Re: IP Address Assignment
Hi

There is FW between NAS and private network. If the ip address assignment is controlled by radius. Then I can restrict where the dialup users go to after the authentication.

My NAS configure:

    aaa new-model
    aaa authentication login default radius
    aaa authentication ppp default radius
    interface Group-Async1
     ip unnumbered Ethernet0
     no ip directed-broadcast
     encapsulation ppp
     async default routing
     async mode interactive
     peer default ip address pool poo -del for use radius
     no cdp enable
     ppp authentication pap chap
     group-range 1 30

and user profile:

    userA   Auth-Type := Local, Password == userA, Pool-Name := RAS
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Routing = Broadcast-Listen,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP

Can you point out the mistake due to failure connection?

K

--- Kostas Kalevras [EMAIL PROTECTED] wrote:
> On
> Yes you can. The question is why should you? The Cisco access servers can do ip pool assignment/management on their own.
> -- Kostas Kalevras Network Operations Center

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Lockout
On Fri, 20 Sep 2002, Nick Marino wrote:
> How can you lock a user other than changing their password when authenticating against a mysql database?

Set Auth-Type to Reject for that user

--
Kostas Kalevras, Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: IP Address Assignment
On Fri, 20 Sep 2002, ho k wrote:
> Hi
> There is FW between NAS and private network. If the ip address assignment is controlled by radius. Then I can restrict where the dialup users go to after the authentication.

You can send back a reply item stating the nas ip pool from which an IP should be allocated.

> and user profile:
>
>     userA   Auth-Type := Local, Password == userA, Pool-Name := RAS
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP,
>             Framed-Routing = Broadcast-Listen,
>             Framed-MTU = 1500,
>             Framed-Compression = Van-Jacobson-TCP-IP
>
> Can you point out the mistake due to failure connection?
> K

Can you also post your ippool, authorize/post-auth and accounting sections of your radiusd.conf? Could you also post a debug output (radiusd -X) of an Access-Request?

--
Kostas Kalevras
Re: Ippool
On Thu, 19 Sep 2002, Homer Parker wrote:
> Having a bit of a time getting an Orinoco AS-2000 to get an ip address from the ippool module.. I authenticate just fine, it just falls through the users file to the dial-up stuff before it gets a match... Here's some info:
>
> users file
>
>     DEFAULT NAS-IP-Address == 172.16.1.8, Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64
>     DEFAULT Auth-Type := Pam, Group == wireless64, Pool-Name := wireless64
>     DEFAULT Group == wireless128, Pool-Name := wireless128
>     DEFAULT Group == wireless192, Pool-Name := wireless192
>     DEFAULT Group == wireless256, Pool-Name := wireless256
>     DEFAULT Auth-Type := Pam, Huntgroup-Name == wireless64, Pool-Name := wireless64
>     DEFAULT Huntgroup-Name == wireless128, Pool-Name := wireless128
>     DEFAULT Huntgroup-Name == wireless192, Pool-Name := wireless192
>     DEFAULT Huntgroup-Name == wireless256, Pool-Name := wireless256
>
> radiusd.conf
>
>     authorize {
>         preprocess
>         files
>     }
>     authenticate {
>         pam
>     }

I am not sure that you can do group membership checks with the pam module. Try using the unix module for that (just put it in the instantiate section to register its groupcmp function).

--
Kostas Kalevras
Re: IP Address Assignment
Hi

User profile:

    b       NAS-IP-Address == 192.168.31.10, Auth-Type := Local, Password == b, Pool-Name := RAS1
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Routing = Broadcast-Listen,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := Accept, Pool-Name := RAS
            Fall-Through = 1

    DEFAULT NAS-IP-Address == 192.168.31.10, Auth-Type := Accept, Pool-Name := RAS1
            Fall-Through = 1

    DEFAULT Auth-Type := CHAPPAP
            Fall-Through = 1

    DEFAULT Service-Type == Framed-User
            Framed-MTU = 1500,
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

radiusd.conf:

    ippool RAS {
        range-start = 192.168.59.193
        range-stop = 192.168.59.195
        netmask = 255.255.255.0
        cache-size = 3
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
    }
    ippool RAS1 {
        range-start = 192.168.31.193
        range-stop = 192.168.31.195
        netmask = 255.255.255.0
        cache-size = 3
        session-db = ${raddbdir}/db1.ippool
        ip-index = ${raddbdir}/db1.ipindex
    }
    }
    Authorize {
        preprocess
        chap
        suffix
        sql
        files
        RAS
        RAS1
    }
    authenticate {
        unix
        authtype CHAPPAP {
            chap
            pap
        }
    }
    accounting {
        unix
        sql
        RAS
        RAS1
        radutmp
    }

debug output:

    Module: Loaded IPPOOL
    ippool: session-db = /usr/local/etc/raddb/db.ippool
    ippool: ip-index = /usr/local/etc/raddb/db.ipindex
    ippool: range-start = 192.168.59.193 IP address [192.168.59.193]
    ippool: range-stop = 192.168.59.195 IP address [192.168.59.195]
    ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
    ippool: cache-size = 3
    Module: Instantiated ippool (RAS)
    ippool: session-db = /usr/local/etc/raddb/db1.ippool
    ippool: ip-index = /usr/local/etc/raddb/db1.ipindex
    ippool: range-start = 192.168.31.193 IP address [192.168.31.193]
    ippool: range-stop = 192.168.31.195 IP address [192.168.31.195]
    ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
    ippool: cache-size = 3
    Module: Instantiated ippool (RAS1)
    Module: Loaded radutmp
    radutmp: filename = /usr/local/var/log/radius/radutmp
    radutmp: username = %{User-Name}
    radutmp: perm = 384
    radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
    Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.31.10:1645, id=112, length=92
        NAS-IP-Address = 192.168.31.10
        NAS-Port = 30
        NAS-Port-Type = Async
        User-Name = b
        Called-Station-Id = 190962
        Calling-Station-Id = 85290200959
        User-Password = t\365\000\261\324[\324\025_Z\r\324\306\035\217\356
        Service-Type = Framed-User
        Framed-Protocol = PPP
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_chap: Could not find proper Chap-Password attribute in request
    modcall[authorize]: module chap returns noop
    rlm_realm: Looking up realm NULL for User-Name = b
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop
    radius_xlat: 'b'
    sql_set_user: escaped user -- 'b'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'b' ORDER BY id'
    rlm_sql: Reserving sql socket id: 3
    rlm_sql: User b not found
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'b' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'b' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    sql_set_user: escaped user -- 'DEFAULT'
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql: DEFAULT not found
    rlm_sql: Released sql socket id: 3
    modcall[authorize]: module sql returns notfound
    users: Matched b at 150
    modcall[authorize]: module files returns ok
    modcall[authorize]: module RAS
Re[2]: Group reject. Group* attribute bug in users file?
Dear [EMAIL PROTECTED],

Group-Name == slow checks for Group-Name attribute in check list (that is list of attributes received in RADIUS request).

format = *User-Name:User-Password:Group-Name adds Group-Name attribute to config items list. So there will never be Group-Name in check list. Changing Group-Name to Group will give no result.

I can change rlm_passwd to be able to add something to reply attributes list. In this case you will be able to directly add Pool-Name from passwd file to RADIUS reply.

--Friday, September 20, 2002, 2:58:15 PM, you wrote to [EMAIL PROTECTED]:

mmr I have similar problem. I try group-based authenticate.
mmr in radius.conf:
mmr passwd raddb_userlist {
mmr     filename = /etc/raddb/userlist
mmr     format = *User-Name:User-Password:Group-Name
mmr     authtype = MS-CHAP
mmr     hashsize = 1000
mmr     ignorenislike = no
mmr     allowmultiplekeys = no
mmr }
mmr in /etc/raddb/userlist:
mmr mmike:mike:fast
mmr users file (with line numbers):
mmr 185:DEFAULT Group-Name == slow, Pool-Name := ippool-1-slow
mmr 186:Fall-Through = Yes
mmr 187:
mmr 188:DEFAULT Group-Name == fast, Pool-Name := ippool-1-fast
mmr 189:Fall-Through = Yes
mmr 190:
mmr 191:DEFAULT Service-Type == Framed-User
mmr 192:Framed-MTU = 1500,
mmr 193:Service-Type = Framed-User,
mmr 194:Fall-Through = Yes
mmr now i run radiusd:
mmr # radiusd -xx
mmr ...
mmr modcall: entering group authorize
mmr modcall[authorize]: module preprocess returns ok
mmr rlm_passwd: Added User-Password: mike
mmr rlm_passwd: Added Group-Name: fast

Group-Name attribute added with value fast

mmr rlm_passwd: Adding Auth-Type: MS-CHAP
mmr
mmr users: Matched DEFAULT at 191
mmr modcall[authorize]: module files returns ok
mmr ...
mmr MATCH found at line 191 only. Hm.. what about line 188?!!!
mmr I try use Group attr instead Group-Name. Result is the same.
mmr Its like a bug?

I have install freeradius 0.7.1 on slackware 8.0 with shadow password. Installation was ok and basic functions are working. I have experience problems when i try to deny access to one of the groups on the radius server. Following instruction did not help. I try:

    DEFAULT Group == users , Auth-Type :=Reject
    DEFAULT Group == users , Auth-Type :=Reject
    DEFAULT Group == users , Auth-Type =Reject
    DEFAULT Group == users , Auth-Type =Reject

And more before:

    DEFAULT Auth-Type := System

but nothing work. User marcin, group users was always able to authenticate. This is a debug of the auth process:

    rad_recv: Access-Request packet from host 216.168.1.38:4751, id=131, length=81
        NAS-IP-Address = 216.168.1.38
        Calling-Station-Id = 204.251.93.250
        User-Name = marcin@hostplus.net
        User-Password = \274\252\2162\275\rS+\305F.\240\007Ia
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: Looking up realm hostplus.net for User-Name = marcin@hostplus.net
    rlm_realm: Found realm hostplus.net
    rlm_realm: Adding Stripped-User-Name = marcin
    rlm_realm: Proxying request from user marcin to realm hostplus.net
    rlm_realm: Adding Realm = hostplus.net
    rlm_realm: Authentication realm is LOCAL.
    rlm_realm: auth_port is not set. proxy cancelled
    modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 6
    modcall[authorize]: module files returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type System
    auth: type System
    modcall: entering group authenticate
    modcall[authenticate]: module unix returns ok
    modcall: group authenticate returns ok
    Login OK: [marcin@hostplus.net] (from client supernews port 0 cli 204.251.93.250)
    Sending Access-Accept of id 131 to 216.168.1.38:4751
    Finished request 4
    Going to the next request

And one more thing. Will i be able to limit access based on Called-Station-id ? If so what would be a process to set this up?

--
~/ZARAZA
Man is a mystery... I occupy myself with this mystery in order to be a man. (Dostoevsky)
My Question about the freeradius
Hi, everybody

I have some questions about freeradius. I have set up EAP/TLS authentication between Supplicant and Freeradius similar to that described at http://www.missl.cs.umd.edu/wireless/eaptls/. And it is written in IEEE 802.11-02/389 IEEE 802.1x Pre-Authentication that the RADIUS server transfer the premaster secret to NAS in ACCESS_ACCEPT packet encapsulating its VENDOR_SPECIFIC (vendor-id=MS_MPPE_RECV_KEY) attribute. But I can't get that attribute in ACCESS_ACCEPT packet. How can I get the premaster key from the server?

I hope for your answer, thank you very much. :-)
Re[3]: Group reject. Group* attribute bug in users file?
> Dear [EMAIL PROTECTED],
> Group-Name == slow checks for Group-Name attribute in check list (that is list of attributes received in RADIUS request).
> format = *User-Name:User-Password:Group-Name adds Group-Name attribute to config items list. So there will never be Group-Name in check list. Changing Group-Name to Group will give no result.

Can I move attribute from config items list to check list? Or how i can check config attribute?

> I can change rlm_passwd to be able to add something to reply attributes list. In this case you will be able to directly add Pool-Name from passwd file to RADIUS reply.

No. this is bad idea to add Pool-Name to Reply. Imagine, I have 2 NASes with 2 ip-pool for each (ippool-1-fast, ippool-1-slow for 1-st NAS and ippool-2-fast, ippool-2-slow for 2-nd NAS). So we have 4 different ip-pools. User can connect to any of NASes. rlm_passwd returns slow or fast for the user. If user from slow group connected to NAS#1, Pool-Name have to changed to ippool-1-slow. If user connected to NAS#1, then Pool-Name := ippool-2-slow. Can you explain me how I can make such choice?

mmr I have similar problem. I try group-based authenticate.
mmr in radius.conf:
mmr passwd raddb_userlist {
mmr     filename = /etc/raddb/userlist
mmr     format = *User-Name:User-Password:Group-Name
mmr     authtype = MS-CHAP
mmr     hashsize = 1000
mmr     ignorenislike = no
mmr     allowmultiplekeys = no
mmr }
mmr in /etc/raddb/userlist:
mmr mmike:mike:fast
mmr users file (with line numbers):
mmr 185:DEFAULT Group-Name == slow, Pool-Name := ippool-1-slow
mmr 186:Fall-Through = Yes
mmr 187:
mmr 188:DEFAULT Group-Name == fast, Pool-Name := ippool-1-fast
mmr 189:Fall-Through = Yes
mmr 190:
mmr 191:DEFAULT Service-Type == Framed-User
mmr 192:Framed-MTU = 1500,
mmr 193:Service-Type = Framed-User,
mmr 194:Fall-Through = Yes
mmr now i run radiusd:
mmr # radiusd -xx
mmr ...
Segmentation Fault
Thanks to those who helped me solve my previous problem while compiling freeradius.

The error message listed below comes out when I run radiusd -xx. I am using freeradius-snapshot-20020920 and freetds-0.60 running on a redhat Linux 7.X.

    ', '%{Acct-Delay-Time}')
    sql: group_membership_query =
    sql: connect_failure_retry_delay = 60
    sql: simul_count_query =
    sql: simul_verify_query =
    rlm_sql: Driver rlm_sql_freetds loaded and linked
    rlm_sql: Attempting to connect to [EMAIL PROTECTED]:/radius
    rlm_sql: starting 0
    rlm_sql: Attempting to connect #0
    Segmentation fault (core dumped)

Please take note that as suggested in the archive, I already deleted all old rlm_* libraries. I even installed a new redhat box to make sure that only the libraries that are needed will be installed.

Steps on how to troubleshoot this problem will be greatly appreciated.

Thanks
Re: Ippool
On Fri, 20 Sep 2002 11:45:51 +0300 (EEST) Kostas Kalevras [EMAIL PROTECTED] wrote:
> I am not sure that you can do group membership checks with the pam module. Try using the unix module for that (just put it in the instantiate section to register its groupcmp function).

I'll give that a try, thanks!

---
Homer Parker
LAN/WAN, Wireless Networking, PC Sales/Service
Linux, OS/2, Windows9x, Windows NT/2000 Support
PC Services, 129 W 8th #101, Russell, KS 67665
785.483.7602 [EMAIL PROTECTED] http://www.pcsrvc.com

Either you can say I'm for Open Source, open standards, or I'm against standards. Either you can say I'm for giving customers and communities a choice or I'm against giving customers and communities a choice.
- Sam Palmisano, IBM President and COO at LinuxWorld Expo 2001
Question regarding Proxy-State [33] Attribute
Hi List,

We are currently trying to get FreeRadius 0.7.1 to work with our VopRadius server. This is how it flows.

Our users dial into the Qwest Network. The Qwest NAS sends a request to Qwest's radius proxy servers - Qwest proxy servers send a request to one of our proxy servers - our proxy server sends the request to our VopRadius server - VopRadius authenticates the user.

Sounds easy right? This is what we are running into. On top of some errors about accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the clients file.. ick) we are not getting authenticated. The only reason that this would happen is because our proxy server is NOT sending back a Proxy-State [33] attribute. How can I make sure that FreeRadius sends this attr back? If I can't get it to do this, can someone please advise a software package that can do this?

Thank you and have a good day.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street, Fremont, OH 43420
800-644-6638 [EMAIL PROTECTED] www.nwonline.net
Re: My Question about the freeradius
hi

if you install the newest version of freeradius (try the newest snapshot but it should be in the version 0.7 already integrated) you will have this feature. you just have to pay attention on the compilation process of the rlm_eap_tls module.

if you have more questions on it, feel free to ask...

ciao
artur

lu_luwang wrote:
> Hi, everybody
> I have some questions about freeradius. I have set up EAP/TLS authentication between Supplicant and Freeradius similar to that described at http://www.missl.cs.umd.edu/wireless/eaptls/. And it is written in IEEE 802.11-02/389 IEEE 802.1x Pre-Authentication that the RADIUS server transfer the premaster secret to NAS in ACCESS_ACCEPT packet encapsulating its VENDOR_SPECIFIC (vendor-id=MS_MPPE_RECV_KEY) attribute. But I can't get that attribute in ACCESS_ACCEPT packet. How can I get the premaster key from the server?
> I hope for your answer, thank you very much. :-)

--
Artur Hecker, Groupe Accès et Mobilité, hecker[at]enst[dot]fr
Département Informatique et Réseaux +33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris
RE:EAP-MD5 fails to authenticate users
Indeed SteelBelted and Microsoft IAS issues very short State attributes that the NAS doesn't truncate.

Is possible to change the State attribute max length in freeradius? (I know is a workaround to solve the problem temporally)

Regards and thanks for your answer.

Jorge

Artur Hecker [EMAIL PROTECTED] wrote:
> take a look at the state attributes. your NAS is truncating the State attribute which was issued by Radius to 64 hexadecimal characters, i.e. 256bit (64*4):
>
>     issued:   0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f
>     received: 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf
>
> The software on your NAS must have been written by the same people who wrote the Merit RADIUS server.
>
> i have no idea if this behaviour is RFC-correct or not. the problem doesn't or didn't occur with other radius servers, probably because their state attributes are always/were by chance shorter.
>
> Mangling the State attribute is explicitly prohibited by the RFC's.
>
> Raghu, Alan, what do you think? are the state attributes too long or is the NAS firmware broken?
>
> I wouldn't object to making the State attribute shorter, but the NAS is definitely broken.
>
> Jorge: you can try to take a look in the radius RFC if you can find a limitation for the state attribute...
>
> http://www.freeradius.org/rfc/attributes.html and click on 'State'.
>
> Alan DeKok.
Re: EAP-MD5 fails to authenticate users
hi jorge

it's definitely possible to change the maximum length of the State attribute by changing the provided source code. however, i have no idea on how to do it exactly. perhaps Alan could help. or you could try to take a look yourself, it can't be difficult.

ciao
artur

--
Artur Hecker, Groupe Accès et Mobilité, hecker[at]enst[dot]fr
Département Informatique et Réseaux +33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris
Re: Question regarding Proxy-State [33] Attribute
At 09:51 AM 9/20/2002 -0400, Brandon Lehmann wrote:
> Hi List,
> We are currently trying to get FreeRadius 0.7.1 to work with our VopRadius server. This is how it flows.
> Our users dial into the Qwest Network. The Qwest NAS sends a request to Qwest's radius proxy servers - Qwest proxy servers send a request to one of our proxy servers - our proxy server sends the request to our VopRadius server - VopRadius authenticates the user.
> Sounds easy right? This is what we are running into. On top of some errors about accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the clients file.. ick) we are not getting authenticated.

Huh? Uhh, no. You don't need to do that unless Qwest's NAS are going to talk to your radius server directly. If requests are proxied through Qwest's radius servers, then you only have to add their Radius server IPs to your clients file.

> The only reason that this would happen is because our proxy server is NOT sending back a Proxy-State [33] attribute. How can I make sure that FreeRadius sends this attr back? If I can't get it to do this, can someone please advise a software package that can do this?

If Qwest's server sends it to you, then FreeRADIUS will send it back. You can find out what you are receiving from Qwest and what you are sending back by running the server in Debug mode ( radiusd -x -x ).

Good luck.

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc., (847) 963-0116
WX *is* Wireless! http://www.starnetwx.net
Wholesale Internet Services - http://www.megapop.net
Re: Question regarding Proxy-State [33] Attribute
Brandon Lehmann [EMAIL PROTECTED] wrote:
> This is what we are running into. On top of some errors about accounting (FreeRadius wants us to add ALL of qwest's NAS boxes to the clients file.. ick)

No, that's definitely not true. The ONLY addresses which are required to be in the 'clients' file are the machines which send packets to the server.

> The only reason that this would happen is because our proxy server is NOT sending back a Proxy-State [33] attribute. How can I make sure that FreeRadius sends this attr back?

Look at the output of debugging mode?

Also, try upgrading to the latest CVS snapshot. It has a few more fixes which didn't make it into 0.7.1.

Alan DeKok.
Ignoring request from unknown client
Hi

I am running radiusd in debugging mode

    radiusd -fxxyz -p 1812

Returns these results: (ip's *'d out)

    rad_recv: Access-Request packet from host ***.**.16.64:4610, id=0, length=61
    Ignoring request from unknown client ***.**.16.64:4610

Any suggestions? Need more info?
SQL and accounting data
I have a question about moving accounting data out of a SQL database. We are planning on running freeradius 0.7.1 on RH 7.3 using mySQL for accounting. What do people do here to move the old accounting data out of the radacct table in such a way that you don't lose any new accounting records? We are ready to implement and am looking for some suggestions on how this could be done safely...

---
I have not failed. I've just found 10,000 ways that won't work. - Thomas Edison

Michael Hendrix [EMAIL PROTECTED]
Systems Engineer / SysAdmin Team Leader
Logical Net / Capital Net
(518) 292-4509
Re: Ignoring request from unknown client
At 10:33 AM 9/20/2002 -0500, [EMAIL PROTECTED] wrote:
> Hi
> I am running radiusd in debugging mode
>
>     radiusd -fxxyz -p 1812
>
> Returns these results: (ip's *'d out)
>
>     rad_recv: Access-Request packet from host ***.**.16.64:4610, id=0, length=61
>     Ignoring request from unknown client ***.**.16.64:4610

That ip is not in your clients file?

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc., (847) 963-0116
WX *is* Wireless! http://www.starnetwx.net
Wholesale Internet Services - http://www.megapop.net
Re: Ignoring request from unknown client
Two possible scenarios:

1) You don't have this client defined in your clients.conf file.
2) Someone is sending you radius requests you don't know about. Go whack 'em.

(Note that 1 doesn't preclude 2 from happening. :) )

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around. -- Simon Travaglia

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2002 10:33 AM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Ignoring request from unknown client

> Hi
> I am running radiusd in debugging mode
>
>     radiusd -fxxyz -p 1812
>
> Returns these results: (ip's *'d out)
>
>     rad_recv: Access-Request packet from host ***.**.16.64:4610, id=0, length=61
>     Ignoring request from unknown client ***.**.16.64:4610
>
> Any suggestions? Need more info?
Re: EAP-MD5 fails to authenticate users
Fernandez, Jorge [EMAIL PROTECTED] wrote:
> Is possible to change the State attribute max length in freeradius? (I know is a workaround to solve the problem temporally)

Sure. Edit the source code, and submit a patch to the list.

Alan DeKok.
Re: SQL and accounting data
Some suggestions:

1) Setup the sql query so that it inserts into the radacct_MM table, or something similar. You can do this by using 'radacct_%Y%m' for the table name. One problem with this would be at the end of the month when a new table is used, the accounting stop records won't match up with their start records.

2) Add a timestamp field to the table and have it set to NOW() when the record is updated. Then write a script to move the old data to another table after some period of time.

Just some ideas that popped into my head. I'm sure there's an easier solution out there somewhere

Kevin

On Friday 20 September 2002 11:40, Mike Hendrix wrote:
> I have a question about moving accounting data out of a SQL database. We are planning on running freeradius 0.7.1 on RH 7.3 using mySQL for accounting. What do people do here to move the old accounting data out of the radacct table in such a way that you don't lose any new accounting records? We are ready to implement and am looking for some suggestions on how this could be done safely...
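An added example, not part of the original thread, of suggestion 2: a script that moves old rows from radacct to an archive table inside one transaction. It uses Python's in-memory sqlite3 as a stand-in for MySQL; the reduced table layout, the `updated_at` column, the `radacct_archive` table and the rule of archiving only sessions that already have a stop time are assumptions made here, and the rows are constructed sample data.

```python
import sqlite3

# Reduced, hypothetical radacct layout; updated_at is the timestamp field
# from suggestion 2 (set on every insert/update of the row).
SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId TEXT PRIMARY KEY,
    UserName      TEXT,
    AcctStartTime TEXT,
    AcctStopTime  TEXT,   -- NULL until the Stop record arrives
    updated_at    TEXT
);
CREATE TABLE radacct_archive AS SELECT * FROM radacct WHERE 0;
"""


def archive_closed_sessions(conn, cutoff):
    """Move sessions that are closed and untouched since `cutoff`.

    The ids are selected first and then copied and deleted by id inside one
    transaction, so a row that changes while the script runs is never
    deleted without having been copied. Open sessions stay in radacct,
    which keeps a late Stop record matchable to its Start.
    """
    with conn:  # commits on success, rolls back on any exception
        ids = [row[0] for row in conn.execute(
            "SELECT AcctSessionId FROM radacct "
            "WHERE AcctStopTime IS NOT NULL AND updated_at < ?", (cutoff,))]
        for sid in ids:
            conn.execute(
                "INSERT INTO radacct_archive "
                "SELECT * FROM radacct WHERE AcctSessionId = ?", (sid,))
            conn.execute("DELETE FROM radacct WHERE AcctSessionId = ?", (sid,))
    return ids


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows: one old closed session, one old session that
    # is still open, one recently closed session.
    rows = [
        ("s1", "userA", "2002-08-01 10:00:00", "2002-08-01 11:00:00", "2002-08-01 11:00:00"),
        ("s2", "b", "2002-08-15 09:00:00", None, "2002-08-15 09:00:00"),
        ("s3", "mmike", "2002-09-20 08:00:00", "2002-09-20 08:30:00", "2002-09-20 08:30:00"),
    ]
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()

    moved = archive_closed_sessions(conn, "2002-09-01 00:00:00")

    # A Stop record for the long-running session arrives after archiving.
    with conn:
        stop = conn.execute(
            "UPDATE radacct SET AcctStopTime = ?, updated_at = ? "
            "WHERE AcctSessionId = ? AND AcctStopTime IS NULL",
            ("2002-09-21 09:00:00", "2002-09-21 09:00:00", "s2"))
    live = [r[0] for r in conn.execute(
        "SELECT AcctSessionId FROM radacct ORDER BY AcctSessionId")]
    archived = [r[0] for r in conn.execute(
        "SELECT AcctSessionId FROM radacct_archive ORDER BY AcctSessionId")]
    return moved, live, archived, stop.rowcount


if __name__ == "__main__":
    print(demo())
```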
Re: Question regarding Proxy-State [33] Attribute
On Fri, 20 Sep 2002, Brandon Lehmann wrote:
> The only reason that this would happen is because our proxy server is NOT sending back a Proxy-State [33] attribute. How can I make sure that FreeRadius sends this attr back? If I can't get it to do this, can someone please advise a software package that can do this?

If the Proxy-State attribute is getting lost somewhere, it's most likely being stripped off by the VopRADIUS server, which, of course, it shouldn't be doing.

I can confirm that the FreeRADIUS CVS snapshot dated 08/16/2002 does receive Proxy-State attributes from QWest NAS correctly, does proxy them correctly (to, in my case, a Radiator server *shudder*), and does return them to the QWest client correctly. It has been behaving exactly as it should according to the RFC through various releases and CVS iterations for about a year.

Does your FreeRADIUS server show a successful authentication, but then the actual session fails to come up, or does the FreeRADIUS server show a failed authentication?

On a QWest-specific note, unless your realm is already in production, Proxy-State shouldn't preclude a successful connection at the NAS end.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | Say not, I have found the truth,
Sr. UNIX Systems Administrator  | but rather, I have found a truth.
Lighthouse Communications       |
[EMAIL PROTECTED]               | Say not, I have found the path of the soul.
(515)244-1115                   | Say rather, I have met the soul walking
(888)953-3278                   | upon my path.
http://www.lh.net               |
                                | -Kahlil Gibran, _The Prophet_, 1923
Re: Question regarding Proxy-State [33] Attribute
At 01:31 PM 9/20/2002 -0500, Franklin Trumpy wrote:
> On Fri, 20 Sep 2002, Brandon Lehmann wrote:
>> The only reason that this would happen is because our proxy server is NOT sending back a Proxy-State [33] attribute. How can I make sure that FreeRadius sends this attr back? If I can't get it to do this, can someone please advise a software package that can do this?
>
> If the Proxy-State attribute is getting lost somewhere, it's most likely being stripped off by the VopRADIUS server, which, of course, it shouldn't be doing.

Which FreeRADIUS handles very gracefully. It also handles Merit servers which decide to mangle attributes.

Any Proxy-State attributes that are received in a reply from a remote server are discarded by FreeRADIUS. The Proxy-State attributes that were sent in the *original* request are copied into the reply to send back to Qwest.

IE, the server already handles the case of a remote server stripping or mangling the Proxy-State(s). Hence the request to run it in debug to see what Qwest is sending, and what is being sent back to them.

-Chris

--
Chris Parker, Director, Engineering, (847) 963-0116
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net
Wholesale Internet Services - http://www.megapop.net
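The reply handling Chris describes, as an added Python example (not FreeRADIUS source code): Proxy-State attributes in the home server's reply are dropped, and the ones from the original request are copied back unmodified and in their original order. The function names and sample attribute values are constructed for illustration; only the attribute type numbers come from RFC 2865.

```python
PROXY_STATE = 33    # RFC 2865 attribute type numbers
REPLY_MESSAGE = 18
USER_NAME = 1


def parse_attrs(data):
    """Decode a RADIUS attribute region into an ordered list of (type, value)."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        # The length octet counts the type and length octets themselves.
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def encode_attrs(attrs):
    """Encode (type, value) pairs as type, length, value octets."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def forward_to_home(request_attrs, own_state):
    """Attributes proxied onward: the request plus this proxy's own Proxy-State."""
    return list(request_attrs) + [(PROXY_STATE, own_state)]


def reply_to_client(request_attrs, home_reply_attrs):
    """Drop every Proxy-State the home server returned, then echo the
    Proxy-States of the original request, unmodified and in order."""
    kept = [(t, v) for t, v in home_reply_attrs if t != PROXY_STATE]
    echoed = [(t, v) for t, v in request_attrs if t == PROXY_STATE]
    return kept + echoed


def demo():
    # Case 1 (constructed): two upstream proxies added Proxy-States; the home
    # server drops one and mangles the other.
    req1 = parse_attrs(encode_attrs(
        [(USER_NAME, b"test"), (PROXY_STATE, b"hop-A"), (PROXY_STATE, b"hop-B")]))
    rep1 = parse_attrs(encode_attrs(
        [(REPLY_MESSAGE, b"ok"), (PROXY_STATE, b"HOP-b")]))
    out1 = reply_to_client(req1, rep1)

    # Case 2 (constructed): the client sends no Proxy-State. Our own value
    # goes out to the home server and comes back, but is not passed on.
    req2 = parse_attrs(encode_attrs([(USER_NAME, b"test")]))
    fwd2 = forward_to_home(req2, b"250")
    rep2 = parse_attrs(encode_attrs([(PROXY_STATE, b"250")]))
    out2 = reply_to_client(req2, rep2)
    return out1, fwd2, out2


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Case 2 has the same shape as the accounting exchange in the debug output later in this thread: the proxy's own Proxy-State of 250 comes back as 0x323530 (ASCII "250"), and no Proxy-State is relayed to the client because the client sent none.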
RE: Realms?
Hello everyone,

I am trying to get realms to work correctly in FreeRadius with no success. I've tried reading some postings and the documentation but still with no success. Is it possible for me to setup users in certain realms so that they would access a different portion of the tree in LDAP? If so does anyone have any suggestions or example that I could follow?

Thanks ahead,

Thai Q. Tran
Email: [EMAIL PROTECTED]
Have a prob, not quite sure what... Help!!?!?
rad_recv: Access-Request packet from host ***.**.16.19:1711, id=213, length=59
    User-Name = "test"
    User-Password = "b\031)\352\243\201\357|3\356,\351\213j\361?"
    NAS-IP-Address = 255.255.255.255
    NAS-Port-Id = "1812"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "test"
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
modcall[authorize]: module "files" returns notfound
radius_xlat: 'test'
sql_set_user: escaped user -- 'test'
radius_xlat: 'SELECT users.ID,username,networks.name as net FROM users,network WHERE users.network=networks.ID Username = 'test''
rlm_sql: Reserving sql socket id: 4
MYSQL check_error: 1146 received
rlm_sql_getvpdata: database query error
rlm_sql: SQL query error; rejecting user
rlm_sql: Released sql socket id: 4
modcall[authorize]: module "sql" returns fail
modcall: group authorize returns fail
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 213 to ***.**.16.19:1711
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 213 with timestamp 3d8b6fcf
Nothing to do. Sleeping until we see a request.

Thanks for all the help guys!
RE: Question regarding Proxy-State [33] Attribute
Chris,

This is the result from my debug (radiusd -x -x)

rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250, length=445
Thread 2 assigned request 6
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 6, (2 handled so far)
    User-Name = [EMAIL PROTECTED]
    NAS-IP-Address = 63.152.3.66
    NAS-Port = 7190
    Service-Type = Framed-User
    Cisco-AVPair = disc-cause-ext=1043
    Cisco-AVPair = pre-bytes-in=250
    Cisco-AVPair = pre-bytes-out=216
    Cisco-AVPair = pre-paks-in=8
    Cisco-AVPair = pre-paks-out=6
    Cisco-AVPair = pre-session-time=27
    Cisco-AVPair = connect-progress=101
    Cisco-AVPair = nas-rx-speed=26400
    Cisco-AVPair = nas-tx-speed=38000
    Cisco-NAS-Port = Async3/07*Serial7/0:1:22
    Calling-Station-Id = 4193321376
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Input-Octets = 0
    Acct-Output-Octets = 8
    Acct-Session-Id = 02000C91
    Acct-Authentic = RADIUS
    Acct-Session-Time = 0
    Acct-Input-Packets = 0
    Acct-Output-Packets = 1
    NAS-Port-Type = Async
    X-Ascend-Pre-Input-Octets = 250
    X-Ascend-Pre-Output-Octets = 216
    X-Ascend-Pre-Input-Packets = 8
    X-Ascend-Pre-Output-Packets = 6
    X-Ascend-Disconnect-Cause = 43
    X-Ascend-Connect-Progress = 101
    X-Ascend-Data-Rate = 26400
    X-Ascend-PreSession-Time = 27
    X-Ascend-Xmit-Rate = 38000
modcall: entering group preacct
modcall[preacct]: module preprocess returns noop
rlm_realm: Looking up realm nwonline.net for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm DEFAULT
rlm_realm: Proxying request from user test to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Preparing to proxy accounting request to realm DEFAULT
modcall[preacct]: module suffix returns ok
modcall: group preacct returns ok
modcall: entering group accounting
radius_xlat: '/usr/local/var/log/radius/radacct/detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/detail.log expands to /usr/local/var/log/radius/radacct/detail.log
rlm_detail: Freeradius-Proxied-To set to 208.231.144.20
modcall[accounting]: module detail returns ok
radius_xlat: '[EMAIL PROTECTED]'
Accounting: logout: login entry for NAS nas14.arlington1.va.us.da.qwest port 7190 not found
modcall[accounting]: module radutmp returns ok
modcall: group accounting returns ok
Sending Accounting-Request of id 4 to 208.231.144.20:1646
    User-Name = [EMAIL PROTECTED]
    NAS-IP-Address = 63.152.3.66
    NAS-Port = 7190
    Service-Type = Framed-User
    Cisco-AVPair = 1043
    Cisco-AVPair = 250
    Cisco-AVPair = 216
    Cisco-AVPair = 8
    Cisco-AVPair = 6
    Cisco-AVPair = 27
    Cisco-AVPair = 101
    Cisco-AVPair = 26400
    Cisco-AVPair = 38000
    Cisco-NAS-Port = Async3/07*Serial7/0:1:22
    Calling-Station-Id = 4193321376
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Input-Octets = 0
    Acct-Output-Octets = 8
    Acct-Session-Id = 02000C91
    Acct-Authentic = RADIUS
    Acct-Session-Time = 0
    Acct-Input-Packets = 0
    Acct-Output-Packets = 1
    NAS-Port-Type = Async
    X-Ascend-Pre-Input-Octets = 250
    X-Ascend-Pre-Output-Octets = 216
    X-Ascend-Pre-Input-Packets = 8
    X-Ascend-Pre-Output-Packets = 6
    X-Ascend-Disconnect-Cause = 43
    X-Ascend-Connect-Progress = 101
    X-Ascend-Data-Rate = 26400
    X-Ascend-PreSession-Time = 27
    X-Ascend-Xmit-Rate = 38000
    Proxy-State = 250
Thread 2 waiting to be assigned a request
rad_recv: Accounting-Response packet from host 208.231.144.20:1646, id=4, length=25
Thread 3 assigned request 6
rl_next: returning NULL
Waking up in 5 seconds...
Thread 3 handling request 6, (2 handled so far)
    Proxy-State = 0x323530
Sending Accounting-Response of id 250 to 209.211.205.27:46810
Finished request 6
Going to the next request
Thread 3 waiting to be assigned a request

From what it looks like, Qwest is not sending me proxy-state attributes. This is really interesting as they told us that these were required. My testing will still not let me log on.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Parker
Sent: Friday, September 20, 2002 2:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Question regarding Proxy-State [33] Attribute

At 01:31 PM 9/20/2002 -0500, Franklin Trumpy wrote:
> On Fri, 20 Sep 2002, Brandon Lehmann wrote:
>> The only reason that this would happen is because our proxy server is NOT sending back a Proxy-State [33]
RE: Realms?
On Fri, 20 Sep 2002, Thai Tran wrote:
> Hello everyone,
> I am trying to get realms to work correctly in FreeRadius with no success. I've tried reading some postings and the documentation but still with no success. Is it possible for me to setup users in certain realms so that they would access a different portion of the tree in LDAP? If so does anyone have any suggestions or example that I could follow?
> Thanks ahead,
> Thai Q. Tran
> Email: [EMAIL PROTECTED]

Yes. You add the realms in proxy.conf and in the ldap configuration section you use %{Realm} when setting the basedn. Something like:

    basedn = ou=%{Realm},dc=company,dc=com

The realm module should be before ldap in the authorize section. Also remember to put Stripped-User-Name in your ldap filter like:

    filter = (uid=%{Stripped-User-Name:-%{User-Name}})

Hope this helps

--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Re: SQL and accounting data
I wrote a script to import rad detail files into the SQL table. Kinda rough around the edges, but it's a start. You can get the script at:

http://users.2z.net/rpuhek/scripts_public/radius/detail2db.pl

--Rich

Mike Hendrix wrote:
> I have a question about moving accounting data out of a SQL database. We are planning on running freeradius 0.7.1 on RH 7.3 using mySQL for accounting. What do people do here to move the old accounting data out of the radacct table in such a way that you don't lose any new accounting records? We are ready to implement and am looking for some suggestions on how this could be done safely...
> ---
> I have not failed. I've just found 10,000 ways that won't work. - Thomas Edison
> Michael Hendrix [EMAIL PROTECTED]
> Systems Engineer / SysAdmin Team Leader
> Logical Net / Capital Net (518) 292-4509

--
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
RE: Question regarding Proxy-State [33] Attribute
At 03:19 PM 9/20/2002 -0400, Brandon Lehmann wrote:
> Chris,
> This is the result from my debug (radiusd -x -x)
>
> rad_recv: Accounting-Request packet from host 209.211.205.27:46810, id=250, length=445
> Thread 2 assigned request 6
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Waking up in 5 seconds...
> Thread 2 handling request 6, (2 handled so far)
>     User-Name = [EMAIL PROTECTED]
>     NAS-IP-Address = 63.152.3.66
>     NAS-Port = 7190
>     Service-Type = Framed-User
>     Cisco-AVPair = disc-cause-ext=1043
>     Cisco-AVPair = pre-bytes-in=250
>     Cisco-AVPair = pre-bytes-out=216
>     Cisco-AVPair = pre-paks-in=8
>     Cisco-AVPair = pre-paks-out=6
>     Cisco-AVPair = pre-session-time=27
>     Cisco-AVPair = connect-progress=101
>     Cisco-AVPair = nas-rx-speed=26400
>     Cisco-AVPair = nas-tx-speed=38000
>     Cisco-NAS-Port = Async3/07*Serial7/0:1:22
>     Calling-Station-Id = 4193321376
>     Acct-Status-Type = Stop
>     Acct-Delay-Time = 0
>     Acct-Input-Octets = 0
>     Acct-Output-Octets = 8
>     Acct-Session-Id = 02000C91
>     Acct-Authentic = RADIUS
>     Acct-Session-Time = 0
>     Acct-Input-Packets = 0
>     Acct-Output-Packets = 1
>     NAS-Port-Type = Async
>     X-Ascend-Pre-Input-Octets = 250
>     X-Ascend-Pre-Output-Octets = 216
>     X-Ascend-Pre-Input-Packets = 8
>     X-Ascend-Pre-Output-Packets = 6
>     X-Ascend-Disconnect-Cause = 43
>     X-Ascend-Connect-Progress = 101
>     X-Ascend-Data-Rate = 26400
>     X-Ascend-PreSession-Time = 27
>     X-Ascend-Xmit-Rate = 38000

Qwest isn't sending you a Proxy-State attribute. Kindly ask them how you are supposed to return one if they aren't sending one?

http://www.freeradius.org/rfc/rfc2865.html#Proxy-State

-Chris

--
Chris Parker, Director, Engineering, (847) 963-0116
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net
Wholesale Internet Services - http://www.megapop.net
RE: Question regarding Proxy-State [33] Attribute
Thanks Chris... Funny how that works... They are both slow at fixing problems and mindless in setting up their own specifications. Thanks again. If I need anymore help, now I know where to get it :)

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net
Re: Have a prob, not quite sure what... Help!!?!?
On Friday 20 September 2002 15:00, [EMAIL PROTECTED] wrote:
> radius_xlat: 'SELECT users.ID,username,networks.name as net FROM users,network WHERE users.network=networks.ID Username = 'test''

Unless something new has been released, I don't think you can use ampersands in mysql queries. Try using 'AND' instead.

Kevin
RE: Question regarding Proxy-State [33] Attribute
Just as a fun Record. I have resolved this issue... Read below for some fun stuff.

START CUT

-Original Message-
From: Ballew, Dean A [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 4:49 PM
To: Brandon Lehmann; Radius Testing
Cc: Dan-CPM; Stephen Goff
Subject: RE: Worldteq - Status of Realm Activation: IP Change

Brandon,

Please try again. Your realm was pointing (test server only) to another company that previously owned this realm... Proxy-state will not be sent in your dialtests. Proxy-state will be implemented with our system upgrades in the near future.

Dean

-Original Message-
From: Brandon Lehmann [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 3:22 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'; Stephen Goff
Subject: FW: Worldteq - Status of Realm Activation: IP Change

When testing the realms I have run into a few problems. Viewing our radius logs, I do NOT see a Proxy-State attribute being sent from the test radius proxies. It looks like the users are authenticating ok, but the session will not start with the test numbers. If you could please let me know why this may be happening, it would be greatly appreciated. A snapshot of a logfile from you guys would work even better if the trouble is indeed on our end. All dialup tests were done w/ the user '[EMAIL PROTECTED]'. Thanks for your help.

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

END CUT ---

The really funny thing is... that we are the only ones that have ever owned that realm... interesting.. sounds like no one ever set it up to me.

Thanks to all of you that helped!

Brandon Lehmann
Network Support Specialist
Networld Online Inc.
1243 Napoleon Street Fremont, OH 43420 800-644-6638 [EMAIL PROTECTED] www.nwonline.net
Re: Have a prob, not quite sure what... Help!!?!?
> rlm_sql: Reserving sql socket id: 4
> MYSQL check_error: 1146 received
> rlm_sql_getvpdata: database query error
> rlm_sql: SQL query error; rejecting user
> rlm_sql: Released sql socket id: 4
> modcall[authorize]: module sql returns fail
> modcall: group authorize returns fail
> There was no response configured: rejecting request 0
> Server rejecting request 0.

user is rejected because something is wrong with your mysql configuration or setup. try verifying that.

ciao
artur

--
Artur Hecker
artur[at]hecker.info
Check-radiusd-config
Anyone know why I am getting the below message when I run check-radius-config? And there is no other radius server running.

Module: Instantiated radutmp (radutmp)
auth bind: Address already in use
There appears to be another RADIUS server already running on the authentication port UDP 32768.
segmentation fault with gdb output
Attached is the gdb output of my freeradius-snapshot-20020920 and freetds-0.6.0 running on Redhat Linux 7.1. I am attempting freeradius to connect to an MS SQL 2k database.

Core was generated by `radiusd -xx'.
Program terminated with signal 11, Segmentation fault.
#0 0x4012bb5d in ?? ()
(gdb) bt
#0 0x4012bb5d in ?? ()
#1 0x401f11a6 in ?? ()
#2 0x401fca97 in ?? ()
#3 0x401f4d01 in ?? ()
#4 0x40029da5 in ?? ()
#5 0x401e9210 in ?? ()
#6 0x401e933f in ?? ()
#7 0x401e8115 in ?? ()
#8 0x08054dca in ?? ()
#9 0x08055b46 in ?? ()
#10 0x08055bac in ?? ()
#11 0x080550ea in ?? ()
#12 0x08055321 in ?? ()
#13 0x0804c03c in ?? ()
#14 0x0804c7aa in ?? ()
#15 0x400c2177 in ?? ()

segmentation fault also happens in my freebsd-4.X box. Any help will be greatly appreciated.

thanks
Hmmm version 0.8
Anyone see version 0.8 released anywhere? According to this link it was released on 8-22 and shows the complete changelog for it:

http://www.freeradius.org/radiusd/doc/ChangeLog