RE: Problem with ip pools
Still no luck. I made a connection, the disconnect but the IP it is always in the databases. I would like to understand if accounting is working well. Only thing I know is that files in [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8 are being fullfiled. (192.168.10.8 is a cisco router which acts as a NAS forwarding NAS requests). [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat auth-detail-20050331 Packet-Type = Access-Request Thu Mar 31 14:31:55 2005 Framed-Protocol = PPP User-Name = "" CHAP-Password = NAS-Port-Type = Virtual NAS-Port = 135 Calling-Station-Id = "" Called-Station-Id = "" Service-Type = Framed-User NAS-IP-Address = 192.168.10.8 Client-IP-Address = 192.168.10.8 CHAP-Challenge = [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat reply-detail-20050331 Packet-Type = Access-Accept Thu Mar 31 14:31:55 2005 Framed-Protocol = PPP Framed-MTU = 576 Framed-IP-Address = 192.168.52.79 Framed-IP-Netmask = 255.255.255.0 Does this means that accounting is working ? Regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA > -Message d'origine- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] De la > part de Sébastien Cantos > Envoyé : jeudi 31 mars 2005 14:26 > À : freeradius-users@lists.freeradius.org > Objet : RE: Problem with ip pools > > Hi, > > The main_pool line in the accounting section of the > radiusd.conf file was commented ... Maybe that was my mistake. > Ok for the rlm_ippool_tool I'm gonna use it to see if my > modification of radiusd.conf is working or not. I was not > using accounting at all so I forgot about it but it seems > that I will have to configure it well to get the ip_pool working. > Thank for answering. > > Best regards, > -- > Sebastien Cantos <[EMAIL PROTECTED]> > Network / System Manager > Neopost DIVA > > > -Message d'origine- > > De : [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] De la > > part de Kostas Kalevras > > Envoyé : jeudi 31 mars 2005 13:47 > > À : freeradius-users@lists.freeradius.org > > Objet : Re: Problem with ip pools > > > > On Thu, 31 Mar 2005, S?bastien Cantos wrote: > > > > > Hi, > > > > > > I'm using ip pools to manage my client ips from the radius side. > > > Here's my conf: > > > * users file : > > > DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool" > > >Framed-Protocol = PPP, > > >Framed-MTU = 576 > > > > > > * radiusd.conf file: > > >ippool main_pool { > > >range-start = 192.168.52.2 > > >range-stop = 192.168.52.254 > > >netmask = 255.255.255.0 > > >cache-size = 800 > > >session-db = ${raddbdir}/db.ippool > > >ip-index = ${raddbdir}/db.ipindex > > >} > > > > > > Everything is working well for some days then my clients > > could not get > > > anymore ips from the radius. I've found a way to correct > > this by deletinf > > > the db.ip* files and restarting the radius but this is > not *clean*. > > > Is there a way to dump the content of the ippool database ? > > > I want to understand how ips are freed from the pool > > because I think that > > > there's a problem when a client disconnects. It seems that > > ips stay in the > > > pool as used even if the client has disconnected. > > > Thanks in advance for your help. > > > > There's rlm_ippool_tool which might help you in > > src/modules/rlm_ippool. > > rlm_ippool depends on accounting working ok. If it is not > > working then you might > > get into problems. The module *does* have a few more methods > > of finding out > > stale records and deleting them: > > 1. maximum-timeout directive. You can set that to the maximum > > session time > > expected in your network (if that can be calculated) in order > > to make sure no ip > > remains active for more time than maximum-timeout. > > 2. Each time an authentication request is performed from a > > nas ip/port pair > > which has already an ip allocated that ip is cleaned up. That > > means that as long > > as your ip pool is as large as your nas ports number it will > > be difficult to run > > out of available ip's. > > > > My
Problem with ip pools
Hi, I'm using ip pools to manage my client ips from the radius side. Here's my conf: * users file : DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool" Framed-Protocol = PPP, Framed-MTU = 576 * radiusd.conf file: ippool main_pool { range-start = 192.168.52.2 range-stop = 192.168.52.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex } Everything is working well for some days then my clients could not get anymore ips from the radius. I've found a way to correct this by deletinf the db.ip* files and restarting the radius but this is not *clean*. Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected. Thanks in advance for your help. Regargs, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_ldap - Attribute "User-Password" is required for authentication
So maybe it's a NAS problem. Are you sure that the NAS is sending the userpassword in the request ? -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA > -Message d'origine- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] De la > part de guest01 > Envoyé : mardi 8 mars 2005 16:16 > À : freeradius-users@lists.freeradius.org > Objet : Re: rlm_ldap - Attribute "User-Password" is required > for authentication > > Sébastien Cantos wrote: > > >>I had the same problem a few weeks ago. In fact the ldap > wasn't returning > >>the user-password so it wasn't working. Chack with > ldapsearch to make the > >>querry directly to the ldap as if you were the radius and I > think that you > >>will see that the userpassword is not returned. > > > > > Thxs for your help, but it still doesn't work :-( > > Ok, I store the passwords in cleartext (just base64encoded), > ldapsearch > works: > > ldapsearch -x -D "cn=Manager,dc=gibraltar,dc=local" -w secret > "(&(objectclass=gibraltaruser)(uid=testuser))" userPassword > # extended LDIF > # > # LDAPv3 > # base <> with scope sub > # filter: (&(objectclass=gibraltaruser)(uid=testuser)) > # requesting: userPassword > # > > # testuser, users, gibraltar.local > dn: uid=testuser,ou=users,dc=gibraltar,dc=local > userPassword:: MTIzNDU2 > > # search result > search: 2 > result: 0 Success > > > >Make sure that the user/password in radiusd.conf for the > user that will make > >the search in the ldap is valid. I think that the radius is binding > >anonymously on the ldap so it can read passwords. Another > thing to note is > >that you have to store passwords in clear text into the ldap. > > >ldap { > >server = "myserver.mydomain.com" > >identity = > >"cn=some_user_that_can_read_passwords_on_the_ldap" > >password = "password_for_this_user" > > > > hm, my LDAP is still in testing, therefor everyone is allowed > everthing... But I also tried it > with the rootdn, but no difference. But I don't think thats > the problem, > because the > authorization-part works fine, "user testuser authorized to use remote > access", > just that damned authentication part ... > > rad_recv: Access-Request packet from host 127.0.0.1:1025, > id=55, length=54 > Service-Type = Framed-User > Framed-Protocol = PPP > User-Name = "testuser" > NAS-IP-Address = 69.25.27.173 > NAS-Port = 0 > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 0 > users: Matched DEFAULT at 153 > users: Matched DEFAULT at 172 > users: Matched DEFAULT at 185 > modcall[authorize]: module "files" returns ok for request 0 > rlm_ldap: - authorize > rlm_ldap: performing user authorization for testuser > radius_xlat: '(&(objectclass=gibraltarUser)(uid=testuser))' > radius_xlat: 'ou=users,dc=gibraltar,dc=local' > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap: attempting LDAP reconnection > rlm_ldap: (re)connect to localhost:389, authentication 0 > rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to > localhost:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with > filter (&(objectclass=gibraltarUser)(uid=testuser)) > rlm_ldap: checking if remote access for testuser is allowed > by isVPNUser > rlm_ldap: performing search in > uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter > (objectclass=radiusprofile) > rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21 > rlm_ldap: looking for check items in directory... > rlm_ldap: looking for reply items in directory... > rlm_ldap: user testuser authorized to use remote access > rlm_ldap: ldap_release_conn: Release Id: 0 > modcall[authorize]: module "ldap" returns ok for request 0 > modcall: group authorize returns ok for request 0 > rad_check_password: Found Auth-Type LDAP > auth: type "LDAP" > Processing the authenticate section of radiusd.conf > modcall: entering group Auth-Type for request 0 > rlm_ldap: - authenticate > rlm_ldap: Attribute "User-Password" is required for authentication. > modcall[authenticate]: module "ldap" returns invalid for request 0 > modcall: group Auth
RE: rlm_ldap - Attribute "User-Password" is required for authentication
I had the same problem a few weeks ago. In fact the ldap wasn't returning the user-password so it wasn't working. Chack with ldapsearch to make the querry directly to the ldap as if you were the radius and I think that you will see that the userpassword is not returned. > rlm_ldap: bind as / to localhost:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with Make sure that the user/password in radiusd.conf for the user that will make the search in the ldap is valid. I think that the radius is binding anonymously on the ldap so it can read passwords. Another thing to note is that you have to store passwords in clear text into the ldap. ldap { server = "myserver.mydomain.com" identity = "cn=some_user_that_can_read_passwords_on_the_ldap" password = "password_for_this_user" Regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA > -Message d'origine- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] De la > part de guest01 > Envoyé : mardi 8 mars 2005 15:44 > À : freeradius-users@lists.freeradius.org > Objet : Re: rlm_ldap - Attribute "User-Password" is required > for authentication > > hm, radius is very strange Can anyone please help me? > this is the logfile output after testing with radexample: > > rad_recv: Access-Request packet from host 127.0.0.1:1025, > id=40, length=66 > User-Name = "testuser" > User-Password = "123456" > Service-Type = Authenticate-Only > NAS-IP-Address = 127.0.0.1 > NAS-Port = 0 > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 0 > modcall[authorize]: module "preprocess" returns ok for request 0 > users: Matched DEFAULT at 152 > modcall[authorize]: module "files" returns ok for request 0 > rlm_ldap: - authorize > rlm_ldap: performing user authorization for testuser > radius_xlat: '(&(objectclass=gibraltarUser)(uid=testuser))' > radius_xlat: 'ou=users,dc=gibraltar,dc=local' > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap: attempting LDAP reconnection > rlm_ldap: (re)connect to localhost:389, authentication 0 > rlm_ldap: bind as / to localhost:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with > filter (&(objectclass=gibraltarUser)(uid=testuser)) > rlm_ldap: checking if remote access for testuser is allowed > by isVPNUser > rlm_ldap: looking for check items in directory... > rlm_ldap: looking for reply items in directory... > rlm_ldap: user testuser authorized to use remote access > rlm_ldap: ldap_release_conn: Release Id: 0 > modcall[authorize]: module "ldap" returns ok for request 0 > modcall: group authorize returns ok for request 0 > rad_check_password: Found Auth-Type LDAP > auth: type "LDAP" > Processing the authenticate section of radiusd.conf > modcall: entering group Auth-Type for request 0 > rlm_ldap: - authenticate > rlm_ldap: login attempt by "testuser" with password "123456" > rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local > rlm_ldap: (re)connect to localhost:389, authentication 1 > rlm_ldap: bind as > uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to > localhost:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: user testuser authenticated succesfully > modcall[authenticate]: module "ldap" returns ok for request 0 > modcall: group Auth-Type returns ok for request 0 > Sending Access-Accept of id 40 to 127.0.0.1:1025 > Finished request 0 > Going to the next request > --- Walking the entire request list --- > Waking up in 6 seconds... > --- Walking the entire request list --- > Cleaning up request 0 ID 40 with timestamp 422db560 > Nothing to do. Sleeping until we see a request. > > and this is the output after trying to connect via pptpd with > winxp prof. > Ready to process requests. > rad_recv: Access-Request packet from host 127.0.0.1:1025, > id=41, length=54 > Service-Type = Framed-User > Framed-Protocol = PPP > User-Name = "testuser" > NAS-IP-Address = 66.150.161.140 > NAS-Port = 0 > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 0 > modcall[authorize]: module "preprocess" returns ok for request 0 > users: Matched DEFAULT at 152 > users: Matched DEFAULT at 171 > users: Matched DEFAULT at 183 > modcall[authorize]: module "files" returns ok for request 0 > rlm_ldap: - authorize > rlm_ldap: performing user authorization for testuser > radius_xlat: '(&(objectclass=gibraltarUser)(uid=testuser))' > radius_xlat: 'ou=users,dc=gibraltar,dc=local' > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap:
RE: Ip pool management
Ok it works with : DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool" Framed-Protocol = PPP, Framed-MTU = 576 Thanks a lot for your help. Kind Regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA > -Message d'origine- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] De la > part de Alan DeKok > Envoyé : jeudi 3 mars 2005 17:41 > À : freeradius-users@lists.freeradius.org > Objet : Re: Ip pool management > > "Sébastien Cantos" <[EMAIL PROTECTED]> wrote: > > The problem is that it is complaining: > > rlm_ippool: could not find Pool-Name attribute > > The *module* is printing that message because the Pool-Name > attribute is not found in the list of check items. > > > For my *newbie* understanding, if the Pool-name is a check item it > > should be in the request I get from my clients. > > No. Nothing in the server documentation would lead you to that > conclusion. The documentation would lead you to the *correct* > conclusion, which is that the "check" items are not the > "request" items. > > Alan DeKok. > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ip pool management
Yes you are right. Luaching the server in debug mode told me that Pool-name is a check item and that it should be on the first line. The problem is that it is complaining: rlm_ippool: could not find Pool-Name attribute For my *newbie* understanding, if the Pool-name is a check item it should be in the request I get from my clients. I'm true ? If yes, I can't modify the I got from the NAS (it's not mine). So is there a way to use ippool without this check item ? Thanks for your help. Regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA > -Message d'origine- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] De la > part de Alan DeKok > Envoyé : mercredi 2 mars 2005 18:50 > À : freeradius-users@lists.freeradius.org > Objet : Re: Ip pool management > > "Sébastien Cantos" <[EMAIL PROTECTED]> wrote: > > I've followed instructions in radiusd.conf : > > My users file looks like this: > > DEFAULT Service-Type == Framed-User > > Pool-Name := osiris-pool, > > You did not follow the instructions in radiusd.conf. The > "Pool-Name" attribute should go on the first line. > > If you had run the server in debugging mode, the server would have > told you this. > > Alan DeKok. > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ip pool management
Hi, I've followed instructions in radiusd.conf : My users file looks like this: DEFAULT Service-Type == Framed-User Pool-Name := osiris-pool, Framed-Protocol = PPP, Framed-MTU = 576 And in my radiusd.conf I've: post-auth { # Get an address from the IP Pool. # main_pool osiris-pool ... } modules { ... ippool osiris-pool { range-start = 192.168.52.1 range-stop = 192.168.52.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex } } I get this error : rlm_ippool: could not find Pool-Name attribute And my client doesn't get back the IP. I surely miss something Could someone help me please ? Regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA > -Message d'origine- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] De la > part de Alan DeKok > Envoyé : mardi 1 mars 2005 18:50 > À : freeradius-users@lists.freeradius.org > Objet : Re: Ip pool management > > "Sébastien Cantos" <[EMAIL PROTECTED]> wrote: > > I would like to configure my radius to give the first > available IP in the > > subnet 192.168.52.0/24 without carrying about the NAS modem number. > > Is there a way to configure this ? > > Read radiusd.conf. Look for "ippool" > > Alan DeKok. > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ip pool management
Hi, I've something like this in my user file: DEFAULT Service-Type == Framed-User Framed-Protocol = PPP, Framed-MTU = 576, Framed-IP-Address = 192.168.52.1+, Framed-IP-Netmask = 255.255.255.0 I've noticed that the IP on the client side depends on the NAS modem number. For example if modem is number 1 the IP is 192.168.52.1, is modem is number 10, ip is 192.168.52.10. I would like to configure my radius to give the first available IP in the subnet 192.168.52.0/24 without carrying about the NAS modem number. Is there a way to configure this ? Regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRadius with LDAP
Rlm_ldap needs some openldap libraries to compile well on solaris. One solution is to install OpenLDAP even if you use Sun LDAP. This way the module will compile. Regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA > -Message d'origine- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] De la > part de Michael Mitchell > Envoyé : vendredi 18 février 2005 13:30 > À : freeradius-users@lists.freeradius.org > Objet : Re: FreeRadius with LDAP > > dbx is your friend... > > But check to see that the ldap module actually built... unless you've > got things installed in the default places, it can take a > little work to > get the ldap module to compile on Solaris... > > > > > José Berenguer wrote: > > Hello! > > > > We are trying to authenticate the last version of > freeradius (1.0.1) > > in Solaris 9 against LDAP and we are always getting the > same error when > > we try to start radius with the command: > > > >/usr/local/sbin/radiusd -S -X > > > > You can view the "radiusd.conf" and "users" files, and > the error we > > get is this: > > > > Module: Loaded exec > > exec: wait = yes > > exec: program = "(null)" > > exec: input_pairs = "request" > > exec: output_pairs = "(null)" > > exec: packet_type = "(null)" > > rlm_exec: Wait=yes but no output defined. Did you mean output=none? > > Module: Instantiated exec (exec) > > Module: Loaded expr > > Module: Instantiated expr (expr) > > Module: Loaded PAP > > pap: encryption_scheme = "crypt" > > Module: Instantiated pap (pap) > > Module: Loaded CHAP > > Module: Instantiated chap (chap) > > Segmentation Fault > > > > Anyone can help us? > > > > Thanks very much! > > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP + CHAP problem
Hello, I'm trying to figure out how to make freeradius work with LDAP and CHAP authentification. My user file looks like this: DEFAULT Service-Type = Framed-User Framed-Protocol = PPP, Framed-IP-Address = 192.168.10.100+, Framed-IP-Netmask = 255.255.255.0 And in my radiusd.conf I've something like this: modules { ... chap { authtype = CHAP } ldap { server = "myserver" basedn = "ou=devices,o=group,dc=toto,dc=com" filter = "(cn=%u)" ldap_connections_number = 5 password_header = "{clear}" password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 } } authorize { chap ldap files } authenticate { Auth-Type CHAP { chap } Auth-Type LDAP { ldap } } Everithing is working well with the radtest utility whci sends User-Password Attribute, but when I try to authentificate a client that sends Chap-password I've the following output: rlm_ldap: user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 users: Matched DEFAULT at 4 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group authtype for request 0 rlm_chap: login attempt by "" with CHAP password rlm_chap: Could not find clear text password for user modcall[authenticate]: module "chap" returns invalid for request 0 modcall: group authtype returns invalid for request 0 auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [/] (from client radiusFT port 99 cli 490760808) I've read a lot of posts and FAQs vut didn't find any solution. Can anyone help me in solving this problem please ? Thanks in advances Best regards, -- Sebastien Cantos <[EMAIL PROTECTED]> Network / System Manager Neopost DIVA - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html