Re: RADDB 2.1.7 and /etc/shadow
sbchem wrote:
> > shrug It's an error produces (sic) by the PAM subsystem. Ask them what it means.
>
> Sigh It turns out the error is caused by a typo in the radiusd file provided in /redhat/radiusd-pam, NOT by the pam subsystem. In fact, the pam subsystem was merely reporting the error in the freeradius file. The message "module not found" was because the radiusd-pam file was pointing to password.so NOT passwd.so

OK.. so the error *was* being produced by the PAM subsystem, as I said. Investigating that subsystem found the problem, and the solution. And yes, the FreeRADIUS PAM file needs to be fixed.

> > Blaming FreeRADIUS is the same as blaming Dell

Selective editing does not help your cause. The quote was: "Blaming FreeRADIUS is the same as blaming Dell because the internet is slow." The comparison to Dell was because as the computer manufacturer, they get *enormous* numbers of complaints from inexperienced users, saying things like "facebook is slow!" Similarly, a large number of questions on this list are things like "how do I get the NAS to do X". The answer is almost always "read the NAS documentation". Some people end up being offended by this. I have no idea why.

> Hmmm--rather defensive are we??? --Alan, no one is blaming anybody for anything; it was a simple and honest question that was also posted a few years ago and remained unanswered -- until now, by me as above.

My response was a simple and honest one; if subsystem X is producing an error message... you should really go investigate subsystem X. The answers will usually be found there. Is that so offensive?

> However I do find it interesting that you compare the customer service you provided on this to that provided by Dell -- if the shoe fits.

If you *intentionally* edit my comments so as to misrepresent them, it shows the paucity of your arguments.

> I am part of a consortium of public and private universities and scientific research facilities

Eduroam?

> and our internal listserv on radius frequently talks people off of freeradius solely because of the sarcastic and chip on the shoulder attitude of some of the developers.

Some... but you're not naming names...

> Quit being such a Mordac Alan, it scares the tourists and devalues the otherwise excellent work done by other people on this project.

Implying that the only excellent work is done by *other* people, and not me.

> You can ban me now for such a ghastly breach of etiquette.

Sadly, I do no such thing, though it's clear you would in a similar situation.

You've taken a simple request to investigate the root cause of the problem, and turned it into a personal attack on me. And you're saying *I* have a chip on my shoulder? Please, don't pretend to have the moral high ground here.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Option 82 parse problems.
Anton wrote:
> 1. In dictionary.dhcp there are two strings (version 2.1.8):
>
>     ATTRIBUTE DHCP-Agent-Circuit-Id 0x0152 octets
>     ATTRIBUTE DHCP-Agent-Remote-Id  0x0252 octets
>
> but when I start radiusd -X I see only one whole string like:
>
>     DHCP-Relay-Agent-Information = 0x01060004006402080006000cce477c00

Yes... this was fixed in 2.1.9. Don't expect 2.1.8 to parse option 82.

> How can I get DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id without using perl post_auth ?

2.1.9 was tested to work.

> 2. There is an announced feature in 2.1.9: "Add sub-option support for Option 82. See dictionary.dhcp." When I start radiusd -X (2.1.9) with its dictionary.dhcp it begins to eat 100% of CPU with no output in the console after the first dhcp packet is received.

Please supply a packet trace (wireshark / tcpdump) which contains that packet. If we had seen this issue in testing 2.1.9, we would have fixed it.

> How to use this announced feature of sub-option for opt82 ?

It was tested to work with a number of different switches.

> How to find the reason why radiusd (2.1.9) eats 100% of CPU ?

Supply a pcap file containing the packet, so we can reproduce the problem, and fix it.

Alan DeKok.
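Added example (not FreeRADIUS code): a defensive parser for the option 82 value Anton quoted. The sub-option layout is RFC 3046's; the constructed TRUNCATED_VALUE and the fallback name DHCP-Agent-SubOption-N are this example's own. The parse loop always advances and bounds-checks every length, which is the property a parser needs so that one relayed packet cannot pin the daemon at 100% CPU or read past the buffer.

```python
"""Parse and build the DHCP Relay Agent Information option (option 82, RFC 3046).

Added example; not FreeRADIUS code.  The option value is a sequence of
sub-options, each encoded as <code:1 byte><length:1 byte><value>.  FreeRADIUS's
dictionary.dhcp names sub-option 1 DHCP-Agent-Circuit-Id (0x0152) and
sub-option 2 DHCP-Agent-Remote-Id (0x0252): the leading byte of the dictionary
number is the sub-option code, the trailing 0x52 (82) is the parent option.
"""
from typing import Dict, List, Tuple

SUBOPTION_NAMES = {1: "DHCP-Agent-Circuit-Id", 2: "DHCP-Agent-Remote-Id"}

# Option 82 value quoted in the thread (radiusd -X output on 2.1.8).
THREAD_VALUE = bytes.fromhex("01060004006402080006000cce477c00")

# Constructed malformed value: sub-option 1 claims 6 bytes but only 2 follow.
TRUNCATED_VALUE = bytes.fromhex("01060004")


def parse_option82(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an option 82 value into (code, value) pairs.

    Every iteration consumes at least the 2-byte header, so the loop cannot
    spin on a zero-length sub-option, and a length that points past the end
    of the buffer raises instead of reading garbage.
    """
    subopts: List[Tuple[int, bytes]] = []
    offset, end = 0, len(data)
    while offset < end:
        if end - offset < 2:
            raise ValueError(f"truncated sub-option header at offset {offset}")
        code, length = data[offset], data[offset + 1]
        start = offset + 2
        if start + length > end:
            raise ValueError(
                f"sub-option {code} at offset {offset} claims {length} bytes, "
                f"only {end - start} remain")
        subopts.append((code, data[start:start + length]))
        offset = start + length
    return subopts


def build_option82(subopts: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_option82; rejects values that do not fit a 1-byte length."""
    out = bytearray()
    for code, value in subopts:
        if not 0 <= code <= 255 or len(value) > 255:
            raise ValueError(f"sub-option {code} cannot be encoded")
        out += bytes((code, len(value))) + value
    return bytes(out)


def name_suboptions(subopts: List[Tuple[int, bytes]]) -> Dict[str, str]:
    """Map parsed sub-options to the attribute names FreeRADIUS would show.

    Codes other than 1 and 2 are not defined by RFC 3046; they are reported
    under a generic name (this example's convention) rather than dropped, so
    nothing in the packet is silently lost.
    """
    named: Dict[str, str] = {}
    for code, value in subopts:
        name = SUBOPTION_NAMES.get(code, f"DHCP-Agent-SubOption-{code}")
        named[name] = "0x" + value.hex()
    return named


def is_well_formed(data: bytes) -> bool:
    """True when the value parses without error (useful as a pre-check)."""
    try:
        parse_option82(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for code, value in parse_option82(THREAD_VALUE):
        print(code, value.hex())
    print(name_suboptions(parse_option82(THREAD_VALUE)))
    print("truncated value well-formed:", is_well_formed(TRUNCATED_VALUE))
```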
Re: Option 82 parse problems.
Ok. Please see attach. But I'm afraid that it may be only my case, my unfortunate radius configuration. This is not the packet directly received from the switch, but from switch-dhcrelay.

On Fri, 28 May 2010 13:11:57 +0700 Alan DeKok al...@deployingradius.com wrote:
> Please supply a packet trace (wireshark / tcpdump) which contains that packet. If we had seen this issue in testing 2.1.9, we would have fixed it.
>
> > How to use this announced feature of sub-option for opt82 ?
>
> It was tested to work with a number of different switches.
>
> > How to find the reason why radiusd (2.1.9) eats 100% of CPU ?
>
> Supply a pcap file containing the packet, so we can reproduce the problem, and fix it.

-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797

Attachments (binary data): dhcp_on_client.dump, dhcp_on_server.dump, dhcrelay-to-radius.dump
Re: RADDB 2.1.7 and /etc/shadow
Hi,

> I am part of a consortium of public and private universities and scientific research facilities and our internal listserv on radius frequently talks

...as am I. but I inform people that they should read the documentation and follow the basic information provided about how to troubleshoot and get help before using the list (because there's nothing to show you up better than 'it doesn't work, please help' as the sole contents of your email :-| )

> people off of freeradius solely because of the sarcastic and chip on the shoulder attitude of some of the developers. Quit being such a Mordac Alan, it scares the tourists and devalues the otherwise excellent work done by other people on this project.

huh? without Alan there wouldn't be the project.

PS regarding talking people off FreeRADIUS - you sure there's not some agenda present there - after all, FreeRADIUS is Open Source GPL software - something not favoured by some due to their political leanings. it's also free - which is also not favoured by some. There are commercial offerings out there - but, and this is particularly apt with the current financial climate - is it not easier to defend and deploy services which are free and not extra cost than to be talking about ROI/TCO and bottom line of services - especially regarding systems such as 'eduroam' - which are pretty much free if you have 802.1X capable kit and a local 802.1X network already present...

alan
Re: RADDB 2.1.7 and /etc/shadow
On Thu, May 27, 2010 at 01:51:44PM -0700, sbchem wrote:
> our internal listserv on radius frequently talks people off of freeradius solely because of the sarcastic and chip on the shoulder attitude of some of the developers. Quit being such a Mordac Alan, it scares the tourists and devalues the otherwise excellent work done by other people on this project.

Actually Alan is doing practically all the work. This is a known feature of many open-source projects - there is no separation between support people and programming people, nor an accompanying distinction in the default attitudes. The solution is to treat such projects, including FreeRADIUS, accordingly - this forum is not what you might call a first-level helpdesk venue - it is instead a venue where a lot can be expected from the user, including both technical proficiency and an ability to take heat for lack thereof. I know that doesn't sound optimal, nor does it fit in with how the rest of the world commonly operates, but that's how it is.

On a completely separate note, I think that it would be best if Alan sometimes tried to ignore some of the fuzzier user queries and left that to others, even at the cost of the request looking like it was ignored. It's better to concentrate on more important things. Alan, please consider that :)

At the same time, there's a distinct possibility that the fuzzy-question-asking user will get more time to try other venues of problem investigation other than waiting to be helped (even hand-held) by a helpful person on the mailing list. Not everyone exhausts all other venues before asking; often people try some poor man's debugging method just once or twice and after failing immediately ask a new question on a forum, not even trying to e.g. google a few times for similar questions and answers.

Overall, I recommend an approach with a bit more lax latencies (less pressure) in responding to *every* query; in the long run it will be better for the stress level of everyone involved. :)

-- 
2. That which causes joy or happiness.
Re: github wiki
On Thu, May 27, 2010 at 06:00:48PM +0200, Alan DeKok wrote:
> Thanks, but we already *have* a Wiki. I would really prefer to not add yet *another* location for documentation.
>
> Yes... the existing Wiki has a number of out-of-date pages.

I will, annoyingly enough :) again use this as an opportunity to ask for an account on the wiki in order to be able to help fixing these. (It's uncommon to call a mediawiki installation a wiki and have a strict policy of forbidding volunteers from editing, even known ones.)

-- 
2. That which causes joy or happiness.
Re: github wiki
Josip Rodin wrote:
> I will, annoyingly enough :) again use this as an opportunity to ask for an account on the wiki in order to be able to help fixing these.

Done.

> (It's uncommon to call a mediawiki installation a wiki and have a strict policy of forbidding volunteers from editing, even known ones.)

2-3 years ago the Wiki started being overwhelmed with spammers. The spam detection in MediaWiki didn't help, so the simplest solution was to make the Wiki request-only for signups.

Alan DeKok.
Re: Accounting to MySQL not working
Hi Alan,

thank you for your response.

> according to the debug:
>
>     +- entering group accounting {...}
>     [detail] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.1.10/detail-20100527
>     [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.1.10/detail-20100527
>     [detail] expand: %t -> Thu May 27 23:32:23 2010
>     ++[detail] returns ok
>     ++[unix] returns ok
>     [radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
>     [radutmp] expand: %{User-Name} -> chrissql
>     ++[radutmp] returns ok
>     [attr_filter.accounting_response] expand: %{User-Name} -> chrissql
>     attr_filter: Matched entry DEFAULT at line 12
>     ++[attr_filter.accounting_response] returns updated
>     Sending Accounting-Response of id 77 to 192.168.1.10 port 1646
>     Finished request 19.
>
> so, it drops into the accounting section... it does detail, unix, radutmp, attr_filter.accounting_response, but where oh where was the SQL being called? hmm, from here it doesn't look like you are calling it. check the sites-enabled/* files (I don't know what virtual servers you have running or what you've called them) and please uncomment the 'sql'. It comes after the lines that say:
>
>     #
>     #  Log traffic to an SQL database.
>     #
>     #  See "Accounting queries" in sql.conf

this part is (and was) enabled

please find below the configuration of the files (which is the same configuration as for 2.0.4 - this configuration is working for 2.0.4)

however, it seems the sql line is ignored by the radius server

file: default

    authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        unix
        files
        sql
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        sql
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }

file: inner-tunnel

    server inner-tunnel {
        authorize {
            chap
            mschap
            unix
            suffix
            update control {
                Proxy-To-Realm := LOCAL
            }
            eap {
                ok = return
            }
            files
            sql
            expiration
            logintime
            pap
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
            Auth-Type CHAP {
                chap
            }
            Auth-Type MS-CHAP {
                mschap
            }
            unix
            eap
        }
        session {
            radutmp
        }
        post-auth {
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    }

BTW: If I uncomment all 'sql' entries, I get data into the radpostauth table, but I never get data into the radacct table.

Has somebody a working configuration for logging into the radacct mysql table with freeradius v2.1.8 (under Debian Lenny)?

br Christoph
Re: RADDB 2.1.7 and /etc/shadow
On Fri 28 May 2010, John Dennis wrote:
> On 05/27/2010 04:51 PM, sbchem wrote:
> > > shrug It's an error produces (sic) by the PAM subsystem. Ask them what it means.
> >
> > Sigh It turns out the error is caused by a typo in the radiusd file provided in /redhat/radiusd-pam, NOT by the pam subsystem. In fact, the pam subsystem was merely reporting the error in the freeradius file. The message "module not found" was because the radiusd-pam file was pointing to password.so NOT passwd.so
>
> Glad you got it working and sorry for the frustration. Unfortunately the files in /redhat had serious bit rot and had not been maintained for a long time. When you want Red Hat specific files or RPM's it's really best to get them from us because we maintain them. The /etc/pam.d/radiusd is supplied in our freeradius RPM and isn't the same as was found in the freeradius tarball as you unfortunately discovered.
>
> FWIW, we just synced our files to the /redhat directory in the freeradius 2.1.9 release. So for 2.1.9 they will be pretty close. But they will *diverge*. Why? Because in this instance that does not represent upstream (i.e. the definitive source), we are upstream for our own files.
>
> I have certain misgivings about upstream projects providing packaging files for their project because they inevitably diverge and have bit rot. I realize it's perceived to be friendly to supply packaging files in the upstream distribution, but it comes with a price (divergence bugs). Getting packaging files from the source (i.e. the specific Linux distribution) isn't that hard and would avoid some of these issues.
>
> By the way all this is documented in the FreeRADIUS wiki at http://wiki.freeradius.org/Red_Hat_FAQ

Hi John

As it happens, I agree with you. I was maintaining some prebuilt RedHat and Mandriva packages for a while in addition to the openSUSE packages (which I use myself) but I stopped doing so as it seems like duplicate effort and a source of extra problems.

I maintain our FreeRADIUS (latest release) packages for openSUSE under the network:aaa namespace on the build service, but these get synced up with the official openSUSE/SLES packages in the Factory namespace before each major distro release. There is a small amount of skew between the packages at present, but we will have them in sync for the 11.3 release. I am not so familiar with the dev processes for Fedora/RHEL but I am sure something similar could be arranged.

Cheers
-- 
Peter Nixon
http://peternixon.net/
Re: RADDB 2.1.7 and /etc/shadow
Alan--thank you for posting your response and proving my point -- diff the tone and content of your response to those of John, Josip and Alan B. -- as the younger set sez, chill dude

No one is disparaging your work -- but maybe you need to divert some of your considerable energy to working on your social skills

BTW *not* eduroam
Re: RADDB 2.1.7 and /etc/shadow
Josip Rodin wrote:
> The solution is to treat such projects, including FreeRADIUS, accordingly - this forum is not what you might call a first-level helpdesk venue - it is instead a venue where a lot can be expected from the user, including both technical proficiency and an ability to take heat for lack thereof.

Also, RADIUS is a *lot* more complicated than DNS and DHCP. It takes more effort to understand and configure. This results in an increased level of frustration for the new user, compared to DNS or DHCP.

> On a completely separate note, I think that it would be best if Alan sometimes tried to ignore some of the fuzzier user queries and left that to others, even at the cost of the request looking like it was ignored. It's better to concentrate on more important things. Alan, please consider that :)

I've actually been doing that for a while now...

I've been saying this for nearly 10 years now, and the proof is in public list archives. Nearly anyone who asks a good question and provides the requested information can get their problem solved. The people who *argue* with the answers they receive get ignored, or get told to stop being rude. This is (somehow) perceived as having a hostile list. sigh

Alan DeKok.
Re: RADDB 2.1.7 and /etc/shadow
sbchem wrote:
> No one is disparaging your work

See the other responses to your message: no one here agrees with the above statement.

Alan DeKok.
Re: Accounting to MySQL not working
Christoph Schwabl wrote:
> this part is (and was) enabled
>
> please find below the configuration of the files (which is the same configuration as for 2.0.4 - this configuration is working for 2.0.4)
>
> however, it seems the sql line is ignored by the radius server

This happens in one of two cases:

1) the server is reading a *different* file than the one you're editing

2) there are *two* accounting sections, and the server is using the first rather than the second.

> BTW: If I uncomment all 'sql' entries, I get data into the radpostauth table, but I never get data into the radacct table.

Then either it isn't receiving accounting packets, *or* it's not using the sql configuration you think it's using.

> Has somebody a working configuration for logging into the radacct mysql table with freeradius v2.1.8 (under Debian Lenny)?

    $ cd /etc/raddb/sites-enabled
    $ grep sql *

And un-comment the lines that look like:

    default:#   sql

This is the default config, and it does work.

Alan DeKok.
Re: Option 82 parse problems.
Anton wrote:
> Ok. Please see attach. But I'm afraid that it may be only my case, my unfortunate radius configuration.

It looks to be a bug in 2.1.9. I'll see if I can put a fix into 'git', the v2.1.x branch, in the next few days.

Alan DeKok.
Re: check ldap users with different client IP's
Stephon Chen wrote:
> hello all
>
> I've used freeradius as the front of a LDAP server. Here, I want to allow different access rights for each LDAP group / client ip address. For example below:
>
>     user X in LDAP group A, from ip IP-A
>     user Y in LDAP group B, from ip IP-B

Pretty much exactly that, using unlang.

> if the user is from IP-A and user in LDAP group A, then send Access-Accept packet
>
> How can this be done with freeradius?

    authorize {
        ...
        if ((User-Name == X) && (LDAP-Group == A) && (Packet-Src-IP-Address == IP-A)) {
            ... something ...
        }
        elseif ((User-Name == Y) ...
            ... more comparisons ...
        }
        else {
            reject
        }
        ...
    }
Re: Conditional radreply with Freeradius. Possible somehow ?
Pere Hospital wrote:
> I have gone again through the SQL wiki. What I am not able to find anywhere (and think that it is what we exactly need) is how to emulate this behaviour of check/reply items that you can get via the users file. i.e. from users file:

The SQL schema is intended to mirror the users file. i.e. it can be mapped *directly* from the users file.

>     #swilson Service-Type == Framed-User, Huntgroup-Name == alphen
>     #        Framed-IP-Address = 192.168.1.65,
>     #        Fall-Through = Yes

This becomes (roughly)

    radcheck:
        swilson Service-Type == Framed-User
        swilson Huntgroup-Name == alphen

    radreply:
        swilson Framed-IP-Address = 192.168.1.65
        swilson Fall-Through = Yes

> This is what I can't see how to do with sql module as radreply is related just to the username.

The radreply for the user is referenced *only* if the radcheck entries for that user matched.

> From SQL Wiki : "In radreply, create entries for each user-specific radius reply attribute against their username" -- against their username and not username + nas-identifier i.e.). and again "If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply" -- for this user, so again no info about this user+other requirements ...

The "check attributes are found" text is intended to *be* the "other requirements".

> Well, rules are user + NAS based. A user will get a certain IP only if he connects to a certain NAS. And from what you say I assume that configuration files + sql can be used at the same time ?.

Yes. All modules are independent.

Alan DeKok.
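Added example (not FreeRADIUS code): the users-file entry above mapped onto radcheck/radreply rows, with a small authorize() that models the rule Alan states, that radreply rows are used only when every radcheck row for the user matched; adding a NAS-Identifier check row is how the per-user-per-NAS rule Pere wants is expressed in this model. The parser handles only the operators shown, and the USERS_ENTRY text is constructed from the quoted entry with its leading "#" removed.

```python
"""Map a FreeRADIUS users-file entry onto radcheck/radreply rows and apply them.

Added example, not FreeRADIUS code.  The first line of a users entry is
"<username> <check items>"; indented continuation lines carry the reply items.
The SQL module keeps the same split: radcheck holds check items, radreply holds
reply items, both keyed by username.  authorize() models the rule from the
thread: radreply rows are returned only when every radcheck row matched.
"""
import re
from typing import Dict, List, Optional, Tuple

Row = Tuple[str, str, str, str]  # (username, attribute, op, value)

# Operators handled here, longest first so "==" is not read as "=".
ITEM_RE = re.compile(r'([\w-]+)\s*(==|!=|:=|\+=|=)\s*("[^"]*"|\S+)$')

# Constructed from the entry quoted above, with the leading "#" removed.
USERS_ENTRY = """\
swilson Service-Type == Framed-User, Huntgroup-Name == alphen
        Framed-IP-Address = 192.168.1.65,
        Fall-Through = Yes
"""


def _parse_items(text: str, username: str) -> List[Row]:
    """Split 'Attr op value, Attr op value' into rows (no commas inside quotes)."""
    rows: List[Row] = []
    for item in (s.strip() for s in text.split(",")):
        if not item:
            continue
        m = ITEM_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse item {item!r}")
        attr, op, value = m.groups()
        rows.append((username, attr, op, value.strip('"')))
    return rows


def users_entry_to_sql(entry: str) -> Tuple[List[Row], List[Row]]:
    """Return (radcheck rows, radreply rows) for one users-file entry."""
    lines = [ln for ln in entry.splitlines() if ln.strip()]
    head = lines[0].split(None, 1)
    username = head[0]
    check = _parse_items(head[1] if len(head) > 1 else "", username)
    reply_text = ", ".join(ln.strip().rstrip(",") for ln in lines[1:])
    return check, _parse_items(reply_text, username)


def authorize(request: Dict[str, str], check: List[Row],
              reply: List[Row]) -> Optional[Dict[str, str]]:
    """Emulate the SQL module's check-then-reply rule for the request's user.

    Rows are selected by User-Name, as the module's default queries do.  Every
    comparison row (== / !=) must hold; ":=" and "=" rows in radcheck set
    control items (e.g. a password) rather than compare, so they are skipped
    here.  Only when all checks pass are the radreply rows returned.
    """
    user = request.get("User-Name")
    my_check = [r for r in check if r[0] == user]
    my_reply = [r for r in reply if r[0] == user]
    if not my_check and not my_reply:
        return None  # user not found in SQL at all
    for _, attr, op, value in my_check:
        actual = request.get(attr)
        if (op == "==" and actual != value) or (op == "!=" and actual == value):
            return None  # a check item failed: no reply items for this user
    return {attr: value for _, attr, _, value in my_reply}


if __name__ == "__main__":
    check_rows, reply_rows = users_entry_to_sql(USERS_ENTRY)
    for table, rows in (("radcheck", check_rows), ("radreply", reply_rows)):
        for row in rows:
            print(table, row)
    req = {"User-Name": "swilson", "Service-Type": "Framed-User",
           "Huntgroup-Name": "alphen"}
    print(authorize(req, check_rows, reply_rows))
```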
Fresh Install
I just installed Ubuntu 10.04 server with the basic LAMP install added. I used the git method for downloading and compiling freeradius and everything installed properly but for one caveat.

    radiusd: error while loading shared libraries: libfreeradius-radius-2.1.9.so: cannot open shared object file: No such file or directory

I can find this file but I am not sure how to resolve this issue

David
Re: Fresh Install
On 05/28/2010 03:15 PM, David Peterson wrote:
> I just installed Ubuntu 10.04 server with the basic LAMP install added. I used the git method for downloading and compiling freeradius and everything installed properly but for one caveat.
>
>     radiusd: error while loading shared libraries: libfreeradius-radius-2.1.9.so: cannot open shared object file: No such file or directory
>
> I can find this file but I am not sure how to resolve this issue

Two things to check:

In $RADDB/radiusd.config check the value of the libdir configuration parameter, does it match where the module libraries were installed?

try running ldconfig

-- 
John Dennis jden...@redhat.com
Re: Fresh Install
David Peterson wrote:
> I just installed Ubuntu 10.04 server with the basic LAMP install added. I used the git method for downloading and compiling freeradius and everything installed properly but for one caveat.
>
>     radiusd: error while loading shared libraries: libfreeradius-radius-2.1.9.so: cannot open shared object file: No such file or directory

This means that the dynamic linker cannot find the library. The solution is to tell the linker where the library is located.

So first... where is the library on disk? Is it in a non-standard location?

See also: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/dlls.html for instructions on updating the linker config cache.

Alan DeKok.
RE: Fresh Install
Ldconfig did it! Thanks!

David

-----Original Message-----
From: John Dennis
Sent: Friday, May 28, 2010 3:30 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Fresh Install

> Two things to check:
>
> In $RADDB/radiusd.config check the value of the libdir configuration parameter, does it match where the module libraries were installed?
>
> try running ldconfig
Re: Accounting to MySQL not working
> > however, it seems the sql line is ignored by the radius server
>
> This happens in one of two cases:
>
> 1) the server is reading a *different* file than the one you're editing

this exactly was the problem

I had 2 files in /etc/raddb/sites-enabled

    default.original
    default

It seems the server was reading default.original

Since I deleted default.original it's working fine.

thx
br Christoph
Re: Accounting to MySQL not working
On 05/28/2010 04:33 PM, Christoph Schwabl wrote:
> > > however, it seems the sql line is ignored by the radius server
> >
> > This happens in one of two cases:
> >
> > 1) the server is reading a *different* file than the one you're editing
>
> this exactly was the problem
>
> I had 2 files in /etc/raddb/sites-enabled
>
>     default.original
>     default
>
> It seems the server was reading default.original
>
> Since I deleted default.original it's working fine.

Hmm... we just had a discussion about how loading every configuration file in a directory trips folks up. Yet another example :-)

-- 
John Dennis jden...@redhat.com
Re: Accounting to MySQL not working
:) Sure, it's a good idea to create backups but do not store them in the sites-enabled dir :)

John Dennis wrote:
> On 05/28/2010 04:33 PM, Christoph Schwabl wrote:
> > I had 2 files in /etc/raddb/sites-enabled
> >
> >     default.original
> >     default
> >
> > It seems the server was reading default.original
> >
> > Since I deleted default.original it's working fine.
>
> Hmm... we just had a discussion about how loading every configuration file in a directory trips folks up. Yet another example :-)
peap/eap/mschapv2 + MySQL
Hello list,

First of all: freeradius-2.1.8, Mysql 5.1.41 on Ubuntu 10.04 / Airport Extreme v7.5

I'm having trouble authenticating users with EAP/mschapv2 against a mysql database. Users authenticate fine if they are in the users file. Here's the main problem it seems from the debug output:

    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
    [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
    [mschap] Told to do MS-CHAPv2 for oogabooga with NT-Password
    [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
    [mschap] FAILED: MS-CHAP2-Response is incorrect
    ++[mschap] returns reject

Now I've read a million posts on the web, including this list, where people have reported the same problem. In most cases the problem was that the inner-tunnel server wasn't configured for sql. I definitely have sql on in the inner-tunnel file (which I will post in a sec). The mysql server IS being queried on the initial request, but not in inner-tunnel. Can someone please shed some light on this for me.

Here is my inner-tunnel file and debug output (long).

Thanks,
Matt

/etc/freeradius/sites-enabled/inner-tunnel :

    server inner-tunnel {
        authorize {
            chap
            mschap
            unix
            suffix
            update control {
                Proxy-To-Realm := LOCAL
            }
            eap {
                ok = return
            }
            files
            sql
            expiration
            logintime
            pap
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
            Auth-Type CHAP {
                chap
            }
            Auth-Type MS-CHAP {
                mschap
            }
            unix
            eap
        }
        session {
            radutmp
        }
        post-auth {
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    } # inner-tunnel server block

debug output:

    rad_recv: Access-Request packet from host 10.20.20.254 port 65023, id=181, length=153
        User-Name = oogabooga
        NAS-IP-Address = 10.20.20.254
        NAS-Port = 0
        Called-Station-Id = F8-1E-DF-FC-8C-82:xyz
        Calling-Station-Id = 00-17-F2-45-F7-CF
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11
        EAP-Message = 0x028d000e016f6f6761626f6f6761
        Message-Authenticator = 0x9388a95b4d72cd941931671109245b66
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = oogabooga, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 141 length 14
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns notfound
    ++[files] returns noop
    [sql] expand: %{Stripped-User-Name} ->
    [sql] ... expanding second conditional
    [sql] expand: %{User-Name} -> oogabooga
    [sql] expand: %{%{User-Name}:-DEFAULT} -> oogabooga
    [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> oogabooga
    [sql] sql_set_user escaped user --> 'oogabooga'
    rlm_sql (sql): Reserving sql socket id: 3
    [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'oogabooga' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'oogabooga' ORDER BY id
    [sql] User found in radcheck table
    [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'oogabooga' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'oogabooga' ORDER BY id
    [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'oogabooga' ORDER BY priority
    rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'oogabooga' ORDER BY priority
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Found
Re: Accounting to MySQL not working
Making a backup of the file in sites-available would make more sense since the files in sites-enabled are only links to the files in sites-enabled. It is documented. ;)

Marinko Tarlac mangi...@gmail.com wrote:
> :) Sure, it's a good idea to create backups but do not store them in the sites-enabled dir :)
>
> John Dennis wrote:
> > Hmm... we just had a discussion about how loading every configuration file in a directory trips folks up. Yet another example :-)
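Added example (not FreeRADIUS code): a lint for the failure mode in this thread, following Alan's two causes (the server reading a different file, or a second accounting section being present). It flags backup-style names and non-symlinks in sites-enabled and reports processing sections defined twice for the same virtual server; demo() builds a constructed raddb layout with the stray default.original Christoph found, and the site-file contents and suffix list are this example's assumptions.

```python
"""Lint a FreeRADIUS 2.x sites-enabled/ directory (added example, not FreeRADIUS code).

radiusd.conf includes every file under sites-enabled/, so a stray copy such as
default.original is parsed as a second copy of the default virtual server, and
the first 'accounting' (or other) section seen is the one that gets used.
"""
import os
import re
import shutil
import tempfile
from typing import Dict, List, Optional, Tuple

BACKUP_SUFFIXES = (".original", ".orig", ".bak", ".old", ".dist", "~")
PROCESSING_SECTIONS = {"authorize", "authenticate", "preacct", "accounting",
                       "session", "post-auth", "pre-proxy", "post-proxy"}
# "server NAME {" or a bare "section {" on a line of its own.
SECTION_RE = re.compile(r"^\s*(?:server\s+(\S+)|([A-Za-z_-]+))\s*\{\s*$")


def processing_sections(path: str) -> List[Tuple[str, str]]:
    """Return (virtual_server, section) for each processing section in a file.

    A file with no 'server NAME {' wrapper defines the implicit 'default'
    server, which is how sites-available/default is written in 2.x.  Comments
    are stripped; a '#' inside a quoted value is not special-cased.
    """
    found: List[Tuple[str, str]] = []
    depth = 0
    server: Optional[str] = None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()
            if not line.strip():
                continue
            m = SECTION_RE.match(line)
            if m and m.group(1) and depth == 0:
                server = m.group(1)
            elif m and m.group(2) in PROCESSING_SECTIONS \
                    and depth == (1 if server else 0):
                found.append((server or "default", m.group(2)))
            depth += line.count("{") - line.count("}")
            if server and depth == 0:
                server = None
    return found


def lint_sites_enabled(sites_enabled: str) -> List[str]:
    """Report the problems that make 'the sql line is ignored' happen."""
    findings: List[str] = []
    seen: Dict[Tuple[str, str], str] = {}
    for name in sorted(os.listdir(sites_enabled)):
        path = os.path.join(sites_enabled, name)
        if name.endswith(BACKUP_SUFFIXES):
            findings.append(f"{name}: backup-style name, but every file here is loaded")
        if not os.path.islink(path):
            findings.append(f"{name}: regular file, expected a symlink into ../sites-available")
        for server, section in processing_sections(path):
            key = (server, section)
            if key in seen:
                findings.append(f"{name}: duplicate '{section}' section for virtual "
                                f"server '{server}', also defined in {seen[key]}")
            else:
                seen[key] = name
    return findings


# Constructed site files in the shape of 2.x sites-available/default and inner-tunnel.
DEFAULT_SITE = "authorize {\n    preprocess\n    files\n    sql\n}\naccounting {\n    detail\n    sql\n}\n"
INNER_SITE = "server inner-tunnel {\n    authorize {\n        files\n        sql\n    }\n}\n"


def demo() -> List[str]:
    """Build the layout from the thread: proper symlinks plus a stray default.original."""
    root = tempfile.mkdtemp(prefix="raddb-")
    try:
        avail = os.path.join(root, "sites-available")
        enabled = os.path.join(root, "sites-enabled")
        os.makedirs(avail)
        os.makedirs(enabled)
        for fname, body in (("default", DEFAULT_SITE), ("inner-tunnel", INNER_SITE)):
            with open(os.path.join(avail, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
            os.symlink(os.path.join("..", "sites-available", fname),
                       os.path.join(enabled, fname))
        # The stale copy left behind: same sections, with sql commented out.
        with open(os.path.join(enabled, "default.original"), "w", encoding="utf-8") as fh:
            fh.write(DEFAULT_SITE.replace("    sql\n", "#   sql\n"))
        return lint_sites_enabled(enabled)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```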
Re: peap/eap/mschapv2 + MySQL
> Now I've read a million posts on the web, including this list, where people have reported the same problem. In most cases the problem was that the inner-tunnel server wasn't configured for sql. I definitely have sql on in the inner-tunnel file (which I will post in a sec). The mysql server IS being queried on the initial request, but not in inner-tunnel. Can someone please shed some light on this for me.

Ok, well like I said, mysql wasn't being queried by the inner-tunnel server. Still not clear on why that was happening, but I worked around it by commenting out inner-tunnel as the virtual server to use for peap. So the default server is being used and working.