Re: Looking up clients in SQL/oracle?

2003-03-14 Thread Alan DeKok
Ryan Castellucci <[EMAIL PROTECTED]> wrote:
> I can't figure out how to get FreeRADIUS (0.8.1) to look up clients (NAS 
> units) in oracle SQL. I know the schema has places for this information, 
> but I'd like to be able to use it. Thanks.

  The schema exists, but the server never uses it to look up clients.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Looking up clients in SQL/oracle?

2003-03-14 Thread Ryan Castellucci
I can't figure out how to get FreeRADIUS (0.8.1) to look up clients (NAS 
units) in oracle SQL. I know the schema has places for this information, 
but I'd like to be able to use it. Thanks.





Re: RADIUS & MySql

2003-03-14 Thread Travis Best
Jim wrote:

> On Fri, 14 Mar 2003, Travis Best wrote:
>
> > auth: Failed to validate the user.
> > Login incorrect: [test1/test1] (from client localhost port 0)
>
> Is the user in your radcheck/radreply tables?
>
> Jim

The user is in the radcheck but not in the radreply. Does it need to be
in both?

--

Travis M. Best  "Systems Administrator"
SunQwest Internet Services
1040 Walnut St
Sunbury, PA 17801
Phone: 866-344-9509
Direct: 570-279-1746






Re: RADIUS & MySql

2003-03-14 Thread Jim


On Fri, 14 Mar 2003, Travis Best wrote:

> auth: Failed to validate the user.
> Login incorrect: [test1/test1] (from client localhost port 0)

Is the user in your radcheck/radreply tables?

Jim






Re: freeradius howto/need info

2003-03-14 Thread tarvid
On Friday 14 March 2003 19:33, Bryan Koschmann - GKT wrote:
> On Fri, 14 Mar 2003, tarvid wrote:
> |http://www.frontios.com/freeradius.html got me going. Once "file"
> |authentication worked i settled for sql accounting
> |
> |but i did export an old icradius database by patching in a "==" operator
> | and duplicating a couple of fields in the old accounting records.
> |
> |There is a text to sql converter but I have never used it.
> |
> |If you are desparate and will settle for less my config notes are around
> |someplace.
>
> Thanks for the link! I think it will give me a better basis on getting
> started.
>
> Would you be able to send me a couple rows from the database, so I can see
> some real world examples (nwames changed to protect the customer of course
>
> :) ) Don't worry about it if it's a hassle, I'm just trying to get a good
>
> grasp before I dive into all this.
>
> Thanks,
>
>   Bryan
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

mysql> select * from radcheck order by username limit 10;
+------+---------------+-----------+----+---------------+
| id   | UserName      | Attribute | op | Value         |
+------+---------------+-----------+----+---------------+
| 3293 | 24th_virginia | Auth-Type | == | Crypt-Local   |
| 3294 | 24th_virginia | Password  | == | SDAZ49.6SbKeE |
| 4293 | 3swyrs        | Auth-Type | == | Crypt-Local   |
| 4294 | 3swyrs        | Password  | == | $sPrs8fiXWyhM |
| 3445 | 4reeces       | Auth-Type | == | Crypt-Local   |
| 3446 | 4reeces       | Password  | == | RAtLD.G6wNfpU |
| 3706 | aaron87       | Auth-Type | == | Crypt-Local   |
| 3707 | aaron87       | Password  | == | $sy4.P1Uto40. |
| 3081 | abransco      | Auth-Type | == | Crypt-Local   |
| 3082 | abransco      | Password  | == | XJW7.LFJYhhXk |
+------+---------------+-----------+----+---------------+
mysql> select * from radreply limit 3;
+----+-------------+-------------------+----+---------------+
| id | UserName    | Attribute         | op | Value         |
+----+-------------+-------------------+----+---------------+
| 12 | hrblock2    | Framed-IP-Address | == | 12.43.223.196 |
| 21 | waltersdrug | Framed-IP-Address | == | 12.43.223.198 |
| 19 | ford        | Framed-IP-Address | == | 12.43.223.194 |
+----+-------------+-------------------+----+---------------+
mysql> select * from radacct order by acctstarttime limit 2;
(radacct rows shown transposed: one column per line, one session per column)
+--------------------+---------------------+---------------------+
| column             | row 1               | row 2               |
+--------------------+---------------------+---------------------+
| RadAcctId          | 1546806             | 1546807             |
| AcctSessionId      | 0005                | 0005                |
| AcctUniqueId       | a932bd30c115e6ee    | 4fc67df93aa5df19    |
| UserName           | barb                | tarvid              |
| Realm              |                     |                     |
| NASIPAddress       | 66.242.243.1        | 66.242.243.2        |
| NASPortId          | 9                   | 30                  |
| NASPortType        | Async               | Async               |
| AcctStartTime      | -00-00 00:00:00     | -00-00 00:00:00     |
| AcctStopTime       | 2003-03-09 22:43:04 | 2003-03-09 23:09:16 |
| AcctSessionTime    | 908                 | 1219                |
| AcctAuthentic      | RADIUS              | RADIUS              |
| ConnectInfo_start  |                     |                     |
| ConnectInfo_stop   |                     |                     |
| AcctInputOctets    | 82565               | 140943              |
| AcctOutputOctets   | 372259              | 1347807             |
| CalledStationId    | 2766622040          | 2766622040          |
| CallingStationId   |                     |                     |
| AcctTerminateCause | User-Request        | User-Request        |
| ServiceType        | Framed-User         | Framed-User         |
| FramedProtocol     | PPP                 | PPP                 |
| FramedIPAddress    | 66.242.243.23       | 66.242.243.73       |
| AcctStartDelay     | 0                   | 0                   |
| AcctStopDelay      | 0                   | 0                   |
+--------------------+---------------------+---------------------+






Re: freeradius howto/need info

2003-03-14 Thread tarvid
On Friday 14 March 2003 19:33, Bryan Koschmann - GKT wrote:
> On Fri, 14 Mar 2003, tarvid wrote:
> |http://www.frontios.com/freeradius.html got me going. Once "file"
> |authentication worked i settled for sql accounting
> |
> |but i did export an old icradius database by patching in a "==" operator
> | and duplicating a couple of fields in the old accounting records.
> |
> |There is a text to sql converter but I have never used it.
> |
> |If you are desparate and will settle for less my config notes are around
> |someplace.
>
> Thanks for the link! I think it will give me a better basis on getting
> started.
>
> Would you be able to send me a couple rows from the database, so I can see
> some real world examples (nwames changed to protect the customer of course
>
> :) ) Don't worry about it if it's a hassle, I'm just trying to get a good
>
> grasp before I dive into all this.
>
> Thanks,
>
>   Bryan
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
My notes are attached.

freeradius 0.8.1-1mdk configuration

This is the package generated by Oden Eriksson for the
cooker contrib library on Sun Mar 02 2003. The goal here is to
provide the information to get the package working in the
simplest manner.

clients.conf

We have four clients - two for dialins and two for testing.
The minimum default configuration would be one client -
localhost - so that the program radtest can run. The "secret"
must be known to the user of radtest.

  as5200-e1 - dialins
  as5200-e2 - dialins
  nuhorace - to enable radtest
  diva.ls.net - to enable ntradping

Each entry has the form -

client client-ip {
  secret      = radius-secret
  shortname   = client-hostname
  nastype     = cisco|other|portslave
  login       = client-username
  password    = client-password
}

login and password are optional and are used when RADIUS
must connect to the client via a login session for certain
operations (such as detecting simultaneous use).

radiusd.conf

I could not get the default configuration (system
authentication) to work. I downloaded, compiled and installed
the source from http://freeradius.org and got exactly the same
error.

I am not sure that all of the following are required - I was
less than methodical in my testing - but the following did make
file authentication work (reading passwords directly instead of
making system calls).

 user = root
 group = root

RADIUS must be able to read /etc/shadow for "file" (as
opposed to system) authentication to work. I will take up this
matter on the freeradius mailing list to get some insight.
sudo or chroot might be alternatives. ip access control is
inherent in freeradius (see clients.conf above).

 log_auth = yes

Enables writing requests to /var/log/radius/radius.log. We
use this file often to check for failed logins.

 log_auth_badpass = yes
 log_auth_goodpass = yes

Logging bad passwords is essential to good management.
Logging good passwords in clear text is not such a good idea
but while setting up radius it does tell you whether there was
no password or a good password (no passwords being a common
error). Obviously permissions of this file (running as root)
should be 600. Once user, group and permissions are worked out,
they should be added to msec.

 lower_user = yes
 lower_pass = yes
 nospace_user = after
 nospace_pass = after

These are convenience items of debatable merit and
security. Mixing case in passwords is good for security but the
cause of much headaches for sysadmins.

 proxy_requests  = no
 #$INCLUDE  ${confdir}/proxy.conf

There is no good reason to require proxy configuration for a
basic install. This turns it off.

   cache = yes

Essential for performance on Linux systems. This does
require a "HUP" (reload) when users are added.

   passwd = /etc/passwd
   shadow = /etc/shadow
   group = /etc/group

I think the default is adequate but I uncommented all three.
/etc/shadow has all the information required.

   sql

I added this to the accounting section after unix and before
radutmp which enabled logging to mysql and requires setting up
sql.conf.

sql.conf

   password = ""

I simply turned off the root password for sql. I only permit
root from localhost and I find this preferable to having the
root password lying around in clear text.

   sqltrace = yes

This logs every sql operation. This can be enormously
helpful in debugging more complex installations and even when
rebuilding access records.

cisco aaa

The cisco readme in freeradius is misleading and
inappropriate for simple freeradius configuration

Re: freeradius howto/need info

2003-03-14 Thread Bryan Koschmann - GKT
On Fri, 14 Mar 2003, tarvid wrote:
|http://www.frontios.com/freeradius.html got me going. Once "file"
|authentication worked i settled for sql accounting
|
|but i did export an old icradius database by patching in a "==" operator and
|duplicating a couple of fields in the old accounting records.
|
|There is a text to sql converter but I have never used it.
|
|If you are desparate and will settle for less my config notes are around
|someplace.

Thanks for the link! I think it will give me a better basis on getting
started.

Would you be able to send me a couple rows from the database, so I can see
some real world examples (nwames changed to protect the customer of course
:) ) Don't worry about it if it's a hassle, I'm just trying to get a good
grasp before I dive into all this.

Thanks,

Bryan




RADIUS & MySql

2003-03-14 Thread Travis Best
I am trying to get radius to authenticate to mysql and am having trouble.
Below is a copy of the log when running radiusd -x. Please help, I need to
get this working like yesterday.

Thanks,
Travis
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "before"
main: lower_pass = "before"
main: nospace_user = "before"
main: nospace_pass = "before"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = "passwd"
Module: Instantiated pam (pam)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "root"
sql: password = "?Tcm_Rad!"
sql: radius_db = "radius"
sql: acct_table = "radacct"
sql: acct_table2 = "radacct"
sql: authcheck_table = "radcheck"
sql: authreply_table = "radreply"
sql: groupcheck_table = "radgroupcheck"
sql: groupreply_table = "radgroupreply"
sql: usergroup_table = "usergroup"
sql: nas_table = "nas"
sql: dict_table = "dictionary"
sql: sqltrace = no
sql: sqltracefile = "/usr/local/var/log/radius/sqltrace.sql"
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
%{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND 
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = "UPDATE radacct SET Fram

Re: stale logins/sessions or Simultaneous-Use behavior

2003-03-14 Thread Alan DeKok
"Josh Kleensang" <[EMAIL PROTECTED]> wrote:
> Is there any way (don't you love it when emails start
> out that way...) to have freeradius arbitrarily kill a
> session (record a session stop time and forget about it)
> when another session is started with the same username?

  Write an external script to do that.  It can be run from the server.

  Alan DeKok.



Re: freeradius howto/need info

2003-03-14 Thread tarvid
On Friday 14 March 2003 03:19 pm, Bryan Koschmann - GKT wrote:
> Hello,
>
> I was wondering, does anyone have something like a howto to setup
> freeradius with mysql? This is what I would like in the end:
>
http://www.frontios.com/freeradius.html got me going. Once "file" 
authentication worked i settled for sql accounting

but i did export an old icradius database by patching in a "==" operator and 
duplicating a couple of fields in the old accounting records.

There is a text to sql converter but I have never used it.

If you are desparate and will settle for less my config notes are around 
someplace.

jim Tarvid






freeradius howto/need info

2003-03-14 Thread Bryan Koschmann - GKT
Hello,

I was wondering, does anyone have something like a howto to setup
freeradius with mysql? This is what I would like in the end:

freeradius authenticates users against mysql database. this includes all
default, static address, multiple logins, etc.

accounting is logged in mysql database (to see all login times, addresses,
etc).

failed login requests and other are logged to a text file. this is so I
can watch requests realtime if needed or check history as to why they were
getting denied.

keep ability to use radwho for users currently logged in. if this is
available from the database, that is fine. this also includes a radlast to
see past logins, but i'm sure that is easy to pull from the database

I'm assuming this is all fairly simplistic, but I'm coming from an older
Cistron server, and freeradius has quite a bit of extra configuration, so
I am a bit lost.

If anyone can give me a hand, or maybe send me some of their own examples
(maybe a fake user entry from the database) I would be greatly
appreciative.

Thanks in advance,

Bryan




RE: FreeRadius, LDAP to a remote Active Directory Server

2003-03-14 Thread Ron Wahler
Small typo: dc=yourcompany, not rovingplanet.

--

I found the correct configuration settings for LDAP to Active directory in
radiusd.conf.

Ldap section of radiusd.conf:

Ldap {
…

    identity = "cn=Admin,cn=Users,dc=yourcompany,dc=com"
    password = "youradminpassword"
    basedn = "dc=yourcompany,dc=com"

    # stripped name
    filter = "(SamAccountName=%U)"

or

    # full name
    filter = "(SamAccountName=%u)"

}

Ron Wahler

-----Original Message-----
From: Ron Wahler
Sent: Tuesday, March 11, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: FreeRadius, LDAP to a remote Active Directory Server

Has anyone integrated FreeRadius/LDAP to a Remote Active Directory Server?

I am trying to integrate the two and need some examples of radiusd.conf for
the LDAP to Active Directory.

I also tried uid=ron
And [EMAIL PROTECTED]

I have no organization, just a list of users under users directory in
active directory.

The error that concerns me is

Tue Mar 11 08:40:06 2003 : Error: rlm_ldap: ldap_search() failed: Operations error

Any one have a radiusd.conf that shows a good example?

Thanks,
Ron

Tue Mar 11 08:40:06 2003 : Debug: ldap_get_conn: Got Id: 0
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: closing existing LDAP connection
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: (re)connect to 10.0.0.13:389, authentication 0
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: bind as / to 10.0.0.13:389
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: waiting for bind result ...
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: performing search in dn=roncompany,dn=com, with filter (uid=ron@roncompany.com)
Tue Mar 11 08:40:06 2003 : Error: rlm_ldap: ldap_search() failed: Operations error
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: search failed
Tue Mar 11 08:40:06 2003 : Debug: ldap_release_conn: Release Id: 0
Tue Mar 11 08:40:06 2003 : Debug:   modcall[authorize]: module "ldap" returns fail
Tue Mar 11 08:40:06 2003 : Debug: modcall: group authorize returns fail
Tue Mar 11 08:40:06 2003 : Debug: Finished request 16
Tue Mar 11 08:40:06 2003 : Debug: Going to the next request

What is in my radiusd.conf file…..

ldap {
    #server = "ldap.your.domain"
    server = "10.0.0.13"
    #identity = "cn=Administrator"
    #password =
    #basedn = "o=roncompany.com"
    basedn = "dn=roncompany,dn=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    start_tls = no
    # set this to 'yes' to use TLS encrypted connections to the
    # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
    # the ldap library.
    tls_mode = no

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = "{clear}"
    password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{LdapUserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}
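An added example, not FreeRADIUS code and not from this thread, showing the two filter forms above (%U with the realm stripped, %u with the full name) built safely: the user name is escaped per RFC 4515 before substitution, since a name containing '*', '(' or ')' would otherwise change the meaning of the search filter, and check_base_dn() flags the kind of slip in the original post's basedn ("dn=roncompany,dn=com", where a domain component is written dc=). The RDN attribute-type list and the sample user names are assumptions for the demo.

```python
"""Build the rlm_ldap search filter safely and sanity-check the base DN.

Added example, not FreeRADIUS code. ldap_filter() mirrors the two filter
forms in the message above, (SamAccountName=%U) with the realm stripped and
(SamAccountName=%u) with the full name, and escapes the user name per
RFC 4515 before it is substituted. check_base_dn() flags base DNs such as
the original post's "dn=roncompany,dn=com", where a domain component
should be written dc=. The attribute-type list is an assumption for the demo.
"""

# RFC 4515 filter escaping: these characters must appear as \XX hex escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Assumed whitelist of RDN attribute types seen in typical base DNs.
_KNOWN_RDN_TYPES = {"dc", "ou", "o", "cn", "c", "l", "st"}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name):
    """'ron@roncompany.com' -> 'ron' (what %U / Stripped-User-Name yields)."""
    return user_name.split("@", 1)[0]


def ldap_filter(user_name, stripped=True, attribute="SamAccountName"):
    """Return the filter rlm_ldap would send for this user.

    stripped=True behaves like %U (realm removed), False like %u (full name).
    """
    name = strip_realm(user_name) if stripped else user_name
    return f"({attribute}={escape_filter_value(name)})"


def check_base_dn(base_dn):
    """Return a list of problems with a base DN, empty if it looks sane."""
    problems = []
    for rdn in base_dn.split(","):
        rdn = rdn.strip()
        if "=" not in rdn:
            problems.append(f"component {rdn!r} has no attribute=value form")
            continue
        attr, value = rdn.split("=", 1)
        if attr.strip().lower() not in _KNOWN_RDN_TYPES:
            problems.append(f"unknown attribute type {attr!r} in {rdn!r}")
        if not value.strip():
            problems.append(f"empty value in {rdn!r}")
    return problems


if __name__ == "__main__":
    print(ldap_filter("ron@roncompany.com"))        # (SamAccountName=ron)
    print(check_base_dn("dn=roncompany,dn=com"))    # flags both dn= parts
    print(check_base_dn("dc=yourcompany,dc=com"))   # []
```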








Re: Simultaneous use stops working.

2003-03-14 Thread Kristina Pfaff-Harris
On Fri, 14 Mar 2003, Kristina Pfaff-Harris wrote:

> Okay, this is really bizarre. After awhile, Simultaneous-Use just stops
> working and lets people log on more than once. (I haven't figured out how
> long "awhile" is at the moment. Definitely overnight, possibly a couple of
> hours.)  At that point, it seems to stop running checkrad -- at least,
> there's not the usual delay while checkrad checks if someone is logged on:
> authorization happens almost instantly.
>
> Restarting the server makes it work again.

Possible hint: it occurs to me that if the server can't check the database
(I'm using sql for sessions), it will possibly never actually run
checkrad?  Our MySQL server is pretty loaded, so I'm wondering if maybe
the server just can't connect to check the users online db. Can anyone
tell me where to look for a timeout of this kind? (rlm_sql_mysql?
Somewhere else?)  Or am I totally off-base here? :-)

Thanks for any hints.

K.




RE: FreeRadius, LDAP to a remote Active Directory Server

2003-03-14 Thread Ron Wahler
I found the correct configuration settings for LDAP to Active directory in
radiusd.conf.

Ldap section of radiusd.conf:

Ldap {
…

    identity = "cn=Admin,cn=Users,dc=rovingplanet,dc=com"
    password = "youradminpassword"
    basedn = "dc=yourcompany,dc=com"

    # stripped name
    filter = "(SamAccountName=%U)"

or

    # full name
    filter = "(SamAccountName=%u)"

}

Ron Wahler

-----Original Message-----
From: Ron Wahler
Sent: Tuesday, March 11, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: FreeRadius, LDAP to a remote Active Directory Server

Has anyone integrated FreeRadius/LDAP to a Remote Active Directory Server?

I am trying to integrate the two and need some examples of radiusd.conf for
the LDAP to Active Directory.

I also tried uid=ron
And [EMAIL PROTECTED]

I have no organization, just a list of users under users directory in
active directory.

The error that concerns me is

Tue Mar 11 08:40:06 2003 : Error: rlm_ldap: ldap_search() failed: Operations error

Any one have a radiusd.conf that shows a good example?

Thanks,
Ron

Tue Mar 11 08:40:06 2003 : Debug: ldap_get_conn: Got Id: 0
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: closing existing LDAP connection
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: (re)connect to 10.0.0.13:389, authentication 0
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: bind as / to 10.0.0.13:389
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: waiting for bind result ...
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: performing search in dn=roncompany,dn=com, with filter (uid=ron@roncompany.com)
Tue Mar 11 08:40:06 2003 : Error: rlm_ldap: ldap_search() failed: Operations error
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: search failed
Tue Mar 11 08:40:06 2003 : Debug: ldap_release_conn: Release Id: 0
Tue Mar 11 08:40:06 2003 : Debug:   modcall[authorize]: module "ldap" returns fail
Tue Mar 11 08:40:06 2003 : Debug: modcall: group authorize returns fail
Tue Mar 11 08:40:06 2003 : Debug: Finished request 16
Tue Mar 11 08:40:06 2003 : Debug: Going to the next request

What is in my radiusd.conf file…..

ldap {
    #server = "ldap.your.domain"
    server = "10.0.0.13"
    #identity = "cn=Administrator"
    #password =
    #basedn = "o=roncompany.com"
    basedn = "dn=roncompany,dn=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    start_tls = no
    # set this to 'yes' to use TLS encrypted connections to the
    # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
    # the ldap library.
    tls_mode = no

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = "{clear}"
    password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{LdapUserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}








stale logins/sessions or Simultaneous-Use behavior

2003-03-14 Thread Josh Kleensang

Is there any way (don't you love it when emails start
out that way...) to have freeradius arbitrarily kill a
session (record a session stop time and forget about it)
when another session is started with the same username?

For example:

User joefoo logs in at 13:05:00
user joefoo logs in again at 13:20:00
the server allows the second joefoo to authenticate and
gain access but terminates the first joefoo session and
gives it a stop time of 13:20:00.

This functionality is useful in an environment where one
doesn't always get the accounting stop packets but is sure
that a duplicate login won't actually happen because all of
an upstream radius server/proxy.  I know that checkrad is
supposed to verify if the session is there or not but I
don't have access to the NAS servers and cannot directly 
verify the login.

It may be useful to add an option to Simultaneous-Use where
the module would allow up to the number of sessions specified
(eg 5) but upon the 6th login would kill the oldest of the
5 previous sessions.

Thanks,


Josh Kleensang
Vice President, Engineering
Lunar Gravity Networks
402-898-GRAV x 101
http://www.lunargravity.com
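An added example, not FreeRADIUS code and not from this thread: the kind of external script Alan DeKok suggests in his reply, which closes a user's still-open radacct rows when a new Start for that user arrives (the 13:05 / 13:20 case above) and, as the closing paragraph proposes, can instead keep up to N sessions and close only the oldest. It runs against an in-memory SQLite table whose columns follow the radacct dump earlier on this page; the rows, the Admin-Reset cause used to mark synthetic stops, and the session limit are assumptions for the demo, and on a real server the same statements would go to the MySQL radacct table.

```python
"""Close stale radacct sessions when the same user logs in again.

Added example, not FreeRADIUS code. The SQLite in-memory table and its rows
are constructed for the demo (column names follow the radacct dump earlier
on this page); on a real server the same UPDATE/INSERT statements would be
issued against the MySQL radacct table.
"""
import sqlite3

# Assumption: a session closed by this script is marked with the RFC 2866
# cause Admin-Reset so it is distinguishable from a Stop sent by the NAS.
SYNTHETIC_CAUSE = "Admin-Reset"


def open_radacct():
    """Create an in-memory radacct table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE radacct (
               RadAcctId INTEGER PRIMARY KEY,
               AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,
               AcctStartTime TEXT, AcctStopTime TEXT,
               AcctSessionTime INTEGER, AcctTerminateCause TEXT,
               FramedIPAddress TEXT)""")
    rows = [  # constructed sample data: joefoo still open, barb already stopped
        ("0001", "joefoo", "66.242.243.1", "2003-03-14 13:05:00",
         None, None, None, "66.242.243.23"),
        ("0002", "barb", "66.242.243.1", "2003-03-14 12:50:00",
         "2003-03-14 13:00:00", 600, "User-Request", "66.242.243.24"),
    ]
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,"
        " AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause,"
        " FramedIPAddress) VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def open_sessions(conn, username):
    """RadAcctIds of sessions for `username` with no Stop yet, oldest first."""
    cur = conn.execute(
        "SELECT RadAcctId FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL"
        " ORDER BY AcctStartTime, RadAcctId", (username,))
    return [r[0] for r in cur.fetchall()]


def close_session(conn, radacctid, stop_time):
    """Write a synthetic Stop for one open row: stop time, duration and cause."""
    # strftime('%s') turns the stored timestamp into epoch seconds, so the
    # duration is computed in SQL the same way the accounting_onoff_query
    # shown earlier on this page does with unix_timestamp().
    conn.execute(
        "UPDATE radacct SET AcctStopTime = ?,"
        " AcctSessionTime = strftime('%s', ?) - strftime('%s', AcctStartTime),"
        " AcctTerminateCause = ?"
        " WHERE RadAcctId = ? AND AcctStopTime IS NULL",
        (stop_time, stop_time, SYNTHETIC_CAUSE, radacctid))


def record_login(conn, username, session_id, nas_ip, framed_ip, start_time,
                 max_sessions=1):
    """Handle a new Start for `username` at `start_time` ("YYYY-MM-DD HH:MM:SS").

    Open sessions beyond max_sessions - 1 are closed, oldest first, with the new
    start time as their stop time. Returns the RadAcctIds that were closed.
    """
    stale = open_sessions(conn, username)
    excess = max(len(stale) - (max_sessions - 1), 0)
    closed = stale[:excess]
    for radacctid in closed:
        close_session(conn, radacctid, start_time)
    conn.execute(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,"
        " AcctStartTime, FramedIPAddress) VALUES (?,?,?,?,?)",
        (session_id, username, nas_ip, start_time, framed_ip))
    conn.commit()
    return closed


def session_state(conn, radacctid):
    """(AcctStopTime, AcctSessionTime, AcctTerminateCause) for one row."""
    return conn.execute(
        "SELECT AcctStopTime, AcctSessionTime, AcctTerminateCause FROM radacct"
        " WHERE RadAcctId = ?", (radacctid,)).fetchone()


if __name__ == "__main__":
    db = open_radacct()
    print("closed:", record_login(db, "joefoo", "0003", "66.242.243.2",
                                  "66.242.243.30", "2003-03-14 13:20:00"))
    print("row 1 now:", session_state(db, 1))
```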


Re: Problem with free-radius compilation with AIX4.3

2003-03-14 Thread Alan DeKok
"Jay Kumar" <[EMAIL PROTECTED]> wrote:
>   I am trying to install free-radius-0.8.1. I was able to run the
> configure script with one minor correction. I then tried to do the '
> make'. I am getting the error listed below. The problem seems to be with
> the declaration of an array with a variable value. Can anyone suggest
> work-around to get past this.

  Use GCC, or grab the latest CVS snapshot.  That should work better.

  Alan DeKok.



Re: expr in sql doesn't work?

2003-03-14 Thread Alan DeKok
Dmitry Glushenok <[EMAIL PROTECTED]> wrote:
> I use freeradius-0.8.1 with mysql.
> In radiusd.conf expr listed in modules and in instantiate.
> In mysql at Framed-IP-Address i've put following line:
> 
> `%{expr: sql: SELECT inetipaddress FROM users.accounts WHERE username = 'glush'}`
> 
> But no SELECT from users.accounts happens at processing logon.

  You didn't tell them to happen.

  The macros are documented as %{foo:...}.  You have NOT done that
with the SQL query.

  Alan DeKok.



Re: freeradius & Cisco VPN 3000

2003-03-14 Thread Alan DeKok
"Lars Knudsen" <[EMAIL PROTECTED]> wrote:
> I have configured the group/users in /etc/raddb/users (and understand
> the security implications) like this:
> 
> user1 Auth-Type := Local, User-Password == "passwd1"
> group1    Auth-Type := Local, User-Password == "passwd2"
> CVPN3000-IPSec-Authentication = "2"

  Huh?  What do you think that configuration does?

  Alan DeKok.



Re: Typo in radius.h

2003-03-14 Thread Chris Parker
At 07:08 PM 3/14/2003 +0200, Andriy I Pylypenko wrote:
> hi,
>
> I'm using freeradius-0.8.1.
>
> There is a typo in src/include/radius.h:
>
> #define PW_FRAMED_POOL  89
>
> According to rfc2869 this must be 88. Dictionary contains the correct
> value.

If submitting a patch, please patch against the current CVS head.

This has already been corrected in the latest CVS, but thank you for
noticing and supplying the patch!
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Typo in radius.h

2003-03-14 Thread Alan DeKok
Andriy I Pylypenko <[EMAIL PROTECTED]> wrote:
> I'm using freeradius-0.8.1.
> 
> There is a typo in src/include/radius.h:
> 
> #define PW_FRAMED_POOL  89
> 
> According to rfc2869 this must be 88. Dictionary contains the correct
> value.

  It's fixed in the latest CVS version.

  Alan DeKok.



Work time limitation

2003-03-14 Thread Dmytro Lazarenko
Hello!

Is it possible to terminate a session and disconnect the user at some point in time?
For example, some client is given a limited time to log in: Login-Time = 
Wk0100-0600. 
How to disconnect him at 6:00?
Is there a possibility to calculate Session-Timeout dynamically depending on the login 
time and the Login-Time attribute? Or another way?
I use freeradius 0.8.1 and user-level ppp (FreeBSD) as NAS.



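A worked example of the calculation asked about above, added here and not code from the thread or from FreeRADIUS: it parses the users-file Login-Time syntax (a run of day codes, where Wk means Monday to Friday and Any or Al means every day, followed by HHMM-HHMM, with several windows separated by commas) and returns the seconds left in the window that contains the login time, which is the value a dynamically computed Session-Timeout would carry; 0 means the login falls outside every window.

```python
"""Compute a Session-Timeout from a Login-Time window such as "Wk0100-0600".

Added example, not FreeRADIUS code. Login-Time syntax modelled here: a run of
day codes (Wk = Mon-Fri, Any/Al = every day, Mo Tu We Th Fr Sa Su) followed by
HHMM-HHMM; several windows may be separated by commas.
"""
import re
from datetime import datetime, timedelta

DAY_CODES = {"Mo": [0], "Tu": [1], "We": [2], "Th": [3], "Fr": [4],
             "Sa": [5], "Su": [6], "Wk": [0, 1, 2, 3, 4],
             "Any": list(range(7)), "Al": list(range(7))}
DAY_RE = re.compile(r"Any|Al|Wk|Mo|Tu|We|Th|Fr|Sa|Su")
SPEC_RE = re.compile(r"^((?:Any|Al|Wk|Mo|Tu|We|Th|Fr|Sa|Su)+)(\d{4})-(\d{4})$")


def parse_login_time(spec):
    """Return [(allowed weekdays, start minute, end minute)] per window.
    end may exceed 1440 when the range wraps past midnight (2200-0200)."""
    windows = []
    for part in spec.split(","):
        m = SPEC_RE.match(part.strip())
        if not m:
            raise ValueError("bad Login-Time spec: %r" % part)
        days = set()
        for code in DAY_RE.findall(m.group(1)):
            days.update(DAY_CODES[code])
        start = int(m.group(2)[:2]) * 60 + int(m.group(2)[2:])
        end = int(m.group(3)[:2]) * 60 + int(m.group(3)[2:])
        if end <= start:
            end += 24 * 60  # wraps past midnight
        windows.append((days, start, end))
    return windows


def session_timeout(spec, now):
    """Seconds left in the window containing `now` (datetime or ISO string),
    or 0 if the login is outside every window and should be refused."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    best = 0
    for days, start, end in parse_login_time(spec):
        # A window may have started today, or yesterday if it wraps midnight.
        for back in (0, 1):
            if (now.weekday() - back) % 7 not in days:
                continue
            midnight = (now - timedelta(days=back)).replace(
                hour=0, minute=0, second=0, microsecond=0)
            minute = (now - midnight).total_seconds() / 60
            if start <= minute < end:
                best = max(best, int((end - minute) * 60))
    return best
```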


Typo in radius.h

2003-03-14 Thread Andriy I Pylypenko
hi,

I'm using freeradius-0.8.1.

There is a typo in src/include/radius.h:

#define PW_FRAMED_POOL  89

According to rfc2869 this must be 88. Dictionary contains the correct
value.

  Kind regards,
  Andriy I Pylypenko
  PAI1-RIPE
*** src/include/radius.h.orig   Fri Mar 14 18:55:42 2003
--- src/include/radius.hFri Mar 14 18:55:57 2003
***
*** 97,103 
  
  #define PW_ARAP_CHALLENGE_RESPONSE84
  #define PW_NAS_PORT_ID_STRING 87
! #define PW_FRAMED_POOL89
  
  #define PW_DIGEST_RESPONSE206
  #define PW_DIGEST_ATTRIBUTES  207
--- 97,103 
  
  #define PW_ARAP_CHALLENGE_RESPONSE84
  #define PW_NAS_PORT_ID_STRING 87
! #define PW_FRAMED_POOL88
  
  #define PW_DIGEST_RESPONSE206
  #define PW_DIGEST_ATTRIBUTES  207
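Review bot: The `!` lines changing PW_FRAMED_POOL from 89 to 88 match RFC 2869, which assigns attribute 88 to Framed-Pool, and bring the header back in line with the dictionary as the cover note says. Because the header and dictionary had drifted apart, it is worth grepping the tree for any other place that still uses 89 for this attribute before merging, and adding a short comment on the define citing RFC 2869 so the two tables are less likely to diverge again.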


Simultaneous use stops working.

2003-03-14 Thread Kristina Pfaff-Harris

Okay, this is really bizarre. After awhile, Simultaneous-Use just stops
working and lets people log on more than once. (I haven't figured out how
long "awhile" is at the moment. Definitely overnight, possibly a couple of
hours.)  At that point, it seems to stop running checkrad -- at least,
there's not the usual delay while checkrad checks if someone is logged on:
authorization happens almost instantly.

Restarting the server makes it work again.

Has anyone seen this before, or have any ideas where I might check for
what's going on?

K.




Problem with free-radius compilation with AIX4.3

2003-03-14 Thread Jay Kumar
Hi,
I am trying to install free-radius-0.8.1. I was able to run the configure 
script with one minor correction. I then tried to do the 'make'. I am getting the 
error listed below. The problem seems to be with the declaration of an array with a 
variable value. Can anyone suggest a work-around to get past this?
Line 524 in files.c has the following type declaration. The maximum_proxies gets its 
value from a configured parameter and so is not a fixed value.
REALM *rr_array[maximum_proxies];

Making all in main...
gmake[3]: Entering directory `/aps/qa/radius/freeradius-0.8.1/src/main'
cc  -g -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG -I../include   -c files.c
1506-507 (W) No licenses available. Contact your program supplier to add additional 
users.  Compilation will proceed shortly.
"files.c", line 524.25: 1506-195 (S) Integral constant expression with a value greater 
than zero is required.
gmake[3]: *** [files.o] Error 1
gmake[3]: Leaving directory `/aps/qa/radius/freeradius-0.8.1/src/main'
gmake[2]: *** [common] Error 1
gmake[2]: Leaving directory `/aps/qa/radius/freeradius-0.8.1/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/aps/qa/radius/freeradius-0.8.1/src'
gmake: *** [common] Error 1
make: 1254-004 The error code from the last command is 2.


Thanks
-Jay.




Re: FreeRADIUS & MYSQL

2003-03-14 Thread Mark Hennessy
Did you install MySQL by compiling from source, or using a precompiled
binary distribution from www.mysql.com ?  You might want to try compiling
from source if you haven't done so.  I have observed on a recent
FreeRADIUS upgrade that using the MySQL 3.23.55 precompiled binary
distribution (at least for FreeBSD 4.x), that some libraries that
FreeRADIUS rlm_mysql requires to compile are not included in the package.

Compiling MySQL from source made all of the libraries that were needed and
I was able to install FreeRADIUS with MySQL support after that.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Fri, 14 Mar 2003, Pedro Alvarez-Tabío wrote:

> Date: Fri, 14 Mar 2003 11:35:16 +0100
> From: Pedro Alvarez-Tabío <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: FreeRADIUS & MYSQL
>
> Hello,
>
> I'm having problems with configuring freeRADIUS with MySQL.
>
> I have done (Linux RH 7.3):
>
> - Installed MySQL
> - freeRADIUS:
> ./configure --localstatedir=/var --sysconfdir=/etc
> --with-mysql-include-dir=/usr/local/mysql/include
>--with-mysql-lib-dir=/usr/local/mysql/lib
> --with-mysql-dir=/usr/local/mysql
> make
> make install
> - Added sql to the authorize and accounting sections in radiusd.conf
> - Added user information to the following tables in radius database: usergroup,
> radcheck, radreply, radgroupreply
> - Added "/usr/local/mysql/lib" and "/usr/local " to "/etc/ld.so.conf" and
> executed ldconfig
>
> When starting freeRADIUS, apparently everything is ok until the following error
> occurs:
>
> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search
> path of your system's ld.
> radiusd.conf[14]: sql: Module instantiation failed.
>
> I would really like to know which is exactly the library(ies) it is attempting to
> load at runtime. I really don't know what I'm doing wrong.
>
> Thanks in advance for your help.
>
> Pedro
>
>
>



Re: FreeRADIUS & MYSQL solve it :)

2003-03-14 Thread Travis Best
Carlo Tovazzi wrote:

> try to launch ./configure in
> 
> /freeradius-0.8.1/src/modules/rlm_sql/
> 
> probably the rlm module for sql is absent
> 
> > rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search
> > path of your system's ld.
> > radiusd.conf[14]: sql: Module instantiation failed.

I'm sure this part is working; the accounting is working with mysql, just 
not auth.

--

Travis M. Best  "Systems Administrator"
SunQwest Internet Services
1040 Walnut St
Sunbury, PA 17801
Phone: 866-344-9509
Direct: 570-279-1746






expr in sql doesn't work?

2003-03-14 Thread Dmitry Glushenok
Hello,

I use freeradius-0.8.1 with mysql.
In radiusd.conf expr listed in modules and in instantiate.
In mysql at Framed-IP-Address i've put following line:

`%{expr: sql: SELECT inetipaddress FROM users.accounts WHERE username = 'glush'}`

But no SELECT from users.accounts happens at processing logon.

In the ChangeLog for version 0.8:
" * Preliminary 'expression' module, to allow you to do cool things
like: Session-Timeout = `%{expr:3600 - %{sql:SELECT ...}}`"

Does that not work now? Or do I have the wrong syntax?

In debug log (-x -x) no messages from expr, just:
Debug: Module: Loaded expr
Debug: Module: Instantiated expr (expr)
and:
Sending Access-Accept of id 201 to 127.0.0.1:32816
Session-Octets-Limit = 877068731
Framed-IP-Address = `%{expr: sql: SELECT inetipaddress FROM users.accounts 
WHERE username = 'glush'}`
...


-- 
regards,
  Dmitry





Re: FreeRADIUS & MYSQL solve it :)

2003-03-14 Thread Carlo Tovazzi
try to launch ./configure in

/freeradius-0.8.1/src/modules/rlm_sql/

probably the rlm module for sql is absent

> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in 
> the search path of your system's ld.
> radiusd.conf[14]: sql: Module instantiation failed.



Re: FreeRADIUS & MYSQL

2003-03-14 Thread Carlo Tovazzi


Did you add the tables to the radius database?

mysql -uroot -prootpass radius < db_mysql.sql

You can find db_mysql.sql in the path where you unpacked the freeradius
tarball; it's in this directory:
freeradius-0.8.1/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
because in that .sql there are all options for accounting and something
like that.
bye

At 11:35 AM 3/14/2003 +0100, you wrote:
> Hello,
> I'm having problems with configuring freeRADIUS with MySQL.
> I have done (Linux RH 7.3):
> - Installed MySQL
> - freeRADIUS:
>     ./configure --localstatedir=/var --sysconfdir=/etc
>       --with-mysql-include-dir=/usr/local/mysql/include
>       --with-mysql-lib-dir=/usr/local/mysql/lib
>       --with-mysql-dir=/usr/local/mysql
>     make
>     make install
> - Added sql to the authorize and accounting sections in radiusd.conf
> - Added user information to the following tables in radius database:
>   usergroup, radcheck, radreply, radgroupreply
> - Added "/usr/local/mysql/lib" and "/usr/local " to "/etc/ld.so.conf" and
>   executed ldconfig
> When starting freeRADIUS, apparently everything is ok until the following
> error occurs:
> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
> search path of your system's ld.
> radiusd.conf[14]: sql: Module instantiation failed.
> I would really like to know which is exactly the library(ies) it is
> attempting to load at runtime. I really don't know what I'm doing wrong.
> Thanks in advance for your help.
> Pedro





FreeRADIUS & MYSQL

2003-03-14 Thread Pedro Alvarez-Tabío
Hello,

I'm having problems with configuring freeRADIUS with MySQL.

I have done (Linux RH 7.3):

- Installed MySQL
- freeRADIUS:
./configure --localstatedir=/var --sysconfdir=/etc
--with-mysql-include-dir=/usr/local/mysql/include
   --with-mysql-lib-dir=/usr/local/mysql/lib
--with-mysql-dir=/usr/local/mysql
make
make install
- Added sql to the authorize and accounting sections in radiusd.conf
- Added user information to the following tables in radius database: usergroup,
radcheck, radreply, radgroupreply
- Added "/usr/local/mysql/lib" and "/usr/local " to "/etc/ld.so.conf" and
executed ldconfig

When starting freeRADIUS, apparently everything is ok until the following error
occurs:

rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search
path of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed.

I would really like to know which is exactly the library(ies) it is attempting to
load at runtime. I really don't know what I'm doing wrong.

Thanks in advance for your help.

Pedro




Re: I need some details about certificates

2003-03-14 Thread Carlo Tovazzi
OK, I'm a little bit sleepy. I found all the stuff on the main website; I'm running 
the CA.all file,
but there is maybe an error on row 25 --->>> echo "newreq.pem" | CA.pl -newca

Where can I find this CA.pl?



At 10:15 AM 3/14/2003 -0800, you wrote:
> Using Redhat linux 8 + Freeradius 0.81
> 
> 1) what can I do to make various certificates?
> 
> default:cert = /etc/1x/r/cert-clt.der
> default:key = /etc/1x/r/cert-clt.pem
> default:root = /etc/1x/r/root.pem
> I made cert-clt.pem with << make cert-clt.pem >> under /usr/share/ssl/certs/
> but I don't know how to make .der and root.pem
> 2) what are these files?
> 
> dh_file = /usr/local/etc/raddb//DH
> random_file = /usr/local/etc/raddb//random
> 3) Is it necessary to use  CA_file = /usr/local/etc/raddb/.../CA.pem for a 
> radius with TLS configuration?
> 
> Very Thx for the support
> 
> regards
> 
> Carlo




I need some details about certificates

2003-03-14 Thread Carlo Tovazzi
Using Redhat linux 8 + Freeradius 0.81

1) what can I do to make various certificates?

default:cert = /etc/1x/r/cert-clt.der
default:key = /etc/1x/r/cert-clt.pem
default:root = /etc/1x/r/root.pem
I made cert-clt.pem with << make cert-clt.pem >> under /usr/share/ssl/certs/
but I don't know how to make .der and root.pem
2) what are these files?

dh_file = /usr/local/etc/raddb//DH
random_file = /usr/local/etc/raddb//random
3) Is it necessary to use  CA_file = /usr/local/etc/raddb/.../CA.pem for a 
radius with TLS configuration?



Very Thx for the support

regards

Carlo



freeradius & Cisco VPN 3000

2003-03-14 Thread Lars Knudsen

Hi,

I'm trying to get the above mentioned combo working.

freeradius is version: "radiusd: FreeRADIUS Version 0.8.1, for host i686-pc-linux-gnu, 
built on Mar 13 2003 at 18:00:13"
The Cisco is running version: "Cisco Systems, Inc./VPN 3000 Concentrator Version 
3.6.7.A Feb 06 2003 23:29:48" vpn3005-3.6.7.A-k9.bin

I can get the Cisco to send authentication requests for a group to freeradius, and 
freeradius replying back to the Cisco. To get the Cisco to send the request for user 
authentication to freeradius, I understand you have to send the right attributes back 
to the Cisco [1], "IPSec Authentication = RADIUS".

I include the following in my /etc/raddb/dictionary:

$INCLUDE dictionary.cisco
$INCLUDE dictionary.cisco.vpn3000

I have configured the group/users in /etc/raddb/users (and understand the security 
implications) like this:

user1   Auth-Type := Local, User-Password == "passwd1"
group1  Auth-Type := Local, User-Password == "passwd2"
        CVPN3000-IPSec-Authentication = "2"

I can see the value is sent back to the Cisco, see [2], but the Cisco never asks for 
authentication of the user.
I tried with values 0..4 of the CVPN3000-IPSec-Authentication without any change in 
behaviour.

Am I doing something wrong or overlooking something simple?

Any help appreciated.

[1]: 
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

[2]: 
x:/etc/raddb # radiusd -A -f -s -x
Starting - reading configuration files ...
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host x.y.z.a:1296, id=1, length=100
User-Name = "group1"
User-Password = "pass2"
NAS-Port = 0
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = "80.y.243.x"
Attr-201588758 = 0x0005
NAS-IP-Address = x.y.z.a
NAS-Port-Type = Virtual
rlm_chap: Could not find proper Chap-Password attribute in request
Login OK: [group1/pass2] (from client x.y.z.a port 0)
Sending Access-Accept of id 1 to x.y.z.a:1296
CVPN3000-IPSec-Authentication = 2

--
Dangaard Telecom IT A/S
Lars Knudsen
Technical Engineer
Phone:  +45 73303270 Fax: +45 73303271
E-mail: Mailto:[EMAIL PROTECTED]
 
