Re: PAM Radius Authentication
Hi, can you tell me how to run radius with pam? thanks

On 4/19/07, daniel [EMAIL PROTECTED] wrote:
> Ok, I have gotten pam_radius_auth.so to work and it is working well, however, is there any way to get it to create a UID when it receives an auth accept? At the moment I have to run adduser every time I want a user to be able to log in. This would be ok if the users were fairly static; I could run a script every night to add new users to the system. Unfortunately I have a lot of users and they need to be available immediately.
>
> Thanks for all your help so far.
>
> -Daniel Davis
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Best Regards
Reza Behroozi
http://reza.behroozi.info
http://www.persianadmins.ir
http://www.persianadmins.com
Re: Fedora 1.1.6 rpm build BROKEN
Jacob Jarick wrote:
> The deps have incorrect names, ie requests apache2-devel but fedora calls it httpd2-devel and so on.

The Redhat freeradius.spec file distributed with FreeRADIUS doesn't reference apache2-devel. If you're using the Redhat spec file, please ask them about fixing it.

> * The wiki glosses over a little and gives you an incorrect dir
> * the spec file expects 1.1.5 tar.gz

The Redhat spec file distributed with FreeRADIUS has the correct version number.

> # cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
> # rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

Oh... you're using the SUSE spec file on a REDHAT platform. Perhaps you could try using the REDHAT spec file on a REDHAT platform.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: 1.1.6 rpm build errors
Hi,

> Notes:
> * The wiki glosses over a little and gives you an incorrect dir
> * the spec file expects 1.1.5 tar.gz

yes, that has already been noted. simply edit the spec file to use the correct value.

> # tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
> # cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz
> # cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
> # rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

just confirm that you are running SUSE or RedHat/Fedora/CentOS ?

> [EMAIL PROTECTED] src]# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec
> sh: apxs2-prefork: command not found
> sh: apxs2-prefork: command not found
> sh: apxs2-prefork: command not found

okay. no apache devel tools installed.

> error: Failed build dependencies:
>         apache2-devel is needed by freeradius-1.1.5-0.generic.i386
>         db-devel is needed by freeradius-1.1.5-0.generic.i386
>         gettext-devel is needed by freeradius-1.1.5-0.generic.i386
>         mysql-devel is needed by freeradius-1.1.5-0.generic.i386
>         net-snmp-devel is needed by freeradius-1.1.5-0.generic.i386
>         openldap2-devel is needed by freeradius-1.1.5-0.generic.i386
>         postgresql-devel is needed by freeradius-1.1.5-0.generic.i386
>         unixODBC-devel is needed by freeradius-1.1.5-0.generic.i386

yep. it'll need all of these - IF you want a fully specced FreeRADIUS install. you can edit the SPEC file if you really want/need to have fewer features - simply edit the ./configure command etc and remove the dependencies that match those changes.

> now checking yum and smart --gui I do not see apache2-devel for starters.

correct distro for the spec file? how did you check with yum?

> So for the mean time I am back to compiling as rpm's are causing the issues they are famous for. If someone has some tips on resolving dependencies I will be interested. But I do not see why it needs apache2 headers anyway.

that'd be for the lovely FreeRADIUS apache authentication module mod_auth_radius most likely

alan
Re: Fedora 1.1.6 rpm build BROKEN
Hi,

> The deps have incorrect names, ie requests apache2-devel but fedora calls it httpd2-devel and so on.

argh!!! now it all makes sense. from your previous email you said

> cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/

why the ** would you be trying to use a SUSE spec file on a Fedora system??? Fedora is REDHAT. use the REDHAT spec file!

/freeradius-1.1.6/redhat/

look. not only the correct spec file, but also a nice init.d script so you can run it as a service upon boot. oh! and a nice logrotate script too.

I really can't see the problem here.

alan
Re: Fedora 1.1.6 rpm build BROKEN
hahaha sorry alan. Big mistake of mine, I am dyslexic and yer well there you go. I was reading suse as fedora (don't ask why). Sorry for the false alarm, I did check and double check but sometimes I never see the words right once I have mis-read them until someone else points it out.

So I should be using the redhat spec file for fedora correct ? - will try that asap.

On 4/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi, [...]
Re: 1.1.6 rpm build errors
Thanks again for the reply. Yes it was a mistake on my behalf, no one else's (I'm dyslexic and misread the suse as fedora). Thanks for catching me on that. Keep up the good work guys.

On 4/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi, [...]
Re: Fedora 1.1.6 rpm build BROKEN
Hi,

> So I should be using the redhat spec file for fedora correct ? - will

correct. SUSE is a very different beast to RedHat - as you have discovered

alan
Re: Fedora 1.1.6 rpm build BROKEN
Here is my updated install (now the same as the wiki's) and yes it works the way I expected. Swapping to 1.1.6 now, then back to figuring out LDAP :)

# cd /usr/src
# tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
# cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/
# cp freeradius-1.1.6/redhat/freeradius.spec /usr/src/redhat/SPECS/
# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

On 4/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi, [...]
Re: rlm_sql: readclients segmentation fault
Hi Alan,

On Wed, Apr 18, 2007 at 05:09:11PM +0200, Alan DeKok wrote:
> Ah. client_add() doesn't create the necessary structure. I've just fixed that.

== I can confirm it works (cool!)

However here is another bug report:):
* cvs head
* all NASes in nas table (clients.conf not used)
* sending HUP results in segmentation fault when re-building up internal clients structure:

rlm_sql (sql): Read entry nasname=IP_IN_NAS_TABLE,shortname=wlan-gw29,secret=DISABLED
rlm_sql (sql): Adding client IP_IN_NAS_TABLE (wlan-gw29) to clients list

Program received signal SIGSEGV, Segmentation fault.
0x40033e93 in rbtree_insertnode (tree=0x81f1c48, Data=0x8276748) at rbtree.c:248
248             result = tree->Compare(Data, Current->Data);
(gdb) bt
#0  0x40033e93 in rbtree_insertnode (tree=0x81f1c48, Data=0x8276748) at rbtree.c:248
#1  0x40033f87 in rbtree_insert (tree=0x81f1c48, Data=0x8276748) at rbtree.c:299
#2  0x0804e64b in client_add (clients=0x815bd28, client=0x8276748) at client.c:232
#3  0x4054ef98 in generate_sql_clients (inst=0x82694f0) at rlm_sql.c:338
#4  0x4054ff6d in rlm_sql_instantiate (conf=0x820a308, instance=0x82694e4) at rlm_sql.c:862
#5  0x080561e5 in find_module_instance (modules=0x8206a80, instname=0x820f728 "sql") at modules.c:307
#6  0x08057cf3 in do_compile_modsingle (parent=0x0, component=1, ci=0x820f708, filename=0x8079f48 "radiusd.conf", grouptype=0, modname=0xbfffe478) at modcall.c:1195
#7  0x08058308 in compile_modsingle (parent=0x0, component=1, ci=0x820f708, filename=0x8079f48 "radiusd.conf", modname=0xbfffe478) at modcall.c:1302
#8  0x0805671e in load_component_section (parent=0x0, cs=0x820f3c0, comp=1, filename=0x8079f48 "radiusd.conf") at modules.c:551
#9  0x08056bc0 in setup_modules (reload=1) at modules.c:927
#10 0x08055a9d in read_mainconfig (reload=1) at mainconfig.c:968
#11 0x08058ea2 in main (argc=2, argv=0xbbb4) at radiusd.c:540
#0  0x40033e93 in rbtree_insertnode (tree=0x81f1c48, Data=0x8276748) at rbtree.c:248
248             result = tree->Compare(Data, Current->Data);
(gdb) list
243             int result;
244
245             /*
246              *      See if two entries are identical.
247              */
248             result = tree->Compare(Data, Current->Data);
249             if (result == 0) {
250                     /*
251                      *      Don't replace the entry.
252                      */
(gdb) print Data
$1 = (void *) 0x8276748
(gdb) print Current->Data
Cannot access memory at address 0x29
==

if you need more debug output then let me know...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
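The crash above is a container being re-filled on HUP after its previous contents (including the Compare callback and root node) were torn down but never reset, so insertion dereferences stale memory. The following is an added example, not FreeRADIUS code: a minimal sorted client list with a comparison callback whose cleanup nulls every pointer and whose insert refuses to run on an uninitialised container, then a simulated reload. All identifiers (client_t, clients_t, clients_create, clients_init, clients_free, clients_add, simulate_reload) and the sample rows are hypothetical.

```c
/* Added example (not FreeRADIUS code): a client container whose callback is
 * installed at creation, cleared on cleanup and checked on insert, so that a
 * reload (HUP) can never walk a tree whose Compare pointer is stale. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct client_t {
    char ipaddr[16];            /* dotted-quad text, e.g. "192.0.2.10" */
    char shortname[32];
    struct client_t *next;
} client_t;

typedef struct clients_t {
    int (*compare)(const void *, const void *); /* set by init, NULL after free */
    client_t *head;                             /* sorted singly linked list */
    int count;
} clients_t;

static int client_cmp(const void *a, const void *b)
{
    return strcmp(((const client_t *)a)->ipaddr, ((const client_t *)b)->ipaddr);
}

/* "Create on creation": every pointer the insert path relies on is set here. */
int clients_init(clients_t *c)
{
    if (!c) return -1;
    c->compare = client_cmp;
    c->head = NULL;
    c->count = 0;
    return 0;
}

clients_t *clients_create(void)
{
    clients_t *c = calloc(1, sizeof(*c));
    if (c && clients_init(c) != 0) { free(c); return NULL; }
    return c;
}

/* "Re-set on cleanup": free the nodes, then clear head, callback and count so a
 * stale handle fails loudly instead of being walked by the next reload. */
void clients_free(clients_t *c)
{
    client_t *cur, *next;
    if (!c) return;
    for (cur = c->head; cur; cur = next) {
        next = cur->next;
        free(cur);
    }
    c->head = NULL;
    c->compare = NULL;
    c->count = 0;
}

/* Returns 1 on insert, 0 if the IP already exists (entry is not replaced),
 * -1 if the container is not initialised: no callback, no dereference. */
int clients_add(clients_t *c, const char *ipaddr, const char *shortname)
{
    client_t *n, **pp;
    if (!c || !c->compare) return -1;
    n = calloc(1, sizeof(*n));
    if (!n) return -1;
    snprintf(n->ipaddr, sizeof(n->ipaddr), "%s", ipaddr);
    snprintf(n->shortname, sizeof(n->shortname), "%s", shortname);
    for (pp = &c->head; *pp; pp = &(*pp)->next) {
        int r = c->compare(n, *pp);
        if (r == 0) { free(n); return 0; }
        if (r < 0) break;
    }
    n->next = *pp;
    *pp = n;
    c->count++;
    return 1;
}

/* The HUP path: tear down the old list, re-create it, reload from the NAS
 * table (constructed sample rows, one duplicate IP). Returns the resulting
 * client count, or -1 if the stale handle was usable between the two steps. */
int simulate_reload(clients_t *c)
{
    static const char *rows[][2] = {
        {"192.0.2.10", "wlan-gw29"}, {"192.0.2.11", "wlan-gw30"}, {"192.0.2.10", "dup"}
    };
    size_t i;
    clients_free(c);
    if (clients_add(c, "192.0.2.1", "stale") != -1) return -1; /* must be refused */
    if (clients_init(c) != 0) return -1;
    for (i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
        clients_add(c, rows[i][0], rows[i][1]);
    return c->count;
}
```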
rlm_ldap: ldap_search() failed: Operations error - advice please
Freeradius 1.1.3 installed via YUM on Fedora (not suse :P)
radiusd.conf: http://pastebin.ca/447690
radiusd -X -A output: http://pastebin.ca/447693
domain: tfxschool.internal
ADS: tfxschoolfs01.tfxschool.internal

Hi again people,

I have been poring through the O'Reilly LDAP book (quite informative so far too btw). I got the example of using freeradius against the linux passwd file working fine. I tried their Freeradius and OpenLDAP (now I know ADS isn't OpenLDAP btw) and it fails with the following message:

rlm_ldap: ldap_search() failed: Operations error

O'Reilly's one recommended for OpenLDAP (errors, possibly due to incorrect syntax ?):
filter = (&(objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))

Default filter (fails with same search error):
filter = (uid=%{Stripped-User-Name:-%{User-Name}})

I'm wondering if it is perhaps my basedn ? I'm still getting used to the idea of them; the user jacob (me) resides in the ou people FYI.
basedn = ou=people,dc=tfxschool,dc=internal

That's all my info atm. I'm currently compiling a 1.1.6 rpm (after Alan resolving my silly little mistake) and will test then report back as I feel it's more likely a config error than a bug :)

If someone else has a working radius setup that auths against AD using LDAP, would they mind sending me the ldap { } section? It would be very handy to compare my config to a working one.

Thanks all, keep up the good work.
rlm_perl: perl 5.6 segmentation fault when reloaded
Hi all,

I'm using cvs head on debian woody (historical reasons). I'm using rlm_perl module with perl 5.6:

`dpkg -l '*perl*'`
...
ii  libperl-dev    5.6.1-8.9
ii  libperl5.6     5.6.1-8.9
ii  libsnmp-perl   4.2.3-2
...

This version of perl is without ithreads and does not support multiplicity.

I experienced following behaviour when sending HUP to radius process:

Program received signal SIGSEGV, Segmentation fault.
0x404525dd in Perl_gv_fetchpv () from /usr/lib/libperl.so.5.6
(gdb) bt
#0  0x404525dd in Perl_gv_fetchpv () from /usr/lib/libperl.so.5.6
#1  0x4044d347 in perl_get_cv () from /usr/lib/libperl.so.5.6
#2  0x4044d4b6 in perl_call_pv () from /usr/lib/libperl.so.5.6
#3  0x4042a030 in _init () from /usr/lib/freeradius/rlm_perl-2.0.0-pre0.so
#4  0x08055e12 in free_mainconfig ()
#5  0x0804eec5 in cf_pair_free ()
#6  0x0804f1fc in cf_section_free ()
#7  0x0804f21b in cf_section_free ()
#8  0x0804f21b in cf_section_free ()
#9  0x080558c4 in read_mainconfig ()
#10 0x08058ee2 in main ()
#11 0x4024714f in __libc_start_main () from /lib/libc.so.6

Problem was localized to detach section of perl module and here is a dummy patch (do not call custom detach function as I do not need it...)

Index: src/modules/rlm_perl/rlm_perl.c === RCS file: /source/radiusd/src/modules/rlm_perl/rlm_perl.c,v retrieving revision 1.51 diff -u -r1.51 rlm_perl.c --- src/modules/rlm_perl/rlm_perl.c 17 Apr 2007 16:08:00 - 1.51 +++ src/modules/rlm_perl/rlm_perl.c 19 Apr 2007 07:47:51 - @@ -1258,6 +1258,7 @@ { dTHXa(inst-perl); #endif /* USE_ITHREADS */ +#if 0 PERL_SET_CONTEXT(inst-perl); { dSP; ENTER; SAVETMPS; @@ -1276,6 +1277,7 @@ FREETMPS; LEAVE; } +#endif #ifdef USE_ITHREADS } #endif

Hope this can help someone...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
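Review bot: the `+#if 0` ... `+#endif` pair disables PERL_SET_CONTEXT and the whole detach call for every build, including builds with ithreads and multiplicity where the backtrace shows no problem; since the report itself ties the crash to a perl 5.6 without ithreads or multiplicity, the guard should express that condition rather than `#if 0`, e.g. move the block under the existing `#ifdef USE_ITHREADS` that surrounds `dTHXa(inst-perl);`, or test that perl_get_cv() finds the detach sub before perl_call_pv() is reached. A bare `#if 0` with no comment also reads as dead code to the next maintainer, so a one-line comment stating why the call is skipped is needed either way.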
Re: Grouping after Kerberos 5 authentication accepted?
Jason Chan wrote:
> Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted?

You can configure things in the post-authentication phase.

> My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group).

Authentication is independent of grouping. Where are the user groups coming from? They're not in Kerberos.

See the FAQ for an example of performing some action based on a Unix group. See "man rlm_passwd" for configuring groups that exist only on the RADIUS server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
configurable failover segmentation fault when reloaded
Hi all,

here is another bug report (but don't worry; I'm running out of my bug reports):

I used to have following attr_rewrite in modules section:

attr_rewrite fix_sqlcounter_reply {
	attribute = Reply-Message
	searchin = reply
	searchfor = "Your maximum never usage time has been reached"
	replacewith = "LoginNoCredit"
	ignore_case = no
	new_attribute = no
	max_matches = 1
	append = no
}

and following configurable failover section under authorize:

group {
	noresetcounter {
		reject = 1
		ok = return
		noop = return
	}
	fix_sqlcounter_reply {
		ok = reject
	}
}
group {
	noresetcounterflat {
		reject = 1
		ok = return
		noop = return
	}
	fix_sqlcounter_reply {
		ok = reject
	}
}

...using cvs head I'm not using this config anymore since it was a silly workaround for an issue which was fixed differently. BUT it's the valid config and I want to point out that there is a bug when re-reading configuration containing failover sections after HUP. This bug causes segmentation fault:

Program received signal SIGSEGV, Segmentation fault.
0x4029bc1b in free () from /lib/libc.so.6
(gdb) bt
#0  0x4029bc1b in free () from /lib/libc.so.6
#1  0x4029baa3 in free () from /lib/libc.so.6
#2  0x0804ee49 in cf_data_free (cd=0xbfffe470) at conffile.c:187
#3  0x0804f194 in cf_section_free (cs=0xbfffe4a4) at conffile.c:343
#4  0x0804f1b3 in cf_section_free (cs=0xbfffe4d4) at conffile.c:337
#5  0x0804f1b3 in cf_section_free (cs=0x8079e50) at conffile.c:337
#6  0x0805570c in read_mainconfig (reload=1) at mainconfig.c:836
#7  0x08058d2a in main (argc=2, argv=0xbb94) at radiusd.c:540
(gdb) up
#1  0x4029baa3 in free () from /lib/libc.so.6
(gdb) up
#2  0x0804ee49 in cf_data_free (cd=0xbfffe470) at conffile.c:187
187             free((*cd)->name);
(gdb) list
182
183     static void cf_data_free(CONF_DATA **cd)
184     {
185             if (!cd || !*cd) return;
186
187             free((*cd)->name);
188             if (!(*cd)->free) {
189                     free((*cd)->data);
190             } else {
191                     ((*cd)->free)((*cd)->data);
(gdb) print (*cd)->name
$1 = 0x81fda70 "instance`"
(gdb) print (*cd)->item
$2 = {next = 0x0, parent = 0x807d800, lineno = 0, type = CONF_ITEM_DATA}
(gdb) print (*cd)->item->parent
$3 = (struct conf_part *) 0x807d800
(gdb) print (*cd)->item->parent->name1
$4 = 0x807d840 "attr_rewrite"
(gdb) print (*cd)->item->parent->name2
$5 = 0x807d858 "fix_sqlcounter_reply"
(gdb)
==

I wonder especially where the $1 = 0x81fda70 "instance`" comes from... This should probably be fixed before 2.0 is released...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
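The crash in free() with a name pointer that now reads "instance`" is the signature of freeing per-section data whose memory was already released and reused earlier in the same reload. The following is an added example, not FreeRADIUS code and not Alan's actual fix: a CONF_DATA-like record with an owner-supplied free callback, written so that the cleanup run on each HUP clears every pointer it releases, which makes a repeated free a no-op instead of heap corruption. All identifiers (conf_data, conf_section, cf_data_add, cf_data_free, cf_section_free_data, simulate_two_reloads, double_free_is_noop) and the sample instance data are hypothetical.

```c
/* Added example (not FreeRADIUS code): module data attached to a config
 * section, freed on reload in a way that cannot free the same pointer twice. */
#include <stdlib.h>
#include <string.h>

typedef struct conf_data {
    char *name;                   /* heap copy of the key, e.g. "instance" */
    void *data;                   /* opaque module instance data */
    void (*free_cb)(void *);      /* NULL means plain free() */
    struct conf_data *next;
} conf_data;

typedef struct conf_section {
    const char *name1;            /* e.g. "attr_rewrite" */
    const char *name2;            /* e.g. "fix_sqlcounter_reply" */
    conf_data *data;              /* list of attached entries */
} conf_section;

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Counts invocations of the module's own free routine (checked by the test). */
static int free_cb_calls = 0;
static void instance_free(void *p) { free_cb_calls++; free(p); }

/* Attach a copy of name plus data to a section. Returns 0 on success. */
int cf_data_add(conf_section *cs, const char *name, void *data,
                void (*free_cb)(void *))
{
    conf_data *cd = calloc(1, sizeof(*cd));
    if (!cd) return -1;
    cd->name = xstrdup(name);
    if (!cd->name) { free(cd); return -1; }
    cd->data = data;
    cd->free_cb = free_cb;
    cd->next = cs->data;
    cs->data = cd;
    return 0;
}

/* Free one entry. Every released pointer is cleared, and the caller's own
 * pointer is set to NULL, so a second call sees nothing left to free. */
void cf_data_free(conf_data **cd)
{
    if (!cd || !*cd) return;
    free((*cd)->name);
    (*cd)->name = NULL;
    if ((*cd)->data) {
        if ((*cd)->free_cb) (*cd)->free_cb((*cd)->data);
        else free((*cd)->data);
        (*cd)->data = NULL;
    }
    free(*cd);
    *cd = NULL;
}

/* Release all entries of a section; safe to run once per HUP, or more. */
void cf_section_free_data(conf_section *cs)
{
    while (cs->data) {
        conf_data *next = cs->data->next;
        cf_data_free(&cs->data);      /* leaves cs->data == NULL */
        cs->data = next;
    }
}

/* Two reloads of the attr_rewrite section from the report. Returns how often
 * the module's free routine ran: exactly 1 means no double free. */
int simulate_two_reloads(void)
{
    conf_section cs = { "attr_rewrite", "fix_sqlcounter_reply", NULL };
    char *inst = xstrdup("instance state");   /* constructed module data */
    free_cb_calls = 0;
    if (!inst) return -1;
    if (cf_data_add(&cs, "instance", inst, instance_free) != 0) {
        free(inst);
        return -1;
    }
    cf_section_free_data(&cs);                /* first HUP */
    cf_section_free_data(&cs);                /* second HUP: list already empty */
    return free_cb_calls;
}

/* The stale-handle case: the same variable passed to cf_data_free twice.
 * Returns 1 when the first call cleared it and the second was a no-op. */
int double_free_is_noop(void)
{
    conf_data *cd = calloc(1, sizeof(*cd));
    if (!cd) return 0;
    cd->name = xstrdup("instance");
    cf_data_free(&cd);
    if (cd != NULL) return 0;
    cf_data_free(&cd);                        /* *cd is NULL: nothing happens */
    return cd == NULL;
}
```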
Re: rlm_sql: readclients segmentation fault
Milan Holub wrote:
> However here is another bug report:):
> * cvs head
> * all NASes in nas table (clients.conf not used)
> * sending HUP results in segmentation fault when re-building up internal clients structure:

Ok... I've added more code to re-set pointers on cleanup, and create them on creation.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_ldap: ldap_search() failed: Operations error - advice please
Jacob Jarick wrote:
> I have been poring through the O'Reilly LDAP book (quite informative so far too btw). I got the example of using freeradius against the linux passwd file working fine. I tried their Freeradius and OpenLDAP (now I know ADS isn't OpenLDAP btw) and it fails with the following message:
>
> rlm_ldap: ldap_search() failed: Operations error

That's an internal LDAP error saying something went wrong, and it can't be more specific than that. I'm not sure what to suggest.

> If someone else has a working radius setup that auths against AD using LDAP, would they mind sending me the ldap { } section? It would be very handy to compare my config to a working one.

Google is your friend: freeradius ldap active directory

http://lists.cistron.nl/pipermail/freeradius-users/2004-August/035046.html

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
daniel wrote:
> If I use LDAP to authenticate with PAM and freeradius authenticates against LDAP as well, am I able to still store session details with LDAP?

I believe so, yes.

> I am trying to integrate my current hotspot database with my terminals so that users can authenticate on either using the same username and password. It is a ticket based system and they have a limited amount of time. This works fine on both systems with freeradius (mysql backend) but it is a pain to continually have to add users to /etc/passwd. This can all be administered through a set of PHP scripts.

That's why databases were invented.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Fedora 1.1.6 rpm build BROKEN
On Thu 19 Apr 2007, [EMAIL PROTECTED] wrote:
> Hi,
>
> > So I should be using the redhat spec file for fedora correct ? - will
>
> correct. SUSE is a very different beast to RedHat - as you have discovered

Erm.. Having said that, the SUSE spec file should and DOES build on Fedora as well. I have gone to quite some trouble to make it compatible with SUSE, Fedora and Mandriva.. The same is not true for the existing RedHat spec file..

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
how to configure
I need to configure my freeradius server as a proxy server to use it with windows IAS! I want the configuration of the files of freeradius which can permit me to do that!

my last configuration of these files is:

radiusd.conf
proxy_request = yes

proxy.conf
realm gie.local {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm DEFAULT {
	type = radius
	authhost = araignee.gie.local:1812
	accthost = araignee.gie.local:1813
	secret = parfait
	nostrip
}

Clients.conf
client 192.168.0.2 {
	secret = parfait
	shortname = araignee.gie.local
}

thanks for your help!
Re: rlm_ldap: ldap_search() failed: Operations error - advice please
After more research yet again (google / O'Reilly's / FR mailing list archives) I think it's one of these 2 scenarios.

1 - Anonymous Searches in Active Directory isn't working
2 - When I set:
# identity = cn=root,o=tfxschool,c=AU
# password = pass
the password should be encrypted. I have tried slappasswd but to no avail.

O'Reilly's showed me the anonymous way (which fails quite possibly due to win2k3 permissions) and the gentoo one actually shows you how to enable Anonymous Searches in Active Directory on windows 2000.

So yes, def ldap atm not FR. I will post a separate request asking about FR + win2k3 Allowing Anonymous Searches in Active Directory.

Gentoo howto: http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

On 4/19/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote: [...]
Re: configurable failover segmentation fault when reloaded
Milan Holub wrote:
> here is another bug report (but don't worry; I'm running out of my bug reports):

That's good to hear. I couldn't reproduce it, but I did track down and fix the underlying problem.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: how to configure
> i need to configure my freeradius server in proxy server to use it with windows IAS! i want the configuration of the files of freeradius which can permit me to do that!

We all want lots of things. Asking a bit more politely might help.

> my last configuration of these files is:
> radiusd.conf
> proxy_request = yes
> proxy.conf
> realm gie.local { [...] }
> realm DEFAULT { [...] }
> Clients.conf
> client 192.168.0.2 { [...] }

This snippet of config looks good, under the assumption that araignee.gie.local is resolvable on your DNS server and resolves to IP 192.168.0.2. Now, configure your FreeRADIUS server as a client on the IAS box so that IAS accepts the proxied requests, and, if applicable, open the required firewall ports.

BTW: do you actually have a _problem_? Nothing in your mail tells us where things don't work. The general, several-years-old and well-documented rule here is: post the debug output of radiusd -X if you have a problem. It will help people here figure out the problem.

Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]    Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
Re: Fedora 1.1.6 rpm build BROKEN
Unless I did something wrong mate it def doesn't build (dependencies have different names). On the topic though, 1.1.6 built fine from the redhat spec file; I am going to trial it once I'm done with testing this ldap search problem.

On 4/19/07, Peter Nixon [EMAIL PROTECTED] wrote:
> On Thu 19 Apr 2007, [EMAIL PROTECTED] wrote: [...]
Re: configurable failover segmentation fault when reloaded
Hi Alan,

On Thu, Apr 19, 2007 at 10:46:51AM +0200, Alan DeKok wrote:
> I couldn't reproduce it, but I did track down and fix the underlying problem.

== And I can confirm it's fixed.

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
Re: rlm_sql: readclients segmentation fault
Hi Alan,

On Thu, Apr 19, 2007 at 10:26:36AM +0200, Alan DeKok wrote:
> Ok... I've added more code to re-set pointers on cleanup, and create them on creation.

== and yes it helped! no segmentation fault anymore

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
Re: Fedora 1.1.6 rpm build BROKEN
On Thu 19 Apr 2007, Jacob Jarick wrote:
> Unless I did something wrong mate it def doesn't build (dependencies have different names).

Well, sorry. To be more clear, the latest version of the spec file which is used to build the rpms in opensuse does. I may have forgotten to commit this back to cvs. The rpms and source rpms which you may simply rebuild are at:

http://software.opensuse.org/download/network:/aaa/

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: how to configure
It's true! I had configured my FreeRADIUS server as a client on the IAS box, but my freeradius server, which I need to be a proxy server, doesn't transmit the requests of my switch. When I learned freeradius, I began by configuring it with the users file, and after that with a MySQL database. Then I want to configure it as a proxy server which can retransmit requests to IAS on windows server 2003. I don't want my freeradius to do authentication, I want it to be a proxy server. I have found some information on that which is not true. For the command radiusd -X it wrote "ready to process requests", and when I do my test my freeradius rejects the packets. I need configuration files (radiusd.conf, proxy.conf, clients.conf ...) to transform it into a proxy server. I use freeradius with eap-MD5, a Cisco Catalyst 2950 switch, and windows server 2003.

thanks for your help!

> From: Stefan Winter [EMAIL PROTECTED]
> Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: how to configure
> Date: Thu, 19 Apr 2007 10:54:38 +0200
>
> [...]
snmp accounting/statistic queries
Hi Alan,

snmp querying works great now. Thanks for that! However, I've also tried to query some MIBs from the RADIUS-ACC-SERVER-MIB.txt or RADIUS-STAT-MIB.txt files and it looks like freeradius does not react to them at all (no DEBUG activity with -X). (cvs head)

Working query (using MIBs from RADIUS-AUTH-SERVER-MIB.txt), example:

`snmpwalk -Cc -v 1 -m /devel/freeradius/cvs/work/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServUpTime`

Not working queries (examples):

`snmpwalk -Cc -v 1 -m /devel/freeradius/cvs/work/mibs/RADIUS-ACC-SERVER-MIB.txt -c verysecret localhost radiusAccServUpTime`
`snmpwalk -Cc -v 1 -m /devel/freeradius/cvs/work/mibs/RADIUS-STAT-MIB.txt -c verysecret localhost radiusStatUpTime`

I remember all MIBs worked a week before or so...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129, CH-3018 Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
Re: snmp accounting/statistic queries
Milan Holub wrote:
> I remember all MIBs worked a week before or so...

There was a missing bracket in smux.c.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: how to configure
You already have those files. What you need to do (if you really want help on this list) is to paste the output from radiusd -X so people can see what has gone wrong and tell you how to fix it. "freeradius reject the packets" can mean loads of things.

Ivan Kalik
Kalik Informatika ISP

On 19/4/2007, parfait nda [EMAIL PROTECTED] wrote:
> [snip]
Re: snmp accounting/statistic queries
Hi Alan,

On Thu, Apr 19, 2007 at 12:26:46PM +0200, Alan DeKok wrote:
> There was a missing bracket in smux.c.

== accounting MIBs now working:

    main: smux_password = verysecret
    main: snmp_write_access = yes
    SMUX connect try 1
    SMUX SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
    SMUX open progname: radiusd
    SMUX open password: verysecret
    SMUX SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
    SMUX register priority: -1
    SMUX register operation: 2
    SMUX SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
    SMUX register priority: -1
    SMUX register operation: 2

but statistics MIBs not registered/working yet...

Milan Holub
holub (at) thenet (dot) ch
Re: snmp accounting/statistic queries
Milan Holub wrote:
> but statistics MIBs not registered/working yet...

It's not implemented. It's also not a standard. It was added on the theory that we might do it one day, but perhaps not.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
On 4/19/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Rick Macdougall wrote:
> > Recompiled with --without-threads and it locks up hard on the first accounting request. And when I say locks up hard, I mean not even a kill -9 will stop it, I have to reboot the server.
>
> Are you sure your OS isn't buggy? It's a bad problem if kill -9 doesn't work. Maybe the process had a memory leak, allocated gigs of RAM, and was in the middle of dumping core. For reasons I've never understood, most OS's don't allow core dumping to be interruptible.

Pretty sure it's not the OS; it's a fully updated CentOS 4 distribution running on a Dell 1860 accessing a MySQL server running Fedora Core 3 on a Dell 760 (750 maybe? not sure, haven't looked at the MySQL servers in ages). All the other servers accessing the MySQL servers are running the exact same layout, with the same hardware, and have no problem accessing MySQL. The same machines were running Fedora Core 3 with FreeRadius 1.0.1 and had no problems connecting. The other servers include vpopmail machines with users stored in MySQL, SpamAssassin machines accessing bayes and user prefs in MySQL, web machines with php scripts, etc etc.

Rick
Re: Crypt passwords doesn't work
It works!!! Thank you very much!

Kevin Bonner wrote:
> html
>
> I almost ignored your message, as I don't parse HTML well. =)
>
> On Wednesday 18 April 2007 18:06:28 Sebastian Firpo wrote:
> > Thank you Kevin, but it didn't work. Now my entire users file is:
> >
> >     sebas   Crypt-Password := "(!lGOOlHaBWoQ"
> >             Service-Type = Administrative-User,
> >             Cisco-AVPair = "shell:priv-lvl=15"
> >
> > and then the debug was:
> >
> >     rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103, length=75
> >             NAS-IP-Address = 10.12.4.2
> >             NAS-Port = 1
> >             NAS-Port-Type = Virtual
> >             User-Name = "sebas"
> >             Calling-Station-Id = "10.11.1.25"
> >             User-Password = "hello"
> >
> > Another idea?? Thanks a lot, anyway.
>
>     $ perl -e 'print crypt("hello","(!") . "\n";'
>     (!BVoPlmea8cg
>
> Fix your Crypt-Password? How are you generating that encrypted string?
>
> -Kevin
suggestions for multiple vlans in hundreds of switches
Hi,

We'd like to use FR to assign users on our wired network to one of 30 different vlans on campus, based on an LDAP field. Currently, we are doing this with huntgroups. Namely, we create a huntgroup for the NAS (in our case, a network switch), and then in the users file, we put the following:

    DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
            User-Name=`%{User-Name}`,
            Tunnel-Private-Group-Id=176,
            Tunnel-Type=VLAN,
            Fall-Through = no

    DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == student
            User-Name=`%{User-Name}`,
            Tunnel-Private-Group-Id=177,
            Tunnel-Type=VLAN,
            Fall-Through = no

And so on... for other groups of users like faculty, admin, etc.

This seems to work. The issue is scale. I would conceivably have to have a huntgroup definition in the huntgroups file for each NAS. And if I wanted 30 vlans, I'd have to have 30 definitions like the ones above in my users file for EACH one of my NAS's. I'm sure there's a simpler way of doing things that I'm missing. Any advice is appreciated.

Thanks
Matt
[EMAIL PROTECTED]
Re: suggestions for multiple vlans in hundreds of switches
You could extend your LDAP schema and add a field for the VLAN a user should belong to. Then all you would need is to query that field and propagate the variable.

    Tunnel-Private-Group-Id=`%{private-vlan}`

On 4/19/07, Matt Ashfield [EMAIL PROTECTED] wrote:
> [snip]
Re: Crypt passwords doesn't work
On the topic of password encryption: Kevin, would you know how to encode a password for a Windows 2003 Active Directory server? I need a user with permission to do Active Directory searches; it tries atm but fails because the password is not encrypted. Even if you know what the encryption they use is, it would be a big help. Thanks.

On 4/19/07, Sebastian Firpo [EMAIL PROTECTED] wrote:
> [snip]
Re: suggestions for multiple vlans in hundreds of switches
Matt, how about the configuration that you have to have in the switch? Can you help me?

Robinson
[EMAIL PROTECTED]

On 4/19/07, Matt Ashfield [EMAIL PROTECTED] wrote:
> [snip]
Motorola Authentication
FreeRADIUS Users/Developers,

Does anyone use RADIUS to authenticate Motorola SMs? If so, I'm needing some information on how to accomplish this.

Thank you in advance!
Matt Neumark
How to use FreeRADIUS proxy to set an attribute value only if not provided by end RADIUS server ?
We would like to use FreeRADIUS (acting as a proxy server) to set the Primary-DNS-Server and Secondary-DNS-Server attributes in the auth response to the RADIUS client only if these attributes are not provided by the end RADIUS server (which we don't control). Is there any way to do this without making a FreeRADIUS source code change?

Thanks much,
John Butala
Senior Staff Engineer
Qwest
Radclient, -c flag = radclient.c:492: failed assertion `radclient->reply == NULL'
Hi,

Radclient works fine with almost everything except when you use the -c flag to specify that multiple copies of the same packet are sent.

    ---
    ./radclient -c 10 -x -f user radius1.susx.ac.uk auth xxx
    Sending Access-Request of id 205 to 139.184.14.180 port 1812
            User-Name = ac221
            User-Password =
    rad_recv: Access-Accept packet from host 139.184.14.180 port 1812, id=205, length=20
    radclient.c:492: failed assertion `radclient->reply == NULL'

Was looking forward to doing some crude benchmarking :(

Apart from that all seems well and good. Haven't noticed radiusd dying at random intervals or any other weirdness. Back ticks work for sql xlat like you said, and there is indeed a reference in the attributes documentation. :)

Just acquired a copy of THE C PROGRAMMING LANGUAGE, Second edition, which I am assured is the best book for learning C. So you might actually see bug fixes some time soon instead of just bug reports ;)

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
RE: Grouping after Kerberos 5 authentication accepted?
Thank you Alan. I read the documentation and now I'm able to use Kerberos and MySQL along with FreeRadius. Thank you for your help.

However, I'm stuck in the last part of the project, which is to reply to the access request with the assigned attributes. For example, Kerberos successfully authenticates admin/admin (yes, I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the post-auth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store this attribute information in the radreply table and leave the other tables empty. So, I edited the postauth_query in sql.conf:

    postauth_query = "SELECT id, UserName, Attribute, Value, op \
                      FROM ${authreply_table} \
                      WHERE Username = '%{SQL-User-Name}' \
                      ORDER BY id"

I can't get the 'Service-Type = Administrative-User' in the accept-reply packet. Am I missing something here? Any help would be appreciated.

Regards,
Jason

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 19, 2007 10:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Grouping after Kerberos 5 authentication accepted?

Jason Chan wrote:
> You are correct, the grouping doesn't come from Kerberos. I'm going to build a mysql database in the FreeRadius server to handle all the grouping/permissions. What fields do I need for the database? I searched on the FreeRadius website and I can't find any information related to SQL.

See the doc directory. There are schemas and examples.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: suggestions for multiple vlans in hundreds of switches
I was afraid someone would say that! Haha

Matt

-----Original Message-----
From: Donny Jekels [mailto:[EMAIL PROTECTED]]
Sent: April 19, 2007 10:57 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: suggestions for multiple vlans in hundreds of switches

You could extend your LDAP schema and add a field for the VLAN a user should belong to. Then all you would need is to query that field and propagate the variable.

    Tunnel-Private-Group-Id=`%{private-vlan}`

On 4/19/07, Matt Ashfield [EMAIL PROTECTED] wrote:
> [snip]
RE: suggestions for multiple vlans in hundreds of switches
Yeah, there's that too. We need to create these vlans within the edge switches as well. Once created, you shouldn't have to touch them again. Or you don't create them at the edge, and instead just create them in the core; however, that kind of kills the advantage of extending your vlans to the edge.

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-----Original Message-----
From: robinson santos [mailto:[EMAIL PROTECTED]]
Sent: April 19, 2007 12:31 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: suggestions for multiple vlans in hundreds of switches

Matt, how about the configuration that you have to have in the switch? Can you help me?

Robinson
[EMAIL PROTECTED]

On 4/19/07, Matt Ashfield [EMAIL PROTECTED] wrote:
> [snip]
Re: suggestions for multiple vlans in hundreds of switches
Hi,

> This seems to work. The issue is scale. I would conceivably have to have a huntgroup definition in the huntgroups file for each NAS. And if I wanted 30 vlans, I'd have to have 30 definitions like the ones above in my users file for EACH one of my NAS's.

That would depend on what scale this would have to go to. Certainly if each switch were to have different VLANs for each of the types of users, eg

    switch 1: vlan 200 for staff, vlan 201 for researchers
    switch 2: vlan 300 for staff, vlan 301 for researchers

this would get very big very quickly. However, if each switch only needs to feed the same VLAN depending on the class of user - ie those 30 VLANs are the same on each switch - then you can simply define a normal huntgroup for the switches, eg in $place/raddb/huntgroups:

    my-switches   NAS-IP-Address == 231.123.241.123
    my-switches   NAS-IP-Address == 231.123.241.124
    my-switches   NAS-IP-Address == 231.123.241.125
    my-switches   NAS-IP-Address == 231.123.241.126

etc etc. Then, in your example, the entry looks like

    DEFAULT Huntgroup-Name == my-switches, Ldap-Group == student
            User-Name=`%{User-Name}`,
            Tunnel-Private-Group-Id=177,
            Tunnel-Type=VLAN,
            Fall-Through = no

(plus the others for each class of user).

A 'clear scale' way would otherwise be to have an SQL table which defines each VLAN for each Ldap-Group for each switch (or NAS), and use Perl or Python to extract that info and return the attributes based on the request.

alan
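The table-driven approach in the last paragraph above, as an added example that is not from this thread or from FreeRADIUS itself: one SQL table keyed on (NAS, LDAP group) yields the VLAN, looked up with a bound-parameter query, and a "*" NAS row stands in for "same VLAN on every switch" (the single-huntgroup case above), so it covers both layouts alan describes in one lookup. The table name switch_vlan, its columns, the sample rows, the "*" convention and the in-memory SQLite database are all assumptions made here; handing the returned (name, value) pairs to rlm_python or rlm_perl is left to the deployment. A user with no row for that switch gets None so the caller can reject instead of letting the port fall into the switch's default VLAN.

```python
"""Added example (not from the thread or from FreeRADIUS): VLAN lookup keyed on
(NAS, LDAP group) from one SQL table, plus the reply attributes to return.

Assumptions: the table name switch_vlan, its columns, the sample rows, the
"*" wildcard convention and the in-memory SQLite database are all constructed
for this example."""
import sqlite3

# Constructed sample of the table alan describes: one row per (switch, LDAP
# group).  nas_ip = "*" is an assumed convention meaning "any switch", which
# covers the "same VLANs on every switch" case otherwise handled by a single
# huntgroup.
SAMPLE_ROWS = [
    # nas_ip            ldap_group   vlan
    ("231.123.241.123", "staff",     176),
    ("231.123.241.123", "student",   177),
    ("231.123.241.124", "staff",     300),
    ("231.123.241.124", "student",   301),
    ("231.123.241.124", "guest",     998),  # per-switch override
    ("*",               "guest",     999),  # global default for guests
]


def build_db(rows=SAMPLE_ROWS):
    """Create the constructed lookup table in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE switch_vlan ("
        "  nas_ip TEXT NOT NULL, ldap_group TEXT NOT NULL, vlan INTEGER NOT NULL,"
        "  PRIMARY KEY (nas_ip, ldap_group))"
    )
    db.executemany("INSERT INTO switch_vlan VALUES (?, ?, ?)", rows)
    return db


def lookup_vlan(db, nas_ip, ldap_group):
    """Return the VLAN id for this switch and group, or None if no row matches.

    An exact nas_ip row wins over a "*" row.  Bound parameters (not string
    formatting) are used, so attribute values copied from the request cannot
    change the query."""
    row = db.execute(
        "SELECT vlan FROM switch_vlan"
        " WHERE ldap_group = ? AND nas_ip IN (?, '*')"
        " ORDER BY CASE WHEN nas_ip = '*' THEN 1 ELSE 0 END"
        " LIMIT 1",
        (ldap_group, nas_ip),
    ).fetchone()
    return row[0] if row else None


def vlan_reply(db, nas_ip, ldap_group):
    """Reply attributes matching the users-file entries in the thread, as
    (name, value) pairs, or None when the user has no VLAN on this switch
    (the caller should reject rather than let the port fall into the switch's
    default VLAN).  Tunnel-Medium-Type = IEEE-802 is the RFC 3580 companion
    attribute that the thread's entries omit; many switches ignore the VLAN
    assignment without it."""
    vlan = lookup_vlan(db, nas_ip, ldap_group)
    if vlan is None:
        return None
    return (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan)),
    )


if __name__ == "__main__":
    db = build_db()
    print(vlan_reply(db, "231.123.241.123", "student"))   # VLAN 177
    print(vlan_reply(db, "231.123.241.123", "faculty"))   # None: no mapping
```

The ORDER BY clause is what makes a per-switch row take precedence over the "*" row; dropping it would make the choice between the two rows arbitrary.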
Re: Grouping after Kerberos 5 authentication accepted?
I have been following your thread and am interested to find out how you get freeradius to do authentication with Kerberos. Any config examples would be helpful.

On 4/18/07, Jason Chan [EMAIL PROTECTED] wrote:
> Hello,
>
> Is it possible for FreeRadius to perform grouping after Kerberos authentication is accepted? My company has many switches and servers and we use Kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. allow telnet to the switch if the user belongs to the 'switch administrator' group). I've looked in the huntgroups file but it seems to require a lot of work for a very large company (5000+ users), and the problem is we can't touch the Kerberos server. Any help would be appreciated.
>
> Thank you
>
> Regards,
> Jason
Re: Crypt passwords doesn't work
On Thursday 19 April 2007 10:42:30 Jacob Jarick wrote:
> On the topic of password encryption: Kevin, would you know how to encode a password for a Windows 2003 Active Directory server? I need a user with permission to do Active Directory searches; it tries atm but fails because the password is not encrypted. Even if you know what the encryption they use is, it would be a big help. Thanks.

Win2k3? Never used it before. Active Directory? Ditto. =-)

Maybe [1] or [2] will help push you in the right direction.

Kevin Bonner

[1] http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
[2] http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html
RE: Grouping after Kerberos 5 authentication accepted?
I'm using Red Hat Enterprise Linux and here are my steps to set up FreeRadius:

1) Make SURE you have installed MIT Kerberos on your Linux (krb5 packages)
2) Configure realm, KDC servers, etc... for your Linux (system-config-authentication for Red Hat)
3) Install FreeRadius
4) Make SURE you have the rlm_krb5 modules in /usr/local/lib
5) Open and edit /usr/local/etc/raddb/radiusd.conf:

   Add the following in modules {...} (around line 580)

       # Kerberos 5 module
       krb5 {
           authtype = Kerberos
       }

   And the following in authenticate {...} (around line 1920)

       Auth-Type Kerberos {
           krb5
       }

   Add the following in the users file

       DEFAULT Auth-Type := Kerberos

It should work. If radiusd complains about Pre-Auth failed, then double check your Linux Kerberos settings.

-----Original Message-----
From: Donny Jekels [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 19, 2007 3:20 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: Grouping after Kerberos 5 authentication accepted?

I have been following your thread and am interested to find out how you get freeradius to do authentication with Kerberos. Any config examples would be helpful.

On 4/18/07, Jason Chan [EMAIL PROTECTED] wrote:
> [snip]
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Ok, I've taken out the SQL accounting completely, left in the SQL authentication, and the problem still persists.

On accounting packets with threads disabled, the accounting process stops completely after one packet; on accounting packets with threads enabled, the accounting process reports the maximum number of threads has been reached. Attempting to stop radiusd when this situation is reached results in a zombied radiusd.

One other thing I noticed running it under strace is that something (perhaps libmysql) is trying to open /etc/my.cnf even though we are using a remote MySQL server.

Any ideas now? Anything else I should be looking at?

Rick
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Well, I went through everything in the accounting { } section and the problem turns out to be radutmp. Any reason this might be a problem? The file gets created but never written to. If I comment it out of accounting { }, then everything, including mysql records being written, works just fine.

Regards,
Rick
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
On Thu 19 Apr 2007, Rick Macdougall wrote:
> Well, I went through everything in the accounting { } section and the problem turns out to be radutmp. Any reason this might be a problem? The file gets created but never written to. If I comment it out of accounting { }, then everything, including mysql records being written, works just fine.

Ahh.. Yes. I have seen similar issues long ago with radutmp now that you mention it. I simply delete it by default, so I hadn't noticed it again for years...

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Radclient, -c flag = radclient.c:492: failed assertion `radclient->reply == NULL'
Arran Cudbard-Bell wrote:
> Radclient works fine with almost everything except when you use the -c flag to specify that multiple copies of the same packet are sent.

I have a fix I'll be committing tomorrow.

> Was looking forward to doing some crude benchmarking :(

Last week it was slower than 1.x. It's now about 20% faster.

> Apart from that all seems well and good. Haven't noticed radiusd dying at random intervals or any other weirdness.

It still needs fixes to properly handle HUP. Other server software I've looked at doesn't really handle HUP. Apache has a master process that forks off child processes. On HUP, all the children exit, and the master forks off new children.

In RADIUS, we have state we have to maintain (request/response packets). So the Apache approach won't work. This makes any solution much more difficult.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Grouping after Kerberos 5 authentication accepted?
Jason Chan wrote:
> For example, Kerberos successfully authenticates admin/admin (yes, I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the post-auth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store this attribute information in the radreply table and leave the other tables empty. So, I edited the postauth_query in sql.conf:

I think for historical reasons, you have to perform the query in the authorize section.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Rick Macdougall wrote:
> Well, I went through everything in the accounting { } section and the problem turns out to be radutmp. Any reason this might be a problem? The file gets created but never written to. If I comment it out of accounting { }, then everything, including mysql records being written, works just fine.

Weird. I haven't run into any problems with radutmp on my system.

radutmp tries to lock the utmp file, so if one thread gets blocked, it may stop other threads, too. I would double-check the file permissions, etc. on the radutmp file, and on the directory it's in.

Or, you may be mounting the radutmp file over NFS. That would explain the process being un-killable when something goes wrong. Most NFS implementations do things like mark the process as being in the kernel when certain NFS operations happen. When NFS blocks, the process can't be killed, because you can't kill the running kernel, right? This is arguably a kernel bug, just like core dumps can't be stopped via CTRL-C.

I've run into both situations in the past. And yes, I've had to reboot my system because some process was using a file over NFS, and something went wrong.

The solution is to *not* mount the log directory over NFS. In fact, *all* of the files needed by FreeRADIUS should be on local disk. If they're not, the process may block completely when NFS goes away. During this time, the process will likely be unkillable.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
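A check for the advice in the last paragraph above, as an added example that is not from this thread or from FreeRADIUS: it resolves each path FreeRADIUS locks or writes to the mount it lives on (longest-prefix match over /proc/mounts) and reports the ones that sit on a network filesystem. The path list, the set of filesystem types treated as network-backed and the /proc/mounts sample are assumptions constructed here; check_live() runs the same logic against the real /proc/mounts on a Linux host.

```python
"""Added example (not from the thread or from FreeRADIUS): find which of the
files FreeRADIUS locks or writes are on a network filesystem.

The path list, the set of filesystem types treated as network-backed and the
/proc/mounts sample below are constructed assumptions for this example."""
import posixpath

# Filesystem types where a server stall can leave the locking process stuck
# in the kernel, as described above (assumed list; extend for your site).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smbfs", "afs", "fuse.sshfs", "9p"}

# Paths FreeRADIUS 1.x typically locks or appends to (assumed defaults).
RADIUS_PATHS = (
    "/var/log/radius/radutmp",
    "/var/log/radius/radius.log",
    "/var/log/radius/radacct",
    "/var/run/radiusd/radiusd.pid",
    "/etc/raddb",
)

# Constructed /proc/mounts: root and /var local, the log directory on NFS.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/sda2 /var ext3 rw,data=ordered 0 0
filer:/export/radlog /var/log/radius nfs rw,vers=3,addr=10.0.0.5 0 0
none /proc proc rw 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines into (mount_point, fstype) pairs.
    /proc/mounts escapes a space in a path as the octal sequence \\040;
    decode it so mount points containing spaces still match."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mount_point = fields[1].replace("\\040", " ")
        mounts.append((mount_point, fields[2]))
    return mounts


def mount_for(path, mounts):
    """Return the (mount_point, fstype) whose mount point is the longest prefix
    of path, i.e. the filesystem the path actually lives on; None if nothing
    matches (only possible when "/" is absent from the list)."""
    norm = posixpath.normpath(path)
    best = None
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if norm == mount_point or norm.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, fstype)
    return best


def network_backed(paths, mounts):
    """Map each path that lives on a network filesystem to its (mount_point, fstype)."""
    flagged = {}
    for path in paths:
        found = mount_for(path, mounts)
        if found is not None and found[1] in NETWORK_FS:
            flagged[path] = found
    return flagged


def check_live(paths=RADIUS_PATHS):
    """Run the check against the host's real /proc/mounts (Linux only)."""
    with open("/proc/mounts") as fh:
        return network_backed(paths, parse_mounts(fh.read()))


if __name__ == "__main__":
    for path, (mount_point, fstype) in sorted(check_live().items()):
        print(f"{path}: on {fstype} mount {mount_point}; move it to local disk")
```

On the constructed sample, the three files under /var/log/radius are flagged and the pid file and raddb directory are not; a clean run of check_live() on a production server returns an empty dict.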
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
You are right on with the NFS locking issue. I believe that is exactly the problem; my only concern now is why it happens with CentOS 4.x and not with Fedora Core 3.

More info in the morning as I'm currently having a beer (or 4) and watching the Hockey playoffs.

Thanks for the help.

Regards,

Rick

PS - If you don't remember who I am, check out the old cistron list mailings.

On 4/19/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Rick Macdougall wrote:
> > Well, I went through everything in the accounting { } and the problem turns out to be radutmp. Any reason this might be a problem? The file gets created but never written to. If I comment it out of the accounting { }, then everything, including mysql records being written, works just fine. Weird.
>
> I haven't run into any problems with radutmp on my system. radutmp tries to lock the utmp file, so if one thread gets blocked, it may stop other threads, too.
>
> I would double-check the file permissions, etc. on the radutmp file, and on the directory it's in.
>
> Or, you may be mounting the radutmp file over NFS. That would explain the process being un-killable when something goes wrong. Most NFS implementations do things like mark the process as being in the kernel when certain NFS operations happen. When NFS blocks, the process can't be killed, because you can't kill the running kernel, right? This is arguably a kernel bug, just like core dumps can't be stopped via CTRL-C.
>
> I've run into both situations in the past. And yes, I've had to reboot my system because some process was using a file over NFS, and something went wrong.
>
> The solution is to *not* mount the log directory over NFS. In fact, *all* of the files needed by FreeRADIUS should be on local disk. If they're not, the process may block completely when NFS goes away. During this time, the process will likely be unkillable.
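Added example, not code from the thread or from FreeRADIUS: a small POSIX shell check for the advice in Alan's message (quoted again in Rick's reply) that every file radiusd touches at run time must be on local disk. It reports the filesystem type backing each path, flags network filesystems whose I/O can block uninterruptibly, and, where util-linux `flock` is available, tries to take the same kind of exclusive lock radutmp needs, with a timeout, so a lock that is already wedged shows up as LOCKED instead of hanging the check. The default path list under /var/log/radius, /etc/raddb and /var/run/radiusd is an assumption; adjust it to your build prefix. GNU/BusyBox `stat -f` is assumed, so this is a Linux check.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): make sure the files
# radiusd needs at run time live on local disk, so a hung NFS server cannot
# wedge a worker thread in an uninterruptible lock (the radutmp symptom).

# Print the filesystem type backing a path. The nearest existing ancestor
# is used, so a not-yet-created radutmp is judged by its directory.
fs_type() {
    p=$1
    while [ ! -e "$p" ]; do
        p=$(dirname "$p")
    done
    stat -f -c %T "$p"
}

# True (0) when the type is a network filesystem that can block forever.
# The list is an assumption covering the common cases, not exhaustive.
is_network_fs() {
    case "$1" in
        nfs|nfs4|cifs|smb2|smbfs|fuse.sshfs|afs|9p|ceph|glusterfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Try to take an exclusive lock on an existing file with a 2 s timeout.
# A timeout means another process (or a dead lock daemon) holds it.
lock_check() {
    if ! command -v flock >/dev/null 2>&1; then
        echo "  (flock not available, skipping lock test)"
        return 0
    fi
    flock -w 2 -x "$1" true
}

# Examine one path. Returns 0 if local (or absent but on a local fs),
# 1 if it sits on a network filesystem, 2 if the lock could not be taken.
check_path() {
    t=$(fs_type "$1")
    if is_network_fs "$t"; then
        echo "NETWORK  $1 ($t)"
        return 1
    fi
    if [ ! -e "$1" ]; then
        echo "absent   $1 (would be on $t)"
        return 0
    fi
    if [ -f "$1" ] && ! lock_check "$1"; then
        echo "LOCKED   $1 ($t)"
        return 2
    fi
    echo "ok       $1 ($t)"
    return 0
}

# Default FreeRADIUS 1.x paths (assumed); pass your own as arguments.
main() {
    rc=0
    if [ $# -eq 0 ]; then
        set -- /var/log/radius/radutmp /var/log/radius/radacct \
               /var/log/radius/radius.log /etc/raddb /var/run/radiusd
    fi
    for p in "$@"; do
        check_path "$p" || rc=1
    done
    return $rc
}

main "$@"
```

Run it as the user radiusd runs as, since a permission problem on radutmp or its directory (Alan's first suggestion) shows up as a failed lock here too; a non-zero exit means at least one path is on a network filesystem or could not be locked.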
