Re: strange Exec-Program problem

2005-05-03 Thread Edgars
from the debug mode i'm getting the following:
radius_xlat:  '/var/radius/scripts/count.php edgars 10.5.8.103'
Exec-Program: /var/radius/scripts/count.php edgars 10.5.8.103
Exec-Program output: Exec-Program: FAILED to execute /var/radius/scripts/count.php: No such file or directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /var/radius/scripts/count.php: No such file or directory
Exec-Program: returned: 1
Login incorrect (external check failed): [edgars/no User-Password attribute] (from client druums_testsss^edgars port 769 cli 1.1.1.2)

But as I said, this works if i'm using that box, where the data base is 
located, as an authenticator.
I'm running this script being in chroot '/gamma/edgars'. But tried to 
change the radreply Exec-Program value to 
'/gamma/edgars/var/radius/scripts/count.php' - the same problem.

On which machine is the script actually executed - on the one I'm running 
the RADIUS server or where the DB is located?

Regards,
Edgars

Dustin Doris wrote:
>> Hello,
>> when trying to execute some script on each user login attempt using
>> local DB everything works as it is supposed to do. But if using another
>> RADIUS server as specifying to use the previously mentioned DB (like
>> remote DB), getting the following errors in the log file:
>> Error: Exec-Program: FAILED to execute /var: No such file or directory
>> For users for which I've not set the Exec-Wait as a Reply attribute,
>> everything works perfectly.
>> Can someone point me to what could be the problem?
>> Edgars
>
> Looks like it can't find the script.  Want to show us how you have it
> setup in the users file?  Maybe some radiusd -X output as well.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


accounting question

2005-05-03 Thread luke
Hi,

I have a question about radius,
Is there anyone on this list that can help?
I'm sure this is a very common request.

I have a situation where radius accounting is logged to a mysql database.
I'd like to find a way to show the accurate number of users that are currently
online.

Up till now this has been done by querying the database to find entries in the
radacct table that have value 0 for AccountStopTime.
However there are quite a number of entries in this 'radacct' table that have
the 0 as AccountStopTime but are not active sessions.

What would be a way to get just the sessions that are active?


kind regards,
Luke
-- 
._
:|  .| |.|/.|_
:|__.|_|.|\.|_
:0421 276 282.



RE: accounting question

2005-05-03 Thread Jamal Taweel
I think radwho can accomplish this request

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 9:38 AM
To: freeradius-users@lists.freeradius.org
Subject: accounting question

Hi,

I have a question about radius,
Is there anyone on this list that can help?
I'm sure this is a very common request.

I have a situation where radius accounting is logged to a mysql database.
I'd like to find a way to show the accurate number of users that are currently
online.

Up till now this has been done by querying the database to find entries in the
radacct table that have value 0 for AccountStopTime.
However there are quite a number of entries in this 'radacct' table that have
the 0 as AccountStopTime but are not active sessions.

What would be a way to get just the sessions that are active?


kind regards,
Luke


MAC os X and Cisco TKIP + WEP

2005-05-03 Thread Riccardo Veraldi
Hello,
while all my wireless cards work perfectly with Cisco 1200 AP
I have a lot of problems with Mac OS X.
I configured my Cisco 1200 AP to work with TKIP+WEP128 and Open 
Authentication with EAP with freeradius server to support both old WEP 
and newer WPA clients.
Mac OS X AirPort Extreme won't work in this configuration
and supplicant keeps reconnecting every 5 seconds.
With Mac OS X everything works if I set up the Cisco
access point to work only with WEP without WPA.
Could anyone solve this problem?
thank you

Rick



Certificate Revocation List (EAP/TLS)

2005-05-03 Thread freeradius
Hi,

I work with freeradius 1.0.2

If I configure the following in the TLS section of eap.conf (without these entries the
authentication process works fine)

CA_path = /path
check_crl = yes
crl_dir = /path
crl = file

no certificate is accepted (I generate the certificates and the CRL with
tinyca).

How can I configure eap.conf so that the authentication process works
correctly?

Does anyone have a working EAP/TLS authentication where the CRL works?

Thanks for help

Alain







Re: MAC os X and Cisco TKIP + WEP

2005-05-03 Thread Stefan Winter
Hello,

 while all my wireless cards work perfectly with Cisco 1200 AP
 I have a lot of problems with Mac OS X.
 I configured my Cisco 1200 AP to work with TKIP+WEP128 and Open
 Authentication with EAP with freeradius server to support both old WEP
 and newer WPA clients.
 Mac OS X AirPort Extreme won't work in this configuration
 and supplicant keeps reconnecting every 5 seconds.
 With Mac OS X everything works if I set up the Cisco
 access point to work only with WEP without WPA.
 Could anyone solve this problem?
 thank you

why do you think this has anything to do with the RADIUS server component? 
After all, this is a list dealing with FreeRADIUS server, not with any 
implementation-specific WEP/WPA problems.

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473



Re: Logging/accounting regardless whether Accounting-Request packet sent

2005-05-03 Thread glanzel
hello

  Is it somehow possible to log the details regardless whether NAS sends
  the request ?
 
 Nope.
 

can somebody tell me which access points do send accounting data to the
freeradius server ?

AND

does someone know if there is a way to add this capability (to send
accounting data from the wrt54g to the freeradius) to the wrt54g.
i understand that the basic firmware is not able to do that - but what
about the openwrt firmware and optional packages ? does someone know a
package for openwrt which does 802.1x AND sends accounting information
(i know there is chillispot for openwrt too but i would like to have the
possibility to use a normal supplicant on the notebook instead of
chillispot)



greeting grischan
 



pre-proxy with attrs_filter seems to work - valid?

2005-05-03 Thread Tariq Rashid


the included docs and examples don't use the attrs_filter module with the
pre-proxy{} section in radiusd.conf.

there is a post-proxy{} and that works fine. 

i have different instantiations (with different config files) for each of pre-
and post-proxy. having no replies from the list i decided to go ahead and
test. 

for your information it seems to work. (freeradius 1.0.2). 

is there a reason why this might be lucky? is this not the intended
behaviour? did it only work because i have simple test configs?

see below for the configs:

---

post-proxy attrs:

DEFAULT
        Service-Type =* ANY,
        Framed-IP-Address =* ANY,
        Framed-IP-Netmask =* ANY,
        Reply-Message =* ANY


-

pre-proxy attrs:

DEFAULT
        User-Name =* ANY,
        User-Password =* ANY



home server (proxy target) confirms the pre-processing works from the logs:

rad_recv: Access-Request packet from host 217.204.125.202:1814, id=1, length=67
User-Name = [EMAIL PROTECTED]
User-Password = **
  Processing the authorize section of radiusd.conf






Re: EAp/TSL authorization problem

2005-05-03 Thread Jim Seymour
Sergey Guriev [EMAIL PROTECTED] wrote:
 
 In a message of 3 May 2005 10:14, Vladimir Vuksan wrote:
 
  Thu Apr 28 11:33:53 2005 : Debug: users: Matched entry www at line 228
 
 
  Are you sure that the entry on line 228 has the correct password. I am not
  quite sure where the [EMAIL PROTECTED] comes from.
 
 
  Yes, I'm sure, because Matched entry www at line 228 means Username and 
 password matched.

Hmmm... I thought it meant simply that the User-Name was a match.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.



strange behavior with two sql instances

2005-05-03 Thread Alexander Serkin
Hello all.
I've some strange radius behavior using two sql databases.
I built two databases - one on the radius server itself for auth and another on 
separate db server for accounting. I split the sql.conf into sqlauth and 
sqlacct parts. And made changes in radiusd.conf:

$INCLUDE  ${confdir}/sqlauth.conf
$INCLUDE  ${confdir}/sqlacct.conf
and
sqlauth.conf:
sql sqlauth {
        driver = rlm_sql_oracle
        server = localhost
        login = radusr
        password = password
        radius_db = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=DBSID)))
        acct_table1 = acct
        acct_table2 = acct
        authcheck_table = radcheck
        authreply_table = radreply
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = usergroup
        ...
}

and
sqlacct.conf:
sql sqlacct {
        driver = rlm_sql_oracle
        server = some.host.tld
        login = radusr
        password = password
        radius_db = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=some.host.tld)(PORT=1521))(CONNECT_DATA=(SID=DBSID)))
        acct_table1 = acct
        acct_table2 = acct
        authcheck_table = radcheck
        authreply_table = radreply
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = usergroup
        ...
}

when the connection between radius server and accounting db server is present - 
everything is good.
But when i emulate connection down (filtering sql traffic to accounting db 
server from radius) the radius daemon stops doing authentication too until it's 
restarted.
When radiusd is restarted it works with authentication requests well even when 
accounting server remains inaccessible.

The debug is attached.
--
SY,
Alexander


no-connection-fr-debug.txt.gz
Description: Unix tar archive


Post-Auth: reply values

2005-05-03 Thread Gillmann, Christian
Hello all,

I'm trying to write a script for the post-auth section.
In this script I need the information if the Request was successful or if it
was rejected.

The sql module uses the following expression: %{reply:Packet-Type}

But how could I use this in my script?
I've written a short script which should list all available Variables:


#!/bin/bash

printenv > /tmp/radius/`date +%F_%H-%M-%S_%N`


But it doesn't contain the reply values ...

Any ideas or hints?

bye
Christian



freeradius and sip

2005-05-03 Thread Lucas Aimaretto
Hi everybody,

I'm willing to remove from a sip URI (ie:sip:[EMAIL PROTECTED]) the sip: and
@domain parts, but, when they arrive in the Calling-Station-Id or
Called-Station-Id Attributes. How to solve this ??? I've been able to
remove @domain from the Uri, but at the User-Name only.

Any help would be nice ... thanx!

Regards,

Lucas



Re: Post-Auth: reply values

2005-05-03 Thread Kostas Kalevras
On Tue, 3 May 2005, Gillmann, Christian wrote:
> Hello all,
> I'm trying to write a script for the post-auth section.
> In this script I need the information if the Request was successful or if it
> was rejected.
> The sql module uses the following expression: %{reply:Packet-Type}
> But how could I use this in my script?
> I've written a short script which should list all available Variables:
>
> #!/bin/bash
> printenv > /tmp/radius/`date +%F_%H-%M-%S_%N`
>
> But it doesn't contain the reply values ...
> Any ideas or hints?

Only what's included in the Post-Auth-Type REJECT section in postauth is run 
when the request is about to be rejected. So that's a rather easy way of 
finding out if the request was successful or not.

> bye
> Christian

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: freeradius and sip

2005-05-03 Thread Kostas Kalevras
On Tue, 3 May 2005, Lucas Aimaretto wrote:
> Hi everybody,
> I'm willing to remove from a sip URI (ie:sip:[EMAIL PROTECTED]) the sip: and
> @domain parts, but, when they arrive in the Calling-Station-Id or
> Called-Station-Id Attributes. How to solve this ??? I've been able to
> remove @domain from the Uri, but at the User-Name only.
> Any help would be nice ... thanx!

See the attr_rewrite module

> Regards,
> Lucas

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


how to move a freeradius server ?

2005-05-03 Thread Arthur EBEL
Hi,
I am using a freeradius server with EAP TLS PEAP and LDAP. No problem, it 
works perfectly.

I have to move this service to another server (different hostname). I don't 
know what to do with my certificates. I don't want to give new certificates 
to all my clients. Is it possible to just copy and paste the certificates? 



Re: Post-Auth: reply values

2005-05-03 Thread Gillmann, Christian
  I'm trying to write a script for the post-auth section.
  In this script I need the information if the Request was successful or if it
  was rejected.
 
  The sql module uses the following expression: %{reply:Packet-Type}
 
  But how could I use this in my script?
  I've written a short script which should list all available Variables:
 
  #!/bin/bash
 
  printenv > /tmp/radius/`date +%F_%H-%M-%S_%N`
 
  But it doesn't contain the reply values ...
 
  Any ideas or hints?
 
 Only what's included in the Post-Auth-Type REJECT section in postauth is run
 when the request is about to be rejected. So that's a rather easy way of
 finding out if the request was successful or not.

Yeah, that's true.
In the meantime I solved the problem a different way. I created an exec
module like this:

[...]
exec newclient {
   wait = yes
   program = /usr/local/etc/raddb/scripts/newclient.pl 172.16.21.174 %l %{reply:Packet-Type}
}
[...]

bye
Christian





RE: freeradius and sip - SOLVED IT ! ...

2005-05-03 Thread Lucas Aimaretto
   I'm willing to remove from a sip URI (ie:sip:[EMAIL PROTECTED]) the sip:
   and @domain parts, but, when they arrive in the Calling-Station-Id
   or Called-Station-Id Attributes. How to solve this ??? I've been able
   to remove @domain from the Uri, but at the User-Name only.
  
   Any help would be nice ... thanx!
  
  See the attr_rewrite module
 
 thanks, it worked nicely for the sip: part. I could remove that string
 with no trouble at all. Now, How do I tell the attr_rewrite module to
 remove @ and onwards ... ?? That's because I really do not know which
 domain is coming

using searchfor = @.* did the job ... thanx !

Regards,

Lucas



Exec-Program-Wait vs rlm_exec

2005-05-03 Thread mmiranda
Hi, what do you consider the best solution when you need to run an external
program to make additional checks when an access request is received,
exec-program-wait or rlm_exec? I'm using exec-program-wait; should I use
rlm_exec instead? The script checks some items like credit amount and returns
0 or 1 for success or fail,
thanks



Re: Duplicate attribute name NAS-Port-Id

2005-05-03 Thread Silent Man
Hi everybody,
I've followed all the steps to install FreeRadius and the Radius client
Library found in this HowTo
http://www.iptel.org/ser/doc/ser_radius/ser_radius.html, but when I
test it with this command :

# radclient -f digest localhost auth MySecret

I'm getting this error message :

radclient: dict_init: /usr/local/etc/radiusclient-ng/dictionary[33]:
dict_addattr: Duplicate attribute name NAS-Port-Id

I've checked in the file /usr/local/etc/radiusclient-ng/dictionary,
but the NAS-Port-Id attribute exists only once.

Could you help please ? I'm new to FreeRadius

Thanks



Re: Duplicate attribute name NAS-Port-Id

2005-05-03 Thread Alan DeKok
Silent Man [EMAIL PROTECTED] wrote:
 radclient: dict_init: /usr/local/etc/radiusclient-ng/dictionary[33]:
 dict_addattr: Duplicate attribute name NAS-Port-Id

  You are having radclient, from the FreeRADIUS source, read a
dictionary file from the radiusclient package.

  Don't do that.

  Alan DeKok.



RE: acctsessiontime

2005-05-03 Thread Mitchell, Michael J
Hi Luke,

It's being updated by Alive (Interim Accounting) requests coming from
your NAS at 15 minute intervals.

So the answer to your question is no, the RADIUS server cannot continue
to update this field for you after the session has ended.

Question is, why would you want it to be updated after the session has
terminated?

What you really need is to work out why the RADIUS server isn't
receiving an Accounting Stop request for the session, and fix that. If
you can't fix that you need to work out a strategy for detecting when a
session is no longer active, and close off the records in the
database...
 
Regards,
Mike



Hi,

I'm new to this list and to radius.
I have a problem, which I think is quite common, where the end 
of a user's session doesn't get logged. 
This causes a number of entries in the database, where logging 
takes place, to show an acctstoptime of 0, which would 
indicate that the session is still active but the session is 
no longer active.

Is it possible for acctsessiontime to continue to be updated 
(I noticed that this gets updated say every 15 minutes) even if 
the session has been terminated without an acctstoptime?

I'd like to read up on the fine print of what takes place, 
where would I find this documentation?

thanks,
kind regards,
Luke


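
One way to act on the two accounting threads above (count only sessions that are really online, and close off records that never received an Accounting Stop), as an added example that is not part of any poster's message or of FreeRADIUS. It assumes a simplified radacct table with epoch-second columns where acctstoptime = 0 means no Stop was received; the 15-minute interim interval comes from the thread, while the grace period, the helper names and the sample rows are constructed for illustration.

```python
import sqlite3

INTERIM_INTERVAL = 15 * 60         # NAS sends Alive updates every 15 minutes (per the thread)
GRACE = 2 * INTERIM_INTERVAL + 60  # assumption: tolerate one lost update plus some jitter

# Assumed, simplified radacct: epoch seconds; acctstoptime = 0 means no Stop received.
# acctsessiontime is refreshed by every interim update.
SCHEMA = """CREATE TABLE radacct (
    radacctid       INTEGER PRIMARY KEY,
    username        TEXT    NOT NULL,
    acctstarttime   INTEGER NOT NULL,
    acctsessiontime INTEGER NOT NULL DEFAULT 0,
    acctstoptime    INTEGER NOT NULL DEFAULT 0)"""

NOW = 1115100000  # fixed "current time" so the constructed sample is reproducible
SAMPLE_ROWS = [   # (id, user, start, sessiontime, stop): constructed data
    (1, "alice", NOW - 3600,  3300, 0),           # interim update 5 min ago: active
    (2, "bob",   NOW - 86400, 1800, 0),           # silent for about 23.5 h: stale
    (3, "carol", NOW - 7200,  3600, NOW - 3600),  # closed normally by a Stop
    (4, "dave",  NOW - 120,   0,    0),           # just started, no interim yet: active
    (5, "erin",  NOW - 5000,  0,    0),           # Start only, never updated: stale
]

# The NAS last vouched for a session at acctstarttime + acctsessiontime.
# This is a fixed SQL fragment; all variable values are bound as parameters.
LAST_SEEN = "acctstarttime + acctsessiontime"


def open_db(rows=SAMPLE_ROWS):
    """Build an in-memory database holding the sample accounting rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", rows)
    return db


def active_users(db, now, grace=GRACE):
    """Users with an open row that was refreshed within the grace period."""
    sql = (f"SELECT username FROM radacct WHERE acctstoptime = 0 "
           f"AND {LAST_SEEN} >= ? ORDER BY username")
    return [row[0] for row in db.execute(sql, (now - grace,))]


def close_stale(db, now, grace=GRACE):
    """Close open rows that went silent; return the ids that were closed."""
    where = f"acctstoptime = 0 AND {LAST_SEEN} < ?"
    ids = [row[0] for row in db.execute(
        f"SELECT radacctid FROM radacct WHERE {where} ORDER BY radacctid",
        (now - grace,))]
    # Stop time is the last moment the NAS reported, not the clean-up time,
    # so nobody is charged for time that was never observed.
    db.execute(f"UPDATE radacct SET acctstoptime = {LAST_SEEN} WHERE {where}",
               (now - grace,))
    db.commit()
    return ids


if __name__ == "__main__":
    db = open_db()
    print("active:", active_users(db, NOW))
    print("closed stale ids:", close_stale(db, NOW))
```

Against the real MySQL table the same predicate needs the DATETIME columns converted to seconds first, for example with UNIX_TIMESTAMP().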