FreeRadius between VPN Users and Safeword/RSA Servers
Hi,

I need to configure FreeRADIUS (as a proxy) to forward the authentication request to the Safeword and RSA servers for AT&T VPN users, based on a user@norealm and user@realm condition.

  Users -> VPN -> FreeRADIUS -> Safeword / RSA

Example:

  user           -> VPN -> FreeRADIUS (no realm, so nostrip) and pass the authentication to the Safeword servers.
  u...@ab.abc.com -> VPN -> FreeRADIUS (strip realm name) and pass the authentication to the RSA servers.

How do I configure FreeRADIUS as a proxy to achieve this?

Also I need to configure 2 FreeRADIUS (proxy) servers to achieve high availability; can I configure the same on both servers?

If the above is not possible, can I use an NPS RADIUS proxy to achieve this? In that case, where should I place FreeRADIUS: between the VPN and NPS, or between NPS and Safeword? My Safeword does not support EAP, so I cannot achieve this by having the NPS RADIUS proxy forward the request directly to Safeword.

Thank you in advance.
Nair

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius failover-through proxy or other way?
I'm really a beginner in the freeradius realm, and in advance sorry if the question is immature...

After reading all of the freeradius wiki, it is still not clear to me whether it is possible to do failover through a proxy, and how to organize the things that I want to accomplish. Explanation follows.

Now I have the following setup:

  node 1 - NAS (pptp, openvpn) -> server 2 (freeradius + mysql as backend)

I read in the documentation about 2 or 3 mysql DBs and how to do fail-over, load-balancing and redundancy, but if I do it like that, when the freeradius server fails the whole setup is down.

I want to add another node as a second NAS, so things will become like this:

  node 1 - NAS (pptp, openvpn) -> server 2 AAA (freeradius+mysql)
  node 3 - NAS (l2tp)          -^

I want to have redundancy in case server 2 AAA (freeradius + mysql as backend) fails: a second server 4 AAA takes over with exactly the same setup (freeradius + mysql backend). Should I use a freeradius proxy on every node??? Other solution?

So things need to become like this:

  node 1 - NAS (+freeradius proxy?) --| Internet |--- server 2 master (freeradius+mysql, location ex. US)
  node 3 - NAS (+freeradius proxy?) --| Internet |--- server 4 slave  (freeradius+mysql, location ex. EU)

I want to have the mysql DB updated (to have a mirror copy) on both servers 2 and 4 in real time.

The purpose of this setup is redundancy: if one of the AAA servers is down, the other one takes over without impact on nodes 1 and 3 (a temporary user disconnect is acceptable).

Or maybe there is another way to do so? Any advice is welcome; corrections or hints, anything that can help me see better :)

Best Regards,
Martin
Re: SQL Counter Escape String !
Hi Alan,

Did you manage to look into the issue? Or maybe any hints on how to use DATETIME in Expiration instead of a String?

Regards
Suman

On 3/15/2011 4:04 PM, Suman Dash wrote:
> Dear Alan,
>
> I have not removed any debug messages. I will try to put everything once again. I was not aware that I sent you a mail. I am having a nightmare and accidentally I clicked Send All instead of selecting the mailing list.
>
>   sqlcounter monthlycounter {
>       counter-name = Monthly-Session-Time
>       check-name = Max-Monthly-Session
>       reply-name = Session-Timeout
>       sqlmod-inst = sql
>       key = User-Name
>       reset = never
>       query = SELECT SUM(acctsessiontime) FROM tbl_acct where \
>           username = '%{%k}' AND acctstarttime BETWEEN \
>           (SELECT STR_TO_DATE((SELECT value FROM tbl_check \
>           WHERE username = '%{%k}' AND attribute = 'Activation'), 'd M Y H:i:s')) \
>           AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check WHERE username = '%{%k}' \
>           AND attribute = 'Expiration'), 'd M Y H:i:s'))
>   }
>
> DEBUG
>
>   Listening on authentication address * port 1812
>   Listening on accounting address * port 1813
>   Listening on proxy address * port 1814
>   Ready to process requests.
>   rad_recv: Access-Request packet from host 122.175.85.117 port 21658, id=10, length=59
>           User-Name = suman
>           User-Password = duman12
>           Calling-Station-Id = 001122334455
>   +- entering group authorize {...}
>   ++[preprocess] returns ok
>   ++[chap] returns noop
>   ++[mschap] returns noop
>   [suffix] No '@' in User-Name = suman, looking up realm NULL
>   [suffix] No such realm NULL
>   ++[suffix] returns noop
>   [eap] No EAP-Message, not doing EAP
>   ++[eap] returns noop
>   ++[unix] returns notfound
>   ++[files] returns noop
>   [sql]   expand: %{User-Name} -> suman
>   [sql] sql_set_user escaped user --> 'suman'
>   rlm_sql (sql): Reserving sql socket id: 3
>   [sql]   expand: SELECT id, username, attribute, value, op FROM tbl_check WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM tbl_check WHERE username = 'suman' ORDER BY id
>   [sql] User found in radcheck table
>   [sql]   expand: SELECT id, username, attribute, value, op FROM tbl_reply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM tbl_reply WHERE username = 'suman' ORDER BY id
>   [sql]   expand: SELECT groupname FROM tbl_usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM tbl_usergroup WHERE username = 'suman' ORDER BY priority
>   [sql]   expand: SELECT id, groupname, attribute, Value, op FROM tbl_groupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM tbl_groupcheck WHERE groupname = 'Biz1Mbps-UL' ORDER BY id
>   [sql] User found in group Biz1Mbps-UL
>   [sql]   expand: SELECT id, groupname, attribute, value, op FROM tbl_groupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM tbl_groupreply WHERE groupname = 'Biz1Mbps-UL' ORDER BY id
>   rlm_sql (sql): Released sql socket id: 3
>   ++[sql] returns ok
>   rlm_sqlcounter: Entering module authorize code
>   rlm_sqlcounter: Could not find Check item value pair
>   ++[dailycounter] returns noop
>   rlm_sqlcounter: Entering module authorize code
>   sqlcounter_expand: 'SELECT SUM(acctsessiontime) FROM tbl_acct where username = '%{User-Name}' AND acctstarttime BETWEEN (SELECT STR_TO_DATE((SELECT value FROM tbl_check WHERE username = '%{User-Name}' AND attribute = 'Activation'), '%0%0d %0%0M %0%0Y %0%0H:%0%0i:%0%0s')) AND (SELECT STR_TO_DATE((SELECT value FROM tbl_check WHERE username = '%{User-Name}' AND attribute = 'Expiration'), '%0%0d %0%0M %0%0Y %0%0H:%0%0i:%0%0s'))'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
>   [monthlycounter] WARNING: Unknown variable '%0': See 'doc/variables.txt'
Re: SQL Counter Escape String !
Suman Dash wrote:
> Hi Alan,
> Did you manage to look into the issue?

No.

> Or maybe any hints on how to use DATETIME in Expiration instead of a String?

Honestly, in 2.1.10, you can just write SELECT statements directly in unlang.

  update reply {
      Session-Timeout := "%{sql: SELECT ...}"
  }

Couple that with a few other things, and you should be able to replace the sqlcounter module entirely. i.e. I don't use that module, and I know little or nothing about it. I have little time to do anything with it.

Alan DeKok.
Re: SQL Counter Escape String !
Much thanks Alan, that was some really good advice on how to make the thing work.

So now I have to write an unlang statement in preprocess so that it directly gives the Session-Timeout. Please correct me if I am wrong.

Thanks again
Re: freeradius failover-through proxy or other way?
Martin Lambev wrote:
> After reading all of the freeradius wiki, it is still not clear to me whether it is possible to do failover through a proxy, and how to organize the things that I want to accomplish. Explanation follows.

See raddb/proxy.conf.

> Now I have the following setup:
>
>   node 1 - NAS (pptp, openvpn) -> server 2 (freeradius + mysql as backend)
>
> I read in the documentation about 2 or 3 mysql DBs and how to do fail-over, load-balancing and redundancy, but if I do it like that, when the freeradius server fails the whole setup is down.

Exactly.

> I want to add another node as a second NAS, so things will become like this:
>
>   node 1 - NAS (pptp, openvpn) -> server 2 AAA (freeradius+mysql)
>   node 3 - NAS (l2tp)          -^
>
> I want to have redundancy in case server 2 AAA (freeradius + mysql as backend) fails: a second server 4 AAA takes over with exactly the same setup (freeradius + mysql backend). Should I use a freeradius proxy on every node??? Other solution?
>
> So things need to become like this:

The NASes should do fail-over by listing a primary and a secondary RADIUS server.

>   node 1 - NAS (+freeradius proxy?) --| Internet |--- server 2 master (freeradius+mysql, location ex. US)
>   node 3 - NAS (+freeradius proxy?) --| Internet |--- server 4 slave  (freeradius+mysql, location ex. EU)
>
> I want to have the mysql DB updated (to have a mirror copy) on both servers 2 and 4 in real time.
>
> The purpose of this setup is redundancy: if one of the AAA servers is down, the other one takes over without impact on nodes 1 and 3 (a temporary user disconnect is acceptable).

See raddb/sites-enabled/copy-acct-to-home-server

> Or maybe there is another way to do so?

There are lots of ways to do it.

Alan DeKok.
The story of PAP, CHAP and the blank password
Greetings all,

Instead of auth'ing a user on the 'User-Name' / 'Cleartext-Password' method we are using the 'Calling-Station-Id' with a blank password.

  ...
  # /etc/freeradius/sql/mysql/dialup.conf
  sql_user_name = %{Calling-Station-Id}
  ...

We are using a mysql backend. Here are a few challenges that came up:

Using PAP:

* The blank password transmitted is picked up by the RADIUS as "void" (an actual string value of 4 characters)
* To authenticate the 'blank password' the radcheck is set to [ user123 | Cleartext-Password | := | void ]
* Here are snippets of a successful connection:

  ...
  rad_recv: Access-Request packet from host x.x.x.x port 57772, id=75, length=156
          User-Name = void
          User-Password = void
          NAS-IP-Address = x.x.x.x
          NAS-Identifier = rbggs2
          Called-Station-Id = apn.xxx.net
          Framed-Protocol = GPRS-PDP-Context
          Service-Type = Framed-User
          NAS-Port-Type = Virtual
          NAS-Port = 230647144
          Calling-Station-Id = 00121231234
          3GPP-PDP-Type = 0
          3GPP-SGSN-Address = x.x.x.x
          3GPP-GGSN-Address = x.x.x.x
  +- entering group authorize {...}
  ...
  ++[pap] returns updated
  Found Auth-Type = PAP
  +- entering group PAP {...}
  [pap] login attempt with password void
  [pap] Using clear text password void
  [pap] User authenticated successfully
  ++[pap] returns ok
          expand: The elders of the internet have granted you access -> The elders of the internet have granted you access
  Login OK: [void/void] (from client XXX_APN port 230647144 cli 00121231234)
  The elders of the internet have granted you access
  +- entering group post-auth {...}
  ...

Using CHAP:

* The blank password transmitted is picked up by the RADIUS as a challenge
* To authenticate the 'blank password' the radcheck is set to [ user123 | Cleartext-Password | := | ]
* Here are snippets of a successful connection:

  rad_recv: Access-Request packet from host x.x.x.x port 50312, id=67, length=175
          User-Name = void
          CHAP-Challenge = 0x48e2fc18c8f16b825cc4ce7c06b4bdea
          CHAP-Password = 0x012a6931a816773e44873124ecd7701e57
          NAS-IP-Address = x.x.x.x
          NAS-Identifier = rbggs2
          Called-Station-Id = apn.xxx.net
          Framed-Protocol = GPRS-PDP-Context
          Service-Type = Framed-User
          NAS-Port-Type = Virtual
          NAS-Port = 123703984
          Calling-Station-Id = 00121231234
          3GPP-PDP-Type = 0
          3GPP-SGSN-Address = x.x.x.x
          3GPP-GGSN-Address = x.x.x.x
  +- entering group authorize {...}
  ...
  ++[logintime] returns noop
  [pap] No clear-text password in the request. Not performing PAP.
  ++[pap] returns noop
  WARNING: Please update your configuration, and remove 'Auth-Type = Local'
  WARNING: Use the PAP or CHAP modules instead.
  CHAP-Password is correct.
          expand: The elders of the internet have granted you access -> The elders of the internet have granted you access
  Login OK: [void/CHAP-Password] (from client XXX_APN port 100795256 cli 00121231234)
  The elders of the internet have granted you access
  +- entering group post-auth {...}
  ...

Is the transmission of the 'blank password' the responsibility of the NAS, or can the password be manipulated in the FR settings / configs?

Thanks
Wynand
Re: The story of PAP, CHAP and the blank password
Hi,

> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.

I'd follow that advice. FR knows what to do when it sees suitable things.

Anyway, the 'void' is being sent by the NAS - and it's being sent CHAP'd too.

Can your kit not do the usual naff thing of sending the CSI as the password, so you just have a simple pair 00121231234:00121231234? That's what's usually done in these sorts of 'just let them on' environments.

alan
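An added example, not code from this thread: a Python walk-through of what the NAS and server do in both halves of the story, RFC 2865 User-Password hiding for the PAP case and RFC 1994 CHAP response computation for the CHAP case, plus a check that tells which cleartext (an empty string or a literal placeholder) a captured CHAP-Password actually corresponds to. The CHAP-Challenge is the one quoted in the post; the shared secret and Request Authenticator are constructed.

```python
import hashlib
import hmac

# Sample values. CHAP_CHALLENGE is the value quoted in the post above; the
# shared secret and Request Authenticator are constructed for this example.
CHAP_CHALLENGE = bytes.fromhex("48e2fc18c8f16b825cc4ce7c06b4bdea")
SHARED_SECRET = b"testing123"             # constructed
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; normally 16 random octets


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: the PAP User-Password attribute as sent on the wire.

    The cleartext is NUL-padded to a multiple of 16 octets and each block is
    XORed with MD5(secret || previous cipher block); the first block uses the
    Request Authenticator.  An empty password is sent as one all-zero block.
    """
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as the server does before the pap module
    compares against Cleartext-Password.  Anyone holding the shared secret and
    the packet can do the same, so PAP is only as private as the NAS<->RADIUS
    path.  Trailing NULs are padding and are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value: one octet CHAP Ident followed by the 16-octet
    response, the 17-octet layout of the 0x012a69... value quoted above."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, known_password: bytes) -> bool:
    """The check the chap module performs against the stored Cleartext-Password."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], known_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def which_password_was_used(chap_password: bytes, challenge: bytes, candidates):
    """Return the first candidate cleartext that verifies, or None.  Handy for
    telling whether a NAS really CHAP'd an empty string or a placeholder."""
    for cand in candidates:
        if verify_chap(chap_password, challenge, cand):
            return cand
    return None


def blank_chap_is_challenge_only(challenge: bytes, ident: int = 1) -> bool:
    """With Cleartext-Password := '' the expected response is just
    MD5(ident || challenge): no secret enters the hash, so anyone who saw the
    challenge can produce a valid CHAP-Password, and the only gate left is the
    Calling-Station-Id lookup."""
    return chap_response(ident, b"", challenge) == hashlib.md5(bytes([ident]) + challenge).digest()


if __name__ == "__main__":
    hidden = hide_user_password(b"void", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("PAP User-Password on the wire:", hidden.hex())
    print("recovered with the shared secret:",
          reveal_user_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    attr = chap_password_attribute(1, b"void", CHAP_CHALLENGE)
    print("CHAP-Password for 'void':", "0x" + attr.hex())
    print("matching candidate:", which_password_was_used(attr, CHAP_CHALLENGE, [b"", b"void"]))
    print("blank CHAP needs no secret:", blank_chap_is_challenge_only(CHAP_CHALLENGE))
```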
Accounting - Acct-Interim-Interval
Greetings,

* We have added the attribute Acct-Interim-Interval = 150 to the radgroupreply
* However we are not getting accounting packets back on a 150 sec frequency
* We are getting the accounting packets on the start and stop of the connection
* The reporting back (accounting packets), is that the responsibility of the NAS / RADIUS / Client?

Thanks
Wynand
Re: Accounting - Acct-Interim-Interval
On 16/03/11 11:15, Wynand Meijer wrote:
> Greetings,
>
> * We have added the attribute Acct-Interim-Interval = 150 to the radgroupreply

Ok. That's a lot shorter than most people set (300 is common, 1800 in some cases) but it's legal. It MUST NOT be < 60.

> * However we are not getting accounting packets back on a 150 sec frequency

Are you sure the Acct-Interim-Interval is actually being sent in the reply? Have you checked by running under debug mode, or with a packet sniffer?

> * We are getting the accounting packets on the start and stop of the connection

Are you sure the NAS supports interim accounting?

> * The reporting back (accounting packets), is that the responsibility of the NAS / RADIUS / Client?

The NAS.
Re: Accounting - Acct-Interim-Interval
Phil Mayers wrote:
>> * The reporting back (accounting packets), is that the responsibility of the NAS / RADIUS / Client?
>
> The NAS.

Blame the NAS for *everything*. :)

Alan DeKok.
Re: The story of PAP, CHAP and the blank password
Thanks for the feedback,

We have made contact with the NAS 'provider' and requested they resolve the issue by replacing the string "void" with nothing. As the passed string is the 'cause' of the problem we would rather they fix it than we try and hack around it.

If these errors keep persisting we will look into a solution as you suggested, like 00121231234:00121231234 or 00121231234:

Thanks
Wynand
SQL Unlang !
I am looking for a short example on how to store a SQL query result in a variable which can be used in the next condition in unlang. I have no knowledge of unlang but I got a fair amount of idea with the condition checks; I just need a little insight on storing the results.

For example:

  result1 = {some sql query}
  result2 = {some sql query}
  update control {
      Session-Timeout := Result1 - Result2
  }

Thanks in advance
Suman
Re: The story of PAP, CHAP and the blank password
Hi,

I need a doc/pointer on a FreeRADIUS + OpenLDAP + Mobile-OTP configuration. I would be implementing this on a SuSE server. Can anyone help me with how to do it?

Regards,
Neo
Re: SQL Unlang !
On 16/03/11 12:44, Suman Dash wrote:
> I am looking for a short example on how to store a SQL query result in a variable which can be used in the next condition in unlang. I have no knowledge of unlang but I got a fair amount of idea with the condition checks; I just need a little insight on storing the results.

FreeRadius comes with several Tmp-X variables defined (see dictionary.freeradius.internal) or you can define your own. e.g.

  authorize {
      ...
      update request {
          Tmp-Integer-0 := "%{sql: ...}"
      }
      update request {
          Tmp-Integer-1 := "%{sql: ...}"
      }
      update reply {
          Session-Timeout := "%{expr: %{Tmp-Integer-0} - %{Tmp-Integer-1}}"
      }
      ...
  }

Or do the maths in the SQL query itself.
Re: The story of PAP, CHAP and the blank password
On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
> Hi,
>
> I need a doc/pointer on a FreeRADIUS + OpenLDAP + Mobile-OTP configuration. I would be implementing this on a SuSE server. Can anyone help me with how to do it?
>
> Regards,
> Neo

I thought there was a link to a how-to for this on the mobile-otp website. I am getting ready to do it here as well with Redhat.

Cheers,
Ken
(Fwd) Seg Fault - 3.0
--- Forwarded message follows ---
From:       Breuer Nicolas nicolas.bre...@belcenter.biz
To:         freeradius-de...@lists.freeradius.org
Subject:    Seg Fault - 3.0
Date sent:  Wed, 16 Mar 2011 15:23:22 +0100

Hello

I discovered a seg fault on the release 3.0 on the GIT server. It seems to happen on the first auth.

  (30) Login OK: [XXX] (from client XXX)
  (30) # Executing section post-auth from file /etc/XXX.conf
  (30) +- entering group post-auth {...}
  (30) ++? if (reply:Framed-IP-Address)
  (30) ? Evaluating (reply:Framed-IP-Address) -> FALSE
  (30) ++? if (reply:Framed-IP-Address) -> FALSE
  (30) ++- entering else else {...}
  rlm_sql (ACCOUNTING-01): Reserving sql socket id: 14
  (30) [IP-POOLING-01]   expand: %{User-Name} -> XXX
  (30) [IP-POOLING-01] sql_set_user escaped user --> 'XXX'
  (30) [IP-POOLING-01]   expand: BEGIN -> BEGIN
  (30) [IP-POOLING-01]   expand: COMMIT -> COMMIT
  (30) [IP-POOLING-01]   expand: SELECT ip_address FROM radippool WHERE pool_name = '%{reply:Pool-Suffix}*%{Huntgroup-Name}' AND expiry_time < NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE -> SELECT ip_address FROM radippool WHERE pool_name = 'BC*' AND expiry_time < NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE
  Segmentation fault

I see the expand of the variable Huntgroup-Name didn't get any value... Maybe the reason for the seg fault?

--- End of forwarded message ---
Re: (Fwd) Seg Fault - 3.0
Breuer Nicolas wrote:
> ...
>   Segmentation fault

See doc/bugs

> I see the expand of the variable Huntgroup-Name didn't get any value... Maybe the reason for the seg fault?

We don't know. You need to supply more information for us to know.

Alan DeKok.
Help required in Free Radius Debug Output
Hi,

I am using FreeRADIUS version 1.1.7 on Ubuntu 9.1. After installation I tried to check it by editing the users file (/etc/freeradius/users), typing the following at the top and saving it:

  testing Cleartext-Password := password

Next I did:

  radtest testing password 127.0.0.1 0 testing123

and the following is my debug output:

  Packet 0
  rad_recv: Access-Request packet from host 127.0.0.1:45704, id=54, length=59
          User-Name = testing
          User-Password = password
          NAS-IP-Address = 255.255.255.255
          NAS-Port = 0
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
      rlm_realm: No '@' in User-Name = testing, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
      users: Matched entry DEFAULT at line 153
    modcall[authorize]: module files returns ok for request 0
  rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    modcall[authorize]: module pap returns noop for request 0
  modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type System
  auth: type System
    Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 0
    modcall[authenticate]: module unix returns notfound for request 0
  modcall: leaving group authenticate (returns notfound) for request 0
  auth: Failed to validate the user.
  Delaying request 0 for 1 seconds
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Sending Access-Reject of id 54 to 127.0.0.1 port 45704
  Waking up in 4 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 54 with timestamp 4d80c9e9
  Nothing to do. Sleeping until we see a request.
Re: Help required in Free Radius Debug Output
hi,

you haven't given the full output of radiusd -X

you also appear to have done more than just add that user to the users file - something is setting the authentication to 'System'. Do you have some

  DEFAULT Auth-Type = System

at line 153 of the users file?

alan
problems with mac auth and huntgroups
Hi,

I'm using freeradius 2.1.10. I have set up MAC-based authentication like it's written here: http://wiki.freeradius.org/Mac-Auth

It works quite well. My problem now is that I want to combine that with huntgroups. I have put the following line in my /etc/raddb/huntgroups:

  radfiltuxmacs   NAS-IP-Address == 157.159.7.108, NAS-Port-Id == 19-21

and I have modified the authorized_macs this way:

  00188bd041e4    Huntgroup-Name == radfiltuxmacs
                  Tunnel-Type := VLAN,
                  Tunnel-Medium-Type := IEEE-802,
                  Tunnel-Private-Group-Id := 15,
                  Fall-Through = no

With the Huntgroup-Name it doesn't work. Here is the log:

  Wed Mar 16 16:19:55 2011 : Debug: [thread] Received Access-Request packet from host 157.159.7.108 port 1025, id=38, length=197
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     Framed-MTU = 1466
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     NAS-IP-Address = 157.159.7.108
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     NAS-Identifier = radfilsw
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     User-Name = 00188bd041e4
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     Service-Type = Framed-User
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     Framed-Protocol = PPP
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     NAS-Port = 20
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     NAS-Port-Type = Ethernet
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     NAS-Port-Id = 20
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     Called-Station-Id = 00-23-47-33-7e-ec
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     Calling-Station-Id = 00-18-8b-d0-41-e4
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     Connect-Info = CONNECT Ethernet 100Mbps Full duplex
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     CHAP-Password = 0x14d8e8e4d846868af6005c652fa9294207
  Wed Mar 16 16:19:55 2011 : Debug: [thread]     Message-Authenticator = 0x3f7d3084a4e8c0e1507b1b196132d645
  Wed Mar 16 16:19:55 2011 : Debug: [thread] # Executing section authorize from file /etc/raddb/sites-enabled/default
  Wed Mar 16 16:19:55 2011 : Debug: [thread] +- entering group authorize {...}
  Wed Mar 16 16:19:55 2011 : Debug: ++[preprocess] returns ok
  Wed Mar 16 16:19:55 2011 : Debug: ++- entering policy rewrite_calling_station_id {...}
  Wed Mar 16 16:19:55 2011 : Debug: +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
  Wed Mar 16 16:19:55 2011 : Debug: ? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
  Wed Mar 16 16:19:55 2011 : Debug: +++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
  Wed Mar 16 16:19:55 2011 : Debug: +++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...}
  Wed Mar 16 16:19:55 2011 : Debug:   expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 00188bd041e4
  Wed Mar 16 16:19:55 2011 : Debug: [request] returns ok
  Wed Mar 16 16:19:55 2011 : Debug: +++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok
  Wed Mar 16 16:19:55 2011 : Debug: +++ ... skipping else for request 0: Preceding if was taken
  Wed Mar 16 16:19:55 2011 : Debug: ++- policy rewrite_calling_station_id returns ok
  Wed Mar 16 16:19:55 2011 : Debug: ++? if (User-Name =~ /^%{Calling-Station-ID}$/i)
  Wed Mar 16 16:19:55 2011 : Debug:   expand: ^%{Calling-Station-ID}$ -> ^00188bd041e4$
  Wed Mar 16 16:19:55 2011 : Debug: ? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
  Wed Mar 16 16:19:55 2011 : Debug: ++? if (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
  Wed Mar 16 16:19:55 2011 : Debug: ++- entering if (User-Name =~ /^%{Calling-Station-ID}$/i) {...}
  Wed Mar 16 16:19:55 2011 : Debug: +++[control] returns ok
  Wed Mar 16 16:19:55 2011 : Debug: ++- if (User-Name =~ /^%{Calling-Station-ID}$/i) returns ok
  Wed Mar 16 16:19:55 2011 : Debug: [auth_log]   expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.7.108/auth-detail-20110316
  Wed Mar 16 16:19:55 2011 : Debug: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.7.108/auth-detail-20110316
  Wed Mar 16 16:19:55 2011 : Debug: [auth_log]   expand: %t -> Wed Mar 16 16:19:55 2011
  Wed Mar 16 16:19:55 2011 : Debug: ++[auth_log] returns ok
  Wed Mar 16 16:19:55 2011 : Debug: [chap] WARNING: Auth-Type already set. Not setting to CHAP
  Wed Mar 16 16:19:55 2011 : Debug: ++[chap] returns noop
  Wed Mar 16 16:19:55 2011 : Debug: ++[mschap] returns noop
  Wed Mar 16 16:19:55 2011 : Debug: [suffix] No '@' in User-Name = 00188bd041e4, looking up realm NULL
  Wed Mar 16 16:19:55 2011 : Debug: [suffix] Found realm NULL
  Wed
RE: Sending attribute with sub-attributes
OK, set up radsniff and am seeing the following Access-Accept:

  Access-Request Id 34  172.16.4.2:1812 -> 172.16.4.14:1812  +28.495
          User-Name = {sm=1}fa9855191e4832141998a03a7f827...@wimax.com
          EAP-Message = 0x020600d0158000c61603010086108200804b0afe388db371ab697ea9a00c4f4e8b
                        57cf5def239b801972d3bb8131d327e0a4f84a78b4e1084e4b27439fb7b025013b1950689de6
                        c28997f09b34694141e0f81def057e61e6a4c069def68c0160419fc68d332f001ad29adcb7fa
                        462ee8b9ad2bb4b99edd890f51c8bea74d42d0b8b5a860e83aa02ee4397fdff5948166601403
                        01000101160301003033b07664e55c63d8c752131c02235aaf88bda8e166ba71080c17335e52
                        01d3aecccae5019bbde607b9dcb08d05733047
          Message-Authenticator = 0xdf908effc4e4f5d3f7dfa19d28a9cca3
          NAS-Identifier = 4motion
          NAS-IP-Address = 172.16.4.2
          Calling-Station-Id = 00-26-82-CA-6D-B0
          WiMAX-BS-Id = 0xfff32901
          NAS-Port-Type = 27
          Framed-MTU = 2000
          Service-Type = Framed-User
          WiMAX-GMT-Timezone-offset = 0
          WiMAX-Release = 1.0
          WiMAX-Accounting-Capabilities = IP-Session-Based
          WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
          WiMAX-Attr-1793 = 0x028a
          State = 0x71bea04575b8b51c6b3e400a0b7eaac2
  Access-Challenge Id 34  172.16.4.14:1812 -> 172.16.4.2:1812  +28.500
          EAP-Message = 0x010700451580003b1403010001011603010030e524056fa3a81b105c96239b9e88d105
                        06e63b5a0b71257d6c3ddef0a93e0b1234af032a18ef2f0eff217596a2ec63a9
          Message-Authenticator = 0xdd2059b4ee01295ee23b010784ad8e82
          State = 0x71bea04574b9b51c6b3e400a0b7eaac2
  Access-Request Id 35  172.16.4.2:1812 -> 172.16.4.14:1812  +28.625
          User-Name = {sm=1}fa9855191e4832141998a03a7f827...@wimax.com
          EAP-Message = 0x020700c015001703010020af88796d54ff518c6fc9c4cbd7c870e75d4a301b57a650afc8f9
                        564a6472ed0f1703010090e532047e4b7e0af770e6aef6dba034560c7e3980c204d866559d96
                        aebe29311030c0e58ee6356857be034b68a6ca8ed2a80fc02273152f1cb692ba6b3da1335d4e
                        5dd60e726f8d522321d3af5afc7e0dece805e70aeb1d1f20ae5f05bd9a0df4280abc9769311b
                        b0d64f7653367fb4f9e75ac99b1faf8da602b174f4a4bc7d3eabe8692c6dc71301c44fdfad2c
                        854c48
          Message-Authenticator = 0xb1ceae83822d784a23d3e8614aca1367
          NAS-Identifier = 4motion
          NAS-IP-Address = 172.16.4.2
          Calling-Station-Id = 00-26-82-CA-6D-B0
          WiMAX-BS-Id = 0xfff32901
          NAS-Port-Type = 27
          Framed-MTU = 2000
          Service-Type = Framed-User
          WiMAX-GMT-Timezone-offset = 0
          WiMAX-Release = 1.0
          WiMAX-Accounting-Capabilities = IP-Session-Based
          WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
          WiMAX-Attr-1793 = 0x028a
          State = 0x71bea04574b9b51c6b3e400a0b7eaac2
  Access-Challenge Id 35  172.16.4.14:1812 -> 172.16.4.2:1812  +28.626
          EAP-Message = 0x0108005f15800055170301005062cea2e66a8eec902121e911deb72b6464b8ab4861b9
                        4730d4f9ccb21af518afe16c18f12f305041b2c6df60e6fdc02bad7849141eca3b6c3e27f9a1
                        2790af090615185f8270e3be4de91ec9343699c2
          Message-Authenticator = 0xebe75e60f6789cde3b7dce50e64516ad
          State = 0x71bea04577b6b51c6b3e400a0b7eaac2
  Access-Request Id 36  172.16.4.2:1812 -> 172.16.4.14:1812  +28.689
          User-Name = {sm=1}fa9855191e4832141998a03a7f827...@wimax.com
          EAP-Message = 0x020800061500
          Message-Authenticator = 0x5683416041e6648a72b51ef5d0d92c8e
          NAS-Identifier = 4motion
          NAS-IP-Address = 172.16.4.2
          Calling-Station-Id = 00-26-82-CA-6D-B0
          WiMAX-BS-Id = 0xfff32901
          NAS-Port-Type = 27
          Framed-MTU = 2000
          Service-Type = Framed-User
          WiMAX-GMT-Timezone-offset = 0
          WiMAX-Release = 1.0
          WiMAX-Accounting-Capabilities = IP-Session-Based
          WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
          WiMAX-Attr-1793 = 0x028a
          State = 0x71bea04577b6b51c6b3e400a0b7eaac2
  Access-Accept Id 36  172.16.4.14:1812 -> 172.16.4.2:1812  +28.690
          WiMAX-Attr-4381 = 0x010676707773020531323303040001
          WiMAX-Packet-Data-Flow-Id = 1
          WiMAX-Direction = Bi-Directional
          WiMAX-Transport-Type = Ethernet
          WiMAX-Uplink-QOS-Id = 1
          WiMAX-Downlink-QOS-Id = 1
          WiMAX-Attr-2844 = 0x01030202060001040303080600c8
          WiMAX-QoS-Id = 1
          WiMAX-Schedule-Type = Best-Effort
          WiMAX-Traffic-Priority = 4
          WiMAX-Maximum-Sustained-Traffic-Rate = 524288
          EAP-Message = 0x03080004
          Message-Authenticator = 0xd3e1212d3ef4d04b512b7212c58858f3
          User-Name = {sm=1}FA9855191E4832141998A03A7F827633
          WiMAX-MSK = 0x9dec7a253fe31755903407d2fac5130fa96e8fe4469dbb6d825fa7bc7f23a2a74fdba9a5d8
                      d2e0dbe34f89d54495895ce557134c92fe4fd2e9c8b9fb1bc90261f7865036ed45c03b5a4c61
                      73ac3d58afaff4

Is there more detail we can get from radsniff?

David
Seg Fault - 3.0 - More Info needed
Hello Alan,

Could you be precise about which info you need to go further?

Thanks

--- End of forwarded message ---

Hello

I discovered a Seg Fault on the release 3.0 on the GIT server. Seems happening on the first auth.

(30) Login OK: [XXX] (from client XXX)
(30) # Executing section post-auth from file /etc/XXX.conf
(30)   +- entering group post-auth {...}
(30)   ++? if (reply:Framed-IP-Address)
(30)   ? Evaluating (reply:Framed-IP-Address) -> FALSE
(30)   ++? if (reply:Framed-IP-Address) -> FALSE
(30)   ++- entering else else {...}
rlm_sql (ACCOUNTING-01): Reserving sql socket id: 14
(30)   [IP-POOLING-01] expand: %{User-Name} -> XXX
(30)   [IP-POOLING-01] sql_set_user escaped user --> 'XXX'
(30)   [IP-POOLING-01] expand: BEGIN -> BEGIN
(30)   [IP-POOLING-01] expand: COMMIT -> COMMIT
(30)   [IP-POOLING-01] expand: SELECT ip_address FROM radippool WHERE pool_name = '%{reply:Pool-Suffix}*%{Huntgroup-Name}' AND expiry_time NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE -> SELECT ip_address FROM radippool WHERE pool_name = 'BC*' AND expiry_time NOW() ORDER BY rand(), pool_name, expiry_time LIMIT 1 FOR UPDATE
Segmentation fault

I see the expand of variable Huntgroup-Name didn't get any values... Maybe the reason of the Seg fault?

--- End of forwarded message ---

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Sending attribute with sub-attributes
After some excellent tutelage from Mr. Wiechman, I am getting a different access-accept. However, it's showing Breezecom attributes which seem out of place.

Access-Accept Id 86 172.16.4.14:1812 -> 172.16.4.2:1812 +26.680
    Breezecom-Attr1 = vpws
    Breezecom-Attr1 = \000\000\000{
    Breezecom-Attr1 = \000\001
    WiMAX-Packet-Data-Flow-Id = 1
    WiMAX-Direction = Bi-Directional
    WiMAX-Transport-Type = Ethernet
    WiMAX-Uplink-QOS-Id = 1
    WiMAX-Downlink-QOS-Id = 1
    Breezecom-Attr11 = \000\000\000\002
    Breezecom-Attr11 = \000\000\000\001
    Breezecom-Attr11 = \003
    Breezecom-Attr8 = \000\000\000\310
    WiMAX-QoS-Id = 1
    WiMAX-Schedule-Type = Best-Effort
    WiMAX-Traffic-Priority = 4
    WiMAX-Maximum-Sustained-Traffic-Rate = 524288
    EAP-Message = 0x03080004
    Message-Authenticator = 0x8f55919c4b4c60477f2db19bb718991e
    User-Name = {sm=1}002C4FF731202A48C2F17C5DB5C47019
    WiMAX-MSK = 0x9981c3c5526316c7187b884c6877162d8158025a98d212500cfe1a9809fc011a7f12796947
        7a38a93b493304783d6cbb4b581f3a50a011fd04b78cba8b3f20caed618b15c1a23af3d1bb03
        4c6812d5ad822b

Is there another dictionary that is driving the Breezecom-Attr or does Freeradius just figure out it's Alvarion and assign that internally?
David

-----Original Message-----
From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org] On Behalf Of David Peterson
Sent: Wednesday, March 16, 2011 1:42 PM
To: FreeRadius users mailing list
Subject: RE: Sending attribute with sub-attributes

> [...]
Re: The story of PAP, CHAP and the blank password
On Wed, Mar 16, 2011 at 10:21 AM, Kenneth Marshall k...@rice.edu wrote:
> On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
>> Hi,
>> Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I would be implementing this in a SuSE server. Can any one help me how to do it?
>> Regards, Neo
>
> I thought there was a link to a how-to for this on the mobile-otp website. I am getting ready to do it here as well with Redhat.

Here's one that I did for the WiKID one-time password system. I bet that the first half on openldap and freeradius would be exactly the same:

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius/?searchterm=freeradius

HTH, Nick

> Cheers, Ken

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
same username different password on different NAS
I am just learning about freeradius now, and would like to see if I can use it to manage access and logging for users at a few hundred locations. Each remote office has between 1 and 50 users, and at first glance freeradius will do the job, but I just noticed a problem with overlapping usernames. I am not sure if I need to use virtual servers, or if there is a better / easier way.

The problem is that each location may have a user with the same login name as a different location. For a simple example, each site could have a login of manager, but the manager username at each site would probably pair up with a different password.

Without using virtual servers, is there a way to link the username manager to the NAS name or IP of the location? I'm picturing something like the radcheck table containing an additional field for NAS such that freeradius would key off the combination of NAS address and username fields, rather than just the username field.

I am not opposed to using virtual servers if that is a better idea, but I'm worried about the overhead of several hundred of them...

Any ideas or pointers to docs would be appreciated.

-Richard
Re: same username different password on different NAS
hi,

you have pretty much got the idea already - you have to pair the username with the NAS-IP-Address - in SQL with radcheck, in the users file by putting the correct matching description on the first line (as per examples).

alan
Re: same username different password on different NAS
Sounds like a configuration (a job for :) realms. Each location would be a different realm, so the seemingly overlapping username manager would in fact be a unique manager@realm-X.

Thoughts?

-craig

On Wednesday, March 16, 2011, Richard Thornton rtho...@yahoo.com wrote:
> [...]
Re: Seg Fault - 3.0 - More Info needed
Breuer Nicolas wrote:
> Hello Alan,
> Could you be precise about which info you need to go further?

Yes. I was precise. Read the file doc/bugs. This is documented. Follow the instructions there.

Alan DeKok.
Re: Sending attribute with sub-attributes
David Peterson wrote:
> After some excellent tutelage from Mr. Wiechman, I am getting a different access-accept. However, it's showing Breezecom attributes which seem out of place.

Edit the dictionary file, and delete the dictionary.alvarion reference.

Also, do git pull from the master branch. Some fixes went in today.

> Is there another dictionary that is driving the Breezecom-Attr or does Freeradius just figure out it's Alvarion and assign that internally?

Alvarion has ~3 incompatible vendor-specific dictionaries. And each is broken in weird and wonderful ways.

Alan DeKok.
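Added example for this thread (editorial addition, not code from the list or from FreeRADIUS): a defensive decoder for the TLV sub-attributes inside a WiMAX vendor attribute, run over the two WiMAX-Attr-* values from David's Id 36 Access-Accept. It assumes the WiMAX TLV layout (1-byte type, 1-byte length that counts its own two header bytes, then the value); the rendering of values as text or integers is the example's own heuristic, not something a dictionary defines. WiMAX-Attr-4381 decodes to three sub-attributes (vpws, 123, 1), which is consistent with the three Breezecom-Attr1 lines in the later Id 86 accept once another vendor's dictionary claimed the same bytes. WiMAX-Attr-2844, as captured, does not parse cleanly under that layout: its last TLV claims 8 bytes with only 5 left, so the decoder reports the offset instead of reading past the buffer.

```python
"""Decode the TLV sub-attributes carried inside a WiMAX vendor attribute value.

Added example, not code from the thread or from FreeRADIUS.  Assumed layout:
1-byte type, 1-byte length (header included), then the value.  describe()'s
text/integer/hex rendering is this example's heuristic only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class SubAttr:
    type: int
    value: bytes


def decode_tlvs(data: bytes) -> tuple[list[SubAttr], Optional[str]]:
    """Walk the TLV stream; return what decoded plus an error string (or None).

    A bad length never raises and never indexes past the buffer: the decoder
    stops at the offending TLV and reports where it stopped.
    """
    subs: list[SubAttr] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            return subs, f"truncated TLV header at offset {pos}"
        t, length = data[pos], data[pos + 1]
        if length < 2:
            return subs, f"type {t} at offset {pos} has illegal length {length}"
        if pos + length > len(data):
            return subs, (f"type {t} at offset {pos} claims {length} bytes, "
                          f"only {len(data) - pos} remain")
        subs.append(SubAttr(t, data[pos + 2:pos + length]))
        pos += length
    return subs, None


def describe(sub: SubAttr) -> Union[str, int]:
    """Printable ASCII as text, 1/2/4-byte values as big-endian integers, else hex."""
    v = sub.value
    if v and all(0x20 <= b < 0x7F for b in v):
        return v.decode("ascii")
    if len(v) in (1, 2, 4):
        return int.from_bytes(v, "big")
    return v.hex()


def decode_hex(hex_value: str) -> tuple[list[tuple[int, Union[str, int]]], Optional[str]]:
    """Decode a radsniff-style 0x... value into [(type, rendered value), ...] plus error."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    subs, err = decode_tlvs(raw)
    return [(s.type, describe(s)) for s in subs], err


# Values copied from the radsniff Access-Accept (Id 36) earlier in the thread.
WIMAX_ATTR_4381 = "0x010676707773020531323303040001"
WIMAX_ATTR_2844 = "0x01030202060001040303080600c8"

if __name__ == "__main__":
    for name, value in (("WiMAX-Attr-4381", WIMAX_ATTR_4381),
                        ("WiMAX-Attr-2844", WIMAX_ATTR_2844)):
        subs, err = decode_hex(value)
        print(name, subs, f"error: {err}" if err else "")
```

The length check is the part worth copying: a dictionary mismatch is harmless, but a parser that trusts a TLV length field and reads past the end of the attribute is not, so the decoder returns the partial result and the offset rather than raising or over-reading.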
Re: same username different password on different NAS
That gives me a good place to start. Sounds so much easier to manage. Much Thanks!

-Richard

From: Craig Campbell craig.campb...@ccraft.ca
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wed, March 16, 2011 2:44:01 PM
Subject: Re: same username different password on different NAS

> Sounds like a configuration (a job for :) realms. Each location would be a different realm, so the seemingly overlapping username manager would in fact be a unique manager@realm-X.
>
> Thoughts?
>
> -craig
>
> On Wednesday, March 16, 2011, Richard Thornton rtho...@yahoo.com wrote:
>> [...]
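Added example for this thread (editorial addition, not code from the list or from FreeRADIUS): a small model of the two answers above, alan's pairing of User-Name with NAS-IP-Address as a check item, and Craig's realm per site. The entries, addresses, passwords and reply items are constructed; the matching rule modelled is the one the users file uses (first entry whose name and check items all match wins, then the password is compared), and the realm variant strips the suffix the way rlm_realm does before matching on the stripped name plus a Realm attribute.

```python
"""Model of users-file matching keyed on User-Name plus NAS-IP-Address, with the
realm alternative beside it.

Added example, not code from the thread or from FreeRADIUS; all entries and
request values are constructed.  Rule modelled: the first entry whose name and
"==" check items all match is used, and only then is the password compared.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    name: str                  # User-Name to match; "DEFAULT" matches any name
    check: dict[str, str]      # request attributes that must be equal (the "==" check items)
    password: str              # Cleartext-Password := ...  (control item, not a check item)
    reply: dict[str, str] = field(default_factory=dict)


# Constructed site data: two sites, each with its own "manager", plus one roaming user.
USERS = [
    Entry("manager", {"NAS-IP-Address": "10.1.1.1"}, "alpha-secret", {"Filter-Id": "site-A"}),
    Entry("manager", {"NAS-IP-Address": "10.2.2.2"}, "bravo-secret", {"Filter-Id": "site-B"}),
    Entry("auditor", {}, "audit-secret", {"Filter-Id": "all-sites"}),
]


def find_entry(request: dict[str, str], entries=USERS) -> Optional[Entry]:
    """First entry whose name matches and whose check items all equal the request's."""
    name = request.get("User-Name")
    for e in entries:
        if e.name != "DEFAULT" and e.name != name:
            continue
        if all(request.get(attr) == val for attr, val in e.check.items()):
            return e
    return None


def authorize(request: dict[str, str], entries=USERS) -> tuple[bool, dict[str, str]]:
    """Look the user up, then check the PAP password; return (accepted, reply items)."""
    e = find_entry(request, entries)
    if e is None:
        return False, {}     # unknown user, or a known name arriving from the wrong NAS
    ok = hmac.compare_digest(e.password.encode(), request.get("User-Password", "").encode())
    return ok, (dict(e.reply) if ok else {})


# --- realm alternative: the realm, not the NAS address, tells the sites apart ---

def split_realm(user_name: str) -> tuple[str, Optional[str]]:
    """'manager@site-A' -> ('manager', 'site-A'); a bare name has no realm."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)


REALM_USERS = [
    Entry("manager", {"Realm": "site-A"}, "alpha-secret", {"Filter-Id": "site-A"}),
    Entry("manager", {"Realm": "site-B"}, "bravo-secret", {"Filter-Id": "site-B"}),
]


def authorize_by_realm(request: dict[str, str], entries=REALM_USERS) -> tuple[bool, dict[str, str]]:
    """Strip the realm, then match on the stripped name plus a Realm check item."""
    user, realm = split_realm(request.get("User-Name", ""))
    if realm is None:
        return False, {}     # no realm: refuse rather than guess which site's manager this is
    stripped = dict(request, **{"User-Name": user, "Realm": realm})
    return authorize(stripped, entries)
```

Two details carry over to the real configuration: a manager request from a NAS that has no entry is rejected, because no entry's check items match, and in the realm variant a request without a realm is rejected instead of falling through to some default site.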
Re: freeradius failover-through proxy or other way?
On 03/16/2011 07:00 PM, freeradius-users-requ...@lists.freeradius.org wrote:
> Today's Topics:
>
>    1. Re: SQL Counter Escape String ! (Alan DeKok)
>    2. Re: SQL Counter Escape String ! (Suman Dash)
>    3. Re: freeradius failover-through proxy or other way? (Alan DeKok)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 16 Mar 2011 11:39:54 +0100
> From: Alan DeKok al...@deployingradius.com
> Subject: Re: SQL Counter Escape String !
> To: su...@clydontech.com, FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 4d80937a.5010...@deployingradius.com
> Content-Type: text/plain; charset=ISO-8859-1
>
> Suman Dash wrote:
>> Hi Alan, Did you manage to look into the issue?
>
> No.
>
>> or maybe any hints on how to use DATETIME in Expiration instead of String?
>
> Honestly, in 2.1.10, you can just write SELECT statements directly in unlang.
>
>     update reply {
>         Session-Timeout := "%{sql: SELECT ...}"
>     }
>
> Couple that with a few other things, and you should be able to replace the sqlcounter module entirely. i.e. I don't use that module, and I know little or nothing about it. I have little time to do anything with it.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 2
> Date: Wed, 16 Mar 2011 16:13:49 +0530
> From: Suman Dash su...@clydontech.com
> Subject: Re: SQL Counter Escape String !
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 4d809465.2050...@clydontech.com
> Content-Type: text/plain; charset=iso-8859-1; Format=flowed
>
> Much thanks Alan, That was some really good advice on how to make the thing work. So now i have to write an unlang statement in preprocess so that it directly gives the Session-Timeout. Please correct me if i am wrong.
>
> Thanks Again
>
> On 3/16/2011 4:09 PM, Alan DeKok wrote:
>> [...]
>
> ------------------------------
>
> Message: 3
> Date: Wed, 16 Mar 2011 11:50:00 +0100
> From: Alan DeKok al...@deployingradius.com
> Subject: Re: freeradius failover-through proxy or other way?
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 4d8095d8.2080...@deployingradius.com
> Content-Type: text/plain; charset=ISO-8859-1
>
> Martin Lambev wrote:
>> After reading all wiki - freeradius, still is not clear to me, is it possible to do failover-through proxy, and how to organize the things that I want to accomplish. Explanation follows:
>
> See raddb/proxy.conf.
>
>> Now I have the following setup:
>>
>>     node 1 - NAS (pptp, openvpn) - server 2 (freeradius + mysql as backend)
>>
>> I read in the documentation about 2 or 3 mysql db and how to do fail-over, load-balancing and redundancy, but if I do it like that when the freeradius server fails, the whole setup is down.
>
> Exactly.
>
>> I want to add another node as second NAS so the things will become like this:
>>
>>     node 1 - NAS (pptp, openvpn) - server 2 AAA (freeradius+mysql)
>>     node 3 - NAS ( l2tp) -^
>>
>> I want to have redundancy in case server 2 AAA (freeradius + mysql as backend) fails, second server 4 AAA to take over with exactly the same setup (freeradius + mysql backend).. Should I use freeradius proxy on every node??? other solution? So the things need to become like this:
>
> The NASes should do fail-over by listing a primary and secondary RADIUS server.
>
>>     node 1 - NAS (+freeradius proxy?)--| Internet |---server 2 master (freeradius+mysql, location ex.US )
>>     node 3 - NAS (+freeradius proxy?)--| Internet |---server 4 slave (freeradius+mysql
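Added example for Alan's "write the SELECT directly in unlang" advice in the digest above (editorial addition, not code from the list or from FreeRADIUS): the query a `%{sql:...}` expansion would run to derive Session-Timeout from a DATETIME Expiration plus today's accounting usage, which is the sqlcounter replacement the thread is after. It uses sqlite3 with constructed radcheck and radacct rows; the table and column names follow the stock FreeRADIUS SQL schema, the Expiration value is stored as a DATETIME string (the variant Suman asked about), and the daily quota is an assumed policy value. The rows and the fixed "now" are constructed so the result is deterministic.

```python
"""Compute Session-Timeout straight from SQL instead of rlm_sqlcounter.

Added example, not code from the thread or from FreeRADIUS.  Tables and
columns follow the stock FreeRADIUS schema; the rows, the fixed DEMO_NOW and
the 3600-second daily quota are constructed for the demonstration.
"""
import sqlite3
from datetime import datetime

DATETIME_FMT = "%Y-%m-%d %H:%M:%S"
DEMO_NOW = datetime(2011, 3, 16, 12, 0, 0)

# The account expiry, stored as a DATETIME string rather than the usual text form.
EXPIRATION_SQL = (
    "SELECT value FROM radcheck "
    "WHERE username = ? AND attribute = 'Expiration' LIMIT 1"
)

# Seconds already used since the start of the day; COALESCE turns "no rows" into 0.
USED_TODAY_SQL = (
    "SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct "
    "WHERE username = ? AND acctstarttime >= ?"
)


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed rows: alice (active), bob (expired), carol (no rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radacct  (username TEXT, acctstarttime TEXT, acctsessiontime INTEGER);
        INSERT INTO radcheck VALUES ('alice', 'Expiration', ':=', '2011-03-17 12:00:00');
        INSERT INTO radcheck VALUES ('bob',   'Expiration', ':=', '2011-03-15 12:00:00');
        INSERT INTO radacct  VALUES ('alice', '2011-03-16 08:00:00', 600);
        INSERT INTO radacct  VALUES ('alice', '2011-03-16 09:00:00', 600);
        INSERT INTO radacct  VALUES ('alice', '2011-03-15 09:00:00', 3000);
    """)
    return conn


def session_timeout(conn: sqlite3.Connection, username: str, now: datetime, daily_quota: int) -> int:
    """Seconds the new session may last: the tighter of the account expiry and the
    quota left today.  0 means the user should be rejected.  The username is bound
    as a parameter, never spliced into the SQL text."""
    day_start = now.replace(hour=0, minute=0, second=0).strftime(DATETIME_FMT)
    used = conn.execute(USED_TODAY_SQL, (username, day_start)).fetchone()[0]
    limits = [daily_quota - used]
    row = conn.execute(EXPIRATION_SQL, (username,)).fetchone()
    if row is not None:
        expires = datetime.strptime(row[0], DATETIME_FMT)
        limits.append(int((expires - now).total_seconds()))
    return max(0, min(limits))


def demo_results() -> dict:
    """Timeouts for the three constructed users at DEMO_NOW with a 3600 s daily quota."""
    db = build_demo_db()
    return {user: session_timeout(db, user, DEMO_NOW, 3600) for user in ("alice", "bob", "carol")}


if __name__ == "__main__":
    for user, seconds in demo_results().items():
        print(f"{user}: Session-Timeout = {seconds}")
```

In unlang the username reaches the query as `%{User-Name}` inside the `%{sql:...}` expansion, which rlm_sql runs through its own escape function; the parameter binding here plays the same role, so the escape-string problem the thread title refers to never reaches the query text. A result of 0 is the signal to reject in the policy that wraps the SELECT.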