RE: Reply packet code 11... : IGNORED
> Your AP is broken.

I checked the intel AP case again. Using windows 2000 server as a radius server, authentication worked fine. Is there a reason why that AP can authenticate with a windows radius server and not with freeRADIUS or am i doing something wrong? The firmware is the latest available.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: External authentication ?
> Yes. But you can also do:
>
> bob Auth-Type := Accept
>     Exec-Program-Wait
>
> If the program does: exit(1), then the authentication fails.

I did try that too and it didn't work.
Look, here is an excerpt from my users file:

--
tobbe Auth-Type := Accept
      Exec-Program-Wait = "/home/tobbe/junk/radius_auth.sh %u"
--

And here is my shell script: radius_auth.sh

--
#!/bin/sh
echo "$*" > /tmp/args_from_radiusd.data
printenv >> /tmp/args_from_radiusd.data
## 0=GRANTED , 0
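An external program of the kind discussed in this thread (run through Exec-Program-Wait with %u as its argument, its exit status deciding the result), as an added example that is not from the thread or from FreeRADIUS. It assumes radiusd exports the request's password attribute in the environment as USER_PASSWORD or PASSWORD, possibly wrapped in double quotes; the credential store and every value in it are constructed.

```python
#!/usr/bin/env python3
"""External check for an Exec-Program-Wait entry: exit 0 accepts, exit 1 rejects."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000
# Assumption: radiusd exports the password attribute under one of these names.
PASSWORD_ENV_NAMES = ('USER_PASSWORD', 'PASSWORD')


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256, so the store never holds a cleartext password."""
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)


# Constructed store: username -> (salt, hash). No password appears in the users file.
_SALT = b'constructed-salt'
STORE = {'tobbe': (_SALT, hash_password('s3cret-example', _SALT))}
_DUMMY = (b'\x00' * 16, b'\x00' * 32)


def password_from_env(env):
    """Fetch the password the server handed over, or '' if there is none."""
    for name in PASSWORD_ENV_NAMES:
        value = env.get(name)
        if value:
            # Assumption: string attributes may arrive wrapped in double quotes.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value
    return ''


def decide(username, env, store=STORE):
    """Return the exit status for this request: 0 accepts, 1 rejects."""
    password = password_from_env(env)
    salt, expected = store.get(username, _DUMMY)
    # Hash even for unknown users so both paths cost the same time.
    candidate = hash_password(password, salt)
    known = username in store and bool(password)
    return 0 if known and hmac.compare_digest(candidate, expected) else 1


def main(argv, env):
    # Nothing from env is logged or written to disk: under the assumption
    # above it carries the user's password.
    if len(argv) != 2:
        return 1
    try:
        return decide(argv[1], env)
    except Exception:
        return 1  # fail closed on any internal error


if __name__ == '__main__':
    sys.exit(main(sys.argv, os.environ))
```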
RE: Reply packet code 11... : IGNORED
> you can't be serious : this message is never the last one... this is a
> challenge. if this is the last message, the authentication has not been
> finished yet. you definitely should have EAP-TLS running correctly
> before even thinking about dynamic keys.
> The last message has to be Access-Accept.

:) I am very sorry... Wrong log file.
I tried again. It worked fine! The radius server is sending the WEP key to the client and the AP. I also tried session timeout, this also works fine.

Here is the *correct* last response from the radius server:

Sending Access-Accept of id 17 to 192.168.1.50:1041
    Session-Timeout = 60
    MS-MPPE-Recv-Key = 0xc86d140abd8a14c351b5f5fe57d1a80fa9f8cb4cd031df826799f6a5ea26a35d0636652e66
        a3d38e20e2c95849b306ebcd12
    MS-MPPE-Send-Key = 0xc86ea9f84be30702154115cfc2f365ebd9ac7455de3f00e7b35c659ff600f3300396b1b975
        1dd219fbc95faa9c94452edde4
    EAP-Message = "\003\005\000\004"
    Message-Authenticator = 0x
Finished request 9

and the last packet after the first re-authentication:

Sending Access-Accept of id 22 to 192.168.1.50:1046
    Session-Timeout = 60
    MS-MPPE-Recv-Key = 0x9d74e62ce37e6361a2847632c373ba5628eccc12c6e06ca347b1b9783e1713a0d4ac0c7628
        97fca4dd2cda40b2351271dab9
    MS-MPPE-Send-Key = 0x9d73bb620d16b0948f70848be54a316cb2da912aef4a882d2f78bf671f07ecd9ff0a0f6400
        625289f67f483ca93d8440cce6
    EAP-Message = "\003\006\000\004"
    Message-Authenticator = 0x
Finished request 14

Where can i find out how these keys are created?
Re: Reply packet code 11... : IGNORED
hi

Antonios Lazaridis wrote:
>
> > Artur Hecker <[EMAIL PROTECTED]> wrote:
> > > dynamic wep keys are supported, the doc is outdated.
> >
> > Fixed, thanks.
> > Alan DeKok.
>
> I downloaded the yesterday's snapshot.
>
> (The document still says
> Please note that WEP is not yet supported in freeradius
>
> i am not sure if you wanted to change this)

hmmm, Alan? :)

> The way i understood it, is that WEP is distributed automatically to AP and
> client, so i don't have to add anything, right?

kind of, yes.

> Using a Cisco 350 AP with 11.07 firmware, didn't work. Authentication
> finishes fine, but ping is not possible unless i set WEP keys for AP and
> client.

11.07 should work but you should upgrade your firmware, they have 11.23 already!!! it has some nice debug features which you could need. and: don't panic. we will surely get it running since i have the same config/hardware.

> How can i check if the server sends a WEP key or not?

you should have MPPE-* attributes in your Access-Accept message. if not, stop here and verify the compilation of your rlm_eap_tls module.

> Here is the last message that the RADIUS server sends, from the radius log:
> (PS: i have tried many times setting AP to Full encryption, optional
> encryption and no encryption)

it would be Full Encryption though. and unless you do not specify the Broadcast Key Rotation, you have to set the WEP Key in slot 1 (ONE!) and to mark it as transmit key.

> Sending Access-Challenge of id 27 to 192.168.1.50:1307
> Session-Timeout = 300
> EAP-Message =
> "\0019\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000
> 1\254\303g\315\230zo\355v\216x\010\213#k\203\200}\362\013/X\005\211\326n\332
> \351\221ky"
> Message-Authenticator = 0x
> State =
> 0xdab9df71610e1c89b0a00ed97ae0d13dbe58923d1e6dbce3b29707f3e14396d7ce40d85b
> Finished request 18

you can't be serious : this message is never the last one... this is a challenge. if this is the last message, the authentication has not been finished yet.

you definitely should have EAP-TLS running correctly before even thinking about dynamic keys. The last message has to be Access-Accept.

verify these points.

ciao
artur

--
Artur Hecker                 Groupe Accès et Mobilité
hecker[at]enst[dot]fr        Département Informatique et Réseaux
+33 1 45 81 7507             46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr    ENST Paris
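The check described in this thread (the last reply must be an Access-Accept, and it must carry the MPPE-* attributes), written as a parser over radiusd debug output. This is an added example, not code from the thread or from FreeRADIUS: the sample log is constructed (documentation address, made-up key bytes), the function names are hypothetical, and reading the EAP code out of the printed EAP-Message goes one step beyond what the messages spell out.

```python
import re

# Constructed sample of radiusd debug output. The Send-Key is wrapped onto a
# second line on purpose, the way mail clients wrap long lines.
SAMPLE_OK = r'''Sending Access-Challenge of id 16 to 192.0.2.50:1041
    EAP-Message = "\001\005\000\006\r\000"
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x0102030405060708
Finished request 8
Sending Access-Accept of id 17 to 192.0.2.50:1041
    Session-Timeout = 60
    MS-MPPE-Recv-Key = 0x00112233445566778899aabbccddeeff
    MS-MPPE-Send-Key = 0xffeeddccbbaa9988
7766554433221100
    EAP-Message = "\003\005\000\004"
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9
'''
# The same conversation cut off before the server accepted it.
SAMPLE_STUCK = SAMPLE_OK.split('Sending Access-Accept')[0]

SEND_RE = re.compile(r'^Sending (Access-[A-Za-z]+) of id (\d+) to (\S+):(\d+)\s*$')
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')
HEX_RE = re.compile(r'[0-9a-fA-F]+')
OCTAL_RE = re.compile(r'[0-3][0-7]{2}')
SIMPLE = {'r': 13, 'n': 10, 't': 9}
EAP_CODES = {1: 'Request', 2: 'Response', 3: 'Success', 4: 'Failure'}


def parse_replies(log_text):
    """Collect every 'Sending Access-...' block with its attribute lines."""
    replies, cur, last = [], None, None
    for line in log_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            cur = {'code': m.group(1), 'id': int(m.group(2)),
                   'nas': m.group(3), 'attrs': {}}
            replies.append(cur)
            last = None
            continue
        if cur is None:
            continue
        a = ATTR_RE.match(line)
        text = line.strip()
        if a:
            last = a.group(1)
            cur['attrs'].setdefault(last, []).append(a.group(2).strip())
        elif last and text and (line[:1].isspace() or (
                HEX_RE.fullmatch(text) and cur['attrs'][last][-1].startswith('0x'))):
            cur['attrs'][last][-1] += text  # wrapped continuation of a value
        else:
            cur = last = None               # e.g. "Finished request N"
    return replies


def decode_printed(value):
    """Turn a printed string such as "\\003\\005\\000\\004" back into bytes."""
    s = value[1:-1] if value[:1] == '"' == value[-1:] else value
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == '\\' and OCTAL_RE.fullmatch(s[i + 1:i + 4]):
            out.append(int(s[i + 1:i + 4], 8))
            i += 4
        elif s[i] == '\\' and i + 1 < len(s):
            out.append(SIMPLE.get(s[i + 1], ord(s[i + 1]) & 0xFF))
            i += 2
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)


def check_key_delivery(log_text):
    """Return (ok, findings) for the last reply the server sent."""
    replies = parse_replies(log_text)
    if not replies:
        return False, ['no "Sending Access-..." block found']
    final, findings = replies[-1], []
    attrs = final['attrs']
    if final['code'] != 'Access-Accept':
        findings.append('last reply is %s, not Access-Accept' % final['code'])
    for name in ('MS-MPPE-Recv-Key', 'MS-MPPE-Send-Key'):
        values = attrs.get(name, [])
        if not values or not re.fullmatch(r'0x[0-9a-fA-F]+', values[0]):
            findings.append('%s missing' % name)
    if 'EAP-Message' in attrs:
        eap = decode_printed(attrs['EAP-Message'][0])
        code = EAP_CODES.get(eap[0], 'unknown') if eap else 'empty'
        if code != 'Success':
            findings.append('EAP-Message is EAP-%s, not EAP-Success' % code)
    return not findings, findings


if __name__ == '__main__':
    for label, text in (('complete', SAMPLE_OK), ('cut off', SAMPLE_STUCK)):
        print(label, check_key_delivery(text))
```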
RE: Reply packet code 11... : IGNORED
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > dynamic wep keys are supported, the doc is outdated.
>
> Fixed, thanks.
> Alan DeKok.

I downloaded the yesterday's snapshot.

(The document still says
Please note that WEP is not yet supported in freeradius

i am not sure if you wanted to change this)

The way i understood it, is that WEP is distributed automatically to AP and client, so i don't have to add anything, right?

Using a Cisco 350 AP with 11.07 firmware, didn't work. Authentication finishes fine, but ping is not possible unless i set WEP keys for AP and client.

How can i check if the server sends a WEP key or not?

Here is the last message that the RADIUS server sends, from the radius log:
(PS: i have tried many times setting AP to Full encryption, optional encryption and no encryption)

Sending Access-Challenge of id 27 to 192.168.1.50:1307
    Session-Timeout = 300
    EAP-Message =
    "\0019\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000
    1\254\303g\315\230zo\355v\216x\010\213#k\203\200}\362\013/X\005\211\326n\332
    \351\221ky"
    Message-Authenticator = 0x
    State =
    0xdab9df71610e1c89b0a00ed97ae0d13dbe58923d1e6dbce3b29707f3e14396d7ce40d85b
Finished request 18
Re: freeradius + oracle = rlm_sql: failed after re-connect
with this I solved the auth problem, but encountered a problem for the accounting inserts.

Here I send you the changes I made in sql.conf

From:

accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"

To:

accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', to_date('%S', '-MM-DD HH24:MI:SS'), '', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"

Thanks for your help!

Alan DeKok wrote:

> Diego <[EMAIL PROTECTED]> wrote:
> > This fail after re-connect problem seems to be because in the select
> > order trys to get the op column also, from the radgroupreply
> > table. which is not created with that column in the scripts.
> >
> > Should I add this column in the oracle database?
>
> Yes.
>
> > Where can i get your last changes? Do I have to wait for tonight last cvs
> > snapshot?
>
> Yes.
>
> Alan DeKok.
Re: Error:CHILD:exit on signal (11)???
could you try the current sources from cvs? I've seen a fix go in that fixes some problems on my end...
--
Todd Fries .. [EMAIL PROTECTED]
(last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $)

Penned by Tiemeyer on Wed, Sep 25, 2002 at 11:24:27PM +0200, we have:
| Hello,
|
| I have a simple question.
| After compiling and installing freeradius 0.7.1 on debian as described in
| the docs, I tested the daemon with the -X option and it told me a lot of
| informations about himself. (Last line: Waiting for incoming requests - or
| something like that).
| After that I started the daemon with the command radiusd &.
| Then I tried to get a connection via an access-point (Lancom) and the daemon
| died.
| The only line within the log file is the following:
|
| Error:CHILD:exit on signal (11)
|
| What does this mean and where can I get some informations about this?
|
| Greetings and thanks in advance...
|
| Holger
Error:CHILD:exit on signal (11)???
Hello,

I have a simple question.
After compiling and installing freeradius 0.7.1 on debian as described in the docs, I tested the daemon with the -X option and it told me a lot of informations about himself. (Last line: Waiting for incoming requests - or something like that).
After that I started the daemon with the command radiusd &.
Then I tried to get a connection via an access-point (Lancom) and the daemon died.
The only line within the log file is the following:

Error:CHILD:exit on signal (11)

What does this mean and where can I get some informations about this?

Greetings and thanks in advance...

Holger
Re: General questions
Ok, thanx.

Thor.
Re: General questions
"Thor Spruyt" <[EMAIL PROTECTED]> wrote: > > You can edit the SQL queries yourself. > > Nothing like an external program I can call or something ? Sure, it can do that too. Read the 'features' web page... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: General questions
> You can edit the SQL queries yourself.

Nothing like an external program I can call or something ?

Thor.
Re: port problem
was but using daemon tools now.. I get this error when running check-radius-config.

----- Original Message -----
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 10:50 AM
Subject: Re: port problem

> are you using radwatch?
>
> Nick Marino wrote:
> > nope both are correct in my radius.conf and the services file.
> > already checked both and did a scan on ports in use on my system and that
> > port is not active that is why I can understand radiusd reporting it.
> >
> > ----- Original Message -----
> > From: "Chris Parker" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 25, 2002 10:24 AM
> > Subject: Re: port problem
> >
> >>At 09:26 AM 9/25/2002 -0500, Nick Marino wrote:
> >>
> >>>anyone know why I get this error? there is no other radius server running
> >>>and that port is not inuse on the system.
> >>>
> >>>auth bind: Address already in use
> >>> There appears to be another RADIUS server already running on the
> >>>authentication port UDP 32768.
>
> --
> Artur Hecker                 Groupe Accès et Mobilité
> hecker[at]enst[dot]fr        Département Informatique et Réseaux
> +33 1 45 81 7507             46, rue Barrault 75634 Paris cedex 13
> http://www.infres.enst.fr    ENST Paris
Re: General questions
"Thor Spruyt" <[EMAIL PROTECTED]> wrote: > 1) For accounting requests, can FreeRadius proxy and store into a local > mySql database ? Yes. Before proxying the packet, it can do local accounting. > 2) What mechanisms are available to update a user's attributes in a > mySql database when a acct-stop request is received ? (I'd like to > update time and volume limits) You can edit the SQL queries yourself. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
General questions
Hi,

I need a radius server for a project and I am comparing some opensource solutions.
I read the docs and faqs of FreeRadius, but I'm still puzzled about the following:

1) For accounting requests, can FreeRadius proxy and store into a local mySql database ?
2) What mechanisms are available to update a user's attributes in a mySql database when a acct-stop request is received ? (I'd like to update time and volume limits)
3) Is it possible to do both 1 and 2 or is it either 1 or 2 ?

Thanx for your help.

Thor Spruyt
System Engineer
Mobile: +32 (0)475 67 22 65
Email: [EMAIL PROTECTED]
Website: http://www.wwworks.be
Everything about sales: http://www.salesguide.be
OU: http://www.extranet.ou.nl/studie-profiel/838541466.asp
Re: Reject Group in mysql
On Wed, 25 Sep 2002, Alberto Pereira wrote:

> Hi,
>
> How can I configure a group in mysql to reject the auth package?
> Like on the users file:
>
> DEFAULT Group = emailonly, Auth-Type = Reject
>
> I tried something like:
>
> mysql> select * from radgroupreply where GroupName = "reject";
> +----+-----------+-----------+--------+------+------+
> | id | GroupName | Attribute | Value  | op   | prio |
> +----+-----------+-----------+--------+------+------+
> |  8 | reject    | Auth-Type | Reject | NULL |    0 |
> +----+-----------+-----------+--------+------+------+
>
> And put the users in this group, but this don't work.
>

Try adding the following to radgroupcheck:

insert into radgroupcheck values ('','reject','Auth-Type','Reject',':=');

and remove the entry you mentioned above from the radgroupreply. Make sure your users that you want to reject are in the group reject listed in usergroup table and it should work. I have tested it here

---
"I have not failed. I've just found 10,000 ways that won't work." - Thomas Edison

Michael Hendrix [EMAIL PROTECTED]
Systems Engineer / SysAdmin Team Leader
Logical Net / Capital Net
(518) 292-4509
Re: Reject Group in mysql
At 04:37 PM 9/25/2002 -0300, Alberto Pereira wrote:
>Hi,
>
>How can I configure a group in mysql to reject the auth package?
>Like on the users file:
>
>DEFAULT Group = emailonly, Auth-Type = Reject
>
>I tried something like:
>
>mysql> select * from radgroupreply where GroupName = "reject";
>+----+-----------+-----------+--------+------+------+
>| id | GroupName | Attribute | Value  | op   | prio |
>+----+-----------+-----------+--------+------+------+
>|  8 | reject    | Auth-Type | Reject | NULL |    0 |
>+----+-----------+-----------+--------+------+------+
>
>And put the users in this group, but this don't work.
>
>Someone can help me?

What syntax would you use in the users file to accomplish that? I'll answer for you, you would use 'Auth-Type := Reject'. Note that ':=' is nowhere in your row above. You could try putting the correct syntax in there.

This question is covered every few days on the list. It is answered in several places.

-Chris
--
   \\\|||///  \ StarNet Inc.              \ Chris Parker
   \ ~   ~ /   \ WX *is* Wireless!         \ Director, Engineering
   | @   @ |    \ http://www.starnetwx.net  \ (847) 963-0116
oOo---(_)---oOo--\--------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
Re: Reject Group in mysql
Out of curiosity, why did you not include an operator? Possibly op for this item should be :=

--
Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 25 Sep 2002, Alberto Pereira wrote:

> Date: Wed, 25 Sep 2002 16:37:46 -0300
> From: Alberto Pereira <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Reject Group in mysql
>
> Hi,
>
> How can I configure a group in mysql to reject the auth package?
> Like on the users file:
>
> DEFAULT Group = emailonly, Auth-Type = Reject
>
> I tried something like:
>
> mysql> select * from radgroupreply where GroupName = "reject";
> +----+-----------+-----------+--------+------+------+
> | id | GroupName | Attribute | Value  | op   | prio |
> +----+-----------+-----------+--------+------+------+
> |  8 | reject    | Auth-Type | Reject | NULL |    0 |
> +----+-----------+-----------+--------+------+------+
>
> And put the users in this group, but this don't work.
>
> Someone can help me?
>
> Thanks,
>
> Alberto
Reject Group in mysql
Hi,

How can I configure a group in mysql to reject the auth package?
Like on the users file:

DEFAULT Group = emailonly, Auth-Type = Reject

I tried something like:

mysql> select * from radgroupreply where GroupName = "reject";
+----+-----------+-----------+--------+------+------+
| id | GroupName | Attribute | Value  | op   | prio |
+----+-----------+-----------+--------+------+------+
|  8 | reject    | Auth-Type | Reject | NULL |    0 |
+----+-----------+-----------+--------+------+------+

And put the users in this group, but this don't work.

Someone can help me?

Thanks,

Alberto
Re: The Auth in mysql
Dyego Souza do Carmo <[EMAIL PROTECTED]> wrote:
> Please... if anyone use the "Radius an mysql (auth in mysql )" please
> send-me a copy of yours configuration files ( raddb/users ;
> raddb/radiusd.conf ) and tables rows ! ...

Search the mailing list archives. This topic has come up a lot.

Alan DeKok.
The Auth in mysql
Please... if anyone use the "Radius an mysql (auth in mysql )" please send-me a copy of yours configuration files ( raddb/users ; raddb/radiusd.conf ) and tables rows ! ...

I'm trying to use this radius but the auth in mysql does not work ! :

thanks for attention !

-
++ Dyego Souza do Carmo ++
Dep. Desenvolvimento
- E S C R I B A I N F O R M A T I C A -
The only stupid question is the unasked one (somewhere in Linux's HowTo)
Linux registred user : #230601
--
$ look into "my eyes"
look: cannot open my eyes
-
Reply: [EMAIL PROTECTED]
Re: File Size too big
In article <[EMAIL PROTECTED]>, Alan DeKok <[EMAIL PROTECTED]> wrote:
>"Miquel van Smoorenburg" <[EMAIL PROTECTED]> wrote:
>> So for freeradius to handle > 2GB files on Linux (and Solaris, and
>> almost any other Unix on a 32 bits processor except FreeBSD which
>> has 64 bits file offsets by default) you need to compile with flags
>> -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
>
> Hmm... I wasn't aware of those options. Would there be any impact
>with using them? Or should they be turned on in a 'configure' option?

I'm not sure. INN has LFS (Large File Summit) support, and they handle it in configure, since apparently some systems force you to link to an extra library.

dnl If configuring with large file support, determine the right flags to
dnl use based on the platform. This is the wrong approach; autoconf 2.50
dnl comes with a macro that takes the right approach. But this works well
dnl enough until we switch to autoconf 2.50 or later.
if test x"$inn_enable_largefiles" = xyes ; then
    AC_MSG_CHECKING(for largefile linkage)
    case "$host" in
    *-aix4.[01]*)
        AC_MSG_RESULT(no)
        AC_MSG_ERROR([AIX before 4.2 does not support large files])
        ;;
    *-aix4*)
        AC_MSG_RESULT(ok)
        LFS_CFLAGS="-D_LARGE_FILES"
        LFS_LDFLAGS=""
        LFS_LIBS=""
        ;;
    *-hpux*)
        AC_MSG_RESULT(ok)
        LFS_CFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
        LFS_LDFLAGS=""
        LFS_LIBS=""
        ;;
    *-irix*)
        AC_MSG_RESULT(no)
        AC_MSG_ERROR([Large files not supported on this platform])
        ;;
    *-linux*)
        AC_MSG_RESULT(maybe)
        LFS_CFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
        LFS_LDFLAGS=""
        LFS_LIBS=""
        AC_DEFINE([_GNU_SOURCE], 1,
                  [Some versions of glibc need this defined for pread/pwrite.])
        ;;
    *-solaris*)
        AC_MSG_RESULT(ok)
        AC_PATH_PROG(GETCONF, getconf)
        if test -z "$GETCONF" ; then
            AC_MSG_ERROR([getconf required to configure large file support])
        fi
        LFS_CFLAGS=`$GETCONF LFS_CFLAGS`
        LFS_LDFLAGS=`$GETCONF LFS_LDFLAGS`
        LFS_LIBS=`$GETCONF LFS_LIBS`
        ;;
    *)
        AC_MSG_RESULT(maybe)
        LFS_CFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
        LFS_LDFLAGS=""
        LFS_LIBS=""
        ;;
    esac
    AC_SUBST(LFS_CFLAGS)
    AC_SUBST(LFS_LDFLAGS)
    AC_SUBST(LFS_LIBS)
fi

Mike.
--
Computers are useless, they only give answers. --Pablo Picasso
Re: File Size too big
"Miquel van Smoorenburg" <[EMAIL PROTECTED]> wrote: > Also, most 32-bit systems do /not/ handle files > 2GB by default. > The application must be compiled with 'large file support'. > > So for freeradius to handle > 2GB files on Linux (and Solaris, and > almost any other Unix on a 32 bits processor except FreeBSD which > has 64 bits file offsets by default) you need to compile with flags > -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 Hmm... I wasn't aware of those options. Would there be any impact with using them? Or should they be turned on in a 'configure' option? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + oracle = rlm_sql: failed after re-connect
Diego <[EMAIL PROTECTED]> wrote:
> This fail after re-connect problem seems to be because in the select
> order trys to get the op column also, from the radgroupreply
> table. which is not created with that column in the scripts.
>
> Should I add this column in the oracle database?

Yes.

> Where can i get your last changes? Do I have to wait for tonight last cvs
> snapshot?

Yes.

Alan DeKok.
Re: port problem
are you using radwatch?

Nick Marino wrote:
> nope both are correct in my radius.conf and the services file.
> already checked both and did a scan on ports in use on my system and that
> port is not active that is why I can understand radiusd reporting it.
>
> ----- Original Message -----
> From: "Chris Parker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 25, 2002 10:24 AM
> Subject: Re: port problem
>
>>At 09:26 AM 9/25/2002 -0500, Nick Marino wrote:
>>
>>>anyone know why I get this error? there is no other radius server running
>>>and that port is not inuse on the system.
>>>
>>>auth bind: Address already in use
>>> There appears to be another RADIUS server already running on the
>>>authentication port UDP 32768.

--
Artur Hecker                 Groupe Accès et Mobilité
hecker[at]enst[dot]fr        Département Informatique et Réseaux
+33 1 45 81 7507             46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr    ENST Paris
Re: freeradius + oracle = rlm_sql: failed after re-connect
This fail after re-connect problem seems to be because in the select order trys to get the op column also, from the radgroupreply table. which is not created with that column in the scripts.

Should I add this column in the oracle database?

Where can i get your last changes? Do I have to wait for tonight last cvs snapshot?

Alan DeKok wrote:

> Andrea Gabellini <[EMAIL PROTECTED]> wrote:
> > I notice that in the select is missing the Op column. I don't know what FR
> > does without it. Pay attention because SQL commands to create tables in the
> > distribution don't add this column.
>
> I've just fixed that for Oracle, thanks.
>
> Alan DeKok.
Re: Ippool
On Fri, 20 Sep 2002 11:45:51 +0300 (EEST) Kostas Kalevras <[EMAIL PROTECTED]> wrote:
>
> I am not sure that you can do group membership checks with the pam
> module. Try using the unix module for that (just put it in the
> instantiate section to register it's groupcmp function).

That was it, thanks!

---
Homer Parker
Re: port problem
nope both are correct in my radius.conf and the services file.
already checked both and did a scan on ports in use on my system and that port is not active that is why I can understand radiusd reporting it.

----- Original Message -----
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 10:24 AM
Subject: Re: port problem

> At 09:26 AM 9/25/2002 -0500, Nick Marino wrote:
> >anyone know why I get this error? there is no other radius server running
> >and that port is not inuse on the system.
> >
> >auth bind: Address already in use
> > There appears to be another RADIUS server already running on the
> >authentication port UDP 32768.
>
> Check that you have the proper ports defined in /etc/services for
> FreeRADIUS to listen on. Or, you can specify the ports to be used
> in your 'radiusd.conf' file. I suspect you don't have it defined, or
> have it defined with a strange value.
>
> -Chris
> --
>    \\\|||///  \ StarNet Inc.              \ Chris Parker
>    \ ~   ~ /   \ WX *is* Wireless!         \ Director, Engineering
>    | @   @ |    \ http://www.starnetwx.net  \ (847) 963-0116
> oOo---(_)---oOo--\--------------------------------------------------
>                   \ Wholesale Internet Services - http://www.megapop.net
Re: port problem
At 09:26 AM 9/25/2002 -0500, Nick Marino wrote:
>anyone know why I get this error? there is no other radius server running
>and that port is not inuse on the system.
>
>auth bind: Address already in use
> There appears to be another RADIUS server already running on the
>authentication port UDP 32768.

Check that you have the proper ports defined in /etc/services for FreeRADIUS to listen on. Or, you can specify the ports to be used in your 'radiusd.conf' file. I suspect you don't have it defined, or have it defined with a strange value.

-Chris
--
   \\\|||///  \ StarNet Inc.              \ Chris Parker
   \ ~   ~ /   \ WX *is* Wireless!         \ Director, Engineering
   | @   @ |    \ http://www.starnetwx.net  \ (847) 963-0116
oOo---(_)---oOo--\--------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
RE: IP Addresses for Clients
Thanks for the response,

I was able to allow the NAS device assign the IP address to the client, it worked great using the 255.255.255.254 address. But on the radius server is there a way to define a static IP address for each client for each device though, maybe using suffix or prefix's? (For the NAS device is pulling from a pool of IP addresses that is defined on the NAS device randomly giving the numbers to the end users)

The Two devices I am working with is a Cisco VPN Concentrator and Dial-Up pool configured on a Cisco Router.

Thanks for all your help,
Andrew Grimmett

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yury Bokhoncovich
Sent: Wednesday, September 25, 2002 2:53 AM
To: [EMAIL PROTECTED]
Subject: Re: IP Addresses for Clients

Hello!

On Tue, 24 Sep 2002, Andrew Grimmett wrote:

> I currently have Freeradius 0.7.1 installed and running, how can I
> assign multiple static IP address for users that are connecting through
> different devices with the radius server? I currently have the users

It depends on the matter; in the most cases this can be done by NAS, RADIUS server should be configured to response special "magic" IP: 255.255.255.254 IIRC.

--
WBR, Yury Bokhoncovich, Senior System Administrator, NOC of F1 Group.
Phone: +7 (3832) 106228, ext.140, E-mail: [EMAIL PROTECTED]
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Re: How can I configure freeradius0.7.1 to authenticate in Mysql database?
How can I configure pap module to authenticate in mysql?

I set this :

# PAP module to authenticate users based on their stored password
#
#  Supports multiple encryption schemes
#  clear: Clear text
#  crypt: Unix crypt
#    md5: MD5 encryption
#   sha1: SHA1 encryption.
#  DEFAULT: crypt
pap {
    encryption_scheme = clear
}

and

authenticate {
#   pam
#   unix
    # Uncomment it if you want to use ldap for authentication
#   authtype LDAP {
#       ldap
#   }
#   mschap
#   eap
    # Uncomment it if you want to support CHAP
#   authtype CHAP {
#       chap
#   }
    # Uncomment the following if you want to support PAP and you
    # extract user passwords from the user database (LDAP,SQL, etc).
    # You should use the 'files'module to set 'Auth-Type := PAP' for
    # this to work.
    authtype SQL {
        pap
    }
#
}

But the radius don't look in database of mysql for user and password.
I don't see it in mysql.log

How can i configure this?

Thanks,

Alberto

----- Original Message -----
From: "Nick Marino" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 11:47 AM
Subject: Re: How can I configure freeradius0.7.1 to authenticate in Mysql database?

I am using mysql and pap, anything I can do to help? specific config entries in the conf files that is.

----- Original Message -----
From: "Alberto Pereira" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 9:30 AM
Subject: How can I configure freeradius0.7.1 to authenticate in Mysql database?

> Hi,
>
> Someone can help me how How can I configure freeradius0.7.1 to authenticate
> in Mysql database?
> I read in list archives to put:
> "Auth-Type=Pap"
>
> But it don't work!
>
> How i can configure Pap to use a mysql table?
>
> Thanks.
>
> Alberto
Re: How can I configure freeradius0.7.1 to authenticate in Mysql database?
I am using mysql and pap, anything I can do to help? specific config entries in the conf files that is.

----- Original Message -----
From: "Alberto Pereira" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 9:30 AM
Subject: How can I configure freeradius0.7.1 to authenticate in Mysql database?

> Hi,
>
> Someone can help me how How can I configure freeradius0.7.1 to authenticate
> in Mysql database?
> I read in list archives to put:
> "Auth-Type=Pap"
>
> But it don't work!
>
> How i can configure Pap to use a mysql table?
>
> Thanks.
>
> Alberto
How can I configure freeradius0.7.1 to authenticate in Mysql database?
Hi,

Someone can help me how How can I configure freeradius0.7.1 to authenticate in Mysql database?
I read in list archives to put:
"Auth-Type=Pap"

But it don't work!

How i can configure Pap to use a mysql table?

Thanks.

Alberto
Re: External authentication ?
Torbjorn Tornkvist <[EMAIL PROTECTED]> wrote:
> That's exactly what I did, but doesn't the entry:
>
> bob Password == "bob"
>     Exec-Program-Wait = "/path/to/program/exec-program-wait"
>
> mean that the password sent to the Radius server is "bob" ?

Yes. But you can also do:

bob Auth-Type := Accept
    Exec-Program-Wait

If the program does: exit(1), then the authentication fails.

Alan DeKok.
port problem
anyone know why I get this error? there is no other radius server running and that port is not in use on the system.

auth bind: Address already in use
There appears to be another RADIUS server already running on the authentication port UDP 32768.
Re: External authentication ?
> > How can I setup my Freeradius server so that
> > an external program does the authentication ?
>
> See 'scripts/exec-program-wait'

That's exactly what I did, but doesn't the entry:

bob    Password == "bob"
       Exec-Program-Wait = "/path/to/program/exec-program-wait"

mean that the password sent to the Radius server is "bob" ? If so, it's no good since I don't want to list any passwords in the users file.

> Have you tried reading the 'doc' directory? 'doc/variables.txt'

Thanx.

BTW: The smb example in experimental.conf is somewhat misleading: the 'server = ntdomain.server.example.com' should really be 'server = servicename' (i.e. not necessarily the DNS name). At least it confused me for a while... :-)

Cheers /Tobbe
Re: RH 6.2 & Freeradius-0.7
"Joeffrey Betita" <[EMAIL PROTECTED]> wrote:
> below is the log when i try to login using Win98. pls help me. all i want
> is i can see the user who dialup. on /var/log/radius/radius.log do i have to
> edit the file on /raddb/users or clients. thanks for your help.

Why would it help to post logs from a PPP daemon?

Alan DeKok.
Re: freeradius + oracle = rlm_sql: failed after re-connect
Andrea Gabellini <[EMAIL PROTECTED]> wrote:
> I notice that in the select is missing the Op column. I don't know what FR
> does without it. Pay attention because SQL commands to create tables in the
> distribution don't add this column.

I've just fixed that for Oracle, thanks.

Alan DeKok.
Re: Reply packet code 11... : IGNORED
Artur Hecker <[EMAIL PROTECTED]> wrote:
> dynamic wep keys are supported, the doc is outdated.

Fixed, thanks.

Alan DeKok.
Re: External authentication ?
Torbjorn Tornkvist <[EMAIL PROTECTED]> wrote:
> How can I setup my Freeradius server so that
> an external program does the authentication ?

See 'scripts/exec-program-wait'

> Also, what '%'-macros are valid together with the Exec-Program
> attribute ?

Have you tried reading the 'doc' directory? 'doc/variables.txt'

Alan DeKok.
Re: freeradius + oracle = rlm_sql: failed after re-connect
Diego <[EMAIL PROTECTED]> wrote:
> I'm trying to use freeradius with oracle.
> I managed to make freeradius connect to oracle and try to authenticate
> there, but i still cannot get a positive response.
>
> any suggestions?

Don't post the same message twice to the list?

Read the message you posted to the list?

> rlm_sql: failed after re-connect
> rlm_sql_getvpdata: database query error

That would appear to be a problem. Why don't you fix that, instead of waiting for answers from the list?

Alan DeKok.
Re: FreeRadius configuration with Oracle, (continued)
> I think that my problem goes a little deeper than that as I am pretty sure
> that I am missing some libraries. Here is a snippet of the warnings that
> I receive from running configure.

You can always go to the oracle module directory, and build its Makefile by hand...

Alan DeKok.
Re: RH 6.2 & Freeradius-0.7
On Wed, 25 Sep 2002 18:59:52 +0800 Joeffrey Betita wrote:
> below is the log when i try to login using Win98. pls help me. all i want
> is i can see the user who dialup. on /var/log/radius/radius.log do i have
> to edit the file on /raddb/users or clients. thanks for your help.

You may see radius detail accounting logs in /var/log/radius/radacct/detail/x.x.x.x/, if you enable detail accounting. You may turn SQL accounting on and see logs in your database. And to see who's online you may use just the usual who command or radwho.

And sending login/password to /var/log/messages is not the job of radius server. I saw you use mgetty and I bet you haven't configured it correctly. If you want accounting job to be done with FreeRadius, check its config file.

--
Balkin Ruslan.
RE: RH 6.2 & Freeradius-0.7
below is the log when i try to login using Win98. pls help me. all i want is i can see the user who dialup. on /var/log/radius/radius.log do i have to edit the file on /raddb/users or clients. thanks for your help.

Sep 21 13:44:55 gw mgetty[22948]: data dev=ttyS1, pid=22948, caller='none', conn='28800/ARQ/V34/LAPM/V42BIS', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
Sep 21 13:44:55 gw pppd[22948]: pppd 2.3.11 started by LOGIN, uid 0
Sep 21 13:44:55 gw pppd[22948]: Using interface ppp1
Sep 21 13:44:55 gw pppd[22948]: Connect: ppp1 <--> /dev/ttyS1
Sep 21 13:44:59 gw kernel: PPP BSD Compression module registered
Sep 21 13:44:59 gw kernel: PPP Deflate Compression module registered
Sep 21 13:44:59 gw pppd[22948]: found interface eth0 for proxy arp
Sep 21 13:44:59 gw pppd[22948]: local IP address 192.168.1.1
Sep 21 13:44:59 gw pppd[22948]: remote IP address 192.168.1.122
Sep 21 15:27:30 gw pppd[22948]: Hangup (SIGHUP)
Sep 21 15:27:30 gw pppd[22948]: Modem hangup
Sep 21 15:27:30 gw pppd[22948]: Connection terminated.
Sep 21 15:27:30 gw pppd[22948]: Connect time 102.6 minutes.
Sep 21 15:27:30 gw pppd[22948]: Sent 5317999 bytes, received 790663 bytes.
Sep 21 15:27:31 gw pppd[22948]: Exit.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ruslan Balkin
Sent: Wednesday, September 11, 2002 3:37 PM
To: [EMAIL PROTECTED]
Subject: Re: RH 6.2 & Freeradius-0.7

On Wed, 11 Sep 2002 11:25:19 +0800 Joeffrey Betita wrote:
> i did try radtest on another window. it registered my username on
> radius.log but when i tried to dial up using Win98 it did not log my
> username. also i tried the command /usr/local/sbin/radius -x -A it did
> not register anything. thanks for your help.

I think you should just start radiusd -X (debug mode) and look at the console while connecting from Win98.

In my humble opinion, Win98 is set to use CHAP authorization while Radius expects PAP or vice-versa, but I didn't try such a combination and don't know what errors appear in such case. See radiusd -X output AND your dial-in server logs AND ppp daemon log. If connection is broken because of pppd error (e.g. on Russian phone lines :( ) - try disabling certain compression types in pppd.

And read EVERY line of radiusd -X output (especially when client is getting connected) - it will help you better than any mailing list.

--
Balkin Ruslan
Re: freeradius + oracle = rlm_sql: failed after re-connect
which version of FR do you use? can the machine where freeradius runs connect to the oracle server?

I notice that in the select is missing the Op column. I don't know what FR does without it. Pay attention because SQL commands to create tables in the distribution don't add this column.

Andrea

At 22.10 24/09/02, you wrote:
>I'm trying to use freeradius with oracle.
>I managed to make freeradius connect to oracle and try to authenticate
>there, but i still cannot get a positive response.
>
>any suggestions?
>
>
>
>echo "User-Name = diego11" || radclient localhost auth testing123
>
>rad_recv: Access-Request packet from host 127.0.0.1:32904, id=248,
>length=47
> User-Name = "diego11"
> User-Password =
>"V\334\035\356.\210\317\247{q\356\240\305b\357\347"
>modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
>radius_xlat: 'diego11'
>sql_set_user: escaped user --> 'diego11'
>radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE
>Username = 'diego11' ORDER BY id'
>rlm_sql: Reserving sql socket id: 4
>SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username =
>'diego11' ORDER BY id
>rlm_sql: Attempting to connect #4
>rlm_sql: Connected new DB handle, #4
>SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username =
>'diego11' ORDER BY id
>rlm_sql: failed after re-connect
>rlm_sql_getvpdata: database query error
>rlm_sql: SQL query error; rejecting user
>rlm_sql: Released sql socket id: 4
> modcall[authorize]: module "sql" returns fail
>modcall: group authorize returns fail
>There was no response configured: rejecting request 0
>Server rejecting request 0.
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 248 to 127.0.0.1:32904
>Waking up in 4 seconds...
>MASTER: exit on signal (2)
RE: Problem compiling Freeradius 0.7.1 on a debian woody system
>> I believe there are Debian binary packages running around somewhere, but
>> I don't know if they're being actively updated at the moment.
>
>Tried to find but without luck.

apt-get install radiusd-freeradius
(only on Woody - "unstable")
Re: Reply packet code 11... : IGNORED
Antonios Lazaridis wrote:
>
> > normally, you should post the whole log, the configuration of the client
> > (intel-AP) and of the concerned users, since otherwise it's generally
> > difficult to understand what's wrong.

well, i said "normally". in that case as i've already explained to you, your AP is sending wrong packets which it should never send. besides, Alan said the same. try upgrading your firmware.

> Here is the freeradius log:
> (Intel AP has no special options for this i think,
> and for users configuration i use just this:
> DEFAULT Auth-Type := EAP
> Fall-though =1,
> Session-Timeout = 300
> )

the auth-type should actually be System or Local and your authorize section should mention the eap module at the last entry.

ciao
artur

--
Artur Hecker
artur[at]hecker.info
Re: Reply packet code 11... : IGNORED
dynamic wep keys are supported, the doc is outdated.

Antonios Lazaridis wrote:
>
> > Your AP is broken.
> >
> > Alan DeKok.
>
> I guess so,
> because using another AP (Cisco-350) works fine...
>
> So now i managed to have an EAP-TLS authentication server.
> I create certificates using openssl, and my client is windowsXP.
> Authentication works fine, except for the WEP keys.
>
> The rlm_eap doc says:
> (Please note that WEP is not yet supported in freeradius)
>
> I guess this means that the radius server doesn't set a WEP key and doesn't
> send it to the AP. Is this function under development?
>
> Thanks,
> antonis lazaridis.

--
Artur Hecker
artur[at]hecker.info
Re: aboout EAP TLS
lu_luwang wrote:
>
> hi
>
> >But after patch when I started the server,there is a segment
> >fault:./run-radiusd segment
> > fault /usr/local/radius/sbin/run-radiusd $@
>
> you don't need the patch, it is already included in the sources.

please, quote correctly. i can hardly understand what was your original question and what was my reply to it. and why are you repeating the message to the list three times? i've already replied to this message yesterday.

so, one more time: you need libcrypto and libssl to be mentioned in the Makefile of rlm_eap_tls, otherwise it won't be built correctly. these libs are part of openSSL package. please follow the instructions in adams description, there is an example Makefile, it should work if you correct the paths.

--
Artur Hecker
artur[at]hecker.info
Re: Problem compiling Freeradius 0.7.1 on a debian woody system
On Tue, Sep 24, 2002 at 07:40:55PM -0500, Steve Langasek wrote:
[...]
> The line I use for building on Debian is below.
>
> ./configure --prefix=$(prefix) --exec-prefix=$(exec_prefix) \
> --libdir=$(libdir) --mandir=$(mandir) --with-logdir=$(logdir) \
> --with-thread-pool --enable-ltdl-install=no --enable-strict-dependencies \
> --without-rlm_python --without-rlm_ippool --without-rlm_eap_tls \
> --without-rlm_sql_iodbc
>
> The key difference I notice between your configure arguments and mine is
> the '--disable-ltdl' at the end. Does it work if you omit that argument?

I noticed that in version 0.7. I thought to ask debian maintainer (Chad Miller, IIRC) what is the problem, but forgot.

> I believe there are Debian binary packages running around somewhere, but
> I don't know if they're being actively updated at the moment.

Tried to find but without luck.

Milan
External authentication ?
Hi,

How can I setup my Freeradius server so that an external program does the authentication ?

I've seen this example from the users conf file:

tobbe    Password == "tobbe"
         Exec-Program = "/usr/local/radius_auth.sh %u %w %y %g %h"

But I don't know the Password, so I would like to have something like:

tobbe    Auth-Type := External
         Exec-Program = "/usr/local/radius_auth.sh %u %w %y %g %h"

Also, what '%'-macros are valid together with the Exec-Program attribute ?

Thanx /Tobbe
freeradius0.7 can not work
I have downloaded and installed the freeradius0.7. After make and make install, when it ran and received the packet, there will be an error:

error while loading shared libraries:/usr/local/radius0.7/lib/rlm_eap_tls-0.7.so: Undefined symbol:SSL_set_msg_callback

It seems it can not find the openssl libs. I have installed the openssl in /usr/local/openssl. I have modified the eap_tls makefile, and added the libs: ssl, crypto. But it still does not work.

I used freeradius0.5 before, there's no such errors. I do not know why it gets to this. I installed freeradius0.7 in order to get the premaster key. You must have used freeradius0.7, can you help to run it correctly?