Multiple Password Files
I have been trying to get

[EMAIL PROTECTED] to authenticate from /etc/shadow1
[EMAIL PROTECTED] to authenticate from /etc/shadow2

for a while but don't know how. Does freeradius allow this?

Surely multiple password files/databases/locations would be supported, since many ISPs with resellers would want this.

Craig.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Trying to do accounting on freeradius+mysql
Well, if I am not mistaken, you can see in dialupadmin the daily totals etc. But again, if I am not mistaken, there are mysql commands for adding up the search results. You should either figure out the mysql commands from the mysql manual or dig into the dialup_admin files to find how it's doing it, then you write your own scripts or use the same commands.

Perhaps somebody else on the list might have more information but I just wanted to write a quick reply. =)

Evren

On Tue, 21 Jan 2003, Iq wrote:

> Hi Everyone,
> I have setup freeradius+mysql fairly easy with the following links.
> http://www.ccs.neu.edu/home/peterm/freeradiusbuild.html
> http://www.frontios.com/freeradius.html
>
> I did connect for a while to my POP as well using mysql at the backend. But
> I don't know how to do accounting. I did setup dialup_admin
> www.dialup.goldenwireless.com.au
> but I am doing something wrong there, as it is not working properly. I have
> all the values in the radacct table but I don't know how to calculate the time a
> customer is on and the data he has utilized.
> "iraja" is the username that gets connected to the server; the rest of the
> usernames are just wrong attempts.
>
> mysql> select * from radacct;
>
> | RadAcctId | AcctSessionId | AcctUniqueId | UserName | Realm | NASIPAddress | NASPortId | NASPortType | AcctStartTime | AcctStopTime | AcctSessionTime | AcctAuthentic | ConnectInfo_start | ConnectInfo_stop | AcctInputOctets | AcctOutputOctets | CalledStationId | CallingStationId | AcctTerminateCause | ServiceType | FramedProtocol | FramedIPAddress | AcctStartDelay | AcctStopDelay |
> | 1 | 71000344 | | p.richardson | | 203.14.183.2 | 16 | Async | -00-00 00:00:00 | 2002-11-26 22:26:56 | 2197 | RADIUS | | 49333 LAPM/V42BIS | 434240 | 3449921 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.82 | 0 | 45 |
> | 2 | 7100034B | | iraja | | 203.14.183.2 | 12 | Async | 2002-11-26 22:27:39 | 2002-11-26 22:29:08 | 89 | RADIUS | 38666 LAPM/V42BIS | 24000 LAPM/V42BIS | 1399 | 1064 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.68 | 0 | 0 |
> | 3 | 7100033F | | mbc | | 203.14.183.2 | 0 | Async | -00-00 00:00:00 | 2002-11-26 22:30:45 | 4705 | RADIUS | | 49333 LAPM/V42BIS | 179854 | 1081219 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.84 | 0 | 0 |
> | 4 | 7100034C | | iraja | | 203.14.183.2 | 11 | Async | 2002-11-26 22:30:46 | 2002-11-26 22:36:12 | 326 | RADIUS | 52000 LAPM/V42BIS | 52000 LAPM/V42BIS | 159179 | 1355687 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.87 | 0 | 0 |
> | 5 | 71000348 | | colrado | | 203.14.183.2 | 6 | Async | -00-00 00:00:00 | 2002-11-26 22:31:29 | 847 | RADIUS | | 52000 LAPM/V42BIS | 30517 | 245308 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.75 | 0 | 0 |
> | 6 | 71000341 | | arma | | 203.14.183.2 | 14 | Async | -00-00 00:00:00 | 2002-11-26 22:33:25 | 3580 | RADIUS | | 26400 LAPM/V42BIS | 617265 | 4066119 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.79 | 0 | 0 |
> | 7 | 71000345 | | hjbems | | 203.14.183.2 | 5 | Async | -00-00 00:00:00 | 2002-11-26 22:33:37 | 1988 | RADIUS | | 4 LAPM/V42BIS | 517318 | 6394135 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.94 | 0 | 0 |
Re: HELP: EAP/TLS - XP
hi,

thanks for looking at the matter, Artur.

> in fact, unless you shortened your post, there seems to be two requests
> one after another or am i wrong? because radius actually doesn't do
> anything about the wrong request. it denies the next one... well, it's
> perhaps normal.

well strange is (or is it a normal retry?), that it has two rad_recv of id=95, one at (*A*) and then the other one at (*B*). then he is sending the reject message on the line (*E*) to id=95, but it is not clear to which.

However, I think the problem really is between line (*C*) and (*D*), which prevents me from getting an Access-Accept.

This error seems to happen from time to time, I've found another post in the mailing list (http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11598.html). But there isn't a solution (or even a guess, as to where it comes from) around.

Advice is appreciated.

david

rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180 (*A*)
    User-Name = "Hera"
    NAS-IP-Address = 10.56.56.201
    Called-Station-Id = "00-02-2d-48-6d-89"
    Calling-Station-Id = "00-05-3c-06-6e-61"
    NAS-Identifier = "hercules"
    State = 0xcbc90276b2c75bcf69c846a00bbb35e62f922b3ea0b9afaf4605a59f14b2fa8fc483abdc
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = "\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g"
    Message-Authenticator = 0x9095e69b06f47161b67f54139c32e1ef
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "Hera", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched Hera at 98
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
<<< TLS 1.0 Alert [length 0002], fatal access_denied (*C*)
TLS Alert read:fatal:access denied
2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
rlm_eap_tls: SSL_read Error
Error code is . 6
SSL Error . 6
rlm_eap_tls: BIO_read Error
Error code is . 5
Error in SSL . 5 (*D*)
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180 (*B*)
Sending Access-Reject of id 95 to 10.56.56.201:6001 (*E*)
    EAP-Message = "\004\007\000\004"
    Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 91 with timestamp 3e2b922e
Cleaning up request 7 ID 92 with timestamp 3e2b922e
Cleaning up request 8 ID 93 with timestamp 3e2b922e
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 94 with timestamp 3e2b922f
Cleaning up request 10 ID 95 with timestamp 3e2b922f
Nothing to do. Sleeping until we see a request.
Trying to do accounting on freeradius+mysql
Hi Everyone,

I have setup freeradius+mysql fairly easy with the following links.
http://www.ccs.neu.edu/home/peterm/freeradiusbuild.html
http://www.frontios.com/freeradius.html

I did connect for a while to my POP as well using mysql at the backend. But I don't know how to do accounting. I did setup dialup_admin
www.dialup.goldenwireless.com.au
but I am doing something wrong there, as it is not working properly. I have all the values in the radacct table but I don't know how to calculate the time a customer is on and the data he has utilized.

"iraja" is the username that gets connected to the server; the rest of the usernames are just wrong attempts.

mysql> select * from radacct;

| RadAcctId | AcctSessionId | AcctUniqueId | UserName | Realm | NASIPAddress | NASPortId | NASPortType | AcctStartTime | AcctStopTime | AcctSessionTime | AcctAuthentic | ConnectInfo_start | ConnectInfo_stop | AcctInputOctets | AcctOutputOctets | CalledStationId | CallingStationId | AcctTerminateCause | ServiceType | FramedProtocol | FramedIPAddress | AcctStartDelay | AcctStopDelay |
| 1 | 71000344 | | p.richardson | | 203.14.183.2 | 16 | Async | -00-00 00:00:00 | 2002-11-26 22:26:56 | 2197 | RADIUS | | 49333 LAPM/V42BIS | 434240 | 3449921 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.82 | 0 | 45 |
| 2 | 7100034B | | iraja | | 203.14.183.2 | 12 | Async | 2002-11-26 22:27:39 | 2002-11-26 22:29:08 | 89 | RADIUS | 38666 LAPM/V42BIS | 24000 LAPM/V42BIS | 1399 | 1064 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.68 | 0 | 0 |
| 3 | 7100033F | | mbc | | 203.14.183.2 | 0 | Async | -00-00 00:00:00 | 2002-11-26 22:30:45 | 4705 | RADIUS | | 49333 LAPM/V42BIS | 179854 | 1081219 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.84 | 0 | 0 |
| 4 | 7100034C | | iraja | | 203.14.183.2 | 11 | Async | 2002-11-26 22:30:46 | 2002-11-26 22:36:12 | 326 | RADIUS | 52000 LAPM/V42BIS | 52000 LAPM/V42BIS | 159179 | 1355687 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.87 | 0 | 0 |
| 5 | 71000348 | | colrado | | 203.14.183.2 | 6 | Async | -00-00 00:00:00 | 2002-11-26 22:31:29 | 847 | RADIUS | | 52000 LAPM/V42BIS | 30517 | 245308 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.75 | 0 | 0 |
| 6 | 71000341 | | arma | | 203.14.183.2 | 14 | Async | -00-00 00:00:00 | 2002-11-26 22:33:25 | 3580 | RADIUS | | 26400 LAPM/V42BIS | 617265 | 4066119 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.79 | 0 | 0 |
| 7 | 71000345 | | hjbems | | 203.14.183.2 | 5 | Async | -00-00 00:00:00 | 2002-11-26 22:33:37 | 1988 | RADIUS | | 4 LAPM/V42BIS | 517318 | 6394135 | 87966000 | | User-Request | Framed-User | PPP | 203.14.183.94 | 0 | 0 |

I will appreciate any help on how I can get accounting done on the data in mysql (even an sql query will do). For the moment I am using plain text files and getting accounting done by the "Optigold ISP" log parser. I want customers to check their usage using a web based interface.

RH7.3 + Freeradius 8

kind regards,

Internet Services Administrator
Golden IT
Ph: +61 (3) 97052511
Fax: +61 (3) 97052544
Email: [EMAIL PROTECTED]
Web: www.goldenit.net.au
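Per-user time and data totals of the kind asked for in this thread, as an added example that is not part of the original posts and is not dialup_admin's own code. SQLite stands in for MySQL so it runs offline (a MySQL driver would use %s placeholders instead of ?), the sample rows are built from the table in the post, and the function names are made up for the illustration.

```python
import sqlite3

# Constructed sample: the seven radacct rows from the post, reduced to the
# columns the totals need. None stands for the rows whose start time is
# missing in the post.
SAMPLE_ROWS = [
    # AcctSessionId, UserName, AcctStartTime, AcctStopTime,
    # AcctSessionTime, AcctInputOctets, AcctOutputOctets
    ("71000344", "p.richardson", None, "2002-11-26 22:26:56", 2197, 434240, 3449921),
    ("7100034B", "iraja", "2002-11-26 22:27:39", "2002-11-26 22:29:08", 89, 1399, 1064),
    ("7100033F", "mbc", None, "2002-11-26 22:30:45", 4705, 179854, 1081219),
    ("7100034C", "iraja", "2002-11-26 22:30:46", "2002-11-26 22:36:12", 326, 159179, 1355687),
    ("71000348", "colrado", None, "2002-11-26 22:31:29", 847, 30517, 245308),
    ("71000341", "arma", None, "2002-11-26 22:33:25", 3580, 617265, 4066119),
    ("71000345", "hjbems", None, "2002-11-26 22:33:37", 1988, 517318, 6394135),
]

SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId    TEXT,
    UserName         TEXT,
    AcctStartTime    TEXT,
    AcctStopTime     TEXT,
    AcctSessionTime  INTEGER,
    AcctInputOctets  INTEGER,
    AcctOutputOctets INTEGER
)
"""

# Totals for one customer. The user name and the period are bound parameters,
# never pasted into the SQL text, because on a customer-facing usage page the
# name comes from a web request. Filtering on AcctStopTime keeps the sessions
# that have no start time: session time and octets are stored with the stop.
USER_TOTALS = """
SELECT COUNT(*),
       COALESCE(SUM(AcctSessionTime), 0),
       COALESCE(SUM(AcctInputOctets), 0),
       COALESCE(SUM(AcctOutputOctets), 0)
FROM radacct
WHERE UserName = ? AND AcctStopTime >= ? AND AcctStopTime < ?
"""

# The same totals for every user in the period, heaviest user first.
ALL_TOTALS = """
SELECT UserName, COUNT(*), SUM(AcctSessionTime),
       SUM(AcctInputOctets), SUM(AcctOutputOctets)
FROM radacct
WHERE AcctStopTime >= ? AND AcctStopTime < ?
GROUP BY UserName
ORDER BY SUM(AcctSessionTime) DESC
"""


def build_sample_db():
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def usage_for(conn, username, start, end):
    """Sessions, seconds online and octets for one user in [start, end)."""
    row = conn.execute(USER_TOTALS, (username, start, end)).fetchone()
    return dict(zip(("sessions", "seconds", "octets_in", "octets_out"), row))


def usage_all(conn, start, end):
    """One (user, sessions, seconds, octets_in, octets_out) tuple per user."""
    return conn.execute(ALL_TOTALS, (start, end)).fetchall()


def hms(seconds):
    """Format a number of seconds as H:MM:SS."""
    hours, rest = divmod(seconds, 3600)
    minutes, secs = divmod(rest, 60)
    return "%d:%02d:%02d" % (hours, minutes, secs)


if __name__ == "__main__":
    db = build_sample_db()
    day = ("2002-11-26 00:00:00", "2002-11-27 00:00:00")
    for name, sessions, seconds, oin, oout in usage_all(db, *day):
        print("%-14s %2d sessions %9s %10d in %10d out"
              % (name, sessions, hms(seconds), oin, oout))
    print(usage_for(db, "iraja", *day))
```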
Dynamic IP addresses from FreeRadius questions
Hi,

I am setting up the dynamic IP addresses from FreeRadius and I have some questions as follows.

1. I included the rlm_ippool into the Makefile and put dbm in the users file. I do not know why I still get the following error message:

"/usr/local/etc/raddb/users[101]: Parse error (reply) for entry userSecret1Name: Unknown attribute Pool-Name
Errors reading /usr/local/etc/raddb/users"

2. Could you check my users and radiusd.conf files to see if anything is missing/incorrect for the dynamic IP Radius addressing?

3. I also included the run time messages; could you please help me to take a look whether all modules have been installed properly?

Thank you very much.

Li Lin

--
(a) RADIUSD.CONF file

modules {
    ippool ippool {
        name = ippool
        session-db = /usr/local/etc/raddb/ippool-sess-db
        ip-index = /usr/local/etc/raddb/ippool-idx-db
        range-start = 177.30.0.1
        range-stop = 177.30.255.254
        netmask = 255.255.0.0
        cache-size = 1000
    }
    dbm {
        usersfile = /usr/local/etc/raddb/users.db
    }
}
authorize {
    preprocess
    chap
    mschap
    suffix
    files
    mypool
    dbm
}
accounting {
    acct_unique
    detail
    unix  # wtmp file
    radutmp
    mypool
}
post-auth {
    # Get an address from the IP Pool.
    mypool
}

(b) USERS file

userSecret1Name Auth-Type := Local, Password == "XXX"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-MTU = 1500,
    Framed-Filter-Id = "std.ppp",
    Framed-Compression = Van-Jacobsen-TCP-IP,
    Service-Type = Authenticate-Only,
    Pool-Name := "mypool",
    Framed-IP-Address = 177.30.0.1+,

(c) Run time messages.

/usr/local/etc/raddb#radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = no
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_us
Re: Problem with 1,000,000 users
Well, did you check the system messages right before the process is killed? If you ran out of memory and swap, definitely there should be something coming. Or, like this other email on the list, you might have hit some ulimit limits.

Evren

On Mon, 20 Jan 2003, leaobicalho wrote:

> Yes, freeradius loads into memory, but I think the problem is not memory,
> because I have 256RAM, AthlonXP 1.5XP, and the size of the file is only 50MB.
>
> > are you running out of memory? did you check?
> > a guess would be that freeradius is trying to load the file into memory.
> >
> > On Mon, 20 Jan 2003, leaobicalho wrote:
> >
> > > Why, when I use 1,000,000 users with the users file, does it show
> > > this message??? If I use 100,000 I have no problem, but
> > > when I use many I always have a problem... why? The structure of my
> > > users file:
> > > login1 auth-type=accept
> > > login2 auth-type=accept
> > > login3 auth-type=accept
> > > login4 auth-type=accept
> > >
> > > root@lala> radiusd -x
> > > Load
> > > Loading fastusers
> > > Usesfile...
> > > Killed
> > > root@lala>
>
> Animation Design®
> www.animationdesign.com.br
Re: Problem with 1,000,000 users
Yes, freeradius loads into memory, but I think the problem is not memory, because I have 256RAM, AthlonXP 1.5XP, and the size of the file is only 50MB.

> are you running out of memory? did you check?
> a guess would be that freeradius is trying to load the file into memory.
>
> On Mon, 20 Jan 2003, leaobicalho wrote:
>
> > Why, when I use 1,000,000 users with the users file, does it show
> > this message??? If I use 100,000 I have no problem, but
> > when I use many I always have a problem... why? The structure of my
> > users file:
> > login1 auth-type=accept
> > login2 auth-type=accept
> > login3 auth-type=accept
> > login4 auth-type=accept
> >
> > root@lala> radiusd -x
> > Load
> > Loading fastusers
> > Usesfile...
> > Killed
> > root@lala>

Animation Design®
www.animationdesign.com.br
Re: Problem with 1,000,000 users
are you running out of memory? did you check?
a guess would be that freeradius is trying to load the file into memory.

On Mon, 20 Jan 2003, leaobicalho wrote:

> Why, when I use 1,000,000 users with the users file, does it show
> this message??? If I use 100,000 I have no problem, but
> when I use many I always have a problem... why? The structure of my
> users file:
> login1 auth-type=accept
> login2 auth-type=accept
> login3 auth-type=accept
> login4 auth-type=accept
>
> root@lala> radiusd -x
> Load
> Loading fastusers
> Usesfile...
> Killed
> root@lala>
Re: Problem with 1,000,000 users
On Mon, Jan 20, 2003 at 08:12:50PM -0200, leaobicalho wrote:
> Why, when I use 1,000,000 users with the users file, does it show
> this message??? If I use 100,000 I have no problem, but
> when I use many I always have a problem... why? The structure of my
> users file:
> login1 auth-type=accept
> login2 auth-type=accept
> login3 auth-type=accept
> login4 auth-type=accept
>
> root@lala> radiusd -x
> Load
> Loading fastusers
> Usesfile...
> Killed
> root@lala>

i'm guessing that either a) you got killed by the OOM killer (out of memory) in newer linux kernels, or b) you ran into a limit (run ulimit -a to check this, although this probably isn't the case, since you're running as root).

run "dmesg" after this happens, and check that it hasn't mentioned something about killing your process.

Andrew Pilley
Any experience with Symbol APs?
I've seen several posts about the inconsistency of wireless access points. I'm trying to use FreeRADIUS 0.8.1, a Symbol AP4131, and EAP/MD5 (on Windows XP, *without* service pack 1).

The identity request is received by FreeRADIUS, and the challenge is sent correctly back to the supplicant. But, when the challenge response comes back, the State attribute has been changed. According to the specification this value should be returned unaltered. Perhaps it has been corrupted by a memory bug inside the access point?

Has anyone had any success (or failure) with Symbol access points?

Chad
Problem with 1,000,000 users
Why, when I use 1,000,000 users with the users file, does it show this message??? If I use 100,000 I have no problem, but when I use many I always have a problem... why? The structure of my users file:

login1 auth-type=accept
login2 auth-type=accept
login3 auth-type=accept
login4 auth-type=accept

root@lala> radiusd -x
Load
Loading fastusers
Usesfile...
Killed
root@lala>
WISP Consultant Needed!
I'm looking for someone experienced with wireless internet provider setups. We will be using Senao wireless routers and require an authentication system (preferably web based) for users to login (or purchase time usage for example).

If you're knowledgeable in this field, please contact me at: [EMAIL PROTECTED] or 778 288 0278
Re: Dialup_admin
using apache 2.0 seems to be a different setup than what I am used to

thanks for the tip though

- Original Message -
From: "Duane Barnes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 20, 2003 3:02 PM
Subject: RE: Dialup_admin

> Do you have .php3 enabled as a proper extension in your httpd.conf file?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of System Administrator
> Sent: Monday, January 20, 2003 2:46 PM
> To: [EMAIL PROTECTED]
> Subject: Dialup_admin
>
> can anyone tell me why I get this on the left frame of my dialup admin
> install?
>
> $auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
> if ($auth_user){
>     if (is_file("../html/buttons/$auth_user/buttons.html.php3"))
>         include("../html/buttons/$auth_user/buttons.html.php3");
>     else{
>         if (is_file("../html/buttons/default/buttons.html.php3"))
>             include("../html/buttons/default/buttons.html.php3");
>     }
> }
> else{
>     if (is_file("../html/buttons/default/buttons.html.php3"))
>         include("../html/buttons/default/buttons.html.php3");
> }
> ?>
>
> the example on freeradius.org seems to have the same problem
> Redhat 8.0
> freeradius .8.1
Re: freeradius and ippools
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> Just another question: How can I query which ipaddresses of the pool are
> in use? Only ping them might not be the best solution.

For the IP pools module, I would expect that there could be an associated utility program which would print out that information. I don't know if such a program exists, though.

Alan DeKok.
Re: SQL Authorization / Authentication
"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> My users file isn't very large. I'm not going to pretend to know what
> most of this means,

That would appear to be the foundation of your problems with the SQL module. The SQL configuration mirrors the 'users' file, so if you don't understand the 'users' file, you'll never get the SQL configuration to do what you want.

Look over the examples in the 'users' file. Come up with a configuration that you think *should* work. Try it, debug it, and try again. It's exactly the method I use.

Alan DeKok.
Re: SQL Authorization / Authentication
Shannon,

> My users file isn't very large. I'm not going to pretend to know what
> most of this means, but suffice it to say that I don't have any dial-in
> users, so I'm not sure that the PPP, CSLIP, or SLIP parts apply. If they
> don't, should I comment them out?

If there is something in your user file that is not being used, you can comment it out, delete it or just leave it. If it's not being used, it is just ignored. My users file looks just like yours, however I don't use it so it really doesn't matter.

> Also, I don't think the Default
> Auth-type should be System, but I didn't see any other option, besides
> Reject. Is there an SQL option?

Auth-Type could be System, Reject, sql or a few others too. You base that on what is in the Authorize section of radius.conf.

I think you might not be understanding what Alan said in his previous post.

> Look through the SQL configuration, seeing why the user doesn't
> match.

This means look at sql.conf and see how the username and password are entered into the sql queries. Are the queries missing something?

> I'd suggest debugging it with the 'users' file first, though. Get
> the config working for the user, and then move it over to SQL. That
> way you're tracking down one problem at a time.

This does NOT mean, look at the users file to see what might be wrong with it. It does mean that if you can't get it to work with sql right away, comment out "sql" in the Authorize and Accounting sections of your radius.conf, and use "files" instead to get radius working in the first place. Once you know it is working and understand what is going on, then you can move on to a more difficult scenario... using sql.

Nick

--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
radiusd dying when closing connection to postgres
Hi,

I have installed FR0.8.1 in RedHat7.3. radiusd runs fine for some hours sometimes, but always at some point it crashes dumping a core, ending in one of two functions:

(gdb) bt
#0 0x4207ad9e in chunk_free () from /lib/i686/libc.so.6
#1 0x4207ad24 in free () from /lib/i686/libc.so.6
#2 0x400bef6f in freePGconn () from /usr/lib/libpq.so.2
#3 0x400a02e2 in sql_close (sqlsocket=0x80ec0b8, config=0x80bd948) at sql_postgresql.c:390
#4 0x400afad1 in rlm_sql_query (sqlsocket=0x80ec0b8, inst=0x80bd530, query=0x404358dc "UPDATE radacct SET AcctStopTime = '2003-01-16 12:14:17', AcctSessionTime = 263, AcctInputOctets = 24304, AcctOutputOctets = 394481, AcctTerminateCause = '', AcctStopDelay = 6, FramedIPAddress = '200.1"...) at sql.c:384
#5 0x400aed0b in rlm_sql_accounting (instance=0x80bd530, request=0x40d5b4a0) at rlm_sql.c:745
#6 0x08054981 in module_post_auth ()
#7 0x08054aca in modcall ()
#8 0x080549cb in module_post_auth ()
#9 0x08054a91 in modcall ()
#10 0x0805466a in module_accounting ()
#11 0x0804f736 in rad_accounting ()
#12 0x0804d2fa in rad_respond ()
#13 0x0805635c in radius_xlat ()
#14 0x40073faf in pthread_start_thread () from /lib/i686/libpthread.so.0

(gdb) bt
#0 0x40075087 in pthread_mutex_lock () from /lib/i686/libpthread.so.0
#1 0x4207ad18 in free () from /lib/i686/libc.so.6
#2 0x400bef6f in freePGconn () from /usr/lib/libpq.so.2
#3 0x400a02e2 in sql_close (sqlsocket=0x80f89d8, config=0x80bd948) at sql_postgresql.c:390
#4 0x400afad1 in rlm_sql_query (sqlsocket=0x80f89d8, inst=0x80bd530, query=0x406358dc "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputO"...) at sql.c:384
#5 0x400aebab in rlm_sql_accounting (instance=0x80bd530, request=0x81459f0) at rlm_sql.c:701
#6 0x08054981 in module_post_auth ()
#7 0x08054aca in modcall ()
#8 0x080549cb in module_post_auth ()
#9 0x08054a91 in modcall ()
#10 0x0805466a in module_accounting ()
#11 0x0804f736 in rad_accounting ()
#12 0x0804d2fa in rad_respond ()
#13 0x0805635c in radius_xlat ()
#14 0x40073faf in pthread_start_thread () from /lib/i686/libpthread.so.0

Any ideas?

Thanks.
Re: Re: Re: SQL Authorization / Authentication
Alan,

My users file isn’t very large. I’m not going to pretend to know what most of this means, but suffice it to say that I don’t have any dial-in users, so I’m not sure that the PPP, CSLIP, or SLIP parts apply. If they don’t, should I comment them out? Also, I don’t think the Default Auth-type should be System, but I didn’t see any other option, besides Reject. Is there an SQL option?

The contents of my /etc/raddb/users file are as follows:

DEFAULT Auth-Type := System
    Fall-Through = Yes

DEFAULT Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 576,
    Service-Type = Framed-User,
    Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP

Shannon

"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> That's what I thought, but the definition of Authorization and
> Authentication got me a little confused. New question now..
> rlm_sql (sql): User not found in radgroupcheck
> rlm_sql (sql): User not found
> rlm_sql (sql): Released sql socket id: 2
> modcall[authorize]: module "sql" returns notfound
...
> From what I can tell, it's not passing the username (or password, for
> that matter) to the SQL database. Would that be a correct assumption? If
> so, do you have any suggestions on what to do to fix?

Look through the SQL configuration, seeing why the user doesn't match.

I'd suggest debugging it with the 'users' file first, though. Get the config working for the user, and then move it over to SQL. That way you're tracking down one problem at a time.

Alan DeKok.
RE: Dialup_admin
Do you have .php3 enabled as a proper extension in your httpd.conf file?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of System Administrator
Sent: Monday, January 20, 2003 2:46 PM
To: [EMAIL PROTECTED]
Subject: Dialup_admin

can anyone tell me why I get this on the left frame of my dialup admin install?

the example on freeradius.org seems to have the same problem
Redhat 8.0
freeradius .8.1
Dialup_admin
can anyone tell me why I get this on the left frame of my dialup admin install?

the example on freeradius.org seems to have the same problem
Redhat 8.0
freeradius .8.1
Re: freeradius and ippools
Thank you Alan,

with this little bit of - for me - missing information it nearly worked out of the box.

Just another question: How can I query which ipaddresses of the pool are in use? Only ping them might not be the best solution.

Thanks
Norbert

Alan DeKok wrote:

Norbert Wegener <[EMAIL PROTECTED]> wrote:

I appended the following to radiusd.conf:

ippool main_pool {
    session-db = /usr/local/etc/raddb/ippool-sess-db
    ip-index = /usr/local/etc/raddb/ippool-idx-db
    range-start = 192.168.100.20
    range-stop = 192.168.100.40
}

Starting radius with -X gives the following error message:

ERROR: Cannot find a configuration entry for module "main_pool"

Put the configuration into the 'modules' section of radiusd.conf.

Alan DeKok.

--
Norbert Wegener
Phone: (49) 201 2661 379
SBS Essen
Fax: (49) 201 2661 377
Germany
Mail: [EMAIL PROTECTED]
http://relax.sbs.de (intranet)
Re: SQL Authorization / Authentication
"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> That's what I thought, but the definition of Authorization and
> Authentication got me a little confused. New question now...
...
> rlm_sql (sql): User not found in radgroupcheck
> rlm_sql (sql): User not found
> rlm_sql (sql): Released sql socket id: 2
> modcall[authorize]: module "sql" returns notfound
...
> From what I can tell, it's not passing the username (or password, for
> that matter) to the SQL database. Would that be a correct assumption? If
> so, do you have any suggestions on what to do to fix?

  Look through the SQL configuration, seeing why the user doesn't match.

  I'd suggest debugging it with the 'users' file first, though. Get the config working for the user, and then move it over to SQL. That way you're tracking down one problem at a time.

  Alan DeKok.
Re: Re: SQL Authorization / Authentication
Alan,

That’s what I thought, but the definition of Authorization and Authentication got me a little confused. New question now...

I have the MySQL database set up with a test account (username test, password test). When I run “radiusd -xxp 1645” and try “radtest test test localhost:1645 0 testing”, it gives me a bunch of stuff, but the part that stands out is the following:

rad_recv: Access-Request packet from host 130.203.224.111:32769, id=167, length=56
Thread 2 assigned request 1
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id
rlm_sql (sql): User not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns notfound
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System

From what I can tell, it’s not passing the username (or password, for that matter) to the SQL database. Would that be a correct assumption? If so, do you have any suggestions on what to do to fix?

Thanks for your help!

Shannon

"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> I need this radius server to authenticate / authorize (still a
> little hazy on the difference) console and ssh access to 10
> workstations. The requests would come in to the workstation, get
> routed to the server via a pam module, hit the freeradius server,
> verify the username and password in the database, and let the person
> on if their info is correct. First question, is this possible?

  For username/password verification, yes. They'll still have to get uid/gid/shell from somewhere, though.

> I just got done reading about the differences between authorization
> and authentication, and from what I gather, freeradius can't do
> authentication to an SQL database. Is that correct?

  Yes. It won't try to log users into an SQL database.

> Ideally, what I would like, is to have a database holding all the
> usernames and passwords (holding in clear text, but transmitting
> encrypted, if that matters). Can I do that with freeradius?

  Yes. That's storing the username/password in SQL, and letting FreeRADIUS use that information to authenticate them.

  Alan DeKok.
Compile freeradius on RH8
Hi,

I'm trying to compile FreeRadius 0.8.1 on a clean Red Hat 8 install but there seem to be some problems.

First, it returns an error related to DBM. I changed the line RLM_LIBS in the file src/modules/rlm_dbm/Makefile to

RLM_LIBS= -lgdbm

and it worked. After that I needed the Postgresql-devel package. But now I get this error

---
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../include -c radiusd.c
radiusd.c:103: parse error before "RADIUSD_VERSION"
---

I'm compiling with gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)

I'm waiting for your help tips.

Thanks in advance,
Joao Sa
Re: MPPE dynamic re-keying
Artur Hecker <[EMAIL PROTECTED]> wrote:
> well, yes and no: actually, rekeying should be done between the
> supplicant and the AP since only those two support the actual
> cryptosuite, namely WEP if we are talking about 802.11.

  Wait for 802.11f. It over-loads RADIUS to do re-keying...

  It's astonishingly ugly.

  Alan DeKok.
Re: SQL Authorization / Authentication
"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> I need this radius server to authenticate / authorize (still a
> little hazy on the difference) console and ssh access to 10
> workstations. The requests would come in to the workstation, get
> routed to the server via a pam module, hit the freeradius server,
> verify the username and password in the database, and let the person
> on if their info is correct. First question, is this possible?

  For username/password verification, yes. They'll still have to get uid/gid/shell from somewhere, though.

> I just got done reading about the differences between authorization
> and authentication, and from what I gather, freeradius can't do
> authentication to an SQL database. Is that correct?

  Yes. It won't try to log users into an SQL database.

> Ideally, what I would like, is to have a database holding all the
> usernames and passwords (holding in clear text, but transmitting
> encrypted, if that matters). Can I do that with freeradius?

  Yes. That's storing the username/password in SQL, and letting FreeRADIUS use that information to authenticate them.

  Alan DeKok.
Upgrading to Freeradius from Cistron Radius
I'm looking at making the jump to Freeradius. We have TotalControl HiPerARCs and one POP of PortMasters. Any tips or caveats I should be aware of?

Thanks,
Kevin.

--
Kevin Hemsley
Systems Engineer
Microserv Computer Technologies, Inc.
[EMAIL PROTECTED]
NF7J
Error: Accounting: logout
Hi

In the radius.log file I found some records which indicate errors. I use FreeRadius 0.8 with Oracle for accounting. Could someone explain to me the reason for such records (as below)?

Sometimes I don't observe (about 3% of records) packets (or at least records) "Accounting Stop" for the appropriate "Accounting Start". Maybe that's a quite different problem.

Sun Jan 19 11:14:25 2003 : Error: Accounting: logout: entry for NAS Tigris port 1541 has wrong ID
Sun Jan 19 11:14:25 2003 : Error: Accounting: logout: entry for NAS Tigris port 488 has wrong ID
Sun Jan 19 11:14:35 2003 : Error: Accounting: logout: entry for NAS Tigris port 1781 has wrong ID
Sun Jan 19 11:14:52 2003 : Error: Accounting: logout: entry for NAS Tigris port 453 has wrong ID
Sun Jan 19 11:15:16 2003 : Error: Accounting: logout: entry for NAS Tigris port 320 has wrong ID
Sun Jan 19 11:15:27 2003 : Error: Accounting: logout: entry for NAS Tigris port 396 has wrong ID
Sun Jan 19 11:15:58 2003 : Error: Accounting: logout: login entry for NAS Tigris port 411 not found
Sun Jan 19 11:16:16 2003 : Error: Accounting: logout: entry for NAS Tigris port 448 has wrong ID
Sun Jan 19 11:16:55 2003 : Error: Accounting: logout: entry for NAS Tigris port 1859 has wrong ID
Sun Jan 19 11:17:25 2003 : Error: Accounting: logout: entry for NAS Tigris port 1919 has wrong ID
Sun Jan 19 11:17:31 2003 : Error: Accounting: logout: entry for NAS Tigris port 314 has wrong ID
Sun Jan 19 11:17:57 2003 : Error: Accounting: logout: entry for NAS Tigris port 351 has wrong ID
Sun Jan 19 11:18:32 2003 : Error: Accounting: logout: entry for NAS Tigris port 538 has wrong ID
Sun Jan 19 11:19:57 2003 : Error: Accounting: logout: entry for NAS Tigris port 1499 has wrong ID
Sun Jan 19 11:19:58 2003 : Error: Accounting: logout: entry for NAS Tigris port 1977 has wrong ID
Sun Jan 19 11:30:50 2003 : Error: Accounting: logout: entry for NAS Tigris port 1337 has wrong ID
Sun Jan 19 11:31:24 2003 : Error: Accounting: logout: entry for NAS Tigris port 1955 has wrong ID
Sun Jan 19 11:31:58 2003 : Error: Accounting: logout: entry for NAS Tigris port 543 has wrong ID
Sun Jan 19 11:32:17 2003 : Error: Accounting: logout: entry for NAS Tigris port 458 has wrong ID
Sun Jan 19 11:32:19 2003 : Error: Accounting: logout: entry for NAS Tigris port 1586 has wrong ID
Sun Jan 19 11:32:57 2003 : Error: Accounting: logout: entry for NAS Tigris port 1228 has wrong ID
Sun Jan 19 11:33:01 2003 : Error: Accounting: logout: entry for NAS Tigris port 1354 has wrong ID
Sun Jan 19 11:33:56 2003 : Error: Accounting: logout: entry for NAS Tigris port 1307 has wrong ID
Sun Jan 19 11:34:54 2003 : Error: Accounting: logout: login entry for NAS Tigris port 37 not found
Sun Jan 19 11:35:15 2003 : Error: Accounting: logout: entry for NAS Tigris port 529 has wrong ID
Sun Jan 19 11:35:16 2003 : Error: Accounting: logout: login entry for NAS Tigris port 442 not found
Re: freeradius and ippools
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> I appended the following to radiusd.conf:
>
> ippool main_pool {
>         session-db = /usr/local/etc/raddb/ippool-sess-db
>         ip-index = /usr/local/etc/raddb/ippool-idx-db
>         range-start = 192.168.100.20
>         range-stop = 192.168.100.40
> }
>
> Starting radius with -X gives the following error message: ERROR: Cannot
> find a configuration entry for module "main_pool"

  Put the configuration into the 'modules' section of radiusd.conf.

  Alan DeKok.
freeradius and ippools
I have downloaded the actual freeradius sources and wanted to make use of ippools. The module is still experimental(?) and so I configured fr with

./configure --with-experimental-modules

From raddb/experimental.conf:

# Do server side ip pool management. Should be added in post-auth and
# accounting sections.

As the distributed radiusd.conf contains an entry
#main_pool
in the post-auth section, I uncommented it. In the accounting section I added main_pool.

I appended the following to radiusd.conf:

ippool main_pool {
        session-db = /usr/local/etc/raddb/ippool-sess-db
        ip-index = /usr/local/etc/raddb/ippool-idx-db
        range-start = 192.168.100.20
        range-stop = 192.168.100.40
}

Starting radius with -X gives the following error message:
ERROR: Cannot find a configuration entry for module "main_pool"

Supposed I misunderstand the documentation, I changed the entries in the accounting and post-auth section to ippool. What changed was the error message:
ERROR: Cannot find a configuration entry for module "ippool"

What am I doing wrong and/or where can I find more documentation about this

Norbert

--
Norbert Wegener    Phone: (49)2012661379
                   Fax: (49)2012661377
SBS Essen, Germany Mail: [EMAIL PROTECTED]
                   Mailfax: (49)2018165521379
Re: MPPE dynamic re-keying
hi

Klaus Heck wrote:
> Did I get this right? FreeRADIUS does send a dynamically created MPPE
> key once the authentication is performed. But there's no dynamic

yes, if you use EAP/TLS.

> re-keying after certain time spans. Is that correct? And how hard is it
> to implement it, say with configurable time intervals?

well, yes and no: actually, rekeying should be done between the supplicant and the AP since only those two support the actual cryptosuite, namely WEP if we are talking about 802.11. so, it's more the function of your AP. the auth server (AS) like freeradius shouldn't change the keys at the AP without supplicant being involved, since this risks to provoke key desynchronization. on the other side, the AS never contacts the supplicant from itself.

so basically, the supplicant has to contact the AS after some period of time. that's possible to do whenever you want, if the supplicant supports it. the radius server will reply with an usual Accept-Accept with all the MPPE stuff in it.

other possibility to do this is by using Radius-attribute "Session-Timeout" (or something like that). In this manner, the AP (radius-client) will close the session after this time has elapsed and the supplicant will have to re-authenticate. this however is very likely to cut any open connections.

ciao
artur

--
Artur Hecker                 Groupe Accès et Mobilité
hecker[at]enst[dot]fr        Département Informatique et Réseaux
+33 1 45 81 7507             46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr    ENST Paris
MPPE dynamic re-keying
Did I get this right? FreeRADIUS does send a dynamically created MPPE key once the authentication is performed. But there's no dynamic re-keying after certain time spans. Is that correct? And how hard is it to implement it, say with configurable time intervals?
SQL Authorization / Authentication
I got the radius server talking to the sql database finally (thanks Nick). I now have another question.

I need this radius server to authenticate / authorize (still a little hazy on the difference) console and ssh access to 10 workstations. The requests would come in to the workstation, get routed to the server via a pam module, hit the freeradius server, verify the username and password in the database, and let the person on if their info is correct. First question, is this possible?

I just got done reading about the differences between authorization and authentication, and from what I gather, freeradius can't do authentication to an SQL database. Is that correct?

Ideally, what I would like, is to have a database holding all the usernames and passwords (holding in clear text, but transmitting encrypted, if that matters). Can I do that with freeradius?

Shannon
Re: Unwanted character in time field
On Sat, 18 Jan 2003 01:59 am, Andy Melton wrote:
> I have recently installed a Free Radius server to collect accounting
> output from a Cisco AS5350. Up until today, it was working fine, but at
> 4:00 pst yesterday, the timestamps from the accounting record are
> prepended by an *.
>
> I'm not sure if this was caused by the AS5350, which I'm guessing it is,
> but has anyone seen this and do you know how to strip off that *?
>
> Thanks for your help.

Yes. I have had this problem in the past. It happens when your ciscos lose NTP timesync. I have fixed it in two ways.

a) I run multiple local NTP servers
b) I use Postgres 7.3 as my backend DB. I have an embedded regexp perl function that strips out the asterisk if there is one before inserting into the DB field.

Cheers
Peter
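Peter's fix strips the asterisk before the insert. The added example below (not Peter's Perl function and not from the thread) does the same in a shell filter but keeps the clock state as its own column, so records stamped while a NAS had lost NTP stay identifiable afterwards. The tab-separated input layout, the NAS names and the sample timestamps are constructed; reading `*` as "time not authoritative" and `.` as "authoritative but NTP not synchronized" follows Cisco IOS clock notation, not the thread.

```shell
#!/bin/sh
# Added example: normalise Cisco accounting timestamps without losing the
# information that the NAS clock was unsynchronised when they were written.

# normalize_cisco_time: stdin "nas<TAB>timestamp" -> "nas<TAB>clock<TAB>timestamp"
# clock is one of: ok, not-authoritative ('*' prefix), ntp-unsynced ('.' prefix).
normalize_cisco_time() {
    awk -F '\t' -v OFS='\t' '{
        flag = substr($2, 1, 1); clock = "ok"; ts = $2
        if (flag == "*")      { clock = "not-authoritative"; ts = substr($2, 2) }
        else if (flag == ".") { clock = "ntp-unsynced";      ts = substr($2, 2) }
        print $1, clock, ts
    }'
}

# unsynced_nas: from normalize_cisco_time output, print "nas count" for every
# NAS that produced at least one timestamp with a non-ok clock state.
unsynced_nas() {
    awk -F '\t' '$2 != "ok" { n[$1]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample records (NAS name, timestamp as received).
SAMPLE=$(printf '%s\t%s\n' \
    as5350-1 '16:00:01.003 PST Fri Jan 17 2003' \
    as5350-1 '*16:05:44.120 PST Fri Jan 17 2003' \
    as5350-1 '*16:09:12.871 PST Fri Jan 17 2003' \
    as5350-2 '.16:10:30.004 PST Fri Jan 17 2003')

# Demonstration: cleaned records, then the devices whose clocks need attention.
printf '%s\n' "$SAMPLE" | normalize_cisco_time
printf '%s\n' "$SAMPLE" | normalize_cisco_time | unsynced_nas
```

Store the third column in the timestamp field and the second in a separate column, and alert on any NAS that `unsynced_nas` reports.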
Re: **Re2: I have rlm_eap_tls-0.8.1.so: undefined symbol:SSL_set_msg_callback while trying to use EAP/TLS authentication over LAN
hi Ian

[ichew@sg-dsbu-ws1 lib]# rpm -qa |grep openssl
openssl-0.9.6b-18 <---existing one on my Redhat Linux 7.1
openssl-devel-0.9.6-3
**Re2: I have rlm_eap_tls-0.8.1.so: undefined symbol:SSL_set_msg_callback while trying to use EAP/TLS authentication over LAN
Hi! Ian here.

Thanks for the input Artur and David. Below is more information. Again, I did use this version "openssl-SNAP-20021027.tar.gz" when I edited the Makefile for the rlm_eap_tls. Is this version correct? cause I followed the instructions from http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm , except that I used the released version of 0.8.1 for freeRadius.

Thanks!

[ichew@sg-dsbu-ws1 lib]# pwd
/usr/local/radius/lib
[ichew@sg-dsbu-ws1 lib]# rpm -qa |grep openssl
openssl-0.9.6b-18 <---existing one on my Redhat Linux 7.1
openssl-devel-0.9.6-3
rlm_eap_tls-0.8.1.so
-rwxr-xr-x 1 root root 812 Jan 13 20:09 rlm_eap_tls.la
-rw-r--r-- 1 root root 584292 Jan 13 20:09 rlm_eap_tls.a
lrwxrwxrwx 1 root root 14 Jan 13 20:09 rlm_eap_tls-0.8.1.la -> rlm_eap_tls.la
[ichew@sg-dsbu-ws1 lib]# ldd rlm_eap_tls.so
        libnsl.so.1 => /lib/libnsl.so.1 (0x400bb000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x400d2000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x400e5000)
        libc.so.6 => /lib/i686/libc.so.6 (0x400fa000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x2000)
[ichew@sg-dsbu-ws1 lib]# ldd rlm_eap_tls-0.8.1.so
        libnsl.so.1 => /lib/libnsl.so.1 (0x400bb000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x400d2000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x400e5000)
        libc.so.6 => /lib/i686/libc.so.6 (0x400fa000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x2000)
[ichew@sg-dsbu-ws1 lib]# uname -a
Linux sg-dsbu-ws1.cisco.com 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown

===

Message: 6
Date: Mon, 20 Jan 2003 09:51:36 +0100
From: Artur Hecker <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: I have rlm_eap_tls-0.8.1.so: undefined symbol:SSL_set_msg_callback while trying to use EAP/TLS authentication over LAN
Reply-To: [EMAIL PROTECTED]

Hi Ian

Ian Chew wrote:
>
> Hi! My name is Ian Chew.
>
> I am using the released version of freeRadius
> "freeradius-0.8.1.tar.gz" and used the "openssl-SNAP-20021027.tar.gz"
> for the rlm_eap_tls module during the "make" process of freeRaduis.
>
> [snip]
>
> /usr/local/radius/sbin/radiusd: error while loading shared libraries:
> /usr/local/radius/lib/rlm_eap_tls-0.8.1.so: undefined symbol:
> SSL_set_msg_callback

looks to me like if freeradius uses the older OpenSSL which does not have this function. please make sure that rlm_eap_tls has been compiled and linked to the openssl beta-version (0.9.7) or newer and not to some other openssl lib which may have existed on your system before. (try ldd at the rlm_eap_tls.so and see what it says).

ciao
artur

--
Artur Hecker
artur[at]hecker.info
exec_program_wait
Hi,

I've tried to use exec_program_wait. I wrote an OCI program (radautz) to interact with oracle. In root, it can run correctly.

1. I wrote most calculation in oracle triggers, will this do harm to performance?

2. In radreply, I added a row, value = '/usr/local/bin/radauth', and in radauth I call the radautz with $USER_NAME variables. In debug mode (run as root), it complains with the following error:

Exec-Program: /usr/local/bin/radauth
/usr/local/bin/radautz: error while loading shared libraries: libclntsh.so.8.0: cannot open shared object file: No such file or directory
Exec-Program: returned: 0

In root I tried radautz again, it can do what i want to do. I know this should be related to environment, but I'm not very familiar with linux, could anyone give me some advice?

Thanks in advance.

Regards
Alex
Re: Mysql Authentication
Alan DeKok wrote:
> Ossama Suleiman <[EMAIL PROTECTED]> wrote:
> > i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql
> > authentication, the problem is that i want to authenticate users depending
> > on Calling-Station-Id, so i added an entry (blank username)
>
> Why? What's wrong with the DEFAULT configuration?

When using the DEFAULT entry with the users file there is no problem at all, but when using it with mysql i got the error message mentioned before below

> > -i got the following error message that the user-name can't be blank:
> > --
> > rlm_sql (sql): zero length username not permitted
>
> Exactly. Use DEFAULT.

i tried the DEFAULT value, my table looks like this:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
| 1  | DEFAULT  | Auth-Type      | Accept | := |
| 2  | DEFAULT  | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

but as i said before, this configuration is not working and it still complains about zero length username.

when i commented out that section in rlm_sql.c and replaced the default entry with an blank entry it worked correctly. my table looked like this in that case:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
| 1  |          | Auth-Type      | Accept | := |
| 2  |          | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

this is working fine, and checking the calling-station-id listed in the huntgroup file

> > could somebody correct me if this contains mistakes??
>
> You're doing too much work, and ignoring the examples which tell you
> about the DEFAULT user.
>
> Alan DeKok.

sorry for all the trouble.

Ossama
Re: HELP: EAP/TLS - XP
hi

> I don't think it's an AP problem, because Raymon McKey
> (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm) is working
> with the same AP. i never tried with md5, did it work with you?

and you probably can't since you use XP SP1 which does not offer EAP/MD5 for wireless anymore :)

> do you work with an english XP? (just asking, because I have japanese
> XP and the other person that had this problem also had an asian
> name.) I don't know nothing about XP, but could it be possible, that
> this is some japanese-XP bug? I'm trying to get into the source code,
> but this might take some time (I'm not very good in C). however, it
> seems that the radius server did not get the expected message. it
> would have needed an ACK-response, but received something else...

in fact, unless you shortened your post, there seems to be two requests one after another or am i wrong? because radius actually doesn't do anything about the wrong request. it denies the next one... well, it's perhaps normal.

some developers here? :-)

ciao
artur

--
Artur Hecker                 Groupe Accès et Mobilité
hecker[at]enst[dot]fr        Département Informatique et Réseaux
+33 1 45 81 7507             46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr    ENST Paris
Re: HELP: EAP/TLS - XP
Hi Jeffrey,

> Do you work well via md5? I cannot work fine with ap-2000 too? :(
> I guess it is AP problem!

I don't think it's an AP problem, because Raymon McKey (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm) is working with the same AP. i never tried with md5, did it work with you?

do you work with an english XP? (just asking, because I have japanese XP and the other person that had this problem also had an asian name.) I don't know nothing about XP, but could it be possible, that this is some japanese-XP bug? I'm trying to get into the source code, but this might take some time (I'm not very good in C). however, it seems that the radius server did not get the expected message. it would have needed an ACK-response, but received something else...

david
Re: HELP: EAP/TLS - XP
Dear David,

Do you work well via md5? I cannot work fine with ap-2000 too? :(
I guess it is AP problem!

On Mon, 2003-01-20 at 14:39, David Baer wrote:
> I'm trying to get XP and freeRADIUS working together. I encountered a problem that has been reported here before
> (http://lists.cistron.nl/pipermail/freeradius-users/2002-August/009650.html), but no solution has been posted.
> Maybe someone else has an stumbled accross it or has an idea.
>
> The thing is that all tls handshake passed and then it seems that the supplicant backs off...
> I'm using Service Pack 1 and a Orinoco 2000 AP with img 2.0.10 installed.
>
> thanks for any help,
> david
>
>
>
> rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180
>         User-Name = "Hera"
>         NAS-IP-Address = 10.56.56.201
>         Called-Station-Id = "00-02-2d-48-6d-89"
>         Calling-Station-Id = "00-05-3c-06-6e-61"
>         NAS-Identifier = "hercules"
>         State = 0xcbc90276b2c75bcf69c846a00bbb35e62f922b3ea0b9afaf4605a59f14b2fa8fc483abdc
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = "\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g"
>         Message-Authenticator = 0x9095e69b06f47161b67f54139c32e1ef
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "eap" returns updated
>     rlm_realm: No '@' in User-Name = "Hera", looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched Hera at 98
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
>   rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP_TYPE - tls
>   rlm_eap: processing type tls
> rlm_eap_tls: Length Included
> <<< TLS 1.0 Alert [length 0002], fatal access_denied
>
> TLS Alert read:fatal:access denied
> 2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
> rlm_eap_tls: SSL_read Error
> Error code is . 6
> SSL Error . 6
> rlm_eap_tls: BIO_read Error
> Error code is . 5
> Error in SSL . 5
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Delaying request 10 for 1 seconds
> Finished request 10
> Going to the next request
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180
> Sending Access-Reject of id 95 to 10.56.56.201:6001
>         EAP-Message = "\004\007\000\004"
>         Message-Authenticator = 0x
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 6 ID 91 with timestamp 3e2b922e
> Cleaning up request 7 ID 92 with timestamp 3e2b922e
> Cleaning up request 8 ID 93 with timestamp 3e2b922e
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 9 ID 94 with timestamp 3e2b922f
> Cleaning up request 10 ID 95 with timestamp 3e2b922f
> Nothing to do. Sleeping until we see a request.

--
Regard,
Jeffery Huang
iMining Technology Inc.,
Addr: 8F-4 No.432, Sec. 1, Keelung Rd., Taipei,Taiwan
Tel: 886-2-27235122 ext 20
Fax: 886-2-27232287
mail:[EMAIL PROTECTED]
http://www.imining.com.tw
Re: I have rlm_eap_tls-0.8.1.so: undefined symbol:SSL_set_msg_callback while trying to use EAP/TLS authentication over LAN
no, 0.8.1 should work, too.

David Baer wrote:
>
> I think you should have taken a snapshot version and not 0.8.1 of freeRADIUS.
> use the one that is linked in the howto and at least i got beyond that
> point... (though having some other problems)
> david

--
Artur Hecker
artur[at]hecker.info
Re: I have rlm_eap_tls-0.8.1.so: undefined symbol:SSL_set_msg_callback while trying to use EAP/TLS authentication over LAN
Hi Ian

Ian Chew wrote:
>
> Hi! My name is Ian Chew.
>
> I am using the released version of freeRadius
> "freeradius-0.8.1.tar.gz" and used the "openssl-SNAP-20021027.tar.gz"
> for the rlm_eap_tls module during the "make" process of freeRaduis.
>
> [snip]
>
> /usr/local/radius/sbin/radiusd: error while loading shared libraries:
> /usr/local/radius/lib/rlm_eap_tls-0.8.1.so: undefined symbol:
> SSL_set_msg_callback

looks to me like if freeradius uses the older OpenSSL which does not have this function. please make sure that rlm_eap_tls has been compiled and linked to the openssl beta-version (0.9.7) or newer and not to some other openssl lib which may have existed on your system before. (try ldd at the rlm_eap_tls.so and see what it says).

ciao
artur

--
Artur Hecker
artur[at]hecker.info
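The ldd check Artur suggests, as an added example (not from the thread and not FreeRADIUS code): it classifies captured `ldd` output by whether the module's libssl/libcrypto dependencies resolve under the intended OpenSSL prefix, and checks captured `nm -D --defined-only` output for the missing symbol. The first sample is the ldd output Ian posted elsewhere in this thread and the prefix /usr/local/openssl/lib is the LD_LIBRARY_PATH from his run-radiusd trace; the other samples, their sonames and addresses are constructed.

```shell
#!/bin/sh
# Added example: decide from `ldd` / `nm -D` text which OpenSSL a module is
# tied to, so a stale system library is caught before radiusd loads it.

# ssl_deps: ldd output on stdin -> "soname path" per libssl/libcrypto entry.
ssl_deps() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# classify_linkage PREFIX: ldd output on stdin -> one verdict on stdout
#   unlinked  no libssl/libcrypto dependency is recorded in the module
#   ok        every OpenSSL dependency resolves under PREFIX
#   mismatch  at least one resolves elsewhere, or is "not found"
classify_linkage() {
    prefix=${1%/}
    deps=$(ssl_deps)
    if [ -z "$deps" ]; then
        echo unlinked
        return 0
    fi
    printf '%s\n' "$deps" | awk -v p="$prefix/" '
        index($2, p) != 1 { bad = 1 }
        END { print (bad ? "mismatch" : "ok") }'
}

# exports_symbol NAME: `nm -D --defined-only` output on stdin; exit status 0
# if NAME is an exported function (symbol version suffixes are ignored).
exports_symbol() {
    awk -v want="$1" '
        NF >= 3 { name = $NF; sub(/@.*/, "", name)
                  if (name == want && $(NF-1) ~ /^[TW]$/) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# audit_module MODULE LIBSSL PREFIX: the same checks against real files.
audit_module() {
    echo "linkage of $1: $(ldd "$1" | classify_linkage "$3")"
    if nm -D --defined-only "$2" | exports_symbol SSL_set_msg_callback; then
        echo "$2 exports SSL_set_msg_callback"
    else
        echo "$2 does not export SSL_set_msg_callback"
    fi
}

# ldd output for rlm_eap_tls-0.8.1.so as posted in the thread.
LDD_FROM_THREAD='libnsl.so.1 => /lib/libnsl.so.1 (0x400bb000)
libresolv.so.2 => /lib/libresolv.so.2 (0x400d2000)
libpthread.so.0 => /lib/i686/libpthread.so.0 (0x400e5000)
libc.so.6 => /lib/i686/libc.so.6 (0x400fa000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x2000)'

# Constructed samples: a module bound to a system OpenSSL, one bound to the
# intended build, and dynamic symbol tables with and without the symbol.
LDD_SYSTEM='libssl.so.2 => /usr/lib/libssl.so.2 (0x40017000)
libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x40045000)
libc.so.6 => /lib/i686/libc.so.6 (0x400fa000)'
LDD_INTENDED='libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40017000)
libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40045000)
libc.so.6 => /lib/i686/libc.so.6 (0x400fa000)'
NM_OLD='00012a40 T SSL_set_connect_state
00012b10 T SSL_set_fd'
NM_NEW='00013c20 T SSL_set_fd
00013d80 T SSL_set_msg_callback'

# Demonstration on the embedded samples.
for sample in LDD_FROM_THREAD LDD_SYSTEM LDD_INTENDED; do
    eval "text=\$$sample"
    printf '%-16s %s\n' "$sample" \
        "$(printf '%s\n' "$text" | classify_linkage /usr/local/openssl/lib)"
done
```

A verdict of `unlinked` means the module records no OpenSSL dependency of its own, so the SSL_* symbols it needs must come from a library loaded some other way (the radiusd binary's own dependencies or a preload).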
Re: Ken Roser FAQ - link
On Monday 20 January 2003 17:41, Artur Hecker wrote:
> take a closer look at www.freeradius.org

thanks. i was looking for some explicit "faq" and have rated that document (that i already knew) as a "howto" ;)

david
Re: Ken Roser FAQ - link
take a closer look at www.freeradius.org

ciao
artur

David Baer wrote:
>
> Hi,
> I'm having a problem with eap/tls - XP and have seen some posts in the history
> of this mailing list that suggested to take a look at the Ken Roser FAQ.
> Unfortunately I can not find that link. Anyone knows that link?
> thank you!
> david

--
Artur Hecker
artur[at]hecker.info
Re: I have rlm_eap_tls-0.8.1.so: undefined symbol:SSL_set_msg_callback while trying to use EAP/TLS authentication over LAN
I think you should have taken a snapshot version and not 0.8.1 of freeRADIUS. use the one that is linked in the howto and at least i got beyond that point... (though having some other problems) david
I have rlm_eap_tls-0.8.1.so: undefined symbol:SSL_set_msg_callback while trying to use EAP/TLS authentication over LAN
Hi! My name is Ian Chew.

I am using the released version of freeRadius "freeradius-0.8.1.tar.gz" and used the "openssl-SNAP-20021027.tar.gz" for the rlm_eap_tls module during the "make" process of freeRadius. Most of the steps I did were from http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

The freeRadius server starts up fine, and authenticates fine for local logons. However, I cannot get my EAP/TLS authentication to work. I got the following error and freeRadius just exits. The error message can be seen at the end of the log files i have attached.

Can anyone please help or give me some pointers on where I have gone wrong? Thank you.

[ichew@sg-dsbu-ws1 sbin]# run-radiusd -X -A &
[1] 1807
+ LD_LIBRARY_PATH=/usr/local/openssl/lib
+ LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/radius/sbin/radiusd -X -A
[ichew@sg-dsbu-ws1 sbin]# Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/sg-dsbu-ws1.pem"
 tls: certificate_file = "/etc/1x/sg-dsbu-ws1.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/1x/dh"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/radius/etc/raddb/users"
 files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Mo