Re: Re[6]: Strange Reject problem

2002-11-21 Thread Angelos Karageorgiou

To follow up on Alan's reply.

Angelos's Guidelines for debugging radius.

A) Windows errors don't mean a thing, even to Microsoft
b) A Login OK does not mean that your dialup will be successful, whereas a
Login Incorrect is always a failure
c) Keep at hand the Access Server Admin
d) run tcpdump -X -s 1500 udp and port 1645 or port 1812
e) Watch the output REAALLLYYY carefully; you will see entries like
 10:30:27.769065 radion.unix.gr.datametrics 
 fasteth00-00.the03.cas.unix.gr.datametrics:  rad-access-accept
 151 [id 153] Attr[  Service_type{#519} Framed_proto{#268}
 Framed_mtu{1500} Framed_compress{#284} Idle_timeout{15:00 min} Service_type{#519}
 Framed_proto{#264} Framed_ipaddr{NAS_select}
 Session_timeout{229:29:36 hours} Reply{Login succefull. Maximum
 session time 9 days 13 hours 29 minutes 36 seconds} ] (DF)

f) Verify these settings with the Access Server

In case of mismatch you have problems like the weird Windows error codes

Your mileage may vary

 On Wed, 20 Nov 2002, Alan DeKok wrote:

 William Ragsdale [EMAIL PROTECTED] wrote:
  Right, Except that the Windows Dialup User doesn't get a invalid
  password error (691) they get a The PPP link control protocol was
  terminated (734).
 
   The RADIUS server doesn't control those error messages.
 
  The old radius generates the 691 error, while every version of Freeradius
  generates the 734.  I do not understand what is different about FreeRadius
  that is causing this.  
 
   Then use 'tcpdump' to find out.  Look at the Access-Reject sent by
 the other server, and look at the Access-Reject sent by FreeRADIUS.
 They will contain different attributes.
 
   Configure FreeRADIUS to send the same attributes as the old server,
 and you will get the old error in PPP.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 





Re: Default Gateway

2002-11-21 Thread Angelos Karageorgiou


On Wed, 20 Nov 2002, Jamil Buchalla Neto wrote:

 How do I set the default gateway for the users?
 
 When they connect the default gateway is becoming the same as their IP 
 Address.
 


That is the case in all PPP connections; you should worry ONLY about the
default gateway of your access server





Please give advice about Max-Session-Time

2002-11-21 Thread Remus Anca
Hi,
I'm back with the same questions...
Maybe Alan or Kostas have time to advise me or tell me where I should
read about it.

Max-Session-Time and Login-Time do not work.
I have 0.7.1 snapshots 20021110 (I will use 0.8, but I guess the
configuration is mostly the same)

  I have in radiusd.conf

counter counternever {
    filename = ${raddbdir}/db.never
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = never
    counter-name = RAD-Session-Time
    check-name = RAD-Max-Session-Time
    allowed-servicetype = Framed-User
    cache-size = 5000
}
#this is not used ... yet
counter countermonthly {
    filename = ${raddbdir}/db.monthly
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = monthly
    counter-name = RAD-Monthly-Session-Time
    check-name = RAD-Max-Monthly-Session-Time
    allowed-servicetype = Framed-User
    cache-size = 5000
}
authorize {
    preprocess
    files {
        fail = 1
        notfound = 2
        ok = return
    }
    sql
}
authenticate {
}
preacct {
}
accounting {
    counternever
    radutmp
    sradutmp
    sql
}
session {
    radutmp
    sql
}
post-auth {
}


  I have the next mysql tables:

usergroup:
id   UserName  GroupName
184  test      DefaultOra

radgroupcheck:
id  GroupName   Attribute           Value                op
14  DefaultOra  Service-Type        Framed-User          ==
15  DefaultOra  Framed-Protocol     PPP                  ==
16  DefaultOra  NAS-Port-Type       Async                ==
17  DefaultOra  Auth-Type           Local                :=
18  DefaultOra  Framed-Compression  Van-Jacobson-TCP-IP  :=
35  DefaultOra  Simultaneous-Use    1                    :=

radgroupreply:
id  GroupName   Attribute         Value   op  prio
2   DefaultOra  Framed-Filter-Id  secure  :=  0

I've tried to put RAD-Max-Session-Time in radreply with :=
   with ==
  radcheck with :=
   with ==

but it does not work.

The same thing for Login-Time (in radreply or radcheck), but it does not work.
Please advise me where I should look for trouble.
radiusd -X doesn't say anything about sending Access-Accept (like I
see for Framed-Filter-Id := 'secure').
Must I see something like this for RAD-Max-Session-Time?
Or for Session-Timeout, which is calculated by the counter module,
based on Max and the user counter?


-- 
Remus






after hours shared secret bug

2002-11-21 Thread Angelos Karageorgiou


Has anyone noticed freeradius giving errors for accounting packets with
Invalid shared secrets?


I am using freeradius as a proxy. It proxies some domains off of a clone
of livingston radius. Under normal conditions it works like a charm with
some NASes generating up to 1 Gig in detail log per month.

Sometimes, mostly under heavy load, both radiuses nag about invalid
shared secret which goes away after a while.

I have not been able to pinpoint the problem, yet I will try to tcpdump
and grab the raw data, I was just wondering if anyone has seen this
behaviour in the wild.


Thanks





Re[2]: Max-Session-Time

2002-11-21 Thread Remus Anca


GP Did you ever get this to work?

GP Gene

no
still search ...






Re: after hours shared secret bug

2002-11-21 Thread Karl Pielorz

--On 21 November 2002 09:40 +0200 Angelos Karageorgiou [EMAIL PROTECTED] 
wrote:

> Has anyone noticed freeradius giving errors for accounting packets with
> Invalid shared secrets?

Yes, we have that problem here... We're running FreeRADIUS 0.8, we have it 
'talking' to three other companies / sites...

Two of them work fine for both Auth, and Accounting. One remote system runs 
RADIATOR, the other two I don't know what they run, and can't find out 
[simply because, in their wisdom, they won't tell us].

For the third - auth works fine, accounting always shows Invalid 
Signature. The people running the third system are not brilliantly 
helpful. They insist they've thoroughly checked their side, and they are 
signing the packets with the same shared secret as the Auth packets (which 
work fine).

> Sometimes, mostly under heavy load, both radiuses nag about invalid
> shared secret which goes away after a while.

Ours always does this with no regard to load, but to only 1 out of 3 
systems. Interestingly, the people using RADIATOR also talk to the 3rd 
problem site, and don't have the same problem with it (and we can talk to 
that RADIATOR site fine).

> I have not been able to pinpoint the problem, yet I will try to tcpdump
> and grab the raw data, I was just wondering if anyone has seen this
> behaviour in the wild.

I've got tcpdump's here - I'm not sure (because of the way the secrets 
work) that you can do anything with them, other than tell whether or not 
the packet was signed with the one you have (i.e. you can't tell what 
secret was used to sign a packet, only that it does or doesn't match 
yours). Be interesting to know if you could run this test outside 
FreeRADIUS (i.e. Here's a packet, does it have a valid signature?).

There's another guy on the list at the moment, who also has problems with 
Invalid Signature - but he's also battling port number problems as well...

-Kp
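
The offline test asked about above ("here's a packet, does it have a valid signature?"), as an added example that is not part of the original post and not FreeRADIUS code: for an Accounting-Request, RFC 2866 defines the authenticator as MD5 over the 4-octet header, 16 zero octets, the attributes and the shared secret, so a captured packet can be checked against a secret you hold. The packet, the attribute values and the secret `testing123` are constructed samples; an Access-Request cannot be checked this way because its authenticator is random.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def split_packet(packet: bytes):
    """Return (first 4 header octets, authenticator, attributes)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-octet RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field disagrees with the captured data")
    attrs = packet[HEADER_LEN:length]  # octets past Length are padding
    # Walk the type/length/value triples so that a damaged capture is
    # reported as malformed instead of as a secret mismatch.
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        alen = attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % (HEADER_LEN + pos))
        pos += alen
    return packet[:4], packet[4:HEADER_LEN], attrs


def accounting_request_ok(packet: bytes, secret: bytes) -> bool:
    """True if the Accounting-Request was signed with `secret`."""
    head, auth, attrs = split_packet(packet)
    if head[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request (code %d)" % head[0])
    expected = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def accounting_response_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the Accounting-Response matches the request and `secret`."""
    head, auth, attrs = split_packet(response)
    if head[0] != ACCOUNTING_RESPONSE:
        raise ValueError("not an Accounting-Response (code %d)" % head[0])
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def attr(kind: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([kind, len(value) + 2]) + value


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a signed sample packet (used only to have something to verify)."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs


# Constructed sample: User-Name, Acct-Status-Type = Start, Acct-Session-Id.
SAMPLE_SECRET = b"testing123"
SAMPLE_ATTRS = attr(1, b"test") + attr(40, struct.pack("!I", 1)) + attr(44, b"0001")
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)

if __name__ == "__main__":
    # A trailing space in a configured secret is enough to fail the check.
    for candidate in (b"testing123", b"testing123 "):
        print(repr(candidate), accounting_request_ok(SAMPLE_PACKET, candidate))
```

Feed it the UDP payload of one captured accounting packet (ports 1646 or 1813) and the secret exactly as it appears in your client configuration.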



0.8 sql

2002-11-21 Thread Fedor V. Zelenkin
Hello all.
Can anybody say:
Where in sql.conf in FR 0.8 is the authenticate_query
defined?

Why is it not there?
Maybe authenticate_query is processed in the context of standard attributes?

Best regards.
Fedor V.Zelenkin.






dialup_admin, Acct-Terminate-Cause

2002-11-21 Thread Svetlana Vyslanko
Hello,

failed_logins.php3 from dialup_admin:

SELECT
AcctStopTime,UserName,NASIPAddress,NASPortId,AcctTerminateCause,CallingStationId
FROM $config[sql_accounting_table]
WHERE AcctStopTime = '$now_str' AND AcctStopTime = '$prev_str'
AND (AcctTerminateCause LIKE 'Login-Incorrect%' OR
AcctTerminateCause LIKE 'Invalid-User%' OR
AcctTerminateCause LIKE 'Multiple-Logins%') $callerid_str
ORDER BY AcctStopTime $order $limit;);

In my radacct table the field AcctTerminateCause is empty. How can I resolve
this problem?

Thank you,
Svetlana




Re: Default Gateway

2002-11-21 Thread Simon White
20-Nov-02 at 15:24, Jeremy Parr ([EMAIL PROTECTED]) wrote :
 Deleting the old gateway sounds like a bug.
 
 Maybe you could assign an IP address to the TC that is on the same subnet as
 the old gateway, delete the old gateway, and then change the ip address
 back.

The default gateway has to be on the same subnet as the NAS anyway,
that's for sure...

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




EAP/TLS testing: SSL_set_my_callback

2002-11-21 Thread Nikhil Chauhan
Hi:
I'm trying to test the open1x implementation using a Linux client (xsupplicant),
Cisco's 350 AP (authenticator) and FreeRadius-0.7.1 (authentication server).
The FreeRadius loading is fine and it receives an Access-Request but complains
about a symbol (SSL_set_my_callback) during the authentication phase.
Any help would be highly appreciated. The FreeRadius log is as follows:

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.11.20:1165, id=141, length=122
User-Name = "adam-ctl"
NAS-IP-Address = 192.168.11.20
Called-Station-Id = "004096577e54"
Calling-Station-Id = "00080997"
NAS-Identifier = "AP350"
NAS-Port = 29
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\215\000\r\001adam-ctl"
Message-Authenticator = 0xfb6183135ae6ee2969375a0ac87a6f88
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: Looking up realm NULL for UserName = "adam-ctl"
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched adam-ctl at 89
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type tls
lt-radiusd: error while loading shared libraries: /usr/local/lib/rlm_eap_tls-0.7.1.so: undefined symbol: SSL_set_my_callback

Re: EAP/TLS testing: SSL_set_my_callback

2002-11-21 Thread Artur Hecker
hi


it's the same problem for nearly all the people trying to install 
EAP/TLS and should be mentioned in one of the both available FAQs. this 
would be the 20th time, i answer this one :)

try ldd /usr/local/lib/rlm_eap_tls-0.7.1.so

do you have errors? correct those.

lt-radiusd: error while loading shared libraries: 
/usr/local/lib/rlm_eap_tls-0.7.1.so: undefined symbol: SSL_set_my_callback

probably you will need to alter the rlm_eap_tls makefile and to 
recompile. add -lcrypto after -lssl in the LIBS line.


ciao
artur



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Re: eap_identity or username attribute? (to Artur and lars)

2002-11-21 Thread Artur Hecker
hi


 If the realm is stripped away, wouldn't this work just
 fine as long   as you just verify the User-Name against the
 certificate and ignore   the EAP identity? e.g., but then you
 propose to not verify the equality of all THREE fields.


 Yes. As we have discussed the important point is to verify that the
 User-Name used for authorization (and accounting) corresponds to the
 certificate used for authentication. The EAP identity shouldn't
 really matter if the User-Name is used directly for this
 verification.

ok, so we would agree at:

use some handler id_equality(..., ...) for the verification of the 
equality of User-Name and the certified identity. make this handler 
configurable in radius.conf. provide common radius variables and in 
particular the realm suffixes and the configured realms to the handler 
in some form. (the best would be to provide the standard handler in this 
form, so everybody could modify the actual metrics).

something like that?


ciao
artur

--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris
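
One shape the `id_equality` handler proposed above could take, as an added example that is not FreeRADIUS code and not the poster's implementation: it strips a configured realm suffix from the User-Name and compares what is left with the identity taken from the already verified certificate. The function signature, the `@` delimiter, the case-insensitive realm match, the case-sensitive user match and the sample names are all assumptions.

```python
def strip_realm(name: str, realms: set, delimiter: str = "@"):
    """Split 'user@realm' into (user, realm); realm is None when absent.

    Raises ValueError when the realm is not one of the configured realms,
    so an unknown suffix can never be silently discarded.
    """
    user, sep, realm = name.rpartition(delimiter)
    if not sep:
        return name, None
    realm = realm.lower()
    if not user or realm not in realms:
        raise ValueError("unknown realm or empty user part: %r" % name)
    return user, realm


def id_equality(user_name: str, cert_identity: str, realms) -> bool:
    """Hypothetical handler: does User-Name name the certificate's subject?

    user_name     -- RADIUS User-Name used for authorization and accounting
    cert_identity -- identity extracted from the verified client certificate
    realms        -- configured realm suffixes (assumed to come from the
                     server configuration)
    """
    configured = {r.lower() for r in realms}
    for value in (user_name, cert_identity):
        # Reject empty values and control characters (for example an
        # embedded NUL) before any comparison is attempted.
        if not value or not value.isprintable():
            return False
    try:
        user, user_realm = strip_realm(user_name, configured)
        cert_user, cert_realm = strip_realm(cert_identity, configured)
    except ValueError:
        return False
    # Assumed policy: when both sides carry a realm the realms must agree;
    # when only one side carries it, the user parts alone are compared.
    if user_realm and cert_realm and user_realm != cert_realm:
        return False
    return user == cert_user


if __name__ == "__main__":
    realms = {"example.org", "isp.example"}  # constructed sample realms
    for pair in (("alice@example.org", "alice"),
                 ("alice@example.org", "alice@isp.example"),
                 ("alice@unknown.example", "alice")):
        print(pair, id_equality(pair[0], pair[1], realms))
```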




Re: after hours shared secret bug

2002-11-21 Thread Frank Cusack
On Thu, Nov 21, 2002 at 09:03:18AM +, Karl Pielorz wrote:
 I've got tcpdump's here - I'm not sure (because of the way the secrets 
 work) that you can do anything with them, other than tell whether or not 
 the packet was signed with the one you have

Which, luck has it, is enough to debug this problem.  Well, debug is going
too far, let's say direct blame.

If you can email a packet dump for one or two radius packets which fail
to verify, I'm sure someone will find it interesting enough to do the
work, perhaps even myself. :-)  You should include freeradius-devel,
I'm sure there's folks there that are not also on freeradius-users.

/fc




Re: EAP/TLS testing: SSL_set_my_callback

2002-11-21 Thread Nikhil Chauhan
Hi Artur:
Tried your suggestions, but the problem persists. 
"ldd /usr/local/lib/rlm_eap_tls-0.7.1.so" doesn't return any errors (below).
I modified the freeradius-0.7.1/src/modules/rlm_eap/types/rlm_eap_tls/Makefile
as: "RLM_LIBS += -lssl -lcrypto"

root ldd /usr/local/lib/rlm_eap_tls-0.7.1.so
 libcrypto.so.0.9.6 = /usr/lib/libcrypto.so.0.9.6 (0x40029000)
 libssl.so.0.9.6 = /usr/lib/libssl.so.0.9.6 (0x400ea000)
 libnsl.so.1 = /lib/libnsl.so.1 (0x40118000)
 libresolv.so.2 = /lib/libresolv.so.2 (0x4012e000)
 libthread.so.0 = /lib/libpthread.so.0 (0x4014)
 libc.so.6 = /lib/libc.so.6 (0x40156000)
 libdl.so.2 = /lib/libdl.so.2 (0x40273000)
 /lib/ld-linux.so.2 =  /lib/ld-linux.so.2 (0x8000)


Freeradius and expire date

2002-11-21 Thread Costas Christonis
 Hi to all
 We use freeradius 0.7 with LDAP and I want to ask this:
 can I configure freeradius so the account of a user has an expiration
 date?

Thank you

Costas A. Christonis
Networking  Communications Centre
Gallos Campus - University of Crete
tel: +30-8310-77044
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/






Reply-Message

2002-11-21 Thread Remus Anca


  Did someone succeed in putting messages, sent by freeradius with the
  Reply-Message attribute, on the Windows screen?

  I know it's a Windows problem, but how can I trick it?

  thx.

  I think this is very useful for all ISP admins

-- 
Remus






Re: Reply-Message

2002-11-21 Thread Karl Pielorz


--On 21 November 2002 16:50 +0200 Remus Anca [EMAIL PROTECTED] wrote:




  Did someone succeed in putting messages, sent by freeradius with the
  Reply-Message attribute, on the Windows screen?

  I know it's a Windows problem, but how can I trick it?

  thx.

  I think this is very useful for all ISP admins

--
Remus


I don't think any of the actual Windows PPP stacks support this, i.e. it's 
not going to work :(

I can't see any way you can work around it either, if it's not supported by 
the client - it's not supported :-(

[And how many ISP's wish it was supported? :)]

-Kp




Re: trouble compiling

2002-11-21 Thread Alan DeKok
spamdump [EMAIL PROTECTED] wrote:
 Thanks for the reply Alan. I looked at the configure source and it seems
 that this file is made within. However, the only line that I could see was
 one which echoed a new line into the file. I'm still puzzled as to what to
 do about the errors?

  Since you haven't bothered to post the errors, I'd guess it's your
responsibility to read them, understand them, and figure out the
problem yourself.

  Alan DeKok.





Re: Users file

2002-11-21 Thread Alan DeKok
Drew Weaver [EMAIL PROTECTED] wrote:
   Howdy, quick question, if I have all of my users stores in the users
 file.. Ala
 
 User1 password == password
 
 Will the DEFAULT settings at the bottom of this file apply to these users?

  Yes.

 Do I need to put timeout limits and everything on EACH user or will DEFAULT
 still work?

  Default works, so long as you have 'Fall-Through = Yes' for the
previous entries.


  The 'users' file which is shipped with the user has examples of
this, and comments as to how it works.  Did you read it?

  Alan DeKok.




Re: EAP/TLS testing: SSL_set_my_callback

2002-11-21 Thread Nikhil Chauhan
Hello:
Some deductions from the existing problem of variable: SSL_set_msg_callback
The command ldd rlm_eap_tls-0.7.1 shows that libcrypto.so.0.9.6 and 
libssl.so.0.9.6 are being picked up from /usr/lib/.
I think that their versions should instead be picked up from the snapshot version 
of openssl which are in /usr/local/openssl/lib/. Am I correct? If so, which file do
I need to make the change in?

root ldd /usr/local/lib/rlm_eap_tls-0.7.1.so 
 libcrypto.so.0.9.6 = /usr/lib/libcrypto.so.0.9.6 (0x40029000) 
 libssl.so.0.9.6 = /usr/lib/libssl.so.0.9.6 (0x400ea000) 
 libnsl.so.1 = /lib/libnsl.so.1 (0x40118000) 
 libresolv.so.2 = /lib/libresolv.so.2 (0x4012e000) 
 libthread.so.0 = /lib/libpthread.so.0 (0x4014) 
 libc.so.6 = /lib/libc.so.6 (0x40156000) 
 libdl.so.2 = /lib/libdl.so.2 (0x40273000) 
 /lib/ld-linux.so.2 =  /lib/ld-linux.so.2 (0x8000) 

Re: Reply-Message

2002-11-21 Thread Alan DeKok
Remus Anca [EMAIL PROTECTED] wrote:
   Did someone succeed in putting messages, sent by freeradius with the
   Reply-Message attribute, on the Windows screen?
 
   I know it's a Windows problem, but how can I trick it?

  Read the FAQ?  It's not rocket science.

  Alan DeKok.





Re: EAP/TLS testing: SSL_set_my_callback

2002-11-21 Thread Artur Hecker
check the rights, it could be that the server can't reach the libs when 
started as nobody.

ah, and consider updating.



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Freeradius and expire date

2002-11-21 Thread markcapelle
The password expiry is the responsibility of the LDAP server, not the
RADIUS server.  Look into the options on your LDAP server.

Mark Capelle

Date: Thu, 21 Nov 2002 16:21:37 +0200
From: Costas Christonis [EMAIL PROTECTED]
Organization: Univercity of Crete
To: [EMAIL PROTECTED]
Subject: Freeradius and expire date
Reply-To: [EMAIL PROTECTED]

 Hi to all
 We use freeradius 0.7 with LDAP and I want to ask this:
 can I configure freeradius so the account of a user has an expiration
 date?

Costas A. Christonis
Networking  Communications Centre
Gallos Campus - University of Crete
tel: +30-8310-77044
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/








Using MYSQL for accounting only

2002-11-21 Thread Mike Denka
I'm using LDAP for authentication and authorization across several
radius servers.  I'm thinking that using a single mysql server for
accounting from all my radius servers might be a significant advantage
over using multiple detail files on multiple servers and parsing these
detail files with a script.  Before I dive into this, I'd like to get
opinions from others who are using mysql for accounting:

1) anyone using mysql for accounting only - using another authentication
and authorization?  If so is the setup as simple as using the sql schema
included with freeradius and just including sql in the accounting
section of the radiusd.conf file?

2) are there significant gains to be made in terms of access to data and
report generation using mysql over perl scripts or other programs
written to parse the detail file and generate flat files with relevant
information?  My guess is that with a mysql database of accounting data,
I should be able to access just about any kind of information I wanted
from a properly formed sql query (like ip address usage data,
time-on-line information for customers and just about any other kind of
trending data I could imagine).  Am I correct in that assumption or are
there significant hurdles to using a mysql accounting-only system that I
should be aware of?

3) If the idea of using mysql as an accounting system makes sense, are
there existing tools that anyone knows of that are already written to
generate various reports on radius accounting data?

Thanks,

Mike





Re: EAP/TLS testing: SSL_set_my_callback

2002-11-21 Thread Artur Hecker
ah yes, you are right.

which paths do you have in your makefile?



> of openssl which are in /usr/local/openssl/lib/. Am I correct? If so, 
> which file do

yepp, definitely.

you could also try to alter your ld.config in /etc and add the new 
paths before the old ones, just for the test. later, if it works, you 
can use LD_PRELOAD environment variable in a script starting freeradius.

ciao
artur


--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Re: Using MYSQL for accounting only

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002, Mike Denka wrote:

 I'm using LDAP for authentication and authorization across several
 radius servers.  I'm thinking that using a single mysql server for
 accounting from all my radius servers might be a significant advantage
 over using multiple detail files on multiple servers and parsing these
 detail files with a script.  Before I dive into this, I'd like to get
 opinions from others who are using mysql for accounting:

 1) anyone using mysql for accounting only - using another authentication
 and authorization?  If so is the setup as simple as using the sql schema
 included with freeradius and just including sql in the accounting
 section of the radiusd.conf file?

I am using ldap auth and sql (MySQL + InnoDB tables) accounting for the Greek
Schools Network. Works quite well. It's really as simple as you describe it. I
am also using radrelay to sync accounting (two radius servers, each one with
full accounting information). There's no need to keep only one mysql server. You
can just use radrelay and keep the same info on multiple mysql servers (fail
over).


 2) are there significant gains to be made in terms of access to data and
 report generation using mysql over perl scripts or other programs
 written to parse the detail file and generate flat files with relevant
 information?  My guess is that with a mysql database of accounting data,
 I should be able to access just about any kind of information I wanted
 from a properly formed sql query (like ip address usage data,
 time-on-line information for customers and just about any other kind of
 trending data I could imagine).  Am I correct in that assumption or are
 there significant hurdles to using a mysql accounting-only system that I
 should be aware of?

Gains:

1. SQL queries for reports/stats

2. Live data. You can immediately look at the history of a user through a web
interface or look at the currently logged in users.

3. SQL session handling (double login detection) works much better (faster) than
radutmp.


 3) If the idea of using mysql as an accounting system makes sense, are
 there existing tools that anyone knows of that are already written to
 generate various reports on radius accounting data?

Well, you are using sql so creating reports is just a matter of running the
correct query on your sql data. In any case, dialup_admin has a stats page which
you could use.


 Thanks,

 Mike




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf






Re: Using MYSQL for accounting only

2002-11-21 Thread Dave Vondracek
On Thu, 21 Nov 2002 08:41:08 -0800
 Mike Denka [EMAIL PROTECTED] wrote:
 
 1) anyone using mysql for accounting only - using another
 authentication
 and authorization?  If so is the setup as simple as using
 the sql schema
 included with freeradius and just including sql in the
 accounting
 section of the radiusd.conf file?

Yes, we run mysql for accounting only.  The setup was
incredibly simple as well as customization.  That's about
all you will need for the default installation.  Specific
server information is in sql.conf.  

 
 2) are there significant gains to be made in terms of
 access to data and
 report generation using mysql over perl scripts or other
 programs
 written to parse the detail file and generate flat files
 with relevant
 information?  My guess is that with a mysql database of
 accounting data,
 I should be able to access just about any kind of
 information I wanted
 from a properly formed sql query (like ip address usage
 data,
 time-on-line information for customers and just about any
 other kind of
 trending data I could imagine).  Am I correct in that
 assumption or are
 there significant hurdles to using a mysql
 accounting-only system that I
 should be aware of?
 

Yes.  As long as you store the data, it's much easier to
access.  It is also easy to add to the schema and log
additional data requiring changes only to sql.conf and the
table structure.  (mailing list archive and
docs/variables.txt will prove valuable here)

 3) If the idea of using mysql as an accounting system
 makes sense, are
 there existing tools that anyone knows of that are
 already written to
 generate various reports on radius accounting data?
 

Sorry, haven't investigated.

 Thanks,
 
 Mike
 
 





Re: fail to load rlm_eap_md5 in freeRadius 0.8

2002-11-21 Thread Alan DeKok
Dave Mason [EMAIL PROTECTED] wrote:
 A quick update.  At first I ran configure with --disable-shared to force 
 a static link.  If I take that out and use a dynamic link (and set my 
 LD_LIBRARY_PATH) it works fine.  For some reason, the static link must 
 not be picking up everything it needs.  Is there something else I need 
 to do for a static link?

  The static linking stage doesn't find static libs needed by
sub-modules, like rlm_eap_md5.  It's a bug, and it should be addressed
before 1.0.

  Alan DeKok.




Re: Using MYSQL for accounting only

2002-11-21 Thread Daniel Monjar

any problem running both accounting methods (the detail file and the 
mysqldb)?

--On Thursday, November 21, 2002 11:51 AM -0500 Dave Vondracek 
[EMAIL PROTECTED] wrote:

On Thu, 21 Nov 2002 08:41:08 -0800
 Mike Denka [EMAIL PROTECTED] wrote:


1) anyone using mysql for accounting only - using another
authentication
and authorization?  If so is the setup as simple as using
the sql schema
included with freeradius and just including sql in the
accounting
section of the radiusd.conf file?


Yes, we run mysql for accounting only.  The setup was
incredibly simple as well as customization.  That's about
all you will need for the default installation.  Specific
server information is in sql.conf.



2) are there significant gains to be made in terms of
access to data and
report generation using mysql over perl scripts or other
programs
written to parse the detail file and generate flat files
with relevant
information?  My guess is that with a mysql database of
accounting data,
I should be able to access just about any kind of
information I wanted
from a properly formed sql query (like ip address usage
data,
time-on-line information for customers and just about any
other kind of
trending data I could imagine).  Am I correct in that
assumption or are
there significant hurdles to using a mysql
accounting-only system that I
should be aware of?



Yes.  As long as you store the data, it's much easier to
access.  It is also easy to add to the schema and log
additional data requiring changes only to sql.conf and the
table structure.  (mailing list archive and
docs/variables.txt will prove valuable here)


3) If the idea of using mysql as an accounting system
makes sense, are
there existing tools that anyone knows of that are
already written to
generate various reports on radius accounting data?



Sorry, haven't investigated.


Thanks,

Mike









--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US





Re: MD5 crypt() password compilation bug

2002-11-21 Thread Alan DeKok
Josh Wilsdon [EMAIL PROTECTED] wrote:
 I just spent a few hours tracking down a really annoying problem
 with the new 0.8 freeradius.  I was having a terrible time getting
 any authentications to work until I started adding debug information
 to the source.  To make a long story short, if you are using crypt()
 passwords that are MD5 encrypted (they start with $1$..) it will not
 work if the Makefile places the -lcrypto before the -lcrypt, because
 it will use the crypt() function of libcrypto which does not seem to
 recognize md5 passwords.  If this happens to you, change the line in
 the Makefile (src/main/Makefile) from:

  Ah, the light dawns.  Thank you *very* much for that esoteric fix.

  I've added the fix to the source.

  Alan DeKok.




Thanks, and a new Question

2002-11-21 Thread William Ragsdale
Greetings,
  Thank you for all the help with the weird MS Windows error codes.  The
TCPDUMP on the BSDi system doesn't show the attributes...so I guess I'll
live with the new error message.  

  I have a new question, and the answer is probably obvious, but I can't
seem to find it.  How do I specify freeradius to use the client.conf
'shortname' field as the directory in the radacct/{shortname}/detail entry
in the radiusd.conf file?  I see {Client-IP-Address} but I don't know the
name of the variable for the short name.  


-- 

·William Ragsdale   ·http://www.netonecom.net
·Server Administrator ·Office Hours ·NetOne Communications, Inc.
·Work: 231-734-2917 10AM - 7PM  ·2186 US 10
·FAX:  231-734-6395 ·Sears, MI  49679





RE: Using MYSQL for accounting only

2002-11-21 Thread Brian Johnson
I was doing this with no issues. :)


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Daniel Monjar
 Sent: Thursday, November 21, 2002 11:10 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Using MYSQL for accounting only
 
 
 
 any problem running both accounting methods (the detail file and the 
 mysqldb)?
 
 --On Thursday, November 21, 2002 11:51 AM -0500 Dave Vondracek 
 [EMAIL PROTECTED] wrote:
 
  On Thu, 21 Nov 2002 08:41:08 -0800
   Mike Denka [EMAIL PROTECTED] wrote:
 
  1) anyone using mysql for accounting only - using another
  authentication
  and authorization?  If so is the setup as simple as using
  the sql schema
  included with freeradius and just including sql in the
  accounting
  section of the radiusd.conf file?
 
  Yes, we run mysql for accounting only.  The setup was
  incredibly simple as well as customization.  That's about
  all you will need for the default installation.  Specific
  server information is in sql.conf.
 
 
  2) are there significant gains to be made in terms of
  access to data and
  report generation using mysql over perl scripts or other
  programs
  written to parse the detail file and generate flat files
  with relevant
  information?  My guess is that with a mysql database of
  accounting data,
  I should be able to access just about any kind of
  information I wanted
  from a properly formed sql query (like ip address usage
  data,
  time-on-line information for customers and just about any
  other kind of
  trending data I could imagine).  Am I correct in that
  assumption or are
  there significant hurdles to using a mysql
  accounting-only system that I
  should be aware of?
 
 
  Yes.  As long as you store the data, it's much easier to
  access.  It is also easy to add to the schema and log
  additional data requiring changes only to sql.conf and the
  table structure.  (mailing list archive and
  docs/variables.txt will prove valuable here)
 
  3) If the idea of using mysql as an accounting system
  makes sense, are
  there existing tools that anyone knows of that are
  already written to
  generate various reports on radius accounting data?
 
 
  Sorry, haven't investigated.
 
  Thanks,
 
  Mike
 
 
 
 
 
 
 
 --
 Daniel Monjar
 IS Manager, Technical Services
 bioMérieux, Inc.
 Durham, NC US
 
 
 





Re: Thanks, and a new Question

2002-11-21 Thread Alan DeKok
William Ragsdale [EMAIL PROTECTED] wrote:
   I have a new question, and the answer is probably obvious, but I can't
 seem to find it.  How do I specify freeradius to use the client.conf
 'shortname' field as the directory in the radacct/{shortname}/detail entry
 in the radiusd.conf file?

  You can't right now, sorry.

  As always, patches are welcome.

  Alan DeKok.






Re: Using MYSQL for accounting only

2002-11-21 Thread Dave Vondracek
Nope, we run both perfectly.

I added the mysql config long after detail was running
properly and had no problems caused by the additional
accounting method.

On Thu, 21 Nov 2002 12:09:58 -0500
 Daniel Monjar [EMAIL PROTECTED] wrote:
 
 any problem running both accounting methods (the detail
 file and the 
 mysqldb)?
 




Locking user to a NAS

2002-11-21 Thread tps
I have FR running with LDAP authentication, MySQL accounting. I have
two different networks (moving to 4 soon) that provide me with dialup
services. Doing the billing, I've noticed that I am being billed for more
accounts than I have. When I consolidated the reports, I found that I
had users hopping from one network to another, and generating billings
on both. Nice. So, my problem is, how do I keep this from happening.
I've played with different setups, but I can't seem to find the magic
incantation.

Thanks,
Tim

-- 
  
   
Tim Sailer (at home)             Coastal Internet, Inc.
Network and Systems Operations   PO Box 671
http://www.buoy.com              Ridge, NY 11961
[EMAIL PROTECTED] [EMAIL PROTECTED]   (631)924-3728  (888) 924-3728
   




Re: Locking user to a NAS

2002-11-21 Thread Chris Parker
At 12:56 PM 11/21/2002 -0500, [EMAIL PROTECTED] wrote:

I have FR running with LDAP authentication, MySQL accounting. I have
two different networks (moving to 4 soon) that provide me with dialup
services. Doing the billing, I've noticed that I am being billed for more
accounts than I have. When I consolidated the reports, I found that I
had users hopping from one network to another, and generating billings
on both. Nice. So, my problem is, how do I keep this from happening.
I've played with different setups, but I can't seem to find the magic
incantation.


You could accomplish this with Hunt-Groups.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





radzap don't clear entry

2002-11-21 Thread Tico Kamide
I'm using FR v.0.7.1 and I can't clear any entry from radwtmp using radzap.
FR v.0.8 also

[root@server2 tico]# radlast |grep annelore
annelore 002:maripa   200.203.239.195  Mon Nov 11 23:48   still logged in
(it's an old session)

[root@server2 tico]# radzap maripa 2 annelore
maripa: host not found.
(in naslist: 200.203.239.214 maripa  portslave, but it can't
resolve nasname?)

[root@server2 tico]# radzap 200.203.239.214 2 annelore
/usr/bin/radzap: zapping termserver 200.203.239.214, port 2, user annelore
(it seems ok!)

[root@server2 tico]# radlast |grep annelore
annelore 002:maripa   200.203.239.195  Mon Nov 11 23:48   still logged in
(oh, no, it's still there!!??!!)

Any ideas?
Thanks in advance.

Tico






RE: Using MYSQL for accounting only

2002-11-21 Thread Mike Denka

No problem for me except that I wouldn't see any reason to burn the
resources to run both methods if one was sufficient.

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Daniel
Monjar
Sent: Thursday, November 21, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: Re: Using MYSQL for accounting only


any problem running both accounting methods (the detail file and the 
mysqldb)?

--On Thursday, November 21, 2002 11:51 AM -0500 Dave Vondracek 
[EMAIL PROTECTED] wrote:

 On Thu, 21 Nov 2002 08:41:08 -0800
  Mike Denka [EMAIL PROTECTED] wrote:

 1) anyone using mysql for accounting only - using another
 authentication
 and authorization?  If so is the setup as simple as using
 the sql schema
 included with freeradius and just including sql in the
 accounting
 section of the radiusd.conf file?

 Yes, we run mysql for accounting only.  The setup was
 incredibly simple as well as customization.  That's about
 all you will need for the default installation.  Specific
 server information is in sql.conf.


 2) are there significant gains to be made in terms of
 access to data and
 report generation using mysql over perl scripts or other
 programs
 written to parse the detail file and generate flat files
 with relevant
 information?  My guess is that with a mysql database of
 accounting data,
 I should be able to access just about any kind of
 information I wanted
 from a properly formed sql query (like ip address usage
 data,
 time-on-line information for customers and just about any
 other kind of
 trending data I could imagine).  Am I correct in that
 assumption or are
 there significant hurdles to using a mysql
 accounting-only system that I
 should be aware of?


 Yes.  As long as you store the data, it's much easier to
 access.  It is also easy to add to the schema and log
 additional data requiring changes only to sql.conf and the
 table structure.  (mailing list archive and
 docs/variables.txt will prove valuable here)

 3) If the idea of using mysql as an accounting system
 makes sense, are
 there existing tools that anyone knows of that are
 already written to
 generate various reports on radius accounting data?


 Sorry, haven't investigated.

 Thanks,

 Mike







--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US







RE: Using MYSQL for accounting only

2002-11-21 Thread Mike Denka


Thanks to Dave and Kostas for the feedback.  Sounds great.  So now I'm
wondering how you age the accounting data if it all goes to a mysql db.
You would certainly not want to keep accounting data indefinitely.  So
what process do you guys use to throw out the old stuff to make way for
the new?  (Forgive me if this is obvious in the context of databases -
I'm really not a very literate database guy).

Thanks again,

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Thursday, November 21, 2002 8:51 AM
To: [EMAIL PROTECTED]
Subject: Re: Using MYSQL for accounting only

On Thu, 21 Nov 2002, Mike Denka wrote:

 I'm using LDAP for authentication and authorization across several
 radius servers.  I'm thinking that using a single mysql server for
 accounting from all my radius servers might be a significant advantage
 over using multiple detail files on multiple servers and parsing these
 detail files with a script.  Before I dive into this, I'd like to get
 opinions from others who are using mysql for accounting:

 1) anyone using mysql for accounting only - using another
authentication
 and authorization?  If so is the setup as simple as using the sql
schema
 included with freeradius and just including sql in the accounting
 section of the radiusd.conf file?

I am using ldap auth and sql (MySQL + InnoDB tables) accounting for the
Greek
Schools Network. Works quite well. It's really as simple as you describe
it. I
am also using radrelay to sync accounting (two radius servers, each one
with
full accounting information). There's no need to keep only one mysql
server. You
can just use radrelay and keep the same info on multiple mysql servers
(fail
over).


 2) are there significant gains to be made in terms of access to data
and
 report generation using mysql over perl scripts or other programs
 written to parse the detail file and generate flat files with relevant
 information?  My guess is that with a mysql database of accounting
data,
 I should be able to access just about any kind of information I wanted
 from a properly formed sql query (like ip address usage data,
 time-on-line information for customers and just about any other kind
of
 trending data I could imagine).  Am I correct in that assumption or
are
 there significant hurdles to using a mysql accounting-only system that
I
 should be aware of?

Gains:

1. SQL queries for reports/stats

2. Live data. You can immediately look at the history of a user through
a web
interface or look at the currently logged in users.

3. SQL session handling (double login detection) works much better
(faster) than
radutmp.


 3) If the idea of using mysql as an accounting system makes sense, are
 there existing tools that anyone knows of that are already written to
 generate various reports on radius accounting data?

Well, you are using sql so creating reports is just a matter of running
the
correct query on your sql data. In any case, dialup_admin has a stats
page which
you could use.


 Thanks,

 Mike




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf








Re: radzap don't clear entry

2002-11-21 Thread Alan DeKok
Tico Kamide [EMAIL PROTECTED] wrote:
 [root@server2 tico]# radzap maripa 2 annelore
 maripa: host not found.
 (in naslist: 200.203.239.214 maripa  portslave, but it can't
 resolve nasname?)

  Nope.  The name must be in DNS.

 [root@server2 tico]# radzap 200.203.239.214 2 annelore
 /usr/bin/radzap: zapping termserver 200.203.239.214, port 2, user annelore
 (it seems ok!)
 
 [root@server2 tico]# radlast |grep annelore
 annelore 002:maripa   200.203.239.195  Mon Nov 11 23:48   still logged in
 (oh, no, it's still there!!??!!)
 
 Any ideas?

  Run the server in debugging mode while you zap an entry.  See what
it says.

  Alan DeKok.




Re: dialup_admin, Acct-Terminate-Cause

2002-11-21 Thread Alan DeKok
Svetlana Vyslanko [EMAIL PROTECTED] wrote:
 In my radacct table the field AcctTerminateCause is empty. How can I resolve
 this problem?

  Fix your NAS to send the attribute.  It's in the FAQ.

  Alan DeKok.




Re: after hours shared secret bug

2002-11-21 Thread Alan DeKok
Angelos Karageorgiou [EMAIL PROTECTED] wrote:
 Sometimes , mostly under heavy load, both radiuses nag about invalid
 shared secret which goes away after a while.

  That sounds like a race condition, where some 'static' variable is
being clobbered by two threads.

  The problem is that I don't immediately see where/how that can be
happening.

  Alan DeKok.




Re: EAP/TLS testing: SSL_set_my_callback

2002-11-21 Thread Nikhil Chauhan
My radius_run script-file has the following paths:
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
I tried to add /usr/local/openssl before /usr/local in the /etc/ld.so.conf.
It still picks up utilities from /usr/local/openssl/lib/ ;-(

Artur Hecker [EMAIL PROTECTED] wrote:
ah yes, you are right.

which paths do you have in your makefile?

 of openssl which are in /usr/local/openssl/lib/. Am I correct? If so,  which file do

yepp, definitely.

you could also try to alter your ld.config in /etc and add the new paths before the old ones, just for the test. later, if it works, you can use LD_PRELOAD environment variable in a script starting freeradius.

ciao
artur

-- 
Artur Hecker                Groupe Accès et Mobilité
hecker[at]enst[dot]fr       Département Informatique et Réseaux
+33 1 45 81 7507            46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris

Re: Using MYSQL for accounting only

2002-11-21 Thread Simon White
21-Nov-02 at 10:09, Mike Denka ([EMAIL PROTECTED]) wrote :
 
 No problem for me except that I wouldn't see any reason to burn the
 resources to run both methods if one was sufficient.

Redundancy, especially if you're relying on accounting to actually bill
your customers...

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




(no subject)

2002-11-21 Thread mcelleri


Hi,
I'm working with postgresql and pap authorize module..I have an entry in the
radcheck table of my database that contains a clear text password for the user,
so I change this value in the pap module in radius.conf like this:

pap {
        encryption_scheme = clear
}





Re: Using MYSQL for accounting only

2002-11-21 Thread Dave Vondracek
Mike,

I haven't really looked into this, as I've only run the
mysql accounting for a couple months, and we need the data
much longer to reconcile with some of our providers.  I'm
planning on doing it by hand with a simple sql statement
based on AcctStartTime or AcctStopTime for the time being.
I have seen reference to dialup_admin being able to handle
this as well.  I've not yet had time to investigate
dialup_admin though.  

I'm sure I've missed a lot of the DB nuances, as I'm an SA,
not a DBA.  But it gets the job done. :)

dave



On Thu, 21 Nov 2002 10:13:39 -0800
 Mike Denka [EMAIL PROTECTED] wrote:
 
 
 Thanks to Dave and Kostas for the feedback.  Sounds
 great.  So now I'm
 wondering how you age the accounting data if it all goes
 to a mysql db.
 You would certainly not want to keep accounting data
 indefinitely.  So
 what process do you guys use to throw out the old stuff
 to make way for
 the new?  (Forgive me if this is obvious in the context
 of databases -
 I'm really not a very literate database guy).
 
 Thanks again,
 
 Mike
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
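
The clean-up described above (a statement keyed on AcctStopTime), as an added example that is not part of the original thread. SQLite stands in for MySQL so it runs offline; the radacct_archive table, the columns other than AcctStartTime/AcctStopTime, the NULL stop time for open sessions and all sample rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# radacct, AcctStartTime and AcctStopTime are the names used in the thread;
# the other columns and the radacct_archive table are assumptions.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY,
    UserName        TEXT NOT NULL,
    NASIPAddress    TEXT NOT NULL,
    AcctStartTime   TEXT NOT NULL,
    AcctStopTime    TEXT,      -- assumed NULL while the session is open
    AcctSessionTime INTEGER
);
CREATE TABLE radacct_archive AS SELECT * FROM radacct WHERE 0;
"""

# Constructed sample rows, not taken from any real server.
SAMPLE_ROWS = [
    (1, "alice", "192.0.2.10", "2002-08-01 10:00:00", "2002-08-01 11:00:00", 3600),
    (2, "bob",   "192.0.2.10", "2002-11-20 09:00:00", "2002-11-20 09:30:00", 1800),
    (3, "carol", "192.0.2.20", "2002-07-15 08:00:00", None, None),
    (4, "alice", "192.0.2.20", "2002-09-01 12:00:00", "2002-09-01 12:10:00", 600),
]

TS = "%Y-%m-%d %H:%M:%S"  # sorts correctly as plain text


def build_retention_demo():
    """In-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def age_accounting(conn, now, keep_days):
    """Move closed sessions older than keep_days into radacct_archive.

    Returns the number of rows moved. Rows without a stop time are left
    alone, so a session that never received a Stop record is not lost.
    """
    cutoff = (now - timedelta(days=keep_days)).strftime(TS)
    old = "AcctStopTime IS NOT NULL AND AcctStopTime < ?"
    with conn:  # one transaction: the copy and the delete commit together
        conn.execute(
            "INSERT INTO radacct_archive SELECT * FROM radacct WHERE " + old,
            (cutoff,))
        cur = conn.execute("DELETE FROM radacct WHERE " + old, (cutoff,))
    return cur.rowcount


def stale_open_sessions(conn, now, max_hours):
    """Open sessions started more than max_hours ago, for manual review."""
    cutoff = (now - timedelta(hours=max_hours)).strftime(TS)
    return conn.execute(
        "SELECT RadAcctId, UserName, AcctStartTime FROM radacct "
        "WHERE AcctStopTime IS NULL AND AcctStartTime < ? "
        "ORDER BY AcctStartTime", (cutoff,)).fetchall()


if __name__ == "__main__":
    db = build_retention_demo()
    today = datetime(2002, 11, 21, 12, 0, 0)
    print("stale open sessions:", stale_open_sessions(db, today, 24))
    print("rows archived:", age_accounting(db, today, 60))
```

Archiving before deleting keeps the rows available for later reconciliation with providers; the open-session test has to match whatever value your schema stores for a session with no Stop record.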



Re: Auth-Type/Autz-Type in users file

2002-11-21 Thread Kevin Bonner
  Move the files line below the Autz-Type's in your authorize section.

 Thanks for the help this is working now !

 This should be corrected in the Autz-Type file in the doc directory ?

 Christophe.

Yes, it should.  I shall submit a patch to the devel list.

Kevin Bonner




postgresql + freeradius

2002-11-21 Thread mcelleri

Hi, I'm working with postgresql and pap authorize module..I have an entry in the
radcheck table of my database that contains a clear text password for the user,
so I change this value in the pap module in radius.conf like this:

pap {
        encryption_scheme = clear
}

and this is my entry:

 id | username |   attribute   |  value   | op
----+----------+---------------+----------+----
  1 | mcelleri | User-Password | camaleon | :=



but when I try to log in with radtest, debug mode (radiusd -X) gives me
this:


rad_recv: Access-Request packet from host 127.0.0.1:1148, id=224, length=58
User-Name = mcelleri
User-Password = \025\361)\306e\206X\300v\373\216\213\235\016\354\360
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = 10
rad_rmspace_pair:  User-Name now 'mcelleri'
rad_rmspace_pair:  User-Password now 'camaleon'
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm NULL for User-Name = mcelleri
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched mcelleri at 2
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type PAP
auth: type PAP
modcall: entering group authtype
rlm_pap: login attempt by mcelleri with password camaleon
rlm_pap: Could not find password for user mcelleri
  modcall[authenticate]: module pap returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_pap: User password not available): [mcelleri/camaleon]
(from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request

Should I use another type of authorization module?





using freeradius with a binary mysql

2002-11-21 Thread Daniel Monjar
I'm running 0.7.1 (getting around to compiling 0.8) on Tru64 Unix 5.1.  I 
am using the binary distribution of mysql and having a problem getting 
freeradius to know that mysql is installed and make the rlm_mysql files.  I 
tried the --with-mysql-include-dir with no luck.

I need to either convince freeradius configure that I have mysql or to make 
the rlm_sql_mysql driver file by hand and move it where it needs to be... 
can I take this file off of a working Linux install?

--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US




Re: radzap don't clear entry

2002-11-21 Thread Tico Kamide
Alan,
I put server in debugging mode, zapped an entry and nothing happened...
Any other ideas?
Tico


   Run the server in debugging mode while you zap an entry.  See what
 it says.

   Alan DeKok.







Re: using freeradius with a binary mysql

2002-11-21 Thread Chris Brotsos
At 02:54 PM 11/21/2002 -0500, you wrote:

I'm running 0.7.1 (getting around to compiling 0.8) on Tru64 Unix 5.1.  I 
am using the binary distribution of mysql and having a problem getting 
freeradius to know that mysql is installed and make the rlm_mysql 
files.  I tried the --with-mysql-include-dir with no luck.

I need to either convince freeradius configure that I have mysql or to 
make the rlm_sql_mysql driver file by hand and move it where it needs to 
be... can I take this file off of a working Linux install?

This issue is currently being looked at. For now, see if appending -lz to 
the end of line 982 helps.

Such that:

New line 982 reads,  LIBS=$old_LIBS -L$try -lmysqlclient -lz .

Regards,

Chris Brotsos





Re: Locking user to a NAS

2002-11-21 Thread tps
On Thu, Nov 21, 2002 at 12:01:42PM -0600, Chris Parker wrote:
 At 12:56 PM 11/21/2002 -0500, [EMAIL PROTECTED] wrote:
 I have FR running with LDAP authentication, MySQL accounting. I have
 two different networks (moving to 4 soon) that provide me with dialup
 services. Doing the billing, I've noticed that I am being billed for more
 accounts than I have. When I consolidated the reports, I found that I
 had users hopping from one network to another, and generating billings
 on both. Nice. So, my problem is, how do I keep this from happening.
 I've played with different setups, but I can't seem to find the magic
 incantation.
 
 You could accomplish this with Hunt-Groups.

That's what I was playing with, but the only way I can see to do this
is to list each user in the users file, which sorta negates the gain
of LDAP...

Tim

-- 
  
   
Tim Sailer (at home)             Coastal Internet, Inc.
Network and Systems Operations   PO Box 671
http://www.buoy.com              Ridge, NY 11961
[EMAIL PROTECTED] [EMAIL PROTECTED]   (631)924-3728  (888) 924-3728
   




Re: using freeradius with a binary mysql

2002-11-21 Thread Daniel Monjar
uh, which file?

--On Thursday, November 21, 2002 2:16 PM -0600 Chris Brotsos 
[EMAIL PROTECTED] wrote:

At 02:54 PM 11/21/2002 -0500, you wrote:

I'm running 0.7.1 (getting around to compiling 0.8) on Tru64 Unix 5.1.
I  am using the binary distribution of mysql and having a problem
getting  freeradius to know that mysql is installed and make the
rlm_mysql  files.  I tried the --with-mysql-include-dir with no luck.

I need to either convince freeradius configure that I have mysql or to
make the rlm_sql_mysql driver file by hand and move it where it needs to
be... can I take this file off of a working Linux install?


This issue is currently being looked at. For now, see if appending -lz
to the end of line 982 helps.

Such that:

New line 982 reads,  LIBS=$old_LIBS -L$try -lmysqlclient -lz .

Regards,

Chris Brotsos







--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US





Re: Locking user to a NAS

2002-11-21 Thread Chris Parker
At 03:22 PM 11/21/2002 -0500, [EMAIL PROTECTED] wrote:

On Thu, Nov 21, 2002 at 12:01:42PM -0600, Chris Parker wrote:
 At 12:56 PM 11/21/2002 -0500, [EMAIL PROTECTED] wrote:
 I have FR running with LDAP authentication, MySQL accounting. I have
 two different networks (moving to 4 soon) that provide me with dialup
 services. Doing the billing, I've noticed that I am being billed for more
 accounts than I have. When I consolidated the reports, I found that I
 had users hopping from one network to another, and generating billings
 on both. Nice. So, my problem is, how do I keep this from happening.
 I've played with different setups, but I can't seem to find the magic
 incantation.

 You could accomplish this with Hunt-Groups.

That's what I was playing with, but the only way I can see to do this
is to list each user in the users file, which sorta negates the gain
of LDAP...


You could tie them together with a common Group attribute.  I believe
it is possible to return this via LDAP, though I must admit to not having
enough LDAP experience to tell you how to do this.

You could then put a DEFAULT entry per Group, allowing or denying access
to certain Hunt-Groups.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
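
Before restricting users with Hunt-Groups, the MySQL accounting data can show who is actually generating sessions on more than one network. This is an added example, not code from the thread: SQLite stands in for MySQL, and the NAS-to-network map, the column names other than AcctStartTime/AcctStopTime and all rows are constructed assumptions.

```python
import sqlite3
from collections import defaultdict

# Constructed mapping of NAS address to upstream network (an assumption;
# in practice it mirrors the NAS list behind each Hunt-Group).
NAS_NETWORK = {"192.0.2.10": "netA", "192.0.2.11": "netA", "198.51.100.5": "netB"}

# Constructed rows: RadAcctId, UserName, NASIPAddress, AcctStartTime,
# AcctStopTime (None = still open), AcctSessionTime in seconds.
ROWS = [
    (1, "dana", "192.0.2.10",   "2002-11-01 20:00:00", "2002-11-01 21:00:00", 3600),
    (2, "dana", "198.51.100.5", "2002-11-02 20:00:00", "2002-11-02 20:30:00", 1800),
    (3, "erin", "192.0.2.10",   "2002-11-03 10:00:00", "2002-11-03 11:00:00", 3600),
    (4, "erin", "192.0.2.11",   "2002-11-04 10:00:00", "2002-11-04 10:10:00", 600),
    (5, "finn", "192.0.2.11",   "2002-11-05 18:00:00", "2002-11-05 19:00:00", 3600),
    (6, "finn", "198.51.100.5", "2002-11-05 18:30:00", None, None),
    (7, "gwen", "203.0.113.9",  "2002-11-06 08:00:00", "2002-11-06 08:05:00", 300),
    (8, "dana", "192.0.2.10",   "2002-10-15 19:00:00", "2002-10-15 20:00:00", 3600),
]


def build_billing_demo():
    """In-memory radacct table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, "
        "NASIPAddress TEXT, AcctStartTime TEXT, AcctStopTime TEXT, "
        "AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    conn.commit()
    return conn


def network_of(nas_ip):
    # An unmapped NAS is reported as its own network instead of being dropped.
    return NAS_NETWORK.get(nas_ip, "unknown:" + nas_ip)


def users_on_multiple_networks(conn, period_start, period_end):
    """Users with sessions on more than one network inside the billing period.

    Returns {user: {network: (session_count, total_seconds)}}.
    """
    per_user = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    query = (
        "SELECT UserName, NASIPAddress, COUNT(*), "
        "       COALESCE(SUM(AcctSessionTime), 0) "
        "FROM radacct WHERE AcctStartTime >= ? AND AcctStartTime < ? "
        "GROUP BY UserName, NASIPAddress")
    for user, nas, count, seconds in conn.execute(query, (period_start, period_end)):
        totals = per_user[user][network_of(nas)]
        totals[0] += count
        totals[1] += seconds
    return {user: {net: tuple(t) for net, t in nets.items()}
            for user, nets in per_user.items() if len(nets) > 1}


def concurrent_cross_network(conn):
    """Pairs of overlapping sessions of one user on two different networks.

    Overlap in time, rather than hopping, points at shared credentials.
    An open session is treated as running until the far future.
    """
    query = (
        "SELECT a.UserName, a.RadAcctId, b.RadAcctId, "
        "       a.NASIPAddress, b.NASIPAddress "
        "FROM radacct a JOIN radacct b "
        "  ON a.UserName = b.UserName AND a.RadAcctId < b.RadAcctId "
        "WHERE a.AcctStartTime < COALESCE(b.AcctStopTime, '9999-12-31') "
        "  AND b.AcctStartTime < COALESCE(a.AcctStopTime, '9999-12-31') "
        "ORDER BY a.RadAcctId, b.RadAcctId")
    return [(user, id_a, id_b)
            for user, id_a, id_b, nas_a, nas_b in conn.execute(query)
            if network_of(nas_a) != network_of(nas_b)]


if __name__ == "__main__":
    db = build_billing_demo()
    print(users_on_multiple_networks(db, "2002-11-01 00:00:00", "2002-12-01 00:00:00"))
    print(concurrent_cross_network(db))
```

In the sample data erin uses two NASes on the same network and is not reported, while finn's overlapping sessions on two networks are reported by both functions.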


Re: using freeradius with a binary mysql

2002-11-21 Thread Daniel Monjar
no problem, I figured it out... but it didn't help.  I noticed it was 
looking for mysql/mysql.h so I add a soft link like this

	ln -s /usr/local/mysql/include /usr/local/include/mysql

then I did the same for the lib directories.

This subterfuge worked for includes but now it is complaining that it can't 
find the mysql libraries sigh.


--On Thursday, November 21, 2002 2:38 PM -0600 Chris Brotsos 
[EMAIL PROTECTED] wrote:

At 03:25 PM 11/21/2002 -0500, you wrote:

uh, which file?


Old line 982 reads, LIBS=$old_LIBS -L$try -lmysqlclient .

New line 982 reads,  LIBS=$old_LIBS -L$try -lmysqlclient -lz .

/path/to/src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure

Sorry 'bout that.


Regards,

Chris Brotsos







--
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US





Re: using freeradius with a binary mysql

2002-11-21 Thread Chris Brotsos
At 03:51 PM 11/21/2002 -0500, you wrote:

no problem, I figured it out... but it didn't help.  I noticed it was 
looking for mysql/mysql.h so I added a soft link like this

ln -s /usr/local/mysql/include /usr/local/include/mysql

then I did the same for the lib directories.

This subterfuge worked for includes but now it is complaining that it 
can't find the mysql libraries sigh.

Well, the -lz mod fixed the problem for me. So let's do a couple more things.

1. Check LD_LIBRARY_PATH. Make sure all necessary paths have been listed 
(i.e. /usr/local/lib/mysql/).
2. If #1 does not resolve the issue, include the output from configure. See 
if config.log includes any useful messages, and if so, include those in 
your response as well.

The soft link should not be necessary.

Regards,

Chris





Questions

2002-11-21 Thread Don Click
Hi folks.

We have been using the freeradius/dialup admin combo for about a year now, and things 
seem to be running very smooth.  

I do have some questions about the dialup admin web interface. Not sure if this is the 
right place, but it seems that I saw somewhere that they are now part of the same 
distro..

Anywho - The basic issue is that we have a USRobotics Total Control unit, using hyper 
DSP/ARC cards. 

1. What do I define as my nas type, and how do I know if I'm using the flat file, or 
mysql config?  (Someone else has configured the thing.).

2. When I look at Online Users I have 3 users that show to be connected for over 
4000 hours - even with the Total control turned off. - How do I fix that?

Thanks for any advice..


Don Click
IS Special Projects Manager
Central Region
Metrocall, Inc.
972-687-2074 Desk
[EMAIL PROTECTED]





RE: Using MYSQL for accounting only

2002-11-21 Thread Mike Denka
OK.  I'm in the same boat - not being a db-admin.  But it seems to me
that a database ought to have some kind of feature that allows an admin
to 'remove all records built before date and time'.  That would seem
to be a more efficient way of cleansing a db.  

I will check out dialup_admin.  That is supposed to support mysql
databases, I see.

Thanks,

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dave
Vondracek
Sent: Thursday, November 21, 2002 11:28 AM
To: [EMAIL PROTECTED]
Subject: Re: Using MYSQL for accounting only

Mike,

I haven't really looked into this, as I've only run the
mysql accounting for a couple months, and we need the data
much longer to reconcile with some of our providers.  I'm
planning on doing it by hand with a simple sql statement
based on AcctStartTime or AcctStopTime for the time being.
I have seen reference to dialup_admin being able to handle
this as well.  I've not yet had time to investigate
dialup_admin though.  

I'm sure I've missed a lot of the DB nuances, as I'm an SA,
not a DBA.  But it gets the job done. :)

dave



On Thu, 21 Nov 2002 10:13:39 -0800
 Mike Denka [EMAIL PROTECTED] wrote:
 
 
 Thanks to Dave and Kostas for the feedback.  Sounds
 great.  So now I'm
 wondering how you age the accounting data if it all goes
 to a mysql db.
 You would certainly not want to keep accounting data
 indefinitely.  So
 what process do you guys use to throw out the old stuff
 to make way for
 the new?  (Forgive me if this is obvious in the context
 of databases -
 I'm really not a very literate database guy).
 
 Thanks again,
 
 Mike
 





Re: Locking user to a NAS

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002 [EMAIL PROTECTED] wrote:

 On Thu, Nov 21, 2002 at 12:01:42PM -0600, Chris Parker wrote:
  At 12:56 PM 11/21/2002 -0500, [EMAIL PROTECTED] wrote:
  I have FR running with LDAP authentication, MySQL accounting. I have
  two different networks (moving to 4 soon) that provide me with dialup
  services. Doing the billing, I've noticed that I am being billed for more
  accounts than I have. When I consolidated the reports, I found that I
  had users hopping from one network to another, and generating billings
  on both. Nice. So, my problem is, how do I keep this from happening.
  I've played with different setups, but I can't seem to find the magic
  incantation.
 
  You could accomplish this with Hunt-Groups.

 That's what I was playing with, but the only way I can see to do this
 is to list each user in the users file, which sorta negates the gain
 of LDAP...

 Tim

Compile the attached rlm_checkval module. I am using this to do exactly the same
thing. Add the following config section to your radiusd.conf:

checkval nas-check{
item-name = NAS-IP-Address
check-name = NAS-IP-Address
data-type = ipaddr
}

Also add nas-check in your authorize section *after* your ldap module. Add an
allowed NAS-IP-Address in your user ldap entries like:
radiuscheckitem: NAS-IP-Address := XXX.XXX.XXX.XXX

It should work ok


 --


 Tim Sailer (at home)   Coastal Internet,Inc.   
 Network and Systems Operations PO Box 671  
 http://www.buoy.comRidge, NY 11961 
 [EMAIL PROTECTED][EMAIL PROTECTED]   (631)924-3728  (888) 924-3728   




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

/*
 * rlm_checkval.c
 *
 * Version: $Id: rlm_checkval.c,v 1.4 2001/03/06 17:29:40 aland Exp $
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Copyright 2001  The FreeRADIUS server project
 * Copyright 2001  Kostas Kalevras [EMAIL PROTECTED]
 */

#include "autoconf.h"
#include "libradius.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "radiusd.h"
#include "modules.h"
#include "conffile.h"

#define RLM_CHECKVAL_STR    0
#define RLM_CHECKVAL_INT    1
#define RLM_CHECKVAL_IPADDR 2
#define RLM_CHECKVAL_DATE   3
#define RLM_CHECKVAL_BIN    4

/*
 *  Define a structure for our module configuration.
 *
 *  These variables do not need to be in a structure, but it's
 *  a lot cleaner to do so, and a pointer to the structure can
 *  be used as the instance handle.
 */
typedef struct rlm_checkval_t {
	char	*item_name;	/* The attribute inside Access-Request ie Calling-Station-Id */
	char	*check_name;	/* The attribute to check it with ie Allowed-Calling-Station-Id */
	char	*data_type;	/* string,integer,ipaddr,date,abinary,octets */
	char	dat_type;
	int	item_attr;
	int	chk_attr;
} rlm_checkval_t;

/*
 *  A mapping of configuration file names to internal variables.
 *
 *  Note that the string is dynamically allocated, so it MUST
 *  be freed.  When the configuration file parse re-reads the string,
 *  it free's the old one, and strdup's the new one, placing the pointer
 *  to the strdup'd string into 'config.string'.  This gets around
 *  buffer over-flows.
 */
static CONF_PARSER module_config[] = {
  { "item-name",  PW_TYPE_STRING_PTR, offsetof(rlm_checkval_t,item_name),  NULL, NULL},
  { "check-name", PW_TYPE_STRING_PTR, offsetof(rlm_checkval_t,check_name), NULL, NULL},
  { "data-type",  PW_TYPE_STRING_PTR, offsetof(rlm_checkval_t,data_type),  NULL, "integer"},
  { NULL, -1, 0, NULL, NULL }   /* end the list */
};


/*
 *  Do any per-module initialization that is separate to each
 *  configured instance of the module.  e.g. set up connections
 *  to external databases, read configuration files, set up
 *  dictionary entries, etc.
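
An audit that complements the NAS lock described in this message, as an added example that is not part of the original post or of FreeRADIUS: it scans accounting rows for sessions outside a user's permitted network and for accounts seen on more than one network. The network names, address ranges, user map and rows are constructed; only the column names UserName, NASIPAddress and AcctStartTime come from the thread.

```python
import ipaddress
from collections import defaultdict

# Hypothetical provider networks, using documentation address ranges.
NETWORKS = {
    "net-a": ipaddress.ip_network("192.0.2.0/24"),
    "net-b": ipaddress.ip_network("198.51.100.0/24"),
}

# Hypothetical policy: the single network each account may dial into.
# (The checkval setup pins a user to one NAS address; a whole network is
# used here on the assumption that each provider runs several NAS boxes.)
USER_NETWORK = {"alice": "net-a", "bob": "net-a", "carol": "net-b"}

# Constructed accounting rows; keys follow the radacct column names.
SAMPLE_RADACCT = [
    {"UserName": "alice", "NASIPAddress": "192.0.2.10", "AcctStartTime": "2002-11-20 08:00:00"},
    {"UserName": "alice", "NASIPAddress": "192.0.2.11", "AcctStartTime": "2002-11-20 19:30:00"},
    {"UserName": "bob", "NASIPAddress": "192.0.2.10", "AcctStartTime": "2002-11-20 09:15:00"},
    {"UserName": "bob", "NASIPAddress": "198.51.100.7", "AcctStartTime": "2002-11-20 21:00:00"},
    {"UserName": "carol", "NASIPAddress": "198.51.100.7", "AcctStartTime": "2002-11-21 07:45:00"},
    {"UserName": "dave", "NASIPAddress": "", "AcctStartTime": "2002-11-21 08:10:00"},
]


def network_of(nas_ip):
    """Return the provider network name for a NAS address, or None if the
    address is empty, malformed or outside every known network."""
    try:
        addr = ipaddress.ip_address((nas_ip or "").strip())
    except ValueError:
        return None
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def audit(rows, user_network=USER_NETWORK):
    """Return (violations, hoppers).

    violations: (user, nas_ip, network, start) for every session that did
                not come from the user's permitted network; unknown users
                and unknown NAS addresses count as violations too.
    hoppers:    {user: [networks]} for users seen on more than one network.
    """
    seen = defaultdict(set)
    violations = []
    for row in rows:
        user = row["UserName"].strip()
        net = network_of(row["NASIPAddress"])
        if net is not None:
            seen[user].add(net)
        allowed = user_network.get(user)
        if net is None or allowed is None or net != allowed:
            violations.append((user, row["NASIPAddress"], net, row["AcctStartTime"]))
    hoppers = {u: sorted(n) for u, n in seen.items() if len(n) > 1}
    return violations, hoppers


if __name__ == "__main__":
    bad, hopping = audit(SAMPLE_RADACCT)
    for user, nas, net, start in bad:
        print(f"violation: {user} via {nas or '<empty>'} ({net}) at {start}")
    for user, nets in hopping.items():
        print(f"seen on several networks: {user} -> {', '.join(nets)}")
```

Once the check item is enforced at authorize time, new violations in this report point at a NAS or user that is missing from the policy.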
 

RE: Using MYSQL for accounting only

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002, Mike Denka wrote:



 Thanks to Dave and Kostas for the feedback.  Sounds great.  So now I'm
 wondering how you age the accounting data if it all goes to a mysql db.
 You would certainly not want to keep accounting data indefinitely.  So
 what process do you guys use to throw out the old stuff to make way for
 the new?  (Forgive me if this is obvious in the context of databases -
 I'm really not a very literate database guy).

 Thanks again,

 Mike

In my case, the records are not really needed so the oldest get deleted.
Take a look at dialup_admin/bin/truncate_radacct in the cvs.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: Freeradius and expire date

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002, Costas Christonis wrote:

  Hi to all
  We use freeradius 0.7 with LDAP and I want to ask this:
  can i configure freeradius so the account of a user has an expiration
  date?

Yes.
Set the radiusExpiration attribute with a value like:
"20 May 2002"

(double quotes included)

Make sure though that this attribute is included in your ldap schema and in the
ldap.attrmap file.


 

Kosta, english!


 Costas A. Christonis
 Networking  Communications Centre
 Gallos Campus - University of Crete
 tel: +30-8310-77044
 email: [EMAIL PROTECTED]
 http://www.ucnet.uoc.gr/





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: dialup_admin, Acct-Terminate-Cause

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002, Svetlana Vyslanko wrote:

 Hello,

 failed_logins.php3 from dialup_admin:

 SELECT
 AcctStopTime,UserName,NASIPAddress,NASPortId,AcctTerminateCause,CallingStationId
   FROM $config[sql_accounting_table]
   WHERE AcctStopTime <= '$now_str' AND AcctStopTime >= '$prev_str'
   AND (AcctTerminateCause LIKE 'Login-Incorrect%' OR
   AcctTerminateCause LIKE 'Invalid-User%' OR
   AcctTerminateCause LIKE 'Multiple-Logins%') $callerid_str
   ORDER BY AcctStopTime $order $limit;);

 In my radacct table the field AcctTerminateCause is empty. How can I resolve
 this problem?

bin/log_badlogins should be left running and examining radius.log for failed
logins (something like: ./log_badlogins /var/radiusd/log/radius.log )


 Thank you,
 Svetlana



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: Please give advise about Max-Session-Time

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002, Remus Anca wrote:

 Hi,
 i'm back with the same questions...
 may be Alan or Kostas have time to advise me or tell me where should i
 read about it

 Max-Session-Time and Login-Time it's not work
 i have 0.7.1 snapshots 20021110 (i will use 0.8, but i guess the
 configuration it's mostly the same)

   I have in radiusd.conf

 counter counternever {
     filename = ${raddbdir}/db.never
     key = User-Name
     count-attribute = Acct-Session-Time
     reset = never
     counter-name = RAD-Session-Time
     check-name = RAD-Max-Session-Time
     allowed-servicetype = Framed-User
     cache-size = 5000
 }
 #this is not used ... yet
 counter countermonthly {
     filename = ${raddbdir}/db.monthly
     key = User-Name
     count-attribute = Acct-Session-Time
     reset = monthly
     counter-name = RAD-Monthly-Session-Time
     check-name = RAD-Max-Monthly-Session-Time
     allowed-servicetype = Framed-User
     cache-size = 5000
 }
 authorize {
     preprocess
     files {
         fail = 1
         notfound = 2
         ok = return
     }
     sql
 }
 authenticate {
 }
 preacct {
 }
 accounting {
     counternever
     radutmp
     sradutmp
     sql
 }
 session {
     radutmp
     sql

There's no point in using both radutmp and sql but that's another story.

 }
 post-auth {
 }


   I have the next mysql tables:

 usergroup:
 id   UserName  GroupName
 184  test      DefaultOra

 radgroupcheck:
 id  GroupName   Attribute           Value                op
 14  DefaultOra  Service-Type        Framed-User          ==
 15  DefaultOra  Framed-Protocol     PPP                  ==
 16  DefaultOra  NAS-Port-Type       Async                ==
 17  DefaultOra  Auth-Type           Local                :=
 18  DefaultOra  Framed-Compression  Van-Jacobson-TCP-IP  :=
 35  DefaultOra  Simultaneous-Use    1                    :=

 radgroupreply
 id  GroupName   Attribute         Value   op  prio
 2   DefaultOra  Framed-Filter-Id  secure  :=  0

 i've tried to put RAD-Max-Session-Time in radreply with :=
                                                    with ==
                                           radcheck with :=
                                                    with ==

 but it's not work

You haven't added counternever in your authorize section. Make sure it comes
after the sql module.


 the same thing for Login-Time (in radreply or radcheck) but not work.

Hmm, that's strange. As long as you put a valid value (like Al0800-1800) it
should work.

 Please advise me. where should i look for trouble
 radiusd -X doesn't say nothing about sending Access-Accept (like i
 see for Framed-Filter-Id := 'secure' )
 i must see something like this for RAD-Max-Session-Time?
 or for Session-Timeout, which is calculated by counter module,
 based on Max and user counter?


 --
 Remus





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: Questions

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002, Don Click wrote:

 Hi folks.

 We have been using the freeradius/dialup admin combo for about a year now, and
 things seem to be running very smooth.

 I do have some questions about the dialup admin web interface. Not sure if
 this is the right place, but it seems that I saw somewhere that they are now
 part of the same distro..

Yes, you're right.


 Anywho - The basic issue is that we have a USRobotics Total Control unit, using 
hyper DSP/ARC cards.

 1. What do I define as my nas type, and how do I know if I'm using the flat
 file, or mysql config?  (Someone else has configured the thing.).

 2. When I look at Online Users I have 3 users that show to be connected for
 over 4000 hours - even with the Total control turned off. - How do I fix that?

Use bin/clean_radacct to clean your radacct table from stale entries.
dialup_admin only supports fingering cisco devices (that's the only equipment I
have access to and I don't have the time to start transforming checkrad) so in
your case you should just enable use of radacct in conf/admin.conf
(general_finger_type should be empty or commented out) which I assume you
already have.


 Thanks for any advice..


 Don Click
 IS Special Projects Manager
 Central Region
 Metrocall, Inc.
 972-687-2074 Desk
 [EMAIL PROTECTED]




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
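
The two radacct housekeeping jobs raised in this thread (ageing out old accounting rows, and sessions that look connected for thousands of hours), as an added example that is not part of the original posts and is not the dialup_admin truncate_radacct or clean_radacct script. It uses an in-memory SQLite table as a stand-in for MySQL; the rows are constructed, and storing an open session as a NULL AcctStopTime is an assumption (the schema in use may store a zero date instead).

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def make_sample_db():
    """Build a small radacct table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, NASIPAddress TEXT, "
        "AcctStartTime TEXT, AcctStopTime TEXT)"
    )
    rows = [
        ("alice", "192.0.2.10", "2002-05-01 08:00:00", "2002-05-01 09:00:00"),  # old, closed
        ("bob", "192.0.2.10", "2002-11-20 08:00:00", "2002-11-20 08:45:00"),    # recent, closed
        ("carol", "192.0.2.11", "2002-06-01 00:00:00", None),                   # open for months
        ("dave", "192.0.2.11", "2002-11-21 11:00:00", None),                    # open, plausible
    ]
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def _cutoff(now, delta):
    """Timestamp string 'delta' before 'now' (both in FMT)."""
    return (datetime.strptime(now, FMT) - delta).strftime(FMT)


def stale_sessions(conn, now, max_hours):
    """Open sessions that started more than max_hours before 'now'.

    These are the rows that show up as users online for an impossible
    time, usually because the Stop record never reached the server.
    """
    cur = conn.execute(
        "SELECT UserName, NASIPAddress, AcctStartTime FROM radacct "
        "WHERE AcctStopTime IS NULL AND AcctStartTime < ? "
        "ORDER BY AcctStartTime",
        (_cutoff(now, timedelta(hours=max_hours)),),
    )
    return cur.fetchall()


def purge_closed_before(conn, now, keep_days):
    """Delete closed sessions that stopped more than keep_days ago.

    Open sessions are never deleted here, so stale ones stay visible for
    review instead of silently disappearing. Returns the rows removed.
    """
    cur = conn.execute(
        "DELETE FROM radacct "
        "WHERE AcctStopTime IS NOT NULL AND AcctStopTime < ?",
        (_cutoff(now, timedelta(days=keep_days)),),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    now = "2002-11-21 12:00:00"
    print("stale:", stale_sessions(db, now, max_hours=48))
    print("purged:", purge_closed_before(db, now, keep_days=90))
```

Set keep_days from the longest period the records are needed for billing disputes or incident review, and archive before purging if that period is uncertain.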





Re: postgresql + freeradius

2002-11-21 Thread Kostas Kalevras
On Thu, 21 Nov 2002 [EMAIL PROTECTED] wrote:


 Hi, I'm working with postgresql and pap authorize module..I have an entry in the
 radcheck table of my database that contains a clear text password for the user,
 so I change this value in the pap module in radius.conf like this:

 pap {
 encryption_scheme = clear
 }

 and this is my entry:

  id | username |   attribute   |  value   | op
 ----+----------+---------------+----------+----
   1 | mcelleri | User-Password | camaleon | :=



 but when I prove to login with radtest ...the debug mode radiusd -X , gives me
 this :


 rad_recv: Access-Request packet from host 127.0.0.1:1148, id=224, length=58
 User-Name = mcelleri
 User-Password = \025\361)\306e\206X\300v\373\216\213\235\016\354\360
 NAS-IP-Address = 255.255.255.255
 NAS-Port-Id = 10
 rad_rmspace_pair:  User-Name now 'mcelleri'
 rad_rmspace_pair:  User-Password now 'camaleon'
 modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
 rlm_realm: Looking up realm NULL for User-Name = mcelleri
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop
 users: Matched mcelleri at 2
   modcall[authorize]: module files returns ok
 modcall: group authorize returns ok

I don't see the sql module anywhere in the authorize section!

   rad_check_password:  Found Auth-Type PAP
 auth: type PAP
 modcall: entering group authtype
 rlm_pap: login attempt by mcelleri with password camaleon
 rlm_pap: Could not find password for user mcelleri
   modcall[authenticate]: module pap returns invalid
 modcall: group authtype returns invalid
 auth: Failed to validate the user.
 Login incorrect (rlm_pap: User password not available): [mcelleri/camaleon]
 (from client localhost port 0)
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request

 I should use another type of authorization module?




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
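
A parser for the "Login incorrect" lines that the debug output in this message shows and that the earlier dialup_admin reply says to watch in radius.log, as an added example that is not part of the original posts and is not the log_badlogins script. The log lines are constructed: the "[user/password] (from client ... port ...)" part follows the output quoted above, while the timestamp prefix and the "Auth:" and "Info:" tags are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (see the assumptions in the lead-in).
SAMPLE_LOG = """\
Thu Nov 21 10:30:27 2002 : Auth: Login incorrect (rlm_pap: User password not available): [mcelleri/camaleon] (from client localhost port 0)
Thu Nov 21 10:30:41 2002 : Auth: Login incorrect: [mcelleri/cam/ale]on] (from client localhost port 0)
Thu Nov 21 10:31:02 2002 : Auth: Login OK: [jimbo/secret] (from client nas1 port 12)
Thu Nov 21 10:31:09 2002 : Auth: Login incorrect: [guest/guest] (from client nas1 port 13)
Thu Nov 21 10:31:15 2002 : Info: Ready to process requests.
"""

# The user name ends at the first "/"; the password runs up to the last
# "] (from client", so passwords containing "/" or "]" are still captured.
AUTH = re.compile(
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^/]*)/(?P<password>.*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)"
)


def parse_auth(text):
    """Return one dict per authentication line, with the password dropped.

    The attempted password is discarded on purpose: a failed attempt is
    often a near miss of the real one, so it should not travel further
    than the log file it was written to.
    """
    events = []
    for line in text.splitlines():
        m = AUTH.search(line)
        if m:
            event = m.groupdict()
            del event["password"]
            event["port"] = int(event["port"])
            events.append(event)
    return events


def failure_counts(text):
    """Count failed logins per (user, client) pair."""
    return Counter(
        (e["user"], e["client"])
        for e in parse_auth(text)
        if e["result"] == "incorrect"
    )


def redact(text):
    """Return the log with every logged password replaced by a marker."""
    out = []
    for line in text.splitlines():
        m = AUTH.search(line)
        if m:
            start, end = m.span("password")
            line = line[:start] + "<redacted>" + line[end:]
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for (user, client), n in failure_counts(SAMPLE_LOG).most_common():
        print(f"{n} failed login(s) for {user} from {client}")
    print(redact(SAMPLE_LOG))
```

Run redact() before copying radius.log to a ticket, a mailing list or a central log store; the debug output quoted in this thread shows the password in clear text.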





Re: Questions

2002-11-21 Thread Ador Dauz
the configuration is in the radius.conf, please take a look, and if you're
using mysql, also take a look at sql.conf.


- Original Message -
From: Don Click [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 22, 2002 6:35 AM
Subject: Questions


Hi folks.

We have been using the freeradius/dialup admin combo for about a year now,
and things seem to be running very smooth.

I do have some questions about the dialup admin web interface. Not sure if
this is the right place, but it seems that I saw somewhere that they are now
part of the same distro..

Anywho - The basic issue is that we have a USRobotics Total Control unit,
using hyper DSP/ARC cards.

1. What do I define as my nas type, and how do I know if I'm using the flat
file, or mysql config?  (Someone else has configured the thing.).

2. When I look at Online Users I have 3 users that show to be connected
for over 4000 hours - even with the Total control turned off. - How do I fix
that?

Thanks for any advice..


Don Click
IS Special Projects Manager
Central Region
Metrocall, Inc.
972-687-2074 Desk
[EMAIL PROTECTED]





Max-Session-Time usage

2002-11-21 Thread Peter Santiago
I don't think Max-Session-Time is included in the sql tables for mysql, is
it?  So I have to add it to the table then?  Can anyone help out in providing a
working example using Max-session-time?  Thanks








freeradius 0.8 checkrad

2002-11-21 Thread arise

hello guys,

i've recently upgraded to freeradius 0.8. everything went well except
checkrad. it was not being invoked by the server to verify simultaneous
logins on the NAS.

do i miss something trivial in the current release?

regards,

ronald

--
[Never be afraid to try something new.
Remember, amateurs built the ark,
and professionals built the Titanic.]





freeradius 0.8 and mysql

2002-11-21 Thread Chhai Thach








Hi all

I have been testing freeradius 0.8 but I can't seem to get the mysql
authentication going. When I run it in debug mode, this is what I get:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users

What seems to be wrong? Help appreciated. Thanks.

Chhai Thach

Frontier ISP Pty Ltd
Internet access in any flavour
Phone: +61 8 8241 5166
Fax: +61 8 8241 5123
Web: www.frontierisp.net.au










Segmentation fault in Kerberos Module

2002-11-21 Thread Allister Maguire
Hello,

I get Segmentation faults with the Kerberos module. This is how it
happens:

We have two servers each with Kerberos and Ldap (Active Directory)
installed, if we restart any one of them, freeRadius will produce this
segmentation fault. It will keep segmenting until the server has
shutdown.

We have two freeRadius servers, both basically identical, and it happens
to both. Kerberos V is configured on both servers (radius) to use DNS
SRV lookups.

We did not have the same problems with version 0.7, don't know if it was
there in 0.7.1.

!!! DEBUG INFO !!!
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm mydomain.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm mydomain.com
rlm_realm: Adding Stripped-User-Name = jimbo
  rlm_realm: Proxying request from user jimbo to realm mydomain.com
rlm_realm: Adding Realm = mydomain.com
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 8
  modcall[authorize]: module files returns ok
modcall: entering group redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jimbo
radius_xlat:  '(uid=jimbo)'
radius_xlat:  'ou=Internet Service Provider,dc=mydomain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.mydomain.com:389, authentication 0
rlm_ldap: bind as / to ldap1.mydomain.com:389
rlm_ldap:  bind to ldap1.mydomain.com:389 failed: Can't contact LDAP
server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap1 returns fail
rlm_ldap: - authorize
rlm_ldap: performing user authorization for johnthor
radius_xlat:  '(uid=jimbo)'
radius_xlat:  'ou=Internet Service Provider,dc=mydomain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Internet Service
Provider,dc=mydomain,dc=com, with filter (uid=jimbo)
rlm_ldap: checking if remote access for johnthor is allowed by
radiusNPAllowDialin
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusNASPortType as NAS-Port-Type, value Async  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jimbo authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap2 returns ok
modcall: group redundant returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Kerberos
auth: type Kerberos
modcall: entering group authenticate
rlm_krb5: krb5 server princ name: radius1.mydomain.com
rlm_krb5: [johnthor] krb5_mk_req() failed: Server not found in Kerberos
database
Segmentation fault

Regards
Allister P Maguire
