Re: ttls with mschapV2 authentication problem

2008-04-11 Thread Cristian Novac

Thanks for your advice! It works fine now.
I was using an older version (1.0.1) of radius before and ttls with 
mschapV2 authentication seemed to go fine, even if I was using the == 
operator instead of :=

Anyway, it is ok now. Thanks again

Phil Mayers wrote:

Cristian Novac wrote:
Could someone please take a look at the attached log file and give me 
a hint about how to solve the problem.


The log file tells you how to solve the problem:

WARNING: Found User-Password == 
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
users: Matched entry ERTVR_BE at line 146
++[files] returns ok
  rad_check_password:  Found Auth-Type mschap
auth: type MSCHAP
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create 
LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create 
NT-Password.

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

What are the users entries at lines 146 and 367? Fix the correct one 
to set Cleartext-Password with := e.g.


username    Cleartext-Password := password
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




Re: Modifying User-Name and User-Password attributes in a module

2008-04-11 Thread Stefan Winter
Hi!

 Thanks, you're right, unlang is a powerful tool. I just finished reading
 its man page. It has very interesting features. (accessing run-time

The suggested way of working with this software is

1. read the man page and other documentation
2. ask the mailing list
3. modify source code

Your complete inversion of this order didn't seem to work well.

 variables is wonderful). Your assumptions on my scenario are almost true
 and I do believe that your suggestion (regex in unlang) can completely
 remove any need for using a module in order to modify a request.
 However, in this specific scenario, I need much more further processing
 which should be done before I can decide to send a REJECT or ACCEPT. For
 example, I have to send the extracted OTP to a remote authentication manager
 whose answer would determine the final authentication result.
 In more detail it should be something like: open a socket, create a
 specific request packet, send it, wait for the answer, parse the answer
 packet, and do further processing based on the received answer from the 2FA server.
 Also, if we consider multi-threaded operation, there might be more
 issues that need to be taken care of.
 Nevertheless, I believe even using a powerful tool like unlang cannot
 eliminate the need for an extra module. However, having a significant
 part of the whole job done by unlang, this might only need a small python
 or perl module.

Yes. rlm_perl can be used to safely embed perl into packet processing, and it 
should even be thread-safe, if perl is compiled accordingly.

In your scenario, I guess you would want to use the mangling we talked about 
to send the request to the remote RADIUS proxy, and then when its answer 
comes back do your out-of-band perl post-processing. The place for this is in 
the post-auth { } section. Yes, in post-auth you can turn a Access-Accept 
from a remote reply into a reject. Make your rlm_perl module return failure 
as return code and you're done.

 Well, even if I just need to use an update in configuration files to do
 the job, I need to do it in the right place, I mean request, reply,
 proxy or proxy_reply. Candidates for this one (password modification)
 are request and proxy. I wonder if doing it in proxy can confuse
 freeradius for doing further processing on it.

I'm not sure. All I can say is that I do all my mangling during authorize { }, 
and it works. pre-proxy might as well, you just have to try it.

 Again. Thanks for your great and helpful suggestions.

Sometimes I'm tempted to kick my butt because I give free consultancy. I 
accept Ferraris as gratuity gifts, you know? ;-)

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



RFC 3576 support

2008-04-11 Thread vmx vmx
Hello everyone,

Is Freeradius able to send Change of Authorization messages and Disconnect
messages (RFC 3576)?
According to  http://www.freeradius.org/features/  Freeradius supports RFC
3576.
According to this http://wiki.freeradius.org/RFC: Freeradius does not
support RFC 3576.

I can't find any information on the site on how to configure this.
From this it appears only a test client, RadClient, is supporting this:
http://www.usenet-forums.com/freeradius-users/280002-re-change-authorization.html


Is there any development?
Has RFC 3576 support been introduced for the server and not for the client?
I want to send CoA and DM from the server.

Thank you

Re: starting FreeRADIUS server

2008-04-11 Thread Gaurav Sabharwal

Bhavin,

on 04/11/2008 05:32 AM patel bhavin said the following:

Hi,

I have installed the radius server but when I enter radius -X it shows the 
following error.


radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
ERROR: Failed to open socket:
/usr/local/etc/raddb/radiusd.conf[210]: Error binding to port for 0.0.0.0 port 1812
OS level issue. Maybe there is a service (probably freeradius) already 
listening on the port. You can use the netstat command to verify.


What should I do?

I want to install Free radius for simple authentication with JAAS.

Thanking you,
--
Bhavinkumar G Patel

Thanks,
- Gaurav


short question

2008-04-11 Thread Cristian Novac
Could someone tell me what effect the following line from the users 
file has if matched:

DEFAULT Auth-Type = Local
and what's the difference between this line and this one:
DEFAULT Auth-Type := Local

Thank you!


Re: RFC 3576 support

2008-04-11 Thread Arran Cudbard-Bell

vmx vmx wrote:

Hello everyone,

Is Freeradius able to send Change of Authorization messages and 
Disconnect messages (RFC 3576)?
According to  http://www.freeradius.org/features/  Freeradius supports 
RFC 3576.
According to this http://wiki.freeradius.org/RFC: Freeradius does not 
support RFC 3576.
FreeRADIUS does not currently support 3575, it's on the development 
roadmap. When support is added to the server core it will only be for 
*proxying* CoA messages not generating them. You can generate your own 
CoA messages using the radius client bundled with the server distribution.


It is unlikely that the FreeRADIUS daemon itself will ever support CoA 
message generation.



Arran


I can't find any information on the site on how to configure this.
From this it appears only a test client, RadClient, is supporting this: 
http://www.usenet-forums.com/freeradius-users/280002-re-change-authorization.html



Is there any development?
Has RFC 3576 support been introduced for the server and not for the client?
I want to send CoA and DM from the server.

Thank you






--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Dan Schaffer is out of the office.

2008-04-11 Thread Dan Schaffer

I will be out of the office starting  04/11/2008 and will not return until
04/14/2008.

Thank you and have a nice day,
Dan



Re: FW: Hello,

2008-04-11 Thread A . L . M . Buxey
hi,

client using PEAP? how have you stored the password
and what type of password are you trying to use?

alan


Re: All attributes in rlm_sql_log or rlm_sql ?

2008-04-11 Thread A . L . M . Buxey
Hi,
 Is there a way of using either rlm_sql_log or the post-auth query within
 rlm_sql to log all the request and/or reply attributes to mysql ?

as part of our PERL bit of handling we spew out all of the attributes to
a debug log when we want ('if file exists' logic to turn it off and on)
you could trivially do the same to dump the stuff to SQL instead.

alan


Re: proxy requests dependent on length of password

2008-04-11 Thread A . L . M . Buxey
Hi,
 Hello everyone,
 I want to use freeradius as a proxy for other radius systems. 
 
 In my environment, I have two backend radius systems for the authentication 
 of the users.
 
 The freeradius server must decide which packets it will send to which system. 
 The only difference between the packets is the length of the password. 
 
 For example:
 
 radius system A gets all the packets with passwords that are 6 characters long
 radius system B gets all the packets with passwords that are 12 characters long
 
 Is this possible to realise with freeradius? If yes, how can I do that? I 
 read about the proxy.conf that this works with realms, but I don't have any 
 realms... is there another solution?

unlang or perl could do the password length checking.  Once you check
the length you logically set the current request using the 'update'
method as described for those other cases you've seen - ie you have
virtual realms that the end user doesn't enter themselves. Then
in proxy.conf you simply say where those realms go to. And 'strip'
to ensure no weird realm stuff might appear.

alan


Re: Problem with proxy-radius function

2008-04-11 Thread banga

Anyone?

Error: Rejecting request 20696 due to lack of any response from home server
X.X.X.X port 1646
Error: Ignoring request from unknown home server X.X.X.X port 1646  
How can I fix that?


banga wrote:
 
 Hello All. 
 I use freeradius 2.0.3 only for accounting purposes. 
 More than that, I have a dozen realms that should be counted locally, and
 only one that should be proxied to redundant AAA servers. 
 My current configuration is the following:
cat clients.conf
 client test1 {
     ipaddr = 192.168.100.1
     secret = somesecret
     shortname = test1
     nastype = other
 }

 client test2 {
     ipaddr = 192.168.100.2
     secret = somesecret
     shortname = test2
     nastype = other
 }

cat proxy.conf
 proxy server {
     default_fallback = no
 }

 home_server test1 {
     type = acct
     ipaddr = 192.168.100.1
     port = 1646
     secret = somesecret
     status_check = request
 }

 home_server test2 {
     type = acct
     ipaddr = 192.168.100.2
     port = 1646
     secret = somesecret
     status_check = request
 }

 home_server_pool test {
     type = fail-over
     home_server = test1
     home_server = test2
 }


Re: Problem with proxy-radius function

2008-04-11 Thread Alan DeKok
banga wrote:
 Anyone?
 
 Error: Rejecting request 20696 due to lack of any response from home server
 X.X.X.X port 1646
 Error: Ignoring request from unknown home server X.X.X.X port 1646  
 How can I fix that?

  I think what's happening is that the home server is sending the
response from the wrong port.  You would have to show *more* of the
debug log to be sure.

  Alan DeKok.


Re: short question

2008-04-11 Thread Alan DeKok
Cristian Novac wrote:
 Could someone tell me what effect the following line from the users
 file has if matched:
 DEFAULT Auth-Type = Local
 and what's the difference between this line and this one:
 DEFAULT Auth-Type := Local

$ man users

  There *is* documentation.

  Alan DeKok.


Re: assert failed event.c and perl performance

2008-04-11 Thread Alan DeKok
Julien Leloup wrote:
 The same configuration, in FreeRadius 2.0.1 worked fine, but when I
 recompiled Perl 5.8.8 with IThreads support, I also upgraded FreeRadius
 in 2.0.3 and now I'm going through an error, only when the home server
 is not alive, or not responding :

  Grab the latest CVS.  It has a fix.

  Alan DeKok.


Re: RFC 3576 support

2008-04-11 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:
  

FreeRADIUS does not currently support 3575, it's on the development
roadmap. When support is added to the server core it will only be for
*proxying* CoA messages not generating them. You can generate your own
CoA messages using the radius client bundled with the server distribution.



  I think it's possible to do both.  A goal of the project is to do
almost everything RADIUS related.  So generating & proxying CoA are
both on the roadmap.

  
Ok just the asynchronous nature of CoA requests...  It's not really the 
server's job to process feedback from the various SNMP probes, IDSs, or 
track changes in the authorisation of users or their equipment.


I guess I can see very few usage cases for CoA where the server will 
actually make the decision to send a CoA request on its own, so why not 
just use the client or client libraries?


How were you thinking of triggering CoA events? Didn't you say there 
were issues with an instance of the server being both a CoA proxy and a 
CoA generator ?

  If someone is interested in it, there's always the possibility of
accelerating the time frame...
  

Have to wait for vendor support *grumble*.

Let me know when you get your trapeze kit so we can compare notes :)

  Alan DeKok.
  



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: ENV variables in external scripts

2008-04-11 Thread A . L . M . Buxey
Hi,
 Hi,
 
 After a brief review of the logic, i managed to get it working. My
 apologies for the trouble and thank you for your time.
 
 
 
 rlm_perl related question once again:
  When performing credential based Auth, how could I simply fall-through
 to the next check when there isn't a match.

generally you'd do the 'ok = return'  thing - just like EAP etc.

alan


Re: RFC 3576 support

2008-04-11 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Ok just the asynchronous nature of CoA requests...  It's not really the
 server's job to process feedback from the various SNMP probes, IDSs, or
 track changes in the authorisation of users or their equipment.

  Yes.  That's what proxying is for.

 I guess I can see very few usage cases for CoA where the server will
 actually make the decision to send a CoA request on its own, so why not
 just use the client or client libraries?

  if user uses more than 2G of bandwidth, then kick them off.  This is a
valid decision for a server to make.

  Forking an external program means that it's independent of the server
core, and is more difficult to integrate with SQL, etc.

 How were you thinking of triggering CoA events? Didn't you say there
 were issues with an instance of the server being both a CoA proxy and a
 CoA generator ?

  Yes.  If you're going to proxy CoA requests, there's no need to
*generate* a CoA request for the one you're proxying.

  On the other hand, if you're receiving an accounting request, it may
make sense to generate a CoA request.

 Have to wait for vendor support *grumble*.
 
 Let me know when you get your trapeze kit so we can compare notes :)

  Will do.

  Alan DeKok.


Re: libpam-radius-auth password problem

2008-04-11 Thread Alan DeKok
Fabio Pedretti wrote:
 It appears that this error occurs when users are not already on the
 machine.

  Yes, it's a PAM problem.

 The libpam-radius-auth plugin is powerful but has the limit that users
 have to be previously created on the machine, and this is not practical
 when you have thousands of users that could access the machine (e.g.
 university informatics laboratories). A similar plugin for Windows
 (pGina + RADIUS plugin) is able to automatically create the users after
 the first successful authentication.

  Because Windows has a different API.

 It would be nice if a future version were
 able to also create users - what a "useradd myuser" would do - after the
 first successful authentication.

  Sure.  Send a patch.

  Alan DeKok.


Re: Restrict to initial NAS used to logon

2008-04-11 Thread Ivan Kalik
NAS-Identifier is not stored in radacct by default. But you can add it to
or replace NAS-IP-Address with it in the radacct table and accounting
queries.

radacct is used for - accounting. You need to put a NAS-Identifier check in
radcheck to stop users from connecting from other APs. You can run a script
at logon to insert it, or run an external script at certain intervals that
will set it up for you. Anyway you need to:

- check radacct to see if the user has logged on before
- if not, insert a NAS-Identifier check into the radcheck table with the value
from the current request

If you add a NAS-Identifier field to the radacct table you don't need to add
anything to radcheck. Just run a script at logon that will:

- check radacct to see if the user has logged on before
- if he has, check that the value of NAS-Identifier in the request matches the
one in the radacct table

Ivan Kalik
Kalik Informatika ISP



On 10/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

 Is anyone doing anything like this already?

   They usually use equipment that sends a NAS identifier.

Hi,

   Sorry for a second followup, but I just looked over
the radacct file and don't see anywhere that NAS-Identifier would
be stored. Or are you saying that I need to still use the
%{NAS-Identifier} in some sort of check-name?

   Thanks, Tuc



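Both variants of the procedure Ivan describes above, written out as an added Python example on top of sqlite3 (it is not part of the thread and not FreeRADIUS's own SQL module); the cut-down table layout, the user name "tuc" and the AP names are constructed for the example.

```python
import sqlite3

# Constructed, cut-down schema.  radcheck keeps the column names of the
# FreeRADIUS SQL schema; radacct is reduced to what the check needs, plus a
# nasidentifier column, which the stock schema lacks (the reply above says to
# add it or to reuse the NAS-IP-Address column).
SCHEMA = """
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radacct (
    radacctid INTEGER PRIMARY KEY, username TEXT, nasidentifier TEXT,
    acctstarttime TEXT);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def first_nas(db, username):
    """NAS-Identifier from the user's earliest accounting record, or None."""
    row = db.execute(
        "SELECT nasidentifier FROM radacct WHERE username = ? "
        "ORDER BY acctstarttime, radacctid LIMIT 1", (username,)).fetchone()
    return row[0] if row else None


def allowed_by_radcheck(db, username, nas_identifier):
    """Variant 1 (no NAS-Identifier in radacct): on the first logon, pin the
    user to the current AP by inserting a 'NAS-Identifier == <ap>' check
    item.  rlm_sql then compares that row against every later request; the
    comparison is modelled here so the function returns the decision."""
    pin = db.execute(
        "SELECT value FROM radcheck WHERE username = ? "
        "AND attribute = 'NAS-Identifier' AND op = '=='", (username,)).fetchone()
    if pin is not None:
        return pin[0] == nas_identifier
    seen_before = db.execute(
        "SELECT 1 FROM radacct WHERE username = ? LIMIT 1", (username,)).fetchone()
    if seen_before:
        return True  # history predates the script: nothing to pin to
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'NAS-Identifier', '==', ?)", (username, nas_identifier))
    db.commit()
    return True


def allowed_by_radacct(db, username, nas_identifier):
    """Variant 2 (nasidentifier stored in radacct): compare the request with
    the AP the user first accounted from; no radcheck rows are needed."""
    first = first_nas(db, username)
    return first is None or first == nas_identifier


def demo():
    """Walk one user through a first logon, an accounting start, and a
    second logon from the same and from a different AP (constructed data)."""
    db = open_db()
    out = {}
    out["first_logon"] = allowed_by_radcheck(db, "tuc", "ap-east")
    db.execute(
        "INSERT INTO radacct (username, nasidentifier, acctstarttime) "
        "VALUES ('tuc', 'ap-east', '2008-04-10 09:00:00')")
    out["same_ap"] = allowed_by_radcheck(db, "tuc", "ap-east")
    out["other_ap"] = allowed_by_radcheck(db, "tuc", "ap-west")
    out["radacct_same_ap"] = allowed_by_radacct(db, "tuc", "ap-east")
    out["radacct_other_ap"] = allowed_by_radacct(db, "tuc", "ap-west")
    out["radcheck_rows"] = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = 'tuc'").fetchall()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```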


Re: RFC 3576 support

2008-04-11 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 FreeRADIUS does not currently support 3575, it's on the development
 roadmap. When support is added to the server core it will only be for
 *proxying* CoA messages not generating them. You can generate your own
 CoA messages using the radius client bundled with the server distribution.

  I think it's possible to do both.  A goal of the project is to do
almost everything RADIUS related.  So generating & proxying CoA are
both on the roadmap.

  If someone is interested in it, there's always the possibility of
accelerating the time frame...

  Alan DeKok.


Re: Problem with proxy-radius function

2008-04-11 Thread Ivan Popov
What I can say ..
[EMAIL PROTECTED]:/var/log/radius# tcpdump -i eth0 host X.X.X.X
12:38:19.725549 IP aaa.copy.net.1094 > X.X.X.X.1646: RADIUS, Accounting Request 
(4), id: 0xca length: 387
12:38:19.725660 IP aaa.copy.net.1094 > X.X.X.X.1646: RADIUS, Accounting Request 
(4), id: 0xa8 length: 589
12:38:19.726122 IP aaa.copy.net.1094 > X.X.X.X.1646: RADIUS, Accounting Request 
(4), id: 0x26 length: 571
12:38:19.726298 IP aaa.copy.net.1094 > X.X.X.X.1646: RADIUS, Accounting Request 
(4), id: 0x82 length: 589
12:38:19.755292 IP X.X.X.X.1646 > aaa.copy.net.1094: RADIUS, Accounting 
Response (5), id: 0xca length: 24
12:38:19.755297 IP X.X.X.X.1646 > aaa.copy.net.1094: RADIUS, Accounting 
Response (5), id: 0xa8 length: 24
12:38:19.758275 IP X.X.X.X.1646 > aaa.copy.net.1094: RADIUS, Accounting 
Response (5), id: 0x82 length: 24
12:38:19.761917 X.X.X.X.1646 > aaa.copy.net.1094: RADIUS, Accounting Response 
(5), id: 0x26 length: 24
Looks like traffic goes between port 1094 (my side - different time different) 
and 1646.
Is it correct? I think it should be between port 1813 and 1646 ...
Is it because 
listen {
ipaddr = my.ip.addres
port = 0
type = acct
}
?
P.S.
On the website 
http://www.freeradius.org/getting.html
the link to the daily snapshot does not work.
ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/


- Original Message 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, April 11, 2008 12:23:10 PM
Subject: Re: Problem with proxy-radius function

banga wrote:
 AnyOne?
 
 Error: Rejecting request 20696 due to lack of any response from home server
 X.X.X.X port 1646
 Error: Ignoring request from unknown home server X.X.X.X port 1646  
 How I can fix that ?

  I think what's happening is that the home server is sending the
response from the wrong port.  You would have to show *more* of the
debug log to be sure.

  Alan DeKok.


Re: Problem with proxy-radius function

2008-04-11 Thread Alan DeKok
Ivan Popov wrote:
 What I can say ..
 [EMAIL PROTECTED]:/var/log/radius# tcpdump -i eth0 host X.X.X.X

  <sigh>  While this is interesting, you were asked for debugging output.

 Is it correct? I think it should be between port 1813 and 1646 ...

  The traffic looks OK.  There may be something else going wrong, and
the debug output may show it.

  Is it possible to run the server in debug mode?  If not, why?

  Alan DeKok.


Re: Problem with proxy-radius function

2008-04-11 Thread Ivan Popov
Hello, 
Debug is difficult because of the Segmentation Fault. 
I will try to rebuild radius (in the night) with the last patch that you already 
provided.
Is it something wrong with my configuration? 
I decided to disable all unused modules. Maybe I disabled something major?

[EMAIL PROTECTED] radiusd -X
FreeRADIUS Version 2.0.4, for host i686-pc-linux-gnu, built on Apr  7 2008 at 
10:36:05
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/postgresql/dialup.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 8192
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = no
 }
}
 client MAIN_NAS {
ipaddr = 192.168.101.1
netmask = 32
require_message_authenticator = no
secret = key
shortname = nas1
nastype = other
 }
 client jds {
ipaddr = 192.168.0.1
require_message_authenticator = no
secret = superkey
shortname = jds
nastype = other
 }
 client jds2 {
ipaddr = 192.168.0.2
require_message_authenticator = no
secret = superkey
shortname = jds2
nastype = other
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server jds1 {
ipaddr = 192.168.0.1
port = 1646
type = acct
secret = superkey
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = request
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
 }
 home_server jds2 {
ipaddr = 192.168.0.2
port = 1646
type = acct
secret = superkey
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = request
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
 }
 home_server_pool jds {
type = fail-over
home_server = jds1
home_server = jds2
 }
 realm domain.com {
acct_pool = jds
nostrip
 }
radiusd:  Instantiating modules 
 instantiate {
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = Calling-Station-Id, Acct-Session-Id, 3GPP2-Correlation-Id
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
driver = rlm_sql_postgresql
server = localhost
port = 
login = rad
password = ..
radius_db = radius
read_groups = yes
sqltrace = no
sqltracefile = /var/log/radius/sqltrace.sql
readclients = no
deletestalesessions = yes
num_sql_socks = 48
sql_user_name = %{User-Name}
default_user_profile = 
nas_query = SELECT id,nasname,shortname,type,secret FROM nas
authorize_check_query = 
authorize_reply_query = 
authorize_group_check_query = 
authorize_group_reply_query = 
accounting_onoff_query = 
accounting_update_query = 
accounting_update_query_alt = 
accounting_start_query = INSERT into radacct (AcctSessionId, 
AcctUniqueId, CallingStationId, AcctStartTime, AcctStopTime,   
superkeyActiveTime, 

Re: short question

2008-04-11 Thread Ivan Kalik
http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP


On 11/4/2008, Cristian Novac [EMAIL PROTECTED]
wrote:

Could someone tell me what effect the following line from the users
file has if matched:
DEFAULT Auth-Type = Local
and what's the difference between this line and this one:
DEFAULT Auth-Type := Local

Thank you!



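A small Python model of how the users-file check-item operators behave, covering both the "Cleartext-Password :=" versus "User-Password ==" point from the ttls/mschapV2 thread earlier in this digest and the "Auth-Type = Local" versus "Auth-Type := Local" question asked here. It is an added illustration following the semantics in users(5), not FreeRADIUS code; the users-file lines, the request and the pre-set Auth-Type are constructed.

```python
import shlex


def parse_users(text):
    """Parse the check-item part of users-file entries.

    Returns a list of (name, [(attribute, operator, value), ...]).  Indented
    continuation lines hold reply items, which this model does not use.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            continue  # reply items: not part of the matching decision
        parts = raw.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        items = []
        for item in filter(None, (s.strip() for s in rest.split(","))):
            attr, op, value = shlex.split(item)
            items.append((attr, op, value))
        entries.append((name, items))
    return entries


def apply_entry(items, request, config):
    """Evaluate one entry's check items against a request.

    Semantics from users(5):
      ==  compare with the request attribute; the entry fails if the value
          differs or is absent, and nothing is ever added to the config items
      :=  always matches; set the config item, overriding an earlier value
      =   always matches; set the config item only if none exists yet
    Returns (matched, config); config is left untouched on a failed match.
    """
    new_config = dict(config)
    for attr, op, value in items:
        if op == "==":
            if request.get(attr) != value:
                return False, config
        elif op == ":=":
            new_config[attr] = value
        elif op == "=":
            new_config.setdefault(attr, value)
        else:
            raise ValueError("operator %r not modelled here" % op)
    return True, new_config


def lookup(users_text, username, request, config):
    """Return (entry name, config) for the first entry, named for the user or
    DEFAULT, whose check items all match; (None, config) if none does."""
    for name, items in parse_users(users_text):
        if name not in (username, "DEFAULT"):
            continue
        matched, new_config = apply_entry(items, request, config)
        if matched:
            return name, new_config
    return None, dict(config)


def mschap_password_source(config):
    """rlm_mschap needs NT-Password, or Cleartext-Password to derive it from."""
    for attr in ("NT-Password", "Cleartext-Password"):
        if attr in config:
            return attr
    return None


# Constructed inputs.  A TTLS/MS-CHAPv2 inner request carries the challenge
# and response, never User-Password, and rlm_mschap has already set
# Auth-Type in authorize (the "Found Auth-Type mschap" line in the log).
MSCHAP_REQUEST = {"User-Name": "bob", "MS-CHAP-Challenge": "<challenge>",
                  "MS-CHAP2-Response": "<response>"}
MSCHAP_CONFIG = {"Auth-Type": "MS-CHAP"}

BROKEN_USERS = 'bob\tUser-Password == "s3cret"\n'      # what rlm_pap warns about
FIXED_USERS = 'bob\tCleartext-Password := "s3cret"\n'  # what the reply suggests


def demo():
    """Run the four cases discussed on the list and collect the outcomes."""
    results = {}
    _, cfg = lookup(BROKEN_USERS, "bob", MSCHAP_REQUEST, MSCHAP_CONFIG)
    results["broken"] = mschap_password_source(cfg)  # None: nothing for mschap
    _, cfg = lookup(FIXED_USERS, "bob", MSCHAP_REQUEST, MSCHAP_CONFIG)
    results["fixed"] = mschap_password_source(cfg)   # 'Cleartext-Password'
    _, cfg = lookup("DEFAULT\tAuth-Type = Local\n", "bob", MSCHAP_REQUEST, MSCHAP_CONFIG)
    results["set_if_absent"] = cfg["Auth-Type"]      # stays 'MS-CHAP'
    _, cfg = lookup("DEFAULT\tAuth-Type := Local\n", "bob", MSCHAP_REQUEST, MSCHAP_CONFIG)
    results["override"] = cfg["Auth-Type"]           # forced to 'Local'
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-14s %s" % (case, outcome))
```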


Re: Freeradius 2.0.3 crashing when in proxy mode Segmentation fault.

2008-04-11 Thread Alan DeKok
Vikash Badal wrote:
 Once I set up the server to proxy, the following issue occurred. 
...
 Thu Apr 10 06:49:06 2008 : Error: Rejecting request 31 due to lack of
 any response from home server 196.26.56.8 port 1646
 Thu Apr 10 06:49:06 2008 : Debug: Finished request 31.
 Thu Apr 10 06:49:06 2008 : Debug: Cleaning up request 31 ID 169 with
 timestamp +442
 
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x28401100 (LWP 100207)]

  Grab the latest CVS.  I've added a fix.  This issue happens only in
debugging mode, so it shouldn't affect a normally running server.

  Alan DeKok.


Re: Problem with proxy-radius function

2008-04-11 Thread A . L . M . Buxey
Hi,

 P.S.
 On the website 
 http://www.freeradius.org/getting.html
 the link to the daily snapshot does not work.
 ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/

just grab the CVS directly as per the info on 

http://www.freeradius.org/download.html


then it won't be as stale - the FTP snapshots may be
up to 24 hours old - and therefore older than the
'i just fixed it' emails.

alan


Re: RFC 3576 support

2008-04-11 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:
  

Ok just the asynchronous nature of CoA requests...  It's not really the
server's job to process feedback from the various SNMP probes, IDSs, or
track changes in the authorisation of users or their equipment.



  Yes.  That's what proxying is for.

  

I guess I can see very few usage cases for CoA where the server will
actually make the decision to send a CoA request on its own, so why not
just use the client or client libraries?



  if user uses more than 2G of bandwidth, then kick them off.  This is a
valid decision for a server to make.
  

(that was one of the very few)

  Forking an external program means that it's independent of the server
core, and is more difficult to integrate with SQL, etc.

  
It's useful knowing the secrets for the NAS you want to send a CoA 
request to. In which case, if you are going to include CoA generation, 
it would be good to have a way of signalling the server to generate a 
CoA request.


In our implementation we're not looking to trigger CoA as a result of 
anything available in the RADIUS protocol, but instead from data 
received from the aforementioned probes and systems.

How were you thinking of triggering CoA events? Didn't you say there
were issues with an instance of the server being both a CoA proxy and a
CoA generator ?



  Yes.  If you're going to proxy CoA requests, there's no need to
*generate* a CoA request for the one you're proxying.
  
Ok take eduroam for example. A change in user authorisation at their 
home site may result in the generation of a CoA request for the user to 
be disconnected at the remote site; this would be proxied by the remote 
site's RADIUS server. That same server may also wish to generate its own 
CoA request for the same user, because a local IDS system / traffic 
analysis probe has detected a bot net etc. running on their equipment.


Thus you have CoA requests being proxied, and CoA requests being 
generated, both going to the same NAS. If that's not the kind of 
conflict you were talking about...?

  On the other hand, if you're receiving an accounting request, it may
make sense to generate a CoA request.

  

Have to wait for vendor support *grumble*.

Let me know when you get your trapeze kit so we can compare notes :)



  Will do.

  Alan DeKok.
  



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: RFC 3576 support

2008-04-11 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Ok take eduroam for example. A change in user authorisation at their
 home site may result in the generation of a CoA request for the user to
 be disconnected at the remote site; this would be proxied by the remote
 site's RADIUS server. That same server may also wish to generate its own
 CoA request for the same user, because a local IDS system / traffic
 analysis probe has detected a bot net etc. running on their equipment.

  Not at the same time.  The packets will be ordered, e.g. CoA by local
server because of botnet, to put them into a quarantine VLAN.  Then, a
CoA from the remote server, saying that they've just been fired, and
they should be disconnected.

  If it's the other way around, the local system proxies the disconnect
request.  There's no need to put them into a quarantine vlan, because
they've been disconnected.

  The requests *may* rarely happen at about the same time.  But that's
for the NAS to figure out.  It's possible for the NAS to disconnect the
user, ACK that, and then send a NAK to the CoA request, because the user
has been disconnected.

  You might need logic on the server to handle these corner cases, but
it's really not much different than out of order accounting packets, for
example.

  Alan DeKok.


How to delete an attribute

2008-04-11 Thread Mikhail Novikov
Hello!

How can I delete an attribute in a request via unlang code?

Michael


Re: How to delete an attribute

2008-04-11 Thread Alan DeKok
Mikhail Novikov wrote:
 Hello!
 
 How can I delete an attribute in a request via unlang code?

$ man unlang

  Look for remove

  Alan DeKok.


rlm_ldap error

2008-04-11 Thread Jean Frontin

Hello,

I want to receive the carLicense value as Reply-Message.  When I debug a 
radiusd session I can see the error mentioned below (line marked by a 
star).  Have you an idea how to eliminate this?


 rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
 rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
 rlm_ldap: LDAP carLicense mapped to RADIUS $GENERIC$
 rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
  ...
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
* rlm_ldap: parsing carLicense failed: big brother is watching you

Regards

--
Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 9
France
tel (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]



Re: rlm_ldap error

2008-04-11 Thread Ivan Kalik
Remove this:

  rlm_ldap: LDAP carLicense mapped to RADIUS $GENERIC$

and add it as a replyItem mapping for Reply-Message.

Ivan Kalik
Kalik Informatika ISP



Re: Ldap-UserDn not set correctly in 2.0.3

2008-04-11 Thread Jason Alderfer
It appears that the LDAP module in 2.0.3 is not setting the Ldap-UserDn in
a way that is available for further analysis.  The problem shows up when
using edir_account_policy_check = yes and also when evaluating
Ldap-UserDn with unlang or from other modules as described below in my
previous post.

Does anyone have insight into this problem?

Jason


 I'm testing upgrading from 1.1.7 to 2.0.3 and have run into a problem with
 the LDAP module.  The problem appears in 2 places.  First, I'm using the
 --with-edir option so I have

 password_attribute = nspmPassword

 and

 edir_account_policy_check = yes

 set.  However, in 2.0.3, when I set edir_account_policy_check = yes, I
 get this error:

 +- entering group post-auth
 rlm_ldap: User's FQDN not in config items list.
 ++[ldap] returns fail
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE

 If I don't set edir_account_policy_check, then authentication is
 successful, but the second problem shows up.  A little background:

 In 1.1.7 I'm setting VLANs via the 'users' file like this:

 DEFAULT Ldap-UserDn =~ "ou=is,ou=n,o=emu"
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-Id = 3

 and I've tried this in 2.0.3, but I've also tried unlang

 if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i) {
 update reply {
 Tunnel-Type := VLAN
 Tunnel-Medium-Type := IEEE-802
 Tunnel-Private-Group-Id := 3
 }
 }

 Neither of these work in 2.0.3.  The VLAN does not get set.  Files returns
 noop, and unlang shows in debug output

 ++? if (Ldap-UserDn =~ /ou=is,ou=n,o=emu/i)
 (Attribute Ldap-UserDn was not found)


 I did some digging and I think I know why this is.  In rlm_ldap.c
 beginning at line 1306 is

 /*
  * Adding new attribute containing DN for LDAP object associated with
  * given username
  */
 pairadd(check_pairs, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));

 However, in 1.1.7 the code is

 pairadd(request->packet->vps, pairmake("Ldap-UserDn", user_dn, T_OP_EQ));

 If I add this line to 2.0.3 just after the existing pairadd line and
 recompile, then everything just works -- edir policy check works and I can
 set VLANs using files module or unlang.

 Is this a bug in 2.0.3 or am I missing something in my new config file
 that would make the Ldap-UserDn available?

 Jason



Re: FR 2.0.3 gives duplicate NULL realm error

2008-04-11 Thread John Horne

On Tue, 2008-04-08 at 10:14 +0100, John Horne wrote:
 On Tue, 2008-04-08 at 08:18 +0200, Alan DeKok wrote:
  John Horne wrote:
   It seems that radiusd doesn't like the NULL realm after the DEFAULT. I
   swapped these two around, and radiusd started up fine.
  
   I can start up the server fine with those realms, in any order.
  
 Yes, with 2.0.2 I had the NULL realm in proxy.conf last. However, with
 2.0.3 I have swapped these around a couple of times now, and it always
 fails (duplicate realm error) if the NULL realm is last and the DEFAULT
 realm is present. If I comment out the DEFAULT realm, although the NULL
 realm is still last, then radiusd starts up. So it seems to be an
 interaction between both the DEFAULT and NULL realms being present.
 
Okay, I've looked into this a bit further. The Changelog shows that a
change to realms (the 'realm_find' function in realms.c) was made in FR
2.0.2 (which explains why my FR 2.0.1 worked):

* Fall back to DEFAULT realm if no realm was found.
  Based on a patch from Vincent Magnin.

I found a copy of the patch, and removed it from the 2.0.3 source code.
Starting radiusd then worked regardless of what order the DEFAULT/NULL
realms were in.

The NULL realm is configured as:

   realm NULL {
   auth_pool = local_proxies
   }

If I comment out the 'auth_pool' line, then radiusd starts up (having
put the above patch back in). However, from the code (realms.c, line
1174 onwards) this is probably due to FR treating the NULL realm as an
old-style realm and, hence, allowing it.

I am at this point now stuck. The 'duplicate realm' message occurs
because of the result of 'realm_find' for the NULL realm. However,
realm_find (in realms.c at line 1323) shows:

===
   REALM *realm_find(const char *name)
   {
   REALM myrealm;
   REALM *realm;

   if (!name) name = "NULL";

   myrealm.name = name;
   realm = rbtree_finddata(realms_byname, &myrealm);
   if (realm) return realm;

   /*
    *  Couldn't find a realm.  Look for DEFAULT.
    */
   myrealm.name = "DEFAULT";
   return rbtree_finddata(realms_byname, &myrealm);
   }
===

For some reason the NULL realm is not being found (using
rbtree_finddata), and so it then looks for the DEFAULT realm. But we
have already seen the DEFAULT realm.

If I change the code to look for the 'myrealm.name = "DEFAULTx"' realm,
then radiusd starts up okay (or rather there is no error message; it is
possible though that radiusd now thinks it has no NULL realm configured,
although 'radiusd -XC' indicates that it has seen it).

I am not sure that the above code ('realm_find') is correct though. It
changes 'myrealm.name' to DEFAULT, and then returns the
pointer/structure (I assume) of the DEFAULT realm. However, this was
called from line 1174 which is expecting the NULL realm (and has 'name2'
set to that). I don't think just looking for the DEFAULT realm is
enough, it needs to change other variables such as 'name2'. (I may be
completely wrong about all this though!)

If I change the NULL realm in proxy.conf to:

 realm NULL {
 #   auth_pool = local_proxies
 authhost = localhost
 }

I then get from radiusd:

realm NULL {
/etc/raddb/proxy.conf[107]: No shared secret supplied for realm:
DEFAULT
} # realm NULL

Which seems to indicate that the DEFAULT and NULL realms are indeed
getting mixed up. The 'DEFAULT' name in the error message comes from the
'r' structure (which it got from within 'realm_find' when it couldn't
find the NULL realm); the 'NULL' parts come from the variable 'name2'.


This is as far as I have got. The 'rbtree_finddata' code (in
src/lib/rbtree.c, line 494) starts to get a bit too convoluted for me,
but as to why the NULL realm is not found seems to be the root of the
'duplicate realm' error.


Regards,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839


Re: Problem with proxy-radius function

2008-04-11 Thread Alan DeKok
Ivan Popov wrote:
 Debug is difficult because of Segmentation Fault.

  doc/bugs

 Is it something wrong with my configuration?
 I decided to disable all unused modules. Maybe I disabled something major?

  I don't think so.  This should work, and it works in my tests.

  Alan DeKok.


Re: Stale Sessions

2008-04-11 Thread A . L . M . Buxey
Hi,
 No one has any ideas or suggestions? If I can solve this issue I will
 have a 'perfect' freeradius installation. And FYI I upgraded my server
 to a dual core 2GB of RAM and still the same issue resides.

radutmp issues? what are you using to make sessions unique? perhaps
they are not unique enough.  also, some NASs do have issues
with sending this sort of thing properly.  most posts
on this topic have, historically, stated that if you have
a session time-out of e.g. 1 hour, then just run a script which
will close any session that has not been updated for at least
an hour - because, logically, that session is now dead
and gone.

alan


postgres accounting schema

2008-04-11 Thread A . L . M . Buxey
hi,

I wonder how many of you have needed to change the
postgres schema for the radacct table - the default
value of VARCHAR(32) for the AcctSessionId seems
to be very low - our user-names are often that long
by themselves! (domain and full path when using
machine auth for example)  I've submitted a patch
via the bugs system to put this up to something
safer. perhaps it's time that we all peer through the
current supplied values and what we are each using
after we've fixed things?  If others can start with
sane values (no matter if it's MySQL, PostgreSQL,
Oracle etc) then that can only be a good thing for
our community.  There was also talk about certain
indexes and procedures recently. 

alan


NAS sql

2008-04-11 Thread A . L . M . Buxey
hi,

any reason why the NAS schema is not part of the
database schema?  nas.sql and schema.sql rather
than just schema.sql?   

alan


RE: Stale Sessions

2008-04-11 Thread Shane McKinley
Thanks for the reply. However, these are Internet customers coming from
DSL or Dial up. I assume the Cisco and portmasters are sending unique
session IDs.

I will try creating a session timeout of 2 days, then create a script
for updating the accounting stop time.

Thanks all. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 11, 2008 12:40 PM
To: FreeRadius users mailing list
Subject: Re: Stale Sessions

Hi,
 No one has any ideas or suggestions? If I can solve this issue I will 
 have a 'perfect' freeradius installation. And FYI I upgraded my server

 to a dual core 2GB of RAM and still the same issue resides.

radutmp issues? what are you using to make sessions unique? perhaps they
are not unique enough.  also, some NASs do have issues with sending this
sort of thing properly.  most posts on this topic have, historically,
stated that if you have a session time-out of e.g. 1 hour, then just run a
script which will close any session that has not been updated for at
least an hour - because, logically, that session is now dead and gone.

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
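
The "close any session that has not been updated" script alan describes above and Shane plans to write, as an added example: this is not code from the thread or from FreeRADIUS. It assumes SQL accounting with the column names of the default FreeRADIUS radacct schema (acctsessionid, acctstarttime, acctsessiontime, acctstoptime, acctterminatecause) and treats acctstarttime plus acctsessiontime, which Interim-Update records refresh, as the time a session was last heard from. The table, its rows and the 'Stale-Session' terminate cause are constructed, and an in-memory SQLite database stands in for the real one so it runs offline.

```python
"""Close stale accounting sessions in a radacct-style table.

Added example for the 'Stale Sessions' thread; not code from the list or
from FreeRADIUS. Assumes SQL accounting with the default FreeRADIUS
column names and uses an in-memory SQLite database with constructed rows.
"""
import sqlite3
from datetime import datetime, timedelta

# Reference time for the constructed data (a cron job would use
# datetime.now() instead).
NOW = datetime(2008, 4, 11, 12, 0, 0)

# Constructed open sessions: (acctsessionid, username, nasipaddress,
# acctstarttime, acctsessiontime). All have acctstoptime NULL, i.e. the
# server never received an Accounting-Stop for them.
SAMPLE_ROWS = [
    # Interim-Update 10 minutes ago: still live.
    ("0001", "alice", "192.0.2.10", NOW - timedelta(hours=3), 3 * 3600 - 600),
    # Last Interim-Update almost three days ago: dead and gone.
    ("0002", "bob", "192.0.2.10", NOW - timedelta(days=3), 1800),
    # Started 30 hours ago and never updated: dead and gone.
    ("0003", "carol", "192.0.2.11", NOW - timedelta(hours=30), 0),
]

SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      TEXT,
    acctsessiontime    INTEGER,
    acctstoptime       TEXT,
    acctterminatecause TEXT
)
"""


def open_sample_db():
    """Create the radacct table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress,"
        " acctstarttime, acctsessiontime) VALUES (?, ?, ?, ?, ?)",
        [(sid, user, nas, start.isoformat(" "), secs)
         for sid, user, nas, start, secs in SAMPLE_ROWS],
    )
    conn.commit()
    return conn


def last_heard(acctstarttime, acctsessiontime):
    """Best 'last update' estimate the stock schema offers: the start time
    plus the session time reported by the most recent Interim-Update."""
    return (datetime.fromisoformat(acctstarttime)
            + timedelta(seconds=acctsessiontime or 0))


def find_stale_sessions(conn, now, timeout_seconds):
    """Ids of sessions still open but silent for longer than the timeout."""
    cur = conn.execute(
        "SELECT acctsessionid, acctstarttime, acctsessiontime FROM radacct"
        " WHERE acctstoptime IS NULL ORDER BY radacctid")
    limit = timedelta(seconds=timeout_seconds)
    return [sid for sid, start, secs in cur
            if now - last_heard(start, secs) > limit]


def close_stale_sessions(conn, now, timeout_seconds, cause="Stale-Session"):
    """Stamp a stop time and a recognisable terminate cause on stale rows.

    Returns the ids that were closed. The cause string is a constructed
    marker so these rows can be told apart from real Accounting-Stops.
    """
    stale = find_stale_sessions(conn, now, timeout_seconds)
    conn.executemany(
        "UPDATE radacct SET acctstoptime = ?, acctterminatecause = ?"
        " WHERE acctsessionid = ? AND acctstoptime IS NULL",
        [(now.isoformat(" "), cause, sid) for sid in stale],
    )
    conn.commit()
    return stale


def open_session_count(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL").fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print("closed:", close_stale_sessions(db, NOW, 3600))   # ['0002', '0003']
    print("still open:", open_session_count(db))            # 1
```

Run from cron at roughly the session timeout interval. With a one hour timeout it closes the two sessions nobody has reported on for over an hour and leaves the one with a recent Interim-Update alone; with the two day timeout Shane mentions only bob's session goes. Writing a distinct terminate cause keeps the script's closures distinguishable from real Accounting-Stop records when radacct is read later.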


The password is required once

2008-04-11 Thread Eduardo Cavalcanti

I'm using PEAP-Mschapv2 authentication with freeradius.
When a client wants to authenticate for the first time, Windows asks for 
the credentials, where you must put your user name and password.
When this client wants to authenticate for the second time, Windows 
doesn't ask for his credentials (user name and password) again.


How can I obligate Windows to ask for the client credentials before every 
authentication?



Re: NAS sql

2008-04-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 any reason why the NAS schema is not part of the
 database schema?  nas.sql and schema.sql rather
 than just schema.sql?   

  The schema.sql file is for the normal dialup/ISP/policy management.
 The IP pool, NAS, etc. schemas are all in separate files.

  Alan DeKok.


Re: The password is required once

2008-04-11 Thread A . L . M . Buxey
Hi,
 I'm using PEAP-Mschapv2 authentication with freeradius.
 When a client wants to authenticate for the first time, Windows asks for 
 the credentials, where you must put your user name and password.
 When this client wants to authenticate for the second time, Windows doesn't 
 ask for his credentials (user name and password) again.

 How can I obligate Windows to ask for the client credentials before every 
 authentication?

Windows caches this stuff. to get it to forget, you need to remove
that information.


REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]



alan


Re: NAS sql

2008-04-11 Thread A . L . M . Buxey
Hi,

   The schema.sql file is for the normal dialup/ISP/policy management.
  The IP pool, NAS, etc. schemas are all in separate files.

ah! would it be best to have them in one and get people
to drop the tables they don't want?

alan


Re: NAS sql

2008-04-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 ah! would it be best to have them in one and get people
 to drop the tables they don't want?

  I don't think so.  It may be easier to have an SQL bootstrap script
that creates the appropriate tables, based on a couple of questions.

  Alan DeKok.


PEAP/MS-CHAPv2 authentication to active directory

2008-04-11 Thread Mitchell, Mark
Hello,

I'm trying to get 802.1x authentication going using PEAP/MS-CHAPv2 but can't 
quite get it going (I think I'm pretty close though) so I'm hoping someone 
here can take a look at my debug output below and perhaps offer some helpful 
advice. Here's the specifics:  Ubuntu 7.10, freeRADIUS 1.1.7, Samba 3.0.  Note 
that there are calls to a freeNAC perl module called check_mac that performs 
mac-auth-bypass vlan assignment for non-802.1x compliant devices.

I've followed the freeNAC instructions and tried some slight variations that 
I've found posted elsewhere but still not getting it. I've gotten to the point 
where I can issue the ntlm_auth command manually and authenticate to AD so 
Samba, Winbind, and Kerberos seem to be OK. When I attempt to get freeRADIUS to 
do the ntlm_auth for me as described in the freeNAC docs and other web 
resources like deployingradius.com and the freeradius wiki, I keep getting 
logon failures. See attached radius debug output below. I'm just attaching the 
last part of the debug because for one it's quite large and two, it seems to be 
going well up to a certain point. My EAP-TLS tunnel appears to be getting set up 
fine but it just acts as if my password is wrong. I'm using a Windows XP SP2 
client with a recent PEAP patch added and have tried entering 
username/password/domain both manually and automatically. I am not validating 
the server cert at this point. Following is the end of the radius debug:

.
.
.
rad_recv: Access-Request packet from host 111.111.28.101:1645, id=245, 
length=264
User-Name = SANDIA\\mgmitch
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-05-74-43-BD-3F
Calling-Station-Id = 00-0A-E4-23-CD-16
EAP-Message = 
0x020800601900170301005590558ffa6f1d6b8a4bad64a0b8958aa4c140f2c145163dc92ee5b73ae341713f0466627a1454f0ad3f787b9ab756c8e07050b693f28f17f721c200525f544119a36d2d30e31ae5db2f44f8636bdc03c4f71a422436
Message-Authenticator = 0xb7b52cd2660e4b2695c96dc035368275
Cisco-NAS-Port = GigabitEthernet1/4
NAS-Port = 50104
NAS-Port-Type = Ethernet
State = 0x5a5253d83424d1e321022fa6ebfd1ece
NAS-IP-Address = 111.111.28.101
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
perl_pool: item 0x8062e8a0 asigned new request. Handled so far: 3
found interpetator at address 0x8062e8a0
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x8062e8a0
modcall[authorize]: module check_mac returns ok for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = SANDIA\mgmitch, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 8 length 96
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 
0x020800491a020800443191a4d2d65459406cb3e67baa8f903a12fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
PEAP: Setting User-Name to SANDIA\mgmitch
PEAP: Adding old state with 56 ed
PEAP: Sending tunneled request
EAP-Message = 
0x020800491a020800443191a4d2d65459406cb3e67baa8f903a12fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = SANDIA\\mgmitch
State = 0x56ed3aacd660b70c9a6a4fde3b0858f9
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
perl_pool: item 0x809a4090 asigned new request. Handled so far: 3
found interpetator at address 0x809a4090
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x809a4090
modcall[authorize]: module check_mac returns ok for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = SANDIA\mgmitch, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 8 length 73
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6

Re: NAS list update without restarting radius server.

2008-04-11 Thread Tuc at T-B-O-H.NET
Hi,

I had actually kept this email in my queue to implement
someday. Today is someday. But I have a question. 

The config file contains IP addresses, which the nas.sql
doesn't. How do I sync up the format of the clients.conf with
the nas.sql?

client nas_shortname {
ipaddr = ??
(or)
ipv6addr = 
netmask = 
secret = nas_secret
require_message_authenticator = 
shortname = nas_shortname
nastype = nas_type
virtual_server = 
}

Thanks, Tuc
 
 Hi,
 
 in sql.conf it says:
 
 Set readclients to 'yes' to read radius clients from the database  
 ('nas' table)
 Clients will ONLY be read on server startup.  For performance
 and security reasons, finding clients via SQL queries CANNOT
 be done live while the server is running.
 
 Best,
 Walter
 
 
 Am 22.01.2008 um 19:30 schrieb Pawel Cieplinski:
 
  Hi there
 
 
 
  Everything works fine so far, but after adding a new NAS to the DB,  
  the radius server needs a restart to read this data. I am trying to  
  manipulate the nas list without restarting freeradius, but due to lack  
  of documentation could you help me with that please.
 
 
 
  Pawel Cieplinski
 



Re: NAS list update without restarting radius server.

2008-04-11 Thread Ivan Kalik
IP address (or DNS name) goes into nasname field.

Ivan Kalik
Kalik Informatika ISP


On 11/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

Hi,

   I had actually kept this email in my queue to implement
someday. Today is someday. But I have a question.

   The config file contains IP addresses, which the nas.sql
doesn't. How do I sync up the format of the clients.conf with
the nas.sql?

client nas_shortname {
   ipaddr = ??
   (or)
   ipv6addr = 
   netmask = 
   secret = nas_secret
   require_message_authenticator = 
   shortname = nas_shortname
   nastype = nas_type
   virtual_server = 
}

   Thanks, Tuc

 Hi,

 in sql.conf it says:

 Set readclients to 'yes' to read radius clients from the database
 ('nas' table)
 Clients will ONLY be read on server startup.  For performance
 and security reasons, finding clients via SQL queries CANNOT
 be done live while the server is running.

 Best,
 Walter


 Am 22.01.2008 um 19:30 schrieb Pawel Cieplinski:

  Hi there
 
 
 
  Everything works fine so far, but after adding a new NAS to the DB,
  the radius server needs a restart to read this data. I am trying to
  manipulate the nas list without restarting freeradius, but due to lack
  of documentation could you help me with that please.
 
 
 
  Pawel Cieplinski
 



Re: Restrict to initial NAS used to logon

2008-04-11 Thread Tuc at T-B-O-H.NET
Hi,

I will have to consider the NAS-Identifier replacing NAS-IP-Address.
This is not for our use, this is at a customer site. I'm leery about using
a field for something other than its intention (or adding a field that is
unexpected) due to the possibility of them installing a package later on
that has certain expectations of the data being a certain way. 

I later realized that SOMETHING would need to be set in the
radcheck, but was hoping for it to be a bit self contained. I
see things like the Simultaneous use, and the ability to check max
access-period, and was hoping I could somehow tell the system
to SELECT the nasname (if that field existed) from radacct, and
compare against the current nasname from the record. If there was
no current, go ahead. If there was a current, if it matched go
ahead. Maybe even something with the COUNT of unique nasname,
and if it was 0, it's ok. If it's 1, better match the current one.
 
 NAS-Identifier is not stored in radacct by default. But you can add it to
 or replace NAS-IP-Address with it in the radacct table and accounting
 queries.
 
 radacct is used for - accounting. You need to put a NAS-Identifier check in
 radcheck to stop users from connecting from other APs. You can run a script
 at logon to insert it or run an outside script at certain intervals that
 will set it up for you. Anyway you need to:
 
 - check radacct if user has logged on before
 - if not insert NAS-Identifier check into radcheck table with the value
 of the current request
 
 If you add NAS-Identifier field into radacct table you don't need to add
 anything into radcheck. Just run a script at logon that will:
 
 - check radacct to see if user had logged on before
 - if he had, check that value of NAS-Identifier in the request matches the
 one in radacct table

I was trying to avoid as much outside stuff as possible. I guess I
could perl it if it means that much to me. I was just hoping after seeing
some of the sqlcounter stuff, if there was some way to accomplish it 
that way.

Thanks, Tuc 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 
 On 10/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
 
Is anyone doing anything like this already?
 
They usually use equipment that sends a NAS identifier.
 
 Hi,
 
  Sorry for a second followup, but I just looked over
 the radacct file and don't see anywhere that NAS-Identifier would
 be stored. Or are you saying that I need to still use the
 %{NAS-Identifier} in some sort of check-name?
 
  Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
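
One way to implement the "script at logon" Ivan describes in the quoted reply, as an added example; this is not code from the thread or from FreeRADIUS. It assumes radacct and radcheck tables with the default FreeRADIUS column names plus a nasidentifier column added to radacct (the thread's idea of storing NAS-Identifier alongside NAS-IP-Address). The users, the hotspot names in the style of SBC-1427 and the accounting history are constructed, and an in-memory SQLite database stands in for the real one so it runs offline.

```python
"""Pin each user to the NAS they first logged on from, via radcheck.

Added example for the 'Restrict to initial NAS used to logon' thread;
not code from the list or from FreeRADIUS. Assumes radacct and radcheck
with the default FreeRADIUS column names plus an extra nasidentifier
column in radacct, and uses an in-memory SQLite database with
constructed rows.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY,
    username      TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    nasidentifier TEXT,         -- assumed extra column, not in the stock schema
    acctstarttime TEXT
);
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
"""

# Constructed history: alice has already used hotspot SBC-1427; nobody
# else has logged on yet, and radcheck is empty.
SAMPLE_ACCT = [
    ("alice", "192.0.2.10", "SBC-1427", "2008-04-10 09:00:00"),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (username, nasipaddress, nasidentifier,"
        " acctstarttime) VALUES (?, ?, ?, ?)", SAMPLE_ACCT)
    conn.commit()
    return conn


def record_logon(conn, username, nas_ip, nas_identifier, when):
    """Stand-in for the Accounting-Start row the NAS would produce."""
    conn.execute(
        "INSERT INTO radacct (username, nasipaddress, nasidentifier,"
        " acctstarttime) VALUES (?, ?, ?, ?)",
        (username, nas_ip, nas_identifier, when))
    conn.commit()


def first_nas(conn, username):
    """NAS-Identifier from the user's earliest accounting record, or None."""
    row = conn.execute(
        "SELECT nasidentifier FROM radacct WHERE username = ?"
        " ORDER BY acctstarttime, radacctid LIMIT 1", (username,)).fetchone()
    return row[0] if row else None


def has_check(conn, username, attribute):
    return conn.execute(
        "SELECT 1 FROM radcheck WHERE username = ? AND attribute = ?",
        (username, attribute)).fetchone() is not None


def add_nas_check(conn, username, nas_identifier):
    """Insert the 'NAS-Identifier == <nas>' check item that the sql module
    evaluates on every later Access-Request for this user."""
    conn.execute(
        "INSERT INTO radcheck (username, attribute, op, value)"
        " VALUES (?, 'NAS-Identifier', '==', ?)", (username, nas_identifier))
    conn.commit()


def pin_user_to_nas(conn, username, nas_identifier):
    """Logon hook: returns (allowed, pinned_nas).

    First logon: pin the user to the NAS serving this request and insert
    the check item (an existing check item is left alone; the sql module
    enforces it anyway). Later logons: allowed only from that same NAS.
    """
    earlier = first_nas(conn, username)
    if earlier is None:
        if not has_check(conn, username, "NAS-Identifier"):
            add_nas_check(conn, username, nas_identifier)
        return True, nas_identifier
    return earlier == nas_identifier, earlier


def backfill_pins(conn):
    """Interval variant: add a check item for every user already in
    radacct who has none yet. Returns the number of users pinned."""
    pinned = 0
    users = conn.execute(
        "SELECT DISTINCT username FROM radacct ORDER BY username").fetchall()
    for (username,) in users:
        nas = first_nas(conn, username)
        if nas is not None and not has_check(conn, username, "NAS-Identifier"):
            add_nas_check(conn, username, nas)
            pinned += 1
    return pinned


if __name__ == "__main__":
    db = open_sample_db()
    print(pin_user_to_nas(db, "bob", "SBC-2000"))    # (True, 'SBC-2000')
    record_logon(db, "bob", "192.0.2.20", "SBC-2000", "2008-04-11 10:00:00")
    print(pin_user_to_nas(db, "bob", "SBC-3000"))    # (False, 'SBC-2000')
    print(backfill_pins(db))                         # 1 (alice)
```

The radcheck row is what does the real work: once it exists the server's own sql module rejects a request from any other NAS without any outside script running, which is the self-contained behaviour Tuc is after. backfill_pins() is the "outside script at certain intervals" variant for users who already have accounting history.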

Re: NAS list update without restarting radius server.

2008-04-11 Thread Tuc at T-B-O-H.NET
Hi,

If I choose DNS name, and I don't fully qualify it, 
does it follow the standard BIND rules of using the domain
setting, or going down the search path?

Reason I'm trying to avoid the IP or the FQDN is that
I was hoping to use the nasname along with the secret in
the UAM program I'm using for a Secret per NAS situation.
The hotspots are already using just a nasname currently (Which
is just something like SBC-1427). (Then again, getting the
client to put all the NAS into DNS is going to be a tough
sell too)

Thanks, Tuc
 
 IP address (or DNS name) goes into nasname field.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 11/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
 
 Hi,
 
  I had actually kept this email in my queue to implement
 someday. Today is someday. But I have a question.
 
  The config file contains IP addresses, which the nas.sql
 doesn't. How do I sync up the format of the clients.conf with
 the nas.sql?
 
 client nas_shortname {
  ipaddr = ??
  (or)
  ipv6addr = 
  netmask = 
  secret = nas_secret
  require_message_authenticator = 
  shortname = nas_shortname
  nastype = nas_type
  virtual_server = 
 }
 
  Thanks, Tuc
 
  Hi,
 
  in sql.conf it says:
 
  Set readclients to 'yes' to read radius clients from the database
  ('nas' table)
  Clients will ONLY be read on server startup.  For performance
  and security reasons, finding clients via SQL queries CANNOT
  be done live while the server is running.
 
  Best,
  Walter
 
 
  Am 22.01.2008 um 19:30 schrieb Pawel Cieplinski:
 
   Hi there
  
  
  
   Everything works fine so far, but after adding a new NAS to the DB,
   the radius server needs a restart to read this data. I am trying to
   manipulate the nas list without restarting freeradius, but due to lack
   of documentation could you help me with that please.
  
  
  
   Pawel Cieplinski
