Arran Cudbard-Bell wrote:
Techs will also want to test switches in new installs, and they won't
like waiting a day for configuration changes to take effect like
users won't like the service
going down every hour, although we could stagger the server restarts
In reality I expect
peppeska wrote:
rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
^^
-Where is User-Password attribute?
Ask the NAS.
what?
In this case I have a suspicion the NAS could be radclient...
How are you sending
[EMAIL PROTECTED] wrote:
I notice that Freeradius tries 6 times to find a user in my LDAP
directory when this user doesn't exist.
err, really? During authorisation (where a search is performed by a privileged
user) or during authentication (where an attempt may be made to bind to LDAP as
Cory Robson wrote:
I have an mysql backend from my accounting program that contains all my user
details.
I need a php script that I can run from cron that will
Import all new users into freeradius that aren't already in its mysql db
If the user is already in the freeradius db then see if any
Erling Paulsen wrote:
Hi.
Is it possible to make FreeRADIUS rewrite/force an Access Denied reply
into an Access Accept reply? Why on earth would I want this? Well, I
would like to i.e. give a guest-net Vlan back to users that actually
fail authentication, so that when they try to access the
Hi Chris,
Christopher Carver wrote:
Thanks for the reply, Kevin. You got me on the right track, but I still don't
quite have it right. It seems as though the users file can only manipulate
Kevin's solution uses the hints file, not the users file. You'll need to
enable the preprocess
Christopher Carver wrote:
Hello,
How do I rewrite the value of the User-Name attribute based on
Called-Station-Id? I need to do a series of these logical decisions and
replace the username with username@some-isp.com based on what the value of
Called-Station-Id is.
hmm that is a tricky one!
Phil Mayers wrote:
Mitaine Yoann wrote:
When I proxied the request from to server A to the server B, there
wasn't
Client-IP-Address in the packet.
Client-IP-Address is added by the preprocess module. Have you removed
this from authorize? If so, don't do that.
Client-IP-Address is an
Mitaine Yoann wrote:
In my previous email, I forgot to say that when I received a proxied
packet, I tried to match a rule on the radius server B like :
DEFAULT Huntgroup-Name == foo, Autz-Type := Ldap
where foo is defined in huntgroups file as :
foo Client-IP-Address == x.x.x.x
in the
fvt3 wrote:
How do you prevent a user from authenticating after
three unsuccessful attempts in freeradius. I am
In short, you can't. There is very little (nothing?) you can do to prevent
someone from attempting to authenticate. Is this behaviour causing you
particular problems though? Load
Jeff Green wrote:
Can anyone else get to http://www.freeradius.org ?
I'm getting redirected to a domain name registration of some ISP.
Seems like the domain names registration has expired ???
Same here.
; DiG 9.3.1 @ns.kloth.net freeradius.org ANY
; (1 server found)
;; global
Do you need to use rlm_counter? If not, you can simply delete the rlm_counter
directory and run configure again then make, or delete rlm_counter from the
MODULES item in Make.inc, and run make again.
The problem is that the compiler can't find gdbm.h. It may not be installed on
your system,
There used to be a DEFAULT stanza in the users configuration file that
set Auth-Type := System which tells the RADIUS server to use /etc/passwd
for authentication. This has caused a few issues like this in the past,
though I thought it had been resolved for 1.0.5.
If it still exists you may have
The first Huntgroup that matches will be used, so in this case vpn will
always match for requests with NAS-IP-Address == localhost.
Jonathan De Graeve wrote:
Hello, I have a weird huntgroup issue.
I have users in a group 'artsen' with HuntgroupName = == ^(vpn|ras)$
I have users in group
Hi,
I have a small patch for the proxy code, in particular for listen.c in CVS HEAD.
When the proxy reply comes back, only the cl-ipaddr is checked against the reply
source address, however it is possible to configure cl-acct_ipaddr differently to
cl-ipaddr (ie different auth and acct home
Yes 192.168.1.1 is the NAS. I thought that's what radclient did - told
the RADIUS server to send a disconnect to the NAS that the client(user)
is connected to. I've tried sending the disconnect to the
NAS(Portmaster). Any particular port?
Not sure about Portmaster, but the general
Or you can just go:
myhuntgroup NAS-IP-Address == A.B.C.*
works just fine :)
Mike
Oliver Graf wrote:
On Mon, Jul 25, 2005 at 01:36:19PM +0200, Erling Paulsen wrote:
I'm using huntgroups to group our NAS-boxes, and I'm wondering if it is
possible to designate whole networks ala.
I've had problems in the past with freeRADIUS and configure on Solaris
9. It didn't seem to always pass what it found in configure in to the
Makefiles, however it was limited to a couple of specific instances, I'm
I'm pretty sure these were patched prior to 1.0.3.
However, I just built 1.0.4
Nope. It reads any number of requests from any number of files,
caches them, and then starts sending data to the server.
Ahh well that's perfect then!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
We have 1500 customers connected to our PPPoE servers, to authenticate we
have 2 freeradius servers connected to a mssql server.
How many authentications per second are you expecting?
With decent hardware you should be able to authenticate all 1500 within
a couple of seconds. I've tested
Nicolas Baradakis wrote:
[EMAIL PROTECTED] wrote:
I will try some more tweaking, but I would like to have a test tool first.
So I could see the differences.
Install a CVS snapshot of FreeRADIUS on the machine which runs the
client. New options -p and -n have been added to radclient to
Alan DeKok wrote:
Mitchell, Michael J [EMAIL PROTECTED] wrote:
I've already done some work to get this working, it's pretty much
finished, but I'll try to finish it off in the next couple of weeks...
But in the meantime I can provide some patches?
Sure, please put them on bugs.freeradius.org
alan walters wrote:
Sounds great mike.
I understand from what you are saying that this is just not working the way I thought it would. I look forward to seeing your patches.
OK, how did you think it might work? Always willing to do things a
better way...
cheers,
Mike
Zawacki Jason D Contr AFRL/IFOS wrote:
Hello all.
I'm trying to get ldap instances working on a per client basis. For
example, any authentication requests coming from host example1 should be
authenticated using the ldap example1 instance, and example2 should be
auth'd using the ldap
Firstly, run freeradius in debug mode (radiusd -X) and it will tell you
exactly what it is doing. You should be able to see which attribute it
has retrieved from the directory to add to the reply.
A few things to look at would be:
1) Do you have ldap configured in the authorize section of
Please help ...
As per the FAQ, README, various other documents, and many responses to
questions on this list, please run the server in debug mode (radiusd -X)
to see what it is doing, and why it is not doing what you expect. If you
still can't work it out, post the output back to the list and
Benoît Bianchi wrote:
As you suggest I have already searched on the Web for an answer to my trouble,
anyway there wasn't...
I never told you to go away and search for the answer yourself... I told
you that if you run the server in DEBUG mode you'll see what it is
doing, and hopefully where the
guest01 wrote:
Hi
I have a problem with Radius-LDAP Authentication for PPTP, the log says:
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=61, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = testuser
NAS-IP-Address = 69.25.27.170
Thinking of something..
If the NAS list is checked from time to time. The restart might not be
required...
Am I dreaming somehow?
No, you're not dreaming, but currently the NAS list is only read at startup (or
HUP)...
Nope, that's it. There is no other way. The server should only be down
for a couple of seconds...
Luca Lafranchi wrote:
Mmmhh... with a HUP signal the radius server reloads the config data, but the
server may drop a few authentication requests at that time...
Other solutions ?
Beast wrote:
Hi all,
I have a few questions regarding freeradius:
1. What is the correct way to obtain user's connection time,
by using value of Acct-Session-Time or using STOP:Timestamp -
START:Timestamp?
Why is the Acct-Session-Time value always higher than stop-start?
The Timestamps are times that
Pradeep Nevatia wrote:
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate for request 1
rlm_unix: [pradeep]: invalid password
modcall[authenticate]: module unix returns reject for request 1
modcall: group authenticate returns reject for
Hi Paulo,
Freeradius doesn't support it ...
However, I've got a version of freeRADIUS that I patched/hacked to do
it. If you, or anyone are interested, I can provide some patches,
unsupported basis that are specific to my requirements...
However don't expect this to be something that is ever
Hi J.Ho,
Take a look in config.log. If you're familiar with compilers, etc, it
will tell you what the compiler was attempting to do when it failed that
step (essentially it should be looping through a list of directories -
including the one you specified - passing each one as a -L argument to
...
I'm all for trying to make life easier for future upgrades!
Oh, and I'm sure Alan wouldn't say no to patches if you already have
some fixes... ;-)
regards,
Mike
[EMAIL PROTECTED] wrote:
Michael Mitchell schrieb:
I've found a few issues with the configure scripts in the
past where
things weren't
The answer is right there in front of you... radtest is sending the
request to 127.0.0.1:1812
In your radtest line replace the space between the 127.0.0.1 and 3030
with a ':'.
regards,
Mike
Abdul Lateef wrote:
radtest root 123456 127.0.0.1 3030 testing123
Re-sending Access-Request of id 174 to
I'm not sure that Steven ever mentioned that his user database is ldap
(perhaps Steven could clarify this for us?)??
But for what it is worth we use a very similar scheme as described by
Dustin below. For us however, our billing system is the authoritative
database, and LDAP is only used for
I couldn't find a bug report on this, so please point me in the right
direction if this has been raised before. freeradius 1.0.1. Haven't
fully checked 1.0.2 yet, but it doesn't appear in the changelog.
There appears to be a bug in xlat.c (radius_xlat/decode_attribute)
where recursion doesn't
Thanks for the reply Kostas!
Kostas Kalevras wrote:
On Mon, 21 Feb 2005, Mitchell, Michael J wrote:
Latest cvs versions of rlm_preprocess do huntgroup processing.
Great! I'll take a look at the latest rlm_preprocess!
I am not sure you need to run rlm_ldap again in pre-accounting. You
could
Mani,
Assuming you have a Makefile for your module (easiest to copy and modify
an existing one if you don't), then it's just a matter of adding your
module to the Make.inc in the top level. Search for rlm_ and it will
become immediately obvious what you have to do...
If you want to have
dbx is your friend...
But check to see that the ldap module actually built... unless you've
got things installed in the default places, it can take a little work to
get the ldap module to compile on Solaris...
José Berenguer wrote:
Hello!
We are trying to authenticate the last version of
Do you need x99 support? If not, you can disable that by removing it
from the Make.inc.
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
-Wall -D_GNU_SOURCE -DNDEBUG -I../../include
-DX99_MODULE_NAME=\rlm_x99_token\
-DFREERADIUS -c x99_rlm.c -o x99_rlm.o
In file
Thor Spruyt wrote:
PAP can work with unencrypted passwords in the backend.
CHAP cannot.
I think you mean the other way around ;-)
CHAP *requires* clear text passwords in the backend. PAP can work with
either encrypted or clear text passwords in the backend.
Don't want to confuse people ;-)
Hi Joel,
Yep, the default users file sets Auth-Type := System by default. The order, and
behaviour of the modules in your 'authorize' section of radiusd.conf which
Auth-Type is eventually used. I believe that each module will set the Auth-Type
appropriate, *IF* the Auth-Type hasn't already
The easiest (and designed??) way would be to use the ldap configuration
item:
access_attr = dialupAccess
and optionally
# access_attr_used_for_allow = yes
Read the rlm_ldap file in the doc directory of the source for instructions.
regards,
Mike
Chan Min Wai wrote:
Greeting,
I've been
Take a look at the safe-characters configuration item in sql.conf and
the sql modules.
The '=' in h323-ivr-out=ACCESSCODE:00800112233 is being encoded by
rlm_sql before the record is inserted into the database...
I don't use Postgres, so including '=' in the safe-characters, however,
may have
Do you mean using the same username at the same time, or ever?
A couple of things come to mind:
1. Enable Simultaneous-Use checking to allow only one session per user
at any one time.
2. Use the Calling-Station-Id attribute in your authorization - ie, the
user must call from this phone number
I can't think of anything in those files that would be OS dependent.
Main thing to make sure of is that the installation directory is the
same on both boxes, otherwise the file references in radiusd.conf will
all be pointing to the wrong spot.
Janakan Rajendran wrote:
Hello everyone,
I have
You need to add it to the stable file in src/modules
unless there is another way to do it at configure time???
Mike
Geissbühler Johannes wrote:
Hello
I created a new module with the name rlm_myName
I placed it in the directory src/modules/
I wrote my own Makefile inside the directory
but running
Yes, it is possible. I suggest you read all the documentation in the doc
directory, as well as have a look at the example configuration files in
the raddb directory of the source tarball.
Here's a hint: you need to define your radius client machine in the
clients.conf file.
If you're still
Also on the roadmap (soon) for ldap...
Stefan Winter wrote:
Hello!
I use freeradius to manage administrative sessions on a large number of
routers and switches. For redundancy, I have two boxes. I'd like to
use some sort of a database or directory to configure all of the clients
devices rather
Won't help much, but today I had an issue with a seg fault. Commented
out a bit of code where the error was supposedly happening, seg fault
went away... put the code back in...seg fault didn't return???
Did a make clean; make and everything seemed to be fine again. I guess
in the end I just
There is currently support to read the clients from the sql module.
In addition, I've been working on the same for LDAP... just waiting on
some feedback from Kostas regarding the draft patch I submitted a week
or so ago to the freeradius-devel list... so it should be coming...
regards,
Mike
Your client is sending accounting packets to the port on which
freeRADIUS is listening for proxy responses. Configure the client to
send accounting packets to the correct port (probably 1646), and you
should be good...
Emman S. Loloy wrote:
Hi guys,
anyone knows how to solve this problem?
Sat