Re: Freeradius-Users Digest, Vol 14, Issue 27

2006-06-07 Thread Gilbert Lo
I am on holiday between June 5 to June 9. I will return to my office on
June 12. 

See you soon.
Thanks,
Gilbert Lo

helpdesk at St. George's School


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: multiple Autz-Type

2006-06-07 Thread wekz
Thanks very much Phil. That works, I think it doesn't work in the hints file for the reasons you told me.

Now I've got a new problem. I use the radiusGroupName for making the users belong to VLAN1, VLAN2 or VLAN3. So I enable

  groupmembership_attribute = radiusGroupName

but I left groupname_attribute and groupmembership_filter commented ( in each ldap module ).

In other file called users-vlan I defined this:

  DEFAULT Ldap-Group == Local
          stuff for assigning VLAN1
  .

The file that determine the users procedence is users-procedence:

  DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type=customer1
  .

The file that proxies ( users-proxy ):

  DEFAULT proxy-to-realm:=CENTRAL

The authorization section:

  users-procedence
  autztype customer1 {
    redundant {
      group {
        ldap1 {
          notfound = return
          fail = return
        }
        users-vlan
        mschap
        eap
        notfound = 1
        fail = 1
      }
      users-proxy
    }
  }
  .

The situation is: a user that must be authorized against ldap2 makes a match in the users-procedence file and gets customer2 autztype. So the user is looked for in ldap2.

  1.- If it fails in the logs I could see radius looking for ldap_groupcmp() in ldap3 when all I think it must do is proxy.
  2.- In case the user is found it makes a search too for ldap group in ldap3.

I think in the first case there are two problems: it searches when it doesn't have to ( unnecessary search ), and it searches bad because it does in the last ldap instantiated ( that is ldap3 ). In the second case the problem is that it searches in the last ldap instantiated.

(( This configuration works fine when all you have is one ldap ))

Is that a bug ?? I found a similar bug in bug-list but it belongs to version 1.0.1 ( bug #163, about unnecessary searches ) and I think I read a bug about searching in the last ldap instantiated ( but I think this has to be with older versions and I can't find it )

I solved this problem yesterday but I don't know how to say... I solved it in a dirty-way ( I hope you understand ). So if you or anyone have an idea ...

2006/6/5, Phil Mayers [EMAIL PROTECTED]:

wekz wrote:
 I don't know if I have explain it correctly, if I haven't just tell me ( I'm not an english speaker )

Your english is great.

 My hints file:

Nearly there. Try:

  DEFAULT NAS-IP-Address == 192.168.xx.yy, Autz-Type := LDAPx

I'm not sure that'll work in a hints file - so you may need to use a users file - hints puts items into the request pairs, Autz-Type needs to go into the configure pairs.

Try this:

  modules {
    # other stuff
    files filesFirst {
      usersfile = ${confdir}/usersFirst
    }
  }
  authorize {
    preprocess
    filesFirst
    Autz-Type LDAP1 {
      # stuff here
      ldap1
    }
    # other LDAP modules
  }

And in ${confdir}/usersFirst:

  DEFAULT NAS-IP-Address == 192.168.51.xx, Autz-Type := LDAP1
  DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type := LDAP2

...and so on.

The other slightly simpler way might be to use a passwd (badly named) module, e.g.:

  modules {
    passwd nas2autz {
      filename = ${confdir}/nas2autz
      format = *NAS-IP-Address:Autz-Type
      # set to 0 to read file on every request - slow
      # but instant-updates
      hashsize = 100
    }
  }
  authorize {
    preprocess
    nas2autz
    Autz-Type LDAP1 {
      ldap1
    }
    # other Autz
  }

...and in ${confdir}/nas2autz

  192.168.51.xx:LDAP1
  192.168.51.yy:LDAP2

Hope that helps
Phil

Re: Peap/leap/wap

2006-06-07 Thread A . L . M . Buxey
Hi,
 Does free radius support PEAP/LEAP
 802.1x authentication?

yes, of course it does.

 How can i configure it?

I'd start by reading the documentation. Then you'd want to plan on how to
implement it. Make sure the required parts of, e.g., eap.conf are configured
and make sure that the required authorization database or files are accessible.
For example, bind the system into active directory and use ntlm_auth for
the most painless way of dealing with PEAP.

alan


Re: multiple Autz-Type

2006-06-07 Thread wekz
Ooo

I think I found the solution: in users-vlan I changed the lines for this

  DEFAULT ldap1-Ldap-Group==Local
          Tunnel-Type=VLAN,
          Tunnel-Medium-Type=6,
          Tunnel-Private-Group-Id=Local,
          Fall-Through = No

  DEFAULT ldap1-Ldap-Group==Invitados
          Tunnel-Type=VLAN,
          Tunnel-Medium-Type=6,
          Tunnel-Private-Group-Id=Invitado,
          Fall-Through = No

  DEFAULT ldap2-Ldap-Group==Local
          Tunnel-Type=VLAN,
          Tunnel-Medium-Type=6,
          Tunnel-Private-Group-Id=Local,
          Fall-Through = No

  DEFAULT ldap2-Ldap-Group==Invitados
          Tunnel-Type=VLAN,
          Tunnel-Medium-Type=6,
          Tunnel-Private-Group-Id=Invitado,
          Fall-Through = No

  DEFAULT ldap3-Ldap-Group==Local
          Tunnel-Type=VLAN,
          Tunnel-Medium-Type=6,
          Tunnel-Private-Group-Id=Local,
          Fall-Through = No

  DEFAULT ldap3-Ldap-Group==Invitados
          Tunnel-Type=VLAN,
          Tunnel-Medium-Type=6,
          Tunnel-Private-Group-Id=Invitado,
          Fall-Through = No

And it doesn't do unnecessary searches and when it has to, it searches correctly.
This works but, is it the better way to do it?

Are possible multiple ntdomain realms??????

2006-06-07 Thread wekz
And if they are, what effect has with_ntdomain_hack=yes. Does it affect to all??

Well, Hi you all, I hope I haven't been too direct ;)

I'm getting more troubles as I do more complex configurations. I ask this because first I had to authenticate users by machine authentication. The users in this case sends User-Name like host/username and the only way I found for working this out was to use ntdomain realm with / as the delimiter and enable with_ntdomain_hack. The other options strips the User-Name but then packets doesn't match EAP-Identity ( at least one of them ), that is why I used ntdomain, for being able to use with_ntdomain_hack.

Now I've got pda-users that sends domain\username and if I don't use ntdomain with_ntdomain_hack it fails. So, that's why I ask if multiple ntdomains are allowed and how.

Any method or idea will be welcome.
Thanks

One radius and 4 pppoe/pptp servers

2006-06-07 Thread Mordor Networks
Hi all

I have a small problem, I have a freeradius server with mysql backend and 3 pppoe server and one pptp server all the NAS'es pppoe/pptp server connect to the same radiusd and same mysql database, so when I add a user for example I added a user to server-one and his ip is 192.168.2.100 so the user must set the server-name server-one in the service name when creating his connection setup, my problem is if a user on server-one did not set the service name or change it from server-one to server-two, he get connected to another server instead of server one, if he set the service name to server-two he get connected to server-two instead of server-one and if he did not set the service name at all he get connected to a random server, how I can fix this issue, but forcing the user to get connect to the server we set up his account in.
thanks

Re: One radius and 4 pppoe/pptp servers

2006-06-07 Thread Joe Maimon



Mordor Networks wrote:


Hi all

I have a small problem, I have a freeradius server with mysql backend
and 3 pppoe server and one pptp server all the NAS'es pppoe/pptp
server connect to the same radiusd and same mysql database, so when I
add a user for example I added a user to server-one and his ip is
192.168.2.100 so the user must set the
server-name server-one in the service name when creating his
connection setup, my problem is if a user on server-one did not set the
service name or change it from server-one to server-two, he get
connected to another server instead of server one, if he set the
service name to server-two he get connected to server-two instead of
server-one and if he did not set the service name at all he get
connected to a random server, how I can fix this issue, but forcing
the user to get connect to the server we set up his account in.

thanks



What makes you think that you setup a user and restricted it to a 
specific NAS?


You can restrict users from a pppoe server by using mac filters if your 
environment supports that. However, that isn't a support question.


I would recommend you design your environment so that whatever pppoe NAS 
your users connect to things work correctly. See ospf




Re: Storing in SQL, Procedure call

2006-06-07 Thread Marko Dinic

I never actually worked with MS SQL, so I'm suggesting methods that
do work with other SQL servers. Try the PostgreSQL style :

- If the function returns only a return code:

SELECT sp_name()

- If the function returns rows:

SELECT * FROM sp_name(...)

-- 
Best regards,

Marko Dinic, System Engineer
- 
YUnet International  http://www.eunet.yu
Dubrovacka 35/III,   11000 Belgrade
Tel: +381 11 311 9901;  Fax: + 381 11 311 9901

 I tried both suggestions and still no luck.  Any other suggestion on how
 to get a Stored Procedure to work with FreeRadius, unixODBC/FreeTDS and
 Microsoft SQL Server 2000?  For some reason when trying to call a Stored
 Procedure rlm_sql module is trying to perform a query rather than the
 procedure call.  Thanks! 
 
 -Original Message-
 From: Marko Dinic [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, June 06, 2006 4:16 AM
 To: freeradius-users@lists.freeradius.org
 Cc: Jackie Lau
 Subject: Re: Storing in SQL, Procedure call
 
 
 Im using the same setup for access to some ancient Sybase and it works
 fine. However, the query doesn't use EXEC ... it's plain :
 
  accounting_stop_query = sp_my_stored_procedure_name
 '%{SQL-User-Name}','%{Realm}', 
 
 I did have problems with freetds 0.62.3, tho, so I installed 0.63 and
 had no problems with Sybase access since then.
 
 On the other hand, Oracle setup (using rlm_sql_oracle) with EXEC
 SP_NAME(...)
 didn't work either, so I had to change it to BEGIN SP_NAME(...); END;
 Maybe that would work for your unixODBC/freetds setup too.
 
 --
 Best regards,
 
 Marko Dinic, System Engineer
 -
 YUnet International  http://www.eunet.yu
 Dubrovacka 35/III,   11000 Belgrade
 Tel: +381 11 311 9901;  Fax: + 381 11 311 9901
 
  Hi,
   
  I'm using freeradius with freetds and unixodbc.  I am having an issue 
  using a procedure call to insert to a Microsoft SQL Server.  When I 
  try to use the procedure call 'exec', I see the following errors:
   
  radius_xlat:  'exec ***
  rlm_sql (sql): Reserving sql socket id: 8
  query:  exec ***
  rlm_sql_unixodbc: '0 ' 
  rlm_sql (sql): Couldn't update SQL accounting ALIVE record - 0
   
  But if I don't use a procedure call and use an insert command in its
  place, it works just fine.
  
  radius_xlat:  'INSERT 
  rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql 
  socket id: 3
modcall[accounting]: module sql returns ok for request 6
   
  My question is why can't I use a procedure call 'exec'?
   
  Thanks!
   
   
  
  
  
 
 


Authentification link with PEAP + PAM + LDAP

2006-06-07 Thread thomas hahusseau

Hello,

Finally my boss is not interested in an PEAP authentication due to
password and login stocked in clear in the OpenLDAP database, and he
doesn't want to use the ntlm_auth to ask a Active Directory Server.

So I wonder if that kind of authentication is possible.

PEAP(MsCHAP) request -- Freeradius server (extract the hashed
password ) -- Authentication request sent to PAM (login + Hashed
password ) via rlm_auth --- OpenLDAP Server ( compare hashed password
received with the one stocked in database )

PAM is used as mediator to permit comparison with hashed stocked in OpenLDAP.

My boss only wants cipher/hashed password and login.


Re: Storing in SQL, Procedure call

2006-06-07 Thread Troy Settle


Jackie Lau wrote:

I tried both suggestions and still no luck.  Any other suggestion on how
to get a Stored Procedure to work with FreeRadius, unixODBC/FreeTDS and
Microsoft SQL Server 2000?  For some reason when trying to call a Stored
Procedure rlm_sql module is trying to perform a query rather than the
procedure call.  Thanks! 



What are you needing to do with the stored procedure that you can't do 
with an insert or update?  If you need to perform tasks on the data, 
look at putting a trigger on the table.  You can also work with the raw 
data by creating views that would allow you to bring in other information.


FWIW, I'm just doing straight inserts/updates keyed on Acct-Unique-Id, 
which is used as a unique index on the radacct table.  I then have 
several views that use radacct, including radwho (list of active logins) 
and radiusdat (which transforms the data for use by my billing system).



--
  Troy Settle
  Pulaski Networks
  http://www.psknet.com
  866.477.5638


Freeradius Simultaneous use and credit time

2006-06-07 Thread rom . diot
Hi,

I'm installing a hotspot solution with chillispot + freeradius + openldap.
I try to find a way to limit simultaneous connections on my hotspot so a user
can only login once at the same time. Has anyone tried and implemented this
option in their configuration?
Secondly, I want my users to only use the hotspot for 4h, after this time they
must re-authenticate.

Actually I have configured my freeradius for local authentication by users
file with Simultaneous-Use := 1 but the user can login more than only one
time.
Is there other configuration to do?

My users file

rom Auth-Type := Local, User-Password == password, Simultaneous-Use := 1

Thx for your answer

Best regards Wink

ps: sorry for my english , it's not my natural i'm french


Re: Authentification link with PEAP + PAM + LDAP

2006-06-07 Thread Josh Howlett

On 7 Jun 2006, at 13:07, thomas hahusseau wrote:


Hello,

Finally my boss is not interested in an PEAP authentication due to
password and login stocked in clear in the OpenLDAP database, and he
doesn't want to use the ntlm_auth to ask a Active Directory Server.

So I wonder if that kind of authentication is possible.



PEAP(MsCHAP) request -- Freeradius server (extract the hashed
password ) -- Authentication request sent to PAM (login + Hashed
password ) via rlm_auth --- OpenLDAP Server ( compare hashed password
received with the one stocked in database )


You don't need to use PAM - in fact, I don't think it's possible.
Store your users' passwords in the NTLM hash, and authenticate
directly from FreeRADIUS to LDAP.


josh.

PAM is used as mediator to permit comparison with hashed stocked in
OpenLDAP.


My boss only wants cipher/hashed password and login.


Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |
internal: 7850






ldap and MD5-Challenge

2006-06-07 Thread robiwan
Dear all,

My Supplicant is a WinXP-Client, EAP-Type is MD5-Challenge.
My Authenticator is a Cisco Catalyst 3750

I try to do a 802.1X Authentication for a user listed in a LDAP-database.
When I do a MD5-Challenge it does not work. Do I have a problem with
MD5-encrypted passwords?

My configuration files follow below...

Thanks in advance



The LDAP-Authentication seems to work, here is the freeradius -X output after 
radtest:

Debian# radtest schlapp Gerti1000 localhost 1645 testing123

rad_recv: Access-Request packet from host 127.0.0.1:32852, id=247, length=59
User-Name = schlapp
User-Password = Gerti1000
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = schlapp, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry schlapp at line 87
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat:  '((sAMAccountname=schlapp)(objectClass=person))'
radius_xlat:  'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0
rlm_ldap: bind as CN=Robert 
Huber,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 
10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter 
((sAMAccountname=schlapp)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user schlapp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by schlapp with password Gerti1000
rlm_ldap: user DN: CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 1
rlm_ldap: bind as CN=schlapp 
hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user schlapp authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Login OK: [schlapp/Gerti1000] (from client localhost port 1645)
Sending Access-Accept of id 247 to 127.0.0.1 port 32852
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 50
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...



But when i try to use my WinXP-Client, EAP says:

rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select


Here is the entire freeradius -X output:

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=174, length=129
User-Name = schlapp
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-14-69-5B-8B-03
Calling-Station-Id = 00-0B-5D-84-AE-CA
EAP-Message = 0x0202000c017363686c617070
Message-Authenticator = 0x7a4a5ff5030a44b2fcee7b79d3aac47c
NAS-Port = 60003
NAS-Port-Type = Virtual
NAS-IP-Address = 10.187.0.15
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = schlapp, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry schlapp at line 83
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat:  

RE: peap authentication with active directory

2006-06-07 Thread King, Michael
 

 -Original Message-
 From: 
 On Behalf Of Kartthik Raghunathan
 
 A supplicant ie. win XP machine validates the identity and 
 logon credentials against active directory using 
 peap-mschapv2 randomly ie. every 30 mins or 60 mins. This 
 disturbs the wireless connectivity often and am unable to 
 complete this project due to this situation. In krb5.conf and 
 smb.conf i have left with default settings. here is my 
 radiusd.conf file, let me know someone faced this issue. is 
 there something am missing in my configuration.


It's not a FreeRADIUS problem.  It's your access point.  The access
point determines when you should reauthenticate. (At least mine do)

Also, my AP's allow me to stay connected while they are renegotiating.
(My AP's have 4 states, Blocked, Connecting (Access is blocked),
Connected, ReAuthenticated (Access is allowed))

I would consult your AP docs to figure out how to increase the
Reauthentication time, but that is more a hack, they shouldn't be
dropping your access while they reauthenticate.  (Unless this is a
change in behavior that everyone thinks is a good idea, my AP's are over
6 Years old, so it may not be standard practice now)



Error

2006-06-07 Thread Ross Hosman
Hello all,

I'm new to using freeradius but I've gone through and have read what I can and 
have googled for my problem and yet I still have not been able to solve it. 
Whenever I try to start freeradius I get this error.

rlm_preprocess: Error reading /etc/raddb/huntgroups
radiusd.conf[971]: preprocess: Module instantiation failed.

-

Well i want to do with radius is have it authenticate against /etc/passwd and 
that is all. If anyone can point me to a config that simplifies it down to that 
I'd appreciate it.




Re: Authentification link with PEAP + PAM + LDAP

2006-06-07 Thread Alan DeKok
thomas hahusseau [EMAIL PROTECTED] wrote:
 So I wonder if that kind of authentication is possible.
 
 PEAP(MsCHAP) request -- Freeradius server (extract the hashed
 password )

  There is NO hashed password in MSCHAP.  Extraction is IMPOSSIBLE.

 PAM is used as mediator to permit comparason with hashed stocked in OpenLDAP.

  PAM is not a magic solution that lets you do something FreeRADIUS
can't.  PAM does a lot LESS than FreeRADIUS, in fact.

 My boss only wants cipher/hashed password and login.

  As Joe said, store NT-Password in LDAP.

  Alan DeKok.



Re: Error

2006-06-07 Thread Alan DeKok
Ross Hosman [EMAIL PROTECTED] wrote:
 I'm new to using freeradius but I've gone through and have read what I can 
 and have googled for my problem and yet I still have not been able to solve 
 it. Whenever I try to start freeradius I get this error.
 
 rlm_preprocess: Error reading /etc/raddb/huntgroups
 radiusd.conf[971]: preprocess: Module instantiation failed.

  You edited the default config to break it.

 Well i want to do with radius is have it authenticate against
 /etc/passwd and that is all. If anyone can point me to a config that
 simplifies it down to that I'd appreciate it.

  The default config authenticates against /etc/passwd.  It's a pretty
minimal configuration.

  What do you want to remove from the default config, and why?

  Alan DeKok.


Re: ldap and MD5-Challenge

2006-06-07 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I try to do a 802.1X Authentication for a user listed in a LDAP-database.
 When I do a MD5-Challenge it does not work. Do I have a problem with
 MD5-encrypted passwords?

  No.  You have NOT configured LDAP to return a clear-text password to
FreeRADIUS.  Do that, and EAP-MD5 will work.

  Alan DeKok.
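
Why the answer above holds, as an added example (not from the thread or from the FreeRADIUS source): EAP-MD5 is a CHAP-style exchange, so the server has to recompute MD5(identifier || password || challenge) itself and can only do that with the clear-text password. Only the Identity packet is taken from the debug output earlier on this page; the password, challenge, function names and the SHA-1 stand-in for a hashed directory entry are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5 = 4


def parse_eap(hex_message):
    """Decode an EAP packet given as the 0x... hex string from debug output."""
    text = hex_message[2:] if hex_message.lower().startswith("0x") else hex_message
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match the packet size")
    packet = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:       # only Request/Response carry a type
        packet["type"] = raw[4]
        packet["data"] = raw[5:]
    return packet


def md5_value(packet):
    """Extract the value field from an EAP-MD5 Request or Response."""
    if packet.get("type") != EAP_TYPE_MD5 or not packet["data"]:
        raise ValueError("not an EAP-MD5 packet")
    size = packet["data"][0]                # Value-Size octet
    value = packet["data"][1:1 + size]
    if len(value) != size:
        raise ValueError("truncated MD5 value")
    return value


def build_md5_packet(code, ident, value):
    """Build an EAP-MD5 Request (code 1) or Response (code 2), returned as hex."""
    data = bytes([EAP_TYPE_MD5, len(value)]) + value
    return "0x" + (struct.pack("!BBH", code, ident, 4 + len(data)) + data).hex()


def md5_response(ident, secret, challenge):
    """RFC 1994 / RFC 3748: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_accepts(request_hex, response_hex, stored_secret):
    """Server side: recompute the response from whatever the directory returned."""
    request, response = parse_eap(request_hex), parse_eap(response_hex)
    if request["id"] != response["id"]:
        return False
    expected = md5_response(request["id"], stored_secret, md5_value(request))
    return hmac.compare_digest(expected, md5_value(response))


# The EAP-Message (Identity response) from the debug output on this page.
IDENTITY = parse_eap("0x0202000c017363686c617070")

# Constructed values for the demonstration (not from the page).
PASSWORD = b"example-password"
CHALLENGE = bytes(range(16))
REQUEST = build_md5_packet(1, 3, CHALLENGE)
RESPONSE = build_md5_packet(2, 3, md5_response(3, PASSWORD, CHALLENGE))

# Directory returns the clear-text password: the server can recompute the hash.
WITH_CLEARTEXT = server_accepts(REQUEST, RESPONSE, PASSWORD)
# Directory returns only a one-way hash (SHA-1 used here as a stand-in): no
# match, because MD5(id || hash || challenge) != MD5(id || password || challenge).
WITH_HASH_ONLY = server_accepts(REQUEST, RESPONSE, hashlib.sha1(PASSWORD).digest())

if __name__ == "__main__":
    print("identity:", IDENTITY["data"].decode(), "id", IDENTITY["id"])
    print("clear-text password available:", WITH_CLEARTEXT)
    print("only a stored hash available: ", WITH_HASH_ONLY)
```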


Re: SecurID authentication

2006-06-07 Thread David Mitton
Darshak,
   
   SecurID uses a proprietary client/server protocol between its clients and 
its authentication servers.
That protocol is implemented in a binary DLL (or equivalent on Unix) that is 
part of the distribution.

All our own components use that mechanism to communicate with the auth server, 
including our RADIUS server.

You can obtain a source API library and API documentation on how to use this 
client.   I'm not sure on the logistics, but 
look at our web site or ask your sales/support people.

This capability has been used by others, Funk (now Juniper) developed their own 
support in SBR.  I'm sure others have too.

Dave.


 - Original Message -
 From: darshak [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: SecurID authentication
 Date: Wed, 7 Jun 2006 09:31:45 +0530
 
 
 Thanks David, this has been useful to me.
 Although proxy is best answer, I just wanna go in some details.
 If I own RSA ACE/server, then does it come with RSA ACE/client agent? Then
 what I need to do is write a code that talks with Freeradius and RSA ACE/client?
 Or I need not do it?
 Is this RSA/ACE server comes with client that talks to RADIUS? and I can be
 free from coding burden?
 Can you please explain how
 RADIUS -- RSA/ACE server talk to each other? [if I not use proxy]
 I have read that Lucent and SBR supports this RSA/ACE SecurID so how they
 actually support? Do they have coded extra or by proxy?
 Thanks again for your help
 
 Rgds
 Darshak
 
 
 - Original Message - From: David Mitton [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Sent: Tuesday, June 06, 2006 10:23 PM
 Subject: RE: SecurID authentication
 
 
  Darshak,
 
  I'm not a legal representative, but Michael's response is for
  someone that wishes to sell or distribute(?) a product that uses the
  SecurID service
 
  While doing a RADIUS proxy to for the new RADIUS server may be the correct
  approach, if you are an owner of a SecurID server solution, you can
  certainly develop code to use your licensed server for whatever
  application you wish.
 
  The product offering includes an ACE Client SDK which gives you a
  C-language API for doing SecurID authentication.   It would be fairly
  straight forward to develop your own Free RADIUS module, but there are
  details with New Pin assignment and Next Token mode that get messy.  The
  server uses Access-Challenge for them.
 
  Also the new server includes EAP support for several methods.  So proxy
  may still be the best path.
 
  David Mitton
  Software Development,
  RSA Security, Inc.
 
  PS: I urge all senders to use meaningful Subject lines, the original
  message was discarded by me on first pass as spam.
 
  - Original Message -
 
  From: Michael Lecuyer [EMAIL PROTECTED]
  To: FreeRadius users mailing list
  freeradius-users@lists.freeradius.org
  Subject: Re: Hello,
  Date: Tue, 06 Jun 2006 09:08:16 -0400
 
 
  It would be difficult to say how RADIUS would interact with the actual
  ACE
  server since it's a proprietary system.  In 2002 I thought about going
  down
  this route and I'm summarizing from the 5 page SecurId integration
  document.
 
  You must write code that uses RSA's 'RSA Agent' software to communicate
  with
  the RSA ACE server. You must become a partner at a cost of ten thousand
  dollars
  for each product each year you provide the product(s). You must pay RSA
  twenty
  percent of your product's licensing fee. And you must have RSA certify
  it and
  may be required to provide a training program for RSA certification
  technicians. The sublicense agreement with RSA is incompatible with any
  open
  source software.
 
  The best thing to do is use FreeRadius as a proxy to the RSA RADIUS
  server.
 
  From a client's point of view the ACE RADIUS server may require a
  simple
  CHAP/PAP transaction or there may be challenges asking for more
  information.
  It depends on the RSA server configuration.
 
  darshak wrote:
  Hi All
   I m new to AAA things.I want how can I support RSA ACE/Server in
  freeradius.
  Can anyone has details How interaction is made between RADIUS and
  RSA/ACE-server?. in general scenario
 
 
  Rgds
  DArshak
 
 
 
 
 


modcall[authorize] after Access-Accept

2006-06-07 Thread Ryan Melendez
Hello,

I have both the realm and sql modules in my authorize section.  After
freeradius receives an Access-Accept it processes the authorize section.
It is not clear to me why, but I assume this is intentional based on
debug messages:

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module realmslash returns noop for request 0
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module realmat returns noop for request 0


My problem is that the sql module is called after the realm modules and
queries the db.  I don't know why this would ever be necessary, but it is
undesirable for my configuration.  I cannot simply group 'realmslash'
and 'realmat' and return if 'noop'.  This would cause a 'LOCAL' realm to
skip the sql.  I appreciate any help.

Thanks,
Ryan



Re: modcall[authorize] after Access-Accept

2006-06-07 Thread Alan DeKok
Ryan Melendez [EMAIL PROTECTED] wrote:
 I have both the realm and sql modules in my authorize section.  After
 freeradius receives an Access-Accept it processes the authorize section.

  See post_proxy_authorize.

  Alan DeKok.



Re: Freeradius Simultaneous use and credit time

2006-06-07 Thread A . L . M . Buxey
Hi,
 Hi,
 
 I'm installing an hotspot solution with chillispot + freeradius + openldap.
 I try to find a way, to limit simultaneous connection on my hotspot so a user
 can only login once on the same time. Does someone have try and implement this
 options on his configuration ?
 Secondly, i want my user can only use the hotspot for 4h, after this time they
 must re-authentificate.
 
 Actually i have configure my freeradius for local authentification by users
 file's with Simultaneous-use :=1 but the user can login more than only one
 time.
 Is there other configuration to do ?
 
 My users file
 
 rom Auth-Type := Local, User-Password == password, Simulaneous-Use :=1
 
 Thx for your answer
 
 Best regards Wink
 
 ps: sorry for my english , it's not my natural i'm french

your English is very good, unlike my French! ;-)

the Chillispot FAQ details this issue a little more:

http://www.chillispot.org/FAQ.html


if you are using MySQL accounting, then the accounting requests allow the
simultaneous-use to be easily detected...but if you are just using files,
then you must make sure that your rad_check is working 100%


alan


Install - Freeradius can't connect to MySQL

2006-06-07 Thread Cliff Hayes
Hello,

Warning - newbie installing Freeradius.

I get this in the radius.log even though the sql.conf has the correct
host/user/password (and I can access MySQL from the command line using the
same login criteria):

Wed Jun  7 14:01:52 2006 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Couldn't connect socket to
MySQL server [EMAIL PROTECTED]:radius
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Mysql error 'Can't connect
to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)'
Wed Jun  7 14:01:52 2006 : Error: rlm_sql (sql): Failed to connect DB handle
#0
Wed Jun  7 14:01:52 2006 : Info: Ready to process requests.

Thanks,

Cliff



Re: Are possible multiple ntdomain realms??????

2006-06-07 Thread Phil Mayers

wekz wrote:
> And if they are, what effect has with_ntdomain_hack=yes. Does it affect
> to all??
>
> Well, Hi you all I hope haven't been too direct ;)
>
> I'll getting more troubles as I do more complex configurations.
>
> I ask this because first I had to authenticate users by machine
> authentication. The users in this case sends User-Name like
> host/username and the only way I found for working this out was to use
> ntdomain realm with / as the delimiter and enable with_ntdomain_hack.
> The other options strip the User-Name but then packets doesn't match
> EAP-Identity ( at least one of them ), that is why I used ntdomain, for

Yes, this is a pain. The correct thing to do is below

> being able to use with_ntdomain_hack.

FreeRadius 1.1.0 has code to do this for you - it will take names of the
form host/blah and turn them into blah$ *IF* you are using the
%{mschap:User-Name} expansion. The %{User-Name} is left alone,
meaning EAP carries on working.

> Now I've got pda-users that sends domain\username and if I don't use
> ntdomain  with_ntdomain_hack it fails. So, that's why I ask if multiple
> ntdomains are allowed and how.

Again, this is annoying.

The best way I've found is to have this:

proxy.conf (contains only real domains)

realm THEDOMAINNAME {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  # see [1] for strip
  strip
}

realm DEFAULT {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  # see [1] for strip
  strip
}

realm NULL {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  # see [1] for strip
  strip
}

radiusd.conf (portions omitted):

modules {
  mschap {
    authtype = MS-CHAP
    with_ntdomain_hack = yes
    # this all goes on one line
    # see [2] for mschap:User-Name
    ntlm_auth = /path/ntlm_auth --request-nt-key \
      --username=%{mschap:User-Name} \
      --challenge=%{mschap:Challenge:-00} \
      --nt-response=%{mschap:NT-Response:-00}
  }

  realm ntdomain {
    format = prefix
    delimiter = \\
    ignore_default = no
    ignore_null = no
  }
}

authorize {
  preprocess
  ntdomain
  eap
  mschap
}

The various bits ensure:

 1. strip in the realms means there is always a realm-free
    %{Stripped-User-Name} variable, useful for e.g. LDAP/file/SQL searches.

 2. The with_ntdomain_hack creates an mschap:User-Name variable which
    will always have the domain stripped correctly - dom\user goes to
    user, and host/machine goes to machine$

> Any method or idea will be welcome.
>
> Thanks






Re: Install - Freeradius can't connect to MySQL

2006-06-07 Thread A . L . M . Buxey
Hi,

 to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)'

does this socket file exist? sounds very much like the classic 'socket
not where you expect' issue. eg
http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034410.html

alan
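
An added example, not part of the original post or of FreeRADIUS: the number in parentheses at the end of the MySQL client message is the OS errno from the failed connect, so it separates a socket file that is missing (2) from one the daemon is not permitted to reach (13). The sample log is the excerpt quoted in this thread plus one constructed line for contrast; the function names are illustrative.

```python
import re

# Linux errno values as they appear in the MySQL client error text.
ERRNO_MEANING = {
    2: ("ENOENT", "no socket file at that path; compare it with the "
                  "socket setting in my.cnf"),
    13: ("EACCES", "permission denied; the account or security context "
                   "the daemon runs under cannot reach the socket or its directory"),
    111: ("ECONNREFUSED", "socket file exists but no server is accepting on it"),
}

# radius.log records start with a timestamp such as "Wed Jun  7 14:01:52 2006 : ".
TIMESTAMP = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4} : ")
SOCKET_ERROR = re.compile(r"through socket '([^']+)' \((\d+)\)")

# Lines 1-9 are the excerpt from the thread (wrapped by the mail client,
# address redacted by the archive). The last two lines are constructed.
SAMPLE_LOG = """\
Wed Jun  7 14:01:52 2006 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Couldn't connect socket to
MySQL server [EMAIL PROTECTED]:radius
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Mysql error 'Can't connect
to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)'
Wed Jun  7 14:01:52 2006 : Error: rlm_sql (sql): Failed to connect DB handle
#0
Wed Jun  7 14:01:52 2006 : Info: Ready to process requests.
Wed Jun  7 14:09:10 2006 : Error: rlm_sql_mysql: Mysql error 'Can't connect
to local MySQL server through socket '/tmp/mysql.sock' (2)'
"""


def unwrap(log_text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def socket_failures(log_text):
    """Return one finding per MySQL unix-socket connect failure in the log."""
    findings = []
    for record in unwrap(log_text):
        match = SOCKET_ERROR.search(record)
        if not match:
            continue
        code = int(match.group(2))
        name, meaning = ERRNO_MEANING.get(
            code, ("UNKNOWN", "look the number up in errno(3)"))
        findings.append({"socket": match.group(1), "errno": code,
                         "name": name, "meaning": meaning})
    return findings


if __name__ == "__main__":
    for finding in socket_failures(SAMPLE_LOG):
        print("{socket}: errno {errno} ({name}) - {meaning}".format(**finding))
```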


Re: Install - Freeradius can't connect to MySQL

2006-06-07 Thread N White

Just to clarify. It looks as though MySQL is running on the localhost 
(same machine as FreeRADIUS) and you are logging into it with username 
'root'. The FreeRADIUS database is named 'radius'. This is correct?


--
---
| Nick White  |
| [EMAIL PROTECTED] |
---



Segmentation Fault

2006-06-07 Thread Joel Lindsay



Hi,

I have been using free radius for months for testing. Today, it just
started giving me segmentation faults. Nothing has changed on the NAS or
in the configs for freeradius so I have no idea why it suddenly is
crashing. Is there some way to track down what's causing the segmentation
fault? My log follows: or at least part of it

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "nobody"
main: group = "nobody"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"
tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"
tls: CA_file = "/etc/raddb/certs/cacert.pem"
tls: private_key_password = "testing123"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "mschapv2"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = 

RE: Install - Freeradius can't connect to MySQL

2006-06-07 Thread Cliff Hayes
Yes sir, sure does.

It is the same as mentioned in /etc/my.cnf

I also ran mysqladmin -p version to make sure

Cliff



RE: Install - Freeradius can't connect to MySQL

2006-06-07 Thread Cliff Hayes
That is correct.  Here is an excerpt from sql.conf

# Connect info
server = localhost
login = root
password = ***the real password is in the file

# Database table configuration
radius_db = radius

And I have already created the radius database and imported the schema.




FW: Install - Freeradius can't connect to MySQL

2006-06-07 Thread Cliff Hayes
Hello again,

This may shed some light on the situation.  When I run in debug mode with -x
option, it looks like it may be connecting.  Am I interpreting the output
correctly?  If so, is it normal to connect 5 times?

Cliff

Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.



More information in the post auth?

2006-06-07 Thread Troy Settle


I'm just about done converting to use freeradius exclusively, but have 
one more rather daunting task to get done.  I need more information for 
failed logins.


What variables are available that will tell me which check item failed 
and why?  For example, if it's the password, how about access to the 
attempted password?  Chap-Password doesn't cut it when dealing with 
most of our customers.  We need to be able to see that the password 
field is blank because Windows XP decided to unsave it, or that they 
need to spell Jesus with a 'u' and not an 'a.'


Any pointers to appropriate documentation would be greatly appreciated.

Thanks,

--
 Troy Settle
 Pulaski Networks
 866.477.5638
 http://www.psknet.com



Re: FW: Install - Freeradius can't connect to MySQL

2006-06-07 Thread Chris Carver
According to your output it is definitely connecting.  5 open 
connections to the mysql db is the default configuration.  If you look 
in etc/raddb/sql.conf you'll see the variable 'num_sql_socks = 5'   This 
is what controls the number of open connections.


Chris Carver
Network Engineer



Re: Segmentation Fault

2006-06-07 Thread Alan DeKok
Joel Lindsay [EMAIL PROTECTED] wrote:
 I have been using free radius for months for testing.  Today, if just
 started giving me segmentation faults.

  Which version are you running?

  Alan DeKok.


Re: More information in the post auth?

2006-06-07 Thread Alan DeKok
Troy Settle [EMAIL PROTECTED] wrote:
 What variables are available that will tell me which check item failed 
 and why?

  Debugging mode, and often not even that.  What you're asking for is
logging of *every* decision in the server, which is difficult and
expensive.

 For example, if it's the password, how about access to the 
 attempted password?  Chap-Password doesn't cut it when dealing with 
 most of our customers.  We need to be able to see that the password 
 field is blank because Windows XP decided to unsave it, or that they 
 need to spell Jesus with a 'u' and not an 'a.'

  If the server prints CHAP-Password in a failure message, it's
because the request has a CHAP password.  That means there's NO WAY to
know what the user entered, other than it didn't match the stored
password.

  Alan DeKok.
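
An added example, not code from the original post or from FreeRADIUS, showing why a CHAP request never carries the typed password: per RFC 2865 section 5.3 the CHAP-Password attribute is one identifier octet plus MD5(identifier, password, challenge), so the server can only recompute the digest from the stored password and compare. The passwords, challenge values and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for illustration only.
STORED_PASSWORD = b"correct-horse"
CHAP_CHALLENGE = bytes(range(16))             # CHAP-Challenge attribute, when the NAS sends one
REQUEST_AUTHENTICATOR = bytes(range(16, 32))  # 16-octet authenticator from the packet header


def chap_digest(ident, password, challenge):
    """RFC 1994 response: MD5 over identifier octet, password, challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident, typed_password, challenge):
    """What the NAS puts in CHAP-Password: identifier octet + 16-octet digest."""
    return bytes([ident]) + chap_digest(ident, typed_password, challenge)


def select_challenge(chap_challenge, request_authenticator):
    """RFC 2865 5.3: use CHAP-Challenge if present, else the Request Authenticator."""
    return chap_challenge if chap_challenge else request_authenticator


def verify_chap(chap_password, chap_challenge, request_authenticator, stored_password):
    """Return 'match', 'mismatch' or 'malformed'; the digest reveals nothing more."""
    if len(chap_password) != 17:
        return "malformed"
    ident, received = chap_password[0], chap_password[1:]
    challenge = select_challenge(chap_challenge, request_authenticator)
    expected = chap_digest(ident, stored_password, challenge)
    # Constant-time comparison of the two 16-octet digests.
    return "match" if hmac.compare_digest(received, expected) else "mismatch"


def demo():
    """Three users type three different things; the server sees only digests."""
    outcomes = {}
    for label, typed in (("correct", b"correct-horse"),
                         ("typo", b"correct-hourse"),
                         ("blank", b"")):
        attr = build_chap_password(7, typed, CHAP_CHALLENGE)
        verdict = verify_chap(attr, CHAP_CHALLENGE, REQUEST_AUTHENTICATOR,
                              STORED_PASSWORD)
        outcomes[label] = (verdict, attr[1:].hex())
    return outcomes


if __name__ == "__main__":
    for label, (verdict, digest) in demo().items():
        print(f"{label:8s} {verdict:9s} response={digest}")
```

The typo and the blank entry both come back as a plain mismatch with unrelated digests, which is all a failure log line for a CHAP request can record.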


FW: Install - Freeradius can't connect to MySQL

2006-06-07 Thread Cliff Hayes
Here's even more light:

When I start freeradius by just typing radiusd on the command line, it
connects to MySQL ok.  But if I start it like I'm supposed to:  service
radiusd start, it doesn't.  I'm using Fedora 5 with the latest
freeradius.i386, freeradius-unixODBC.i386, and  freeradius-mysql.i386.

Cliff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Cliff Hayes
Sent: Wednesday, June 07, 2006 4:03 PM
To: freeradius-users@lists.freeradius.org
Subject: FW: Install - Freeradius can't connect to MySQL


Hello again,

This may shed some light on the situation.  When I run in debug mode with -x
option, it looks like it may be connecting.  Am I interpreting the output
correctly?  If so, is it normal to connect 5 times?

Cliff

Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Cliff Hayes
Sent: Wednesday, June 07, 2006 2:28 PM
To: freeradius-users@lists.freeradius.org
Subject: Install - Freeradius can't connect to MySQL


Hello,

Warning - newbie installing Freeradius.

I get this in the radius.log even though the sql.conf has the correct
host/user/password (and I can access MySQL from the command line using the
same login criteria):

Wed Jun  7 14:01:52 2006 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Couldn't connect socket to
MySQL server [EMAIL PROTECTED]:radius
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Mysql error 'Can't connect
to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)'
Wed Jun  7 14:01:52 2006 : Error: rlm_sql (sql): Failed to connect DB handle
#0
Wed Jun  7 14:01:52 2006 : Info: Ready to process requests.

Thanks,

Cliff



Re: FW: Install - Freeradius can't connect to MySQL

2006-06-07 Thread Chris Carver
This doesn't really help your situation, but I've always thought just
typing it on the command line, 'radiusd', or having it started
automatically on boot was the way it's supposed to be.  It's also the
way I've always known everyone else to do it too.  What exactly does
service do any differently?  As far as I know, radiusd is designed to
just be run straight from the command line.


Chris Carver
Network Engineer

Cliff Hayes wrote:

Here's even more light:

When I start freeradius by just typing radiusd on the command line, it
connects to MySQL ok.  But if I start it like I'm supposed to:  service
radiusd start, it doesn't.  I'm using Fedora 5 with the latest
freeradius.i386, freeradius-unixODBC.i386, and  freeradius-mysql.i386.

Cliff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Cliff Hayes
Sent: Wednesday, June 07, 2006 4:03 PM
To: freeradius-users@lists.freeradius.org
Subject: FW: Install - Freeradius can't connect to MySQL


Hello again,

This may shed some light on the situation.  When I run in debug mode with -x
option, it looks like it may be connecting.  Am I interpreting the output
correctly?  If so, is it normal to connect 5 times?

Cliff

Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of Cliff Hayes
Sent: Wednesday, June 07, 2006 2:28 PM
To: freeradius-users@lists.freeradius.org
Subject: Install - Freeradius can't connect to MySQL


Hello,

Warning - newbie installing Freeradius.

I get this in the radius.log even though the sql.conf has the correct
host/user/password (and I can access MySQL from the command line using the
same login criteria):

Wed Jun  7 14:01:52 2006 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Couldn't connect socket to
MySQL server [EMAIL PROTECTED]:radius
Wed Jun  7 14:01:52 2006 : Error: rlm_sql_mysql: Mysql error 'Can't connect
to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)'
Wed Jun  7 14:01:52 2006 : Error: rlm_sql (sql): Failed to connect DB handle
#0
Wed Jun  7 14:01:52 2006 : Info: Ready to process requests.

Thanks,

Cliff



Re: Freeradius-Users Digest, Vol 14, Issue 34

2006-06-07 Thread Gilbert Lo
I am on holiday between June 5 to June 9. I will return to my office on
June 12. 

See you soon.
Thanks,
Gilbert Lo

helpdesk at St. George's School




Re: Exec-Program and length of arguments

2006-06-07 Thread Anton Maksimenkov

 If I add to users file this:
When I used exec-program all the attributes I wanted were in the
environment.


And how can I exploit it? I get only this:
--
$ cat /home/engineer/acrad.sh
#!/bin/sh
printenv > /tmp/exec-program-wait
--
bob   Auth-Type := Local, User-Password == "bob"
   Reply-Message = "Hello, %u",
   Exec-Program = "/home/engineer/acrad.sh"
--
after radtest in /tmp/exec-program-wait I found only
$ cat /tmp/exec-program-wait
CLIENT_IP_ADDRESS=127.0.0.1
NAS_IP_ADDRESS=255.255.255.255
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
NAS_PORT=0
USER_PASSWORD=bob
USER_NAME=bob

But this is far less than what I was waiting for... I need to do the same
that SQL accounting does. If I look at raddb/pgsql-voip.conf, I can see
the pretty accounting_stop_query, which puts much interesting info into the
database. I think it can put all the
%{User-Name} : %{Service-Type} : %{Acct-Status-Type} :
%{Acct-Session-Id} : %{Framed-Protocol} : %{NAS-Identifier} :
%{NAS-Port-Id} : %{NAS-IP-Address} : %{Calling-Station-Id} :
%{Called-Station-Id} : %{Framed-IP-Address} : %{Acct-Input-Octets} :
%{Acct-Output-Octets} : %{Acct-Input-Packets} : %{Acct-Output-Packets}
: %{Acct-Session-Time} : %{Acct-Terminate-Cause}
Am I right?

So, how can I do the same, but with a perl/shell script (e.g. pass all
these variables as arguments or environment)?


 From radiusd.conf
 #
 #  The attributes which are placed into the
 #  environment variables for the program.
 #
 #  Allowed values are:
 #
 #   request attributes from the request
 #   config  attributes from the configuration items list
 #   reply   attributes from the reply
 #   proxy-request   attributes from the proxy request
 #   proxy-reply attributes from the proxy reply
 #
 #  Note that some attributes may not exist at some
 #  stages.  e.g. There may be no proxy-reply
 #  attributes if this module is used in the
 #  'authorize' section.


I read this. But I'm just a newbie, sorry. I tried this
exec echo {
wait = yes
program = "/home/engineer/acrad.sh %{User-Name}"
input_pairs = request
output_pairs = reply
}
instantiate {
   exec
...
but it seems that the program is not started at all.

--
engineer
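
A hardened take on the acrad.sh script from the message above, as an added example that is not part of the thread: instead of dumping the whole environment (which includes USER_PASSWORD) into /tmp, it builds one record from selected variables, using the naming the printenv output shows. The field list, the `|` separator, the `ACCT_LOG` path and the `--log` switch are assumptions of this example; it also strips surrounding double quotes in case the server quotes string values.

```shell
#!/bin/sh
# Added example, not from the thread: build one accounting record from the
# environment variables rlm_exec exports (attribute name upper-cased, "-" -> "_").

# Fields to record. USER_PASSWORD is deliberately not listed.
FIELDS="USER_NAME ACCT_STATUS_TYPE ACCT_SESSION_ID NAS_IP_ADDRESS
CALLING_STATION_ID ACCT_SESSION_TIME ACCT_TERMINATE_CAUSE"

# Remove one pair of surrounding double quotes, if the server added them.
unquote() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Print the record: fields joined by "|", "-" for attributes that are not set.
acct_record() {
    rec=
    for name in $FIELDS; do
        eval "val=\${$name-}"      # names come from FIELDS only, never from input
        val=$(unquote "$val")
        # Values are NAS/user controlled: drop line breaks, neutralise the separator.
        val=$(printf '%s' "$val" | tr -d '\r\n' | tr '|' '_')
        rec="${rec}${rec:+|}${val:--}"
    done
    printf '%s\n' "$rec"
}

# Append the record to a log file created without group/other access.
# ACCT_LOG and its default path are assumptions of this example.
log_record() {
    log=${ACCT_LOG:-/var/log/radius/exec-acct.log}
    ( umask 077; acct_record >> "$log" )
}

# "--log" is this example's own switch, so sourcing or testing the file writes nothing.
if [ "${1-}" = "--log" ]; then
    log_record
fi
```

The variables are only present when the script is started with the request attributes as input, so an attribute the NAS did not send shows up as `-` rather than breaking the record layout.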