Re: Query regarding Free Radius Testing
Hi,

> User-Name = sujatha
> User-Password = test123
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1812
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> rlm_unix: [sujatha]: invalid password
> rad_recv: Access-Request packet from host 127.0.0.1:32769, id=157, length=59
> Sending Access-Reject of id 157 to 127.0.0.1 port 32769
>
> Can I know the reason.

sure - you've just been told the reason in the above output. rlm_unix didn't find anything - and due to your config, it's been set as the end of all answers - probably you have

  DEFAULT Auth-Type := System

in your 'users' file (which means 'set the auth-type to system (unix files) authentication and don't try anything else'). comment that entry out... and if you don't use unix authentication then comment out the unix entries in radiusd.conf etc too

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: access only particular website through RADIUS
Yes, it forbids the access to some sites; it is easy if you have the correct NAS. You need for instance a mikrotik device where in the walled garden you can allow some sites but you can ban others. ;)

From: "Parham Beheshti" [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
Subject: RE: access only particular website through RADIUS
Date: Mon, 27 Aug 2007 13:12:38 +0330

> Hello,
>
> We do this kind of stuff for our users. When our users run out of credit, instead of rejecting them, we return a different ip-pool to the user (ex: 10.10.X.X). From that ip-pool, users can only access our ticketing system, payment gateways and such. (ex: from 10.10.X.X users can access few ip addresses)
>
> After making payment, they reconnect and get a normal ip address with which they have full access to everything.
>
> Cheers
> Parham
Problem for IPv6 Connection...
Hi All,

I want to use the Radius Server where the requesting Clients are IPv6 Hosts.

I have changed the clients.conf like:

client 2001:0:0:1::9 {
        secret = pass
        shortname = admin
}

I have changed the users file:

vikas   User-Password == password
        Service-Type = Administrative-User

But, the RADIUS SERVER is showing:

rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

I have enabled the IPv6 connection line from the radiusd.conf file. Am I required to do any changes which impact responding to the IPv6 client host?

THANKS IN ADVANCE... I am waiting for an early reply.

Thanks
Vikas S
Re: Problem for IPv6 Connection...
Vikas Bagora wrote:
> I want to use the Radius Server where the requesting Client are IPv6 Host.

Is this in 2.0.0-pr2?

> I have changed the users file:
> vikas User-Password == password

No. See the FAQ.

> Service-Type = Administrative-User
> But, the RADIUS SERVER is showing:
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

This problem has nothing to do with IPv6. It is because you haven't configured the users file entry correctly.

> I have enabled the IPv6 connection line form radiusd.conf file.

I have no idea what that means.

Alan DeKok.
Re: Simultaneous-Use per NAS
On 8/30/07, Svend Eriksen [EMAIL PROTECTED] wrote:
> Hi,
>
> We run freeradius 1.1.6 against postgresql 8.1. With the current configuration the user can only login one time simultaneously. What I want is that a user can login only one time per NAS, but that the user can login on several NASes at the same time. The reason for this is that a user can move between NASes without the need to logout from the NAS he is leaving. The user can only login to NASes that are in a group that he is a member of (this already works today).
>
> Is it also possible to set the Simultaneous-Use as a default value for all users, so we don't have to set it on all the groups?
>
> Here are the lines from the database
>
> SELECT * FROM radcheck
> 40 | user1 | Cleartext-Password | := | kebab1
> 41 | user1 | Expiration         | := | Dec 31 2050 00:00:00
>
> SELECT * FROM radusergroup
> user1 | testusergroup | 0
>
> SELECT * FROM nas
> 7 | 10.0.0.1 | NAS1 | other | | naspw
> 8 | 10.0.0.2 | NAS2 | other | | naspw
>
> SELECT * FROM radgroupcheck
> 15 | testusergroup | NAS-IP-Address   | += | 10.0.0.1
> 16 | testusergroup | NAS-IP-Address   | += | 10.0.0.2
> 17 | testusergroup | Simultaneous-Use | := | 1
>
> reg
> Svend Eriksen

Hi,

Why don't you just add Simultaneous-Use for each user to radcheck? If I understand you correctly, that would solve the problem, right? I don't know how you actually add the new users, but it can easily be done to give them that attr. as a default one.

Kind Regards,
Yves
Caveat: schema differences in Acct(Start|Stop)Time
Hi,

(this goes into a Wiki page as well)

Today I fell over some caveat when it comes to handling AcctStopTime in databases. In mysql, the schema defines

  acctstarttime datetime NOT NULL default '0000-00-00 00:00:00',
  acctstoptime  datetime NOT NULL default '0000-00-00 00:00:00',

and the accounting queries set a literal '0' on starts.

postgresql is different though:

  AcctStartTime TIMESTAMP with time zone,
  AcctStopTime  TIMESTAMP with time zone,

and doesn't set anything on starts, which makes the content a NULL.

The difference comes into play for example when you want to delete old records: a

  DELETE FROM radacct WHERE AcctStopTime < $YOUR_THRESHOLD_DATE

will
a) on postgresql only delete closed sessions older than your threshold age
b) on mysql additionally DELETE ALL YOUR OPEN SESSIONS (because they have AcctStopTime = 0000-00-00 00:00:00 and that is smaller than your threshold date)

I strongly suggest updating CVS head (+will there be a 1.1.8?) with a better schema for mysql (i.e. follow postgresql's NULL). I would do it myself right now, but I'm off for holidays in a few hours. So if someone feels like doing it, there you go. If not: I'll put a Post-It on my computer :-)

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
Re: Simultaneous-Use per NAS
> Hi,
>
> Why don't you just add Simultaneous-Use for each user to radcheck? If I understand you correctly, that would solve the problem, right? I don't know how you actually add the new users, but it can easily be done to give them that attr. as a default one.
>
> Kind Regards,
> Yves

This is what I do today. The problem occurs when a user leaves a NAS without logging out, and then tries to connect to another NAS. The second NAS will ask for a new login, but freeradius will answer that the user is already logged in. The solution I am looking for is that a user can only have one simultaneous login per NAS, but that the user can be logged in simultaneously on different NASes.

reg
Svend
Re: freeradius + ad
Hi,

> I have taken 1.1.6 version.

why? oh dear why?!? 1.1.7 is the latest 1.1.x release and it's there for many many reasons. i don't grab a Linux 0.9 kernel if i want to run a Linux server.

> I am not very clear on configuring the files. First we are going to do dummy testing.

for very very basic testing you only need to edit 3 files

radiusd.conf - set the userid, groupid and listen directive (and that's it! leave the rest alone!)

clients.conf - edit the 127.0.0.1 entry eg

client 127.0.0.1 {
        secret = the_secret_i_put_into_clients.conf
        shortname = localhost
        nastype = other
}

users - at the very top add a test user eg

my_Test_user_00x1 Cleartext-Password := bigf439qyft789

that should be it. you can then use, eg radtest, to check it's alive. so open 2 terminal windows... in one, type

  radiusd -X

(to run freeradius in full debugging) and in the other type

  radtest my_Test_user_00x1 bigf439qyft789 localhost 1812 the_secret_i_put_into_clients.conf

> Can we give a file name as the argument in the command line while using radtest? If so How to use?

man radclient

radtest is a little more basic. it's the 'basic freeradius 101' test tool

alan
Re: hints/acct_users matching of subnets
Hi,

Ok, using regex matching fixed it. Thanks!

you might also add those client IP addresses to a huntgroup and use the huntgroup name in your hints... Hm... thinking of it... is shortname from clients.conf available as an attribute? Then you could treat all IP addresses equal by their shortname...

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
prevent ldap from searching for groups
I am using rlm_ldap (2.0.0-pre2) to check an account for being valid in AD. This works. As I am only interested in one attribute from AD, it would be sufficient if rlm_ldap would only use the filter to dive into AD once. How could I prevent rlm_ldap from Entering ldap_groupcmp()?

Setting

  groupname_attribute = NULL
  groupmembership_filter = NULL

only results in an error message "Bad search filter".

rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute primaryGroupID as RADIUS attribute Group-Name == 515
rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/28tef004.ww006.mycomany.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok

How to prevent entering this function??

rlm_ldap: Entering ldap_groupcmp()
        expand: DC=MYCOMPANY,dc=NET -> DC=MYCOMPANY,dc=NET
        expand: NULL -> NULL

Norbert Wegener
RE: freeradius + ad
Whether the password given in the Users file is an Encrypted password or normal?

Whether the secret which I am configuring in clients.conf should be configured anywhere else?

All these files should be configured in the path /usr/local/etc/xxx.conf. Is this right?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 31, 2007 1:49 PM
To: FreeRadius users mailing list
Subject: Re: freeradius + ad
RE: freeradius + ad
> Whether the password given in the Users file is an Encrypted password or normal?

Cleartext-Password is normal.

> Whether the secret which I am configuring in clients.conf should be configured anywhere else?

On a client which is sending radius packets. With the server's IP address.

> All these files should be configured in the path /usr/local/etc/xxx.conf. Is this right?

Path is /usr/local/etc/raddb/ by default.

Ivan Kalik
Kalik Informatika ISP
Several login-service attribut in reply message
Hello Everybody,

I just want to put several login-service in an access-accept packet.

If i try this in the users file:

login_user   Auth-Type := Local, User-Password == pass_user
             login-service = 50,
             login-service = telnet,
             Fall-Through = no

It sends an Access-Accept with only one attribute:

  login-service = telnet

But if i put this in the attrs file with the rlm_filter module:

DEFAULT
        login-service := telnet,
        login-service := 50

It works very well!

Sending Access-Accept of id 26 to IP_NAS port 5001
        Login-Service := Telnet
        Login-Service := 50

How can i do this with the users file??

Thanks for your help!!

Nicolas.
Re: Simultaneous-Use per NAS
Make multiple sql instances - one for each NAS.

Ivan Kalik
Kalik Informatika ISP

On 31/8/2007, Svend Eriksen [EMAIL PROTECTED] wrote:
> This is what I do today. The problem occurs when a user leaves a NAS without logging out, and then tries to connect to another NAS. The second NAS will ask for a new login, but freeradius will answer that the user is already logged in. The solution I am looking for is that a user can only have one simultaneous login per NAS, but that the user can be logged in simultaneously on different NASes.
>
> reg
> Svend
Re: prevent ldap from searching for groups
Norbert Wegener wrote:
> As I am only interested in one attribute from AD, it would be sufficient if rlm_ldap would only use the filter to dive into AD once. How could I prevent rlm_ldap from Entering ldap_groupcmp()?

Don't reference the LDAP-Group attribute? The only time that the ldap_groupcmp() function is called is when the LDAP-Group attribute is used.

Alan DeKok.
Re: Several login-service attribut in reply message
http://wiki.freeradius.org/Operators

+=

Ivan Kalik
Kalik Informatika ISP

On 31/8/2007, [EMAIL PROTECTED] wrote:
> I just want to put several login-service in an access-accept packet.
>
> If i try this in the users file:
>
> login_user   Auth-Type := Local, User-Password == pass_user
>              login-service = 50,
>              login-service = telnet,
>              Fall-Through = no
>
> It sends an Access-Accept with only one attribute: login-service = telnet
>
> How can i do this with the users file??
Re: Several login-service attribut in reply message
[EMAIL PROTECTED] wrote:
> I just want to put several login-service in an access-accept packet.

That's not permitted. No NAS will understand that response from a server.

> If i try this in the users file:
>
> login_user   Auth-Type := Local, User-Password == pass_user
>              login-service = 50,
>              login-service = telnet,
>              Fall-Through = no
>
> It sends an Access-Accept with only one attribute: login-service = telnet

This behavior IS documented. See man users.

Alan DeKok.
RE: freeradius + ad
On a radius client device (switch, AP, router, server, ...) which is trying to authenticate the user.

Ivan Kalik
Kalik Informatika ISP

On 31/8/2007, Pelluru Sujatha [EMAIL PROTECTED] wrote:
> I did not get clearly where to configure the secret other than the /usr/local/etc/raddb/clients.conf file.
Re: Simultaneous-Use per NAS
I'm sorry, but I don't understand what you mean. Can you please explain?

reg
Svend

[EMAIL PROTECTED] wrote:
> Make multiple sql instances - one for each NAS.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius + ad
Hi,

> Whether the password given in the Users file is an Encrypted password or normal?

your choice!

> Whether the secret which I am configuring in clients.conf should be configured anywhere else?

yes - on the NAS itself. but if you're using radtest or radclient then that software is a virtual NAS so you use it with that tool.

alan

> All these files should be configured in the path /usr/local/etc/xxx.conf. Is this right?

heck! i don't know how you've configured your system mate! by default it would all be in /usr/local/etc/raddb

if it's installed via RPM or yum or yast or 'umwifolm' then it'll be where the package manager has decided it would be - /etc/raddb, /opt/freeradius/config/, /usr/local/freeradius/etc/ etc etc

alan
Re: freeradius + ad
Hi,

> I did not get clearly where to configure the secret other than the /usr/local/etc/raddb/clients.conf file.

unless (UNLESS) you are using some other NAS authentication method - eg sticking them into an SQL table for checking, clients.conf is the ONLY place where the NAS secret needs to be placed. that is the single place where freeradius reads to check the secrets for each NAS (or direct client talking to the FR server - which are also known as NAS in that context)

alan
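The two replies above say the same thing from both sides: the secret in clients.conf is one half of a pair, and the other half lives on the NAS (or in radtest's last argument). The following is an added example, not code from the list or from FreeRADIUS, showing in Python what that shared secret actually does in a PAP exchange: the NAS hides User-Password with MD5(secret + Request Authenticator) as RFC 2865 describes, and the server signs its reply with a Response Authenticator that the NAS can only verify with the same secret. The NAS and server functions, the users dictionary and the 127.0.0.1 NAS-IP-Address are constructed for the demo; the test user and password are the ones alan used earlier in this thread.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password. A wrong secret yields garbage, not an error."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, including the header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_authenticator=None):
    """The NAS side: a fresh random Request Authenticator and a hidden User-Password."""
    ra = request_authenticator or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, ra)),
                          (ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))])  # constructed
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_handle(packet, server_secret, users):
    """Minimal server side: recover the password with *its* configured secret,
    compare with the known-good password and sign the reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, ra)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this demo
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + ra + server_secret).digest()
    return header + resp_auth


def client_check_response(response, request_authenticator, client_secret):
    """The NAS side again: trust the reply only if it was signed with the same secret."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + client_secret).digest()
    return code, expected == response[4:20]


def exchange(client_secret, server_secret, username, password):
    """One NAS <-> server round trip; returns (response code, authenticator verified)."""
    users = {b"my_Test_user_00x1": b"bigf439qyft789"}   # constructed users-file equivalent
    ra = os.urandom(16)
    request = build_access_request(7, username, password, client_secret, ra)
    response = server_handle(request, server_secret, users)
    return client_check_response(response, ra, client_secret)


if __name__ == "__main__":
    print("same secret, right password :", exchange(b"testing123", b"testing123", b"my_Test_user_00x1", b"bigf439qyft789"))
    print("same secret, wrong password :", exchange(b"testing123", b"testing123", b"my_Test_user_00x1", b"nope"))
    print("secret mismatch             :", exchange(b"testing123", b"something-else", b"my_Test_user_00x1", b"bigf439qyft789"))
```

With mismatched secrets the server decodes the password to garbage and answers Access-Reject, and the NAS cannot even verify that reply, which is why a wrong clients.conf secret looks like a bad password on the server and like a silent timeout on the NAS.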
Re: hints/acct_users matching of subnets
Hi,

> Ok, using regex matching fixed it. Thanks!
>
> you might also add those client IP addresses to a huntgroup and use the huntgroup name in your hints... Hm... thinking of it... is shortname from clients.conf available as an attribute? Then you could treat all IP addresses equal by their shortname...

or 'Type' if that was available too.. then you could apply the peculiar replies that certain NASs need only if it was that NAS type much easier.

alan
Freeradius help
Hi all,

I have installed a freeradius server and it works perfectly... Now, I want to play with the Session-Timeout attribute. I want to set that value according to the NAS to which the client is connected. For instance, let us assume a user connects himself to a Group1 NAS and has X seconds session-timeout. But if he were connected to a Group2 NAS, he would have X-10 seconds session-timeout.

Finally, what I want is:
1) to run a script that sets a session-timeout value according to the NAS IP address.
2) to run a script when the user logs out (when the session-timeout attribute is updated)

But I don't know how to do so... I thought about launching scripts but if you have a better solution, i'll take it heartily.

Thanks a lot.
Re: Simultaneous-Use per NAS
http://wiki.freeradius.org/Rlm_sql

Ivan Kalik
Kalik Informatika ISP

On 31/8/2007, Svend Eriksen [EMAIL PROTECTED] wrote:
> I'm sorry, but I don't understand what you mean. Can you please explain?
>
> reg
> Svend
>
> [EMAIL PROTECTED] wrote:
> > Make multiple sql instances - one for each NAS.
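What Svend is asking for in this thread is a Simultaneous-Use check scoped to the NAS instead of to the user alone. In FreeRADIUS 1.x the SQL module decides this with the simul_count_query in sql.conf, which counts the user's open radacct rows; the added example below (my code, not the list's or FreeRADIUS's) reproduces that decision in Python over an in-memory sqlite3 copy of radacct and shows the effect of adding a NAS-IP-Address condition to the count. The table, the open session for user1 on 10.0.0.1 and the function names are constructed for the demo; open sessions are rows with a NULL AcctStopTime, as on Svend's PostgreSQL schema.

```python
import sqlite3

# Constructed radacct snapshot: user1 is still logged in on NAS1 (10.0.0.1), nothing on NAS2.
# (username, nasipaddress, acctsessionid)
OPEN_SESSIONS = [
    ("user1", "10.0.0.1", "sess-0001"),
]


def build_radacct(open_sessions):
    """Minimal radacct with only the columns the Simultaneous-Use count needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, nasipaddress TEXT, "
               "acctsessionid TEXT, acctstoptime TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, NULL)", open_sessions)
    return db


def count_open_sessions(db, username, nasipaddress=None):
    """Without a NAS address this is the global count the stock simul_count_query
    performs (open = AcctStopTime IS NULL); with one it is the per-NAS count Svend wants."""
    sql = "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL"
    params = [username]
    if nasipaddress is not None:
        sql += " AND nasipaddress = ?"
        params.append(nasipaddress)
    return db.execute(sql, params).fetchone()[0]


def decide(db, username, nasipaddress, limit, per_nas):
    """Mirror the server's verdict for a new Access-Request from nasipaddress:
    reject when the relevant count has already reached Simultaneous-Use."""
    scope = nasipaddress if per_nas else None
    if count_open_sessions(db, username, scope) < limit:
        return "Access-Accept"
    return "Access-Reject"


def record_login(db, username, nasipaddress, sessionid):
    """What an Accounting-Start does once the login has been accepted."""
    db.execute("INSERT INTO radacct VALUES (?, ?, ?, NULL)", (username, nasipaddress, sessionid))


if __name__ == "__main__":
    db = build_radacct(OPEN_SESSIONS)
    for nas in ("10.0.0.1", "10.0.0.2"):
        print(f"user1 from {nas}: global limit 1 -> {decide(db, 'user1', nas, 1, per_nas=False)}, "
              f"per-NAS limit 1 -> {decide(db, 'user1', nas, 1, per_nas=True)}")
```

Whichever scope is used, the count is only as accurate as the Stop records it sees: a NAS that a user walks away from without logging out keeps that row open until the NAS sends its Accounting-Stop (or the session is cleaned up some other way), which is exactly the situation Svend describes.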
Re: Caveat: schema differences in Acct(Start|Stop)Time
Hi,

> Today I fell over some caveat when it comes to handling AcctStopTime in databases. In mysql, the schema defines
>
>   acctstarttime datetime NOT NULL default '0000-00-00 00:00:00',
>   acctstoptime  datetime NOT NULL default '0000-00-00 00:00:00',

..and we've already had a discussion last week about those values being 'illegal' according to the MySQL datetime documentation.

  The DATETIME type is used when you need values that contain both date and time information. MySQL retrieves and displays DATETIME values in 'YYYY-MM-DD HH:MM:SS' format. The supported range is '1000-01-01 00:00:00' to '9999-12-31 23:59:59'.

however, just to rub it in, if you enter an illegal entry (eg 123454324352) then that value gets converted to. yes, wait for it

  0000-00-00 00:00:00

hurrah! the docs clearly state this case too.

I would say we get a little historical and set the default date to 1970-01-01 00:00:00

alan
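Stefan's caveat and alan's follow-up both come down to how "session still open" is represented in AcctStopTime. The following added example (my code, not the list's or FreeRADIUS's) builds the same four sessions under both conventions in an in-memory sqlite3 table and runs the purge from Stefan's message against each: with the NULL convention the naive DELETE removes only the old closed session, while with a zero-date sentinel it also wipes every open session, because the sentinel sorts before any real date. A purge that excludes the sentinel explicitly behaves the same under both schemas. The rows, the threshold and the function names are constructed for the demo; the column names follow the radacct schemas quoted above.

```python
import sqlite3

# Constructed radacct rows: (username, nasipaddress, acctstarttime, acctstoptime or None).
# Two sessions are closed and two are still open; one of each started before the threshold.
SESSIONS = [
    ("user1", "10.0.0.1", "2007-05-01 10:00:00", "2007-05-01 11:00:00"),  # old, closed
    ("user2", "10.0.0.1", "2007-05-02 10:00:00", None),                   # old start, still open
    ("user3", "10.0.0.2", "2007-08-20 10:00:00", "2007-08-20 10:30:00"),  # recent, closed
    ("user4", "10.0.0.2", "2007-08-21 10:00:00", None),                   # recent, still open
]
THRESHOLD = "2007-08-01 00:00:00"          # $YOUR_THRESHOLD_DATE from Stefan's message
MYSQL_ZERO_DATE = "0000-00-00 00:00:00"    # what the quoted MySQL schema stores for open sessions


def build_radacct(open_marker):
    """open_marker is None (PostgreSQL: NULL until the Stop arrives) or MYSQL_ZERO_DATE."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, nasipaddress TEXT, "
               "acctstarttime TEXT, acctstoptime TEXT)")
    rows = [(u, n, start, stop if stop is not None else open_marker)
            for u, n, start, stop in SESSIONS]
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return db


def purge_naive(db, threshold):
    """The DELETE from Stefan's message: compares AcctStopTime with the threshold only.
    NULL < threshold is unknown, so NULL rows survive; a zero date is simply 'smaller'."""
    return db.execute("DELETE FROM radacct WHERE acctstoptime < ?", (threshold,)).rowcount


def purge_closed_only(db, threshold):
    """Same purge, but ruling out both ways of saying 'still open' before comparing."""
    return db.execute(
        "DELETE FROM radacct WHERE acctstoptime IS NOT NULL AND acctstoptime <> ? "
        "AND acctstoptime < ?", (MYSQL_ZERO_DATE, threshold)).rowcount


def open_sessions(db):
    """Usernames whose session is still open under either convention."""
    rows = db.execute("SELECT username FROM radacct WHERE acctstoptime IS NULL "
                      "OR acctstoptime = ? ORDER BY username", (MYSQL_ZERO_DATE,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for name, marker in (("postgresql-style", None), ("mysql-style", MYSQL_ZERO_DATE)):
        db = build_radacct(marker)
        print(f"{name}: naive purge deleted {purge_naive(db, THRESHOLD)} rows, "
              f"open sessions left: {open_sessions(db)}")
        db = build_radacct(marker)
        print(f"{name}: closed-only purge deleted {purge_closed_only(db, THRESHOLD)} rows, "
              f"open sessions left: {open_sessions(db)}")
```

The same reasoning applies to any other sentinel chosen as a default: whatever date stands for "open" will compare smaller than a threshold in the past, so a maintenance query has to exclude it by name rather than rely on ordering.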
Re: Problem for IPv6 Connection...
Hi All, Sending Clear Information... 1. I am using freeradius-server-2.0.0-pre1 Version(which support for IPv6 also). 2. My Objective is ( Radius Client Information): Make Radius Server to accept the request from the IPv6 client(Embedded System). - My Client has dual TCP/IP Stack enable(IPv4 / IPv6). - My Client IPv6 IP Address is 2001:0:0:1::175. - Sending Radius Packet to 2001:0:0:1::105( Radius Server is running in this IPv6 IP Address). 3. Radius Server Information: Current situation is, Radius Server is getting the Radius Client Request Packet and not responding to its client for the received request packet. - In Radius Server clients.conf file is modified with : client 2001:0:0:1::175 { secret = pass Shortname = admin } - users file is modified in only with this lines : vikas User-Password == password Service-Type = Administrative - radiusd.conf is changed to ( to accept the IPv6 Request): listen { # IP address on which to listen. # Allowed values are: # dotted quad (1.2.3.4) # hostname(radius.example.com) # wildcard(*) # ipaddr = * (COMMENTED THIS LINE) # OR, you can use an IPv6 address, but not both # at the same time. ipv6addr = :: # any. ::1 == localhost (UNCOMMENTED THIS LINE) -. -. - } These are the Changes i have made for Radius Server. When i try to login from the CLI to my embedded system with: username: vikas password: password The Server shows following messeges..( LOG IN ATTACHMENT). 5. So, with this behaviour my Radius Client is getting time out after 3 tries to connect with server. This is not the same with IPv4 request, where in IPv4 from the same Embedded system the Radius Server is responding, but with access-reject packet. LOG FOR IPv4 response from Server : RADIUS_CLIENT::process_radius_response() - received a response (2741423ms) code 3, identifier 0, length 20, port index 0, src ip :::169.26.27.105, src port 1812 Please let me know what changes are require in either side of Radius Server / Radius Client. THANKS IN ADVANCE... 
Vikas s

Alan DeKok [EMAIL PROTECTED] wrote:
> Vikas Bagora wrote:
>> I want to use the Radius Server where the requesting Client are IPv6 Host.
> Is this in 2.0.0-pr2?
>> I have changed the users file: vikas User-Password == password
> No. See the FAQ.
>> Service-Type = Administrative-User
>> But, the RADIUS SERVER is showing: rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> This problem has nothing to do with IPv6. It is because you haven't configured the users file entry correctly.
>> I have enabled the IPv6 connection line form radiusd.conf file.
> I have no idea what that means.
> Alan DeKok.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attached log:

rad_recv: Access-Request packet from host 2001:0:0:1::175 port 21812, id=0, length=63
 User-Name = vikas
 User-Password = password
 NAS-IP-Address = 0x200100010175
Fri Aug 31 15:20:10 2007 : Debug: Processing the authorize section of radiusd.conf
Fri Aug 31 15:20:10 2007 : Debug: +- entering group authorize
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Fri Aug 31 15:20:10 2007 : Debug: ++[preprocess] returns ok
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Fri Aug 31 15:20:10 2007 : Debug: ++[chap] returns noop
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Fri Aug 31 15:20:10 2007 : Debug: ++[mschap] returns noop
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: calling unix (rlm_unix) for request 0
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 0
Fri Aug 31 15:20:10 2007 : Debug: ++[unix] returns notfound
Fri Aug 31 15:20:10 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Fri Aug 31 15:20:10 2007 : Debug: rlm_realm: No '@' in User-Name = vikas, looking up realm NULL
Fri Aug
Re: Problem for IPv6 Connection...
Vikas Bagora wrote:
> 1. I am using freeradius-server-2.0.0-pre1

Please use 2.0.0-pre2.

> - *users* file is modified in only with this lines :
> vikas User-Password == password

Change that line to:

vikas Cleartext-Password := password

Alan DeKok.
Re: Simultaneous-Use per NAS
I've got through the same problem, and based on some help I got here from the list I managed to solve the problem with a simple change to sql.conf, modifying the simul_count_query.

The original entry:

simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

The one I use:

simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0 AND NASIPAddress = '%{NAS-IP-Address}'

Basically, all I am doing is checking if the user is already logged in specifically on the current NAS.

Just an extra note: you will probably need to play a little with the hints, proxy and users files to get the behavior you wish. In our case, due to some policies from the university, on some NASes we wanted users to type their domains, on other NASes we wanted them without domain. Took some time to make it work.

Roberto

[EMAIL PROTECTED] wrote:
> http://wiki.freeradius.org/Rlm_sql
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 31/8/2007, Svend Eriksen [EMAIL PROTECTED] wrote:
>> I'm sorry, but I don't understand what you mean. Can you please explain?
>>
>> reg Svend
>>
>> [EMAIL PROTECTED] wrote:
>>> Make multiple sql instances - one for each NAS.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> On 31/8/2007, Svend Eriksen [EMAIL PROTECTED] wrote:
>>>> On 8/30/07, *Svend Eriksen* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
>>>>> Hi,
>>>>> We run freeradius 1.1.6 against postgresql 8.1. With the current configuration the user can only log in one time simultaneously. What I want is that a user can log in only one time per NAS, but that the user can log in on several NASes at the same time. The reason for this is that a user can move between NASes without the need to log out from the NAS he is leaving. The user can only log in to NASes that are in a group that he is a member of (this already works today). Is it also possible to set the Simultaneous-Use as a default value for all users, so we don't have to set it on all the groups?
>>>>>
>>>>> Here are the lines from the database:
>>>>>
>>>>> SELECT * FROM radcheck
>>>>> 40 | user1 | Cleartext-Password | := | kebab1
>>>>> 41 | user1 | Expiration | := | Dec 31 2050 00:00:00
>>>>>
>>>>> SELECT * FROM radusergroup
>>>>> user1 | testusergroup | 0
>>>>>
>>>>> SELECT * FROM nas
>>>>> 7 | 10.0.0.1 | NAS1 | other | | naspw
>>>>> 8 | 10.0.0.2 | NAS2 | other | | naspw
>>>>>
>>>>> SELECT * FROM radgroupcheck
>>>>> 15 | testusergroup | NAS-IP-Address | += | 10.0.0.1
>>>>> 16 | testusergroup | NAS-IP-Address | += | 10.0.0.2
>>>>> 17 | testusergroup | Simultaneous-Use | := | 1
>>>>>
>>>>> reg Svend Eriksen
>>>>
>>>> Hi,
>>>> Why don't you just add Simultaneous-Use for each user to radcheck? If I understand you correctly, that would solve the problem, right? I don't know how you actually add the new users, but it can easily be done to give them that attr. as a default one.
>>>> Kind Regards, Yves
>>>
>>> This is what I do today. The problem occurs when a user leaves a NAS without logging out, and then tries to connect to another NAS. The second NAS will ask for a new login, but freeradius will answer that the user is already logged in. The solution I am looking for is that a user can only have one simultaneous login per NAS, but that the user can be logged in simultaneously on different NASes.
>>>
>>> reg Svend

-- 
Marcos Roberto Greiner
Optimists think we are living in the best of all possible worlds.
Pessimists fear that this is true.
Murphy
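To show what Roberto's per-NAS simul_count_query changes, here is an added example (not from the thread) that builds a constructed radacct table in SQLite and runs both the original and the per-NAS count for Svend's roaming case; the column names and sample rows are assumptions, and the FreeRADIUS %{...} expansions are replaced by SQL parameters.

```python
"""Added example: simulate FreeRADIUS's Simultaneous-Use count with the
original simul_count_query and with the per-NAS variant from the thread.
The table layout and rows are constructed for this demo only."""
import sqlite3

# Constructed subset of the radacct columns the two queries touch.
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY,
    username      TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    acctstarttime INTEGER NOT NULL,
    acctstoptime  INTEGER NOT NULL DEFAULT 0   -- 0 == session still open
);
"""

# Constructed accounting rows: user1 has an open session on NAS1 (the NAS
# never sent Accounting-Stop) and an already closed one on NAS2.
ROWS = [
    (1, "user1", "10.0.0.1", 1000, 0),
    (2, "user1", "10.0.0.2", 900, 950),
    (3, "user2", "10.0.0.2", 1100, 0),
]

# Original sql.conf query: counts open sessions for the user on any NAS.
GLOBAL_QUERY = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = ? AND acctstoptime = 0"
)
# Per-NAS variant: only open sessions on the NAS that is asking now.
PER_NAS_QUERY = GLOBAL_QUERY + " AND nasipaddress = ?"


def open_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def simul_count(db, user, nas_ip, per_nas):
    """Session count FreeRADIUS would compare against Simultaneous-Use."""
    if per_nas:
        return db.execute(PER_NAS_QUERY, (user, nas_ip)).fetchone()[0]
    return db.execute(GLOBAL_QUERY, (user,)).fetchone()[0]


def allowed(db, user, nas_ip, simultaneous_use=1, per_nas=True):
    """True if a new login from nas_ip stays under the configured limit."""
    return simul_count(db, user, nas_ip, per_nas) < simultaneous_use


if __name__ == "__main__":
    db = open_db()
    # Svend's case: user1 roams to NAS2 without logging out of NAS1.
    print("global :", allowed(db, "user1", "10.0.0.2", per_nas=False))  # False
    print("per-NAS:", allowed(db, "user1", "10.0.0.2", per_nas=True))   # True
```

The stale open row on NAS1 still blocks a second login on NAS1 itself, so the per-NAS query changes only the cross-NAS behaviour Svend asked about.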
Re: freeradius + ad
Alexsander wrote:
> alan, did you already see freeradius work with active directory?? do you have some example file?

http://deployingradius.com/documents/configuration/active_directory.html

BUT if you have ntlm_auth working from the command line, 99% of the work is done.

Again, if ntlm_auth is telling the server that the MSCHAP authentication was invalid, then there isn't much that can be done to fix that.

Alan DeKok.
Re: freeradius + ad
alan, did you already see freeradius work with active directory?? do you have some example file? tkx

On 8/31/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Alexsander wrote:
>> yes, i took it from the site freeradius.org, version 1.1.7, is correct?
>
> Yes... the changes in 1.1.2 (or so) mean that the entire command line isn't being printed out. That should be fixed.
>
> In the mean time, ntlm_auth is telling the server that the MSCHAP authentication was invalid. There isn't much that can be done to fix that.
>
> Alan DeKok.

-- 
Alexsander A. Rodrigues
If you had to identify, in one word, the reason why the human race has not yet reached (and never will reach) its full potential, that word would be MEETINGS. L.F.V.
http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=413267
checkitem problem
I get an attribute/value from AD via freeradius and want this as a check item in another module. Therefore I added

checkItem User-Password primaryGroupID :=

to ldap.attrmap and have the following users file:

DEFAULT User-Password == "wrong"
 Service-Type = Framed-User,
 Tunnel-Type:1 = VLAN,
 Tunnel-Medium-Type:1 = IEEE-802,
 Tunnel-Private-Group-ID = VL-SBS-AD02-0001,

DEFAULT User-Password == "515"
 Service-Type = Framed-User,
 Tunnel-Type:1 = VLAN,
 Tunnel-Medium-Type:1 = IEEE-802,
 Tunnel-Private-Group-ID = VL-SBS-AD02-0002,

radiusd -AX says:

...
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding primaryGroupID as User-Password == 515

The 515 is from AD and to me it seems to be what I expect.

rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/28tef004.ww006.mycompany.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 11
users: Matched entry DEFAULT at line 2

Now I would assume User-Password == 515 is added to the list of check items. Nevertheless the first DEFAULT entry of the users file is taken. What am I missing? The complete typescript is at http://www.wegener-net.de/freeradius/typescript

Thanks
Norbert Wegener
Re: checkitem problem
Norbert Wegener wrote:
> DEFAULT User-Password == "wrong"

Repeat after me: Cleartext-Password :=

Fix this everywhere. Then try it again.

Alan DeKok.
Re: checkitem problem
Alan DeKok wrote:
> ...
> Repeat after me: Cleartext-Password :=

If it helps :-) Before posting I tried nearly everything, including the use of Cleartext-Password := in ldap.attrmap and the users file. Unfortunately the result was always the same ...

add checkItem Cleartext-Password primaryGroupID := to ldap.attrmap

users:

DEFAULT Cleartext-Password := "wrong"
 Service-Type = Framed-User,
 Tunnel-Type:1 = VLAN,
 Tunnel-Medium-Type:1 = IEEE-802,
 Tunnel-Private-Group-ID = VL-SBS-AD02-0001,

DEFAULT Cleartext-Password := "515"
 Service-Type = Framed-User,
 Tunnel-Type:1 = VLAN,
 Tunnel-Medium-Type:1 = IEEE-802,
 Tunnel-Private-Group-ID = VL-SBS-AD02-0002,

radiusd -AX (1.1.7)

...
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding primaryGroupID as Cleartext-Password == 515
rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/28tef004.ww006.mycompany.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 11
users: Matched entry DEFAULT at line 2
.

Again, the complete output is at http://www.wegener-net.de/freeradius/typescript

> Fix this everywhere. Then try it again.
>
> Alan DeKok.
MOTP with freeradius
Hi Gents,

I've configured MOTP successfully with xtradius. This way I can do an OTP check with a password generated on my mobile (with a Java script). See http://motp.sourceforge.net for more information.

Now I would like to build this functionality with freeradius. I've read that Exec-Program-Wait is ending, so I would like to follow procedures and start with rlm_exec. I've read information about it, but find it very poorly documented on the freeradius site, so I hope that someone else also bumped into this startup, or maybe an implementation of otpverify.

First, my setup worked with this users config file, and some other files to declare some options:

---
DEFAULT Auth-Type = External
 Exec-Program-Wait = /usr/local/bin/otpverify.sh %u %w %S %P %O,
 Fall-Through = Yes
#
# Users
#
test1 Secret = 34963495834, PIN = 1234, Offset = 3600
---

There was also an execparams file which contained the options for otpverify:

---
User-Name u
Password w
Secret S
PIN P
Offset O
---

I understand that I must configure something like this in radiusd.conf:

---
modules {
 exec otpverify {
 wait = yes
 program = /usr/local/bin/otpverify.sh %u %w %S %P %O
 input_pairs = request
 output_pairs = reply
 }
}
---

I think that I miss the basic info, being stuck on the basic points of:
- How do I handle the options needed for otpverify.sh (username / password / secret / PIN / offset)?
- How do I call this script for a user?

Regards,
Gaston
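As an added illustration of what the otpverify script called above has to do (this is not Gaston's script nor the motp project's code), here is a minimal verifier taking the same five arguments (%u %w %S %P %O = user, password, secret, PIN, offset); it assumes the mOTP token is the first 6 hex digits of md5(<epoch seconds / 10> + secret + PIN), accepted within a +-3 minute window, that Offset is a per-user clock skew in seconds, and that rlm_exec treats exit code 0 as accept.

```python
"""Added example: an otpverify-style checker for rlm_exec (assumptions:
mOTP token = md5(str(epoch // 10) + secret + pin)[:6]; Offset is a clock
skew in seconds; exit status 0 means accept).  Constructed, not from motp."""
import hashlib
import hmac
import sys
import time

WINDOW = 18  # +-3 minutes expressed in 10-second steps (assumption)


def motp_token(epoch: int, secret: str, pin: str) -> str:
    """Token for the 10-second period containing epoch (assumed algorithm)."""
    period = str(epoch // 10)
    return hashlib.md5((period + secret + pin).encode()).hexdigest()[:6]


def verify(password: str, secret: str, pin: str, offset: int = 0,
           now=None, window: int = WINDOW) -> bool:
    """True if password equals a token within +-window periods of now+offset."""
    if len(password) != 6:
        return False
    base = (int(time.time()) if now is None else now) + offset
    for step in range(-window, window + 1):
        candidate = motp_token(base + 10 * step, secret, pin)
        # Constant-time compare so timing does not reveal matching digits.
        if hmac.compare_digest(candidate, password.lower()):
            return True
    return False


def main(argv) -> int:
    """rlm_exec entry point: argv = [user, password, secret, pin, offset]."""
    if len(argv) != 5:
        print("usage: otpverify USER PASSWORD SECRET PIN OFFSET", file=sys.stderr)
        return 1
    user, password, secret, pin, offset = argv
    ok = verify(password, secret, pin, int(offset))
    # With output_pairs = reply, attribute lines on stdout become reply items.
    print('Reply-Message = "OTP %s for %s"' % ("accepted" if ok else "rejected", user))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A real deployment would also have to store the last accepted token per user so the same one cannot be replayed inside the window.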
Freeradius help
Hi all,

I have installed a freeradius server and it works perfectly... Now, I want to play with the Session-Timeout attribute. I want to set that value according to the NAS to which the client is connected. For instance, let us assume a user connects himself to a Group1 NAS and has X seconds session-timeout. But if he were connected to a Group2 NAS, he would have X-10 seconds session-timeout.

Finally, what I want is:
1) to run a script that sets a session-timeout value according to the NAS IP address.
2) to run a script when the user logs out (when the session-timeout attribute is updated).

But I don't know how to do so... I thought about launching scripts, but if you have a better solution, I'll take it heartily.

Thanks a lot.

ps: I sent that mail but it has not been posted; if it has been posted, sorry in advance...
Re: Freeradius help
You can set up DEFAULT entries in the users file:

DEFAULT NAS-IP-Address == NAS1IP
 Session-Timeout = X

Same thing for NAS2.

Ivan Kalik
Kalik Informatika ISP

On 31/8/2007, Khaldon manIP [EMAIL PROTECTED] wrote:
> [the question above]
Proxy accounting information in a diffrect table
How do you configure freeradius to receive accounting information from a proxy radius server? Is it possible to store this accounting information in a different table in a postgresql database?

Thanks
Re: Several login-service attribut in reply message
> Hi, I just want to put several login-service in an access-accept packet. If I try this in the users file:
>
> login_user Auth-Type := Local, User-Password == pass_user
>  login-service = 50,
>  login-service = telnet,
>  Fall-Through = no
>
> It sends an Access-Accept with only one attribute: login-service = telnet
>
> But if I put this in the attrs file with the rlm_filter module:
>
> DEFAULT login-service := telnet, login-service := 50

err, that's because your attributes are different! use the same attributes in your users file.

and which version of FR by the way? User-Password == is quite wrong these days. should be Cleartext-Password :=

alan
RE: freeradius + ad
I did not get clearly where to configure the secret other than the /usr/local/etc/raddb/clients.conf file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 31, 2007 2:39 PM
To: FreeRadius users mailing list
Subject: RE: freeradius + ad

> Whether the password given in Users file is a Encrypted password or normal?

Cleartext-Password is normal.

> Whether the secret which I am configuring in clients.conf should be configured anywhere else?

On a client which is sending radius packets. With the server's IP address.

> All these files should be configured in the path /usr/local/etc/xxx.conf. Is this right?

Path is /usr/local/etc/raddb/ by default.

Ivan Kalik
Kalik Informatika ISP
RE: freeradius + ad
I have taken the 1.1.6 version. I am not very clear on configuring the files. First we are going to do dummy testing. What are the changes to be done on client and server configurations? Can we give a file name as the argument on the command line while using radtest? If so, how to use it?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, August 31, 2007 10:39 AM
To: FreeRadius users mailing list
Subject: Re: freeradius + ad

Alexsander wrote:
> yes, i took it from the site freeradius.org, version 1.1.7, is correct?

Yes... the changes in 1.1.2 (or so) mean that the entire command line isn't being printed out. That should be fixed.

In the mean time, ntlm_auth is telling the server that the MSCHAP authentication was invalid. There isn't much that can be done to fix that.

Alan DeKok.