Re: errors There are no DB handles to use and Discarding conflicting packet from client
http://forums.mysql.com/

Alisson wrote:

ok.. but what I need to do on my DB? Repair? Create another DB? alter some variable?

2009/10/9 Alan DeKok al...@deployingradius.com

Alisson wrote:

Hi, I have a dedicated server with freeradius 2.05 i'm getting 2 errors

Error: Discarding conflicting packet from client net port 25000 - ID: 100 due to recent request 7343.
There are no DB handles to use! skipped 0, tried to connect 0

Your database is broken. Fix it.

I'm searching on the forums and a lot of people has this problem..

They all have broken databases.

I change sql_num_socks = 30
I increase the max_connections=500
I increase everything that what was possible but the problem still happens
I see on the forums in a lot of web sites and nobody has the solution

Really? This question has been asked and answered probably hundreds of times on this list. The answer is always the same: Fix the database. The database is either down, or it is not responding to queries. No amount of forum-shopping or poking at FreeRADIUS will fix the DB.

Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Regards,
Alisson F. Gonçalves
Information Systems - UFGD

--
Marcos Roberto Greiner

The optimists believe we are in the best of worlds
The pessimists are afraid that this is true
James Branch Cabell
Re: Simultaneous-Use per NAS
I've got through the same problem, and based in some help I got here from the list I managed to solve the problem with a simple change to sql.conf, modifying the simul_count_query.

The original entry:

simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

The one I use:

simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0 AND NASIPAddress = '%{NAS-IP-Address}'

Basically, all I am doing is checking if the user is already logged specifically in the current NAS.

Just an extra note: You will probably need to play a little with the hints, proxy and users files to get the behavior you wish. In our case, due to some policies from the university, in some NAS we wanted users to type their domains, in other NAS we wanted them without domain. Took some time to make it work.

Roberto

[EMAIL PROTECTED] wrote:

http://wiki.freeradius.org/Rlm_sql

Ivan Kalik
Kalik Informatika ISP

On 31/8/2007, Svend Eriksen [EMAIL PROTECTED] wrote:

I'm sorry, but I don't understand what you mean. Can you please explain?

reg Svend

[EMAIL PROTECTED] wrote:

Make multiple sql instances - one for each NAS.

Ivan Kalik
Kalik Informatika ISP

On 31/8/2007, Svend Eriksen [EMAIL PROTECTED] wrote:

On 8/30/07, *Svend Eriksen* [EMAIL PROTECTED] wrote:

Hi,

We run freeradius 1.1.6 against postgresql 8.1. With the current configuration the user can only login one time simultaneously. What I want is that a user can login only one time per NAS, but that the user can login on several NASes at the same time. The reason for this is that a user can move between NASes without the need to logout from the NAS he is leaving. The user can only login to NASes that is in a group that he is a member of (this already works today).

Is it also possible to set the Simultaneously-Use as a default value for all users, so we don't have to set it on all the groups?

Here are the lines from the database

SELECT * FROM radcheck
40 | user1 | Cleartext-Password | := | kebab1
41 | user1 | Expiration | := | Dec 31 2050 00:00:00

SELECT * FROM radusergroup
user1 | testusergroup | 0

SELECT * FROM nas
7 | 10.0.0.1 | NAS1 | other | | naspw
8 | 10.0.0.2 | NAS2 | other | | naspw

SELECT * FROM radgroupcheck
15 | testusergroup | NAS-IP-Address | += | 10.0.0.1
16 | testusergroup | NAS-IP-Address | += | 10.0.0.2
17 | testusergroup | Simultaneous-Use | := | 1

reg Svend Eriksen

Hi,

Why don't you just add Simultaneous-Use for each user to radcheck? As I understand you correctly, that would solve the problem, right? I don't know how you actually add the new users, but it can easily be done to give them that attr. as a default one.

Kind Regards,
Yves

This is what I do today. The problem occurs when a user leaves a NAS without logging out, and then tries to connect to another NAS. The second NAS will ask for a new login, but freeradius will answer that the user is already logged in. The solution I am looking for is that a user only can have one simultaneously login per NAS, but that the user can be logged in simultaneously on different NASes.

reg Svend
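The difference between the two simul_count_query variants in the message above, as an added example that is not part of the original thread or of FreeRADIUS. It assumes Python's sqlite3 with a constructed radacct table, bound parameters in place of the %{...} expansions, an integer AcctStopTime where 0 means no Stop record, and a simplified accept rule (count below Simultaneous-Use).

```python
import sqlite3

# Constructed accounting rows: (UserName, NASIPAddress, AcctSessionId, AcctStopTime).
# Assumption: AcctStopTime = 0 marks a session with no Stop record yet.
SAMPLE_RADACCT = [
    ("user1", "10.0.0.1", "sess-001", 0),           # user left NAS1 without logging out
    ("user1", "10.0.0.2", "sess-002", 1188561600),  # earlier session on NAS2, closed
    ("user2", "10.0.0.2", "sess-003", 0),           # unrelated open session
]

# Same predicates as the two simul_count_query variants quoted in the thread.
GLOBAL_COUNT = "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0"
PER_NAS_COUNT = GLOBAL_COUNT + " AND NASIPAddress = ?"


def build_db(rows=SAMPLE_RADACCT):
    """Create an in-memory radacct table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (UserName TEXT, NASIPAddress TEXT, "
        "AcctSessionId TEXT, AcctStopTime INTEGER)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return db


def open_sessions(db, user, nas_ip=None):
    """Count open sessions for user, on every NAS or only on nas_ip."""
    if nas_ip is None:
        return db.execute(GLOBAL_COUNT, (user,)).fetchone()[0]
    return db.execute(PER_NAS_COUNT, (user, nas_ip)).fetchone()[0]


def login_allowed(db, user, nas_ip, simultaneous_use=1, per_nas=False):
    """Simplified session check: accept while the count is below the limit."""
    count = open_sessions(db, user, nas_ip if per_nas else None)
    return count < simultaneous_use


def decisions(db, user, nas_ips, simultaneous_use=1):
    """Return {nas_ip: (global_decision, per_nas_decision)} for a login attempt."""
    return {
        nas: (
            login_allowed(db, user, nas, simultaneous_use, per_nas=False),
            login_allowed(db, user, nas, simultaneous_use, per_nas=True),
        )
        for nas in nas_ips
    }


if __name__ == "__main__":
    db = build_db()
    for nas, (glob, per_nas) in decisions(db, "user1", ["10.0.0.1", "10.0.0.2"]).items():
        print(f"user1 -> {nas}: global query accept={glob}, per-NAS query accept={per_nas}")
```

The stale session on 10.0.0.1 no longer blocks a login through 10.0.0.2 but still blocks a new login on 10.0.0.1, and the effective limit becomes Simultaneous-Use per NAS rather than per user.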
Re: 2.0.0pre1 not starting when reading NAS from mysql
Alan DeKok wrote:

Roberto Greiner wrote:

I'm having a problem with 2.0.0pre1.

Please use the CVS head. I think I'll remove 2.0.0pre1 from the web site.

Alan DeKok.

I just downloaded the CVS and had a minor quirk with it. The daemon refuses to start because it does not find the file /usr/share/freeradius/dictionary.dhcp

I commented the respective line in /usr/share/freeradius/dictionary and the daemon started. With some search, I found that there is no such file in the cvs tree I received.

Note: I compiled/installed using the debian/.deb generation path.

Roberto

PS: Using the CVS version solved another problem I was having, in that the contents of the mysql table 'radgroupreply' weren't being read.

Thank you very much,

Roberto Greiner
2.0.0pre1 not starting when reading NAS from mysql
')
accounting_start_query_alt = UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time:-0}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'
accounting_stop_query = UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time:-0}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'
accounting_stop_query_alt = INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time:-0}')
group_membership_query = SELECT GroupName FROM radusergroup WHERE UserName = '%{SQL-User-Name}' ORDER BY priority
connect_failure_retry_delay = 60
simul_count_query = SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
postauth_query = INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S')
safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=local,secret=foobar
rlm_sql (sql): Adding client 127.0.0.1 (local) to clients list
rlm_sql (sql): generate_sql_clients() returned error
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
radiusd.conf[10]: sql: Module instantiation failed.
radiusd.conf[2018] Failed to find module sql.
radiusd.conf[1928] Failed to parse authorize section.
Errors setting up modules

--
Marcos Roberto Greiner
Re: 2.0.0pre1 not starting when reading NAS from mysql
Yup, that solved it. :-)

thank you very much

Roberto

[EMAIL PROTECTED] wrote:

Hi, I'm having a problem with 2.0.0pre1.

o funny - we just came across this ourselves recently! you cannot have a DUPLICATE entry in the naslist any more since 1.1.x series. your entry in the naslist is the same as one in clients.conf - simply make the entry in clients.conf obsolete - eg change it to 127.0.0.2

alan
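A pre-start check for the duplicate-client condition described in the reply above, as an added example that is not part of the original thread or of FreeRADIUS. The clients.conf fragment, the nas rows and the localhost alias map are constructed, and only exact address or name matches are reported.

```python
import ipaddress
import re

# Constructed clients.conf fragment (secrets omitted; they play no part in the check).
SAMPLE_CLIENTS_CONF = """
# local test client
client 127.0.0.1 {
    shortname = localhost
}
#client 10.0.0.9 {
#    shortname = disabled
#}
client 10.0.0.1 {
    shortname = nas1
}
"""

# Constructed rows from the nas table, reduced to (nasname, shortname).
SAMPLE_NAS_ROWS = [("localhost", "local"), ("10.0.0.2", "nas2")]

# Assumption: a static alias map, so the example runs without DNS lookups.
ALIASES = {"localhost": "127.0.0.1"}

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)


def normalize(name):
    """Map a client or NAS name to a canonical address string where possible."""
    name = ALIASES.get(name.lower(), name)
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name.lower()  # hostname or network: compare case-insensitively


def clients_conf_names(text):
    """Return the names of the active (uncommented) client sections."""
    uncommented = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return CLIENT_RE.findall(uncommented)


def duplicate_clients(conf_text, nas_rows):
    """List (clients.conf name, nasname, shortname) for clients defined in both places."""
    by_addr = {normalize(name): name for name in clients_conf_names(conf_text)}
    dups = []
    for nasname, shortname in nas_rows:
        key = normalize(nasname)
        if key in by_addr:
            dups.append((by_addr[key], nasname, shortname))
    return dups


if __name__ == "__main__":
    for conf_name, nasname, shortname in duplicate_clients(SAMPLE_CLIENTS_CONF, SAMPLE_NAS_ROWS):
        print(f"duplicate client: clients.conf '{conf_name}' vs nas table '{nasname}' ({shortname})")
```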
Re: Nas Type
Peter Nixon wrote:

On Fri 27 Jul 2007, Roberto Greiner wrote:

Hi,

I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using other as the NAS-type will actually check only radutmp instead of looking at the actual NAS.

Now, Could someone point me what would be the proper NAS type to use for each of the devices below (or the proper reference document to use)? I'm using the following NASes in my network:

Monowall
pfSense
(3Com) Total Control
PopTop (in Linux)

What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.

As you have already found the docs you know the answer. The 3Com is obviously type tc. If it's not on the list it's other. However, if you write a patch to support the devices you mention, we would be happy to include it in FreeRADIUS.

Cheers

I've re-checked the available options, and found that there is one nas type for the Total Control, besides 'tc': usrhiper. But there are a few errors in the documentation speaking about it (http://www.freeradius.org/radiusd/doc/Simultaneous-Use).

The first is the name itself. The page says usrhyper, when the correct is usrhiper, with i instead of y.

The second is that it says that for that option, the naspasswd file is not used, which is partially correct. It can use naspasswd, and in that case the login name declared must be SNMP, or it will fail.

For the other two devices (monowall and poptop), I don't know how to proceed yet, since neither of them returns connected user information through SNMP :-(

Thanks,

Roberto
Re: Nas Type
YvesDM wrote:

On 7/30/07, *Roberto Greiner* [EMAIL PROTECTED] wrote:

YvesDM wrote:

Hi Robert,

As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas.

Kind Regards,
Yves

Yes, I've seen that option, and I actually have it enabled. What I don't like with it, is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.

Anyway, thank you very much,

Roberto

Yes indeed, and that way they will never share their credentials again :-)

Anyway if you plan to use simultaneous use on your radius, and have the re-authenticate every minute option in monowall enabled, you will need to allow at least 3 (or 2 don't quite remember) sessions or re-authentication will fail and user gets logged out after 1 minute.

Kind regards,
Yves

Yes, I saw that option, but my monowall server has a peak usage of over 200 simultaneous users. Enabling that would put some strain on freeradius (don't need to say, I know it would take it easily), but mostly on monowall. With 200 users we already had to make some modification to make it stay stable. That strain would probably kill it. :-(

Thanks anyway,

Roberto
Re: Nas Type
YvesDM wrote:

Hi Robert,

As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas.

Kind Regards,
Yves

Yes, I've seen that option, and I actually have it enabled. What I don't like with it, is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.

Anyway, thank you very much,

Roberto
Nas Type
Hi,

I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using other as the NAS-type will actually check only radutmp instead of looking at the actual NAS.

Now, Could someone point me what would be the proper NAS type to use for each of the devices below (or the proper reference document to use)? I'm using the following NASes in my network:

Monowall
pfSense
(3Com) Total Control
PopTop (in Linux)

What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.

Thank you very much,

Roberto Greiner
Wiki error
I know this is probably not the best place to report a problem with the wiki, but I don't have a login in it and there is no page to create one, and the 'bug report' link doesn't get to anywhere.

The problem is in the http://wiki.freeradius.org/WPA_HOWTO page. Instead of having anything useful, it's filled with links about crap, starting with 'buy diazepam' and going on, all with links pointing to pages in http://wc1.worldcrossing.com and http://people.msoe.edu/~millerni/forums.php.

I don't think that this is what is expected to be in the freeradius wiki... :-(

Roberto Greiner
3Com Total Control not logging
Hi,

I just migrated my old GNU-Radius to freeradius 1.1.6 in a Debian Etch box. So far, everything is working, but one odd thing is happening.

I'm authenticating users from three different types of NAS: One Monowall Box, one pptp box (running PopTop), and one dialup box based on 3Com's Total Control. All three are working fine and authenticating properly, but with one catch.

The users from the Total Control box do authenticate properly, but they are not registered in the logs. No entry in the radacct table in MySQL, nothing in radwho nor in radlast. The users are connecting (I've confirmed that), and no error message is generated for the Total Control users, but no log is generated.

Sample entries from the radius.log file:

Wed May 9 14:33:27 2007 : Auth: Login OK: [TCuser] (from client totalcontrol port 3604 cli )
Wed May 9 14:33:27 2007 : Auth: Login OK: [Monowalluser] (from client monowall port 112 cli 00:19:7d:4f:ea:52)

The only difference I've noticed is that the Total Control entries do not have an address (MAC or IP) at the, which both the Monowall and the pptp users get. Could it be related? All NAS are configured exactly the same way, and their config is stored in the nas table in MySQL.

Any ideas of what could be wrong? In GNU-Radius the Total Control box was logging properly.

Thank you in advance,

Marcos Roberto Greiner
radwho and radlast error (was libradius error)
Nicolas Baradakis wrote:

Roberto Greiner wrote:

I've tried another way, setting 'LD_LIBRARY_PATH=/usr/lib/freeradius/', but now I'm getting a new error:

ibatubi:/etc# radwho
Wed Apr 25 09:58:08 2007 : Error: Unable to open file /usr/local/etc/raddb/radiusd.conf: No such file or directory
radwho: Error reading radiusd.conf.

This isn't the path set by dpkg-buildpackage during the build. Please run which radwho to double check you aren't running a binary from an older installation. I guess you have two binaries in /usr/bin/radwho and /usr/local/bin/radwho.

Actually yes. I found that there really was an old radwho. I uninstalled everything and cleaned the system properly before reinstalling again using the new packages. But radwho is still giving me an error:

ibatubi:~# radwho
radwho: Error reading /var/log/freeradius/radutmp: No such file or directory

In that path, there are only the radacct folder, radius.log and radwtmp. In radius.conf I did the following modifications:

Line 296
log_auth = yes

Line 650
unix {
..
# shadow = /etc/shadow
}

Lines 1848 and 1859
Authorize {
.
# eap
sql

Line 1946
Authenticate {
.
# unix

Line 1987
preacct {
# files
}

Line 2021
accounting {
.
sql
...
}

Lines 2039-2043
session {
# radutmp
sql
}

The rest of the radius.conf file was left as installed. The radius server itself is working fine.

Besides the radwho error, radlast is also not working. It doesn't give any error messages, but the connected users do not appear. Did I mess it with any of the config lines above?

ibatubi:/etc# radlast
radwtmp begins Fri May 4 10:22:15 2007

Thank you for your help,

Marcos Roberto Greiner
Re: radwho and radlast error (was libradius error)
Ok, I found the error. Actually, there was no error. Just me is moron. :-p

Thank you very much and good weekend for everybody

Roberto

Roberto Greiner wrote:

Nicolas Baradakis wrote:

Roberto Greiner wrote:

I've tried another way, setting 'LD_LIBRARY_PATH=/usr/lib/freeradius/', but now I'm getting a new error:

ibatubi:/etc# radwho
Wed Apr 25 09:58:08 2007 : Error: Unable to open file /usr/local/etc/raddb/radiusd.conf: No such file or directory
radwho: Error reading radiusd.conf.

This isn't the path set by dpkg-buildpackage during the build. Please run which radwho to double check you aren't running a binary from an older installation. I guess you have two binaries in /usr/bin/radwho and /usr/local/bin/radwho.

Actually yes. I found that there really was an old radwho. I uninstalled everything and cleaned the system properly before reinstalling again using the new packages. But radwho is still giving me an error:

ibatubi:~# radwho
radwho: Error reading /var/log/freeradius/radutmp: No such file or directory

In that path, there are only the radacct folder, radius.log and radwtmp. In radius.conf I did the following modifications:

Line 296
log_auth = yes

Line 650
unix {
..
# shadow = /etc/shadow
}

Lines 1848 and 1859
Authorize {
.
# eap
sql

Line 1946
Authenticate {
.
# unix

Line 1987
preacct {
# files
}

Line 2021
accounting {
.
sql
...
}

Lines 2039-2043
session {
# radutmp
sql
}

The rest of the radius.conf file was left as installed. The radius server itself is working fine.

Besides the radwho error, radlast is also not working. It doesn't give any error messages, but the connected users do not appear. Did I mess it with any of the config lines above?

ibatubi:/etc# radlast
radwtmp begins Fri May 4 10:22:15 2007

Thank you for your help,

Marcos Roberto Greiner
Re: libradius error
Alan DeKok wrote:

Roberto Greiner wrote:

When I give a 'radwho' command, I receive the following error:

radwho: error while loading shared libraries: libradius-1.1.6.so: cannot open shared object file: No such file or directory

Try doing: ldd radwho

ibatubi:~# ldd /usr/bin/radwho
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7f25000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f12000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7eff000)
libradius-1.1.6.so => /usr/lib/freeradius/libradius-1.1.6.so (0xb7ee8000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7db7000)
/lib/ld-linux.so.2 (0xb7f43000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d89000)

ibatubi:~# radwho
radwho: error while loading shared libraries: libradius-1.1.6.so: cannot open shared object file: No such file or directory

ibatubi:~# locate libradius-1.1.6.so
/usr/lib/freeradius/libradius-1.1.6.so

If I understood it correctly, radwho is looking at the correct place. I've tried to uninstall everything again, checking if that library was removed (it was), and then reinstalling. The error remains. Any ideas?

The mentioned libradius file is in /usr/lib/freeradius

Hmm... that's likely the issue. The dynamic linker doesn't know about /usr/lib/freeradius, and radwho isn't smart enough to read the config files set up libdir appropriately.

Hmmm, I suppose that I should then compile it with static libraries, right? What would be the appropriate way to do it? The wiki only has the default way, and I couldn't find info in 'man dpkg-buildpackage' about it.

Thank you very much,

Marcos Roberto Greiner
libradius error
Hi,

I'm having a small problem with radwho/libradius. When I give a 'radwho' command, I receive the following error:

radwho: error while loading shared libraries: libradius-1.1.6.so: cannot open shared object file: No such file or directory

I've installed FreeRadius following the guidelines for Debian from the wiki, including mysql support. FreeRadius itself works fine, as does access to the mysql base.

The mentioned libradius file is in /usr/lib/freeradius, and the radius.conf file has the following entry (it's the pre-installed entry, I didn't change it):

libdir = /usr/lib/freeradius

So freeradius should find the library file. I'm running FreeRadius version 1.1.6, in a fresh Debian Etch install.

Any Ideas?

Thank you very much,

Marcos Roberto Greiner

The -x entry from freeradius is the following (although, as I said, FreeRadius itself works fine).

Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=localhost,shortname=local,secret=foobar
rlm_sql (sql): Adding client 127.0.0.1 (local) to clients list
rlm_sql (sql): Read entry nasname=a.b.c.d,shortname=xxx,secret=s3mf!o/
rlm_sql (sql): Adding client a.b.c.d (xxx) to clients list
rlm_sql (sql): Read entry
Cut = more entries from the nas table in mysql
rlm_sql (sql): Released sql socket id: 4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
glibc double free or corruption still happening
Hi,

I've installed FreeRadius 1.1.6 to my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.

To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, it until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.

Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other Ideas?

Thank you,

Roberto Greiner

PS: The Radius -X output:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 0
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
*** glibc detected *** double free or corruption (fasttop): 0x800fbcc8 ***
Aborted
Re: glibc double free or corruption still happening
Nicolas Baradakis wrote:

Roberto Greiner wrote:

I've installed FreeRadius 1.1.6 to my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.

To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, it until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.

Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other Ideas?

http://wiki.freeradius.org/Build#Building_Debian_packages

That did the trick. Everything is working well. But before putting it into production I will try again the previous building and see if I can get the data Alan requested with valgrind.

Roberto
Re: glibc double free or corruption still happening
Roberto Greiner wrote:

Nicolas Baradakis wrote:

Roberto Greiner wrote:

I've installed FreeRadius 1.1.6 to my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening. To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted. Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?

http://wiki.freeradius.org/Build#Building_Debian_packages

That did the trick. Everything is working well. But before putting it into production I will try the previous build again and see if I can get the data Alan requested with valgrind.

Roberto

Er, it worked now. The build using the instructions from the wiki must have modified some library or something alike. Compiling and installing from source is not giving the double free error anymore :-(

Roberto
Re: 1.1.5 double free or corruption
ChristosH wrote:

I'm getting a similar error, except mine's 0x09fc4f10. Apparently this has to do with the Perl library (and means we'll have to recompile) but I have no idea how to upgrade that. I'm on CentOS 4.4 and have run the auto-updater, am on the CentOS Plus repository and have MySQL installed.

Thor Spruyt wrote:

*** glibc detected *** double free or corruption (fasttop): 0x098a55d8 ***
Aborted

I'm getting the same problem here. I installed the new Debian Etch (released yesterday), and FreeRadius gave me the same message.

As a temporary 'fix', until 1.1.6 (or 2.0) comes out, you can suppress glibc's double check (which is causing that problem) by adding the following to the environment variables:

MALLOC_CHECK_=0

How you do that, of course, changes depending on whether you are using bash, csh, etc.

Note: beware that there is a _ AFTER the CHECK word!

I got the information on this in the following page:

http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/RELEASE-NOTES-en.html

Just search for glibc on that page.

Roberto
Reject user without realm
Hi,

I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]). Basically, if a user uses [EMAIL PROTECTED], I want Radius to authenticate locally. If it's @provider2.com, 3.com, etc, on other servers listed in proxy.conf.

The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed?

Thank you very much,
Roberto

My current setup and radius -X follow. I'm using MySQL as database (both for users and accounting).

hints file. Added only the following entry:

# The following entry is to be authenticated locally
DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
    Hint = PPP, Service-Type = Framed-User, Framed-Protocol = PPP

Users file. Commented the entry referencing to Auth-Type = System. No other changes.

Nothing added to huntgroups.

The radius -X output:

rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
    User-Name = [EMAIL PROTECTED]
    User-Password = user
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
hints: Matched DEFAULT at 36
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
users: Matched entry DEFAULT at line 172
modcall[authorize]: module files returns ok for request 0
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user -- 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns ok for request 0
modcall[authorize]: module pap returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type pap
auth: type PAP
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password user
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated succesfully
modcall[authenticate]: module pap returns ok for request 0
modcall: leaving group PAP (returns ok) for request 0
Login OK: [user] (from client dsu24 port 0)
Sending Access-Accept of id 0 to a.b.c.d port 3793
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type := Framed-User
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-Protocol := PPP
    Session-Timeout := 7200
Finished request 0
Going to the next request
Re: Reject user without realm
Arran Cudbard-Bell wrote:

Marcos Roberto Greiner wrote:

Hi, I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]). Basically, if a user uses [EMAIL PROTECTED], I want Radius to authenticate locally. If it's @provider2.com, 3.com, etc, on other servers listed in proxy.conf. The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed? Thank you very much, Roberto

Ok, so you just want to Reject users who don't provide a realm? Then you would need an entry in the users file like this:

DEFAULT User-Name !~ ^([[:alnum:[EMAIL PROTECTED])@([[:alnum:].]+)$, Auth-Type := Reject

That didn't work. When the user adds the 'local' domain (provider1.com), the hints file strips the domain for the checking against the database. After that, the new entry in the users file will reject the user, because there is no longer any domain in the login.

Roberto
Re: Reject user without realm
Kevin Bonner wrote:

On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:

The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed?

A username with no realm will match the NULL realm. You can reject NULL realms with:

== users ==
DEFAULT Realm == NULL, Auth-Type := Reject
== users ==

hints file. Added only the following entry:

# The following entry is to be authenticated locally
DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
    Hint = PPP, Service-Type = Framed-User, Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the same thing, as long as you don't add the nostrip option for the realm.

The problem here was that I couldn't find the proper entry to add to the users file :-(

rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
    User-Name = [EMAIL PROTECTED]
    User-Password = user
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
hints: Matched DEFAULT at 36
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL

This request matches the NULL realm, which should be impossible based on your configuration and the description of how the NULL realm works. The User-Name has a realm in this request, so it should match the DEFAULT realm if it is defined. Since the hints file matched at line 36 here, I assume you actually configured provider1.com instead of domain1.com in your hints file. Is this assumption correct? If not, what is in your hints file at line 36?

Kevin Bonner

I mistyped domain1 and provider1. The entry at line 36 is provider1. The Hints file I wrote incorrectly in the explanation. It actually contains provider1.

I tried to change the 'Strip-User-Name = Yes' to 'Strip-User-Name = NO' in the Hints file, but got the problem that I didn't know what would be the correct entry in the users file. With the change, with the @provider1 domain, the server is replying properly, but without domain, the server didn't reply at all.

I then tried your suggestion of adding the 'DEFAULT Realm == NULL, Auth-Type := Reject' entry. Same case as above. Without a domain, the server simply didn't answer, not even with a reject.

BUT, looking at the debug output of Radius -X I found the missing piece. In the proxy.conf file, the NULL entry was commented. I removed the comments, pointed it to LOCAL, and the entry you suggested for the users file (DEFAULT Realm == NULL) kicked in. It's now working as desired.

Thank you for your help,
Marcos Roberto Greiner
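Added example, not part of the thread and not FreeRADIUS code: a check over radiusd -X output that lists requests whose User-Name had no realm and that were not answered with Access-Reject, covering both the Access-Accept in the original post and the no-reply case described above. The log text is constructed from the line formats quoted in this thread, the function names are hypothetical, and it assumes -X writes one request's lines at a time.

```python
import re

# Constructed sample in the line formats of the radiusd -X output quoted in
# this thread. The packet id (id=...) differs from the request number.
SAMPLE_DEBUG_LOG = """\
rad_recv: Access-Request packet from host a.b.c.d:3793, id=10, length=58
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
Login OK: [user] (from client dsu24 port 0)
Sending Access-Accept of id 10 to a.b.c.d port 3793
Finished request 0
rad_recv: Access-Request packet from host a.b.c.d:3794, id=11, length=62
rlm_realm: Looking up realm provider1.com for User-Name = user@provider1.com
rlm_realm: Found realm provider1.com
Sending Access-Accept of id 11 to a.b.c.d port 3794
Finished request 1
rad_recv: Access-Request packet from host a.b.c.d:3795, id=12, length=58
rlm_realm: No '@' in User-Name = guest, looking up realm NULL
Delaying request 2 for 1 seconds
Finished request 2
rad_recv: Access-Request packet from host a.b.c.d:3796, id=13, length=58
rlm_realm: No '@' in User-Name = ghost, looking up realm NULL
Sending Access-Reject of id 12 to a.b.c.d:3795
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+),")
NULL_REALM = re.compile(
    r"^rlm_realm: No '@' in User-Name = (.+?), looking up realm NULL$")
# Both reply formats seen in the thread: "to a.b.c.d port N" and "to ip:port".
SENT = re.compile(r"^Sending Access-(Accept|Reject) of id (\d+) to ")


def audit_requests(debug_log):
    """Return one record per Access-Request: packet id, realm-less user, reply.

    Replies are matched by packet id rather than by position, because a
    delayed Access-Reject is logged after "Finished request" and possibly
    after the next request has been received.
    """
    pending = {}      # packet id -> record still waiting for a reply
    current = None    # request whose module output is being logged
    answered = []
    for raw in debug_log.splitlines():
        line = raw.strip()
        match = RECV.match(line)
        if match:
            current = {"id": int(match.group(1)),
                       "realmless_user": None,
                       "reply": None}
            pending[current["id"]] = current   # a reused id replaces the old one
            continue
        match = NULL_REALM.match(line)
        if match and current is not None:
            current["realmless_user"] = match.group(1)
            continue
        match = SENT.match(line)
        if match:
            record = pending.pop(int(match.group(2)), None)
            if record is not None:
                record["reply"] = match.group(1)
                answered.append(record)
    # Whatever is left never got a reply in this capture.
    return answered + list(pending.values())


def realmless_not_rejected(debug_log):
    """(packet id, user, reply) for realm-less logins that were not rejected."""
    return [(r["id"], r["realmless_user"], r["reply"])
            for r in audit_requests(debug_log)
            if r["realmless_user"] is not None and r["reply"] != "Reject"]


if __name__ == "__main__":
    for packet_id, user, reply in realmless_not_rejected(SAMPLE_DEBUG_LOG):
        print("id=%d user=%s reply=%s" % (packet_id, user, reply or "none"))
```
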
Proxy question
Hi,

I'm having a small problem with the proxy.conf file. I added the following entry to proxy.conf:

realm test.com {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    secret = foobar
    strip
}

But when I send a user with the test.com domain, it wasn't stripped. The radiusd -X log below shows the behavior:

modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm test.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm test.com
rlm_realm: Adding Stripped-User-Name = rgreiner
rlm_realm: Proxying request from user rgreiner to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 0
modcall[authorize]: module files returns notfound for request 0
radius_xlat: '[EMAIL PROTECTED]'

I've tried removing the realm LOCAL entry from proxy.conf, without result. The realm DEFAULT with authhost = LOCAL or = localhost didn't solve either. The only way I managed to get this to work was to write

realm test.com { authhost = a.b.c.d . }

With a.b.c.d being the local server's real IP (not the localhost IP). Is that the proper way to do it or am I missing something?

Thank you,
Roberto
Re: Proxy question
Alan DeKok wrote:

Roberto Greiner [EMAIL PROTECTED] wrote:

But when I send a user with the test.com domain, it wasn't stripped. The radiusd -X log below shows the behavior:

Show the *full* log.

rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
    User-Name = [EMAIL PROTECTED]
    User-Password = teste
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module chap returns noop for request 3
modcall[authorize]: module mschap returns noop for request 3
rlm_realm: Looking up realm test.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm test.com
rlm_realm: Adding Stripped-User-Name = rgreiner
rlm_realm: Proxying request from user rgreiner to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 3
modcall[authorize]: module files returns notfound for request 3
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User not found
modcall[authorize]: module sql returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/teste] (from client dsu24 port 0)
Sending Access-Reject of id 4 to 143.107.71.24 port 4126
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 4 with timestamp 4526adb5
Nothing to do. Sleeping until we see a request.
Re: 1.1.3 or 2.0?
Alan DeKok wrote:

Roberto Greiner [EMAIL PROTECTED] wrote:

I have a server running GNU-Radius 1.3, and was preparing to migrate it to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being developed. My doubt is, should I go ahead and install 1.1.3, or wait and go straight for 2.0? The GNU-Radius machine is not giving me troubles for now, and there are no heavy time constraints to make the switch. Should I wait or go now for 1.1.3, updating later to 2.0?

I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so you're free to upgrade then, too.

Alan DeKok.

Ok. Thx

Roberto
Re: 1.1.3 or 2.0?
King, Michael wrote:

-Original Message-

I would say 1.1.3 is fine to use. 2.0 will be out in a few months, so you're free to upgrade then, too.

I think the question he was trying to get across is: is 2.0 going to be significantly different from 1.1.3 from a config standpoint?

Actually it's both: to know if the new version was expected to be ready soon and if the general structure would be too different, but since it's still months before 2.0 is ready, I will go for 1.1.3. :-)

Thank you for the feedback,
Roberto
Re: Proxy question
Alan DeKok wrote:

Roberto Greiner [EMAIL PROTECTED] wrote:

Show the *full* log.

rad_recv: Access-Request packet from host E.F.G.H:4126, id=4, length=62
    User-Name = [EMAIL PROTECTED]

Is this the log from the home server? If so, why? You already said the username wasn't stripped, so showing that the home server receives it non-stripped is pointless. If this is the log from the proxying server, then it's not doing proxying, so of course it isn't stripping the username.

rlm_realm: Adding Stripped-User-Name = rgreiner
rlm_realm: Proxying request from user rgreiner to realm test.com
rlm_realm: Adding Realm = test.com
rlm_realm: Authentication realm is LOCAL.

You've marked that realm as something that shouldn't be proxied. Why do you expect it to be proxied?

Actually I don't want it to be proxied, only that it removes the realm part to handle it locally. But it's comparing the full entry (with realm) against the database name, instead of only the login.

Roberto
1.1.3 or 2.0?
Hi,

I have a server running GNU-Radius 1.3, and was preparing to migrate it to FreeRadius 1.1.3, but on recent messages I noticed that 2.0 is being developed. My doubt is, should I go ahead and install 1.1.3, or wait and go straight for 2.0? The GNU-Radius machine is not giving me troubles for now, and there are no heavy time constraints to make the switch. Should I wait or go now for 1.1.3, updating later to 2.0?

Thank you,
Roberto
Re: Link MAC adress to user after 1st login
Yves ruff wrote:

Jurgen van Vliet wrote:

Hi people,

hi,

At the 1st login of a client, the MAC address is put into the database. At all next logins, if the MAC address of that client does not match the already recorded MAC address the login gets rejected.

Imho, linking user and hardware is not a good idea: what if a user gets a new network card, a new pc?

Actually, that's something I would also like to know how to do best. We have a similar situation here, but instead of MAC addresses we would need to record the NAS-Port-Id sent by the NAS. The NAS is the access controller for ADSL from a large telecom here in São Paulo. Does somebody have a good suggestion on how to record such an info (MAC in Jurgen's case, NAS-Port-Id in my case) at the first access, and verify it in the following times?

Thank you,
Marcos Roberto Greiner
Simultaneous-Use question
I intend to use the Simultaneous-Use attribute to check logins for 3 different NAS. What I want to do is to allow 1 connection for each user in each box, at the same time. So, user1 should be able to connect to NAS1 and NAS2 at the same time, but not to NAS1 twice. For the user list I'm using MySQL with the default schema.

If I understand it correctly (based on the /doc/Acct-Type file), to make this work I would have to create 3 Acct-Type entries in the Accounting section of radius.conf, and create 3 different sql.conf files, one for each Acct-Type, right? Also, does it work properly if I make all 3 sql.conf files point to the same database, using only different tables for accounting? Or did I get something wrong?

Thank you for your help,
Marcos Roberto Greiner
Re: Simultaneous-Use question
After checking the sql.conf file, it really looks like all I need to do is to add the NASIPaddress to the simul_count_query query. Is it just that simple? Damn, and here was I thinking I would have to set three different accounting databases, worry about keeping them in synch, and handle three different sql.conf files. :-P

Thanks, I will try that.

Marcos Roberto Greiner

Chris Knipe wrote:

Why not just optimise the SQL query to check for simultaneous users in sql.conf? It's rather easy to just change the SQL query to suit your needs??

Regards,
Chris.

- Original Message -
From: Roberto Greiner [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, August 25, 2006 4:20 PM
Subject: Simultaneous-Use question

I intend to use the Simultaneous-Use attribute to check logins for 3 different NAS. What I want to do is to allow 1 connection for each user in each box, at the same time. So, user1 should be able to connect to NAS1 and NAS2 at the same time, but not to NAS1 twice. For the user list I'm using MySQL with the default schema.

If I understand it correctly (based on the /doc/Acct-Type file), to make this work I would have to create 3 Acct-Type entries in the Accounting section of radius.conf, and create 3 different sql.conf files, one for each Acct-Type, right? Also, does it work properly if I make all 3 sql.conf files point to the same database, using only different tables for accounting? Or did I get something wrong?

Thank you for your help,
Marcos Roberto Greiner
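Added example, not part of the thread and not FreeRADIUS code: the effect of adding the NAS address to simul_count_query, run against a constructed accounting table. It assumes SQLite in place of MySQL, a radacct reduced to the three columns the query reads, bound parameters in place of the %{...} expansions, AcctStopTime = 0 for an open session, and hypothetical function names and addresses.

```python
import sqlite3

# Open sessions for a user across every NAS: the stock check, which lets a
# session on NAS1 block a login on NAS2.
COUNT_ALL_NAS = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE UserName = ? AND AcctStopTime = 0"
)
# Same check restricted to the NAS the request came from.
COUNT_THIS_NAS = COUNT_ALL_NAS + " AND NASIPAddress = ?"

# Constructed sample sessions: (UserName, NASIPAddress, AcctStopTime).
SAMPLE_SESSIONS = [
    ("user1", "192.0.2.1", 0),           # user1 is online on NAS1
    ("user1", "192.0.2.2", 1156512000),  # older session on NAS2, already closed
    ("user2", "192.0.2.2", 0),           # user2 is online on NAS2
]


def open_accounting_db(sessions=SAMPLE_SESSIONS):
    """Build an in-memory stand-in for the accounting table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct ("
        " UserName TEXT NOT NULL,"
        " NASIPAddress TEXT NOT NULL,"
        " AcctStopTime INTEGER NOT NULL DEFAULT 0)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", sessions)
    return db


def open_sessions(db, user, nas_ip=None):
    """Count open sessions, on one NAS if nas_ip is given, else on all."""
    if nas_ip is None:
        row = db.execute(COUNT_ALL_NAS, (user,)).fetchone()
    else:
        row = db.execute(COUNT_THIS_NAS, (user, nas_ip)).fetchone()
    return row[0]


def may_login(db, user, nas_ip, simultaneous_use=1, per_nas=True):
    """Apply the Simultaneous-Use limit with either counting query."""
    count = open_sessions(db, user, nas_ip if per_nas else None)
    return count < simultaneous_use


def start_session(db, user, nas_ip):
    """Accounting Start: record an open session."""
    db.execute("INSERT INTO radacct VALUES (?, ?, 0)", (user, nas_ip))


def stop_session(db, user, nas_ip, stop_time):
    """Accounting Stop: close the user's open session on that NAS."""
    db.execute(
        "UPDATE radacct SET AcctStopTime = ? "
        "WHERE UserName = ? AND NASIPAddress = ? AND AcctStopTime = 0",
        (stop_time, user, nas_ip),
    )


if __name__ == "__main__":
    db = open_accounting_db()
    for nas in ("192.0.2.1", "192.0.2.2"):
        print(nas,
              "all-NAS check:", may_login(db, "user1", nas, per_nas=False),
              "per-NAS check:", may_login(db, "user1", nas))
```
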
SSH authentication
Hi,

I need a few tips on radius authenticated ssh. I need some basic info like how to configure linux to authenticate (and account) ssh users with radius, but I couldn't find a guide about it. I have some experience both with Linux and freeradius, but not in using them like I explained. Could somebody point me to some FAQ or guide on how to get this working?

Thanks,
Marcos Roberto Greiner
Re: Windows - VPN - Radius
If the request contained MSCHAP, yes, the mschap module should return ok. Since the request doesn't contain MSCHAP, the mschap module returns noop. Make the client send MSCHAP, or CHAP-Password, or User-Password. No amount of playing with radiusd.conf will fix the client.

Now THAT would be a nice trick. How do you convince Windows to do what you want (or expect) it to do??? :-P Well, I tried to change the (few) options the windows VPN client gives for authentication/security, and none made windows send me the CHAP-Password in the request. Anyway, I will try to google some other options.

Well, I think I finally found what's happening. Windows IS sending the proper password. The problem is with radiusclient, the program that my VPN server (poptop) uses to interface with radius. It does not have a dictionary.microsoft file by default, and due to this it's discarding some of the pairs Windows is sending. Do I need to say that the pairs discarded are the ones with the password???

I'm trying to solve this problem, but the dictionary.microsoft files I've tried didn't work. The one that comes with freeradius isn't understood by radiusclient, and the one I found in the radiusclient site didn't work properly (did overwrite non-Vendor pairs).

Does somebody know where I can get properly working dictionary files for this case? (I know this is not a freeradius question, but I need it to make the client work properly. Sorry)

Thank you very much,
Marcos Roberto Greiner
Re: Windows - VPN - Radius
On 6/27/05, Alan DeKok [EMAIL PROTECTED] wrote:

Roberto Greiner [EMAIL PROTECTED] wrote:

Problem: Windows sends the user info as a Chap challenge, and as a result the Freeradius server reports that the user request came with no password. Did somebody face a similar problem? Can someone help me/point in the right direction?

The problem isn't that the request doesn't contain a password. The problem is that the user is rejected. Run the server in debug mode to see why.

Alan DeKok.

Ok. I ran the server in debug mode, but it still says that the request is coming without Password. Specifically, the message says:

auth: No User-Password or CHAP-Password attribute in the request.

The full log:

rad_recv: Access-Request packet from host 127.0.0.1:32799, id=180, length=66
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = teste
    Calling-Station-Id = aa.bb.cc.dd
    NAS-IP-Address = ee.ff.gg.hh
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = teste, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 3
radius_xlat: 'teste'
rlm_sql (sql): sql_set_user escaped user -- 'teste'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'teste' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'teste' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'teste' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'teste' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module sql returns ok for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [teste/no User-Password attribute] (from client localhost port 0 cli aa.bb.cc.dd)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 180 to 127.0.0.1:32799
Waking up in 7 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 180 with timestamp 42c2a106
Nothing to do. Sleeping until we see a request.

In radius.conf, the mschap part is as follows:

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    #require_encryption = yes
    require_strong = yes
    #with_ntdomain_hack = no
    #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}

In the mysql radcheck table, I tried both 'Password' and 'CHAP-Password' as attributes, with no difference at all in the result.

In the windows box, for authentication, I left enabled in the security menu, the options 'CHAP Protocol', 'Microsoft CHAP' and 'Microsoft CHAP version 2 (MS-CHAP v2)'.

One possibility I see is that there may be some wrong configuration in my radius.conf, since the log is saying modcall[authorize]: module mschap returns noop for request 3. Shouldn't it say returns ok or something like that?

Thank you,
Marcos Roberto
Windows - VPN - Radius
Hi,

I'm having the following problem: I'm trying to establish a VPN server, where most of the clients are Windows XP/2K machines. As VPN server I'm using a Debian Sarge box running PopTop 1.2.1, which sends the authentication MS-CHAPv2 requests to my other Debian Sarge box running Freeradius 1.0.4, using my-sql v. 12.22 as database for users/accounting.

Problem: Windows sends the user info as a Chap challenge, and as a result the Freeradius server reports that the user request came with no password. Did somebody face a similar problem? Can someone help me/point in the right direction?

Thank you,
Marcos Roberto

Radius.log entries:

Mon Jun 27 10:15:16 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Jun 27 10:15:16 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Mon Jun 27 10:15:16 2005 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Mon Jun 27 10:15:16 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Mon Jun 27 10:15:16 2005 : Info: Ready to process requests.
Mon Jun 27 10:15:40 2005 : Auth: Login incorrect: [testuser/no User-Password attribute] (from client localhost port 0 cli aaa.bbb.ccc.ddd)

(IP address edited)