how to convert Class attribute from hex to ascii-string
Hello, In my detail file for RADIUS accounting, the Class attribute is stored in HEX format. I would like to convert it to the original ascii-string before processing; Is it possible and how can I do that?? Thanks for your help. Francois. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
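For the question above, an added example (not from the thread or from the FreeRADIUS project): a Python reader for detail-file records that turns `0x...` values of chosen attributes back into ASCII and leaves binary values as hex, since Class is opaque octets and is not always text. The sample records, user names and values are constructed, apart from `0x313230`, which appears in debug output further down this page. The layout assumed is a timestamp line followed by indented `Attribute = value` lines.

```python
import re

# Constructed sample: timestamp line, tab-indented attributes, blank line
# between records (assumed detail-file layout).
SAMPLE_DETAIL = (
    "Tue Aug 13 12:04:11 2002\n"
    '\tUser-Name = "francois"\n'
    "\tAcct-Status-Type = Start\n"
    '\tAcct-Session-Id = "3b7a0001"\n'
    "\tClass = 0x73746166662d67726f7570\n"   # ASCII "staff-group"
    "\n"
    "Tue Aug 13 12:09:42 2002\n"
    '\tUser-Name = "guest"\n'
    "\tAcct-Status-Type = Stop\n"
    "\tClass = 0x8a1f0003000001370001\n"     # binary, not text
    "\tProxy-State = 0x313230\n"             # ASCII "120"
    "\n"
)

ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9_.-]+)\s*=\s*(.*)$")
HEX_VALUE = re.compile(r"^0x((?:[0-9a-fA-F]{2})+)$")


def decode_octets(value):
    """Return the ASCII text of a 0x... value, or the value unchanged.

    Values containing any byte outside printable ASCII stay as hex, so
    binary Class contents and control characters never reach later tools.
    """
    m = HEX_VALUE.match(value)
    if not m:
        return value
    raw = bytes.fromhex(m.group(1))
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return value


def parse_detail(text, decode=("Class",)):
    """Yield one dict per record; each attribute maps to a list of values
    because an attribute such as Class may occur more than once."""
    record = {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends the record
            if record:
                yield record
            record = {}
        elif not line[0].isspace():          # unindented line: timestamp
            if record:
                yield record
            record = {"Timestamp": [line.strip()]}
        else:
            m = ATTR_LINE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # already a text attribute
            elif name in decode:
                value = decode_octets(value)
            record.setdefault(name, []).append(value)
    if record:
        yield record


if __name__ == "__main__":
    for rec in parse_detail(SAMPLE_DETAIL, decode=("Class", "Proxy-State")):
        print(rec["Timestamp"][0], rec.get("Class"), rec.get("Proxy-State"))
```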
Possible bugfix for authentication in rlm_mysql.c
Hi,

I have just been getting to know freeradius (using version 0.7), and ran into a minor problem... I wanted to use sql to set the attributes, but do the password authentication in another module, so I commented out authenticate_query in sql.conf. This did not work...

On closer inspection, rlm_sql.c has the test:

    if (inst->config->authenticate_query){ ...

but in the config parsing a default of "" (empty string) is specified, so even if the config string is commented out, it still tries to authenticate. Changing this to:

    if ((inst->config->authenticate_query) && (strlen(inst->config->authenticate_query) > 0)){ ...

works like a charm. Attached is a patch to implement this change, if you want it.

Thanks,
-justin

PS. Aside from this glitch, my experience with freeradius is wholly positive. Well documented, easy to use, very flexible, etc... Great work!

--- freeradius-0.7/src/modules/rlm_sql/rlm_sql.cThu Jul 25 17:54:23 2002 +++ ../cellid/freeradius-0.7/src/modules/rlm_sql/rlm_sql.c Tue Aug 13 12:59:00 +2002 -462,7 +462,7 pairfree(reply_tmp); pairfree(check_tmp); - if (inst-config-authenticate_query){ + if ((inst-config-authenticate_query) +(strlen(inst-config-authenticate_query) 0)){ radius_xlat(querystr, MAX_QUERY_LEN, inst-config-authenticate_query, request, sql_escape_func); /* Remove the username we (maybe) added above */
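Review bot: in the replacement condition, the second test only needs to know whether the string is empty, so checking its first byte (authenticate_query[0] != '\0') states that more directly than strlen() while keeping the NULL test in front of it. In this archived copy the operators inside the condition are missing and both the header date and the condition are wrapped onto extra '+' lines, so it will not apply as shown; regenerate it with diff -u and send it as an attachment. A comment in sql.conf next to authenticate_query, saying that commenting the query out disables SQL authentication, would document the behaviour this change relies on.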
how to rotate detail accounting files properly
Hello,

I'm looking for the best and cleanest way to rotate detail accounting log files. Could you tell me how I should do it?

Thanks for your help.
Francois.

Francois DESSART
Network Engineer - SEGI/ULG
Re: FreeRadius, Where to Begin
Matt [EMAIL PROTECTED] wrote:
> Is there a step by step guide that would help me to get freeRadius going?

The FAQ, the docs, but not much more.

> I would also like a web page that I could log into to update the user database and check user bandwidth usage. Is this all possible with freeRadius?

Did you try *looking* in the distribution? 'dialup_admin', which is included with the server, does most of that. It's not extremely documented, but it's there.

> I installed the latest FreeRadius build on Redhat 7.3 but have been unable to get anywhere with it. Here is my logfile output.
> ...
> Mon Aug 12 19:38:07 2002 : Error: rlm_unix: You MUST specify a shadow password file!

So... did you READ the message you posted to the list? I really don't understand what the problem is.

Alan DeKok.
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Jason Haar [EMAIL PROTECTED] wrote:
> I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:

Uh, no. Your shared libraries are set up wrong. The server asks to do run-time linking, and *your* run-time linker fails to find that symbol.

> radiusd: relocation error: /usr/lib/rlm_eap_tls-0.7.so: undefined symbol: SSL_set_msg_callback_arg
>
> I then tried compiling 0.7 under openssl-0.9.7 and under openssl-engine-0.9.6g (using LD_PRELOAD/etc) with the same error.

shrug Figure out how to get shared libraries working on your system. It's not the fault of the server that your dynamic linker can't resolve a symbol.

See the FAQ and the comments around 'libdir' in radiusd.conf.

The ONLY way to fix the problem is to fix your linker. There's NOTHING you can do to the server which will fix the problem.

Alan DeKok.
Re: accounting-start proxy error
> > It works fine for authentication request/accept and accounting-stop, but my NAS complains about the accounting-start messages:
>
> Then it's most likely a problem with the attributes in the accounting start packet.
>
> > WARNING: Identifier does not match - ignoring response
> > WARNING: Invalid response signature - check secret!
>
> If the first message is true, then the second is caused by the first. You say that the NAS complains about the accounting-start packet, but FreeRADIUS never sends one to the NAS, it only sends an Accounting-Response packet. So where does this message come from, and when does it happen?

Sorry, my mistake, I meant Accounting-Request.

This is what Freeradius gets from the NAS:

    rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:, id=120, length=149
    Acct-Delay-Time = 8
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Identifier =
    Acct-Status-Type = Start
    Acct-Session-Id = 3b7a0001
    Acct-Authentic = RADIUS
    User-Name = x

This is what Freeradius proxies to MS IAS:

    Sending Accouting-Request of id 22 to xxx.xxx.xxx.xxx:
    Acct-Delay-Time = 8
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Identifier =
    Acct-Status-Type = Start
    Acct-Session-Id = 3b7a0001
    Acct-Authentic = RADIUS
    User-Name = x
    Proxy-State = 120

Freeradius gets the following back from MS IAS:

    rad_recv: Accouting-Response packet from xxx.xxx.xxx.xxx:, id=22, length=25
    Proxy-State = 0x313230

And sends it on to the NAS:

    Sending Accouting-Response of id 120 to xxx.xxx.xxx.xxx:xx

And the NAS generates the error:

    WARNING: Identifier does not match - ignoring response
    WARNING: Invalid response signature - check secret!

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
Re: radrelay is showing segmentation fault [patch]
Simon [EMAIL PROTECTED] wrote:
> The segmentation fault otoh is a stupid bug by me. Patch included against current cvs, some very minor documentation updates are included too. Be good if this could be applied.

Added, except for:

+ if (!argv[1]) + usage(); + if (!strlen(argv[1])) + usage();

That's *very* bad, as it accesses memory which may not exist. It would be better to check 'argc' against 'optind', which doesn't access non-existent elements of arrays.

I've changed the patch a bit, and committed it. Thanks.

Alan DeKok.
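Review bot: both added checks index argv[1] directly, which is the first positional argument only when no options come before it. Once the options have been parsed the first non-option argument is argv[optind], so call usage() when optind >= argc and read the argument from argv[optind] afterwards; that also covers the empty-argument test without touching an element that may not be there.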
Re: Accounting is Where?
At 12:04 PM 8/13/2002 -0400, Funk, Michael wrote:
> Okay. I'm trying to use mySQL to authenticate, but I need to log accounting to flat files. (The local tables are read-only and I can't afford the performance hit to log to SQL) The auth works fine, but the accounting files aren't being created... Any ideas?

Do you have 'detail' module configured to log detail files properly? Have you checked directory permissions (the radius process must have write permission to the directory to write detail files)? Have you included 'detail' in the 'accounting' block of your 'radiusd.conf' file?

-Chris

--
StarNet Inc. - Chris Parker, Director, Engineering
WX *is* Wireless! http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
2 important question
Hi,

I gonna get a maintenance image of freeradius.

1- is there any experience hardware requirements for 30/60/ or 100 concurrent user from different NAS
2- how can I set dictionary files and radius.conf through database?

Regards,
Hooman Amini
Re: radrelay is showing segmentation fault [patch]
On Tue, Aug 13, 2002 at 11:49:56AM -0400, Alan DeKok wrote:
> Simon [EMAIL PROTECTED] wrote:

+ if (!argv[1]) + usage(); + if (!strlen(argv[1])) + usage();

> That's *very* bad, as it accesses memory which may not exist. It would be better to check 'argc' against 'optind', which doesn't access non-existent elements of arrays.

Blah, yeah, sorry, you're obviously correct. It's too hot here to think right now.

-- Simon
Re: 2 important question
Hooman Amini [EMAIL PROTECTED] wrote:
> 1- is there any experience hardware requirements for 30/60/ or 100 concurrent user from different NAS

Any hardware should be OK for that. A Pentium III would be fine.

> 2- how can I set dictionary files and radius.conf through database?

You can't.

Alan DeKok.
RE: set up radius groups
Is there a tarball available for dialup_admin? I don't know how to use CVS.

Thanks,
Sheldon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Saturday, August 10, 2002 1:53 PM
To: [EMAIL PROTECTED]
Subject: Re: set up radius groups

On Sat, 10 Aug 2002, Aleksandr Kuzminsky wrote:
> On Wed, 7 Aug 2002, Rick Eicher II wrote:
> > I have freeradius 0.07 with postgresql. I am looking for some idea of how to add/setup radius groups. I have the dialadmin up and running but do not see anything there. I am now searching through the archives and FAQ. Can anyone point me in the right direction on this?
>
> Use radgroup(check/reply) and usergroup tables.
>
> --- Aleksandr Kuzminsky, AK476-RIPE System Administrator, AK16-UANIC ISP NBI.

I have just committed group support to dialup_admin. Please try it out (cvs update) and tell me if it works. Since I am not using sql in production even a 'yes it works!' would be really helpful.

--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
ip pool again
It still doesn't work.

Hi list:

I'm starting the tests with the ippool module. I added this line on the users file:

    DEFAULT NAS-IP-Address == 10.169.255.11, Auth-Type := Accept, Pool-Name := prueba

And created an IP pool:

    ippool prueba {
        range-start = 10.170.200.1
        range-stop = 10.170.200.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = /raddb/db.ippool
        ip-index = /raddb/db.ipindex
    }

I can start the server and it works ok, but it doesn't reply with the Framed-IP-Address attribute. What am I doing wrong?

I'm sorry if this is ANOTHER stupid question. Thanks a lot for your time.

Guillermo
RE: Accounting is Where?
Okay... I checked everything. Permissions are permitting, modules are modulating, etc. Could this have anything to do with the fact that I'm using SQL to auth and trying to write to the traditional log files? I see all the goop in the sql.conf regarding logging. The radius.log file is working fine, just not accounting!

-Original Message-
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:06 AM
To: [EMAIL PROTECTED]
Subject: Re: Accounting is Where?

At 12:04 PM 8/13/2002 -0400, Funk, Michael wrote:
> Okay. I'm trying to use mySQL to authenticate, but I need to log accounting to flat files. (The local tables are read-only and I can't afford the performance hit to log to SQL) The auth works fine, but the accounting files aren't being created... Any ideas?

Do you have 'detail' module configured to log detail files properly? Have you checked directory permissions (the radius process must have write permission to the directory to write detail files)? Have you included 'detail' in the 'accounting' block of your 'radiusd.conf' file?

-Chris

--
StarNet Inc. - Chris Parker, Director, Engineering
WX *is* Wireless! http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
RE: Accounting is Where?
At 03:24 PM 8/13/2002 -0400, Funk, Michael wrote:
> Okay... I checked everything. Permissions are permitting, modules are modulating, etc. could this have anything to do with the fact that I'm using SQL to auth and trying to write to the traditional log files? I see all the goop in the sql.conf regarding logging. The radius.log file is working fine, just not accounting!

Nope. If you don't include SQL in the accounting section, it won't use SQL to attempt to log anything. The accounting code is there, but it isn't used unless you include SQL in your 'accounting' section of the config.

What happens in debug mode when an accounting request is received?

-Chris

--
StarNet Inc. - Chris Parker, Director, Engineering
WX *is* Wireless! http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: ip pool again
On Tue, 13 Aug 2002, Guillermo Schimmel wrote:
> It still doesn't work.
>
> Hi list:
>
> I'm starting the tests with the ippool module. I added this line on the users file:
>
>     DEFAULT NAS-IP-Address == 10.169.255.11, Auth-Type := Accept, Pool-Name := prueba
>
> And created an IP pool:
>
>     ippool prueba {
>         range-start = 10.170.200.1
>         range-stop = 10.170.200.254
>         netmask = 255.255.255.0
>         cache-size = 800
>         session-db = /raddb/db.ippool
>         ip-index = /raddb/db.ipindex
>     }
>
> I can start the server and it works ok, but it doesn't reply with the Framed-IP-Address attribute. What am I doing wrong?
>
> I'm sorry if this is ANOTHER stupid question. Thanks a lot for your time.
>
> Guillermo

Have you added the module in the authorize and accounting sections in radiusd.conf? Make sure also that ippool comes after the files module in the authorize section.

--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
Upgrading from 0.2
On Fri, 19 Jul 2002 16:20:04 +0200, [EMAIL PROTECTED] wrote:

My question is, are there any documents/files located anywhere that have instructions on migrating from old versions to the new version, or do I just have to start from the beginning again?

Looks like the second option would be a wiser thing to do. As Alan DeKok said, it's so old it's scary :-)

Alexandre Ganso - Director, Steel Goose Moto Group
6, 7 and 8 September - 10th anniversary of Steel Goose - Ouro Branco - MG
500 Four 1974... It's not fast. But it takes me to the end of the world.
[EMAIL PROTECTED] - ICQ# 3778773
Too many freaks, not enough circuses
Uninstall
On Thu, 18 Jul 2002 10:45:04 +0200, [EMAIL PROTECTED] wrote:

At this point, deleting everything you've installed, and installing the last CVS snapshot on a clean system.

Wouldn't it be a nice thing some kind of uninstaller stuff?
Check using regexes
On Sat, 20 Jul 2002 06:26:09 +0200, [EMAIL PROTECTED] wrote:

You change the operator to the one used for regexes (Some time out of a computer and six hours by plane from my freeradius box, but i think is :~ And the number is changed to a regex, one which would mean it starts with 321 and then whatever.

| 4 | group1| Calling-Station-Id| 321 | NULL |

how to check the same multiple attribute using logic OR ? or using Regexes ? i read that ICRadius can use OR Logic Patch ... how about freeradius

Alexandre Ganso - Director, Steel Goose Moto Group
6, 7 and 8 September - 10th anniversary of Steel Goose - Ouro Branco - MG
500 Four 1974... It's not fast. But it takes me to the end of the world.
[EMAIL PROTECTED] - ICQ# 3778773
Too many freaks, not enough circuses
counter module counting too many times
On Fri, 26 Jul 2002 04:07:07 +0200, [EMAIL PROTECTED] wrote:

Some people had the same trouble some time ago. The only thing I could do to stop this was setting the Acct_Unique_Id as unique on radacct table, so mysql server would discard subsequent packets with the same id. My box keeps sending duplicated packets for months, but with this wacky fix I could solve the problem for me. I don't have a clue about how to solve this on systems which don't use sql for accounting. (In fact, this was one of the things which made me switch to sql).

I'm using 0.5 and just noticed that when the same acct packet arrive more than once to the server, the counter module does not control the fact that it is repeated -not even if the acct_uniq module is being used- and its count-attribute get added several times. Just checked the latest cvs version to find that this behavior remains unchanged; it has only minor changes.

Anyone working on this?

Alexandre Ganso - Director, Steel Goose Moto Group
6, 7 and 8 September - 10th anniversary of Steel Goose - Ouro Branco - MG
500 Four 1974... It's not fast. But it takes me to the end of the world.
[EMAIL PROTECTED] - ICQ# 3778773
Too many freaks, not enough circuses
counter module counting too many times
On Fri, 26 Jul 2002 04:07:07 +0200, [EMAIL PROTECTED] wrote:

The trouble is that these packets are not EXACTLY identical. They use to have some different values - which of course I don't remember now, as I'm far from my radius box now. Something about timeout between NAS send and radius acknowledges it. (at least on my case and someone else which wrote me months ago, but I didn't keep his email)

I'm using 0.5 and just noticed that when the same acct packet arrive more than once to the server, the counter module does not control the fact that it is repeated -not even if the acct_uniq module is being used- and its count-attribute get added several times.

Yes, that's a problem. The issue is that the counter module (and much of the server) has no way of knowing if the accounting packet is a duplicate or not. So it's difficult to know when to do something with an accounting packet, and when to ignore it.

The SQL module would know it was duplicate, because it has persistent storage and lookup. The 'detail' module wouldn't, because it doesn't do lookups.

Anyone working on this?

Nope. I'm not sure if there's a simple fix right now.

Alexandre Ganso - Director, Steel Goose Moto Group
6, 7 and 8 September - 10th anniversary of Steel Goose - Ouro Branco - MG
500 Four 1974... It's not fast. But it takes me to the end of the world.
[EMAIL PROTECTED] - ICQ# 3778773
Too many freaks, not enough circuses
errorlog
On Sat, 27 Jul 2002 06:26:05 +0200, [EMAIL PROTECTED] wrote:

Looks like he wants a radius.log on sql.

How to make that in the table of a database the data on the reason of refusal in access were inserted?

Huh? I have NO clue what that's supposed to mean.

Alan DeKok.

Alexandre Ganso - Director, Steel Goose Moto Group
6, 7 and 8 September - 10th anniversary of Steel Goose - Ouro Branco - MG
500 Four 1974... It's not fast. But it takes me to the end of the world.
[EMAIL PROTECTED] - ICQ# 3778773
Too many freaks, not enough circuses
Re: Accounting is Where?
hi michael

i had the same problems under my potato-debian without any sql, i.e. the radutmp, radwtmp and stmp simply haven't existed although they were in all relevant accounting sections etc. at the same time, the details file was full of lines. i tried to create the files with zero length, to make them world-writeable, i tried lot of things but nothing ever happened. three updates and a complete system update later i probably still have the same problems ;-) but it's not very important to me so i didn't check since then.

i think, there is some issue (bug) related to that fact which has nothing to do with sql. you should probably take a look to the logs (this probably won't help :-)) and then you should try to strace your server grepping for fopens or somewhat like this. i wanted to do this but i simply didn't have time. the guys will be able to tell what exactly you have to do, i'm not a specialist for those questions.

dumb questions: you are sure that your nas sends accounting packets?

greetings,
artur

> Okay... I checked everything. Permissions are permitting, modules are modulating, etc.

-- Artur Hecker artur[at]hecker.info
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
On Tue, Aug 13, 2002 at 09:35:22AM -0400, Alan DeKok wrote:
> Jason Haar [EMAIL PROTECTED] wrote:
> > I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:
>
> Uh, no. Your shared libraries are set up wrong. The server asks to do run-time linking, and *your* run-time linker fails to find that symbol.

So you mean Redhat have it wrong again? There's a surprise :-)

> shrug Figure out how to get shared libraries working on your system. It's not the fault of the server that your dynamic linker can't resolve a symbol.

Seriously? So no-one running Redhat can make this work (I've tried it under RH 7.1 and 7.2)? I've already had someone else e-mail me saying they have the same problem, so it looks pretty generic. The other rlm modules work fine - it's just the eap ones that have this problem (i.e. it's an openssl issue).

BTW: I did all the LD_PRELOAD and libdir stuff to no avail.

Anyway, now that I've read the docs, I'm wondering if EAP-TLS support is actually finished yet. doc/eap says:

    Please note that WEP is not yet supported in freeradius

Is that still the case? The whole reason we're looking at EAP-TLS is to work around the gross security problems with WLANs - and EAP-TLS provides that protection by dynamically generating WEP session keys...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
> > Please note that WEP is not yet supported in freeradius
>
> Is that still the case? The whole reason we're looking at EAP-TLS is to work around the gross security problems with WLANs - and EAP-TLS provides that protection by dynamically generating WEP session keys...

there is a patch which should be already integrated in the release which supports that. if it doesn't grep the maillist archives for it, it was submitted by Lars Viklund and Henrik Eriksson. if you don't find it, ask them, the addresses should be there.

ciao
artur

-- Artur Hecker artur[at]hecker.info
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
> there is a patch which should be already integrated in the release which supports that. if it doesn't grep the maillist archives for it, it was

oups: if it ISN'T of course...

-- Artur Hecker artur[at]hecker.info
Adding NAS-Port-Type to a Access-Request for certain realms
Hello,

We are using realms eg: dialin.mydomain.com xdsl.mydomain.com. I want to be able to add NAS-Port-Type=xDSL - Digital Subscriber Line of unknown type, if they are using xdsl.mydomain.com to the access-request. The reason I want to do this is because the telco we buy these off don't send us this attribute. I will then check to see if the user is authorised to use xdsl.

Can I add this to the access-request?

Regards
Allister P Maguire
Re: Adding NAS-Port-Type to a Access-Request for certain realms
Hello,

I have changed it to using a suffix instead eg: [EMAIL PROTECTED], I added this to the hints file.

    DEFAULT Suffix = .xdsl, Strip-User-Name = Yes
            NAS-Port-Type = xDSL

Only problem is the suffix is not being stripped, only the realm is being removed. Anyone know how I can fix this?

- OUTPUT -

    Thread 1 handling request 0, (1 handled so far)
    User-Name = [EMAIL PROTECTED]
    User-Password = \333\330\331\017K\343`(B^\252\264\375\374[\225
    NAS-IP-Address = 255.255.255.255
    NAS-Port-Id = 1
    rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: Looking up realm .xxx.xx for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm .xxx.xx
    rlm_realm: Adding Stripped-User-Name = bbuilder.xdsl
    rlm_realm: Proxying request from user bbuilder.xdsl to realm x.xxx.xx
    rlm_realm: Adding Realm = .xxx.xx
    rlm_realm: Authentication realm is LOCAL.
    rlm_realm: auth_port is not set. proxy cancelled
    modcall[authorize]: module suffix returns noop
    users: Matched DEFAULT at 1
    modcall[authorize]: module files returns ok
    modcall: entering group redundant
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for bbuilder.xdsl
    radius_xlat: '(uid=bbuilder.xdsl)'
    radius_xlat: 'ou=Internet Service Provider,dc=xxx,dc=xxx,dc=xx'
    ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ldap..xxx.xx:389, authentication 0
    rlm_ldap: setting TLS mode to 4
    rlm_ldap: could not set LDAP_OPT_X_TLS option Success
    rlm_ldap: bind as / to ldap..xxx.xx:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: performing search in ou=Internet Service Provider,dc=xxx,dc=xxx,dc=xx, with filter (uid=bbuilder.xdsl)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap1 returns notfound
    modcall: group redundant returns notfound
    modcall: group authorize returns notfound
    rad_check_password: Found Auth-Type Pam
    auth: type PAM
    modcall: entering group authenticate
    pam_pass: using pamauth string radiusd for pam.conf lookup
    pam_pass: function pam_authenticate FAILED for bbuilder.xdsl. Reason: User not known to the underlying authentication module
    modcall[authenticate]: module pam returns reject
    modcall: group authenticate returns reject
    auth: Failed to validate the user.
    Login incorrect (rlm_ldap: User not found): [[EMAIL PROTECTED]/] (from client localhost port 0)
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    Thread 1 waiting to be assigned a request
    rad_recv: Access-Request packet from host 127.0.0.1:34499, id=143, length=75
    Sending Access-Reject of id 143 to 127.0.0.1:34499
    Ascend-Client-Assign-DNS = DNS-Assign-Yes
    Ascend-Client-Primary-DNS = xxx
    Ascend-Client-Secondary-DNS = xxx
    Ascend-Assign-IP-Pool = 6
    Ascend-Maximum-Channels = 1

Allister P Maguire
Development Consultant
Actonz Management Group Ltd
PH: +64 4 915 7711