upgrade from 0.6 to 0.7: 2 problems (bugs?)
Hello,

I just upgraded from 0.6 to 0.7 and I am experiencing 2 big problems:

1) The 0.7 server is sending a malformed "Class Attribute":

Debug:
Sending Access-Accept of id 44 to x.x.192.138:1046
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Class = 0x

I had not this problem with 0.6

2) Exec-Program-Wait still doesn't work in 0.7 debugging mode but it should as described in Changelog.

Debug:
modcall: group authtype returns ok
radius_xlat: '/usr/local/perl/radius/check_ulg.pl u28'
Exec-Program: /usr/local/perl/radius/check_ulg.pl u28
Exec-Program-Wait: value-pairs: Class = "internet",Framed-IP-Address = x.x.39.12
Exec-Program: Abnormal child exit
Login incorrect (external check failed): [u28@INTERNET] (from client vpn-intra port 1041)
Delaying request 0 for 1 seconds

What am I doing wrong?

Thanks for your help.

Francois.

Francois DESSART
Network Engineer - SEGI/ULG

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius Newbee
Hello all

I'm a newbie with FreeRadius. Now I have got some problems configuring the server. Finally, I'd like to have the following situation: I have a firewall with one VPN-Key. It works, but 50 clients with one VPN-Key is not controllable. The solution seems to me a Radius-server. Now my question is, how to configure this server? I have seen that I must use the users file, but I don't know how to add a new user for this job. And must I change anything in the *.conf files?

Thanks a lot and greets
Stefan

Sent by Stefan Hilfiker ([EMAIL PROTECTED])
http://get.to/Stefhilfiker
Re: Adding NAS-Port-Type to a Access-Request for certain realms
Hello,

I have changed it to using a suffix instead eg: [EMAIL PROTECTED], I added this to the hints file.

DEFAULT Suffix = ".xdsl", Strip-User-Name = Yes
        NAS-Port-Type = xDSL

Only problem is the suffix is not being stripped, only the realm is being removed. Anyone know how I can fix this?

- OUTPUT -
Thread 1 handling request 0, (1 handled so far)
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "\333\330\331\017K\343`(B^\252\264\375\374[\225"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm .xxx.xx for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm .xxx.xx
rlm_realm: Adding Stripped-User-Name = "bbuilder.xdsl"
rlm_realm: Proxying request from user bbuilder.xdsl to realm x.xxx.xx
rlm_realm: Adding Realm = ".xxx.xx"
rlm_realm: Authentication realm is LOCAL.
rlm_realm: auth_port is not set. proxy cancelled
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 1
modcall[authorize]: module "files" returns ok
modcall: entering group redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bbuilder.xdsl
radius_xlat: '(uid=bbuilder.xdsl)'
radius_xlat: 'ou=Internet Service Provider,dc=xxx,dc=xxx,dc=xx'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap..xxx.xx:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as / to ldap..xxx.xx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Internet Service Provider,dc=xxx,dc=xxx,dc=xx, with filter (uid=bbuilder.xdsl)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap1" returns notfound
modcall: group redundant returns notfound
modcall: group authorize returns notfound
rad_check_password: Found Auth-Type Pam
auth: type "PAM"
modcall: entering group authenticate
pam_pass: using pamauth string for pam.conf lookup
pam_pass: function pam_authenticate FAILED for . Reason: User not known to the underlying authentication module
modcall[authenticate]: module "pam" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [[EMAIL PROTECTED]/] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:34499, id=143, length=75
Sending Access-Reject of id 143 to 127.0.0.1:34499
        Ascend-Client-Assign-DNS = DNS-Assign-Yes
        Ascend-Client-Primary-DNS = xxx
        Ascend-Client-Secondary-DNS = xxx
        Ascend-Assign-IP-Pool = 6
        Ascend-Maximum-Channels = 1

Allister P Maguire
Development Consultant
Actonz Management Group Ltd
PH: +64 4 915 7711
Adding NAS-Port-Type to a Access-Request for certain realms
Hello,

We are using realms eg: @dialin.mydomain.com & @xdsl.mydomain.com. I want to be able to add NAS-Port-Type=xDSL - Digital Subscriber Line of unknown type, if they are using @xdsl.mydomain.com to the access-request. The reason I want to do this is because the telco we buy these off don't send us this attribute. I will then check to see if the user is authorised to use xdsl. Can I add this to the access-request?

Regards
Allister P Maguire
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
> there is a patch which should be already integrated in the release which
> supports that. if it doesn't grep the maillist archives for it, it was

oups: if it ISN'T of course...

--
Artur Hecker
artur[at]hecker.info
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
> "Please note that WEP is not yet supported in freeradius"
>
> Is that still the case? The whole reason we're looking at EAP-TLS is to work
> around the gross security problems with WLANs - and EAP-TLS provides that
> protection by dynamically generating WEP session keys...

there is a patch which should be already integrated in the release which supports that. if it doesn't grep the maillist archives for it, it was submitted by Lars Viklund and Henrik Eriksson. if you don't find it, ask them, the addresses should be there.

ciao
artur

--
Artur Hecker
artur[at]hecker.info
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
On Tue, Aug 13, 2002 at 09:35:22AM -0400, Alan DeKok wrote:
> Jason Haar <[EMAIL PROTECTED]> wrote:
> > I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but
> > when I try to use xsuplicant on a WLAN Linux client, radiusd crashes:
>
> Uh, no. Your shared libraries are set up wrong. The server asks to
> do run-time linking, and *your* run-time linker fails to find that symbol.

So you mean Redhat have it wrong again? There's a surprise :-)

> Figure out how to get shared libraries working on your
> system. It's not the fault of the server that your dynamic linker
> can't resolve a symbol.
>

Seriously? So no-one running Redhat can make this work (I've tried it under RH 7.1 and 7.2)? I've already had someone else e-mail me saying they have the same problem, so it looks pretty generic. The other rlm modules work fine - it's just the eap ones that have this problem (i.e. it's an openssl issue).

BTW: I did all the LD_PRELOAD and libdir stuff to no avail.

Anyway, now that I've read the docs, I'm wondering if EAP-TLS support is actually finished yet. doc/eap says:

"Please note that WEP is not yet supported in freeradius"

Is that still the case? The whole reason we're looking at EAP-TLS is to work around the gross security problems with WLANs - and EAP-TLS provides that protection by dynamically generating WEP session keys...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Accounting is Where?
hi michael

i had the same problems under my potato-debian without any sql, i.e. the radutmp, radwtmp and stmp simply haven't existed although they were in all relevant accounting sections etc. at the same time, the details file was full of lines. i tried to create the files with zero length, to make them world-writeable, i tried lot of things but nothing ever happened.

three updates and a complete system update later i probably still have the same problems ;-) but it's not very important to me so i didn't check since then.

i think, there is some issue (bug) related to that fact which has nothing to do with sql. you should probably take a look to the logs (this probably won't help :-)) and then you should try to strace your server grepping for fopens or somewhat like this. i wanted to do this but i simply didn't have time. the guys will be able to tell what exactly you have to do, i'm not a specialist for those questions.

dumb questions: you are sure that your nas sends accounting packets?

greetings,
artur

> Okay... I checked everything. Permissions are permitting, modules are
> modulating, etc.

--
Artur Hecker
artur[at]hecker.info
errorlog
On Sat, 27 Jul 2002 06:26:05 +0200, [EMAIL PROTECTED] wrote:

Looks like he wants a radius.log on sql.

>> How to make that in the table of a database the data
>> on the reason of refusal in access were inserted?

> Huh? I have NO clue what that's supposed to mean.

> Alan DeKok.

Alexandre Ganso - Director, Steel Goose Moto Group
September 6, 7 and 8 - Steel Goose 10th Anniversary - Ouro Branco - MG
500 Four 1974... It isn't fast. But it takes me to the end of the world.
[EMAIL PROTECTED] - ICQ# 3778773
"Too many freaks, not enough circuses"
counter module counting too many times
On Fri, 26 Jul 2002 04:07:07 +0200, [EMAIL PROTECTED] wrote:

The trouble is that these packets are not EXACTLY identical. They use to have some different values - which of course I don't remember now, as I'm far from my radius box now. Something about timeout between NAS send and radius acknowledges it. (At least on my case and someone else which wrote me months ago, but I didn't keep his email.)

>> I'm using 0.5 and just noticed that when the same acct packet arrive
>> more than once to the server, the counter module does not control the
>> fact that it is repeated -not even if the acct_uniq module is being
>> used- and its count-attribute get added several times.

> Yes, that's a problem.

> The issue is that the counter module (and much of the server) has no
>way of knowing if the accounting packet is a duplicate or not. So
>it's difficult to know when to do something with an accounting packet,
>and when to ignore it.

> The SQL module would know it was duplicate, because it has
>persistent storage and lookup. The 'detail' module wouldn't, because
>it doesn't do lookups.

>> Anyone working on this?

> Nope. I'm not sure if there's a simple fix right now.

Alexandre Ganso
counter module counting too many times
On Fri, 26 Jul 2002 04:07:07 +0200, [EMAIL PROTECTED] wrote:

Some people had the same trouble some time ago. The only thing I could do to stop this was setting the Acct_Unique_Id as "unique" on radacct table, so mysql server would discard subsequent packets with the same id.

My box keeps sending duplicated packets for months, but with this wacky fix I could solve the problem for me. I don't have a clue about how to solve this on systems which don't use sql for accounting. (In fact, this was one of the things which made me switch to sql).

>I'm using 0.5 and just noticed that when the same acct packet arrive
>more than once to the server, the counter module does not control the
>fact that it is repeated -not even if the acct_uniq module is being
>used- and its count-attribute get added several times. Just checked the
>latest cvs version to find that this behavior remains unchanged; it has
>only minor changes.
>
>Anyone working on this?

Alexandre Ganso
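The two "counter module counting too many times" messages above describe retransmitted accounting packets being counted twice, and a UNIQUE Acct_Unique_Id column on radacct as the workaround. The sketch below is an added example, not code from the posts or from FreeRADIUS: it uses SQLite in place of MySQL, a hypothetical counter table, and a key derivation that is an assumption (it is not the acct_unique module's algorithm) and deliberately ignores Acct-Delay-Time.

```python
import hashlib
import sqlite3

# Attributes that identify one accounting event. Acct-Delay-Time is left out:
# a NAS may change it on a retransmission, which is one way the "same" packet
# arrives not exactly identical (assumption of this example).
KEY_ATTRS = ("NAS-IP-Address", "Acct-Session-Id", "User-Name", "Acct-Status-Type")

# Constructed sample packets: a Stop, its retransmission, and a second session.
STOP = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10",
        "Acct-Session-Id": "0000A1", "Acct-Status-Type": "Stop",
        "Acct-Session-Time": "600", "Acct-Delay-Time": "0"}
RETRANSMIT = dict(STOP, **{"Acct-Delay-Time": "5"})
SECOND = dict(STOP, **{"Acct-Session-Id": "0000A2", "Acct-Session-Time": "300"})


def acct_unique_id(packet):
    """Derive a stable key for a packet (illustrative, not rlm_acct_unique)."""
    material = "\n".join(f"{name}={packet.get(name, '')}" for name in KEY_ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:32]


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct ("
               " Acct_Unique_Id TEXT NOT NULL UNIQUE,"
               " UserName TEXT NOT NULL,"
               " AcctSessionTime INTEGER NOT NULL)")
    # Hypothetical per-user usage counter, standing in for the counter module.
    db.execute("CREATE TABLE counter ("
               " UserName TEXT PRIMARY KEY, total INTEGER NOT NULL)")
    return db


def handle_stop(db, packet):
    """Record a Stop packet; return True if counted, False if a duplicate."""
    uid = acct_unique_id(packet)
    user = packet["User-Name"]
    seconds = int(packet["Acct-Session-Time"])
    with db:  # one transaction: the row and the counter move together
        cur = db.execute("INSERT OR IGNORE INTO radacct VALUES (?, ?, ?)",
                         (uid, user, seconds))
        if cur.rowcount == 0:
            return False  # UNIQUE constraint rejected the row: duplicate
        db.execute("INSERT OR IGNORE INTO counter VALUES (?, 0)", (user,))
        db.execute("UPDATE counter SET total = total + ? WHERE UserName = ?",
                   (seconds, user))
    return True


def total_for(db, user):
    row = db.execute("SELECT total FROM counter WHERE UserName = ?",
                     (user,)).fetchone()
    return row[0] if row else 0


def naive_total(packets, user):
    """What a counter with no duplicate detection would add up."""
    return sum(int(p["Acct-Session-Time"]) for p in packets
               if p["User-Name"] == user)


def run_demo():
    db = open_db()
    packets = [STOP, RETRANSMIT, SECOND]
    counted = [handle_stop(db, p) for p in packets]
    return counted, total_for(db, "alice"), naive_total(packets, "alice")


if __name__ == "__main__":
    print(run_demo())
```

The counter is only updated when the insert into radacct succeeds, so the uniqueness check and the count cannot drift apart.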
Check using regexes
On Sat, 20 Jul 2002 06:26:09 +0200, [EMAIL PROTECTED] wrote:

You change the operator to the one used for regexes (some time out of a computer and six hours by plane from my freeradius box, but I think it is ":~"). And the number is changed to a regex, one which would mean "it starts with 321 and then whatever".

| 4 | group1| Calling-Station-Id| 321 | NULL |

>how to check the same multiple attribute using logic OR ?
>or using Regexes ?
>i read that ICRadius can use OR Logic Patch ... how about freeradius

Alexandre Ganso
Uninstall
On Thu, 18 Jul 2002 10:45:04 +0200, [EMAIL PROTECTED] wrote:

> At this point, deleting everything you've installed, and installing
>the last CVS snapshot on a clean system.

Wouldn't it be a nice thing some kind of "uninstaller" stuff?
Upgrading from 0.2
On Fri, 19 Jul 2002 16:20:04 +0200, [EMAIL PROTECTED] wrote:

>My question is, are there any documents/files located anywhere that have
>instructions on migrating from old versions to the new version, or do I
>just have to start from the beginning again?

Looks like the second option would be a wiser thing to do. As Alan DeKok said, it's so old it's scary >:-)

Alexandre Ganso
Re: ip pool again
On Tue, 13 Aug 2002, Guillermo Schimmel wrote:

> It still doesn't work.
>
> > Hi list:
> >
> > I'm starting the tests with the ippool module.
> >
> > I added this line on the users file:
> >
> > DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := Accept, Pool-Name := "prueba"
> >
> > And created an IP pool:
> >
> > ippool prueba {
> >     range-start = 10.170.200.1
> >     range-stop = 10.170.200.254
> >     netmask = 255.255.255.0
> >     cache-size = 800
> >     session-db = /raddb/db.ippool
> >     ip-index = /raddb/db.ipindex
> > }
>
> I can start the server and it works ok, but it doesn't reply with
> the Framed-IP-Address attribute.
>
> > What am I doing wrong?
> >
> > I'm sorry if this is ANOTHER stupid question.
> >
> > Thanks a lot for your time.
> >
> > Guillermo

Have you added the module in the authorize and accounting sections in radiusd.conf? Make sure also that ippool comes after the files module in the authorize section.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf
RE: Accounting is Where?
At 03:24 PM 8/13/2002 -0400, Funk, Michael wrote:
>Okay... I checked everything. Permissions are permitting, modules are
>modulating, etc.
>
>could this have anything to do with the fact that I'm using SQL to auth and
>trying to write to the traditional log files? I see all the goop in the
>sql.conf regarding logging. The radius.log file is working fine, just not
>accounting!

Nope. If you don't include SQL in the accounting section, it won't use SQL to attempt to log anything. The accounting code is there, but it isn't used unless you include SQL in your 'accounting' section of the config.

What happens in debug mode when an accounting request is received?

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
RE: Accounting is Where?
Okay... I checked everything. Permissions are permitting, modules are modulating, etc.

could this have anything to do with the fact that I'm using SQL to auth and trying to write to the traditional log files? I see all the goop in the sql.conf regarding logging. The radius.log file is working fine, just not accounting!

-Original Message-
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:06 AM
To: [EMAIL PROTECTED]
Subject: Re: Accounting is Where?

At 12:04 PM 8/13/2002 -0400, Funk, Michael wrote:
>Okay.
>
>I'm trying to use mySQL to authenticate, but I need to log accounting to
>flat files. (The local tables are read-only and I can't afford the
>performance hit to log to SQL)
>
>The auth works fine, but the accounting files aren't being created... Any
>ideas?

Do you have 'detail' module configured to log detail files properly? Have you checked directory permissions ( the radius process must have write permission to the directory to write detail files )? Have you included 'detail' in the 'accounting' block of your 'radiusd.conf' file?

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
ip pool again
It still doesn't work.

> Hi list:
>
> I'm starting the tests with the ippool module.
>
> I added this line on the users file:
>
> DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := Accept, Pool-Name := "prueba"
>
> And created an IP pool:
>
> ippool prueba {
>     range-start = 10.170.200.1
>     range-stop = 10.170.200.254
>     netmask = 255.255.255.0
>     cache-size = 800
>     session-db = /raddb/db.ippool
>     ip-index = /raddb/db.ipindex
> }

I can start the server and it works ok, but it doesn't reply with the Framed-IP-Address attribute.

> What am I doing wrong?
>
> I'm sorry if this is ANOTHER stupid question.
>
> Thanks a lot for your time.
>
> Guillermo
RE: set up radius groups
On Tue, 13 Aug 2002, Sheldon Fougere wrote:

> Is there a tarball available for dialup_admin? I don't know how to use CVS.
>
> Thanks,
> Sheldon

ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/ for the server nightly CVS snapshots and http://www.freeradius.org/development.html#cvs for instructions on how to use CVS to download the server.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf
RE: set up radius groups
Is there a tarball available for dialup_admin? I don't know how to use CVS.

Thanks,
Sheldon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kostas Kalevras
Sent: Saturday, August 10, 2002 1:53 PM
To: [EMAIL PROTECTED]
Subject: Re: set up radius groups

On Sat, 10 Aug 2002, Aleksandr Kuzminsky wrote:

> On Wed, 7 Aug 2002, Rick Eicher II wrote:
>
> > I have freeradius 0.07 with postgresql. I am looking for some idea of how
> > to add/setup radius groups. I have the dialadmin up and running but do not
> > see anything there. I am now searching through the archives and FAQ.
> >
> > Can anyone point me in the right direction on this?
> Use radgroup(check/reply) and usergroup tables.
>
> ---
> Aleksandr Kuzminsky, AK476-RIPE
> System Administrator, AK16-UANIC
> ISP NBI.

I have just committed group support to dialup_admin. Please try it out (cvs update) and tell me if it works. Since I am not using sql in production even a 'yes it works!' would be really helpful.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf
SOLVED: Sorry: Re: ip pool: Unknown attribute Pool-Name
I'm sorry. This was really stupid.

I was using the old dictionary file, from fr 0.4.

Guillermo Schimmel wrote:

> Hi list:
>
> I'm starting the tests with the ippool module.
>
> I added this line on the users file:
>
> DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := Accept, Pool-Name := "prueba"
>
> And created an IP pool:
>
> ippool prueba {
>     range-start = 10.170.200.1
>     range-stop = 10.170.200.254
>     netmask = 255.255.255.0
>     cache-size = 800
>     session-db = /raddb/db.ippool
>     ip-index = /raddb/db.ipindex
> }
>
> Now, when I start the server it says:
>
> /usr/local/etc/raddb/users[144]: Parse error (check) for entry
> DEFAULT: Unknown attribute Pool-Name
>
> What am I doing wrong?
>
> I'm sorry if this is a stupid question, but I have looked in the
> docs and in the list and can't find any hint.
>
> Thanks a lot for your time.
>
> Guillermo
Re: 2 important question
Hooman Amini <[EMAIL PROTECTED]> wrote:
> 1- is there any experience hardware requirements for 30/60/ or 100
> concurrent user from different NAS

Any hardware should be OK for that. A Pentium III would be fine.

> 2- how can I set dictionary files and radius.conf through database?

You can't.

Alan DeKok.
Re: radrelay is showing segmentation fault [patch]
On Tue, Aug 13, 2002 at 11:49:56AM -0400, Alan DeKok wrote: > Simon <[EMAIL PROTECTED]> wrote: > > + if (!argv[1]) > > + usage(); > > + if (!strlen(argv[1])) > > + usage(); > > That's *very* bad, as it accesses memory which may not exist. It > would be better to check 'argc' against 'optind', which doesn't access > non-existent elements of arrays. Blah, yeah, sorry, you're obviously correct. It's to hot here to think right now. -- Simon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2 important question
Hi,

I gonna get a maintenance image of freeradius.

1- is there any experience hardware requirements for 30/60/ or 100 concurrent user from different NAS
2- how can I set dictionary files and radius.conf through database?

Regards,
Hooman Amini
Re: Accounting is Where?
At 12:04 PM 8/13/2002 -0400, Funk, Michael wrote:
>Okay.
>
>I'm trying to use mySQL to authenticate, but I need to log accounting to
>flat files. (The local tables are read-only and I can't afford the
>performance hit to log to SQL)
>
>The auth works fine, but the accounting files aren't being created... Any
>ideas?

Do you have 'detail' module configured to log detail files properly? Have you checked directory permissions ( the radius process must have write permission to the directory to write detail files )? Have you included 'detail' in the 'accounting' block of your 'radiusd.conf' file?

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Accounting is Where?
Okay.

I'm trying to use mySQL to authenticate, but I need to log accounting to flat files. (The local tables are read-only and I can't afford the performance hit to log to SQL)

The auth works fine, but the accounting files aren't being created... Any ideas?

Michael Funk
Network Administrator
Supra Telecom - Quincy
217-592-5031
Re: radrelay is showing segmentation fault [patch]
Simon <[EMAIL PROTECTED]> wrote: > The segmentation fault otoh is a stupid bug by me. Patch included > against current cvs, some very minor documentation updates are included > to. Be good if this could be applied. Added, except for: > + if (!argv[1]) > + usage(); > + if (!strlen(argv[1])) > + usage(); That's *very* bad, as it accesses memory which may not exist. It would be better to check 'argc' against 'optind', which doesn't access non-existent elements of arrays. I've change the patch a bit, and committed it. Thanks. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ip pool: Unknown attribute Pool-Name
Hi list:

I'm starting the tests with the ippool module.

I added this line on the users file:

DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := Accept, Pool-Name := "prueba"

And created an IP pool:

ippool prueba {
    range-start = 10.170.200.1
    range-stop = 10.170.200.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = /raddb/db.ippool
    ip-index = /raddb/db.ipindex
}

Now, when I start the server it says:

/usr/local/etc/raddb/users[144]: Parse error (check) for entry DEFAULT: Unknown attribute Pool-Name

What am I doing wrong?

I'm sorry if this is a stupid question, but I have looked in the docs and in the list and can't find any hint.

Thanks a lot for your time.

Guillermo
Re: (no subject)
"Javier Santos" <[EMAIL PROTECTED]> wrote:
> Then I descompress the radius on windows, then ftp to unix

Huh? Why the heck would you do that?

> /download# tar zxvf freeradius.tar.gz
> tar: z: unknown option

So use 'gunzip'. This is beginners Unix.

> /download# tar -xvf freeradius.tar.gz
> tar: directory checksum error

At which point any files which *are* pulled from the archive are garbage.

> /download/freeradius-0.7# ./configure
> ksh: ./configure: not found

Figure out how to use 'gzip' and 'gunzip'.

Alan DeKok.
RE: (no subject)
You are using the Solaris tar which does not support the "z" option. First you will use gunzip to unzip it. Then use tar w/out the "z" option. The other possibility is to download and install gnu tar which does support the z option and also fixes a few things that the Solaris tar breaks.

Aaron Weiker

-Original Message-
From: Javier Santos [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: (no subject)

Hello

When I try to make a procedure to install radius there are a problem with commands, tar zxvf freeradius.tar.gz. Then I decompress the radius on windows, then ftp to unix but when I run ./configure does not run. how i install on solaris 5.8 with another commands.

Thanks.

/download# ls
freeradius-0.7 freeradius-0.7.tar.gz freeradius.tar.gz
/download# tar zxvf freeradius.tar.gz
tar: z: unknown option
Usage: tar {txruc}[vfbFXhiBEelmopwnq[0-7]] [-k size] [tapefile] [blocksize] [exclude-file] [-I include-file] files ...
/download# tar -xvf freeradius.tar.gz
tar: directory checksum error
/download#
/download# ls
freeradius-0.7 freeradius-0.7.tar.gz freeradius.tar.gz
/download#
/download# cd freeradius-0.7
/download/freeradius-0.7# ls
COPYRIGHT     README        configure.in  ltconfig      scripts
CREDITS       acconfig.h    debian        ltmain.sh     src
INSTALL       aclocal.m4    dialup_admin  man           todo
LICENSE       config.guess  doc           missing
Make.inc.in   config.sub    install-sh    raddb
Makefile      configure     libltdl       redhat
/download/freeradius-0.7# ./configure
ksh: ./configure: not found
/download/freeradius-0.7#
(no subject)
Hello

When I try to make a procedure to install radius there are a problem with commands, tar zxvf freeradius.tar.gz. Then I decompress the radius on windows, then ftp to unix but when I run ./configure does not run. how i install on solaris 5.8 with another commands.

Thanks.

/download# ls
freeradius-0.7 freeradius-0.7.tar.gz freeradius.tar.gz
/download# tar zxvf freeradius.tar.gz
tar: z: unknown option
Usage: tar {txruc}[vfbFXhiBEelmopwnq[0-7]] [-k size] [tapefile] [blocksize] [exclude-file] [-I include-file] files ...
/download# tar -xvf freeradius.tar.gz
tar: directory checksum error
/download#
/download# ls
freeradius-0.7 freeradius-0.7.tar.gz freeradius.tar.gz
/download#
/download# cd freeradius-0.7
/download/freeradius-0.7# ls
COPYRIGHT     README        configure.in  ltconfig      scripts
CREDITS       acconfig.h    debian        ltmain.sh     src
INSTALL       aclocal.m4    dialup_admin  man           todo
LICENSE       config.guess  doc           missing
Make.inc.in   config.sub    install-sh    raddb
Makefile      configure     libltdl       redhat
/download/freeradius-0.7# ./configure
ksh: ./configure: not found
/download/freeradius-0.7#
Re: radrelay is showing segmentation fault [patch]
On Mon, Aug 12, 2002 at 03:19:24PM +0530, Atanu Das wrote: > Hello FreeRadius Users, > > radrelay program is showing segmentation fault. I followed the procedure as >mentioned in the document of "radrelay" program. > > radrelay -n test > > Segmentation Fault Actually, you didn't follow the procedure described in the radrelay documentation, you didn't supply a detailfile name. You should have done something like: ./radrelay -n test detail-combined The segmentation fault otoh is a stupid bug by me. Patch included against current cvs, some very minor documentation updates are included to. Be good if this could be applied. -- Simon diff -urN --exclude=CVS radiusd.orig/man/man8/radrelay.8 radiusd/man/man8/radrelay.8 --- radiusd.orig/man/man8/radrelay.8Wed Jul 10 10:09:12 2002 +++ radiusd/man/man8/radrelay.8 Tue Aug 13 15:54:17 2002 @@ -13,7 +13,7 @@ .RB [ \-n .IR shortname ] .RB [ \-r -.IR remote-server ] +.IR remote-server[:port] ] .RB [ \-s .IR secret ] .RB [ \-S @@ -49,8 +49,11 @@ this way. Do not use the -r, -s or -S parameters in combination with -n. .IP "\-r \fIremote-server\fP" -The remote server that will be recieving the accounting packets. -The -r parameter can't be used in combination with -n. +The hostname or IP address of the remote server. Optionally a UDP port +can be specified. If no UDP port is specified, it is looked up in +\fI/etc/services\fP. The service name looked for is \fBradacct\fP for +accounting packets. If a service is not found in \fI/etc/services\fP, +1813 is used. The -r parameter can't be used in combination with -n. .IP "\-s \fIsecret\fP" Remote server secret. 
@@ -62,13 +65,6 @@ .IP \-x Enable debug mode, -x will activate radrelay internal debugging, -xx will also activate librad debugging. - -.IP "server[:port]" -The hostname or IP address of the remote server. Optionally a UDP port -can be specified. If no UDP port is specified, it is looked up in -\fI/etc/services\fP. The service name looked for is \fBradacct\fP for -accounting packets. If a service is not found in \fI/etc/services\fP, -1813 is used. .IP "detailfile" The detail file to use, this will be appended to the base accounting diff -urN --exclude=CVS radiusd.orig/src/main/radrelay.c radiusd/src/main/radrelay.c --- radiusd.orig/src/main/radrelay.cWed Jul 10 10:09:14 2002 +++ radiusd/src/main/radrelay.c Tue Aug 13 15:50:19 2002 @@ -800,6 +800,10 @@ usage(); if (r_args.secret != NULL && shortname != NULL) usage(); + if (!argv[1]) + usage(); + if (!strlen(argv[1])) + usage(); /* * If we've been given a shortname, try to fetch the secret and
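Review bot: in the radrelay.8 hunk at @@ -49,8 +49,11 @@ the option heading .IP "\-r \fIremote-server\fP" is left as unchanged context while the synopsis in the first hunk becomes remote-server[:port], so the two no longer agree; the heading should carry the same [:port]. The rewritten description also drops the statement that this is the server receiving the accounting packets, which is worth keeping in its first sentence.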
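Review bot: in the radrelay.c hunk at @@ -800,6 +800,10 @@ the second added check, if (!strlen(argv[1])), is only safe when usage() never returns after the first check has found argv[1] to be NULL; folding both into one test such as if (!argv[1] || !argv[1][0]) usage(); removes that dependency. The hunk also does not show whether argv has been advanced past the parsed options at this point, so it is worth confirming that index 1 really is the detailfile, or testing the remaining argument count instead.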
Re: accounting-start proxy error
>> It works fine for authentication request/accept and accounting-stop, but
>> my NAS complains about the accounting-start messages:
>
> Then it's most likely a problem with the attributes in the
> accounting start packet.
>
>> WARNING: Identifier does not match - ignoring response
>> WARNING: Invalid response signature - check secret!
>
> If the first message is true, then the second is caused by the
> first.
>
> You say that the NAS complains about the accounting-start packet,
> but FreeRADIUS never sends one to the NAS, it only sends an
> Accounting-Response packet. So where does this message come from, and
> when does it happen?

Sorry, my mistake, I meant Accounting-Request.

This is what Freeradius gets from the NAS:

rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:, id=120, length=149
    Acct-Delay-Time = 8
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Identifier = ""
    Acct-Status-Type = Start
    Acct-Session-Id = "3b7a0001"
    Acct-Authentic = RADIUS
    User-Name = "x"

This is what Freeradius proxies to MS IAS:

Sending Accouting-Request of id 22 to xxx.xxx.xxx.xxx:
    Acct-Delay-Time = 8
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Identifier = ""
    Acct-Status-Type = Start
    Acct-Session-Id = "3b7a0001"
    Acct-Authentic = RADIUS
    User-Name = "x"
    Proxy-State = "120"

Freeradius gets the following back from MS IAS:

rad_recv: Accouting-Response packet from xxx.xxx.xxx.xxx:, id=22, length=25
    Proxy-State = 0x313230

And sends it on to the NAS:

Sending Accouting-Response of id 120 to xxx.xxx.xxx.xxx:xx

And the NAS generates the error:

WARNING: Identifier does not match - ignoring response
WARNING: Invalid response signature - check secret!

Josh Howlett, Networking and Digital Communications Group,
Information Systems & Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
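The two NAS warnings in the message above correspond to two separate checks a RADIUS client applies to an Accounting-Response: the identifier must equal that of the pending request, and the Response Authenticator must be MD5 over the response header, the request's authenticator, the response attributes and the shared secret (RFC 2866). The Python below is an added example, not code from the thread or from FreeRADIUS; the secrets and the second request are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code, ident, attrs, secret, request_auth=b"\x00" * 16):
    """Build and sign an accounting packet (RFC 2866, section 3)."""
    # Requests hash 16 zero octets; responses hash the request's authenticator.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def check_response(request, response, secret):
    """Return the problems a client would report for this response."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE:
        return ["not an Accounting-Response"]
    problems = []
    if response[1] != request[1]:
        problems.append("identifier does not match")
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        problems.append("invalid response signature")
    return problems

def demo():
    """Constructed packets; ids and Acct-Session-Id follow the thread."""
    nas_secret = b"constructed-nas-secret"           # assumption
    home_secret = b"constructed-home-server-secret"  # assumption
    start = attr(40, struct.pack("!I", 1))           # Acct-Status-Type = Start
    req = build_packet(ACCT_REQUEST, 120, start + attr(44, b"3b7a0001"), nas_secret)
    other = build_packet(ACCT_REQUEST, 121, start + attr(44, b"3b7a0002"), nas_secret)
    reply = build_packet(ACCT_RESPONSE, 120, b"", nas_secret, req[4:20])
    # A reply signed with the proxy-to-home-server secret instead of the NAS's.
    resigned = build_packet(ACCT_RESPONSE, 120, b"", home_secret, req[4:20])
    return {
        "matching": check_response(req, reply, nas_secret),
        "answers_other_request": check_response(other, reply, nas_secret),
        "wrong_secret": check_response(req, resigned, nas_secret),
    }

if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "ok")
```

In the second case both warnings appear together, because a reply that answers a different request was signed over that other request's authenticator; in the third only the signature check fails.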
Re: how to rotate detail accounting files properly
"Francois Dessart" <[EMAIL PROTECTED]> wrote:
> I'm looking for the best and cleanest way to rotate "detail" accounting
> log files.
>
> Could you tell me how I should do?

Don't. :) Instead, set:

detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail

Which will cause the detail files to be automatically created every day.

Alan DeKok.
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Jason Haar <[EMAIL PROTECTED]> wrote:
> I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but
> when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:

Uh, no. Your shared libraries are set up wrong. The server asks to do run-time linking, and *your* run-time linker fails to find that symbol.

> radiusd: relocation error: /usr/lib/rlm_eap_tls-0.7.so: undefined symbol:
> SSL_set_msg_callback_arg
>
> I then tried compiling 0.7 under openssl-0.9.7 and under
> openssl-engine-0.9.6g (using LD_PRELOAD/etc) with the same error.

Figure out how to get shared libraries working on your system. It's not the fault of the server that your dynamic linker can't resolve a symbol.

See the FAQ and the comments around 'libdir' in radiusd.conf.

The ONLY way to fix the problem is to fix your linker. There's NOTHING you can do to the server which will fix the problem.

Alan DeKok.
Re: FreeRadius, Where to Begin
"Matt" <[EMAIL PROTECTED]> wrote:
> Is there a step by step guide that would help me to get freeRadius going?

The FAQ, the docs, but not much more.

> I would also like a web page that I could log into to update the
> user database and check user bandwidth usage. Is this all possible
> with freeRadius?

Did you try *looking* in the distribution? 'dialup_admin', which is included with the server, does most of that. It's not extremely documented, but it's there.

> I installed the latest FreeRadius build on Redhat 7.3 but have been unable
> to get anywhere with it. Here is my logfile output.
...
> Mon Aug 12 19:38:07 2002 : Error: rlm_unix: You MUST specify a shadow
> password file!

So... did you READ the message you posted to the list? I really don't understand what the problem is.

Alan DeKok.
how to rotate detail accounting files properly
Hello,

I'm looking for the best and cleanest way to rotate "detail" accounting log files.

Could you tell me how I should do?

Thanks for your help.

Francois.

Francois DESSART
Network Engineer - SEGI/ULG
Possible bugfix for authentication in rlm_mysql.c
Hi,

I have just been "getting to know" freeradius (using version 0.7), and ran into a minor problem...

I wanted to use sql to set the attributes, but do the password authentication in another module, so I commented out "authenticate_query" in sql.conf. This did not work...

On closer inspection, rlm_sql.c has the test:

if (inst->config->authenticate_query){ ...

but in the config parsing a default of "" (empty string) is specified, so even if the config string is commented out, it still tries to authenticate.

Changing this to:

if((inst->config->authenticate_query) && (strlen(inst->config->authenticate_query) > 0)){...

works like a charm.

Attached is a patch to implement this change, if you want it.

Thanks,
-justin

PS. Aside from this glitch, my experience with freeradius is wholly positive. Well documented, easy to use, very flexible, etc... Great work!

--- freeradius-0.7/src/modules/rlm_sql/rlm_sql.cThu Jul 25 17:54:23 2002 +++ ../cellid/freeradius-0.7/src/modules/rlm_sql/rlm_sql.c Tue Aug 13 12:59:00 +2002 @@ -462,7 +462,7 @@ pairfree(&reply_tmp); pairfree(&check_tmp); - if (inst->config->authenticate_query){ + if ((inst->config->authenticate_query) && +(strlen(inst->config->authenticate_query) > 0)){ radius_xlat(querystr, MAX_QUERY_LEN, inst->config->authenticate_query, request, sql_escape_func); /* Remove the username we (maybe) added above */
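Review bot: in the changed condition, strlen() walks the whole query string only to learn whether it is empty; testing the first byte, inst->config->authenticate_query[0] != '\0', says the same thing and reads more directly as "query disabled". A short comment that an empty authenticate_query means SQL authentication is skipped would help, since the pointer test alone suggests NULL is the only disabled state, and it is worth checking that the cleanup announced by the trailing "Remove the username we (maybe) added above" comment still runs when the branch is skipped. The continuation line +(strlen(...) > 0)){ starts at column 0 and the +++ timestamp is broken onto +2002, so the patch looks wrapped by the mailer and may not apply as sent.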