Attributes of a realm
After I read the attached post, I have a doubt: if I use a MySQL DB to manage the freeradius service, how can I fix specific attributes to all users of a determined realm?

From: "Jóhann B. Guðmundsson" [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Re: pptp + vpn + freeradius Acct-Status-Type Alive
Date: Tue, 13 Mar 2007 16:18:41 +

Since I finally solved this...

It was possible yet not documented in the vpn docs (poptop + freeradius + samba).

I added "ATTRIBUTE Acct-Interim-Interval 85 integer" to /etc/radiusclient/dictionary and then added to /etc/raddb/users:

DEFAULT Realm == "staff.example.com", Auth-Type := MS-CHAP, Pool-Name := staff, Simultaneous-Use := 1
	Acct-Interim-Interval = 3600,   --- set to one hour
	Fall-Through = no

Best regards.
Jóhann B

Jóhann B. Guðmundsson wrote:
> Alan DeKok wrote:
>> Jóhann B. Guðmundsson wrote:
>>> Is it possible to enable Acct-Status-Type Alive for pptp vpn? If so how..
>>
>> Read the VPN documentation. If it doesn't say how, it's impossible.
>>
>> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR supported attributes
Hi guys,

Just to let all of you know.. I tried the Expiration attribute today and it is working fine. The NAS used is Chillispot (ChilliSpot inside of a WRT54GS). The Expiration attribute inserted into the radcheck table with op == will block an account from the date put into the value field. So, if I put (today is March 14, 2007 at our place) an expiration 'Mar 14 2007' the account cannot log in anymore. If I put an expiration 'Mar 15 2007' the account will be able to log in till tonight. The only problem is there is no explanation to the user why the system gives the error "Login Failed".

I did try to add expiration into radiusd.conf as explained at http://wiki.freeradius.org/Radiusd.conf but FR refuses to start with the error:

Wed Mar 14 15:59:14 2007 : Error: radiusd.conf[1587] Failed to link to module 'rlm_expiration': Shared object rlm_expiration.so not found, required by radiusd

How to fix this problem?

TIA
PD

On 3/13/2007, PD [EMAIL PROTECTED] wrote:
> ..cut...
> Expiration is an internal FreeRadius attribute - it doesn't go out in radius packets. It is used to generate real radius attributes like Session-Timeout. So the NAS (Cisco, Chilli, Mikrotik, whatever) will never see this attribute. None of them would know what to do with it if they received it.
>
> I will try the Expiration later at the end of this week and will let you know the result.
Re: FR supported attributes
PD wrote:
> I am using FR 1.1.4 built from the FBSD port, do I need to load the module?

No. If it's not in 1.1.5, it's not in any prior version, either.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Still having problem with FR-1.1.5
Hi Alan and list,

I downloaded freeradius-1.1.5 yesterday via cvs:

cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 radiusd

After downloading:

cd /radiusd
./configure
make
make install

Compilation produced no error. I checked that /usr/local/etc/ and the raddb dir had been created after the installation. However radiusd -X produces the following output:

[EMAIL PROTECTED]@dyndns:~# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
*** glibc detected *** double free or corruption (fasttop): 0x80104ee8 ***
Aborted

/* * */

Running the server with valgrind:

valgrind --tool=memcheck --leak-check=full radiusd -X

I got the following output:

/* * */
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
[main:, proxy: and security: settings identical to the first run above]
read_config_files: reading dictionary
==4258== Conditional jump or move depends on uninitialised value(s)
==4258==    at 0x4872492: lrad_rand_seed (radius.c:2416)
==4258==    by 0x486B068: my_dict_init (dict.c:1001)
==4258==    by 0x486BEB4: dict_init (dict.c:1247)
==4258==    by 0xBCFC: read_radius_conf_file (mainconfig.c:1262)
==4258==    by 0xBDEF: read_mainconfig (mainconfig.c:1295)
==4258==    by 0x10E24: main (radiusd.c:941)
==4258==
==4258== Conditional jump or move depends on uninitialised value(s)
==4258==    at 0x4872492: lrad_rand_seed (radius.c:2416)
==4258==    by 0x486B068: my_dict_init (dict.c:1001)
==4258==    by 0x486B161: my_dict_init (dict.c:1041)
==4258==    by 0x486BEB4: dict_init (dict.c:1247)
==4258==    by 0xBCFC: read_radius_conf_file (mainconfig.c:1262)
==4258==    by 0xBDEF: read_mainconfig (mainconfig.c:1295)
==4258==    by 0x10E24: main (radiusd.c:941)
==4258==
==4258== Conditional jump or move depends on uninitialised value(s)
==4258==    at 0x4872492: lrad_rand_seed (radius.c:2416)
==4258==    by
Re: FR supported attributes
I think the same too... because expiration is not a new attribute. The expiration attribute itself is working fine, the only problem is there is no explanation to the user when the system rejects him/her.

CMIIW
PD

On 3/14/2007, Alan DeKok [EMAIL PROTECTED] wrote:
> PD wrote:
>> I am using FR 1.1.4 built from the FBSD port, do I need to load the module?
>
> No. If it's not in 1.1.5, it's not in any prior version, either.
>
> Alan DeKok.
RE: Access-Challenge with Avaya
Nobody can help me?

-
Romain Mercier
Network and security technician
Université d'Angers - CRI, Systems and Networks Department
40 rue de Rennes 49035 Angers Cedex - France
-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ius.org] On behalf of Romain Mercier
Sent: Tuesday 13 March 2007 12:10
To: 'FreeRadius users mailing list'
Subject: Access-Challenge with Avaya

> Hello!
>
> I am having troubles with an Avaya P334T switch. I am trying to authenticate users directly connected to ports of the switch. I have configured the switch well, I think, because the access-request is sent to the radius, but then the radius sends an access-challenge to the switch and nothing is done after. There is no answer from the switch and the user cannot access the network, but it is not rejected by the radius. I think the problem comes from the switch, because authentication on a wireless access point connected to this switch works fine.
>
> Did anybody encounter the same problem? Any idea?
>
> Thanks for your help
>
> -
> Romain Mercier
> Network and security technician
> Université d'Angers - CRI, Systems and Networks Department
> 40 rue de Rennes 49035 Angers Cedex - France
> -
Re: FR supported attributes
Did you set the reply message in radiusd.conf?

	#
	#  The expiration module. This handles the Expiration attribute
	#  It should be included in the *end* of the authorize section
	#  in order to handle user Expiration. It should also be included
	#  in the instantiate section in order to register the Expiration
	#  compare function
	#
	expiration {
		#
		#  The Reply-Message which will be sent back in case the
		#  account has expired. Dynamic substitution is supported
		#
		reply-message = "Password Has Expired\r\n"
		#reply-message = "Your account has expired, %{User-Name}\r\n"
	}

Ivan Kalik
Kalik Informatika ISP

On 14/3/2007, PD [EMAIL PROTECTED] wrote:
> I think the same too... because expiration is not a new attribute. The expiration attribute itself is working fine, the only problem is there is no explanation to the user when the system rejects him/her.
>
> CMIIW
> PD
>
> On 3/14/2007, Alan DeKok [EMAIL PROTECTED] wrote:
>> PD wrote:
>>> I am using FR 1.1.4 built from the FBSD port, do I need to load the module?
>>
>> No. If it's not in 1.1.5, it's not in any prior version, either.
>>
>> Alan DeKok.
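The two messages above describe the same mechanism from both ends: Expiration is checked inside the server and never sent to the NAS, and on rejection the configured reply-message (with %{User-Name} substituted) is all the user sees. The following is an added model of that behaviour, not FreeRADIUS code and not code from the thread; the date formats it accepts and the minimal %{...} substitution are assumptions of the example.

```python
"""Model of how the internal Expiration check item reaches the NAS.

Added example, not FreeRADIUS code and not from the thread. It assumes the
behaviour described above: Expiration never leaves the server; before the
date the request is accepted and Session-Timeout carries the seconds left;
on or after the date it is rejected, with the configured Reply-Message if
one is set. The %{User-Name} substitution is a hypothetical minimal xlat.
"""
import re
from datetime import datetime
from typing import Optional

# Date formats accepted for the radcheck 'Expiration' value. 'Mar 14 2007' is
# the form used in the thread; the variant with a time of day is an
# assumption so that expiry can also fall inside a day.
_FORMATS = ("%b %d %Y %H:%M:%S", "%b %d %Y")


def parse_expiration(value: str) -> datetime:
    """Parse an Expiration value such as 'Mar 14 2007' into a datetime."""
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unparseable Expiration value: {value!r}")


def xlat(template: str, request: dict) -> str:
    """Substitute %{Attribute} references from the request attributes."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}",
                  lambda m: str(request.get(m.group(1), "")), template)


def apply_expiration(request: dict, check_items: dict, now: datetime,
                     reply_message: Optional[str] = None) -> dict:
    """Return what the NAS would receive: packet code plus reply attributes.

    Expiration is consumed here and is never copied into the reply.
    Accept: Session-Timeout = whole seconds until the expiry instant.
    Reject: Reply-Message from the module configuration, if configured.
    """
    expiry = parse_expiration(check_items["Expiration"])
    if now >= expiry:
        reply = {}
        if reply_message:
            reply["Reply-Message"] = xlat(reply_message, request)
        return {"code": "Access-Reject", "reply": reply}
    remaining = int((expiry - now).total_seconds())
    return {"code": "Access-Accept", "reply": {"Session-Timeout": remaining}}


if __name__ == "__main__":
    # Constructed sample: 10:00 on 14 Mar 2007, the day mentioned in the thread.
    now = datetime(2007, 3, 14, 10, 0, 0)
    req = {"User-Name": "pd"}
    for exp in ("Mar 14 2007", "Mar 15 2007"):
        print(exp, apply_expiration(req, {"Expiration": exp}, now,
                                    "Your account has expired, %{User-Name}"))
```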
Re: FR supported attributes
PD wrote:
> I think the same too... because expiration is not a new attribute. The expiration attribute itself is working fine, the only problem is there is no explanation to the user when the system rejects him/her.

You can edit the code to produce the message, or run the CVS head.

Alan DeKok.
new query verification in sql.conf
I use freeradius for authentication of pppoe wifi. I need to make a new sql query on a table with a list of mac-addresses: if the CallingStationId is equal to some mac-address in the table then it must not be allowed to connect. A mac-address blacklist system. I tried adding one query in sql.conf but it does not function. I found that it would be necessary to add a new function in rlm_sql.c, but I am not a skilled C programmer. Can somebody help me?

Sorry for my English.

Thanks
Jean
Re: new query verification in sql.conf
use huntgroups:

ohnoyouwont Calling-Station-ID == whatever SQL-Group == suspended

where suspended is a group with Auth-Type reject.

Ivan Kalik

On 14/3/2007, Jean Carlos Oliveira Guandalini [EMAIL PROTECTED] wrote:
> I use freeradius for authentication of pppoe wifi. I need to make a new sql query on a table with a list of mac-addresses: if the CallingStationId is equal to some mac-address in the table then it must not be allowed to connect. A mac-address blacklist system. I tried adding one query in sql.conf but it does not function. I found that it would be necessary to add a new function in rlm_sql.c, but I am not a skilled C programmer. Can somebody help me?
>
> Sorry for my English.
>
> Thanks
> Jean
Freeradius 1.1.5 on RH 7.3 crashes
Dear All,

I successfully used freeradius-1.0.5 on our RedHat 7.3 system for a couple of years to authenticate wireless and VPN clients. I decided to upgrade to version 1.1.5 to enable the wireless connection on a few Windows Vista clients. I downloaded the source freeradius-1.1.5.tar.gz and customized the provided freeradius.spec. Essentially in the configure I added:

	--with-openssl-includes=/usr/local/ssl/include \
	--with-openssl-libraries=/usr/local/ssl/lib \

(as openssl-0.9.7i is installed in /usr/local/ssl/lib) and removed:

	--with-system-libtool \

and successfully produced the rpm for my system. I installed it and it worked even for 6, 7 hours (enabling the wireless clients to work, including the Vista clients) but then invariably it crashed. Apparently (from the various logs attached) it always crashed after the configuration reload, but it is not evident if immediately after the reload or some time later. The crash can sometimes be initiated by sending kill -HUP to the radiusd process. Trying to minimize the frequency of the crashes I set:

	max_request_time = 10

but without any change in the behaviour. Any suggestion on how to solve the problem would be appreciated.

Best regards
Dario

P.S.: Attached is a partial log (otherwise it was too big; only username and password are masked). I can provide longer logs on request.

--
Dario Palmisano
ICGEB Computer System Network Administrator
Tel: +39 040 3757330 Fax: +39 040 226555 E-Mail: [EMAIL PROTECTED]
International Centre for Genetic Engineering and Biotechnology
Area Science Park, Padriciano 99, I-34012 Trieste, ITALY

Attachment: radius.log.gz
Re: Freeradius 1.1.5 on RH 7.3 crashes
Hi,

> clients to work, including the Vista clients) but then invariably it crashed. Apparently (from the various logs attached) it always crashed after the configuration reload, but it is not evident if immediately after the reload or some time later.

are you 'HUP'ing the server at those times to reload the config? I too have noticed a change in behaviour with 1.1.5 regarding HUP of the server. 1.1.4 was fine, but a HUP on 1.1.5 can kill the process

alan
checkrad or sql base simultaneous-use
Note: forwarded message attached.

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com

---BeginMessage---
Thanks dear,

But dear, my problem is I am using simultaneous-use with sql and it is working fine, but my problem is users connect with the NAS (cisco vpdn), but some users get stuck in the mssql database radacct table, meaning on a user connection error or any other error the users get disconnected, and then when they try to login I get a log "user already login" because in the radacct table AcctStopTime = 1/1/1900, and that's why those users are not able to login. How can I automatically close this session? Is there any attribute which automatically clears idle sessions? One more thing: I have set the idle-timeout attribute but it also does not work??? What is the problem with users stuck in the database? That's why I want to change my simultaneous-use to the checkrad script. Is it solved by the checkrad script???

[EMAIL PROTECTED] wrote:
> radwho lists online users according to radutmp. checkrad doesn't use radwho. It asks the NAS if user so and so is on port so and so with session ID so and so. In session you choose if looking for online users will be done in the database or radutmp. checkrad will be called when an online user is detected if you put cisco as nastype. If you put other it won't.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 12/3/2007, satish patel wrote:
>> Anyone help me please. I have many problems with the simultaneous login user problem. I have freeradius-1.1.0 with MSSQL with a cisco VPDN configuration. I don't know why simultaneous is not working with the checkrad script, can you explain to me? I have confusion about the radwho and checkrad commands, so does the checkrad command use radwho output, and what is sql based simultaneous detection if I enable sql in /etc/radb/radius.conf in the session part like:
>>
>> session {
>> 	# radutmp
>> 	sql
>> }
>>
>> What are radutmp and sql? If I use radutmp then is checkrad called by radius or not? I have confusion about checkrad and sql based simultaneous-use, can you explain to me?
>>
>> $ cat ~/satish/url.txt
>> System administrator ( Data Center )
>> please visit this site http://linux.tulipit.com
---End Message---
Re: Freeradius 1.1.5 on RH 7.3 crashes
Hi Alan,

no, many crashes were spontaneous (I do not know the internals of radiusd, but from time to time it reloads, maybe as a response to a passwd file change or so). Then I tried to send a HUP signal, after the server authenticated some clients, and a few seconds (20-40) later the server crashed. Unfortunately the log does not show the activity during the crash; maybe someone can suggest to me how to get a more detailed log.

Thanks
Dario

On Wednesday 14 March 2007 16:17, [EMAIL PROTECTED] wrote:
> Hi,
>
>> clients to work, including the Vista clients) but then invariably it crashed. Apparently (from the various logs attached) it always crashed after the configuration reload, but it is not evident if immediately after the reload or some time later.
>
> are you 'HUP'ing the server at those times to reload the config? I too have noticed a change in behaviour with 1.1.5 regarding HUP of the server. 1.1.4 was fine, but a HUP on 1.1.5 can kill the process
>
> alan
Re: Freeradius 1.1.5 on RH 7.3 crashes
[EMAIL PROTECTED] wrote:
> are you 'HUP'ing the server at those times to reload the config? I too have noticed a change in behaviour with 1.1.5 regarding HUP of the server. 1.1.4 was fine, but a HUP on 1.1.5 can kill the process

1.1.4 was fine by accident... see bugs.freeradius.org. A HUP can still kill 1.1.4. As for why 1.1.5 is more problematic, I have no clue.

Alan DeKok.
Re: EAP-TTLS outer identity accounting
On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok [EMAIL PROTECTED] wrote:
> Sam Schultz wrote:
>> This should be solvable by adding something like 'User-Name = %{User-Name}' to the DEFAULT entries in the users file, correct?
>
> Yes.

One of my users file DEFAULT entries looks like this:

DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u

However, FreeRADIUS tells me this:

Error: Invalid operator for item User-Name: reverting to '=='

I assume I'm not supposed to forcibly change User-Name, so what attribute would I set to return the correct username to the NAS? I know there is a run-time variable %{reply:User-Name}, would I need to somehow update it with the correct value for User-Name instead? This question seems to have been asked several times on the list before, but I have yet to find a definitive answer to it.

> Alan DeKok.
RE : EAP-TTLS outer identity accounting
-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Sam Schultz
Sent: Wednesday 14 March 2007 17:13
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-TTLS outer identity accounting

> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok [EMAIL PROTECTED] wrote:
>> Sam Schultz wrote:
>>> This should be solvable by adding something like 'User-Name = %{User-Name}' to the DEFAULT entries in the users file, correct?
>>
>> Yes.
>
> One of my users file DEFAULT entries looks like this:
>
> DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u
>
> However, FreeRADIUS tells me this:
>
> Error: Invalid operator for item User-Name: reverting to '=='
>
> I assume I'm not supposed to forcibly change User-Name, so what attribute would I set to return the correct username to the NAS? I know there is a run-time variable %{reply:User-Name}, would I need to somehow update it with the correct value for User-Name instead?

Yes, by simply adding the User-Name = XXX to the reply items (that is to say not on the first line). Try something like this:

DEFAULT Realm == test, Autz-Type := sql-test
	User-Name=`%{User-Name}`

HTH,
Thibault
clients.conf shortname
Hi All,

I have a quick question on the shortname attribute for clients: must it be unique among all clients?

Thanks in advance for your answers
Geoff.
Re: new query verification in sql.conf
I did not explain correctly. I have a table in the database with mac-addresses registered. When the user connects, radius makes a verification in this table (on the database), comparing the mac-address of the user with the mac-addresses registered in the database; if the mac-address of the user is contained in the table (on the database), the user must not be able to connect.

Sorry for my English. I use a translator! lol

Thanks
Jean

From: [EMAIL PROTECTED]
Date: Wed, 14 Mar 2007 15:09:49 +0100
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

> use huntgroups:
>
> ohnoyouwont Calling-Station-ID == whatever SQL-Group == suspended
>
> where suspended is a group with Auth-Type reject.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 14/3/2007, Jean Carlos Oliveira Guandalini [EMAIL PROTECTED] wrote:
>> I use freeradius for authentication of pppoe wifi. I need to make a new sql query on a table with a list of mac-addresses: if the CallingStationId is equal to some mac-address in the table then it must not be allowed to connect. A mac-address blacklist system. I tried adding one query in sql.conf but it does not function. I found that it would be necessary to add a new function in rlm_sql.c, but I am not a skilled C programmer. Can somebody help me?
>>
>> Sorry for my English.
>>
>> Thanks
>> Jean
Re: RE : EAP-TTLS outer identity accounting
On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur [EMAIL PROTECTED] wrote:
>> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok [EMAIL PROTECTED] wrote:
>>> Sam Schultz wrote:
>>>> This should be solvable by adding something like 'User-Name = %{User-Name}' to the DEFAULT entries in the users file, correct?
>>>
>>> Yes.
>>
>> One of my users file DEFAULT entries looks like this:
>>
>> DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u
>>
>> However, FreeRADIUS tells me this:
>>
>> Error: Invalid operator for item User-Name: reverting to '=='
>>
>> I assume I'm not supposed to forcibly change User-Name, so what attribute would I set to return the correct username to the NAS? I know there is a run-time variable %{reply:User-Name}, would I need to somehow update it with the correct value for User-Name instead?
>
> Yes, by simply adding the User-Name = XXX to the reply items (that is to say not on the first line). Try something like this:

This didn't make much sense at first, but I think I understand it now. What you're saying is that the first line is only for check items, which is why I couldn't set User-Name there. The second line and beyond then are for, what? Reply items ONLY, or check and reply items? Is this documented anywhere? I just did a quick check through the freeradius doc directory, and only found a rlm_fastusers document which didn't have anything to say about format restrictions.

> DEFAULT Realm == test, Autz-Type := sql-test
> 	User-Name=`%{User-Name}`
>
> HTH,
> Thibault
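The rule the thread arrives at (first line of a users-file entry holds check items, indented continuation lines hold reply items, and a check item written with the bare '=' operator is reverted to '==' with the warning Sam saw) is easiest to see in a small parser. The following is an added example, not FreeRADIUS code; the exact operator sets it accepts on each side and the '#'-comment handling are assumptions of the example, and the sample entries are Sam's first attempt followed by Thibault's corrected form.

```python
"""Parser for the FreeRADIUS users-file layout discussed above.

Added example, not FreeRADIUS code. It models the rule from the thread:
the first line of an entry carries *check* items, indented continuation
lines carry *reply* items, and the bare '=' operator is not a valid check
operator, so a check item written with '=' is reverted to '==' with a
warning (its text mirrors the error quoted in the thread). The operator
sets below are an assumption of this example, not the server's full list.
"""
import re
from dataclasses import dataclass, field

CHECK_OPS = {"==", ":=", "!=", ">", ">=", "<", "<=", "=~", "!~"}
REPLY_OPS = {"=", ":=", "+="}

# One item: attribute, operator, value; the value may be "quoted",
# `backquoted` or bare. A trailing comma separates items on a line.
_ITEM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*(==|:=|!=|>=|<=|=~|!~|\+=|>|<|=)\s*'
    r'("[^"]*"|`[^`]*`|[^,\s]+)\s*,?')


@dataclass
class Entry:
    name: str
    check: list = field(default_factory=list)
    reply: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def _items(text: str):
    """Yield (attribute, op, value) triples from a comma-separated item list."""
    pos = 0
    while pos < len(text):
        m = _ITEM.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item list near: {text[pos:]!r}")
        yield m.group(1), m.group(2), m.group(3)
        pos = m.end()


def parse_users(text: str) -> list:
    """Split a users file into entries, classifying check vs reply items."""
    entries = []
    for raw in text.splitlines():
        # Simplification: '#' starts a comment even inside a quoted value.
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            # Unindented line: new entry. First word is the name (a user name
            # or DEFAULT); everything after it is the check-item list.
            parts = line.strip().split(None, 1)
            entry = Entry(parts[0])
            entries.append(entry)
            for attr, op, val in _items(parts[1] if len(parts) > 1 else ""):
                if op not in CHECK_OPS:
                    entry.warnings.append(
                        f"Invalid operator for item {attr}: reverting to '=='")
                    op = "=="
                entry.check.append((attr, op, val))
        else:
            # Indented line: reply items belonging to the current entry.
            if not entries:
                raise ValueError("reply items before any entry")
            entry = entries[-1]
            for attr, op, val in _items(line):
                if op not in REPLY_OPS:
                    raise ValueError(f"Invalid operator '{op}' for reply item {attr}")
                entry.reply.append((attr, op, val))
    return entries


# Constructed sample: Sam's first attempt, then Thibault's corrected entry.
SAMPLE = """\
DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u

DEFAULT Realm == test, Autz-Type := sql-test
\tUser-Name = `%{User-Name}`
"""

if __name__ == "__main__":
    for e in parse_users(SAMPLE):
        print(e.name, "check:", e.check, "reply:", e.reply)
        for w in e.warnings:
            print("  Error:", w)
```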
Re: authenticating multiple modules?
Alan, Ivan,

Thanks! Between both of your comments, I was able to put two and two together and get both modules working. I would never have guessed that one needs to create the groups in the passwd module. It simply isn't intuitive to use the passwd module for doing this. One would think that each module (unix and ldap in my case) could work in tandem. Anyway, it seems to be working with these two passwd modules:

passwd staff {
	filename = /etc/raddb/unixusers
	format = "*User-Name"
	authtype = unix
}

passwd students {
	filename = /etc/raddb/ldapusers
	format = "*User-Name"
	authtype = ldap
}

Thanks!
Tim

At 11:57 AM 3/13/2007, you wrote:
> Tim Tyler wrote:
>> Ivan, or others,
>> Ok, I can't seem to find documentation on this. If I don't use the users file, I presume I should create the groups in the radiusd.conf file. How does one create a group for Students and Staff (syntax)?
>
> man rlm_passwd
>
>> Can I assign Auth-Type = System for Staff and Auth-Type = LDAP for Staff and have a request against both groups?
>
> Yes.
>
>> Note, there is no way ahead of time to distinguish between a user that is staff or student. So I need the solution to first check the system file and then check against ldap.
>
> No. I presume you don't have the same username for a staff student. In that case, you can do LDAP lookups to see if they're in LDAP. If so, use LDAP. If not, they should be in /etc/passwd.
>
> Alan DeKok.

Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]
restricting users access to clients?
Hi,

We're using FreeRadius to authenticate our wireless users (whose credentials are stored in LDAP). But we'd also like to use it to authenticate a select few users who need access to our networking gear. Our networking gear is set up to do this, but I'm not sure how to set this up in FreeRadius. I would assume that you'd specify in the clients.conf section which users are allowed access to that device, but in looking at the documentation for clients.conf, that doesn't seem to be the case.

Any links/advice is appreciated.

Thanks
Matt
[EMAIL PROTECTED]
Re: authenticating multiple modules?
Tim Tyler wrote:
> Alan, Ivan,
> Thanks! Between both of your comments, I was able to put two and two together and get both modules working. I would never have guessed that one needs to create the groups in the passwd module. It simply isn't intuitive to use the passwd module for doing this. One would think that each module (unix and ldap in my case) could work in tandem.

What does that mean? i.e. You want them to work in tandem in a certain way... others want something different.

That being said, in the CVS head (soon to be 2.0, I hope), the modules are much better at just figuring it out. In 2.0, you will likely have to do much less configuration to get it to work.

Alan DeKok.
Re: clients.conf shortname
Geoffroy Arnoud wrote:
> Hi All,
> I have a quick question on the shortname attribute for clients: must it be unique among all clients?

Nope. It's just used for printing. i.e. look up client by IP... if there's a short name, print it, else print the full name or IP

Alan DeKok.
Re: Freeradius 1.1.5 on RH 7.3 crashes
Dario Palmisano wrote:
> no, many crashes were spontaneous (I do not know the internals of radiusd, but from time to time it reloads, maybe as a response to a passwd file change or so). Then I tried to send a HUP signal, after the server authenticated some clients, and a few seconds (20-40) later the server crashed.

There is a bug filed on bugs.freeradius.org. Sending the server HUP signals just isn't safe until it's fixed. It may be possible to fix it in 1.1.6...

> Unfortunately the log does not show the activity during the crash; maybe someone can suggest to me how to get a more detailed log.

The issue isn't the activity during the crash, but the activity during the HUP. You have a module that's taking a LONG time to process a request, and it's preventing the HUP handling from proceeding correctly.

Alan DeKok.
Re: restricting users access to clients?
Matt Ashfield wrote:
> We're using FreeRadius to authenticate our wireless users (whose credentials are stored in LDAP). But we'd also like to use it to authenticate a select few users who need access to our networking gear. Our networking gear is set up to do this, but I'm not sure how to set this up in FreeRadius.

Write rules in the users file.

> I would assume that you'd specify in the clients.conf section which users are allowed access to that device, but in looking at the documentation for clients.conf, that doesn't seem to be the case.

No. The clients.conf file just defines clients. It doesn't do anything more than that. There's no reason code couldn't be written to permit that, though...

Alan DeKok.
RE: restricting users access to clients?
Ok, the users file it is! Thanks! I guess I was hoping for a link to an example of some sort. Because the user who would be given access is not explicitly defined in the users file (the users are defined in LDAP), I'm not sure how to set up a rule for that person.

Thanks again,
Cheers
Matt [EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: March 14, 2007 3:50 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: restricting users access to clients?
Proposal for LNS load-balancing with Freeradius
Hello,

I was working on a solution for having round-robin LNS repartition with Freeradius. Since I must replace several parameters and they must match each other (the Tunnel-Server-Auth-Id name must match the Tunnel-Server-Endpoint IP), I had trouble using an external script returning random values. So my solution consists in modifying the SQL group reply query (in sql.conf). Instead of:

    authorize_group_reply_query = SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, ${groupreply_table}.Value, ${groupreply_table}.op FROM ${groupreply_table}, ${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id

I put:

    authorize_group_reply_query = SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, substring_index(substring_index(${groupreply_table}.Value, ';', myrand.val), ';', -1), ${groupreply_table}.op FROM ${groupreply_table}, ${usergroup_table}, (select floor(1+rand()*2) as val) as myrand WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id

where the number in rand()*2 must match the number of LNS. The database value format must be either the usual form (the value itself) when only one value must be replied, or firstvalue;secondvalue... separated by semicolons (in this case it will randomly return one of the values, and the same random number will be used for the whole request).

I saw only two drawbacks: you must restart Freeradius if you modify the number of LNS, and the separator character must not be used anywhere else.

Does anybody have some comments on this method, or a better method to do the same thing?

Sincerely,
Mathieu Dessus.
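The query rewrite in the post above, replayed as an added example (not the poster's or FreeRADIUS's code) against an in-memory SQLite copy of the group-reply and user-group tables. SQLite lacks MySQL's SUBSTRING_INDEX, RAND and FLOOR, so those three are supplied as Python functions; the table names radgroupreply/radusergroup, the sample rows, the user name alice and the rng parameter are all constructed for the example. Everything else is the posted query with the ${...} variables expanded and the LNS count and %{SQL-User-Name} passed as bind parameters.

```python
"""Added example, not FreeRADIUS code or the poster's own: replays the
rewritten authorize_group_reply_query against SQLite to show that one
rand() in the derived table keeps every ;-split attribute of a request
aligned (endpoint N always travels with auth-id N)."""
import math
import random
import sqlite3


def substring_index(s, delim, count):
    """MySQL SUBSTRING_INDEX: count > 0 keeps everything before the count-th
    delimiter, count < 0 everything after the count-th delimiter from the
    right. With fewer delimiters than |count| the whole string comes back,
    which is why single-valued rows need no separator at all."""
    parts = s.split(delim)
    count = int(count)
    return delim.join(parts[:count] if count > 0 else parts[count:])


# Constructed sample data: two LNS whose endpoint and auth-id must stay paired.
GROUP_REPLY = [
    (1, "l2tp", "Tunnel-Type", "L2TP", ":="),
    (2, "l2tp", "Tunnel-Medium-Type", "IP", ":="),
    (3, "l2tp", "Tunnel-Server-Endpoint", "192.0.2.10;192.0.2.20", ":="),
    (4, "l2tp", "Tunnel-Server-Auth-Id", "lns1;lns2", ":="),
]
USER_GROUP = [("alice", "l2tp")]
N_LNS = 2  # the "2" in rand()*2: must equal the number of ;-separated values

# The posted query with ${groupreply_table}/${usergroup_table} expanded;
# the LNS count and the user name are bound parameters (textual order).
QUERY = """
SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute,
       substring_index(substring_index(radgroupreply.Value, ';', myrand.val), ';', -1),
       radgroupreply.op
FROM radgroupreply, radusergroup, (SELECT floor(1 + rand() * ?) AS val) AS myrand
WHERE radusergroup.Username = ?
  AND radusergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id
"""


def open_db(rng=random.random):
    """In-memory stand-in for the MySQL tables. rng() must return a float in
    [0, 1) like MySQL's RAND(); pass a constant to make a run reproducible."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("substring_index", 3, substring_index)
    conn.create_function("rand", 0, rng)
    conn.create_function("floor", 1, math.floor)
    conn.execute("CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, "
                 "Attribute TEXT, Value TEXT, op TEXT)")
    conn.execute("CREATE TABLE radusergroup (Username TEXT, GroupName TEXT)")
    conn.executemany("INSERT INTO radgroupreply VALUES (?, ?, ?, ?, ?)", GROUP_REPLY)
    conn.executemany("INSERT INTO radusergroup VALUES (?, ?)", USER_GROUP)
    return conn


def group_reply(conn, username, n_lns=N_LNS):
    """Run the query once, as rlm_sql does per Access-Request.
    Returns [(Attribute, op, Value), ...] in id order."""
    rows = conn.execute(QUERY, (n_lns, username)).fetchall()
    return [(attr, op, value) for _id, _group, attr, value, op in rows]


def lns_pair(conn, username):
    """The (Tunnel-Server-Endpoint, Tunnel-Server-Auth-Id) the NAS would get."""
    reply = {attr: value for attr, _op, value in group_reply(conn, username)}
    return reply["Tunnel-Server-Endpoint"], reply["Tunnel-Server-Auth-Id"]


def pairs_consistent(conn, username, trials=50):
    """Repeated requests may pick either LNS, but within one request both
    attributes are cut at the same position, so endpoint and auth-id never mix."""
    expected = {"192.0.2.10": "lns1", "192.0.2.20": "lns2"}
    return all(expected[ep] == aid
               for ep, aid in (lns_pair(conn, username) for _ in range(trials)))


if __name__ == "__main__":
    db = open_db()
    for _ in range(5):
        print(group_reply(db, "alice"))
    print("pairs consistent:", pairs_consistent(db, "alice"))
```

The derived table `(SELECT floor(1 + rand() * N) AS val) AS myrand` is evaluated once per statement, which is what gives every row of one reply the same index; a `rand()` written directly into the SELECT list would be evaluated per row and could hand the NAS endpoint 1 with auth-id 2. The LNS count is a parameter here so the two drawbacks the post names can be seen directly: in sql.conf it is a literal in the query, hence the restart, and a `;` inside any value would be mis-split.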
Re: new query verification in sql.conf
Jean Carlos Oliveira Guandalini wrote:

I did not explain correctly. I have a table in the database with mac-addresses registered. When the user connects, radius makes a verification in this table (on the database) comparing the mac-address of the user with the mac-addresses registered in the database; if the mac-address of the user is contained in the table (on the database), the user must not be able to connect.

I think you can try changing authorize_check_query to give a result only if the mac-address exists in your table. If you use chillispot, %i is the variable holding the mac-address of the client (CallingStationId). Hope this helps, ciao!

Sorry for my English. I use a translator! lol
Thanks
Jean

Subject:
From: [EMAIL PROTECTED]
Date: Wed, 14 Mar 2007 15:09:49 +0100
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

use huntgroups:

    ohnoyouwont   Calling-Station-ID == whatever, SQL-Group == suspended

where suspended is a group with Auth-Type reject.

Ivan Kalik
Kalik Informatika ISP

On 14/3/2007, Jean Carlos Oliveira Guandalini [EMAIL PROTECTED] wrote:

I use freeradius for authentication of pppoe wifi. I need to make a new sql query on a table with a list of mac-addresses: if the CallingStationId equals some mac-address in the table then it must not be allowed to connect. A mac-address blacklist system. I tried adding one query in sql.conf but it does not work. I find that it would be necessary to add a new function in rlm_sql.c, but I am not a skilled C programmer. Can somebody help me? Sorry for my English. Thanks Jean

--
Pierluigi Di Lorenzo
ePrometeus s.r.l
Re: new query verification in sql.conf
I did understand you well. We have the same thing, only with access phone numbers (mainly spammers) as Calling-Station-IDs that we want to ban. We also keep them in a table so they can be searched easily when someone calls and asks "why can't I connect when I have time on my account?", but in order to stop them connecting we append such entries to the huntgroups file. Works great and is far simpler than rewriting code.

Ivan Kalik
Kalik Informatika ISP

On 14/3/2007, Jean Carlos Oliveira Guandalini [EMAIL PROTECTED] wrote:

I did not explain correctly. I have a table in the database with mac-addresses registered. When the user connects, radius makes a verification in this table (on the database) comparing the mac-address of the user with the mac-addresses registered in the database; if the mac-address of the user is contained in the table (on the database), the user must not be able to connect.
Support for Cisco PIX
Hi,

Does FreeRADIUS support Level 15 authentication for Cisco PIX?

Regards,
Norman Zhang
Re: RE : EAP-TTLS outer identity accounting
An entry like:

    DEFAULT Realm == test, Autz-Type := sql-test
            User-Name = %{User-Name}

does add a new User-Name attribute with the proper value, but I still need a way to delete the anonymous@ entry, because I get Access-Accepts like this:

    Sending Access-Accept of id 134 to 192.168.0.5 port 5190
            User-Name := [EMAIL PROTECTED]
            User-Name := [EMAIL PROTECTED]

followed by Accounting-Requests that still contain the anonymous entry, so it is still using the oldest (first?) User-Name attribute. Is there any way at all to REMOVE already set attributes so they aren't re-sent to the NAS?

For that matter, shouldn't use_tunneled_reply = yes in the ttls module configuration have kept me from having this problem? I also have copy_request_to_tunnel set to yes, but I doubt that should be causing a problem like this.

On Wed, 14 Mar 2007 13:03:21 -0500 Sam Schultz [EMAIL PROTECTED] wrote:

On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur [EMAIL PROTECTED] wrote:

-----Original Message-----
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Sam Schultz
Sent: Wednesday 14 March 2007 17:13
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-TTLS outer identity accounting

On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok [EMAIL PROTECTED] wrote:

Sam Schultz wrote: This should be solvable by adding something like 'User-Name = %{User-Name}' to the DEFAULT entries in the users file, correct?

Yes.

One of my users file DEFAULT entries looks like this:

    DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u

However, FreeRADIUS tells me this:

    Error: Invalid operator for item User-Name: reverting to '=='

I assume I'm not supposed to forcibly change User-Name, so what attribute would I set to return the correct username to the NAS? I know there is a run-time variable %{reply:User-Name}; would I need to somehow update it with the correct value for User-Name instead?

Yes, by simply adding the User-Name = XXX to the reply items (that is to say, not on the first line). Try something like this:

This didn't make much sense at first, but I think I understand it now. What you're saying is that the first line is only for check items, which is why I couldn't set User-Name there. The second line and beyond then are for, what? Reply items ONLY, or check and reply items? Is this documented anywhere? I just did a quick check through the freeradius doc directory, and only found an rlm_fastusers document which didn't have anything to say about format restrictions.

    DEFAULT Realm == test, Autz-Type := sql-test
            User-Name=`%{User-Name}`

HTH,
Thibault
Re: Still having problem with FR-1.1.5
Hi Alan,

I downloaded freeradius-1.1.5 via cvs and compiled it on 14-03-2007 21:51 but I still have the same problem. I tried to compile freeradius-1.1.3 and I got the same output after radiusd -X. What do you suggest I do? Thanks for your help and your quick replies.

On Wed, 2007-03-14 at 15:00 +0100, Alan DeKok wrote:

adreas polyxronopoulos wrote: ... cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 radiusd ... However radiusd -X produces the following output: ...

    ==4258== Invalid free() / delete / delete[]
    ==4258==    at 0x481BFCF: free (vg_replace_malloc.c:235)
    ==4258==    by 0x494DCAF: try_dlopen (ltdl.c:3429)
    ==4258==    by 0x494E825: lt_dlopenext (ltdl.c:3504)
    ==4258==    by 0xD168: find_module_instance (modules.c:207)
    ==4258==    by 0xD959: setup_modules (modules.c:879)
    ==4258==    by 0x10E65: main (radiusd.c:965)
    ==4258==  Address 0x4E0CFD0 is 0 bytes inside a block of size 12 free'd
    ==4258==    at 0x481BFCF: free (vg_replace_malloc.c:235)
    ==4258==    by 0x494DC8C: try_dlopen (ltdl.c:3428)
    ==4258==    by 0x494E825: lt_dlopenext (ltdl.c:3504)
    ==4258==    by 0xD168: find_module_instance (modules.c:207)
    ==4258==    by 0xD959: setup_modules (modules.c:879)
    ==4258==    by 0x10E65: main (radiusd.c:965)

Hmm... that's a different issue inside of

Ok... I've committed a fix. A patch from the CVS head was pulled into 1.1.5, when it wasn't necessary.

Alan DeKok.
-- http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR supported attributes
Well... I can see in the source code (auth.c) that FR sends the reply:

    static int check_expiration(REQUEST *request)
    {
            VALUE_PAIR *check_item;
            VALUE_PAIR *vp;

            check_item = pairfind(request->config_items, PW_EXPIRATION);
            if (!check_item) return 0;

            /*
             *      Has this user's password expired?
             *
             *      If so, remove ALL reply attributes,
             *      and add our own Reply-Message, saying
             *      why they're being rejected.
             */
            if (((time_t) check_item->lvalue) <= request->timestamp) {
                    vp = pairmake("Reply-Message",
                                  "Password Has Expired\r\n",
                                  T_OP_ADD);
                    pairfree(&request->reply->vps);
                    request->reply->vps = vp;
                    return -1;
            }

            return 0;
    }

Or... should I check another file? CMIIW

PD

On 3/14/2007, Alan DeKok [EMAIL PROTECTED] wrote:

PD wrote: I think the same too... because expiration is not a new attribute. The expiration attribute itself is working fine; the only problem is no explanation to the user when the system rejects him/her.

You can edit the code to produce the message, or run the CVS head.

Alan DeKok.
-- http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: restricting users access to clients?
On Wed, 2007-03-14 at 16:08 -0300, Matt Ashfield wrote: Ok, the users file it is! Thanks! I guess I was hoping for a link to an example of some sort. Because the user who would be given access is not explicitly defined in the users file (the users are defined in LDAP), I'm not sure how to set up a rule for that person. Thanks again, Cheers Matt [EMAIL PROTECTED]

You would want to use the special username DEFAULT. (Check the man page for users(5).) What I did (although this might be slightly hackish) is I took a look at the attributes in the request that was being sent by the supplicant. I looked for attributes that were different between the wireless users and the network equipment users. For example, you might want to do something like:

    admin1  NAS-Port-Type == Virtual, Auth-Type = LDAP
    admin2  NAS-Port-Type == Virtual, Auth-Type = LDAP
    # This matches everyone else
    DEFAULT NAS-Port-Type == Virtual, Auth-Type := Reject
    # This will match all wireless users
    DEFAULT NAS-Port-Type == Wireless-802.11, Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able to log in via LDAP. You may need to configure some kind of Fall-Through if you want users to authenticate using some other mechanism in addition to LDAP. So this is not without its limitations, but this should give you some ideas to start from.

--
John Guthrie
[EMAIL PROTECTED]
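A small evaluator, added here as an example (not FreeRADIUS code), that models the users-file behaviour the replies in this thread, the EAP-TTLS outer-identity thread and the Expiration thread above all depend on: the first line of an entry holds the name and check items, indented continuation lines hold reply items, the first matching entry wins unless it sets Fall-Through, and an Expiration check item becomes a reject with a Reply-Message once the date is reached. The users text (the NAS-Port-Type rules from John's reply plus a constructed expiring account "bob"), the request dictionaries, the NOW timestamp and all function names are constructed for the example; it implements only the subset of the real syntax shown in these threads (no regex operators, no %u).

```python
"""Added example, not FreeRADIUS code: evaluates users-file entries against
a request the way the threads above describe (check items on line one,
reply items on continuation lines, Fall-Through, Expiration -> reject)."""
import re
import time
from dataclasses import dataclass, field


@dataclass
class Entry:
    name: str                                    # a user name or DEFAULT
    checks: list = field(default_factory=list)   # (attr, op, value) from line one
    replies: list = field(default_factory=list)  # (attr, op, value) from later lines


def _items(text):
    """Split 'A == x, B := y' into (attr, op, value) tuples."""
    out = []
    for piece in text.split(","):
        piece = piece.strip()
        for op in (":=", "==", "="):             # longest operators first
            if op in piece:
                attr, value = piece.split(op, 1)
                out.append((attr.strip(), op, value.strip().strip('"')))
                break
    return out


def parse_users(text):
    """A non-indented line starts an entry; an indented line adds reply
    items to the entry above it; '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            entries[-1].replies += _items(raw)
        else:
            parts = raw.split(None, 1)
            entries.append(Entry(parts[0], _items(parts[1]) if len(parts) > 1 else []))
    return entries


def _expand(value, request):
    """Expand %{Attr} from the request, as in 'User-Name = %{User-Name}'."""
    return re.sub(r"%\{([^}]+)\}", lambda m: str(request.get(m.group(1), "")), value)


def expired(value, now):
    """Expiration in 'Mar 14 2007' form: FreeRADIUS rejects once the expiry
    time is <= the request timestamp, so the named day itself is already out."""
    return time.mktime(time.strptime(value, "%b %d %Y")) <= now


def authorize(entries, request, now):
    """Return (config_items, reply_items) for a request: the files module
    pass followed by the expiration check from auth.c."""
    config, reply = {}, []
    for entry in entries:
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        if any(op == "==" and str(request.get(attr)) != value
               for attr, op, value in entry.checks):
            continue                              # a check item did not match
        for attr, op, value in entry.checks:
            if op == ":=" or (op == "=" and attr not in config):
                config[attr] = value              # := overrides, = only adds
        fall_through = False
        for attr, op, value in entry.replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, op, _expand(value, request)))
        if not fall_through:
            break                                 # first match wins
    if "Expiration" in config and expired(config["Expiration"], now):
        config["Auth-Type"] = "Reject"            # drop ALL reply items, say why
        reply = [("Reply-Message", "=", "Password Has Expired")]
    return config, reply


# Constructed users file: John's network-gear rules plus an expiring account
# that falls through to the wireless rule.
USERS = """\
admin1   NAS-Port-Type == Virtual, Auth-Type = LDAP
admin2   NAS-Port-Type == Virtual, Auth-Type = LDAP
# This matches everyone else on the network gear
DEFAULT  NAS-Port-Type == Virtual, Auth-Type := Reject
bob      Expiration := "Mar 14 2007"
         Fall-Through = Yes
# This will match all wireless users; the reply line returns the real User-Name
DEFAULT  NAS-Port-Type == Wireless-802.11, Auth-Type = LDAP
         User-Name = %{User-Name}
"""
ENTRIES = parse_users(USERS)
# Request time fixed to the afternoon of the day discussed in the thread.
NOW = time.mktime(time.strptime("Mar 14 2007 15:00", "%b %d %Y %H:%M"))

if __name__ == "__main__":
    for req in ({"User-Name": "admin1", "NAS-Port-Type": "Virtual"},
                {"User-Name": "eve", "NAS-Port-Type": "Virtual"},
                {"User-Name": "alice", "NAS-Port-Type": "Wireless-802.11"},
                {"User-Name": "bob", "NAS-Port-Type": "Wireless-802.11"}):
        print(req["User-Name"], authorize(ENTRIES, req, NOW))
```

Running it shows the four cases the threads care about: admin1 on the gear gets Auth-Type LDAP, an unlisted user on the gear hits the catch-all DEFAULT and is rejected, a wireless user gets LDAP plus a User-Name reply item carrying the real name (the continuation-line placement Thibault pointed to), and bob, whose Expiration is the current day, loses every reply item and gets only the Reply-Message, matching the auth.c logic quoted above.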