Re: configuration parameters for perl module in rlm_perl

2013-09-14 Thread Alan DeKok
Cornelius Kölbel wrote:
 I would like to avoid having the perl module read an additional
 configuration file.

  Then edit the source code to rlm_perl, and add those features.

 Is there a possibility to add such parameters somewhere in the freeradius
 config like in
 /etc/freeradius/modules/perl and then have the perl module access these
 parameters?

  No.

  Why is it a problem to read a configuration file?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: configuration parameters for perl module in rlm_perl

2013-09-14 Thread Cornelius Kölbel

On 14.09.2013 14:50, Alan DeKok wrote:
 Cornelius Kölbel wrote:
 I would like to avoid having the perl module read an additional
 configuration file.
   Then edit the source code to rlm_perl, and add those features.

 Is there a possibility to add such parameters somewhere in the freeradius
 config like in
 /etc/freeradius/modules/perl and then have the perl module access these
 parameters?
   No.
Thanks for the clarification!

   Why is it a problem to read a configuration file?
Just to avoid too many config files...
But now I will do so.

Thanks a lot
Cornelius

   Alan DeKok.

Re: Configuration check

2012-11-27 Thread James Devine
* globally writable I mean


On Tue, Nov 27, 2012 at 8:55 AM, James Devine fxmul...@gmail.com wrote:

 I ran into an issue where proxy.conf was globally readable for some
 reason, freeradius wouldn't start because of this and this wasn't picked up
 by radiusd -C.  Can this check be added?

Re: Configuration check

2012-11-27 Thread Alan DeKok
James Devine wrote:
 I ran into an issue where proxy.conf was globally readable for some
 reason,

  proxy.conf should NEVER be globally readable.

 freeradius wouldn't start because of this and this wasn't picked
 up by radiusd -C.  Can this check be added?

  File permissions are enforced by the operating system, not by FreeRADIUS.

  If radiusd runs as user radiusd, but you do the check as root,
there isn't much that the server can do.

  You need to do the check as the user running radius.  e.g.:

su radiusd radiusd -C

  instead of

radiusd -C

  Alan DeKok.


Re: Configuration check

2012-11-27 Thread Alan DeKok
James Devine wrote:
 * globally writable I mean

  It already checks that.

$ chmod a+w raddb/proxy.con
$ radiusd -XC
...
Configuration file ./raddb//proxy.conf is globally writable.  Refusing
to start due to insecure configuration.
Errors reading or parsing ./raddb//debug.conf

  If you don't see this, it's because you're running a very old version
without that check, or raddb/proxy.conf isn't actually globally writable.

  Alan DeKok.
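The two answers above make one point from two sides: the server refuses to start on a globally writable configuration file, and a file that is unreadable by the service user only shows up if the check runs as that user, not as root. The following audit script is an added example for this thread, not FreeRADIUS code and not taken from the list posts. It walks a raddb directory, reports world-writable files (the condition radiusd -XC refuses to start on) and world-readable files that carry shared secrets, and approximates "can the radiusd user read this?" for a given uid/gid. The list of secret-bearing file names, the sample directory it builds and the uid/gid values are assumptions made for the example.

```python
"""Audit file permissions in a FreeRADIUS configuration directory.

Added example, not FreeRADIUS code.  It mirrors two checks discussed on
the list: the server's own refusal to start on a globally writable
config file, and the advice that secret-bearing files such as
proxy.conf (shared secrets for home servers) must not be world-readable.
"""
import os
import stat
import tempfile

# Files that carry shared secrets; world-readable is a finding for these.
# This set is an assumption for the example, not a FreeRADIUS-defined list.
SECRET_FILES = {"proxy.conf", "clients.conf", "sql.conf", "eap.conf"}


def audit_file(path):
    """Return a list of findings for one file; an empty list means clean."""
    findings = []
    mode = os.stat(path).st_mode
    name = os.path.basename(path)
    if mode & stat.S_IWOTH:
        # Same condition radiusd -XC reports as "globally writable":
        # any local account could rewrite server policy.
        findings.append("globally writable")
    if name in SECRET_FILES and mode & stat.S_IROTH:
        findings.append("globally readable secret file")
    return findings


def audit_raddb(raddb_dir):
    """Walk a raddb tree; return {relative_path: [findings]} for every
    regular file that has at least one finding."""
    report = {}
    for root, _dirs, files in os.walk(raddb_dir):
        for fname in files:
            full = os.path.join(root, fname)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            found = audit_file(full)
            if found:
                report[os.path.relpath(full, raddb_dir)] = found
    return report


def readable_by_service_user(path, uid, gid):
    """Approximate running the config check as the service user rather
    than root: could a process with this uid and primary gid (and no
    supplementary groups) read the file?  Root is deliberately not
    special-cased, because that is the blind spot of checking as root."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def build_sample_raddb():
    """Construct a throwaway raddb directory with deliberately mixed
    permissions so the audit has something to report (sample data)."""
    d = tempfile.mkdtemp(prefix="raddb-audit-")
    samples = {
        "radiusd.conf": 0o666,   # world-writable: radiusd would refuse to start
        "proxy.conf": 0o644,     # world-readable secrets: the poster's situation
        "clients.conf": 0o640,   # owner/group only: acceptable
        "users": 0o644,          # no secrets by default: acceptable
    }
    for name, mode in samples.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    sample = build_sample_raddb()
    for rel, issues in sorted(audit_raddb(sample).items()):
        print("%s: %s" % (rel, ", ".join(issues)))
```

Run it against a real raddb path instead of the sample directory to get the same report for a live install; the uid/gid passed to readable_by_service_user should be those of the account in the server's "user"/"group" settings.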


Re: Configuration check

2012-11-27 Thread James Devine
radiusd -XC seems to produce what I was looking for, thanks.


On Tue, Nov 27, 2012 at 9:10 AM, Alan DeKok al...@deployingradius.com wrote:

 James Devine wrote:
  * globally writable I mean

   It already checks that.

 $ chmod a+w raddb/proxy.con
 $ radiusd -XC
 ...
 Configuration file ./raddb//proxy.conf is globally writable.  Refusing
 to start due to insecure configuration.
 Errors reading or parsing ./raddb//debug.conf

   If you don't see this, it's because you're running a very old version
 without that check, or raddb/proxy.conf isn't actually globally writable.

   Alan DeKok.

Re: configuration overview

2012-04-04 Thread Alan DeKok
Alan Batie wrote:
 I've been using freeradius for quite a while now, but never really
 grokked the config file.  There is lots of documentation that gives you
 a narrow peep hole into the specific section it's concerned with and how
 to do common basic things, but there's nothing I've found that really
 talks about the structure of it and how everything interacts, which
 makes it hard to even know where to start to do something new, much less
 anything even slightly out of the ordinary.  I don't suppose there's
 something out there that I've missed by chance?

  doc/aaa.rst

  Alan DeKok.


Re: configuration freeradius for no simultaneous use

2011-12-02 Thread Alan DeKok
Толик Шавловский wrote:
 So, i indicated nastype = cisco
 
 will freeradius connect to nas in this case?

  Only if the server receives accounting packets, AND a user session is
still open, AND that user tries to log in a second time from a different
location.

  Alan DeKok.


Re: configuration freeradius for no simultaneous use

2011-12-01 Thread Fajar A. Nugraha
On Fri, Dec 2, 2011 at 2:31 PM, tolik_shavlov...@mail.ru
tolik_shavlov...@mail.ru wrote:
 Hi,

 i need your help in configuration freeradius for no simultaneous use.

simultaneous use limit is somewhat ... awkward.

 So, i need one active user per login/password.

 I configured user as follow:

 te...@wimax.com Cleartext-Password := test
        Framed-Filter-Id = SP=data:MSF=data;,
       Simultaneous-Use = 1,

 but my WIMAX CPEs (also WiFi users) continue connecting with the same
 login/password.

 what can be the issue?

For starters:
- do you have accounting active? some setups (e.g. some types of
wireless AP with radius/802.1x auth) can't send accounting.
simultaneous use check can't work in that setup
- do you have some kind of simultaneous check active, either with
sql/radutmp/whatever? See raddb/sites-available/default, look for
session section.

-- 
Fajar



Re: configuration freeradius for no simultaneous use

2011-12-01 Thread Alan DeKok
tolik_shavlov...@mail.ru wrote:
 i need your help in configuration freeradius for no simultaneous use. 

  doc/Simultaneous-Use  See also the Wiki.

  Have you read that documentation and followed the instructions there?

  Alan DeKok.
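The replies in this thread describe one mechanism from two angles: Fajar's point that a Simultaneous-Use check has nothing to consult unless the NAS sends accounting, and Alan's point that the server only contacts the NAS when a session is still recorded as open and the same user logs in again from a different location. The model below is an added example for these posts, not FreeRADIUS code and not the list authors' code. An in-memory session table stands in for the radutmp/SQL store that accounting Start/Stop packets populate, and a callback stands in for the NAS query. The sample user name, NAS addresses and session ids are constructed; treating a login from the same NAS and port as a re-login rather than a second session is my own modelling of the behaviour described, not a claim about FreeRADIUS internals.

```python
"""Model of how a Simultaneous-Use check depends on accounting.

Added example, not FreeRADIUS code.  SessionStore plays the role of the
radutmp/SQL session table; Authenticator applies the per-user limit;
nas_check plays the role of the query to the NAS (checkrad) that is made
only when a session looks open and the new login comes from elsewhere.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    nas_ip: str
    nas_port: str
    session_id: str


class SessionStore:
    """Session table fed purely by accounting packets."""

    def __init__(self):
        self.open = {}  # Acct-Session-Id -> Session

    def account(self, pkt):
        status = pkt["Acct-Status-Type"]
        sid = pkt["Acct-Session-Id"]
        if status == "Start":
            self.open[sid] = Session(pkt["User-Name"], pkt["NAS-IP-Address"],
                                     pkt["NAS-Port"], sid)
        elif status == "Stop":
            self.open.pop(sid, None)

    def sessions_for(self, user):
        return [s for s in self.open.values() if s.user == user]


class Authenticator:
    def __init__(self, users, store, nas_check=None):
        self.users = users          # user -> check items, e.g. {"Simultaneous-Use": 1}
        self.store = store
        self.nas_check = nas_check  # Session -> bool; None means "trust the table"
        self.nas_queries = 0        # how often the NAS was asked

    def access_request(self, pkt):
        user = pkt["User-Name"]
        limit = self.users.get(user, {}).get("Simultaneous-Use")
        if limit is None:
            return "Access-Accept"
        live = 0
        for s in self.store.sessions_for(user):
            # Same NAS and port: a re-login over a stale entry, not a second session.
            if s.nas_ip == pkt["NAS-IP-Address"] and s.nas_port == pkt["NAS-Port"]:
                continue
            # Different location and the table says open: ask the NAS, if we can.
            if self.nas_check is not None:
                self.nas_queries += 1
                if not self.nas_check(s):
                    continue  # NAS says the session is gone; ignore the stale entry
            live += 1
        return "Access-Reject" if live >= limit else "Access-Accept"


def access(user, nas_ip, nas_port):
    """Constructed Access-Request with just the attributes the check uses."""
    return {"User-Name": user, "NAS-IP-Address": nas_ip, "NAS-Port": nas_port}


def acct(user, nas_ip, nas_port, sid, status):
    """Constructed Accounting-Request (Start or Stop)."""
    return {"User-Name": user, "NAS-IP-Address": nas_ip, "NAS-Port": nas_port,
            "Acct-Session-Id": sid, "Acct-Status-Type": status}


def demo():
    user = "test@wimax.example"  # constructed sample user
    users = {user: {"Simultaneous-Use": 1}}
    results = {}

    # 1. NAS sends accounting and confirms the session: second login refused.
    store = SessionStore()
    auth = Authenticator(users, store, nas_check=lambda s: True)
    auth.access_request(access(user, "10.0.0.1", "1"))
    store.account(acct(user, "10.0.0.1", "1", "sess-1", "Start"))
    results["with_accounting"] = auth.access_request(access(user, "10.0.0.2", "7"))
    results["nas_queried_once"] = auth.nas_queries == 1

    # 2. Same NAS and port again: treated as a re-login, no NAS query.
    results["same_port_relogin"] = auth.access_request(access(user, "10.0.0.1", "1"))

    # 3. Stop record closes the session; the next login is accepted.
    store.account(acct(user, "10.0.0.1", "1", "sess-1", "Stop"))
    results["after_stop"] = auth.access_request(access(user, "10.0.0.2", "7"))

    # 4. NAS never sends accounting: the table stays empty, limit unenforceable.
    auth_no_acct = Authenticator(users, SessionStore(), nas_check=lambda s: True)
    auth_no_acct.access_request(access(user, "10.0.0.1", "1"))
    results["without_accounting"] = auth_no_acct.access_request(access(user, "10.0.0.2", "7"))

    # 5. Table says open but the NAS says gone: stale entry is ignored.
    store_stale = SessionStore()
    store_stale.account(acct(user, "10.0.0.1", "1", "sess-9", "Start"))
    auth_stale = Authenticator(users, store_stale, nas_check=lambda s: False)
    results["stale_session"] = auth_stale.access_request(access(user, "10.0.0.2", "7"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Case 4 is the situation in the original question: the CPEs keep connecting with the same credentials because nothing ever writes to the session table, so the limit is never exceeded as far as the server can tell.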


Re: Configuration Problem with FreeRadius, Unix Authentication, and WRT54G2 WAP

2010-08-25 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 5:25 AM, Jonathan Black
frodowearinther...@gmail.com wrote:

 +- entering group authenticate
 rlm_unix: Attribute User-Password is required for authentication.

Your iphone is probably doing EAP/MSCHAPv2, which does not send user
password in plain text (which is required by rlm_unix).

If you want to use EAP with rlm_unix, you'd need to use an EAP method
that provides plain text password (like EAP-PEAP-GTC), possibly
disabling all other EAP methods (like EAP/MSCHAP-v2) on radius server.

-- 
Fajar


Re: configuration freeradius with mysql

2010-05-14 Thread David Seira
Have you decommented the $INCLUDE sql.conf line in radiusd.conf?


I had the same problem when I compiled freeradius-2.1.8. If I compiled
freeradius without libmysqlclient15-dev package the problem appeared.

Try it.

2010/5/14 dorra aa dj_dido2...@hotmail.com

  hi
 i installed mysql.

 and i modify in /etc/freeradius/sql.conf:
 readclients=yes

 also, i decommented in /etc/freeradius/radiusd.conf:
 accounting
 {
 sql}
 authorize
 {...
 sql}

 i run again freeradius -X:
 but it seems failed because of sql: this is the output
 [...]
  sql: postauth_query = INSERT into radpostauth (user, pass, reply, date)
 values ('%{User-Name}', '%{User-Password:-Chap-Password}',
 '%{reply:Packet-Type}', NOW())
  sql: safe-characters =
 @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
 rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
 linked
 rlm_sql (sql): Attempting to connect to r...@localhost:/radius
 rlm_sql (sql): starting 0
 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
 rlm_sql_mysql: Starting connect to MySQL server for #0
 rlm_sql_mysql: Couldn't connect socket to MySQL server r...@localhost:radius
 rlm_sql_mysql: Mysql error 'Access denied for user 'root'@'localhost'
 (using password: YES)'
 # but i check it and it's ok i have in sql.conf: sql{server = localhost
 login = root
 password = rootpass}
 rlm_sql (sql): Failed to connect DB handle #0
 rlm_sql (sql): starting 1
 rlm_sql (sql): starting 2
 rlm_sql (sql): starting 3
 rlm_sql (sql): starting 4
 rlm_sql (sql): Failed to connect to any SQL server.
 #but i begin with installing mysql-server and i add a user in the database
 rlm_sql (sql): - generate_sql_clients
 rlm_sql (sql): Query: SELECT * FROM nas
 rlm_sql (sql): Ignoring unconnected handle 4..
 rlm_sql (sql): Ignoring unconnected handle 3..
 rlm_sql (sql): Ignoring unconnected handle 2..
 rlm_sql (sql): Ignoring unconnected handle 1..
 rlm_sql (sql): Ignoring unconnected handle 0..
 rlm_sql (sql): There are no DB handles to use! skipped 5, tried to
 connect 0
 rlm_sql (sql): generate_sql_clients() returned error
 rlm_sql (sql): Closing sqlsocket 4
 rlm_sql (sql): Closing sqlsocket 3
 rlm_sql (sql): Closing sqlsocket 2
 rlm_sql (sql): Closing sqlsocket 1
 rlm_sql (sql): Closing sqlsocket 0
 radiusd.conf[14]: sql: Module instantiation failed.
 radiusd.conf[1860] Unknown module sql.
 radiusd.conf[1789] Failed to parse authorize section.

Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-14 Thread Sumedh Sathaye

Hi Alan,

Thanks for pointing out what I am doing wrong. Being a newbie to the whole
field of AAA, can you give me a few pointers where/what I can read up to
configure EAP for the TLS method (rather than MD5)? I appreciate your help.

Best Regards,
Sumedh Sathaye



From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: 05/13/2010 01:05 AM
Subject: Re: Configuration trouble (2.1.8 for use with WiMAX)
Sent by: freeradius-users-bounces+sathaye=us.ibm@lists.freeradius.org

Sumedh Sathaye wrote:
 Run-log from radiusd -X is also included at the end of this message.
 Here is the message that indicates that EAP is not computing MSK and
EMSK:
 [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

  You're using an EAP method that doesn't provide the MSK.  Use
something mandated by the WiMAX spec instead of EAP-MD5.

  e.g. EAP-TLS, PEAP, or TTLS.

  Alan DeKok.

Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-14 Thread Alan DeKok
Sumedh Sathaye wrote:
 Thanks for pointing out what I am doing wrong. Being a newbie to the
 whole field of AAA, can you give me a few pointers where/what I can read
 up to configure EAP for the TLS method (rather than MD5)? I appreciate
 your help.

  See the Wiki & my web page: deployingradius.com

  My web page gives complete end to end instructions for testing EAP.

  Alan DeKok.


Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-13 Thread Alan DeKok
Sumedh Sathaye wrote:
 Run-log from radiusd -X is also included at the end of this message.
 Here is the message that indicates that EAP is not computing MSK and EMSK:
 [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

  You're using an EAP method that doesn't provide the MSK.  Use
something mandated by the WiMAX spec instead of EAP-MD5.

  e.g. EAP-TLS, PEAP, or TTLS.

  Alan DeKok.


Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-13 Thread sunhualing
It seems that it could not generate EAP-MSK first,maybe you can check that.

On Thu, May 13, 2010 at 2:49 AM, Sumedh Sathaye sath...@us.ibm.com wrote:

 Dear all,

 I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
 I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
 someone help me figure out what I am not doing OR doing incorrectly?

 I have configured the raddb/sites-available/default and
 raddb/modules/wimax files per instructions included in the files
 themselves. For reference, here are the configuration stanzas in the
 post-auth section of default:

 update request {
WiMAX-MN-NAI = %{User-Name}
 }
 update reply {
 WiMAX-FA-RK-Key = 0x00
 WiMAX-MSK = %{EAP-MSK}
 }
 wimax

 Run-log from radiusd -X is also included at the end of this message. Here
 is the message that indicates that EAP is not computing MSK and EMSK:
 [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

 Thank you in advance, and I apologize if this question has been answered
 before -- I did not find answers/pointers in the FAQ or the Wiki.

 Best Regards,
 Sumedh

 --
 FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May
 11 2010 at 23:50:30
 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 Starting - reading configuration files ...
 including configuration file /usr/local/etc/raddb/radiusd.conf
 including configuration file /usr/local/etc/raddb/proxy.conf
 including configuration file /usr/local/etc/raddb/clients.conf
 including files in directory /usr/local/etc/raddb/modules/
 including configuration file /usr/local/etc/raddb/modules/acct_unique
 including configuration file /usr/local/etc/raddb/modules/always
 including configuration file /usr/local/etc/raddb/modules/attr_filter
 including configuration file /usr/local/etc/raddb/modules/attr_rewrite
 including configuration file /usr/local/etc/raddb/modules/chap
 including configuration file /usr/local/etc/raddb/modules/checkval
 including configuration file /usr/local/etc/raddb/modules/counter
 including configuration file /usr/local/etc/raddb/modules/cui
 including configuration file /usr/local/etc/raddb/modules/detail
 including configuration file /usr/local/etc/raddb/modules/
 detail.example.com
 including configuration file /usr/local/etc/raddb/modules/detail.log
 including configuration file /usr/local/etc/raddb/modules/digest
 including configuration file /usr/local/etc/raddb/modules/echo
 including configuration file /usr/local/etc/raddb/modules/etc_group
 including configuration file /usr/local/etc/raddb/modules/exec
 including configuration file /usr/local/etc/raddb/modules/expiration
 including configuration file /usr/local/etc/raddb/modules/expr
 including configuration file /usr/local/etc/raddb/modules/files
 including configuration file /usr/local/etc/raddb/modules/inner-eap
 including configuration file /usr/local/etc/raddb/modules/ippool
 including configuration file /usr/local/etc/raddb/modules/krb5
 including configuration file /usr/local/etc/raddb/modules/ldap
 including configuration file /usr/local/etc/raddb/modules/linelog
 including configuration file /usr/local/etc/raddb/modules/logintime
 including configuration file /usr/local/etc/raddb/modules/mac2ip
 including configuration file /usr/local/etc/raddb/modules/mac2vlan
 including configuration file /usr/local/etc/raddb/modules/mschap
 including configuration file /usr/local/etc/raddb/modules/ntlm_auth
 including configuration file /usr/local/etc/raddb/modules/otp
 including configuration file /usr/local/etc/raddb/modules/pam
 including configuration file /usr/local/etc/raddb/modules/pap
 including configuration file /usr/local/etc/raddb/modules/passwd
 including configuration file /usr/local/etc/raddb/modules/perl
 including configuration file /usr/local/etc/raddb/modules/policy
 including configuration file /usr/local/etc/raddb/modules/preprocess
 including configuration file /usr/local/etc/raddb/modules/radutmp
 including configuration file /usr/local/etc/raddb/modules/realm
 including configuration file /usr/local/etc/raddb/modules/smbpasswd
 including configuration file /usr/local/etc/raddb/modules/smsotp
 including configuration file /usr/local/etc/raddb/modules/sql_log
 including configuration file
 /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
 including configuration file /usr/local/etc/raddb/modules/sradutmp
 including configuration file /usr/local/etc/raddb/modules/unix
 including configuration file /usr/local/etc/raddb/modules/wimax
 including configuration file /usr/local/etc/raddb/eap.conf
 including configuration file /usr/local/etc/raddb/policy.conf
 including files in directory /usr/local/etc/raddb/sites-enabled/
 including configuration file 

RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread David Peterson
Which product are you using?  Some WiMax NAS do not send the proper keys to
Freeradius.  I have gotten FR to work with pretty much all of the major
brands of WiMax we sell.

 

David

 

 

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of Sumedh Sathaye
Sent: Wednesday, May 12, 2010 2:50 PM
To: FreeRadius users mailing list
Subject: Configuration trouble (2.1.8 for use with WiMAX)

 

Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the raddb/sites-available/default and
raddb/modules/wimax files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of default:

update request {
   WiMAX-MN-NAI = %{User-Name}
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = %{EAP-MSK}
}
wimax

Run-log from radiusd -X is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh

--
FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May 11
2010 at 23:50:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file 

RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread Sumedh Sathaye

David, thanks for your reply. I am using a simulated WIMAX ASN gateway from
the BOC-WiMAX distribution. It's available at:

http://opensource.bolloretelecom.eu/projects/boc-wimax/

Sounds like you have insights into keys that NAS equipment does not send to
FreeRadius. Can you share that information with me?

Best Regards,
Sumedh



From: David Peterson dav...@wirelessconnections.net
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Date: 05/12/2010 03:23 PM
Subject: RE: Configuration trouble (2.1.8 for use with WiMAX)
Sent by: freeradius-users-bounces+sathaye=us.ibm@lists.freeradius.org

Which product are you using?  Some WiMax NAS do not send the proper keys to
Freeradius.  I have gotten FR to work with pretty much all of the major
brands of WiMax we sell.

David


From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of Sumedh Sathaye
Sent: Wednesday, May 12, 2010 2:50 PM
To: FreeRadius users mailing list
Subject: Configuration trouble (2.1.8 for use with WiMAX)



Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the raddb/sites-available/default and
raddb/modules/wimax files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of default:

update request {
   WiMAX-MN-NAI = %{User-Name}
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = %{EAP-MSK}
}
wimax

Run-log from radiusd -X is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh

--
FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May
11 2010 at 23:50:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local

RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread David Peterson
I have looked into BOC-WIMAX and it looks interesting but fairly incomplete.
I have not tried to get it working 100% so I have only a little experience.


 

Some of the NAS simply want to talk to FR via EAP-TTLS and receive only a
Framed-Filter-Id response.  Is there a manufacturer you are looking to work
with in particular or is this an attempt to get BOC-WiMax working as your
ASN?  

 

David

 

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of Sumedh Sathaye
Sent: Wednesday, May 12, 2010 3:43 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: RE: Configuration trouble (2.1.8 for use with WiMAX)

 

David, thanks for your reply. I am using a simulated WIMAX ASN gateway from
the BOC-WiMAX distribution. It's available at:

http://opensource.bolloretelecom.eu/projects/boc-wimax/

Sounds like you have insights into keys that NAS equipment does not send to
FreeRadius. Can you share that information with me?

Best Regards,
Sumedh


From: David Peterson dav...@wirelessconnections.net
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Date: 05/12/2010 03:23 PM
Subject: RE: Configuration trouble (2.1.8 for use with WiMAX)
Sent by: freeradius-users-bounces+sathaye=us.ibm@lists.freeradius.org

Which product are you using? Some WiMax NAS do not send the proper keys to
Freeradius. I have gotten FR to work with pretty much all of the major
brands of WiMax we sell.

David


From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of Sumedh Sathaye
Sent: Wednesday, May 12, 2010 2:50 PM
To: FreeRadius users mailing list
Subject: Configuration trouble (2.1.8 for use with WiMAX)

Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the raddb/sites-available/default and
raddb/modules/wimax files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of default:

update request {
WiMAX-MN-NAI = %{User-Name}
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = %{EAP-MSK}
}
wimax

Run-log from radiusd -X is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh

--
FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May 11
2010 at 23:50:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr

RE: Configuration radius

2010-05-03 Thread Tim Sylvester
 

I am doing a project in network mesh, wireless mesh. After making the
implementation of my network, I want to do authentication and security of my
network using Radius. But I have no information of this side and I found
many documents that I do not understand. Please help me to find a clear
document and without difficulty. I want to do the Radius on two machines: a
server and a client. What are the commands to type to each machine.



Start with this page on the wiki: http://freeradius.org/doc/

 

Install FreeRADIUS on one system. Then use radtest as a client to test your
server installation.

 

Tim


Re: Configuration test issue

2010-01-13 Thread Alan DeKok
Guillaume Rousse wrote:
 Hello list.
 
 I'm trying to automatize configuration testing at each change. However,
 I'm facing a situation where testing report failure, whereas running
 freeradius works OK.
 
 With this following configuration:
 DEFAULT Auth-Type := LDAP, Huntgroup-Name == AdminNet, ldap1-LDAP-Group
 == admins
 
 Errors reading /etc/raddb/users
 /etc/raddb/users[19]: Parse error (check) for entry DEFAULT: Invalid
 octet string admins for attribute name ldap1-LDAP-Group

  It doesn't instantiate the modules when it is just checking the
config.  So the ldap-LDAP-Group attribute isn't created by the LDAP
module.

 So, can I do something here to fix the validation test :) ?

  Add the ldap1-LDAP-Group attribute to raddb/dictionary as a string
attribute.  The value doesn't matter (though follow the guidelines in
raddb/dictionary)

  Alan DeKok.


Re: Configuration test issue

2010-01-13 Thread Guillaume Rousse
Le 13/01/2010 16:39, Alan DeKok a écrit :
 So, can I do something here to fix the validation test :) ?
 
   Add the ldap1-LDAP-Group attribute to raddb/dictionary as a string
 attribute.  The value doesn't matter (though follow the guidelines in
 raddb/dictionary)
Perfect, many thanks.

-- 
BOFH excuse #167:

excessive collisions & not enough packet ambulances


Re: Configuration of FreeRADIUS on Ubuntu/Debian with OPEN-LDAP Authentication

2009-09-28 Thread Alan Buxey
Hi,

 I googled it lot but did not come to any comprehensive solution.

http://wiki.freeradius.org/Rlm_ldap


you need to ensure that the FreeRADIUS LDAP module can talk to your
LDAP server - check the LDAP configuration in FreeRADIUS to ensure that
the configuration, password etc etc is fine  (modules/ldap in FR 2.x)

then enable the ldap section in the required part of your configuration -
ie do you want to authenticate users or authorise them via ldap? uncomment
the required line in eg inner-server (if using EAP) or default otherwise.
the config file supplied by default should be fairly verbose - I can't say
what version you get after the package maintainer has done their work on
it - but, if in doubt, download the source tarball from freeradius.org
and check the default contents of the raddb directory!

finally, run in full debug mode

radiusd -X

and sniff/log the LDAP server to ensure things are doing what you expect

alan


Re: Configuration of FreeRADIUS on Ubuntu/Debian with OPEN-LDAP Authentication

2009-09-28 Thread Justin Steward
On Tue, Sep 29, 2009 at 12:45 AM, Ryaz Khan rk...@ezesolve.com wrote:
 I googled it lot but did not come to any comprehensive solution.

You'll probably learn this the hard way anyway, but don't try to
google for freeradius. Most of those hits will be outdated, even if it
is on the topic you're searching for.

1) Search the docs installed with freerad.
2) Search the freerad website/wiki.
3) This mailing list.

~Justin


Re: Configuration sample CDMA-EVDO

2008-12-12 Thread Alexander Serkin

Hi, Aldo.
There's nothing special for freeradius providing AAA services for cdma 
ev-do.
We're running CDMA (1xRTT, 1xEV-DO rev0/revA) network with ~25k peak 
online users on two servers running FR.

Drop me a message if you're interested in details.

--
Alexander

Aldo wrote:
Hello, could please somebody provide a configuration sample of a CDMA 
network which provides EVDO using RADIUS?


Thanks





Re: Configuration trouble with fail-over

2008-04-30 Thread Alan DeKok
Guillaume Rousse wrote:
 What's wrong with just looking recursively for the name under which the
 module has been instantiated in the authorization section, without
 interpreting fail-over behaviour at all?

  Because it may be listed under multiple Auth-Type sections.  This is
something that people do, and is valid.

   The problem is a common one in computer science: write a program that
 understands what another program is doing.  This problem is generally
 known to be impossible.
 Here the communication occurs between the main program, and one of its
 module, the relationship is a bit tighter.

  The problem is interpreting the meaning of the configuration in an
authenticate section, including sections, sub-sections, unlang, and
redundant sections.  Then, automatically making the server do the right
thing in the authorize section, based on its interpretation of the
authenticate section.

  This is hard.

  Alan DeKok.


Re: Configuration trouble with fail-over

2008-04-30 Thread Guillaume Rousse
Alan DeKok a écrit :
 Guillaume Rousse wrote:
 It is not documented in the rlm_ldap file shipped in top-level directory
 (at least for release 2.0.0). The fact that there is a huge redundancy
 between this file and comments in default configuration files doesn't
 help maintaining a reference documentation.
 
   The configuration files are up-to-date.  Other documentation files may
 not be.
 
   As always, we welcome patches to help fix code or documentation.
Here is a trivial one.

 ... if you have suggestions for how to make
 that determination, I'm interested.
 No, especially as I got no clue about freeradius internals.
 
   There's no need to understand the internals.  All you need to do is
 understand the configuration, and to come up with some simple logic for
 the right thing to do.
What's wrong with just looking recursively for the name under which the
module has been instantiated in the authorization section, without
interpreting fail-over behaviour at all?

   The problem is a common one in computer science: write a program that
 understands what another program is doing.  This problem is generally
 known to be impossible.
Here the communication occurs between the main program and one of its
modules; the relationship is a bit tighter.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
diff -Naur freeradius-server-2.0.3/doc/rlm_ldap 
freeradius-server-2.0.3-drop-redundant-documentation/doc/rlm_ldap
--- freeradius-server-2.0.3/doc/rlm_ldap2008-02-14 08:03:42.0 
+0100
+++ freeradius-server-2.0.3-drop-redundant-documentation/doc/rlm_ldap   
2008-04-30 11:23:20.0 +0200
@@ -26,236 +26,7 @@
 
 3. CONFIGURATION
 
-Add following subsection to the modules{} section of radiusd.conf to control
-the rlm_ldap module:
-
-  modules { ...
-   
-   ldap {
-
-#  server: LDAP server hostname/ip address
-#
-#  Optionaly could contain space separated list of host[:port], but
-#  redundancy/resiliency is better acheived configuring multiple rlm_ldap
-#  module instances and invocing them in   redundand/failover
-#  configuration in authorize/authenticate sections
-#
-#  You can also pass an ldap url like ldap://localhost
-#  That way you can also specify alternative ldap schemas like
-#  ldaps:// or ldapi://
-#  The port directive will be ignored in that case
-#  
-#  default: settings for your system, as set in etc/openldap/ldap.conf
-#
-   server   = localhost
-
-#  port: LDAP server port
-#  
-#  If LDAP server port is set to 636 (ldaps), SSL connection is enforced.
-#  This feature is useful for LDAP servers which support SSL, but don't
-#  do TLS negotiation (like Novell eDirectory).
-#  
-#  default: 389 (ldap)
-#
-   port = 636
-
-#  net_timeout: # of seconds to wait for response of the server (network
-#  failures) default: 10
-#
-   net_timeout = 1
-
-#  timeout: # seconds to wait for LDAP query to finish default: 20
-#
-   timeout = 2
-
-#  timelimit: # of seconds server has to process the query (server-side
-#  time limit) default: 20
-#
-   timelimit = 5
-
-#  ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
-#  default: 0x (no debugging messages)
-#  Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
-   ldap_debug = 0x0028 
-
-#  identity: DN under which LDAP searches are done password: pasword
-#  which authenticate this DN default: anonymous bind, no password
-#  required NOTE: searches are done now over unencrypted connection!
-#
-#  identity = cn=admin,o=My Org,c=UA password = mypass
-
-
-#  ldap_connections_number: The number of ldap connections that the
-#  module will keep open to use in requests. Usually it will not need to
-#  be larger than 5-10 connections default: 5
-
-   ldap_connections_number = 5
-
-#  basedn = Base of LDAP searches
-#
-   basedn   = o=My Org,c=UA
-
-#  filter: LDAP search filter, to locate user object using name supplied
-#  by client during Radius authentication
-#  
-#  default: filter   = (uid=%u)
-
-#  base_filter: The LDAP search filter used for base scope searches, like
-#  when searching for the default or regular profiles
-#
-#  deafault: base_filter = (objectclass=radiusprofile)
-
-   filter   = (uid=%u)
-
-#  start_tls: When set to yes the StartTLS extended operation is used to
-#  start TLS transport encryption.
-   start_tls = no
-
-#  tls_mode: When set to yes OR the server port is 636 we try to connect 
with TLS
-#  Start TLS should be prefered, tls_mode is provided only for ldap servers
-#  like Active Directory which do not support it.
-#  default: no
-
-   tls_mode = no
-
-#  tls_cacertfile: A PEM-encoded file that contains the CA Certificates 
that
-#  
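
Review bot: the visible part of this hunk only deletes; the seven lines that replace the body of "3. CONFIGURATION" are cut off in this archive copy, so it cannot be checked here that the section still tells readers where the module options are now documented (the modules/ldap file this thread refers to). That pointer matters because the deleted comments carry this file's only statements on the security-relevant defaults: that `identity`/`password` default to an anonymous bind with "searches are done now over unencrypted connection", that port 636 forces an SSL connection, that `start_tls` defaults to `no`, and that `tls_mode` is meant only for servers that lack StartTLS. The replacement text should name the file where those notes now live rather than leave the heading bare.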

Re: Configuration trouble with fail-over

2008-04-29 Thread Alan DeKok
Guillaume Rousse wrote:
 I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0,

  2.0.3 has been out for a while...

 and
 I've been hit badly by the change in the handling of LDAP-UserDn
 attribute, as detailed in
 http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html

  This was fixed in CVS head, in what will be 2.0.4.

 I think this ought to be documented in rlm_ldap documentation (as well
 as minor other changes, such as the new tls subsection).

  The new tls sub-section isn't required.  The old-style configuration
*should* work.

 I also tried to clean up my configuration a little bit. I think I found
 a bug in the handling of set_auth_type directive. From what I
 understood, this directive governs the setting of the Auth-Type
 attribute to 'LDAP' during the authorisation phase. However, whatever
 its value, it's automatically disabled when launching radius at startup:
 
 Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
 as we're not listed in the authenticate section.

  Yes... the LDAP module is now aware that you may have *multiple*
copies of the LDAP module running.

 Here is my authenticate section, using two ldap modules in fail-over:
 authenticate {
 Auth-Type LDAP {
 redundant {
 ldap1
 ldap2

  ldap1 != LDAP.

 handled
 }
 }
 }
 
 If I drop failover, everything works as expected. Should I report this as
 a bug ?

  No.

 So far, the only workaround I found is to force the Auth-Type attribute
 in the user file:

  Yes.  The old behavior was wrong.

 But I can't make my mind if it is a good solution or not. According to
 the comment in default configuration file: In general, you SHOULD NOT
 set the Auth-Type attribute.

  In general.  In some cases, it works.  In this case, the knowledge
that you want to do LDAP authentication is buried inside of a
redundant section.

 According to Alan answer in
 http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html
 The LDAP module setting Auth-Type to LDAP is a bit of a hack.

  Yes.  If you use the LDAP server as a *database*, then there's no need
to set Auth-Type.  FreeRADIUS just figures it out.

  The only reasons to use Auth-Type = LDAP is when you're using LDAP as
an *authentication* server, not as a database.

 Which one should I believe ?

  All of them.  There are generalizations, which are usually true.  In
addition, there are specific corner cases where the generalizations
aren't true.

  Alan deKok.


Re: Configuration trouble with fail-over

2008-04-29 Thread Guillaume Rousse
Alan DeKok a écrit :
 I think this ought to be documented in rlm_ldap documentation (as well
 as minor other changes, such as the new tls subsection).
 
   The new tls sub-section isn't required.  The old-style configuration
 *should* work.
It does. But clarification between what's old and what's new syntax
doesn't harm.

 I also tried to clean up my configuration a little bit. I think I found
 a bug in the handling of set_auth_type directive. From what I
 understood, this directive governs the setting of the Auth-Type
 attribute to 'LDAP' during the authorisation phase. However, whatever
 its value, it's automatically disabled when launching radius at startup:

 Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
 as we're not listed in the authenticate section.
 
   Yes... the LDAP module is now aware that you may have *multiple*
 copies of the LDAP module running.
I guess you mean 'not aware'

 Here is my authenticate section, using two ldap modules in fail-over:
 authenticate {
 Auth-Type LDAP {
 redundant {
 ldap1
 ldap2
 
   ldap1 != LDAP.
Right, but that seems to be only a syntax difference, referring to a
named instance of the LDAP module. One would expect the code to be more
robust, or at least the problem documented somewhere.

[..]
 Which one should I believe ?
 
   All of them.  There are generalizations, which are usually true.  In
 addition, there are specific corner cases where the generalizations
 aren't true.
I need the second solution (ldap as an authentication server), so I need
to have Auth-Type set.

If I understand correctly, there is no way to help the rlm_module
understand I'm using it for authentication, as I use a complex syntax, so
I have to set it up explicitly, right? In this case, I think this
deserves some explanation in the rlm_ldap documentation, such as:
Warning, if the LDAP module is not directly referenced in the
authentication section, such as a failover configuration using named
aliases, this setting will be disabled.

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: Configuration trouble with fail-over

2008-04-29 Thread Alan DeKok
Guillaume Rousse wrote:
 It does. But clarification between what's old and what's new syntax
 doesn't harm.

  The new syntax is documented, and is preferred.  If you try the old
one (undocumented and deprecated), it works.  What needs clarification?

 Right, but that seems to be only a syntax difference, referring to a
 named instance of the LDAP module. One would expect the code to be more
 robust, or at least the problem documented somewhere.

  It is very difficult to determine what is *supposed* to happen inside
of an authentication section.  if you have suggestions for how to make
that determination, I'm interested.

  And the problem is documented: the debug log prints out a warning
message, as you saw.

 If I understand correctly, there is no way to help the rlm_module
 understand I'm using it for authentication, as I use a complex syntax, so
 I have to set it up explicitly, right?

  Yes.

 In this case, I think this
 deserves some explanation in the rlm_ldap documentation, such as:
 Warning, if the LDAP module is not directly referenced in the
 authentication section, such as a failover configuration using named
 aliases, this setting will be disabled.

  The same problem applies to other modules, so it needs to be
documented in one place.

  Alan DeKok.



Re: Configuration trouble with fail-over

2008-04-29 Thread Guillaume Rousse
Alan DeKok a écrit :
 Guillaume Rousse wrote:
 It does. But clarification between what's old and what's new syntax
 doesn't harm.
 
   The new syntax is documented, and is preferred.  If you try the old
 one (undocumented and deprecated), it works.  What needs clarification?
It is not documented in the rlm_ldap file shipped in top-level directory
(at least for release 2.0.0). The fact that there is a huge redundancy
between this file and comments in default configuration files doesn't
help maintaining a reference documentation.

 Right, but that seems to be only a syntax difference, referring to a
 named instance of the LDAP module. One would expect the code to be more
 robust, or at least the problem documented somewhere.
 
   It is very difficult to determine what is *supposed* to happen inside
 of an authentication section.  if you have suggestions for how to make
 that determination, I'm interested.
No, especially as I got no clue about freeradius internals.

   And the problem is documented: the debug log prints out a warning
 message, as you saw.
 
 If I understand correctly, there is no way to help the rlm_module
 understand I'm using it for authentication, as I use a complex syntax, so
 I have to set it up explicitly, right?
 
   Yes.
 
 In this case, I think this
 deserves some explanation in the rlm_ldap documentation, such as:
 Warning, if the LDAP module is not directly referenced in the
 authentication section, such as a failover configuration using named
 aliases, this setting will be disabled.
 
   The same problem applies to other modules, so it needs to be
 documented in one place.
Indeed.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: Configuration trouble with fail-over

2008-04-29 Thread Alan DeKok
Guillaume Rousse wrote:
 It is not documented in the rlm_ldap file shipped in top-level directory
 (at least for release 2.0.0). The fact that there is a huge redundancy
 between this file and comments in default configuration files doesn't
 help maintaining a reference documentation.

  The configuration files are up-to-date.  Other documentation files may
not be.

  As always, we welcome patches to help fix code or documentation.

... if you have suggestions for how to make
 that determination, I'm interested.
 No, especially as I got no clue about freeradius internals.

  There's no need to understand the internals.  All you need to do is
understand the configuration, and to come up with some simple logic for
the right thing to do.

  The problem is a common one in computer science: write a program that
understands what another program is doing.  This problem is generally
known to be impossible.

  Alan DeKok.


Re: Configuration for Cisco DSL Users

2007-09-22 Thread tnt
You will need to do debug ppp negotiation to see whether IP address allocation
is the problem. If it is, you can always use Freeradius ippool (or
sqlippool in latest versions) to allocate IPs.

Ivan Kalik
Kalik Informatika ISP


Dana 22/9/2007, DFN Systems Office [EMAIL PROTECTED] piše:

I'm new both to freeradius and the *nix operating system. I have
successfully implemented freeradius for users dialing in through Portmaster3
Access Servers using FreeRadius 1.0.1-1 on Fedora.
I am currently authenticating DSL users locally on a Cisco 7206VXR Router. I
would like to authenticate the DSL users on the FreeRadius Server, but
attempts have been unsuccessful. The Accounting works. Even now with DSL
Users set to Auth locally on the Router, Radius is faithfully logging the
activity.

With Radius Auth, the DSL modem will not connect and I get no entry in the
Radius accounting log.

AAA Debug is virtually Identical to the Local Auth output! The only
difference was the line Method=local changed to Method=Radius.

Both log entry sets have Status = PASS and both show the virtual-access
change to up!

So now I'm thinking the AAA/Radius is working but I have a communications
issue. When a DSL user authenticates locally, he then gets an IP address
from the local pool on the Cisco. When the same DSL User authenticates on
Radius, all communication seems to stop.

Here are the relevant config sections from the Cisco.

aaa new-model
aaa authentication login default line [*currently set to local]
aaa authentication ppp default group radius local [see*above]
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting network default start-stop group radius
interface Loopback1
 description DSL
 ip address 206.206.89.1 255.255.255.0 secondary
 ip address 206.206.88.161 255.255.255.240 secondary
 ip address 206.206.86.1 255.255.255.0
interface Virtual-Template2
 description DFN NEW Template
 ip unnumbered Loopback1
 ip mroute-cache
 peer default ip address pool OsoGranDSL OsoGranDsl2
 ppp authentication pap
radius-server host [omitted] auth-port 1645 acct-port 1646
radius-server host [omitted] auth-port 1645 acct-port 1646
radius-server key [omitted]


Here's an example entry from my users file:

username  Auth-Type := Local, User-Password == omitted
  User-Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-Address = 255.255.255.254,
  Framed-Netmask = 255.255.255.255,
  Framed-Routing = Broadcast-Listen,
  Framed-Filter-Id = std.ppp,
  Framed-MTU = 1500,
  Framed-Compression = Van-Jacobsen-TCP-IP

I think I'm close, and I have a hunch the users file settings that work for
PortMasters may not be good for Cisco. Any suggestions or sample configs
would be appreciated.

Bill Green
Dfn Systems






Re: configuration for realm with prefix and suffix

2007-08-24 Thread Phil Mayers
On Thu, 2007-08-23 at 20:40 -0600, Mike Cisar wrote:
 Running FreeRADIUS 1.1.3, usernames are in 'username' format in a unix
 passwd file.  Our dialup users are proxied to us in '[EMAIL PROTECTED]'
 format and to this point everything has been working just fine.
 
 Now the tougher part... We've gained access to some additional POPs and
 although the suffix is the same, we are proxied these with a prefix as
 well... so what we get is in the form  prefix/[EMAIL PROTECTED]   I'm
 having trouble wrapping my head around how to configure our server to deal
 with these.
 
 Any thoughts or pointers are appreciated.

You'll need to use the hints file. The realm module won't run twice.
e.g. one way to strip the prefix/ and drop it would be:

DEFAULT User-Name =~ .*/([EMAIL PROTECTED])
User-Name := %{1}

...or, if the prefix were the realm and you wanted the username with the @ in it:

DEFAULT User-Name =~ (.*)/([EMAIL PROTECTED])
User-Name := %{2},
Realm := %{1}

HTH



RE: configuration for realm with prefix and suffix

2007-08-24 Thread Mike Cisar
  well... so what we get is in the form  prefix/[EMAIL PROTECTED]   I'm
  having trouble wrapping my head around how to configure our server to deal
  with these.
 
 You'll need to use the hints file. The realm module won't run twice.
 e.g. one way to strip the prefix/ and drop it would be:
 
 DEFAULT   User-Name =~ .*/([EMAIL PROTECTED])
   User-Name := %{1}

Thanks Phil, I'll give that a try and see if it does the trick.

Cheers,
 Mike 



RE: Configuration issue - unknown client

2007-08-14 Thread Jeff Crowe
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan O'Reilly
 Sent: August 13, 2007 6:58 PM
 To: FreeRadius users mailing list
 Cc: FreeRadius users mailing list
 Subject: Re: Configuration issue - unknown client
 
 My /etc/raddb/clients.conf:
 
 client 192.168.0.11 {
   secret = foobar
 }
 
 Here's the output from radiusd -X:
 
 danolaptop freeradius-1.1.7 # /usr/local/sbin/radiusd -X
 Starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /usr/local/etc/raddb/proxy.conf
 Config:   including file: /usr/local/etc/raddb/clients.conf
 Config:   including file: /usr/local/etc/raddb/snmp.conf
 Config:   including file: /usr/local/etc/raddb/eap.conf
 Config:   including file: /usr/local/etc/raddb/sql.conf


Have you tried moving your config files to /usr/local/etc/raddb/ as that
is where freeradius is looking for them, not in /etc/raddb/*

Jeff.
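
An added check for the mistake in this thread, not code from the post or from FreeRADIUS: a POSIX shell helper that reads the "including file:" lines from the server's own `radiusd -X` output to find the clients.conf it really loads, then verifies that file has a braced `client <ip> { ... }` block. The function names are my own, and the debug lines fed to the demo are a constructed copy of the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the list posts or from FreeRADIUS.
# The thread above failed because clients.conf was edited in /etc/raddb
# while the self-built server (prefix /usr/local) read
# /usr/local/etc/raddb/clients.conf. Two helpers: find the clients.conf the
# server really loads from its own debug output, then check that a braced
# client block for the NAS exists in that file.

# Read "radiusd -X" output on stdin; print the clients.conf path it included.
# Handles the 1.x "Config:   including file:" form quoted in this thread and
# the 2.x "including configuration file" form seen earlier on this page.
clients_conf_in_use() {
    sed -n \
        -e 's/^Config:[[:space:]]*including file:[[:space:]]*\(.*\/clients\.conf\)[[:space:]]*$/\1/p' \
        -e 's/^including configuration file[[:space:]]*\(.*\/clients\.conf\)[[:space:]]*$/\1/p' \
    | head -n 1
}

# client_defined FILE IP: exit 0 if FILE has a "client IP {" block, else 1.
# A bare "client 192.168.0.11" line without braces (the first attempt in
# the thread) is deliberately not accepted.
client_defined() {
    file=$1
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*client[[:space:]]+${ip_re}[[:space:]]*\{" "$file"
}

# Stand-alone demo on a constructed copy of the debug lines quoted above.
# On a live box you would pipe the real output instead, e.g.
#   radiusd -C -X 2>&1 | clients_conf_in_use   (-C is 2.x: exit after the check)
if [ "${1:-}" = "demo" ]; then
    conf=$(printf '%s\n' \
        'Starting - reading configuration files ...' \
        'Config:   including file: /usr/local/etc/raddb/proxy.conf' \
        'Config:   including file: /usr/local/etc/raddb/clients.conf' \
        | clients_conf_in_use)
    echo "server reads: $conf"
    if client_defined "$conf" 192.168.0.11; then
        echo "192.168.0.11 is defined there"
    else
        echo "192.168.0.11 is NOT defined in $conf; edit that file, not /etc/raddb"
    fi
fi
```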



RE: Configuration issue - unknown client

2007-08-14 Thread Dan O'Reilly
D'OH!   massive forehead slap

You're right, I apparently have a reading disability of some sort.  That 
made it work, thanks!

At 06:39 AM 8/14/2007, Jeff Crowe wrote:


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan O'Reilly
  Sent: August 13, 2007 6:58 PM
  To: FreeRadius users mailing list
  Cc: FreeRadius users mailing list
  Subject: Re: Configuration issue - unknown client
 
  My /etc/raddb/clients.conf:
 
  client 192.168.0.11 {
secret = foobar
  }
 
  Here's the output from radiusd -X:
 
  danolaptop freeradius-1.1.7 # /usr/local/sbin/radiusd -X
  Starting - reading configuration files ...
  reread_config:  reading radiusd.conf
  Config:   including file: /usr/local/etc/raddb/proxy.conf
  Config:   including file: /usr/local/etc/raddb/clients.conf
  Config:   including file: /usr/local/etc/raddb/snmp.conf
  Config:   including file: /usr/local/etc/raddb/eap.conf
  Config:   including file: /usr/local/etc/raddb/sql.conf


Have you tried moving your config files to /usr/local/etc/raddb/ as that
is where freeradius is looking for them, not in /etc/raddb/*

Jeff.


--
Dan O'Reilly, Principal Engineer, Process Software, http://www.process.com
"There are 10 types of people in this world: those who understand binary and those who don't."




Re: Configuration issue - unknown client

2007-08-13 Thread Nicholas Hall
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:

 This is my first stab at Freeradius.  I have the server installed on
 Sabayon Linux, and the radtest script runs fine.  I've done basically no
 configuration to it, because I'm not sure what to configure.

 I'm writing a client on another system (it's VMS if that's germane).  I
 format & send a request packet to the server system, and get (running
 radiusd -X):

 rad_recv: Access-Request packet from host 192.168.0.11:1812, id=67,
 length=47
 Ignoring request from unknown client 192.168.0.11:1812


You need to add new clients to clients.conf.  FreeRADIUS will only talk to
clients in this file.

-- 
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271

Re: Configuration issue - unknown client

2007-08-13 Thread Dan O'Reilly
Same issue.  Here's my /etc/raddb/clients.conf:

client 192.168.0.11
secret foobar

At 04:15 PM 8/13/2007, Nicholas Hall wrote:
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
This is my first stab at Freeradius.  I have the server installed on
Sabayon Linux, and the radtest script runs fine.  I've done basically no
configuration to it, because I'm not sure what to configure.

I'm writing a client on another system (it's VMS if that's germane).  I
format & send a request packet to the server system, and get (running
radiusd -X):

rad_recv: Access-Request packet from host 192.168.0.11:1812, id=67, length=47
Ignoring request from unknown client 192.168.0.11:1812


You need to add new clients to clients.conf.  FreeRADIUS will only talk to 
clients in this file.

--
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271





Re: Configuration issue - unknown client

2007-08-13 Thread Nicholas Hall
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:

 Same issue.  Here's my /etc/raddb/clients.conf:

 client 192.168.0.11
 secret foobar


Shouldn't that be:

client 192.168.0.11 {
  secret = foobar
}

-- 
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271

Re: Configuration issue - unknown client

2007-08-13 Thread Dan O'Reilly
I had it that way and it didn't work either.

At 04:27 PM 8/13/2007, Nicholas Hall wrote:
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
Same issue.  Here's my /etc/raddb/clients.conf:

client 192.168.0.11
secret foobar


Shouldn't that be:

client 192.168.0.11 {
   secret = foobar
}

--
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271





Re: Configuration issue - unknown client

2007-08-13 Thread Nicholas Hall
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:

 I had it that way and it didn't work either.

 At 04:27 PM 8/13/2007, Nicholas Hall wrote:
 On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
 Same issue.  Here's my /etc/raddb/clients.conf:
 
 client 192.168.0.11
 secret foobar
 
 
 Shouldn't that be:
 
 client 192.168.0.11 {
secret = foobar
 }
 


Dan, please follow the examples in clients.conf and then post your complete
radius debug output (radiusd -X)

-- 
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271

Re: Configuration issue - unknown client

2007-08-13 Thread Dan O'Reilly
My /etc/raddb/clients.conf:

client 192.168.0.11 {
  secret = foobar
}

Here's the output from radiusd -X:

danolaptop freeradius-1.1.7 # /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
  main: prefix = /usr/local
  main: localstatedir = /usr/local/var
  main: logdir = /usr/local/var/log/radius
  main: libdir = /usr/local/lib
  main: radacctdir = /usr/local/var/log/radius/radacct
  main: hostname_lookups = no
  main: snmp = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = /usr/local/var/log/radius/radius.log
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
  main: user = (null)
  main: group = (null)
  main: usercollide = no
  main: lower_user = no
  main: lower_pass = no
  main: nospace_user = no
  main: nospace_pass = no
  main: checkrad = /usr/local/sbin/checkrad
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = no
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = crypt
  pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = (null)
  mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: cache = no
  unix: passwd = (null)
  unix: shadow = (null)
  unix: group = (null)
  unix: radwtmp = /usr/local/var/log/radius/radwtmp
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = md5
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
  gtc: challenge = Password: 
  gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
  mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
  preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
  preprocess: hints = /usr/local/etc/raddb/hints
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = /usr/local/etc/raddb/users
  files: acctusersfile = /usr/local/etc/raddb/acct_users
  files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
  files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
  detail: detailfile =
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
  radutmp: filename = /usr/local/var/log/radius/radutmp
  radutmp: username = %{User-Name}
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813

Re: Configuration doubt

2007-07-16 Thread Alan DeKok
Osvaldohp wrote:
 This is my users file:
 mike  Auth-Type = System, User-Password == mike
   Session-Timeout := 3600,
 
 What am I doing wrong?

  You're telling the server to look in /etc/passwd for the user's
password, and then also telling it what the user's password is.

  Don't set Auth-Type.

  Use 1.1.6.

  Use Cleartext-Password, not User-Password, as suggested in the FAQ.

  Alan DeKok.


Re: Configuration doubt

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 08:05:15 Alan DeKok wrote:
 Osvaldohp wrote:
  This is my users file:
  mike  Auth-Type = System, User-Password == mike
Session-Timeout := 3600,
 
  What am I doing wrong?

   You're telling the server to look in /etc/passwd for the user's
 password, and then also telling it what the user's password is.

   Don't set Auth-Type.

   Use 1.1.6.

   Use Cleartext-Password, not User-Password, as suggested in the FAQ.

   Alan DeKok.

Don't forget to use the ':=' operator for the Cleartext-Password attribute, in 
addition to all of the above.

-Kevin



Re: Configuration doubt

2007-07-16 Thread tnt
Help you with what? If you managed to add the password to the check table
what could be the problem in adding Session-Timeout to the reply table?

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Osvaldohp [EMAIL PROTECTED] wrote:

I have a hotspot that gives access to the internet for my users. I use IPCOP
with the advproxy addon as a point controller.
So when a user tries to access the internet, IPCOP (advproxy) asks for a
username and password and then tries to authenticate the user against the radius
server.
Everything is great so far; my only problem is I can't limit the user's
internet access using the Session-Timeout attribute.
I really don't know what I have to do now. Can someone help me?




Re: Configuration doubt

2007-07-13 Thread Thiago Drechsel

Hi Ivan.

It worked just fine. Just what I needed!

Thanks a lot.

On 7/12/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


You can use huntgroups:

nasA   NAS-IP-Address == aaa.aaa.aaa.aaa
   User-Name = jane,
   User-Name = peter

nasB   NAS-IP-Address == bbb.bbb.bbb.bbb
   User-Name = john,
   User-Name = peter

nasC   NAS-IP-Address == ccc.ccc.ccc.ccc
   User-Name = john,
   User-Name = peter

nasD   NAS-IP-Address == ddd.ddd.ddd.ddd
   User-Name = george,
   User-Name = peter

John can use B and C, Jane only A, George only D while Peter can use them
all. If John tries to connect to A he will be rejected even if his
credentials (user/pass) are correct. This also works with (SQL, Ldap)
groups. This doesn't scale very well. It's a quick and easy solution
for a small number of devices and users (groups).

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, Thiago Drechsel [EMAIL PROTECTED] wrote:

Hi all.

I'm new to FreeRADIUS. I'd like some help configuring my RADIUS server
in order to accomplish the following task:

I have a RADIUS server, called R. This RADIUS server authenticates users who want
to access our lab equipment, called A, B, C, D, etc.

I want to restrict access to this equipment to some users, using RADIUS.
For example, user john can only access equipment B and C, but can't
access equipment A and D.

Can anyone help me with this task?

Thanks in advance

Thiago




Re: Configuration doubt

2007-07-12 Thread tnt
You can use huntgroups:

nasA   NAS-IP-Address == aaa.aaa.aaa.aaa
   User-Name = jane,
   User-Name = peter

nasB   NAS-IP-Address == bbb.bbb.bbb.bbb
   User-Name = john,
   User-Name = peter

nasC   NAS-IP-Address == ccc.ccc.ccc.ccc
   User-Name = john,
   User-Name = peter

nasD   NAS-IP-Address == ddd.ddd.ddd.ddd
   User-Name = george,
   User-Name = peter

John can use B and C, Jane only A, George only D while Peter can use them
all. If John tries to connect to A he will be rejected even if his
credentials (user/pass) are correct. This also works with (SQL, Ldap)
groups. This doesn't scale very well. It's a quick and easy solution
for a small number of devices and users (groups).

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, Thiago Drechsel [EMAIL PROTECTED] wrote:

Hi all.

I'm new to FreeRADIUS. I'd like some help configuring my RADIUS server
in order to accomplish the following task:

I have a RADIUS server, called R. This RADIUS server authenticates users who want
to access our lab equipment, called A, B, C, D, etc.

I want to restrict access to this equipment to some users, using RADIUS.
For example, user john can only access equipment B and C, but can't
access equipment A and D.

Can anyone help me with this task?

Thanks in advance

Thiago



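As an added example (not code from the post above or from the FreeRADIUS project), the Python below renders a huntgroups file of the shape Ivan shows from an allow-list and then replays the matching rules the huntgroup check applies to it: the first stanza whose NAS-IP-Address matches the request decides, the User-Name items inside that stanza are alternatives, and a request from a NAS that matches no stanza is not restricted by huntgroups at all. The NAS addresses and user names are constructed sample data.

```python
"""Per-device access control with FreeRADIUS huntgroups.

Added example, not code from the post or from the FreeRADIUS project: it
renders a huntgroups file from an allow-list, then replays the matching rules
the huntgroup check applies to it so the policy can be checked before it is
deployed. Addresses and user names below are constructed sample data.
"""
import ipaddress
import re

# Constructed policy: huntgroup name -> (NAS-IP-Address, allowed User-Names).
POLICY = {
    "nasA": ("192.0.2.10", ["jane", "peter"]),
    "nasB": ("192.0.2.11", ["john", "peter"]),
    "nasC": ("192.0.2.12", ["john", "peter"]),
    "nasD": ("192.0.2.13", ["george", "peter"]),
}

# User-Name values are written unquoted, as in the post, so restrict them to
# characters that cannot break the file format or smuggle in a second item.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._@-]+$")


def render_huntgroups(policy):
    """Render a huntgroups file. The first line of a stanza carries the NAS
    match; the following lines list User-Name items. Several items for the
    same attribute are alternatives: the user must match one of them."""
    stanzas = []
    for group, (nas_ip, users) in policy.items():
        ipaddress.ip_address(nas_ip)  # raises ValueError on a malformed address
        if not users:
            # A stanza with a NAS match and no User-Name items lets everyone
            # on that NAS through, the opposite of an allow-list. Fail closed.
            raise ValueError(f"{group}: empty allow-list")
        for user in users:
            if not _SAFE_NAME.match(user):
                raise ValueError(f"{group}: unsafe User-Name {user!r}")
        items = ",\n".join(f"\tUser-Name = {u}" for u in sorted(set(users)))
        stanzas.append(f"{group}\tNAS-IP-Address == {nas_ip}\n{items}")
    return "\n\n".join(stanzas) + "\n"


def parse_huntgroups(text):
    """Parse the subset of the format written above into an ordered list of
    (name, nas_ip, {users}). Order is kept because the server uses it."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # stanza header: name + first-line check
            name, rest = line.split(None, 1)
            m = re.match(r"NAS-IP-Address\s*==\s*(\S+)$", rest.strip())
            if not m:
                raise ValueError(f"unsupported first-line check: {line!r}")
            groups.append((name, m.group(1), set()))
        else:                      # indented continuation: one User-Name item
            m = re.match(r"User-Name\s*=\s*(\S+?),?$", line.strip())
            if not m or not groups:
                raise ValueError(f"unsupported item: {line!r}")
            groups[-1][2].add(m.group(1))
    return groups


def huntgroup_decision(text, nas_ip, user):
    """Replay the huntgroup access check: the first stanza whose first-line
    check matches the request decides, and the request is rejected unless
    its User-Name is one of that stanza's items. A request from a NAS that
    matches no stanza is not restricted by huntgroups, so a device added to
    the network without a stanza is left unprotected by this mechanism."""
    for _name, group_ip, users in parse_huntgroups(text):
        if group_ip == nas_ip:
            return "accept" if user in users else "reject"
    return "no-huntgroup"


def check_policy(policy, requests):
    """Evaluate (nas_ip, user) pairs against the rendered file."""
    text = render_huntgroups(policy)
    return {(ip, u): huntgroup_decision(text, ip, u) for ip, u in requests}


if __name__ == "__main__":
    print(render_huntgroups(POLICY))
    probes = [("192.0.2.11", "john"), ("192.0.2.10", "john"),
              ("192.0.2.13", "peter"), ("198.51.100.9", "john")]
    for (ip, u), verdict in check_policy(POLICY, probes).items():
        print(f"{u:>8} via {ip:<14} -> {verdict}")
```

Running it prints the rendered file and a few probe verdicts. The `no-huntgroup` result is the caveat to keep in mind with this approach: huntgroups only restrict devices that have a stanza, so every new NAS needs one before it is allowed to send requests, and the generator refuses an empty allow-list because such a stanza would admit everyone on that device rather than nobody.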


Re: Configuration for EAP-SIM

2007-07-06 Thread tnt
locate src/tests/eapsim

Ivan Kalik
Kalik Informatika ISP


On 6/7/2007, Garvin Haslett [EMAIL PROTECTED] wrote:

Can anyone direct me to an example eap.conf entry to use EAP-SIM?  I
have looked but I don't see an example.

Cheers,

Garvin.



Re: configuration

2007-04-20 Thread A . L . M . Buxey
Hi,
 I want to configure my FreeRADIUS server to be a proxy server! Can I have 
 the config of the modifications to FreeRADIUS's files?
 My proxy server must work with IAS on Windows Server 2003!
 Thanks!

You've already posted them. Exactly why it's not working is another issue
altogether! Is your FR box set as a client in the IAS? Is your FR
box configured to handle unknown EAP types? Is your FR box firewalled?
Is your IAS firewalled?

Please show us some radiusd -X output!

alan


Re: configuration

2007-04-20 Thread tnt
There is nothing you need to modify in radiusd.conf - proxying is enabled
by default. All you need to do is enter info about IAS server into
proxy.conf. IAS uses both 1812/1813 and 1645/1646 ports for
authentication/accounting by default, so take your pick. Instructions in
proxy.conf about setting up proxy realms are quite clear.

Ivan Kalik
Kalik Informatika ISP


On 20/4/2007, parfait kouassi nda [EMAIL PROTECTED] wrote:

I want to configure my FreeRADIUS server to be a proxy server! Can I have
the config of the modifications to FreeRADIUS's files?
My proxy server must work with IAS on Windows Server 2003!
Thanks!



re: configuration

2007-04-20 Thread parfait kouassi nda
My last configuration of these files is:
radiusd.conf
proxy_requests = yes

proxy.conf
realm gie.local {
 type =  radius
 authhost =  LOCAL
 accthost  =  LOCAL
 }

realm DEFAULT {
   type =  radius
   authhost =  araignee.gie.local:1812
   accthost  =  araignee.gie.local:1813
   secret =  parfait
   nostrip
   }

Clients.conf
client 192.168.0.2 {
secret = parfait
shortname  = araignee.gie.local
}

When I do the configuration in all files my FreeRADIUS rejects my packets!
This is the output of radiusd -X!

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = nobody
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 0
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.


rad_recv: Access-Request packet from host 192.168.3.1:1812, id=19, 
length=130

Re: configuration

2007-04-20 Thread A . L . M . Buxey
Hi,

 My last configuration of these files is:
 radiusd.conf
 proxy_requests = yes
 
 proxy.conf
 realm gie.local {
  type =  radius
  authhost =  LOCAL
  accthost  =  LOCAL
  }
 
 realm DEFAULT {
type =  radius
authhost =  araignee.gie.local:1812
accthost  =  araignee.gie.local:1813
secret =  parfait
nostrip
}

You are totally aware that this configuration means that your FR box
will see any gie.local and attempt the AAA itself. Is this what you want?
From your debug logs it looks like you really want everything to be sent
to your IAS, so why are you attempting to handle gie.local or anything
at all if all you want to do is proxy?

I.e. remove the realm gie.local stuff and just keep the DEFAULT if your
FR isn't configured to handle those clients!

alan


Re: re: configuration

2007-04-20 Thread tnt
You are not sending gie.local to your IAS but dealing with them locally.
Change realm gie.local back to realm LOCAL and it should start to proxy
such requests.

Ivan Kalik
Kalik Informatika ISP


On 20/4/2007, parfait kouassi nda [EMAIL PROTECTED] wrote:

My last configuration of these files is:
radiusd.conf
proxy_requests = yes

proxy.conf
realm gie.local {
 type =  radius
 authhost =  LOCAL
 accthost  =  LOCAL
 }

realm DEFAULT {
   type =  radius
   authhost =  araignee.gie.local:1812
   accthost  =  araignee.gie.local:1813
   secret =  parfait
   nostrip
   }

Clients.conf
client 192.168.0.2 {
secret = parfait
shortname  = araignee.gie.local
}

When I do the configuration in all files my FreeRADIUS rejects my packets!
This is the output of radiusd -X!

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = nobody
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 0
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /usr/local/var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = 

Re: configuration problem in Freeradius.

2006-11-19 Thread K. Hoercher

Hi!

Assuming you don't have a user/passwd johndoe/hello in your
/etc/passwd (see the comment in the lines above the matching DEFAULT, l. 157),
your debug output shows a correctly working FreeRADIUS.

Speculating further: if you'd like to have an Access-Accept on that test
without creating a system user johndoe, you should add something
like:

johndoe  User-Password := "hello"

to the users file (preferably before l. 157; see man users and the
comments in the file itself)

Anything else would require your telling us so. (What do you want to
achieve, by which means, what is the behaviour of the server?)

regards
K. Hoercher


Re: Configuration of users file

2005-12-27 Thread Alan DeKok
Mike Cisar [EMAIL PROTECTED] wrote:
 But beyond that, how can I then skip over the 20 or so poola/poolb checks
 which do not apply for acceleration requests? Maybe there's a cleaner way
 of doing this?

  The users file isn't really meant for complex processing like that.
You're running into its limitations, which are pretty severe.

 So essentially what I need to do is an initial determination of whether the
 request is dialup, acceleration, or NNTP (well basically if it's
 acceleration or nntp, with dialup being the default path if it's neither of
 the former).

  My suggestion is to use rlm_passwd.  Define server-side attributes
like Where-From with values like dialup, acceleration, and
nntp.  Use rlm_passwd to match the client IP's to Where-From.

 Go down a particular branch of processing depending on which
 of the three flavors of request it is, and then drop back out of those
 checks into a common branch

  The users file can do that.

 P.S. Is there a syntax by which I can specify something like...
 
 DEFAULT Client-IP-Address == (207.102.99.65 or 207.102.99.66 or
 207.102.99.67), Group != poolb, Auth-Type :=Reject

  Nope.

 or somehow pre-define a group of NAS' to use in place such as...
 
 clientpoola = 207.102.99.65, 207.102.99.66, 207.102.99.67
 DEFAULT Client-IP-Address == clientpoola, Group != poolb, Auth-Type
 :=Reject
 
 rather than specifying a separate stanza for each Client-IP-Address as I
 have in my existing config?

  rlm_passwd.  Map the client IP's to a common where-from, and key
off of that in the users file.

  Alan DeKok.



Re: Configuration item User-Password is required for authentication problem

2005-08-15 Thread Alan DeKok
Tomáš Komárek [EMAIL PROTECTED] wrote:
 The problem is probably in the line:
 
 rlm_digest: Configuration item User-Password is required for 
 authentication.
 
 Can anybody tell me how to overcome this problem?

  Try telling the server what the user's password is.

  Alan DeKok.


Re: configuration change without restarting???

2005-08-04 Thread A . L . M . Buxey
Hi,

 Is there any way that we can apply some conf changes without restarting 
 radiusd?

http://www.freeradius.org/faq/

SIGHUP is what you are looking for

alan