Problem with rlm_counter in compiling

2005-12-21 Thread Rafael Roldán



Hi all,

I am trying to install freeradius 1.0.5 on a Solaris 8 machine.

When I run make, I obtain the following error:
...
rlm_counter.c:38:18: gdbm.h: No such file or directory
rlm_counter.c:84: parse error before "GDBM_FILE"
rlm_counter.c:84: warning: no semicolon at end of struct or union
rlm_counter.c:88: parse error before '}' token
rlm_counter.c:88: warning: type defaults to `int' in declaration of `rlm_counter_t'
rlm_counter.c:88: warning: data definition has no type or storage class
rlm_counter.c:116: parse error before ')' token
rlm_counter.c:116: initializer element is not constant
rlm_counter.c:116: (near initialization for `module_config[0].offset')
rlm_counter.c:116: warning: missing initializer
rlm_counter.c:116: warning: (near initialization for `module_config[0].offset')
rlm_counter.c:116: initializer element is not constant
rlm_counter.c:116: (near initialization for `module_config[0]')
rlm_counter.c:117: parse error before ')' token
rlm_counter.c:117: initializer element is not constant
rlm_counter.c:117: (near initialization for `module_config[1].offset')
rlm_counter.c:117: warning: missing initializer
rlm_counter.c:117: warning: (near initialization for `module_config[1].offset')
rlm_counter.c:117: initializer element is not constant
rlm_counter.c:117: (near initialization for `module_config[1]')
rlm_counter.c:118: parse error before ')' token
rlm_counter.c:118: initializer element is not constant
rlm_counter.c:118: (near initialization for `module_config[2].offset')
rlm_counter.c:118: warning: missing initializer
rlm_counter.c:118: warning: (near initialization for `module_config[2].offset')
rlm_counter.c:118: initializer element is not constant
rlm_counter.c:118: (near initialization for `module_config[2]')
rlm_counter.c:119: parse error before ')' token
rlm_counter.c:119: initializer element is not constant
rlm_counter.c:119: (near initialization for `module_config[3].offset')
rlm_counter.c:119: warning: missing initializer
rlm_counter.c:119: warning: (near initialization for `module_config[3].offset')
rlm_counter.c:119: initializer element is not constant
rlm_counter.c:119: (near initialization for `module_config[3]')
rlm_counter.c:120: parse error before ')' token
rlm_counter.c:120: initializer element is not constant
rlm_counter.c:120: (near initialization for `module_config[4].offset')
rlm_counter.c:120: warning: missing initializer
rlm_counter.c:120: warning: (near initialization for `module_config[4].offset')
rlm_counter.c:120: initializer element is not constant
rlm_counter.c:120: (near initialization for `module_config[4]')
rlm_counter.c:121: parse error before ')' token
rlm_counter.c:121: initializer element is not constant
rlm_counter.c:121: (near initialization for `module_config[5].offset')
rlm_counter.c:121: warning: missing initializer
rlm_counter.c:121: warning: (near initialization for `module_config[5].offset')
rlm_counter.c:121: initializer element is not constant
rlm_counter.c:121: (near initialization for `module_config[5]')
rlm_counter.c:122: parse error before ')' token
rlm_counter.c:122: initializer element is not constant
rlm_counter.c:122: (near initialization for `module_config[6].offset')
rlm_counter.c:122: warning: missing initializer
rlm_counter.c:122: warning: (near initialization for `module_config[6].offset')
rlm_counter.c:122: initializer element is not constant
rlm_counter.c:122: (near initialization for `module_config[6]')
rlm_counter.c:123: parse error before ')' token
rlm_counter.c:123: initializer element is not constant
rlm_counter.c:123: (near initialization for `module_config[7].offset')
rlm_counter.c:123: warning: missing initializer
rlm_counter.c:123: warning: (near initialization for `module_config[7].offset')
rlm_counter.c:123: initializer element is not constant
rlm_counter.c:123: (near initialization for `module_config[7]')
rlm_counter.c:124: initializer element is not constant
rlm_counter.c:124: (near initialization for `module_config[8]')
rlm_counter.c: In function `counter_cmp':
rlm_counter.c:138: `data' undeclared (first use in this function)
rlm_counter.c:138: (Each undeclared identifier is reported only once
rlm_counter.c:138: for each function it appears in.)
rlm_counter.c:138: parse error before ')' token
rlm_counter.c:139: `datum' undeclared (first use in this function)
rlm_counter.c:156: `key_datum' undeclared (first use in this function)
rlm_counter.c:159: `count_datum' undeclared (first use in this function)
rlm_counter.c:159: warning: implicit declaration of function `gdbm_fetch'
rlm_counter.c:133: warning: unused parameter `instance'
rlm_counter.c: At top level:
rlm_counter.c:171: parse error before '*' token
rlm_counter.c:172: warning: function declaration isn't a prototype
rlm_counter.c: In function `add_defaults':
rlm_counter.c:173: `datum' undeclared (first use in this function)
rlm_counter.c:173: parse error before "key_datum"
rlm_counter.c:180: `key_datum' undeclared (first use in this

Re: Problem writing config attributes from script

2005-12-21 Thread Yannick Deltroo
Hereafter is the debug output for an access request (freeradius 1.0.5).
My external script authorize_prepaid_account writes this to the output
Post-auth-Type := new_prepaid_account
Password == test

However these config attributes are not taken into account for
processing by other modules. The chap authentication module does not
see any password.
Which is actually true, my second dump script just dumps the config
attributes ... there's no Post-Auth-Type or Password attribute.

I guess my output format is not correct, and not parsed by freeradius.
What should be the output format for config attributes ?

Thanks for your help


Starting - reading configuration files ...


Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
..
 exec: wait = yes
 exec: program = /etc/raddb/scripts/authorize %{User-Name}
 exec: input_pairs = request
 exec: output_pairs = config
 exec: packet_type = Access-Request
Module: Instantiated exec (authorize_prepaid_account)
.
 exec: wait = yes
 exec: program = /etc/raddb/scripts/dump %{User-Name}
 exec: input_pairs = config
 exec: output_pairs = reply
 exec: packet_type = Access-Request
Module: Instantiated exec (dump)
.
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.0.2:2121, id=0, length=240
User-Name = prepaid1
CHAP-Challenge = 0x4f8d8594b5f54d2ed0b4d5e2677cf6f7
CHAP-Password = 0x00427a8e6d6f41280fd0974fbbab1f4fcc
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.13
Calling-Station-Id = 00-04-23-6C-89-87
Called-Station-Id = 00-0F-66-A3-24-71
NAS-Identifier = deltroo_1
Acct-Session-Id = 43a926ed
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0xf7d949b9e72693fe8c1f85e47afe3131
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/172.16.0.2/auth-detail-20051221'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to 
  modcall[authorize]: module auth_log returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
radius_xlat:  '/etc/raddb/scripts/authorize prepaid1'
Exec-Program: /etc/raddb/scripts/authorize prepaid1
Exec-Program output: Post-Auth-Type := new_prepaid_account Password == test
Exec-Program-Wait: plaintext: Post-Auth-Type := new_prepaid_account
Password == test
Exec-Program: returned: 0
  modcall[authorize]: module authorize_prepaid_account returns ok
for request 0
users: Matched entry DEFAULT at line 148
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'prepaid1'
rlm_sql (sql): sql_set_user escaped user -- 'prepaid1'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'prepaid1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User prepaid1 not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM .
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM .
rlm_sql (sql): User prepaid1 not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound for request 0
radius_xlat:  '/etc/raddb/scripts/dump prepaid1'
Exec-Program: /etc/raddb/scripts/dump prepaid1
Exec-Program output: Reply-Message +=  Dump script executed 
Exec-Program-Wait: value-pairs: Reply-Message +=  Dump script executed 
Exec-Program: returned: 0
  modcall[authorize]: module dump returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap
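
The debug output in the message above labels the first script's output `plaintext` and the dump script's output `value-pairs`. The following checker is an added example, not part of the original post and not FreeRADIUS code: it scans server debug output and flags exec instances that have `output_pairs` set but whose output was logged as `plaintext`. It assumes that label means the output was not parsed into attribute pairs; the sample log is constructed from lines quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines taken from the debug output quoted in the post, trimmed.
SAMPLE_LOG = """\
 exec: wait = yes
 exec: program = /etc/raddb/scripts/authorize %{User-Name}
 exec: input_pairs = request
 exec: output_pairs = config
 exec: packet_type = Access-Request
Module: Instantiated exec (authorize_prepaid_account)
 exec: wait = yes
 exec: program = /etc/raddb/scripts/dump %{User-Name}
 exec: input_pairs = config
 exec: output_pairs = reply
 exec: packet_type = Access-Request
Module: Instantiated exec (dump)
radius_xlat:  '/etc/raddb/scripts/authorize prepaid1'
Exec-Program: /etc/raddb/scripts/authorize prepaid1
Exec-Program output: Post-Auth-Type := new_prepaid_account Password == test
Exec-Program-Wait: plaintext: Post-Auth-Type := new_prepaid_account
Password == test
Exec-Program: returned: 0
  modcall[authorize]: module authorize_prepaid_account returns ok
for request 0
radius_xlat:  '/etc/raddb/scripts/dump prepaid1'
Exec-Program: /etc/raddb/scripts/dump prepaid1
Exec-Program output: Reply-Message +=  Dump script executed
Exec-Program-Wait: value-pairs: Reply-Message +=  Dump script executed
Exec-Program: returned: 0
  modcall[authorize]: module dump returns ok for request 0
"""

CFG_RE = re.compile(r"^\s*exec: (\w+) = (.*)$")
INST_RE = re.compile(r"^Module: Instantiated exec \((\S+)\)")
DONE_RE = re.compile(r"^Exec-Program: returned: (-?\d+)")
RUN_RE = re.compile(r"^Exec-Program: (?!returned:)(.+)$")
WAIT_RE = re.compile(r"^Exec-Program-Wait: (plaintext|value-pairs): ?(.*)$")
MOD_RE = re.compile(r"modcall\[\w+\]: module (\S+) returns (\w+)")


@dataclass
class ExecRun:
    command: str
    kind: Optional[str] = None       # "plaintext" or "value-pairs"
    output: str = ""                 # script output as the server logged it
    exit_code: Optional[int] = None
    module: Optional[str] = None     # exec instance name from the modcall line
    result: Optional[str] = None     # module return code (ok, noop, ...)


def parse_debug(text: str) -> Tuple[Dict[str, dict], List[ExecRun]]:
    """Collect exec instance settings and each script run from debug output."""
    instances: Dict[str, dict] = {}
    runs: List[ExecRun] = []
    pending_cfg: dict = {}
    current: Optional[ExecRun] = None
    in_output = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := CFG_RE.match(line)):
            value = m.group(2).strip()
            pending_cfg[m.group(1)] = None if value == "(null)" else value
        elif (m := INST_RE.match(line)):
            # The settings printed just before this line belong to this instance.
            instances[m.group(1)] = pending_cfg
            pending_cfg = {}
        elif (m := DONE_RE.match(line)):
            in_output = False
            if current:
                current.exit_code = int(m.group(1))
        elif (m := RUN_RE.match(line)):
            current = ExecRun(command=m.group(1))
            runs.append(current)
            in_output = False
        elif (m := WAIT_RE.match(line)) and current:
            current.kind, current.output = m.group(1), m.group(2).strip()
            in_output = True
        elif (m := MOD_RE.search(line)) and current and m.group(1) in instances:
            current.module, current.result = m.group(1), m.group(2)
            current = None
        elif in_output and current and line.strip():
            # Multi-line script output continues until the "returned:" line.
            current.output += "\n" + line.strip()
    return instances, runs


def unparsed_pair_output(text: str) -> List[ExecRun]:
    """Runs whose instance sets output_pairs but whose output stayed plaintext."""
    instances, runs = parse_debug(text)
    return [
        run for run in runs
        if instances.get(run.module or "", {}).get("output_pairs")
        and run.kind == "plaintext"
    ]


if __name__ == "__main__":
    for run in unparsed_pair_output(SAMPLE_LOG):
        print(f"{run.module}: output not parsed as pairs: {run.output!r}")
```

A module return of `ok` does not show that the script's attributes were applied, so the check keys on the `Exec-Program-Wait` label instead.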

Re: Problem with rlm_counter in compiling

2005-12-21 Thread Michael Mitchell

Do you need to use rlm_counter? If not, you can simply delete the rlm_counter 
directory and run configure again then make, or delete rlm_counter from the 
MODULES item in Make.inc, and run make again.

The problem is that the compiler can't find gdbm.h. It may not be installed on 
your system, in which case the configure process should have removed 
rlm_counter from the Makefiles. If gdbm.h does exist, the configure script may 
not have updated the Makefile with the location of gdbm.h. If you know where 
gdbm.h exists on your system (config.log may give you some hints) then you can 
update RLM_CFLAGS in the Makefile in rlm_counter manually and see if you get 
any further.

Please report back with your progress, as it may help to improve the configure 
and Make process for the future.

Building freeRADIUS on Solaris always seems to be a little troublesome - I've had various problems with the configure scripts on Solaris 9 and 10 in the past. 


If none of this makes sense, shoot me an email and I can try to walk you 
through it in a bit more detail.

regards,
Mike



Rafael Roldán wrote:

Hi all,
 
I am trying to install freeradius 1.0.5 in a solaris 8 machine.
 
When I run make, I obtain the following error:

...

users file logic?

2005-12-21 Thread Maqbool Hashim

Hi,

I have this in my users file:

user Auth-Type := Local, User-Password = pass
   Tunnel-Type = 13,
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-ID = 4016,
   Fall-Through = No

I would like to assign a different vlan-id if the user doesn't 
authenticate successfully, i.e. the username is the same but he enters 
the wrong password.  Is this actually possible, as the processing will 
stop once it matches the first entry for the user user?


Regards,

Maqbool Hashim
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with rlm_counter in compiling

2005-12-21 Thread Rafael Roldán
Hi Michael,

Thanks a lot for your extensive response.

I have deleted the rlm_counter and rlm_ippool directories (both of them need
gdbm.h) because I only want to test the proxy functionality of freeradius.
But, after this I have installed freeradius 1.0.5 on another Solaris 8
machine and here I haven't had any problem (and the gdbm.h file doesn't
exist on this machine either, I tried to find it with the find command without
any result). I don't know what I am doing differently...

Best regards from Madrid
Rafa
- Original Message - 
From: Michael Mitchell [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, December 21, 2005 11:41 AM
Subject: Re: Problem with rlm_counter in compiling


 Do you need to use rlm_counter? If not, you can simply delete the
rlm_counter directory and run configure again then make, or delete
rlm_counter from the MODULES item in Make.inc, and run make again.

 The problem is that the compiler can't find gdbm.h. It may not be
installed on your system, in which case the configure process should have
removed rlm_counter from the Makefiles. If gdbm.h does exist, the configure
script may not have updated the Makefile with the location of gdbm.h. If you
know where gdbm.h exists on your system (config.log may give you some hints)
then you can update RLM_CFLAGS in the Makefile in rlm_counter manually and
see if you get any further.

 Please report back with your progress, as it may help to improve the
configure and Make process for the future.

 Building freeRADIUS on Solaris always seems to be a little troublesome -
I've had various problems with the configure scripts on Solaris 9 and 10 in
the past.

 If none of this makes sense, shoot me an email and I can try to walk you
through it in a bit more detail.

 regards,
 Mike



 Rafael Roldán wrote:
  Hi all,
 
  I am trying to install freeradius 1.0.5 in a solaris 8 machine.
 
  When I run make, I obtain the following error:
  ...
  

Re: Problem with CHAP, users file and radclient

2005-12-21 Thread Andreas Engler

Andreas Engler [EMAIL PROTECTED] wrote:


  rlm_chap: login attempt by hubba with CHAP password
  rlm_chap: Using clear text password bubba for user hubba 
authentication.

  rlm_chap: Pasword check failed


  



 The password entered in the client does not match the password you
configured on the server.  Nothing else will cause this error.

 Alan DeKok.
 


Thank you for your response.
One question remains. Is it possible to resend an auth-detail file with
Access-Requests that once were successfully authenticated via radclient
and authenticate them successfully again, even if there are
Chap-Password and Chap-Challenge attributes in the auth-detail file and
so the Auth-Type will be CHAP?
I expected that would work, but it seems not to function. Is that a
CHAP related issue?


Andreas Engler


Re: Radius accounting file scanning and upload to database

2005-12-21 Thread Lewis Bergman

Ming-Ching Tiew wrote:
I have implemented a file scanning mechanism to scan the radius 
accounting detail file and subsequently upload to database server 
but at the time of scanning, I detect the presence of a yesterday 
file ( ie a completed file). This will mean that my accounting 
record inside the database is one day late.


Now I understand there is a way to instruct radius server to change
the file name hourly, so theoretically I should be able to
scan the presence of last hour completed file, and then upload to
database server.

However, assuming the scanning, processing, and subsequent uploading
to database server is very slow, it could mean that from the start 
of one scan to the next scan, if more than one hour has passed, 
I would have missed one of the last hour file.


Anyone has a better idea of how to process an hourly file more
gracefully ?

This is probably a stupid question but why not log the accounting
directly to the sql via the sql module?


--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


Multiple accounting hosts for one realm?

2005-12-21 Thread Johan Ramm-Ericson
Hello Freeradius-users!

While configuring freeradius 1.0.5 on Solaris 9 I began to look at
setting up different accounting hosts for users depending on which realm
users originated from. That worked fine. However; I have now come across
a situation where it might be valuable to send the same accounting
information to multiple accounting hosts.

I am hoping to do this by changing the accthost variable in
etc/raddb/proxy.conf. Does anyone on the list know if (a) this is
possible, and if it is possible (b) how to do it - i.e can I add further
hosts in a list to the existing variable or do I need to use some other
method?

Thanks!
/jre



Re: Multiple accounting hosts for one realm?

2005-12-21 Thread Nicolas Baradakis
Johan Ramm-Ericson wrote:

 While configuring freeradius 1.0.5 on Solaris 9 I began to look at
 setting up different accounting hosts for users depending on which realm
 users originated from. That worked fine. However; I have now come across
 a situation where it might be valuable to send the same accounting
 information to multiple accounting hosts.
 
 I am hoping to do this by changing the accthost variable in
 etc/raddb/proxy.conf. Does anyone on the list know if (a) this is
 possible, and if it is possible (b) how to do it - i.e can I add further
 hosts in a list to the existing variable or do I need to use some other
 method?

You might look at radrelay, it comes with FreeRADIUS.
http://freeradius.org/radiusd/doc/radrelay

-- 
Nicolas Baradakis



Re: rlm_sqlcounter and something else than Session-Timeout

2005-12-21 Thread Damjan
  I really don't know why everybody is telling that such config would be
  impossible.
 
   It's impossible to enforce traffic limiting *during* a users
 session.  So if a user is a tiny bit below their limit and logs in
 again, they can go over their limit.  The server will only catch 
 enforce their limit on the next login.

It is possible, but that depends on your NAS equipment.

Chillispot will use the radius reply attribute
ChilliSpot-Max-Total-Octets to specify how many octets the user is
allowed to transfer. Once the user passes the limit he is
deauthenticated and his session ends.


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!


Re: rlm_sqlcounter and something else than Session-Timeout

2005-12-21 Thread Damjan
It's impossible to enforce traffic limiting *during* a users
  session.  So if a user is a tiny bit below their limit and logs in
  again, they can go over their limit.  The server will only catch 
  enforce their limit on the next login.
 
 It is possible, but that depends on your NAS equipment.
 
 Chillispot will use the radius reply attribute
 ChilliSpot-Max-Total-Octets to specify how many octets the user is
 allowed to transfer. Once the user passes the limit he is
 deauthenticated and his session ends.

BTW.
Chillispot (free software) also supports
ChilliSpot-Max-Input-Octets and ChilliSpot-Max-Output-Octets attributes,
if you want to separately limit the traffic.

All the radius attributes Chillispot supports are documented here:
http://www.chillispot.org/features.html#mozTocId36714


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!


Re: Problem writing config attributes from script

2005-12-21 Thread Alan DeKok
Yannick Deltroo [EMAIL PROTECTED] wrote:
 However these config attributes are not taken into account for
 processing by other modules.

  Because you're putting the attributes into the reply item list, not
the config item list.

 Module: Instantiated exec (authorize_prepaid_account)
 .
  exec: wait = yes
  exec: program = /etc/raddb/scripts/dump %{User-Name}
  exec: input_pairs = config
  exec: output_pairs = reply

  See?  Change output_pairs to config, and it should work.

  The documentation for rlm_exec explains this.

  Alan DeKok.


Re: Problem with CHAP, users file and radclient

2005-12-21 Thread Alan DeKok
Andreas Engler [EMAIL PROTECTED] wrote:
 One question remains. Is it possible to resend an auth-detail file with 
 Access-Requests that once were successfully authenticated via radclient 
 and authenticate them successfully again, even if there are 
 Chap-Password and Chap-Challenge attributes in the auth-detail file and 
 so the Auth-Type will be CHAP?

  I have *no* idea what that means.

  Alan DeKok.


Re: rlm_sqlcounter and something else than Session-Timeout

2005-12-21 Thread Alan DeKok
Jonathan De Graeve [EMAIL PROTECTED] wrote:
...
 That's the reason (IMHO) most people want the possibility to set the
 reply attribute.

  So submit a patch, or find a patch that exists, and say publicly
that it works for you.

  Alan DeKok.



Re: Problem writing config attributes from script

2005-12-21 Thread Yannick Deltroo
Alan, thanks for your help.

I've read the rlm_exec documentation in the configuration file before
posting on the list.

As you can see, I actually run two scripts in the authorization section.
The first script to run is authorize_prepaid_account, which is
correctly set to output to config, as per the documentation. Then, I
run a second script called dump, just to write environment variables
to a file (to see what's going on). dump does not output any pairs,
so whether it's set to write to reply or config should not have an
impact.

When I play around with what the authorize_prepaid_account script is
doing, I can reproduce this strange behavior:
1- If authorize_prepaid_account only outputs Password = X, then
everything works fine. I can authorize/authenticate. My dump file
shows that Password =  was correctly written to config attributes.

2- If I modify authorize_prepaid_account to output two pairs instead
of just Password =, i.e. something like
Post-Auth-Type = THIRD_SCRIPT
Password = X
I cannot authenticate. Chap authentication fails (see debug log below)
My dump file shows that the output of authorize_prepaid_account was
not taken into account. (No Post-Auth-Type, No password written to
config = chap fails)

The server is running with the exact same configuration in case 1 and case 2.
I'm just commenting out lines in my script manually.

Am I missing something about the correct format for a script output ?
I guess, it's one pair per line ?
I'm using freeradius 1.0.5


radius.log

 exec authorize_prepaid_account {
   wait = yes
   program = /etc/raddb/scripts/authorize %{User-Name}
   output_pairs = config
   packet_type = Access-Request
 }

exec dump {
   wait = yes
   program = /etc/raddb/scripts/dump %{User-Name}
   input_pairs = config
   output_pairs = reply
   packet_type = Access-Request
 }

authorize {
 preprocess
 auth_log
 chap
 mschap
 authorize_prepaid_account
 files
 sql
 dump
}

=
Daemon debug output
 exec: wait = yes
 exec: program = /etc/raddb/scripts/authorize %{User-Name}
 exec: input_pairs = request
 exec: output_pairs = config
 exec: packet_type = Access-Request
.
 exec: wait = yes
 exec: program = /etc/raddb/scripts/dump %{User-Name}
 exec: input_pairs = config
 exec: output_pairs = reply
 exec: packet_type = Access-Request
..
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
 rlm_chap: login attempt by prepaid1 with CHAP password
 rlm_chap: Could not find clear text password for user prepaid1
 modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available):
[prepaid1/CHAP-Password] (from client WRT54G port 0 cli
00-04-23-6C-89-87)
=

On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Yannick Deltroo [EMAIL PROTECTED] wrote:
  However these config attributes are not taken into account for
  processing by other modules.

   Because you're putting the attributes into the reply item list, not
 the config item list.

  Module: Instantiated exec (authorize_prepaid_account)
  .
   exec: wait = yes
   exec: program = /etc/raddb/scripts/dump %{User-Name}
   exec: input_pairs = config
   exec: output_pairs = reply

   See?  Change output_pairs to config, and it should work.

   The documentation for rlm_exec explains this.

   Alan DeKok.




Re: rlm_ldap behavior: authorize v.s. authenticate

2005-12-21 Thread Brian A. Seklecki


I ask because I set:

 password_header = {clear}
 password_attribute = cfAppPassword

...and make my users choose a weak or secondary password for all 
services that authenticate off of LDAP-via-FreeRADIUS (802.11x, VPN, etc.)


However, this permits for Authentication, but the Authorization step 
is broken due to the Bind-as-the-user logic.


So for the Cisco 1200 AP with EAP/PEAP (Windows XP), I have to setup one 
instance of FreeRADIUS with:


authenticate {
Auth-Type LDAP {
eap
}
}

And for Cisco VPN3000 with non-EAP:

authenticate {
Auth-Type LDAP {
pap
}
}

I then backup the cleartext-stored LDAP password by requiring client SSL 
certificates.


It would just be nice if the behavior was a flag.  More than likely I 
don't understand how the protocol is supposed to work with regard to 
Authorization v.s. Authentication


~BAS

On Fri, 9 Dec 2005, Alan DeKok wrote:


Brian A. Seklecki [EMAIL PROTECTED] wrote:

If on the authorization stage, the module can read (and cache) the entire
DN's attribute set (actually, any DN in the LDAP), why does it need to use
a re-connect as the user method for authentication?


 Because some LDAP servers don't supply the password.

 Also, some administrators use LDAP only for authentication.


If the password is in cleartext, comparison is easy.  If it's in
SSHA/SHA/MD5/blowfish/crypt, then the comparison can happen against
those algorithms.


 Which is the default behavior of the server.

 Alan DeKok.



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


Re: rlm_ldap filter problem

2005-12-21 Thread Brian A. Seklecki


Try to escape the / with \.  I doubt it...but...you've got some 
non-standard characters in there.


~BAS

On Mon, 5 Dec 2005, Norbert Wegener wrote:


When I set my vars to the values below, ldapsearch succeeds:
server=TDE002.mydomain.NET
identity=[EMAIL PROTECTED]
password=!QAY2wsx3edc4
basedn=dc=TDE002,dc=mydomain,dc=NET
filter=((servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID

#ldapsearch -LLL  -b DC=TDE002,dc=mydomain,dc=NET -s sub $FILTER -x $LOGON
ldapsearch -LLL -h $server  -b $basedn -s sub $filter -x -D $identity -w $password

lnxad:/usr/local/etc/raddb # sh x
dn: CN=26TEF001,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=mydomain,DC=net
primaryGroupID: 515
servicePrincipalName: HOST/26TEF001
servicePrincipalName: HOST/26tef001.tde002.mydomain.net

# refldap://DomainDnsZones.tde002.mydomain.net/DC=DomainDnsZones,DC=tde002,DC=sitest,DC=net

Having the same variables with the same values set on the same machine in 
radiusd.conf:


  ldap ldap1 {
  server = tde002.mydomain.net
  identity = [EMAIL PROTECTED]
  password = !QAY2wsx3edc4
  basedn = dc=TDE002,dc=SITEST,dc=NET


filter=((servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 

servicePrincipalName primaryGroupID
  ldap_debug=0x

  base_filter = (objectclass=computer)
  ldap_connections_number = 5
  timeout = 40
  timelimit = 30
  net_timeout = 10
  tls {
  start_tls = no
  }
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  }
radiusd fails to get the values from the ldap server, claiming Bad search 
filter:

.
rlm_ldap: performing user authorization for host/26tef001.tde002.mydomain.net
radius_xlat: 
'((servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID'

radius_xlat:  'dc=TDE002,dc=MYDOMAIN,dc=NET'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=TDE002,dc=MYDOMAIN,dc=NET, with filter 
((servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID

ldap_search
put_filter: 
((servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID

put_filter: AND
put_filter_list 
(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

put_filter: (servicePrincipalName=host/26tef001.tde002.mydomain.net)
put_filter: simple
put_simple_filter: servicePrincipalName=host/26tef001.tde002.mydomain.net
put_filter: (objectclass=computer)
put_filter: simple
put_simple_filter: objectclass=computer
put_filter: (!(userAccountControl:1.2.840.113556.1.4.803:=2))
put_filter: NOT
put_filter_list (userAccountControl:1.2.840.113556.1.4.803:=2)
put_filter: (userAccountControl:1.2.840.113556.1.4.803:=2)
put_filter: simple
put_simple_filter: userAccountControl:1.2.840.113556.1.4.803:=2
put_filter: default
put_simple_filter: servicePrincipalName primaryGroupID
rlm_ldap: ldap_search() failed: Bad search filter: 
((servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID

ldap_msgfree
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns fail for request 2
modcall: leaving group authorize (returns fail) for request 2
There was no response configured: rejecting request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 206 with timestamp 43942d52
Sending Access-Reject of id 207 to 222.25.36.124 port 1645

What did I forget to obey?
Thanks
Norbert Wegener










l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


Re: rlm_ldap filter problem

2005-12-21 Thread Brian A. Seklecki


See the message thread question on ldap_escape_func in rlm_ldap.c 
(author: Kostas Kalevras) on Dec 7 for more discussion.


On Wed, 21 Dec 2005, Brian A. Seklecki wrote:



Try to escape the / with \.  I doubt it...but...you've got some 
non-standard characters in there.


~BAS

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
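The debug trace quoted in this thread shows the filter parser accepting the three parenthesised terms and then failing on the trailing `servicePrincipalName primaryGroupID`. The sketch below is an added example, not part of the thread and not FreeRADIUS or OpenLDAP code: it models sh word-splitting an unquoted `$filter` (ldapsearch receives a filter plus two attribute names) against a config value handed over as one filter string. The leading `&` and all function names are assumptions.

```python
# Added example (not FreeRADIUS or OpenLDAP code): one string, two consumers.

# Constructed sample modelled on the post. The "&" is an assumption: the
# archived text lacks it, but the debug trace prints "put_filter: AND".
CONFIG_VALUE = (
    "(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)"
    "(objectclass=computer)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    " servicePrincipalName primaryGroupID"
)

# RFC 4515 section 3: only these characters must be escaped inside a value.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


class FilterError(ValueError):
    """Raised when a string is not a single well-formed search filter."""


def escape_filter_value(value):
    """Escape untrusted text before placing it inside an assertion value."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def _parse(text, pos):
    """Parse one parenthesised filter at text[pos]; return the index after it."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos] if pos < len(text) else ""
    if op in ("&", "|"):
        pos += 1
        children = 0
        while pos < len(text) and text[pos] == "(":
            pos = _parse(text, pos)
            children += 1
        if children == 0:
            raise FilterError(f"empty {op} list at offset {pos}")
    elif op == "!":
        pos = _parse(text, pos + 1)
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        attr, eq, _value = text[pos:end].partition("=")
        if not eq or not attr.strip():
            raise FilterError(f"not an attr=value item: {text[pos:end]!r}")
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return pos + 1


def split_filter(text):
    """Return (filter, trailing_text); raise if the filter part is malformed."""
    end = _parse(text, 0)
    return text[:end], text[end:].strip()


def validate_filter(text):
    """Accept only a string that is exactly one filter, nothing after it."""
    flt, rest = split_filter(text.strip())
    if rest:
        raise FilterError(f"trailing text after filter: {rest!r}")
    return flt


def as_shell_words(value):
    """Model sh expanding an unquoted $filter: split on whitespace.

    ldapsearch takes the first word as the filter and the remaining words
    as the attributes to return (pathname expansion is ignored here).
    """
    words = value.split()
    return words[0], words[1:]


if __name__ == "__main__":
    flt, attrs = as_shell_words(CONFIG_VALUE)
    print("ldapsearch filter:", validate_filter(flt))
    print("ldapsearch attrs: ", attrs)
    try:
        validate_filter(CONFIG_VALUE)
    except FilterError as exc:
        print("as one filter string:", exc)
```
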


Use Client-IP-Address in Huntgroups?

2005-12-21 Thread Dennis Skinner

Hello,

First, before I forget again, this link:

http://www.freeradius.org/radiusd/doc/

(linked from: http://www.freeradius.org/usage.html)

is Forbidden and has been for some time.  I keep forgetting to mention 
it when I see it since I just grab the tarball and get the info I need.



Anyway, to my question...

I read through the docs and man pages regarding huntgroups.  All of the 
examples use items like this:


alphen NAS-IP-Address == 192.168.2.5
alphen NAS-IP-Address == 192.168.2.6

Is it possible to do this?

network1 Client-IP-Address == 192.168.2.5
network1 Client-IP-Address == 192.168.2.6

network2 Client-IP-Address == 192.168.6.45
network2 Client-IP-Address == 192.168.6.46

If I understand the way huntgroups work, then I think I can add:

userHuntgroup   :=  network1

to my radcheck table and restrict user to modems from a particular modem 
provider (who is proxying radius to us).  They add and remove NAS's 
quite often, so using NAS-IP-Address would be painful.


Hopefully I am understanding it correctly since it would be somewhat 
easier than our current method (using a passwd module and regex matching).


If anyone has tried it and it definitely won't work with 
Client-IP-Address, then it will save me several hours testing and 
running back and forth from the dialup machine.


Thanks!

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


RE: Cisco WLSE status?

2005-12-21 Thread Alek Barsky
I am working with WLSE in my organization.
The product has a lot of shortcomings.
I do not think it is time well spent to create a workaround for Cisco
LEAP authentication issue.
I can recommend using one of the Cisco APs (I would assume that you are
using them) as the LEAP server for the WLSE instrumentation mode
authentication.
In this case you do not have to introduce another RADIUS server.

Thanks, Alek.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jeffrey C. Ollie
Sent: Wednesday, December 21, 2005 12:34 AM
To: FreeRadius users mailing list
Subject: Cisco WLSE status?


Ok, I know that the problems getting Cisco WLSE to authenticate properly
with FreeRadius is a problem with the Cisco supplicant, but I'm
wondering:

1) Has anyone opened up a ticket with Cisco trying to get them to fix
the problem?  If so, what is the status of the ticket?

2) Has anyone polished up a patch that will allow WLSE to authenticate
against FreeRadius?  It'd be nice to have a hack that could be enabled
conditionally so it doesn't break other hosts but if I have to run a
separate server on a different host or port that'd probably work until
we can get Cisco to fix their problem.

Jeff Ollie




Re: Problem writing config attributes from script

2005-12-21 Thread Alan DeKok
Yannick Deltroo [EMAIL PROTECTED] wrote:
 of just Password =, i.e. something like
   Post-Auth-Type = THIRD_SCRIPT
   Password = X
 I cannot authenticate. Chap authentication fails (see debug log below)

  Put a , in between the two items, just like you do in the users file.

  Alan DeKok.


RE: Use Client-IP-Address in Huntgroups?

2005-12-21 Thread Mike Mitchell
Hi Dennis,

 
 First, before I forget again, this link:
 
 http://www.freeradius.org/radiusd/doc/

Yep, same for me too..


 
 Is it possible to do this?
 
 network1 Client-IP-Address == 192.168.2.5
 network1 Client-IP-Address == 192.168.2.6
 
 network2 Client-IP-Address == 192.168.6.45
 network2 Client-IP-Address == 192.168.6.46
 


Yep, that's perfectly fine.

I can't comment on the rest of your question, as I don't use sql for
authorisation.

But in the users file you can do things like:

user1 Huntgroup-Name == network1, Auth-Type := Reject

Hope that helps!

regards,
Mike



 



Re: Problem with CHAP, users file and radclient

2005-12-21 Thread Andreas Engler

Hello Alan,


Andreas Engler [EMAIL PROTECTED] wrote:
 

One question remains. Is it possible to resend an auth-detail file with 
Access-Requests that once were successfully authenticated via radclient 
and authenticate them successfully again, even if there are 
Chap-Password and Chap-Challenge attributes in the auth-detail file and 
so the Auth-Type will be CHAP?
   



 I have *no* idea what that means.

 Alan DeKok.


Ok, sorry. I try it with other words and hope the problem becomes clear.

I try to test a fresh freeradius 1.0.5 installation.
I use radclient to send Access-Request packets, which are stored in a file.
These Access-Request packets were logged with another freeradius server 
in production environment.
These Access-Request packets contain Chap related attributes, so the 
Auth-Type will be CHAP.


When I resend such Access-Request packet via radclient, it will not 
authenticate successfully again.


Where is the problem in that test setup?

Thank you

Andreas Engler


Re: Problem writing config attributes from script

2005-12-21 Thread Yannick Deltroo
Does not work any better with , or ; or   between the pairs.

After the script is executed, the config environment variables do
not contain the output of the script:
AUTH_TYPE=CHAP
PWD=/root
SHLVL=1
_=/usr/bin/printenv


If I only write a Password=XXX from the script, the output is taken
into account. See the env variable then:
PASSWORD=test
AUTH_TYPE=CHAP
PWD=/root
SHLVL=1
_=/usr/bin/printenv

My tests show that the only pair accepted from the script is Password = X.
Any other single attribute is just ignored.

Could it be a problem with attributes dictionaries?

On 12/21/05, Alan DeKok [EMAIL PROTECTED] wrote:
 Yannick Deltroo [EMAIL PROTECTED] wrote:
  of just Password =, i.e. something like
Post-Auth-Type = THIRD_SCRIPT
Password = X
  I cannot authenticate. Chap authentication fails (see debug log below)

   Put a , in between the two items, just like you do in the users file.

   Alan DeKok.


Re: Problem with CHAP, users file and radclient

2005-12-21 Thread Alan DeKok
Andreas Engler [EMAIL PROTECTED] wrote:
 When i resend such Access-Request packet via radclient, it will not 
 authenticate successfully again.
 
 Where is the problem in that test setup?

  radclient is encoding the CHAP-Password attribute.  See the source.

  Alan DeKok.
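An added illustration of the reply above (not radclient or FreeRADIUS source): per RFC 2865, CHAP-Password is one ident octet followed by MD5(ident, password, challenge), so a client that treats the logged attribute value as a password and encodes it again produces a response the server cannot match. The attribute text format, the sample values and the function names are assumptions.

```python
# Added example: CHAP-Password verification and what happens to a logged
# value when it is resent. Not radclient or FreeRADIUS code.
import hashlib
import hmac


def chap_response(chap_id, password, challenge):
    """RFC 2865 5.3: ident octet + MD5(ident || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def effective_challenge(attrs, request_authenticator):
    """RFC 2865: use CHAP-Challenge if present, else the Request Authenticator."""
    logged = attrs.get("CHAP-Challenge")
    return bytes.fromhex(logged[2:]) if logged else request_authenticator


def verify_chap(chap_password, cleartext, challenge):
    """Server-side check: recompute from the known cleartext and compare."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def logged_request(cleartext, chap_id, challenge):
    """Attributes as they might appear in a detail file (assumed 0x-hex text)."""
    return {
        "CHAP-Password": "0x" + chap_response(chap_id, cleartext, challenge).hex(),
        "CHAP-Challenge": "0x" + challenge.hex(),
    }


def replay_verbatim(attrs):
    """Send the logged 17 octets unchanged."""
    return bytes.fromhex(attrs["CHAP-Password"][2:])


def replay_reencoded(attrs, new_id):
    """Assumed client behaviour: take the attribute text as a password and
    CHAP-encode it again with a new ident."""
    challenge = bytes.fromhex(attrs["CHAP-Challenge"][2:])
    return chap_response(new_id, attrs["CHAP-Password"].encode(), challenge)


def demo():
    cleartext = b"prepaid1-secret"                                   # constructed
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    attrs = logged_request(cleartext, 0x2A, challenge)
    auth = b"\x22" * 16  # authenticator of the resent packet (constructed)

    # Case 3: the original packet carried no CHAP-Challenge, so its response
    # was bound to the original authenticator, which a resend does not reuse.
    original_auth = b"\x11" * 16
    bound_to_auth = chap_response(0x2A, cleartext, original_auth)

    return {
        "verbatim": verify_chap(
            replay_verbatim(attrs), cleartext, effective_challenge(attrs, auth)),
        "reencoded": verify_chap(
            replay_reencoded(attrs, 0x07), cleartext,
            effective_challenge(attrs, auth)),
        "fresh_authenticator": verify_chap(
            bound_to_auth, cleartext, effective_challenge({}, auth)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} -> {'accept' if ok else 'reject'}")
```
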


Re: segmentation fault on solaris,unable to call modules

2005-12-21 Thread Qin Zhen

Hi,
thanks a lot Alan.
I'm trying to obtain the core dump file now, but it seems that freeradius 
core dump file is not created in the current working directory as usual. May 
I know where it is created?


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, December 21, 2005 12:27 AM
Subject: Re: segmentation fault on solaris,unable to call modules



Qin Zhen [EMAIL PROTECTED] wrote:

haven't figured out how to solve the segmentation fault problem yet. any
suggestion? or anybody encountered the similar problem as me?


 Read doc/bugs

 Alan DeKok.


RE: segmentation fault on solaris,unable to call modules

2005-12-21 Thread Mike Mitchell
Have you got core dumps enabled in radiusd.conf?

regards,
Mike
 

 -Original Message-
 From: 
 [EMAIL PROTECTED]
 eeradius.org 
 [mailto:freeradius-users-bounces+mitchell.michael=bigpond.com@
 lists.freeradius.org] On Behalf Of Qin Zhen
 Sent: Thursday, 22 December 2005 1:12 PM
 To: FreeRadius users mailing list
 Subject: Re: segmentation fault on solaris,unable to call modules 
 
 Hi,
 thanks a lot Alan.
 I'm trying to obtain the core dump file now, but it seems 
 that freeradius core dump file is not created in the current 
 working directory as usual. may i know where is it created?
 
 - Original Message -
 From: Alan DeKok [EMAIL PROTECTED]
 To: FreeRadius users mailing list 
 freeradius-users@lists.freeradius.org
 Sent: Wednesday, December 21, 2005 12:27 AM
 Subject: Re: segmentation fault on solaris,unable to call modules
 
 
  Qin Zhen [EMAIL PROTECTED] wrote:
  haven't figured out how to solve the segmentation fault 
 problem yet. any
  suggestion? or anybody encountered the similar problem as me?
 
   Read doc/bugs
 
   Alan DeKok.


RADIUS process looping...

2005-12-21 Thread Stefan Adams
I am sure that this is not related to FreeRADIUS but I have seen the
topic posted here so I wanted to post my research for those that
search these archives.

It appears to be a common problem of having a Windows Client
(specifically with the wZc utility) which gets stuck in a loop of
constantly verifying authorization and obtaining an IP.  I,
personally, can see from my radiusd -A -X output that the entire
auth/autz process succeeds -- on EVERY pass of the loop.

AFTER applying the MS Hotfix KB885453, I still have my clients
periodically stuck in a loop (as according to the RADIUS server
showing the same debug info over and over).  I have found that it
appears to be due to my access point (D-Link DWL-3200AP) REBOOTING!

Here is what I told my D-Link rep:
These steps help to illustrate the problem:
1) logged into the windows domain.
2) configured the wireless interface for WPA using automatically provided
   windows credentials
3) successfully and immediately logged on to the wireless WPA network
4) logged out
5) logged back into the windows domain and it successfully and immediately
   connected to the WPA network
6) rebooted
7) logged into domain, it took 3 (THREE) minutes to login (using cached
   credentials)
   --  This entire time NO connections were made to the RADIUS server
8) after finally logging in I notice that about 40 pings to the AP were
   dropped before it came back to life and suddenly 260 buffered RADIUS
   requests were sent to the RADIUS server. After the 260th, the windows
   computer successfully connected to the wpa wireless network

It is important to note that DURING a windows domain logon (and
simultaneously a connection to the WPA wireless network) the AP
REBOOTED.

Is my hypothesis correct -- that it is the AP?  Do I have enough
information to make that determination?  To anyone that would like to
help me troubleshoot the issue, let me know if I can provide more
information or logs or debug output or whatever...

BTW, I also have syslog logs (DWL-3200AP can log to a syslogger...)
proving that the AP REBOOTED and not just some of my pings were
dropped.

Stefan

Here is my configuration:

D-Link DWL-3200AP FW2.10, WPA-Enterprise w/AES, multi-SSID support, VLAN support
FreeRADIUS 1.1.0-pre0 (snapshot-20051220)
Windows XP SP2, 802.1x, EAP-PEAP, MS-CHAPv2

radiusd.conf:
proxy_requests  = no
$INCLUDE  ${confdir}/proxy.conf
modules {
unix {
   radwtmp = ${logdir}/radwtmp
}
mschap {
   authtype = MS-CHAP
   use_mppe = yes
   require_encryption = yes
   require_strong = yes
   with_ntdomain_hack = yes
   }
   ldap {
   server = snip
   identity = snip
   password = snip
   basedn = snip
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   base_filter = (objectclass=radiusprofile)
   tls { ... }
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   auto_header = no
   access_attr_used_for_allow = yes
  }
  eap {
   default_eap_type = peap
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no
   tls {
   private_key_password = snip
   private_key_file = /etc/1x/server.pem
   certificate_file = /etc/1x/server.pem
   CA_file = /etc/1x/root.pem
   dh_file = /etc/1x/DH
   random_file = /etc/1x/random
   include_length = yes
   }
   peap {
   default_eap_type = mschapv2
   copy_request_to_tunnel = yes
   }
   mschapv2 {
   }
   }
   realm ntdomain {
   format = prefix
   delimiter = \\
   }
   preprocess {
   :
   with_ntdomain_hack = no
   :
   }
}
authorize {
   preprocess
   ntdomain
   eap
   ldap
}
authenticate {
   Auth-Type MS-CHAP {
   mschap
   }
   eap
}

clients.conf:
client 172.16.16.0/24 {
   secret  = testing123
   shortname   = ap
}
client 172.16.254.0/24 {
   secret  = testing123
   shortname   = server
}

proxy.conf:
realm LOCAL {
   type= radius
   authhost= LOCAL
   accthost= LOCAL
}
realm DEFAULT {
   type= radius
   authhost= LOCAL
   accthost= LOCAL
}

[
If SSID Authorization is desired:
modules {
   ldap {
filter =
((uid=%{Stripped-User-Name:-%{User-Name}})(radiusCalledStationId=%{Called-Station-ID}))
   }
   attr_rewrite 

Windows WPA

2005-12-21 Thread Stefan Adams
Does anyone know how it's possible to log into a windows domain (no
local account) from a Windows XP computer using WPA when the user has
never logged in before (making cached credentials impossible)?

I work at a high school.  We have several mobile carts with laptop
computers that do NOT have local accounts for each student. 
Therefore, each student is required to logon to the windows domain
using wireless.  This works fine using WEP.

However, using WPA, with the automatically supply windows
username/password/domain checkbox selected, a user that has never
logged into that machine before is not able to log on.  The Windows
computer complains that the domain controller is not available.  This,
of course, is true because there are no 'up' network interfaces.

But wouldn't it be logical for Windows to first supply the entered
credentials to the access point for authorization to the WPA WLAN and
then supply those same credentials to the domain controller?

Is that the way it works, is there some other way, or are people that
have never logged on to these laptops before condemned to never logon
at all given our new WPA infrastructure?

Stefan



Re: segmentation fault on solaris,unable to call modules

2005-12-21 Thread Alan DeKok
Qin Zhen [EMAIL PROTECTED] wrote:
 I'm trying to obtain the core dump file now, but it seems that freeradius 
 core dump file is not created in the current working directory as usual. may 
 i know where is it created?

  In the current directory.

  See standard Unix administration guides which describe ulimit, and
why programs that change uid don't dump core.

  The short answer is to run it in debugging mode, and follow *all* of
the instructions in doc/bugs.

  Alan DeKok.



RE: DialupAdmin gives Blank Pages

2005-12-21 Thread Fenn Bailey
 
 I've been fighting with this problem for a couple of days. 
 Searched everywhere I can think of on the net. According to 
 the docs it should just work.

I had this EXACT prob and it drove me insane, but I eventually solved it:

Here's your problem (if it is indeed the same cause) - Your PHP instance
does not have the mysql module loaded/compiled in. Have a look at your
php.ini in the extensions stanza, and make sure that the extension line that
loads mysql.so is uncommented/present.

This is an utterly baffling one and the interface does NOT spit any useful
errors at all - If I get time, I will submit a patch that detects this and
throws useful errors to prevent this happening for others.

Cheers,

Fenn.
