Hi Ravi,
If you're even remotely proficient in C, you'll find it is not a
difficult task to add a new module.
Use the example module, or one of the other modules (including
Makefile) as a basis. Start with an empty module that just returns
RLM_MODULE_OK from each function, get it to compile and
Hi Corey,
You don't have debug output for the "username without
realm", but I suspect what is happening is the Stripped-User-Name attribute is
not being added, because the username doesn't need to be
stripped!
You can try:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Which will
Hi Tony,
I've run into this problem in the past. What version of freeRADIUS are
you running?
Like you I found that it appears more often when proxying requests to a
home server - I guess the requests sit in the queue longer waiting for a
reply.
Alan was kind enough to supply a patch within
Hi all,
I'm at a bit of a loss. I'm currently trying to load test the
authentication proxy performance of freeRADIUS 1.0.1 in preparation for
a deployment this weekend.
Unfortunately, I'm running into this error Error: FATAL! Server is too
busy to process requests.
My scenario is:
Does anybody know, where can the problem lie?
Run the server in debug mode (radiusd -X) and it will tell you why.
If you still can't work it out, post the output back here and someone
will help you.
cheers,
Mike
-
List info/subscribe/unsubscribe? See
There used to be a DEFAULT stanza in the users configuration file that
set Auth-Type := System which tells the RADIUS server to use /etc/passwd
for authentication. This has caused a few issues like this in the past,
though I thought it had been resolved for 1.0.5.
If it still exists you may have
Hi Nan0,
The authorize section of radiusd.conf is actually run twice when an
Access-Request is received by the server.
The first time, Autz-Type is not set. During the first run through the
authorize section, one of the modules may set Autz-Type, for example, a
module may set Autz-Type to
I think your problem is that the etc/raddb directory isn't
readable/executable by your freerad user? If you run the server as root,
it first reads the configuration files (radiusd.conf, clients.conf,
proxy.conf, etc) then setuid's to the configured user before
instantiating the modules, etc.
Been here, done that. It doesn't help, looks like Access-Reject's
generated during authorize phase are never passed to
post_auth phase.
Are you using the latest release of FreeRADIUS? It was a bug in
version 1.0.2 and earlier.
CVS snapshot.
Why is authorization failing? I
Hello, I had a problem with my freeradius. When I debug and
send radest there no rad-recev about accounting-request there
only about access-request.
Can anyone help me what's wrong with my configuration??
Are you using radtest? Radtest is just a wrapper shell script for
radclient and
Hi,
Check /usr/local/radius/lib for rlm_ldap* to ensure that rlm_ldap
actually built and was installed.
Cheers,
Mike
Hello,
first, excuse me for my English
I have freeradius running with EAP and PEAP authentication
very well, but I would like use Openldap like database, but
when
Obviously a typo... it should most likely be 2005.06.03
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 June 2005 12:04 PM
To: freeradius-users@lists.freeradius.org
Subject: The released date of 1.0.3
Why the 1.0.3's released date is later
Well, if you have different vendor attributes for the same thing then
you should be able to do for example:
%{Quintum-h323-call-origin:-%{Cisco-h323-call-origin}}
That will use Quintum-h323-call-origin if it exists, otherwise
Cisco-h323-call-origin
See variables.txt in the doc directory for
Fantastic! That is exactly what I was looking for.
The only downside to this is that we will have to reconfigure
the system for each additional manufacturer we want to add.
Is there a more general way of doing it? Or is this just the
nature of VSAs?
Hmm, can't think of one. But there are
Hi Luke,
It's being updated by Alive (Interim Accounting) requests coming from
your NAS at 15 minute intervals.
So the answer to your question is no, the RADIUS server cannot continue
to update this field for you after the session has ended.
Question is, why would you want it to be updated
I've already done some work to get this working, it's pretty much
finished, but I'll try to finish it off in the next couple of weeks...
But in the meantime I can provide some patches?
I think there's also been patches added to provide hooks to check for a
client in a database at authentication
Hi Alan,
Thanks for your answer but that is unfortunately not what I
had hoped for. What I'm actually looking for is a way to
retrieve the configured attributes of some one that is trying
to connect to my freeRADIUS server. Is that possible?
Configured where?
Do you mean you want to see
The radius server can process accounting without processing
authentication (and vice versa), there is nothing wrong with that...
Simplistically, if you want to use the Simultaneous-Use features built
into freeRADIUS, then yes the server must process RADIUS authentication
and accounting streams.
It looks like I'm interested in the 'Realm' or 'Proxy-To-Realm'
attributes, but I'm not sure where to put them. I think that
I'd have to do this in the users file, but I'm not sure if
that is too late in the process. Maybe something along these lines:
DEFAULT Huntgroup-Name ==
Is it possible to use different SQL authorize check queries
based on the NAS the request is coming from?
Yep, sure is.
What you need to do is define multiple sql module instances in the
modules section of radiusd.conf (eg include multiple sql.conf files):
sql sql1 {
blah = ...
}
sql
It appears that your RADIUS server is proxying the
request to a "home" server, which hasn't responded... is this what you're
intending?
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anson Rinesmith
Sent: Tuesday, 15 March 2005 2:30 PM
To:
The accounting_xxx_query queries in sql.conf are run in response to the
freeRADIUS server receiving an *accounting* request from a NAS. This is
independent from the authorization/authentication process that has
occurred previously. The sql queries log what was received in the
*accounting* request
Yes, you have to send the server a HUP.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Luca Lafranchi
Sent: Wednesday, 2 March 2005 6:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Reload NAS table on freeradius after record update
Hi,
The
Thanks Paul,
Do we have an ETA for 1.1.0?
I'd be happy to do a bit of testing of configure scripts, etc, on
Solaris 9 if you need someone...
Regards,
Mike
I'm happy to look at patches for 1.0.2 (everyone's talking
about 1.0.1 here, I'm not taking patches for _that_) to fix
this, unless
The information is in the PoD request.
Kind of. From the NAS's perspective, the PoD only needs to contain the
Acct-Session-Id. However obviously in order to proxy a request we at
least need the NAS-IP-Address. I use this to map back to a Realm or a
NAS which will ultimately handle the PoD.
Title: pre-accounting/pre-proxy
radiusd.conf says:
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules
Are you on a unix box?
Sending the radiusd process a HUP signal will tell the radius server to
re-read its configuration files.
Or:
/etc/init.d/radiusd restart
Or:
/etc/init.d/radiusd reload
Or wherever your init scripts live...
-Original Message-
From: [EMAIL PROTECTED]
Title: pre-acct processing and Proxy-To-Realm
I have a situation where I need to proxy (authentication and accounting) based not on realm, but on whether our LDAP database contains the user name.
For authentication this is easy, but for accounting, it proves a little more difficult.
I
Run the server in debug mode (radiusd -X) and you'll see EXACTLY why it's
failing...
You need to ensure an Auth-Type is being set somewhere, sounds like it
may not be...
Also make sure your shared secret is correct. IIRC, you can have the
wrong shared secret, and CHAP will still work, but PAP
Very minor point... The link to 1.0.2 on the freeradius home page points
back to http://www.freeradius.org rather than the tar file (as per
previous releases).
As I said, very minor point ;-)
regards,
Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Firstly, run the server in debug mode (as it says in the doco), and you
can see exactly what it's doing, and why you are being rejected:
radiusd -X
Secondly, the user password attribute is called User-Password (as per
the examples in the users file), so try that.
Regards,
Mike
-Original
Hi Paul,
You're looking for the block around line 3925 in aclocal.m4,
with the following comment block:
dnl #
dnl # That didn't work. Try adding the '-lcrypto' line.
dnl # Some SNMP libraries are linked against SSL...
dnl #
Copy from the next line through fi, paste below the fi,
Title: configure for rlm_ldap on Solaris
Hi List,
I've done some more investigation into why configure doesn't work out of the box on Solaris for rlm_ldap.
I've found the reason, now I need to find a solution, hopefully with someone's help...
By default, Solaris comes with ldap include
Title: configure script nightmare with ucd-snmp
Hi List,
I'm attempting to build freeRADIUS 1.0.1 on Solaris 9 with ucd-snmp 4.2.6
I've been struggling to get the configure script to successfully recognise ucd-snmp and thus enable it for compilation in freeradius. I'm on Solaris 9, and
Thanks for the reply Paul!
The (undocumented, as it happens) --with-snmp-include-dir and
--with-snmp-lib-dir options should be able to take care of
having built ucd-snmp in your home directory.
Yep, I tried them... sadly, they don't seem to work for me. I had the
same problem with the LDAP
You shouldn't have to edit rlm_ldap.c to get it to compile. The problem I had
(Solaris 9) was that the configure script did not add the path to the ldap
headers in the rlm_ldap Makefile, even though I had specified
--with-rlm-ldap-include-dir=blah to the configure script.
If you add the
Ahh brilliant! Didn't find that in my searches!
Thanks Kevin!
This is probably what you're looking for:
http://lists.freeradius.org/archives/freeradius-users/2004/10/frm00210.html
Kevin Bonner
[EMAIL PROTECTED] wrote:
The problem seems to be, again, that even one adds
--with-ltdl-lib=/opt/csw/share/libtool/libltdl
--with-ltdl-include=/opt/csw/share/libtool/libltdl
make does not seem to care about it.
I've found this to be the case with several (if not all) of the
--with-BLAH-lib
alan walters wrote:
This is working fine but I would prefer if one of the ldap
directories failed the radius fell over onto another ldap. Is
this possible
Sure is. Take a look at configurable_failover in the docs directory. You
need to define two ldap instances in radiusd.conf (one for each of
Just floating an idea...
Is it worth considering adding a periodic section to radiusd.conf and
the radius server? Rather than retrofitting reload this, reload that,
functionality into existing functions that are called during the
processing of a request, modules could implement a periodic
Title: Mapping a single LDAP attribute to multiple radius attributes
I'm after some suggestions to a problem I'm facing
Can anyone think of a way to map a single LDAP attribute to one of a choice of radius attributes depending on the type of NAS that made the request?
Ie, if the request
41 matches