Re[2]: Help - ASN-GW throwing error - Validation of attributes failed

2012-03-15 Thread Толик Шавловский
Hi,

ask ASN-GW vendor if it passed IOT with FR.


15 March 2012, 09:58 from Rathod Subhashchandra rat...@tataelxsi.co.in:
 Dear Fajar,
 
 I went through the documentation of ASN-GW. I could not find configuring AAA
 parameters except AAA IP address.
 
 I am not quite clear which attribute is causing the problem.
 For EAP-TTLS, almost same ACCESS-ACCEPT attributes are through. But for
 EAP-TLS I am facing this issue.
 
 I am attaching the AAA wireshark logs. Please let me know your valuable
 feedback.
 
 Thanks !
 Rathod.
 
 
 
 
 -Original Message-
 From: Fajar A. Nugraha [mailto:l...@fajar.net] 
 Sent: Thursday, March 15, 2012 11:00 AM
 To: rat...@tataelxsi.co.in; FreeRadius users mailing list
 Subject: Re: Help - ASN-GW throwing error - Validation of attributes failed
 
 On Thu, Mar 15, 2012 at 12:21 PM, Rathod Subhashchandra
 rat...@tataelxsi.co.in wrote:
  Wireshark logs @ ASN-GW
 
 
 
 
 
  I could not attach wireshark pcap logs due to size constraint. I have taken
 print screen of only ACCESS-ACCEPT message copied to MS word.
 
 While that information might be interesting for ASN
 support/list/forum, this list is not it.
 
  What are the mandatory fields in Access-Accept and their valid values?
 
  Service-Type attribute value is 2. ASN-GW is adding this attribute. Is
 this valid for EAP-TLS?
 
  I am guessing this should be 8. I don't have control over ASN-GW
 parameters modification.
 
 
 
  Please let me know what fields are invalid in above ACCESS-ACCEPT.
 
 Did you try asking the NAS vendor?
 
 If you know what attributes are needed, you can configure FR to send
 it. If you don't know what they are, then you should ask the NAS
 vendor, or at least read its documentation.
 
 -- 
 Fajar
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re[2]: High Avaibility

2012-03-01 Thread Толик Шавловский
Hi,

if your NAS does not support 2 radius servers you can use load balancer (ex 
fortinet).




01 March 2012, 15:37 from Phil Mayers p.may...@imperial.ac.uk:
 On 01/03/12 10:16, Anto wrote:
  Hello
 
  In the coming days I will set up a freeradius server for access
  control and accounting. I've been looking for information on
  freeradius and high availability, since my idea is to have two servers
  in case one fails, continue to operate with the other, but I just
  found information. So I turn to the list, in case I can recommend
  someone with experience on stage.
 
  I do not know if it is feasible to have a server as master and one
  slave, when the main falls, the other up the interface. If there is
  some kind of balancer radius and use both servers, etc..
 
 This is a very vague question. You're going to get a lot of either
 too-vague or too-specific answers.
 
 A few things you need to specify:
 
   1. When you say high availability what are you hoping to achieve?
   2. How long can you tolerate when an unscheduled outage for? 1 second
 or 60?
   3. Do your RADIUS servers talk to external data sources (SQL, LDAP)?
   4. Do you care about load-balancing, or just high-availability?
 
 I'll make a few comments:
 
 Most NASes support 2 (or more) RADIUS servers, and will fail over when
 they detect an outage. For resilience, you just need to build two RADIUS
 servers on different IPs, and specify these in your NAS.
 
 You don't need a load-balancer or other complications, and they will
 just make things less reliable.
 
 Making redundant RADIUS servers is easy; you just build two machines,
 and run FreeRADIUS on each with the same config. The hard bit is
 replicating any data sources between them (LDAP, SQL) and handling
 writes such as accounting packets into SQL, SQL session counters, and
 so on.
 
 You need to be more specific about what you're doing and what you want
 to achieve.


Re: How to configure redundant radius?

2011-12-30 Thread Толик Шавловский
hi,

u can build oracle solaris cluster ( two servers are in cluster with same IP)
or u can use brodhop device to use one IP for two different servers.

anatolii


30 December 2011, 23:02 from Christ Schlacta li...@aarcane.org:
 I've got a number of devices all of which only have the option for one
 radius IP address (not hostname!) to be configured.  How can I configure
 this type of device for failover (and optionally balance)?  is there
 some PROPER way to do this? or am I limited to only being able to have
 one fr server configured for these particular devices?


Re[8]: semulteneius-use with cisco nas

2011-12-14 Thread Толик Шавловский
Dear Fajar,

here is the debug:
=
rad_recv: Access-Request packet from host 10.169.33.11 port 1645, id=242, 
length=168
User-Name = user
Framed-MTU = 1400
Called-Station-Id = 0013.1a08.9340
Calling-Station-Id = 001b.7770.9159
Service-Type = Login-User
Message-Authenticator = 0x1b9f8a18ab599eb355a6b95009ad3876
EAP-Message = 
0x020c00261900170301001bb38d66eaaca02000d41d031c3b819c732c2073d8ae808cdf61d43a
NAS-Port-Type = Wireless-802.11
NAS-Port = 13495
State = 0xc9003ff4c00c263b902065cf0bcf43fd
NAS-IP-Address = 10.169.33.11
NAS-Identifier = ap
(49) # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
(49)   group authorize {
(49)  - entering group authorize {...}
(49)   [preprocess] = ok
(49)   [chap] = noop
(49)   [mschap] = noop
(49)   [digest] = noop
(49) suffix : No '@' in User-Name = user, looking up realm NULL
(49) suffix : No such realm NULL
(49)   [suffix] = noop
(49) eap : EAP packet type response id 12 length 38
(49) eap : Continuing tunnel setup.
(49)   [eap] = ok
(49) Found Auth-Type = ?
(49) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(49)   group authenticate {
(49)  - entering group authenticate {...}
(49) eap : Request found, released from the list
(49) eap : EAP/peap
(49) eap : processing type peap
(49) peap : processing EAP-TLS
(49) peap : eaptls_verify returned 7 
(49) peap : Done initial handshake
(49) peap : eaptls_process returned 7 
(49) peap : FR_TLS_OK
(49) peap : Session established.  Decoding tunneled attributes.
(49) peap : Peap state send tlv success
(49) peap : Received EAP-TLV response.
(49) peap : Success
(49) peap : Using saved attributes from the original Access-Accept
User-Name = user
(49) eap : Freeing handler
(49)   [eap] = ok
(49) Login OK: [user/via Auth-Type = ?] (from client 10.169.33.11/24 port 
13495 cli 001b.7770.9159)
(49) # Executing section post-auth from file 
/usr/local/etc/raddb/sites-enabled/default
(49)   group post-auth {
(49)  - entering group post-auth {...}
(49) sql :  expand: %{User-Name} - user
(49) sql : sql_set_user escaped user -- 'user'
(49) sql :  expand: %{User-Password} - 
(49) sql :  ... expanding second conditional
(49) sql :  expand: %{Chap-Password} - 
(49) sql :  expand: INSERT INTO radpostauth (username, 
pass, reply, authdate)  VALUES ( '%{SQL-User-Name}', 
'%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}', '%S') 
-INSERT INTO radpostauth (username, pass, reply, authdate)   
VALUES ('user', '', 'Access-Accept', '2011-12-14 10:59:49')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
(username, pass, reply, authdate)   VALUES ('user', '', 
'Access-Accept', '2011-12-14 10:59:49')
rlm_sql (sql): Reserved connection (12)
rlm_sql (sql): Released connection (12)
(49)   [sql] = ok
(49) sql_log : Processing sql_log_postauth
(49) sql_log :  expand: %{User-Name} - user
(49) sql_log :  expand: %{%{User-Name}:-DEFAULT} - user
(49) sql_log : sql_set_user escaped user -- 'user'
(49) sql_log : WARNING: Deprecated conditional expansion :-.  See man 
unlang for details
(49) sql_log :  ... expanding second conditional
(49) sql_log :  expand: Chap-Password - Chap-Password
(49) sql_log :  expand: INSERT INTO radpostauth  
(username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}', 
'%{reply:Packet-Type}', '%S'); - INSERT INTO radpostauth   
(username, pass, reply, authdate) VALUES('user', 
'Chap-Password',   'Access-Accept', '2011-12-14 10:59:49');
(49) sql_log :  expand: /usr/local/var/log/radius/radacct/sql-relay - 
/usr/local/var/log/radius/radacct/sql-relay
(49)   [sql_log] = ok
(49)   [exec] = noop
(49)policy remove_reply_message_if_eap {
(49)   - entering policy remove_reply_message_if_eap {...}
(49)? if (reply:EAP-Message  reply:Reply-Message)
(49) ? Evaluating (reply:EAP-Message ) - TRUE
(49) ? Evaluating (reply:Reply-Message) - FALSE
(49)? if (reply:EAP-Message  reply:Reply-Message) - FALSE
(49) else else {
(49)- entering else else {...}
(49) [noop] = noop
(49)- else else returns noop
(49)   - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 242 to 10.169.33.11 port 1645
User-Name = user
MS-MPPE-Recv-Key = 
0xffb3f4f01af8ea5b71cfe309205a5436aad8c57caf0cf40d6b37fbd193df34f6
MS-MPPE-Send-Key = 
0x500ebf88f7a74a9095d357c31ac48010e62b655ebd53573d2d418a1e1332c732
EAP-Message = 0x030c0004
Message-Authenticator = 0x
(49) Finished request 49.
Waking up in 0.1 seconds.
rad_recv: Accounting-Request packet from host 10.169.33.11 port 1646, id=204, 

Re[2]: semulteneius-use with cisco nas

2011-12-12 Thread Толик Шавловский
Hi,

this is my radwho output for 1st user (last string for 12-12-2011):

freebsd# radwho
Login Name What TTY When From Location
user user shell 999 Thu 14:38 10.169.33.11 
user user shell 999 Thu 15:03 10.169.33.11 
user user shell 999 Thu 17:25 10.169.33.11 
user user shell 999 Thu 17:26 10.169.33.11 
user user shell 999 Mon 10:45 10.169.33.11 

this is seen from NAS, i cannot add file with prntscrs, but use session is 
active in NAS.

then, i connect 2nd user via same NAS:
freebsd# radwho
Login Name What TTY When From Location
user user shell 999 Thu 14:38 10.169.33.11 
user user shell 999 Thu 15:03 10.169.33.11 
user user shell 999 Thu 17:25 10.169.33.11 
user user shell 999 Thu 17:26 10.169.33.11 
user user shell 999 Mon 10:45 10.169.33.11 
user user shell 999 Mon 10:50 10.169.33.11 

this is seen from NAS, also.
so, first user is recorded.

I also wanted to add configuration files, but it is not allowed by maillist 
policy.

part of clients.conf:
freebsd# cat clients.conf
client 10.169.33.11/24 {
        #require_message_authenticator = no
        secret   = 12345
        nastype  = cisco
        login    = snmp
        password = public
}

freeradius server connects via snmp to NAs, i checked with snmpget.

so, what can be wrong in my configuration?


BR,
Anatolii


10 December 2011, 05:52 from Alan DeKok al...@deployingradius.com:
 tolik_shavlov...@mail.ru wrote:
  i am really not experienced with freeradius and mysql. I made everything
  with your website.
  I kindly ask you for help.
 
  i made test in the following manner:
  1. connect 1st laptop via Ap (NAS) with user/user
  2. connect second laptop
 
  simult-use feature should block second one, as i understood.
 
   IF CERTAIN CONDITIONS ARE MET.
 
  from your previous emailing i understood that accounting is sent if we
  use database, so I configured authentication from mysql.
 
  in the debug i see Accounting-Request packet and Accounting-Response.
 
  can you describe what is not met??
 
   Read doc/Simultaneous-Use, Section 3.  It documents what happens for
 Simultaneous-Use to work.
 
   Go check it against the debug output.  Run radwho after the first
 login to see if FreeRADIUS has recorded that the user has logged in.
 
   If that information isn't recorded, Simultaneous-Use won't work.
 Don't blame FreeRADIUS.  Blame the NAS which is sending useless data.
 
   Alan DeKok.
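
An added example, not part of the original messages: it parses a radwho listing in the layout posted above and reports users with more recorded sessions than their Simultaneous-Use limit, plus records that repeat the same login, NAS and port. The limit table, the function names and the repeated-port heuristic are assumptions of this example, not FreeRADIUS behaviour.

```python
from collections import Counter

# Constructed sample: the second radwho listing from the message above.
RADWHO_OUTPUT = """\
freebsd# radwho
Login Name What TTY When From Location
user user shell 999 Thu 14:38 10.169.33.11
user user shell 999 Thu 15:03 10.169.33.11
user user shell 999 Thu 17:25 10.169.33.11
user user shell 999 Thu 17:26 10.169.33.11
user user shell 999 Mon 10:45 10.169.33.11
user user shell 999 Mon 10:50 10.169.33.11
"""

# Constructed limit table; the value 1 mirrors the Simultaneous-Use row
# for "user" in the radcheck listing elsewhere on this page.
LIMITS = {"user": 1}


def parse_radwho(text):
    """Return one dict per session row of a radwho listing.

    Assumes whitespace-separated columns and that Login and Name contain
    no spaces, which holds for the listing above.
    """
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # shell prompt or blank line
        if fields[0] == "Login" and fields[1] == "Name":
            continue  # column header
        login, name, what, tty, day, clock, nas = fields[:7]
        sessions.append({
            "login": login,
            "name": name,
            "what": what,
            "tty": tty,
            "when": f"{day} {clock}",
            "nas": nas,
            "location": " ".join(fields[7:]),
        })
    return sessions


def over_limit(sessions, limits):
    """Map login -> (recorded sessions, limit) for users above their limit."""
    counts = Counter(s["login"] for s in sessions)
    return {
        login: (count, limits[login])
        for login, count in counts.items()
        if login in limits and count > limits[login]
    }


def repeated_port_records(sessions):
    """Map (login, NAS, port) -> count where the same triple recurs.

    Heuristic assumed by this example: several records on one NAS port
    are candidates for sessions that were never closed.
    """
    counts = Counter((s["login"], s["nas"], s["tty"]) for s in sessions)
    return {key: count for key, count in counts.items() if count > 1}


if __name__ == "__main__":
    parsed = parse_radwho(RADWHO_OUTPUT)
    for login, (count, limit) in over_limit(parsed, LIMITS).items():
        print(f"{login}: {count} recorded sessions, limit {limit}")
    for key, count in repeated_port_records(parsed).items():
        print(f"{key}: {count} records on the same NAS port")
```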


Re[3]: semulteneius-use with cisco nas

2011-12-12 Thread Толик Шавловский
Also, I can add that i checked with sniffer and didn't see that freeradius 
connects to NAS via snmp.




Re[4]: semulteneius-use with cisco nas

2011-12-12 Thread Толик Шавловский
Dear all,

can u help me with the problem??






Re[3]: git timeout

2011-12-09 Thread Толик Шавловский
it installed disabling the dhcp.

thanks a lot


09 December 2011, 15:05 from tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru:
hi,

i made gmake.


09 December 2011, 14:33 from Paul Thornton [via FreeRadius] [hidden email]:
 On 09/12/2011 10:16, [hidden email] wrote:

 
 /usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
 /usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
 /usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list
 before 'u_long'
 gmake[4]: *** [dhcp.lo] Error 1
 gmake[4]: Leaving directory `/tmp/freeradius-server/src/lib'
 gmake[3]: *** [lib] Error 2
 gmake[3]: Leaving directory `/tmp/freeradius-server/src'
 gmake[2]: *** [all] Error 2
 gmake[2]: Leaving directory `/tmp/freeradius-server/src'
 gmake[1]: *** [src] Error 2
 gmake[1]: Leaving directory `/tmp/freeradius-server'
 gmake: *** [all] Error 2
 
 i downloaded from 
 
 $ git clone git://git.freeradius.org/freeradius-server.git
 $ cd freeradius-server
 $ git fetch origin v2.1.x:v2.1.x
 $ git checkout v2.1.x

Rather than using 'make' on FreeBSD, try 'gmake'.  That will run Gnu
Make as Alan suggested.

Paul.


Re[3]: authentetication with mysql and NAS type= other

2011-12-08 Thread Толик Шавловский
 = Framed-User
 NAS-IP-Address = 10.169.33.11
 Acct-Delay-Time = 15
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 13258,Client-IP-Address = 
10.169.33.11,NAS-IP-Address = 10.169.33.11,Acct-Session-Id = 
3308,User-Name = user'
[acct_unique] Acct-Unique-Session-ID = 45341f9e68e705da.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.169.33.11/detail-20111207
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.169.33.11/detail-20111207
[detail] expand: %t - Wed Dec 7 10:17:51 2011
++[detail] returns ok
++[unix] returns fail
Finished request 88.
Cleaning up request 88 ID 90 with timestamp +229
Going to the next request
Ready to process requests.
===

simultaneous-use not working((

mysql> select * from radcheck;
+----+----------------+--------------------+----+------------------+
| id | username       | attribute          | op | value            |
+----+----------------+--------------------+----+------------------+
| 11 | user           | Cleartext-Password | := | user             |
|  3 | [hidden email] | Cleartext-Password | := | test             |
|  5 | [hidden email] | Cleartext-Password | := | test             |
| 10 | user           | Simultaneous-Use   | := | 1                |
|  8 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+----------------+--------------------+----+------------------+




08 December 2011, 11:59 from tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru:
oh, sorry
but that username could be authenticated)


mysql> select * from radcheck;
+----+----------------+--------------------+----+------------------+
| id | username       | attribute          | op | value            |
+----+----------------+--------------------+----+------------------+
| 11 | user           | Cleartext-Password | := | user             |
|  3 | [hidden email] | Cleartext-Password | := | test             |
|  5 | [hidden email] | Cleartext-Password | := | test             |
| 10 | user           | Simultaneous-Use   | := | 1                |
|  8 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+----------------+--------------------+----+------------------+


08 December 2011, 11:51 from Alan DeKok-2 [via FreeRadius] [hidden email]:
 Толик Шавловский wrote:
 Hi,
 
 mysql> use freeradius;
 Database changed
 mysql> select * from radcheck;
 +----+-----------------+--------------------+----+------------------+
 | id | username        | attribute          | op | value            |
 +----+-----------------+--------------------+----+------------------+
 |  1 | user            | Password           | == | user             |

  Change that to Cleartext-Password and :=, like the other entries.

 all usernames are authenticated for WiFi.
 
 Wimax cannot.

  Post the debug output for WiMAX.  Honestly, I don't see why *anyone*
needs to be told this.

  Alan DeKok.


Re[2]: git timeout

2011-12-08 Thread Толик Шавловский
freebsd# ping git.freeradius.org
PING git.freeradius.org (88.190.25.44): 56 data bytes
64 bytes from 88.190.25.44: icmp_seq=0 ttl=48 time=48.211 ms
64 bytes from 88.190.25.44: icmp_seq=1 ttl=48 time=48.253 ms
64 bytes from 88.190.25.44: icmp_seq=2 ttl=48 time=48.967 ms
^C
--- git.freeradius.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 48.211/48.477/48.967/0.347 ms
freebsd# git clone git://git.freeradius.org/freeradius-server.git
Cloning into freeradius-server...
git.freeradius.org[0: 88.190.25.44]: errno=Operation timed out
fatal: unable to connect a socket (Operation timed out)


i have connectivity


08 December 2011, 16:17 from Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,
 
  freebsd# /usr/local/bin/git clone
  git://git.freeradius.org/freeradius-server.git
  Cloning into freeradius-server...
  git.freeradius.org[0: 88.190.25.44]: errno=Operation timed out
  fatal: unable to connect a socket (Operation timed out)
 
 check your connectivity...
 
 $ git clone git://git.freeradius.org/freeradius-server.git
 Cloning into freeradius-server...
 remote: Counting objects: 77877, done.
 remote: Compressing objects: 100% (20580/20580), done.
 remote: Total 77877 (delta 60984), reused 73352 (delta 57120)
 Receiving objects: 100% (77877/77877), 14.57 MiB | 6.66 MiB/s, done.
 Resolving deltas: 100% (60984/60984), done.
 
 alan


Re: packet in freeradius

2011-12-07 Thread Толик Шавловский
Hi,

after auth each packet will go through NAS (Ap, Router)




08 December 2011, 10:28 from Harish Mandowara hari...@cdac.in:
 Hi all,
 
 After authentication by Freeradius each and every packet is going through
 server. Or after authentication access point or router will handle all
 this thing.
 
 --
 Warm Regards
 
 Harish Mandowara
 


Re[6]: authentetication with mysql and NAS type= other

2011-12-07 Thread Толик Шавловский
Hi,

mysql> use freeradius;
Database changed
mysql> select * from radcheck;
+----+-----------------+--------------------+----+------------------+
| id | username        | attribute          | op | value            |
+----+-----------------+--------------------+----+------------------+
|  1 | user            | Password           | == | user             |
|  3 | t...@wimax.com  | Cleartext-Password | := | test             |
|  5 | te...@wimax.com | Cleartext-Password | := | test             |
| 10 | user            | Simultaneous-Use   | := | 1                |
|  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+-----------------+--------------------+----+------------------+


user is for WiFi
test and tes1 is for WimAX.

all usernames are authenticated for WiFi.

Wimax cannot.  I don't know why it uses username = 
'KeepAliveUserNameAndPassword', like in the debug?? when i used users file in 
FR with the same usernames, it was ok. I really use same usernames for auth in 
my Wimax CPEs.

07 December 2011, 20:17 from Fajar A. Nugraha l...@fajar.net:
 On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  SELECT id, username, attribute,
  value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword'
  ORDER BY id
 
  SELECT groupname FROM radusergroup
  WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
 
 What do you get when you execute those two queries in mysql directly?
 
  [sql] User KeepAliveUserNameAndPassword not found
 
 the sql module says the user is not found. It doesn't lie.
 
  ===
  login and password are correct!
 
 And how did you know that? Did you setup the tables correctly? Hint:
 execute those two queries above.
 
 --
 Fajar
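
An added example, not part of the original messages: it runs the two lookups quoted from the debug output against a constructed copy of the radcheck listing above, and finds rows still using Password with ==, which another reply in this archive says to change to Cleartext-Password and :=. SQLite stands in for MySQL, the redacted usernames are replaced by placeholders, and the function names are hypothetical.

```python
import sqlite3

# Constructed copy of the radcheck rows listed above, in the column order
# (id, username, attribute, op, value). The two redacted usernames are
# replaced by placeholders.
ROWS = [
    (1, "user", "Password", "==", "user"),
    (3, "placeholder1@example.invalid", "Cleartext-Password", ":=", "test"),
    (5, "placeholder2@example.invalid", "Cleartext-Password", ":=", "test"),
    (10, "user", "Simultaneous-Use", ":=", "1"),
    (8, "placeholder1@example.invalid", "Framed-Filter-Id", ":=", "SP=data:MSF=data"),
    (9, "placeholder2@example.invalid", "Framed-Filter-Id", ":=", "SP=data:MSF=data"),
]

# The two queries quoted from the debug output, with the username passed
# as a bound parameter instead of being pasted into the SQL text.
CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = ? ORDER BY id"
)
GROUP_QUERY = (
    "SELECT groupname FROM radusergroup "
    "WHERE username = ? ORDER BY priority"
)

# Rows whose password check does not follow the Cleartext-Password / := form.
LEGACY_WHERE = (
    "attribute = 'Password' "
    "OR (attribute = 'Cleartext-Password' AND op <> ':=')"
)


def build_db():
    """Create an in-memory stand-in for the two tables the queries read."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)"
    )
    db.execute(
        "CREATE TABLE radusergroup (username TEXT, groupname TEXT, "
        "priority INTEGER)"
    )
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def lookup(db, username):
    """Run both lookups for one username; empty results mean 'not found'."""
    checks = db.execute(CHECK_QUERY, (username,)).fetchall()
    groups = [name for (name,) in db.execute(GROUP_QUERY, (username,))]
    return checks, groups


def legacy_password_rows(db):
    """List (id, username, attribute, op) for rows needing the change."""
    sql = f"SELECT id, username, attribute, op FROM radcheck WHERE {LEGACY_WHERE} ORDER BY id"
    return db.execute(sql).fetchall()


def normalise_password_rows(db):
    """Apply the change and return how many rows were updated."""
    sql = f"UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':=' WHERE {LEGACY_WHERE}"
    return db.execute(sql).rowcount


if __name__ == "__main__":
    conn = build_db()
    for name in ("KeepAliveUserNameAndPassword", "user"):
        print(name, lookup(conn, name))
    print("legacy rows:", legacy_password_rows(conn))
    print("updated:", normalise_password_rows(conn))
```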


Re[2]: problem with packet management on freebsd

2011-12-06 Thread Толик Шавловский
Hi, 

thanks for your answer.

but your link 
http://www.freebsd.org/cgi/ports.cgi?query=freeradius&stype=all&sektion=net
has the only fr-mysql version:
freeradius-mysql-1.1.8_4

i need freebsd FR version with mysql.

BR,

06 December 2011, 12:12 from Fajar A. Nugraha l...@fajar.net:
 On Tue, Dec 6, 2011 at 3:01 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  Hi,
 
  i have the problem with packet management running on freebsd:
 
  FreeBSD# pkg_add -r freeradius-mysql-1.1.8_4.tbz
  Error: Unable to get
  ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-9-stable/Latest/freeradius-mysql-1.1.8_4.tbz:
  File unavailable (e.g., file not found, no access)
  pkg_add: unable to fetch
  'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-9-stable/Latest/freeradius-mysql-1.1.8_4.tbz'
  by URL
 
  but i can access by ftp
  ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-9-stable/Latest/
  and download freeradius-mysql-1.1.8_4.tbz
 
  what can be a problem?
  thanks
 
 You should really ask freebsd maintainers for that. It's unlikely
 that anyone on this list will be able to help you.
 
 I wouldn't recommend you use FR-1.x though. Following the link from
 http://wiki.freeradius.org/Packages:
 
 http://www.freebsd.org/cgi/ports.cgi?query=freeradius&stype=all&sektion=net
 
 There's a link there for up-to-date 2.1.12.
 
 --
 Fajar


Re[6]: problem with packet management on freebsd

2011-12-06 Thread Толик Шавловский
ok. thanks for helps.


06 December 2011, 13:01 from Fajar A. Nugraha l...@fajar.net:
 On Tue, Dec 6, 2011 at 3:54 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  I used version 2.1.12 and it didn't have mysql driver .
 
 Then build the package yourself. It shouldn't be too hard.
 
 If you had used Ubuntu, I can give you the link for the latest package.
 But since you use freebsd, then you're on your own :)
 
 --
 Fajar
 


Re[2]: freeradius2 installation error

2011-12-06 Thread Толик Шавловский
Dear Alan,

its from the source.

but error is the same as with ports.



06 December 2011, 20:31 from Alan DeKok al...@deployingradius.com:
 tolik_shavlov...@mail.ru wrote:
  cd freeradius2
  freebsd_v8# make
  === Vulnerability check disabled, database not found
 
   Go ask the FreeBSD people why their ports are broken.  We didn't write
 that software, and can't help you fix it.
 
  the same while installing from source((
 
   No.
 
   Alan DeKok.


Re[6]: freeradius2 installation error

2011-12-06 Thread Толик Шавловский
thanks for great explanation.

i could install Fr from ports (the main problem was in ldap, so i installed 
without ldap)

BR


06 December 2011, 20:13 from Fajar A. Nugraha l...@fajar.net:
 On Tue, Dec 6, 2011 at 10:51 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  Dear Fajar,
 
  i failed to integrate FR + mysql, i was informed that my FR is without mysql
  module.
 
 then why didn't you ask that in the first place? It'd save lots of time.
 
 
  i am in process of building from the source.
  so,
  after:
  1. i build mysql-server
 
 Not necessarily. Binary tar/package from
 http://dev.mysql.com/downloads/mysql should also work. Personally, I'd
 avoid having to build mysql from source. It takes a VERY long time.
 Also, you don't really need the server. FR only needs the client part
 (with corresponding headers/libs).
 
 Anyway, whatever method you use (build from ports, compile manually,
 installing binary package, whatever) you need to make sure that mysql
 headers and libraries are available. One way (though not the ONLY way)
 to verify this is by running mysql_config, then look at include
 and libs output, then see if the files are there. For example, on my
 Ubuntu box:
 
 #=
 $ mysql_config
 Usage: /usr/bin/mysql_config [OPTIONS]
 Options:
 --cflags         [-I/usr/include/mysql
 -fno-omit-frame-pointer -g -pipe -Wno-uninitialized   -DUNIV_LINUX]
 --include        [-I/usr/include/mysql]
 --libs           [-Wl,-Bsymbolic-functions -rdynamic
 -L/usr/lib/mysql -lmysqlclient -L/usr/lib/ -lssl -lcrypto]
 --libs_r         [-Wl,-Bsymbolic-functions -rdynamic
 -L/usr/lib/mysql -lmysqlclient_r -L/usr/lib/ -lssl -lcrypto]
 --plugindir      [/usr/lib/mysql/plugin]
 --socket         [/var/run/mysqld/mysqld.sock]
 --port           [0]
 --version        [5.3.2-MariaDB-beta]
 --libmysqld-libs [-Wl,-Bsymbolic-functions -rdynamic
 -L/usr/lib/mysql -lmysqld -ldl -lwrap -lrt -L/usr/lib/ -lssl -lcrypto]
 
 $ ls /usr/include/mysql/
 client_plugin.h  my_alloc.h   my_getopt.h  mysqld_ername.h
  my_valgrind.h  services.h   typelib.h
 decimal.h  my_attribute.h   my_global.h  mysqld_error.h
  my_xml.h   service_thd_alloc.h
 errmsg.h  my_compiler.h  my_list.h  mysql_embed.h
  plugin_auth_common.h   sql_common.h
 keycache.h   my_config.h  my_net.h  mysql.h
  plugin_auth.h  sql_state.h
 ma_dyncol.h  my_dbug.h  my_no_pthread.h  mysql_time.h
  plugin.h   sslopt-case.h
 m_ctype.h  my_decimal_limits.h  my_pthread.h  mysql_version.h
  service_my_snprintf.h  sslopt-longopts.h
 m_string.h   my_dir.h  mysql_com.h  my_sys.h
  service_progress_report.h  sslopt-vars.h
 
 $ ls /usr/lib/*mysqlclient*
 /usr/lib/libmysqlclient.a  /usr/lib/libmysqlclient_r.so
 /usr/lib/libmysqlclient_r.so.16.0.0  /usr/lib/libmysqlclient.so.16
 /usr/lib/libmysqlclient.la  /usr/lib/libmysqlclient_r.so.15
 /usr/lib/libmysqlclient.so   /usr/lib/libmysqlclient.so.16.0.0
 /usr/lib/libmysqlclient_r.a   /usr/lib/libmysqlclient_r.so.15.0.0
 /usr/lib/libmysqlclient.so.15
 /usr/lib/libmysqlclient_r.la  /usr/lib/libmysqlclient_r.so.16
 /usr/lib/libmysqlclient.so.15.0.0
 #=
 
  2. install mysql driver for FR
 
  correct?
 
 Just build freeradius following the simple instruction in the wiki.
 
 IF mysql headers and drivers are there, AND you have a working
 mysql_config somewhere (/usr/bin/, /usr/local/bin, whatever) then
 mysql support should be built in by default.
 
 However, IF the headers/libs are NOT in the default places, you might
 have to specify some parameters to configure:
 
   --with-mysql-include-dir=DIR
       Directory where the mysql includes may be found
   --with-mysql-lib-dir=DIR
       Directory where the mysql libraries may be found
   --with-mysql-dir=DIR
       Base directory where mysql is installed
 
 In any case, make sure you READ the output from ./configure. Hint:
 it's easier to do so if you redirect the output to a file, something
 like
 
 ./configure | tee configure-output.txt
 
 The output should show whether the configure script was able to find
 mysql headers/libs or not.
 
 --
 Fajar
 
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
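
The header/library check described in the message above, as an added shell example that is not part of the original thread. The function names and the optional root-prefix argument are hypothetical; only mysql_config --include / --libs and the two --with-mysql-*-dir configure options come from the thread.

```shell
#!/bin/sh
# Added example: verify that the directories reported by mysql_config really
# contain mysql.h and libmysqlclient before running FreeRADIUS ./configure.

# Print every directory that follows a flag prefix (-I or -L) in a flag string.
dirs_for_flag() {           # $1 = prefix, $2 = raw flag string
    for word in $2; do
        case "$word" in
            "$1"?*) printf '%s\n' "${word#"$1"}" ;;
        esac
    done
}

# Read directories on stdin; print the first one holding a file matching $1.
first_dir_with() {          # $1 = glob, $2 = root prefix (hypothetical, for testing)
    while IFS= read -r dir; do
        for f in "$2$dir"/$1; do
            if [ -e "$f" ]; then
                printf '%s\n' "$dir"
                return 0
            fi
        done
    done
    return 1
}

# Turn the raw output of `mysql_config --include` ($1) and
# `mysql_config --libs` ($2) into the matching configure options.
mysql_configure_flags() {   # $3 = root prefix, normally empty
    inc=$(dirs_for_flag -I "$1" | first_dir_with mysql.h "$3") || {
        echo "mysql.h not found in any -I directory" >&2
        return 1
    }
    lib=$(dirs_for_flag -L "$2" | first_dir_with 'libmysqlclient.*' "$3") || {
        echo "libmysqlclient not found in any -L directory" >&2
        return 1
    }
    printf '%s\n' "--with-mysql-include-dir=$inc --with-mysql-lib-dir=$lib"
}

# Stand-alone use: only runs when mysql_config is on the PATH.
if command -v mysql_config >/dev/null 2>&1; then
    mysql_configure_flags "$(mysql_config --include)" \
        "$(mysql_config --libs)" "" ||
        echo "install the MySQL client headers/libs first" >&2
fi
```

With the Ubuntu output quoted above, the first -L directory (/usr/lib/mysql) holds no client library, so the check falls through to /usr/lib/, which is where the ls listing shows the libraries.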


Re[4]: configuration freeradius for no simultaneous use

2011-12-02 Thread Толик Шавловский
Dear Alan,

I am not well acquainted with freeradius. So, from doc/Simultaneous-use I
understood that freeradius requires a script, which will connect to the NAS and
check the user session. Am I right?


02 December 2011, 12:43 from Fajar A. Nugraha l...@fajar.net:
 On Fri, Dec 2, 2011 at 3:37 PM, tolik_shavlov...@mail.ru
 tolik_shavlov...@mail.ru wrote:
  Dear Alan,
 
  i added  Simultaneous-Use = 1 to user profile in users file.
 
 Did you read the doc? Or the reply I sent earlier?
 
 It requires MORE than just that.
 
 --
 FAN
 
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[7]: configuration freeradius for no simultaneous use

2011-12-02 Thread Толик Шавловский
Hi again,

as i found naslist and naspass are old configuration files, now their 
functionality is used in clients.conf file.

So, i indicated nastype = cisco

will freeradius connect to nas in this case?


02 December 2011, 14:39 from tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru:
 
  
  
Hi,

according to doc:
===
3. IMPLEMENTATION

  The server keeps a list of logged-in users in the /var/log/radutmp file.
  This is also called the session database. When you execute radwho,
  all that radwho really does is list the entries in this file in a pretty
  format. Only when someone tries to login who _already_ has an active
  session according to the radutmp file, the server executes the perl
  script /usr/local/sbin/checkrad (or /usr/sbin/checkrad, it checks for
  the presence of both and in that order). This script queries the terminal
  server to see if the user indeed already has an active session.

  The script uses SNMP for Livingston Portmasters and Ciscos, finger for
  Portslave, Computone and Ascend, and Net::Telnet for USR/3Com TC.

  Since the script has been written in perl, it's easy to adjust for
  any type of terminal server. There are implementations in the script for
  checks using SNMP, finger, and telnet, so it should be easy to add
  your own check routine if your terminal server is not supported yet.

  You can find the script in the file src/checkrad.pl.

  You need to set the correct type in the file /etc/raddb/naslist so that
  checkrad KNOWS how it should interrogate the terminal server. At this
  time you can define the following types:
=

my /usr/local/etc/raddb doesn't have naslist and naspassword files.

If i configure them manually, so freeradius will connect to NAS (we use cisco) 
via snmp and check user session? So, in such way i don't need script?

thanks.


02 December 2011, 13:53 from Fajar A. Nugraha-2 [via FreeRadius] [hidden email]:
 
 
  
 2011/12/2 Толик Шавловский [hidden email]:
 Dear Alan,

I assume you want help from anyone, not just Alan, so I'll add some
comments here.


 I am not well acquainted with freeradius. So, from doc/Simultaneous-use I
 understood that freeradius requires a script, which will connect to the NAS and
 check the user session. Am I right?

That's one way to do that (and possibly the most accurate way). But
not the ONLY way.

You can make it work without the script, if you store accounting data
in sql. See (for example) raddb/sql/mysql/dialup.conf, look for
simul_count_query and simul_verify_query. But again, you need to
store accounting data for it to work.

-- 
Fajar



 02 December 2011, 12:43 from Fajar A. Nugraha [hidden email]:
 On Fri, Dec 2, 2011 at 3:37 PM, [hidden email]
 [hidden email] wrote:
  Dear Alan,
 
  i added  Simultaneous-Use = 1 to user profile in users file.

 Did you read the doc? Or the reply I sent earlier?

 It requires MORE than just that.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html