what the module file would look like.
There are dozens of them there. Just save what is quoted in the guide
(with adjusted text) as a file into raddb/modules directory.
Ivan Kalik
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Configure AD as ldap server in ldap module (.raddb/modules/ldap). Then
add to users file:
DEFAULT Ldap-Group == max_priv_level or whatever is your group called
Service-Type = NAS-Prompt-User,
cisco-avpair = shell:priv-lvl=15
Ivan Kalik
to put the reference to that new file (ntlm_rick
in this case) into inner-tunnel as well? And in the virtual server
config? In both the authorize{} and authenticate {} sections?
Just authenticate and default virtual server. Inner tunnel is for peap.
Ivan Kalik
Wagner Pereira wrote:
Dear colleagues,
I am now introducing some new information. Below is what is declared in my IOS -
Cisco 6500. Is this correct?
Why don't you just read the cisco wiki page.
Ivan Kalik
Kalik Informatika ISP
, the user disconnected and reconnected, keeping all
data records for that month, within that month.
Don't do that.
I'm curious as to why not?
Because it doesn't make sense to break accounting records that are
correct. Fix what's wrong instead.
Ivan Kalik
Kalik Informatika ISP
config seems to work but I'm wondering if I'm missing out on
something important.
O'Reilly's book is also out of date. Updated documentation is available
with server source. Look through that info first.
Ivan Kalik
Kalik Informatika ISP
Need to know if there's a script that allows users to clean their
session has been connected by a long period in the table raddact.
DELETE FROM radacct WHERE AcctStartTime whatever
Why would you allow users to do anything with their accounting records?
Ivan Kalik
Kalik Informatika ISP
would like
the end-client to be able to use MSCHAPv2 to use both.
http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_(ntlm_auth)_with_accounts_stored_elsewhere
Ivan Kalik
Kalik Informatika ISP
And what is unclear about that message?
Ivan Kalik
Kalik Informatika ISP
for
easiest log handling *only* ?
What does that mean?
Ivan Kalik
Kalik Informatika ISP
:(
So? It's not hard to translate user file entries into sql entries:
what's on the first (check) line goes into radcheck table
what's on reply lines goes into radreply
Ivan Kalik
Kalik Informatika ISP
find any documentation about it?
Also, should I use system passwords or keep them in the postgres to make
it work?
You can't use system (crypted) passwords with mschap.
Ivan Kalik
Kalik Informatika ISP
in counter.conf.
Ivan Kalik
Kalik Informatika ISP
not installed.
Meanwhile the radutmp line in session section of
/sites-available/default file is commented out, sql line is in charge.
If you don't want checkrad.pl to check with NAS (ie only look in the
radacct table) set nastype as other in clients.conf.
Ivan Kalik
Kalik Informatika ISP
or listen in sites-enabled directory. Should I just put the
listen clause in one of the files, remove the default file there and
remove listen from radiusd.conf?
It's documented in raddb/sites-available/README.
Ivan Kalik
Kalik Informatika ISP
.
Ivan Kalik
Kalik Informatika ISP
me to the problem source.
This is usually a Samba issue. Several people have resolved it by
downgrading Samba from 3.2.x to 3.0.x.
Ivan Kalik
Kalik Informatika ISP
as pppoe client and i would like to
give AAA for my users.
And the problem is ...?
Ivan Kalik
Kalik Informatika ISP
| Framed-User | PPP|
0.0.0.0 | 0 | 0 | |
Now find the start record for that session and see what happened to the
Framed-IP-Address there. Stop record doesn't update IP. Start and updates
do.
Ivan Kalik
Kalik Informatika ISP
?
Probably. Does your PPPoE server support radius? It probably does.
Ivan Kalik
Kalik Informatika ISP
Sergio Belkin wrote:
Hi,
Sorry for the stupid question, but I'd want to get how many times every
user is connected, please could you provide some kind of guidelines?
Using Version 2.1.1.
SELECT Count(*) FROM radacct WHERE UserName='some_username'
Ivan Kalik
Kalik Informatika ISP
Auth-Type in radgroupcheck at all. Replace Password and ==
with Cleartext-Password and := and things will work.
Ivan Kalik
Kalik Informatika ISP
:=
Enterasys:version=1:policy=Mitarbeiter
Any ideas ?
Enable use_tunneled_reply in peap section of eap.conf.
Ivan Kalik
Kalik Informatika ISP
Sergio Belkin wrote:
2009/10/29 Ivan Kalik t...@kalik.net:
Sergio Belkin wrote:
Hi,
Sorry for the stupid question, but I'd want to get how many times every
user is connected, please could you provide some kind of guidelines?
Using Version 2.1.1.
SELECT Count(*) FROM radacct
...
There is no difference in using any sql server. All that is different is
what you put as database in sql.conf. Everything else is the same
whichever database server you use.
Ivan Kalik
Kalik Informatika ISP
should really test NAS rather than radius for that. If you really want
to use radius records look into the radius database (radacct table).
Ivan Kalik
Kalik Informatika ISP
I'm a new user. Can anyone help me with the FreeRADIUS Active
Directory Integration HOWTO
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
?
This paper is no longer available on the site.
http://deployingradius.com/documents/configuration/active_directory.html
Ivan
, with 3.13
version.
Post the debug of one accounting packet when such error happens. And don't
use HTML email.
Ivan Kalik
Kalik Informatika ISP
will be
accepted.
One more quick question, how can we set a timeout for different users, so if
the connection is idle for say 4 hrs, it should get disconnected.
See Session-Timeout attribute.
Ivan Kalik
Kalik Informatika ISP
file to have it do mac authentication.
Would this be the right way to do this?
Probably. That's the question for ChilliSpot list.
Ivan Kalik
Kalik Informatika ISP
might not work as expected.
Ivan Kalik
Kalik Informatika ISP
that it will be on the
control list).
Ivan Kalik
Kalik Informatika ISP
Stripped-User-Name???
Ivan Kalik
Kalik Informatika ISP
. If it doesn't - it probably isn't supported, so upgrade.
Ivan Kalik
Kalik Informatika ISP
Is this the option?
EAP-TLS-Require-Client-Cert = Yes
I'm not sure where I should place it.
Authorize section of inner-tunnel virtual server I think. Use unlang
(update control ...).
Ivan Kalik
Kalik Informatika ISP
PS. No, default virtual server looks more like it. Won't hurt to try both.
Ivan Kalik
Kalik Informatika ISP
and radacct table and there are many indexes and
nothing I could find is the problem. It only happens when I enable radius
accounting in SQL.
Run server in debug mode and see which queries are failing.
Ivan Kalik
Kalik Informatika ISP
the
Realm name not domain.name. (i.e. I want it to pick up from the first .
character not the last )
So put prefix not suffix as format. But that will break down if you allow
dots in usernames, like:
Sam.Body.domain.name
Ivan Kalik
Kalik Informatika ISP
. Sending IP addresses
to the NAS in a RADIUS packet won't work.
You can configure FreeRADIUS to be a DHCP server, but that involves
creating a DHCP configuration, not a RADIUS configuration.
Ivan Kalik
Kalik Informatika ISP
Don't use User-Password at all. See man rlm_pap.
Ivan Kalik
Kalik Informatika ISP
user password i guess is same as System?
On Mon, Oct 19, 2009 at 11:49 AM, Alan Buxey
a.l.m.bu...@lboro.ac.ukwrote:
Hi,
But I still got a small problem, when I run in the debug mode I saw this
warning. I'm
then.
Ivan Kalik
Kalik Informatika ISP
store expiration date? If it's in a database you can make a
query that checks if Expiration value is less than now() and then calls
the script.
Ivan Kalik
Kalik Informatika ISP
.
That is because there is no requirement to use sql in authorize (that's
when sql module tests group membership) - you can use SQL-Group without
listing sql there (if it's not listed anywhere you need to list sql in
instantiate).
Ivan Kalik
Kalik Informatika ISP
1812, id=168,
length=20
and when I execute radclient I get
Received response ID 146, code 2, length = 32
But when I try to authenticate on my notebook I get
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=168
You have removed realm LOCAL from proxy.conf.
Ivan Kalik
Kalik
There's no such path in /etc/raddb
I'm running version 1.1.3
Upgrade. That version is many years out of date. In 1.1.3 module will be
in radiusd.conf.
Ivan Kalik
Kalik Informatika ISP
the user not matching NAS-IP-Address for this group you
need to add:
if (SQL-Group == dialup-freedom) {
    if (NAS-IP-Address !~ ^111.222.333.(1|2|3|4|5|6)$) {
        ok
    }
    else {
        reject
    }
}
Ivan Kalik
Kalik Informatika ISP
User-Name breaks EAP.
I have checked again, files are uncommented in my inner-tunnel
configuration and hints is reprocessed.
Thanks for any suggestions.
Alter ldap information. It's not AD so don't use its naming conventions.
Ivan Kalik
Kalik Informatika ISP
of customers with one
NASIpAddress?
NAS-IP-Address + NAS-Port should be unique per online user (without
simultaneous logins) but there are plenty of devices using the same NAS-Port for
everybody (usually 0). You can try NAS-IP-Address + Calling-Station-Id in
such cases.
Ivan Kalik
Kalik Informatika ISP
.
Ivan Kalik
Kalik Informatika ISP
to dhcp. That's how wireless works.
Ivan Kalik
Kalik Informatika ISP
, then the script is
executed and takes myusername as an argument. With freeradius it should
automatically do the same?
Yes. But perl module already makes all request attributes available in
$RAD_REQUEST and it should run perl scripts faster than exec module.
Ivan Kalik
Kalik Informatika ISP
hey all
we keep upgrading FR servers and I got stuck with a problem where I need PAP
(I think), well I need clear text password and it's not working for my user.
When I send a request through NTRadPing w/ CHAP all works well but when I'm
using a device as NAS nothing works :(
I hope some one can
.
/*
* If stop but zero session length AND no previous
* session found, drop it as in invalid packet
* This is to fix CISCO's aaa from filling our
* table with bogus crap
*/
Your NAS is broken. Fix it so it sends proper accounting packets.
Ivan Kalik
Kalik Informatika ISP
the radius log file)?
You should look into the detail file and see what is wrong with the
packets that were stuck (or did the queries fail for some reason), like:
WARNING: Unresponsive child for request 165616, in module sql component
accounting
etc.
Ivan Kalik
Kalik Informatika ISP
credentials from
those entered by the user. That's the whole point of caching them.
Ivan Kalik
Kalik Informatika ISP
-String-0.
Ivan Kalik
Kalik Informatika ISP
in acct_users file:
u1 Tmp-String-0 := pppoe25
Ivan Kalik
Kalik Informatika ISP
? Currently I'm running freeradius 2.1.6 on freebsd 7.2 and windows 2003.
Yes. Configure AD as ldap server in raddb/modules/ldap and use group
membership queries (Ldap-Group).
Ivan Kalik
Kalik Informatika ISP
}
}
You can't use unlang in proxy.conf file. Use it in virtual server
configuration (authorize section).
Ivan Kalik
Kalik Informatika ISP
I am trying to build a version of 2.1.7 without threads (trying to debug
an abandoned child process issue). on a redhat AS5 Linux system
You don't build it without threads, you start it without threads. See man
radiusd.
Ivan Kalik
Kalik Informatika ISP
the sites-available directory, it seems
that it is not possible to define a 'log' section in a virtual server.
It's documented in log section. Only requests line is below debug enabling
example. It should be above.
Ivan Kalik
Kalik Informatika ISP
very basic
calculations. You will need more knowledge to construct counter queries
in sql than for programming in perl.
Any advice on what ISPs use as a radius solution?
Freeradius.
Ivan Kalik
Kalik Informatika ISP
to be ok, and be doing what I
desire. but I want the config to be CLEAN.
All I really want is to run a script when an accounting STOP record is
received. Am I doing it wrong?
You can't use Tmp-String-0 as a reply item. Use Exec-Program-Wait.
Ivan Kalik
Kalik Informatika ISP
for some hints to help determine why when the process fails through to
PAP, it won't use ntlm_auth - it will only use files
Post the debug.
Ivan Kalik
Kalik Informatika ISP
-Response
is incorrect
Where is your password? Ldap didn't pass it back.
Ivan Kalik
Kalik Informatika ISP
this, if there is one? I have read the documentation, the wiki
and the configuration files and I couldn't figure it out.
Configure two ldap instances and use them in the virtual servers that the
listen sections point to.
Ivan Kalik
Kalik Informatika ISP
claims about
the number of connections a device can handle. Divide it by 10. If the brochure says a device can
handle 10,000 connections it will handle about 1,000 in a realistic case.
Ivan Kalik
Kalik Informatika ISP
outside
database (sql, ldap). Post a debug with timestamps (radiusd -Xx) that will
show where the delay is.
Ivan Kalik
Kalik Informatika ISP
a list of (all) known callerIDs? Solution will depend on the policy.
Ivan Kalik
Kalik Informatika ISP
and where is it? BTW I don't see
ntlm-auth on that debug either.
Ivan Kalik
Kalik Informatika ISP
returns ok for request 5
rad_check_password: Found Auth-Type System
auth: type System
...
You are using a very outdated freeradius version that has Auth-Type System
enabled by default in the users file. Comment that DEFAULT line out.
Ivan Kalik
Kalik Informatika ISP
? Can you get all the data in authorize
script and let freeradius default modules do the authentication (that can
speed things up quite a bit)? Can you get (some of) the data using
freeradius sql/ldap/whatever modules instead?
Ivan Kalik
Kalik Informatika ISP
.
Ivan Kalik
Kalik Informatika ISP
need that at all? Instead of calling the database to see if the
flag (wherever you are using it) is set you can make a query that checks
if user is online.
Ivan Kalik
Kalik Informatika ISP
accounting
packets.
Ivan Kalik
Kalik Informatika ISP
someone more knowledgeable than you will be more able to assess
all points involved.
Oh, good luck with that one :-D I somehow doubt that you will find someone
more knowledgeable than Alan on this matter.
Ivan Kalik
Kalik Informatika ISP
will be incremented until the disconnection time ).
For that you will need to enable accounting updates on your NAS. If your
NAS supports Acct-Interim-Interval you can send it in the Access-Accept.
Ivan Kalik
Kalik Informatika ISP
I know that in the users file radius can check
items stored in the LDAP, only on a per user basis. But I would like to
do that on a per ldap group basis.
If you like users file that much you can also put it there as DEFAULT entry:
DEFAULT Ldap-Group == some_group, Expiration := when
Ivan
on the file.
Ivan Kalik
Kalik Informatika ISP
. The actual number
I have been given to use is 32768, and the problem seems to be the fact
that the number is 5 digits long. If I make the number 4 digits long my
server starts up without complaint.
Any suggestions?
Vendor number must be smaller than 32K. 32766 is max.
Ivan Kalik
Kalik Informatika
? Have you created radius
database? Does user configured in radius have permissions to run queries
on radius database? Is there a firewall stopping traffic? Do you see
radius handles connected to the database server when you start radius
server?
Should I go on?
Ivan Kalik
Kalik Informatika ISP
but this problem is on radius or db?
2009/10/9 Alan DeKok al...@deployingradius.com
Alisson wrote:
ok.. but what I need to do on my DB?
Repair? Create another DB? alter some variable?
Ask the people who wrote and support the DB.
Asking DB questions on a RADIUS list isn't the best
but this problem is on radius or db?
Database, network between radius and sql or incorrect data in sql.conf.
Ivan Kalik
Kalik Informatika ISP
queries
are failing.
Ivan Kalik
Kalik Informatika ISP
in LDAP. Are you sure
that the user is configured correctly?
Hm, try adding mapping for Cleartext-Password as userPassword to
ldap.attrmap.
Ivan Kalik
Kalik Informatika ISP
Just had a look at your ldap entries again. This doesn't look right:
userPassword:: dGVzdGVy
Shouldn't there be just one colon?
Ivan Kalik
Kalik Informatika ISP
You can add NT / LM pairs to each LDAP user object. You must include the
samba.schema into the ldap server schemas.
Ex
.
Ivan Kalik
Kalik Informatika ISP
: +- entering group UNIX {...}
Thu Oct 8 14:12:07 2009 : Debug: modsingle[authenticate]: calling
unix (rlm_unix) for request 1
Thu Oct 8 14:12:07 2009 : Auth: [unix] invalid password jason
Password is wrong.
Ivan Kalik
Kalik Informatika ISP
}} but
Stripped-User-Name does not have a value.
I'm not interested in the domain in my accounting, so does anyone have
any guidance on how to safely strip/sanitise the usernames?
Activate ntdomain in preacct and create local realm in proxy.conf:
realm UOB {
}
That should give you Stripped-User-Name.
Ivan
This is freeradius, not Cisco support list.
Ivan Kalik
Kalik Informatika ISP
I want to implement the pppoe service at one cisco 7600
-sup720bxl-SIp600-Spa5gbe ,but no success.
I have been searching the cisco web to see if it is possible with SIP 600 but
found nothing. I am not sure that the SIP 600
= ${pool_config.test_password}
ipaddr = server2.net
secret = ${pool_config.secret2}
port = 1812
type = auth+acct
}
Start the server in debug mode. You will see how the home server
configuration resolves and whether something is not as expected.
Ivan Kalik
Kalik Informatika ISP
is radius authentication configured (and are radius server details
correct).
Ivan Kalik
Kalik Informatika ISP
in dialup.conf.
Do you think this could work? (I'll test it anyway, but just would like
to know if this seems feasible).
It can. Default post-auth query is not storing any reply attributes but
you can adapt the query and schema to log those you want.
Ivan Kalik
Kalik Informatika ISP
no idea where it would fit in.
Do guidelines from man unlang work in perl? If they do, you can get the number
of avpairs from %{Cisco-AVPair[#]}, and then loop through
%{Cisco-AVPair[i]} until you find the one with ssid.
Ivan Kalik
Kalik Informatika ISP
);
# }
This alteration will get the script working properly for 7xxx routers that
fail default check (ie. they don't support OID that checks who is on the
port - instead they peek into local accounting to see if there is an
active session for that accounting id).
Ivan Kalik
Kalik Informatika ISP
* section!
My configuration of eap.conf:
ttls {
Nice, but ...
...
[eap] processing type peap
...
... you are not doing EAP-TTLS. Enable same parameter in peap section of
eap.conf.
Ivan Kalik
Kalik Informatika ISP
for
Google, for instance? What you want *is* a captive portal - it will
capture the user and redirect him from the requested page onto the one you
want him to see.
Ivan Kalik
Kalik Informatika ISP
that is to change the assigned DNS
servers - and he can surf the net. You need a proper captive portal where
user can't simply change DNS info and/or assigned IP and escape.
Ivan Kalik
Kalik Informatika ISP
already and if it has sends the reply from the cache without processing
the (duplicated) request. You can re-use and adapt some of that code for
your purpose.
Ivan Kalik
Kalik Informatika ISP