Re: Pending release of 2.1.9

2010-05-13 Thread Alan DeKok
John Dennis wrote:
> It passes basic sanity checking. It builds, installs, and runs. I have
> tested with radtest and with each of the eapol_test scripts. I do not
> have a stress testing environment, I think others do and it would be
> good to hear from them.

  OK.

> The Changelog notes several feature additions. I thought this was a bug
> fix update only. In fairness some of the feature additions were in the
> area of documentation, that's great and I don't have a problem with
> features which do not change code and make it easier for users to use.
> But shouldn't the other features have been reserved for the 2.2.x branch
> and limit 2.1.9 to only bug fixes?

  The features are:

- show stats for detail files
  Arguably a bug that it wasn't there originally.
  Added because people ran into problems where they couldn't see
  what was going on with a detail file
  The control socket isn't enabled in the default install, either.

- documentation

- better DHCP Option 82 support
  Arguably a bug: DHCP servers need Option 82 support.
  This affects only people who use DHCP. (i.e. not many)

- enabled "server" in NAS table
  arguably a bug that it wasn't there a year ago.
  Only affects *new* installations who use SQL.

  For me, all of these fall into the "arguably a bug fix" area.  There
are no major code changes, and will not affect existing systems.

> The one bug I was most concerned about I don't see specifically called
> out and I'm wondering what the disposition of that was. Sorry, but I'm
> going to be a little vague rather than citing a bug number. There was a
> problem reported by several people that resulted in a server crash and
> only seemed to appear under high load conditions after the server was up
> for a while. Alan said he was having a hard time reproducing it, that
> logically it seemed impossible from static code inspection, but
> acknowledged it was real because it had been reported often enough. Does
> that ring a bell? Does this update address that issue?

  Yes.  Bug #35.  There's a work-around which should help.

  I've run *billions* of packets through the server on the same machine
as people who claim to have problems.  I've been unable to reproduce the
issue.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pending release of 2.1.9

2010-05-13 Thread Alan DeKok
Johan Meiring wrote:
> There is a log of warnings though.
> Small subset says this.
> -
> dpkg-shlibdeps: warning: symbol radlog used by
> debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none
> of the libraries.

  It's in the server core.  There's no "libfreeradius-server.so", though
perhaps there could be.

  In any case, the warnings are minor.

  Alan DeKok.


Re: freeradius-server-2.1.8

2010-05-13 Thread Mihamina Rakotomandimby
> dorra aa  :
> and ther is nothing in the output of radiusd -X

I think your computer is not clean and you can't figure out how to work
with it.
My advice:
- Take a clean Linux install
- Use the packages provided with the distribution
- Optionally, change school...

-- 
   IT Architect at Blueline/Gulfsat:
System Administration, Research & Development
 +261 3456 000 19


RE: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-13 Thread Zheng, Jiajia
Alan DeKok wrote:
> Zheng, Jiajia wrote:
>> But as I mentioned that the same CA works fine with EAP-TTLS. Why it
>> goes wrong with EAP-TLS? 
> 
>   EAP-TLS requires that the CA be authorized to sign client
> certificates.  See the certificate creation scripts in 2.1.8, they may
> have fixes for this.
> 
Thanks! I'll have a try. 

bests, 
jiajia


freeradius with mysql failed

2010-05-13 Thread dorra aa

hi
i installed mysql.

and i modified in /etc/freeradius/sql.conf:
readclients=yes

also, i uncommented in /etc/freeradius/radiusd.conf:
accounting {
    sql
}
authorize {
    ...
    sql
}

i ran freeradius -X again:
but it seems to have failed because of sql: this is the output
[...]
 sql: postauth_query = "INSERT into radpostauth (user, pass, reply, date) 
values ('%{User-Name}', '%{User-Password:-Chap-Password}', 
'%{reply:Packet-Type}', NOW())"
 sql: safe-characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to r...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server r...@localhost:radius
rlm_sql_mysql: Mysql error 'Access denied for user 'root'@'localhost' (using 
password: YES)'
# but i check it and it's ok i have in sql.conf: sql{server = "localhost"
login = "root"
password = "rootpass"}
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
#but i begin with installing mysql-server and i add a user in the database
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
rlm_sql (sql): generate_sql_clients() returned error
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
radiusd.conf[14]: sql: Module instantiation failed. 
radiusd.conf[1860] Unknown module "sql".
radiusd.conf[1789] Failed to parse authorize section. 

  

Fwd: SSL issues

2010-05-13 Thread Sergio Belkin
Hi,

I am using a radius-openldap-EAP/TTLS|EAP/PEAP scheme and often I've got the
following error from a Windows 7 client trying to connect using EAP/PEAP.
Client lacked CA cert, but I've found clients that are able to import it.
Finally client connected using EAP/TTLS with SecureW2. But I wonder if there
was a problem with the client or there is a misconfiguration or a failing
certificate. Below my data, thanks in advance!

/var/log/radius/radius.log

Thu May 13 11:18:07 2010 : Error: TLS Alert read:fatal:unknown CA
Thu May 13 11:18:07 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
Thu May 13 11:18:07 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 13 11:18:07 2010 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Thu May 13 11:18:49 2010 : Error: TLS Alert read:fatal:unknown CA
Thu May 13 11:18:49 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
Thu May 13 11:18:49 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 13 11:18:49 2010 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

My radius Configuration:

FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Oct 21
2008 at 15:14:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/status
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including conf
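
An added example, not part of the original post: a small Python triage of the radius.log entries quoted in the message above. It re-joins entries that a mail client has wrapped and reads the direction of each TLS alert, following OpenSSL's convention that "read" is an alert received from the peer and "write" is one the server sent; the final sample entry and the triage wording are constructed for illustration.

```python
import re
from collections import Counter

# Entries quoted from the post's radius.log, wrapped the way a mail client
# wraps them, plus one constructed "write" entry to show the other direction.
SAMPLE_LOG = """\
Thu May 13 11:18:07 2010 : Error: TLS Alert read:fatal:unknown CA
Thu May 13 11:18:07 2010 : Error: TLS_accept:failed in SSLv3 read client
certificate A
Thu May 13 11:18:07 2010 : Error: rlm_eap: SSL error error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 13 11:18:07 2010 : Error: SSL: SSL_read failed inside of TLS (-1),
TLS session fails.
Thu May 13 11:18:49 2010 : Error: TLS Alert read:fatal:unknown CA
Thu May 13 11:25:10 2010 : Error: TLS Alert write:fatal:unknown CA
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
ALERT_RE = re.compile(
    r"^TLS Alert (?P<dir>read|write):(?P<sev>\w+):(?P<desc>.+)$"
)

# "read"  = the alert was received from the supplicant.
# "write" = the alert was sent by the RADIUS server.
MEANING = {
    ("read", "unknown ca"):
        "supplicant does not trust the CA that issued the server "
        "certificate; install that CA on the client",
    ("write", "unknown ca"):
        "server does not trust the CA that issued the client "
        "certificate; check the CA list configured for EAP",
}


def parse_entries(text):
    """Return (timestamp, level, message) tuples, re-joining wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m["ts"], m["level"], m["msg"].strip()])
        elif entries and line.strip():
            # No timestamp prefix: continuation of the previous entry.
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def tls_alerts(entries):
    """Pick out TLS alert entries and attach a direction-aware reading."""
    alerts = []
    for ts, _level, msg in entries:
        m = ALERT_RE.match(msg)
        if not m:
            continue
        key = (m["dir"], m["desc"].strip().lower())
        alerts.append({
            "time": ts,
            "direction": key[0],
            "severity": m["sev"],
            "description": key[1],
            "meaning": MEANING.get(key, "no triage rule for this alert"),
        })
    return alerts


def summarize(text):
    """Count alerts by (direction, description)."""
    return Counter(
        (a["direction"], a["description"])
        for a in tls_alerts(parse_entries(text))
    )


if __name__ == "__main__":
    for alert in tls_alerts(parse_entries(SAMPLE_LOG)):
        print(f'{alert["time"]}  {alert["direction"]:5}  '
              f'{alert["description"]}: {alert["meaning"]}')
```

For the entries in the post, every alert is a "read", which matches the poster's own observation that the client lacked the CA certificate.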

Re: Pending release of 2.1.9

2010-05-13 Thread Johan Meiring

On 2010/05/13 07:16 PM, Josip Rodin wrote:
> Simply install *both* packages, like the dependencies tell you to...


OOPS...

Idiot mode.
I didn't look properly.

The one without "-common" *does* exist.

Apologies for time wasting..

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Freeradius privilege separation

2010-05-13 Thread Josip Rodin
On Thu, May 13, 2010 at 03:23:37PM +0200, Michał Dopierała wrote:
> It is possible in freeradius to have one user who has full privilege level
> to one equipment (one cisco router privilege lvl15), and limited privilege
> level to other equipment (other router with smaller privilege e.g. lvl10
> which will be configured on router)?
> How to separate it?
> My current configuration of users:
> 
> mdopierala  Auth-Type := PAP, Crypt-Password = "passwrd"
>         Service-Type = "Administrative-User",
>         Cisco-AVPair = "shell:priv-lvl=15",
>         Brocade-Auth-Role = "Administrator"

Yes, just answer differently to each client (router) by assigning them to
different virtual hosts.

You can probably keep the authentication part in the users file if you want,
but you can move the repetitive part of the authorization to unlang.
Then your per-user attributes can be checked automatically with logic such
as:

if ("%{reply:Service-Type}" == "Login-User") {
    update reply {
        Cisco-AVPair = "shell:priv-lvl=1"
    }
}
elsif ("%{reply:Service-Type}" == "Administrative-User") {
    update reply {
        Cisco-AVPair = "shell:priv-lvl=15"
    }
}
else {
    reject
}

-- 
 2. That which causes joy or happiness.


Re: Pending release of 2.1.9

2010-05-13 Thread Josip Rodin
On Thu, May 13, 2010 at 06:52:28PM +0200, Johan Meiring wrote:
> After building I end up with various packages.
>
> freeradius-common
> freeradius-mysql
> etc
>
> When building previous versions (tried 2.1.7), the "packages" were different.
> freeradius(note - no "-common")
> freeradius-mysql
> etc
>
> I realise the official debian packages has a "freeradius" and a
> "freeradius-common", but the debian packages built from source never had 
> a "-common".
>
> When installing 2.1.9, I installed the "-common" instead of the non  
> "-common" one.  When trying to install freeradius-mysql afterwards, it  
> complained about not finding dependency "freeradius" (without -common).
>
> There is something "wrong" with the package names.

This was already changed in 2.1.8, actually.

Simply install *both* packages, like the dependencies tell you to...

-- 
 2. That which causes joy or happiness.


Re: Pending release of 2.1.9

2010-05-13 Thread Johan Meiring

On 2010/05/13 12:57 PM, Alan DeKok wrote:
>   I've put pre releases of 2.1.9 on the web:
>
> http://git.freeradius.org/pre/
>
>   Please try them, and note any issues.  If there aren't problems, we
> can release 2.1.9 real soon now.

Builds fine on debian lenny using dpkg-buildpackage

There is a log of warnings though.
Small subset says this.
-
dpkg-shlibdeps: warning: symbol radlog used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
dpkg-shlibdeps: warning: symbol cf_section_parse used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
dpkg-shlibdeps: warning: symbol debug_flag used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
dpkg-shlibdeps: warning: symbol rad_malloc used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.
dpkg-shlibdeps: warning: symbol log_debug used by debian/freeradius/usr/lib/freeradius/rlm_checkval-2.1.9.so found in none of the libraries.

-

The warnings above also happen for other modules.
rlm_mysql
rlm_pam
rlm_dbm
etc..



After building I end up with various packages.

freeradius-common
freeradius-mysql
etc

When building previous versions (tried 2.1.7), the "packages" were different.
freeradius(note - no "-common")
freeradius-mysql
etc

I realise the official debian packages has a "freeradius" and a
"freeradius-common", but the debian packages built from source never had a 
"-common".


When installing 2.1.9, I installed the "-common" instead of the non 
"-common" one.  When trying to install freeradius-mysql afterwards, it 
complained about not finding dependency "freeradius" (without -common).


There is something "wrong" with the package names.

Also, the version in debian/changelog still contains "git".

Hope that helps.


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: free NAS ?

2010-05-13 Thread Timothy
You're not meaning something like coova-chilli (a captive portal) 
http://www.coova.org/ are you ?

Timothy

On 07/05/2010 20:46, VU VAN HUNG wrote:
> sunhualing wrote:
>> hostapd as a NAS, authenticator
>> wpa-supplicant as a supplicant
>>
>> On Fri, May 7, 2010 at 1:31 AM, Jeff Voskamp wrote:
>>> On 05/06/2010 01:27 PM, John McDonnell wrote:
>>>> On May 6th, 2010 at 1:09 PM, Randal Carpenter wrote:
>>>>> Try openfiler, at http://www.openfiler.com/, it emulates both
>>>>> SAN and NAS equipment.
>>>>>
>>>>> On Thu, May 6, 2010 at 5:56 AM, VU VAN HUNG <vanhung2...@gmail.com> wrote:
>>>>>>    Hi all,
>>>>>>    I just wonder that are there any open source software
>>>>>> that have same functionalities like Network Access Server ?
>>>>>>    Because I see that there's Asterisk, which 's like a PBX.
>>>>>>    Best,
>>>>>>    Hung,
>>>>
>>>> There's always FreeNAS as well... http://freenas.org/freenas
>>>
>>> Wrong NAS - those ones are Network Attached Storage, not Network
>>> Access Server.
>>>
>>> Dang TLA overload.
>>>
>>> Jeff
>
> hostapd only for authentication, I have tried to google but found
> nothing. I want to find a  free NAS supporting accounting for radius
> server. Just found this one. Check it out !
>
> https://www.rahunas.org/trac/
> Hung,


Re: Pending release of 2.1.9

2010-05-13 Thread John Dennis

On 05/13/2010 06:57 AM, Alan DeKok wrote:
>   I've put pre releases of 2.1.9 on the web:
>
> http://git.freeradius.org/pre/
>
>   Please try them, and note any issues.  If there aren't problems, we
> can release 2.1.9 real soon now.

Thank you for your hard work Alan! I'd like to thank you and everyone 
who worked on this for their contributions to the open source community. 
We all owe you a debt of gratitude.


As to 2.1.9 ...

It passes basic sanity checking. It builds, installs, and runs. I have 
tested with radtest and with each of the eapol_test scripts. I do not 
have a stress testing environment, I think others do and it would be 
good to hear from them.


The Changelog notes several feature additions. I thought this was a bug 
fix update only. In fairness some of the feature additions were in the 
area of documentation, that's great and I don't have a problem with 
features which do not change code and make it easier for users to use. 
But shouldn't the other features have been reserved for the 2.2.x branch 
and limit 2.1.9 to only bug fixes?


The one bug I was most concerned about I don't see specifically called 
out and I'm wondering what the disposition of that was. Sorry, but I'm 
going to be a little vague rather than citing a bug number. There was a 
problem reported by several people that resulted in a server crash and 
only seemed to appear under high load conditions after the server was up 
for a while. Alan said he was having a hard time reproducing it, that 
logically it seemed impossible from static code inspection, but 
acknowledged it was real because it had been reported often enough. Does 
that ring a bell? Does this update address that issue?




--
John Dennis 



Deny connection to users

2010-05-13 Thread Hermidio A. Rodriguez Chavez

Hi all.

Is it possible, when a user is disconnected by the Session-Timeout
directive, to deny connecting again in the following 30 min?


Thanks in advance!!

Hermidio



RE: Access request-access reject

2010-05-13 Thread dorra aa

no plz sorry i'm not so well in english.
thank you Alan :))) it's working now
see it:
r...@pfe-laptop:/home/pfe# radtest abc 123 localhost 1812 testing123
Sending Access-Request of id 185 to 127.0.0.1 port 1812
User-Name = "abc"
User-Password = "123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=185, length=20

thakkksss

> Date: Thu, 13 May 2010 13:07:45 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Access request-access reject
> 
> Hi,
> 
> > > comment this line out and restart the daemon
> > > remove calls to 'unix' from your configuration
> > > if you dont want to even think about /etc/passwd
> > i commented it like that:
> > #DEFAULT Auth-Type = System
> > Fall-Through = 1
> 
> comment out both lines: the DEFAULT line and the fall-through
> 
> and you didnt read my original email...which is a pity, where i said
> to comment out calls to 'unix' in your config if you dont use it or
> need it.   as you are not reading what i am telling you then i'm afraid
> i wont bother replying to you again over this issue  :-(
> 
> alan

Freeradius privilege separation

2010-05-13 Thread Michał Dopierała
Hi!

Is it possible in freeradius to have one user who has full privilege level
to one equipment (one cisco router privilege lvl15), and limited privilege
level to other equipment (other router with smaller privilege e.g. lvl10
which will be configured on router)?
How to separate it?
My current configuration of users:

mdopierala  Auth-Type := PAP, Crypt-Password = "passwrd"
        Service-Type = "Administrative-User",
        Cisco-AVPair = "shell:priv-lvl=15",
        Brocade-Auth-Role = "Administrator"

and part of clients.conf

client 192.168.1.1 {
    secret = community
    shortname = router1
}
client 192.168.1.2 {
    secret = community
    shortname = router2
}


I'm waiting for response
Michal Dopierala

RE: i found two freeradius

2010-05-13 Thread dorra aa


> 
> > yesterday  i create that file:
> > cd ~
> > apt-get source freeradius
> > and i worked in the users of: cd  freeradius-1.1.7/
> 
> that would just be the original source code of the program.
> 
> > but now i find another freeradius in: /etc/freeradius.
> 
> that would be the directory created and filled with correct
> files from the install of freeradius
> 
> 
> if you run radiusd -X  you will clearly see which directory is in
> use by the program. delete the one not in use
ok i see that:
# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
that mean i must delete   ~/freeradius-1.1.7 that i have created with the 
debian : freeradius_1.1.7-1ubuntu0.2_i386.deb. that don't result any problem in 
my work?
because im using a document with this debian
  

Re: Query regarding update reason

2010-05-13 Thread Alan DeKok
Vijay Badola wrote:
> I have a query regarding Update-Reason field in PPAQ attribute of
> Access-Request for prepaid case.
> 
> According to WiMax specification the size of this AVP is 4
> byte(including tag and length).

  *Which* WiMAX specification?

  The geniuses involved in WiMAX *changed* the definition of multiple
attributes when they updated the specifications.

> And according to dictionary.wimax supplied by freeradius size of
> Update-Reason field is 4 byte means total size of AVP is 6 byte.

  We're compatible with the specification we quote at the top of
dictionary.wimax.

> Can we change the size of Update-Reason field to 2 byte in
> dictionary.wimax to make over all AVP size 4 byte, to decode this AVP at
> server properly (when incoming Access-Request has 4 byte for
> update-reason AVP)? Or What is other way to achieve it?

  The dictionaries are text for a reason: you can edit them.

> Please correct me if my understanding is wrong?

  WiMAX is completely wrong.  The specs are ridiculously complicated.

  Alan DeKok.
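
The size mismatch discussed in this thread, as an added example that is not part of the original messages: a minimal sub-TLV decoder that compares the on-wire length with the width the dictionary declares for the field. The sub-TLV number, the type names and the sample bytes are assumptions made for the illustration, not values taken from dictionary.wimax.

```python
import struct

# Fixed-width data types modelled here: name -> (value bytes, struct format).
FIXED = {"byte": (1, "!B"), "short": (2, "!H"), "integer": (4, "!I")}

UPDATE_REASON = 8  # assumed sub-TLV number, for illustration only

# Two dictionary variants for the same field (this example's own model).
DICT_4_BYTE_VALUE = {UPDATE_REASON: ("Update-Reason", "integer")}  # 6-byte TLV
DICT_2_BYTE_VALUE = {UPDATE_REASON: ("Update-Reason", "short")}    # 4-byte TLV

# Constructed wire samples: type, length (header included), value.
WIRE_4 = bytes([UPDATE_REASON, 4, 0x00, 0x03])
WIRE_6 = bytes([UPDATE_REASON, 6, 0x00, 0x00, 0x00, 0x03])


class TLVError(ValueError):
    """Raised when the packet and the dictionary disagree."""


def decode_sub_tlvs(data, dictionary):
    """Decode a run of sub-TLVs, each with a 1-byte type and 1-byte length.

    The length byte counts the two header bytes, so a 2-byte value gives a
    4-byte TLV and a 4-byte value gives a 6-byte TLV.
    """
    decoded = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise TLVError(f"truncated TLV header at offset {pos}")
        tlv_type, tlv_len = data[pos], data[pos + 1]
        if tlv_len < 2:
            raise TLVError(f"type {tlv_type}: length {tlv_len} is below "
                           "the 2-byte header")
        if pos + tlv_len > len(data):
            raise TLVError(f"type {tlv_type}: length {tlv_len} overruns "
                           "the attribute")
        value = data[pos + 2:pos + tlv_len]
        name, dtype = dictionary.get(tlv_type,
                                     (f"Unknown-{tlv_type}", "octets"))
        if dtype == "octets":
            decoded[name] = value
        else:
            width, fmt = FIXED[dtype]
            if len(value) != width:
                # Refuse rather than pad or truncate: a guessed width would
                # silently produce a wrong value.
                raise TLVError(
                    f"{name}: dictionary type '{dtype}' needs a "
                    f"{width + 2}-byte TLV, packet carries a "
                    f"{tlv_len}-byte TLV")
            decoded[name] = struct.unpack(fmt, value)[0]
        pos += tlv_len
    return decoded


def check(data, dictionary):
    """Return (decoded, None) on success or (None, reason) on failure."""
    try:
        return decode_sub_tlvs(data, dictionary), None
    except TLVError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for label, wire in (("4-byte TLV", WIRE_4), ("6-byte TLV", WIRE_6)):
        for dname, d in (("integer", DICT_4_BYTE_VALUE),
                         ("short", DICT_2_BYTE_VALUE)):
            print(label, "with dictionary type", dname, "->", check(wire, d))
```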


Re: Simultneous-Use + SQL + Checkrad

2010-05-13 Thread Alan DeKok
Galatóczki István wrote:
> I use Freeradius 2.0.4(deb pack) with Mysql 5.0.51. 

  You should really upgrade to 2.1.8.

> The online users check not work in the NAS with checkrad script my network.
> 
> I read the list and forums but not founded solution. 
> I have read and followed the step of below comment:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg58506.html
> 
> my config: 
> radcheck table: Simultaneous-Use: =1 
> -sites-enabled/default-
> accounting ( 
>  sql sqlippool 

  The IPPool module does not do simultaneous-use tracking.

> ) 
> session ( 
> sql 
> ) 
> uncomment: simul_count_query... in dialup.conf 
> 
> include: sql.conf etc.. in the radiusd.conf 
> 
> Question: working the checkrad script without radutmp? 

  No.

  Alan DeKok.


Query regarding update reason

2010-05-13 Thread Vijay Badola
Hi, 

I have a query regarding Update-Reason field in PPAQ attribute of
Access-Request for prepaid case. 

According to WiMax specification the size of this AVP is 4 byte(including
tag and length).

And according to dictionary.wimax supplied by freeradius size of
Update-Reason field is 4 byte means total size of AVP is 6 byte.

 

Can we change the size of Update-Reason field to 2 byte in dictionary.wimax
to make over all AVP size 4 byte, to decode this AVP at server properly
(when incoming Access-Request has 4 byte for update-reason AVP)? Or What is
other way to achieve it? 

Please correct me if my understanding is wrong?

 


Re: Access request-access reject

2010-05-13 Thread Alan Buxey
Hi,

> > comment this line out and restart the daemon
> > remove calls to 'unix' from your configuration
> > if you dont want to even think about /etc/passwd
> i commented it like that:
> #DEFAULT Auth-Type = System
> Fall-Through = 1

comment out both lines: the DEFAULT line and the fall-through

and you didnt read my original email...which is a pity, where i said
to comment out calls to 'unix' in your config if you dont use it or
need it.   as you are not reading what i am telling you then i'm afraid
i wont bother replying to you again over this issue  :-(

alan


Re: i found two freeradius

2010-05-13 Thread Alan Buxey
Hi,

> yesterday  i create that file:
> cd ~
> apt-get source freeradius
> and i worked in the users of: cd  freeradius-1.1.7/

that would just be the original source code of the program.

> but now i find another freeradius in: /etc/freeradius.

that would be the directory created and filled with correct
files from the install of freeradius


if you run radiusd -X  you will clearly see which directory is in
use by the program. delete the one not in use

alan


i found two freeradius

2010-05-13 Thread dorra aa

yesterday  i create that file:
cd ~

apt-get source freeradius
and i worked in the users of: cd  freeradius-1.1.7/
but now i find another freeradius in: /etc/freeradius.
I don't know how it is created there? and does it have any influence in
my radius, because i do my changes in file: users of cd
freeradius-1.1.7/.
may i delete the second freeradius that i do not created??
  

Pending release of 2.1.9

2010-05-13 Thread Alan DeKok
  I've put pre releases of 2.1.9 on the web:

http://git.freeradius.org/pre/

  Please try them, and note any issues.  If there aren't problems, we
can release 2.1.9 real soon now.

  Alan DeKok.


Re: When to ldap?

2010-05-13 Thread Alan DeKok
Dean, Barry wrote:
> The issue is that the self same configuration in FreeRADIUS 2.0.2 works! But 
> with 2.1.8 it fails.

  Yes... the behavior changed slightly in the past 2 years.

  Read raddb/modules/ldap in 2.1.8.  Look for "auth_type".  This is
documented.

> "FR 2.0.2 reports 'rad_check_password: Found Auth-Type ldap' then goes on to 
> authenticate a user against LDAP, whereas FR 2.1.8 reports that there is no 
> Auth-Type set and does not attempt LDAP authentication."

  Yes.  Older versions had the LDAP module set the Auth-Type... which is
wrong.

  Alan DeKok.


RE: Access request-access reject

2010-05-13 Thread dorra aa



> Date: Thu, 13 May 2010 11:01:10 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Access request-access reject
> 
> Hi,
> 
> > I found in users file that line:
> > DEFAULT Auth-Type = System
> 
> comment this line out and restart the daemon
> remove calls to 'unix' from your configuration
> if you dont want to even think about /etc/passwd
i commented it like that:
#DEFAULT Auth-Type = System
Fall-Through = 1 
 also in file radiusd.conf:
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authorize' section.
#digest

#
#  Pluggable Authentication Modules.
#pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#  
unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#Auth-Type LDAP {
#ldap
#}

#
#  Allow EAP authentication.
eap
}
i commented :unix
...
and i have this output in the daemon:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:40128, id=130, length=55
User-Name = "abc"
User-Password = "123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 130 to 127.0.0.1 port 40128
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 130 with timestamp 4bebd86e
Nothing to do.  Sleeping until we see a request.

> alan

Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 10:15, Alan DeKok wrote:

> Dean, Barry wrote:
> ...
>>  [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
>> filter (sAMAccountName=user)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP.  Are you sure that the 
>> user is configured correctly?
> 
>  I mean, really... what's the issue?

The issue is that the self same configuration in FreeRADIUS 2.0.2 works! But 
with 2.1.8 it fails.

The difference in the debug output is:

++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate

In FR 2.0.2 this "rad_check_password" is causing LDAP authentication, whereas 
in FR 2.1.8 the same section of debug output says:

++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.

> ...
>> [pap] WARNING! No "known good" password found for the user.  Authentication 
>> may fail because of this.
> 
>  That should be a hint.

True. My problem was why was LDAP not being attempted for this basic request. 
No EAP, just a username and a password, which works just fine with FR 2.0.2.

In fact with 2.0.2 either:

if (!EAP-Message) {
    ldap
}

or

ldap

Works in the authorise section as the Non-EAP request calls ldap either way.

With FR 2.1.8, both fail. They follow the same path and produce the "No 
authentication method ..." error.

All the complex EAP/TTLS/PEAP/MSCHAP etc stuff is working with FR 2.1.8 with my 
config, just the simple stuff is broken.

Maybe my question should have been:

"FR 2.0.2 reports 'rad_check_password: Found Auth-Type ldap' then goes on to 
authenticate a user against LDAP, whereas FR 2.1.8 reports that there is no 
Auth-Type set and does not attempt LDAP authentication."


Complete output for working one:

rad_recv: Access-Request packet from host 192.168.0.10 port 33158, id=66, 
length=49
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize
++[preprocess] returns ok
expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/log/radacct/192.168.0.10/auth-detail-20100513
rlm_detail: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
/log/radacct/192.168.0.10/auth-detail-20100513
expand: %t -> Thu May 13 10:46:02 2010
++[auth_log] returns ok
++? if ("%{User-Name}" =~ /forbidden/i)
expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /forbidden/i) -> FALSE
++? if ("%{User-Name}" =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "user"
rlm_realm: Proxying request from user user to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
users: Matched entry user at line 203
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> TRUE
++- entering if (!EAP-Message)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
expand: %{Stripped-User-Name} -> user
expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(sAMAccountName=user)
expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> 
OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to adserver.liv.ac.uk:389, authentication 0
rlm_ldap: bind as CN=radius-account,OU=Service 
Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to 
adserver.liv.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk, with 
filter (sAMAccountName=user)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: Setting Auth

Re: Access request-access reject

2010-05-13 Thread Alan Buxey
Hi,

> I found in users file that line:
> DEFAULT Auth-Type = System

comment this line out and restart the daemon
remove calls to 'unix' from your configuration
if you don't want to even think about /etc/passwd

alan


Access request-access reject

2010-05-13 Thread dorra aa

> > users: Matched entry DEFAULT at line 153
> > users: Matched entry abc at line 216
> > modcall[authorize]: module "files" returns ok for request 0
> > modcall: leaving group authorize (returns ok) for request 0
> > rlm_pap: Found existing Auth-Type, not changing it.
> > rad_check_password: Found Auth-Type System
> > modcall[authenticate]: module "unix" returns notfound for request 0
> 
> It shouldn't be using an auth-type of "System", that means to look up the 
> user in the /etc/passwd (/etc/shadow) file. But you don't have a user on 
> your system named "abc" so the not found result makes sense, right?
> 
> Why is it trying to find "abc" amongst the unix users on your system? 
> The answer is right above, look at the lines labeled "users:", that's 
> your users file, also look at the line that says "Found Auth-Type, not 
> changing it". So something in your users file forced the user "abc" to 
> have an Auth-Type of "system" or "unix", it also tells you which lines 
> in the users files it matched. Go fix your users file so it doesn't do that.

I found in users file that line:
DEFAULT Auth-Type = System
I decommented it but same problem. I think I must change it to other attribute?

> I'm guessing in your attempts to get things working you may have mangled 
> the example users file, you might want to start with the unaltered users 
> file and just add your test user.
> 
> All this is documented in the link I sent you a week ago:
> http://deployingradius.com/documents/configuration/pap.html
> 
> -- 
> John Dennis 

Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-13 Thread Alan DeKok
Zheng, Jiajia wrote:
> But as I mentioned that the same CA works fine with EAP-TTLS. Why it goes 
> wrong with EAP-TLS?

  EAP-TLS requires that the CA be authorized to sign client
certificates.  See the certificate creation scripts in 2.1.8, they may
have fixes for this.

  Alan DeKok.


Re: When to ldap?

2010-05-13 Thread Alan DeKok
  

Dean, Barry wrote:
...
>   [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
> filter (sAMAccountName=user)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the 
> user is configured correctly?

  Again...
...
> [pap] WARNING! No "known good" password found for the user.  Authentication 
> may fail because of this.

  See the form at:

http://networkradius.com/freeradius.html

  It will *highlight* the information you need to know.

> I have seen the dire warnings about "Don't set Auth-Type = LDAP" so I have 
> not ventured there as I am sure there are dragons.

  The warnings are there because people set it, and then try to do EAP.
For some reason, no LDAP server implements EAP.

  Your choices are:

a) fix your LDAP server to return a password
b) force Auth-Type := LDAP *only* for certain kinds of packets

  If you're trying to do EAP with this LDAP server (I presume it's
Active Directory), see my web site at http://deployingradius.com/.  It
has complete instructions.

  Alan DeKok.
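
The debug-log reading described in the "Access request-access reject" thread (the "users:" lines, "Found existing Auth-Type", the authenticate result) and the 2.1.8 "No authenticate method" reject in this thread can both be pulled out of the output mechanically. This is an added example, not part of any post in this archive; the function names and the abridged sample logs are constructed for illustration.

```python
import re

# Constructed samples, abridged from the two kinds of debug output quoted in this digest.
FORCED = """\
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
rlm_pap: Found existing Auth-Type, not changing it.
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound for request 0
"""
UNSET = """\
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

USERS_RE = re.compile(r'users: Matched entry (\S+) at line (\d+)')
AUTH_TYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
MODULE_RE = re.compile(r'modcall\[authenticate\]: module "([^"]+)" returns (\w+)')


def triage(log):
    """Collect the lines that decide how (or whether) a request is authenticated."""
    facts = {"users_entries": [], "auth_type": None, "kept_existing": False,
             "no_known_good": False, "no_auth_type": False, "module_results": []}
    for line in log.splitlines():
        if m := USERS_RE.search(line):
            facts["users_entries"].append((m.group(1), int(m.group(2))))
        elif m := AUTH_TYPE_RE.search(line):
            facts["auth_type"] = m.group(1)
        elif m := MODULE_RE.search(line):
            facts["module_results"].append((m.group(1), m.group(2)))
        elif "Found existing Auth-Type" in line:
            facts["kept_existing"] = True
        elif 'No "known good" password' in line:
            facts["no_known_good"] = True
        elif "No authenticate method (Auth-Type)" in line:
            facts["no_auth_type"] = True
    return facts


def explain(facts):
    """Turn the collected facts into the reading a reviewer would give."""
    notes = []
    if facts["auth_type"] and facts["kept_existing"]:
        lines = ", ".join(str(n) for _, n in facts["users_entries"]) or "unknown"
        notes.append(f"Auth-Type {facts['auth_type']} was set before pap ran; "
                     f"check users file line(s) {lines}")
    for module, result in facts["module_results"]:
        if result in ("notfound", "reject", "fail"):
            notes.append(f"authenticate: {module} returned {result}")
    if facts["no_auth_type"]:
        cause = ("no module supplied a known-good password"
                 if facts["no_known_good"] else "no module set Auth-Type")
        notes.append(f"rejected before any authenticate module ran: {cause}")
    return notes


if __name__ == "__main__":
    print([explain(triage(sample)) for sample in (FORCED, UNSET)])
```
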


Re: When to ldap?

2010-05-13 Thread Alan DeKok
Dean, Barry wrote:
...
>   [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with 
> filter (sAMAccountName=user)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the 
> user is configured correctly?

  I mean, really... what's the issue?

...
> [pap] WARNING! No "known good" password found for the user.  Authentication 
> may fail because of this.

  That should be a hint.

  Paste the debugging output into the form at:


> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request: 
> Rejecting the user
> Failed to authenticate the user.
> Login incorrect: [user] (from client EZProxy port 0)
> } # server radius
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> user
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, 
> length=49
> Waiting to send Access-Reject to client EZProxy port 63775 - ID: 111
> Sending delayed reject for request 0
> Sending Access-Reject of id 111 to 192.168.0.10 port 63775
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 111 with timestamp +32
> 
>>> I presume:
>>>
>>>   if (!EAP-Message) {
>>>       ldap
>>>   }
>>>
>>> Fails to set Auth-Type LDAP?
>>  Yes.  It *shouldn't*, either.  That was a mistake from 1.x.
> 
>   I have seen the dire warnings about "Don't set Auth-Type = LDAP" so I 
> have not ventured there as I am sure there are dragons.
> 
> --
> Barry Dean
> Principal Programmer/Analyst
> Networks Group
> Computing Services Department
> Tel: 0151 795 9540


Re: When to ldap?

2010-05-13 Thread Dean, Barry

On 13 May 2010, at 06:54, Alan DeKok wrote:

> Dean, Barry wrote:
>> I am working on a new radius config and have been trying to avoid the lookup 
>> in LDAP I have been seeing for the outer identity.
>> 
>> I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
>> 
>> I have an authorise section for the relevant virtual server that has:
> 
>  *which* virtual server?

I have 3 virtual servers on this host, one is for just local 
authentication, one is for the JANET Roaming Service and one is for our local 
Guest Wireless service. The config section I posted was from the local auth 
virtual server.

Complete config:

# Local auth
#
server radius {
    listen {
        ipaddr = 
        port = 0
        type = auth
    }
    listen {
        ipaddr = 
        port = 0
        type = acct
    }
    proxy_requests  = no

    $INCLUDE local-clients.conf

    authorize {
        preprocess
        auth_log
        if ("%{User-Name}" =~ /forbidden/i) {
            update reply {
                Reply-Message = "Cannot use this user account"
            }
            reject
        }
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        if (!EAP-Message) {
            ldap
        }
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            ldap
        }
        Auth-Type EAP {
            eap
        }
        eap
    }

    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
    }

    session {
        radutmp
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
        reply_log
    }
    pre-proxy {
        pre_proxy_log
    }

    post-proxy {
        eap
        post_proxy_log
    }
}


> 
>> The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the 
>> outer identity, but if I want to send a basic User-Name/User-Password type 
>> auth request after checking with LDAP and returning "Remote access is 
>> permitted", I then see:
>> 
>> No authenticate method (Auth-Type) configuration found for the request: 
>> Rejecting the user
> 
>  And the *rest* of the debug log says ?

Complete log is:
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, 
length=49
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/log/radacct/192.168.0.10/auth-detail-20100513
[auth_log] /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
/log/radacct/192.168.0.10/auth-detail-20100513
[auth_log]  expand: %t -> Thu May 13 09:47:31 2010
++[auth_log] returns ok
++? if ("%{User-Name}" =~ /forbidden/i)
expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /forbidden/i) -> FALSE
++? if ("%{User-Name}" =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-eduroam] No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap]  expand: %{Stripped-User-Name} -> user
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(sAMAccountName=user)
[ldap]  expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> 
OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to adse

SAMBA Version

2010-05-13 Thread Colin Byelong

Hi,

I was reading the archives and saw that some of the later versions of 
SAMBA had a bug so it couldn't be used for ntlm_auth/Eap-PEAP.

Does anyone know if this is now fixed?

We are running Fedora core 12 and it ships with SAMBA 3.4.7

Thanks

Colin

--
---


Colin Byelong Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street  Phone: 020 7679-2572
London WC1E 6BT




Simultaneous-Use + SQL + Checkrad

2010-05-13 Thread Galatóczki István
Hi All!

I use FreeRADIUS 2.0.4 (deb package) with MySQL 5.0.51.
The online users check does not work on the NAS with the checkrad script in my network.

I read the list and forums but have not found a solution.
I have read and followed the steps of the comment below:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg58506.html

My config:
radcheck table: Simultaneous-Use: =1
-sites-enabled/default-
accounting {
    sql
    sqlippool
}
session {
    sql
}
uncomment: simul_count_query... in dialup.conf

include: sql.conf etc.. in the radiusd.conf

Question: does the checkrad script work without radutmp?

Steve  