Re: post-proxy section and local proxy

2007-01-24 Thread Alan DeKok
Markus Krause wrote: Maybe try the postauth section? That's really for handling replies from the current server to the NAS. Hmm, that sounds interesting, but I could not find any information (which I could understand) on how to do that. Would that mean writing a module of my own? Maybe in

Re: Splitting the password field in freeRADIUS

2007-01-24 Thread Alan DeKok
Drumm, Daniel wrote: Is it possible to front end this type of server with FreeRADIUS, so that NAS-Clients can send a tokencode prepended to, say, a Kerberos password - and have the FreeRADIUS server forward the first 6 digits of the field to the RSA server for tokencode validation - and the

Re: Small problem with authentication

2007-01-24 Thread Alan DeKok
Mark Jones wrote: That is an excerpt from our log this morning. Two users were denied access even though they supplied the correct username and password. This happens all the time, exactly a few seconds prior to the file lock error. The file lock error is being generated because I use radrelay.

Re: Proxying based on SSID

2007-01-24 Thread Santiago Balaguer García
I think both are wrong because you must distinguish among the different SSIDs that an AP broadcasts. It sometimes happens that the wireless MAC is the same for all SSIDs. Only some devices (such as Mikrotik) let you change the MAC for each ESSID. Another thing is you have to differentiate the ESSID in

Re: Mac OS X EAP-TLS with wrong username kills freeradius when check_cert_cn is set

2007-01-24 Thread Alan DeKok
Miika Räisänen wrote: and gdb after core dump: http://cc.oulu.fi/~mraisane/tmp/gdb-radiusd.1st-patch.log Please try the following patch. I believe it will fix the problem. If so, I'll commit it to CVS. Alan DeKok. -- http://deployingradius.com - The web site of the book

Re: CA Chain

2007-01-24 Thread Reimer Karlsen-Masur, DFN-CERT
Jeffrey Sewell wrote: Thank you. So if I understand this correctly, radiusd is not looking for a directory with checksum'd certificates, just one file with all the certificates in it? Both are possible. CA_path = ${raddbdir}/certs/trustedCAs/ with c_rehash generated fingerprint symlinks for

Re: a freeradius/wireless solution for a school

2007-01-24 Thread A . L . M . Buxey
Hi, Please elaborate on how the system can be circumvented? FakeAP springs to mind instantly, as does any of the other man-in-the-middle attacks. A quick google will bring up many methods of doing such attacks. Basically, I set up a software AP with the same SSID. I have the same login page - even the

RE: Proxying based on SSID

2007-01-24 Thread Lai Fu Keung
You can always put the check for SSID *after* the check for the realms. In that case, the usernames will be stripped, and the SSID check can cancel any proxying, just like you do now. Sorry Alan, I couldn't get you here. Currently, the process (with the problem) is: 1. Check the realm, which

RE: Proxying based on SSID

2007-01-24 Thread Lai Fu Keung
The Called-Station-Id has the SSID included, in addition to the MAC address. Called-Station-Id = 00-16-E0-FD-47-40:VIP-peap Lai From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santiago Balaguer Garcia Sent: Wednesday, January 24, 2007

Re: Mac OS X EAP-TLS with wrong username kills freeradius when check_cert_cn is set

2007-01-24 Thread Miika Räisänen
On 1/24/07, Alan DeKok [EMAIL PROTECTED] wrote: Miika Räisänen wrote: and gdb after core dump: http://cc.oulu.fi/~mraisane/tmp/gdb-radiusd.1st-patch.log Please try the following patch. I believe it will fix the problem. If so, I'll commit it to CVS. Alan DeKok. It worked. Thanks.

RE: Proxying based on SSID

2007-01-24 Thread Ana Gallardo Gómez
I think you have to use the attribute Stripped-User-Name to authenticate the user. Date: Wed, 24 Jan 2007 14:21:59 +0800 From: [EMAIL PROTECTED] To: freeradius-users@lists.freeradius.org Subject: Proxying based on SSID Hi, Sorry if the questions have been asked. I have done a lot of searches,

Re: The EAP Saga begins.

2007-01-24 Thread Evan Vittitow
I keep getting this. I have been following the documentation. A username and password, and optionally the CA cert so they can trust the radius server cert. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html rlm_eap: SSL error error:0B080074:x509 certificate

Auth Type when running exec script to authenticate

2007-01-24 Thread Patric
Hi all, Up till now I have been using sql to authenticate, and am trying to change to my own script and mysql db. In radiusd.conf I have: modules { exec exec-radauth { wait = yes program = /path/to/script.php -- %{User-Name} %{Password} input_pairs = request output_pairs =

Setting check pairs in script when using exec

2007-01-24 Thread Patric
Hi guys, This is my previous mail phrased differently, as after further investigation I found out what I'm supposed to be asking. Up till now I have been using sql to authenticate, and am trying to change to my own script and mysql db. In radiusd.conf I have: modules { exec exec-radauth {

Re: Proxying based on SSID

2007-01-24 Thread Alan DeKok
Lai Fu Keung wrote: 1. Check the realm, which will set to DEFAULT, as the domain is unknown. The username is NOT stripped in the DEFAULT realm. Then add a LOCAL realm of that domain. If that's impossible, use the hints file to match the [EMAIL PROTECTED] by hand. 2. Then check the

Re: Small problem with authentication

2007-01-24 Thread Mark Jones
Here are more entries from yesterday's logs. I don't think it's a coincidence. Jan 23 08:26:45 radius freeradius[28054]: rlm_unix: [mjones]: invalid password Jan 23 08:26:45 radius freeradius[28054]: Login incorrect: [mjones/mjones] (from client 216.8.137.103 port 0) Jan 23 08:26:46 radius

Log notfound users

2007-01-24 Thread Guilherme Franco
Hello, In the authorize section I have the following: sql { notfound = reject } In post-auth: Post-Auth-Type REJECT { sql attr_filter.access_reject } Both work correctly, but I would like to log notfound users into the radpostauth table as

RADIUS will no longer start!

2007-01-24 Thread Michelle Gates
All, Our RADIUS server has been up and running fine for 127 days now. Suddenly today it no longer runs. I tried to put it into debug mode and got the following output: [EMAIL PROTECTED] ~]# /opt/freeradius/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading

Re: Small problem with authentication

2007-01-24 Thread Alan DeKok
Mark Jones wrote: Here are more entries from yesterday's logs. I don't think it's a coincidence. Again, what ELSE is going on in the system? WHY is the detail module failing to acquire the file lock? Is the disk full? Is the CPU busy? Alan DeKok. -- http://deployingradius.com -

Re: RADIUS will no longer start!

2007-01-24 Thread Alan DeKok
Michelle Gates wrote: Our RADIUS server has been up and running fine for 127 days now. Suddenly today it no longer runs. I tried to put it into debug mode and got the following output: read_config_files: reading clients /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

Re: RADIUS will no longer start!

2007-01-24 Thread Stefan Winter
Hi, read_config_files: reading clients /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name Look at line 751 of the radiusd.conf file, or in clients.conf. Is the entry syntactically correct? If it is a DNS hostname, does it resolve to an IP address correctly? Greetings, Stefan

Re: RADIUS will no longer start!

2007-01-24 Thread Norbert Wegener
Michelle Gates schrieb: All, Our RADIUS server has been up and running fine for 127 days now. Suddenly today it no longer runs. I tried to put it into debug mode and got the following output: [EMAIL PROTECTED] ~]# /opt/freeradius/sbin/radiusd -X Starting - reading configuration files ...

Re: RADIUS will no longer start!

2007-01-24 Thread Guilherme Franco
Michelle, Seems like someone removed your NASes from either your naslist or clients.conf files, in your raddb dir. In those files you need at least an entry like this (for clients.conf): client 10.10.10.1 { secret = secret123 } Where 10.10.10.1 would be your NAS address and

Re: RADIUS will no longer start!

2007-01-24 Thread Zoltan Ori
On Wednesday 24 January 2007 10:02, Michelle Gates wrote: read_config_files: reading clients /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name You should not have anything in the clients file; all clients should be in clients.conf. Zoltan Ori - List

Re: RADIUS will no longer start!

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 10:02, Michelle Gates wrote: read_config_files: reading clients /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name - Can anyone shed any light on this? Unfortunately for me, one of our developers was working on our production server but

RE: RADIUS will no longer start! - SOLVED

2007-01-24 Thread Michelle Gates
Thanks for your help Alan. I figured it out - someone had created a blank entry in our clients.conf file. *sigh* Thanks for your help!!! -michelle. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: 24-Jan-07 4:22 PM To: FreeRadius

RE: Accounting in MySQL

2007-01-24 Thread DESEtech - German P. Santillan
No, I don't have connection problems. I actually have my FreeRADIUS users in the "radcheck" and "radreply" tables, and they work fine, but accounting does not. Germán P. Santillán Administrador de Redes Jefe del Dpto. Técnico DESETech Argentina S.A. San Martín 133 - CP: B8000FIC Bahía Blanca

Re: Small problem with authentication

2007-01-24 Thread Mark Jones
- Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Wednesday, January 24, 2007 10:08 AM Subject: Re: Small problem with authentication Mark Jones wrote: Here are more entries from yesterday's logs. I

Re: The EAP Saga begins.

2007-01-24 Thread Evan Vittitow
rad_recv: Access-Request packet from host 192.168.0.250:1175, id=66, length=149 User-Name = kurama Cisco-AVPair = ssid=Pukey NAS-IP-Address = 192.168.0.250 Called-Station-Id = 004096285ceb Calling-Station-Id = 00095b679ccf NAS-Identifier =

RE: SSL locking code

2007-01-24 Thread King, Michael
Just want to report back. I built a server from the January 16th snapshot. It would seem this problem has NOT resurfaced. I will be adding more load to it later today to see if anything happens, but it's been up for about 48 hours now, whereas the 1.1.x release trains would exhibit the

Re: Small problem with authentication

2007-01-24 Thread Alan DeKok
Mark Jones wrote: Again, what ELSE is going on in the system? This is a dedicated box for just radius. Load never exceeds 0.15, disk usage is less than 20% on all volumes. OK... WHY is the detail module failing to acquire the file lock? Is the disk full? Is the CPU busy? I assume it

Re: SSL locking code

2007-01-24 Thread Alan DeKok
King, Michael wrote: I built a server from the January 16th snapshot. It would seem this problem has NOT resurfaced. I will be adding more load to it later today to see if anything happens, but it's been up for about 48 hours now, whereas the 1.1.x release trains would exhibit the

Re: Small problem with authentication

2007-01-24 Thread Mark Jones
I am not trying to be unhelpful. We have two new servers that we installed last fall and both are doing the exact same thing. I can give you as much info as you ask for. The only programs that access the detail file are radius and radrelay. I will attempt to catch it doing it while in debug

Re: Small problem with authentication

2007-01-24 Thread Dennis Skinner
Mark Jones wrote: WHY is the detail module failing to acquire the file lock? Is the disk full? Is the CPU busy? I assume it is to do with radrelay. Just a thought: what file system are you using on the volume where the detail records are being stored? Locking on NFS volumes can cause

Setting a realm in the User-Name based on Client-IP-Address

2007-01-24 Thread Jason E. Murray
I have quite a few people on campus who authenticate to various systems without using a realm in their username. With our current radius server there is an option in the clients file where you specify a Default-Realm per client. When an authentication request comes in from this client the @realm

RE: help

2007-01-24 Thread John Wan
Hi Alan, Thanks for your help again. Does the NAS documentation mean the documentation of my wireless access point? Thanks Regards John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Monday, 22 January 2007 5:57 PM To:

Re: Setting a realm in the User-Name based on Client-IP-Address

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 16:59, Jason E. Murray wrote: My question is: is there a better way to do this? This seems a bit kludgy. Using FreeRadius 1.1.4. Thanks in advance. Use the hints file like below, then configure freeradius as if the realm were included in the original request. ==

2GB problems

2007-01-24 Thread Tas Dionisakos
I have set up a captive portal with mysql, chilli, and freeradius. My portal allows users access based on data use (quota); I am using rlm_sqlcounter (from freeradius 1.1.4) to measure the usage on login. The problem I'm having is that if I assign a quota of more than 2GB, freeradius sees the

Re: Small problem with authentication

2007-01-24 Thread Mark Jones
Just a local volume on debian linux. At home at the moment so I can't log in and check. - Original Message - From: Dennis Skinner [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Wednesday, January 24, 2007 4:49 PM Subject: Re: Small

rlm_perl DEBUG log with garbage output

2007-01-24 Thread Rohaizam Abu Bakar
Hi, running xlat within rlm_perl gives the correct result, but what concerns me is that in the debug log there is garbage output as below: radius_xlat: '.*' radius_xlat: Running registered xlat function of module y5perl for string '%{User-Name}:%{NAS-Identifier}' radius_xlat:

RE: Accounting in MySQL

2007-01-24 Thread satish patel
Dear, What NAS device are you using? When a user authenticates via radius, the NAS sends an acct-start packet to radius. If your NAS is not sending the start accounting packet to freeradius, then radius does not start accounting. I have a cisco Router for NAS: aaa accounting start-stop radius ---

Re: help

2007-01-24 Thread Alan DeKok
John Wan wrote: Does the NAS documentation mean the documentation of my wireless access point? Yes. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See