Re: mac authentication, log rejected device in radius.log

2013-10-18 Thread John Douglass
On 10/18/2013 11:00 AM, Alan DeKok wrote: Bertalan Voros wrote: I have one question, I would like to log a message in radius.log when a device is rejected based on its mac address. I would like to put a message saying that the device was unauthorised and the Calling-Station-Id into the

Re: Case statement error

2013-10-14 Thread A . L . M . Buxey
Hi, Ah... a fix wasn't pulled over from v3.0.x to master. I've just done that now. server now starts with such switch/case config present. cheers! alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Username format

2013-10-14 Thread Dean, Barry
I think I know the answer to this question but I wanted to check with the Gurus! Does FreeRADIUS give a fig about what the username is? If it were all numeric, say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS? If there was to be an issue, it would be the back end

RE: Case statement error

2013-10-14 Thread Franks Andy (RLZ) IT Systems Engineer
Thank both, that's great news. I really need to teach myself some C.. Cheers Andy -Original Message- From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu s.org] On Behalf Of

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote: As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check... Add DEFAULT Auth-Type := Reject

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote: On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote: As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't

Re: Username format

2013-10-14 Thread A . L . M . Buxey
Hi, Does FreeRADIUS give a fig about what the username is? If it were all numeric, say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS? FreeRADIUS is just a RADIUS serverand hence any decisions made by it are all down to defined policies. so if you have

Re: Case statement error

2013-10-14 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote: Hi again, Sorry to bang on about this, but I'm struggling still. Brand new machine, Ubuntu 13.04 server, never had freeradius installed on it. Pulled from git, - (FreeRADIUS Version 3.1.0 (git #209982d), I didn't see the 3.1.0... At this

Terminate dsl ppp sessions daily

2013-10-14 Thread Volker Lieder
Hi list, we use freeradius for our dsl user authentication. We want to disconnect some users via radius at fixed times, e.g. 04:00 am. Which attribute and value should / can i use? Session-Timeout doesnt do the job. Regards, Volker Lieder - List info/subscribe/unsubscribe? See

Re: Generating timing stats for ntlm_auth

2013-10-14 Thread Jonathan Gazeley
On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote: Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4

Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Arran Cudbard-Bell
On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote: Hi list, we use freeradius for our dsl user authentication. We want to disconnect some users via radius at fixed times, e.g. 04:00 am. Which attribute and value should / can i use? Session-Timeout doesnt do the job.

3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers
All, Seems that the return code priority is behaving different in 3.0 - specifically the following config: authorize { updated files if (noop) { ... } } ...gives: (0) authorize { (0) [updated] = updated (0) [files] = noop (0) ? if (noop) (0) ? if (noop) - FALSE i.e.

Re: Generating timing stats for ntlm_auth

2013-10-14 Thread Phil Mayers
On 14/10/13 16:01, Jonathan Gazeley wrote: On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote: Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set

Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Volker Lieder
Hi, we tried to calculate it via expr. How would you calculate it? Regards, Volker Am 14.10.2013 um 17:03 schrieb Arran Cudbard-Bell: On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote: Hi list, we use freeradius for our dsl user authentication. We want to

Re: Terminate dsl ppp sessions daily

2013-10-14 Thread Arran Cudbard-Bell
On 14 Oct 2013, at 16:27, Volker Lieder v.lie...@uvensys.de wrote: Hi, we tried to calculate it via expr. How would you calculate it? Pretty sure the expiration module does exactly this. Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List

Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers
On 14/10/13 16:18, Phil Mayers wrote: i.e. the noop from the files module is ignored. This is a change from 2.x where the most recent module return code can be checked. Have I missed the change, or is this not intentional? Looks like this happened in the modcall.c rewrite (d0aa96709cea)

Re: 3.0.0 return code priority / change?

2013-10-14 Thread Phil Mayers
On 14/10/13 17:15, Phil Mayers wrote: On 14/10/13 16:18, Phil Mayers wrote: i.e. the noop from the files module is ignored. This is a change from 2.x where the most recent module return code can be checked. Have I missed the change, or is this not intentional? Looks like this happened in

configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Angelica Delgado
We have our freeradius setup to authenticate with Active Directory for EAP. Currently, it uses the samaccountname but we want to use UPN instead. We get NT_STATUS_NO_SUCH_USER when testing with ntlm through command line. ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com

Re: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread Alan DeKok
Angelica Delgado wrote: We have our freeradius setup to authenticate with Active Directory for EAP. Currently, it uses the samaccountname but we want to use UPN instead. We get NT_STATUS_NO_SUCH_USER when testing with ntlm through command line. ntlm_auth --request-nt-key

RE: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread stefan.paetow
You might want to do an LDAP lookup first on your UPN to find the samAccountName, then use that with ntlm_auth. Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf

RE: Case statement error

2013-10-13 Thread Franks Andy (RLZ) IT Systems Engineer
Hi again, Sorry to bang on about this, but I'm struggling still. Brand new machine, Ubuntu 13.04 server, never had freeradius installed on it. Pulled from git, - (FreeRADIUS Version 3.1.0 (git #209982d), for host x86_64-unknown-linux-gnu, built on Oct 13 2013 at 18:42:55) ./configure Make Make

Re: Case statement error

2013-10-13 Thread A . L . M . Buxey
Hi, this error is also present with 3.1.0 when using the provided orginate-coa virtual-server - so its reproducable with a minimally adjusted configuration (just drop originate-coa from sites-available to sites-enabled) alan - List info/subscribe/unsubscribe? See

Book for freeradius 3.0

2013-10-13 Thread Osvaldo T Crispim Filho
Is there any book about the new version of FreeRADIUS 3.0? -- - Osvaldo T Crispim Filho - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Case statement error

2013-10-13 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote: this error is also present with 3.1.0 when using the provided orginate-coa virtual-server - so its reproducable with a minimally adjusted configuration (just drop originate-coa from sites-available to sites-enabled) Ah... a fix wasn't pulled over from v3.0.x

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote: First of all, sorry if my email is very long, I am just trying not to leave any important details out. :) That's good. So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking. They key thing to remember

Problems with compiling freeradius on Ubuntu Linux

2013-10-12 Thread Andrei Petru Mura
Hello, I imported FreeRADIUS from git on Eclipse, and tried to build it, but this error occurs while building the project: *threads.h:47:2: error: #error WITH_THREADS defined, but pthreads not available* * * Can anybody guide me how to solve this issue? Thanks. - List info/subscribe/unsubscribe?

Re: Problems with compiling freeradius on Ubuntu Linux

2013-10-12 Thread Arran Cudbard-Bell
On 12 Oct 2013, at 17:40, Andrei Petru Mura mapand...@gmail.com wrote: Hello, I imported FreeRADIUS from git on Eclipse, and tried to build it, but this error occurs while building the project: threads.h:47:2: error: #error WITH_THREADS defined, but pthreads not available Can anybody

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Fabrizio Vecchi
Hi Alan and thanks for the reply. On 12 October 2013 13:42, Alan DeKok al...@deployingradius.com wrote: So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking. Get them working independently. Then, put the pieces together.

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote: I guess at the end of the day my question boils down to the following: where should I put the MAC check, so that the user gets assigned to the right VLAN? In post-auth. If I put it in the authorize part of sites-enabled/default, the VLAN update request will get

Re: clone break freeradius

2013-10-11 Thread A . L . M . Buxey
hi, you must ensure you 'sign out' of the AD before you clone as otherwise both objects are the same...and, as you have found, doing something with the cloen breaks the first server. or just dont bind to the AD before cloning. to fix, you need to ensure that both machines have their own

RE: clone break freeradius

2013-10-11 Thread stefan.paetow
Did you also change the MAC address for the network adapter in the VMWare settings? Otherwise VMWare believes (and possibly your network too) the two machines are the same. After changing the MAC address, reconfigure your network settings on the clone and reboot. Delete the trust (computer)

RE: Case statement error

2013-10-11 Thread Franks Andy (RLZ) IT Systems Engineer
Hi again. I'm confused now. I've recompiled, renamed all old folder under /usr/local and done a complete reinstall. I've pared it all down and simply put switch %{control:Tmp-String-0} { case { update control { Tmp-String-0 := new value } } } In the default VS. I still get

Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi
Hi everyone. First of all, sorry if my email is very long, I am just trying not to leave any important details out. :) In my Company, I'd like to setup a freeradius based wifi authentication following the same principle: First check if a user is using the Company's laptop (or phone) by checking

Eaps TTLS and Plain Text

2013-10-11 Thread Gilbert T. Gutierrez, Jr.
I have a Free Radius Server (2.1.10-5 packaged with CentOS 6) that is configured to handle radius authentication eaps ttls in a tunnel (Motorola/Cambium Canopy Product). I want to be able to authenticate plain text requests from other devices that do not support eaps. Can Free Radius handle

Re: Eaps TTLS and Plain Text

2013-10-11 Thread Alan DeKok
Gilbert T. Gutierrez, Jr. wrote: I have a Free Radius Server (2.1.10-5 packaged with CentOS 6) that is configured to handle radius authentication eaps ttls in a tunnel (Motorola/Cambium Canopy Product). I want to be able to authenticate plain text requests from other devices that do not

Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi
Hi everyone. First of all, sorry if my email is very long, I am just trying not to leave any important details out. :) In my Company, I'd like to setup a freeradius based wifi authentication following the same principle: First check if a user is using the Company's laptop (or phone) by checking

MSCHAPv2 use_tunneling_reply problem

2013-10-11 Thread Tekán Dávid
Hi all! I have a problem with users using the anonymous identity field during connecting. It turned out that for privacy reasons it is hidden outside of the tunnel. I found that by setting use_tunneling_reply to yes i can transfer the inner username outside of the tunnel, and the correct (not

Re: MSCHAPv2 use_tunneling_reply problem

2013-10-11 Thread Alan Buxey
So what you're saying is that even though the users are using anonymous outerid and want anonymity you want to release their id to the site they are at? -- Sent from my Android device with K-9 Mail. Please excuse my brevity.- List info/subscribe/unsubscribe? See

freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Hi there, Im trying use freeradius with oracle database. I've used guide on this site http://wiki.freeradius.org/modules/Rlm_sql_oracle to compile oracle driver. I'e installed oracle instant client from rpm packages (basic + devel) When i use ./configure

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread A . L . M . Buxey
Hi, I'e installed oracle instant client from rpm packages (basic + devel) okay. if you've done this rather than manually installing from Oracle then its most likely that the paths are different...you will need to check where your Oracle files have been installed and use those paths instead

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Fajar A. Nugraha
On Thu, Oct 10, 2013 at 2:22 PM, Puzzel puzzel1...@gmail.com wrote: --with-oracle-include-dir=/usr/lib/oracle/11.2/client64 ** ** configure: WARNING: oracle headers not found. Use --with-oracle-include-dir=path.configure: WARNING: silently not building rlm_sql_oracle.

RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Yes, you are right, the oracle inlcude path was in the different location (/usr/include/oracle/11.2/client64 not /usr/lib...). Now i've got another problem. ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64 checking

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell
On 10 Oct 2013, at 09:22, Puzzel puzzel1...@gmail.com wrote: Yes, you are right, the oracle inlcude path was in the different location (/usr/include/oracle/11.2/client64 not /usr/lib...). Now i've got another problem. ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib

RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
Tnx Arran, ./configure went fine and then created all.mk file. What to do next? make don't work. I'm sorry i'm not very much experienced in linux. -Original Message- From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org

Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-10 Thread Alex Sharaz
o.k deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and installed. Simples! Thanks for that A On 9 Oct 2013, at 11:54, Arran Cudbard-Bell a.cudba...@freeradius.org wrote: On 9 Oct 2013, at 11:21, Alex

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell
On 10 Oct 2013, at 10:31, Puzzel puzzel1...@gmail.com wrote: Tnx Arran, ./configure went fine and then created all.mk file. What to do next? make don't work. I'm sorry i'm not very much experienced in linux. You need to do make in the top level directory not in the module directory.

Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-10 Thread Arran Cudbard-Bell
On 10 Oct 2013, at 10:44, Alex Sharaz alex.sha...@york.ac.uk wrote: o.k deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and installed. Simples! Hmm wonder what rudix was doing to mess up talloc

Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers
All, We're seeing bursts of: Thu Oct 10 11:52:14 2013 : Info: WARNING: Child is hung for request 47516341 in component authenticate module peap. Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became unblocked for request 47516341 ...since the return of our students this year. I

Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-10 Thread Alex Sharaz
On 10 Oct 2013, at 12:02, Arran Cudbard-Bell a.cudba...@freeradius.org wrote: On 10 Oct 2013, at 10:44, Alex Sharaz alex.sha...@york.ac.uk wrote: o.k deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell
On 10 Oct 2013, at 12:34, Puzzel puzzel1...@gmail.com wrote: When i do make at top level, i'm getting this output: make Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and retry. Stop. - Missing - Something is not there that should be. - 'Make.inc' - The thing that should

Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi, Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became unblocked for request 47516341 ...since the return of our students this year. I am 99% sure this is ntlm_auth being slow, and I have a strong suspicion this is related to some changes in our AD infrastructure over the

RE: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Puzzel
I've made configure at top level ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64 Then i made make, but i still can't find rlm_sql_oracle.so file. :/ -Original Message- From:

Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Alan DeKok
Phil Mayers wrote: In order to prove this to the AD team, I need to gather some timing stats for ntlm_auth; can anyone think of an easy way to do this within FreeRADIUS? I had patches for this a while ago. But they won't apply to the current code. The idea was to update the modsingle

Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers
On 10/10/13 12:56, a.l.m.bu...@lboro.ac.uk wrote: Hi, Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became unblocked for request 47516341 ...since the return of our students this year. I am 99% sure this is ntlm_auth being slow, and I have a strong suspicion this is related to

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Arran Cudbard-Bell
On 10 Oct 2013, at 13:39, Puzzel puzzel1...@gmail.com wrote: I've made configure at top level ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64 Then i made make, but i still can't find rlm_sql_oracle.so file. :/

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread Alan DeKok
Puzzel wrote: I've made configure at top level ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64 If the build is having issues, you should READ the output of configure. It tells you what it's building, and what

Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread John Dennis
On 10/10/2013 08:39 AM, Puzzel wrote: I've made configure at top level ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64 Then i made make, but i still can't find rlm_sql_oracle.so file. :/ Try reading the output

RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
authentications (as microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load. Samba 4 is lurvely... apparently 100% compatible with existing AD

Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi, Any chance you can point me in the direction of these? heres one: http://support.microsoft.com/kb/2688798 Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do it by default. Cisco wireless problem? theres

Re: Generating timing stats for ntlm_auth

2013-10-10 Thread A . L . M . Buxey
Hi, Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it

RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
it can also BE an AD master etc. anyway, you dont know how tempting it was to yum install samba4 on our production system ;-) Indeed. That's exactly what I'm using it for. :-) I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context Yes, versus Windows 2008

Re: FR3 Debugging Switches

2013-10-10 Thread Phil Mayers
On 09/10/13 19:09, Alan DeKok wrote: That is *exactly* what the server does for TCP. ...in which case my comment is entirely redundant, please disregard! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Generating timing stats for ntlm_auth

2013-10-10 Thread Brian Julin
Phil wrote: I could wrap ntlm_auth in a script that times it and lots the info, but I'm slightly wary of that - it might perturb the timings. Any obvious/easy thing I'm missing? You might be able to run FR under gdb (or attach/resume a running FR), and set breakpoints with commands that

Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Phil Mayers
On 10/10/13 17:16, Brian Julin wrote: You might be able to run FR under gdb (or attach/resume a running FR), and set breakpoints with commands that resume after running the GDB commands. That's in inventive one, but I'm not *that* desperate yet! - List info/subscribe/unsubscribe? See

Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers
I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing: ERROR: Conditional evaluation failed due to internal sanity check. ...whenever I try to compare against absent attributes. What's the correct

Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers
On 10/10/13 18:32, Phil Mayers wrote: I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing: We're also getting: Info: Invalid operator for item Sql-Group: reverting to '==' ...which is logged to

Re: Error messages in debug on 3.0

2013-10-10 Thread Arran Cudbard-Bell
On 10 Oct 2013, at 18:32, Phil Mayers p.may...@imperial.ac.uk wrote: I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing: ERROR: Conditional evaluation failed due to internal sanity

Re: Error messages in debug on 3.0

2013-10-10 Thread Phil Mayers
On 10/10/13 18:51, Arran Cudbard-Bell wrote: possibly if (outer.request Hmm, no same thing, and worse it's squashing Module-Failure-Message :o( - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error messages in debug on 3.0

2013-10-10 Thread Alan DeKok
Phil Mayers wrote: I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing: ERROR: Conditional evaluation failed due to internal sanity check. That should be fixed. Either it can be deleted,

Re: Generating timing stats for ntlm_auth

2013-10-10 Thread Jonathan Gazeley
On 10/10/13 15:01, a.l.m.bu...@lboro.ac.uk wrote: Hi, Any chance you can point me in the direction of these? heres one: http://support.microsoft.com/kb/2688798 Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do

Re: Error messages in debug on 3.0

2013-10-10 Thread Arran Cudbard-Bell
On 10 Oct 2013, at 22:23, Alan DeKok al...@deployingradius.com wrote: Phil Mayers wrote: I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing: ERROR: Conditional evaluation failed due to

clone break freeradius

2013-10-10 Thread trevor obba
I configured freeradius version 2.2.0 running on Ubuntu 12.04 to authenticate against active directory and it is working fine until I decide to clone (vmware) the machine. Once the machine is clone I changed the IP address, hostname in (/etc/hosts and /etc/hostname) and also changed the name in

unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello list, I want to delete one reply attribute from the reply list if the access-request is originating not from a special NAS-IP-Address. Currently I have solved this by adding this unlang code in authorize section: if(!NAS-IP-Address == x.x.x.x) { update reply {

Re: unlang - delete attribute - !*

2013-10-09 Thread Arran Cudbard-Bell
On 9 Oct 2013, at 07:05, Hachmer, Tobias tobias.hach...@stadt-frankfurt.de wrote: Hello list, I want to delete one reply attribute from the reply list if the access-request is originating not from a special NAS-IP-Address. Currently I have solved this by adding this unlang code in

AW: unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello Arran, thanks for the answer. This has worked! Regards, Tobias Hachmer -Ursprüngliche Nachricht- Von: freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org [mailto:freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org] Im

Usage of Session-Timeout

2013-10-09 Thread Volker Lieder
Hi, we upgraded a freeradius setup from 1.x to 2.1.10+dfsg-2+squeeze1 on Debian Squeeze. Within the old version, we used a database config for groups with an attribute Session-Timeout and the value `%{expr:06:00}` With new version freeradius send an error while looking in debug mode like: Tue

well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
Just got a wee bit of trouble linking in the talloc libraries, but I'm sure its not insurmountable A - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
Hi, Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm need some tweaking. As far as I'm aware ( systems section support the F5 boxes) 1). We're using round robin to spread the load over

Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Russell Mike
Dear Aran C. Bell Thanks for everything, Here is update. 1.) All-In-MB counter works. Please note, when a user has downloaded his quota, counter do not force log off . Saying other way, if the user is online, he would remain online until he log off him self or stop browsing. But point to be

Re: load balancing radius with F5 devices

2013-10-09 Thread Fajar A. Nugraha
On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote: While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in

Re: load balancing radius with F5 devices

2013-10-09 Thread Michael Schwartzkopff
Am Mittwoch, 9. Oktober 2013, 09:41:19 schrieb Alex Sharaz: Hi, Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm need some tweaking. As far as I'm aware ( systems section support the

Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread A . L . M . Buxey
Hi, Just got a wee bit of trouble linking in the talloc libraries, but I'm sure its not insurmountable Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff present - you should have been compiling it before the official release ;-) alan - List

Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 10:41, Alex Sharaz wrote: Hi, Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm need some tweaking. I have f5 loadbalancers but atm I don't use them for our RADIUS

Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
On 9 Oct 2013, at 10:16, Fajar A. Nugraha l...@fajar.net wrote: On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote: While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS

Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 11:25, Olivier Beytrison wrote: On 09.10.2013 10:41, Alex Sharaz wrote: I was wondering if there's a way off having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests. Another nice thing to do is to do persistence based on radius AVP

RE: load balancing radius with F5 devices

2013-10-09 Thread Vincent, Fabien
Hi, Just to give some infos if I can help (this mailing has helped me a lot !) I have F5 BigIP devices in two 2 DCs. They have each a VirtualServer with a shared IP (not activated in VLANs used to communicate between the 2 DC to avoid IP conflits, a much simple config for NAS - only one IP

Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
you don't know how hard it was to wait till the official release :-) A On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote: Hi, Just got a wee bit of trouble linking in the talloc libraries, but I'm sure its not insurmountable Alan uses OSX so I'm *SURE* it compiles fine with the

Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
Many thanks for this Olivier, much appreciated Rgds A On 9 Oct 2013, at 11:07, Olivier Beytrison oliv...@heliosnet.org wrote: On 09.10.2013 11:25, Olivier Beytrison wrote: On 09.10.2013 10:41, Alex Sharaz wrote: I was wondering if there's a way off having a bit more granularity in terms of

Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote: Hi, Just got a wee bit of trouble linking in the talloc libraries, but I'm sure its not insurmountable Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff present - you should have been compiling it

Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Arran Cudbard-Bell
On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote: you don't know how hard it was to wait till the official release :-) A brew install talloc brew link talloc ./configure make make install ? Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List

Re: Freeradius 3 and DHCP

2013-10-09 Thread Rok Kosir
On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote: On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk wrote: On 08/10/13 17:01, Rok Kosir wrote: authentication to mysql), when i run freeradius -X, i get Segmentation Fault when it reaches dhcp listner. See doc/bugs. and skip to

Re: Usage of Session-Timeout

2013-10-09 Thread Alan DeKok
Volker Lieder wrote: Within the old version, we used a database config for groups with an attribute Session-Timeout and the value `%{expr:06:00}` Which never worked. 06:00 isn't a number. You can't just invent syntax and use i. With new version freeradius send an error while looking in

Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Alan DeKok
Russell Mike wrote: All-In-MB counter works. Please note, when a user has downloaded his quota, counter do not force log off . The counter modules DOES NOT DO THAT. To see why, ask yourself what does FreeRADIUS see when the user has downloaded his quota? The answer is nothing. The

Case statement error

2013-10-09 Thread Franks Andy (RLZ) IT Systems Engineer
Hi All. I have some code in an sql policy: sql_check_user_present { update control { Tmp-String-0 := %{sql_pwifi:SELECT COUNT(*) from voucher v left join state s on v.id=s.voucher_id where v.id=s.voucher_id and v.code='%{User-Name}' and (s.state='Inactive' or s.state='Active')} } switch

FR3 Debugging Switches

2013-10-09 Thread Adam Bishop
It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured. # radiusd -fxx -l stdout Works as expected (threaded debugging with no timestamps), however: # radiusd -fXx -l stdout snip Wed Oct 9 14:44:18 2013 : Error:

Re: Freeradius 3 and DHCP

2013-10-09 Thread Arran Cudbard-Bell
On 9 Oct 2013, at 11:56, Rok Kosir rok.ko...@cosylab.com wrote: On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote: On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk wrote: On 08/10/13 17:01, Rok Kosir wrote: authentication to mysql), when i run freeradius -X, i get

Re: Case statement error

2013-10-09 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote: Trying version #d166290 results in Which is old. The bug has already been fixed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan. D So if you want to do something when the users traffic is over the quota, you have to do it in the accounting section. Could you please kindly indicate what should i do there ? i tried to perform the check again when user is online by adding counter entry in * session* section. but

Re: FR3 Debugging Switches

2013-10-09 Thread Alan DeKok
Adam Bishop wrote: It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured. Yes. Because of OpenSSL limitations, the server MUST have multiple threads when using radsec. # radiusd -fxx -l stdout Works as expected (threaded debugging

Re: FR3 Debugging Switches

2013-10-09 Thread A . L . M . Buxey
Hi, It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured. # radiusd -fxx -l stdout yep. if you try 'radiusd -X' it will tell you to run it like that. # radiusd -fXx -l stdout # ./sbin/radiusd -Cfxx -l stdout single thread

  1   2   3   4   5   6   7   8   9   10   >