Re: strange Exec-Program problem
From the debug mode I'm getting the following:

    radius_xlat: '/var/radius/scripts/count.php edgars 10.5.8.103'
    Exec-Program: /var/radius/scripts/count.php edgars 10.5.8.103
    Exec-Program output: Exec-Program: FAILED to execute /var/radius/scripts/count.php: No such file or directory
    Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /var/radius/scripts/count.php: No such file or directory
    Exec-Program: returned: 1
    Login incorrect (external check failed): [edgars/no User-Password attribute] (from client druums_testsss^edgars port 769 cli 1.1.1.2)

But as I said, this works if I'm using that box, where the database is located, as an authenticator. I'm running this script being in chroot '/gamma/edgars'. But I tried to change the radreply Exec-Program value to '/gamma/edgars/var/radius/scripts/count.php' - the same problem. On which machine is the script actually executed - on the one where I'm running the RADIUS server or where the DB is located?

Regards,
Edgars

Dustin Doris wrote:

>> Hello,
>> when trying to execute some script on each user login attempt using a local DB, everything works as it is supposed to. But if using another RADIUS server and specifying to use the previously mentioned DB (like a remote DB), I'm getting the following errors in the log file:
>>
>>     Error: Exec-Program: FAILED to execute /var: No such file or directory
>>
>> For users for which I've not set the Exec-Wait as a Reply attribute, everything works perfectly. Can someone point me to what could be the problem?
>>
>> Edgars
>
> Looks like it can't find the script. Want to show us how you have it set up in the users file? Maybe some radiusd -X output as well.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
accounting question
Hi,

I have a question about radius. Is there anyone on this list that can help? I'm sure this is a very common request.

I have a situation where radius accounting is logged to a mysql database. I'd like to find a way to show the accurate number of users that are currently online. Up till now this has been done by querying the database to find entries in the radacct table that have value 0 for AccountStopTime. However there are quite a number of entries in this 'radacct' table that have the 0 as AccountStopTime but are not active sessions. What would be a way to get just the sessions that are active?

kind regards,
Luke
RE: accounting question
I think radwho can accomplish this request.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 9:38 AM
To: freeradius-users@lists.freeradius.org
Subject: accounting question

> Hi,
>
> I have a question about radius. Is there anyone on this list that can help? I'm sure this is a very common request.
>
> I have a situation where radius accounting is logged to a mysql database. I'd like to find a way to show the accurate number of users that are currently online. Up till now this has been done by querying the database to find entries in the radacct table that have value 0 for AccountStopTime. However there are quite a number of entries in this 'radacct' table that have the 0 as AccountStopTime but are not active sessions. What would be a way to get just the sessions that are active?
>
> kind regards,
> Luke
MAC os X and Cisco TKIP + WEP
Hello,

while all my wireless cards work perfectly with the Cisco 1200 AP, I have a lot of problems with MAC os X. I configured my Cisco 1200 AP to work with TKIP+WEP128 and Open Authentication with EAP with freeradius server to support both old WEP and newer WPA clients. MAC os X airport extreme won't work in this configuration and the supplicant keeps reconnecting every 5 seconds. With MAC os X everything works if I set up the Cisco access point to work only with WEP without WPA.

Could anyone solve this problem?

thank you
Rick
Certificate Revocation List (EAP/TLS)
Hi,

I work with freeradius 1.0.2. If I configure the following in the TLS section of eap.conf (without these entries the authentication process works fine):

    CA_path = /path
    check_crl = yes
    crl_dir = /path
    crl = file

no certificate is accepted (I generate the certificates and the crl with tinyca). How can I configure eap.conf so that the authentication process works correctly? Does anyone have a working EAP/TLS authentication where the CRL works?

Thanks for help
Alain
Re: MAC os X and Cisco TKIP + WEP
> Hello,
>
> while all my wireless cards work perfectly with the Cisco 1200 AP, I have a lot of problems with MAC os X. I configured my Cisco 1200 AP to work with TKIP+WEP128 and Open Authentication with EAP with freeradius server to support both old WEP and newer WPA clients. MAC os X airport extreme won't work in this configuration and the supplicant keeps reconnecting every 5 seconds. With MAC os X everything works if I set up the Cisco access point to work only with WEP without WPA.
>
> Could anyone solve this problem?
>
> thank you

Why do you think this has anything to do with the RADIUS server component? After all, this is a list dealing with FreeRADIUS server, not with any implementation-specific WEP/WPA problems.

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
tel.: +352 424409-33
http://www.restena.lu
fax: +352 422473
Re: Logging/accounting regardless whether Accounting-Request packet sent
hello

>> Is it somehow possible to log the details regardless whether NAS sends the request ?
>
> Nope.

Can somebody tell me which access points do send accounting data to the freeradius server? AND does someone know if there is a way to put this capability (to send accounting data from the wrt54g to the freeradius) in the wrt54g? I understand that the basic firmware is not able to do that - but what about the openwrt firmware and optional packages? Does someone know a package for openwrt which does 802.1x AND sends accounting information? (I know there is chillispot for openwrt too, but I would like to have a possibility to use a normal supplicant on the notebook instead of chillispot.)

greeting
grischan
pre-proxy with attrs_filter seems to work - valid?
The included docs and examples don't use the attrs_filter module with the pre-proxy{} section in radiusd.conf. There is a post-proxy{} and that works fine. I have different instantiations (with different config files) for each of pre- and post-proxy.

Having no replies from the list I decided to go ahead and test. For your information, it seems to work (freeradius 1.0.2).

Is there a reason why this might be lucky? Is this not the intended behaviour? Did it only work because I have simple test configs? See below for the configs:

post-proxy attrs:

    DEFAULT
        Service-Type =* ANY,
        Framed-IP-Address =* ANY,
        Framed-IP-Netmask =* ANY,
        Reply-Message =* ANY

pre-proxy attrs:

    DEFAULT
        User-Name =* ANY,
        User-Password =* ANY

The home server (proxy target) confirms the pre-processing works, from the logs:

    rad_recv: Access-Request packet from host 217.204.125.202:1814, id=1, length=67
        User-Name = [EMAIL PROTECTED]
        User-Password = **
    Processing the authorize section of radiusd.conf
Re: EAp/TSL authorization problem
Sergey Guriev [EMAIL PROTECTED] wrote:

> On 3 May 2005 10:14, Vladimir Vuksan wrote:
>
>>>     Thu Apr 28 11:33:53 2005 : Debug: users: Matched entry www at line 228
>>
>> Are you sure that the entry on line 228 has the correct password? I am not quite sure where the [EMAIL PROTECTED] comes from.
>
> Yes, I'm sure, because "Matched entry www at line 228" means Username and password matched.

Hmmm... I thought it meant simply that the User-Name was a match.

Jim
strange behavior with two sql instances
Hello all.

I've some strange radius behavior using two sql databases. I built two databases - one on the radius server itself for auth and another on a separate db server for accounting. I split the sql.conf into sqlauth and sqlacct parts, and made changes in radiusd.conf:

    $INCLUDE ${confdir}/sqlauth.conf
    $INCLUDE ${confdir}/sqlacct.conf

and sqlauth.conf:

    sql sqlauth {
        driver = rlm_sql_oracle
        server = localhost
        login = radusr
        password = password
        radius_db = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=DBSID)))
        acct_table1 = acct
        acct_table2 = acct
        authcheck_table = radcheck
        authreply_table = radreply
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = usergroup
        ...
    }

and sqlacct.conf:

    sql sqlacct {
        driver = rlm_sql_oracle
        server = some.host.tld
        login = radusr
        password = password
        radius_db = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=some.host.tld)(PORT=1521))(CONNECT_DATA=(SID=DBSID)))
        acct_table1 = acct
        acct_table2 = acct
        authcheck_table = radcheck
        authreply_table = radreply
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = usergroup
        ...
    }

When the connection between the radius server and the accounting db server is present, everything is good. But when I emulate the connection being down (filtering sql traffic to the accounting db server from radius), the radius daemon stops doing authentication too until it's restarted. When radiusd is restarted it works with authentication requests well even when the accounting server remains inaccessible.

The debug is attached.

--
SY, Alexander

Attachment: no-connection-fr-debug.txt.gz
Post-Auth: reply values
Hello all,

I'm trying to write a script for the post-auth section. In this script I need the information if the Request was successful or if it was rejected. The sql module uses the following expression:

    %{reply:Packet-Type}

But how could I use this in my script? I've written a short script which should list all available variables:

    #!/bin/bash
    printenv > /tmp/radius/`date +%F_%H-%M-%S_%N`

But it doesn't contain the reply values ... Any ideas or hints?

bye
Christian
freeradius and sip
Hi everybody,

I'm willing to remove from a sip URI (ie:sip:[EMAIL PROTECTED]) the sip: and @domain parts, but, when they arrive in the Calling-Station-Id or Called-Station-Id Attributes. How to solve this ??? I've been able to remove @domain from the Uri, but at the User-Name only.

Any help would be nice ... thanx!

Regards,
Lucas
Re: Post-Auth: reply values
On Tue, 3 May 2005, Gillmann, Christian wrote:

> Hello all,
>
> I'm trying to write a script for the post-auth section. In this script I need the information if the Request was successful or if it was rejected. The sql module uses the following expression:
>
>     %{reply:Packet-Type}
>
> But how could I use this in my script? I've written a short script which should list all available variables:
>
>     #!/bin/bash
>     printenv > /tmp/radius/`date +%F_%H-%M-%S_%N`
>
> But it doesn't contain the reply values ... Any ideas or hints?

Only what's included in the Post-Auth-Type REJECT section in postauth is run when the request is about to be rejected. So that's a rather easy way of finding out if the request was successful or not.

> bye
> Christian

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: freeradius and sip
On Tue, 3 May 2005, Lucas Aimaretto wrote:

> Hi everybody,
>
> I'm willing to remove from a sip URI (ie:sip:[EMAIL PROTECTED]) the sip: and @domain parts, but, when they arrive in the Calling-Station-Id or Called-Station-Id Attributes. How to solve this ??? I've been able to remove @domain from the Uri, but at the User-Name only.
>
> Any help would be nice ... thanx!

See the attr_rewrite module

> Regards,
> Lucas

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
how to move a freeradius server ?
Hi,

I am using a freeradius server with EAP TLS PEAP and LDAP. No problem, it works perfectly. I have to move this service to another server (different hostname). I don't know what to do with my certificates. I don't want to give new certificates to all my clients. Is it possible to just copy and paste the certificates ???
Re: Post-Auth: reply values
>> I'm trying to write a script for the post-auth section. In this script I need the information if the Request was successful or if it was rejected. The sql module uses the following expression:
>>
>>     %{reply:Packet-Type}
>>
>> But how could I use this in my script? I've written a short script which should list all available variables:
>>
>>     #!/bin/bash
>>     printenv > /tmp/radius/`date +%F_%H-%M-%S_%N`
>>
>> But it doesn't contain the reply values ... Any ideas or hints?
>
> Only what's included in the Post-Auth-Type REJECT section in postauth is run when the request is about to be rejected. So that's a rather easy way of finding out if the request was successful or not.

Yeah, that's true. In the meantime I solved the problem a different way. I created an exec module like this:

    [...]
    exec newclient {
        wait = yes
        program = /usr/local/etc/raddb/scripts/newclient.pl 172.16.21.174 %l %{reply:Packet-Type}
    }
    [...]

bye
Christian
RE: freeradius and sip - SOLVED IT ! ...
>> I'm willing to remove from a sip URI (ie:sip:[EMAIL PROTECTED]) the sip: and @domain parts, but, when they arrive in the Calling-Station-Id or Called-Station-Id Attributes. How to solve this ??? I've been able to remove @domain from the Uri, but at the User-Name only.
>>
>> Any help would be nice ... thanx!
>
> See the attr_rewrite module

thanks, it worked nicely for the sip: part. I could remove that string with no trouble at all.

Now, how do I tell the attr_rewrite module to remove @ and onwards ... ?? That's because I really do not know which domain is coming.

Using

    searchfor = @.*

did the job ... thanx !

Regards,
Lucas
Exec-Program-Wait vs rlm_exec
Hi,

what do you consider the best solution when you need to run an external program to make additional checks when an access request is received: exec-program-wait or rlm_exec? I'm using exec-program-wait; should I use rlm_exec instead? The script checks some items like credit amount and returns 0 or 1 for success or fail.

thanks
Re: Duplicate attribute name NAS-Port-Id
Hi everybody,

I've followed all the steps to install FreeRadius and the Radius client library found in this HowTo, http://www.iptel.org/ser/doc/ser_radius/ser_radius.html, but when I test it with this command:

    # radclient -f digest localhost auth MySecret

I'm getting this error message:

    radclient: dict_init: /usr/local/etc/radiusclient-ng/dictionary[33]: dict_addattr: Duplicate attribute name NAS-Port-Id

I've checked in the file /usr/local/etc/radiusclient-ng/dictionary, but the NAS-Port-Id attribute exists only once.

Could you help please? I'm new to FreeRadius.

Thanks
Re: Duplicate attribute name NAS-Port-Id
Silent Man [EMAIL PROTECTED] wrote:

>     radclient: dict_init: /usr/local/etc/radiusclient-ng/dictionary[33]: dict_addattr: Duplicate attribute name NAS-Port-Id

You are having radclient, from the FreeRADIUS source, read a dictionary file from the radiusclient package. Don't do that.

Alan DeKok.
RE: acctsessiontime
Hi Luke,

It's being updated by Alive (Interim Accounting) requests coming from your NAS at 15 minute intervals. So the answer to your question is no, the RADIUS server cannot continue to update this field for you after the session has ended. Question is, why would you want it to be updated after the session has terminated?

What you really need is to work out why the RADIUS server isn't receiving an Accounting Stop request for the session, and fix that. If you can't fix that you need to work out a strategy for detecting when a session is no longer active, and close off the records in the database...

Regards,
Mike

> Hi,
>
> I'm new to this list and to radius. I have a problem, which I think is quite common, where the end of a user's session doesn't get logged. This causes a number of entries in the database, where logging takes place, to show an acctstoptime of 0, which would indicate that the session is still active but the session is no longer active.
>
> Is it possible for acctsessiontime to continue to be updated (I noticed that this gets updated say every 15 minutes) even if the session has been terminated without an acctstoptime?
>
> I'd like to read up on the fine print of what takes place, where would I find this documentation?
>
> thanks,
> kind regards,
> Luke
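
The strategy Mike describes above (detect sessions that are no longer active and close off their records), as an added example that is not code from the thread or from FreeRADIUS. It assumes a simplified radacct table with epoch-second timestamps, a grace window of two 15-minute intervals, and helper names invented for the illustration.

```python
import sqlite3

INTERIM_INTERVAL = 15 * 60    # Alive updates arrive every 15 minutes (per the thread)
GRACE = 2 * INTERIM_INTERVAL  # assumption: allow one lost update before calling a session stale

# Simplified radacct (assumption): epoch-second integers, only the columns the thread discusses.
SCHEMA = """CREATE TABLE radacct (
    acctsessionid   TEXT PRIMARY KEY,
    username        TEXT NOT NULL,
    acctstarttime   INTEGER NOT NULL,
    acctsessiontime INTEGER NOT NULL DEFAULT 0,  -- refreshed by each Alive packet
    acctstoptime    INTEGER NOT NULL DEFAULT 0   -- 0 = no Accounting Stop received
)"""

# Last moment the NAS reported on the session: start plus the last reported duration.
LAST_SEEN = "(acctstarttime + acctsessiontime)"

def open_sessions(db):
    """The naive count from the thread: every row with acctstoptime = 0."""
    return db.execute("SELECT COUNT(*) FROM radacct WHERE acctstoptime = 0").fetchone()[0]

def active_sessions(db, now):
    """Open sessions the NAS has reported on within the grace window."""
    rows = db.execute(
        f"SELECT username FROM radacct WHERE acctstoptime = 0 AND {LAST_SEEN} >= ? "
        "ORDER BY username", (now - GRACE,))
    return [r[0] for r in rows]

def close_stale_sessions(db, now):
    """Close open sessions with no recent update, using the last-seen time as stop time."""
    cur = db.execute(
        f"UPDATE radacct SET acctstoptime = {LAST_SEEN} "
        f"WHERE acctstoptime = 0 AND {LAST_SEEN} < ?", (now - GRACE,))
    db.commit()
    return cur.rowcount

def demo_db(now):
    """In-memory database with constructed sample rows (not real accounting data)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", [
        ("s1", "alice", now - 3600, 3300, 0),          # updated 5 minutes ago: active
        ("s2", "bob", now - 86400, 1800, 0),           # Stop lost a day ago: stale
        ("s3", "carol", now - 120, 0, 0),              # just started, no Alive yet: active
        ("s4", "dave", now - 7200, 3600, now - 3600),  # closed normally
    ])
    return db

if __name__ == "__main__":
    NOW = 1115100000  # constructed "current time" for the demo
    db = demo_db(NOW)
    print("open rows:", open_sessions(db))
    print("active:", active_sessions(db, NOW))
    print("closed as stale:", close_stale_sessions(db, NOW))
```

The last-seen calculation only works for a NAS that actually sends interim updates; for one that does not, every session older than the grace window would be closed.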