Is there a definitive config guide for installing 1.1.7 on Solaris 10
I'm running a Solaris 10 U6 (10/08) whole-root zone where I'm trying to install freeRadius 1.1.7 from packages (Sunfreeware). I've loaded what is listed (on Sunfreeware) as dependencies (and dependencies of those packages), but I still get a segmentation fault on startup. No changes have been made to any of the radius config files.

Is there a complete list of packages required for freeRADIUS on my version of Solaris 10?

The attempted startup of radius, with the -X option is shown below:

    # ./S99rad* start
    -n Starting FreeRADIUS: Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    main: prefix = /usr/local
    main: localstatedir = /usr/local/var
    main: logdir = /usr/local/var/log/radius
    main: libdir = /usr/local/lib
    main: radacctdir = /usr/local/var/log/radius/radacct
    main: hostname_lookups = no
    main: snmp = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /usr/local/var/log/radius/radius.log
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
    main: user = (null)
    main: group = (null)
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/local/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = no
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Segmentation Fault - core dumped radiusd
    #

I've seen queries from others with the same problem, but I can't find a resolution.

Thanks for the help,
Larry Avery

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there a definitive config guide for installing 1.1.7 on Solaris 10
Avery, Larry EIS-ERDC-ITL-MS Contractor wrote:
> Is there a complete list of packages required for freeRADIUS on my version of Solaris 10?

The server doesn't need *any* packages to run. It needs gcc and gmake to compile. The configure stage figures out which packages you have, and uses those. It doesn't need SQL, LDAP, DBM, or anything.

> The attempted startup of radius, with the -X option is shown below:
> # ./S99rad* start

Hmm... why not just radiusd -X from the command line?

> radiusd: entering modules setup
> Segmentation Fault - core dumped radiusd
> #
> I've seen queries from others with the same problem, but I can't find a resolution.

Update the Solaris dynamic linker path to include the path where the modules were installed. It's some magic Solaris command, and I forget which one...

Alan DeKok.
Re: Filter multivalued attributes in rlm_sql
JUND wrote:
> When I use : sql_user_name = %{reply:Callback-Number} I always get the first value of the Callback-Number,

That's the way it works. See man unlang for how to reference a specific variable.

> but I would like to use only the one starting with “TEST=”. Is there a way to filter a multivalued attribute to use it for the sql_user_name?

Not really, no. I suggest adding the data into an *additional* attribute, and using that.

Alan DeKok.
Log Client-NAS-IP instead of shortname
Hi

I have a bunch of Routers authenticating against a freeradius instance. All using the same secret, therefore I configured them as follows in the clients.conf

    client dynamicdsl {
        secret = XX
        shortname = dynamicdsl
        nastype = cisco
        ipaddr = xxx.xxx.xxx.0
        netmask = 20
    }

Now it would be nice if it would be possible to log the NAS IP instead of the shortname in radius.log

Is that possible? Would someone be willing to add such an option if not already implemented?

Regards
Matthias

--
Matthias Cramer / mc322-ripe Senior Network Security Engineer
iway AG Phone +41 43 500
Josefstrasse 225 Fax +41 44 271 3535
CH-8005 Zürich http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
Novell E-Directory
I've noticed in all the old documentation that it says to configure FreeRADIUS with --with-edir to enable support for Novell. All of the documentation for this that I've found is generally old and referencing FR v1.x and not 2.x. On FreeBSD, in the ports system, the with-edir toggle has been removed from the config options when building FR v2.x though it is still something available in the older FR v1.x.

My question is, do I need to do anything special when building FR v2.x to get support for the couple of e-directory options (edir_account_policy_check comes to mind) or if this just works out of the box. If I do still need to configure --with-edir when compiling, does anyone happen to know the syntax for FreeBSD to include it since it is no longer a toggle option. (If it is required, I'll drop an e-mail on the maintainer to see if it can be added again to make things simpler in the future.)

Thanks. :)

--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O ASCII Ribbon Campaign - www.asciiribbon.org
Re: Is there a definitive config guide for installing 1.1.7 on Solaris 10
On Tue, 2010-07-13 at 09:49 +0200, Alan DeKok wrote:
> Update the Solaris dynamic linker path to include the path where the modules were installed. It's some magic Solaris command, and I forget which one...

The Solaris command to use to add new locations for the loader is crle(1). Carefully reading the manual page is a good idea.

He can use ldd(1) to see which libraries can't be found, as in:

    ldd /path/to/freeradius

Can also use something like:

    truss -fae -vall /path/to/freeradius

to see exactly where and why it's dumping core.

Jeff

--
Jeff Smith
jeff.m.sm...@gmail.com
Re: Novell E-Directory
John McDonnell wrote:
> I've noticed in all the old documentation that it says to configure FreeRADIUS with --with-edir to enable support for Novell. All of the documentation for this that I've found is generally old and referencing FR v1.x and not 2.x. On FreeBSD, in the ports system, the with-edir toggle has been removed from the config options when building FR v2.x though it is still something available in the older FR v1.x.

It's been removed from the top-level configure script. It's still accepted by the configure script for the ldap module.

When the main configure script runs, it accepts any command-line options it doesn't understand, and passes them down to the lower-level configure scripts.

> My question is, do I need to do anything special when building FR v2.x to get support for the couple of e-directory options (edir_account_policy_check comes to mind) or if this just works out of the box. If I do still need to configure --with-edir

Yes.

> when compiling, does anyone happen to know the syntax for FreeBSD to include it since it is no longer a toggle option. (If it is required, I'll drop an e-mail on the maintainer to see if it can be added again to make things simpler in the future.)

No, sorry.

Alan DeKok.
Freeradius+mysql+chillispot
Good morning,

I have a serious problem, see if you can help. It just can not authenticate any user. The throwing error is:

    WARNING: Please update your configuration, and remove 'Auth-Type = Local'
    WARNING: Use the PAP or CHAP modules instead.
    User-Password in the request does NOT match known good password.
    Failed to authenticate the user.
    WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Working with a database mysql + freeradius + chillispot. I show the output of freeradius -X

    Module: Linked to rlm_files module
    Module: instantiating files
    (files
    usersfile = / etc / freeradius / users
    acctusersfile = / etc / freeradius / acct_users
    preproxy_usersfile = / etc / freeradius / preproxy_users
    compat = no
    )
    Module: Checking session {...} for more modules to load
    Module: Linked to module rlm_radutmp
    Module: instantiating radutmp
    (radutmp
    filename = / var / log / freeradius / radutmp
    username = % (User-Name)
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
    )
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Module: Linked to module rlm_attr_filter
    Module: instantiating attr_filter.access_reject
    (attr_filter.access_reject attr_filter
    attrsfile = / etc / freeradius / attrs.access_reject
    key = % (User-Name)
    )
    ) # Modules
    # Server)
    server (
    (modules
    Module: Checking authenticate {...} for more modules to load
    Module: Checking Authorize {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: instantiating Preprocess
    (Preprocess
    huntgroups = / etc / freeradius / huntgroups
    hints = / etc / freeradius / hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
    )
    Module: Linked to module rlm_sql
    Module: sql instantiating
    (sql
    driver = rlm_sql_mysql
    server = localhost
    port =
    login = radius
    password = radpass
    radius_db = radius
    read_groups = yes
    sqltrace = no
    sqltracefile = / var / log / freeradius / sqltrace.sql
    readclients = no
    deletestalesessions = yes
    num_sql_socks = 5
    lifetime = 0
    max_queries = 0
    sql_user_name = % (User-Name)
    default_user_profile =
    nas_query = SELECT id, nasname, shortname, type, secret FROM nas
    authorize_check_query = SELECT id, username, attribute, value, op FROM radcheck WHERE username = '% (SQL-User-Name)' ORDER BY id
    authorize_reply_query = SELECT id, username, attribute, value, op FROM radreply WHERE username = '% (SQL-User-Name)' ORDER BY id
    authorize_group_check_query = SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '% (Sql-Group)' ORDER BY id
    authorize_group_reply_query = SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '% (Sql-Group)' ORDER BY id
    accounting_onoff_query = UPDATE SET radacct acctstoptime = '% S', acctsessiontime = UNIX_TIMESTAMP ('% S') - UNIX_TIMESTAMP (acctstarttime) acctterminatecause = '% (Acct-Terminate-Cause)', acctstopdelay =% (% (Acct-Delay -Time): -0) WHERE IS NULL AND acctstoptime nasipaddress = '% (NAS-IP-Address)' AND acctstarttime = '% S'
    accounting_update_query = UPDATE SET radacct framedipaddress = '% (Framed-IP-Address)', acctsessiontime = '% (Acct-Session-Time)', acctinputoctets ='%{%{ Acct-Input-Gigawords): -0) ' 32 |'%{%{ Acct-Input-Octets): -0) ', acctoutputoctets ='%{%{ Acct-Output-Gigawords): -0)' 32 | Acct-'%{%{ Output-Octets): -0) 'WHERE acctsessionid ='% (Acct-Session-Id) 'AND username = % (SQL-User-Name)' AND nasipaddress = '% (NAS-IP-address)'
    accounting_update_query_alt = INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, ServiceType, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES (' % (Acct-Session-Id) ','% (Acct-Unique-Session-Id) ','% (SQL-User-Name) ','% (Realm) ','% (NAS-IP-Address) ','% (NAS-Port) ','% (NAS-Port-Type) ', DATE_SUB ('% S ', INTERVAL (%{%{ Acct-Session-Time): -0) +% (% ( Acct-Delay-Time): -0)) SECOND), '% (Acct-Session-Time)', '% (Acct-Authentic)','','%{%{ Acct-Input-Gigawords): - 0) '32 |'%{%{ Acct-Input-Octets): -0)', Acct-Output-'%{%{ Gigawords): -0) '32 |'%{%{ Acct -Output-Octets): -0) ','% (Called-Station-Id) ','% (Calling-Station-Id) ','% (Service-Type) ','% (Framed-Protocol) ' , '% (Framed-IP-Address)',
Re: Freeradius+mysql+chillispot
jorge88 wrote:
> I have a serious problem, see if you can help. It just can not authenticate any user. The throwing error is:
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request does NOT match known good password.
> Failed to authenticate the user.
> WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!

All of those messages should be easy to understand.

Use Cleartext-Password := .. instead of User-Password == ..

Re-enter the shared secret.

Alan DeKok.
Re: Freeradius+mysql+chillispot
Hello Alan,

Thank you very much for your request.

Using Cleartext-Password := message still appears:

WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!

And the user is not logged in successful, the encrypted key. What could be the problem?

Thank you :)

Regards,
Jorge

On 13/07/2010 18:44, Alan DeKok wrote:
> jorge88 wrote:
>> I have a serious problem, see if you can help. It just can not authenticate any user. The throwing error is:
>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>> WARNING: Use the PAP or CHAP modules instead.
>> User-Password in the request does NOT match known good password.
>> Failed to authenticate the user.
>> WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
> All of those messages should be easy to understand.
>
> Use Cleartext-Password := .. instead of User-Password == ..
>
> Re-enter the shared secret.
>
> Alan DeKok.
RE: Freeradius+mysql+chillispot
> Using Cleartext-Password := message still appears:
> WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> And the user is not logged in successful, the encrypted key. What could be the problem?

You need to read the error message and Alan's e-mail. The error message says:

Double-check the shared secret on the server and the NAS!

Tim
freeRadius Disconnect-Message
Hi,

Quote from another post:
> 2.1.9 supports disconnect. It's for disconnecting users.
> Alan DeKok.

and another one:
> The Freeradius server will not do this for you
> You have to write maybe 10 lines of configuration to get this done.
> Alan DeKok.

Here are my questions:
1 - Is freeRadius server able to send a disconnect-request?
2 - If so, where can I get information on how to do this?
3 - Do we still have to use radclient to send the message?

Thank you.
Jean
Re: freeRadius Disconnect-Message
jean...@sympatico.ca wrote:
> Quote from another post:
> ...
> and another one:
> ...
> Here are my questions:
> 1 - Is freeRadius server able to send a disconnect-request?

sigh Taking messages out of context is a great way to not understand them.

> 2 - If so, where can I get information on how to do this?

Since 2.1.8, raddb/sites-available/originate-coa.

> 3 - Do we still have to use radclient to send the message?

No.

Alan DeKok.
Help
Hi,

I am using CentOS with Radius 1.1.3. It automatically stops working. And I do restart its services to restore its original state.. As if we do restart system's services 2 or three times, system starts working it has a very strange to us... What should I share to troubleshoot. Any suggestion will be appreciated.
...
Regards
James
Re: Help
Check log files
And upgrade your FR installation.

Jawad Khawaja wrote:
> Hi,
>
> I am using CentOS with Radius 1.1.3. It automatically stops working. And I do restart its services to restore its original state.. As if we do restart system's services 2 or three times, system starts working it has a very strange to us... What should I share to troubleshoot. Any suggestion will be appreciated.
> ...
> Regards
> James
Re: Help
On Tue, Jul 13, 2010 at 11:58:53PM +0500, Jawad Khawaja wrote:
> Hi,
>
> I am using CentOS with Radius 1.1.3. It automatically stops working. And I do restart its services to restore its original state.. As if we do restart system's services 2 or three times, system starts working it has a very strange to us... What should I share to troubleshoot. Any suggestion will be appreciated.
> ...
> Regards
> James

I would recommend an upgrade to the latest release of freeradius. They have fixed a large number of bugs and enhanced it in ways that are not available in the 1.x release. We had similar hang problems in the 1.x release and set up a nanny script to restart it when it occurred. The 2.x release has not had this problem aside from having a much more manageable configuration.

Cheers,
Ken
Re: Help
On 07/13/2010 03:06 PM, Kenneth Marshall wrote:
> On Tue, Jul 13, 2010 at 11:58:53PM +0500, Jawad Khawaja wrote:
>> Hi,
>>
>> I am using CentOS with Radius 1.1.3. It automatically stops working. And I do restart its services to restore its original state.. As if we do restart system's services 2 or three times, system starts working it has a very strange to us... What should I share to troubleshoot. Any suggestion will be appreciated.
>> ...
>> Regards
>> James
>
> I would recommend an upgrade to the latest release of freeradius. They have fixed a large number of bugs and enhanced it in ways that are not available in the 1.x release. We had similar hang problems in the 1.x release and set up a nanny script to restart it when it occurred. The 2.x release has not had this problem aside from having a much more manageable configuration.

RHEL 5.5 ships freeradius 2.1.7 in the freeradius2 rpms. See http://wiki.freeradius.org/Red_Hat_FAQ

The CentOS folks have recently made the RHEL 5.5 upgrade available so you should be able to do a freeradius2 install and pickup 2.1.7

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: freeRadius Disconnect-Message
Hi Alan,

Sorry about the quotes... I'll have a look at the CoA.

Thank you for your answer.
Jean

newtownz wrote:
> Hi,
>
> Quote from another post:
> 2.1.9 supports disconnect. It's for disconnecting users.
> Alan DeKok.
>
> and another one:
> The Freeradius server will not do this for you
> You have to write maybe 10 lines of configuration to get this done.
> Alan DeKok.
>
> Here are my questions:
> 1 - Is freeRadius server able to send a disconnect-request?
> 2 - If so, where can I get information on how to do this?
> 3 - Do we still have to use radclient to send the message?
>
> Thank you.
> Jean
Re: Freeradius+mysql+chillispot
Hi,

this:

    User-Password = L] \ 357DK \ 027 \ 304 \ 033 \ 376Hx. \ 342Ö \ 336

and this:

    WARNING: unprintable characters in the password. Double-check the shared secret on the server and the NAS!

are clear signs that the shared secret on the NAS is wrong - or you've entered the wrong string in the clients.conf (or SQL table). fix it

alan
expiration linked to both huntgroup and user
Hi,

So here's my hurdle. I have multiple groups and use hunt-groups plus expiration time on the users for authentication. Assuming I have groups 1 2 how is it possible to link the expiration time to a group and the user and not just for the user. The expiration time is set on a per user level (not per group) which means a given user will either have access or not have access. A user can not have access to hunt-group 1 with an expiration in 10 days as well as an access expiring in 2 hours on hunt-group B. I only want to have one user over the whole domain so do not want to create multiple users and then append to the name on the incoming request and authenticate against multiple users who are in fact the same.

Is there any other way round this problem?

Many thanks,
Chris
Re: Freeradius-Users Digest, Vol 63, Issue 29
Hi Alan,

Thank you for this response. I accept of course that garbage in garbage out, bad data is nothing the Radius can fix. However, I thought this through and when I make the following assumptions:

- Freeradius has different SQL statements stored in its configuration for radacct update and insert;
- It is Freeradius' responsibility to decide whether to perform an insert or update; and
- AcctSessionId and AcctUniqueId are unique identifiers for one session; there should be only exactly one record for each AcctSessionId and AcctUniqueId;

Then there is still something amiss with the Freeradius updates of radacct. Even if erroneously session updates are sent in duplicate or with same or differing information, Freeradius should not insert a new record for an existing AcctSessionId and AcctUniqueId. Based on the above assumptions double entries for AcctSessionId and AcctUniqueId should never occur in radacct. Freeradius' insert/update logic should prevent that. However, multiple entries (anything between 2 and 17 in about 1% of all cases) is what we see in my extracts.

Any thoughts?

Hanno

> Hanno Schupp wrote:
>> I am having trouble with my radacct table. Which creates some 80k entries per annum. For about 1% of users it contains doubled up entries (entries with same AcctSessionId and same AcctUniqueId) and also lots of entries with the Username being empty (as opposed to either filled or Null).
>
> Blame the NAS. FreeRADIUS logs whatever the NAS sends. If the NAS sends two packets that have *different* information for the same user session... then the NAS is broken.
>
>> What could cause the doubled up radacct entries and what might cause the empty UserName radacct updates?
>
> The NAS is sending bad data.
>
> Alan DeKok.