Re: Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC

2007-07-11 Thread Stefan Winter
Hi,

> of course, a GPLed, ActiveX / Java / other browser-based endpoint
> posture assessment client, for use in fallback non-802.1x (walled-garden)
> mode. could also work after 802.1x

It is actually quite important. If you are in a roaming scenario where your 
EAP session goes to your home ISP, it makes no sense to tie the posture 
information into the EAP session - it's the *access network* at the roaming 
place that needs to know how healthy your computer is. The home ISP at the 
other end of the world doesn't care that much.
My general preference is that any NAC solution should keep *authentication* 
(EAP session) and *health assessments* in separate channels.
I'm happy that Cisco is following that line of thinking in their NAC solution, 
by offering a web-based or downloadable client *after* the EAP session if 
need be. It still *can* be tied into EAP, but it's optional. IMO, the way to 
go. Anyone implementing a NAC solution (i.e.: you) should keep this in mind, 
I'm glad you do.
BTW, are you following the discussions in the IETF concerning NAC and friends 
(the nea - network endpoint assessment wg)? If this wg produces 
implementable results, your solution should be in line with it to ensure 
interoperability...

It's another topic that I'm overall sceptical of NAC, IMO a network should 
only reactively shut a client down *after* it did something wrong, not 
proactively sniff around the local environment and lock it away at once. But 
NAC is here to stay I guess. :-(

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Engineer, Research & Development

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

NAC

2007-07-11 Thread Alan DeKok
Stefan Winter wrote:
> It is actually quite important. If you are in a roaming scenario where your
> EAP session goes to your home ISP, it makes no sense to tie the posture
> information into the EAP session - it's the *access network* at the roaming
> place that needs to know how healthy your computer is. The home ISP at the
> other end of the world doesn't care that much.

  It cares a little.  It may want to require certain software updates,
too.  But the local network cares more.

> My general preference is that any NAC solution should keep *authentication*
> (EAP session) and *health assessments* in separate channels.

  That makes sense, but not everyone sees it that way, unfortunately.

> BTW, are you following the discussions in the IETF concerning NAC and friends
> (the nea - network endpoint assessment wg)? If this wg produces
> implementable results, your solution should be in line with it to ensure
> interoperability...

  I'm sure you've seen my messages on NEA... I have serious doubts about
 it.  For a number of reasons.

> It's another topic that I'm overall sceptical of NAC, IMO a network should
> only reactively shut a client down *after* it did something wrong, not
> proactively sniff around the local environment and lock it away at once. But
> NAC is here to stay I guess. :-(

  I understand it's useful to set requirements for network access.  You
need a username, password, and a system that isn't susceptible to
viruses.  The pro-active scanning is nearly impossible to implement
correctly.  NEA largely seems like a group of people who want to
standardize a pre-existing solution, and are surprised that there are
people with different points of view.

  Alan DeKok.


Re: Freeradius 2.0 - vmps feature, accuracies on FreeNAC

2007-07-11 Thread Alan DeKok
Thomas Dagonnier wrote:
> Would you agree to close that part of the discussion ?

  Fine.

> sorry, this was a late email and I forgot important details like had in
> mind with additional (NAC) features and the for windows is implied
> by the vast majority of windows-based computers.

  wpa_supplicant works on Windows.  It's already been accepted into
nearly all Linux & BSD distributions, too.

> so indeed, the most likely candidates are SecureW2 and open1x/opensea
> xsupplicant, but none of them are there yet.

  Notice how the OpenSEA announcement included a quote from me, and
mentioning FreeRADIUS?

> so there's no plan, but a properly formatted, cleaned version would find
> its place ?

  As always, patches are welcome.

> Would you be open to implement Microsoft's IF-TNCCS-SOH in that context ?

  If someone sends a patch, yes.  I'm too busy to do the work myself.

  Alan DeKok.


Proxying doesn't work!

2007-07-11 Thread Federico Giannici
We have had a working FreeRADIUS 1.1.4 running for many months.
Now we have to proxy the requests for a realm (gtenet.it) to a given 
RADIUS server, but our server seems to ignore the proxy configuration!

I have set proxy_requests = yes and included the proxy.conf file 
(I'm sure of these, I looked at the debug output).

Here is our proxy.conf file:

proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 3
        dead_time = 120
        default_fallback = yes
        post_proxy_authorize = no
}
realm gtenet.it {
        type = radius
        authhost = 195.103.212.53:1645
        accthost = 195.103.212.53:1646
        secret = X
}

When a request for [EMAIL PROTECTED] is received, it goes through the 
authorization and then, instead of being proxied, it goes through 
authentication and obviously fails!

Here is the output of the server in debug mode:

Jul 10 18:55:29 aragorn radiusd[23262]: Going to the next request
Jul 10 18:55:29 aragorn radiusd[23262]: Waking up in 6 seconds...
Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair:  User-Name now 
'[EMAIL PROTECTED]'
Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair:  User-Password 
now ''
Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair:  User-Name now 
'[EMAIL PROTECTED]'
Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair:  User-Password 
now ''
Jul 10 18:55:29 aragorn radiusd[23262]:   Processing the authorize 
section of radiusd.conf
Jul 10 18:55:29 aragorn radiusd[23262]: modcall: entering group 
authorize for request 72
Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module 
preprocess returns ok for request 72
Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module 
nm returns noop for request 72
Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module 
chap returns noop for request 72
Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module 
mschap returns noop for request 72
Jul 10 18:55:29 aragorn radiusd[23262]: rlm_pap: WARNING! No known 
good password found for the user.  Authentication may fail because of this.
Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module 
pap returns noop for request 72
Jul 10 18:55:29 aragorn radiusd[23262]: modcall: leaving group authorize 
(returns ok) for request 72
Jul 10 18:55:29 aragorn radiusd[23262]: auth: No authenticate method 
(Auth-Type) configuration found for the request: Rejecting the user
Jul 10 18:55:29 aragorn radiusd[23262]: auth: Failed to validate the user.

Any hints of what could be the problem?


Thanks.

-- 
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it


Re: Proxying doesn't work!

2007-07-11 Thread Tomas Hoger
Hi Federico!

Check default radiusd.conf and search for realm and suffix.  It
looks like you're not calling rlm_realm in authorize.

th.




Re: Proxying doesn't work!

2007-07-11 Thread Kostas Zorbadelos
On Wed, Jul 11, 2007 at 09:22:32AM +0200, Federico Giannici wrote:
> We have had a working FreeRADIUS 1.1.4 running for many months.
> Now we have to proxy the requests for a realm (gtenet.it) to a given
> RADIUS server, but our server seems to ignore the proxy configuration!
>
> I have set proxy_requests = yes and included the proxy.conf file
> (I'm sure of these, I looked at the debug output).
>
> Here is our proxy.conf file:
>
> proxy server {
>   synchronous = no
>   retry_delay = 5
>   retry_count = 3
>   dead_time = 120
>   default_fallback = yes
>   post_proxy_authorize = no
> }
> realm gtenet.it {
>   type = radius
>   authhost = 195.103.212.53:1645
>   accthost = 195.103.212.53:1646
>   secret = X
> }
>
> When a request for [EMAIL PROTECTED] is received, it goes through the
> authorization and then, instead of being proxied, it goes through
> authentication and obviously fails!
>

You need to uncomment the suffix module in the authorize section. 

> Here is the output of the server in debug mode:
>
> Jul 10 18:55:29 aragorn radiusd[23262]: Going to the next request
> Jul 10 18:55:29 aragorn radiusd[23262]: Waking up in 6 seconds...
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair:  User-Name now
> '[EMAIL PROTECTED]'
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair:  User-Password
> now ''
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair:  User-Name now
> '[EMAIL PROTECTED]'
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair:  User-Password
> now ''
> Jul 10 18:55:29 aragorn radiusd[23262]:   Processing the authorize
> section of radiusd.conf
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall: entering group
> authorize for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module
> preprocess returns ok for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module
> nm returns noop for request 72
^

I don't know this module. Have you named an instance of a known module
this way?

> Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module
> chap returns noop for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module
> mschap returns noop for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: rlm_pap: WARNING! No known
> good password found for the user.  Authentication may fail because of this.
> Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module
> pap returns noop for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall: leaving group authorize
> (returns ok) for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: auth: No authenticate method
> (Auth-Type) configuration found for the request: Rejecting the user
> Jul 10 18:55:29 aragorn radiusd[23262]: auth: Failed to validate the user.
>
> Any hints of what could be the problem?
 
 

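Tomas's and Kostas's answers come down to the same point: realm handling is not automatic. It is the `suffix` instance of rlm_realm, listed in the `authorize` section of radiusd.conf, that splits the realm off the User-Name and marks the request for proxying; without it, the realm defined in proxy.conf is never consulted and the server falls through to local authentication with no Auth-Type, which is the reject in the debug output. The model below is an added illustration in Python, not FreeRADIUS code and not from anyone in the thread. It assumes a constructed user name alice@gtenet.it, a placeholder shared secret, and hypothetical helper names (`suffix_realm`, `pap_authorize`, `run_authorize`) that simplify what the real modules do.

```python
"""Why a realm is proxied only when rlm_realm runs in `authorize`.

Added illustration, not FreeRADIUS code: a simplified model of the `suffix`
instance of rlm_realm and of the decision the server makes after the
authorize section. The user name alice@gtenet.it is constructed and the
secret is a placeholder."""

# Mirrors the realm from the thread's proxy.conf. A realm whose authhost is
# LOCAL is handled locally; anything else is a proxy target.
REALMS = {
    "gtenet.it": {"authhost": "195.103.212.53:1645",
                  "accthost": "195.103.212.53:1646",
                  "secret": "<shared-secret-placeholder>"},
}


def suffix_realm(request, realms=REALMS, delimiter="@"):
    """Model of rlm_realm in 'suffix' format.

    Split User-Name at the last delimiter and look the realm up. A name with
    no delimiter is looked up as realm NULL and an unknown realm falls back
    to DEFAULT, as FreeRADIUS 1.x does when ignore_null/ignore_default are
    off. A remote realm gets Proxy-To-Realm set, and that alone is what
    makes the server proxy the request. Returns the module return code.
    """
    name = request.get("User-Name")
    if name is None:
        return "noop"
    if delimiter in name:
        user, realm_name = name.rsplit(delimiter, 1)
    else:                       # "No '@' in User-Name ..., looking up realm NULL"
        user, realm_name = name, "NULL"
    key = realm_name if realm_name in realms else "DEFAULT"
    realm = realms.get(key)
    if realm is None:           # "No such realm"
        return "noop"
    request["Stripped-User-Name"] = user
    request["Realm"] = key
    if realm["authhost"] != "LOCAL":
        request["Proxy-To-Realm"] = key
    return "updated"


def pap_authorize(request):
    """Model of rlm_pap in authorize: it sets Auth-Type = PAP only when an
    earlier module supplied a known good password for the user."""
    if "Cleartext-Password" in request and "Auth-Type" not in request:
        request["Auth-Type"] = "PAP"
        return "updated"
    return "noop"               # "No known good password found for the user."


def run_authorize(request, modules):
    """Run the authorize modules in order, then decide as the server does:
    proxy if Proxy-To-Realm is set, reject if no Auth-Type was chosen,
    otherwise authenticate locally."""
    codes = [(name, module(request)) for name, module in modules]
    if "Proxy-To-Realm" in request:
        target = REALMS[request["Proxy-To-Realm"]]["authhost"]
        return codes, "proxy to " + target
    if "Auth-Type" not in request:
        return codes, "reject: No authenticate method (Auth-Type) configuration found"
    return codes, "authenticate locally with Auth-Type " + request["Auth-Type"]


if __name__ == "__main__":
    # Without suffix (the thread's situation): nothing sets Proxy-To-Realm.
    req = {"User-Name": "alice@gtenet.it", "User-Password": "constructed"}
    print(run_authorize(req, [("pap", pap_authorize)]))
    # With suffix enabled: the realm is recognised and the request is proxied.
    req = {"User-Name": "alice@gtenet.it", "User-Password": "constructed"}
    print(run_authorize(req, [("suffix", suffix_realm), ("pap", pap_authorize)]))
```

Run with python3: the first call ends in the same reject as the thread's log, the second in a proxy to 195.103.212.53:1645. Order matters in the real server as well: `suffix` has to run before the modules that pick an Auth-Type (files, pap), which is why the default radiusd.conf lists it early in authorize.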

Cisco with Freeradius problem.

2007-07-11 Thread coroy barte

Hi there,

I would like to ask where in my Cisco configuration there is a problem. First
I used MPD as my LNS and encountered no problem authenticating to
FreeRADIUS, but when I changed my LNS to Cisco it seems I can't log in. What
are the possible problems in my configuration? Is it the Cisco or FreeRADIUS
that has a problem setting? What would be the cause of the problem as stated in the
log?

I attach the logs for review.

Thank you and more power.

--coroy


Cisco log:

*May 22 15:43:51.404: ppp253 PAP: I AUTH-REQ id 186 len 19 from coroy
*May 22 15:43:51.404: ppp253 PAP: Authenticating peer coroy
*May 22 15:43:51.412: AAA/AUTHEN/PPP (0132): Pick method list 'default'
*May 22 15:43:51.412: AAA/ATTR(0132): copy lists
*May 22 15:43:51.412: AAA/ATTR(0132): new list: 6459A2A8 old list:
645943E4
*May 22 15:43:51.412: AAA/ATTR(0132): new list: 644B8774
*May 22 15:43: 51.412: AAA/ATTR(0132): add attr: 644B878C 0 0002
Framed-Protocol(62) 4 PPP
*May 22 15:43:51.412: AAA/ATTR(0132): add attr: 644B87A0 0 0009
username(318) 5 coroy
*May 22 15:43:51.412: AAA/ATTR(0132): add attr: 644B87B4 0 0009
password(226) 8 70 61 73 73 77 6F 72 64
*May 22 15:43:51.412: ppp253 PPP: Sent PAP LOGIN Request
*May 22 15:43:51.412: AAA SRV(0132): process authen req
*May 22 15:43:51.412: AAA SRV(0132): Authen method=SERVER_GROUP IWC
*May 22 15:43:51.412 : AAA/ATTR(0132): cursor init: 63958DC0 644B8774
none unknown
*May 22 15:43:51.412: AAA/ATTR(0132): find :644B87A0 0 0009
username(318) 5 coroy
*May 22 15:43:51.412: AAA/ATTR(0132): cursor init: 63958E50 644B8774
none unknown
*May 22 15:43:51.412: AAA/ATTR(0132): find :644B87A0 0 0009
username(318) 5 coroy
*May 22 15:43:51.412: AAA/ATTR(0132): cursor init: 63958D78 644B8774
none none
*May 22 15:43:51.412: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.412: AAA/ATTR(0132):  Framed-Protocol ok
*May 22 15:43:51.412: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.412: AAA/ATTR(0132):  username ok
*May 22 15:43: 51.412: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.412: AAA/ATTR(0132):  password ok
*May 22 15:43:51.412: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.416: AAA/ATTR(0132): not found
*May 22 15:43:51.416: AAA/ATTR(0132): cursor init: 63958D78 6459A2A8
none none
*May 22 15:43:51.416: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.416: AAA/ATTR(0132):  port-type ok
*May 22 15:43:51.416: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.416: AAA/ATTR(0132):  interface ok
*May 22 15:43: 51.416: RADIUS(0132): Storing nasport 928 in rad_db
*May 22 15:43:51.416: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.416: AAA/ATTR(0132):  clid ok
*May 22 15:43:51.416 : AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43:51.416: AAA/ATTR(0132):  dnis ok
*May 22 15:43:51.416: AAA/ATTR(0132): find next matching service=none,
protocol=none
*May 22 15:43: 51.416: AAA/ATTR(0132): not found
*May 22 15:43:51.416: RADIUS(0132): Config NAS IP: 0.0.0.0
*May 22 15:43:51.416: Getting session id for NET(0132) : db=64596B3C
*May 22 15:43: 51.416: RADIUS/ENCODE(0132): acct_session_id: 390
*May 22 15:43:51.416: RADIUS(0132): sending
*May 22 15:43:51.416: RADIUS/ENCODE: Best Local IP-Address 10.3.2.130 for
Radius-Server 10.3.2.127
*May 22 15:43:51.416: RADIUS(0132): Send Access-Request to
10.3.2.127:1812 id 21646/45, len 94
*May 22 15:43:51.416: RADIUS:  authenticator 95 18 5E 04 20 9F B2 6D - 9C D7
2E F0 66 3F B2 EA
*May 22 15:43:51.416: RADIUS:  Framed-Protocol [7]   6
PPP   [1]
*May 22 15:43:51.416: RADIUS:  User-Name   [1]   7   coroy
*May 22 15:43:51.416: RADIUS:  User-Password   [2]   18  *
*May 22 15:43:51.416: RADIUS:  NAS-Port-Type   [61]  6
Virtual   [5]
*May 22 15:43:51.416: RADIUS:  NAS-Port[5]   6
928
*May 22 15:43:51.416: RADIUS:  Calling-Station-Id  [31]  14  000c2965075c
*May 22 15:43:51.416: RADIUS:  Called-Station-Id   [30]  5   mpd
*May 22 15:43:51.416: RADIUS:  Service-Type[6]   6
Framed[2]
*May 22 15:43:51.416: RADIUS:  NAS-IP-Address  [4]   6   10.3.2.130

*May 22 15:43:52.084: RADIUS: Received from id 21646/45 10.3.2.127:1812,
Access-Accept, len 71
*May 22 15:43:52.084: RADIUS:  authenticator A4 72 E4 2B 33 5E B8 AF - AB 4A
21 26 69 66 EB E3
*May 22 15:43:52.084: RADIUS:  Service-Type[6]   6
Administrative[6]
*May 22 15:43:52.084: RADIUS:  Framed-Protocol [7]   6
PPP   [1]
*May 22 15:43:52.084: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.45

*May 22 15:43:52.084: RADIUS:  Framed-IP-Netmask   [9]   6   255.240.0.0

*May 22 

Failed to validate the user!

2007-07-11 Thread E. abdelghani

If my RADIUS sends me one Access-Request packet from the Mera softswitch with:
User-Name ="192.168.10.10"
User-Password=\123\321\324\["

my question is how can I find out what my User-Password means?

because I get one warning:
auth: No authenticate method (auth-type)configuration found for the request : Rejecting the user 
auth: Failed to validate the user
warning: Unprintable characters in the password. ?Double-check the shared secret on the server and the NAS!

any help! thanks, guide me

Re: Cisco with Freeradius problem.

2007-07-11 Thread Phil Mayers
You've misconfigured your FreeRadius server to send an attribute the Cisco
can't obey, specifically the Filter-Id.

The cisco sees the reply:

> *May 22 15:43:52.088: RADIUS:  Filter-Id   [11]  9

then says

> *May 22 15:43:52.088: RADIUS/DECODE: invalid ACL type; FAIL

and sure enough, the ACL you are returning doesn't exist in the Cisco
config you show. Don't send back a Filter-Id reply unless the named ACL
exists. Either create the ACL, or don't send it.



Re: Cisco with Freeradius problem.

2007-07-11 Thread coroy barte

Phil,

YES! it works

Thank you very much.

--coroy


Re: Failed to validate the user!

2007-07-11 Thread tnt
There is (probably) nothing wrong with your password. Debug points to the
problem with shared secret. Fix that.

Ivan Kalik
Kalik Informatika ISP



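Ivan's answer here, and the identical answer he gives in the later "auth: No authenticate method" thread, rest on how a PAP User-Password travels in an Access-Request: the NAS hides it with an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865 section 5.2), so a server holding a different secret decodes it into random bytes, which is exactly what "Unprintable characters in the password" reports. The following Python illustration is added here and is not part of either thread or of FreeRADIUS; it implements that hiding and the printable-bytes heuristic behind the warning. The secrets, authenticator and password are constructed, and `diagnose` and `octal_escaped` are hypothetical helpers, not FreeRADIUS functions.

```python
"""RFC 2865 User-Password hiding, and why a wrong shared secret shows up as
"Unprintable characters in the password". Added illustration; not FreeRADIUS
code. The secrets, authenticator and password below are constructed."""
import hashlib
import string


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Encode User-Password as a NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 octets and each 16-octet
    chunk is XORed with b_i = MD5(secret + c_(i-1)), where c_0 is the
    Request Authenticator. This only hides the password from casual
    observation; it is not encryption in the modern sense.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Decode User-Password as the server does; the NUL padding is stripped.
    With the wrong secret the keystream is wrong and the result is garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


# Printable ASCII including space; tabs and line breaks do not count.
PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")


def is_printable(password: bytes) -> bool:
    """The heuristic behind the warning: a real password is almost always printable."""
    return all(b in PRINTABLE for b in password)


def octal_escaped(data: bytes) -> str:
    """Render bytes the way radiusd -X prints a User-Password: printable
    ASCII as-is, everything else as a three-digit octal escape."""
    return "".join(chr(b) if b in PRINTABLE else "\\%03o" % b for b in data)


def diagnose(hidden: bytes, secret: bytes, request_auth: bytes) -> tuple:
    """Decode and return (rendered_password, warning). The warning is what a
    mismatched shared secret produces; a password that genuinely contains
    non-ASCII bytes would trigger it too, hence the 'probably' in the reply."""
    password = reveal_password(hidden, secret, request_auth)
    if is_printable(password):
        return octal_escaped(password), None
    return octal_escaped(password), "shared secret on the server and the NAS probably differ"


if __name__ == "__main__":
    # Constructed sample values; the authenticator is random in real traffic.
    ra = bytes(range(16))
    nas_secret, server_secret = b"testing123", b"testing124"
    hidden = hide_password(b"password", nas_secret, ra)
    print(diagnose(hidden, nas_secret, ra))     # ('password', None)
    print(diagnose(hidden, server_secret, ra))  # octal garbage plus the warning
```

Feeding the bytes 0xf9 0xd3 0x15 0x5b to `octal_escaped` reproduces the `\371\323\025[` rendering from the question: a 16-octet chunk decoded with the wrong keystream, printed after its trailing NULs were stripped. The check is only a heuristic, which is why a secret mismatch is the first thing to rule out rather than the only possibility.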

Re: Proxying doesn't work!

2007-07-11 Thread Federico Giannici
Tomas Hoger wrote:
> Hi Federico!
>
> Check default radiusd.conf and search for realm and suffix.  It
> looks like you're not calling rlm_realm in authorize.

Yes, that was the problem!
I thought that the realms were handled by some kind of internal magic...

Thanks.



-- 
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it


auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2007-07-11 Thread E A


Hello,
I have one authentication problem between my FreeRADIUS and NAT (for VoIP).
What does it mean that I have: No authenticate method (Auth-Type)?
So here is my debug: radiusd -X

rad_recv: Access-Request packet from host 192.168.100.238:1912, id=2, length=684
User-Name = 192.168.100.180
User-Password = \371\323\025[
NAS-IP-Address = 192.168.100.238
NAS-Port-Type = Async
Service-Type = Login-User
Called-Station-Id = 907100
Calling-Station-Id = 4002
Cisco-AVPair = xpgk-request-type=number
Acct-Session-Id = 47306f08-1-b56089b1
h323-conf-id = h323-conf-id=02B21F32 1DEB1BAB 26450001 A8045DEC
Cisco-AVPair = h323-call-id=02B21F32 1DEB1BAB 26440001 A8045DEC
h323-gw-id = h323-gw-id=192.168.100.180
Cisco-AVPair = h323-gw-address=192.168.100.180
Cisco-AVPair = h323-incoming-local-address=192.168.100.238
h323-remote-address = h323-remote-address=194.6.239.4
Cisco-AVPair = h323-remote-id=194.6.239.4
Cisco-AVPair = xpgk-h323-id=4FXS-045dec
Cisco-AVPair = xpgk-src-number-in=4002
Cisco-AVPair = xpgk-src-number-out=4002
Cisco-AVPair = xpgk-dst-number-in=907100
Cisco-AVPair = xpgk-dst-number-out=907100
h323-setup-time = h323-setup-time=11:05:05.000 CEST Wed Jul 11 2007
Cisco-AVPair = xpgk-route-retries=1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = 192.168.100.180, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
radius_xlat:  '192.168.100.180'
rlm_sql (sql): sql_set_user escaped user -- '192.168.100.180'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '192.168.100.180' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'192.168.100.180' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '192.168.100.180' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '192.168.100.180' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '192.168.100.180' ORDER BY id'
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'192.168.100.180' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '192.168.100.180' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '192.168.100.180' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): No matching entry in the database for request from user 
[192.168.100.180]
  modcall[authorize]: module sql returns notfound for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the shared 
secret on the server and the NAS!
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 192.168.100.238 port 1912
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 2 with timestamp 46949d41
Nothing to do.  Sleeping until we see a request.


any help?
best regards!!!

   

RE: accounting exec when Acct-Status-Type == Stop

2007-07-11 Thread Santiago Balaguer García
Nobody understood my question.
I want to know how to customize a specific account with a specific sh exec, one different for each group of accounts, and I want to do it using my database.


From: Santiago Balaguer García [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: accounting exec when Acct-Status-Type == Stop
Date: Tue, 10 Jul 2007 10:58:22 +

hello all,
i have added the following lines in the acct_users file

DEFAULT Acct-Status-Type == Start
        Exec-Program-Wait = "/usr/local/start.sh"

DEFAULT Acct-Status-Type == Stop
        Exec-Program-Wait = "/usr/local/stop.sh"

started radius in debug mode and i haven't seen Exec-Program-Wait executing those scripts.

It works fine, however, I want to execute a different script depending on the user group. I read from a DB for passing my radius attributes. I pass the attribute Exec-Program-Wait and each username executes its own script well.

However, how can I tell freeradius to do the same when a username sends an Acct-Status-Type == Stop, using my DB instead of the acct_users file?

Thanks!




Re: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2007-07-11 Thread tnt
You can ask a hundred times in different ways. Answer will still be the
same:

> WARNING: Unprintable characters in the password. ? Double-check the
> shared secret on the server and the NAS!

Ivan Kalik
Kalik Informatika ISP


Dana 11/7/2007, E A [EMAIL PROTECTED] piše:



Hello
I hav one authentificate problem between my Freeradius and NAT(for VOIP)
what means that i have : No authenticate method (Auth-Type)
so here is my debug : radiusd -X

rad_recv: Access-Request packet from host 192.168.100.238:1912, id=2, 
length=684
User-Name = 192.168.100.180
User-Password = \371\323\025[
NAS-IP-Address = 192.168.100.238
NAS-Port-Type = Async
Service-Type = Login-User
Called-Station-Id = 907100
Calling-Station-Id = 4002
Cisco-AVPair = xpgk-request-type=number
Acct-Session-Id = 47306f08-1-b56089b1
h323-conf-id = h323-conf-id=02B21F32 1DEB1BAB 26450001 A8045DEC
Cisco-AVPair = h323-call-id=02B21F32 1DEB1BAB 26440001 A8045DEC
h323-gw-id = h323-gw-id=192.168.100.180
Cisco-AVPair = h323-gw-address=192.168.100.180
Cisco-AVPair = h323-incoming-local-address=192.168.100.238
h323-remote-address = h323-remote-address=194.6.239.4
Cisco-AVPair = h323-remote-id=194.6.239.4
Cisco-AVPair = xpgk-h323-id=4FXS-045dec
Cisco-AVPair = xpgk-src-number-in=4002
Cisco-AVPair = xpgk-src-number-out=4002
Cisco-AVPair = xpgk-dst-number-in=907100
Cisco-AVPair = xpgk-dst-number-out=907100
h323-setup-time = h323-setup-time=11:05:05.000 CEST Wed Jul 11 2007
Cisco-AVPair = xpgk-route-retries=1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = 192.168.100.180, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
radius_xlat:  '192.168.100.180'
rlm_sql (sql): sql_set_user escaped user -- '192.168.100.180'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '192.168.100.180' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'192.168.100.180' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '192.168.100.180' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '192.168.100.180' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '192.168.100.180' ORDER BY id'
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'192.168.100.180' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '192.168.100.180' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '192.168.100.180' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): No matching entry in the database for request from user 
[192.168.100.180]
  modcall[authorize]: module sql returns notfound for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the shared 
 secret on the server and the NAS!
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 192.168.100.238 port 1912
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 2 with timestamp 46949d41
Nothing to do.  Sleeping until we see a request.


any help?
best regards!!!


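The mechanism behind Ivan's answer, as an added example (editor's code, not from the thread and not FreeRADIUS's own decoder): a PAP User-Password is hidden on the wire as described in RFC 2865 section 5.2. The password is NUL-padded to a multiple of 16 bytes and each block is XORed with MD5(shared secret + Request Authenticator) for the first block and MD5(shared secret + previous ciphertext block) for the rest. If the NAS and the server disagree on the secret, the server's decode is sixteen effectively random bytes; a C decoder that treats the result as a string stops at the first NUL, which is why the value in the debug output above is both short and unprintable. The secret, password and Request Authenticator below are constructed values; the check at the end mirrors the server's warning.

```python
"""RFC 2865 section 5.2 User-Password hiding and the shared-secret sanity check
(added example; SECRET, WRONG_SECRET, AUTHENTICATOR and the password are
constructed, nothing here is taken from the packet in the post)."""
import hashlib

SECRET = b"testing123"            # secret configured for this client on the server
WRONG_SECRET = b"testing124"      # what a misconfigured NAS might be using
AUTHENTICATOR = bytes(range(16))  # Request Authenticator from the Access-Request header


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: NUL-pad to a multiple of 16, then c[i] = p[i] XOR MD5(secret + c[i-1]),
    with c[-1] being the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse. The result is cut at the first NUL, as a C decoder
    that hands the buffer to strlen() does; with the wrong secret the plaintext is
    pseudo-random, so it usually comes out short and full of control bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.split(b"\x00", 1)[0]


def has_unprintable(password: bytes) -> bool:
    """The server's heuristic: PAP passwords are printable ASCII in practice, so
    anything else almost always means NAS and server disagree on the secret."""
    return any(b < 0x20 or b > 0x7E for b in password)


def diagnose(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Decode a received User-Password and return the verdict the server would log."""
    if has_unprintable(unhide_password(hidden, secret, authenticator)):
        return "unprintable: double-check the shared secret on the server and the NAS"
    return "ok"


if __name__ == "__main__":
    hidden = hide_password(b"secret", SECRET, AUTHENTICATOR)
    print(diagnose(hidden, SECRET, AUTHENTICATOR))          # ok
    print(diagnose(hidden, WRONG_SECRET, AUTHENTICATOR))    # wrong secret: see what garbage you get
    print(has_unprintable(b"\xf9\xd3\x15["))                # the \371\323\025[ from the debug output: True
```

Note that this only applies to PAP: with CHAP, MS-CHAP or EAP the password is never sent this way, and a bad shared secret shows up as a failed Message-Authenticator or Response Authenticator check instead.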

RE: accounting exec when Acct-Status-Type == Stop

2007-07-11 Thread tnt
Probably because your approach is not good. How about writing a *single*
sh exec and passing parameters (Acct-Status-Type and SQL-Group) to it.
Format would be the same for every user/group and the program sorts out
which path is taken.

Ivan Kalik
Kalik Informatika ISP


Dana 11/7/2007, Santiago Balaguer García [EMAIL PROTECTED]
piše:

Nobody understood my question.
I want to know how to customise a specific account with a specific sh exec. One 
different for each group of accounts. And I want to do it using my database.


From: Santiago Balaguer García [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: [EMAIL PROTECTED]
Subject: accounting exec when Acct-Status-Type == Stop
Date: Tue, 10 Jul 2007 10:58:22 +

hello all, i have added the following lines in acct_users file

DEFAULT Acct-Status-Type == Start
        Exec-Program-Wait = "/usr/local/start.sh"
DEFAULT Acct-Status-Type == Stop
        Exec-Program-Wait = "/usr/local/stop.sh"

started radius in debug mode and i haven't seen Exec-Program-Wait executing those scripts. 
 
It works fine, however, I want to execute a different script depending on the 
user group. I read from a DB for passing my radius attributes. I pass the 
attribute Exec-Program-Wait and each username executes its own script well. 
 
However, how can I tell freeradius to do the same when a username sends 
Acct-Status-Type == Stop, using my DB instead of the acct_users file?
 
Thanks!
 
 





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
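One way to do what Ivan describes, as an added example (editor's code, not from the thread and not part of FreeRADIUS): every group's radgroupreply row carries the same Exec-Program-Wait value, with %{Acct-Status-Type} expanded by the server and the group name written as a literal in that group's row, and a single dispatcher turns the pair into the script to run. The path /usr/local/bin/acct-exec.py, the directory layout under /usr/local/acct.d and the argument order are assumptions. The group name is validated before it becomes a path component, because anything that reaches the script through the request (User-Name above all) is chosen by the peer and has to be treated as untrusted input.

```python
#!/usr/bin/env python3
"""One accounting hook for every group (added example, not code from the list
thread). Each radgroupreply row points at this script and passes the group
name as a literal, e.g. for group "staff":

    Exec-Program-Wait := "/usr/local/bin/acct-exec.py %{Acct-Status-Type} staff"

The path, the per-group directory layout and the argument order are
assumptions. FreeRADIUS exports the request attributes to the child's
environment with dashes turned into underscores (User-Name -> USER_NAME), so
the per-group script can read USER_NAME, ACCT_SESSION_ID and friends itself.
"""
import os
import re
import sys

SCRIPT_DIR = os.environ.get("ACCT_SCRIPT_DIR", "/usr/local/acct.d")  # assumed layout: <dir>/<group>/<action>.sh
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # group names we are willing to turn into a path component
ACTIONS = {                                      # Acct-Status-Type -> script basename
    "Start": "start",
    "Stop": "stop",
    "Interim-Update": "update",
    "Alive": "update",
}


def script_for(status_type: str, group: str, script_dir: str = SCRIPT_DIR):
    """Return the script to run for this (Acct-Status-Type, group), None if the
    event has no hook, and refuse group names that could leave script_dir
    ("../", path separators, shell metacharacters)."""
    if not NAME_RE.match(group or ""):
        raise ValueError(f"refusing group name {group!r}")
    action = ACTIONS.get(status_type)
    if action is None:          # Accounting-On/Off and anything unknown: nothing to run
        return None
    return os.path.join(script_dir, group, action + ".sh")


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: acct-exec.py <Acct-Status-Type> <group>\n")
        return 2
    try:
        path = script_for(argv[1], argv[2])
    except ValueError as err:
        sys.stderr.write(f"{err}\n")
        return 1                # refuse rather than guess
    if path is None or not os.access(path, os.X_OK):
        return 0                # no hook for this group/event: not an error
    os.execv(path, [path])      # replaces this process; the environment is inherited


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this in place the per-user Exec-Program-Wait rows in radreply are no longer needed: the group decides which directory is used, and the Acct-Status-Type decides which script in it runs.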


RE: Logging failed authentications....

2007-07-11 Thread Ackbar Joolia
Thanks...
I've got both working now. File-based logging and mysql too

Regards
Ackbar

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 10 July 2007 21:32
To: FreeRadius users mailing list
Subject: Re: Logging failed authentications

radiusd.conf

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = yes
log_auth_goodpass = no

It will be logged in radius.log file

Ivan Kalik
Kalik Informatika ISP


Dana 10/7/2007, Ackbar Joolia [EMAIL PROTECTED] piše:

Hi,
I would like to be able to log failed authentications but I don't find
it anywhere. And ideally I would like to put it into a MySQL table.

Can anyone advice on this please?
Thanks
AJ


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


*** Email Confidentiality Notice ***
This message is private and confidential. If you have received this in error, 
please notify us and remove it from your system. Contact [EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
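Two practical notes on the settings above, plus an added example (editor's code, not from the thread): log_auth_badpass writes the rejected password itself into radius.log, and a mistyped password is usually one character away from the real one, so either leave it off or protect that file like a credential store, and never copy that field into a database. The script below parses lines in the radius.log format those settings produce (the sample lines are constructed), counts rejects per user and client, and loads the failures into a table with bound parameters rather than string formatting; the sqlite3 module stands in for MySQL so it runs stand-alone.

```python
import re
import sqlite3
from collections import Counter

# Constructed radius.log lines in the format those settings produce
# (log_auth = yes, log_auth_badpass = yes, log_auth_goodpass = no); not from the thread.
SAMPLE_LOG = """\
Tue Jul 10 21:32:00 2007 : Auth: Login OK: [alice] (from client nas1 port 3 cli 00-11-22-33-44-55)
Tue Jul 10 21:32:05 2007 : Auth: Login incorrect: [bob/Passw0rd!] (from client nas1 port 4 cli 00-11-22-33-44-66)
Tue Jul 10 21:32:09 2007 : Auth: Login incorrect: [bob/Passw0rd] (from client nas1 port 4 cli 00-11-22-33-44-66)
Tue Jul 10 21:33:41 2007 : Auth: Login incorrect: [admin/admin] (from client 192.168.100.238 port 0)
Tue Jul 10 21:33:42 2007 : Auth: Login incorrect: [admin/admin123] (from client 192.168.100.238 port 0)
Tue Jul 10 21:33:43 2007 : Auth: Login incorrect: [admin/letmein] (from client 192.168.100.238 port 0)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)(?:/(?P<password>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)\s*$"
)


def parse_auth_line(line: str):
    """One Auth: line -> dict, or None for anything else (Info:, Error:, ...).
    The rejected password is replaced before the record goes anywhere."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["password"] is not None:
        rec["password"] = "[redacted]"
    return rec


def failed_logins(text: str) -> list:
    return [r for r in map(parse_auth_line, text.splitlines())
            if r is not None and r["result"] == "incorrect"]


def failures_by_source(text: str) -> Counter:
    """(user, client) -> number of rejects; the thing to alert on or rate-limit."""
    return Counter((r["user"], r["client"]) for r in failed_logins(text))


def store_failures(text: str, db: sqlite3.Connection = None) -> int:
    """Load the rejects into a table with bound parameters (the same shape works
    for MySQL through any DB-API driver). Returns the number of rows in the table."""
    if db is None:
        db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE IF NOT EXISTS radauthfail ("
               "ts TEXT, username TEXT, client TEXT, port INTEGER, cli TEXT)")
    db.executemany("INSERT INTO radauthfail VALUES (?, ?, ?, ?, ?)",
                   [(r["ts"], r["user"], r["client"], int(r["port"]), r["cli"])
                    for r in failed_logins(text)])
    db.commit()
    return db.execute("SELECT COUNT(*) FROM radauthfail").fetchone()[0]


if __name__ == "__main__":
    for (user, client), n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{n:3d} rejects for {user!r} from {client}")
    print(store_failures(SAMPLE_LOG), "rows stored")
```

Feeding the server's own radius.log through a parser like this is the cheap way to get the MySQL table asked for; the user name and client are what you want to key alerts on, the password field is what you want to make sure never reaches the table.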


RE: db_mysql.sql

2007-07-11 Thread Joel Eddy
Is version 1.1.6 missing the db_mysql.sql script?
Is it possible to use the one from 1.0.1 or some other version?
Or is there a link I've missed somewhere to get it?

By the way I APPRECIATE all that you programmers are doing.
I can only imagine the long hours put in to make this product work.

THANK YOU !!


Joel


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: db_mysql.sql

2007-07-11 Thread tnt
http://wiki.freeradius.org/MySQL_DDL_script

Ivan Kalik
Kalik Informatika ISP


Dana 11/7/2007,  Joel Eddy [EMAIL PROTECTED] piše:

Is version 1.1.6 missing the db_mysql.sql script?
Is it possible to use the one from 1.0.1 or some other version?
Or is there a link I've missed somewhere to get it?

By the way I APPRECIATE all that you programmers are doing.
I can only imagine the long hours put in to make this product work.

THANK YOU !!


Joel


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: db_mysql.sql

2007-07-11 Thread A . L . M . Buxey
Hi,
 Is version 1.1.6 missing the db_mysql.sql script?
 Is it possible to use the one from 1.0.1 or some other version?
 Or is there a link I've missed somewhere to get it?
 
 By the way I APPRECIATE all that you programmers are doing.
 I can only imagine the long hours put in to make this product work.


last seen in doc/examples/  .

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: db_mysql.sql

2007-07-11 Thread Peter Nixon
On Wed 11 Jul 2007, Joel Eddy wrote:
 Is version 1.1.6 missing the db_mysql.sql script?
 Is it possible to use the one from 1.0.1 or some other version?
 Or is there a link I've missed somewhere to get it?

its under doc/example

-- 

Peter Nixon
http://peternixon.net/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


R: db_mysql.sql

2007-07-11 Thread Francesco Cristofori
 Is it possible to use the one from 1.0.1 or some other version?

Yes, if you use the matching sql.conf you can use any db schema (so you don't 
have to convert old databases to new schemas).

 Joel

HTH,
Francesco.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Dave
To update: turning on interim updates on my NAS fixed my problem... 
Thanks for all your help.

Peter Nixon wrote:
 On Tue 10 Jul 2007, Dave wrote:
   

 My NAS is currently NOT sending interim updates, but there is an option
 to use that, just wasn't sure what it did, or how it would apply to me,
 but it makes sense, that it  extends the lease time, do all NAS's send
 interim updates? on the DSL side of my operation I don't see any interim
 updates until the user logs off (or lost carrier) (this is a proxied
 operation to me) I don't have control of that NAS, only my wireless NAS
 

 Then we have found the problem. Basically you need to set the expiry time 
 greater than the time in between interim accounting updates. If you don't 
 get interim accounting updates set the expiry time to larger than your 
 maximum possible session length.

 Cheers

   

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Peter Nixon
You are welcome. I suppose we should update the docs/wiki to make this 
clearer..

-Peter

On Wed 11 Jul 2007, Dave wrote:
 To update, turning on interim updates on my NAS, fixed my problem...
 Thanks for all your help.

 Peter Nixon wrote:
  On Tue 10 Jul 2007, Dave wrote:
  My NAS is currently NOT sending interim updates, but there is an option
  to use that, just wasn't sure what it did, or how it would apply to me,
  but it makes sense, that it  extends the lease time, do all NAS's
  send interim updates? on the DSL side of my operation I don't see any
  interim updates until the user logs off (or lost carrier) (this is a
  proxied operation to me) I don't have control of that NAS, only my
  wireless NAS
 
  Then we have found the problem. Basically you need to set the expiry
  time greater than the time in between interim accounting updates. If
  you don't get interim accounting updates set the expiry time to larger
  than your maximum possible session length.



-- 

Peter Nixon
http://peternixon.net/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Peter Nixon
-snip-
  that wasn't my understanding of how the expiration works in sqlippool.
  The 'allocate-clear' query looks like this: 
 
  allocate-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE pool_key = '${pool-key}'
 
  Which, by my understanding, should only clear IP's for which we are
  seeing a REPEAT login on the same 'pool-key' (although I think it should
  probably add a test for the same NASIPAddress in the WHERE clause, I
  keep meaning to ask Peter about that).

 That's probably not a bad idea.

I take that back. It seems like a good idea, but that will break things for 
ISPs who have multiple NAS in failover or OSPF groups and therefore can 
happily assign the same IP to the same user even if they are connected to a 
different physical NAS.

Cheers

-- 

Peter Nixon
http://peternixon.net/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Interim-Updates

2007-07-11 Thread Irina
Hello all,

We enabled Cisco NAS to send Interim-Updates to the radius server,  once an
hour.  Everything is great except for the following.

There are users that use a lot of bandwidth.  It seems the NAS wraps
Acct-Input-Octets and Acct-Output-Octets at 4 GB.  We have a few users that
may have their bandwidth reset to 0 within an hour.  When the next Interim-Update
is sent, we don't have a proper number.

Do I miss something in Radius configuration?

Or is something that has to be handled by NAS?

Any help is appreciated.  Thank you.
Irina


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: DB_MYSQL.SQL

2007-07-11 Thread Joel Eddy
For those that need it, like I did you can add this to the end of
http://wiki.freeradius.org/MySQL_DDL_script to get your database
to create the userinfo table also

#
# Table structure for table 'userinfo'
#
CREATE TABLE userinfo (
  id int(10) NOT NULL auto_increment,
  UserName varchar(30),
  Name varchar(200),
  Mail varchar(200),
  Department varchar(200),
  WorkPhone varchar(200),
  HomePhone varchar(200),
  Mobile varchar(200),
  PRIMARY KEY (id),
  KEY UserName (UserName),
  KEY Departmet (Department)
);



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Interim-Updates

2007-07-11 Thread Hugh Messenger
Irina said:
 There are users that use a lot of bandwidth.  It seems the NAS wraps
 Acct-Input-Octets and Acct-Output-Octets at 4 GB.  We have a few users that
 may have their bandwidth reset to 0 within an hour.  When the next Interim-
 Update
 is sent, we don't have a proper number.
 
 Do I miss something in Radius configuration?
 
 Or is something that has to be handled by NAS?

The NAS should also send Acct-Input-Gigawords and Acct-Output-Gigawords as
well, if it has had to wrap the octets attributes.

 Irina

   -- hugh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: DB_MYSQL.SQL

2007-07-11 Thread Hugh Messenger
Joel Eddy said:
   KEY Departmet (Department)

Departmet?

   -- hugh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Peter Nixon
On Wed 11 Jul 2007, Peter Nixon wrote:
 -snip-

   that wasn't my understanding of how the expiration works in sqlippool.
   The 'allocate-clear' query looks like this:
  
   allocate-clear = UPDATE radippool \
 SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
 expiry_time = NOW() - INTERVAL 1 SECOND \
 WHERE pool_key = '${pool-key}'
  
   Which, by my understanding, should only clear IP's for which we are
   seeing a REPEAT login on the same 'pool-key' (although I think it
   should probably add a test for the same NASIPAddress in the WHERE
   clause, I keep meaning to ask Peter about that).
 
  That's probably not a bad idea.

 I take that back. It seems like a good idea, but that will break things
 for ISPs who have multiple NAS in failover or OSPF groups and therefore
 can happily assign the same IP to the same user even if they are connected
 to a different physical NAS.

I changed my mind 10min after sending this reply. I have added a NASIPAddress 
check by default with a comment of why you may want to disable it in certain 
circumstances.

Cheers

-- 

Peter Nixon
http://peternixon.net/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Interim-Updates

2007-07-11 Thread Peter Nixon
On Wed 11 Jul 2007, Irina wrote:
 Hello all,

 We enabled Cisco NAS to send Interim-Updates to the radius server,  once
 an hour.  Everything is great except for the following.

 There are users that use a lot of bandwidth.  It seems the NAS wraps
 Acct-Input-Octets and Acct-Output-Octets at 4 GB.  We have a few users that
 may have their bandwidth reset to 0 within an hour.  When the next
 Interim-Update is sent, we don't have a proper number.

 Do I miss something in Radius configuration?

 Or is something that has to be handled by NAS?

 Any help is appreciated.  Thank you.

Hi Irina

Please check your accounting detail file. If the records have 
Acct-Input-Gigawords and Acct-Output-Gigawords in them, then your NAS is 
sending you the extra information you need when the 32bit counts wrap but 
you are not logging that info to your sql database.

The default postgresql configuration has handled Acct-*-Gigawords correctly 
for several years, but we only recently updated the MySQL configuration to 
do so. The next release 1.1.7 (and/or 2.0) will have the correct support by 
default for mysql, but in the meantime you should replace your sql.conf (I 
am assuming that you are using mysql) with the one from current cvs

Regards

-- 

Peter Nixon
http://peternixon.net/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
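The arithmetic behind Hugh's and Peter's answers, as an added example (editor's code, not from the thread and not the FreeRADIUS sql.conf): Acct-Input-Octets and Acct-Output-Octets are unsigned 32-bit attributes, so a NAS that counts past 4 GB wraps them and reports the number of wraps in Acct-Input-Gigawords / Acct-Output-Gigawords (RFC 2869). An accounting_update_query that stores only the Octets attribute keeps the wrapped low 32 bits, which is exactly the symptom Irina describes. The records below are constructed, and the fallback used for a NAS that sends no Gigawords assumes at most one wrap per interval, which undercounts when more than 4 GB pass between two updates.

```python
"""64-bit byte counts from Acct-*-Octets + Acct-*-Gigawords (RFC 2869), and
per-interval deltas between Interim-Updates. Added example; the update records
are constructed and the single-wrap fallback is an assumption."""

TWO32 = 1 << 32


def total_octets(octets: int, gigawords: int = 0) -> int:
    """Acct-Input-Octets carries the low 32 bits and Acct-Input-Gigawords the
    number of times that counter has wrapped, so the real count is
    gigawords * 2^32 + octets."""
    if not (0 <= octets < TWO32 and 0 <= gigawords < TWO32):
        raise ValueError("RADIUS integer attributes are unsigned 32-bit")
    return (gigawords << 32) | octets


def counter(record: dict, direction: str):
    """(total, exact) for one accounting record; exact is False when the NAS
    sent no Gigawords attribute, i.e. the value may have wrapped silently."""
    octets = record[f"Acct-{direction}-Octets"]
    gigawords = record.get(f"Acct-{direction}-Gigawords")
    if gigawords is None:
        return octets, False
    return total_octets(octets, gigawords), True


def delta(prev: dict, cur: dict, direction: str) -> int:
    """Bytes transferred between two consecutive updates of one session."""
    p, p_exact = counter(prev, direction)
    c, c_exact = counter(cur, direction)
    if p_exact and c_exact:
        if c < p:
            raise ValueError("counter went backwards: new session or records out of order")
        return c - p
    # Assumption for a NAS without Gigawords: at most one wrap per interval.
    # More than 4 GB between two updates is silently undercounted here.
    return (c - p) % TWO32


def interval_deltas(updates: list, direction: str = "Input") -> list:
    """What an accounting_update_query should be adding to the session row,
    one value per interval."""
    return [delta(a, b, direction) for a, b in zip(updates, updates[1:])]


# Constructed: one Interim-Update per hour for a session whose input counter
# wraps once in the first interval.
UPDATES_WITH_GIGAWORDS = [
    {"Acct-Session-Id": "sess-0001", "Acct-Input-Octets": 4_000_000_000, "Acct-Input-Gigawords": 0},
    {"Acct-Session-Id": "sess-0001", "Acct-Input-Octets": 1_000_000_000, "Acct-Input-Gigawords": 1},
    {"Acct-Session-Id": "sess-0001", "Acct-Input-Octets": 3_500_000_000, "Acct-Input-Gigawords": 1},
]
# The same session as reported by a NAS that does not send Gigawords.
UPDATES_WITHOUT_GIGAWORDS = [
    {k: v for k, v in r.items() if k != "Acct-Input-Gigawords"} for r in UPDATES_WITH_GIGAWORDS
]

if __name__ == "__main__":
    print(interval_deltas(UPDATES_WITH_GIGAWORDS))      # [1294967296, 2500000000]
    print(interval_deltas(UPDATES_WITHOUT_GIGAWORDS))   # [1294967296, 2500000000]
    # storing only %{Acct-Input-Octets} keeps the wrapped low 32 bits:
    print(UPDATES_WITH_GIGAWORDS[-1]["Acct-Input-Octets"], "vs",
          counter(UPDATES_WITH_GIGAWORDS[-1], "Input")[0])
```

The same combination is what the updated sql.conf does in SQL: the stored column has to be wide enough for a 64-bit value and the query has to add Gigawords shifted by 32 bits, otherwise the table shows the counter "resetting" every 4 GB.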


RE: SQL IP Pool maximum timeout.

2007-07-11 Thread Hugh Messenger
Peter Nixon said:
  I take that back. It seems like a good idea, but that will break things
  for ISPs who have multiple NAS in failover or OSPF groups and therefore
  can happily assign the same IP to the same user even if they are
 connected
  to a different physical NAS.

 I changed my mind 10min after sending this reply. I have added a
 NASIPAddress
 check by default with a comment of why you may want to disable it in
 certain
 circumstances.

FYI, I added this to my MySQL config, been running it live for a few days,
works fine in my setup.  I think this is the right way to go, making it the
default, as the certain circumstances would tend to be the exception
rather than the rule.

I've also tested that accounting on/off change we discussed off-list, and
it now correctly frees all relevant IP's after a NAS reboot.

 Cheers

   -- hugh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Peter Nixon
On Wed 11 Jul 2007, Hugh Messenger wrote:
 Peter Nixon said:
   I take that back. It seems like a good idea, but that will break
   things for ISPs who have multiple NAS in failover or OSPF groups and
   therefore can happily assign the same IP to the same user even if they
   are
 
  connected
 
   to a different physical NAS.
 
  I changed my mind 10min after sending this reply. I have added a
  NASIPAddress
  check by default with a comment of why you may want to disable it in
  certain
  circumstances.

 FYI, I added this to my MySQL config, been running it live for a few days,
 works fine in my setup.  I think this is the right way to go, making it
 the default, as the certain circumstances would tend to be the exception
 rather than the rule.

 I've also tested that accounting on/off change we discussed off-list,
 and it now correctly frees all relevant IP's after a NAS reboot.

Great. Looks like rlm_sqlippool is ready to take over the world :-)

-- 

Peter Nixon
http://peternixon.net/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Interim-Updates

2007-07-11 Thread Irina
Thank you very much for quick replies.  Our NAS does send Gigawords, great.

I am reading the link Stephan pointed out.

I need to apply it on a live radius server.  Just to be safe, I will ask a few
questions, if you don't mind.

1.  Can I issue mysql queries while radius is running?

2.  Can I issue PROCEDURE queries at the MYSQL prompt (including comments?), or
should I save it to a file first and then run it like
mysql -uroot -prootpass radius < sql.file

3.  In the document
Note Don't forget to redefine the delimiter before and after the
procedure or you'll get an error!
Is it part of the PROCEDURE sql statements?  Or...  I am not sure what it means
to redefine the delimiter.

4.  Do I replace only accounting_update_query?
Why am I asking?  There are other _alt queries.  I don't need to touch them, do
I?


Thanks again.
Irina
==


- Original Message - 
From: Stephan Kirsten [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, July 11, 2007 2:55 PM
Subject: Re: Interim-Updates


 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


listen directive

2007-07-11 Thread Joe Vieira
Is it possible to have radius listen on multiple (but not all) ip's / 
interfaces on a server?

Joe Vieira
UNIX Systems Administrator 
Clark University - ITS   
508.793.7287


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Operator rlm_sql question

2007-07-11 Thread Dave
HI,

I have a question regarding the rlm_sql module and the := operator. In going
through the documentation, the rlm_sql module goes through the radcheck
table, then pulls the reply items from the radreply table. Then the
usergroup, radgroupcheck and radgroupreply table. So if I specify for
example Framed-IP-Address = 192.168.1.1 in the radreply table for a user,
then specify Framed-IP-Address := 255.255.255.254 in a particular group
entry in the radgroupreply table, shouldn't the reply item become
Framed-IP-Address = 255.255.255.254 in the reply? I was under the impression
that the := operator would add the reply item if it didn't exist, or modify
the value if it did already exist.

I am trying to set up one group where the user gets a static address
specified in the radreply table, then another group where they get dynamic
specified in the radgroupreply table based upon the NAS-IP-Address check in
the radgroupcheck table. But I always seem to get the static address, even
though the other reply items are correct for the respective groups.

This is with  freeradius 1.1.6, with the standard mysql table schema.

Thanks,

Dave

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Alan DeKok
Peter Nixon wrote:
 Great. Looks like rlm_sqlippool is ready to take over the world :-)

  My latest tests look promising.  Stock clients work.

  No, there's no secret agenda.  The agenda is public, but the
implementation details are secret.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: listen directive

2007-07-11 Thread Alan DeKok
Joe Vieira wrote:
 Is it possible to have radius listen on multiple (but not all) ip's / 
 interfaces on a server?

  Yes.  Use multiple listen directives.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: listen directive

2007-07-11 Thread Joe Vieira

 
Joe Vieira wrote:
 Is it possible to have radius listen on multiple (but not all) ip's / 
 interfaces on a server?

  Yes.  Use multiple listen directives.

thanks

Joe


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Peter Nixon
On Mon 09 Jul 2007, Hugh Messenger wrote:
 On Behalf Of Dave said:
  Yes accounting is working well from the NAS

 Are you sure the NAS is sending 'interim update' accounting packets, not
 just start/stop?

 Here's my understanding of how it works (I'm sure Peter will correct me if
 I'm wrong!):

 On an access request, sqlippool will first check to see if this looks like
 a 'lost stop' case (allocate-clear) by checking to see if there are any
 assigned IP's in the pool with the same 'pool-key' (NAS-Port in a dialup
 context) as the request.  If so, free up that IP.

 Then it looks for an IP to assign (allocate-find), by checking for a free
 or expired IP in the pool, allocates it (allocate-update) and sets the
 expiry_time to now + lease-duration.

 On an accounting 'stop', it frees up the IP (stop-clear).

 On an accounting 'update', it extends the expiry_time by 'lease-duration'
 seconds (alive-update).

 There's a little more to it than that (like accounting on/off), but that's
 the basic life cycle of an IP assignment.

 So ... if your NAS isn't sending accounting updates, then it will start
 re-assigning IP's after the initial expiry_time (lease-duration).  If your
 NAS doesn't implement accounting updates, you may have to set session
 timeouts to less than your lease-duration.

I couldn't have summarised it any better :-)


-- 

Peter Nixon
http://peternixon.net/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
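The life cycle Hugh summarises, and the NASIPAddress test Peter added to allocate-clear earlier in this thread, as an added example (editor's code, not rlm_sqlippool and not its sqlippool.conf): an in-memory sqlite table plays the radippool table, each method runs the query that the corresponding sqlippool step runs, and two short scenarios show why a NAS that sends no Interim-Updates ends up with two sessions on one address once lease-duration runs out, while an update before expiry keeps the address reserved. The lease value, table layout and NAS/port names are constructed.

```python
import sqlite3

LEASE = 600   # lease-duration in seconds (assumed; set it above the interim interval)


class SqlIpPool:
    """In-memory model of rlm_sqlippool's allocate-clear / allocate-find /
    allocate-update / stop-clear / alive-update / on-off-clear queries."""

    def __init__(self, addresses, nas_check=True):
        self.nas_check = nas_check      # restrict allocate-clear to the same NASIPAddress
        self.db = sqlite3.connect(":memory:")
        self.db.execute("""CREATE TABLE radippool (
                framedipaddress  TEXT PRIMARY KEY,
                nasipaddress     TEXT NOT NULL DEFAULT '',
                pool_key         TEXT NOT NULL DEFAULT '0',
                callingstationid TEXT NOT NULL DEFAULT '',
                expiry_time      INTEGER NOT NULL DEFAULT 0)""")
        self.db.executemany("INSERT INTO radippool (framedipaddress) VALUES (?)",
                            [(ip,) for ip in addresses])

    def _free(self, where, params, now):
        # every *-clear query is the same UPDATE with a different WHERE clause;
        # the clause is a constant here, the values are always bound parameters
        self.db.execute("UPDATE radippool SET nasipaddress='', pool_key='0', "
                        "callingstationid='', expiry_time=? WHERE " + where,
                        (now - 1, *params))

    def access_request(self, nas, pool_key, calling, now, lease=LEASE):
        # allocate-clear: a fresh request on a pool-key we still hold means the Stop was lost
        if self.nas_check:
            self._free("pool_key=? AND nasipaddress=?", (pool_key, nas), now)
        else:
            self._free("pool_key=?", (pool_key,), now)
        # allocate-find: a free or expired address, longest-expired first
        row = self.db.execute("SELECT framedipaddress FROM radippool WHERE expiry_time <= ? "
                              "ORDER BY expiry_time, framedipaddress LIMIT 1", (now,)).fetchone()
        if row is None:
            return None                     # pool exhausted
        ip = row[0]
        # allocate-update: bind it to this session until now + lease
        self.db.execute("UPDATE radippool SET nasipaddress=?, pool_key=?, callingstationid=?, "
                        "expiry_time=? WHERE framedipaddress=?", (nas, pool_key, calling, now + lease, ip))
        return ip

    def acct_stop(self, nas, pool_key, now):
        self._free("nasipaddress=? AND pool_key=?", (nas, pool_key), now)      # stop-clear

    def acct_interim(self, nas, pool_key, now, lease=LEASE):
        self.db.execute("UPDATE radippool SET expiry_time=? WHERE nasipaddress=? AND pool_key=?",
                        (now + lease, nas, pool_key))                           # alive-update

    def acct_on_off(self, nas, now):
        self._free("nasipaddress=?", (nas,), now)                               # on/off-clear: NAS rebooted

    def holder(self, ip, now):
        """(nas, pool_key) currently leasing ip, or None if it is free or expired."""
        row = self.db.execute("SELECT nasipaddress, pool_key, expiry_time FROM radippool "
                              "WHERE framedipaddress=?", (ip,)).fetchone()
        if row is None or row[2] <= now:
            return None
        return (row[0], row[1])


def without_interim_updates():
    """NAS sends no Interim-Updates: the lease expires under a live session and
    the address is handed to the next caller."""
    pool = SqlIpPool(["10.0.0.1"])
    first = pool.access_request("nas1", "port1", "00-11-22-33-44-55", now=0)
    second = pool.access_request("nas1", "port2", "00-11-22-33-44-66", now=LEASE + 100)
    return first, second          # ("10.0.0.1", "10.0.0.1"): two sessions, one address


def with_interim_updates():
    """Same pool, but an Interim-Update arrives before the lease runs out."""
    pool = SqlIpPool(["10.0.0.1"])
    first = pool.access_request("nas1", "port1", "00-11-22-33-44-55", now=0)
    pool.acct_interim("nas1", "port1", now=LEASE - 100)
    second = pool.access_request("nas1", "port2", "00-11-22-33-44-66", now=LEASE + 100)
    return first, second          # ("10.0.0.1", None): the pool correctly reports exhaustion


def same_port_on_other_nas(nas_check):
    """Peter's NASIPAddress check: does a request with the same pool-key from a
    second NAS (failover pair) tear down the first NAS's lease?"""
    pool = SqlIpPool(["10.0.0.1", "10.0.0.2"], nas_check=nas_check)
    pool.access_request("nas1", "port1", "a", now=0)
    pool.access_request("nas2", "port1", "b", now=1)
    return pool.holder("10.0.0.1", now=2)   # True -> ("nas1", "port1"); False -> ("nas2", "port1")
```

The two scenarios are the whole argument of this thread in executable form: lease-duration must be longer than the gap between accounting packets that refresh it, and if the NAS never refreshes, the only safe setting is a lease longer than the longest session the NAS will allow.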