Re: Version 1.0.2 has been released.
On Wed, Feb 16, 2005 at 02:55:12PM -0500, Alan DeKok wrote:
> FreeRADIUS 1.0.2 ; $Date: 2005/02/13 01:03:20 $, urgency=medium
> * Novell eDirectory support. Patch from Novell.
> * localweb Trapeze dictionary updates.
> * EAP-SIM fixes.
> * Make Strip-User-Name = No work.
> * Don't declare zero-length arrays in rlm_passwd
> * Bug fix to make udpfromto code work
> * radrelay shouldn't dump core if it can't read a VP from the detail file.
> * Only initialize the random pool once.
> * In rlm_sql, don't escape characters twice.
> * Fix MD4 calculation on big-endian machines.
> * In rlm_ldap, only claim Auth-Type if a plain text password is present
> * Treat Quintium VSAs like Cisco VSAs
> * Locking fixes in threading code
> * rlm_krb5 includes /usr/include/et for Fedora Core
> * Fix post-auth REJECT stanza processing for rejections from external processes or home RADIUS servers
> * Fix building on gcc-4.0 by not trying to access static auth_port from other files.
> * Fix building SNMP support on Solaris 9, which needs -lkstat
>
> Alan DeKok.

Dear Alan,

unfortunately, as I can see, the patch discussed in http://bugs.freeradius.org/show_bug.cgi?id=128 was not applied in this release. Is this an omission, or is the plan to apply it later?

Thanks and keep up the good work!

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Install Solaris9 - ver 1.0.1 and 1.0.2
Do you need x99 support? If not, you can disable that by removing it from the Make.inc.

> gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DX99_MODULE_NAME=\rlm_x99_token\ -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
> In file included from x99_rlm.c:54:
> x99.h:26:42: openssl/des.h: No such file or directory

Here's the first problem. If you need x99, then you need to find out why gcc can't find openssl/des.h.

Do you have openssl installed? What (if any) parameters did you pass to configure? configure obviously thought that it can build the x99 module, so there could be something that configure is checking, but isn't getting transferred over to the x99 module's Makefile... Or, there could be something that configure should be checking for that it is not checking by default.

Check the config.log file in the freeradius-1.0.2 directory after doing a configure. Search for all instances of x99 and determine if configure thinks that it should build ok. You can then possibly use that information to determine what flags should be included in the x99 Makefile to get x99 to compile.

I build on Solaris 9 also, so if you get really stuck I may be able to help troubleshoot some more if you want x99 support. I don't need it, so I remove it from Make.inc so it doesn't try to build.

hope that helps...

Mike

Re: Pre-Proxy-Type, Post-Proxy-Type
On Sunday 13 February 2005 at 15:17, Nicolas Baradakis wrote:
> Post-Proxy-Type is a check item, therefore I think you can set it in the first pass of authorization, then the server remembers it when it receives the reply from the realm server.

good

I noticed the freeRADIUS 1.0.2 release without your patch...what a pity :(

--
Massimiliano Liccardo (maX) [EMAIL PROTECTED]
jid:[EMAIL PROTECTED]
GnuPG public key available on wwwkeys.eu.pgp.net
Key ID: D01F1CAD
Key fingerprint: 992D 91B7 9682 9735 12C9 402D AD3F E4BB D01F 1CAD
speed leads to forgetting, slowness to remembering

Dialup admin PostgreSQL
Hi all

First of all, congratulations for your huge work. FreeRADIUS 1.0.2 is working fine with me using EAP/TTLS and PostgreSQL.

I am trying to use the dialup admin with a PostgreSQL database. I have created the additional tables, modifying the given sql files a little bit to fit the pgsql syntax.

Is there any known bug running dialup admin with a pgsql database? Can we use every function that is currently implemented with MySQL (I hope more)?

Has anyone tried to make the bin scripts in shell script rather than perl?

I'll try to submit some patches in order to make the dialup admin even more efficient with pgsql.

Thanks a lot for your answers.

Best regards,
Florian

--
Regards,
Florian
Association Nantes-Wireless
www.nantes-wireless.org
www.alphacore.net

Re: Dialup admin PostgreSQL
On Thu, 17 Feb 2005, Florian Fainelli wrote:
> Hi all
>
> First of all, congratulations for your huge work. FreeRADIUS 1.0.2 is working fine with me using EAP/TTLS and PostgreSQL.
>
> I am trying to use the dialup admin with a PostgreSQL database. I have created the additional tables, modifying the given sql files a little bit to fit the pgsql syntax.
>
> Is there any known bug running dialup admin with a pgsql database? Can we use every function that is currently implemented with MySQL (I hope more)?

dialupadmin is developed in MySQL. pgsql support was added just based on the php module documentation so there may be bugs here and there. I am counting on dialupadmin users to point them out.

> Has anyone tried to make the bin scripts in shell script rather than perl?

I don't see a reason for that.

> I'll try to submit some patches in order to make the dialup admin even more efficient with pgsql.

That's great.

> Thanks a lot for your answers.
>
> Best regards,
> Florian
>
> --
> Regards,
> Florian
> Association Nantes-Wireless
> www.nantes-wireless.org
> www.alphacore.net

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Re: Version 1.0.2 has been released.
On Thu, 17 Feb 2005, Kostas Zorbadelos wrote:
> On Wed, Feb 16, 2005 at 02:55:12PM -0500, Alan DeKok wrote:
>> FreeRADIUS 1.0.2 ; $Date: 2005/02/13 01:03:20 $, urgency=medium
>> * Novell eDirectory support. Patch from Novell.
>> * localweb Trapeze dictionary updates.
>> * EAP-SIM fixes.
>> * Make Strip-User-Name = No work.
>> * Don't declare zero-length arrays in rlm_passwd
>> * Bug fix to make udpfromto code work
>> * radrelay shouldn't dump core if it can't read a VP from the detail file.
>> * Only initialize the random pool once.
>> * In rlm_sql, don't escape characters twice.
>> * Fix MD4 calculation on big-endian machines.
>> * In rlm_ldap, only claim Auth-Type if a plain text password is present
>> * Treat Quintium VSAs like Cisco VSAs
>> * Locking fixes in threading code
>> * rlm_krb5 includes /usr/include/et for Fedora Core
>> * Fix post-auth REJECT stanza processing for rejections from external processes or home RADIUS servers
>> * Fix building on gcc-4.0 by not trying to access static auth_port from other files.
>> * Fix building SNMP support on Solaris 9, which needs -lkstat
>>
>> Alan DeKok.
>
> Dear Alan,
>
> unfortunately, as I can see, the patch discussed in http://bugs.freeradius.org/show_bug.cgi?id=128 was not applied in this release. Is this an omission, or is the plan to apply it later?
>
> Thanks and keep up the good work!

The patch was just committed in CVS. Could you check it out and make sure everything works as expected?

> --
> Kostas Zorbadelos
> Systems Developer, Otenet SA
> mailto: [EMAIL PROTECTED]
> Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

1.0.1 + MPPE
I can't get MPPE working. I see in cisco's debug that the user logs in ok by MS-CHAPv2, but MPPE doesn't work, cisco's debug says:

  MPPC: no encryption keys available, disabling optional MPPE.

Could someone tell me what's wrong?

radiusd.conf:

  modules {
      ...
      mschap {
          authtype = MS-CHAP
          use_mppe = yes
      }
  }
  authorize {
      ...
      mschap
  }
  authenticate {
      ...
      Auth-Type MS-CHAP {
          mschap
      }
  }

--
DSS5-RIPE DSS-RIPN 2:550/[EMAIL PROTECTED] 2:550/[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] http://neva.vlink.ru/~dsh/

Re: Ldap Group Attribute radiusGroupName
On Thu, 17 Feb 2005, Chan Min Wai wrote:
> Kostas Kalevras wrote:
>> You've got multiple instances of the ldap module and you're using the wrong one to perform group checks. Use:
>>
>> DEFAULT ldap_instance-Ldap-Group == disabled, Auth-Type := Reject
>
> Ok. Things are starting to be more interesting now. I'm using the following entry in users as below:
>
> DEFAULT ocesbldap-Ldap-Group == cn=disabled,ou=profiles,dc=ocesb,dc=com,dc=my,dc=., Auth-Type := Reject
>         Reply-Message = Sorry, you are not allowed to have dialup access
>
> =OR==
>
> DEFAULT ocesbldap-Ldap-Group == disabled, User-Profile := cn=disabled,ou=profiles,dc=ocesb,dc=com,dc=my,dc=., Auth-Type := Reject
>         Reply-Message = Sorry, you are not allowed to have dialup access
>
> Both of them are working however... It seems they don't care what group the user is in and just by default disable everybody. Anyone have some hints for me...

Run the server in debug mode to see what happens exactly.

> After working on this Group, I'm thinking what is the real use of Group?

None really, apart from group checks like the above

> Define the default attribute/replyItem for certain services?

That's what Default/Regular/User profiles are for.

> Regards,
> Chan Min Wai

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Re: huntgroup question
On Wed, 16 Feb 2005, Dustin Doris wrote:
> I was wondering if you can add multiple check-items to huntgroup lines, besides Nas-Port-Id. Right now, it appears to be working for me, with Nas-Port-Type. Using something like this
>
> dial NAS-IP-Address == 127.0.0.1, Nas-Port-Type == Async
> isdn NAS-IP-Address == 127.0.0.1, Nas-Port-Type == ISDN
>
> It seems to be working fine for me, just wanted to check to see if that is intended behavior. I only see reference to Nas-Port-ID in the documentation, which is why I ask.

I think you can.

> Thanks
> Dusty Doris

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

rlm_linelog
I'm not sure anyone has any experience with this module yet, but I thought I'd ask since there isn't any documentation and I really wouldn't know where to look for this information.

It appears from my fumbling around in the .c file that this module is looking for two different parameters; one is 'filename', the other is 'format'.

filename is fairly straightforward, format however is not. I have no idea what my options are for formatting the strings it is outputting. Does anyone have any hints on this..

All I really would like it to do is print

  [$username/$password]

Shouldn't be too hard, however I don't really know how to tell it to do that. Anyone hit me with the cluebat? You guys have been really helpful, I just need this one last little push, and I can be done with this nightmarish project.

Thanks,
-Drew

Re: rlm_linelog
On Thu, 17 Feb 2005, Drew Weaver wrote:
> I'm not sure anyone has any experience with this module yet, but I thought I'd ask since there isn't any documentation and I really wouldn't know where to look for this information.
>
> It appears from my fumbling around in the .c file that this module is looking for two different parameters; one is 'filename', the other is 'format'.
>
> filename is fairly straightforward, format however is not. I have no idea what my options are for formatting the strings it is outputting. Does anyone have any hints on this..
>
> All I really would like it to do is print
>
>   [$username/$password]
>
> Shouldn't be too hard, however I don't really know how to tell it to do that.

Whatever is supported by the xlat function. Check out doc/variables.txt

> Anyone hit me with the cluebat? You guys have been really helpful, I just need this one last little push, and I can be done with this nightmarish project.
>
> Thanks,
> -Drew

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

RE: Freeradius + mysql + dial-up admin - strange error (admin,en)
On Wed, 16 Feb 2005, Hyperlink Admin wrote:
> Hi There,
>
> Thanx for the reply.
>
> I am using the version that came with freeradius 1.0.1. I have not made any changes to any of the pages, except the admin.conf file.
>
> I tried to get the latest CVS version with the method in the HOWTO. I copied the files to /usr/local/dialup_admin, but then trying to access the webpage, I got a file not found (buttons.html) error where the buttons should be. Don't know if I did something wrong?

There's no buttons.html in dialupadmin so you're probably doing something wrong. The file is usually called buttons.php3

> Thanks
> Jacqueco Peenz
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras
> Sent: 16 February 2005 03:03 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Freeradius + mysql + dial-up admin - strange error (admin,en)
>
> On Wed, 16 Feb 2005, Hyperlink Admin wrote:
>> Hi Guys,
>>
>> I am running freeradius 1.01, Freebsd 5.3, MySQL 4.15, PHP4 and apache 1.3
>>
>> I have everything set up more or less correctly (I think), but I am experiencing a weird problem. I have checked, and double checked my config files, and cannot see anything in there that would cause this error.
>>
>> When I open the dialupadmin webpage and try to add a user or a group I always get 'admin,en' in the username or group name field. I then replace it with the proper username or group name, and fill in all the rest of the required fields. When I click on submit or add, the user is created successfully, but with the wrong username or groupname. It defaults back to admin,en as the username or group name. When I then try to add another user or group, the same thing happens and I change the name again, but then it tells me user (or group) admin,en already exists.
>>
>> Could anybody please help me to try to sort this problem out? I really need to get this up and running soon.
>
> What version of dialupadmin are you using? Try using the latest CVS version. Have you done any changes in any of the pages?
>
>> Thank you,
>> Jacqueco Peenz
>
> --
> Kostas Kalevras
> Network Operations Center [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Re: !!!
On Wed, 16 Feb 2005, Ruslan A Dautkhanov wrote: ! fnasirov wrote: Hello ! Huawei A8010 Expert Access Server [ http://www.futurewei.com/itemsdetail.asp?catid=6dt=productsid=68 http://www.futurewei.com/itemsdetail.asp?catid=6dt=productsid=68 ] patch for checkrad located at ftp://rd.ranetka.ru/pub/checkrad/checkrad.patch . The link does not work. Could you post a bug report in bugs.freeradius.org for the patch to be added? That SNMP oids test for dial-up clients, but no reasons why it can't be used with other types of subscribers... May you commit to current CVS ? This patch tested for about 1,5 years in our environment :) ?? ? ?? ?? ? ??. ? ???. ? ?, --- checkradSat May 29 19:27:56 2004 +++ checkrad-patchedSat May 29 19:53:36 2004 @@ -25,6 +25,7 @@ # cyclades_snmp1.0Author: [EMAIL PROTECTED] # usrhiper_snmp1.0Author: [EMAIL PROTECTED] # multitech_snmp 1.0Author: [EMAIL PROTECTED] +# huawei_snmp 1.0Author: Ruslan A Dautkhanov [EMAIL PROTECTED] # netserver_telnet 1.0Author: [EMAIL PROTECTED] # versanet_snmp1.0Author: [EMAIL PROTECTED] # bay_finger 1.0Author: [EMAIL PROTECTED] @@ -426,6 +427,20 @@ } # +# Check a Huawei A8010 Expert Access Server +# +# Author: Ruslan A Dautkhanov [EMAIL PROTECTED] +# +$hwsm= '.iso.org.dod.internet.private.enterprises.2011'; +sub huawei_snmp { +$login = snmpget($ARGV[1], $cmmty_string, $hwsm.2.3.4.3.2.2.1.5.0.$ARGV[2]); + my $cbhack = $login =~ s/^\d+:// ? 'yes':'no'; +print LOG user at port N $ARGV[2]: $login callback-hack=$cbhack\n if $debug; + +($login eq $ARGV[3]) ? 1 : 0; +} + +# # Check a Computone Powerrack via finger # # Old Author: Shiloh Costa of MDI Internet Inc. [EMAIL PROTECTED] @@ -928,7 +943,8 @@ $login = snmpget($ARGV[1], $password, $usrm.4.10.1.1.18.$oidext); if ($login =~ /\/) { - $login =~ /^.*\([^]+)\/; + $login =~ /^.*\([^]+)\/; +# - this comment for proper syntax highlighting in Midnight Commander (MC) $login = $1; } 
@@ -1382,6 +1398,8 @@ $ret = cvx_snmp; } elsif ($ARGV[0] eq 'multitech') { $ret = multitech_snmp; +} elsif ($ARGV[0] eq 'huawei') { + $ret = huawei_snmp; } elsif ($ARGV[0] eq 'computone') { $ret = computone_finger; } elsif ($ARGV[0] eq 'max40xx') { -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
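Review bot: In the new huawei_snmp sub, an SNMP failure is indistinguishable from "that user is not on the port": if snmpget returns nothing, ($login eq $ARGV[3]) ? 1 : 0 evaluates to 0, so an unreachable NAS or a wrong $cmmty_string is reported the same way as a clean negative. Return a distinct error value when $login is empty. $ARGV[2] is also appended to the OID without being checked; validate it as digits before the snmpget call. $login should be declared with my, as $cbhack is, and the s/^\d+:// "callback-hack" that silently strips a numeric prefix from the login deserves a comment saying when the NAS produces that prefix.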
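Review bot: The hunk at -928 is unrelated to Huawei support and should be dropped or sent separately: it rewrites an existing regex line in the $usrm lookup and adds a comment whose only stated purpose is syntax highlighting in Midnight Commander. Keeping editor workarounds out of the patch leaves it limited to the header line, the huawei_snmp sub and the 'huawei' dispatch branch, which is what the bug report should carry.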
With-edir in 1.02 / Novell eDirectory
Novell has worked with the most recent release of freeradius to include support for eDirectory. (Thank you, Novell.)

Up until now I've only been able to make freeradius work with eDirectory over clear text ldap on TCP:389. We really want to have freeradius connect via ldaps on TCP:636. I have been able to get freeradius to work over ldaps with openldap, but not with edirectory.

The new integration with edirectory (compile with --with-edir) is supposed to work. However Novell has not distributed the Radius plug-in for iManager (it's locked away on their beta servers).

Does ANYONE here know of a way to get ahold of this plug-in? I've contacted some fairly high level engineers at Novell and for several days we haven't been able to get the plug-in. I can only assume that the developers from novell and those of you who develop for free-radius have some information that my sources don't about this plug-in.

There's a link to the plug-in on the open source site forge.novell.com so I'm hoping that this plug-in is GPL.

BTW - You coders have built a ROCK SOLID product. I have no idea how you manage to do this and still keep a day job.

Re: Version 1.0.2 has been released.
On Thu, Feb 17, 2005 at 03:16:30PM +0200, Kostas Kalevras wrote:
> The patch was just committed in CVS. Could you check it out and make sure everything works as expected?
>
> --
> Kostas Kalevras
> Network Operations Center [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

Kostas,

I cannot find a web cvs interface in the freeradius site. I will wait till tomorrow and I will download the latest snapshot. The patch as seen in http://bugs.freeradius.org/show_bug.cgi?id=128 is already applied in our production environment and runs without problems for a few months.

Thanks a lot
Kostas

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.

Re: Version 1.0.2 has been released.
On Thu, 17 Feb 2005, Kostas Zorbadelos wrote:
> On Thu, Feb 17, 2005 at 03:16:30PM +0200, Kostas Kalevras wrote:
>> The patch was just committed in CVS. Could you check it out and make sure everything works as expected?
>>
>> --
>> Kostas Kalevras
>> Network Operations Center [EMAIL PROTECTED]
>> National Technical University of Athens, Greece
>> Work Phone: +30 210 7721861
>> 'Go back to the shadow' Gandalf
>
> Kostas,
>
> I cannot find a web cvs interface in the freeradius site. I will wait till tomorrow and I will download the latest snapshot. The patch as seen in

http://www.freeradius.org/development.html#cvs
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/

And you're right, the link to the web cvs interface should appear in the freeradius site.

> http://bugs.freeradius.org/show_bug.cgi?id=128 is already applied in our production environment and runs without problems for a few months.
>
> Thanks a lot
> Kostas
>
> --
> Kostas Zorbadelos
> Systems Developer, Otenet SA
> mailto: [EMAIL PROTECTED]
> Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Re: With-edir in 1.02 / Novell eDirectory
Believe it or not, I have found the information. The i-Manager plug in is the file radius_npm.tar.gz. This file is on the forge.novell.com site and is placed in a manner that misled me into believing that it was not the imanager plugin required for freeradius.

We're actually planning on using freeradius 1.02 with edirectory in a production environment. I'll post any gotchas to the list and help in any way that I can.

Thanks,
Dennis

On Thu, 17 Feb 2005 08:58:44 -0600, Dennis Comeaux [EMAIL PROTECTED] wrote:
> Novell has worked with the most recent release of freeradius to include support for eDirectory. (Thank you, Novell.)
>
> Up until now I've only been able to make freeradius work with eDirectory over clear text ldap on TCP:389. We really want to have freeradius connect via ldaps on TCP:636. I have been able to get freeradius to work over ldaps with openldap, but not with edirectory.
>
> The new integration with edirectory (compile with --with-edir) is supposed to work. However Novell has not distributed the Radius plug-in for iManager (it's locked away on their beta servers).
>
> Does ANYONE here know of a way to get ahold of this plug-in? I've contacted some fairly high level engineers at Novell and for several days we haven't been able to get the plug-in. I can only assume that the developers from novell and those of you who develop for free-radius have some information that my sources don't about this plug-in.
>
> There's a link to the plug-in on the open source site forge.novell.com so I'm hoping that this plug-in is GPL.
>
> BTW - You coders have built a ROCK SOLID product. I have no idea how you manage to do this and still keep a day job.

h323-remote-address
Hi

My problem isn't really with freeradius but I'm hoping someone on the list is familiar with the situation. I've got a Cisco AS5400 running IOS 12.2 acting as my gateway. For voip to voip calls the h323-remote-address attribute is only sent in the stop request and not the start. I saw a similar question in the list archive but no solution was posted. Anyone familiar with this or a similar setup?

Regards,
Chetan

Re: Version 1.0.2 has been released.
Mitchell, Michael J [EMAIL PROTECTED] wrote:
> Very minor point... The link to 1.0.2 on the freeradius home page points back to http://www.freeradius.org rather than the tar file (as per previous releases).

One quote too many... fixed.

Alan DeKok.

Re: 1.0.1 + MPPE
Denis Shaposhnikov [EMAIL PROTECTED] wrote:
> I can't get MPPE working. I see in cisco's debug that the user logs in ok by MS-CHAPv2, but MPPE doesn't work, cisco's debug says:
>
>   MPPC: no encryption keys available, disabling optional MPPE.
>
> Could someone tell me what's wrong?

Without the debug log, no, we can't.

Alan DeKok.

Re: rlm_linelog
Drew Weaver [EMAIL PROTECTED] wrote:
> I'm not sure anyone has any experience with this module yet, but I thought I'd ask since there isn't any documentation and I really wouldn't know where to look for this information.
>
> It appears from my fumbling around in the .c file that this module is looking for two different parameters; one is 'filename', the other is 'format'.
>
> filename is fairly straightforward, format however is not. I have no idea what my options are for formatting the strings it is outputting. Does anyone have any hints on this..
>
> All I really would like it to do is print

The format is a string where variables are expanded, just like the filename.

  format = %{User-Name} logged in from %{NAS-IP-Address} with %{NAS-Port}

Alan DeKok.

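The expansion described in the reply above, as an added example that is not part of the thread and is not FreeRADIUS code: a small Python model of `%{Attribute}` substitution that audits a linelog `format` for credential attributes (the `[$username/$password]` case from the question) and escapes control characters in expanded values so a crafted User-Name cannot start a new log line. The syntax subset handled, the `SENSITIVE` set and the sample request are assumptions of this example.

```python
import re

# %{Attr}, %{list:Attr} and %{Attr:-default}: the subset of the expansion
# syntax this example models (an assumption; doc/variables.txt in the server
# tree is the reference for the real grammar).
VAR = re.compile(r"%\{(?:([A-Za-z-]+):(?!-))?([A-Za-z0-9-]+)(?::-([^}]*))?\}")

# Attributes that carry credentials or credential-derived material.
# The selection is this example's own, not a list shipped with the server.
SENSITIVE = {"user-password", "chap-password",
             "ms-chap-response", "ms-chap2-response"}


def audit(fmt):
    """Return the sensitive attributes a format string would write to the log."""
    found = []
    for _list_name, name, _default in VAR.findall(fmt):
        if name.lower() in SENSITIVE and name not in found:
            found.append(name)
    return found


def _escape(value):
    """Escape non-printable characters so a value cannot forge a log line."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in value)


def expand(fmt, lists, redact=True):
    """Expand fmt against attribute lists such as {"request": {...}}.

    An unqualified %{Attr} is looked up in the "request" list. Missing
    attributes expand to the :-default if one is given, else to "".
    """
    def repl(match):
        list_name = match.group(1) or "request"
        name, default = match.group(2), match.group(3)
        if redact and name.lower() in SENSITIVE:
            return "<redacted>"
        attrs = {k.lower(): v for k, v in lists.get(list_name, {}).items()}
        value = attrs.get(name.lower())
        if value is None:
            value = default or ""
        return _escape(str(value))
    return VAR.sub(repl, fmt)


# Constructed sample data (not taken from the thread).
SAMPLE = {"request": {"User-Name": "bob", "User-Password": "hunter2",
                      "NAS-IP-Address": "192.0.2.10", "NAS-Port": "7"}}
FORMAT_FROM_REPLY = "%{User-Name} logged in from %{NAS-IP-Address} with %{NAS-Port}"
FORMAT_WITH_PASSWORD = "[%{User-Name}/%{User-Password}]"

if __name__ == "__main__":
    for fmt in (FORMAT_FROM_REPLY, FORMAT_WITH_PASSWORD):
        print("format   :", fmt)
        print("sensitive:", audit(fmt) or "none")
        print("log line :", expand(fmt, SAMPLE))
```

A log written with the second format holds cleartext passwords for every request, so the file needs the same protection as the credential store itself.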
Re: Version 1.0.2 has been released.
Kostas Kalevras [EMAIL PROTECTED] wrote:
> http://www.freeradius.org/development.html#cvs
> http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/
>
> And you're right, the link to the web cvs interface should appear in the freeradius site.

? It does. Hmm... I'll make it a little more prominent.

Alan DeKok.

Re: Error: TIMEOUT for request xxxx in module server core
Serg Shipaev [EMAIL PROTECTED] wrote:
> Due using FreeRadius with rlm_perl module I got the following messages in radius.log file:
>
>   Thu Feb 17 02:33:52 2005 : Error: TIMEOUT for request 37555 in module server core, component accounting

That's a new message, which should hopefully make debugging easier.

> So, would you please help me to understand, what does it mean?

It means that something is blocked while processing the accounting packet. Unfortunately, it's more difficult to find out *what* is blocking. Run it in debugging mode to see what is slow.

Alan DeKok.

Re: trouble building 1.0.2 on Tru64 5.1B
Tim Winders [EMAIL PROTECTED] wrote:
> I am having trouble building 1.0.2 on Tru64 5.1B. make dies with this error:
>
>   ld: Unresolved: set_auth_parameters

Unfortunately, I don't know of anyone else running Tru64. My suggestion is to go to src/include/autoconf.h, and delete the line saying #define OSFC2. Re-build, and it should work.

Alan DeKok.

Re: Install Solaris9 - ver 1.0.1 and 1.0.2
> Message: 2
> Date: Wed, 16 Feb 2005 16:40:30 -0700 (MST)
> From: Data Processing Fone Net [EMAIL PROTECTED]
> Subject: Install Solaris9 - ver 1.0.1 and 1.0.2
> To: freeradius-users@lists.freeradius.org
> Reply-To: freeradius-users@lists.freeradius.org
>
> Afternoon,
>
> I can not get the 1.0.1 or 1.0.2 versions to compile on my Solaris 9 server. I went to the FAQs and archive to research past recommendations. I have installed all the recommended packages, updated the CPAN modules, installed all new gcc, make, ld and the like. I put on the newest patches for sol9. I have tried the standard ./configure, I tried the recommended ./configure in the archives and I am not able to get a build.
>
> I remove the freeradius dir and untar the tar ball each time I attempt to get a build completed. Here is what I do get on the make and make install. configure seems to be ok. I am not the best or most knowledgeable when it comes to this so I do expect it is a simple problem that I have missed.
>
> End of the make process:
>
> make[6]: Leaving directory `/var/tmp/freeradius-1.0.2/src/modules/rlm_unix'
> Making static dynamic in rlm_x99_token...
> make[6]: Entering directory `/var/tmp/freeradius-1.0.2/src/modules/rlm_x99_token'
> gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DX99_MODULE_NAME=\rlm_x99_token\ -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
> In file included from x99_rlm.c:54:
> x99.h:26:42: openssl/des.h: No such file or directory
> In file included from x99_rlm.c:54:

msg truncated.

On my Sol 9 box, I removed all references to x99 in the makefile and then it compiled just fine. But then, I didn't need that stuff so I was okay with that.

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

RE: trouble building 1.0.2 on Tru64 5.1B
> Tim Winders [EMAIL PROTECTED] wrote:
>> I am having trouble building 1.0.2 on Tru64 5.1B. make dies with this error:
>>
>>   ld: Unresolved: set_auth_parameters
>
> Unfortunately, I don't know of anyone else running Tru64. My suggestion is to go to src/include/autoconf.h, and delete the line saying #define OSFC2. Re-build, and it should work.

I rebuilt and it seemed to work, but now when I start freeradius, I get:

  Starting FreeRADIUS:Thu Feb 17 13:02:07 2005 : Info: Starting - reading configuration files ...
  /usr/local/sbin/rc.radiusd: 407044 Memory fault - core dumped
  radiusd

I remember I had a heck of a time getting the snapshot-20041210 running, but I finally did. Unfortunately, I did not document it and never got around to sending it to the list when it was fresh on my mind. :-(

=== Tim

RE: trouble building 1.0.2 on Tru64 5.1B
Tim Winders [EMAIL PROTECTED] wrote: I am having trouble building 1.0.2 on Tru64 5.1B. make dies with this error: ld: Unresolved: set_auth_parameters Unfortunately, I don't know of anyone else running Tru64. My suggestion is to go to src/include/autoconf.h, and delete the line saying #define OSFC2. Re-build, and it should work. I rebuilt and it seemed to work, but now when I start freeradius, I get: Starting FreeRADIUS:Thu Feb 17 13:02:07 2005 : Info: Starting - reading configuration files ... /usr/local/sbin/rc.radiusd: 407044 Memory fault - core dumped radiusd I remember I had a heck of a time getting the snapshot-20041210 running, but I finally did. Unfortunately, I did not document it and never got around to sending it to the list when it was fresh on my mind. :-( === Tim As a followup, I built snapshot-20050216 with the same options as 1.0.2 and it does run, although with some warnings on startup: Starting FreeRADIUS:Thu Feb 17 13:16:26 2005 : Info: Starting - reading configuration files ... Thu Feb 17 13:16:26 2005 : Info: Using deprecated naslist file. Support for this will go away soon. Thu Feb 17 13:16:26 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
radiusd
RE: CHAP / PAP ?
Stupid question. Is it possible to do CHAP for some accounts and PAP for others? I'm using CHAP and it works great for PC users. But I have some WebTV receivers that as far as I can tell only do PAP. And they aren't getting connected through my 3COM Total Control 1000's. Would it work if I created a separate group for them and used encrypted passwords in MySql to authenticate them? Using Freeradius 1.0.1-1, MySql 3.23.58-9.1 Joel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Solaris packages available on www.blastwave.org
Packages for 1.0.1 are available on www.blastwave.org. Please submit any bugs there. mph - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 1.0.2 has been released.
Kostas Kalevras wrote: And you 're right, the link to the web cvs interface should appear in the freeradius site. It's on the http://www.freeradius.org/development.html page. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 1.0.2 has been released.
Alan DeKok wrote: And you 're right, the link to the web cvs interface should appear in the freeradius site. ? It does. Hmm... I'll make it a little more prominent. Alan DeKok. In my humble opinion, the top menu is very bad to use. I personally think that menu items should always be the same on every page, which makes navigation a lot easier. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Assembling call legs.
I have a quick question, I remember seeing this in the docs somewhere but for the life of me I can't find where it was again. I have records coming in from a cisco gatekeeper that should have 2 legs. I see ip addresses from carriers I'm buying minutes from and those buying from me. So I know there are ingress and egress records, but the Acct-Session-Id that is supposed to bind the 2 together never matches. Is this an issue at the freeradius level or is it at the gatekeeper. I would assume it's at the gatekeeper because freeradius doesn't know or care about call legs, right? I ask this because we need to make sure 100% it's not a freeradius issue before it's time to call Cisco tech support. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP / PAP ?
Thor Spruyt wrote: PAP can work with unencrypted passwords in the backend. CHAP cannot. I think you mean the other way around ;-) CHAP *requires* clear text passwords in the backend. PAP can work with either encrypted or clear text passwords in the backend. Don't want to confuse people ;-) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_linelog
The format is a string where variables are expanded, just like the filename. format = %{User-Name} logged in from %{NAS-IP-Address} with %{NAS-Port} Alan, I am a little confused.. Even though my format is just this: format = %{User-Name} My log the contents of filename is: Packet-Type = Access-Request Thu Feb 17 14:18:39 2005 User-Name = aweaver User-Password = 1234 NAS-IP-Address = 209.190.0.72 Client-IP-Address = 209.190.0.72 Stripped-User-Name = aweaver Realm = NULL Realm = NULL Proxy-State = 0x34 Any clues? -Drew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP / PAP ?
You can add to the same user entry an encrypted password (eg: SHA) for PAP authentication and an NTPassword for CHAP authentication (both would be different attribs of the same entry). You can use smbencrypt in the freeradius distribution to get the NTPassword encryption. J.M. Thor Spruyt wrote: Joel Eddy wrote: Would it work if I created a separate group for them and used encrypted passwords in MySql to authenticate them? PAP can work with unencrypted passwords in the backend. CHAP cannot. -- ___ Ing. Juan Manuel García Carral IntermediaSP Intermedia Comunicaciones S.A. Suipacha 128 - Bloque 2 Piso 2 C1008AAD Buenos Aires - Argentina Tel.: (+54 11) 5032 www.intermediasp.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_linelog
Alan, I am a little confused.. Don't really like replying to my own dreck, but I figured out why it wasn't displaying the username, then I realized there isn't a variable for passwords. Is there some way to get the password? Basically I just need like. format = [%{User-Name}/%{Password}] So each line in my logfile will just be [username/password] looking in doc/variables.txt I don't see a variable for passwords, but I know it has to be somewhere because if you do a radiusd -X it shows there in the request and you can log it by setting a config setting in radiusd.conf I'm really close to getting this thing to work. Thanks for any advice. -Drew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_linelog
Drew Weaver [EMAIL PROTECTED] wrote: Don't really like replying to my own dreck, but I figured out why it wasn't displaying the username, then I realized there isn't a variable for passwords. Is there some way to get the password? From where? If you mean the password in the Access-Request, it's a normal RADIUS attribute, called User-Password. This is visible in debug mode. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius +connect to postgresql server
On Tue, 2005-15-02 at 12:26 +, nake116 nake116 wrote: server =localhost login=postgres password=postgres #database table configuration radius_db=radiusdb Using the information you supplied, have you tried to use psql to access the database? Example $ psql --host localhost --username postgres --dbname radiusdb --password Enter Password : postgres If you cannot connect using that command you have not correctly configured the permissions in PostgreSQL, which is not a topic supported on the FreeRadius list. Note: It is not a good idea to use the postgres user for anything other than administration. Install pgadminIII if you need a GUI tool to administrate one or more PostgreSQL servers. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Copying accounting packets
Hello All, I'm looking for information on what others have done in similar situations. What i have to do is copy the accounting packets from one particular NAS device to another radius server. I know i can use radrelay for this if i copy all the accounting packets from that NAS device into one file but here is my dilemma. I am flat filing all accounting packets from the different NAS devices by IP then by date. Then once a day, i copy all these into a database for accounting/billing purposes. (yes i realize this is a little clunky but i lose almost no data this way, and the overall system runs faster, and i have a guaranteed backup if my database takes a major nosedive for the trashcan and the normal database backups fail as well) To add to the fun, I'm about to have to start forwarding all (from all NAS devices) accounting packets to a web content filtering system. So I suppose the question is, will there be a problem running two sets of radrelay (one on all accounting packets, and one on accounting packets from just one NAS)? or is there a better way to do this and I'm just being blind? -- Terry J Fike Jr System Administrator MTA Solutions 907-793-4100 [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sql accounting failover
hello, I am interested to know if it is possible to configure freeradius sql module to write in a file only the failed queries (accounting and/or auth)? From what I understand the sqltrace boolean parameter is used to log all the sql queries. I want to be able to reapply only the failed queries in case of an sql server crash. thanks, razvan radu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
dialup_admin - please help
Hi guys, Ok, I don't know what to do anymore. I have tried everything. I got it working yesterday, and most of today, then the problem came back. When I open one of the pages where I can enter the username or groupname I get admin,en filled in that field. When I turn on sql debug in admin.conf, on all pages where you can specify a username or password, something similar to this is on the screen: DEBUG(SQL,MYSQL DRIVER): Query: SELECT groupname FROM usergroup WHERE username = 'admin,en'; DEBUG(SQL,MYSQL DRIVER): Query It looks like it is getting the admin,en value from somewhere. I have tried working around it, but for example, when I want to edit a user, and I type the username in the field and click edit user, then it comes up with a User [admin,en] could not be found. For some reason it is defaulting back to admin,en. I have even tried restarting my whole installation from scratch, fresh FreeBSD installation, re-downloaded all src files, recompiling everything, and setting everything up from scratch. But I still get the same thing. Is it maybe the FreeBSD? Or version of PHP or something like that? What I did to fix it twice is to remove the whole /usr/local/dialup_admin directory and redo the whole installation from the freeradius tar file. Then it worked fine, and then all of a sudden it is back. I didn't change any config file, or make any other changes. I know someone mentioned trying to get the latest version via cvs, but when I followed the instructions in the HOWTO file, it downloaded a bunch of files, but it is mostly garbage. Commands I used: shell cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin login * When prompted for a password simply press the Enter Key shell cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/dialup-admin co dialup_admin I then replace the /usr/local/dialup_admin directory with the one that downloaded and then the whole page is just garbage. I have followed the HOWTO step-by-step, and still have no joy. 
If anybody got any idea what else I can try, please let me know. Thanks Jacqueco Peenz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Newbie: Radius + Mysql
I don't know much about the features you need. Basically RADIUS has different methods for getting user details, the users file in the etc/ folder has some. You need to edit the radiusd.conf file to use sql, giving sql priority over files by commenting out the files option. Then you need to create a database and use the supplied mysql.sql file to create the structure and insert some data into each table and use radtest to see if it's authenticating. Starting radius with -X as a switch will show what radius is doing and can be handy to see if it's connecting to mysql and if the authentication is working. If successful you should get Access-Accept as the result. When I used radtest to test sql I used the command ./radtest fredf wilma localhost 1845 mysecret123 This doc should get you going.. http://www.frontios.com/freeradius.html Hope it helps -Colin O'Keeffe On Tue, 15 Feb 2005 14:46:47 +0530, chetanjain [EMAIL PROTECTED] wrote: Hi Guys I am a newbie to Radius Can I get any howto on Configuring Freeradius + Mysql. I need a couple of features. 1. Download/Upload Bandwidth Control. Ascend-Data-Rate 2. Download/Upload Data Control --- 1GB Restriction (Need to Run a Script Before freeradius gives an Access-Accept to the NAS; my script will check for the data usage and give access-accept or access-reject message) Need your help guys Vol - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP / PAP ?
Michael Mitchell wrote: Thor Spruyt wrote: PAP can work with unencrypted passwords in the backend. CHAP cannot. I think you mean the other way around ;-) Not exactly the other way around, but I didn't explain correctly. CHAP *requires* clear text passwords in the backend. PAP can work with either encrypted or clear text passwords in the backend. That's correct. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
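The point settled in this exchange, shown as an added example that is not part of the thread: CHAP verification needs the password itself on the server, while PAP can be checked against a one-way hash. The `Backend` class, the salted SHA-1 storage format and the sample password are assumptions made for illustration; the CHAP formula is the MD5 one from RFC 1994.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a one-way 'encrypted' password column."""
    return hashlib.sha1(salt + password).digest()


class Backend:
    """Hypothetical user store: always keeps a salted hash, optionally the cleartext."""

    def __init__(self, password: bytes, keep_cleartext: bool):
        self.salt = os.urandom(8)
        self.hashed = salted_sha1(password, self.salt)
        self.cleartext = password if keep_cleartext else None

    def check_pap(self, submitted: bytes) -> bool:
        # PAP hands the server the password itself, so the server can hash
        # what it received and compare against the stored hash.
        return hmac.compare_digest(salted_sha1(submitted, self.salt), self.hashed)

    def check_chap(self, chap_id: int, challenge: bytes, response: bytes) -> bool:
        # CHAP hands the server only MD5(id || password || challenge). To
        # verify it the server must recompute that value, which needs the
        # password itself; a one-way hash of it is not a substitute.
        if self.cleartext is None:
            return False
        expected = chap_response(chap_id, self.cleartext, challenge)
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    password = b"wilma"  # constructed sample password
    chap_id, challenge = 7, os.urandom(16)
    from_client = chap_response(chap_id, password, challenge)

    clear_db = Backend(password, keep_cleartext=True)
    hashed_db = Backend(password, keep_cleartext=False)

    # Feeding the stored hash into the CHAP formula in place of the password
    # yields a different digest, so the hashed store has nothing to compare.
    from_hash = chap_response(chap_id, hashed_db.hashed, challenge)

    return {
        "pap_cleartext_backend": clear_db.check_pap(password),
        "pap_hashed_backend": hashed_db.check_pap(password),
        "pap_wrong_password": hashed_db.check_pap(b"betty"),
        "chap_cleartext_backend": clear_db.check_chap(chap_id, challenge, from_client),
        "chap_hashed_backend": hashed_db.check_chap(chap_id, challenge, from_client),
        "hash_substitutes_for_password": hmac.compare_digest(from_hash, from_client),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```
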
Re: rlm_linelog
Drew Weaver wrote: Basically I just need like. format = [%{User-Name}/%{Password}] format = [%{User-Name}/%{User-Password}] -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Copying accounting packets
Terry J Fike Jr wrote: Hello All, I'm looking for information on what others have done in similar situations. What i have to do is copy the accounting packets from one particular NAS device to another radius server. I know i can use radrelay for this if i copy all the accounting packets from that NAS device into one file but here is my dilemma. I am flat filing all accounting packets from the different NAS devices by IP then by date. Then once a day, i copy all these into a database for accounting/billing purposes. (yes i realize this is a little clunky but i lose almost no data this way, and the overall system runs faster, and i have a guaranteed backup if my database takes a major nosedive for the trashcan and the normal database backups fail as well) To add to the fun, I'm about to have to start forwarding all (from all NAS devices) accounting packets to a web content filtering system. So I suppose the question is, will there be a problem running two sets of radrelay (one on all accounting packets, and one on accounting packets from just one NAS)? or is there a better way to do this and I'm just being blind? Never let more than 1 radrelay process the same logfile! For each radrelay, you should configure a separate rlm_detail instance, which logs the needed packets to a different logfile which radrelay can read from. So for your situation, you need 3 rlm_detail instances: - 1 to log all requests to separate logfiles based on source ip and time - 1 to log all requests to a single logfile - 1 to log requests from a particular NAS to a single logfile -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sql accounting failover
[EMAIL PROTECTED] wrote: I am interested to know if it is possible to configure freeradius sql module to write in a file only the failed queries (accounting and/or auth)? Yes, read doc/configurable_failover from what I understand the sqltrace boolean parameter is used to log all the sql queries. Yes, that's probably not what you want because it's mainly for debugging your queries and would cause too much overhead. -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: [EMAIL PROTECTED] W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP / PAP ?
Joel Eddy [EMAIL PROTECTED] wrote: In MySql the passwords are in plain text. When I use NTRADPING to check authentication it will only give me an accept if I have the check mark in CHAP. If I remove the check it won't authenticate. Why are you looking at the client, when the server debug log will tell you exactly what it's doing, and why? I guess the question is do I need something special in Radgroupreply to do PAP authentication? The server comes configured to do PAP, CHAP, MS-CHAP, and a host of other authentication methods. If PAP doesn't work for you, then something in your local configuration is breaking PAP. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: CHAP / PAP ?
Run the server in debug mode (radiusd -X) and you'll see EXACTLY why it's failing... You need to ensure an Auth-Type is being set somewhere, sounds like it may not be... Also make sure your shared secret is correct. IIRC, you can have the wrong shared secret, and CHAP will still work, but PAP won't. At least that was my experience with NTRADPING. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Eddy Sent: Friday, 18 February 2005 11:15 AM To: freeradius-users@lists.freeradius.org Subject: Re: CHAP / PAP ? Okay, In MySql the passwords are in plain text. When I use NTRADPING to check authentication it will only give me an accept if I have the check mark in CHAP. If I remove the check it won't authenticate. I guess the question is do I need something special in Radgroupreply to do PAP authentication? Joel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
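Why the shared secret affects PAP but not CHAP, as an added example that is not part of the thread: RFC 2865 hides User-Password with an MD5 keystream derived from the shared secret and the Request Authenticator, whereas CHAP-Password is computed from the identifier, the password and the challenge only. The secrets and password are constructed sample values, and `simulate` is a hypothetical helper.

```python
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret || c(i-1)), c(0) = RA."""
    padded_len = max(16, -(-len(password) // 16) * 16)  # pad to 16-octet blocks
    padded = password.ljust(padded_len, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; only yields the password if secrets match."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: id octet followed by MD5(id || password || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def simulate(nas_secret: bytes, server_secret: bytes, password: bytes = b"wilma"):
    """Return (pap_ok, chap_ok) for one request; the server stores the cleartext."""
    request_auth = os.urandom(16)

    # PAP: the NAS hides the password with ITS secret, the server unhides
    # with its own. A mismatch turns the recovered password into garbage.
    hidden = hide_user_password(password, nas_secret, request_auth)
    recovered = recover_user_password(hidden, server_secret, request_auth)
    pap_ok = hmac.compare_digest(recovered, password)

    # CHAP: with no CHAP-Challenge attribute the Request Authenticator is the
    # challenge. Neither side's shared secret is an input to the digest.
    sent = chap_password(1, password, request_auth)
    expected = chap_password(sent[0], password, request_auth)
    chap_ok = hmac.compare_digest(sent, expected)
    return pap_ok, chap_ok


if __name__ == "__main__":
    print("matching secrets  :", simulate(b"testing123", b"testing123"))
    print("mismatched secrets:", simulate(b"testing123", b"testing124"))
```

The reply's Response Authenticator is still computed with the shared secret, so a client that checks it will reject an Access-Accept produced under a mismatched secret.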
Re: CHAP / PAP ?
I'm running the server that way at all times. I was reading in the Radius book to run it that way so you can see the log file go by. When I look at it says rad_check_password: Found Auth-Type System auth: type System modcall[authenticate]: module unix returns notfound for request 969 modcall; group authenticate returns notfound for request 969 auth: Failed to validate user I know I didn't set auth type to system. Or at least rather sure. I made sure not to set that as I've seen Alan go ape if that gets set. So I didn't want the wrath of Khan for setting it. ;-) It's got me perplexed. I'll do more reading in the Radius book. Joel - Original Message - From: Mitchell, Michael J [EMAIL PROTECTED] To: freeradius-users@lists.freeradius.org Sent: Thursday, February 17, 2005 6:20 PM Subject: RE: CHAP / PAP ? Run the server in debug mode (radiusd -X) and you'll see EXACTLY why it's failing... You need to ensure an Auth-Type is being set somewhere, sounds like it may not be... Also make sure your shared secret is correct. IIRC, you can have the wrong shared secret, and CHAP will still work, but PAP won't. At least that was my experience with NTRADPING. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Eddy Sent: Friday, 18 February 2005 11:15 AM To: freeradius-users@lists.freeradius.org Subject: Re: CHAP / PAP ? Okay, In MySql the passwords are in plain text. When I use NTRADPING to check authentication it will only give me an accept if I have the check mark in CHAP. If I remove the check it won't authenticate. I guess the question is do I need something special in Radgroupreply to do PAP authentication? Joel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP / PAP ?
Hi Joel, Yep, the default users file sets Auth-Type := System by default. The order, and behaviour of the modules in your 'authorize' section of radiusd.conf determine which Auth-Type is eventually used. I believe that each module will set the Auth-Type appropriately, *IF* the Auth-Type hasn't already been set... I've never really worked out the best way to change this behaviour that still adheres to the intended design, and still get the results I want. If you don't need to process the users file for authorization, you should be able to remove it from the 'authorize' section. Otherwise, if you do need to process the users file, probably the easiest is to change the default behaviour in the users file, ie change: # # First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type = System Fall-Through = 1 to: DEFAULT Auth-Type = PAP Fall-Through = 1 That should still let CHAP work when specified, but will default to PAP if no other method of authentication has already been specified. This is untested of course, so please report back to me if it worked or not... Alan or others may want to comment on this... regards, Mike Joel Eddy [EMAIL PROTECTED] wrote: I'm running the server that way at all times. I was reading in the Radius book to run it that way so you can see the log file go by. When I look at it says rad_check_password: Found Auth-Type System auth: type System modcall[authenticate]: module unix returns notfound for request 969 modcall; group authenticate returns notfound for request 969 auth: Failed to validate user I know I didn't set auth type to system. Or at least rather sure. I made sure not to set that as I've seen Alan go ape if that gets set. So I didn't want the wrath of Khan for setting it. ;-) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP / PAP ?
Michael Mitchell [EMAIL PROTECTED] wrote: DEFAULT Auth-Type = PAP Fall-Through = 1 That should still let CHAP work when specified, but will default to PAP if no other method of authentication has already been specified. This is untested of course, so please report back to me if it worked or not... Alan or others may want to comment on this... It's probably a good idea. I'm in the process of hacking the rlm_unix module in CVS so that it doesn't read /etc/passwd any more. Now that we have rlm_passwd, that module can read /etc/passwd. We can then have an authorize section to rlm_unix, and list it in authorize, just like pap, chap, and mschap. It will add a Crypt-Password to the request, if the user is in /etc/passwd. Then, the users file can be updated to do Auth-Type = PAP by default. The PAP module will take care of figuring out how to authenticate the user via the Crypt-Password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Copying accounting packets
Never let more than 1 radrelay process the same logfile! For each radrelay, you should configure a separate rlm_detail instance, which logs the needed packets to a different logfile which radrelay can read from. So for your situation, you need 3 rlm_detail instances: - 1 to log all requests to separate logfiles based on source ip and time - 1 to log all requests to a single logfile - 1 to log requests from a particular NAS to a single logfile -- Groeten, Regards, Salutations, Okay, sounds like what i was thinking. Thanks very much! t- -- Terry J Fike Jr System Administrator MTA Solutions 907-793-4100 [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How can I unsubscribe
How can I unsubscribe?
test freeradius
Hi! I have tested my freeradius server by connecting my laptop to internet explorer, but I can't connect. The message is: windows unable to find a certificate to log you on to the network xxx. Does somebody know what's wrong? Please help me, Thanx. Handa - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP / PAP ?
I APPRECIATE the help. If I'm understanding it correctly. The user file in /etc/raddb is read first then it moves to MySql to get its information for the user if nothing matches in the user file. As far as I can see I don't need to process the user file if I get everything set up correctly in the MySql database. If I use MySql to handle the process do I need to create a user table in the radius database to process authentication? If that would work could you or someone that has it set up send what would be required in it or a link to a how-to. Otherwise if it would be better to just make the changes in the user file I could do that instead. Sorry If I'm rambling. Just thinking out loud. Other than that I am LOVING freeradius and dialup admin. Just a few more small adjustments and I'll have it. I give you much applause. Keep up the good work. You've freed me of Microsoft forever by having this product of much labor available. You have my total admiration.( a little a$$ kissing here, or smoke in the orifice) ;-) I can only hope and pray that I become as wise as many of you are using Linux. Again THANKS for the help. If I get this to work I'll be sure to report back so the rest may benefit from its results. Joel - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: freeradius-users@lists.freeradius.org Sent: Thursday, February 17, 2005 7:12 PM Subject: Re: CHAP / PAP ? Michael Mitchell [EMAIL PROTECTED] wrote: DEFAULT Auth-Type = PAP Fall-Through = 1 That should still let CHAP work when specified, but will default to PAP if no other method of authentication has already been specified. This is untested of course, so please report back to me if it worked or not... Alan or others may want to comment on this... It's probably a good idea. I'm in the process of hacking the rlm_unix module in CVS so that it doesn't read /etc/passwd any more. Now that we have rlm_passwd, that module can read /etc/passwd. 
We can then have an authorize section to rlm_unix, and list it in authorize, just like pap, chap, and mschap. It will add a Crypt-Password to the request, if the user is in /etc/passwd. Then, the users file can be updated to do Auth-Type = PAP by default. The PAP module will take care of figuring out how to authenticate the user via the Crypt-Password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
monthly hourly statistics per user
I currently have freeradius 1.0.1 running with the dialupadmin from 1.0.2 on Debian Sarge. I was just curious if there is any way to pull monthly total hours for all users. The user statistics isn't exactly what I need, it shows daily user statistics, so if I show a week of statistics, I get 7 entries per user (assuming the user has logged on every day). Basically I'd like to be able to see how much total time in a month users/a user are connected. Thanks! -Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Error in radius.log
Fri Feb 18 06:26:50 2005 : Info: Using deprecated naslist file. Support for this will go away soon. Fri Feb 18 06:26:50 2005 : Info: Using deprecated clients file. Support for this will go away soon. Fri Feb 18 06:26:50 2005 : Info: Using deprecated realms file. Support for this will go away soon. Fri Feb 18 06:26:50 2005 : Error: rlm_eap_tls: conf N ctx stored Fri Feb 18 06:26:50 2005 : Info: Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. Fri Feb 18 06:26:50 2005 : Info: Ready to process requests. What is the cause of this problem, and how do I fix it? - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
two patches for 1.0.1: Simultaneous-Use and Hint
Hi! I think that Simultaneous-Use/Login-Time is server side attribs, like Auth-Type. So we have to ignore it on comparing. This this patch someone able to use Simultaneous-Use = 2 in user's check list and Simultaneous-Use = 1 in DEFAULT below. Note, =, not := which set value unconditionaly. In this situation user's attr have priority. --- src/main/valuepair.c.orig Thu Sep 9 18:31:06 2004 +++ src/main/valuepair.cWed Feb 16 15:16:30 2005 @@ -242,7 +242,9 @@ case PW_AUTH_TYPE: case PW_AUTZ_TYPE: case PW_ACCT_TYPE: + case PW_LOGIN_TIME: case PW_SESSION_TYPE: + case PW_SIMULTANEOUS_USE: case PW_STRIP_USER_NAME: continue; break; This patch add more functionality to rlm_files. If with_fallthrough_hint = yes (it no by default) someone able to rewrite request check list with Hint AV like using hints file. So, it able to do like templating for users records. For example: user1 User-Password == XXX Hint := PPP, Fall-Through = Yes user2 User-Password == XXX Hint := UUCP, Fall-Through = Yes ... userX User-Password == XXX Hint := PPP, Fall-Through = Yes DEFAULT Hint == PPP PPP-Special-AV = ... DEFAULT Hint == UUCP UUCP-Special-AV = ... As you see, we have many users records which linked on special DEFAULT entries. It's like using hints file, but per user, not per suffix/prefix. --- src/modules/rlm_files/rlm_files.c.orig Fri Mar 12 19:12:53 2004 +++ src/modules/rlm_files/rlm_files.c Wed Feb 16 15:12:03 2005 @@ -40,6 +40,7 @@ struct file_instance { char *compat_mode; + int with_fallthrough_hint; /* autz */ char *usersfile; @@ -74,6 +75,8 @@ offsetof(struct file_instance,preproxy_usersfile), NULL, ${raddbdir}/preproxy_users }, { compat,PW_TYPE_STRING_PTR, offsetof(struct file_instance,compat_mode), NULL, cistron }, + { with_fallthrough_hint, PW_TYPE_BOOLEAN, + offsetof(struct file_instance,with_fallthrough_hint), NULL, no }, { NULL, -1, 0, NULL, NULL } }; 
@@ -194,6 +197,7 @@ */ if (!(vp-attribute ~0x) (vp-attribute 0xff) + (vp-attribute != PW_HINT) (vp-attribute 1000)) { log_debug([%s]:%d WARNING! Check item \%s\\n \tfound in reply item list for user \%s\.\n @@ -369,6 +373,21 @@ found = 1; check_tmp = paircopy(pl-check); reply_tmp = paircopy(pl-reply); + + /* We have to move reply's Hint to + request's items for future DEFAULT + entry's check. /[EMAIL PROTECTED] */ + if (inst-with_fallthrough_hint) { + VALUE_PAIR *tmp; + + tmp = paircopy2(reply_tmp, PW_HINT); + if (tmp != NULL) { /* found it */ + pairmove(request_pairs, tmp); + pairfree(tmp); + pairdelete(reply_tmp, PW_HINT); + } + } + pairxlatmove(request, reply_pairs, reply_tmp); pairmove(check_pairs, check_tmp); pairfree(reply_tmp); @@ -393,6 +412,7 @@ * Remove server internal parameters. */ pairdelete(reply_pairs, PW_FALL_THROUGH); + pairdelete(reply_pairs, PW_HINT); return RLM_MODULE_OK; } -- DSS5-RIPE DSS-RIPN 2:550/[EMAIL PROTECTED] 2:550/[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] http://neva.vlink.ru/~dsh/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
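Review bot: in the src/main/valuepair.c hunk, the new `case PW_LOGIN_TIME:` and `case PW_SIMULTANEOUS_USE:` labels fall into the existing unconditional `continue`, so both attributes are skipped in this comparison for every installation, with no switch to keep the old behaviour (the rlm_files change, by contrast, sits behind with_fallthrough_hint). Users files that already list Login-Time or Simultaneous-Use as check items will change behaviour silently on upgrade; please either make this configurable or record it in the changelog and in the comment above the switch.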
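Review bot: in the @@ -369 hunk of rlm_files.c, the reply's Hint is moved into request_pairs only when the matched entry carries one, and nothing in the hunk removes a Hint that was already in the request. A later `DEFAULT Hint == PPP` entry can then match on a value that did not come from the users file. Consider deleting any existing PW_HINT from request_pairs before the pairmove, or state the intended precedence in the block comment; the author tag at the end of that comment should also come out of the source.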
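Review bot: the `pairdelete(reply_pairs, PW_HINT);` added in the @@ -393 hunk, like the PW_HINT exemption added to the warning condition in @@ -194, is not conditional on inst->with_fallthrough_hint. With the option at its default of no, a Hint placed in a reply list is now stripped from the reply and no longer triggers the "Check item found in reply item list" warning, which changes behaviour for installations that never enable the feature. Gate both on the same option test used in the @@ -369 hunk, and add the new option to the sample configuration so it is documented.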