Re: FR 2.1.10, fail-over not working
魏景鹏 wrote:
> I've configured two home_server for a pool with type=fail-over. When the 1st one does not start, FR didn't send the request to the 2nd one.

FreeRADIUS doesn't check if a home server starts. RADIUS doesn't work that way.

The fail-over code works. Fail-over occurs when a home server is down for an extended period of time, and when the proxy keeps trying to send packets to the home server.

If you're not seeing failover, it's likely because you're only sending a few testing packets. Send more packets.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Disconnect Online User
dulan wrote:
> I need to disconnect an online user automatically when he has used up his download capacity (like prepaid). How can I configure it in freeradius?

You don't. RADIUS doesn't really do that.

Alan DeKok.
Re: Disconnect Online User
Chris L wrote:
> Well, if you know in advance, at AA time, how much the session is allocated to transfer, and *IF* your NAS supports something like Acct-Session-Output-Octets, Session-Octets-Limit, etc., you should be able to set that to a specific value as a Reply Item and the NAS *SHOULD* disconnect the user when that limit is reached. Good luck.

That isn't standard in RADIUS. One or two pieces of software support it. But most NASes (switches, APs, etc.) do not support it.

Alan DeKok.
Re: Disconnect Online User
On 27 Jul 2011, at 08:34, Chris L wrote:
> On Jul 26, 2011, at 11:19 PM, Alan DeKok wrote:
>> dulan wrote:
>>> I need to disconnect an online user automatically when he has used up his download capacity (like prepaid). How can I configure it in freeradius?
>>
>> You don't. RADIUS doesn't really do that.
>
> Well, if you know in advance, at AA time, how much the session is allocated to transfer, and *IF* your NAS supports something like Acct-Session-Output-Octets, Session-Octets-Limit, etc., you should be able to set that to a specific value as a Reply Item and the NAS *SHOULD* disconnect the user when that limit is reached. Good luck.

Call a script and use SNMP to disconnect the user. You should have everything you need in the accounting request. Many more NAS support this than SoH or DM.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
Hi,

have you found a solution or a workaround? I have the same problem you experienced. I configured freeradius to talk with LDAP on Mac, but in the end I realized that the clear-text password of the LDAP user isn't saved in the userPassword field. OpenDirectory doesn't use that field and implements the authentication through Kerberos.

I've just recompiled freeradius with the rlm_opendirectory module enabled and now I'm experiencing the problem you were talking about... I suppose I have to install freeradius on the same machine as OpenDirectory. I'm pretty upset about it... it's a little odd.

Have you got some useful information about it? Let me know, please.

Max
How to configure radius based on the isakmp group profile
Hi,

My cisco sends to radius its ip address, and isakmp-group-id (or profile name). Debug from radius -X:

    Cisco-AVPair = isakmp-group-id=CiscoGroup
    Acct-Session-Id = 61286
    User-Name = domain\\user
    Cisco-AVPair = connect-progress=No Progress
    Acct-Authentic = Local
    Acct-Status-Type = Start
    NAS-Port-Type = Virtual
    NAS-Port = 20
    NAS-IP-Address = 10.1.1.1

How should I configure freeradius to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)? However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name.

I tried these settings in the users file but it doesn't work:

    DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

    DEFAULT Auth-Type := vpn_auth_name
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

Thanks

pet
Re: How to configure radius based on the isakmp group profile
You're assuming FreeRADIUS will magically strip off the 'isakmp-group-id=' part of the value...

AVPairs are Cisco's own invention; they are not part of the RADIUS standard. It's difficult to do because the order of AVPairs sometimes changes and the == operator will only check the first instance of the attribute.

If you care about it being reliable between Cisco NAS, upgrade to 3.0x and I'll send you some unlang policies that deal with Cisco-AVPairs properly. If you don't, you can use the following...

    authorize {
        # Comment out files
        # files

        # Insert at the end of the authorize section
        update request {
            Auth-Type := %{control:Auth-Type}
        }
    }

    post-auth {
        # Add files.authorize
    }

In the users file change

    Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup

to

    Auth-Type == ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == isakmp-group-id=CiscoGroup

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
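Arran's warning above is that a request can carry several Cisco-AVPair values in no fixed order, and that a `Cisco-AVPair == ...` check only looks at the first instance. The following is an added illustration, not code from the list or from FreeRADIUS: it models the request from Peter's `radiusd -X` output as an attribute list, evaluates the corrected users-file entry literally (first instance only), and contrasts it with a check that parses every `key=value` AVPair. The Auth-Type names come from the thread; the function names and the reordering are assumptions for the example.

```python
"""Added example: first-instance matching versus all-instance matching of
Cisco-AVPair. Not code from the mailing list or from FreeRADIUS."""
from typing import Dict, List, Optional, Tuple

Request = List[Tuple[str, str]]

# The Access/Accounting-Request as printed by 'radiusd -X' in the thread,
# re-typed here as a constructed Python literal.
PETER_REQUEST: Request = [
    ("Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
    ("Acct-Session-Id", "61286"),
    ("User-Name", "domain\\user"),
    ("Cisco-AVPair", "connect-progress=No Progress"),
    ("Acct-Authentic", "Local"),
    ("Acct-Status-Type", "Start"),
    ("NAS-Port-Type", "Virtual"),
    ("NAS-Port", "20"),
    ("NAS-IP-Address", "10.1.1.1"),
]


def first_instance(request: Request, attr: str) -> Optional[str]:
    """Value of the first instance of 'attr': per Arran's message this is all
    that an 'attr == value' check item in the 2.x users file compares against."""
    for name, value in request:
        if name == attr:
            return value
    return None


def users_file_match(request: Request) -> str:
    """The corrected users-file entry from the thread, evaluated literally:
    NAS-IP-Address == 10.1.1.1 and Cisco-AVPair == isakmp-group-id=CiscoGroup,
    each against the first instance only. Returns the Auth-Type that results,
    falling through to the second DEFAULT entry otherwise."""
    if (first_instance(request, "NAS-IP-Address") == "10.1.1.1"
            and first_instance(request, "Cisco-AVPair") == "isakmp-group-id=CiscoGroup"):
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"


def parse_avpairs(request: Request) -> Dict[str, str]:
    """Collect every Cisco-AVPair of the form 'key=value' into a dict, so a
    policy no longer depends on which instance the NAS happened to send first.
    A value without '=' is kept under its own text with an empty value."""
    pairs: Dict[str, str] = {}
    for name, value in request:
        if name != "Cisco-AVPair":
            continue
        key, sep, val = value.partition("=")
        pairs[key.strip()] = val.strip() if sep else ""
    return pairs


def select_auth_type(request: Request, nas_ip: str = "10.1.1.1",
                     group: str = "CiscoGroup") -> str:
    """Order-independent version of the same policy (hypothetical helper)."""
    if (first_instance(request, "NAS-IP-Address") == nas_ip
            and parse_avpairs(request).get("isakmp-group-id") == group):
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"


def reordered(request: Request) -> Request:
    """Same attributes with the Cisco-AVPair instances in reverse order,
    modelling the order change Arran warns about."""
    avpairs = [(n, v) for n, v in request if n == "Cisco-AVPair"]
    others = [(n, v) for n, v in request if n != "Cisco-AVPair"]
    return list(reversed(avpairs)) + others


if __name__ == "__main__":
    for label, req in (("as captured", PETER_REQUEST),
                       ("AVPairs reordered", reordered(PETER_REQUEST))):
        print(f"{label:18}: users file -> {users_file_match(req):18} "
              f"all instances -> {select_auth_type(req)}")
```

With the captured order both checks select ntlm_auth_vpn_osw; once the two AVPairs swap places the first-instance check silently falls through to vpn_auth_name while the all-instance check does not.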
RE: LDAP SHA1 Password, EAP-PAP and Dynamic VLAN
ok, now I get the correct value to the switch, after changing these two values in eap.conf (ttls section):

    copy_request_to_tunnel = yes
    use_tunneled_reply = yes

I've just got a new problem... after successful auth (the switch also adds the correct VLAN ID), I need to wait about 25-30 secs to get connectivity (or DHCP). With MSChapV2 auth I get an instant connection and no wait time...
RE: LDAP SHA1 Password, EAP-PAP and Dynamic VLAN
ok, problem solved... the test port on the switch wasn't set in portfast mode... sorry ^_^
How to configure radius based on the isakmp group profile
Sorry, I made a mistake in the email.

My cisco sends to radius its ip address, and isakmp-group-id (or profile name). Debug from radius -X:

    Cisco-AVPair = isakmp-group-id=CiscoGroup
    Acct-Session-Id = 61286
    User-Name = domain\\user
    Cisco-AVPair = connect-progress=No Progress
    Acct-Authentic = Local
    Acct-Status-Type = Start
    NAS-Port-Type = Virtual
    NAS-Port = 20
    NAS-IP-Address = 10.1.1.1

How should I configure freeradius to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)? However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name.

I tried these settings in the users file but it doesn't work:

    DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == isakmp-group-id=CiscoGroup
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

    DEFAULT Auth-Type := vpn_auth_name
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

Thanks

pet
segmentation fault freeradius 2.1.7 using rlm_sql
Hi all,

freeRADIUS version 2.1.7 (package freeradius2 on centos 5.6)

Radius is configured to store user info (auth) in ldap - running on the same machine as freeradius - and to use rlm_sql for accounting info (and simultaneous use checks) - running on a remote machine.

For some unknown reason radiusd keeps getting segmentation faults, every few days and even after several hours of work.

    Jul 27 04:01:03 RADIUS4 kernel: radiusd[29903]: segfault at 00c8 rip 2aef39fb9cfb rsp 456d6170 error 4

Last lines in the radius.log:

    [sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2011-07-27 04:01:03', acctsessiontime = '0', acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 |
    [sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
    rlm_sql (sql): Trying to (re)connect unconnected handle 12..
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #12

Since the configuration files are quite large, I didn't attach a complete dump or radius -X; let me know what other info is needed.

Regards,
Amir Tal.
Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)
Did you open your firewall? Redhat-like distros send dest-prohib by default for ports blocked by iptables.

Cheers,
Harry

gary gary.y...@browan.com wrote:
> Hi All
>
> I have trouble with freeradius+mysql. I configured freeradius (2.1.10) + mysql (5.5.14) and self-tested with radtest; everything is okay. But when I try an external nas client it always returns a null response. The setup is as below.
>
>     PC(client) === wireless AP (nas, 192.168.21.223) === radius server (192.168.21.30)
>
> my nas table:
>
>     mysql> select * from nas;
>     +----+----------------+----------------+-------+-------+------------+--------+-----------+---------------+
>     | id | nasname        | shortname      | type  | ports | secret     | server | community | description   |
>     +----+----------------+----------------+-------+-------+------------+--------+-----------+---------------+
>     |  1 | 192.168.21.223 | 192.168.21.223 | other |  NULL | testing123 | NULL   | NULL      | RADIUS Client |
>     |  3 | 127.0.0.1      | localhost      | other |  NULL | testing123 | NULL   | NULL      | RADIUS Client |
>     +----+----------------+----------------+-------+-------+------------+--------+-----------+---------------+
>
> radcheck table:
>
>     mysql> select * from radcheck;
>     +----+--------------+---------------+----+-------+
>     | id | username     | attribute     | op | value |
>     +----+--------------+---------------+----+-------+
>     |  1 | gary         | User-Password | := | gary  |
>     |  2 | test         | User-Password | := | test  |
>     |  3 | 001d09cb2715 | User-Password | := | test  |
>     +----+--------------+---------------+----+-------+
>
> 192.168.21.223 is the wireless AP (nas) and my radius server is 192.168.21.30. I am using wireshark to capture the packets and it shows destination unreachable (host administratively prohibited). See screenshot as below. Can anyone help me?
>
> Best Regards
> Gary
Confused with Failed to find IP address
Hi,

I am running a Debian server on the domain haskell-solutions.com. I installed freeradius 2.1.11 on that. As the tutorial suggested I added a user account to the top of the users file

    bob Cleartext-Password := hello

and on a separate terminal, connected through SSH to the haskell server, executed radiusd -X - outcome is below. But I get an error message and nothing appears on the other terminal running radiusd -X ... any idea?

/Eddie

    hasksol:/etc# radtest bob hello localhost 0 testing123
    radclient:: Failed to find IP address for hasksol
    radclient: Nothing to send.
    hasksol:/etc# radtest bob hello haskell-solutions.com 0 testing123
    radclient:: Failed to find IP address for hasksol
    radclient: Nothing to send.
    hasksol:~# radtest bob wrongpass 178.79.150.152 0 testing123
    radclient:: Failed to find IP address for hasksol
    radclient: Nothing to send.
    hasksol:~# radtest bob hello hasksol 0 testing123
    radclient: Failed to find IP address for host hasksol: Success
    hasksol:~# radtest bob wrongpass hasksol 0 testing123
    radclient: Failed to find IP address for host hasksol: Success
    hasksol:~# ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.044 ms
    64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.056 ms
    ^C
    --- localhost ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.044/0.050/0.056/0.006 ms
    hasksol:~# ping haskell-solutions.com
    PING localhost (127.0.0.1) 56(84) bytes of data.
    64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.050 ms
    64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.048 ms
    ^C
    --- localhost ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 0.048/0.049/0.050/0.001 ms

my /etc/hosts:

    hasksol:/etc# cat hosts
    127.0.0.1 localhost haskell-solutions.com www.haskell-solutions.com vpn.haskell-solutions.com

radiusd -X:

    hasksol:~# radiusd -X
    FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 25 2011 at 18:49:35
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /usr/local/etc/raddb/radiusd.conf
    including configuration file /usr/local/etc/raddb/proxy.conf
    including configuration file /usr/local/etc/raddb/clients.conf
    including files in directory /usr/local/etc/raddb/modules/
    including configuration file /usr/local/etc/raddb/modules/chap
    including configuration file /usr/local/etc/raddb/modules/smsotp
    including configuration file /usr/local/etc/raddb/modules/soh
    including configuration file /usr/local/etc/raddb/modules/detail.example.com
    including configuration file /usr/local/etc/raddb/modules/counter
    including configuration file /usr/local/etc/raddb/modules/always
    including configuration file /usr/local/etc/raddb/modules/sradutmp
    including configuration file /usr/local/etc/raddb/modules/etc_group
    including configuration file /usr/local/etc/raddb/modules/digest
    including configuration file /usr/local/etc/raddb/modules/rediswho
    including configuration file /usr/local/etc/raddb/modules/attr_rewrite
    including configuration file /usr/local/etc/raddb/modules/dolaradius_sql.conf
    including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
    including configuration file /usr/local/etc/raddb/modules/mac2vlan
    including configuration file /usr/local/etc/raddb/modules/smbpasswd
    including configuration file /usr/local/etc/raddb/modules/linelog
    including configuration file /usr/local/etc/raddb/modules/wimax
    including configuration file /usr/local/etc/raddb/modules/attr_filter
    including configuration file /usr/local/etc/raddb/modules/expr
    including configuration file /usr/local/etc/raddb/modules/preprocess
    including configuration file /usr/local/etc/raddb/modules/cui
    including configuration file /usr/local/etc/raddb/modules/acct_unique
    including configuration file /usr/local/etc/raddb/modules/pap
    including configuration file /usr/local/etc/raddb/modules/mschap
    including configuration file /usr/local/etc/raddb/modules/policy
    including configuration file /usr/local/etc/raddb/modules/logintime
    including configuration file /usr/local/etc/raddb/modules/pam
    including configuration file /usr/local/etc/raddb/modules/expiration
    including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
    including configuration file /usr/local/etc/raddb/modules/mac2ip
    including configuration file /usr/local/etc/raddb/modules/ntlm_auth
    including configuration file /usr/local/etc/raddb/modules/realm
    including configuration file /usr/local/etc/raddb/modules/echo
    including configuration file /usr/local/etc/raddb/modules/unix
    including configuration file
Disable mysql dbm during freeradius installation
Hi

I am installing Freeradius and for my scenario I just need to authenticate from local files; there is no need for DBM or mysql or anything. How do I disable them during installation of freeradius? I tried using --disable-rlm-dbm and similar but it didn't work out. How do I disable them from installing?

Awaiting any help! Many thanks.

Thanks and regards
R.Vasanth Ragavendran.
Re: Disable mysql dbm during freeradius installation
Vasanth Ragavendran wrote:
> I am installing Freeradius and for my scenario I just need to authenticate from local files; there is no need for DBM or mysql or anything. How do I disable them during installation of freeradius? I tried using --disable-rlm-dbm and similar but it didn't work out. How do I disable them from installing?
>
> Awaiting any help! Many thanks.

Why does it matter? They take up ~10K of disk space, and aren't loaded by the server.

Alan DeKok.
Re: Confused with Failed to find IP address
Eddie wrote:
> I am running a Debian server on the domain haskell-solutions.com. I installed freeradius 2.1.11 on that. As the tutorial suggested I added a user account to the top of the users file
>
>     bob Cleartext-Password := hello
>
> and on a separate terminal, connected through SSH to the haskell server, executed radiusd -X - outcome is below. But I get an error message and nothing appears on the other terminal running radiusd -X ... any idea?

Read the text you posted to the list.

>     hasksol:/etc# radtest bob hello localhost 0 testing123
>     radclient:: Failed to find IP address for hasksol
>     radclient: Nothing to send.

radclient is trying to look up the IP for hasksol. You don't have that in DNS, or in /etc/hosts. And you tried pinging everything but hasksol.

Alan DeKok.
Re: FreeRadius and MacOsx (LDAP vs Kerberos)
Massimiliano Tommasi wrote:
> You are pretty right ;) I have just recompiled freeradius with that module, which I need... It seems to be what I need but... I notice a lack of documentation for that module... I have found nothing at all :( Could you suggest me some doc and/or example of the conf, please?

I said: Just list opendirectory in the authorize and authenticate sections. That's it. It's that simple. It doesn't need more documentation.

Alan DeKok.
Re: Disable mysql dbm during freeradius installation
On 07/27/2011 07:42 AM, Vasanth Ragavendran wrote:
> I am installing Freeradius and for my scenario I just need to authenticate from local files; there is no need for DBM or mysql or anything. How do I disable them during installation of freeradius? I tried using --disable-rlm-dbm and similar but it didn't work out. How do I disable them from installing?

Try --without-mod_name where mod_name is a module name, e.g.

    --without-rlm-dbm

This has to be done at the configure step, then build and install again.

Hint: often these kinds of questions can be answered by taking a peek at the configure.in file in the appropriate directory. For example src/modules/rlm_dbm/configure.in has:

    if test x$with_[]modname != xno; then

The --with-XXX and --without-XXX are standard autotools idioms.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)
Hi Harry

radius server and nas ping each other with no problem. checking the firewall, no problem. the OS is Fedora 12.

Best Regards
Gary

BROWAN COMMUNICATIONS INC.
Tel: 886-3-600-6899 ext.4842
Fax: 886-3-597-2970
e-mail: gary.y...@browan.com

----- Original Message -----
From: Harry Hoffman hhoff...@ip-solutions.net
To: gary gary.y...@browan.com; freeradius-users@lists.freeradius.org
Sent: Wednesday, July 27, 2011 7:19 PM
Subject: Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)

> Did you open your firewall? Redhat-like distros send dest-prohib by default for ports blocked by iptables.
>
> Cheers,
> Harry
Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)
ping isn't the same as an open udp port.

run the command:

    /sbin/iptables-save

and paste the output.

If it's not the firewall then it's probably ACLs, as those are really the only two things that are going to return an admin-prohib icmp packet.

Cheers,
Harry

On 07/27/2011 09:06 AM, gary wrote:
> Hi Harry
>
> radius server and nas ping each other with no problem. checking the firewall, no problem. the OS is Fedora 12.
>
> Best Regards
> Gary
Re: segmentation fault freeradius 2.1.7 using rlm_sql
Amir Tal wrote:
> For some unknown reason radiusd keeps getting segmentation faults, every few days and even after several hours of work.

Upgrade.

Alan DeKok.
Re: FreeRadius and MacOsx (LDAP vs Kerberos)
That's working, Alan. Thanks.

Max

On 27/07/11 14.54, Alan DeKok wrote:
> I said: Just list opendirectory in the authorize and authenticate sections. That's it. It's that simple. It doesn't need more documentation.
>
> Alan DeKok.
Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)
Gary,

You're looking for 'iptables -nvL | grep 3306' to produce something like this:

    0     0 ACCEPT     tcp  --  *      *       192.168.21.223       0.0.0.0/0           tcp dpt:3306

-sth

sam hooker | s...@noiseplant.com | http://www.noiseplant.com
I have not failed, I've just found 10,000 ways that won't work. - Thomas Edison

----- Original Message -----
> ping isn't the same as an open udp port.
>
> run the command:
>
>     /sbin/iptables-save
>
> and paste the output.
>
> If it's not the firewall then it's probably ACLs, as those are really the only two things that are going to return an admin-prohib icmp packet.
>
> Cheers,
> Harry
Re: help:[freeradius+mysql]destination unreachable(host administratively prohibited)
Sorry, I meant 'iptables -nvL | grep 1812' should yield something like THIS:

    0     0 ACCEPT     udp  --  *      *       192.168.21.223       0.0.0.0/0           udp dpt:1812

-sth

> You're looking for 'iptables -nvL | grep 3306' to produce something like this:
>
>     0     0 ACCEPT     tcp  --  *      *       192.168.21.223       0.0.0.0/0           tcp dpt:3306
>
> -sth

sam hooker | s...@noiseplant.com | http://www.noiseplant.com
I have not failed, I've just found 10,000 ways that won't work. - Thomas Edison
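Harry's point in this thread is that a successful ping says nothing about UDP/1812, and that the ICMP "host administratively prohibited" Gary captured is what a Red Hat-style iptables REJECT rule sends back; Sam's follow-up is the ACCEPT line to look for. The script below is an added illustration, not code from the list, from iptables or from any of the posters: it evaluates a constructed `iptables-save` INPUT chain the way the kernel does (first matching rule wins, chain policy otherwise) for an Access-Request from the NAS at 192.168.21.223 to UDP/1812, before and after an ACCEPT for the NAS is inserted ahead of the REJECT. The ruleset text is constructed to resemble a stock Red Hat-style firewall and is an assumption; only the addresses and the port come from the thread.

```python
"""Added example: walking an iptables INPUT chain for a RADIUS packet.
Not code from the mailing list or from iptables; the ruleset is constructed."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str              # "udp", "tcp" or "icmp"
    src: str                # source IPv4 address
    dport: Optional[int]    # destination port, None for icmp
    iface: str = "eth0"     # arriving interface (assumed name)
    state: str = "NEW"      # conntrack state; a fresh Access-Request is NEW


# Gary's situation: Access-Request from the AP to the RADIUS auth port, and the
# ping that worked.
RADIUS_FROM_NAS = Packet(proto="udp", src="192.168.21.223", dport=1812)
PING_FROM_NAS = Packet(proto="icmp", src="192.168.21.223", dport=None)

# Constructed iptables-save excerpt resembling a stock Red Hat-style ruleset
# (not Gary's real output).
RULESET_BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The rule Sam describes: ACCEPT for the NAS on udp/1812, placed before the REJECT.
RADIUS_ACCEPT_RULE = "-A INPUT -s 192.168.21.223 -p udp -m udp --dport 1812 -j ACCEPT"
RULESET_AFTER = RULESET_BEFORE.replace("-A INPUT -j REJECT",
                                       RADIUS_ACCEPT_RULE + "\n-A INPUT -j REJECT")


def rule_matches(tokens: List[str], pkt: Packet) -> bool:
    """Apply the match options of one rule (tokens after '-A INPUT') to pkt.
    Supports the options used above: -p, -s, -i, -m <ext>, --dport, --state.
    The target (-j) and its --reject-with argument are not match criteria."""
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if opt in ("-j", "--reject-with", "-m"):
            pass                                   # target / extension name only
        elif opt == "-p":
            if arg != pkt.proto:
                return False
        elif opt == "-s":
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(arg, strict=False):
                return False
        elif opt == "-i":
            if arg != pkt.iface:
                return False
        elif opt == "--dport":
            if pkt.dport != int(arg):
                return False
        elif opt == "--state":
            if pkt.state not in arg.split(","):
                return False
        else:
            raise ValueError(f"unsupported iptables option in this example: {opt}")
        i += 2
    return True


def input_verdict(ruleset: str, pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason): the target of the first INPUT rule matching pkt,
    or the chain policy when none does. For a REJECT the reason is the ICMP
    type the kernel would send, which is what Gary saw in Wireshark."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            tokens = shlex.split(line)[2:]         # drop '-A INPUT'
            if rule_matches(tokens, pkt):
                target = tokens[tokens.index("-j") + 1]
                if target == "REJECT" and "--reject-with" in tokens:
                    return target, "ICMP " + tokens[tokens.index("--reject-with") + 1]
                return target, line
    return policy, "chain policy"


if __name__ == "__main__":
    for name, ruleset in (("before", RULESET_BEFORE), ("after", RULESET_AFTER)):
        print(f"{name}: ping -> {input_verdict(ruleset, PING_FROM_NAS)[0]}, "
              f"radius -> {input_verdict(ruleset, RADIUS_FROM_NAS)}")
```

Before the fix the ping is accepted by the `-p icmp` rule while the Access-Request falls through to the REJECT and comes back as icmp-host-prohibited; after the fix only traffic from that NAS to udp/1812 is let through.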
Re: FreeRadius and MacOsx (LDAP vs Kerberos)
I got the first step... FreeRadius and OpenDirectory are speaking the same language, BUT I'm not able to authenticate the users...
On the client side I have a function to get the CHAP, and on the server side I don't save the password in a hashed manner (I guess)...
When I try to auth, this is the output:

    rad_recv: Access-Request packet from host 192.168.58.126 port 55684, id=4, length=234
            Vendor-14559-Attr-8 = 0x312e322e33
            User-Name = root
            CHAP-Challenge = 0x0edd76439301b38946e175305f4f951f
            CHAP-Password = 0x0009043c756f718e348b26b5300f0e10ab
            Service-Type = Login-User
            Acct-Session-Id = 4e30263e0001
            Framed-IP-Address = 10.10.0.1
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 1
            NAS-Port-Id = 0001
            Calling-Station-Id = 00-23-DF-8E-F7-7A
            Called-Station-Id = 00-60-E0-E0-A4-D4
            NAS-IP-Address = 10.10.0.15
            NAS-Identifier = kenny
            WISPr-Logoff-URL = http://10.10.0.15:3990/logoff
            Message-Authenticator = 0x02107a4aa5448c95bcb1c66989947389
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = root, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    ++[unix] returns updated
    ++[files] returns noop
    rlm_opendirectory: The SACL group com.apple.access_radius does not exist on this system.
    rlm_opendirectory: The host 192.168.58.126 does not have an access group.
    rlm_opendirectory: no access control groups, all users allowed.
    ++[opendirectory] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = CHAP
    +- entering group CHAP {...}
    [chap] login attempt by root with CHAP password
    [chap] Cleartext-Password is required for authentication
    ++[chap] returns invalid
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> root
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 10 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    rad_recv: Access-Request packet from host 192.168.58.126 port 55684, id=4, length=234
    Waiting to send Access-Reject to client lan port 55684 - ID: 4
    Waking up in 0.9 seconds.
    Sending delayed reject for request 10
    Sending Access-Reject of id 4 to 192.168.58.126 port 55684
    Waking up in 4.9 seconds.
    Cleaning up request 10 ID 4 with timestamp +1898
    Ready to process requests.

I have some doubt on the Apple side... is the server asking for a clear password on the Apple side?
I hope you can help me, one more time.

Cheers,
Max

On 27/07/11 14:54, Alan DeKok wrote:
> Massimiliano Tommasi wrote:
>> You are pretty right ;) I have just recompiled freeradius with that module, which I need... It seems to be what I need, but... I notice a lack of documentation for that module. I have found nothing at all :( Could you suggest some docs and/or an example of the conf, please?
>
> I said: Just list opendirectory in the authorize and authenticate sections.
>
> That's it. It's that simple. It doesn't need more documentation.
>
> Alan DeKok.

--
:: P u r p l e  s r l :: security and network
:: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano
:: web: www.purplesrl.com
:: Massimiliano Tommasi :: email: m.tomm...@purplesrl.com
:: phone: +39 02 36687280 :: fax: +39 02 700511249
Re: FreeRadius and MacOsx (LDAP vs Kerberos)
Massimiliano Tommasi wrote:
> I got the first step... FreeRadius and OpenDirectory are speaking the same language, BUT I'm not able to authenticate the users...

Please READ the debug output. Honestly, it's not that hard.

> On the client side I have a function to get the CHAP, and on the server side I don't save the password in a hashed manner (I guess)...

You can't do CHAP with OpenDirectory. READ the debug output you posted.

> I have some doubt on the Apple side... is the server asking for a clear password on the Apple side?

You can't do CHAP with OpenDirectory.

Alan DeKok.
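To show why rlm_chap reports "Cleartext-Password is required for authentication" against a backend that only holds a hash, here is an added Python model of the RFC 1994 CHAP check (not code from FreeRADIUS or from the thread). The challenge is the one from the debug output above; the password, the two backends and the client responses are constructed.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed example, not FreeRADIUS code. CHAP (RFC 1994): the client sends
# ident || MD5(ident || password || challenge), so the server can only check it by
# recomputing that MD5 over the *cleartext* password bytes.

def hexattr(value: str) -> bytes:
    """Decode a FreeRADIUS debug-style octet value such as 0x0edd76..."""
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the client puts in CHAP-Password: the ident byte, then the 16-byte MD5 digest."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(cleartext: bytes, challenge: bytes, chap_password: bytes) -> bool:
    """Server-side check; works only with the cleartext password in hand."""
    if len(chap_password) != 17:                 # 1 ident byte + 16 digest bytes
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)

# Two constructed backends: a 'users'-file style entry carrying Cleartext-Password, and a
# directory that exposes only a digest of the password (the situation the thread hits with
# OpenDirectory). Each entry is (attribute name, value).
Backend = Dict[str, Tuple[str, bytes]]
CLEARTEXT_BACKEND: Backend = {"root": ("Cleartext-Password", b"constructed-pw")}
HASH_ONLY_BACKEND: Backend = {"root": ("SHA1-Password", hashlib.sha1(b"constructed-pw").digest())}

def authenticate(backend: Backend, username: str, challenge: bytes, chap_password: bytes) -> str:
    """Model of the CHAP auth section: 'invalid' when no cleartext is available, else ok/reject."""
    kind, value = backend.get(username, ("", b""))
    if kind != "Cleartext-Password":
        # The condition behind "[chap] Cleartext-Password is required for authentication":
        # the MD5 input cannot be rebuilt from a stored hash, so the module returns invalid.
        return "invalid"
    return "ok" if chap_verify(value, challenge, chap_password) else "reject"

# Challenge taken from the debug output in the thread; root's real password is not known,
# so the responses below are built from the constructed password instead.
CHALLENGE = hexattr("0x0edd76439301b38946e175305f4f951f")

def demo() -> Dict[str, str]:
    good = chap_response(0x00, b"constructed-pw", CHALLENGE)
    bad = chap_response(0x00, b"wrong-pw", CHALLENGE)
    return {
        "cleartext_good": authenticate(CLEARTEXT_BACKEND, "root", CHALLENGE, good),   # ok
        "cleartext_bad": authenticate(CLEARTEXT_BACKEND, "root", CHALLENGE, bad),     # reject
        "hash_only_good": authenticate(HASH_ONLY_BACKEND, "root", CHALLENGE, good),   # invalid
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same limitation applies to any backend that stores only a one-way hash: the only way to keep CHAP is to store the cleartext password, otherwise the client has to use PAP or MS-CHAP against the hash type the backend does hold.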
Re: Trying multiple realms
On Jul 26, 2011, at 4:36 PM, Alan DeKok wrote:
> Charles Plater wrote:
>> Is there any way to try multiple realms inside an update control statement? What I want to do is try proxying to one realm, and if that fails, try the credentials via the local realm. Thanks in advance.
>
> Read raddb/proxy.conf. Look for the home server pool section. This works, and is documented.

If I'm reading raddb/proxy.conf correctly, home_server_pool allows for fail-over and load-balancing configurations. In my case I want to try the same credentials against multiple servers. I'm currently using this bit of unlang to send some requests to another radius server:

    if (User-Name !~ /^..[0-9][0-9][0-9].*$/) {
        update control {
            Proxy-To-Realm := 'med.wayne.edu'
        }
    }

What I'm looking at doing is to retry failed proxy attempts locally. Is this possible?

--
Charles Plater
Lead Application Technical Analyst
Internet Services
+1-313-577-4620
ab3...@wayne.edu
LDAP Groups and Dynamic VLAN assignment
hi guys,
I want to assign VLANs based on group entries and users on the LDAP server. Actually my schema is divided this way:

    ou=groups
      -- cn=admin-vlan (with radiusProfile and items to set the VLAN ID)
      -- cn=dev-vlan
    ou=people
      -- cn=testusers (that is a uniqueMember of admin-vlan)

The only configuration that works is:

ldap conf:

    ldap server1 {
            #
            # Note that this needs to match the name in the LDAP
            # server certificate, if you're using ldaps.
            server = x.x.x.x
            identity = cn=Administrator,dc=mydomain,dc=com
            password = passs
            basedn = dc=mydomain,dc=com
            filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
            groupname_attribute = cn
            groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
    }

users file:

    DEFAULT Ldap-Group == admin-vlan
            Service-Type = Framed-User,
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-ID = 10

    DEFAULT Ldap-Group == dev-vlan
            Service-Type = Framed-User,
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-ID = 9

    DEFAULT LDAP-Group != admin-vlan, Auth-Type := Reject
    DEFAULT LDAP-Group != dev-vlan, Auth-Type := Reject

Is there a possibility to get Tunnel-Private-Group-ID and the others from the LDAP groups and not the users file? I've read docs/rlm_ldap many times but can't get out of this problem :(

Is it possible to do this configuration in conjunction with a redundant LDAP configuration??

thanks!
Re: Trying multiple realms
Charles Plater wrote:
> If I'm reading raddb/proxy.conf correctly, home_server_pool allows for fail-over and load-balancing configurations.

Yes.

> In my case I want to try the same credentials against multiple servers.

RADIUS doesn't do that. It's a *terrible* idea.

> What I'm looking at doing is to retry failed proxy attempts locally. Is this possible?

*Please* use the correct terminology. Do you mean "failed", as in failed to get a response, or "rejected", as in received a reject packet? If you use vague terminology, it's impossible to help you.

The server treats rejects as being definitive. Changing them later to accepts is wrong and broken. Fix your design so that you send the packets to the correct server.

Alan DeKok.
Re: Trying multiple realms
On 27 Jul 2011, at 17:14, Charles Plater wrote:
> [...]
> What I'm looking at doing is to retry failed proxy attempts locally. Is this possible?

Fail in what way? Because a server's down, or because the user was rejected?

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: FreeRadius and MacOsx (LDAP vs Kerberos)
You are right, Alan. I hoped there was a solution to this, but evidently it's not possible. The only way is to disable CHAP on the client side.

Regards,
Max

On 27/07/11 17:14, Alan DeKok wrote:
> [...]
> You can't do CHAP with OpenDirectory.
>
> Alan DeKok.
Re: LDAP Groups and Dynamic VLAN assignment
stich86 stic...@gmail.com wrote:
> Is there a possibility to get Tunnel-Private-Group-ID and the others from the LDAP groups and not the users file? I've read docs/rlm_ldap many times but can't get out of this problem :(

Next time, try the freeradius-users@ archive too (true of *any* mailing list)?

> Is it possible to do this configuration in conjunction with a redundant LDAP configuration??

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg71133.html

Cheers

--
Alexander Clouter
.sigmonster says: Is there life before breakfast?
Re: Freeradius closes
john wrote:
> The radiusd keeps closing and I have to restart it. I am running 2.1.11 on this server, but I have recently upgraded to this and it was happening before. The program uses up all the memory on the computer, which is 4GB, and I have enclosed a picture of this. I can send whatever config files you need to help me discover this problem. We are using a MySQL database to keep track of customer accounts and usage.

Try the v2.1.x branch from http://git.freeradius.org

That will become 2.1.12 soon.

Alan DeKok.
rlm_sql don't re-connect after mysql failure
Hi,

I'm using freeradius-2.1.11 and I have a problem with the MySQL connection. If the MySQL server goes down, freeradius doesn't reconnect until it is restarted. The log file looks like this, while the MySQL server is UP again:

    rlm_sql_mysql: Starting connect to MySQL server for #0
    rlm_sql: Connected new DB handle, #0
    rlm_sql : failed after re-connect

*** this error repeats until I restart freeradius

Thanks
Jean
Re: Freeradius closes
john j...@rcsaccess.net wrote:
> The radiusd keeps closing and I have to restart it. I am running 2.1.11 on this server, but I have recently upgraded to this and it was happening before. The program uses up all the memory on the computer, which is 4GB, and I have enclosed a picture of this. I can send whatever config files you need to help me discover this problem. We are using a MySQL database to keep track of customer accounts and usage.

IIRC the fix you need is:

https://github.com/alandekok/freeradius-server/commit/731e733b

I recommend, if possible, just using the v2.1.x tree, which is 'stable', just not a marked official release.

http://git.freeradius.org/

I am, though, currently trying to pin down a bug where FreeRADIUS just closes itself down for no reason at all. I have run tcpdump during the clean shutdown, and see it is not malformed traffic causing the problem; RAM usage is normal, open FDs are sane, etc etc. Caught the event many times with gdb, but it's not a SIG, just a regular exit(). Currently running FreeRADIUS in production with -X to see if there is anything in the full debug logs...

Just a warning, but I would imagine there would be other grumblings on the list (or I have missed them and it's already fixed...).

Cheers

--
Alexander Clouter
.sigmonster says: I can't stand squealers; hit that guy. -- Albert Anastasia
Re: Disable mysql dbm during freeradius installation
Thank you so much sir!

On Wed, Jul 27, 2011 at 9:01 PM, John Dennis jden...@redhat.com wrote:
> On 07/27/2011 07:42 AM, Vasanth Ragavendran wrote:
>> Hi
>> I am installing Freeradius, and for my scenario I just need to authenticate from local files; there is no need for DBM or mysql or anything. How do I disable them during installation of freeradius? I tried using --disable-rlm-dbm and similar but it didn't work out. How do I disable them from installing? Awaiting any help! Many thanks.
>
> Try --without-mod_name where mod_name is a module name, e.g. --without-rlm-dbm
>
> This has to be done at the configure step, then build and install again.
>
> Hint, often these kinds of questions can be answered by taking a peek at the configure.in file in the appropriate directory. For example src/modules/rlm_dbm/configure.in has:
>
>     if test x$with_[]modname != xno; then
>
> The --with-XXX and --without-XXX are standard autotools idioms.
>
> --
> John Dennis jden...@redhat.com
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: help:[freeradius+mysql]destination unreachable(hostadministratively prohibited)
Hi Harry, Sam

The problem is solved. Thank you very much.
Here is the output of iptables-save. (iptables -nvL | grep 1812 outputs nothing)

***
    [root@gary sysconfig]# /sbin/iptables-save
    # Generated by iptables-save v1.4.5 on Thu Jul 28 11:36:40 2011
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [15:2804]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Thu Jul 28 11:36:40 2011
***

After I remark out "-A INPUT -j REJECT --reject-with icmp-host-prohibited" it works. But the iptables -nvL | grep 1812 command still outputs nothing. Now the iptables-save output:

***
    [root@gary sysconfig]# /sbin/iptables-save
    # Generated by iptables-save v1.4.5 on Thu Jul 28 11:41:12 2011
    *filter
    :INPUT ACCEPT [69:8978]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [17:3842]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Thu Jul 28 11:41:12 2011
***

Best Regards
Gary
BROWAN COMMUNICATIONS INC.
Tel: 886-3-600-6899 ext.4842  Fax: 886-3-597-2970  e-mail: gary.y...@browan.com

----- Original Message -----
From: Sam Hooker s...@noiseplant.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, July 27, 2011 10:11 PM
Subject: Re: help:[freeradius+mysql]destination unreachable(hostadministratively prohibited)

> [...]
Re: help:[freeradius+mysql]destination unreachable(hostadministratively prohibited)
On Thu, Jul 28, 2011 at 10:48 AM, gary gary.y...@browan.com wrote:
> After I remark out "-A INPUT -j REJECT --reject-with icmp-host-prohibited" it works. But the iptables -nvL | grep 1812 command still outputs nothing. Now the iptables-save output:
>
> ***
>     [root@gary sysconfig]# /sbin/iptables-save
>     # Generated by iptables-save v1.4.5 on Thu Jul 28 11:41:12 2011
>     *filter
>     :INPUT ACCEPT [69:8978]
>     :FORWARD ACCEPT [0:0]
>     :OUTPUT ACCEPT [17:3842]
>     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -p icmp -j ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>     -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>     COMMIT
>     # Completed on Thu Jul 28 11:41:12 2011
> ***

You REALLY should get help from a Linux sysadmin. That config basically means accept all input and output traffic, which is probably not what you want.

If you want to enable radius traffic you should add a rule that allows the needed ports (e.g. udp port 1812 and 1813). If you don't care about the firewall then it might be better to turn it off altogether.

--
Fajar
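As an added example (not from the thread or from any FreeRADIUS tool), the following Python walks the INPUT chain of the first iptables-save dump in this thread for a fresh UDP/1812 packet from the NAS, showing the REJECT that produced the ICMP host-prohibited seen in wireshark, the wide-open result of deleting that REJECT, and the narrower fix Fajar describes: explicit ACCEPTs for udp 1812/1813 inserted ahead of the catch-all. It goes one step further than his note by limiting the ACCEPTs to the NAS address; the ruleset and NAS address are the thread's, everything else is assumed.

```python
from typing import List, Optional, Tuple

# Constructed example, not code from the thread or from FreeRADIUS. FIRST_DUMP is the
# INPUT/FORWARD ruleset from the first iptables-save posted; NAS_IP is the poster's AP.
NAS_IP = "192.168.21.223"
FIRST_DUMP = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:2804]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT"""
# What the poster did to make it work: drop the catch-all REJECT from INPUT entirely.
SECOND_DUMP = "\n".join(l for l in FIRST_DUMP.splitlines() if not l.startswith("-A INPUT -j REJECT"))

def parse_chain(dump: str, chain: str = "INPUT") -> Tuple[Optional[str], List[List[str]]]:
    """Return (chain policy, tokenised -A rules in order) for one chain of an iptables-save dump."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(line.split()[2:])
    return policy, rules

def rule_target(tokens: List[str], proto: str, dport: int, src: str) -> Optional[str]:
    """Target of this rule if it matches a *new* proto/dport packet from src, else None.
    Only the options present in the thread's dumps (plus the added rule) are understood;
    any other option makes the rule count as not matching, so treat this as a hint."""
    target, i = None, 0
    while i < len(tokens):
        opt, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""
        if opt == "-j":
            target = arg
        elif opt == "-p" and arg != proto:
            return None
        elif opt == "--dport" and int(arg) != dport:
            return None
        elif opt == "-s" and arg.split("/")[0] not in (src, "0.0.0.0"):
            return None
        elif opt == "-i" and arg == "lo":
            return None                      # a NAS packet arrives on a real interface
        elif opt == "--state" and "NEW" not in arg.split(","):
            return None                      # a fresh Access-Request is NEW, not ESTABLISHED
        elif opt not in ("-j", "-p", "--dport", "-s", "-i", "--state", "-m", "--reject-with"):
            return None
        i += 2
    return target

def verdict(dump: str, proto: str = "udp", dport: int = 1812, src: str = NAS_IP) -> str:
    """First terminating target hit, or 'policy:<P>' when the packet falls off the chain."""
    policy, rules = parse_chain(dump)
    for tokens in rules:
        target = rule_target(tokens, proto, dport, src)
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
    return f"policy:{policy}"

def allow_radius(dump: str, nas: str, chain: str = "INPUT") -> str:
    """Narrower fix: ACCEPT auth/acct from the NAS only, inserted ahead of the catch-all REJECT."""
    out, done = [], False
    for line in dump.splitlines():
        if not done and line.startswith(f"-A {chain} -j REJECT"):
            out += [f"-A {chain} -s {nas}/32 -p udp -m udp --dport {p} -j ACCEPT" for p in (1812, 1813)]
            done = True
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    fixed = allow_radius(FIRST_DUMP, NAS_IP)
    print(verdict(FIRST_DUMP), verdict(SECOND_DUMP), verdict(fixed), verdict(fixed, src="10.0.0.9"))
```

Running it prints REJECT, policy:ACCEPT, ACCEPT and REJECT in that order: the original ruleset rejects the NAS, the edited one accepts everything by chain policy, and the fixed one accepts only the NAS while keeping the catch-all REJECT in place.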
Re: help:[freeradius+mysql]destinationunreachable(hostadministratively prohibited)
Hi Fajar

Sure. I am replying to say the root cause is a firewall issue. The firewall has to be optimized.
Thanks for your reply.

Best Regards
Gary
BROWAN COMMUNICATIONS INC.
Tel: 886-3-600-6899 ext.4842  Fax: 886-3-597-2970  e-mail: gary.y...@browan.com

----- Original Message -----
From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, July 28, 2011 12:02 PM
Subject: Re: help:[freeradius+mysql]destinationunreachable(hostadministratively prohibited)

> [...]