Re: High load after restart

2007-06-27 Thread Alan DeKok
Brian Walters wrote: Has anyone noticed high processor loads after restarting freeradius 1.1.3 or 1.1.6? I've noticed this on Debian as well as CentOS 4.5. After sending it a HUP? Yes. Don't send it a HUP. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: 2.0.0 documentation for radiusd.conf

2007-06-27 Thread Alan DeKok
Hugh Messenger wrote: ... I like this new unlang. Thanks. It makes me much more confident in releasing a 2.0 that is *much* better than 1.1. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Alan DeKok
Hugh Messenger wrote: I said: 2) Where can I find the sqlippool schema in 2.0.0? It's in the Postgresql schema file, but not in MySQL. ... It seems to want %{check:Pool-Name}. Which is weird in itself, because 'man unlang' doesn't mention a 'check' list type, it should be 'request'.

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, Hugh Messenger wrote: I'm slowly getting there with my 2.0.0 install. Couple of sqlippool questions: 1) The sqlippool.conf file has this at the end: ## Uncomment the appropriate config file for your SQL dialect # $INCLUDE ${confdir}/sql/mysql-dialup.conf $INCLUDE

Re: Question about dictionnary

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, [EMAIL PROTECTED] wrote: There is a redback dictionary included with freeradius (do locate redback to find it). I would check that attributes they want to use are missing before replacing it (you do have a file to replace it with?). Additionally, if there are new RedBack

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, Alan DeKok wrote: Hugh Messenger wrote: I said: 2) Where can I find the sqlippool schema in 2.0.0? It's in the Postgresql schema file, but not in MySQL. ... It seems to want %{check:Pool-Name}. Which is weird in itself, because 'man unlang' doesn't mention a

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, Hugh Messenger wrote: I said: 2) Where can I find the sqlippool schema in 2.0.0? I went ahead and used the same schema from 1.1.6, seems to be OK. But I'd still like to know where to find it documented, for next time I need it. From now on (20 min ago), MySQL should be

Spliting National International

2007-06-27 Thread Liam Farr
Hi, Is there an easy way to separate accounting for national and international traffic with freeradius? (National traffic is charged at a lower rate per GB than international). Any suggestions would be appreciated. Cheers Liam

NAS-IP-Address - localhost

2007-06-27 Thread Rascher, Markus
Hi All, I have a problem with the radius-Attribute NAS-IP-ADDRESS. I use freeradius with pam_radius and a mysql-DB. If I want to ssh-login on the machine, freeradius runs, the nas-ip is 127.0.0.1. It's correct, but the database does not know 127.0.0.1. It knows the real ip and therefore my

Re: Spliting National International

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, Liam Farr wrote: Hi, Is there an easy way to separate accounting for national and international traffic with freeradius? (National traffic is charged at a lower rate per GB than international). National and International VoIP traffic.. yes.. just check for the country

Re: NAS-IP-Address - localhost

2007-06-27 Thread Arran Cudbard-Bell
Rascher, Markus wrote: Hi All, I have a problem with the radius-Attribute NAS-IP-ADDRESS. I use freeradius with pam_radius and a mysql-DB. If I want to ssh-login on the machine, freeradius runs, the nas-ip is 127.0.0.1. It's correct, but the database does not know 127.0.0.1. It knows the

Easy way to detect EAP

2007-06-27 Thread Arran Cudbard-Bell
Is there a more reliable method of detecting EAP than checking for the presence of an EAP-Message, I heard mention of an EAP-Type attribute... guessing this is set by the EAP module in authorize ? Is this a control attribute ? -- Arran Cudbard-Bell ([EMAIL PROTECTED]) Authentication,

Re: Spliting National International

2007-06-27 Thread Liam Farr
Hi, All data / traffic, not just voip. I guess it would have to be done by the route somehow? Cheers Liam On 27/06/07, Peter Nixon [EMAIL PROTECTED] wrote: On Wed 27 Jun 2007, Liam Farr wrote: Hi, Is there an easy way to separate accounting for national and international traffic with

radclient with -S option

2007-06-27 Thread Diana Robert
hi, if we are going to use -S option in radclient, what should be the format of that shared secret file. thanks

Re: FreeRadius Certificate Problem

2007-06-27 Thread Dead6re
Wow thanks, I wish I had thought of remaking the serial file after the root certificate was made. Bryant Marsh wrote: To Dead6re, I fixed it by copying the serial file again from the scripts directory immediately after the root certificate was created, but before the client

Re: Spliting National International

2007-06-27 Thread Arran Cudbard-Bell
Liam Farr wrote: Hi, All data / traffic, not just voip. I guess it would have to be done by the route somehow? Cheers Liam On 27/06/07, *Peter Nixon* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: On Wed 27 Jun 2007, Liam Farr wrote: Hi, Is there an easy

Re: Spliting National International

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, Liam Farr wrote: Hi, All data / traffic, not just voip. I guess it would have to be done by the route somehow? This information is very unlikely to be available via RADIUS accounting. Your NAS (or your border routers or core switches) may however support netflow, sflow or

Re: Spliting National International

2007-06-27 Thread Arran Cudbard-Bell
Peter Nixon wrote: On Wed 27 Jun 2007, Liam Farr wrote: Hi, All data / traffic, not just voip. I guess it would have to be done by the route somehow? It's still a really evil thing to do IMO, goes against the very nature of the interweb :\ -- Arran Cudbard-Bell ([EMAIL PROTECTED])

Re: Easy way to detect EAP

2007-06-27 Thread Phil Mayers
On Wed, 2007-06-27 at 09:58 +0100, Arran Cudbard-Bell wrote: Is there a more reliable method of detecting EAP than checking for the presence of an EAP-Message, I heard mention of an EAP-Type attribute... guessing this is set by the EAP module in authorize ? EAP-Type is an internal server

Re: Easy way to detect EAP

2007-06-27 Thread Arran Cudbard-Bell
Phil Mayers wrote: On Wed, 2007-06-27 at 09:58 +0100, Arran Cudbard-Bell wrote: Is there a more reliable method of detecting EAP than checking for the presence of an EAP-Message, I heard mention of an EAP-Type attribute... guessing this is set by the EAP module in authorize ? EAP-Type is an

Re: Spliting National International

2007-06-27 Thread Liam Farr
Hi, PMACCT seems interesting, I assume I could setup a Linux router that supports one of those protocols? My ISP just provides me with a single connection with both national and international piped down it. Cheers Liam On 27/06/07, Peter Nixon [EMAIL PROTECTED] wrote: On Wed 27 Jun 2007,

Banning users in a nice way...

2007-06-27 Thread Arran Cudbard-Bell
Hi, Being a nice friendly openish institution, and not wanting to overload our helpdesk staff with hundreds of users trying to set up their laptops, we decided to make registration, a self service kind of affair. We decided to setup an unauthorised VLAN, on this VLAN there exists a support

Re: Easy way to detect EAP

2007-06-27 Thread Alan DeKok
Phil Mayers wrote: They're already called both config and check - let's not start calling them control as well! check was used because of the users file. config was wrong, because there's also the configuration files. In 2.x, the preferred name is control, and the docs examples are being

Re: Easy way to detect EAP

2007-06-27 Thread Alan DeKok
Arran Cudbard-Bell wrote: Is there a more reliable method of detecting EAP than checking for the presence of an EAP-Message, I heard mention of an EAP-Type attribute... guessing this is set by the EAP module in authorize ? EAP *is* detected by the presence of EAP-Message. Alan DeKok.

RE: Banning users in a nice way...

2007-06-27 Thread Josh Howlett
Has anyone got any ideas ? I'm assuming there's no way to do it.. Not that I can think of. You shouldn't be able to coax a supplicant onto a network by munging authentication (this is a *good* thing). josh.

Re: Banning users in a nice way...

2007-06-27 Thread Stefan Winter
What we really want to be able to do, is for users with broken software, force the wireless association to succeed, and put them on the unauthorised VLAN. Of course just sending a plain old Access-Accept packet isn't sufficient, as it requires the tunneled authentication to succeed as well...

Altering the RADIUS dictionary files...

2007-06-27 Thread liran tal
Hey everyone, I attempted at first to post this issue in openser's mailing list but have failed to get a reply and thus I am trying in freeradius's as I hope there are people here with similar experience. OpenSER is a SIP Proxy tool and I integrated it to send accounting records to a freeradius

[Fwd: Re: High load after restart]

2007-06-27 Thread Brian Walters
On Wed, 2007-06-27 at 08:09 +0200, Alan DeKok wrote: Brian Walters wrote: Has anyone noticed high processor loads after restarting freeradius 1.1.3 or 1.1.6? I've noticed this on Debian as well as CentOS 4.5. After sending it a HUP? Yes. Don't send it a HUP. I'm not sending it a HUP,

Re: Altering the RADIUS dictionary files...

2007-06-27 Thread liran tal
I will appreciate if others can still comment on this subject as I do want to understand more thoroughly what's going on but it seems like the manpage for dictionary explains it pretty well: The dictionaries in */usr/local/share* SHOULD NOT be edited unless you know exactly what you are doing.

Re: Altering the RADIUS dictionary files...

2007-06-27 Thread liran tal
Thank you Alan, you'd probably notice my 2nd email prior to receiving yours that I found the relevant information in the manpage and hope that it'll be enough to understand and follow it to the end. In the meanwhile, waiting for your book already :) Regards, Liri. On 6/27/07, Alan DeKok

Re: Altering the RADIUS dictionary files...

2007-06-27 Thread Alan DeKok
liran tal wrote: What I would like is the ability to extend the formal SIP ATTRIBUTES with my own set. Use a vendor-specific dictionary. We're trying to convince the SER people to do the same thing. And so, I tried adding myself some custom attributes to both dictionary files, the one on

Re: Spliting National International

2007-06-27 Thread Peter Nixon
pmacct is a package that contains a number of daemons capable of different things. pmacctd can listen in promiscuous mode (on a switch span/monitor port) or simply capture all traffic which passes through an interface (if the linux box is routing the traffic) and aggregate that traffic

Wired Ethernet EAP-TLS

2007-06-27 Thread Darren Maden
I'm having problems connecting a wired Ethernet machine authenticating with EAP-TLS, I'm connecting via a Lindy switch with 802.1x port authentication forced on the port that the machine is connecting to, that port is also on the same VLAN as the RADIUS server. This FreeRADIUS setup is working

Re: Altering the RADIUS dictionary files...

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, liran tal wrote: Hey everyone, I attempted at first to post this issue in openser's mailing list but have failed to get a reply and thus I am trying in freeradius's as I hope there are people here with similar experience. Hi Liran Basically the way both SER and openSER

Help: eap/peap + 8021x + freeradius + Win2k3/AD

2007-06-27 Thread Hangjun He
Hi, list I have no samba installed in my linux. 1.freeradius + AD : When I use radtest tool to test user/password on Win2k3/AD, I can get correct answer when I set authenticate type to ldap too. 2.eap/peap + 8021x + freeradius + openldap: Success.

RE: Version 1.1.6 - Mac Address Authentication/vlan tagging

2007-06-27 Thread Brian Ertel
Which file do I need to modify to assign vlan tags to unknown mac addresses? Thanks, Brian -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Alan DeKok Sent: Saturday, June 23, 2007 2:51 AM To: FreeRadius users mailing list Subject: Re: Version 1.1.6 -

Re: Wired Ethernet EAP-TLS

2007-06-27 Thread Alan DeKok
Darren Maden wrote: The RADIUS server is not receiving the request, Find out why the NAS isn't sending the RADIUS request. Poking wpa_supplicant or FreeRADIUS won't help. Is there anything special I need to do in my FreeRADIUS config? Supporting Windows wired clients is not

Re: [Fwd: Re: High load after restart]

2007-06-27 Thread Alan DeKok
Brian Walters wrote: I'm not sending it a HUP, I've read where that's bad. I'm using the redhat start up script and I'm using the restart option which kills the process, then starts it. Looking through the script functions it first gives freeradius a kill -TERM then a kill -KILL Hmm...

Re: Banning users in a nice way...

2007-06-27 Thread Arran Cudbard-Bell
For your case 1): depends. If there actually is a user cert on the client's box and its CN does not contain an @, same as above applies. If their CN does contain an @, well, then you are pretty much lost. Shouldn't be many though. No certs on users boxes, completely vanilla installs... Well

Re: Wired Ethernet EAP-TLS

2007-06-27 Thread tnt
The RADIUS server is not receiving the request So, where is the switch sending the request? Check switch configuration. Freeradius is most likely OK if it works with wireless clients. Only thing you would need to do there is to add the switch into clients.conf. Ivan Kalik Kalik Informatika ISP

Re: Question about dictionnary

2007-06-27 Thread Thomas LAVIGNE
Hi everyone, Thank you very much for your help. If you have firewall or VPN problem I will be more able to help you. I made a find command for redback but it returned no result. The same command for dictionary returned two results : One in /etc/freeradius/dictionary and one in

Re: Version 1.1.6 - Mac Address Authentication/vlan tagging

2007-06-27 Thread Alan DeKok
Brian Ertel wrote: Which file do I need to modify to assign vlan tags to unknown mac addresses? The users file. You have to tell the server to accept the request, and then assign the RADIUS attributes that put it into a VLAN. See your NAS documentation for how to assign VLANs. Alan

Re: Help: eap/peap + 8021x + freeradius + Win2k3/AD

2007-06-27 Thread Alan DeKok
Hangjun He wrote: * I have no samba installed in my linux.* Then you won't get PEAP to work with AD. There's a reason the howto's say to use Samba: it's needed. *3.eap/peap + 8021x + freeradius + Win2k3/AD* *When I auth the Winxp user access to switch. It failed. Even if I set

Cleanup Radacct table (Need Help)

2007-06-27 Thread Jeff
Seems like every day from one upstream provider we use I get accounting record start and for some reason I get no stop packet on customers. I also use same radius with YourNetPlus and I am not seeing this issue with them. So it leads me to believe it's something between me and GlobalPOPS. My

iprs and pri and phone numbers ...

2007-06-27 Thread Karen R McArthur
/dialin.example.com/detail-20070627' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/dialin.example.com/detail-20070627 modcall[accounting]: module detail returns ok for request 1 modcall[accounting]: module unix returns ok for request 1 radius_xlat

Re: Wired Ethernet EAP-TLS

2007-06-27 Thread inverse
On 6/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: thing you would need to do there is to add the switch into clients.conf. and set a secret, and set that secret in the switch too. Then he might post a tcpdump capture of the conversation, with the options -vv -s 65535 -X to say one -

RE: Version 1.1.6 - Mac Address Authentication/vlan tagging

2007-06-27 Thread Brian Ertel
Thank you Alan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Alan DeKok Sent: Wednesday, June 27, 2007 9:46 AM To: FreeRadius users mailing list Subject: Re: Version 1.1.6 - Mac Address Authentication/vlan tagging Brian Ertel wrote: Which file do I

Re: iprs and pri and phone numbers ...

2007-06-27 Thread Dennis Skinner
Karen R McArthur wrote: huntgroups: admin NAS-IP-Address == 192.168.1.1 Called-Station-Id == xxx I think you want something more like this: huntgroups: admin NAS-IP-Address == 192.168.1.1, Called-Station-Id == xxx Ldap-Group == admin Then

Re: Wired Ethernet EAP-TLS

2007-06-27 Thread Darren Maden
The switch is added into the nas table in mysql and that secret is set in the switch as well. Doing a TCP dump on the machine trying to authenticate tells me that packets have been dropped by the kernel and filters. I haven't got any firewall or iptables setup, anything you can suggest about

RE: 2.0.0-pre sqlippool

2007-06-27 Thread Hugh Messenger
Peter Nixon [mailto:[EMAIL PROTECTED] said From now on (20 min ago), MySQL should be a fully supported dialect for rlm_sqlippool so the table is part of the normal schema and the queries _should_ work by default. Please send patches for anything that is still broken as I don't test against MySQL

Re: 2.0.0 documentation for radiusd.conf

2007-06-27 Thread Hugh Messenger
Alan DeKok [EMAIL PROTECTED] said: Hugh Messenger wrote: ... I like this new unlang. Thanks. It makes me much more confident in releasing a 2.0 that is *much* better than 1.1. My only suggestion is adding some examples to the man page, and/or in the config file comments. I'm sure you

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Hugh Messenger
Alan DeKok [EMAIL PROTECTED] said: Or, Framed-IP-Address. But I don't see that typo in the CVS head. My apologies, that was a typo in the email, not the config file. I'll do some more testing and get back to you on this one. The lines are wrapped at 80 characters, with '\' at the end.

Re: Easy way to detect EAP

2007-06-27 Thread Phil Mayers
On Wed, 2007-06-27 at 13:00 +0200, Alan DeKok wrote: Phil Mayers wrote: They're already called both config and check - let's not start calling them control as well! check was used because of the users file. config was wrong, because there's also the configuration files. In 2.x,

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, Hugh Messenger wrote: Peter Nixon [mailto:[EMAIL PROTECTED] said From now on (20 min ago), MySQL should be a fully supported dialect for rlm_sqlippool so the table is part of the normal schema and the queries _should_ work by default. Please send patches for anything that

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Arran Cudbard-Bell
I'll friendly-up the new mysql-ippool-dialup.conf and send you a copy. Sounds like a plan :-) Remember to change any value substitutions to the new scheme %{%{foo}:-%{bar}} :) -- Arran Cudbard-Bell ([EMAIL PROTECTED]) Authentication, Authorisation and Accounting Officer Infrastructure

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Peter Nixon
On Wed 27 Jun 2007, Hugh Messenger wrote: Alan DeKok [EMAIL PROTECTED] said: Or, Framed-IP-Address. But I don't see that typo in the CVS head. My apologies, that was a typo in the email, not the config file. I'll do some more testing and get back to you on this one. The lines are

2.0.0 Depracated conditional expansion :-

2007-06-27 Thread Hugh Messenger
The default mysql-dialup.conf queries are generating a lot of these warnings: WARNING: Deprecated conditional expansion :-. See man unlang for details expand: INSERT INTO radpostauth (id, user, pass, reply, date) VALUES ('', '%{User-Name}', '%{User-Password:-Chap-Password}',

Re: Cleanup Radacct table (Need Help)

2007-06-27 Thread tnt
Do first select * from ... to check if those are the records you want deleted: DELETE FROM radacct WHERE AcctStopTime=0 AND AcctStartTime < DATE_SUB(NOW(), INTERVAL 5 HOUR) Ivan Kalik Kalik Informatika ISP On 27/6/2007, Jeff [EMAIL PROTECTED] wrote: Seems like everyday from one upstream

Re: Question about dictionnary

2007-06-27 Thread tnt
What freeradius version are you using? Try locate redback. Ivan Kalik Kalik Informatika ISP On 27/6/2007, Thomas LAVIGNE [EMAIL PROTECTED] wrote: Hi everyone, Thank you very much for your help. If you have firewall or VPN problem I will be more able to help you. I made a find command for

sqlippool reject authentication if no IP?

2007-06-27 Thread Hugh Messenger
With my current configuration, if sqlippool cannot assign an IP, the authentication still succeeds. How can I set things up so if no IP is available, the authentication will fail with some informative Reply-Message, like the simultaneous use session control does? -- hugh

Reply: Re: Help: eap/peap + 8021x + freeradius + Win2k3/AD

2007-06-27 Thread Hangjun He
Thanks Alan DeKok. But there is not enough memory on my linux system to install samba. What should I do? John Alan DeKok [EMAIL PROTECTED] wrote: Hangjun He wrote: * I have no samba installed in my linux.* Then you won't get PEAP to work with AD. There's a reason the howto's

Reply: Re: Help: eap/peap + 8021x + freeradius + Win2k3/AD

2007-06-27 Thread Hangjun He
Can I start ldap-auth after eap authenticate failed..just like radclient. Hangjun He [EMAIL PROTECTED] wrote: Thanks Alan DeKok. But there is not enough memory on my linux system to install samba. What should I do? John Alan DeKok [EMAIL PROTECTED] wrote: Hangjun He

Re: Help: eap/peap + 8021x + freeradius + Win2k3/AD

2007-06-27 Thread Hugh Messenger
Hangjun He [EMAIL PROTECTED] said: But there is not enough memory on my linux system to install samba. What should I do? Install more memory. As Alan said, you have to have Samba to do what you want to do. John -- hugh

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Hugh Messenger
Arran Cudbard-Bell [EMAIL PROTECTED] said: Remember to change any value substitutions to the new scheme %{%{foo}:-%{bar}} You just answered my rather long winded question about the 'deprecated' warnings, before I asked it. I've fixed all occurrences, and all warnings have gone away. I'll

Re: 2.0.0-pre sqlippool

2007-06-27 Thread Alan DeKok
Hugh Messenger wrote: I just noticed the 'man unlang' paragraph about 'check' being a synonym for 'control'. Did that just get added, or was I being blind first time round? I do try and read the docs before posting here, and I'd hate to think I missed that. I added it. Alan DeKok. -

Re: 2.0.0 Depracated conditional expansion :-

2007-06-27 Thread Alan DeKok
Hugh Messenger wrote: ... I'm assuming the warning is telling me that things like '%{User-Password:-Chap-Password}' should now be '%{%{User-Password}:-%{Chap-Password}}', as per 'man unlang': Yes. *All* of the sample config files need to be fixed for this. The benefit is that this now

Re: 2.0.0 documentation for radiusd.conf

2007-06-27 Thread Alan DeKok
Hugh Messenger wrote: My only suggestion is adding some examples to the man page, and/or in the config file comments. I'm sure you already intend to do this, just wanted to get it back on your radar. As has been noted by others, unlang is likely to top the league table of FMF's (Frequently

Re: Question about dictionnary

2007-06-27 Thread Alan DeKok
Thomas LAVIGNE wrote: I made a find command for redback but it returned no result. Then you're not using a version of FreeRADIUS that was released in the past 7 years. It's included a dictionary.redback for almost that long. The same command for dictionary returned two results : One in

Re: Wired Ethernet EAP-TLS

2007-06-27 Thread Alan DeKok
Darren Maden wrote: The switch is added into the nas table in mysql and that secret is set in the switch as well. Does the switch have the IP address of the server? Plugging a laptop into the sniffing port of the switch and running ethereal shows packets going from the machine trying to

Re: sqlippool reject authentication if no IP?

2007-06-27 Thread Alan DeKok
Hugh Messenger wrote: With my current configuration, if sqlippool cannot assign an IP, the authentication still succeeds. The module returns NOOP. It could arguably return fail. How can I set things up so if no IP is available, the authentication will fail with some informative

Re: sqlippool reject authentication if no IP?

2007-06-27 Thread Peter Nixon
On Thu 28 Jun 2007, Alan DeKok wrote: Hugh Messenger wrote: With my current configuration, if sqlippool cannot assign an IP, the authentication still succeeds. The module returns NOOP. It could arguably return fail. How can I set things up so if no IP is available, the authentication