Don't try to "fix" RADIUS. RADIUS is fine.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
t.
> I believe I saw a request for dynamic home servers recently. Looks like
> that might be something for me as well.
Maybe. Or, having less work to say "this client can also receive CoA
requests".
That might be easy to add for 3.0.
Alan DeKok.
-
ly, no. New features are hard to do for 2.1.x.
Alan DeKok
-
as suggested *everywhere*?
> With other AAA, based also on FR, it is not happening.
What "other" AAA? Where did you get that other AAA from?
And if it's based on FreeRADIUS, copy the configuration over. It's
not hard.
Alan DeKok.
-
connection). So I want to know if there is some way to configure a
> keepalive on the ldap connection of freeradius.
...
> Is there any way to configure this keepalive?
In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap
Alan DeKok.
-
>
> As far as I understand, none of these values is for a keepalive. Is
> there any other parameter?
See https://github.com/alandekok/freeradius-server/tree/v2.1.x
Download a "tar" file. It is a pre-release version of 2.1.12. Then
see raddb/modules/ldap, as
here
it doesn't receive packets.
> regarding the other AAA I don't have access to it.
Then how do you know it works?
Alan DeKok.
-
is nothing related to this
It doesn't show the server receiving a Disconnect-Request?
It doesn't show the shared secret for the client IP address? You
can't use that shared secret in the "radclient" command above?
Alan DeKok.
-
t using the FreeRADIUS server. You're using "radclient".
The secret is passed on the command line.
You have two choices:
1) use the same shared secret that the NAS is using
2) the NAS is broken, and doesn't implement Disconnect-NAK properly.
Alan DeKok.
-
p command, so openldap idle_timeout is still
> applied.
Well... poke the server occasionally using "radclient".
Alan DeKok.
-
lupadmin the online user page list users only by null acctstoptime,
> but doesn't check( and how would it be possible ) if records belong to a
> rejected request in radpostauth.
See above.
Alan DeKok.
-
ke auth_ntlm
> does?
Do LDAP queries.
> .. I know how to call ntlm_auth with plaintext credentials and
> return a success but can't seem to get freeradius to use that as an
> auth-type.
See the Active Directory guide on my web page: http://deployingradius.com
Alan
Det Det wrote:
> I have Activation attribute in radcheck table (which has a date VALUE)
> in old RADIUS server. I don't find this attribute in FreeRADIUS. I get
> this error. any idea?
What is "Activation"?
It's not a standard RADIUS attribute. FreeRADIUS does
is still alive.
This is RADIUS. The RADIUS server has no idea what the user session
is doing.
Alan DeKok.
-
Arran Cudbard-Bell wrote:
> On 9 Sep 2011, at 10:51, Alan DeKok wrote:
>> As Arran said, you can't. This is RADIUS. It's not perfect.
>
>
> You know being ignored is like my third favourite pastime, right behind
> spanking cats, and plotting world
e modified the default behavior of the server. You need to make
sure that your modifications work.
Alan DeKok.
-
ation.
If you want to log rejects, you can do that. You can even customize
the "post-auth" section to write into the accounting database. But it's
a configuration which will *not* be in the default configuration.
Alan DeKok.
-
> user is rejected due to check on simultaneous login
>
> but looking in radacct we can find two sessions for the same user without
> stoptime.
That's what the "checkrad" program is for. See doc/Simultaneous-Use.
This is documented, and it works.
Alan De
"anything not explicitly
> allowed, is forbidden", but I don't think you'll ever make a vendor read
> the RFCs like that..
Vendors don't read the RFCs. Really.
Alan DeKok.
-
4 (Acct-Session-ID) in access-request packets.
>
>
> So it seems IOS based Cisco access servers can do this as well, but it's
> not the default.
That's nice, and really should be the default everywhere.
Alan DeKok.
-
his with files. See raddb/dynamic_clients in
2.1.12. (When it comes out)
Alan DeKok.
-
r-text password to "radclient". It should show up in the
debug output as User-Password = "admin123".
Put the hex version of the SHA hash into the "users" file, as:
emsadmin SHA-Password := 0x123456789abcdef
It WILL work.
Alan DeKok.
-
e advantages of storing NASs in a table
> is pretty significant. make changes, call quick restart script, done.
Uh... no. My message (again) talked about adding clients dynamically.
Alan DeKok.
-
e multiple solutions, please advise them all, so I can
> choose the one that best fits the needs.
Try harder.
Alan DeKok.
-
to
> block them.
Exactly... Perhaps this is even in the FAQ, for the OP to read??
Alan DeKok.
-
appreciated by all list
> members. But, to be honest, a suggestion like the one given above is purely
> ridiculous and is (almost) the same as not replying at all.
Explain *why* it's ridiculous. I'd love to know.
Q: I can't be bothered to do work for myself, can you
r or does anyone have any
> thoughts on the matter?
radrelay. Copy the accounting packets to ONE radius server, and have
it write to the DB. It does conflict resolution, and there are no problems.
Alan DeKok.
-
itecture and value
> bigger than 2^32 octets (like 100GB). Very strange behavior.
The sqlcounter module uses 32-bit integers in its source code.
Changing that to 64-bit integers would help.
That requires source code patches.
Alan DeKok.
-
). All I'm saying is
> this: it would probably make everybody's life easier if fewer assumptions,
> interpretations, etc. took place on mailing lists. Please think about it.
> (I didn't "cry", either. It would really help if you take people's concerns
> seriously. Please try to take that into account.)
I take their concerns seriously. Look at the deluge of features and
bug fixes that go in based on peoples email to this list.
Alan DeKok.
-
is likely to be?
See the FAQ. Configure an IP and shared secret in clients.conf. Add
a "known good" user/password. Profit!
Alan DeKok.
-
"
How do you change the database? Well... you got the data *into* it in
the first place, didn't you?
Alan DeKok.
-
at actually work for wireless access?
> I've Googled up several HOWTO-type documents, and they all involve
> creating a bunch of SSL certificates.
http://deployingradius.com/
There's an "EAP howto". It's detailed, explanatory, and works.
Alan DeKok.
-
er to see what the existing queries look
> like". it narrows the search parameters to one folder and one man-page
> without taking forever and enables the OP to find the answer quickly and
> easily. I've gotten similar answers before, and used them to their
> fullest.
Sure. An
"
That's used to signify "end of string" in C.
The solution... get the NAS to follow RFC 4679. ADSL-Agent-Circuit-Id
is a printable string, not a 4-octet binary blob.
Alan DeKok.
-
DaveA wrote:
> WARNING: Internal sanity check failed in event handler...
>
> If I revert my change on the prod box, everything goes back to normal.
>
> Ideas?
Try v2.1.x from git.freeradius.org. It fixes this, among others.
Alan DeKok.
-
Is the list down, or are people quiet?
-
reciate any help and I should probably mention that I am pretty
> new to radius (yesterday was my first time installing it. :)
It's dead easy. :)
Alan DeKok.
-
r recovered.
> Had to be restarted.
> Even with no database queries outstanding.
>
> Don't know if 2.1.12 has more "difficulty" with slow databases?
It shouldn't.
> Unfortunately don't have more info, so this can probably be ignored.
There are ways of addr
Alan Buxey wrote:
> Hi,
> Just to confirm 2.1.12 is behaving itself (other than the GID issue for
> control socket)
I don't see a way to fix that, other than to have the system report
that the *primary* group for monit is "radiusd"
Or... hack the control socket in
Ali Majdzadeh wrote:
> I’m running freeradius 1.1.8
Upgrade.
> My external program returns 0 (means OK) and freeRADIUS getting it and
> returns back to the BRAS, so why freeradius gives such error?!
No idea.
Try 2.1.12 (when it comes out in a few days)
Alan DeKok.
-
conf?
And if the "preacct" section is in radiusd.conf, odds are you're
running 1.1.x, which doesn't support "unlang" logic.
Upgrade.
Alan DeKok.
-
clear out one "dead" request from queue
If the dead requests originally arrived at a higher rate than the new
requests, it can take a long time to clean them out.
new:
for each new request
clear out all "dead" requests from queue
Much bet
Marinko Tarlać wrote:
> Alan please do not forget to add this "fix" to changelog so it will be
> easier for new FR users...
to do...? It doesn't require anyone to do anything. There are no
configuration changes. It's just code internal to the server.
Alan De
Marinko Tarlać wrote:
> Of course we don't need to do anything but if this small change inside code
> is announced in changelog, more people will upgrade to 2.1.12 and they
> will stop bothering us on this list with the same questions, over and
> over again :)
Good point.
A
ry change breaks other stuff too, e.g. below:
I've pushed a fix already.
Alan DeKok
-
Fajar A. Nugraha wrote:
> Is it commit 68593c7 ?
637690d7bd6
> I can't figure out from reading the code, does the fix mean setting
> Auth-Type:=Accept will still work?
The commit above reverted the change which broke the server.
Everything will still work as before.
Alan
James J J Hooper wrote:
> This doesn't seem to have reached github yet.
Weird. Re-done.
Alan DeKok.
-
sekchel lee wrote:
Ask a question. It's not hard.
If this issue is not important enough to write a useful message, it's
not important enough for us to give a useful reply.
Alan DeKok.
-
Lorenzo Milesi wrote:
> Hi.
> I have a Freeradius server with MySQL backend, which has worked great so far.
> Right now we're increasing the users accounting here, and we're facing some
> login issues. Freeradius is used as an accounting service for Chillispot.
>
> I tried increasing num_sql_s
iled to load module "sql".
> /usr/local/etc/raddb/sites-enabled/default[14]: Failed to parse "sql" entry.
See the FAQ.
See also the "configure" and "make" process. Read the output.
Nothing else can debug the reason why the postgresql module isn't there.
Alan DeKok.
-
y debug using a encrypted user password (which fails):
It fails because you didn't tell the server what the correct password was.
Alan DeKok.
-
Christ Schlacta wrote:
> I thought if you had a certificate signed by a trusted root CA, you were
> good and didn't need to install anything on the client.
It's true that you don't need to install anything on the client. It's
*not* true that it's a good i
> debian package.
So it's not the RADIUS server which is the problem. That amount of
CPU power is more than enough.
> Any ideas?
Fix the database.
If you don't think it's the DB, configure a test server on the same
machine which doesn't use the DB. It will ha
uld find that by myself, only
> explanation is that test system setup would take ~3-4 hrs and I can't do
> testing on production - whereas I count on you being able to tell right
> from wrong in about ~5 sec).
Asking good questions is good.
Alan DeKok.
-
one fails, it will automatically try the next ?
Packets are sent to home servers, not to RADIUS clients.
To configure fail-over, see raddb/proxy.conf. This is documented.
Alan DeKok.
-
d* broke the server. Either say what you did, or
good luck solving it yourself.
i.e. See the FAQ for useless comments like "it doesn't work", which is
what your messages amount to.
Alan DeKok.
-
IUS* server likely thinks the DB is slow. I don't care what
kind of lies the DB log tells you. Go check for yourself.
If you're not going to *think* in order to track down the problem, you
have no hope of fixing the problem.
Alan DeKok.
-
> Usually I can see the passwords.
> Could be some encoding problem on the client side?
> What looks strange to me is that some pw are fine, some are screwed this way.
Odds are client X has the correct shared secret, and client Y does
not. So... the passwords are broken for some clients, an
like it's mixing
> up output.
> I don't know if this is a problem, or if it was doing it already, but still
> looks strange.
It's an old version. Upgrade.
Alan DeKok.
-
Francois Gaudreault wrote:
> I thought it might be useful for some users to add the
> dictionary.symbol file below :
Added, thanks.
Alan DeKok.
-
with = .
Read dialup.conf. Look for "safe-characters"
Alan DeKok.
-
that.
> If I understand correct i need to configure a "home_server_pool", and remove
> the realm DEFAULT that I have today ?
Yes.
> Or is it possible to do something like
> the following (to configure to MS NPS)
No.
> If the above is not possible, is this the right way...
Auth-Type for you.
In 3.0, the "Auth-Type = Local" warnings will likely go away, because
the server *won't* set it. Instead, you'll just get "no Auth-Type"
> Do I need to concern myself with the warning?
Yes. Use the "pap" module as noted above.
S
> Is that the "local" module?
No. It's internal hacks in the server core.
> Thanks again for super support!
> Even paid support cannot get close to this.
Thanks.
As always, good questions get good answers.
Alan DeKok.
-
ed passwords by using ntlm and
> the rlm_mschap module?
You can use SQL to store anything, including NT-Passwords.
Alan DeKok.
-
at the database is not actually my
> *main* problem right now.
So... find out why the Interim-Updates are slow. They're not slow in
the default configuration.
Check the DB. Are the fields indexed? Likely not...
Alan DeKok.
-
Andreas Rudat wrote:
> I want to use a ssh tunnel between radius and my user database on
> another machine, anyone tried that? I think it should work with port
> forwarding on port 139 of Samba or the SQL port?
It's generally a bad idea. If the tunnel goes away, so does your user
dat
Miha wrote:
> Problem is that I have put
> manually values for attributes in Accept packet (values should be from
> Access-Request) .
What does that mean?
How do you "manually add values" ?
Alan DeKok.
-
how to debug it, and what to expect. If you
follow the directions it *will* work.
Alan DeKok.
-
Andreas Rudat wrote:
> HI Alan,
>
> yes that is what I want, but my ldap doesn't work atm ;-)
See the FAQ for "it doesn't work"
Alan DeKok.
-
cator}"
And you don't need the "request" portion. The documentation says the
"request" list is used by default.
Alan DeKok.
-
Fred wrote:
> Hello,
> Could someone explain difference between a home_server and a
> virtual_server in freeradius 2 (2.1.10+) ?
raddb/sites-available/README
Alan DeKok.
-
ke much sense to accept the user,
and then reject them.
Instead, reject the user earlier in the packet processing.
Alan DeKok.
-
t know where to fix
> it.
READ the debug output, and think about it. Odds are that the NAS is
*not* sending Acct-Input-Octets. This information will be in the debug
output. If that happens, THINK. What should happen when you try to
expand something that doesn't exist?
Alan
te+type+X%3F
Alan DeKok.
-
er to manage updates or deletion of records ?
How? Please explain using the existing schema.
> Am i missing something ?
Propose a new schema which is (a) compatible with the existing usage,
and (b) has the features you want.
Alan DeKok.
-
>, I used DaloRadius, but found out there is little help
> for this web-based management system online, and the MANUAL will cost
> $250. And also the additional MySQL tables make me more confused.
Why? What is confusing about them?
Ask a question. Saying "I'm confused" means
stand it, why are you running it?
> Is it possible to do the same thing in this version?
No.
Alan DeKok.
-
lm_sql_mysql.so" in "/usr/lib/freeradius" folder.
> Anyone can help me?
This question is in the FAQ. Read it.
Alan DeKok.
-
Fabien COMBERNOUS wrote:
> here a patch proposed :
A bit of explanation would help.
It looks reasonable, but I'd want someone to try it before putting it
into the server.
> --- schema_orig.sql2011-09-28 10:42:08.0 +0200
*PLEASE* use full paths. There are 4-5 SQL backends in t
> authenticate with fallback.radius.my.domain
>
> am I correct?
Yes.
Alan DeKok.
-
I've put new images of 2.1.12 on the web site:
http://git.freeradius.org/pre/
If there are no objections, I will release 2.1.12 on Friday, using
those exact files.
Please test && report any show-stoppers.
Alan DeKok.
-
the
code which refers to PQinitSSL
A longer term fix is to update the "configure" script to look for
PQinitSSL.
Alan DeKok.
-
atabases are running
> properly!
FIX THAT.
Nothing else will solve the problem.
You are sending the server more packets than it can handle.
Alan DeKok.
-
DaveA wrote:
> Thanks for your fast response.
>
> By server, do you mean FreeRadius or the back end?
The message says:
Check that all databases are running properly!
What does that mean to you?
Alan DeKok.
-
ap, AD and flat files. Nothing has changed except the version
> I'm using.
Then the solution is obvious, isn't it?
Alan DeKok.
-
atly appreciated.
Set up a fake user account with a username "test", and password
"hello". Do the same test. If you get the same error, submit the debug
output to bugzilla.freeradius.org. I'll see if there's a way for the
server to figure out the correct thing t
Fred wrote:
> To be able to use this, we have to explicitly set HOSTNAME environment
> BEFORE launching freeradius.
IIRC, the server doesn't use $ENV{HOSTNAME} by default.
But yes, it's annoying that the environment has useful things deleted.
Alan DeKok.
-
Arran Cudbard-Bell wrote:
> Which standard says that the MSCHAPv2 identity and the PEAP Inner identity
> have to match?
Nothing, really.
The issue is more sanity and security.
Alan DeKok.
-
> Access-Accept in the post-auth section.
It is not possible.
Alan DeKok.
-
denizaydin wrote:
> Is there any method that you can suggest for reverting Reject message?
(a) Don't reject the user.
(b) modify the source to the server
Alan DeKok.
-
-good commit)
Weird...
> Removing the un-named:
>
> server {
> }
>
> enclosing blocks makes everything work again.
>
> I haven't had time to hunt down the commit which might have changed
> this, but just a heads-up.
I've pushed a fix
Alan DeKok.
-
Fred MAISON wrote:
> Ho Phil,
> Could you explain the interest of un-named server ?
The "authorize", etc. sections should really be inside of a "server"
block. It will make future functionality easier to add.
Alan DeKok.
-
After some delay, and after a few last-minute fixes, we've managed to
release Version 2.1.12. The full changelog is as follows:
FreeRADIUS 2.1.12 Fri 30 Sept 2011 16:57:38 CEST, urgency=medium
Feature improvements
* Updates to dictionary.erx, dictionary.siemens, dictionary.starent,
dictionar
te" sub is called
> and not "authenticate" sub.
That makes NO sense at all.
You have TWO "authenticate" subroutines, and you expect that Perl will
magically call the one you want?
Computers don't work that way.
> How can I enable "authenticate&
So posting the debug output with *no* packets received is useless.
If the server never receives a packet, then the problem is *not*
RADIUS. You have a network problem. Go fix the network. No amount of
poking the RADIUS server will make IP routing work correctly.
Alan DeKok.
-
at the server receives packets. If you had
bothered to run it in debugging mode for packets from localhost, you
would see what it does.
Alan DeKok.
-
tions here.
If you keep asking network questions on a RADIUS list, you can be
unsubscribed from the list.
Alan DeKok.
-
ng an accounting session without first
authenticating the user.
> Do you have any idea of how to correct this ?
Fix the switch so that it sends Access-Requests when a user connects
to it.
Alan DeKok.
-
{
update control {
Proxy-To-Realm := "nameOfRealm"
}
}
}
A seven line config. Can't get much simpler than that.
Alan DeKok.
-