Simple question about Event-Timestamp
Hello! I need to insert Event-Timestamp into a request destined for some realm. Reading the documentation I find only one correct way. Here is my preproxy_users:

DEFAULT Realm == crossroam.com
        Idle-Timeout := `%{Idle-Timeout:-60}`,                      - Worked
        Acct-Interim-Interval := `%{Acct-Interim-Interval:-600}`,   - Worked
        Class := `%{Class:-78578757_4783748}`,                      - Worked
        Event-Timestamp := `%{Event-Timestamp:-%{l}}`               - Doesn't work.

Got this in debug:

preproxy_users: Matched entry DEFAULT at line 24
radius_xlat: '60'
radius_xlat: '600'
radius_xlat: '0x31363738375f3934373837'
radius_xlat: ''
...
Event-Timestamp := Jan  1 1970 03:00:00 MSK

How can I add a correct Event-Timestamp using preproxy_users? Or maybe there is another way?

--
Russia, St. Petersburg
Quantum Communications
Valeriy V. Peshkov | [EMAIL PROTECTED]
+7 (812) 327-6131
+7 (812) 327-1442

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + AP + Access Point Client
How can I authenticate my access point CLIENT to the AP in freeradius?? In my network I have EAP/TLS authentication and everything goes well when I authenticate users with Windows XP and a WLAN card, but one of my users has an access point client and this is a problem because I don't know how I can configure my freeradius. I need to tell my access point that this access point client is authenticated, to let it in. The best solution would be to check the IP and MAC of the access point client. How can I do that??

Thanks a lot
[EMAIL PROTECTED]
huntgroups/groups with sql
Hi,

I want to use FR to control the access to different resources (radius clients). I've put my users in 'radcheck', defined groups in 'radgroupcheck' according to Client-IP-Address and put the users in their groups in 'usergroup'. Some users are in more than one group, but they can only access the first matching group defined in 'radgroupcheck'. Tried to add 'Fall-Through = Yes' to all 'radgroupcheck' entries, but it didn't work.

Now I've found a workaround: I added a column 'groupIPaddr' varchar(15) in 'radgroupcheck'. I put there the Client-IP-Address and changed the query in sql.conf to:

authorize_group_check_query = SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName,
        ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op
        FROM ${groupcheck_table}, ${usergroup_table}
        WHERE ${groupcheck_table}.groupIPaddr = '%{Client-IP-Address}'
        AND ${usergroup_table}.Username = '%{SQL-User-Name}'
        AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName
        ORDER BY ${groupcheck_table}.id

Now my users have access to all their authorized NASes whatever the order of definition of the groups. Was there an easier/more standard way of doing this?

Michel
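To show what the groupIPaddr query above actually returns for a given user and NAS, here is an added example that is not Michel's code and not part of FreeRADIUS. It rebuilds the three tables in an in-memory SQLite database (Michel runs MySQL; the column names follow the FreeRADIUS 1.x schema named in the post), fills them with constructed users, groups and NAS addresses, expands the ${...} table variables, and binds the two %{...} xlat values as query parameters instead of interpolating them textually.

```python
"""Per-NAS group check items, modelled on the groupIPaddr workaround above.

Added example using Python's sqlite3; not Michel's MySQL deployment and not
FreeRADIUS code. Users, groups and NAS addresses below are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT,
                            groupIPaddr VARCHAR(15));   -- the extra column from the workaround
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""

# Constructed sample data: two NASes; michel may use both, alice only the first.
SAMPLE = [
    ("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?,?,?,?)",
     [("michel", "User-Password", "==", "s3cret"), ("alice", "User-Password", "==", "hunter2")]),
    ("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value, groupIPaddr) VALUES (?,?,?,?,?)",
     [("nas-a", "Client-IP-Address", "==", "10.0.0.1", "10.0.0.1"),
      ("nas-b", "Client-IP-Address", "==", "10.0.0.2", "10.0.0.2")]),
    ("INSERT INTO usergroup (UserName, GroupName) VALUES (?,?)",
     [("michel", "nas-a"), ("michel", "nas-b"), ("alice", "nas-a")]),
]

# The authorize_group_check_query from the post with ${...} expanded and the two
# %{...} xlats replaced by bound parameters. FreeRADIUS itself substitutes them as
# text and relies on rlm_sql's safe_characters escaping; binding does the same job here.
GROUP_CHECK_QUERY = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
  FROM radgroupcheck, usergroup
 WHERE radgroupcheck.groupIPaddr = ?
   AND usergroup.UserName = ?
   AND usergroup.GroupName = radgroupcheck.GroupName
 ORDER BY radgroupcheck.id
"""


def open_sample_db():
    """In-memory database with the schema and constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn


def group_check_items(conn, client_ip, sql_user_name):
    """Rows rlm_sql would turn into check items for this user on this NAS,
    as (GroupName, Attribute, op, Value) tuples in radgroupcheck.id order."""
    cur = conn.execute(GROUP_CHECK_QUERY, (client_ip, sql_user_name))
    return [(group, attr, op, value) for _id, group, attr, value, op in cur.fetchall()]


def nas_allowed(conn, client_ip, sql_user_name):
    """True if at least one of the user's groups is bound to this NAS address."""
    return bool(group_check_items(conn, client_ip, sql_user_name))


if __name__ == "__main__":
    db = open_sample_db()
    for user, nas in [("michel", "10.0.0.1"), ("michel", "10.0.0.2"), ("alice", "10.0.0.2")]:
        print(user, "from", nas, "->", group_check_items(db, nas, user))
```

An empty result only means rlm_sql has no group check items for that user on that NAS; whether that alone produces an Access-Reject depends on the rest of the authorize section. Before relying on this for access control, test a user who has no group for a given NAS under radiusd -X and confirm the request is rejected rather than accepted without group items.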
RE: mod_radius, apache2 and the auth cookie.
Hi Alan,

> Palmer J.D.F. [EMAIL PROTECTED] wrote:
>> Is it possible to set the timeout for the auth cookie used by the mod_radius authentication module to 0; by zero I mean no time, not infinite time?
>
> You mean re-authenticate for every request? That would require source code changes.

Effectively yes, see the description of what I'm trying to do below.

>> Or, is there a way that I can clear the cookie on a failed login?
>
> The module doesn't set the cookie on a failed login, so there shouldn't be any problem.

If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details; if I close and re-open the browser it does then allow me to enter details. I guess it may not be a cookie if one isn't set, but the credentials are being cached somewhere.

>> At present, if a user login fails the user has to close the browser and open another in order to be able to re-enter their credentials. I want to try to get round this if possible.
>
> I don't see why that would happen. The module was designed, and tested to work properly in that situation. Can you explain more about what you're doing, how, and what browser you're using?

So far this has only been tested with IE on a patched up but otherwise standard XP machine.

The reason for the authentication is to log into a web-redirect gateway. An iptables rule redirects any unauthenticated IP/MAC pairs to the login page; on a successful login the page (a PHP page which resides in a protected folder) adds some iptables rules to allow that particular client (IP/MAC pair) through the gateway. This is why it doesn't matter that there is an instant timeout, as the client will not need to access the page again until his/her connection times out and the 'allowing' iptables rules are removed.

The removal of stale connections is handled with a cron job script that compares iptables entries to the arp table on the internal interface; if there are iptables rules for an IP/MAC pair, but no arp entry for them, then the iptables rules are removed. Quite crude, but it works.

In summary, I have index.php that users are redirected to. This page contains a 'Log In' link to a page in a protected folder, /gateway/go.php. When they click the link they are challenged for credentials; if they are correct then /gateway/go.php loads, setting some iptables rules; if it fails then we are currently loading a page called failed.php that explains to the user that they need to shut down the browser and open a new one and try again.

An aside to this: is it possible to have a couple of text boxes on the login page where the user/pass are entered which are then sent to mod_radius, as opposed to having a pop-up user/pass dialogue box?

Thanks,
Jezz Palmer.
Re: etc_passwd module doesnt authenticate
>> Module: Loaded passwd
>>  passwd: filename = /etc/samba/smbpasswd
>>  passwd: format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
>>  passwd: authtype = MS-CHAP
>
> You've configured the passwd module to set Auth-Type = MSCHAP. Don't do that.

This is the config file I am using minus all the comments:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = no
extended_expressions = no
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = yes
lower_pass = no
nospace_user = yes
nospace_pass = yes
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
        }
        passwd etc_smbpasswd {
                filename = /etc/samba/smbpasswd
                format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
                # authtype = MS-CHAP
                hashsize = 100
                ignorenislike = no
                allowmultiplekeys = no
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ntdomain_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
}
authorize {
        preprocess
        mschap
        etc_smbpasswd
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}

I commented out the Auth-Type = MSCHAP, restarted radiusd and found out how to test with radclient. I just copied the NT password from the /etc/samba/smbpasswd file and did the following:

echo User-Name = ramses, password = x | radclient 127.0.0.1 auth mysecretkey

This is the complete output:

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = yes
 main: lower_pass = no
 main: nospace_user = yes
 main: nospace_pass = yes
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = yes
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded passwd
 passwd: filename = /etc/samba/smbpasswd
 passwd: format =
Re: mod_radius, apache2 and the auth cookie.
Hi,

Palmer J.D.F. wrote:
> If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details.

Sounds like it might be the browser that's caching the bad credentials :-(

> This is why it doesn't matter that there is an instant timeout, as the client will not need to access the page again until his/her connection times out and the 'allowing' iptables rules are removed.

Note that you need to authenticate for every _file_ that's being transferred, so if your page contains e.g. any graphics (background image, icons, whatever) an instant timeout _will_ matter.

Regards,
Stefan
Re: Problems with User-Name/Stripped-User-Name
Erling Paulsen wrote:
> Only that, if there is a 'Stripped-User-Name' attribute in the request, it seems that the server automatically uses this instead of 'User-Name' when proxying.

Ah, yes. I didn't know the server does that.

Question for Alan: in src/main/proxy.c should we check the value of realm.striprealm before overwriting the User-Name with the Stripped-User-Name?

> I fixed it a little dirty by rewriting the stripped username to the 'Hint' attribute - using %{Hint} in the ldap filter, and then 'User-Name' can be used in all its full glory for EAP proxy to the remote server. If I ever must use the Hint attr I will remake a better solution.

You could add an additional attribute at the end of /etc/raddb/dictionary for that purpose.

--
Nicolas Baradakis
adding user-name to post-proxy logs
Hi - I'm logging the pre-proxy and post-proxy logs. This works fine. The proxy logs show the User-Name (and password attribute) and that is fine. However the post-proxy logs don't contain the User-Name, because the reply from the backend RADIUS server doesn't necessarily send the username as an attribute in the reply packet. Since the state must be maintained in the FreeRADIUS proxy, is it possible to add it to the logs so that troubleshooting is easier? Currently I have to match the timestamps. If I wrote the pre- and post-proxy logs to the same file I am guessing that the send/receive won't necessarily be consecutive in the logs (like they are in other single-threaded servers!).

tariq
Free Radius Compilation problem
Hi All,

I am compiling the FreeRADIUS server code on Linux kernel 2.4.20. I wanted to use it for text file authentication. I am getting the error as follows:

sql_mysql.c:39:20: errmsg.h: No such file or directory
sql_mysql.c:40:19: mysql.h: No such file or directory
gmake[10]: *** [sql_mysql.o] Error 1
gmake[9]: *** [common] Error 2
gmake[8]: *** [static] Error 2
gmake[7]: *** [common] Error 2
gmake[6]: *** [static] Error 2
gmake[5]: *** [common] Error 2
gmake[4]: *** [all] Error 2
gmake[3]: *** [common] Error 2
gmake[2]: *** [all] Error 2
gmake[1]: *** [common] Error 2
make: *** [all] Error 2

Is it a configuration problem or a library problem? Help needed. Thanks in advance.

Regards,
Wable R. U.
help
Hi,

Is there any documentation for FreeRADIUS? How and where to start?

Thanks.

--
Best Regards,
Liew Toh Seng
System Consultant, RedHat Certified Engineer
http://www.redhat.com/rhce/rhce803005004313527.html
My Directory Sdn Bhd (http://www.md.com.my)
Your Open Source Partner
RE: help
You should browse to http://www.freeradius.org. There you will find the documents.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Liew Toh Seng
Sent: Thursday, July 28, 2005 17:29
To: freeradius-users@lists.freeradius.org
Subject: help

> Hi,
>
> Is there any documentation for freeradius ? How and where to start ?
>
> Thanks.
Re: help
On Thu, 28 Jul 2005 22:29:04 +0800 Liew Toh Seng [EMAIL PROTECTED] wrote:
> Hi,
>
> Is there any documentation for freeradius ? How and where to start ?
>
> Thanks.
>
> --
> Best Regards,
> Liew Toh Seng
> System Consultant, RedHat Certified Engineer
> http://www.redhat.com/rhce/rhce803005004313527.html

http://www.google.com and http://www.freeradius.org/usage.html#help are good places to start, Mr. RedHat Certified Engineer
Re: rlm_ldap: Attribute User-Password is required for authentication
melvin [EMAIL PROTECTED] on July 24, 2005 at 02:47 -0800 wrote:
> Hi Kris,
>
> Thanks for your reply. I will be very grateful if you could post your config entries to me. Many tks.

Hi Melvin,

Please see attached. I have included the certs, passwords, etc. as they are currently testing-only ones -- and may help you get things going. The user passwords are one of two: whatever or testing123, depending on whether we needed to use a different one somewhere during our testing. :-)

Let me know if you have any other questions.

Cheers,
-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
RE: newbie questions using freeradius as wifi access point
I tried this (adding --with-static-modules=expiration) when configuring. Am I barking up the wrong tree?

./configure --localstatedir=/var --sysconfdir=/etc --with-mysql-include-dir=/usr/include/mysql --with-mysql-lib-dir=/usr/lib/mysql --with-mysql-dir=/usr/bin/mysql --with-experimental-modules --with-static-modules=expiration

I don't seem to have this 'rlm_expiration' folder or the files underneath it. Why could this be?

/freeradius-1.0.2/modules/rlm_expiration/.libs/rlm_expiration.a

am

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, July 27, 2005 7:17 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point

> Will Carter [EMAIL PROTECTED] wrote:
>> The Max-All-Session attribute is working great if I want to allow a user to buy a block of time and they can use it in increments. But say I want a user to be able to buy a block of time that will expire at a certain time regardless of how long they spend online during that time. Can you give me an idea of the direction I should go to accomplish this?
>
> Login-Time, or Expiration. See the README's.
>
> Alan DeKok
Weird situation proxying accounting packets
Hello guys,

We use FreeRADIUS on a Debian 3.1 system; I've created a hybrid distro using packages from the testing tree to use the FR release 1.0.4 (deb revision 2). This box needs to proxy both auth and acct requests to a customer server that runs Cisco ACS 2.6. The NAS is a Cisco AS5300.

Proxied authentication requests are satisfied correctly, while accounting requests are sent back with a "shared secret is incorrect" from the customer RADIUS server. Now, why, if the secret is verified correctly on authentication, do I get this error on the accounting requests? Have you ever seen something like this?

Notice that we checked out the secrets 1 times and they match perfectly; also, in my proxy.conf as well as in the clients.conf (the equivalent on FR ... I dunno what the hell ACS uses) of the customer, the shared secret is defined just once, I mean the same "secret" directive is used both for auth and acct.

Is there any library or dictionary issue I've missed to check?

Thanks for your attention, any help will be really appreciated.

Loris
Re: Freeradius + AP + Access Point Client
ManyX [EMAIL PROTECTED] wrote:
> How can I authenticate my access point CLIENT to AP in freeradius ??

raddb/clients.conf

Alan DeKok.
Re: Disconnect-Request packet
N White [EMAIL PROTECTED] wrote:
> Yes 192.168.1.1 is the NAS.

Then it's running FreeRADIUS. The error message you quoted above:

  rad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
  Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED

Can ONLY be produced from FreeRADIUS.

Alan DeKok.
Re: mod_radius, apache2 and the auth cookie.
Palmer J.D.F. [EMAIL PROTECTED] wrote:
>> You mean re-authenticate for every request? That would require source code changes.
>
> Effectively yes, see the description of what I'm trying to do below.

As was pointed out, you'll get authentication dialogs for every gif/jpg on the page. This is a BAD idea.

> If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details.

Then your browser is broken.

> So far this has only been tested with IE on a patched up but otherwise std XP machine.

Read the rants in the source code for why IE isn't a web browser.

> The reason for the authentication is to log into a web-redirect gateway. An iptables rule redirects any un-authenticated IP/MAC pairs to the login page; on a successful login the page (a php page which resides in a protected folder) adds some iptables rules to allow that particular client (IP/MAC pair) through the gateway.

There are captive portal programs that do this. Search the net for them; they'll probably be simpler to set up, and will work with IE.

Alan DeKok.
Re: etc_passwd module doesnt authenticate
Ramses van Pinxteren [EMAIL PROTECTED] wrote:
>> You've configured the passwd module to set Auth-Type = MSCHAP. Don't do that.
>
> This is the config file I am using minus all the comments:

That's nice. It's also irrelevant. I asked you to change *one* thing, not to show your entire config.

> rad_recv: Access-Request packet from host 127.0.0.1:32774, id=224, length=62
>         User-Name = ramses
>         User-Password = 95903FD81E9ECFEC17306D272A9441BB

Is that really the password? I doubt it very much.

> rlm_passwd: Added LM-Password: '95903FD81E9ECFEC17306D272A9441BB' to config_items

Ah, yes. You're giving the client the hashed password, not the real password. That's wrong.

> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

So set Auth-Type. But don't set it to MS-CHAP.

Alan DeKok.
Re: Problems with User-Name/Stripped-User-Name
Nicolas Baradakis [EMAIL PROTECTED] wrote:
> Question for Alan: in src/main/proxy.c should we check the value of realm.striprealm before overwriting the User-Name with the Stripped-User-Name?

Sure.

Alan DeKok.
Re: adding user-name to post-proxy logs
Tariq Rashid [EMAIL PROTECTED] wrote:
> since the state must be maintained in the freeradius proxy - is it possible to add it to the logs so that troubleshooting is easier? currently i have to match the timestamps.

Which log are you talking about?

Alan DeKok.
Re: Free Radius Compilation problem
Ranjitsinh Wable [EMAIL PROTECTED] wrote:
> I am getting the error as follows:
> sql_mysql.c:39:20: errmsg.h: No such file or directory

Install the MySQL libraries and headers?

Alan DeKok.
Re: Weird situation proxying accounting packets
The reason is that the shared secret is wrong.

RADIUS accounting packets are signed by the client and the signature is checked by the server. The authenticator is generated by the client from the packet contents and forms this signature. The server checks this signature.

Authentication packets are not signed, so no problem is detected by the server. The client checks the response packet's signature. The authenticator is a random number generated by the client. The packet is not signed, but the response packet is signed for the client to check.

Why is this so? Authentication packets are trusted by the server. It's the client that must determine if the packet is signed correctly before it accepts authentication. The client doesn't trust the server. The server trusts accounting packets because they are correctly signed.

Loris Fadda wrote:
> Hello guys,
>
> We use freeradius on a Debian 3.1 system, I've created an hybrid distro using packets from the testing tree to use the FR release 1.0.4 (deb revision 2). This box needs to proxy both auth and acct requests to a customer server that runs Cisco ACS 2.6. The NAS is Cisco AS5300.
>
> Proxyied authentication requests are satisfyed correctly, while accounting requests are sent back with a shared secret is incorrect from the customer radius server. Now, why if the secret is verified correctly on authentication I get this error on the accounting requests. Have you ever seen something like this?
>
> Notice that we checked out the secrets 1 times and they match perfectly, also, in my proxy.conf as well as in the clients.conf (the equivalent on FR ... I donno what the hell ACS uses) of the customer the shared secret is defined just once, I mean the same directive secret is used both for auth and acct.
>
> Is there any library or dictionary issue I've missed to check?
>
> Thanks for your attention any help will be really appreciated.
>
> Loris
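The authenticator rules described in the reply above, carried through as an added example that is not part of the thread and not code from FreeRADIUS or Cisco ACS. It builds an Accounting-Request and an Access-Request the way a NAS or proxy would (RFC 2865/2866 layouts; attribute numbers are the RFC ones, while the secrets, user name and Acct-Status-Type value are constructed), then shows what the home server can check in each case: the Accounting-Request authenticator is recomputed from the packet and the secret, so a wrong secret is caught, whereas the Access-Request authenticator is random and a wrong secret only turns the hidden User-Password into garbage. The Response Authenticator check that the proxy applies to replies is included as well. Making Access-Requests verifiable needs the Message-Authenticator attribute of RFC 3579, which is outside this example.

```python
"""RADIUS authenticators per RFC 2865/2866, as an added illustration of the reply above.
Not code from the thread, FreeRADIUS or Cisco ACS. Secrets, user names and the
Acct-Status-Type value used below are constructed sample data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 4, 5
HEADER_LEN = 20                                          # code, id, length(2), authenticator(16)
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE = 1, 2, 40    # RFC attribute numbers


def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs: type, length including this header, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def header(code, ident, body):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body))


def hide_password(password, secret, request_auth):
    """User-Password hiding: each 16-octet block XORed with MD5(secret + previous block)."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password. With the wrong secret this silently yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """Access-Request: Request Authenticator is 16 random octets, so nothing in the
    packet lets the server verify the secret (absent Message-Authenticator, RFC 3579)."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return header(ACCESS_REQUEST, ident, body) + request_auth + body


def build_accounting_request(ident, attrs, secret):
    """Accounting-Request: Request Authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    body = encode_attrs(attrs)
    hdr = header(ACCOUNTING_REQUEST, ident, body)
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """The server-side check whose failure is reported as a bad shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def build_response(code, request, attrs, secret):
    """Any reply: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    body = encode_attrs(attrs)
    hdr = header(code, request[1], body)
    return hdr + hashlib.md5(hdr + request[4:HEADER_LEN] + body + secret).digest() + body


def verify_response(response, request, secret):
    """The client-side check; a proxy applies it to the home server's reply."""
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


def server_view(packet, secret):
    """What the home server can conclude about the shared secret from one request."""
    if packet[0] == ACCOUNTING_REQUEST:
        return "ok" if verify_accounting_request(packet, secret) else "shared secret is incorrect"
    if packet[0] == ACCESS_REQUEST:
        return "unverifiable"      # a wrong secret only garbles User-Password
    return "unknown code"


if __name__ == "__main__":
    secret, wrong = b"testing123", b"wr0ng"   # constructed secrets
    acct = build_accounting_request(5, [(USER_NAME, b"loris"),
                                        (ACCT_STATUS_TYPE, b"\x00\x00\x00\x01")], secret)
    print("acct with right secret:", server_view(acct, secret))
    print("acct with wrong secret:", server_view(acct, wrong))
    auth = build_access_request(9, b"loris", b"whatever", secret)
    print("auth with wrong secret:", server_view(auth, wrong),
          reveal_password(auth[29:45], wrong, auth[4:HEADER_LEN]))
```

In the thread's situation this means the ACS complaint is exactly the verify_accounting_request() failure: the proxy signs the forwarded Accounting-Request with the secret from its proxy.conf, and the only secret the home server will accept is the one it has configured for the proxy's source address. Authentication "working" says nothing about that secret, because a mismatched secret on an Access-Request only produces a wrong password and therefore an Access-Reject that looks like a bad credential, not a secret error; comparing the proxy's source address and secret on both ends is the check to make.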
Re: Simultaneous-Use
Jeremy Kenney [EMAIL PROTECTED] wrote:
> We use freeradius with mysql. I am having problems with users dialing into the system more then once from more then one location at the sometime. I.E a simultaneous use problem. I cannot check against the NAS because we don't have our own nases and are doing pass-thru radius authentication.

Simultaneous-Use will still work.

> I need to do some kind of simultaneous use checking I'm really frustrated can someone point me in the right direction.

doc/Simultaneous-Use ?

Alan DeKok.
Re: Simple question about Event-Timestamp
Valeriy V. Peshkoff [EMAIL PROTECTED] wrote:
> How can i add correct event-timestamp using preproxy_users? Or may be there is a another way?

I think the version you're using doesn't support reading dates as large numbers. This should work in the CVS head.

Alan DeKok.
Re: newbie questions using freeradius as wifi access point
Will Carter [EMAIL PROTECTED] wrote:
> When I configured the freeradius install I used --with-experimental-modules. So, I checked out what rlm*.so modules are in /usr/local/lib/ rlm_expiration is not there

Which version of the server are you running?

Alan DeKok.
RE: newbie questions using freeradius as wifi access point
freeradius-1.0.2

I noticed that the docs I was looking at that mentioned rlm_expiration were for a different version. So that explains why I wouldn't have that module.

I still should be able to make an insert into radcheck such as the following and expect my NAS to get a Session-Timeout, correct?

insert into radcheck (username, attribute, op, value) values ('testUser','Expiration',':=','25 May 2006 15:31')

Seems that I am having the same sort of problem as this post:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-March/042308.html

Any ideas?

-will

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, July 28, 2005 1:04 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point

> Will Carter [EMAIL PROTECTED] wrote:
>> When I configured the freeradius install I used --with-experimental-modules. So, I checked out what rlm*.so modules are in /usr/local/lib/ rlm_expiration is not there
>
> Which version of the server are you running?
>
> Alan DeKok.
RE: newbie questions using freeradius as wifi access point
I installed version 1.0.4, reconfigured and tried again. Still getting the same issue. Any ideas?

Thanks,
will

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, July 28, 2005 1:04 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point

> Will Carter [EMAIL PROTECTED] wrote:
>> When I configured the freeradius install I used --with-experimental-modules. So, I checked out what rlm*.so modules are in /usr/local/lib/ rlm_expiration is not there
>
> Which version of the server are you running?
>
> Alan DeKok.
RE: newbie questions using freeradius as wifi access point
I apologize for posting again. Am I correct in thinking that this issue has been addressed after the 1.0.4 release? This post is making me think this:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/044769.html

Am I correct to think that if I install one of the nightly builds that is after 1.0.4, then this issue should be addressed? I actually tried to install the 07282005 snapshot but it wouldn't compile.

Thanks, and please excuse my ignorance. Any info you can provide would be greatly appreciated.

will

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Will Carter
Sent: Thursday, July 28, 2005 1:35 PM
To: 'FreeRadius users mailing list'
Subject: RE: newbie questions using freeradius as wifi access point

> freeradius-1.0.2
>
> I noticed that the docs I was looking at that mentioned rlm_expiration was a different version. So that explains why I wouldn't have that module.
>
> I still should be able to make an insert into radcheck such as the following and expect my nas to get a session-timeout, correct?
>
> insert into radcheck (username, attribute, op, value) values ('testUser','Expiration',':=','25 May 2006 15:31')
>
> seems that I am having the same sort of problem as this post.
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-March/042308.html
>
> any ideas?
>
> -will
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: Thursday, July 28, 2005 1:04 PM
> To: FreeRadius users mailing list
> Subject: Re: newbie questions using freeradius as wifi access point
>
> Will Carter [EMAIL PROTECTED] wrote:
>> When I configured the freeradius install I used --with-experimental-modules. So, I checked out what rlm*.so modules are in /usr/local/lib/ rlm_expiration is not there
>
> Which version of the server are you running?
>
> Alan DeKok.
ICRadius to FreeRadius Migration
Hello all.

I've been put in a situation in which I am forced to replace our old icradius server. Upon finding that support and development for icradius has been discontinued for quite some time, I was persuaded to give FreeRadius a shot due to its widespread acceptance, praise, and most naturally its snappy web front-end. I'm now stuck with the task of migrating our old (mySQL) databases, as we have far too many users to re-enter manually. Whilst I have done my best to make the original icradius tables congruent with the new freeradius setup, my efforts have been rewarded with a week of frustration.

Unfortunately, even the wise google has come up nearly empty-handed in our searches for a tutorial or even some small scrap of information relevant to quick-and-painless or just slightly painful migration; thus I turn to this mailing list - if anyone has come across and could point myself and fellow archive-searchers in the direction of a resource, no matter how mind-tearing or vague, it would be very much appreciated; any place to start is a good place as I'm just picking this up as I go along.

My basic setup is as such:

Old ICRadius server -- Mandrake 9.1, Apache 2.x, icradius 0.18 with php front-end, mysql 4 installed locally
New FreeRadius server -- Gentoo Linux, apache 2.x, php4.x, freeradius 1.0.2-5, freeradius-dialupadmin 1.70, mysql installed elsewhere
Standalone mySQL Server -- Gentoo Linux, Apache 2.x, php4.x, phpMyAdmin 2.6.3 (which is what I have done the bulk of my table-tinkering with), mySQL 4.0.24

I presently have the old icradius database sitting in the standalone sql server (while the production and up-to-date version remains on the original server) as 'oldradius' and the freeradius installation-script-generated database as 'radius'. All I've really done thus far is modify the structure of the tables in 'oldradius' so that they can be easily copied. Unfortunately, this presents the problem of having several columns with null or incorrect values.

It would really help to know if there are some key default values that will get things done even in the dirtiest of manners, if anyone is familiar with the differences between icradius and freeradius in dealing with mySQL.

Thanks in advance to any who reply; if nothing at all, it will certainly be beneficial to the apparent lack of documentation on these situations.

Karma Foxx
Re: newbie questions using freeradius as wifi access point
Will Carter [EMAIL PROTECTED] wrote:
> Am I correct to think that if I install one of the nightly builds that is after the 1.0.4, then this issue should be addressed. I actually tried to install the 07282005 snapshot but it wouldn't compile.

Hmm... that's not good. Anyways, the latest snapshots change a *lot* more than you need. I suggest doing a cvs checkout yourself:

  $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
  blah
  $ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0 radiusd

Should get you 1.0.4 with a few fixes.

Alan DeKok.
Re: ICRadius to FreeRadius Migration
Karma Foxx [EMAIL PROTECTED] wrote:
> All I've really done thus far is modify the structure of the tables in 'oldradius' so that they can be easily copied. Unfortunately, this presents the problem of having several columns with null or incorrect values.

Are you willing to say which columns, or do we have to guess?

> Thanks in advance to any who reply; if nothing at all, it will certainly be beneficial to the apparent lack of documentation on these situations.

FreeRADIUS includes documentation on how to configure it. It doesn't include documentation on migrating from other radius server X, version Y, to FreeRADIUS. That kind of documentation is potentially infinite in size.

Alan DeKok.
RE: newbie questions using freeradius as wifi access point
Ok, now I am completely into new territory. Never did a cvs checkout before. Learn something new every day.

Just to be clear before I keep going down this track... My underlying problem is that I am setting an Expiration value in radcheck, but Session-Timeout is not getting returned in the authorization request in line with the Expiration value I inserted. Based on this post:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/044769.html

I believe that a fix was made to this problem that is not in the 1.0.4 release, and somehow I have to get my hands on a version of freeradius that has the fix (rlm_expiration module is in there). Am I correct?

Thanks,
-will

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, July 28, 2005 5:23 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point
german freeradius forum
Hello, Please apologize that the following is in german only. It's an announcement of a german forum about freeradius.

---

I hope it is OK to write this to the list. I have found a German-language forum about FreeRADIUS: www.freeradius.de. It is not very lively yet, but perhaps that can be changed. Please excuse me for simply advertising it here, but I think it is a good thing. Personally I'm not a fan of mailing lists and find an exchange in German easier.

Greetings / best regards,
Peter
Re: Authentication Responses during error conditions
I am a bit confused now. I understood that if a module returns RLM_MODULE_FAIL that radiusd would not return an authorization reject. However, it appears that it still does.

  rad_recv: Access-Request packet from host 127.0.0.1:53579, id=193, length=71
          User-Name = visitor
          User-Password = asdfjkle
          Called-Station-Id = 8053342021
          Calling-Station-Id = 3232546586
  rad_lowerpair: User-Name now 'visitor'
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 59
  modcall[authorize]: module preprocess returns ok for request 0
  users: Matched entry visitor at line 51
  modcall[authorize]: module files returns ok for request 0
  rlm_lafn: Found USER_NAME
  rlm_lafn: Found NAS
  rlm_lafn: Found Calling ID
  rlm_lafn: Found Called ID
  rlm_lafn: Found Hint
  get_time returns 60
  Unable to connect to 0: Can't connect to MSQL server on 0
  modcall[authorize]: module lafn returns fail for request 0
  modcall: group authorize returns fail for request 0
  There was no response configured: rejecting request 0
  Server rejecting request 0.
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Sending Access-Reject of id 193 to 127.0.0.1:53579
  Waking up in 4 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 193 with timestamp 42e96be9
  Nothing to do. Sleeping until we see a request.

  zool# ./visitor
  Received response ID 193, code 3, length = 20

From radiusd.conf:

  # Authorization. First preprocess (hints and huntgroups files),
  authorize {
          preprocess
          files
          lafn
  }
Re: Authentication Responses during error conditions
Doug Hardie [EMAIL PROTECTED] wrote:
> I am a bit confused now. I understood that if a module returns RLM_MODULE_FAIL that radiusd would not return an authorization reject. However, it appears that it still does.

RADIUS servers are supposed to return Access-Reject's for Access-Accepts, rather than just dropping the packets.

> modcall: group authorize returns fail for request 0
> There was no response configured: rejecting request 0

That's what the server does. If the server *requires* a back-end DB, and that DB is down, then arguably the server can pretend it's down, too.

Alan DeKok.
Re: Disconnect-Request packet
Alan DeKok wrote:
> N White [EMAIL PROTECTED] wrote:
>> Yes 192.168.1.1 is the NAS.
>
> Then it's running FreeRADIUS. The error message you quoted above:
>
>   ad_recv: Disconnect-Request packet from host 192.168.1.2:47874, id=139, length=31
>   Unknown packet code 40 from client 192.168.1.2:47874 - ID 139 : IGNORED
>
> Can ONLY be produced from FreeRADIUS.
>
> Alan DeKok.

That's correct. Read my second reply. So other than writing custom scripts, is there a way for the RADIUS server (FreeRADIUS) to be told to send a disconnect packet to the NAS that a particular user is logged in to (NAS could vary: Portmaster, Cisco, PPPoE Server, VPN Server, etc.)?

Thanks!

-- 
Nick White
Network Administrator
Tele-NET Internet
http://www.tele-net.net
[EMAIL PROTECTED]
Re: Disconnect-Request packet
N White [EMAIL PROTECTED] wrote:
> That's correct. Read my second reply. So other than writing custom scripts, is there a way for the RADIUS server (FreeRADIUS) to be told to send a disconnect packet to the NAS that a particular user is logged in to (NAS could vary: Portmaster, Cisco, PPPoE Server, VPN Server, etc.)?

No.

And I *still* don't understand your situation. You claim 192.18.1.1 is the NAS, and you also claim it's FreeRADIUS. That makes no sense.

Alan DeKok.
Re: Disconnect-Request packet
On Thu, Jul 28, 2005 at 06:20:35PM -0700, N White wrote:
> That's correct. Read my second reply. So other than writing custom scripts, is there a way for the RADIUS server (FreeRADIUS) to be told to send a disconnect packet to the NAS that a particular user is logged in to (NAS could vary: Portmaster, Cisco, PPPoE Server, VPN Server, etc.)?

Nope, you have to write custom scripts. FreeRADIUS has nothing to do with (and wants nothing to do with) the disconnect packets.

Usually, you would have a script that checks for whatever condition you're basing the disconnect on, and calls radclient (or telnet, or whatever the interface your NAS/downstream provides for this) to do the disconnect. (I've also seen SNMP and SOAP, and I really don't think FreeRADIUS is the right tool to automate a phone call to the NOC. ^_^)

While you _could_ integrate disconnect into FreeRADIUS using a mechanism similar to checkrad, it'd be pretty daft, since the authentication checks the wrong details (this is an administrative request, not a user request) and sends the wrong way (this is an unsolicited packet to a NAS, not to a RADIUS proxy). This last point seems trivial until you try to proxy backwards through a chain you have only the last hop of, and the last hop doesn't necessarily know what the previous hop was. (I vaguely remember someone discussing a static reverse-NAS route config file at some point. Luckily, no one tried to turn that into code.)

Bash and perl are both simpler and easier shells for this than FreeRADIUS. ^_^

-- 
Paul TBBle Hampson, on an alternate email client.
Simultaneous-Use Problem
I have posted this twice now; I was wondering if someone would be kind enough to possibly answer it.

Hello, I am a very frustrated free radius user at this point. It's most likely my brain not working right, but here is my problem. I have a free radius server that does authentication for our slipstream accelerator. The accelerator passes an attribute to the radius server and identifies the client into a group. This works fine. However, I am having problems elsewhere: we currently want to use the same radius server to do dialup authentication. It currently is working to do this. We use freeradius with mysql. I am having problems with users dialing into the system more than once from more than one location at the same time, i.e. a simultaneous use problem. I cannot check against the NAS because we don't have our own NASes and are doing pass-thru radius authentication. I need to do some kind of simultaneous use checking. I'm really frustrated; can someone point me in the right direction?
RE: newbie questions using freeradius as wifi access point
Ok, I am not getting this to work after numerous tries and am feeling frustrated and ignorant.

  $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
  $ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0 radiusd

Is it correct to say that after I successfully execute the 2 commands above I should have a set of code that I need to compile with configure, make, and make install? When I attempt this, I get a set of files but am not successful at compiling them.

Thanks, and I appreciate your patience or any advice you can give.
-will

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, July 28, 2005 5:23 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point
Re: Authentication Responses during error conditions
On Jul 28, 2005, at 17:09, Alan DeKok wrote:
> RADIUS servers are supposed to return Access-Reject's for Access-Accepts, rather than just dropping the packets.
>
> If the server *requires* a back-end DB, and that DB is down, then arguably the server can pretend it's down, too.

I am trying to get the Ascend NASs to switch to the secondary radius server when the primary has a failure condition. I know that no response will cause that, but haven't been able to find any way to make the switch occur when the primary is not working properly. Is there a particular value to send back that would cause the switch?
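The debug trace quoted earlier in this thread shows the failure mode Alan describes: a module returns "fail" because its database is unreachable, and the NAS receives an ordinary Access-Reject, so it never fails over to the secondary server and users are simply locked out. The script below is an added example (not code from the thread or from FreeRADIUS) that scans radiusd debug output and separates rejects caused by a module failure from rejects that were genuine policy decisions; the log excerpt is constructed after the one above, and the line patterns assume the 1.x "radiusd -X" wording.

```python
import re
from typing import Dict

# Constructed excerpt modelled on the radiusd -X output quoted in this thread:
# request 0 is rejected because module "lafn" could not reach its database,
# request 1 is an ordinary bad-password reject added for contrast.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:53579, id=193, length=71
modcall[authorize]: module files returns ok for request 0
Unable to connect to 0: Can't connect to MSQL server on 0
modcall[authorize]: module lafn returns fail for request 0
There was no response configured: rejecting request 0
Sending Access-Reject of id 193 to 127.0.0.1:53579
rad_recv: Access-Request packet from host 127.0.0.1:53580, id=194, length=71
modcall[authenticate]: module pap returns reject for request 1
Sending Access-Reject of id 194 to 127.0.0.1:53580
"""

RECV_RE = re.compile(r"rad_recv: Access-Request packet from host \S+, id=(\d+)")
MODCALL_RE = re.compile(r"modcall\[\w+\]: module (\S+) returns (\w+) for request (\d+)")
SEND_RE = re.compile(r"Sending (Access-\w+) of id (\d+) to")


def classify(log_text: str) -> Dict[int, dict]:
    """Map request number -> {packet_id, failed_modules, sent, verdict}.
    Assumes radiusd -X (single-threaded): each rad_recv opens the next request."""
    outcomes: Dict[int, dict] = {}
    by_packet_id: Dict[int, dict] = {}
    current = -1
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RECV_RE.match(line):
            current += 1
            outcomes[current] = {"packet_id": int(m.group(1)),
                                 "failed_modules": [], "sent": None}
            by_packet_id[int(m.group(1))] = outcomes[current]
        elif (m := MODCALL_RE.match(line)) and m.group(2) == "fail":
            outcomes[int(m.group(3))]["failed_modules"].append(m.group(1))
        elif m := SEND_RE.match(line):
            by_packet_id[int(m.group(2))]["sent"] = m.group(1)
    for o in outcomes.values():
        # A reject that followed a module "fail" is infrastructure trouble shown
        # to the NAS as a normal reject, so the NAS never fails over.
        if o["sent"] == "Access-Reject" and o["failed_modules"]:
            o["verdict"] = "backend-failure-reject"
        elif o["sent"] == "Access-Reject":
            o["verdict"] = "policy-reject"
        else:
            o["verdict"] = "other"
    return outcomes
```

Counting "backend-failure-reject" verdicts per minute gives an operator the alert that the NAS failover described above will not fire on its own.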