Re: Max-Daily-Session and counter module
Oliver Zimmermann wrote:

> I have a problem understanding how the counter module works. Let's say I want to provide a Maximum Daily Session limit of 3600 seconds for a user on freeradius-0.7. Is the following scenario right? (Sorry, I can't test it for the moment.)
>
> users file:
>
>     DEFAULT  Max-Daily-Session = 3600
>              Fall-Through = 1
>
>     John_D   Password = FZ768wRll, NAS-IP-Address = 214.32.39.2, Simultaneous-Use = 1
>              Service-Type = Framed-User,
>              Framed-Protocol = PPP,
>              Framed-IP-Address = 255.255.255.254,
>              Framed-MTU = 1500,
>              Idle-Timeout = 3600,
>              Port-Limit = 1
>     ...

Hi,

I tested this setup now with Max-Daily-Session = 3, to provoke a reject, but I still get "Login OK". In the logs I saw

    rlm_counter: Could not find Check item value pair
    modcall[accounting]: module counter returns noop

which I cannot interpret. Irritating for me is the line

    rlm_counter: Counter attribute Daily-Session-Time is number 1063

because it has this value in every session. Please take a look at the session log, thanks in advance:

    starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
     main: prefix = /usr/local
     main: localstatedir = /usr/local/var
     main: logdir = /usr/local/var/log/radius
     main: libdir = /usr/local/lib
     main: radacctdir = /usr/local/var/log/radius/radacct
     main: hostname_lookups = no
    read_config_files: reading dictionary
    read_config_files: reading clients
    read_config_files: reading realms
    read_config_files: reading naslist
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_auth = yes
     main: log_auth_badpass = yes
     main: log_auth_goodpass = no
     main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
     main: user = root
     main: group = root
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: proxy_requests = no
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     security: max_attributes = 200
     security: reject_delay = 1
     main: debug_level = 0
    read_config_files: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded System
     unix: cache = no
     unix: passwd = /etc/passwd
     unix: shadow = /etc/shadow
     unix: group = /etc/group
     unix: radwtmp = /usr/local/var/log/radius/radwtmp
     unix: usegroup = no
     unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded Counter
     counter: filename = /usr/local/etc/raddb/db.counter
     counter: key = User-Name
     counter: reset = daily
     counter: count-attribute = Acct-Session-Time
     counter: counter-name = Daily-Session-Time
     counter: check-name = Max-Daily-Session
     counter: allowed-servicetype = Framed-User
     counter: cache-size = 5000
    rlm_counter: Counter attribute Daily-Session-Time is number 1063
    rlm_counter: Current Time: 1039422801, Next reset 1039474800
    Module: Instantiated counter (counter)
    Module: Loaded realm
     realm: format = suffix
     realm: delimiter = @
    Module: Instantiated realm (suffix)
    Module: Loaded files
     files: usersfile = /usr/local/etc/raddb/users
     files: acctusersfile = /usr/local/etc/raddb/acct_users
     files: compat = cistron
    auth_type_fixup: Auth-Type [1000]
    auth_type_fixup: Password [2]
    auth_type_fixup: NAS-IP-Address [4]
    auth_type_fixup: Simultaneous-Use [1034]
    auth_type_fixup: Auth-Type [1000]
    auth_type_fixup: Password [2]
    auth_type_fixup: Simultaneous-Use [1034]
    auth_type_fixup: Auth-Type [1000]
    auth_type_fixup: Password [2]
    auth_type_fixup: NAS-IP-Address [4]
    auth_type_fixup: Simultaneous-Use [1034]
    [/usr/local/etc/raddb/users]:4 Cistron compatibility checks for entry DEFAULT ...
    ?Changing 'Max-Daily-Session =' to 'Max-Daily-Session +='
    [/usr/local/etc/raddb/users]:7 Cistron compatibility checks for entry U.Abdinghoff ...
    ?Changing 'Password =' to 'Password =='
    ?Changing 'NAS-IP-Address =' to 'NAS-IP-Address =='
    ?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
    [/usr/local/etc/raddb/users]:15 Cistron compatibility checks for entry helinet010 ...
    ?Changing 'Password =' to 'Password =='
    ?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
    [/usr/local/etc/raddb/users]:23 Cistron compatibility checks for entry schmidt.online ...
    ?Changing 'Password =' to 'Password =='
    ?Changing 'NAS-IP-Address =' to 'NAS-IP-Address =='
    ?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
    Module: Instantiated files (files)
    Module: Loaded preprocess
     preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
     preprocess: hints = /usr/local/etc/raddb/hints
     preprocess: with_ascend_hack = no
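As an added illustration (not from the post above and not rlm_counter's own code), here is a toy model of the check the counter configuration above sets up. Two facts about the real module frame it: the "Counter attribute Daily-Session-Time is number 1063" line reports the dictionary attribute number the module allocates for its counter-name when it starts, which is why it is identical in every run (it is not the counted value); and in the authorize section the module only enforces the check-name attribute (Max-Daily-Session) when that item is present for the user, otherwise it logs "Could not find Check item value pair" and returns noop, so the request is accepted on the strength of whatever else matched. The model keeps its totals in a dictionary instead of the GDBM file named by "filename", and resets at a UTC day boundary instead of local midnight, to stay reproducible.

```python
# Toy model of a per-user daily session-time counter, mirroring the settings in
# the posted config: key = User-Name, count-attribute = Acct-Session-Time,
# counter-name = Daily-Session-Time, check-name = Max-Daily-Session, reset = daily.
# Added example only; rlm_counter stores its totals in a GDBM file and runs in the
# authorize and accounting sections of radiusd.conf.
from collections import defaultdict

SECONDS_PER_DAY = 86400


class DailySessionCounter:
    def __init__(self, now):
        self.totals = defaultdict(int)          # User-Name -> seconds used since the last reset
        self.next_reset = self._next_day_boundary(now)

    @staticmethod
    def _next_day_boundary(now):
        # UTC midnight keeps the example reproducible; the real module computes
        # local midnight ("Current Time: 1039422801, Next reset 1039474800").
        return (now // SECONDS_PER_DAY + 1) * SECONDS_PER_DAY

    def _reset_if_due(self, now):
        if now >= self.next_reset:
            self.totals.clear()
            self.next_reset = self._next_day_boundary(now)

    def accounting(self, request, now):
        """Accounting section: add a finished session's time to the user's total."""
        self._reset_if_due(now)
        if request.get("Acct-Status-Type") != "Stop":
            return "noop"                       # only Stop records carry a final Acct-Session-Time
        user = request.get("User-Name")
        seconds = request.get("Acct-Session-Time")
        if user is None or seconds is None:
            return "noop"                       # nothing to count without key and count attributes
        self.totals[user] += int(seconds)
        return "ok"

    def authorize(self, request, check_items, reply_items, now):
        """Authorize section: enforce Max-Daily-Session when it is a check item for this user."""
        self._reset_if_due(now)
        limit = check_items.get("Max-Daily-Session")
        if limit is None:
            # No check item for this user: nothing to enforce, so the module
            # returns noop ("Could not find Check item value pair") and the
            # request is accepted by whatever else matched.
            return "noop"
        used = self.totals.get(request["User-Name"], 0)
        if used >= int(limit):
            return "reject"
        remaining = int(limit) - used
        # Cap the session so one login cannot overrun the daily limit; keep a
        # smaller Session-Timeout if some other entry already set one.
        reply_items["Session-Timeout"] = min(remaining, reply_items.get("Session-Timeout", remaining))
        return "ok"


if __name__ == "__main__":
    c = DailySessionCounter(now=0)
    reply = {}
    print(c.authorize({"User-Name": "John_D"}, {"Max-Daily-Session": 3}, reply, 10), reply)
    c.accounting({"User-Name": "John_D", "Acct-Status-Type": "Stop", "Acct-Session-Time": 5}, 20)
    print(c.authorize({"User-Name": "John_D"}, {"Max-Daily-Session": 3}, {}, 30))
```

Run stand-alone it prints an "ok" with Session-Timeout = 3 for the first login and "reject" once a 5-second session has been accounted, which is the behaviour the Max-Daily-Session = 3 test in the post was trying to provoke.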
Re: Just plain problems
Hello,

You may list the content of the db file with the command:

    rlm_dbm_cat -f /usr/local/etc/raddb/users

or just some records with:

    rlm_dbm_cat -f /usr/local/etc/raddb/users elitest

note: /usr/local/etc/raddb/users.db - your users database.

Please send me that output and I will try to help you.

Friday, December 6, 2002, 4:26:50 PM, [EMAIL PROTECTED] wrote:

nmn> Here's the facts:
nmn> FreeRadius ver 0.8
nmn> OS FreeBSD
nmn> User name and password has been verified to be accurate.
nmn> Trying to do test authentication from a Livingston PM4 (hey, it's what I had laying around)
nmn> Only one entry in the users file:
nmn>
nmn>     DEFAULT Auth-Type := System, Simultaneous-Use := 1
nmn>             Framed-IP-Address = 255.255.255.254,
nmn>             Framed-MTU = 1500,
nmn>             Service-Type = Framed-User,
nmn>             Framed-Protocol = PPP,
nmn>             Framed-Compression = Van-Jacobson-TCP-IP,
nmn>             Framed-Routing = None
nmn>
nmn> Objective: If user is not defined in user file, have FreeRadius fall through and use the system's authentication process.
nmn>
nmn> Here's the output from the debugging:
nmn>
nmn>     Ready to process requests.
nmn>     rad_recv: Access-Request packet from host 208.187.24.17:1332, id=9, length=59
nmn>             User-Name = elitest
nmn>             User-Password = test
nmn>             NAS-IP-Address = 208.187.24.17
nmn>             NAS-Port = 99
nmn>     modcall: entering group authorize
nmn>       modcall[authorize]: module preprocess returns ok
nmn>         rlm_realm: No '@' in User-Name = elitest, looking up realm NULL
nmn>         rlm_realm: No such realm NULL
nmn>       modcall[authorize]: module suffix returns noop
nmn>     rlm_dbm: try open database file: /usr/local/etc/raddb/users
nmn>     rlm_dbm: Call parse_user:
nmn>     sm_parse_user.c: check for loops
nmn>     Add elitest to user list
nmn>     rlm_dbm: User elitest not foud in database
nmn>     Remove elitest from user list
nmn>     sm_parse_user.c: check for loops
nmn>     Add DEFAULT to user list
nmn>     rlm_dbm: User DEFAULT not foud in database
nmn>     Remove DEFAULT from user list
nmn>       modcall[authorize]: module dbm returns notfound
nmn>     modcall: group authorize returns ok
nmn>     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
nmn>     auth: Failed to validate the user.
nmn>     Delaying request 0 for 1 seconds
nmn>     Finished request 0
nmn>
nmn> Can someone PLEASE help me? I am probably doing something stupid, but desperately need help. I WILL EVEN PAY FOR SOMEONE WELL VERSED IN FREERADIUS TO CONSULT ON THE PHONE.
nmn>
nmn> Thanks,
nmn> Gary
nmn>
nmn> -
nmn> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Andrei Koulik.
System administrator, Sandy Info Ltd. (ISP), Nizhny Novgorod, Russia

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: Just plain problems
Hello,

Friday, December 6, 2002, 5:09:46 PM, Jason Lixfeld wrote:

JL> Good morning Gary,
JL>
JL>     rlm_dbm: User DEFAULT not foud in database
JL>
JL> looks to be the culprit. I don't know offhand if the characters are put into the output and are only there as a delimiter, or if that is in fact what is being passed to the dbm module. If it's the former, I'm at a loss, but if it's the latter then there may be something adding those characters to the entry which the module can't match because of course it doesn't actually exist.

Added on output to make whitespace at word ends visible. Actually, records are stored and tested without the characters. They are used in debug output only. Not used because hello is more nice-looking than \hello\ in source code.

JL> One thing I might be able to suggest is to remove the dbm module from the equation and see if you can auth against a plain text users file. If that works, then it's something with the dbm module, I'd suspect.
JL>
JL> On Fri, 2002-12-06 at 08:26, [EMAIL PROTECTED] wrote:
JL> > Here's the facts:
JL> > FreeRadius ver 0.8
JL> > OS FreeBSD
JL> > User name and password has been verified to be accurate.
JL> > Trying to do test authentication from a Livingston PM4 (hey, it's what I had laying around)
JL> > Only one entry in the users file:
JL> >
JL> >     DEFAULT Auth-Type := System, Simultaneous-Use := 1
JL> >             Framed-IP-Address = 255.255.255.254,
JL> >             Framed-MTU = 1500,
JL> >             Service-Type = Framed-User,
JL> >             Framed-Protocol = PPP,
JL> >             Framed-Compression = Van-Jacobson-TCP-IP,
JL> >             Framed-Routing = None
JL> >
JL> > Objective: If user is not defined in user file, have FreeRadius fall through and use the system's authentication process.
JL> >
JL> > Here's the output from the debugging:
JL> >
JL> >     Ready to process requests.
JL> >     rad_recv: Access-Request packet from host 208.187.24.17:1332, id=9, length=59
JL> >             User-Name = elitest
JL> >             User-Password = test
JL> >             NAS-IP-Address = 208.187.24.17
JL> >             NAS-Port = 99
JL> >     modcall: entering group authorize
JL> >       modcall[authorize]: module preprocess returns ok
JL> >         rlm_realm: No '@' in User-Name = elitest, looking up realm NULL
JL> >         rlm_realm: No such realm NULL
JL> >       modcall[authorize]: module suffix returns noop
JL> >     rlm_dbm: try open database file: /usr/local/etc/raddb/users
JL> >     rlm_dbm: Call parse_user:
JL> >     sm_parse_user.c: check for loops
JL> >     Add elitest to user list
JL> >     rlm_dbm: User elitest not foud in database
JL> >     Remove elitest from user list
JL> >     sm_parse_user.c: check for loops
JL> >     Add DEFAULT to user list
JL> >     rlm_dbm: User DEFAULT not foud in database
JL> >     Remove DEFAULT from user list
JL> >       modcall[authorize]: module dbm returns notfound
JL> >     modcall: group authorize returns ok
JL> >     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
JL> >     auth: Failed to validate the user.
JL> >     Delaying request 0 for 1 seconds
JL> >     Finished request 0
JL> >
JL> > Can someone PLEASE help me? I am probably doing something stupid, but desperately need help. I WILL EVEN PAY FOR SOMEONE WELL VERSED IN FREERADIUS TO CONSULT ON THE PHONE.
JL> >
JL> > Thanks,
JL> > Gary
JL> >
JL> > -
JL> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple cisco-avpair entries
Hi,

I am trying to create a new user with a few cisco-avpair attributes, but radius only replies with one of the values defined in the original users file.

    ciscouser Password == cisco
            Service-Type = Outbound-User,
            Cisco-AVPair = ipsec:key-exchange=ike,
            Cisco-AVPair = ipsec:addr-pool=ippool,
            Tunnel-Password = :1:ciscopass,
            Tunnel-Medium-Type = :1:IP,
            Tunnel-Type = :1:ESP

but radius only serves the first Cisco-AVPair attribute...

    [root@proxy raddb]# radtest 3000client cisco 127.0.0.1:1645 1 testing123
    Sending Access-Request of id 43 to 127.0.0.1:1645
            User-Name = ciscouser
            User-Password = \375ZQ\366}\375w\320\251;\360\345\223\266\r
            NAS-IP-Address = proxy.intra.csc.es
            NAS-Port = 1
    rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=43, length=98
            Service-Type = Outbound-User
            Filter-Id = std.ppp
            Cisco-AVPair = ipsec:key-exchange=ike
            Tunnel-Password:1 = ciscopass
            Tunnel-Medium-Type:1 = IP
            Tunnel-Type:1 = ESP
    [root@proxy raddb]#

Any ideas?

Regards,
Jordi

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MYSQL check_error: 1065 received
Well... I upgraded to freeradius 0.8, and it's ok now...

Genoud Richard wrote:

> hello everyone !
> I have freeradius 0.7.1 with the mysql module, and I get this error on a radclient request:
>
>     echo User-Name = user, Password=guess | radclient 127.0.0.1 auth guess
>
> I previously had a postgreSQL database, and I managed to get it running.
> I compiled the mysql module, changed the radius.conf file, set up my database... but there's still a problem. The DB seems to be ok: freeradius manages to connect to it, but there's this error.
> Anyone got an idea?
>
> Here's the log:
>
>     [...]
>     Module: Loaded SQL
>      sql: driver = rlm_sql_mysql
>      sql: server = 10.0.1.18
>      sql: port =
>      sql: login = dbuser
>      sql: password = guess
>      sql: radius_db = radiusdb
>      sql: acct_table = radacct
>      sql: acct_table2 = radacct
>      sql: authcheck_table = radcheck
>      sql: authreply_table = radreply
>      sql: groupcheck_table = radgroupcheck
>      sql: groupreply_table = radgroupreply
>      sql: usergroup_table = usergroup
>      sql: nas_table = nas
>      sql: dict_table = dictionary
>      sql: sqltrace = yes
>      sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
>      sql: deletestalesessions = yes
>      sql: num_sql_socks = 5
>      sql: sql_user_name = %{User-Name}
>      sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
>      sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
>      sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>      sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>      sql: authenticate_query =
>      sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
>      sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime = 0
>      sql: accounting_start_query = INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')
>      sql: accounting_start_query_alt = UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0
>      sql: accounting_stop_query = UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0
>      sql: accounting_stop_query_alt = INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '0', '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
Authenticating with MS-CHAP
I'm having trouble with MS-CHAP. I'm trying to authenticate with MS-CHAP, but I'm not very successful. I'm obviously missing a point here when it comes to authentication with MS-CHAP. I'm using freeradius 0.8 and radclient:

    echo User-Name = jonn, CHAP-Password = MEMEME | radclient -x xxx.xxx.xx.xxx:1812 auth testing123
    Sending Access-Request of id 112 to xxx.xxx.xx.xxx:1812
            User-Name = jonn
            CHAP-Password = 0x704552484cb6fb830e6584c947df285671
    rad_recv: Access-Reject packet from host xxx.xxx.xx.xxx:1812, id=112, length=20

The output of the radius server is:

    rad_recv: Access-Request packet from host xxx.xxx.xx.xxx:32778, id=112, length=45
            User-Name = jonn
            CHAP-Password = 0x704552484cb6fb830e6584c947df285671
    modcall: entering group authorize
      modcall[authorize]: module preprocess returns ok
        rlm_realm: No '@' in User-Name = jonn, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop
        users: Matched DEFAULT at 79
      modcall[authorize]: module files returns ok
      modcall[authorize]: module mschap returns notfound
    modcall: group authorize returns ok
      rad_check_password: Found Auth-Type MS-CHAP
    auth: type MS-CHAP
    modcall: entering group authenticate
      rlm_mschap: No LM/NT password configured. Check authorization.
      modcall[authenticate]: module mschap returns invalid
    modcall: group authenticate returns invalid
    auth: Failed to validate the user.

In the users file, I have the following:

    #
    # Please read the documentation file ../doc/processing_users_file,
    # or 'man 5 users' (after installing the server) for more information.
    #
    # This file contains authentication security and configuration
    # information for each user. Accounting requests are NOT processed
    # through this file. Instead, see 'acct_users', in this directory.
    #
    # The first field is the user's name and can be up to
    # 253 characters in length. This is followed (on the same line) with
    # the list of authentication requirements for that user. This can
    # include password, comm server name, comm server port number, protocol
    # type (perhaps set by the hints file), and huntgroup name (set by
    # the huntgroups file).
    #
    # If you are not sure why a particular reply is being sent by the
    # server, then run the server in debugging mode (radiusd -X), and
    # you will see which entries in this file are matched.
    #
    # When an authentication request is received from the comm server,
    # these values are tested. Only the first match is used unless the
    # Fall-Through variable is set to Yes.
Re: Authenticating with MS-CHAP
Dear Jonn-Erik Farmen,

First, MS-CHAP uses MS-CHAP-Password, not CHAP-Password attribute.
Second, in order to configure Password for user for MS-CHAP you need := operator instead of ==.

--Monday, December 9, 2002, 1:46:32 PM, you wrote to [EMAIL PROTECTED]:

JEF> I'm having trouble with MS-CHAP. I'm trying to authenticate with MS-CHAP, but I'm not very successful. I'm obviously missing a point here when it comes to authentication with MS-CHAP. I'm using freeradius 0.8 and radclient:
JEF>
JEF>     echo User-Name = jonn, CHAP-Password = MEMEME | radclient -x xxx.xxx.xx.xxx:1812 auth testing123
JEF>     Sending Access-Request of id 112 to xxx.xxx.xx.xxx:1812
JEF>             User-Name = jonn
JEF>             CHAP-Password = 0x704552484cb6fb830e6584c947df285671
JEF>     rad_recv: Access-Reject packet from host xxx.xxx.xx.xxx:1812, id=112, length=20
JEF>
JEF> The output of the radius server is:
JEF>
JEF>     rad_recv: Access-Request packet from host xxx.xxx.xx.xxx:32778, id=112, length=45
JEF>             User-Name = jonn
JEF>             CHAP-Password = 0x704552484cb6fb830e6584c947df285671
JEF>     modcall: entering group authorize
JEF>       modcall[authorize]: module preprocess returns ok
JEF>         rlm_realm: No '@' in User-Name = jonn, looking up realm NULL
JEF>         rlm_realm: No such realm NULL
JEF>       modcall[authorize]: module suffix returns noop
JEF>         users: Matched DEFAULT at 79
JEF>       modcall[authorize]: module files returns ok
JEF>       modcall[authorize]: module mschap returns notfound
JEF>     modcall: group authorize returns ok
JEF>       rad_check_password: Found Auth-Type MS-CHAP
JEF>     auth: type MS-CHAP
JEF>     modcall: entering group authenticate
JEF>       rlm_mschap: No LM/NT password configured. Check authorization.
JEF>       modcall[authenticate]: module mschap returns invalid
JEF>     modcall: group authenticate returns invalid
JEF>     auth: Failed to validate the user.
JEF>
JEF> In the users file, I have the following:
JEF>
JEF>     #
JEF>     # Please read the documentation file ../doc/processing_users_file,
JEF>     # or 'man 5 users' (after installing the server) for more information.
JEF>     #
JEF>     # This file contains authentication security and configuration
JEF>     # information for each user. Accounting requests are NOT processed
JEF>     # through this file. Instead, see 'acct_users', in this directory.
JEF>     #
JEF>     # The first field is the user's name and can be up to
JEF>     # 253 characters in length. This is followed (on the same line) with
JEF>     # the list of authentication requirements for that user. This can
JEF>     # include password, comm server name, comm server port number, protocol
JEF>     # type (perhaps set by the hints file), and huntgroup name (set by
JEF>     # the huntgroups file).
JEF>     #
JEF>     # If you are not sure why a particular reply is being sent by the
JEF>     # server, then run the server in debugging mode (radiusd -X), and
JEF>     # you will see which entries in this file are matched.
JEF>     #
JEF>     # When an authentication request is received from the comm server,
JEF>     # these values are tested. Only the first match is used unless the
JEF>     # Fall-Through variable is set to Yes.
Re[2]: Just plain problems
Sunday, December 8, 2002, 4:51:04 AM, [EMAIL PROTECTED] wrote:

Hey, Man. Alan didn't write rlm_dbm or the documentation for it. So all bugs and discrepancies belong to the authors of the module and documentation, see

    6. ACKNOWLEDGMENTS
    Author - Andrei Koulik [EMAIL PROTECTED]
    Documentation - Bjørn Nordbø [EMAIL PROTECTED]

Try to contact [EMAIL PROTECTED]. I am sure it will be more useful than public blame of the whole project and of Alan especially.

nmn> At 07:58 PM 12/7/2002 -0500, you wrote:
nmn> > First I cannot use rlm_dbm_parser to create a dbm file.
nmn>
nmn>   I don't use rlm_dbm, and the default configuration doesn't use it, either.
nmn>
nmn> > My second problem may be related to the first. After testing my configuration and plain text users file (which work without a hitch) I create a users.db file using builddbm, a program from an earlier version of radius (not FreeRadius). Then it won't work.
nmn>
nmn>   Do you run python programs through Perl, and complain when they don't work?
nmn>
nmn> > So that's the problem. Whenever I try to switch to dbm things fall apart. The strange thing is that I am using a radiusd.conf and users files from a working version of FreeRadius as my model.
nmn>
nmn>   So when you said you were using the default configuration that ships with the server, you lied.
nmn>
nmn>   Thanks. I don't think I'm interested in helping you much any more.
nmn>
nmn>   Alan DeKok.
nmn>
nmn> -
nmn> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple cisco-avpair entries
On Mon, Dec 09, 2002 at 11:32:22AM +0100, [EMAIL PROTECTED] wrote:
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Multiple cisco-avpair entries
>
> I am trying to create a new user with a few cisco-avpair attributes, but radius only replies with one of the values defined in the original users file.
>
>     ciscouser Password == cisco
>             Service-Type = Outbound-User,
>             Cisco-AVPair = ipsec:key-exchange=ike,
>             Cisco-AVPair = ipsec:addr-pool=ippool,
>             Tunnel-Password = :1:ciscopass,
>             Tunnel-Medium-Type = :1:IP,
>             Tunnel-Type = :1:ESP
>
> but radius only serves the first Cisco-AVPair attribute...

Take a look at man 5 users, operators section, after that try += instead of =

--
Best regards,
Alexey Chetroi

---
Smile... Tomorrow will be worse. (c) Murphy's law

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
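An added illustration of the operator rule the reply points at (this is example code, not FreeRADIUS's rlm_files): in reply items, "Attribute = Value" adds the attribute only if no attribute of that name is already in the reply, ":=" replaces any existing instance, and "+=" always appends another instance; "==" is a check operator and compares against the request. The block parses the entry from the post, evaluates the "Password == cisco" check against a constructed request, and builds the reply list first with the posted entry and then with "+=" on the two Cisco-AVPair lines. The parser handles only what that entry needs: no values containing commas, and the request dictionary uses the old attribute name "Password" for the cleartext password so the check can be evaluated directly.

```python
# Added example of the reply-item operators from man 5 users; not FreeRADIUS code.
import re

# attribute, operator, value. The operator is matched before the value so a value
# containing "=" (Cisco-AVPair = ipsec:key-exchange=ike) parses correctly.
PAIR_RE = re.compile(r'^\s*([\w\-]+)\s*(==|:=|\+=|=)\s*(.*?)\s*$')


def parse_pair(text):
    m = PAIR_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse attribute pair: {text!r}")
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_entry(entry):
    """Split one users-file entry into (name, check_items, reply_items).

    First line: name followed by comma-separated check items; continuation
    lines: comma-separated reply items. Values containing commas are not
    supported (the posted entry has none).
    """
    lines = [l for l in entry.splitlines() if l.strip()]
    head = lines[0].split(None, 1)
    name = head[0]
    check = [parse_pair(p) for p in head[1].split(",")] if len(head) > 1 else []
    reply_text = " ".join(l.strip() for l in lines[1:])
    reply = [parse_pair(p) for p in reply_text.split(",") if p.strip()]
    return name, check, reply


def check_items_match(check, request):
    """'==' must equal the request attribute. Other first-line operators set
    server-side items (Auth-Type, Simultaneous-Use ...) and are not compared."""
    for attr, op, value in check:
        if op == "==" and str(request.get(attr)) != value:
            return False
    return True


def apply_reply_items(reply, reply_list):
    for attr, op, value in reply:
        if op == "=":        # add only if the attribute is not in the reply yet
            if not any(a == attr for a, _ in reply_list):
                reply_list.append((attr, value))
        elif op == ":=":     # replace every existing instance
            reply_list[:] = [(a, v) for a, v in reply_list if a != attr]
            reply_list.append((attr, value))
        elif op == "+=":     # always add one more instance
            reply_list.append((attr, value))
        else:
            raise ValueError(f"{op!r} is a check operator, not valid in reply items")
    return reply_list


def process(entry, request):
    """Return the reply list if the entry matches the request, else None."""
    name, check, reply = parse_entry(entry)
    if name != "DEFAULT" and name != request.get("User-Name"):
        return None
    if not check_items_match(check, request):
        return None
    return apply_reply_items(reply, [])


# The entry from the post, and the same entry with the operator the reply recommends.
POSTED_ENTRY = """\
ciscouser Password == cisco
\tService-Type = Outbound-User,
\tCisco-AVPair = ipsec:key-exchange=ike,
\tCisco-AVPair = ipsec:addr-pool=ippool,
\tTunnel-Password = :1:ciscopass,
\tTunnel-Medium-Type = :1:IP,
\tTunnel-Type = :1:ESP
"""
FIXED_ENTRY = POSTED_ENTRY.replace("Cisco-AVPair =", "Cisco-AVPair +=")


def avpairs(entry, request):
    """Cisco-AVPair values the entry would put in the Access-Accept, or None on no match."""
    reply = process(entry, request)
    return None if reply is None else [v for a, v in reply if a == "Cisco-AVPair"]


if __name__ == "__main__":
    req = {"User-Name": "ciscouser", "Password": "cisco"}   # constructed request
    print("posted entry:", avpairs(POSTED_ENTRY, req))
    print("with +=     :", avpairs(FIXED_ENTRY, req))
```

The tag prefix (":1:") is kept as part of the value here; the server's own output shows it as "Tunnel-Password:1 = ciscopass", that is, as a tagged attribute rather than as text.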
EAP-TLS Problem
Hi,

I have a wireless network with a Cisco Aironet 350 AP and a Cisco card, and I use Win XP as supplicant. If I don't use (in Win XP) "the key is provided for me automatically" it's all ok. When I enable that option I have some problems: the authentication is ok, the Cisco AP writes status=EAP Authenticated, BOOTP/DHCP, but it's not possible to take the IP address with DHCP and the connection is not enabled; the Cisco Aironet client utilities indicate that the radio connection is good.

I have read that in the authentication exchange freeradius sends the session key (with MPPE) to the AP. It's possible that I have not configured the Cisco AP or Freeradius in the right manner.

Thanks
Daniele Brevi

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Account Help
Hi,

I'm a new user of Radius and I'm getting some problems. I have XtRadius version xtradius-1.0beta3-3, and when I'm doing accounting my script doesn't work.

If I use this users file:

    42: DEFAULT Acct-Status-Type = "Stop"
    43:         Exec-Program-Account = "/usr/lib/cgi-bin/account.pl %u"
    44:
    45: DEFAULT NAS-Port-Type = 16, Auth-Type = External
    46:         Exec-Program-Wait = "/usr/lib/cgi-bin/autentica.pl %u %w",
    47:         Service-Type = Framed-User,
    48:         Framed-Protocol = PPP,
    49:         Class = ALF,
    50:         Fall-Through = 0

I get this:

    /usr/sbin/radiusd -sfxxyz -l STDOUT
    [/etc/raddb/hints:42] WARNING: Check item "Exec-Program-Account" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items.

or if I use this users file:

    42: DEFAULT Acct-Status-Type = "Stop", Exec-Program-Account = "/usr/lib/cgi-bin/account.pl %u"
    43:
    44:
    45: DEFAULT NAS-Port-Type = 16, Auth-Type = External
    46:         Exec-Program-Wait = "/usr/lib/cgi-bin/autentica.pl %u %w",
    47:         Service-Type = Framed-User,
    48:         Framed-Protocol = PPP,
    49:         Class = ALF,
    50:         Fall-Through = 0

I get this, but no accounts were saved:

    /usr/sbin/radiusd -sfxxyz -l STDOUT
    Starting - reading configuration files ...
    Ready to process requests.
    radrecv: Request from host 10.5.108.73 code=4, id=6, length=58
            User-Name = "[EMAIL PROTECTED]"
            Acct-Status-Type = Stop
            Acct-Session-Id = "2368"
            NAS-Port-Type = 16
    users: Matched DEFAULT at 42
    Sending Accounting Ack of id 6 to 10.5.108.73 (nas alefalcao)

The script is working fine; if I run "/usr/lib/cgi-bin/autentica.pl alfspsp" the account is saved.

Is it possible for anybody to help me?

Alex
Re: EAP-TLS Problem
hi the thread name is actually wrong since this is not a problem in EAP-TLS. I have a wireless network with cisco aironet 350 AP and a cisco card and I use win xp as supplicant. If I don't use (in win XP) the the key is provided for me automatically it's all ok. nice, so EAP-TLS is working just fine. what you want is dynamic wep keys. When I enable that option I have same problems, the authentication is ok the cisco ap write status=EAP Authenticated, BOOTP/DHCP but it's not possible take the ip address with the DHCP and the connection is not enable, the cisco aironet client utilities indicate that the radio connection is good. exactly, because the WEP keys are not the same at the supplicant and the client (ap). I have read that in the authentication exchange freeradius send the session key (with MPPE) at the AP. It's possible that I have not configured the cisco AP or Freeradius in the right manner. very probably even. in the future requests, please provide the version of freeradius and the complete debug output (radiusd -s -X). however, you have a good basis for succeeding, so further requests might not be necessary :-) your EAP-TLS authentication works fine, you say. congratulation, since that's the difficult part of the whole story. now just grab the newest version of FR available, compile the rlm_eap_tls, verify that you have some *mppe*.c files in the concerned directory and that there are no compilation/linking errors. then, start the new server and look at the radiusd -s -X output. if the Access-Accept sent to the AP350 contains two MPPE-*-Key attributes with values, everything should be ok for freeradius so far (when updating, update the dictionaries too). then, you only need to alter the config of the AP350 appropriately (activate encryption and either provide a wep-key in the Slot1 or set the broadcast key rotation interval to 0). greetings artur -- Artur Hecker artur[at]hecker.info - List info/subscribe/unsubscribe? 
See http://www.freeradius.org/list/users.html
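Artur's check is to look for two MPPE-*-Key attributes, each with a value, in the Access-Accept shown by radiusd -s -X. As an added example (not part of Artur's post and not FreeRADIUS code), here is a small Python scanner that performs that check over saved debug output. The sample output it runs on is constructed for the example; the attribute names MS-MPPE-Recv-Key and MS-MPPE-Send-Key are the names from the FreeRADIUS Microsoft dictionary, and the function and regex names are my own.

```python
import re

# Constructed sample of "radiusd -s -X" output (not a real capture): the
# Access-Accept after a successful EAP-TLS exchange, carrying the two
# MS-MPPE-*-Key attributes the AP needs to derive dynamic WEP keys, followed
# by an unrelated Access-Reject that must be ignored.
SAMPLE_DEBUG = """\
modcall: group authenticate returns ok
Sending Access-Accept of id 7 to 192.0.2.10:1645
        MS-MPPE-Recv-Key = 0x8e01b2c3d4e5f60718293a4b5c6d7e8f
        MS-MPPE-Send-Key = 0x1f2e3d4c5b6a79880716253443526170
        EAP-Message = 0x03070004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "alice"
Finished request 7
Sending Access-Reject of id 8 to 192.0.2.10:1645
        EAP-Message = 0x04080004
Finished request 8
"""

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")


def accepts_with_mppe_keys(debug_output):
    """Return a list of (packet id, has_recv_key, has_send_key), one per
    Access-Accept found in radiusd -X output.  Both flags must be True for
    the AP to receive keying material; a missing or empty key means the
    supplicant and AP end up with different WEP keys."""
    results = []
    current = None                      # [id, recv_ok, send_ok] while inside an Accept
    for line in debug_output.splitlines():
        m = SEND_RE.match(line)
        if m:
            if current:
                results.append(current)
            # only Access-Accept packets carry keys; other packet types are skipped
            current = [m.group(2), False, False] if m.group(1) == "Access-Accept" else None
            continue
        m = ATTR_RE.match(line)
        if current is not None and m:
            name, value = m.group(1), m.group(2).strip()
            # a key attribute counts only if it carries a non-empty value
            if name == "MS-MPPE-Recv-Key" and value not in ("", "0x"):
                current[1] = True
            elif name == "MS-MPPE-Send-Key" and value not in ("", "0x"):
                current[2] = True
        elif current is not None and not line.startswith((" ", "\t")):
            # first non-indented line ends the attribute list of this packet
            results.append(current)
            current = None
    if current:
        results.append(current)
    return [tuple(r) for r in results]


if __name__ == "__main__":
    for pkt_id, recv_ok, send_ok in accepts_with_mppe_keys(SAMPLE_DEBUG):
        status = "ok" if recv_ok and send_ok else "MISSING MPPE KEY"
        print(f"Access-Accept id={pkt_id}: recv={recv_ok} send={send_ok} -> {status}")
```

Run it over the saved output of radiusd -s -X; an Access-Accept that reports either flag False matches the symptom in this thread (EAP authenticated, but no DHCP because the AP never received the keying material).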
Re: Authenticating with MS-CHAP (fwd)
Dear Jonn-Erik Farmen,

First, MS-CHAP uses MS-CHAP-Password, not CHAP-Password attribute. Second, in order to configure Password for user for MS-CHAP you need := operator instead of ==.

--Monday, December 9, 2002, 1:46:32 PM, you wrote to [EMAIL PROTECTED]:

JEF> Thank you for your response,
JEF> I wasn't able to see that MS-CHAP-Password was among the standard RADIUS attributes, and replacing == with := in the users file didn't help much:
JEF>
JEF>   # echo User-Name = jonn, MS-CHAP-Password = MEMEME | radclient -x xxx.xxx.xxx.xxx:1812 auth testing123
JEF>   radclient:Unknown attribute MS-CHAP-Password
JEF>
JEF> I'm having trouble with MS-CHAP. I'm trying to authenticate with MS-CHAP, but I'm not very successful. I'm obviously missing a point here when it comes to authentication with MS-CHAP. I'm using freeradius 0.8 and radclient:
JEF>
JEF>   echo User-Name = jonn, CHAP-Password = MEMEME | radclient -x xxx.xxx.xx.xxx:1812 auth testing123
JEF>   Sending Access-Request of id 112 to xxx.xxx.xx.xxx:1812
JEF>           User-Name = jonn
JEF>           CHAP-Password = 0x704552484cb6fb830e6584c947df285671
JEF>   rad_recv: Access-Reject packet from host xxx.xxx.xx.xxx:1812, id=112, length=20
JEF>
JEF> The output of the radius server is:
JEF>
JEF>   rad_recv: Access-Request packet from host xxx.xxx.xx.xxx:32778, id=112, length=45
JEF>           User-Name = jonn
JEF>           CHAP-Password = 0x704552484cb6fb830e6584c947df285671
JEF>   modcall: entering group authorize
JEF>   modcall[authorize]: module preprocess returns ok
JEF>   rlm_realm: No '@' in User-Name = jonn, looking up realm NULL
JEF>   rlm_realm: No such realm NULL
JEF>   modcall[authorize]: module suffix returns noop
JEF>   users: Matched DEFAULT at 79
JEF>   modcall[authorize]: module files returns ok
JEF>   modcall[authorize]: module mschap returns notfound
JEF>   modcall: group authorize returns ok
JEF>   rad_check_password: Found Auth-Type MS-CHAP
JEF>   auth: type MS-CHAP
JEF>   modcall: entering group authenticate
JEF>   rlm_mschap: No LM/NT password configured. Check authorization.
JEF>   modcall[authenticate]: module mschap returns invalid
JEF>   modcall: group authenticate returns invalid
JEF>   auth: Failed to validate the user.
JEF>
JEF> In the users file, I have the following:
JEF>
JEF>   #
JEF>   # Please read the documentation file ../doc/processing_users_file,
JEF>   # or 'man 5 users' (after installing the server) for more information.
JEF>   #
JEF>   # This file contains authentication security and configuration
JEF>   # information for each user. Accounting requests are NOT processed
JEF>   # through this file. Instead, see 'acct_users', in this directory.
JEF>   #
JEF>   # The first field is the user's name and can be up to
JEF>   # 253 characters in length. This is followed (on the same line) with
JEF>   # the list of authentication requirements for that user. This can
JEF>   # include password, comm server name, comm server port number, protocol
JEF>   # type (perhaps set by the hints file), and huntgroup name (set by
JEF>   # the huntgroups file).
JEF>   #
JEF>   # If you are not sure why a particular reply is being sent by the
JEF>   # server, then run the server in debugging mode (radiusd -X), and
JEF>   # you will see which entries in this file are matched.
JEF>   #
JEF>   # When an authentication request is received from the comm server,
JEF>   # these values are tested. Only the first match is used unless the
JEF>   # Fall-Through variable is set to Yes.
Re[2]: Authenticating with MS-CHAP
Dear Jonn-Erik Farmen,

It was my fault, I meant the MS-CHAP-Response attribute. Anyway, it will not be easy to test MS-CHAP with radtest, because MS-CHAP-Response is not some kind of password; it's composed as a DES hash of MS-CHAP-Challenge and the NT and LM hashes of the password (NT is the MD4 hash of the Unicode password, LM is a DES hash of the OEM password). So you have some reading tonight (RFC 2433 and RFC 2548) if you wanna calculate MS-CHAP-Response manually.

--Monday, December 9, 2002, 5:19:44 PM, you wrote to [EMAIL PROTECTED]:

JEF> On Mon, 9 Dec 2002, 3APA3A wrote:
JEF>
JEF> > Dear Jonn-Erik Farmen,
JEF> > First, MS-CHAP uses MS-CHAP-Password, not CHAP-Password attribute. Second, in order to configure Password for user for MS-CHAP you need := operator instead of ==.
JEF> > --Monday, December 9, 2002, 1:46:32 PM, you wrote to [EMAIL PROTECTED]:
JEF>
JEF> Thank you for your response,
JEF> I wasn't able to see that MS-CHAP-Password was among the standard RADIUS attributes, and replacing == with := in the users file didn't help much:
JEF>
JEF>   # echo User-Name = jonn, MS-CHAP-Password = MEMEME | radclient -x xxx.xxx.xxx.xxx:1812 auth testing123
JEF>   radclient:Unknown attribute MS-CHAP-Password
JEF>
JEF> I'm having trouble with MS-CHAP. I'm trying to authenticate with MS-CHAP, but I'm not very successful. I'm obviously missing a point here when it comes to authentication with MS-CHAP.
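To make 3APA3A's description concrete, here is an added Python example (my own code, not from the thread and not FreeRADIUS source) computing the NT hash he mentions: MD4 over the UTF-16LE ("Unicode") encoding of the password. MD4 is implemented in pure Python per RFC 1320 so the example does not depend on hashlib exposing the legacy md4 digest. The DES challenge-response step of RFC 2433 is not shown; the function names are my own.

```python
import struct

# Pure-Python MD4 (RFC 1320).  Written out here because many OpenSSL builds
# no longer expose md4 through hashlib.
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_round(a, b, c, d, f, X, order, shifts, const):
    # 16 steps per round.  The register names rotate after every step so that
    # one formula covers the ABCD / DABC / CDAB / BCDA pattern of the RFC.
    for i, k in enumerate(order):
        t = (a + f(b, c, d) + X[k] + const) & _MASK
        a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
    return a, b, c, d


def md4(data):
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    # padding: 0x80, zeros up to 56 mod 64, then the bit length little-endian
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        a, b, c, d = _md4_round(a, b, c, d, F, X, range(16), (3, 7, 11, 19), 0)
        a, b, c, d = _md4_round(a, b, c, d, G, X,
                                [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                                (3, 5, 9, 13), 0x5A827999)
        a, b, c, d = _md4_round(a, b, c, d, H, X,
                                [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                                (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE encoding of the password, with no salt.
    This is the value the server needs (or must be able to derive from a
    cleartext password) before it can verify an MS-CHAP response."""
    return md4(password.encode("utf-16-le"))


if __name__ == "__main__":
    # Constructed demo password, not a value from the thread.
    print("NT hash of 'password':", nt_hash("password").hex())
```

Two things follow for a users file. First, the log line "rlm_mschap: No LM/NT password configured" is the server saying it has neither hash and no cleartext password for the matched entry, so there is nothing to compute the expected response against. Second, the NT hash is unsalted and password-equivalent, so a file or table that stores it needs the same access controls as one storing cleartext passwords.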
Re[2]: Just plain problems
Let's take what I said step by step and see where I blamed the whole project and/or Alan.

> First I cannot use rlm_dbm_parser to create a dbm file.

That is a simple statement of fact. I didn't elaborate in that email because I had given more detail in earlier emails. And if you will read the entire thread, you will see that I never blamed anyone or anything for this situation. I presented facts and asked questions. I thought that is how you debugged things.

> My second problem may be related to the first. After testing my configuration and plain text users file (which work without a hitch) I create a users.db file using builddbm, a program from an earlier version of radius (not FreeRadius).

Again a simple statement of fact to help Alan understand what I had tried. I didn't say it was supposed to work, I just stated that I had tried it. I guess a cynical eye could take the statement "which worked without a hitch" as a criticism, but it was again just a statement of fact to let Alan know that the entire installation wasn't broken, but that some things worked.

> So that's the problem. Whenever I try to switch to dbm things fall apart. The strange thing is that I am using a radiusd.conf and users files from a working version of FreeRadius as my model.

Again a simple statement of fact. I freely admitted that things go awry when I tried to make the change to using dbm. Again, if you will read the entire thread you will see that I several times admitted that it was probably something I was doing that was causing the problem.

My problem is that Alan, after offering his services for hire, took statements that have to be twisted dramatically to even begin to be considered critical or confrontational, was condescending and even called me a liar. I NEVER did anything except state facts and ask questions. If Alan felt that this was a problem he didn't want to tackle, all he had to do was politely state "I don't think I can help you with this issue."
Remember, I was responding to Alan's OFFER of his services for hire. I didn't demand his services; I had merely stated in several emails that I was even willing to pay someone for help, and he responded. I might not have been clear in outlining EVERY step that I took, but I was trying to present enough facts while still being brief. And new facts were developing as time passed. I wasn't sitting on my hands between emails waiting for someone to solve my problem, I was trying different things. I have no doubt that this may have confused the matter somewhat. But I was doing the best I could with what information I had available.

Gary

At 01:55 PM 12/9/2002 +0300, you wrote:

> Sunday, December 8, 2002, 4:51:04 AM, [EMAIL PROTECTED] wrote:
>
> Hey, Man. Alan didn't write rlm_dbm and the documentation for it. So all bugs and discordancy belong to the authors of the module and documentation, see 6. ACKNOWLEDGMENTS: Author - Andrei Koulik [EMAIL PROTECTED]; Documentation - Bjørn Nordbø [EMAIL PROTECTED]. Try to contact [EMAIL PROTECTED]. I am sure it will be more useful than public blame of the whole project and Alan especially.
>
> nmn
>
> > At 07:58 PM 12/7/2002 -0500, you wrote:
> > > First I cannot use rlm_dbm_parser to create a dbm file.
> >
> > I don't use rlm_dbm, and the default configuration doesn't use it, either.
> >
> > > My second problem may be related to the first. After testing my configuration and plain text users file (which work without a hitch) I create a users.db file using builddbm, a program from an earlier version of radius (not FreeRadius).
> >
> > Then it won't work. Do you run python programs through Perl, and complain when they don't work?
> >
> > > So that's the problem. Whenever I try to switch to dbm things fall apart. The strange thing is that I am using a radiusd.conf and users files from a working version of FreeRadius as my model.
> >
> > So when you said you were using the default configuration that ships with the server, you lied. Thanks. I don't think I'm interested in helping you much any more.
> >
> > Alan DeKok.
Re: Re[2]: Just plain problems
[EMAIL PROTECTED] wrote:
> Let's take what I said step by step and see where I blamed the whole project and/or Alan.

You said you couldn't get something to work. I'm not disagreeing with that. My point, that I've said repeatedly, is that I can't help you with rlm_dbm questions.

> Again a simple statement of fact. I freely admitted that things go awry when I tried to make the change to using dbm. Again if you will read the entire thread you will see that I several times admitted that it was probably something I was doing that was causing the problem.

And I said repeatedly, if you're having problems with it, to NOT use rlm_dbm. I don't think many people here can help you with questions about that module.

> My problem is that Alan, after offering his services for hire took statements that have to be twisted dramatically to even begin to be considered critical or confrontational, was condescending and even called me a liar.

<shrug> You said at one point what you wanted to do (without referencing dbm, or other FreeRADIUS internals). You said you hadn't changed the default configuration that the server ships with. You then said you had tried using the DBM module. At the minimum, you're disagreeing with yourself. My response then, as now, is that the default configuration shipped with the server does what you claimed you wanted. I have no clue why you're stuck on using the DBM module.

> If Alan felt that this was a problem he didn't want to tackle, all he had to do was politely state "I don't think I can help you with this issue." Remember, I was responding to Alan's OFFER of his services for hire. I didn't demand his services, I had merely stated in several emails that I was even willing to pay someone for help and he responded.

I responded, saying I was willing to help. You responded, with contradictory stories about what you were doing. I declined to participate further.

> I wasn't sitting on my hands between emails waiting for someone to solve my problem, I was trying different things.
> I have no doubt that this may have confused the matter somewhat.

Exactly. If you can't tell a consistent story about what you're doing, then how the hell do you expect anyone else to understand it, and to help you?

> But I was doing the best I could with what information I had available.

I don't deny that. But with the information you've given me, I'm confused as to what you're doing, and why. And I'm doubly confused as to why you're spending time arguing with me, instead of using a solution I proposed to get your system working.

Get off the DBM bandwagon. I don't know why you're so horny about using it, and I don't care. Understand how the server works FIRST, and THEN try something more complicated.

Alan DeKok.
Re: Just plain problems
Simon wrote:
> Look, there are plenty of people using FreeRadius successfully. I got it set up with MySQL and I have never configured a radius server before. It wasn't too hard.

Alan wrote:
> Yeah, but you had probably installed and configured software before. There's a certain sub-set of people who expect that installing complicated servers should be blindingly obvious, even if they've never seen a computer before.

I had never installed nor configured software on a Linux box in my life. In fact, I hadn't used Unix for nearly 10 years (and even then I was far from expert) and had never used Linux. I bought a second hand PC, bought the Red Hat Linux 7.2 Bible, and got Linux running. I downloaded FreeRADIUS and MySQL and configured and installed both with help from the FreeRADIUS FAQ, the included docs, this mailing list archive and other sources easily found on the web. I got FreeRADIUS up and running with very few problems. All it takes is some reading, some experimenting and some patience if this is new to you. If I can do this, anybody can.

Many thanks to Alan, Chris and so many of the rest of you that contribute to this project.

Steve Coleman
users file replacement with sql_check and sql_reply
Is it possible to replace "users" file functionality like:

    Prefix == "pref_"
    Auth-Type := PAP
    Compression := Van-Jacobson-TCP-IP

with values returned by sql_check and sql_reply?

Thanks in advance,
B.
HInts, Huntgroups and Users Files
Good morning,

I am very new to Radius Server and especially new to freeradius. I have inherited a very old Ascend Radius Server that is running on a SUN box. I want to move this to Linux and run it under freeradius. The USERS file on the Sun box is just a flat text file, which contains the usernames, passwords, and attributes such as Framed-Protocol, Filter-ID, etc., but it appears that freeradius handles things differently. If the username and passwords are not placed in the users file, then where are they put? The "How the USERS file is processed" states "After the items of a request have been mangled by the "hints" and "huntgroups" files, the users file is processed." What does this mean? Do I put the username and passwords in the "hints" file or what?

Can anyone help me out here?

Thanks
Ken
Re: HInts, Huntgroups and Users Files
At 08:46 AM 12/9/2002 -0800, Miller, Kenneth L NWP wrote:
> Good morning, I am very new to Radius Server and especially new to freeradius. I have inherited a very old Ascend Radius Server that is running on a SUN box. I want to move this to Linux and run it under freeradius. The USERS file on the Sun box is just a flat text file, which contains the usernames, passwords, and attributes such as Framed-Protocol, Filter-ID, etc., but it appears that freeradius handles things differently. If the username and passwords are not placed in the users file, then where are they put? The "How the USERS file is processed" states "After the items of a request have been mangled by the hints and huntgroups files, the users file is processed." What does this mean? Do I put the username and passwords in the hints file or what?

No, it uses a users file in the same way as your old Ascend Radius server. It has the additional files hints and huntgroups which *may* be used, but are definitely not required in a basic config. In fact, if you aren't using them, comment their contents out entirely.

You should be able to modify the Ascend users file to be used under FreeRADIUS. Note that the syntax is slightly different under FreeRADIUS and that some of the attribute names may be changed slightly. IE: Framed-Address becomes Framed-IP-Address under FreeRADIUS.

If your Ascend file looks like:

    someuser    Password = letmein
                Framed-Address = 255.255.255.254
                Framed-Netmask = 255.255.255.255
    ...

You could convert it to FreeRADIUS syntax:

    someuser    Auth-Type := LOCAL, User-Password == letmein
                Framed-IP-Address = 255.255.255.254
                Framed-IP-Netmask = 255.255.255.255

(Note the 'operators' :=, ==, = have different meanings!)

Hope this helps,
-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
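The conversion Chris describes can be scripted. The following is an added Python example (my own code, not Chris's and not part of FreeRADIUS) that rewrites an Ascend-style users file into the FreeRADIUS syntax from his message: Password on the first line becomes Auth-Type := LOCAL, User-Password == ..., the two attribute renames he names are applied, and reply items keep the plain = operator. The sample input is constructed; the RENAMES table, ITEM_RE and the function names are my own, and any further attribute names your Ascend file uses would need adding to RENAMES.

```python
import re

# Constructed Ascend-style users file in the layout Chris describes: user
# name and check items on the first line, reply items indented below.
ASCEND_USERS = """\
someuser\tPassword = letmein
\tFramed-Address = 255.255.255.254
\tFramed-Netmask = 255.255.255.255

another\tPassword = s3cret
\tFramed-Protocol = PPP
\tFilter-Id = "std.in"
"""

# Attribute renames from Chris's message (assumed to be the only ones needed here).
RENAMES = {
    "Framed-Address": "Framed-IP-Address",
    "Framed-Netmask": "Framed-IP-Netmask",
}

# One "Attr = value" item; quoted values may contain commas, bare ones may not.
ITEM_RE = re.compile(r"\s*([\w-]+)\s*=\s*(\"[^\"]*\"|[^,]+)")


def parse_items(text):
    """Split 'A = x, B = y' into [(A, x), (B, y)], keeping quoted values intact."""
    return [(m.group(1), m.group(2).strip()) for m in ITEM_RE.finditer(text)]


def convert_entry(first_line, reply_lines):
    """Convert one entry: returns the FreeRADIUS text for it."""
    user, sep, checks = first_line.partition("\t")
    if not sep:                                   # space-separated variant
        user, sep, checks = first_line.partition(" ")
    check_items = []
    for attr, value in parse_items(checks):
        if attr == "Password":
            # Check items select the entry: ':=' sets Auth-Type, '==' compares
            # the password the user supplied (Chris's example).
            check_items += [("Auth-Type", ":=", "LOCAL"), ("User-Password", "==", value)]
        else:
            check_items.append((RENAMES.get(attr, attr), "==", value))
    out = [user + "\t" + ", ".join(f"{a} {op} {v}" for a, op, v in check_items)]
    for line in reply_lines:
        # Reply items keep the plain '=' operator (added to the reply).
        out += [f"\t{RENAMES.get(a, a)} = {v}" for a, v in parse_items(line)]
    return "\n".join(out)


def convert_users_file(text):
    """Convert a whole file; entries are separated by non-indented lines."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            current[1].append(line.strip())
        else:
            if current:
                entries.append(convert_entry(*current))
            current = (line, [])
    if current:
        entries.append(convert_entry(*current))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(convert_users_file(ASCEND_USERS))
```

Note that the converted file still holds every password in cleartext after User-Password ==, exactly as the Ascend file did, so it needs the same restrictive file permissions; the script only changes syntax, not what is stored.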
Re: HInts, Huntgroups and Users Files
If you installed freeradius into linux then look at man 5 users. If you still have questions then you are welcome to send email =)

PS. Also see the sample users file which came with freeradius.

Evren

On Mon, 9 Dec 2002, Miller, Kenneth L NWP wrote:
> Good morning, I am very new to Radius Server and especially new to freeradius. I have inherited a very old Ascend Radius Server that is running on a SUN box. I want to move this to Linux and run it under freeradius. The USERS file on the Sun box is just a flat text file, which contains the usernames, passwords, and attributes such as Framed-Protocol, Filter-ID, etc., but it appears that freeradius handles things differently. If the username and passwords are not placed in the users file, then where are they put? The "How the USERS file is processed" states "After the items of a request have been mangled by the hints and huntgroups files, the users file is processed." What does this mean? Do I put the username and passwords in the hints file or what? Can anyone help me out here?
>
> Thanks
> Ken
usage.cgi problems
Has anyone worked up a new variation of the usage.cgi script that will allow users to check their usage online? I can't seem to get mine working properly.

Thanks,
Scott
Re: usage.cgi problems
At 11:27 AM 12/9/2002 -0700, Scott Miller wrote:
> Has anyone worked up a new variation of the usage.cgi script that will allow users to check their usage online? I can't seem to get mine working properly.

See the 'dialup_admin' project which is packaged with the server.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: config/link help
[EMAIL PROTECTED] wrote:
> When i start freeradius i get this message below. I can authenticate through mysql using -X or -xx and can still authenticate after calling radiusd.
> ...

Grab the CVS snapshot tomorrow. It should have the bug fixed.

Alan DeKok.
Re: Max-Daily-Session and counter module
On Sun, 8 Dec 2002, Oliver Zimmermann wrote:

> I have the problem understanding how the counter module works. Let's say I want to provide a Maximum Daily Session limit of 3600 seconds for a user on freeradius-0.7. Is the following scenario right? (sorry I can't test it for the moment):
>
> users file:
> --
> DEFAULT    Max-Daily-Session = 3600
>            Fall-Through = 1
>
> John_D     Password = FZ768wRll, NAS-IP-Address = 214.32.39.2, Simultaneous-Use = 1
>            Service-Type = Framed-User,
>            Framed-Protocol = PPP,
>            Framed-IP-Address = 255.255.255.254,
>            Framed-MTU = 1500,
>            Idle-Timeout = 3600,
>            Port-Limit = 1
> ...
>
> radiusd.conf:
> ...
> counter {
>         filename = ${raddbdir}/db.counter
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = daily
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         allowed-servicetype = Framed-User
>         cache-size = 5000
> }
>
> authorize {
>         counter
>         suffix
>         files

The counter module should come *after* the files module so that Max-Daily-Session has been set when it runs. Also add the counter module in the instantiate section.

> }
>
> accounting {
>         detail
>         counter
>         unix
>         radutmp
> }
>
> session {
>         radutmp
> }
> ---
>
> If someone knows how to realize the same with Daily-Session-Time, that is appreciated too.
>
> Thank you
> Oliver

--
Kostas Kalevras           Network Operations Center
[EMAIL PROTECTED]         National Technical University of Athens, Greece
Work Phone:               +30 210 7721861
'Go back to the shadow'   Gandalf
Re: Max-Daily-Session and counter module
On Mon, 9 Dec 2002, oz wrote:

> Oliver Zimmermann wrote:
> > I have the problem understanding how the counter module works. Let's say I want to provide a Maximum Daily Session limit of 3600 seconds for a user on freeradius-0.7. Is the following scenario right? (sorry I can't test it for the moment):
> >
> > users file:
> > --
> > DEFAULT    Max-Daily-Session = 3600
> >            Fall-Through = 1
> >
> > John_D     Password = FZ768wRll, NAS-IP-Address = 214.32.39.2, Simultaneous-Use = 1
> >            Service-Type = Framed-User,
> >            Framed-Protocol = PPP,
> >            Framed-IP-Address = 255.255.255.254,
> >            Framed-MTU = 1500,
> >            Idle-Timeout = 3600,
> >            Port-Limit = 1
> > ...
>
> Hi,
> I tested this setup now with a Max-Daily-Session = 3, to provoke a reject - but I still get Login OK. In the logs I saw "rlm_counter: Could not find Check item value pair" and "modcall[accounting]: module counter returns noop", which I cannot interpret.

The counter module will do some work on an accounting-stop, not an accounting-start.

> Irritating for me is the line "rlm_counter: Counter attribute Daily-Session-Time is number 1063" because it has this value in every session.

That's the number assigned to the Daily-Session-Time attribute, you shouldn't worry about it.

> Please take a look on the session log, thanks in advance:
>
> starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = /usr/local
>  main: localstatedir = /usr/local/var
>  main: logdir = /usr/local/var/log/radius
>  main: libdir = /usr/local/lib
>  main: radacctdir = /usr/local/var/log/radius/radacct
>  main: hostname_lookups = no
> read_config_files: reading dictionary
> read_config_files: reading clients
> read_config_files: reading realms
> read_config_files: reading naslist
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_auth = yes
>  main: log_auth_badpass = yes
>  main: log_auth_goodpass = no
>  main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
>  main: user = root
>  main: group = root
>  main: usercollide = no
>  main: lower_user = no
>  main: lower_pass = no
>  main: nospace_user = no
>  main: nospace_pass = no
>  main: proxy_requests = no
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  security: max_attributes = 200
>  security: reject_delay = 1
>  main: debug_level = 0
> read_config_files: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded System
>  unix: cache = no
>  unix: passwd = /etc/passwd
>  unix: shadow = /etc/shadow
>  unix: group = /etc/group
>  unix: radwtmp = /usr/local/var/log/radius/radwtmp
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded Counter
>  counter: filename = /usr/local/etc/raddb/db.counter
>  counter: key = User-Name
>  counter: reset = daily
>  counter: count-attribute = Acct-Session-Time
>  counter: counter-name = Daily-Session-Time
>  counter: check-name = Max-Daily-Session
>  counter: allowed-servicetype = Framed-User
>  counter: cache-size = 5000
> rlm_counter: Counter attribute Daily-Session-Time is number 1063
> rlm_counter: Current Time: 1039422801, Next reset 1039474800
> Module: Instantiated counter (counter)
> Module: Loaded realm
>  realm: format = suffix
>  realm: delimiter = @
> Module: Instantiated realm (suffix)
> Module: Loaded files
>  files: usersfile = /usr/local/etc/raddb/users
>  files: acctusersfile = /usr/local/etc/raddb/acct_users
>  files: compat = cistron
> auth_type_fixup: Auth-Type [1000]
> auth_type_fixup: Password [2]
> auth_type_fixup: NAS-IP-Address [4]
> auth_type_fixup: Simultaneous-Use [1034]
> auth_type_fixup: Auth-Type [1000]
> auth_type_fixup: Password [2]
> auth_type_fixup: Simultaneous-Use [1034]
> auth_type_fixup: Auth-Type [1000]
> auth_type_fixup: Password [2]
> auth_type_fixup: NAS-IP-Address [4]
> auth_type_fixup: Simultaneous-Use [1034]
> [/usr/local/etc/raddb/users]:4 Cistron compatibility checks for entry DEFAULT ...
> ?Changing 'Max-Daily-Session =' to 'Max-Daily-Session +='
> [/usr/local/etc/raddb/users]:7 Cistron compatibility checks for entry U.Abdinghoff ...
> ?Changing 'Password =' to 'Password =='
> ?Changing 'NAS-IP-Address =' to 'NAS-IP-Address =='
> ?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
> [/usr/local/etc/raddb/users]:15 Cistron compatibility checks for entry helinet010 ...
> ?Changing 'Password =' to 'Password =='
> ?Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
> [/usr/local/etc/raddb/users]:23 Cistron
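To see why Kostas's two points (run counter after files, and count on Accounting-Stop only) make the difference between Oliver's "Login OK" and the reject he expected, here is an added Python model of rlm_counter's behaviour. It is my own toy code, not the module's source, and uses the settings from the counter {} block quoted in this thread. It assumes: the check item Max-Daily-Session must already be in the check list when counter runs in authorize, otherwise the module reports "Could not find Check item value pair" and returns noop, as in Oliver's log; only Accounting-Stop packets add Acct-Session-Time to the counter; reset = daily wipes the counter at midnight; and (my assumption about the real module) that an accepted login gets Session-Timeout capped to the remaining allowance. The user name John_D is taken from Oliver's users file; the timestamps and session lengths are constructed.

```python
from datetime import datetime, timedelta

# Settings from the radiusd.conf counter {} block quoted in the thread.
KEY = "User-Name"
COUNT_ATTRIBUTE = "Acct-Session-Time"
COUNTER_NAME = "Daily-Session-Time"
CHECK_NAME = "Max-Daily-Session"
ALLOWED_SERVICETYPE = "Framed-User"


def next_daily_reset(now):
    """reset = daily: the counter is wiped at the next local midnight."""
    return (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


class DailyCounter:
    """Toy model of rlm_counter (not the module's own code)."""

    def __init__(self, now):
        self.used = {}                       # User-Name -> seconds used today
        self.next_reset = next_daily_reset(now)

    def _reset_if_due(self, now):
        if now >= self.next_reset:
            self.used.clear()
            self.next_reset = next_daily_reset(now)

    def authorize(self, request, check, reply, now):
        """Mirror the module's return code in the authorize section."""
        self._reset_if_due(now)
        if CHECK_NAME not in check:
            # "rlm_counter: Could not find Check item value pair": nothing to
            # enforce yet, so the module returns noop and the login proceeds.
            return "noop"
        remaining = check[CHECK_NAME] - self.used.get(request[KEY], 0)
        if remaining <= 0:
            return "reject"
        # Assumption about the module: cap Session-Timeout so the NAS drops the
        # session when the daily allowance runs out.
        reply["Session-Timeout"] = min(reply.get("Session-Timeout", remaining), remaining)
        return "ok"

    def accounting(self, request, now):
        """Only an Accounting-Stop carries a final Acct-Session-Time, so only
        Stop packets add to the counter; a Start returns noop (Kostas's point).
        The allowed-servicetype check is applied here, a simplification."""
        self._reset_if_due(now)
        if request.get("Acct-Status-Type") != "Stop":
            return "noop"
        if request.get("Service-Type") != ALLOWED_SERVICETYPE:
            return "noop"
        user = request[KEY]
        self.used[user] = self.used.get(user, 0) + int(request.get(COUNT_ATTRIBUTE, 0))
        return "ok"


def files_module(check, reply):
    """Stand-in for rlm_files reading Oliver's DEFAULT entry with
    Max-Daily-Session = 3 (the value he used to provoke a reject)."""
    check[CHECK_NAME] = 3
    reply["Service-Type"] = "Framed-User"


def run_logins(counter_before_files, session_seconds=2, logins=3):
    """Simulate repeated logins, each followed by an Accounting-Stop, with the
    authorize section ordered either {counter, files} or {files, counter}.
    Returns the counter module's return code for each login."""
    now = datetime(2002, 12, 9, 9, 33, 21)        # constructed local time
    counter = DailyCounter(now)
    outcomes = []
    for _ in range(logins):
        request, check, reply = {"User-Name": "John_D"}, {}, {}
        if counter_before_files:                  # Oliver's order
            rc = counter.authorize(request, check, reply, now)
            files_module(check, reply)
        else:                                     # Kostas's order
            files_module(check, reply)
            rc = counter.authorize(request, check, reply, now)
        outcomes.append(rc)
        if rc != "reject":
            counter.accounting({"User-Name": "John_D", "Acct-Status-Type": "Stop",
                                "Service-Type": "Framed-User",
                                "Acct-Session-Time": session_seconds}, now)
        now += timedelta(minutes=5)
    return outcomes


def reset_demo():
    """reset = daily: a user who used up today's allowance is rejected until
    midnight, then gets the full Session-Timeout again."""
    t0 = datetime(2002, 12, 9, 9, 0, 0)
    counter = DailyCounter(t0)
    counter.accounting({"User-Name": "John_D", "Acct-Status-Type": "Stop",
                        "Service-Type": "Framed-User", "Acct-Session-Time": 3600}, t0)
    check, reply = {CHECK_NAME: 3600}, {}
    before = counter.authorize({"User-Name": "John_D"}, check, reply, t0 + timedelta(hours=1))
    after = counter.authorize({"User-Name": "John_D"}, check, reply, datetime(2002, 12, 10, 0, 0, 1))
    return before, after, reply.get("Session-Timeout")


if __name__ == "__main__":
    print("counter before files:", run_logins(counter_before_files=True))
    print("files before counter:", run_logins(counter_before_files=False))
    print("daily reset:", reset_demo())
```

With counter listed before files, every authorize call returns noop because the check item is not there yet, which is exactly Oliver's symptom; with files first, the third login is rejected once the two earlier Stop records have pushed the daily total past 3 seconds.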
please kindly get back to me
REQUEST FOR URGENT BUSINESS ASSISTANCE
--

Your contact was availed to me by the chamber of commerce. It was given to me because of my diplomatic status as I did not disclose the actual reasons for which I sought your contact. But I was assured That you are reputable and trustworthy if you will be of assistance.

I am Laurent Mpeti Kabila (Jnr) the second son of Late President LAURENT DESIRE KABILA the immediate Past president of the DEMOCRATIC REPUBLIC OF CONGO in Africa who was murdered by his opposition through his personal bodyguards in his bedroom on Tuesday 16th January, 2001.

I have the privilege of being mandated by my father colleagues to seek your immediate and urgent co-operation to receive into your bank account the sum of US $25m.(twenty-five million Dollars) and some thousands carats of Diamond. This money and treasures was lodged in a vault with a security firm in Europe and South-Africa.

SOURCES OF DIAMONDS AND FUND

In August 2000, my father as a defence minister and president has a meeting with his cabinet and armychief about the defence budget for 2000 to 2001 which was US $700m. so he directed one of his best friend. Frederic Kibasa Maliba who was a minister of mines and a political party leader known as the Union Sacree de, I opposition radicale et ses allies (USORAL) to buy arms with US $200m on 5th January 2001; for him to finalized the arms deal, my father was murdered. f.K. Maliba (FKM) and I have decided to keep the money with a foreigner after which he will use it to contest for the political election. Inspite of all this we have resolved to present your or your company for the firm to pay it into your nominated account the above sum and diamonds. This transaction should be finalized within seven (7) working days and for your co-operation and partnership, we have unanimously agreed that you will be entitled to 5.5% of the money when successfully receive it in your account.

The nature of your business is not relevant to the successful execution of this transaction what we require is your total co-operation and commitment to ensure 100% risk-free transaction at both ends and to protect the persons involved in this transaction, strict confidence and utmost secrecy is required even after the successful conclusion of this transaction. If this proposal is acceptable to you, kindly provide me with your personal telephone and fax through my E-mail box for immediate commencement of the transaction. All correspondence is for the attention of my counsel: I count on your honour to keep my secret, SECRET.

Looking forward for your urgent reply Thanks.

Best Regards
MPETI L. KABILA (Jnr)
Re: usage.cgi problems
I'm not finding it. I've looked in /usr/local/src and in my /var/www/cgi-bin, but found nothing about dialup_admin. I am running:

ICRadius 0.17b
RedHat 7.2 (all updates)
MySQL 3.23.28

Thanks,
Scott Miller

----- Original Message -----
From: Chris Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 09, 2002 11:35 AM
Subject: Re: usage.cgi problems

At 11:27 AM 12/9/2002 -0700, Scott Miller wrote:
Has anyone worked up a new variation of the usage.cgi script that will allow users to check their usage online? I can't seem to get mine working properly.

See the 'dialup_admin' project which is packaged with the server.

-Chris
--
StarNet Inc. - Chris Parker, Director, Engineering
WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: usage.cgi problems
Scott Miller [EMAIL PROTECTED] wrote:
I'm not finding it. I've looked in /usr/local/src and in my /var/www/cgi-bin, but found nothing about dialup_admin. I am running: ICRadius 0.17b

Then why are you asking questions on the FreeRADIUS list?

Alan DeKok.
RE: usage.cgi problems
Hello,

From what I read in the proxy file, after the huntgroups file is processed it's off to the realm for proxy. Here is my issue.

Today I have freeradius .8 allowing certain NPANXX from the Calling-Station-ID attribute when you come from a tollfree number, i.e.:

DEFAULT Called-Station-ID =~ 800|888|866, Calling-Station-ID =~ NPANXX
        Fall-Through = No

This works great. We are being merged into another Radius implementation that does not have the ability to filter on Calling-Station-ID. I would like to frontend the lesser implementation with freeradius such that I can filter the Calling-Station-ID as before (to reject any NPANXX not on the list) and then, after processing the users file, proceed to proxy (based on realm) to the lesser implementation.

Currently I have:

authorize {
    preprocess
    files
    sql
}

How do I replace sql with the proxy process? Can I do that?

Thanks,
John
Proxy Config Using Auth Attributes
Is it possible to set up proxy radius not based so much on realms but based on key/value pairs in the authentication packets? For example, I have many resellers and I need to be able to proxy requests based on DNIS (CalledStationID) or even just the last 4 digits of the DNIS.
FreeRADIUS not authing via SQL
Greetings;

I've been trying to make FR auth using its SQL module (through MySQL to be specific) and am having no luck whatsoever. I've thoroughly consulted the frontios.com/freeradius.html documentation and just can't seem to make this work. I swear, if someone helps me work this out, I'll write the freakin' FreeRADIUS SQL auth documentation myself, 'cos this is bugging me.

The relevant parts of the radiusd.conf:

authorize {
    preprocess
    suffix
    sql
    files
}
authentication {
}
preacct {
    preprocess
    suffix
    files
}
accounting {
    acct_unique
    detail
    unix    # wtmp file
    sql
    radutmp
}

My SQL data:

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | testuser | dynamic   |
+----+----------+-----------+

mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value    |
+----+----------+-----------+----+----------+
|  2 | testuser | Password  | == | testpass |
+----+----------+-----------+----+----------+

mysql> select * from radgroupreply;
+----+-----------+--------------------+----+---------------------+------+
| id | GroupName | Attribute          | op | Value               | prio |
+----+-----------+--------------------+----+---------------------+------+
|  1 | dynamic   | Auth-Type          | := | Local               |    0 |
|  2 | dynamic   | Service-Type       | =  | Framed-User         |    0 |
|  3 | dynamic   | Framed-Protocol    | =  | PPP                 |    0 |
|  4 | dynamic   | Framed-Compression | =  | Van-Jacobsen-TCP-IP |    0 |
|  5 | dynamic   | Framed-MTU         | =  | 1500                |    0 |
+----+-----------+--------------------+----+---------------------+------+

The command I'm using to test:

[jphindin@server bin]$ ./radtest testuser testpass localhost 66 *password*
Sending Access-Request of id 251 to 127.0.0.1:1812
        User-Name = testuser
        User-Password = \017j\264\354\345\300\311\311\014\317j\215a\310cM
        NAS-IP-Address = server
        NAS-Port = 66
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=251, length=20

The relevant 'radiusd -X' output:

rad_recv: Access-Request packet from host 127.0.0.1:33643, id=102, length=60
        User-Name = testuser
        User-Password = testpass
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 66
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
radius_xlat: 'testuser'
rlm_sql (sql): sql_set_user escaped user -- 'testuser'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns ok
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
auth: Failed to validate the user.
Login incorrect: [testuser/testpass] (from client localhost port 66)

JP
radiusd.conf
Hello!

Can someone send me a radiusd.conf example that would show a connection for an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm currently a wireless provider going to dial-up also. When I try to connect, the Cisco box says that it can't find the Radius server. I have port 1645 loaded on both units as well as the key secret. I'm thinking I'm still missing something in the radiusd.conf file.

Thanks,
Bill
Re: usage.cgi problems
yep, you're right, wrong list. Sorry about my oversight.

Scott

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 09, 2002 2:21 PM
Subject: Re: usage.cgi problems

Scott Miller [EMAIL PROTECTED] wrote:
I'm not finding it. I've looked in /usr/local/src and in my /var/www/cgi-bin, but found nothing about dialup_admin. I am running: ICRadius 0.17b

Then why are you asking questions on the FreeRADIUS list?

Alan DeKok.
RE: radiusd.conf
This doesn't exactly answer your question, but I found it helpful. Go to www.dialways.com and download radping. It is a win client to test radius servers. Once you get that working, then worry about your cisco box.

Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill
Sent: Monday, December 09, 2002 5:01 PM
To: [EMAIL PROTECTED]
Subject: radiusd.conf

Hello! Can someone send me a radiusd.conf example that would show a connection for an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm currently a wireless provider going to dial-up also. When I try to connect, the Cisco box says that it can't find the Radius server. I have port 1645 loaded on both units as well as the key secret. I'm thinking I'm still missing something in the radiusd.conf file.

Thanks,
Bill
Re: radiusd.conf
On Mon, 09 Dec 2002 17:01:05 -0600 Bill [EMAIL PROTECTED] wrote:
Hello! Can someone send me a radiusd.conf example that would show a connection for an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm currently a wireless provider going to dial-up also. When I try to connect, the Cisco box says that it can't find the Radius server. I have port 1645 loaded on both units as well as the key secret. I'm thinking I'm still missing something in the radiusd.conf file. Thanks,

Greetings,

Did you specify port 1645 on your FreeRadius daemon? By default it uses port 1812 for authentication.

--
William Ragsdale, Server Administrator
NetOne Communications, Inc. - http://www.netonecom.net
2186 US 10, Sears, MI 49679
Work: 231-734-2917 / FAX: 231-734-6395
Office Hours 10AM - 7PM
Re: radiusd.conf
good point, cisco uses 1645 by default if you don't specify it in the configuration. =)

Evren

On Mon, 9 Dec 2002, William Ragsdale wrote:
On Mon, 09 Dec 2002 17:01:05 -0600 Bill [EMAIL PROTECTED] wrote:
Hello! Can someone send me a radiusd.conf example that would show a connection for an AS5200 or similar? I have FreeRadius running on Suse 8.0. I'm currently a wireless provider going to dial-up also. When I try to connect, the Cisco box says that it can't find the Radius server. I have port 1645 loaded on both units as well as the key secret. I'm thinking I'm still missing something in the radiusd.conf file. Thanks,

Greetings,

Did you specify port 1645 on your FreeRadius daemon? By default it uses port 1812 for authentication.

--
William Ragsdale, Server Administrator
NetOne Communications, Inc. - http://www.netonecom.net
2186 US 10, Sears, MI 49679
Work: 231-734-2917 / FAX: 231-734-6395
Office Hours 10AM - 7PM
Can't authenticate with MySQL
I have got FR 0.8 MySQL up and running on LINUX 8, but I cannot authenticate. Where am I going wrong?

Mike Paneth

I issue the following test message

[root@Psyche root]# radtest root emptar1 localhost 0 testing123

and get the following response

Sending Access-Request of id 197 to 127.0.0.1:1812
        User-Name = root
        User-Password = \303\343W\035W\376\372\016\277\315\311x\220\341\255-
        NAS-IP-Address = Psyche
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=197, length=20

[root@Psyche root]# radtest bob bobbob localhost 0 testing123
Sending Access-Request of id 201 to 127.0.0.1:1812
        User-Name = bob
        User-Password = \272-\207W\306\206\372\316\200\214\202q\002WeQ
        NAS-IP-Address = Psyche
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=201, length=20

The user bob has been set up on MySQL

mysql> select * from radcheck;
+----+----------+-----------+--------+------+
| id | UserName | Attribute | Value  | op   |
+----+----------+-----------+--------+------+
|  1 | bob      | password  | bobbob | NULL |
+----+----------+-----------+--------+------+
1 row in set (0.00 sec)

mysql> select * from radacct;
Empty set (0.00 sec)

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | bob      | dynamic   |
+----+----------+-----------+
1 row in set (0.00 sec)

Looking at the FR dialog I get the following.

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=201, length=55
        User-Name = bob
        User-Password = bobbob
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = bob, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
radius_xlat: 'bob'
rlm_sql (sql): sql_set_user escaped user -- 'bob'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'bob' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql: The 'op' field for attribute 'password = bobbob' is NULL, or non-existent.
rlm_sql: You MUST FIX THIS if you want the configuration to behave as you expect.
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bob' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'bob' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'bob' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module sql returns ok
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Re: Can't authenticate with MySQL
do you think it's even checking the mysql database? did you try to run freeradius with the -xx option? by the way, the op field should be := shouldn't it?

Evren

On Tue, 10 Dec 2002, Mike Paneth wrote:
I have got FR 0.8 MySQL up and running on LINUX 8, but I cannot authenticate. Where am I going wrong?

Mike Paneth

I issue the following test message

[root@Psyche root]# radtest root emptar1 localhost 0 testing123

and get the following response

Sending Access-Request of id 197 to 127.0.0.1:1812
        User-Name = root
        User-Password = \303\343W\035W\376\372\016\277\315\311x\220\341\255-
        NAS-IP-Address = Psyche
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=197, length=20

[root@Psyche root]# radtest bob bobbob localhost 0 testing123
Sending Access-Request of id 201 to 127.0.0.1:1812
        User-Name = bob
        User-Password = \272-\207W\306\206\372\316\200\214\202q\002WeQ
        NAS-IP-Address = Psyche
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=201, length=20

The user bob has been set up on MySQL

mysql> select * from radcheck;
+----+----------+-----------+--------+------+
| id | UserName | Attribute | Value  | op   |
+----+----------+-----------+--------+------+
|  1 | bob      | password  | bobbob | NULL |
+----+----------+-----------+--------+------+
1 row in set (0.00 sec)

mysql> select * from radacct;
Empty set (0.00 sec)

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | bob      | dynamic   |
+----+----------+-----------+
1 row in set (0.00 sec)

Looking at the FR dialog I get the following.

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=201, length=55
        User-Name = bob
        User-Password = bobbob
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = bob, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
radius_xlat: 'bob'
rlm_sql (sql): sql_set_user escaped user -- 'bob'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'bob' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql: The 'op' field for attribute 'password = bobbob' is NULL, or non-existent.
rlm_sql: You MUST FIX THIS if you want the configuration to behave as you expect.
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bob' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'bob' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'bob' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module sql returns ok
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
dictionary...
Hello list,

I have just built Freeradius on a FreeBSD with support for postgres. The system builds ok but I cannot find any information about how to load the dictionary into the sql table (dictionary). Would someone send me an example of how the table would be? A 'select * from dictionary' would help...

Thanks for any help.
:= or ==
so what would it matter if it is := ? I use that one in my conf files? I checked man 5 users but it is not very clear to me what it means by 'replaces' etc.

Evren

On Mon, 9 Dec 2002, Ray wrote:
On Monday 09 December 2002 6:51, you wrote:
[root@Psyche root]# radtest root emptar1
Sending Access-Request of id 197 to 127.0.0.1:1812
        User-Name = root
rad_recv: Access-Accept packet from host
[root@Psyche root]# radtest bob bobbob
Sending Access-Request of id 201 to 127.0.0.1:1812
        User-Name = bob
rad_recv: Access-Reject packet from host
The user bob has been set up on MySQL
mysql> select * from radcheck;
+----+----------+-----------+--------+------+
| id | UserName | Attribute | Value  | op   |
|  1 | bob      | password  | bobbob | NULL |
1 row in set (0.00 sec)

the op in radcheck should be == (though := and the others are valid)

mysql> select * from radacct;

radacct is just an accounting table, radtest normally doesn't cause anything to show up here, nor do you normally manually add anything to it.

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
|  1 | bob      | dynamic   |

is there anything setup in radgroupcheck or radgroupreply? if not, then there isn't much point in assigning groups. though you could just do something like

mysql> insert into radgroupreply values (null, 'dynamic', 'Framed-MTU', '576', ':=');

modcall: entering group authenticate
modcall[authenticate]: module unix returns notfound

it says bob/bobbob is not a user on your machine, but since you're trying to auth via MySQL you probably aren't looking to auth via real users. if so then in radius.conf you should comment out the unix from the auth section.

i've only been playing with FR for the past few months, a few hours here and there. so don't assume i know what i'm talking about, but if it works for you, then great.
Re: := or ==
the only thing that seems to give any clue for := vs == is doc/rlm_attr_filter

[snip]
o The operators used for specifying the attributes are as follows:

    =   - NOT ALLOWED. If used, it becomes ==
    :=  - Set ( used to ensure a specific a/v is present )
    ==  - Equal ( exact )
    =*  - Always Equal ( will allow all values for attribute )
    !*  - Always Not Equal ( will block all values for attribute )
    !=  - Not equal
    >=  - Greater than or equal to
    <=  - Less than or equal to
    >   - Greater than
    <   - Less than

If you have regular expressions enabled you also have:

    =~  - Regular expression equal
    !~  - Regular expression not equal
[/snip]

so in theory, if these operators are the same everywhere (just an assumption, but i don't feel like digging into the source to find out for sure) then a radcheck with password := 123456 would set the password to 123456 and password == 123456 would see if the password is 123456

On Monday 09 December 2002 8:03, you wrote:
so what would it matter if it is := ? I use that one in my conf files? I checked man 5 users but it is not very clear to me what it means by 'replaces' etc.

Evren
freeradius using PAM to authenticate thru NT domain
Hello guys,

I am trying to configure a freeradius server to authenticate users in an NT Domain. I am using RedHat 7.3, but I am a newbie with smb related things. I don't understand PAM very well, so I don't know if my PAM_SMB configuration is working (I did it using authconfig). Anybody can send me a working radiusd PAM file (my files are above)? Is this way (freeradius - PAM - pam_smb - NT Domain) the best way to authenticate these users? I see in the experimental.conf about a SMB authentication type, but I don't know how to use it.

Please, any comments, links, howto, anything are welcome. :)

Rodolfo

My radiusd PAM file is:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

and the system-auth PAM file is:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_smb_auth.so use_first_pass nolocal
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
Re: := or ==
I don't understand actually, if == checks if the a/v is 'equal' then it must also ensure that it is present. About := replacing passwords =) I feel like from another planet. It might only work in a reply item I think. Wouldn't the person authenticate all the time if it was replacing the a/v pairs in the request? Anyhow I will change to == just to obey the standards although I think := is working also for me...

Evren

On Mon, 9 Dec 2002, Ray a PowerWeb Tech wrote:
the only thing that seems to give any clue for := vs == is doc/rlm_attr_filter

[snip]
o The operators used for specifying the attributes are as follows:

    =   - NOT ALLOWED. If used, it becomes ==
    :=  - Set ( used to ensure a specific a/v is present )
    ==  - Equal ( exact )
    =*  - Always Equal ( will allow all values for attribute )
    !*  - Always Not Equal ( will block all values for attribute )
    !=  - Not equal
    >=  - Greater than or equal to
    <=  - Less than or equal to
    >   - Greater than
    <   - Less than

If you have regular expressions enabled you also have:

    =~  - Regular expression equal
    !~  - Regular expression not equal
[/snip]

so in theory, if these operators are the same everywhere (just an assumption, but i don't feel like digging into the source to find out for sure) then a radcheck with password := 123456 would set the password to 123456 and password == 123456 would see if the password is 123456

On Monday 09 December 2002 8:03, you wrote:
so what would it matter if it is := ? I use that one in my conf files? I checked man 5 users but it is not very clear to me what it means by 'replaces' etc.

Evren
Re: := or ==
both are right, but they have their place (assuming i'm reading the docs right, and assuming my other assumptions about it are correct) := in the replies and == in the checks unless you're doing something that the check needs to be something else. i agree, i can't see using anything other than := in the replies.

On Monday 09 December 2002 8:19, you wrote:
I don't understand actually, if == checks if the a/v is 'equal' then it must also ensure that it is present. About := replacing passwords =) I feel like from another planet. It might only work in a reply item I think. Wouldn't the person authenticate all the time if it was replacing the a/v pairs in the request? Anyhow I will change to == just to obey the standards although I think := is working also for me...

Evren

On Mon, 9 Dec 2002, Ray a PowerWeb Tech wrote:
the only thing that seems to give any clue for := vs == is doc/rlm_attr_filter

[snip]
o The operators used for specifying the attributes are as follows:

    =   - NOT ALLOWED. If used, it becomes ==
    :=  - Set ( used to ensure a specific a/v is present )
    ==  - Equal ( exact )
    =*  - Always Equal ( will allow all values for attribute )
    !*  - Always Not Equal ( will block all values for attribute )
    !=  - Not equal
    >=  - Greater than or equal to
    <=  - Less than or equal to
    >   - Greater than
    <   - Less than

If you have regular expressions enabled you also have:

    =~  - Regular expression equal
    !~  - Regular expression not equal
[/snip]

so in theory, if these operators are the same everywhere (just an assumption, but i don't feel like digging into the source to find out for sure) then a radcheck with password := 123456 would set the password to 123456 and password == 123456 would see if the password is 123456

On Monday 09 December 2002 8:03, you wrote:
so what would it matter if it is := ? I use that one in my conf files? I checked man 5 users but it is not very clear to me what it means by 'replaces' etc.

Evren
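An added example, not code from this thread or from FreeRADIUS, tying Mike's "op field is NULL" debug output to the `:=` vs `==` discussion above: it rebuilds the radcheck/usergroup/radgroupcheck/radgroupreply tables in sqlite3, runs the same authorize queries that rlm_sql logged, drops any check row whose op is NULL or not one of the operators Ray quoted from doc/rlm_attr_filter (which is why such a row contributes nothing and the request falls through to the DEFAULT entry), and shows an audit query plus the repair to `==`. All rows are constructed here; the column layout follows the tables posted above.

```python
"""Offline reproduction of the rlm_sql 'authorize' lookups shown in this thread.

Constructed for this example; not FreeRADIUS code. The SQL text is copied from
the radiusd -X output above, with the user name as a bind parameter. Sample rows
mirror the two posts: 'bob' with op NULL (as posted) and 'testuser' with '=='.
"""
import sqlite3

# Check-item operators from doc/rlm_attr_filter as quoted in the thread.
# A bare "=" is listed there as "NOT ALLOWED", so it is deliberately absent.
CHECK_OPS = {":=", "==", "=*", "!*", "!=", ">=", "<=", ">", "<", "=~", "!~"}

RADCHECK_SQL = ("SELECT id,UserName,Attribute,Value,op FROM radcheck "
                "WHERE Username = ? ORDER BY id")
RADGROUPCHECK_SQL = (
    "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
    "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup "
    "WHERE usergroup.Username = ? AND usergroup.GroupName = radgroupcheck.GroupName "
    "ORDER BY radgroupcheck.id")
RADGROUPREPLY_SQL = (
    "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,"
    "radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup "
    "WHERE usergroup.Username = ? AND usergroup.GroupName = radgroupreply.GroupName "
    "ORDER BY radgroupreply.id")


def build_db():
    """In-memory copies of the tables from the thread, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,
                               Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE usergroup (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, op TEXT, Value TEXT, prio INTEGER);
        -- Mike's row exactly as posted: no operator at all.
        INSERT INTO radcheck VALUES (1, 'bob', 'password', NULL, 'bobbob');
        -- JP's row, with the '==' the thread settles on for check items.
        INSERT INTO radcheck VALUES (2, 'testuser', 'Password', '==', 'testpass');
        INSERT INTO usergroup VALUES (1, 'bob', 'dynamic');
        INSERT INTO usergroup VALUES (2, 'testuser', 'dynamic');
        INSERT INTO radgroupreply VALUES (1, 'dynamic', 'Service-Type', '=', 'Framed-User', 0);
        INSERT INTO radgroupreply VALUES (2, 'dynamic', 'Framed-Protocol', '=', 'PPP', 0);
        INSERT INTO radgroupreply VALUES (3, 'dynamic', 'Framed-MTU', ':=', '576', 0);
    """)
    return conn


def load_check_items(conn, username):
    """Collect (attribute, op, value) check items for a user.

    Rows with a NULL or unrecognised op are skipped and reported, which is what
    the "The 'op' field for attribute ... is NULL, or non-existent." line in
    Mike's debug output means: the row is warned about and then not used.
    """
    items, warnings = [], []
    for sql in (RADCHECK_SQL, RADGROUPCHECK_SQL):
        for _id, _owner, attr, value, op in conn.execute(sql, (username,)):
            if op is None or op not in CHECK_OPS:
                warnings.append(f"The 'op' field for attribute '{attr} = {value}' "
                                "is NULL, or non-existent.")
                continue
            items.append((attr, op, value))
    return items, warnings


def load_reply_items(conn, username):
    """Group reply items, in the order the radgroupreply query returns them."""
    return [(attr, op, value) for _id, _grp, attr, value, op
            in conn.execute(RADGROUPREPLY_SQL, (username,))]


def audit_check_ops(conn):
    """(UserName, Attribute) of every radcheck row whose op would be ignored."""
    rows = conn.execute("SELECT UserName, Attribute, op FROM radcheck ORDER BY id")
    return [(user, attr) for user, attr, op in rows
            if op is None or op not in CHECK_OPS]


def set_check_op(conn, username, attribute, op):
    """Give a radcheck row an explicit check operator; returns rows updated."""
    if op not in CHECK_OPS:
        raise ValueError(f"{op!r} is not a check-item operator")
    cur = conn.execute(
        "UPDATE radcheck SET op = ? WHERE UserName = ? AND Attribute = ?",
        (op, username, attribute))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("rows with an unusable op:", audit_check_ops(db))
    for user in ("bob", "testuser"):
        checks, warns = load_check_items(db, user)
        print(f"{user}: check items {checks}, warnings {warns}")
    set_check_op(db, "bob", "password", "==")
    print("bob after fix:", load_check_items(db, "bob"))
    print("bob reply items:", load_reply_items(db, "bob"))
```

Running the audit against a real radcheck table before restarting radiusd catches the NULL-op rows that otherwise surface only as an Access-Reject plus a warning buried in `radiusd -X` output.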
set up question
Hello! I have a question. I have a Cisco AS5200. It was suggested that I place the public IPs into the AS5200, however there are provisions in freeradius to do this also. Which is the correct way, put the public IPs into the RAS or the radius?

Thanks,
Bill