Re: '/usr/local/lib/rlm_* is not an ELF file' ERROR
Sorry, all works. I fixed it: Auth-Type := System instead of Auth-Type := Local

But I still have errors:

    radiusd: '/usr/local/lib/rlm_unix.a' is not an ELF file

:(

Thanks!

> When I try to authorize local user via system passwd file I get Auth-Reject
> packet. radius says:
> modcall: group authorize returns ok
> rad_check_password: Found auth-type Local
> auth: type Local
> auth: Failed to validate the user.
> user declared in /etc/raddb/users as:
> DEFAULT Auth-Type := Local
> Service-Type = Framed-User,
> Ascend-Assign-IP-Pool = 1,
> Framed-Protocol = PPP,
> Framed-MTU = 576

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
'/usr/local/lib/rlm_* is not an ELF file' ERROR
When I try to authorize a local user via the system passwd file I get an Auth-Reject packet. radius says:

    modcall: group authorize returns ok
    rad_check_password: Found auth-type Local
    auth: type Local
    auth: Failed to validate the user.

The user is declared in /etc/raddb/users as:

    DEFAULT Auth-Type := Local
            Service-Type = Framed-User,
            Ascend-Assign-IP-Pool = 1,
            Framed-Protocol = PPP,
            Framed-MTU = 576

Whenever I run my freeradius, I have errors:

    radiusd: '/usr/local/lib/rlm_unix.a' is not an ELF file
    radiusd: '/usr/local/lib/rlm_preprocess.a' is not an ELF file
    radiusd: '/usr/local/lib/rlm_realm.a' is not an ELF file
    radiusd: '/usr/local/lib/rlm_files.a' is not an ELF file
    radiusd: '/usr/local/lib/rlm_detail.a' is not an ELF file
    radiusd: '/usr/local/lib/rlm_radutmp.a' is not an ELF file

Is it possible that the "'rlm_unix.a' is not an ELF file" error is the cause of my failures?

Compiled after:

    ./configure --sysconfdir=/etc --localstatedir=/var --with-threads=no

I have a 2.0.36 Linux box with gnulibc1 as system library.

    ar: supported targets: elf32-i386 a.out-i386-linux coff-i386 elf32-m68k coff-m68k ieee a.out-m68k-linux a.out-sunos-big elf32-sparc srec symbolsrec tekhex binary ihex trad-core

Thanks!
Mike.
Re: Freeradius-0.2 on FreeBSD 4.3
Hi

You mean radius server to its client, it's OK. But user to radius client, it goes clear text. So therefore why giving information on your server to others.

chami

[EMAIL PROTECTED] wrote:

> chami <[EMAIL PROTECTED]> wrote:
> > And it is recommend to use Auth-Type = Local rather than
> > System. because radius send it's data in a clear text.
>
> No, it doesn't. Please read the RFC's.
>
> > In that case someone can hack your system easily. And try using
> > DEFAULT values in $INCLUDE users.slip file.
>
> My personal recommendation is to use Auth-Type := System, and to use
> PAP authentication on the NAS. CHAP is mostly a waste of time.
>
> Alan DeKok.
Re: FreeRadius and /etc/shells
>> I'm not able to find explicit documentation that the password attribute
>> must be on the first line. The examples all do it that way, but there
>> wasn't anything I could find that explicitly said that was required.
>
> 'man users' explains this, but it doesn't specifically mention the
> 'Password' attribute. To quote:
>
>     The check items are a list of attributes used to match the
>     incoming request. If the username matches, AND all of the
>     check items match the incoming request, then the reply
>     items are added to the list of attributes which will be
>     used in the reply to that request. This process is
>     repeated for all of the entries in the users file.

Actually, from the sample users file:

    # This file contains security and configuration information
    # for each user. The first field is the user's name and
    # can be up to 253 characters in length. This is followed (on
    # the same line) with the list of authentication requirements
    # for that user. This can include password, comm server name,
    # comm server port number, protocol type (perhaps set by the "hints"
    # file), and huntgroup name (set by the "huntgroups" file).

While I'll be the first to admit that it doesn't jump out and grab you by the cohones, it IS in there. Somewhere. :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"Monday" is the term used to signify the eighth day of my work week.
Re: FreeRadius and /etc/shells
Ben Hockenhull <[EMAIL PROTECTED]> wrote:
> auth: Failed to validate the user.
> Sending Access-Reject of id 93 to 10.0.20.100:2054
>
> But I couldn't get any more specific detail as to why it failed to
> validate the user, even if I'd run radiusd -x -x -x. Is there something
> else I should be trying?

Not really. The 'Failed to validate the user' means that the password is incorrect, or wasn't found.

Hmm... I'll re-visit the problem code in rad_check_password. It should print out a few more helpful error messages, and some of the code is *weird*.

> I'm not able to find explicit documentation that the password attribute
> must be on the first line. The examples all do it that way, but there
> wasn't anything I could find that explicitly said that was required.

'man users' explains this, but it doesn't specifically mention the 'Password' attribute. To quote:

    The check items are a list of attributes used to match the
    incoming request. If the username matches, AND all of the
    check items match the incoming request, then the reply
    items are added to the list of attributes which will be
    used in the reply to that request. This process is
    repeated for all of the entries in the users file.

> Sure enough. That was the problem. Thanks for the pointer. It works
> now. It might be helpful to include an explicit note in the documentation
> that explains that the placement of the password attribute is critical.
> New users to any radius will probably build their user files based on the
> examples, but people converting from another radius server may not.

Hmmm.. all of the Livingston compatible servers I'm aware of use the original Livingston format for the 'users' file. FreeRADIUS follows this behaviour.

> Coming from Merit RADIUS, there were several ways in which one could
> structure the users file, so my assumption was that this was one of
> several valid ways and I didn't really think anything of it.

That's the problem. Don't believe *anything* that Merit does. Nothing else works like Merit does, because Merit sucks.

Alan DeKok.
Re: FreeRadius and /etc/shells
> The Password attribute MUST be on the first line. See the sample
> 'users' file.
>
> Note also that when you run the server in debugging mode, you get an
> error message telling you what the problem is, and how to fix it.

I ran radiusd -x and it would tell me:

    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    modcall[authorize]: module "suffix" returns ok
    users: Matched exampleuser at 155
    modcall[authorize]: module "files" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found auth-type Local
    auth: type Local
    auth: Failed to validate the user.
    Sending Access-Reject of id 93 to 10.0.20.100:2054

But I couldn't get any more specific detail as to why it failed to validate the user, even if I'd run radiusd -x -x -x. Is there something else I should be trying?

I'm not able to find explicit documentation that the password attribute must be on the first line. The examples all do it that way, but there wasn't anything I could find that explicitly said that was required.

Coming from Merit RADIUS, there were several ways in which one could structure the users file, so my assumption was that this was one of several valid ways and I didn't really think anything of it. I converted other bits of syntax from one server to the other, and was able to get radiusd to start up without any complaints, so I assumed that my file formatting was correct. Maybe it would be useful to add this check to the other checks that radiusd performs upon startup.

> And this is most likely the source of your problem. Put the
> password attribute on the same line as the username, and it should
> work.

Sure enough. That was the problem. Thanks for the pointer. It works now. It might be helpful to include an explicit note in the documentation that explains that the placement of the password attribute is critical. New users to any radius will probably build their user files based on the examples, but people converting from another radius server may not.

Regards,
Ben
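The startup check suggested in the message above can be sketched as a small linter for the 'users' file. This is an added example, not part of the original thread and not FreeRADIUS code; the set of check-only attributes and the "Auth-Type Local without Password" heuristic are assumptions, and the sample entries are constructed from the ones quoted in this thread.

```python
import re

# Attributes that only make sense as check items. Assumed, minimal set for
# this example; both names appear in the thread.
CHECK_ONLY = {"Password", "Auth-Type"}
ITEM_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """Split one comma-separated line into (attribute, operator, value)."""
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Group a Livingston-style users file into entries.

    A line starting in column 0 opens an entry: user name, then check items.
    Indented lines that follow are that entry's reply items.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith(("#", "$")):
            continue  # blank line, comment, or $INCLUDE directive
        if not raw[0].isspace():
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "line": lineno,
                            "check": parse_items(rest), "reply": []})
        elif entries:
            entries[-1]["reply"] += [(lineno, it) for it in parse_items(raw)]
    return entries


def lint_users(text):
    """Return sorted (line, user, message) findings for misplaced check items."""
    findings = []
    for e in parse_users(text):
        check = {attr: value for attr, _, value in e["check"]}
        for lineno, (attr, op, _) in e["reply"]:
            if attr in CHECK_ONLY or op == "==":
                findings.append((lineno, e["name"],
                                 f"{attr} is a check item on a reply line; "
                                 f"move it to line {e['line']}"))
        if check.get("Auth-Type") == "Local" and "Password" not in check:
            findings.append((e["line"], e["name"],
                             "Auth-Type Local but no Password check item "
                             "on this line"))
    return sorted(findings)


# Constructed samples: the layout that was rejected, and the corrected one.
SAMPLE_BROKEN = """\
exampleuser     Auth-Type := Local
                Password == "foo",
                Service-Type = Framed-User,
                Framed-Protocol = PPP
"""
SAMPLE_FIXED = """\
exampleuser     Auth-Type := Local, Password == "foo"
                Service-Type = Framed-User,
                Framed-Protocol = PPP
"""

if __name__ == "__main__":
    for line, user, message in lint_users(SAMPLE_BROKEN):
        print(f"users:{line}: {user}: {message}")
```
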
Re: FreeRadius and /etc/shells
Ben Hockenhull <[EMAIL PROTECTED]> wrote:
> I'm migrating from Merit RADIUS to FreeRADIUS 0.2 and I'm running into
> trouble. On Merit RADIUS, I can set up users who exist only in the
> /etc/raddb/users file, and not in /etc/passwd, and use local password
> authentication right in the users file.

That should work.

> Trying to do the same thing with FreeRADIUS, I run into authentication
> problems, and I think that it is due to the fact that the users in
> question do not exist in /etc/passwd, and thus have no shell to compare to
> /etc/shells.

That doesn't make any difference. If the password is local (not system), then /etc/shells is NEVER checked.

> An example /etc/raddb/users entry follows:
>
> exampleuser     Auth-Type := Local
>                 Password == "foo",

The Password attribute MUST be on the first line. See the sample 'users' file.

Note also that when you run the server in debugging mode, you get an error message telling you what the problem is, and how to fix it.

And this is most likely the source of your problem. Put the password attribute on the same line as the username, and it should work.

Alan DeKok.
Re: FreeRadius and /etc/shells
What you're trying to do should work; I have several users set up that way (not in shadow or passwd, but only in the freeradius users file). They don't have any shells defined either.

Try running freeradius in debug ( /X ) mode; that should give lots of hints as to what's going wrong.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"Monday" is the term used to signify the eighth day of my work week.

Ben Hockenhull <[EMAIL PROTECTED]>
08/20/2001 03:20 PM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc: (bcc: Vincent Giovannone/Rush/RSH)
Subject: FreeRadius and /etc/shells

I'm migrating from Merit RADIUS to FreeRADIUS 0.2 and I'm running into trouble. On Merit RADIUS, I can set up users who exist only in the /etc/raddb/users file, and not in /etc/passwd, and use local password authentication right in the users file.

Trying to do the same thing with FreeRADIUS, I run into authentication problems, and I think that it is due to the fact that the users in question do not exist in /etc/passwd, and thus have no shell to compare to /etc/shells.

I read about adding /RADIUSD/ANY/SHELL to /etc/shells, but that does not seem to have helped.

Any ideas? I'm sure this can be done, but I can't seem to find it documented. I don't want to have to add every user to /etc/passwd.
FreeRadius and /etc/shells
I'm migrating from Merit RADIUS to FreeRADIUS 0.2 and I'm running into trouble. On Merit RADIUS, I can set up users who exist only in the /etc/raddb/users file, and not in /etc/passwd, and use local password authentication right in the users file.

Trying to do the same thing with FreeRADIUS, I run into authentication problems, and I think that it is due to the fact that the users in question do not exist in /etc/passwd, and thus have no shell to compare to /etc/shells.

I read about adding /RADIUSD/ANY/SHELL to /etc/shells, but that does not seem to have helped.

Any ideas? I'm sure this can be done, but I can't seem to find it documented. I don't want to have to add every user to /etc/passwd.

An example /etc/raddb/users entry follows:

    exampleuser     Auth-Type := Local
                    Password == "foo",
                    Service-Type = Framed-User,
                    Framed-Protocol = PPP,
                    Idle-Timeout = 15,
                    Framed-IP-Address = 10.8.168.107,
                    Framed-IP-Netmask = 255.255.252.0,
                    Framed-Routing = None,
                    Framed-MTU = 1500,
                    Framed-Compression = Van-Jacobson-TCP-IP

Ben

--
Ben Hockenhull
[EMAIL PROTECTED]
Re: User&Pass all fall through?
Mike Lester <[EMAIL PROTECTED]> wrote:
> can this work for a single user?
>
> for example?
> batman Auth-Type := Accept

Try it and see.

Alan DeKok.
Re: User&Pass all fall through?
> DEFAULT Auth-Type := Accept
>         Reply-Message = "I don't know who you are, or what password you gave, but you're in!"

can this work for a single user?

for example?

    batman Auth-Type := Accept

Mike
Re: User&Pass all fall through?
"Fabian Thylmann" <[EMAIL PROTECTED]> wrote: > I am trying to figure out the freeradius user system. I do not yet > understand it fully and also have no way to really test it since I have no > dialin hardware here.. That's what 'radclient' is for. It comes with the server, and is used to tsend it test packets. > I am trying to setup a configuration that will ok ANY user and password as > ok... > is that possible in any way? I need this since I want stats on the users but > want to allow any username and do not want to setup every user one-by-one. Yes. DEFAULT Auth-Type := Accept Reply-Message = "I don't know who you are, or what password you gave, but you're in!" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: compile w/ mysql
Nick Davis <[EMAIL PROTECTED]> wrote:
> Is there a way I can just make it work? Can I edit the Makefile such that it
> will make the mysql module and work properly? Do you have any other ideas?

Edit the Makefile. It's your only hope for now.

Alan DeKok.
User&Pass all fall through?
Hey,

I am trying to figure out the freeradius user system. I do not yet understand it fully and also have no way to really test it since I have no dialin hardware here..

I am trying to setup a configuration that will ok ANY user and password as ok... is that possible in any way? I need this since I want stats on the users but want to allow any username and do not want to setup every user one-by-one.

Thanks for the info,
Fabian Thylmann
Re: ./configure can't find mysql.h
Paul Foxton <[EMAIL PROTECTED]> wrote:
> Trying to use mysql for authentication and authorization, when I run
> configure I get the following error: "warning: mysql headers not found. use
> --with-mysql-include-dir="
>
> Ok, I'm probly going to get told off for this, I know this question has been
> asked on this list before and I apologise if there's something in the
> archives I've missed.

Bad user. There, you've been told off.

> I've been through all relevant the posts in the archive I could find and
> tried the various fixes suggested and still no joy.
>
> this is my configure command:
>
> ./configure --with-mysql-include-dir=/usr/local/mysql/mysql/include
> --with-mysql-lib-dir=/usr/local/lib --with-mysql-dir=/usr/local/mysql/mysql
>
> I've confirmed that mysql.h is in my includes directory.

OK...

> Since the configure script seems to be appending mysql/mysql.h to my
> includes directory I've tried adding a further /mysql dir inside this
> directory with mysql.h inside it, and also then a symbolic link as follows:
>
> >ln -s ./mysql

Yeah. The default is for mysql to install the include files that way. On my system, they're in:

    [aland@gomul pam_radius]$ locate mysql.h
    /usr/include/mysql/mysql.h

So the 'configure' script works correctly there. Your mileage may vary.

> I've pretty much drawn a blank now - should I try downloading
> freeradius-snapshot-20010820.tar.gz? I read in one post that the configure
> script wasn't actually checking for the include directory in the command
> line - could this be the problem?

I'm not sure. I *hate* depending on external software. Most of the problems with the "server" are really problems with getting it to interact with other software. And depending on the software version, the system administrator, or the phase of the moon, it may or may not work. (sigh)

The definitive solution would be to create the 'Makefile' yourself for the mysql module, by hand.

Alan DeKok.
Re: Freeradius-0.2 on FreeBSD 4.3
chami <[EMAIL PROTECTED]> wrote:
> And it is recommend to use Auth-Type = Local rather than
> System. because radius send it's data in a clear text.

No, it doesn't. Please read the RFC's.

> In that case someone can hack your system easily. And try using
> DEFAULT values in $INCLUDE users.slip file.

My personal recommendation is to use Auth-Type := System, and to use PAP authentication on the NAS. CHAP is mostly a waste of time.

Alan DeKok.
Re: Freeradius-0.2 on FreeBSD 4.3
Nimal Ratnayake <[EMAIL PROTECTED]> wrote:
> On FreeBSD systems there is no shadow file (there is /etc/master.passwd
> which is readable by root only). I have user=root and group=nobody and
> it seems to work fine.

That will work, but it's not as secure as could be. Once the user is root, then it can change the group membership to anything it wants.

But if it works, that's a step forward.

> My apologies. But I checked the doc directory and the FAQ on website
> before posting to the list. It would be nice if this can be included in
> the FAQ.

I'll see what I can do. But the problem is that there is little, if any, documentation on the server.

Please, if you have *any* suggestions for how to get things done, write a paragraph or two, and mail it to the list. The server can only get better with input from people using it.

Alan DeKok.
Re: Problems with MAX3030 talking to Freeradius
"WQ FreeRadius" <[EMAIL PROTECTED]> wrote: > Mate i have restarted a few times and got the original error message by > running in Debug mode... Am just about to launch computer out the window! There's not much I can say to help you, sorry. When I test it, I add clients to raddb/clients, or raddb/clients.conf. The test programs can then send radius packets from that client, and see the response. Maybe you're not editing the same clients file that the server is loading. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: compile w/ mysql
>> I am trying to compile freeradius-snapshot-20010730 with mysql. For some
>> reason I am unable to get it to work properly. I hope someone can assist me
>> with this problem.
>>
>> Here is what the output of the ./configure script says:
>>
>> checking for mysql/mysql.h... yes
>> checking for mysql_init in -lmysqlclient... no
>> configure: warning: mysql libraries not found. Use
>> --with-mysql-lib-dir=.
>> configure: warning: sql submodule 'mysql' disabled
>>
>> Here is the command that I am trying to run:
>>
>> ./configure --with-thread-pool --with-mysql-include-dir=/usr/include/mysql/
>> --with-mysql-lib-dir=/usr/lib/mysql/ --with-mysql-dir=/usr/bin/

> After doing the top-level compile, try doing:
> cd src/modules/rlm_sql/drivers/rlm_sql_mysql
> ./configure --with-mysql-include-dir=/usr/include/mysql/
> --with-mysql-lib-dir=/usr/lib/mysql/ --with-mysql-dir=/usr/bin/

The output of this is the same as I get from the top-level compile.

Is there a way I can just make it work? Can I edit the Makefile such that it will make the mysql module and work properly? Do you have any other ideas?

Thanks for the help thus far!

--
Nick Davis
2 things...about groups and time limits and rhelms..
2 things i have found. could be helpful for others...

first, in 'users' file, all entries are with @domain.com. when trying the 'group' things/examples, i was given a clue that it was unix 'groups' as applied to the users account is what controlled the 'groups' examples... so, if we have a user unix account of 'batman' and in the radius users file we have '[EMAIL PROTECTED]' then the groups will not work, even if we use the 'strip' command in the realms file for the 'local' domain... all of our users have an @domain in the users file, however, their unix account just has username... so, the short answer is to add a user in unix exactly like what's in the radius users file... then set the group permissions.. works, but is kinda un-practical, or get a fix that would use the radius users file as expected, '[EMAIL PROTECTED]' and let groups be just 'batman'...

secondly, when doing proxy authentication, a username comes in like:

    User-Name = " [EMAIL PROTECTED]" (note leading spaces)

and gets passed to another radius server, where it's authenticated as "[EMAIL PROTECTED]" and is in detail record for the user as " [EMAIL PROTECTED]".. while that may be a bug in the 'other' radius server, that's not the issue here... it is about the detail records that are created for the proxy authentication... having leading 'whitespace' it makes it hard to import detail records into our billing program, since it takes the 'User-Name' literally, and tries to match " [EMAIL PROTECTED]" to "[EMAIL PROTECTED]" which is what's in the access database...

any chance we could get the server to 'ignore leading spaces' in the User-Name attrib/log and just output the string?

Mike
Re: free radius only working in debug mode
"steve" <[EMAIL PROTECTED]> wrote: > Well I DID READ the radiusd.conf file And YES I did > change that part to "group=shadow" And I still did not work That is > why I posted here... I had to change to "user=root" and "group=root" to make > the thing work.. Did you try 'ls -l /etc/shadow' ?? That would tell you the user/group ownership, and access priviledges of /etc/shadow. You can then edit radiusd.conf, to make it work. The comments about configuring on various operatings systems *might* have caught your interest, to double-check what to do on your own operating systems. > Ummm.. Maybe you should but that in your bloody .conf file I'm sorry. The server doesn't come with sufficient documentation to cover every possibility that every system administrator can encounter. And writing 'configure' scripts to detect and handle every possibility is very difficult. If you would be willing to write such documentation, or post patches to the 'configure' scripts, then we would be delighted to add it to the source tree. Please don't be surprised if a free server doesn't work perfectly as you desire, right out of the box. And to answer the questions as to why I'm so rude on these topics: I find it *incredibly* frustrating when I write code, documentation, answer messages for free on the list, and people *still* demand that I do more, so that they can do less work themselves. I've said this before, if you don't like my free advice, I will be endlessly polite, patient, and helpful for the low-low price of $100 U.S. per hour. Until then, don't be surprised if you get what you paid for. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
./configure can't find mysql.h
freeradius 0.2, RH linux 7.1, MySQL 3.23.41 source distribution

Trying to use mysql for authentication and authorization, when I run configure I get the following error:

    "warning: mysql headers not found. use --with-mysql-include-dir="

Ok, I'm probably going to get told off for this, I know this question has been asked on this list before and I apologise if there's something in the archives I've missed.

I've been through all the relevant posts in the archive I could find and tried the various fixes suggested and still no joy.

this is my configure command:

    ./configure --with-mysql-include-dir=/usr/local/mysql/mysql/include --with-mysql-lib-dir=/usr/local/lib --with-mysql-dir=/usr/local/mysql/mysql

I've confirmed that mysql.h is in my includes directory.

I've run this command both in the base freeradius installation directory and then in the rlm_sql_mysql dir.

Since the configure script seems to be appending mysql/mysql.h to my includes directory I've tried adding a further /mysql dir inside this directory with mysql.h inside it, and also then a symbolic link as follows:

    >ln -s ./mysql

I've pretty much drawn a blank now - should I try downloading freeradius-snapshot-20010820.tar.gz? I read in one post that the configure script wasn't actually checking for the include directory in the command line - could this be the problem?

Thanks,

Paul
*ducks*
RE: further freeradius docos?
Hi Jeff,

I can't help on the admin utility, but there's a script you can run in the /src/modules/rlm_sql/drivers/rlm_sql_mysql dir called db_mysql.sql which creates the tables for you.

hope this helps and good luck : )

Paul

> -----Original Message-----
> From: Jeff Mills [mailto:[EMAIL PROTECTED]]
> Sent: 20 August 2001 05:30
> To: [EMAIL PROTECTED]
> Subject: further freeradius docos?
>
>
> Hi all.
> I'm attempting to set up freeradius at work for a new
> dialin system
> we are to adopt. We've been told by our telco that we need a
> radius server
> on our site to authenticate the dialin users. I'm attempting to set up
> freeradius on a Linux box with mysql, but I dont have much
> experience on
> either yet. My problem is:
> 1) I need to make this easy for other admins to use who dont
> have Linux
> knowledge, so the ideal thing would be a web administration
> type thing.
> 2) I cant seem to find any help on setting up the mysql
> database for tables
> and fields required and the like.
>
> I have downloaded and installed dialup admin for freeradius
> which doesnt
> seem to do much except query the database.
> Is there any other docs or GUI's that can help set up and maintain the
> server for freeradius?
>
> Regards,
>
> Jeff Mills
> NSW Network Administrator
> P&O Cold Logistics
> Phone : (02) 9688 8200
> Fax : (02) 9688 2610
> Direct: (02) 9688 8264
> Email : [EMAIL PROTECTED]
> Web : http://www.pocoldlogistics.com