client gets an:

Incoming RADIUS packet did not have correct Message-Authenticator - dropped

Well, at least you've got the ldap part working. The message-authenticator shouldn't have anything to do with ldap. It has to do with the packet between the radius server and the nas.

Seems ok, but unfortunately on the other side, the result is not that good. Alan proposed eapol_test recently for testing of such connections (thank you, very useful) and this tool shows me:

...
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=0 length=38
   Attribute 64 (?Unknown?) length=6
   Attribute 65 (?Unknown?) length=6
   Attribute 81 (?Unknown?) length=6
STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.15 sec
No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet
EAPOL: startWhen -- 0
EAPOL test timed out
MPPE keys OK: 0 mismatch: 1
FAILURE

I can't help on this part. I'd start a new thread with that error, so the subject line might draw some attention from someone that can.
Re: No Reply Proxy for Accounting Requests
On Fri, 16 Dec 2005, David Bickle wrote: Does anyone know how to configure a proxy for the forwarding of no reply accounting requests? In particular I am interested in accounting start/stop packets. Thanks, What does forwarding of no reply accounting requests mean?
Re: RADIUS packet did not have correct Message-Authenticator
although I have not yet found the culprit, it is calming to know the reason behind. I have read this and that documentation about freeradius during the past time, but this one I think, did never cross my way. Is there a document, where this behaviour is described?

I believe it's your users file, from your previous messages on ldap. I had given you an example of using ldap-group to make sure you hit that check-item you want. That worked, but now your access-accept is cancelling the EAP. Sorry if I confused you, but I was just focusing on the ldap part, didn't even realize there was something else going on inside this.

Perhaps you should change it from:

DEFAULT Ldap-Group == 515, Auth-Type := Accept
        Framed-Type = Framed,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 100
DEFAULT Auth-Type := Reject

To:

DEFAULT Ldap-Group == 515
        Framed-Type = Framed,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 100
DEFAULT Auth-Type := Reject

??

I have never used EAP, but I believe if you take out the Auth-Type := Accept, the server should pick up on the fact that it needs to do EAP and will continue with that part. Someone else will be able to give more insight on that part.
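The Class octets from the earlier reply (434e is the text CN) and the three attributes eapol_test lists as unknown in the 38-byte Access-Accept above (64, 65 and 81 are Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 2868, each 6 bytes because of the tag byte) can be worked through with a small encoder and decoder, together with the RFC 2869 Message-Authenticator check that eapol_test reports as failing. This is an added example, not code from the list or from FreeRADIUS; the shared secret and Request Authenticator are constructed.

```python
import hashlib
import hmac
import struct

# Attribute numbers: RFC 2865 (Class), RFC 2868 (tunnel attributes), RFC 2869 (Message-Authenticator)
ATTR_NAMES = {25: "Class", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              80: "Message-Authenticator", 81: "Tunnel-Private-Group-ID"}
TAGGED_INTEGER = {64, 65}        # value = 1 tag byte + 3-byte big-endian integer
TAGGED_STRING = {81}             # value = 1 tag byte + string
TUNNEL_TYPE = {13: "VLAN"}       # RFC 3580
TUNNEL_MEDIUM = {6: "IEEE-802"}  # RFC 2868
ACCESS_ACCEPT, MSG_AUTH = 2, 80

def attr(attr_type, value):
    """Encode one Type/Length/Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged_int(tag, number):
    return bytes([tag]) + number.to_bytes(3, "big")

def build_access_accept(ident, request_auth, secret, attrs, with_msg_auth):
    """Message-Authenticator (RFC 2869) = HMAC-MD5 over Code+ID+Length+RequestAuth+Attributes
    with its own 16 bytes zeroed; Response Authenticator (RFC 2865) = MD5 over the same
    fields plus the shared secret."""
    body = b"".join(attr(t, v) for t, v in attrs)
    if with_msg_auth:
        header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body) + 18)
        mac = hmac.new(secret, header + request_auth + body + attr(MSG_AUTH, bytes(16)),
                       hashlib.md5).digest()
        body += attr(MSG_AUTH, mac)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body

def decode_attrs(body):
    """Walk the attribute list as eapol_test does; returns (name, tag, value) triples."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError(f"bad length {length} for attribute {t}")
        v = body[i + 2:i + length]
        i += length
        name = ATTR_NAMES.get(t, f"Attribute {t} (?Unknown?)")
        if t in TAGGED_INTEGER and len(v) == 4:
            table = TUNNEL_TYPE if t == 64 else TUNNEL_MEDIUM
            number = int.from_bytes(v[1:], "big")
            out.append((name, v[0], table.get(number, number)))
        elif t in TAGGED_STRING and len(v) >= 1:
            out.append((name, v[0], v[1:].decode("ascii", "replace")))
        else:
            # Class (and anything unknown) is opaque octets: hex 434e is the text "CN"
            out.append((name, None, v.hex()))
    return out

def verify_message_authenticator(packet, request_auth, secret):
    """True only when Message-Authenticator is present and correct; absence fails,
    which is the "No Message-Authenticator attribute found" case above."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    body, i = packet[20:], 0
    while i + 2 <= len(body):
        t, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            return False
        if t == MSG_AUTH and alen == 18:
            zeroed = body[:i + 2] + bytes(16) + body[i + 18:]
            expected = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(body[i + 2:i + 18], expected)
        i += alen
    return False

def verify_response_authenticator(packet, request_auth, secret):
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

# Constructed sample: the reply items from the users-file entry above, all with tag 1
SECRET = b"testing123"            # constructed shared secret
REQUEST_AUTH = bytes(range(16))   # constructed stand-in for the Access-Request authenticator
REPLY_ITEMS = [
    (64, tagged_int(1, 13)),      # Tunnel-Type:1 = VLAN
    (65, tagged_int(1, 6)),       # Tunnel-Medium-Type:1 = IEEE-802
    (81, b"\x01" + b"100"),       # Tunnel-Private-Group-ID:1 = 100
]

def demo(with_msg_auth):
    """Build the 38-byte (or 56-byte) Access-Accept and run both checks on it."""
    pkt = build_access_accept(0, REQUEST_AUTH, SECRET, REPLY_ITEMS, with_msg_auth)
    return pkt, decode_attrs(pkt[20:]), verify_message_authenticator(pkt, REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    for flag in (False, True):
        pkt, attrs, ok = demo(flag)
        print(f"length={len(pkt)} message_authenticator_ok={ok} attrs={attrs}")
```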
Re: FreeRadius cannot Authenticate to Windows AD
rlm_ldap: login attempt by mike with password mike123
radius_xlat: '(SamAccountName=mike)'
radius_xlat: 'CN=Person,DC=chikka,DC=ph'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as / to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in CN=Person,DC=chikka,DC=ph, with filter (SamAccountName=mike)

- LDAPSEARCH RESULT

[EMAIL PROTECTED] ~]# ldapsearch -LLL -h 192.168.1.1 -x -b 'dc=domain,dc=com' '(samaccountname=mike)' -D mike -w mike123
dn: CN=mike,CN=Users,DC=domain,DC=com

There are two major differences in what you have freeradius configured to do and what your commandline search shows. Is this intended??

Freeradius
-bind anonymously
-search in CN=Person,DC=chikka,DC=ph

Commandline
-bind as mike
-search in dc=domain,dc=com

Unless I missed something and I'm just not getting it, I would give freeradius an identity and password of a user that has read access to the part of the directory your users are in. Then I would change the basedn in freeradius to actually match the basedn of your directory.
Re: Auth All but only for those in my clients.conf
You want to allow any client that matches what is in the clients.conf file in, correct?

The secret in your clients.conf file is used to encrypt and sign packets between the clients and the server. It is not used for authentication.

Have you tried adding the IPs to some type of backend? For example, if you used the users file and huntgroups file.

In huntgroups.

allow   Client-IP-Address == 1.1.1.1
allow   Client-IP-Address == 1.1.1.2
allow   Client-IP-Address == 1.1.1.3

Then in users file

DEFAULT Huntgroup-Name == allow, Auth-Type := Accept
DEFAULT Auth-Type := Reject
Re: Authorization
Let's say I have 2 groups: students and faculty. I want to authorize authenticated members of the LDAP group cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~ /:StudentWLAN$/ I want to authorize authenticated members of the LDAP group cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~ /:FacultyWLAN$/

You left out your ldap part? Anyway it should look something like this.

groupname_attribute = cn
groupmembership_filter = (&(objectclass=GroupOfNames)(member=%{Ldap-UserDN}))

Of course you'll have to change that to fit with how your directory is structured. Once you've got that part down, then in the users file you could do something like this.

DEFAULT Called-Station-ID =~ /:StudentWLAN$/, Ldap-Group == students
DEFAULT Called-Station-ID =~ /:FacultyWLAN$/, Ldap-Group == faculty
DEFAULT Auth-Type := Reject

That would look to see if Called-Station-ID matches that regex. If so, it would look to see if they are in the Ldap-Group of students. Your groupmembership filter and groupname_attribute should look for a group named cn=students and then see if the DN of the user is in it. If not, it would fall through to the Reject statement.

Now, there are other things going on outside of ldap that I don't really know about, so a copy/paste of what I wrote might not work. But, it should help lead you in the right direction. I'd give it a shot running in debug mode (radiusd -X) and then you can see the exact queries that are taking place and what is happening. You can then go back and modify those ldap group statements and the users file to fit what you need. Once you've got it started if you need more help, please post debug output and what you would expect vs what you got and we can probably help sort it out.
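The check-item semantics behind several replies in this archive (Pool-Name == versus := in radcheck, Realm == selecting an Autz-Type, a huntgroup gating Auth-Type := Accept, and Called-Station-ID =~ combined with Ldap-Group) can be exercised with a small model of users-file evaluation. This is an added example and not FreeRADIUS code: it models first-match-wins with no Fall-Through, the Ldap-Group lookup is answered by a constructed in-memory directory, and the attribute names and values are taken from the threads above.

```python
import re

# One check/reply item: attribute (optionally with :tag), operator, value (/regex/, "quoted" or bare)
ITEM_RE = re.compile(r'([\w\-]+(?::\d+)?)\s*(:=|==|!=|=~|=)\s*(/(?:[^/\\]|\\.)*/|"[^"]*"|[^,\s]+)')

def _items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """users-file entries: a 'name check, items' line followed by indented reply-item lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1]["reply"].extend(_items(line))
            continue
        name, _, rest = line.partition(" ")
        entries.append({"name": name, "check": _items(rest), "reply": []})
    return entries

def parse_huntgroups(text):
    """huntgroups lines are 'groupname Attribute op Value'; the first matching line names the group."""
    return [(line.split(None, 1)[0], _items(line.split(None, 1)[1]))
            for line in text.splitlines() if line.strip()]

def check_item_matches(item, request, control, member_of):
    """Simplified semantics: ':=' always matches and writes a control item; '==', '!=' and
    '=~' need the attribute to be present in the request (so 'Pool-Name == main_pool' fails
    when the NAS never sent Pool-Name); Ldap-Group is answered by the directory callback."""
    attr, op, value = item
    if op == ":=":
        control[attr] = value
        return True
    if attr == "Ldap-Group":
        is_member = value in member_of(request)
        return is_member if op == "==" else not is_member
    actual = request.get(attr)
    if actual is None:
        return False
    if op == "==":
        return str(actual) == value
    if op == "!=":
        return str(actual) != value
    if op == "=~":
        return re.search(value.strip("/"), str(actual)) is not None
    raise ValueError(f"unsupported check operator {op}")

def authorize(request, users, huntgroups, member_of):
    """Resolve Huntgroup-Name first, then return the first users entry whose check items
    all match (with its control and reply items), or None when nothing matched."""
    request = dict(request)
    for group, items in huntgroups:
        if all(check_item_matches(i, request, {}, member_of) for i in items):
            request["Huntgroup-Name"] = group
            break
    for entry in users:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        control = {}
        if all(check_item_matches(i, request, control, member_of) for i in entry["check"]):
            return {"entry": entry["name"], "control": control,
                    "reply": {a: v for a, _, v in entry["reply"]}}
    return None

# Constructed configuration reproducing the threads above
HUNTGROUPS = parse_huntgroups("""
allow   Client-IP-Address == 1.1.1.1
allow   Client-IP-Address == 1.1.1.2
allow   Client-IP-Address == 1.1.1.3
""")
USERS_HUNT = parse_users("""
DEFAULT Huntgroup-Name == allow, Auth-Type := Accept
DEFAULT Auth-Type := Reject
""")
USERS_REALM = parse_users("""
DEFAULT Realm == wireless, Autz-Type := SQL1
DEFAULT Realm == dhcp, Autz-Type := SQL2
""")
USERS_WLAN = parse_users("""
DEFAULT Called-Station-ID =~ /:StudentWLAN$/, Ldap-Group == students
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 100
DEFAULT Called-Station-ID =~ /:FacultyWLAN$/, Ldap-Group == faculty
DEFAULT Auth-Type := Reject
""")
# The radcheck rows for 'gerret', with the two Pool-Name operators side by side
POOL_EQ = parse_users("gerret User-Password == testpw, Pool-Name == main_pool")
POOL_SET = parse_users("gerret User-Password == testpw, Pool-Name := main_pool")

DIRECTORY = {"alice": {"students"}, "bob": {"faculty"}}   # constructed group membership

def member_of(request):
    return DIRECTORY.get(request.get("User-Name"), set())

def run_pool_case(users):
    return authorize({"User-Name": "gerret", "User-Password": "testpw"}, users, [], member_of)

def run_wlan_case(user, called_station_id):
    req = {"User-Name": user, "Called-Station-ID": called_station_id}
    return authorize(req, USERS_WLAN, [], member_of)

def run_hunt_case(client_ip):
    return authorize({"User-Name": "x", "Client-IP-Address": client_ip}, USERS_HUNT, HUNTGROUPS, member_of)

def run_realm_case(realm):
    return authorize({"User-Name": "x", "Realm": realm}, USERS_REALM, [], member_of)
```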
Re: Freeradius-Users Digest, Vol 8, Issue 82
On Mon, 19 Dec 2005, Stefan Adams wrote:

Hey, guys! Thanks for the great replies!! I like what you suggested better than what I've come up with in the mean time. I think what I came up with will work, it just seems messy/wrong/inefficient. What do you think?

modules {
    ldap {
        :
        filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Called-Station-ID}))
        :
    }
    attr_rewrite getssid {
        attribute = Called-Station-Id
        searchin = packet
        searchfor = .:
        replacewith =
        ignore_case = yes
        new_attribute = no
    }
}
authorize {
    # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
    preprocess
    eap
    getssid
    ldap
}

This cuts off the first 17 bytes and then a colon of the Called-Station-ID (My AP transmits a dash separated MAC followed by a colon and then the SSID). Then it uses this rewritten Called-Station-ID and uses that as a filter in the LDAP search. Therefore, if the SSID a user tries to connect to is not listed as an attribute of the user's LDAP object, the user is denied. Does that make sense?

That's a pretty neat idea. The benefit of that is if you had multiple ldap instances and wanted to implement fail-over within freeradius. To do it the traditional way, you would need this for fail-over with ldap-group checks if say you had two ldap instances.

DEFAULT Called-Station-Id =~ /studentregex/, ldap1-Ldap-Group == students
DEFAULT Called-Station-Id =~ /studentregex/, ldap2-Ldap-Group == students

That is so it will check with ldap1 instance first. If that fails, then check ldap2. By doing it your way, you won't need to do that anymore. Instead a redundant block in authorize would get you what you need already since the radiusGroupname inside your search filter takes care of the Ldap-Group check.

I wonder if you could use regex matches of Called-Station-ID in the huntgroups file. You'll have to test this out, I doubt it would work, but it's another interesting idea. I don't know if huntgroups accepts regex and if it can use things like Called-Station-Id

in huntgroups

students Called-Station-Id =~ /studentregex/
faculty  Called-Station-Id =~ /facultyregex/

Then in users file.

DEFAULT Ldap-Group == %{Huntgroup-Name}

Or your way.

(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Huntgroup-Name}))

See doc/configurable_failover and doc/rlm_ldap to see what I'm talking about with the failover. If you have a load balancer in front of that ldap server, you won't need to worry about it. But if you don't and you want to add redundancy, then it's something you'll need to think about some day. Freeradius can do the redundancy for you w/out a load balancer or shared IP using configurable failover. Actually in the upcoming 1.1 release it will also do load balancing for you in addition to failover inside your ldap blocks.

Hope I'm not too confusing. My point is I like your idea and if it's working for you, it doesn't sound like a bad one to me. You might want to try hitting it hard to see if the rewrite slows anything down, but I would bet it doesn't. I'd also make sure to add an eq index to radiusgroupname, since you'll be using that as part of your search filter.
Re: Auth All but only for those in my clients.conf
The secret in your clients.conf file is used to encrypt and sign packets between the clients and the server. It is not used for authentication.

Based on what you mention here and what someone else on the list mentioned earlier, I think the reason the secret is ignored is because it is used to encrypt the auth info which is basically non-existent in an Auth All situation. Am I getting this correct now?

Yep

Well, I don't understand the huntgroups and all just yet, I am new to FreeRadius (not to Radius in general, just FreeRadius). So, will this fix my issue where only CHAP requests are rejected? I am only having trouble with CHAP requests at this time, all other requests from allowed clients in the clients.conf file are getting an Accept back just as I want.

The huntgroups file is pretty easy to understand. Just read the comments in it.

But, now that you mention it. Your Auth-Type := Accept is still working with chap. Perhaps what I told you won't make a difference. Do you have anything in your authorize and authenticate section? Perhaps you ought to just try this. Comment out everything in authorize except for preprocess and files, so it would look like this w/out the comments.

authorize {
    preprocess
    files
}
authenticate {
}

That way the only thing that is touched is the users file. I'd be willing to bet that you have chap listed in authorize right now and it's before the files section. So, it's hitting the chap section of authorize and doesn't see a chap passwd and fails which causes a reject before it even gets to the files section. Just a guess?
Re: Auth All but only for those in my clients.conf
Again, I did want to mention that only CHAP requests fail; others go through fine with an Accept.

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host ##MyIPwasHere##:3457, id=0, length=57
        User-Name = [EMAIL PROTECTED]
        CHAP-Password = 0x7e842a573cd6363e06fe53a93a7b8d9e94
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219
modcall[authorize]: module auth_log returns ok for request 0

I think this is the problem. Try commenting out chap in the authorize section.

rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm ##MyDomainWasHere##/ for User-Name = [EMAIL PROTECTED]/.com
rlm_realm: No such realm ##MyDomainWasHere##/.com
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 156

I'd have to assume this match (line 156) is your Auth-Type := Accept. However, for some reason it's not overriding the Auth-Type := CHAP that was set earlier by the chap section of authorize.

modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_chap: login attempt by [EMAIL PROTECTED] with CHAP password
rlm_chap: Could not find clear text password for user [EMAIL PROTECTED]
modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [EMAIL PROTECTED]/CHAP-Password] (from client ToddHome port 0)
Delaying request 0 for 1 seconds
Finished request 0

Try commenting out chap in authorize and authenticate and see what happens.
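As an added diagnostic (not from the thread, not FreeRADIUS's own code), a small Python script that walks `radiusd -X` output for one request and reports which authorize module set Auth-Type before `files` ran, which is what the trace above shows. The sample lines are constructed after that trace; the user name, the `alice@example.test` value and the exact line shapes for FreeRADIUS 1.x debug output are assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed sample modelled on the radiusd -X output posted above
# (user name is a placeholder, not a value from the thread).
SAMPLE_DEBUG = """\
  modcall[authorize]: module preprocess returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
rlm_chap: Could not find clear text password for user alice@example.test
  modcall[authenticate]: module chap returns invalid for request 0
"""

# Line shapes assumed from the FreeRADIUS 1.x debug output in the post above.
MODCALL = re.compile(r"modcall\[(authorize|authenticate)\]: module (\S+) returns (\S+)")
SET_AUTH = re.compile(r"rlm_(\S+): Setting 'Auth-Type := (\S+)'")
USERS_MATCH = re.compile(r"users: Matched entry (\S+) at line (\d+)")
FOUND_AUTH = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")


def trace_request(debug_lines: List[str]) -> Dict[str, Any]:
    # Record module call order per section and which module first set Auth-Type.
    trace: Dict[str, Any] = {"authorize": [], "authenticate": [],
                             "auth_type_set_by": None, "auth_type": None, "users_entry": None}
    for line in debug_lines:
        if (m := SET_AUTH.search(line)) and trace["auth_type_set_by"] is None:
            trace["auth_type_set_by"] = m.group(1)      # first setter wins
        elif m := USERS_MATCH.search(line):
            trace["users_entry"] = (m.group(1), int(m.group(2)))
        elif m := FOUND_AUTH.search(line):
            trace["auth_type"] = m.group(1)
        elif m := MODCALL.search(line):
            trace[m.group(1)].append((m.group(2), m.group(3)))
    return trace


def diagnose(trace: Dict[str, Any]) -> str:
    """Say whether an earlier authorize module pre-empted the users file entry."""
    order = [mod for mod, _ in trace["authorize"]]
    setter = trace["auth_type_set_by"]
    failed = [(mod, rc) for mod, rc in trace["authenticate"] if rc in ("invalid", "reject", "fail")]
    if setter in order and "files" in order and order.index(setter) < order.index("files"):
        entry, lineno = trace["users_entry"] or ("<none>", 0)
        msg = (f"Auth-Type {trace['auth_type']} was set by '{setter}' before 'files' ran; "
               f"users entry {entry} (line {lineno}) could not override it")
        if failed:
            msg += f"; authenticate module '{failed[0][0]}' returned {failed[0][1]}"
        return msg
    return "Auth-Type was not pre-set by an earlier authorize module"
```

Run it as `diagnose(trace_request(open("debug.log").read().splitlines()))` on a captured `radiusd -X` session to get the same verdict the reply above reaches by eye.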
