Run FreeRADIUS in debug mode and read the output.
# radiusd -X
Tim
-----Original Message-----
From: freeradius-users (on behalf of Morteza)
My APs are all behind a NAT and the radius server is outside this NAT. How do I
configure clients.conf to accept the connections from the APs?
It depends. If the NAT device statically maps the AP's IP address to a
dedicated NATed IP address, then you can add the APs' NATed IP addresses to
rlm_sql (sql): Connected new DB handle, #79
Module: Instantiated sql (sql)
Failed creating PID file /root/radiusd.pid: Permission denied
Maybe you have a permissions problem?
Tim
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I usually add Auth-Type := Reject to the radcheck table to disable a user.
You remove the entry to enable the user.
Tim
Hi Daniel,
I have a FreeRadius + MySQL setup with MikroTik as NAS.
And a few days ago I have some warnings and errors in the log:
Tue Oct 25 04:02:41 2011 : Info: Released IP xxx.xxx.xxx.xxx (did via-pppoe-01 cli xx:xx:xx:xx:xx:xx user dmnzs-test)
Tue Oct 25 05:30:36 2011 : Error: Received
I'm in the process of testing FreeRADIUS 2.1.11, just basic/standard
setup.
I've been following the following user guide:
http://deployingradius.com/documents/configuration/pap.html. Very
useful, by the way.
PAP, MSCHAP and MSCHAPv2 work ok, but I'm unable to get any EAP tests to
pass.
Thanks for your prompt response. eapol_test has been built with all EAP
modules. See log below:
Do you know what the problem can be? I've tried almost everything now!
It's hard to tell what's going on with only a portion of the log. Send the
logs for both eapol_test and FreeRADIUS in debug
In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of
the EAP request message. How can I get the password of the
EAP request? $RAD_REQUEST{'User-Password'} won't return the password.
[Tim] You can't. RADIUS Access-Request packets that use EAP do not send
the password to the
Step 1. Try pinging the AP from the CentOS box. If that doesn't work, then
you definitely have a network problem.
Step 2. Disable the firewall on the CentOS box (/etc/init.d/iptables stop).
Then try pinging the CentOS box from the AP and then pinging the AP from the
CentOS box. If that works,
I would recommend two servers using MySQL Replication.
1. Master Server with FreeRADIUS and MySQL Master; write accounting
packets to MySQL
2. Replica Server with FreeRADIUS and MySQL Replica; forward
accounting packets to Master for writing to MySQL
As for performance, my
Your NAS is sending the password in clear text and is not doing CHAP, so the
RADIUS server needs to find either a clear text password or a hashed
password. Where are you storing usernames/passwords? Make sure that you have
an entry for User-Name = aew...@domain.ca and Cleartext-Password :=
This doesn't specifically address your problem, but you should use a more
recent version of FreeRADIUS. Try downloading FreeRADIUS 2.1.10 or 2.1.11
from www.freeradius.org.
ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.bz2
Is the unix module uncommented in the authorize section of your
configuration? If so, then FreeRADIUS is authenticating the users in the
/etc/passwd file.
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you
By default, the accounting detail files are in:
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
which usually translates to:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
Read the raddb/modules/detail file for more information.
Tim
+-----+----------+--------------------+----+-------------+
| id  | username | attribute          | op | value       |
+-----+----------+--------------------+----+-------------+
| 386 | bob      | Expiration         | := | 25 Jun 2011 |
| 385 | bob      | Simultaneous-Use   | =  | 1           |
| 384 | bob      | Cleartext-Password | := | bob         |
+-----+----------+--------------------+----+-------------+
From: Tim Sylvester
To: FreeRadius users mailing list
-----Original Message-----
From: freeradius-users (on behalf of john decot)
Sent: Monday, May 23, 2011 9:36 PM
To: FreeRadius users mailing list
Subject: Re:
Yücel,
Did you add the Filter-ID attribute to the radreply table? It should look
like this.
select * from radreply;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
I've got a radius server up and running, and I want to clean up my
configuration as much as possible. is it a safe assumption that if I
remove a file (actually move it out of the way) and attempt to
authenticate a client that if the client can successfully authenticate
that everything is
Why did you remove the files? Unless they are doing something bad, leave
them alone.
Tim
it's told.
--Brian
-----Original Message-----
From: freeradius-users (on behalf of Tim Sylvester)
Sent: Monday, January 10, 2011 5:13 PM
To: 'FreeRadius users mailing list'
It claims that there is an accounting packet without an
acctsessiontime... I found the offending entries and now it works. I
guess I'll have to
edit those out each time. They are being created by a web-accelerator
program we
use.
: Info: [sql] stop packet with zero session length. [user
It doesn't import any additional records after that. It just stops,
and keeps generating the error.
OK. Run the server in debug mode (radiusd -X) and send the debug output to
the list.
Tim
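The detail file layout described earlier on this page (an unindented date line, then one tab-indented "Attribute = value" line per attribute, then a blank line) and the zero-session-length Stop records in the thread just above, as an added Python example. This is not code from FreeRADIUS or from any post in the thread: the records in SAMPLE_DETAIL are constructed, and the parser and the split between importable and skipped records are this example's own.

```python
"""Read FreeRADIUS 'detail' accounting files and pick out the records
the SQL accounting path refuses (a Stop with a zero or missing
Acct-Session-Time).

Added example, not code from FreeRADIUS or from the list posts. The
records in SAMPLE_DETAIL are constructed; their layout (an unindented
date line, tab-indented "Attribute = value" lines, a blank line) follows
the format the detail module writes.
"""
from collections import defaultdict

SAMPLE_DETAIL = """\
Tue Oct 25 04:00:00 2011
\tAcct-Session-Id = "8100000A"
\tUser-Name = "dmnzs-test"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 10.0.0.1
\tFramed-IP-Address = 192.0.2.10
\tTimestamp = 1319515200

Tue Oct 25 04:02:41 2011
\tAcct-Session-Id = "8100000A"
\tUser-Name = "dmnzs-test"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 161
\tAcct-Input-Octets = 1234
\tAcct-Output-Octets = 5678
\tNAS-IP-Address = 10.0.0.1
\tTimestamp = 1319515361

Tue Oct 25 04:02:42 2011
\tAcct-Session-Id = "8100000B"
\tUser-Name = "webaccel"
\tAcct-Status-Type = Stop
\tNAS-IP-Address = 10.0.0.1
\tTimestamp = 1319515362

Tue Oct 25 04:02:43 2011
\tAcct-Session-Id = "8100000C"
\tUser-Name = "webaccel"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 0
\tNAS-IP-Address = 10.0.0.1
\tTimestamp = 1319515363

"""


def parse_detail(text: str) -> list:
    """Split a detail file into records: dicts of attribute -> value,
    plus a '_date' key holding the record's unindented header line."""
    records, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():                  # blank line terminates a record
            if current is not None:
                records.append(current)
                current = None
            continue
        if line[0] not in " \t":              # unindented line opens a record
            if current is not None:
                records.append(current)
            current = {"_date": line.strip()}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: attribute before any record header")
        name, sep, value = line.strip().partition(" = ")
        if not sep:
            raise ValueError(f"line {lineno}: malformed attribute line {line!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]               # string values are written quoted
        current[name] = value
    if current is not None:                   # file without a trailing blank line
        records.append(current)
    return records


def session_time(record: dict) -> int:
    """Acct-Session-Time as an int; an absent attribute counts as 0."""
    return int(record.get("Acct-Session-Time", "0") or 0)


def is_zero_length_stop(record: dict) -> bool:
    """The condition behind the 'stop packet with zero session length'
    log line quoted in the thread: a Stop that carries no session time."""
    return record.get("Acct-Status-Type") == "Stop" and session_time(record) == 0


def split_importable(records: list) -> tuple:
    """Return (records worth writing, records to set aside), so the bad
    ones can be reviewed instead of blocking the rest of the import."""
    good = [r for r in records if not is_zero_length_stop(r)]
    bad = [r for r in records if is_zero_length_stop(r)]
    return good, bad


def session_time_per_user(records: list) -> dict:
    """Total session time per user from Stop records, the figure a
    SUM(acctsessiontime) query on radacct would give you."""
    totals = defaultdict(int)
    for r in records:
        if r.get("Acct-Status-Type") == "Stop":
            totals[r.get("User-Name", "")] += session_time(r)
    return dict(totals)


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    good, bad = split_importable(recs)
    print(f"{len(recs)} records, {len(bad)} zero-length stops set aside")
    for r in bad:
        print("  skipped:", r["_date"], r.get("User-Name"), r.get("Acct-Session-Id"))
    print("session time per user:", session_time_per_user(good))
```

Running the script on the constructed sample sets aside the two "webaccel" Stop records (one with no Acct-Session-Time at all, one with 0) and totals 161 seconds for dmnzs-test from the remaining records; the same functions can be pointed at a real ${radacctdir}/.../detail-YYYYMMDD file to find the entries that stall an import.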
You need to run radiusd in single threaded mode. The server forks a couple of
processes to run the server as a daemon and then exits normally. If you
looked at the process table (ps -ef), you should see a copy of freeradius
running on your system.
In gdb, set the arguments for radiusd using set args
I am using freeradius to authenticate users to give them access to the Internet.
I want my users to use their group, which is their department, to be able to
have internet access, because I need traceability. To understand my problem I'm
going to use an example,
User-Name: bob
Groupe-name: communication
I
I'm sure I am missing something simple and probably obvious. Now that
I have installed freeradius (2.1.9-1.fc13.i686) and imported the mysql
schema
and populated it with a test user, I would like to know if there are some
basic config instructions for telling freeradius to actually use the
Now I want to also make Freeradius generate a COA by some other
means.
e.g. a tech support guy clicking disconnect on a web page.
I.e. I want to somehow trigger a coa that is not caused by an
update coa
{} block, but by some external trigger.
Is this possible in any way?
You
Run the server in debug mode (radiusd -X) and check the attributes sent by
the NAS. The NAS may not be sending the Calling-Station-Id or it may be in a
different format. Either way, the debug output is going to give you more
information.
Tim
-----Original Message-----
From: freeradius-users (on behalf of Tim Sylvester)
Sent: Monday, 4 October 2010 20:16
To: 'FreeRadius users mailing list'
Subject: RE: Check multiple attributes for one user
Run the server in debug mode (radiusd -X) and check the attributes
FreeRADIUS is open source software that can be downloaded from the Internet
by anyone in the world. The concept of exporting FreeRADIUS doesn't really
make sense.
Are there ECCN codes for Linux, OpenSSL, and OpenVPN?
Tim
well, i had tried other configuration for users:
bob	Cleartext-Password = bob
	Juniper-Local-User-Name = labrat
labrat is local login user id so that all of radius users will be mapped to
that user. unfortunately, it is also failed though with no warning messages:
[Tim] You are
Thanks Tim:
Yes, it is better but not yet working correctly:
g...@giraffe:~:$ ssh b...@192.168.255.138
b...@192.168.255.138's password:
Permission denied, please try again.
b...@192.168.255.138's password:
Permission denied, please try again.
b...@192.168.255.138's password:
Permission
[sql] expand: %{User-Name} - fredf
[sql] sql_set_user escaped user -- 'fredf'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
- SELECT id, username,
I've got more than one radius server configured on my switches. If one
server times out the switch takes the second server. On each radius
server a freeradius and a mysql db is running. I'm now searching for a
way that the freeradius does not return anything (=timeout for the
switch) if it cannot
The socket is created with these permissions:
ls -ltr /opt/freeradius/var/run/radiusd/radiusd.sock
srw-rw---- 1 radius radius 0 2010-09-01 20:18 /opt/freeradius/var/run/radiusd/radiusd.sock
When I try to connect to the socket with radmin I received a permission
denied:
The user 'testuser' does not have permission to access the socket.
Add
'testuser' to the group 'radius' or run radmin as root.
Tim
Is it possible to connect to the socket with a group other than 'radius'?
Yes. Check the documentation in the raddb/sites-available/control-socket
file for
One option is to configure FR to be a detail file reader which will import
the files and can write them to the database. Start by looking at the
decoupled-accounting file in the sites-available directory. It shows how to
setup a detail file reader.
Tim
Does freeradius support receiving Interim-Update with the accounting
info? meaning updating the radacct table with user usage / session
time at regular intervals?
Yes. You need to make sure that your NAS is configured to send the updates.
Tim
Try the following:
Add this to the top of the Authorize section:
authorize {
	if (ADSL-Agent-Circuit-Id) {
		update request {
			User-Name := "%{ADSL-Agent-Circuit-Id}"
			User-Password := "%{ADSL-Agent-Circuit-Id}"
		}
	}
	# ... the rest of the existing authorize section follows
}
Add this to the authorize section:
authorize {
	if (ADSL-Agent-Circuit-Id) {
		update request {
			User-Name := "%{ADSL-Agent-Circuit-Id}"
			User-Password := "%{ADSL-Agent-Circuit-Id}"
		}
	}
	# ... the rest of the existing authorize section follows
}
Make sure to add
This opens up a security hole I wish to avoid - if someone knows what my
circuit IDs look like, and that database is used in any context where a
user can send an id/password to authenticate that does NOT have
ADSL-Agent-Circuit-Id in it, then I've created a bunch of known user IDs for
Radmin was an experimental tool when it came out over a year ago. I have
safely used it on production systems.
Tim
Using Cleartext-Password :=, the message still appears:
WARNING: unprintable characters in the password. Double-check the shared
secret on the server and the NAS!
And the user is not logged in successfully, the encrypted key.
What could be the problem?
You need to read the error message and
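What the PAP and CHAP cases on this page look like on the wire, and why a shared-secret mismatch surfaces as "unprintable characters in the password": an added Python example, not code from FreeRADIUS or from any of the posts. It implements the RFC 2865 User-Password hiding a NAS applies and the server-side CHAP check; the shared secrets, Request Authenticator, CHAP challenge and passwords in demo() are constructed values, and the printable-ASCII heuristic in looks_printable is an assumption about how the server decides to warn.

```python
"""RFC 2865 User-Password hiding and CHAP verification, as a RADIUS
server sees them.

Added example, not code from FreeRADIUS or from the list posts. The
shared secrets, Request Authenticator, CHAP challenge and passwords in
demo() are constructed test values.
"""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password the way a NAS does (RFC 2865, section 5.2).

    The password is NUL-padded to a multiple of 16 bytes; each block is
    XORed with MD5(secret + previous ciphertext block), the first
    "previous block" being the 16-byte Request Authenticator of the packet.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext as the server does.

    Nothing here authenticates the secret: with the wrong secret the XOR
    simply yields garbage bytes, which is what the "unprintable characters
    in the password" warning is reacting to.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_printable(password: bytes) -> bool:
    """Printable-ASCII check (assumed here to match the server's heuristic)."""
    return all(0x20 <= c < 0x7F for c in password)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: the CHAP ident byte + MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, cleartext_password: bytes, challenge: bytes) -> bool:
    """Server-side CHAP check. It needs the user's cleartext password: a
    stored hash (crypt, NT hash, ...) cannot be used to recompute the MD5."""
    if len(chap_password) != 17:
        return False
    return chap_response(chap_password[0], cleartext_password, challenge) == chap_password


def demo() -> dict:
    """Walk through the PAP and CHAP cases with constructed values."""
    secret, wrong_secret = b"testing123", b"testing124"
    authenticator = bytes(range(16))          # constructed Request Authenticator
    hidden = hide_password(b"bob", secret, authenticator)
    challenge = b"\x5a" * 16                  # constructed CHAP challenge
    chap = chap_response(1, b"bob", challenge)
    return {
        "pap_ok": reveal_password(hidden, secret, authenticator),
        "pap_wrong_secret": reveal_password(hidden, wrong_secret, authenticator),
        "chap_ok": chap_verify(chap, b"bob", challenge),
        "chap_wrong_password": chap_verify(chap, b"bobby", challenge),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        if isinstance(value, bytes):
            value = f"{value!r} printable={looks_printable(value)}"
        print(f"{key}: {value}")
```

The two halves make the two points from the threads concrete: a PAP password decoded with the wrong secret does not fail, it just comes out as bytes that are almost never all printable, and a CHAP response can only be verified by recomputing the MD5 from the cleartext password, which is why a hashed password in the backend is not enough for CHAP.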
Thanks for the suggestion, that's actually my back-up plan. The key
issue is that a single MySQL server will be used, and peak-load on that
server
can be quite high. By creating multiple instances, I cannot scale the
maximum number of sockets high enough to meet the requirements. Perhaps on
You're correct, though there are a few factors causing me to be cautious.
The first is I'm working on new, untested hardware, and given the
complexity of the requirements, I'd rather defer to the knowledge of the
list re:
performance, before fully implementing it. The second is that the NAS'es
Hi.
Sorry 'cause I'm late. Some troubles.
Well, I worked as explained below to perform a test (the problem we talked
about) but also to check whether the password would be passed encrypted over
the internet.
[NAS-USG100] (USG WAN 79.xxx.xxx.xxx) --- (INTERNET) --- (78.yyy.yyy.yyy)
I set Freeradius with mysql server and Daloradius Management.
After some trouble installing FR, it worked fine, at least as a basic
startup: I can authenticate remote users!
OK.
It really works if I use the /raddb/clients.conf file, setting readclients =
yes in /raddb/sql.conf.
Once I set it to
I beg your pardon . . . I forgot to set the value in sql.conf to no.
Which value did you set to no?
Once I did . . . no authentication . . .
What I get with radiusd -X is . . .
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on
Q1.what's the difference between radgroupcheck and radgroupreply?
radgroupcheck is similar to radcheck. These tables are “checked” to
authorize/authenticate a user.
radgroupreply is similar to radreply. These tables have the attributes that are
sent back to the NAS in the reply packet.
FreeRADIUS starts in seconds. I have restarted FreeRADIUS in very large
production environments without a problem. If you are concerned about
availability, use multiple FreeRADIUS servers and/or a load balancer (F5,
Cisco, lvs, etc.).
Tim
I have question relating to accounting packets. I have database with
default freeradius schema where radius collecting data from controller
to radacct table. Which parameter is resposible for user ip address
? framedipaddress?
In general, yes.
Tim
I am doing a project in network mesh, wireless mesh. After making the
implementation of my network, I want to do authentication and security of my
network using Radius. But I have no information of this side and I found
many documents that I do not understand. Please help me to find a clear
Should I be posting my debug logs to a pastebin rather than sending
them to the whole list?
E-mail's cheap. Paste the text from the logs into the main body of your
e-mail.
Tim
when using FreeRADIUS 1.1, I could store RADIUS replies like
Reply-Message := Hello, %u, and get the %u expanded to the username
in the reply. After upgrading to FreeRADIUS 2.1, this doesn't seem
to work anymore, the reply contains the unexpanded %u. Has this
feature been removed, or do I
I just confirmed that my server does have no firewall. The way I tested this
is:
ON THE SERVER
tcpdump udp port 1812
ON THE CLIENT
nc -u xx.xx.xx.xx 1812
mash the keyboard repeatedly to send fake packets
When I do this I send some raw packets to my radius server on port
Mohamed,
Tim, your analysis of ipoque operation is correct. IPOQUE receives the
accounting request as a way to dynamically map a user/IP to a class (where a
combination of rules/policy is applied based on the protocol and application
the user is using). What I am trying to achieve actually is not
Mohamed,
Your description of the IPOQUE device and how it works is very strange. I
was not able to find any useful documentation on the IPOQUE device but
here is what I think it is trying to do in a service provider network.
Assume the service provider network uses DSL, 3G wireless,
The NAS controls when the Accounting Interim Updates are sent to the RADIUS
server. Check the documentation on configuring your NAS to see if you can
enable Interim Updates and set the frequency of updates.
Tim
I want to setup AAA server with freeradius, But when I finished the install,
and run radiusd -X,
error is
}
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have
Write the accounting information to a MySQL database. Then query the radacct
table for the accounting information.
Tim
You can configure FreeRADIUS to store all of the accounting information in
one file in the same directory. Look at the etc/raddb/modules/detail file
for instructions on how to change where accounting information is logged.
The default detail file name is: detailfile =
You can put an entry for the Reply-Message attribute in the radreply table.
For example, if you want to send the message Hi Bob to user bob, you would
add this entry to radreply:
username  attribute      op  value
bob       Reply-Message
Alex,
Where did you create the user and password cisco?
in the /etc/raddb/clients.conf.
[Tim] That's the problem. You configure RADIUS clients in the clients.conf
file. A RADIUS client is a network device like a NAS or a wireless Access
Point.
A copy of your users configuration file would be
Alex,
Please try to be less arrogant when you answer me. I have not touched Linux
or Solaris for 9 years. And I'm not a developer but an RF engineer. I know
many of you are software developers. We should not delve into the Silicon
Valley notion of RTFM--instead should adhere to
udp 0 0 *:radius *:*
udp 0 0 *:radius-acct *:*
So after all, it's not selecting random port numbers. Is this a bug?
No. The server is behaving as expected.
Tim
Alex,
You are insulting people that are trying to help you, for FREE. Chill out!
When you did netstat -a, you probably did something like this:
[r...@springy html]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
Alex,
Here's the link to the Red Hat FAQ on the FreeRADIUS site that describes how
to install FreeRADIUS on Red Hat Enterprise Linux (RHEL), CentOS and Fedora:
http://wiki.freeradius.org/Red_Hat_FAQ
You actually need several of the RPMs including the src RPM. Then you would
need to install the
Read the comments in the huntgroups file in the raddb directory. This will
show you how to setup a huntgroup which can be used to authorize users based
on the switch (NAS) sending the authentication request.
Tim
Add this line to the home server configuration of Server A (running 2.1.7):
no_response_fail = yes
Tim
Rihad,
Take your NAS, and throw it in the garbage. Buy a real NAS that
implements RADIUS.
Oh yeah? Isn't Cisco 7260 good enough for you?
Hmmm ... A few months ago I was working on a project with a Cisco 72XX
terminating PPPoE connections from DSL modems. I was using custom SQL code
Leighton,
Try using ldapsearch in verbose mode (and debug mode) to get more info from
AD.
ldapsearch -v -h <AD server> -D "cn=<account to bind>,dc=ad,dc=hud,dc=ac,dc=uk" \
    -w <password> -x -b "dc=ad,dc=hud,dc=ac,dc=uk" "(sAMAccountName=mytestusername)"
From a Windows machine, you can also use tools
Ana,
The notes in the proxy.conf file describe how proxying works when you do not
receive a response from a home server.
#
# If the home server doesn't respond to the request within
# this time, this server will consider the request dead, and
# respond
We should start collecting the Best of Alan posts. Any nominations?
Tim
%l (lower case L)
Tim
-----Original Message-----
From: freeradius-users (on behalf of Sajeewa Warnakulasuriya)
Sent: Sunday, June 21, 2009
How about FreeRADIUS and FreeDHCP?
The FreeX Project
+------------+-----------+-----------+-----+
| FreeRADIUS | FreeDHCP  | FreeTBD   | ... |
| Server     | Server    | Server    |     |
+------------+-----------+-----------+-----+
I used to work in product marketing. Let me translate this message.
This just in, from the horse's mouth (Nominum).
While the failover protocol used in DCS is based on the standard
draft, we have made some modifications where we deemed it necessary,
It was necessary to make
Hola Michel,
You should use the latest version of FreeRADIUS - v2.1.6 which can be
downloaded from the FreeRADIUS.org site at:
ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.6.tar.gz.
Building the new version of FreeRADIUS on CentOS is pretty easy to do.
To configure FreeRADIUS
Read the SQL HOWTO at: http://wiki.freeradius.org/SQL_HOWTO. Also, look at
the sql.conf file in the raddb directory and the mysql files in
raddb/sql/mysql. You will want to read the information in admin.sql and
schema.sql.
Tim
A lot. It depends on the type of transaction - authentication, accounting;
type of authentication - pap, chap, EAP, etc.; the data store for the user
information - file, sql, ldap, etc.
FreeRADIUS can easily perform over 3,000 authentications per second using
MySQL.
Tim
Steve,
Your wireless access point is sending the MAC address as the username and
password. Change the username and password in the users file and the
authentication will work.
rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
User-Name = 00215c-08b25d
Something may be wacky with the network configuration on the 10.10.10.10
machine. The packet capture shows that the NAS-IP-Address attribute is set
to 127.0.0.2 but it should be 10.10.10.10. Since 127.0.0.2 is not in
clients.conf, the request will be ignored. Try running radtest with the
following
Denny,
A couple of things:
1. Check the SQL How To at: http://wiki.freeradius.org/SQL_HOWTO
2. The radcheck table should have entries like:
mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | UserName | Attribute
Hi Li,
Are you developing an application or building a device that needs a radius
client? If all you want to do is test a radius server or simulate a client,
you can download the FreeRADIUS server and use radtest and/or radclient to
simulate a radius client.
Tim
Hi Shimon,
In the /usr/local/etc/raddb/sites-enabled/default file, comment out the unix
module.
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow