radiusclient

2003-01-29 Thread yacine rebahi
Dear All,
I just want to interwork the radiusclient (version 0.3.2) with the 
freeradius, can anyone tell me the best way for that.
cheers
yacine


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: DSL Accounting?

2003-01-29 Thread Simon White
29-Jan-03 at 09:47, Dave Seddon ([EMAIL PROTECTED]) wrote :
 Greetings,
 
 Yeah IP accounting is how I do it now.  I use a FreeBSD bridge box, so
 nobody can even see it.  Works well, however it makes billing on-net
 traffic difficult if you aren't billing the PPP sessions.

What do you mean by on-net traffic? What's the extra info you get from
the PPP sessions?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: QOS question.

2003-01-29 Thread Simon White
28-Jan-03 at 18:04, Sean Smith ([EMAIL PROTECTED]) wrote :
 Is it possible to set QOS per user or per group in Freeradius? QOS 
 meaning bandwidth and/or priority of bandwidth resources. Example would 
 be setting a  residential DSL customer at a limit of 256K and setting a 
 business customer at a limit of 1MB. On top of that, if a residential 

QoS would of course be dependent on your access server, since FreeRadius
will just do the authentication and accounting for you. However,
FreeRadius can give you just about anything you want back to your NAS
within reason, and can do per user / per group / per domain
(@domain.com) stuff.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: mysql radcheck field syntax

2003-01-29 Thread Simon White
28-Jan-03 at 19:18, Doug Yeager ([EMAIL PROTECTED]) wrote :
 This is an easy one:
 I want to add a user to mysql. Can someone tell me the right values for the 
 attribute and op field?
 I'm just trying to test to see if I can get something simple working.
 Is this right:
 Insert into radcheck (username,attribute,value,op) values 
 ('doug','User-Password','testpass','==');

This works best for me:

username, attribute, value, op : 'simon', 'Crypt-Password', 'GkTfS3XVFwvDR', null

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




radiusclient

2003-01-29 Thread yacine rebahi
Hello,
Can one tell me how to configure the radiusclient in order to interwork 
with freeradius server.
thanks
yac




Re: radiusclient

2003-01-29 Thread Simon White
29-Jan-03 at 10:31, yacine rebahi ([EMAIL PROTECTED]) wrote :
 Hello,
 Can one tell me how to configure the radiusclient in order to interwork 
 with freeradius server.

Asking twice will not get you faster responses.

I personally do not understand your need. To me, it doesn't make sense.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




RE: radiusclient

2003-01-29 Thread Mieczyslaw Maciejewski (EPO)
Hi

Try Windows Radius client. It's easy to use.
Go into page  http://www.dialways.com/
MM



-Original Message-
From: Simon White [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 10:45 AM
To: [EMAIL PROTECTED]
Subject: Re: radiusclient


29-Jan-03 at 10:31, yacine rebahi ([EMAIL PROTECTED]) wrote :
 Hello,
 Can one tell me how to configure the radiusclient in order to interwork 
 with freeradius server.

Asking twice will not get you faster responses.

I personally do not understand your need. To me, it doesn't make sense.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




freeradius need help !

2003-01-29 Thread Panchenko Mikhael
Hello !

  Whether Возможно that the inquiry in comparison of passwords
  was such plan WAIT_PPP_PSWD2 and from base return either a zero
  or the password and login.
  Then at стартовой to record in base it was transferred INSERT (standard) And at 
closing сессии (close init session).
  If it possible that you could not result examples scripts by means
  of which it is possible to make the given procedures!
  Thank You for your help !
-- 
Best regards,
 Panchenko Mikhael
 Master Sviaz 
 Sank-Petersburg
 +7(812) 346-8101
 www.master.ru





Run external script after disconnect.

2003-01-29 Thread Andrew E. Guly
I use FreeRadius-0.8.1 with Postgres on Linux RH 8.0 for authenticate and 
accounting dial-in users.

My radiusd execute the external script with Exec-Program-Wait = /some/script 
when user is authenticated.
No problems, it's worked fine...

Q: How I can execute the external script *after* user disconnecting?

Thanks for your time.
Sorry, if my English scare you...

-- 
Uralsvyazinform. Tazovsky, YANAD, Russia
Network administrator
e-mail: [EMAIL PROTECTED]
ICQ: 105874601
tel.: +7 34940 21100





Re[2]: problem with postgresql 7.2 + freeradius (latest cvs)

2003-01-29 Thread Pavel S. Shirshov
Hello Alan,

Tuesday, January 28, 2003, 3:29:12 PM, you wrote:

AD   The SQL module doesn't do authentication, and it isn't rejecting the
AD user.

AD   Read the log message you posted to the list.  The Unix module is
AD doing the authentication, and is rejecting the user.

Ok. Thx. But auth configuration is very complex for me.


-- 
Best regards,
 Pavel  mailto:[EMAIL PROTECTED]





YOONG Choen Hin/Engr - Sys/iSTT/ST Group is out of the office.

2003-01-29 Thread yoong . choen . hin

Thank you for your email.

I am sorry that I am not able to respond to you immediately as I am away
until 3 Feb 2003.

I will revert as soon as I return. If there is any urgent matter, please
email to [EMAIL PROTECTED], the person on duty will respond to you.

Thank you and have a nice day!








Re: Run external script after disconnect.

2003-01-29 Thread Vitaliy Karlov
Andrew E. Guly wrote:

 I use FreeRadius-0.8.1 with Postgres on Linux RH 8.0 for authenticate and 
 accounting dial-in users.

 My radiusd execute the external script with Exec-Program-Wait = /some/script 
 when user is authenticated.
 No problems, it's worked fine...

 Q: How I can execute the external script *after* user disconnecting?

Maybe you could look at the file acct_users?
When your radius server receives Acct-Stop...

Something like this:
acct_user:
== acct_users ==
DEFAULT Acct-Status-Type == Stop
        Exec-Program = "/path/to/some/script.pl"
==




LDAP MySQL

2003-01-29 Thread Frederic SOSSON
Hello there,

Is it possible to implement FreeRADIUS with LDAP for users and MySQL for
accounting?




Fred





Re: LDAP MySQL

2003-01-29 Thread Kostas Kalevras
On Wed, 29 Jan 2003, Frederic SOSSON wrote:

 Hello there,

 Is it possible to implement FreeRADIUS with LDAP for users and MySQL for
 accounting?

yes





 Fred




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




cant unsubscribe

2003-01-29 Thread Dan
I went to the website, put my password in, it
said I was unsubscribed, but I am still getting emails.
I can't use the email feature because it says I'm not subscribed.
and the website says I'm not subscribed now.

but I still get emails.

help

Dan.





Re: LDAP MySQL

2003-01-29 Thread Frederic SOSSON
Do you have time to explain howto with a small sample?

Thanks.

Fred
- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 29, 2003 2:43 PM
Subject: Re: LDAP  MySQL


 On Wed, 29 Jan 2003, Frederic SOSSON wrote:

  Hello there,
 
  Is it possible to implement FreeRADIUS with LDAP for users and MySQL for
  accounting?

 yes

 
 
 
 
  Fred
 
 
 

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 210 7721861
 'Go back to the shadow' Gandalf




Re: HELP: EAP/TLS - XP

2003-01-29 Thread Artur Hecker
hi David

ok, it's good news then... if you followed exactly the steps, it should 
work fine.

to find the error, just put the same certificate which is available at 
the server side on your XP machine and open it using the crypto 
extensions (double-click). XP should say you what is missing. the most 
probable error would be imho an expiration date. the second possible 
would be the forgotten extension (as already said, both errors should 
not be there if you followed exactly the script, but still, check it). 
check the availability of the private key, check the certification path, 
XP should know the signing CA (meaning that the cert is signed by the CA 
whose certificate is installed under certification authorities).

regards,
artur


David Baer wrote:
The problem has been partially solved (or let's say:  narrowed).
Somehow the server's certificate is not accepted by the XP-supplicant.
If the Validate server certificate check box is unchecked, the authentication
succeeds. To leave the server's certificate unvalidated is not very desirable though.
I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate 
the certificates. 
Any idea what I could have done wrong with the server's certificate?
david


--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker





Re: freeradius need help !

2003-01-29 Thread Artur Hecker
*?*

would it be Возможно for you to avoid russenglish? it's hardly
comprehensible, even perfectly speaking both languages. and it's not 
very polite for those who don't, don't you think? :-)


 Whether Возможно that the inquiry in comparison of passwords was such
 plan WAIT_PPP_PSWD2 and from base return either a zero or the
 password and login. Then at стартовой to record in base it was
 transferred INSERT (standard) And at closing сессии (close init
 session). If it possible that you could not result examples scripts by
 means of which it is possible to make the given procedures! Thank You
 for your help !

 Sank-Petersburg

SankT??? :-)


best wishes
artur


--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker




MySQL

2003-01-29 Thread Frederic SOSSON
Hi,

I would like to implement freeradius with mysql and I'd like to know if

--with-mysql-include-dir
--with-mysql-lib-dir
--with-mysql-dir

are essentials when I do ./configure ?

(i really need help I'm a newbie)



Frederic




Re: mysql radcheck field syntax

2003-01-29 Thread Alan DeKok
Doug Yeager [EMAIL PROTECTED] wrote:
 This is an easy one:
 I want to add a user to mysql. Can someone tell me the right values for the 
 attribute and op field?

  That depends on your local configuration.  See the 'users' file for
examples.

  Read 'doc/rlm_sql' in the latest CVS snapshot.

  Alan DeKok.




Sockets disconnected from DB. How reconnect it?

2003-01-29 Thread Yurguen Castillo
Using Freeradius 0.8.1 and validating users using Sybase driver work fine
for us; but if for some reason we lost connection to the DB, or the DB
server is restarted we can't continue validating using the DB until radiusd
is restarted and new sockets are open again.

Is there any way to do a new connection to the DB (open new sockets) in
case that the DB is restarted? or check the connection before connect to
DB and open new sockets in case we need it?

This is the debug of the fail when freeradius lost connection to DB:

  rlm_sql (sql): Reserving sql socket id: 3
  SELECT 1,NAME,'User-Password',PASS,'==' FROM names WHERE USER  = 'jon'
  Client Library error:
  severity(0) number(6) origin(3) layer(5)
  ct_results(): network packet layer: internal net library error:
Net-Library operation terminated due to disconnect
  rlm_sql_sybase(sql_select_query): Failure retrieving query results
  Client Library error:
  severity(0) number(5) origin(3) layer(5)
  ct_cancel(): network packet layer: internal net library error:
Net-Library operation terminated due to disconnect
  rlm_sql_sybase(sql_select_query): cleaning up.
  rlm_sql_getvpdata: database query error
  rlm_sql (sql): SQL query error; rejecting user
  rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns fail
  modcall: group authorize returns fail
  There was no response configured: rejecting request 1
  Server rejecting request 1.
  Finished request 1

Some idea about how can I reconnect to the DB without restart radiusd?

Best regards,

   Yurguen



Re: Threads not being used

2003-01-29 Thread Alan DeKok
Matt Scifo [EMAIL PROTECTED] wrote:
 I didn't even think to look in /proc.  I found the same thing.  The
 threads were spawned according to /proc, yet the daemon is not reporting
 thread info in the debug output.  Though that still doesn't explain the
 horrid numbers I'm seeing.  

  The horrid numbers are due to something else blocking the server
(back-end database, disk IO, DNS, etc)

  Alan DeKok.




Re: FreeRADIUS under Cygwin

2003-01-29 Thread Alan DeKok
Philip Blow [EMAIL PROTECTED] wrote:
 Here are some brief notes I put together for compiling FreeRADIUS 0.8.1
 on Windows XP with EAP/TLS support.
...

  Nice, but your diffs are reversed.

4. the top-level Makefile change isn't needed in the CVS head, I've
  fixed that issue.

- On the cygwin system, can you do:

  grep ^exeext libtool

  and mail the output to the list?  I'll see if I can fix the problems
with installing executables.


6.  Hmm... I'll fix that in the CVS head.  It may also explain
weirdness on MACOSX.


  It's a good document.  I'll add it as 'doc/CYGWIN'

  Alan DeKok.




Re: Sockets disconnected from DB. How reconnect it?

2003-01-29 Thread Alan DeKok
Yurguen Castillo [EMAIL PROTECTED] wrote:
 Using Freeradius 0.8.1 and validating users using Sybase driver work
 fine for us; but if for some reason we lost connection to the DB,
 or the DB server is restarted we can't continue validating using the
 DB until radiusd is restarted and new sockets are open again.
 
 Is there any way to do a new connection to the DB (open new sockets)
 in case that the DB is restarted?

  Yes.  Patch the rlm_sql_sybase driver to return SQL_DOWN in the
appropriate places.  See the rlm_sql_mysql code for examples of
SQL_DOWN.

  Alan DeKok.




Re: Sockets disconnected from DB. How reconnect it?

2003-01-29 Thread Simon White
29-Jan-03 at 12:23, Yurguen Castillo ([EMAIL PROTECTED]) wrote :
 Using Freeradius 0.8.1 and validating users using Sybase driver work fine
 for us; but if for some reason we lost connection to the DB, or the DB
 server is restarted we can't continue validating using the DB until radiusd
 is restarted and new sockets are open again.
 
 Is there any way to do a new connection to the DB (open new sockets) in
 case that the DB is restarted? or check the connection before connect to
 DB and open new sockets in case we need it?
 

Two thoughts:-

You're going to need a watcher script I think. If radius logs that it
lost connection with the db somewhere (I'm sure it does, just don't have
time to check) then you can sniff this out with something like Perl's
File::Tail and then cause it to restart / HUP the radius server.

- or -

Just maybe, there is an argument for some fallback code in the
freeradius source, but somewhere in the back of my mind configurable
failover is your best bet anyway. If the downtime on your DB server is
predictable, you don't have a problem anyway. If not, get Radius to
failover to somewhere else. Instead of me re-reading configurable
failover docs, have a look yourself and come back to the list with
questions.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: Sockets disconnected from DB. How reconnect it?

2003-01-29 Thread Alan DeKok
Simon White [EMAIL PROTECTED] wrote:
 Just maybe, there is an argument for some fallback code in the
 freeradius source,

  The rlm_sql module and *some* of its drivers were updated in 0.8 to
do re-connects.  However, some of the drivers are not actively
maintained, and weren't patched.

 but somewhere in the back of my mind configurable
 failover is your best bet anyway. If the downtime on your DB server is
 predictable, you don't have a problem anyway. If not, get Radius to
 failover to somewhere else. Instead of me re-reading configurable
 failover docs, have a look yourself and come back to the list with
 questions.

  Configurable fail-over won't help here, as the database connections
will *never* come back up.

  Sending a HUP signal to the server may help in the short term.

  Alan DeKok.
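
The watcher suggested earlier in this thread, combined with the HUP mentioned above, as an added example (not code from any poster or from FreeRADIUS; written in Python rather than with Perl's File::Tail). The matched strings come from the debug output posted in the thread; the log path, pid file path and thresholds are assumptions.

```python
import collections
import os
import re
import signal
import sys
import time

# Strings taken from the debug output posted in the thread.
DISCONNECT = re.compile(r"Net-Library operation terminated due to disconnect")
REJECTED = re.compile(r"rlm_sql \([^)]+\): SQL query error; rejecting user")


class ReloadDecider:
    """Decide when enough DB-disconnect rejects have piled up to send a HUP."""

    def __init__(self, threshold=3, window=60.0, cooldown=300.0):
        self.threshold = threshold    # rejects needed inside the window
        self.window = window          # seconds over which rejects are counted
        self.cooldown = cooldown      # minimum seconds between two HUPs
        self.failures = collections.deque()
        self.saw_disconnect = False
        self.last_signal = None

    def feed(self, line, now):
        """Process one log line; return True when a HUP should be sent."""
        if DISCONNECT.search(line):
            self.saw_disconnect = True
            return False
        if not REJECTED.search(line):
            return False
        if not self.saw_disconnect:
            return False              # SQL error with some other cause
        self.saw_disconnect = False   # the disconnect line repeats per request
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        if len(self.failures) < self.threshold:
            return False
        if self.last_signal is not None and now - self.last_signal < self.cooldown:
            return False              # do not HUP in a tight loop
        self.last_signal = now
        self.failures.clear()
        return True


def follow(path, poll=1.0):
    """Yield lines appended to path (log rotation is not handled here)."""
    with open(path, errors="replace") as log:
        log.seek(0, os.SEEK_END)
        while True:
            line = log.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


def send_hup(pid_file):
    """Send SIGHUP to the process whose pid is stored in pid_file."""
    with open(pid_file) as fh:
        os.kill(int(fh.read().strip()), signal.SIGHUP)


# One failed request, abridged from the debug output in the thread.
SAMPLE_REQUEST = [
    "  rlm_sql (sql): Reserving sql socket id: 3",
    "  ct_results(): network packet layer: internal net library error:",
    "Net-Library operation terminated due to disconnect",
    "  rlm_sql_sybase(sql_select_query): Failure retrieving query results",
    "  rlm_sql (sql): SQL query error; rejecting user",
    "  rlm_sql (sql): Released sql socket id: 3",
]


def replay(decider, times):
    """Feed SAMPLE_REQUEST once per timestamp; return the times a HUP fires."""
    fired = []
    for now in times:
        for line in SAMPLE_REQUEST:
            if decider.feed(line, float(now)):
                fired.append(now)
    return fired


if __name__ == "__main__":
    # Usage (paths are assumptions): watcher.py <radius log> <radiusd pid file>
    decider = ReloadDecider()
    for entry in follow(sys.argv[1]):
        if decider.feed(entry, time.time()):
            send_hup(sys.argv[2])
```
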




Re: Sockets disconnected from DB. How reconnect it?

2003-01-29 Thread Simon White
29-Jan-03 at 05:27, Alan DeKok ([EMAIL PROTECTED]) wrote :
 Simon White [EMAIL PROTECTED] wrote:
  Just maybe, there is an argument for some fallback code in the
  freeradius source,
 
   The rlm_sql module and *some* of its drivers were updated in 0.8 to
 do re-connects.  However, some of the drivers are not actively
 maintained, and weren't patched.
 
  but somewhere in the back of my mind configurable
  failover is your best bet anyway. If the downtime on your DB server is
  predictable, you don't have a problem anyway. If not, get Radius to
  failover to somewhere else. Instead of me re-reading configurable
  failover docs, have a look yourself and come back to the list with
  questions.
 
   Configurable fail-over won't help here, as the database connections
 will *never* come back up.
 
   Sending a HUP signal to the server may help in the short term.

Configurable failover was just a thought. Like, if it failed over to
another DB then what happens when the original DB comes up? Is there a
preference?

This is a rhetorical question. I just don't have time to go find & read
the docs right now.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: Sockets disconnected from DB. How reconnect it?

2003-01-29 Thread Alan DeKok
Simon White [EMAIL PROTECTED] wrote:
 Configurable failover was just a thought. Like, if it failed over to
 another DB then what happens when the original DB comes up?

  Nothing.  That's the problem with the sybase driver.

  Fail-over is nice, but *recovery* from error is what the driver is
missing.

  Alan DeKok.






Re: MySQL

2003-01-29 Thread Genoud Richard
something like --with-rlm-rlm_sql_mysql-include-dir=/usr/include/mysql
and --with-rlm_sql_mysql
would be great. (mysql rpm installation)
you have to install mysql-devel in order to get it work.

the compilation worked if the file 
freeradius-0.8.x/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.a
exists.


Frederic SOSSON wrote:
Hi,

I would like to implement freeradius with mysql and I'd like to know if

--with-mysql-include-dir
--with-mysql-lib-dir
--with-mysql-dir

are essentials when I do ./configure ?

(i really need help I'm a newbie)



Frederic



--
---
CYBERDECK
Solutions de bornes interactives
---
Richard Genoud
Ingenieur RD
---
300 route nationale 6 - 69760 Limonest - France
Tel. : 0820 820 107 - International +33 4 78 66 74 00
Fax : +33 4 78 66 74 69
[EMAIL PROTECTED] - www.cyberdeck.com
---




init.d script on debian

2003-01-29 Thread Ray
i grabbed the initscript from the debian folder, figured it wouldn't be too 
far off since i am using a debian 3.0r1 system.  i didn't make a deb file 
with it though, kept failing due to some of the database support wasn't 
available, and i was having problems finding where to disable the support 
since i wasn't going to be using it anyways.

but anyways, '/etc/init.d/radiusd stop' doesn't stop the radius. anyone 
working on debian or know what should be fixed to get it to stop correctly?

freeRadius 0.8.1
file in question: freeradius-0.8.1/debian/initscript




Re: Overriding entries in radgroupreply table

2003-01-29 Thread Brad Stockdale
Hello all,

   This may be yet another one of those obvious answers that I just can't 
seem to locate... But this time at least I read the rlm_sql docs better 
than I did the last time I posted a question. :)

   Most of our users fall into two different radgroupreply's that I have 
setup, but there are a handful that have special configurations... static 
ip's, non-default idle timeouts, etc... Right now I can't authenticate them 
against the mysql database, because all the users get one of the two 
default groups I have setup for their reply attributes...

   Is there a way to override the radgroupreply's for specific users?

   To make things clearer, here's some table data...

mysql> select * from radcheck where UserName = 'test5PPP';
+------+----------+-----------+----+----------+---------+
| id   | UserName | Attribute | op | Value    | Status  |
+------+----------+-----------+----+----------+---------+
| 2217 | test5PPP | Password  | == | ddffgg99 | enabled |
+------+----------+-----------+----+----------+---------+

mysql> select * from usergroup where UserName = 'test5PPP';
+------+----------+----------------+
| id   | UserName | GroupName      |
+------+----------+----------------+
| 2217 | test5PPP | dialup_dynamic |
+------+----------+----------------+

mysql> select * from radgroupreply where GroupName = 'dialup_dynamic';
+----+----------------+--------------------+----+---------------------+------+
| id | GroupName      | Attribute          | op | Value               | prio |
+----+----------------+--------------------+----+---------------------+------+
|  1 | dialup_dynamic | Framed-Protocol    | += | PPP                 |    0 |
|  2 | dialup_dynamic | Framed-Address     | += | 255.255.255.254     |    0 |
|  3 | dialup_dynamic | Framed-Netmask     | += | 255.255.255.255     |    0 |
|  4 | dialup_dynamic | Framed-Routing     | += | None                |    0 |
|  5 | dialup_dynamic | Framed-Compression | += | Van-Jacobsen-TCP-IP |    0 |
|  6 | dialup_dynamic | Framed-MTU         | += | 1500                |    0 |
|  7 | dialup_dynamic | Session-Timeout    | += | 43200               |    0 |
|  8 | dialup_dynamic | Idle-Timeout       | += | 1800                |    0 |
+----+----------------+--------------------+----+---------------------+------+

   And what I was trying to do for a test case was change the Idle-Timeout 
attribute of the reply by adding an entry to the radreply table:

mysql> select * from radreply where UserName = 'test5PPP';
+----+----------+--------------+----+-------+
| id | UserName | Attribute    | op | Value |
+----+----------+--------------+----+-------+
|  1 | test5PPP | Idle-Timeout | += | 2000  |
+----+----------+--------------+----+-------+

   When I run a test auth using this configuration, though, I get two 
Idle-Timeout values... One at 1800 seconds (from the radgroupreply table) 
and one with 2000 seconds (from the radreply table)

   I have tried both the := operator and the += operator. They give the 
same results -- two Idle-Timeout attributes...

   Am I doing something obviously wrong, or is this type of setup not 
going to work with freeradius?

   If all else fails, I can continue to keep the 'special' users with 
static ip's, different timeouts, and the like in a cistron type file... But 
I'd prefer to keep it all in sql if possible.

Thank you,
Brad Stockdale




Re: Overriding entries in radgroupreply table

2003-01-29 Thread Brad Stockdale
Once again, I figured out at least part of the solution myself... I changed 
the +='s on the radgroupreply Idle-Timeout, and now the radreply value 
replaces the radgroupreply's value...

However, that leaves me with another problem... Part of our users with 
static IP's are ADSL users, and we use a Cisco box to aggregate them all... 
Two of the values I have to send back to them are:

	Cisco-AVPair = ip:route=65.173.147.0 255.255.255.0 65.173.147.1
	Cisco-AVPair = ip:addr-pool=pool1

Since both have the same attribute names, I have to use the += operator, or 
else freeradius thinks I want to replace one of them with the other...

So, there's really no easy way to add these to the radreply table, since 
the radgroupreply's will always override them..

Any thoughts?

Thanks again,
Brad Stockdale
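
A simplified model of how the reply-item operators combine the radreply and radgroupreply rows discussed in this thread, as an added example (not FreeRADIUS code and not from any poster). It assumes user rows are merged before group rows and that "=", ":=" and "+=" behave as the users-file documentation describes for reply items; the group Cisco-AVPair values and the "=" replacement operator are constructed for illustration.

```python
# Added illustration, not FreeRADIUS source.
# Assumed semantics for reply items:
#   "="  add the attribute only if none of that name is in the reply yet
#   ":=" replace every instance of that attribute already in the reply
#   "+=" always append
# Assumed order: radreply (user) rows first, radgroupreply (group) rows second.


def merge_reply(user_rows, group_rows):
    """Merge (attribute, op, value) rows into a list of (attribute, value)."""
    reply = []
    for attr, op, value in list(user_rows) + list(group_rows):
        present = any(name == attr for name, _ in reply)
        if op == "=":
            if not present:
                reply.append((attr, value))
        elif op == ":=":
            reply = [(n, v) for n, v in reply if n != attr]
            reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))
        else:
            raise ValueError("unsupported operator: %r" % op)
    return reply


def values(reply, attr):
    """All values sent for one attribute, in order."""
    return [v for n, v in reply if n == attr]


# Rows from the tables posted in the thread.
GROUP_IDLE_APPEND = [("Idle-Timeout", "+=", "1800")]
USER_IDLE_APPEND = [("Idle-Timeout", "+=", "2000")]
USER_IDLE_SET = [("Idle-Timeout", ":=", "2000")]
# Assumption: the thread does not say which operator replaced "+=" in the group.
GROUP_IDLE_DEFAULT = [("Idle-Timeout", "=", "1800")]

# The two per-user values quoted in the thread.
USER_AVPAIRS = [
    ("Cisco-AVPair", "+=", "ip:route=65.173.147.0 255.255.255.0 65.173.147.1"),
    ("Cisco-AVPair", "+=", "ip:addr-pool=pool1"),
]
# Constructed group defaults, for illustration only.
GROUP_AVPAIRS_APPEND = [
    ("Cisco-AVPair", "+=", "ip:route=192.0.2.0 255.255.255.0 192.0.2.1"),
    ("Cisco-AVPair", "+=", "ip:addr-pool=default-pool"),
]
GROUP_AVPAIRS_DEFAULT = [(a, "=", v) for a, _, v in GROUP_AVPAIRS_APPEND]


def scenarios():
    """Values sent for the attribute under each operator combination."""
    idle, avp = "Idle-Timeout", "Cisco-AVPair"
    return {
        # "+=" in both tables: two Idle-Timeout values are sent.
        "idle_append_both": values(merge_reply(USER_IDLE_APPEND, GROUP_IDLE_APPEND), idle),
        # ":=" for the user does not help, the group row is appended afterwards.
        "idle_user_set": values(merge_reply(USER_IDLE_SET, GROUP_IDLE_APPEND), idle),
        # "=" in the group: the user's value is the only one sent.
        "idle_group_default": values(merge_reply(USER_IDLE_APPEND, GROUP_IDLE_DEFAULT), idle),
        # "+=" in both tables for a multi-valued attribute: four values.
        "avpair_append_both": values(merge_reply(USER_AVPAIRS, GROUP_AVPAIRS_APPEND), avp),
        # "=" in the group: a user with own rows gets exactly those rows ...
        "avpair_group_default_override": values(merge_reply(USER_AVPAIRS, GROUP_AVPAIRS_DEFAULT), avp),
        # ... but a user without own rows gets only the first group value.
        "avpair_group_default_plain": values(merge_reply([], GROUP_AVPAIRS_DEFAULT), avp),
    }


if __name__ == "__main__":
    for name, sent in scenarios().items():
        print(name, sent)
```
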




Re: Overriding entries in radgroupreply table

2003-01-29 Thread Simon White
29-Jan-03 at 11:26, Brad Stockdale ([EMAIL PROTECTED]) wrote :
 Once again, I figured out at least part of the solution myself... I changed 
 the +='s on the radgroupreply Idle-Timeout, and now the radreply value 
 replaces the radgroupreply's value...
 
 However, that leaves me with another problem... Part of our users with 
 static IP's are ADSL users, and we use a Cisco box to aggregate them all... 
 Two of the values I have to send back to them are:
 
   Cisco-AVPair = ip:route=65.173.147.0 255.255.255.0 65.173.147.1
   Cisco-AVPair = ip:addr-pool=pool1
 
 Since both have the same attribute names, I have to use the += operator, or 
 else freeradius thinks I want to replace one of them with the other...
 
 So, there's really no easy way to add these to the radreply table, since 
 the radgroupreply's will always override them..

have two entries in the radreply table with the same Attributes?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: radiusclient

2003-01-29 Thread yacine rebahi






Simon White wrote:

 29-Jan-03 at 10:31, yacine rebahi ([EMAIL PROTECTED]) wrote :
  Hello,
  Can one tell me how to configure the radiusclient in order to interwork 
  with freeradius server.

 Asking twice will not get you faster responses.

you are right

 I personally do not understand your need. To me, it doesn't make sense.

I mean I configured the radiusclient based on the documentation provided
with it, but it does not send any request to the radius server. I am using radlogin
command, so I have to provide my username and password. In the local mode
it works but in the radius mode no. Should I specify the server's name and
its port somewhere other than the config file?
thanks

 Regards,

  






Re: Threads not being used

2003-01-29 Thread Matt Scifo
On Wed, 2003-01-29 at 02:08, Alan DeKok wrote:
 Matt Scifo [EMAIL PROTECTED] wrote:
  I began to play around with my thread-pool settings and noticed that
  only one radiusd process was running despite the settings.
 
   That depends on your local system.  Some systems show only one
 process, even if multiple threads are running.
 
   Running the daemon in debug mode failed to produce any output
  relating to the use of threads which I had seen in other posts to
  this list.
 
   Debug mode doesn't use threads.  Edit the source code & rebuild to
 enable threads in debugging mode.
 
   Look in src/main/radiusd.c for the string 'X' (with the quotes).
 Delete one of the following lines which has 'spawn_flag' in it.
 Rebuild & reinstall radiusd.
 
   Alan DeKok.

I made this change and am now seeing thread information in debug mode.

Thanks

Matt Scifo






Re: Threads not being used

2003-01-29 Thread Chris Parker
At 09:40 AM 1/29/2003 -0800, Matt Scifo wrote:

On Wed, 2003-01-29 at 02:08, Alan DeKok wrote:
   Debug mode doesn't use threads.  Edit the source code & rebuild to
 enable threads in debugging mode.

   Look in src/main/radiusd.c for the string 'X' (with the quotes).
 Delete one of the following lines which has 'spawn_flag' in it.
 Rebuild & reinstall radiusd.

   Alan DeKok.

I made this change and am now seeing thread information in debug mode.


Alternatively, don't run 'radiusd -X' run 'radiusd -x -x -x' to get
debugging info in threaded mode.

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: Overriding entries in radgroupreply table

2003-01-29 Thread Brad Stockdale
But the problem is the fact that the radgroupreply entries will override 
whatever is in the radreply table... I would have to use '+=' in both 
radreply and radgroupreply to send these attributes...

If I use anything other than '+=', then the first Cisco-AVPair will be 
overwritten by the second Cisco-AVPair... And if I use += in both tables, 
then I'll have four Cisco-AVPair's... Which will most likely thoroughly 
confuse my Cisco router...

That's my dilemma...

Brad


have two entries in the radreply table with the same Attributes?

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863



RE: Problems building Freeradius with MySQL support

2003-01-29 Thread Keith Ballard
Do you have the mysql development libraries installed when you do the
compilation, as this stops it working.

regards,
Keith

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of john
 zurowski
 Sent: 28 January 2003 11:06
 To: [EMAIL PROTECTED]
 Subject: Problems building Freeradius with MySQL support



 I've been using Freeradius with the users file without any problems for a
 while now.

 I've decided to upgrade to using MySQL to maintain the users/accounting
 database

 I've tried building freeradius using the following ./configure
 without any
 luck.


 ./configure --with-rlm-mysql-lib-dir=/usr/local/mysql/lib/
 --with-rlm-mysql-include-dir=/usr/local/mysql/include/

 and

 ./configure --with-mysql-lib-dir=/usr/local/mysql/lib/
 --with-mysql-include-dir=/usr/local/mysql/include/

 I'm using freeradius.0.8.1 & MySQL 3.23.54

 after doing a make looking in :

 src/modules/rlm_sql/drivers/rlm_sql_mysql

 no object files are being generated although a Makefile is created

 It would be greatly appreciated if someone could point me at a how-to to
 resolve this issue. As I know that its something that I'm not
 doing right -
 just can't figure out what it is.

 Thanks in advance

 ---
 John Zurowski






Re: Overriding entries in radgroupreply table

2003-01-29 Thread Simon White
29-Jan-03 at 12:53, Brad Stockdale ([EMAIL PROTECTED]) wrote :
 But the problem is the fact that the radgroupreply entries will override 
 whatever is in the radreply table... I would have to use '+=' in both 
 radreply and radgroupreply to send these attributes...
 
 If I use anything other than '+=', then the first Cisco-AVPair will be 
 overwritten by the second Cisco-AVPair... And if I use += in both tables, 
 then I'll have four Cisco-AVPair's... Which will most likely thoroughly 
 confuse my Cisco router...
 
 That's my dilemma...
 

Make a radgroup with exceptions (no attribs) which is returned for these
people, and then create in radreply custom attribs on a per user basis?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Counters

2003-01-29 Thread Keith Ballard
Hi all,

I have successfully now got a radius server with mySQL working reliably
(with the help of the Radius book).

What I now want to do is to have the facility where say I want to give a
customer 1000 minutes of access, and once that's used (possibly over several
sessions) that's it, no more access.

Do I just use counters, or is there a mySQL method (preferable)?

regards,
Keith





Re: Threads not being used

2003-01-29 Thread Matt Scifo
On Wed, 2003-01-29 at 02:11, Alan DeKok wrote:
 Matt Scifo [EMAIL PROTECTED] wrote:
  I didn't even think to look in /proc.  I found the same thing.  The
  threads were spawned according to /proc, yet the daemon is not reporting
  thread info in the debug output.  Though that still doesn't explain the
  horrid numbers I'm seeing.  
 
   The horrid numbers are due to something else blocking the server
 (back-end database, disk IO, DNS, etc)
 

I assumed that was what the issue had to be.  Yet I have tuned and
stripped the server down to the bare minimum and am still seeing
disappointing numbers.

Let me tell you in more detail exactly how my configuration is set up so
you can get a better idea about my concerns.  As you can see from my
configuration below, I am still receiving low numbers even when I have
no back-end database, added disk IO due to writing detail records, and
hostname lookups are off.  Even with no accounting/authentication
processing, I can never get more than 60 requests per/sec, which is
disappointing on my hardware and stripped down configuration.

Hardware:  Quad Xeon 550mhz with 2g ram and 8g scsi disk
Software:  Redhat 8.0 running Freeradius 0.8.1
Network:   Full Duplex 100mb network
Configuration:  (I removed commented out sections)

## BEGIN CONFIGURATION ##
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 10
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests  = no
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/snmp.conf
thread pool {
    start_servers = 100
    max_servers = 150
    min_spare_servers = 30
    max_spare_servers = 50
    max_requests_per_server = 0
}
modules {
    detail {
        detailfile = ${radacctdir}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
    }
    $INCLUDE  ${confdir}/sql.conf
    expr {
    }
}
instantiate {
    expr
}

## I have run tests with all of these enabled, a combination of them 
## enabled, and even with none of them enabled.
accounting {
#acct_unique
#detail
#sql
}

post-auth {
}

## END CONFIGURATION ##



Here is debug output from one accounting request packet (with no
accounting options enabled, hence the Nothing to do line)...

rad_recv: Accounting-Request packet from host 66.81.1.206:46298, id=215,
length=113
Thread 33 assigned request 2362
--- Walking the entire request list ---
Thread 33 handling request 2362, (47 handled so far)
Cleaning up request 2361 ID 214 with timestamp 3e3811f9
Nothing to do.  Sleeping until we see a request.
User-Name = mikem
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 2206
Acct-Status-Type = Stop
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
Acct-Delay-Time = 0
Acct-Session-Time = 1972
Acct-Input-Octets = 20972
Acct-Output-Octets = 30972
Sending Accounting-Response of id 215 to 66.81.1.206:46298
Finished request 2362
Going to the next request
Thread 33 waiting to be assigned a request




Results from top during test shows that radiusd never uses more than
20% cpu...

 10:01am  up 22:18,  2 users,  load average: 0.05, 0.06, 0.00
94 processes: 93 sleeping, 1 running, 0 zombie, 0 stopped
CPU0 states:  0.1% user,  4.0% system,  0.0% nice, 94.0% idle
CPU1 states:  5.0% user,  1.0% system,  0.0% nice, 92.0% idle
CPU2 states:  2.0% user,  0.0% system,  0.0% nice, 97.0% idle
CPU3 states:  3.0% user,  0.0% system,  0.0% nice, 96.0% idle
Mem:  2064712K av,  175380K used, 1889332K free,  0K shrd, 40860K buff
Swap: 1052248K av,       0K used, 1052248K free                   91536K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
 3536 root      15   0  1732 1732   776 S    14.2  0.0   0:01 radiusd
snip



I hope I have provided enough information to be useful.  Are there any
other thoughts you can bring to light that could explain this
performance?  I 

newbie needs help!

2003-01-29 Thread Matt Ashfield \(UNB\)



Hi All,

I've downloaded freeradius, and installed the server. I've also brought
up an apache web server with the mod_auth_radius module loaded. Both are
compiled and installed.

My problem is I'm a complete newbie to this software. I've been reading
the documentation that came with the source but I guess I'm looking for
more of a "cookbook" or a good starting point. I'm assuming there's more
to it than simply creating a client and running the server. Even that,
I'm having troubles creating the client!

Does anyone have any pointers? I am ordering the O'Reilly book!

Thanks
Matt


RE: newbie needs help!

2003-01-29 Thread Jonathan Hassell
Chapter 7 in the RADIUS book has an introduction to the mod_auth_radius
module and instructions for getting it going (pp. 118-123).

-Original Message-
From: Matt Ashfield (UNB) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 1:17 PM
To: [EMAIL PROTECTED]
Subject: newbie needs help!


Hi All,

I've downloaded freeradius, and installed the server. I've also brought
up an apache web server with the mod_auth_radius module loaded. Both are
compiled and installed.

My problem is I'm a complete newbie to this software. I've been reading
the documentation that came with the source but I guess I'm looking for
more of a cookbook or a good starting point. I'm assuming there's more
to it than simply creating a client and running the server. Even that,
I'm having troubles creating the client!

Does anyone have any pointers? I am ordering the O'Reilly book!

Thanks

Matt







RE: newbie needs help!

2003-01-29 Thread Keith Ballard



The book should suffice, I just set up freeRadius server with mySQL on
RH7.2 with no previous knowledge at all, and it is now running like a
charm.

regards,
Keith

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Matt Ashfield (UNB)
  Sent: 29 January 2003 18:17
  To: [EMAIL PROTECTED]
  Subject: newbie needs help!
  Hi All,
  
  I've downloaded freeradius, and installed the 
  server. I've also brought up an apache web server with the mod_auth_radius 
  module loaded. Both are compiled and installed.
  
  My problem is I'm a complete newbie to this 
  software. I've been reading the documentation that came with the source but I 
  guess I'm looking for more of a "cookbook" or a good starting point. I'm 
  assuming there's more to it than simply creating a client and running the 
  server. Even that, I'm having troubles creating the client! 
  
  Does anyone have any pointers? I am ordering the 
  O'Reilly book!
  
  Thanks
  Matt


Re: Overriding entries in radgroupreply table

2003-01-29 Thread GreenePA Support
That'll work! Thanks for helping me get out of my rut! I was so deep I 
couldn't see an answer.

Thanks again,
Brad Stockdale


At 06:01 PM 1/29/2003 +, you wrote:

Make a radgroup with exceptions (no attribs) which is returned for these
people, and then create in radreply custom attribs on a per user basis?





Re: Threads not being used

2003-01-29 Thread Toni Mueller

Hi,

On Tue, Jan 28, 2003 at 06:05:55PM -0800, Matt Scifo wrote:
 I tested with just start packets and also with start/stop packets using
 radpwtst v 1.52 from Radiator.

we can safely assume that you are able to hammer out enough packets
to load your server to begin with...

Although I don't have this problem, I'm interested in the solution ;-)


Best,
--Toni++





PEAP Support

2003-01-29 Thread michael . kopp
Hi Group,

I'd like to know if there is some development to integrate PEAP support into
freeradius?
Sorry, I am not a programmer, so I can't contribute too much to this issue,
besides testing the peap support in our cisco lab

thanks 

michael




REPOST: partial realm match?

2003-01-29 Thread Robert Haskins
I sent this a week ago and got no response, so I figured I'd send it 
again. Any help anyone on the list could provide would be great.

Thanks!

 Original Message 
Subject: partial realm match?
Date: Wed, 22 Jan 2003 13:24:23 -0500
From: Robert Haskins [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Organization: WorldNET
To: [EMAIL PROTECTED]

I am trying to configure freeradius-0.8.1 to accept authentication
requests of the form: user@somthing.isp.net where I don't know in
advance what the something is going to be. So essentially what I am
asking is, is it possible to setup proxy.conf to match on a substring?
Is there a regular expression type of realm matching logic available, or
must this be coded?

Thanks for your help!
--
Robert D. Haskins





Re: Sockets disconected from DB. How reconect it?

2003-01-29 Thread Peter Nixon
On Wed, 29 Jan 2003 12:23 pm, Alan DeKok wrote:
 Yurguen Castillo [EMAIL PROTECTED] wrote:
  Using Freeradius 0.8.1 and validating users using Sybase driver work
  fine for us; but if for some reason we lost connection to the DB,
  or the DB server is restarted we can't continue validating using the
  DB until radiusd is restarted and new sockets are open again.
 
  Is there any way to do a new connection to the DB (open new sockets)
  in case that the DB is restarted?

   Yes.  Patch the rlm_sql_sybase driver to return SQL_DOWN in the
 appropriate places.  See the rlm_sql_mysql code for examples of
 SQL_DOWN.

Hi Yurguen

Alan has just given you the same answer he gave me when I asked about the same 
problem with the Postgresql drivers a few months ago. As a poor C programmer 
(occasional perl hacker, mostly sysadmin) this was not the answer I was 
looking for, but as I REALLY needed this feature I dived in and attempted to 
figure the driver out. As it turned out, it was relatively simple (It took me 
about 6-8 hours all up, most of which was relearning my university C skills).

If you join the freeradius-devel list and have a stab at the code and post 
your patches and or questions, you will probably find you get it done pretty 
easily.

Maybe you will become the new maintainer of the Sybase driver :-)

Hope that helps.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc





Re: REPOST: partial realm match?

2003-01-29 Thread Alan DeKok
Robert Haskins [EMAIL PROTECTED] wrote:
 I am trying to configure freeradius-0.8.1 to accept authentication
 requests of the form: user@somthing.isp.net where I don't know in
 advance what the something is going to be. So essentially what I am
 asking is, is it possible to setup proxy.conf to match on a substring?

  No.

  But you can do it elsewhere:

DEFAULT   User-Name =~ @.*\.isp\.net$, Proxy-To-Realm = isp.net
  ...

  Alan DeKok.
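
An added example (not from the thread or the FreeRADIUS sources) that runs the pattern from the users-file entry above over constructed User-Name values, to show which names it would proxy and which it would not. Python's `re` stands in for the server's regex search; the `STRICT` pattern, the function names and every sample name are assumptions made for illustration.

```python
import re

# Pattern exactly as posted in the users-file entry above.
POSTED = re.compile(r"@.*\.isp\.net$")

# Hypothetical tighter variant (an assumption, not from the thread): a
# non-empty user part with no '@' or space, then one or more DNS-style
# labels in front of isp.net. It avoids Python-only syntax, so the same
# expression is also a valid POSIX extended regex.
STRICT = re.compile(r"^[^@ ]+@([A-Za-z0-9-]+\.)+isp\.net$")

# Constructed User-Name values: the ordinary case plus the edges.
SAMPLES = [
    "alice@dsl.isp.net",             # one sub-realm
    "bob@pop1.east.isp.net",         # nested sub-realm
    "carol@isp.net",                 # bare realm, no sub-realm label
    "dave@dsl.isp.net.example.org",  # isp.net is not the suffix
    "frank@notisp.net",              # look-alike domain
    "eve@other.org@x.isp.net",       # two '@' signs
    "@.isp.net",                     # empty user and empty label
    "gina smith@x.isp.net",          # space in the user part
]


def classify(name):
    """Return (matched_by_posted, matched_by_strict) for one User-Name."""
    return (POSTED.search(name) is not None,
            STRICT.search(name) is not None)


def report(names):
    """Group names by which pattern(s) would select them for proxying."""
    groups = {"both": [], "posted_only": [], "neither": []}
    for name in names:
        posted, strict = classify(name)
        if posted and strict:
            groups["both"].append(name)
        elif posted:
            groups["posted_only"].append(name)
        else:
            groups["neither"].append(name)
    return groups


if __name__ == "__main__":
    for group, names in report(SAMPLES).items():
        print(group)
        for name in names:
            print("   ", repr(name))
```

Names in `posted_only` are the ones to look at before deploying the entry: they reach the home server even though they are not of the form user@something.isp.net. `carol@isp.net` lands in `neither`, so the bare realm still needs its own entry.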




Re: PEAP Support

2003-01-29 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'd like to know if there is some development to integrate PEAP support into
 freeradius ?

  Not at this time.  People have been asking that question for over a
year on the list, and no one has volunteered to do the work.

  You can always try paying a programmer to do the work.

  Alan DeKok.




Re: Threads not being used

2003-01-29 Thread Alan DeKok
Toni Mueller [EMAIL PROTECTED] wrote:
 we can safely assume that you are able to hammer out enough packets
 to load your server to begin with...

  ./radclient ... -c 1000 ...

  Sends a request 1000 times (not duplicated: 1000 unique, but similar
requests)

  Alan DeKok.




Starting new thread with a reply (like this one)

2003-01-29 Thread Peter Nixon
On Wed, 29 Jan 2003 06:17 pm, Brad Stockdale wrote:
 Hello all,


Hello List

Is it possible for people to please start a new thread with a new message, not 
a reply to an existing thread. This can get very annoying for those of us who 
use threaded mail clients that thread based on In-Reply-To:  headers.
Is it too much to ask to type [EMAIL PROTECTED] in the To: 
field of a new mail or do the intelligent thing and set a default To: address 
for the folder you filter your freeradius mail into. All semi intelligent 
mail clients support this. (I have no idea about the Microsoft variety 
though.)


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc





Re: Threads not being used

2003-01-29 Thread Matt Scifo
On Wed, 2003-01-29 at 06:25, Alan DeKok wrote:
 Toni Mueller [EMAIL PROTECTED] wrote:
  we can safely assume that you are able to hammer out enough packets
  to load your server to begin with...
 
   ./radclient ... -c 1000 ...
 
   Sends a request 1000 times (not duplicated: 1000 unique, but similar
 requests)
 

yeah, it's a nice tool.  radpwtst from radiator works the same way, it
just lets you do everything from command line, which makes it easy to
script. like...

time perl -e 'for (1..100) {`radpwtst -time -trace -s xx.xx.xx.xx -acct_port 1813 -secret testing123 -noauth -iterations 100`;}'

:)





Special characters

2003-01-29 Thread Boa
I am running FreeRadius 0.5 as a proxy to our enterprise auth system. 
Everything is running great, except for one user.  He has no trouble 
getting to his email account (same uname and pword on the enterprise 
system), but he can't dial in & get auth'ed.

I was wondering if there are any special characters that FreeRadius 0.5 
won't pass correctly.

Any ideas?

Thanks!

--
Boa

I can hear the voice, But I don't want to listen - Strap me down and tell me I'll be all right
- Disturbed, The Sickness, Voices (2000)





Re: Special characters

2003-01-29 Thread Alan DeKok
Boa [EMAIL PROTECTED] wrote:
 I am running FreeRadius 0.5 as a proxy to our enterprise auth system. 
 Everything is running great, except for one user.  He has no trouble 
 getting to his email account (same uname and pword on the enterprise 
 system), but he can't dial in & get auth'ed.

  So run the server in debugging mode to see why...
 
 I was wondering if there are any special characters that FreeRadius 0.5 
 won't pass correctly.

  A zero byte embedded inside of the user name.

  But why are you running 0.5?  0.8.1 is *much* better, and has been
out for a while.

  Alan DeKok.




Which takes priority? MAC ACL or Radius on Orinoco AP-1000

2003-01-29 Thread Shahid M. Bhatti
Hi,
I am trying to implement MAC based authentication with the
(Lucent)Orinoco's wireless access point AP-1000 and the FreeRadius
here. Now if you own an AP-1000 you might be aware that there you can
do either MAC filtering and/or Radius based authentication on that AP.
So my question is that which takes priority out of the two methods
when we have enabled both of them at the same time on this access
point?

The second question: now that I'm interested in doing Radius based
authentication only, in what state should the MAC access control
table be? Because if you notice, you can only Delete All MAC
addresses from the MAC authentication table, but you cannot say to
block all of them!

Thanks in advance for all your help.




Logging Question

2003-01-29 Thread Brandon Lehmann
Hello List,

I have looked through quite a bit of the archives and did not see
anything along this question.   I currently have Freeradius running
perfectly as a proxy system. The accounting data is saved to a file and
forwarded to the actual auth server. No problems there. I also have another
log file (detail.log) that contains lines similar to this:

Wed Jan 29 17:23:02 2003 : Auth: Login OK: [[EMAIL PROTECTED]/] (from
client rad2.cisp.proxy port 16928 cli 4193558974)
Wed Jan 29 17:23:04 2003 : Auth: Login incorrect (Home Server says so):
[[EMAIL PROTECTED]/] (from client rad1.cisp.proxy port 17871 cli
4195882771)
(some wrapping may have occurred).

I am currently trying to get FreeRadius to log everything to a MySQL
server (for testing then to a MSSQL server). The accounting data (start &
stop packets... etc) are making it into the MySQL database just fine. The
problem lies in the fact that I can not find any way to log the information
that goes into detail.log to a MySQL database. We are looking for the
ability to rapidly search through our users login attempts during a certain
date range or even the current date to see #1 if we receive the auth
request, #2 if their password is correct, and #3 was it ok. Any help would
be greatly appreciated. Please reply both on-list and off.

Brandon Lehmann  CCNA, CFOT, A+
Network Co-Administrator
Networld Online Inc.
WorldTeq Group Intl
2201 Commerce Drive
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net




Re: Counters

2003-01-29 Thread Kostas Kalevras
On Wed, 29 Jan 2003, Keith Ballard wrote:

 Hi all,

 I have successfully now got a radius server with mySQL working reliably
 (with the help of the Radius book).

 What I now want to do is to have the facility where say I want to give a
 customer 1000 minutes of access, and once that's used (possibly over several
 sessions) that's it, no more access.

 Do I just use counters, or is there a mySQL method (preferable)?

You can either use the counter module (gdbm accounting) or the sqlcounter module
(uses the sql accounting info)


 regards,
 Keith




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




Re: Logging Question

2003-01-29 Thread Alan DeKok
Brandon Lehmann [EMAIL PROTECTED] wrote:
   I have looked through quite a bit of the archives and did not see
 anything along this question. I currently have Freeradius running
 perfectly as a proxy system. The accounting data is saved to a file and
 forwarded to the actual auth server. No problems there. I also have another
 log file (detail.log) that contains lines similar to this:
 
 Wed Jan 29 17:23:02 2003 : Auth: Login OK: [[EMAIL PROTECTED]/] (from
 client rad2.cisp.proxy port 16928 cli 4193558974)

  That's not the detail log file.  It's the log file describing what
the server is doing.

   I am currently trying to get FreeRadius to log everything to a MySQL
 server (for testing then to a MSSQL server). The accounting data (start &
 stop packets... etc) are making it into the MySQL database just fine. The
 problem lies in the fact that I can not find any way to log the information
 that goes into detail.log to a MySQL database.

  You can't.  It's not meant to go into a database.  It doesn't
contain much additional information over the accounting logs.

  We are looking for the
 ability to rapidly search through our users login attempts during a certain
 date range or even the current date to see #1 if we receive the auth
 request, #2 if their password is correct, and #3 was it ok. Any help would
 be greatly appreciated.

  Grab the latest CVS snapshot.  There is the ability to do things
(including logging to SQL) after a user has been authenticated (or
failed authentication), but before the Reject packet is sent to the client.

 Please reply both on-list and off.

  Why?

  Alan DeKok.




Re: Logging Question

2003-01-29 Thread Kostas Kalevras
On Wed, 29 Jan 2003, Brandon Lehmann wrote:

 Hello List,

   I have looked through quite a bit of the archives and did not see
 anything along this question. I currently have Freeradius running
 perfectly as a proxy system. The accounting data is saved to a file and
 forwarded to the actual auth server. No problems there. I also have another
 log file (detail.log) that contains lines similar to this:

 Wed Jan 29 17:23:02 2003 : Auth: Login OK: [[EMAIL PROTECTED]/] (from
 client rad2.cisp.proxy port 16928 cli 4193558974)
 Wed Jan 29 17:23:04 2003 : Auth: Login incorrect (Home Server says so):
 [[EMAIL PROTECTED]/] (from client rad1.cisp.proxy port 17871 cli
 4195882771)
 (some wrapping may have occurred).

   I am currently trying to get FreeRadius to log everything to a MySQL
 server (for testing then to a MSSQL server). The accounting data (start &
 stop packets... etc) are making it into the MySQL database just fine. The
 problem lies in the fact that I can not find any way to log the information
 that goes into detail.log to a MySQL database. We are looking for the
 ability to rapidly search through our users login attempts during a certain
 date range or even the current date to see #1 if we receive the auth
 request, #2 if their password is correct, and #3 was it ok. Any help would
 be greatly appreciated. Please reply both on-list and off.

Check out the log_badlogins script in dialup_admin.


 Brandon Lehmann  CCNA, CFOT, A+
 Network Co-Administrator
 Networld Online Inc.
 WorldTeq Group Intl
 2201 Commerce Drive
 Fremont, OH 43420
 800-644-6638
 [EMAIL PROTECTED]
 www.nwonline.net



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




RE: Logging Question

2003-01-29 Thread Brandon Lehmann
I'm sorry I got my log files mixed up. Either way I want the information
from the server (radius.log) to log to sql. I may just have to fire a
cronjob to parse it and toss it into the sql dbase but that's the complex way
out. The detail.log has the accounting data that is going to the SQL server
already.

Why reply off list? - I am subscribed to too many mailing lists and it's hard
to tell if someone responds to my posts. However I didn't know if someone
else might one day have the same question as I and they could then go
through the archive and find it.

Brandon Lehmann  CCNA, CFOT, A+
Network Co-Administrator
Networld Online Inc.
WorldTeq Group Intl
2201 Commerce Drive
Fremont, OH 43420
800-644-6638
[EMAIL PROTECTED]
www.nwonline.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Alan DeKok
Sent: Wednesday, January 29, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: Re: Logging Question 


Brandon Lehmann [EMAIL PROTECTED] wrote:
   I have looked through quite a bit of the archives and did not see
 anything along this question. I currently have Freeradius running
 perfectly as a proxy system. The accounting data is saved to a file and
 forwarded to the actual auth server. No problems there. I also have
another
 log file (detail.log) that contains lines similar to this:
 
 Wed Jan 29 17:23:02 2003 : Auth: Login OK: [[EMAIL PROTECTED]/] (from
 client rad2.cisp.proxy port 16928 cli 4193558974)

  That's not the detail log file.  It's the log file describing what
the server is doing.

   I am currently trying to get FreeRadius to log everything to a MySQL
 server (for testing then to a MSSQL server). The accounting data (start &
 stop packets... etc) are making it into the MySQL database just fine. The
 problem lies in the fact that I can not find any way to log the
information
 that goes into detail.log to a MySQL database.

  You can't.  It's not meant to go into a database.  It doesn't
contain much additional information over the accounting logs.

  We are looking for the
 ability to rapidly search through our users login attempts during a
certain
 date range or even the current date to see #1 if we receive the auth
 request, #2 if their password is correct, and #3 was it ok. Any help would
 be greatly appreciated.

  Grab the latest CVS snapshot.  There is the ability to do things
(including logging to SQL) after a user has been authenticated (or
failed authentication), but before the Reject packet is sent to the client.

 Please reply both on-list and off.

  Why?

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
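
The cron-job approach mentioned in the message above (parse radius.log and load it into SQL), as an added example that is not from the thread or from FreeRADIUS. It assumes the `Auth:` line layout quoted in this thread; the sample lines are constructed, the user names are placeholders, and sqlite3 in memory stands in for the MySQL server. Table and function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample lines in the radius.log layout quoted in this thread.
# The last line has a User-Name that imitates the "(from client ...)" tail.
SAMPLE_LOG = [
    "Wed Jan 29 17:23:02 2003 : Auth: Login OK: [alice@example.net/] "
    "(from client rad2.cisp.proxy port 16928 cli 4193558974)",
    "Wed Jan 29 17:23:04 2003 : Auth: Login incorrect (Home Server says so): "
    "[bob@example.net/] (from client rad1.cisp.proxy port 17871 cli 4195882771)",
    "Wed Jan 29 17:23:05 2003 : Info: Ready to process requests.",
    "Sat Feb  1 09:00:00 2003 : Auth: Login incorrect: "
    "[x] (from client fake port 1)/] (from client rad1.cisp.proxy port 17872)",
]

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# The user field is matched greedily and the tail is anchored to the end of
# the line, so only the tail written by the server itself is trusted.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>.*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)]*))?\)\s*$"
)


def parse_line(line):
    """Return a dict for an Auth line, or None for any other line."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    _dow, mon, day, clock, year = m.group("ts").split()
    if mon not in MONTHS:
        return None
    # The bracket holds "user/password". Keep only what precedes the first
    # '/', so a logged password is never copied into the database.
    username = m.group("user").partition("/")[0]
    return {
        "ts": f"{year}-{MONTHS[mon]:02d}-{int(day):02d} {clock}",
        "result": m.group("result"),
        "reason": m.group("reason"),
        "username": username,
        "client": m.group("client"),
        "port": int(m.group("port")),
        "cli": m.group("cli"),
    }


def build_db(lines):
    """Load all Auth lines into an in-memory table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_log (ts TEXT, result TEXT, reason TEXT, "
        "username TEXT, client TEXT, port INTEGER, cli TEXT)")
    rows = [r for r in map(parse_line, lines) if r is not None]
    # Bound parameters only: user names come from the network, untrusted.
    conn.executemany(
        "INSERT INTO auth_log VALUES "
        "(:ts, :result, :reason, :username, :client, :port, :cli)", rows)
    conn.commit()
    return conn


def failed_logins(conn, start, end):
    """Rejected attempts with start <= ts <= end (ISO 'YYYY-MM-DD HH:MM:SS')."""
    return conn.execute(
        "SELECT ts, username, client, reason FROM auth_log "
        "WHERE result = 'Login incorrect' AND ts BETWEEN ? AND ? ORDER BY ts",
        (start, end)).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_LOG)
    for row in failed_logins(db, "2003-01-29 00:00:00", "2003-02-01 23:59:59"):
        print(row)
```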



CHAP + Linux Accounts

2003-01-29 Thread Ryan Beisner
Hi All

I have a small server to authenticate a few dozen local users.  I'd like
to avoid setting up SQL and/or LDAP databases for this small task.

I successfully configured PAM authentication -- so that my local Linux
users could authenticate via FreeRADIUS.

My problem is:  when a Win9x machine dials and auths, it uses CHAP. 
While I'm tailing the log file, it points out that it isn't gonna
work, and to read the FAQ.  OK.

Is there any way to allow CHAP authentication to LINUX SYSTEM accounts
(via passwd, shadow, etc) ?? 


Thanks in advance!

-Ryan






Re: CHAP + Linux Accounts

2003-01-29 Thread Frank Cusack
On Wed, Jan 29, 2003 at 06:35:05PM -0600, Ryan Beisner wrote:
 Is there any way to allow CHAP authentication to LINUX SYSTEM accounts
 (via passwd, shadow, etc) ?? 

No.




RE: FreeRADIUS under Cygwin

2003-01-29 Thread Philip Blow
Glad to be of help.

Sorry about the diffs. The doc was originally for my own use. When I get a
chance I will tidy up and repost.

The output of the grep is:
exeext=

Philip Blow
Senior Technical Manager
Simply Wireless
[EMAIL PROTECTED]

 Philip Blow [EMAIL PROTECTED] wrote:
  Here are some brief notes I put together for compiling FreeRADIUS 0.8.1
  on Windows XP with EAP/TLS support.
 ...
 
   Nice, but your diff's are reversed.
 
 4. the top-level Makefile change isn't needed in the CVS head, I've
   fixed that issue.
 
 - On the cygwin system, can you do:
 
   grep ^exeext libtool
 
   and mail the output to the list?  I'll see if I can fix the problems
 with installing executables.
 
 
 6.  Hmm... I'll fix that in the CVS head.  It may also explain
 weirdness on MACOSX.
 
 
   It's a good document.  I'll add it as 'doc/CYGWIN'
 
   Alan DeKok.
 




Re: CHAP + Linux Accounts

2003-01-29 Thread Andrew Pilley
On Wed, Jan 29, 2003 at 06:35:05PM -0600, Ryan Beisner wrote:
 Hi All
 
 My problem is:  when a Win9x machine dials and auths, it uses CHAP. 
 While I'm tailing the log file, it points out that it isn't gonna
 work, and to read the FAQ.  OK.
 
 Is there any way to allow CHAP authentication to LINUX SYSTEM accounts
 (via passwd, shadow, etc) ?? 

no, but you CAN force the other end to only accept pap. We only accept
PAP here, and as far as i know, all dialup accounts work without any
special settings. we haven't had any customers complaining about it, and
most of them end up using win95/98 that they borrowed from friends.

here, we just set 
authenticate {
    authtype PAP {
        pap
    }

    pap
}

in the radiusd.conf, and it's working nicely.

that said, the problem with chap is that the radius server *must* know
the full password, since CHAP is in effect a shared-secret based
authentication mechanism, and if it's encrypted using a one-way hash,
you won't be able to get the password out of it to build the
challenge/response packets.

Personally, i'd rather risk someone breaking into the phone exchange and
sniffing the password off the wire than someone lifting the entire set
of passwords from my radius server.

also, it's possible for you to actually add the cleartext password to
/etc/raddb/users(.conf) and have that override the shadow password. less
messing around than SQL, but harder to maintain, and still easy to
steal.

Andrew Pilley

 
 
 Thanks in advance!
 
 -Ryan
 
 
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
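
The point made in the reply above (CHAP needs the cleartext password, PAP can be checked against a one-way hash), as an added example that is not part of the original thread. It follows the RFC 1994 CHAP-MD5 calculation; PBKDF2 is an assumed stand-in for the crypt(3) hash in /etc/shadow, and the password, salt and challenge are constructed values.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def shadow_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way shadow hash (PBKDF2 here, not crypt(3))."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """Server side of CHAP: recompute the response from what it has stored."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(submitted: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """Server side of PAP: the password arrives, so it can be hashed and compared."""
    return hmac.compare_digest(shadow_hash(submitted, salt), stored_hash)


# Constructed sample data, not taken from the thread.
PASSWORD = b"s3cret-dialup"
SALT = b"constructed-salt"
STORED = shadow_hash(PASSWORD, SALT)      # all a shadow-style store keeps
IDENT = 0x2A
CHALLENGE = bytes(range(16))


def demo() -> dict:
    # The dial-up client knows the real password and answers the challenge.
    resp = chap_response(IDENT, PASSWORD, CHALLENGE)
    return {
        # Server holding the cleartext can recompute the same MD5.
        "chap_with_cleartext": verify_chap(IDENT, CHALLENGE, resp, PASSWORD),
        # Server holding only the one-way hash cannot: the hash is not the secret.
        "chap_with_hash_only": verify_chap(IDENT, CHALLENGE, resp, STORED),
        # PAP works against the hash because the password itself is sent.
        "pap_with_hash": verify_pap(PASSWORD, SALT, STORED),
        "pap_wrong_password": verify_pap(b"wrong", SALT, STORED),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
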



prio column in radgroupreply

2003-01-29 Thread Robert Canary
Anyone know what the prio column is for in the radgroupreply table?

Item | Field     | Type             | Null | Key | Default | Extra
   1 | id        | int(11) unsigned |      | PRI |         | auto_increment
   2 | GroupName | varchar(64)      |      | MUL |         |
   3 | Attribute | varchar(32)      |      |     |         |
   4 | op        | char(2)          |      |     |         |
   5 | Value     | varchar(253)     |      |     |         |
   6 | prio      | int(10) unsigned |      |     | 0       |

--
robert




Re: Run external script after disconnect.

2003-01-29 Thread Do-Risika RAFIEFERANTSIARONJY
Vitaliy Karlov wrote:

Andrew E. Guly wrote:


I use FreeRadius-0.8.1 with Postgres on Linux RH 8.0 for authentication 
and accounting of dial-in users.

My radiusd executes the external script with Exec-Program-Wait = 
/some/script when the user is authenticated.
No problems, it works fine...

Q: How can I execute the external script *after* the user disconnects?


Maybe you could look at the file acct_users?
When your radius server receives Acct-Stop...

Something like this:
acct_user:
== acct_users ==
DEFAULT Acct-Status-Type == Stop
        Exec-Program = /path/to/some/script.pl
==


thanks, i've never noticed this *useful feature* before,

so i think i'd have to add acct_users in the radius.conf accounting 
section ?

best regards,

--
Do-Risika RAFIEFERANTSIARONJY, SysAdmin
mailto:[EMAIL PROTECTED]

Simicro Internet, mailto:[EMAIL PROTECTED], http://internet.simicro.mg
Tel : (+261) 20 22 648 83 (GMT +3), Fax : (+261) 20 22 661 83


