LDAP failover on freeRADIUS 1.0.1

2005-05-12 Thread Jan-Piet Mens
I have two freeRADIUS 1.0.1 servers configured with two LDAP backends
in order to be able to answer RADIUS requests even if one of the
LDAP servers is down. We had a problem the other day, at which time 
the second LDAP server simply froze and the Radius server waited
almost indefinitely (over 3 minutes for each request) until it answered.

With the configuration below, each of the LDAP instances is queried
sequentially, which is not what I want. I see:

rlm_ldap: (re)connect to l2:389, authentication 0
...
rlm_ldap: (re)connect to l1:389, authentication 0
...
rlm_ldap: (re)connect to l1:389, authentication 1
...


What am I doing wrong?

My configuration is 

ldap ldap1 {
server = l1
...
}
ldap ldap2 {
server = l2
}

instantiate {
ldap1
ldap2
}

authorize {
preprocess
auth_log
files
redundant {
ldap1 {
notfound = 1
}
ldap2
}

}

authenticate {
Auth-Type LDAP {
redundant {
ldap1 {
notfound = 1
}
ldap2
}
}

}


Thanks & regards,
-JP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: posgresql how to

2005-05-12 Thread Marcin Jessa
Switch from MySQL?
If so, the difference lies only in knowledge of your particular DB.
The database layout is included in the sources of freeradius.


On Thu, 12 May 2005 00:15:17 +0700
avudz [EMAIL PROTECTED] wrote:

 Hello,
 
   does anybody know where I can download / read a radius-postgres how-to? I
   think I'd better switch to postgres :-)
   
 
 -- 
 Best regards,
  ./avd  mailto:[EMAIL PROTECTED]
 
 


-- 

Regards,
M. Jessa
http://www.yazzy.org




Re[14]: daily limit

2005-05-12 Thread avudz
Hello Marcin,

Wednesday, May 11, 2005, 6:32:36 PM, you wrote:


MJ Maybe the date format is incorrect?
MJ I am not sure what those silly americans use but afair it's
MJ of Month-Day-Year format - as logical as using bodyparts as the
MJ scale value for measurements :)
MJ What does the debugging info say?


nah nah, you're quite right :-) when I changed the date format, it works
well now :-) thanks to God my friend helped me !!

-- 
Best regards,
 avudz  mailto:[EMAIL PROTECTED]
*this radius is crazy, I just can't find the manual :p*




Apple Airport Extreme with EAP-TTLS...

2005-05-12 Thread Achim Friedland
Hello,
at our university we're using CISCO APs with EAP-TTLS and everything 
works just fine. But at home I tried to build the same with my Apple 
Airport Extreme and it's not really working...

I configured my iBook for the airport the same way as for the CISCO 
AP, so I don't think it's a problem at the client. I'm using 
freeradius-1.0.2 on debian unstable from tarball because of the strange 
tls-bindings in the official debian package...

When I try to authenticate for the first time I have to accept the 
certificate for the tls-tunnel. Afterwards I enter my username and 
password and everything seems to be okay. The 802.1x apple-window is 
counting my online-minutes, but I can't get any signal strength 
information from the AP or send/receive packets via the AP. I think I'm not 
really connected. The airport syslog isn't very helpful, it's just 
telling me that I'm connected... nothing more... Could there be some 
problems with the wpa keys or any other reason why my packets disappear 
somewhere?


In the users file I have nothing more than:
ahzf    Auth-Type := Local, User-Password == 1234

The radiusd -A -X output:
Thu May 12 03:29:07 2005 : Info: Starting - reading configuration files ...
Thu May 12 03:29:07 2005 : Debug: reread_config:  reading radiusd.conf
Thu May 12 03:29:07 2005 : Debug: Config:   including file: 
/usr/local/etc/raddb/proxy.conf
Thu May 12 03:29:07 2005 : Debug: Config:   including file: 
/usr/local/etc/raddb/clients.conf
Thu May 12 03:29:07 2005 : Debug: Config:   including file: 
/usr/local/etc/raddb/snmp.conf
Thu May 12 03:29:07 2005 : Debug: Config:   including file: 
/usr/local/etc/raddb/eap.conf
Thu May 12 03:29:07 2005 : Debug: Config:   including file: 
/usr/local/etc/raddb/sql.conf
Thu May 12 03:29:07 2005 : Debug:  main: prefix = /usr/local
Thu May 12 03:29:07 2005 : Debug:  main: localstatedir = /usr/local/var
Thu May 12 03:29:07 2005 : Debug:  main: logdir = 
/usr/local/var/log/radius
Thu May 12 03:29:07 2005 : Debug:  main: libdir = /usr/local/lib
Thu May 12 03:29:07 2005 : Debug:  main: radacctdir = 
/usr/local/var/log/radius/radacct
Thu May 12 03:29:07 2005 : Debug:  main: hostname_lookups = no
Thu May 12 03:29:07 2005 : Debug:  main: max_request_time = 30
Thu May 12 03:29:07 2005 : Debug:  main: cleanup_delay = 5
Thu May 12 03:29:07 2005 : Debug:  main: max_requests = 1024
Thu May 12 03:29:07 2005 : Debug:  main: delete_blocked_requests = 0
Thu May 12 03:29:07 2005 : Debug:  main: port = 0
Thu May 12 03:29:07 2005 : Debug:  main: allow_core_dumps = no
Thu May 12 03:29:07 2005 : Debug:  main: log_stripped_names = no
Thu May 12 03:29:07 2005 : Debug:  main: log_file = 
/usr/local/var/log/radius/radius.log
Thu May 12 03:29:07 2005 : Debug:  main: log_auth = no
Thu May 12 03:29:07 2005 : Debug:  main: log_auth_badpass = no
Thu May 12 03:29:07 2005 : Debug:  main: log_auth_goodpass = no
Thu May 12 03:29:07 2005 : Debug:  main: pidfile = 
/usr/local/var/run/radiusd/radiusd.pid
Thu May 12 03:29:07 2005 : Debug:  main: user = (null)
Thu May 12 03:29:07 2005 : Debug:  main: group = (null)
Thu May 12 03:29:07 2005 : Debug:  main: usercollide = no
Thu May 12 03:29:07 2005 : Debug:  main: lower_user = no
Thu May 12 03:29:07 2005 : Debug:  main: lower_pass = no
Thu May 12 03:29:07 2005 : Debug:  main: nospace_user = no
Thu May 12 03:29:07 2005 : Debug:  main: nospace_pass = no
Thu May 12 03:29:07 2005 : Debug:  main: checkrad = 
/usr/local/sbin/checkrad
Thu May 12 03:29:07 2005 : Debug:  main: proxy_requests = yes
Thu May 12 03:29:07 2005 : Debug:  proxy: retry_delay = 5
Thu May 12 03:29:07 2005 : Debug:  proxy: retry_count = 3
Thu May 12 03:29:07 2005 : Debug:  proxy: synchronous = no
Thu May 12 03:29:07 2005 : Debug:  proxy: default_fallback = yes
Thu May 12 03:29:07 2005 : Debug:  proxy: dead_time = 120
Thu May 12 03:29:07 2005 : Debug:  proxy: post_proxy_authorize = yes
Thu May 12 03:29:07 2005 : Debug:  proxy: wake_all_if_all_dead = no
Thu May 12 03:29:07 2005 : Debug:  security: max_attributes = 200
Thu May 12 03:29:07 2005 : Debug:  security: reject_delay = 1
Thu May 12 03:29:07 2005 : Debug:  security: status_server = no
Thu May 12 03:29:07 2005 : Debug:  main: debug_level = 0
Thu May 12 03:29:07 2005 : Debug: read_config_files:  reading dictionary
Thu May 12 03:29:07 2005 : Debug: read_config_files:  reading naslist
Thu May 12 03:29:07 2005 : Info: Using deprecated naslist file.  Support 
for this will go away soon.
Thu May 12 03:29:07 2005 : Debug: read_config_files:  reading clients
Thu May 12 03:29:07 2005 : Debug: read_config_files:  reading realms
Thu May 12 03:29:07 2005 : Debug: radiusd:  entering modules setup
Thu May 12 03:29:07 2005 : Debug: Module: Library search path is 
/usr/local/lib
Thu May 12 03:29:07 2005 : Debug: Module: Loaded exec
Thu May 12 03:29:07 2005 : Debug:  exec: wait = yes
Thu May 12 03:29:07 2005 : Debug:  exec: program = (null)
Thu May 12 03:29:07 2005 : Debug:  exec: input_pairs = request
Thu May 12 03:29:07 2005 : Debug:  exec: 

Re: Re[14]: daily limit

2005-05-12 Thread Marcin Jessa
Hi!


On Thu, 12 May 2005 15:42:52 +0700
avudz [EMAIL PROTECTED] wrote:
 nah nah, you're quite right :-) when I changed the date format, it works
 well now :-) 

I'd probably stumble on the same problem if I was going to implement expiration 
date on my system.
I don't find the american date format very logical as well...
It's always useful to take a look at the dictionary files and see if there may 
be something to solve your problem.

 thanks to God my friend helped me !!
 
You're welcome, glad to be of help.

-- 

Regards,
M. Jessa
http://www.yazzy.org




Re: DialupAdmin/LDAP - General Questions

2005-05-12 Thread Mathieu Bénard
Chris Carver wrote:
Mathieu Bénard wrote:
2: From what I read in the /lib/ldap/create_user.php3:
   $dn = 'uid=' . $login . ',' . 
$config[ldap_default_new_entry_suffix];
   $new_user_entry[objectclass][0]=top;
   $new_user_entry[objectclass][1]=person;
   
$new_user_entry[objectclass][2]=organizationalPerson;
   
$new_user_entry[objectclass][3]=inetOrgPerson;
   
$new_user_entry[objectclass][4]=radiusprofile;

dialupadmin intends to use an old radius LDAP schema instead of 
RADIUS-LDAPv3.schema. It uses uid= as a mandatory attribute, but with 
RADIUS-LDAPv3.schema, cn= is expected.
I don't want to modify the source of dialupadmin, so should I use an 
older radius schema, or modify it myself?

I modified my schema to use cn=. The objectclass radiusprofile is 
constructed as follows:

objectclass
  ( 1.3.6.1.4.1.3317.4.3.2.1
 NAME 'radiusprofile'
 SUP top STRUCTURAL
 DESC ''
 MUST cn
 MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
   radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
   radiusCalledStationId $ radiusCallingStationId $ radiusClass $
   radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
   radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
   radiusFramedCompression $ radiusFramedIPAddress $
   radiusFramedCompression $ radiusFramedIPAddress $
   radiusFramedIPNetmask $ radiusFramedIPXNetwork $
   radiusFramedMTU $ radiusFramedProtocol $
   radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
   radiusGroupName $ radiusHint $ radiusHuntgroupName $
   radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
   radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
   radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
   radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
   radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
   radiusSessionTimeout $ radiusStripUserName $
   radiusTerminationAction $ radiusTunnelAssignmentId $
   radiusTunnelClientEndpoint $ radiusIdleTimeout $
   radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
   radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
   radiusLoginTCPPort $ radiusPasswordRetry $ radiusPortLimit $
   radiusPrompt $ radiusProfileDn $ radiusServiceType $
   radiusSessionTimeout $ radiusSimultaneousUse $
   radiusTerminationAction $ radiusTunnelAssignmentId $
   radiusTunnelClientEndpoint $ radiusTunnelMediumType $
   radiusTunnelPassword $ radiusTunnelPreference $
   radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
   radiusTunnelType $ radiusUserCategory $ radiusVSA )
 )

I hope that helps.
-Chris

First of all thanks for your answer.
What do you mean by modifying your schema? What you show is the 
original LDAP schema provided with freeradius. This schema cannot work 
with the following statement in dialupadmin (for example): $dn = 'uid=' 
. $login . ',' . $config[ldap_default_new_entry_suffix];

To make it clear, my problem is that the code lines of DialupAdmin's user 
management pages don't fit the LDAP schema provided with freeradius 
(RADIUS-LDAPv3.schema). In my opinion there are only 2 options:
- Modify dialupadmin according to the FreeRadius LDAP schema, which I 
don't intend to do because there are several pages involved and it may 
make it quite unstable.
- Modify the RADIUS LDAP schema according to what dialupadmin is trying 
to do. I don't want to do this either, because it is the one provided 
with freeradius, so it doesn't seem a good idea to modify it.

How am I supposed to make it work without modifying freeradius LDAP 
schema or dialupadmin ? I am surprised that it doesn't seem to be a 
well-known issue. Am I missing something ?

Thanks in advance,
Mafioo


Re: DialupAdmin/LDAP - General Questions

2005-05-12 Thread Kostas Kalevras
On Thu, 12 May 2005, Mathieu Bénard wrote:
First of all thanks for your answer.
What do you mean by modifying your schema? What you show is the original 
LDAP schema provided with freeradius. This schema cannot work with the 
following statement in dialupadmin (for example): $dn = 'uid=' . $login . ',' 
. $config[ldap_default_new_entry_suffix];
Wrong. dialupadmin uses more objectclasses than just radiusprofile when creating 
a user, in particular inetorgperson which *allows* the uid attribute, so there 
should be no problem creating a user. radiusprofile is an *auxiliary* 
objectclass, it is designed to be used in combination with other objectclasses 
when creating a user.

The reason why radiusprofile demands cn and not uid is that it may be used in 
objects other than user accounts in which case the uid attribute will not be 
present but the cn attribute will.

To make it clear, my problem is that the code lines of DialupAdmin's user 
management pages don't fit the LDAP schema provided with freeradius 
(RADIUS-LDAPv3.schema). In my opinion there are only 2 options:
- Modify dialupadmin according to the FreeRadius LDAP schema, which I don't 
intend to do because there are several pages involved and it may make it 
quite unstable.
- Modify the RADIUS LDAP schema according to what dialupadmin is trying to 
do. I don't want to do this either, because it is the one provided with 
freeradius, so it doesn't seem a good idea to modify it.

How am I supposed to make it work without modifying freeradius LDAP schema or 
dialupadmin ? I am surprised that it doesn't seem to be a well-known issue. 
Am I missing something ?
I don't see why anything should be changed anywhere.
Thanks in advance,
Mafioo

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
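The objectclass argument above (uid is allowed by inetOrgPerson, cn is what radiusprofile insists on) can be checked mechanically. The following is an added example, not code from FreeRADIUS, dialupadmin or any poster on this thread: it validates an entry against a small hand-written subset of the classes involved (person, organizationalPerson, inetOrgPerson, organizationalRole, radiusprofile; MAY lists trimmed) and shows that an entry built the way create_user.php3 builds it passes, that a radiusprofile object without uid also passes as long as it has cn, and that uid is the attribute that fails once inetOrgPerson is left out. The schema subset, the sample entries and the function names are constructed for this example; the structural/auxiliary distinction is deliberately not enforced.

```python
"""Object-class check behind the DialupAdmin/LDAP thread (added example)."""

# objectclass -> (MUST attributes, MAY attributes), names lower-cased
# because LDAP attribute names are case-insensitive.  MAY lists are a
# subset of what the real classes allow; this is a constructed schema.
SCHEMA = {
    "top": (set(), set()),
    "person": ({"cn", "sn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": (set(), {"title", "ou", "l"}),
    "inetorgperson": (set(), {"uid", "mail", "displayname", "givenname"}),
    "organizationalrole": ({"cn"}, {"description", "roleoccupant"}),
    # radiusprofile: MUST cn, MAY the radius* attributes (subset here)
    "radiusprofile": ({"cn"}, {"radiusauthtype", "radiusframedipaddress",
                               "radiusgroupname", "radiusprofiledn"}),
}


def validate(entry):
    """Return the list of schema violations for an entry; [] means valid.

    entry maps attribute names to value lists, as an LDIF record would,
    with 'objectclass' listing the classes the entry claims.
    """
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    problems = []
    allowed = {"objectclass"}
    for cls in classes:
        if cls not in SCHEMA:
            problems.append(f"unknown objectclass '{cls}'")
            continue
        must, may = SCHEMA[cls]
        allowed |= must | may
        for attr in sorted(must):
            if attr not in attrs:
                problems.append(f"objectclass '{cls}' requires '{attr}'")
    for attr in sorted(attrs):
        if attr not in allowed:
            problems.append(f"attribute '{attr}' is not allowed by any objectclass")
    return problems


def dialupadmin_entry(login):
    """Entry shaped like create_user.php3 builds it: uid=<login> as the RDN
    plus the five objectclasses quoted in the thread.  cn and sn are
    constructed values standing in for the form fields."""
    return {
        "objectclass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "radiusprofile"],
        "uid": [login],
        "cn": [login],
        "sn": [login],
        "radiusAuthType": ["Local"],
    }


def profile_entry(name):
    """A radiusprofile object that is not a user account: no uid, only cn."""
    return {"objectclass": ["top", "organizationalRole", "radiusprofile"],
            "cn": [name], "radiusGroupName": ["dialup"]}


if __name__ == "__main__":
    print(validate(dialupadmin_entry("mafioo")))        # []
    print(validate(profile_entry("default-profile")))   # []
    no_cn = dialupadmin_entry("mafioo")
    del no_cn["cn"]
    print(validate(no_cn))                              # cn required twice
    no_iop = dialupadmin_entry("mafioo")
    no_iop["objectclass"] = ["top", "person", "radiusprofile"]
    print(validate(no_iop))                             # uid not allowed
```

Running the module prints the four cases: the dialupadmin-shaped entry and the profile-only entry are clean, dropping cn is reported by both person and radiusprofile, and dropping inetOrgPerson is what makes uid illegal, which is the combination-of-classes point made in the reply.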


Re: HuntGroup + MySQL

2005-05-12 Thread Julien freeradius
Hello Dustin,
Thanks for your fast answer.
When I put == as the operator for the Huntgroup-Name attribute, I don't 
get any result any more.

radius log :
rlm_sql (sql): No matching entry in the database for request from user 
[mytestusername]
rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module sql returns notfound for request 0
 modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.

Detail file :
Packet-Type = Access-Request
Thu May 12 12:38:36 2005
   User-Name = mytestusername
   User-Password = 
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 5060
   Client-IP-Address = 127.0.0.1
   Huntgroup-Name = PPP
I think I will try another way to stop losing time.
Thanks for your attention to my message

Dustin Doris wrote:
On Wed, 11 May 2005, Julien freeradius wrote:
 

Hello,
I would like to set freeradius to send a PPP like configuration if the
request come from a nas and a VPN style configuration if coming from
another NAS. More or less like that :
huntgroups file:
PPP     NAS-IP-Address == 192.168.2.1
VPN     NAS-IP-Address == 192.168.2.2
Users file:
DEFAULT  Huntgroup-Name = PPP
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobson-TCP-IP,
   Framed-IP-Address = 255.255.255.254
DEFAULT  Huntgroup-Name = VPN
   CVPN3000-Primary-DNS = XXX.XXX.XXX.XXX,
   CVPN3000-Secondary-DNS = XXX.XXX.XXX.XXX
But I'm using MySQL. So I have set it as this:
Usergroup table :
| id | UserName | GroupName |
| 1  | TestUser | confPPP   |
| 2  | TestUser | confVPN   |
Radgroupcheck Table :
| id | GroupName | Attribute      | op | Value |
|  4 | confVPN   | Huntgroup-Name | += | VPN   |
|  8 | confPPP   | Huntgroup-Name | += | PPP   |
   

Why do you have the operator as += ?  Try it with == instead.
 

RadgroupReply table :
| id  | GroupName | Attribute              | op | Value               | prio |
| 701 | confPPP   | Framed-Address         | := | 255.255.255.254     | 3    |
| 700 | confPPP   | Framed-Protocol        | := | PPP                 | 2    |
| 702 | confPPP   | Framed-Compression     | := | Van-Jacobsen-TCP-IP | 4    |
| 711 | confPPP   | Fall-Through           | := | No                  | 5    |
| 703 | confVPN   | CVPN3000-Primary-DNS   | := | 1                   | 0    |
| 704 | confVPN   | CVPN3000-Secondary-DNS | := | 1                   | 0    |
The authentication works, the huntgroup is matched correctly (I see the hunt
group in the log), but the reply always includes both sets of data, the reply of
the VPN AND the reply of the PPP. How can I reply only the VPN
attributes when the request is coming from the VPN nas and the PPP attributes
for the other one.
Thanks in advance.
   

Read man 5 users.  In that it says += always matches as a check item and
== matches if the named attribute is present and has the given value.
I think that is where your problem lies.


 




Re: Apple Airport Extreme with EAP-TTLS...

2005-05-12 Thread Zoltan Ori
On Thursday 12 May 2005 05:21, Achim Friedland wrote:

 Afterwards I enter my username and
 password and everything seems to be okay. The 802.1x apple-window is
 counting my online-minutes, but I can't get any signal strength
 information from the AP or send/receive packets via the AP. I think I'm not
 really connected. The airport syslog isn't very helpful, it's just
 telling me that I'm connected... nothing more... Could there be some
 problems with the wpa keys or any other reason why my packets disappear
 somewhere?



 In the users file I have nothing more than:
 ahzf    Auth-Type := Local, User-Password == 1234



You haven't examined your debug output.


 The radiusd -A -X output:

 rad_recv: Access-Request packet from host 141.24.44.109:1024, id=44,
 length=192
  Framed-MTU = 1466
  NAS-IP-Address = 10.0.1.1
  NAS-Identifier = ahzfnet AP1
  User-Name = ahzf-intern
  Service-Type = Framed-User
  NAS-Port = 256
  NAS-Port-Type = Ethernet
  NAS-Port-Id = wl0
  Called-Station-Id = 00-11-24-06-2d-e1
  Calling-Station-Id = 00-0d-93-86-5f-aa
  Connect-Info = CONNECT Ethernet 54Mbps Half duplex
  EAP-Message = 0x022b00100161687a662d696e7465726e
  Message-Authenticator = 0x217c1b8348128b645236df246a53c6b9

 Thu May 12 03:29:16 2005 : Debug: users: Matched entry DEFAULT at
 line 227

Hmmm.. for some unknown reason User-Name is not matching your entry in the 
users file.





Re: problems with 802.1x - EAP-TLS

2005-05-12 Thread Galvao Rezende
Do you have a how-to about 802.1x?



2005/5/10, Vladimir Vuksan [EMAIL PROTECTED]:
 Galvao Rezende wrote:
 
  eaptls_process returned 7
   rlm_eap_tls: Received unexpected tunneled data after successful handshake.
 
 
 You need to investigate following. You may want to re-do certificates.
 
 Vladimir
 




Re: Auth-Type = System and DSL Static IP

2005-05-12 Thread Andrey
Not to be mean or anything, but you don't seem to have read the whole email or
the full correspondence. The problem only occurs when the Auth-Type is set to
System. I have a bunch of other accounts (Auth-Type: Local) that work absolutely
fine. And to answer your questions, I DID post debug info, and the override is
set to no.
Thanks for the suggestions though.
Andrey
Quoting Dustin Doris [EMAIL PROTECTED]:
On Tue, 10 May 2005, Andrey wrote:
Hi List,
I have a question about Auth-Type = System. I have several accounts that
need to be authenticated through System and it works great as long as
the IP is assigned dynamically. As soon as I switch an account to static
IP, it authenticates but does not assign the desired ip address. I'm
guessing it's to do with the order in which things are checked: 1) check
sql - auth-type: system; 2) system - authenticate; 3) assign dynamic
ip, since it's not going back to sql, but of course it might be
something else.
When you say dynamic are you referring to rlm_ip_pool?  If so, make sure
you have override = no in your config.  If you set it to override = yes,
then ippool will override the reply item you already have configured for
the user.
When you say switch the account to static IP what do you mean by that.
Does that mean that you are assigning the reply item of Framed-IP-Address?
If so, that should not be overwritten by ip_pool so long as you have
override = no.
Otherwise - post some debug output (radiusd -X)





RE: problems with digest and ser

2005-05-12 Thread Lucas Aimaretto
  So you say that if I have a client returning, at 
  authorize_check_query, a table with User-Password = , 
  it will not 
  work for digest ??
 
   I'm saying it's a bad idea, and a case I didn't test.

Well ... there are cases where I have no-password users. For these cases,
where no-password users were having trouble authenticating using
digest, I set the attribute Auth-Type := Accept. So, no matter what the
password was, I got the user successfully authenticated. And, as I was
having no trouble with users having passwords, I may conclude that I
found the solution for my problem. 

Hope it helps somebody else

Thanks

Regards,

Lucas

-- 
 




Re: HuntGroup + MySQL

2005-05-12 Thread Dustin Doris

 Hello Dustin,

 Thanks for your fast answer.
 When I put == as the operator for the Huntgroup-Name attribute, I don't
 get any result any more.

 radius log :
 rlm_sql (sql): No matching entry in the database for request from user
 [mytestusername]
 rlm_sql (sql): Released sql socket id: 4
   modcall[authorize]: module sql returns notfound for request 0
   modcall[authorize]: module mschap returns noop for request 0
 modcall: group authorize returns ok for request 0
 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user
 auth: Failed to validate the user.


 Detail file :
 Packet-Type = Access-Request
 Thu May 12 12:38:36 2005
 User-Name = mytestusername
 User-Password = 
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 5060
 Client-IP-Address = 127.0.0.1
 Huntgroup-Name = PPP

 I think I will try another way to stop losing time.
 Thanks for your attention to my message


Did you update your huntgroups settings with localhost as a PPP huntgroup?

PPP     NAS-IP-Address == 192.168.2.1
VPN     NAS-IP-Address == 192.168.2.2

Your packet had nas-ip-address of 127.0.0.1, so your user should not have
matched according to your huntgroup definition.

Or just try this.

$ printf "User-Name = mytestusername\nUser-Password = \"\"\nNAS-IP-Address = 192.168.2.1\n" | radclient localhost auth yoursecret





 Dustin Doris wrote:

 On Wed, 11 May 2005, Julien freeradius wrote:
 
 
 
 Hello,
 
 I would like to set freeradius to send a PPP like configuration if the
 request come from a nas and a VPN style configuration if coming from
 another NAS. More or less like that :
 
 huntgroups file:
 PPP     NAS-IP-Address == 192.168.2.1
 VPN     NAS-IP-Address == 192.168.2.2
 
 
 Users file:
 
 DEFAULT  Huntgroup-Name = PPP
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP,
 Framed-IP-Address = 255.255.255.254
 
 DEFAULT  Huntgroup-Name = VPN
 CVPN3000-Primary-DNS = XXX.XXX.XXX.XXX,
 CVPN3000-Secondary-DNS = XXX.XXX.XXX.XXX
 
 
 But I'm using MySQL. So I have set it as this:
 
 Usergroup table :
 
 | id | UserName | GroupName |
 | 1  | TestUser | confPPP   |
 | 2  | TestUser | confVPN   |
 
 Radgroupcheck Table :
 
 | id | GroupName | Attribute      | op | Value |
 |  4 | confVPN   | Huntgroup-Name | += | VPN   |
 |  8 | confPPP   | Huntgroup-Name | += | PPP   |
 
 
 
 Why do you have the operator as += ?  Try it with == instead.
 
 
 
 RadgroupReply table :
 
 | id  | GroupName | Attribute              | op | Value               | prio |
 | 701 | confPPP   | Framed-Address         | := | 255.255.255.254     | 3    |
 | 700 | confPPP   | Framed-Protocol        | := | PPP                 | 2    |
 | 702 | confPPP   | Framed-Compression     | := | Van-Jacobsen-TCP-IP | 4    |
 | 711 | confPPP   | Fall-Through           | := | No                  | 5    |
 | 703 | confVPN   | CVPN3000-Primary-DNS   | := | 1                   | 0    |
 | 704 | confVPN   | CVPN3000-Secondary-DNS | := | 1                   | 0    |
 
 
 The authentication works, the huntgroup is matched correctly (I see the hunt
 group in the log), but the reply always includes both sets of data, the reply of
 the VPN AND the reply of the PPP. How can I reply only the VPN
 attributes when the request is coming from the VPN nas and the PPP attributes
 for the other one.
 
 Thanks in advance.
 
 
 
 
 Read man 5 users.  In that it says += always matches as a check item and
 == matches if the named attribute is present and has the given value.
 
 I think that is where your problem lies.
 
 
 
 
 
 
 




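The two mechanisms this thread turns on (the huntgroups file assigning Huntgroup-Name from NAS-IP-Address, and the check-item operator semantics quoted from man 5 users) can be modelled in a few lines. The following is an added example, not FreeRADIUS code and not code from either poster: it replays the thread's own huntgroups, usergroup and radgroupcheck/radgroupreply rows against a request and shows why `+=` made both groups match (and so merged both replies), why `==` selects only the group whose Huntgroup-Name matches, and why a request from 127.0.0.1 matches no group at all when no huntgroups entry covers it. The values come from the thread; the Python function names and the `authorize` walk over the user's groups are my approximation of what rlm_sql does, not its actual implementation.

```python
"""Huntgroup assignment and check-item operators (added example)."""

# huntgroups file entries from the thread: (Huntgroup-Name, attribute, value)
HUNTGROUPS = [
    ("PPP", "NAS-IP-Address", "192.168.2.1"),
    ("VPN", "NAS-IP-Address", "192.168.2.2"),
]

# usergroup table: UserName -> GroupName list, in table order
USERGROUP = {"TestUser": ["confPPP", "confVPN"]}

# radgroupreply table reduced to Attribute -> Value per group
RADGROUPREPLY = {
    "confPPP": {"Framed-Protocol": "PPP",
                "Framed-Compression": "Van-Jacobson-TCP-IP",
                "Framed-IP-Address": "255.255.255.254"},
    "confVPN": {"CVPN3000-Primary-DNS": "1", "CVPN3000-Secondary-DNS": "1"},
}


def radgroupcheck(op):
    """radgroupcheck rows (GroupName, Attribute, op, Value) with the chosen operator."""
    return [("confVPN", "Huntgroup-Name", op, "VPN"),
            ("confPPP", "Huntgroup-Name", op, "PPP")]


def assign_huntgroup(request):
    """Return a copy of the request with Huntgroup-Name set by the first
    huntgroups entry whose check matches (none set if nothing matches)."""
    request = dict(request)
    for name, attr, value in HUNTGROUPS:
        if request.get(attr) == value:
            request["Huntgroup-Name"] = name
            break
    return request


def check_item_matches(request, attr, op, value):
    """One check item, with the man 5 users semantics quoted in the thread:
    '+=' always matches and adds the attribute to the request;
    '==' matches only if the request already has the attribute with that value."""
    if op == "+=":
        request[attr] = value
        return True
    if op == "==":
        return request.get(attr) == value
    raise ValueError(f"operator {op!r} not modelled in this example")


def authorize(user, request, op):
    """Walk the user's groups; a group contributes its reply items only when
    every one of its check items matches.  Returns (matched groups, reply)."""
    request = assign_huntgroup(request)
    matched, reply = [], {}
    for group in USERGROUP.get(user, []):
        rows = [r for r in radgroupcheck(op) if r[0] == group]
        scratch = dict(request)   # a '+=' in one group must not leak into the next
        if all(check_item_matches(scratch, a, o, v) for _, a, o, v in rows):
            matched.append(group)
            reply.update(RADGROUPREPLY[group])
    return matched, reply


if __name__ == "__main__":
    vpn_request = {"User-Name": "TestUser", "NAS-IP-Address": "192.168.2.2"}
    print(authorize("TestUser", vpn_request, "+="))   # both groups, merged reply
    print(authorize("TestUser", vpn_request, "=="))   # confVPN only
    local = {"User-Name": "TestUser", "NAS-IP-Address": "127.0.0.1"}
    print(authorize("TestUser", local, "=="))         # ([], {}): no huntgroup
```

With `+=` the VPN request matches confPPP as well as confVPN, which is exactly the "reply includes both" symptom; with `==` only confVPN matches. The third call reproduces the second point in the reply above: a packet from 127.0.0.1 gets no Huntgroup-Name, so neither group's `==` check can match and the SQL lookup ends in notfound.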


Re: Auth-Type = System and DSL Static IP

2005-05-12 Thread Dustin Doris


On Thu, 12 May 2005, Andrey wrote:

 Not to be mean or anything, but you don't seem to have read the whole email or
 the full correspondence. The problem only occurs when the Auth-Type is set to
 System. I have a bunch of other accounts (Auth-Type: Local) that work absolutely
 fine. And to answer your questions, I DID post debug info, and the override is
 set to no.

 Thanks for the suggestions though.

 Andrey

Not to be mean to you, but I feel you have not read the full
correspondence.  You posted the debug output of an accounting packet.  As
Alan said in his reply to you, accounting requests don't set IP addresses.

Please post the debug log of an authentication request.  This is where
your problem lies.

You did not specify before whether or not override is set to no
previously.  Without seeing your debug output of an authentication
request, I have no way of telling what is going on and whether or not that
was set.




 Quoting Dustin Doris [EMAIL PROTECTED]:

  On Tue, 10 May 2005, Andrey wrote:
 
  Hi List,
 
  I have a question about Auth-Type = System. I have several accounts that
  need to be authenticated through System and it works great as long as
  the IP is assigned dynamically. As soon as I switch an account to static
  IP, it authenticates but does not assign the desired ip address. I'm
  guessing it's to do with the order in which things are checked: 1) check
  sql - auth-type: system; 2) system - authenticate; 3) assign dynamic
  ip, since it's not going back to sql, but of course it might be
  something else.
 
 
  When you say dynamic are you referring to rlm_ip_pool?  If so, make sure
  you have override = no in your config.  If you set it to override = yes,
  then ippool will override the reply item you already have configured for
  the user.
 
  When you say switch the account to static IP what do you mean by that.
  Does that mean that you are assigning the reply item of Framed-IP-Address?
  If so, that should not be overwritten by ip_pool so long as you have
  override = no.
 
  Otherwise - post some debug output (radiusd -X)
 
 
 
 







Re: Apple Airport Extreme with EAP-TTLS...

2005-05-12 Thread Vladimir Vuksan
Achim Friedland wrote:
I configured my iBook for the airport the same way as for the CISCO 
AP, so I don't think it's a problem at the client. I'm using 
freeradius-1.0.2 on debian unstable from tarball because of the 
strange tls-bindings in the official debian package...

When I try to authenticate for the first time I have to accept the 
certificate for the tls-tunnel. Afterwards I enter my username and 
password and everything seems to be okay. The 802.1x apple-window is 
counting my online-minutes, but I can't get any signal strength 
information from the AP or send/receive packets via the AP. I think I'm 
not really connected. The airport syslog isn't very helpful, it's 
just telling me that I'm connected... nothing more... Could there be 
some problems with the wpa keys or any other reason why my packets 
disappear somewhere?
Try using WPA Personal (WPA-PSK) with the Airport AP. See if that works. 
RADIUS seems to be working correctly and authenticating you but after 
that if an AP is dropping packets it is something between your iBook and AP.

Vladimir


First Run: Invalid ELF Header

2005-05-12 Thread Terry MacDonald
FreeRadius 0.9.3
OS: SUSE 9
Installed freeradius from SUSE supplied packages.
Ran 'radiusd -X' from root and got the following error:
  radiusd.conf[1186] Failed to link to module 'rlm_expr': rlm_expr.a: 
cannot open shared object file: No such file or directory

So, set up the local env with;  'export 
LD_LIBRARY_PATH=/usr/lib/freeradius', and ran 'radiusd -X' again, now 
get the following error:

  radiusd.conf[1186] Failed to link to module 'rlm_expr': 
/usr/lib/freeradius/rlm_expr.a: invalid ELF header

So anyone know what the problem is?
Thanks in advance for any problem solving advice!
Cheers
Terry


Re: Auth-Type = System and DSL Static IP

2005-05-12 Thread Andrey Furukin
Dustin, I appreciate your help, but everything is working fine now, so you can
drop the issue, okay?
Thanks.
Andrey
Quoting Dustin Doris [EMAIL PROTECTED]:

On Thu, 12 May 2005, Andrey wrote:
Not to be mean or anything, but you don't seem to have read the 
whole email or
the full correspondence. The problem only occurs when the Auth-Type 
is set to
System. I have a bunch of other accounts (Auth-Type: Local) that work 
absolutely
fine. And to answer your questions, I DID post debug info, and the 
override is
set to no.

Thanks for the suggestions though.
Andrey
Not to be mean to you, but I feel you have not read the full
correspondence.  You posted the debug output of an accounting packet.  As
Alan said in his reply to you, accounting requests don't set IP addresses.
Please post the debug log of an authentication request.  This is where
your problem lies.
You did not specify before whether or not override is set to no
previously.  Without seeing your debug output of an authentication
request, I have no way of telling what is going on and whether or not that
was set.


Quoting Dustin Doris [EMAIL PROTECTED]:
 On Tue, 10 May 2005, Andrey wrote:

 Hi List,

 I have a question about Auth-Type = System. I have several accounts that
 need to be authenticated through System and it works great as long as
 the IP is assigned dynamically. As soon as I switch an account to static
 IP, it authenticates but does not assign the desired ip address. I'm
 guessing it's to do with the order in which things are checked: 1) check
 sql - auth-type: system; 2) system - authenticate; 3) assign dynamic
 ip, since it's not going back to sql, but of course it might be
 something else.


 When you say dynamic are you referring to rlm_ip_pool?  If so, make sure
 you have override = no in your config.  If you set it to override = yes,
 then ippool will override the reply item you already have configured for
 the user.

 When you say switch the account to static IP what do you mean by that.
 Does that mean that you are assigning the reply item of Framed-IP-Address?
 If so, that should not be overwritten by ip_pool so long as you have
 override = no.

 Otherwise - post some debug output (radiusd -X)





Re: Auth-Type = System and DSL Static IP

2005-05-12 Thread Dustin Doris
Great.

On Thu, 12 May 2005, Andrey Furukin wrote:

 Dustin, I appreciate your help, but everything is working fine now, so you can
 drop the issue, okay?

 Thanks.

 Andrey




Re: LDAP failover on freeRADIUS 1.0.1

2005-05-12 Thread Alan DeKok
Jan-Piet Mens [EMAIL PROTECTED] wrote:
 With the configuration below, each of the LDAP instances is queried
 sequentially, which is not what I want. I see:

  It's what you configured.  If the first one is down, it falls over
to the second one.  If the second one is down, there's nothing left to
do but wait for it to come back up.

  Alan DeKok.



token card strong authentication

2005-05-12 Thread Maqbool Hashim
Hi,
I wish to use One Time Passwords with the freeradius server.  I'm trying 
to find the best way to do this.  Unfortunately there are not many of 
the token card manufacturers that support the freeradius server.  At the 
moment it looks as if Cryptocard are the best bet.

I would be very interested to hear from anyone who has implemented any 
OTP solution with freeradius.

Thanks



Comparison

2005-05-12 Thread Paulo C. Panaligan
What do you guys think of "Linspire" compared to other Linux Distributors, especially Red hat Linux? Does it have the same Run Command Console?

RE: Comparison

2005-05-12 Thread mmiranda
Linspire sucks, sucks and really sucks,

Paulo, please go somewhere else with your crack, far away from this list.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paulo C. Panaligan
Sent: Thursday, May 12, 2005 12:54 PM
To: freeradius-users@lists.freeradius.org
Subject: Comparison

What do you guys think of "Linspire" compared to other Linux Distributors, especially Red hat Linux? Does it have the same Run Command Console?


RE: Comparison

2005-05-12 Thread mmiranda
I mean CRAP!!!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 1:31 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Comparison

Linspire sucks, sucks and really sucks,

Paulo, please go somewhere else with your crack, far away from this list.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paulo C. Panaligan
Sent: Thursday, May 12, 2005 12:54 PM
To: freeradius-users@lists.freeradius.org
Subject: Comparison

What do you guys think of "Linspire" compared to other Linux Distributors, especially Red hat Linux? Does it have the same Run Command Console?


Freeradius + MySQL + huntgroups configuration and more questions

2005-05-12 Thread dstewart
First posting to group, please be gentle. . .

Version:
radiusd: FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on
Nov  9 2004 at 11:08:43
Running on SuSE Linux 2.6.5-7.151-smp Fri Mar 18 11:31:21 UTC 2005 i686
i686 i386 GNU/Linux

For several months, our system has been working to allow dialup and reject
e-mail only, virus lockouts, and billing lockouts.  We want to add RADIUS
to our wireless and DSL systems.

What I Need to Accomplish:
a. Any given user may have access to any combination of dialin, wireless, dsl
b. Reject access to unknown users, virus_lockout, billing_lockout and
email_only customers, regardless of the NAS they are using.
c. Accept a known user from a modem server only if the user is part of the
dialin group.
d. Accept a known user from a wireless access point only if the user is
part of the wireless group.
e. Accept a known user from DSL only if the user is part of the dsl group.

Our 'DialUp_Default' group is given these attributes and values:
Coming from the 'radgroupreply' table:
Session-Timeout := 14400
Service-Type := Framed-User
Framed-Compression := Van-Jacobsen-TCP-IP
Framed-MTU := 1500
Framed-IP-Address := 255.255.255.254
Coming from the 'radgroupcheck' table:
Simultaneous-Use := 1
[Question: Is that even done correctly?]

I've been trying to setup 'huntgroups' using this template:
dialup      NAS-IP-Address == 1.2.3.4
dialup      NAS-IP-Address == 1.2.3.5
dialup      NAS-IP-Address == 1.2.3.6
wireless    NAS-IP-Address == 1.3.5.7
Are these the ONLY entries that go into the 'huntgroups' file?

'radiusd -X' includes these lines:
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
However, when I add to 'radgroupcheck':
Wireless_default    Huntgroup-Name := wireless
radtest for the user responds with 'reject' -- it responds with 'accept'
as long as that row is not in 'radgroupcheck'.

My Reference Points:
I [think] 'radiusd -X' shows me that:
1. preprocess works first, but I can't see that it is including 'huntgroups'
2. 'radcheck' looks like a replacement for 'users', retrieving username
and password.  The key on this allows only one entry per username.
3. 'radgroupcheck' & 'usergroup' provide the 'Group' attribute and
value(s) for the user (these return for me, a member of both groups):
Wireless_Default    Simultaneous-Use := 1
DialUp_Default      Simultaneous-Use := 1
4. 'radreply' provides specific attributes and values for specific users.
Eg. Session-Timeout := 28800
Eg. Framed-IP-Address := 1.2.3.200
5. 'radgroupreply' is basic attributes and values (noted above)

I see that radacct is the logging.

I'm not sure how radpostauth and userinfo are used, or if they are just
tables I inherited since there is nothing new in them.

The docs are very nice EXCEPT I'm having trouble figuring out how the
MySQL tables fit into the scheme.  A nice overview of the /etc/raddb files
and the mysql tables and how they relate to each other would be nice to
have and might help me self-solve my situation.

Thanks for your help, information, and guidance.

Danny





Re: RadZap

2005-05-12 Thread Sarkis Gabriel
I have installed freeradius from CVS and I found out that radzap in that is a
bin file and it is giving a Segmentation Fault. I just want a confirmation if
there were any changes made on CVS? Also the version of radwho.c is 1.44.2.1,
and the Changelog states that it is the candidate for 1.0.3.

Thank you 

Sarky

-- Original Message ---
From: Sarkis Gabriel [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tue, 10 May 2005 00:12:20 +0200
Subject: Re: RadZap 

 Okie i got the CVS once more, i think the way i got it the first time was 
 wrong hence i got the ./configure error. I noticed that i was talking about 
 another email in the archive and not the one originated from you, now i got 
 the cvs and compiled it tomorrow when my brain is functioning properly i will 
 install and configure and play around with radzap.
 
 Sorry for the confusion, and thanks for the help.
 
 Sarky
 
 -- Original Message ---
 From: Alan DeKok [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Sent: Mon, 09 May 2005 17:19:13 -0400
 Subject: Re: RadZap
 
  Sarkis Gabriel [EMAIL PROTECTED] wrote:
   The CVS command i used was the one advising someone else to use and
   i got radiusd, copied the files and got a compile error when it got
   to radwho.c
  
If you grab the 1.0.x candidate from CVS, you don't have to copy
  over radwho.c.  The previous messages in the list archive say that.
  
And didn't you say in your previous message that it failed in
  configure?  Are you sure you know what's going on in your system?
  
Alan DeKok.
  
 --- End of Original Message ---
 
--- End of Original Message ---




peap (ms-chap v2) + ldap bind

2005-05-12 Thread CHui
I would like to know if anyone has a work around to support PEAP
(MS-CHAP v2) client access authenticating against an LDAP server with a bind operation.
Currently, retrieving the clear text password from LDAP is not an option.

Thanks

Cedric
Re: peap (ms-chap v2) + ldap bind

2005-05-12 Thread Vladimir Vuksan
CHui wrote:
 

I would like to know if anyone has a work around to support PEAP (ms 
chap v2) client access authenticate against a LDAP server with bind 
operation.   Currently, retrieving clear text password from LDAP is 
not an option. 

No, this is not possible. The only way you can authenticate via LDAP bind is 
using TTLS with PAP as the inner tunnel authentication.

If you do need to use PEAP you will have to add NT/LM hashes in your 
LDAP directory. To do that extend the schema with Samba objects and 
download the smbldap-tools package. Of course this will involve users 
having to reset their passwords since you can't convert from MD5 to NT/LM.

Vladimir


Re: RadZap

2005-05-12 Thread Alan DeKok
Sarkis Gabriel [EMAIL PROTECTED] wrote:
 I have installed freeradius from CVS and i found out that radzap in
 that is a bin file and it is giving Segmentation Fault, I just want
 a confirmation if there was any changes made on cvs?

  That's fixed.  Do a cvs update

  Alan DeKok.



Re: peap (ms-chap v2) + ldap bind

2005-05-12 Thread Vladimir Vuksan

I would like to know if anyone has a work around to support PEAP (ms 
chap v2) client access authenticate against a LDAP server with bind 
operation.   Currently, retrieving clear text password from LDAP is 
not an option. 

This is how I got it going
http://vuksan.com/linux/dot1x/802-1x-LDAP.html#PEAP_with_OpenLDAP
Vladimir


Re: Freeradius + MySQL + huntgroups configuration and more questions

2005-05-12 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 radiusd: FreeRADIUS Version 0.9.3, for host i686-pc-linux-gnu, built on
 Nov  9 2004 at 11:08:43

  You should really upgrade to 1.0.2.

 What I Need to Accomplish:
 a. Any given user may have access to any combination of dialin, wireless,
  dsl

  The server allows this by default, unless you edit the configuration
to disallow this.

 b. Reject access to unknown users,

  The server does this by default.

 virus_lockout, billing_lockout and email_only customers, regardless
 of the NAS they are using.

  How do you define those customers?

 c. Accept a known user from a modem server only if the user is part of the
 dialin group.
 d. Accept a known user from a wireless access point only if the user is
 part of the wireless group.
 e. Accept a known user from DSL only if the user is part of the dsl group.

  See the FAQ; you can do group checking via Unix groups.  See also
rlm_passwd in 1.0.2, for non-Unix group checks.

 However, when I add to 'radgroupcheck':
   Wireless_default    Huntgroup-Name := wireless

  That should be '=='

 3. 'radgroupcheck' & 'usergroup' provide the 'Group' attribute

  No.  The Group attribute is for checking Unix groups, nothing else.

...
 Are these the ONLY entries that go into the huntgroups file?

  Yes.

  Alan DeKok.


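As an added example (not code from the original posts or from the FreeRADIUS project), here are Danny's group rows rewritten with the comparison operator Alan points to, against the stock 0.9.x/1.0.x MySQL schema. Column names (GroupName/Attribute/op/Value, UserName/GroupName) are assumed from that stock schema; the group and user names are constructed.

```sql
-- Constructed rows for the FreeRADIUS 0.9.x/1.0.x 'radgroupcheck' and
-- 'usergroup' tables (stock db_mysql.sql column names assumed).
-- The huntgroups file maps NAS-IP-Address to a huntgroup name
-- (dialup / wireless / dsl); the preprocess module puts that name into
-- Huntgroup-Name on each request before the sql module runs.

-- WRONG (the row from the question): ':=' is an assignment operator, so as a
-- check item it always matches and sets Huntgroup-Name; it never compares the
-- request's Huntgroup-Name against 'wireless'.
-- INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
--   VALUES ('Wireless_Default', 'Huntgroup-Name', ':=', 'wireless');

-- RIGHT: '==' is a comparison, so the group's items apply only when the
-- request arrived through a NAS listed under that huntgroup.
-- Simultaneous-Use is a control item, so ':=' is the right operator there.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES
  ('Wireless_Default', 'Huntgroup-Name',   '==', 'wireless'),
  ('Wireless_Default', 'Simultaneous-Use', ':=', '1'),
  ('DialUp_Default',   'Huntgroup-Name',   '==', 'dialup'),
  ('DialUp_Default',   'Simultaneous-Use', ':=', '1'),
  ('DSL_Default',      'Huntgroup-Name',   '==', 'dsl'),
  ('DSL_Default',      'Simultaneous-Use', ':=', '1');

-- Membership decides which huntgroup-gated groups a user can match at all
-- (requirement a: any combination). 'alice' may use dial-up and wireless,
-- 'bob' only DSL; neither matches a group whose huntgroup they did not
-- arrive through.
INSERT INTO usergroup (UserName, GroupName) VALUES
  ('alice', 'DialUp_Default'),
  ('alice', 'Wireless_Default'),
  ('bob',   'DSL_Default');

-- Quick sanity check: list the check items a given user's groups carry,
-- which is what to compare against the 'radiusd -X' output.
SELECT u.UserName, g.GroupName, g.Attribute, g.op, g.Value
  FROM usergroup u
  JOIN radgroupcheck g ON g.GroupName = u.GroupName
 WHERE u.UserName = 'alice'
 ORDER BY g.GroupName, g.Attribute;
```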

Re: token card strong authentication

2005-05-12 Thread Alan DeKok
Maqbool Hashim [EMAIL PROTECTED] wrote:
 I wish to use One Time Passwords with the freeradius server.  I'm trying 
 to find the best way to do this.  Unfortunately there are not many of 
 the token card manufacturers that support the freeradius server.  At the 
 moment it looks as if Cryptocard are the best bet.

  They're OK.

 I would be very interested to hear from anyone who has implemented any 
 OTP solution with freeradius.

  I haven't personally, but I know a number of others have.
e.g. rlm_x99_token has been used at Google with CryptoCard tokens.

  Alan DeKok.



Re: LDAP failover on freeRADIUS 1.0.1

2005-05-12 Thread Jan-Piet Mens
On Thu May 12 2005 at 18:24:09 CEST, Alan DeKok wrote:

 Jan-Piet Mens [EMAIL PROTECTED] wrote:
  With the configuration below, each of the LDAP instances is queried
  sequentially, which is not what I want. I see:
 
   It's what you configured.  If the first one is down, it falls over
 to the second one.  If the second one is down, there's nothing left to
 do but wait for it to come back up.

Well, not quite. In the log output shown in my previous message, both LDAP
servers are healthy and answering queries correctly. Why is freeRadius querying
both the servers, and what must I change to avoid that?

-JP
