Patch for LDAP URI support (at least with OpenLDAP libraries)
I've worked up a small patch that works with OpenLDAP features to support the use of LDAP URIs for referring to LDAP servers instead of specifying by host/port. This will work easily for ldap://, ldaps:// and ldapi:// (LDAP over IPC) URIs. I've plugged this in and tested the module (with CVS code from ~7 days ago), and it's working well. I'm checking out the Netscape/iPlanet LDAP C API documentation, but it doesn't appear to provide the ldap_initialize() call that the OpenLDAP libraries do.

To use this module, just patch it in. No makefile changes are necessary. To use an LDAP URI, just add a line like:

    server_uri = ldap://localhost/

or

    server_uri = ldapi:///

to the ldap config section in your radiusd.conf. By default, its value will be NULL, so the server and port options will take effect instead. If you specify anything for server_uri, however, it will take precedence.

Also, if you wish to use an ldapi:// URI, check to see that your slapd has been started with the -h "URI list" option. If one of the URIs specified points to a particular path for the LDAP socket file, specify it like this:

    ldapi://%2fvar%2frun%2fldapi/

See the OpenLDAP docs for additional info.

--
Derrik Pates
[EMAIL PROTECTED]
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
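As an added illustration of the precedence and URI forms the patch describes (this is example code, not the patch or rlm_ldap itself), here is a small resolver that applies the same rule: a non-empty server_uri wins, otherwise server/port apply, and an ldapi socket path is percent-decoded out of the authority part. It also checks a configured target against a slapd -h "URI list". The config keys, the returned field names and the helper names are assumptions of this example.

```python
from urllib.parse import unquote, urlsplit

# Default ports for the two network schemes; ldapi has no port at all.
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def resolve_ldap_target(config):
    """Decide where the module would connect from a dict of config keys.

    Mirrors the rule in the post: a non-empty 'server_uri' takes precedence,
    otherwise the legacy 'server'/'port' pair is used.  Returns a dict with a
    'scheme' key plus 'host'/'port' (ldap, ldaps) or 'socket' (ldapi).
    A host of None means "library default" (localhost for a client).
    """
    uri = (config.get("server_uri") or "").strip()
    if not uri:
        # Legacy path: host/port, defaulting to localhost:389 (assumed defaults).
        return {
            "scheme": "ldap",
            "host": config.get("server", "localhost"),
            "port": int(config.get("port", 389)),
            "uri": None,
            "cleartext_on_wire": True,
        }

    parts = urlsplit(uri)
    scheme = parts.scheme.lower()

    if scheme == "ldapi":
        # For ldapi:// the socket path is carried in the authority part with
        # every '/' percent-encoded, e.g. ldapi://%2fvar%2frun%2fldapi/ ;
        # an empty authority (ldapi:///) means the library's compiled-in default.
        socket_path = unquote(parts.netloc) if parts.netloc else None
        if socket_path is not None and not socket_path.startswith("/"):
            raise ValueError(f"ldapi socket path must be absolute: {socket_path!r}")
        return {
            "scheme": "ldapi",
            "socket": socket_path,
            "uri": uri,
            # Traffic never leaves the host, but it is not encrypted either.
            "cleartext_on_wire": False,
        }

    if scheme not in LDAP_DEFAULT_PORTS:
        raise ValueError(f"unsupported LDAP URI scheme: {scheme!r}")

    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or LDAP_DEFAULT_PORTS[scheme],
        "uri": uri,
        # Plain ldap:// sends the bind password unencrypted unless StartTLS is negotiated.
        "cleartext_on_wire": scheme == "ldap",
    }


def slapd_serves(uri_list, target):
    """Check a slapd -h "URI list" (space separated) against a resolved target:
    for ldapi the decoded socket paths must match, for ldap/ldaps the port must
    match and the listener must be unbound (all interfaces) or the same host."""
    for listened in uri_list.split():
        served = resolve_ldap_target({"server_uri": listened})
        if served["scheme"] != target["scheme"]:
            continue
        if target["scheme"] == "ldapi":
            if served["socket"] == target["socket"]:
                return True
        elif served["port"] == target["port"] and served["host"] in (None, target["host"]):
            return True
    return False
```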
missing docs?
Running 0.8.1. I'm reviewing doc/rlm_sqlcounter and it references:

"You can make your own names and directives for resetting the counter by following src/modules/rlm_sqlcounter/README.txt"

Can't find it or any apparent replacement. Is it missing? Replaced? Deprecated? Ground up for dog food?

thanks,
Jim
Simultaneous-Use + Ascend maxen
Well, this is quite bizarre. I have Ascend Maxen, Livingston Portmaster III's, and a couple of Ciscoes as dialup servers. With Simultaneous-Use set to 1, if I dial into a Max when the account is already logged on, I get dropped to the internal ascend% prompt. I know this is likely an Ascend weirdness rather than a Freeradius weirdness, but was wondering if any other folks with Maxen have noticed this, and if so, what you did about it? Or, if you didn't notice it, and you are using MySQL auth, can you tell me how your Simultaneous-Use flag is set? I have no Simultaneous-Use settings in the database, and in the users file, I have:

    DEFAULT Simultaneous-Use +=1
            Fall-Through = Yes

I'm using the "+=" op and not ":=" because I wanted to be able to set Simultaneous-Use to different values for individual users, and "+=" was the only way that it seemed to work so that it would only put the Simultaneous-Use value in if the user didn't have one.

(Crossing my fingers that someone has seen this...:-))

K.
rlm_ldap URI support?
I'd rather see LDAP URIs used instead of specifying the server hostname and port separately - in no small part because in that case, it's easy to support LDAP over UNIX domain sockets, which (in my experience) provides lower overhead when doing lots of queries (which is hopefully going to be the case with the setup I'm working on). Does anyone have a patch? If not, does anyone know if opening by URI is an OpenLDAP-only feature? If no one has a patch, I can probably sort it out myself.

--
Derrik Pates
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Simultaneous-Use problem from virtual ISP
Hello,

I am trying to get our radius servers to authenticate a virtual ISP request. When we have the Simultaneous-Use attribute in radcheck it ALWAYS fails with a Multiple login error, no matter how many Simultaneous-Use I give it. It always says there are more logins than the number I have. I have debugging on the radcheck script and it returns that there is no one logged in. Things work fine for all our own dial equipment, ascends, ciscos, portmaster, TNTs, etc.

First here is the debug from when connecting from them: Next will be the debug from when connecting from our test Ascend. (We have a custom module that appends the domain name to a username if they don't supply it, based off of the IP address of the NAS; ignore that stuff.)

rad_recv: Access-Request packet from host 170.147.113.49:58771, id=46, length=114
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "icgtest"
        NAS-IP-Address = 170.147.113.13
        NAS-Port = 16930
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "2143799633"
        Calling-Station-Id = "7034816192"
        NAS-Port-Type = Async
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
    rlm_realm: Looking up realm trueband.net for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm trueband.net
  modcall[authorize]: module "suffix" returns noop
modcall: entering group group
radius_xlat: Running registered xlat function of module atdomain for string '%n'
rlm_sql: sql_domain_xlat
radius_xlat: '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql1): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql1): Reserving sql socket id: 14
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql1): Released sql socket id: 14
  modcall[authorize]: module "sql1" returns ok
modcall: group group returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
radius_xlat: Running registered xlat function of module atdomain for string '%n'
rlm_sql: sql_domain_xlat
radius_xlat: '[EMAIL PROTECTED]'
sql_domain_xlat: User [EMAIL PROTECTED] already has a domain name
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
sqlcounter_expand: '%{sql1:SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600'}'
radius_xlat: Running registered xlat function of module sql1 for string 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
rlm_sql (sql1): - sql_xlat
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1045785600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='[EMAIL PROTECTED]' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1045785600''
rlm_sql (sql1): Reserving sql socket id: 13
rlm_sql (sql1): - sql_xlat finished
rlm_sql (sql1): Released sql socket id: 13
radius_xlat: '18'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=36000, counter=18
rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED], Type=Session-Timeout, value=28800
  modcall[authorize]: module "dailycounter" returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1044057600 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}%{atdomain:%n}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1044057600''
radius_xlat: Running registered xlat function of module atdomain for string '%n'
rlm_sql: sql_domain_xlat
radius_xlat: '[
Re: RADIUS +
[EMAIL PROTECTED] wrote:
> I am working on a wireless project and I want to enforce policy based
> authentication.
>
> I want the RADIUS to interact with this application before it can
> authenticate a user.

But that's what the RADIUS server does. It enforces policy based authentication. The policy usually comes from a database, like SQL or LDAP.

> I understand about opening the socket connection and adhering to
> the RFCs but I don't know if I can make the RADIUS import
> authentication details before it actually authenticates.

Yes, it can import the policy from a database.

Alan DeKok.
RE:RE: RADIUS +
Hi Chris/Simon,

Thanks for the response, let me make myself clear. This is what I want to do. I am working on a wireless project and I want to enforce policy based authentication. I want the RADIUS to interact with this application before it can authenticate a user. This application will determine the policy for authentication, e.g. to authenticate a NAS, or to authenticate a request coming from a uid from a particular NAS, etc.

I understand about opening the socket connection and adhering to the RFCs, but I don't know if I can make the RADIUS import authentication details before it actually authenticates. Because ultimately it is the RADIUS which will authenticate.

Hope this is clear. Any suggestion will be a great help to me.

Thanks a lot
Narasimha ([EMAIL PROTECTED])
Re: rlm_ldap in solaris
I was doing some research here, and the problems I saw seemed to be related to the order of the linking of libraries. The Solaris linker is particular about the order of the "-l" arguments on the command line. It only goes through a library looking for unresolved symbols once, and this is only at the time that it gets to it on the command line. Since libldap references stuff in liblber, if -llber is passed to cc before -lldap the compile doesn't work, and hence the configure doesn't work. I had to mess with the configure script to get this order reversed, and then passing "--with-rlm-ldap" args at the top level worked for the configure. I then had trouble building it later (I think for the same reason) but I got distracted with some other problems and haven't gotten back to it to finish the build...

/marc

On Friday, February 21, 2003, at 08:28 AM, Brian Leung wrote:

> i have tried, but seems the rlm_ldap still failed although i pass it in the 1st time configure, so i separate the step to do
>
> Brian
>
> ----- Original Message -----
> From: "Kostas Kalevras" <[EMAIL PROTECTED]>
> To: "radius" <[EMAIL PROTECTED]>
> Sent: Friday, February 21, 2003 11:47 PM
> Subject: Re: rlm_ldap in solaris
>
>> On Fri, 21 Feb 2003, Brian Leung wrote:
>>
>>> Today, i finally compile the ldap module of freeradius in solaris platform successfully.
>>> I hope the following steps can help:
>>>
>>> 1. install openssl in to /usr/local
>>>    cd /usr/local/src/openssl
>>>    ./config --prefix=/usr/local
>>> 2. install openldap into /usr/local/openldap
>>> 3. install freeradius
>>>    cd /usr/local/src/freeradius
>>>    ./configure --prefix=/usr/local/radiusd
>>>    Note: in this stage, you will still find that the rlm_ldap can't be compiled successfully, but don't give up
>>> 4. compile the freeradius ldap module now
>>>    cd /usr/local/src/freeradius/src/modules/rlm_ldap
>>>    ./configure --prefix=/usr/local/radiusd --with-rlm-ldap-lib-dir=/usr/local/openldap/lib --with-rlm-ldap-include-dir=/usr/local/openldap/include
>>>    you will find that you should not have any "Failure" appear
>>>    make
>>>    make install
>>> 5. Finally, you will find the rlm_ldap lib will go to /usr/local/radiusd/lib
>>>
>>> Brian
>>
>> Sorry but why don't you just pass the --with-rlm-ldap* options in the first
>> configure run?
>>
>> --
>> Kostas Kalevras        Network Operations Center
>> [EMAIL PROTECTED]      National Technical University of Athens, Greece
>> Work Phone: +30 210 7721861
>> 'Go back to the shadow' Gandalf
Re: checkrad crashes radius? (was Bug - checkrad w/ Livingston)
If checkrad were changed to only output a 0 instead of the dump it currently produces when it can't connect to snmp on the NAS, I think that could possibly correct the problem. I think that radiusd only expects a 1 character response; maybe it flips when it gets 7 lines of information? Just an idea. Then again... checkrad might not be printing anything, could be just warnings from snmpget. I didn't look at it too closely, I just know that it's working and is stable now - and I can't login twice.

Adam

Kristina Pfaff-Harris said:
> On Fri, 21 Feb 2003, Alan DeKok wrote:
>
>> That's confusing as all get out. The code which runs checkrad tries
>> to kill it if checkrad doesn't respond. But it sends *checkrad* a
>> TERM signal, and doesn't send one to the RADIUS server.
>
> The weird thing is, checkrad DOES respond -- it just responds with a
> timeout, and if that weren't strange enough, checkrad appears to be
> exiting normally, that is, it's not hanging or anything.
>
>> A short-term solution is to go to the bottom of src/main/session.c,
>> and delete the 3 lines doing:
>>
>>     kill(pid, SIGTERM);
>>     sleep(1);
>>     kill(pid, SIGKILL);
>
> Heh. Any ideas on where to start looking to track down a long-term
> solution? :-)
>
> K.
Re: checkrad crashes radius? (was Bug - checkrad w/ Livingston)
Kristina Pfaff-Harris <[EMAIL PROTECTED]> wrote:
> The weird thing is, checkrad DOES respond -- it just responds with a
> timeout, and if that weren't strange enough, checkrad appears to be
> exiting normally, that is, it's not hanging or anything.

Yeah, but if it doesn't respond within 10 seconds, the code in session.c gives up, and tries to kill checkrad. If checkrad takes 30 seconds to time out, then that's bad.

> Heh. Any ideas on where to start looking to track down a long-term
> solution? :-)

Find out why the SIGTERM is getting delivered to radiusd, and not to checkrad. I think, though, that the calls to kill() in session.c should probably go away.

Alan DeKok.
Re: checkrad crashes radius? (was Bug - checkrad w/ Livingston)
On Fri, 21 Feb 2003, Alan DeKok wrote:
> That's confusing as all get out. The code which runs checkrad tries
> to kill it if checkrad doesn't respond. But it sends *checkrad* a
> TERM signal, and doesn't send one to the RADIUS server.

The weird thing is, checkrad DOES respond -- it just responds with a timeout, and if that weren't strange enough, checkrad appears to be exiting normally, that is, it's not hanging or anything.

> A short-term solution is to go to the bottom of src/main/session.c,
> and delete the 3 lines doing:
>
>     kill(pid, SIGTERM);
>     sleep(1);
>     kill(pid, SIGKILL);

Heh. Any ideas on where to start looking to track down a long-term solution? :-)

K.
Re: checkrad crashes radius? (was Bug - checkrad w/ Livingston)
Kristina Pfaff-Harris <[EMAIL PROTECTED]> wrote:
> Running 'checkrad cisco (etc)' on a certain of our ciscoes came back with
> "Timeout: No Response from IP address". When called from radiusd, this
> killed the radius daemon completely.

That's confusing as all get out. The code which runs checkrad tries to kill it if checkrad doesn't respond. But it sends *checkrad* a TERM signal, and doesn't send one to the RADIUS server.

A short-term solution is to go to the bottom of src/main/session.c, and delete the 3 lines doing:

    kill(pid, SIGTERM);
    sleep(1);
    kill(pid, SIGKILL);

Alan DeKok.
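The pattern behind those three lines, written out as an added example rather than FreeRADIUS's own session.c: fork a checkrad-style helper, wait for its single-line 0/1 answer under a deadline, and escalate TERM then KILL only to a verified child pid. The guard matters because kill(0, sig) signals the caller's whole process group and kill(-1, sig) every process the caller may signal, so a stale or unset pid would deliver the signal meant for the helper to the server. The function names, the verdict strings and the interpretation of anything other than a lone "0" or "1" as suspect (the multi-line dump and the "cheese" case from elsewhere in this thread) are this example's own choices.

```python
import os
import select
import signal
import time

# Deadline for the helper, mirroring the 10 second limit mentioned in the
# thread; the grace period before SIGKILL is shorter than session.c's sleep(1)
# purely to keep the example quick.
DEFAULT_TIMEOUT = 10.0
KILL_GRACE = 0.2


def safe_kill(pid, sig):
    """Signal exactly one child process.

    kill(0, sig) hits the caller's own process group and kill(-1, sig) every
    process the caller may signal, so a pid of 0 or less must never reach
    os.kill(): the TERM meant for the helper would land on the server itself.
    """
    if not isinstance(pid, int) or pid <= 0:
        raise ValueError(f"refusing to signal pid {pid!r}")
    os.kill(pid, sig)


def _reap_or_kill(pid):
    """Escalate TERM -> KILL on a child that is still running, then reap it."""
    done, _ = os.waitpid(pid, os.WNOHANG)
    if done:
        return
    safe_kill(pid, signal.SIGTERM)
    deadline = time.monotonic() + KILL_GRACE
    while time.monotonic() < deadline:
        done, _ = os.waitpid(pid, os.WNOHANG)
        if done:
            return
        time.sleep(0.02)
    safe_kill(pid, signal.SIGKILL)
    os.waitpid(pid, 0)


def run_checkrad(argv, timeout=DEFAULT_TIMEOUT):
    """Run argv and interpret its output the way the thread says radiusd
    expects: a single '1' (user is online) or '0' (user is offline).

    Returns 'online', 'offline', 'unknown' (anything else on stdout, such as
    a multi-line SNMP error dump), 'error' (non-zero exit) or 'timeout'.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: stdout -> pipe, then exec the helper
        os.close(rfd)
        os.dup2(wfd, 1)
        os.close(wfd)
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)

    os.close(wfd)
    chunks = []
    timed_out = False
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            timed_out = True
            break
        ready, _, _ = select.select([rfd], [], [], remaining)
        if not ready:
            timed_out = True
            break
        data = os.read(rfd, 4096)
        if not data:  # EOF: the child closed its stdout (normally by exiting)
            break
        chunks.append(data)
    os.close(rfd)

    if timed_out:
        _reap_or_kill(pid)
        return "timeout"

    _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        return "error"

    lines = b"".join(chunks).decode("utf-8", "replace").splitlines()
    # A well-behaved helper prints exactly one token; anything else is suspect.
    if len(lines) != 1 or lines[0].strip() not in ("0", "1"):
        return "unknown"
    return "online" if lines[0].strip() == "1" else "offline"
```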
Re: Setting Realm attribute based on NAS-IP-Address?
At 01:30 PM 2/21/2003 -0500, Derrik Pates wrote:
> On Fri, Feb 21, 2003 at 12:18:00PM -0600, Chris Parker wrote:
>> DEFAULT NAS-IP-Address == a.b.c.d, Proxy-To-Realm := "foobar"
>>         Fall-Through = Yes
>
> Excellent. And is this correct even though I'm not proxying, but the realm is local?

I believe it should be. You'll want to check it yourself to make sure your setup is behaving as you want.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Problem getting counter to work...
"Mike Cisar" <[EMAIL PROTECTED]> wrote: > On another note, is there a way with the counter module of making two > counters... for example one that expires on a monthly basis, another on a > daily or weekly basis. Create two instances of the 'counter' module. counter daily { ... } counter monthly { ... } Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simple, quick question re: simultaneous-use
Justin Wheeler <[EMAIL PROTECTED]> wrote:
> If checkrad is run, and returns that the user is *not* online, does it
> automatically zap them from radutmp?

Yes.

Alan DeKok.
Re: (no subject)
Manuel Sánchez Cuenca <[EMAIL PROTECTED]> wrote:
> Hello, why does freeRadius show this:
>
> rad_check_password: Found Auth-Type EAP
> rad_check_password: Found Auth-Type Local
> Warning: Found 2 auth-types on request for user 'lolo'

Because you told it to use two different kinds of authentication.

> I need the auth type to be eap, how can I do it?

List the 'eap' module AFTER the 'files' module in the 'authorize' section.

Alan DeKok.
Re: Setting Realm attribute based on NAS-IP-Address?
On Fri, Feb 21, 2003 at 12:18:00PM -0600, Chris Parker wrote:
> DEFAULT NAS-IP-Address == a.b.c.d, Proxy-To-Realm := "foobar"
>         Fall-Through = Yes

Excellent. And is this correct even though I'm not proxying, but the realm is local?

--
Derrik Pates
[EMAIL PROTECTED]
[EMAIL PROTECTED]
checkrad crashes radius? (was Bug - checkrad w/ Livingston)
A little more info. Looks like maybe an SNMP issue with checkrad?

I modified checkrad to log what it was called as from radiusd, so that I could recreate what happened when it crashed the server. When I say "(etc)" below, it's shorthand for the arguments that radiusd called checkrad with.

Running 'checkrad cisco (etc)' on a certain of our ciscoes came back with "Timeout: No Response from IP address". When called from radiusd, this killed the radius daemon completely.

Running 'checkrad livingston (etc)' on a portmaster came back with:

    SNMP Error:
    no response received
    SNMPv1_Session (remote host: "10.x.x.x" [10.x.x.x].161)
                      community: "public"
                     request ID: -361687079
                    PDU bufsize: 8000 bytes
                        timeout: 2s
                        retries: 5
                        backoff: 1)
     at /usr/local/freeradius-0.8.1/sbin/checkrad line 217
    checkrad: No SNMP answer from livingston.

When called from radiusd, this also killed the server with "Terminated." Can't find any core files.

If this is already documented, please let me know and I'll look it up. Otherwise, it seems to be fairly easily reproducible, so if anyone would like more info, I'd be glad to give it up. :-)

K.
Re: Setting Realm attribute based on NAS-IP-Address?
At 01:05 PM 2/21/2003 -0500, Derrik Pates wrote:
> I'm presently responsible for setting up a system using a combination of
> OpenLDAP, MySQL and FreeRADIUS to provide centralized RADIUS service hosting
> for some of our customers. The only problem I haven't managed to surmount so
> far is customers who are unable (or unwilling) to get their customers to use
> [user]@[realm] as their login name for the RAS servers they are using. If I
> can figure out how to force the realm to the appropriate one based on the
> NAS-IP-Address field where the realm would otherwise be NULL, I can work
> around this. Does anyone know what the best way to do this would be? If this
> can be done with a stanza in the users file that ends with 'Fall-Through =
> Yes', how should it be phrased? Thanks for your help.

    DEFAULT NAS-IP-Address == a.b.c.d, Proxy-To-Realm := "foobar"
            Fall-Through = Yes

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Setting Realm attribute based on NAS-IP-Address?
I'm presently responsible for setting up a system using a combination of OpenLDAP, MySQL and FreeRADIUS to provide centralized RADIUS service hosting for some of our customers. The only problem I haven't managed to surmount so far is customers who are unable (or unwilling) to get their customers to use [user]@[realm] as their login name for the RAS servers they are using. If I can figure out how to force the realm to the appropriate one based on the NAS-IP-Address field where the realm would otherwise be NULL, I can work around this. Does anyone know what the best way to do this would be? If this can be done with a stanza in the users file that ends with 'Fall-Through = Yes', how should it be phrased? Thanks for your help.

--
Derrik Pates
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Re: Bug - checkrad w/ Livingston
While we're on the subject, I think I might be retarded. (Again)

Thanks to Kristina, I have it running checkrad properly, however, regardless of whether it returns 2, 0, 1, -1, "cheese" .. no matter what, it gives the LOGIN OK and wipes the old session from the radutmp.

Regards,

Justin Wheeler

--
Computer programmer (n): Red-eyed mammal capable of communicating with electronics and inanimate equipment.

On Fri, 21 Feb 2003, Kristina Pfaff-Harris wrote:
> On Fri, 21 Feb 2003, Adam Fladwood wrote:
>
>> When using checkrad w/ a PM3 if the public snmp string is not set to
>> 'public' in the portmaster checkrad will timeout, not that big of an
>> issue - however, it causes the entire radius daemon to crash, saying it
>> couldn't process signal 15, and shutdowns all the child processes as well
>> as the master.
>
> For what it's worth, I've also noticed that the entire radiusd also seems
> to die if you set the nastype incorrectly as "livingston" when it's
> actually a "cisco." Haven't really looked into it, since setting the
> appropriate nastype value works around this.
>
> It seemed odd that checkrad would crash the whole server...
>
> Also, I did have to go into checkrad and manually change my community
> string from public to what we're using. I ended up setting it as
> $community_string or something towards the top of the script, and then
> replacing "public" with $community_string. I'd submit a patch, but I
> wasn't sure how to prompt for the community string in the configure stuff.
> (Maybe --with-community-string='blahblah'? as a configure option?)
>
> K.
Re: Bug - checkrad w/ Livingston
On Fri, 21 Feb 2003, Adam Fladwood wrote:
> When using checkrad w/ a PM3 if the public snmp string is not set to
> 'public' in the portmaster checkrad will timeout, not that big of an
> issue - however, it causes the entire radius daemon to crash, saying it
> couldn't process signal 15, and shutdowns all the child processes as well
> as the master.

For what it's worth, I've also noticed that the entire radiusd also seems to die if you set the nastype incorrectly as "livingston" when it's actually a "cisco." Haven't really looked into it, since setting the appropriate nastype value works around this.

It seemed odd that checkrad would crash the whole server...

Also, I did have to go into checkrad and manually change my community string from public to what we're using. I ended up setting it as $community_string or something towards the top of the script, and then replacing "public" with $community_string. I'd submit a patch, but I wasn't sure how to prompt for the community string in the configure stuff. (Maybe --with-community-string='blahblah'? as a configure option?)

K.
Bug - checkrad w/ Livingston
Just wanted to drop a message to the list about a bug that I came across, it may already have been discovered, but doing some google searches nothing came up.

When using checkrad w/ a PM3 if the public snmp string is not set to 'public' in the portmaster checkrad will timeout, not that big of an issue - however, it causes the entire radius daemon to crash, saying it couldn't process signal 15, and shutdowns all the child processes as well as the master.

Version: 0.8.1

Take care,
Adam
Re: FreeRadius on AIX 4.3.3
"Jacob C. Vann" <[EMAIL PROTECTED]> wrote: > I have been trying unsuccessfully to install FreeRadius version 0.8 on a > an IBM box running AIX 4.3.3. AIX is... interesting. It's like Unix if you squint, but it's not like Unix when you try to do anything useful. > ltdl.c:161: `malloc' undeclared here (not in a function) That file includes , which defines malloc(). If that doesn't work on AIX, then AIX is seriously broken. You will run into other issues, too. AIX doesn't implement POSIX semaphores, which the server currently requires. > All the warnings about malloc and free worry me, and this probably > indicates the code isn't AIX ready. I noticed AIX isn't mentioned as a > supported OS. Exactly. No developer has access to an AIX box, and people who do have AIX boxes generally aren't developers. So any AIX fixes are very difficult to make. > Is anyone porting freeradius code or are there plans to make it work > under AIX? The *hope* is to eventually make it work under AIX. The CVS snapshot should be a little better than 0.8.1, but it probably needs more work. > Thanks much! If I can't make it work under AIX, I can't use FreeRadius > with our system. Grab the latest CVS snapshot, and do: ./configure --disable-shared --without-threads make And it should *hopefully* work. Getting rid of shared libraries and threads will make it more likely that the server will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql patch for stripping NT domains from username
"Doug Yeager" <[EMAIL PROTECTED]> wrote: > *** rlm_sql.c.orig Fri Feb 21 06:53:52 2003 > --- rlm_sql.c Fri Feb 21 06:54:02 2003 ... > + > + /* > + * strip and translate usernames. > + */ > + static int stripMSdomain_escape_func(char *out, int outlen, const char > *in) Why? rlm_preprocess already does this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Problem getting counter to work...
>> syntax still fails (allows the user to log in regardless of the
>> counter) with the same error in the logs of
>
> Why do you need both? The counter module will send back a
> Reply-Message if the user is over quota

I don't need both to work, as I said your fix solves my immediate needs. However since both syntaxes are documented as being valid I thought I might be able to be of some sort of assistance to the authors in troubleshooting why it doesn't work (if it turns out that it isn't a configuration related issue which is preventing it from working).

On another note, is there a way with the counter module of making two counters... for example one that expires on a monthly basis, another on a daily or weekly basis. I see there is the possibility of doing it with the SQL counter, but since we don't use SQL for our accounting I don't believe that is an option.

Cheers,
> Mike <
Re: Expiration of prepaid cards
Hi Eric,

I'm not sure if this is what you're looking for or if it's the best way to do it, but the following setup allows a user to authenticate for a predetermined time from first usage, i.e. if I set the time period to be 24hrs then a scratch card is valid for 24hrs from first usage.

In the "radcheck" mysql table:

    Max-All-Session := 86400

sqlcounter.conf contains:

    sqlcounter noresetsqlcounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName='%{%k}' ORDER BY AcctStartTime LIMIT 1"
    }

From: Eric <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Expiration of prepaid cards
Date: Fri, 21 Feb 2003 09:41:02 +0500

> Hello,
>
> I need to make special prepaid cards, which will expire after 2 months of usage. Can anyone help me to write this module for sqlcounter?
>
> Thanks!!!
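To show what that noresetsqlcounter block does with real accounting rows, here is an added emulation (example code, not rlm_sqlcounter's own) that runs the same first-session query against an in-memory SQLite radacct table and applies the counter check the way the debug output earlier on this page shows it: accept while check minus counter is greater than zero, reply with Session-Timeout = check minus counter, and never raise an existing Session-Timeout. MySQL's UNIX_TIMESTAMP() is rewritten as SQLite's strftime('%s'), the clock is bound as a parameter so results are reproducible, and the table columns and sample rows are constructed for the example.

```python
import sqlite3

MAX_ALL_SESSION = 86400  # radcheck: Max-All-Session := 86400 (24h from first use)

# The post's query with MySQL's UNIX_TIMESTAMP() replaced by SQLite's
# strftime('%s'), the user name bound as a parameter instead of being
# interpolated through %{%k}, and 'now' bound too so runs are reproducible.
FIRST_USE_QUERY = """
SELECT CAST(strftime('%s', ?) AS INTEGER) - CAST(strftime('%s', AcctStartTime) AS INTEGER)
FROM radacct
WHERE UserName = ?
ORDER BY AcctStartTime
LIMIT 1
"""


def build_radacct(rows):
    """Create an in-memory radacct table with just the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT, AcctSessionTime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def counter_value(conn, username, now):
    """Seconds elapsed since the user's earliest session, or 0 for a card that
    has never been used (an empty result counts as a zero counter)."""
    row = conn.execute(FIRST_USE_QUERY, (now, username)).fetchone()
    return 0 if row is None or row[0] is None else int(row[0])


def authorize(conn, username, now, check=MAX_ALL_SESSION, existing_session_timeout=None):
    """Apply the counter check for one Access-Request.

    Returns ('reject', None) once the counter has used up the check value,
    otherwise ('accept', session_timeout) where session_timeout is the
    remaining allowance, capped by any Session-Timeout already in the reply.
    """
    counter = counter_value(conn, username, now)
    remaining = check - counter
    if remaining <= 0:
        return ("reject", None)
    if existing_session_timeout is not None and existing_session_timeout < remaining:
        remaining = existing_session_timeout
    return ("accept", remaining)


# Constructed sample data: card0001 was first used at 10:00 on 21 Feb 2003
# and again that evening; card0002 has never been used.
SAMPLE_ROWS = [
    ("card0001", "2003-02-21 10:00:00", 3600),
    ("card0001", "2003-02-21 20:00:00", 1800),
]
```

Because the query keys on the earliest AcctStartTime rather than on accumulated AcctSessionTime, the card expires 24 hours after first use whether or not it is online for all of that time, which is exactly the scratch-card semantics the post asks for.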
Re: rlm_ldap in solaris
i have tried, but seems the rlm_ldap still failed although i pass it in the 1st time configure, so i separate the step to do

Brian

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: "radius" <[EMAIL PROTECTED]>
Sent: Friday, February 21, 2003 11:47 PM
Subject: Re: rlm_ldap in solaris

> On Fri, 21 Feb 2003, Brian Leung wrote:
>
>> Today, i finally compile the ldap module of freeradius in solaris platform successfully.
>> I hope the following steps can help:
>>
>> 1. install openssl in to /usr/local
>>    cd /usr/local/src/openssl
>>    ./config --prefix=/usr/local
>> 2. install openldap into /usr/local/openldap
>> 3. install freeradius
>>    cd /usr/local/src/freeradius
>>    ./configure --prefix=/usr/local/radiusd
>>    Note: in this stage, you will still find that the rlm_ldap can't be compiled successfully, but don't give up
>> 4. compile the freeradius ldap module now
>>    cd /usr/local/src/freeradius/src/modules/rlm_ldap
>>    ./configure --prefix=/usr/local/radiusd --with-rlm-ldap-lib-dir=/usr/local/openldap/lib --with-rlm-ldap-include-dir=/usr/local/openldap/include
>>    you will find that you should not have any "Failure" appear
>>    make
>>    make install
>> 5. Finally, you will find the rlm_ldap lib will go to /usr/local/radiusd/lib
>>
>> Brian
>
> Sorry but why don't you just pass the --with-rlm-ldap* options in the first
> configure run?
>
> --
> Kostas Kalevras        Network Operations Center
> [EMAIL PROTECTED]      National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Re: Single LDAP, different attributes
> On Fri, 21 Feb 2003, Joseph Raviele wrote:
>
> > I commented out the files lines because I kept getting errors. When I looked
> > up the error on the mailing list, it said the solution was to comment the
> > line out. Is the rest of the config, as far as autztype, correct?
>
> I think so but you NEED the files module somewhere (in the end) in the authorize
> section.

Good call. I moved the files line after the autztype statements, but it still didn't work. I modified the users file by adding an Auth-Type statement that follows, and everything worked. Thanks for all of the help.

users:

DEFAULT NAS-IP-Address == 10.x.x.x, Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP
        Fall-Through = No
EAP-MD5 and Win XP !!
I don't understand Win XP! When I activate MD5-Challenge in the properties of my network card, nothing happens! But if I activate PEAP, it answers to the NAS but my FreeRadius server, and I want EAP-MD5 challenge! So, can anybody explain to me why nothing happens with MD5-Challenge?

thanks!
Re: rlm_ldap in solaris
On Fri, 21 Feb 2003, Brian Leung wrote:

> Today, i finally compile the ldap module of freeradius in solaris platform
> successfully.
> I hope the following steps can help:
>
> 1. install openssl in to /usr/local
>    cd /usr/local/src/openssl
>    ./config --prefix=/usr/local
> 2. install openldap into /usr/local/openldap
> 3. install freeradius
>    cd /usr/local/src/freeradius
>    ./configure --prefix=/usr/local/radiusd
>    Note: in this stage, you will still find that the rlm_ldap can't be compiled
>    successfully, but don't give up
> 4. compile the freeradius ldap module now
>    cd /usr/local/src/freeradius/src/modules/rlm_ldap
>    ./configure --prefix=/usr/local/radiusd --with-rlm-ldap-lib-dir=/usr/local/openldap/lib --with-rlm-ldap-include-dir=/usr/local/openldap/include
>    you will find that you should not have any "Failure" appear
>    make
>    make install
> 5. Finally, you will find the rlm_ldap lib will go to /usr/local/radiusd/lib
>
> Brian

Sorry but why don't you just pass the --with-rlm-ldap* options in the first
configure run?
Simple, quick question re: simultaneous-use
If checkrad is run, and returns that the user is *not* online, does it automatically zap them from radutmp?

Thanks,

Justin Wheeler
[EMAIL PROTECTED]
Re: Single LDAP, different attributes
On Fri, 21 Feb 2003, Joseph Raviele wrote:

> I commented out the files lines because I kept getting errors. When I looked
> up the error on the mailing list, it said the solution was to comment the
> line out. Is the rest of the config, as far as autztype, correct?

I think so but you NEED the files module somewhere (in the end) in the authorize
section.
rlm_ldap in solaris
Today, I finally compiled the ldap module of freeradius on the Solaris platform successfully. I hope the following steps can help:

1. install openssl into /usr/local
   cd /usr/local/src/openssl
   ./config --prefix=/usr/local
2. install openldap into /usr/local/openldap
3. install freeradius
   cd /usr/local/src/freeradius
   ./configure --prefix=/usr/local/radiusd
   Note: in this stage, you will still find that the rlm_ldap can't be compiled successfully, but don't give up
4. compile the freeradius ldap module now
   cd /usr/local/src/freeradius/src/modules/rlm_ldap
   ./configure --prefix=/usr/local/radiusd --with-rlm-ldap-lib-dir=/usr/local/openldap/lib --with-rlm-ldap-include-dir=/usr/local/openldap/include
   you will find that you should not have any "Failure" appear
   make
   make install
5. Finally, you will find the rlm_ldap lib will go to /usr/local/radiusd/lib

Brian
Re: Single LDAP, different attributes
I commented out the files lines because I kept getting errors. When I looked up the error on the mailing list, it said the solution was to comment the line out. Is the rest of the config, as far as autztype, correct?

> On Thu, 20 Feb 2003, Joseph Raviele wrote:
>
> Do you have the files module in the authorize section?
Re: Loaded expr ... Segmentation fault
At 10:28 AM 2/21/2003 +0100, [EMAIL PROTECTED] wrote:
> Hallo, i got problems with FreeRADIUS using MySQL. I'm using FreeRADIUS
> Version 0.8.1, for host powerpc-ibm-aix5.1.0.0, first i compiled with the
> flags --with-mysql-lib-dir=/opt/freeware/lib/mysql --with-mysql-dir=/opt/freeware
> everything worked fine, but when i tried to start the server the radiusd.log
> says "Failed to link to module 'rlm_expr': file not found". so i compiled
> with the additional flag --disable-shared. Now i get the error while debugging
>
> $ radiusd -sfxxyz -l stdout | pg
> . . .
> Module: Loaded expr
> ksh: 12926 Segmentation fault(coredump)
>
> Does anybody know what to do?

Try the latest CVS. Also, you shouldn't have to 'disable-shared' to compile the rlm_expr module. Have you tried going into that directory manually and running make?

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc. - WX *is* Wireless!
http://www.starnetwx.net  (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: sqlcounter syntaxis
At 09:54 AM 2/21/2003 +0500, Eric wrote:
> Hello,
>
> Please, can anyone show me the correct documentation about how to write new
> modules for sqlcounter. I mean queries like this:
>
> SELECT SUM(AcctSessionTime - GREATEST(('%b' - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct ..
>
> or
>
> "SELECT SUM(AcctInputOctets)+SUM(AcctOutputOctets) FROM radacct WHERE UserName = '%{%k}' LIMIT 0, 30"
>
> I don't know what GREATEST means & the destination of the strange number
> following after round brackets (0 or LIMIT 0 or 30).

It will prevent the query from returning a value of < 0. Reading more about the queries at http://www.mysql.com would be suggested.

-Chris
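As an added example, not part of the thread or of rlm_sqlcounter, the same sum replayed in Python over constructed radacct rows, so the effect of GREATEST(..., 0) can be seen row by row; the WHERE clause that keeps only sessions still running at '%b' is an assumption, since the quoted query is cut off.

```python
from dataclasses import dataclass


@dataclass
class AcctRow:
    """One radacct row, constructed for the example."""
    username: str
    acct_start_time: int    # UNIX_TIMESTAMP(AcctStartTime)
    acct_session_time: int  # seconds


def used_since_reset(rows, username, reset_ts, clamp=True):
    """Replay of the sqlcounter query for one user.

    reset_ts plays the role of '%b', the start of the current counter period.
    A session that began before the reset only contributes the part of its
    duration after the reset, i.e. AcctSessionTime minus the seconds it ran
    before '%b'. GREATEST(..., 0) (clamp=True) stops a session that began
    *after* the reset from turning that subtraction into a credit.
    """
    total = 0
    for row in rows:
        if row.username != username:
            continue
        # Assumed WHERE clause (the post trims the query): only sessions that
        # were still running at or after the reset can count toward it.
        if row.acct_start_time + row.acct_session_time <= reset_ts:
            continue
        before_reset = reset_ts - row.acct_start_time
        if clamp:
            before_reset = max(before_reset, 0)   # GREATEST(..., 0)
        total += row.acct_session_time - before_reset
    return total


def over_limit(rows, username, reset_ts, max_seconds):
    """The comparison sqlcounter makes against the check item (e.g. Max-Monthly-Session)."""
    return used_since_reset(rows, username, reset_ts) >= max_seconds


RESET_TS = 1_044_057_600   # 2003-02-01 00:00:00 UTC, constructed as '%b' for a monthly reset
SAMPLE_ROWS = [
    AcctRow("eric", RESET_TS - 3600, 7200),   # straddles the reset: 3600 s count
    AcctRow("eric", RESET_TS + 1000, 600),    # after the reset: all 600 s count
    AcctRow("eric", RESET_TS - 5000, 1000),   # ended before the reset: excluded
    AcctRow("bob", RESET_TS + 50, 9000),      # other user: ignored
]
```

Without the clamp the second row would be credited the 1000 s between the reset and its start, which is the "< 0" value Chris refers to.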
Re: Expiration of prepaid cards
At 09:41 AM 2/21/2003 +0500, Eric wrote:
> Hello,
>
> I need to make special prepaid cards, which will expire after 2 months of
> usage. Can anyone help me to write this module for sqlcounter?

If you want them to expire after a certain date, then you don't want sqlcounter. sqlcounter is useful if you want to expire after a certain amount of usage. For expiring after a certain date in time, simply create an entry with a Check-Item of 'Expiration' attribute in your users file/sql store/etc.

-Chris
RE: Problem getting counter to work...
On Thu, 20 Feb 2003, Mike Cisar wrote:

> Thanks Kostas,
>
> I had just uncommented the existing counter lines in the sample radiusd.conf
> file not stopping to think that the sample might have them in the wrong
> order.
>
> I have moved the counter module down to the bottom of the list and this
> seems to have (at least partially) solved the problem. I can now get the
> counter working using the
>
> test    Max-Monthly-Session := 120
>         Fall-Through = yes
>
> syntax, which solves my immediate problem THANKS! However, the
>
> test    Monthly-Session-Time > 120, Auth-Type = Reject
>         Reply-Message = "Monthly time limit exceeded."
>
> syntax still fails (allows the user to log in regardless of the counter)
> with the same error in the logs of

Why do you need both? The counter module will send back a Reply-Message if the
user is over quota.

> rlm_counter: Entering module authorize code
> rlm_counter: Could not find Check item value pair
> modcall[authorize]: module "counter" returns noop
>
> Is there anything else in the configuration I should be checking to enable
> it to work with that other syntax as well? Or failing that, anything I can
> do to help the authors troubleshoot why it doesn't.
>
> Cheers,
>
> Mike
>
> > -----Original Message-----
> > So you have the files module *after* the counter module. How
> > will the counter module find the check item
> > (Max-Monthly-Session)? As it is clearly stated in the sample
> > radiusd.conf:
> >
> >   # The module should be added in the instantiate,
> >   # authorize and
> >   # accounting sections. Make sure that in the authorize
> >   # section it comes after any module which sets the
> >   # 'check-name' attribute.
> >
> > Make sure you do the above.
Re: Single LDAP, different attributes
On Thu, 20 Feb 2003, Joseph Raviele wrote:

> Thanks, for the response, but still no luck. I'm not sure if I'm just
> exhausted and missing something basic, or just some newbie mistake. I admit
> I don't understand the whole autztype thing. Here are my files:
>
> users:
> DEFAULT NAS-IP-Address == 10.x.x.x, Autz-Type := VPN_LDAP
>         Fall-Through = Yes
>
> DEFAULT Service-Type == Framed-User
>         Ascend-Assign-IP-Pool = 1,
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 1524,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> radiusd.conf:
> [omitted]
>
> ldap VPN_LDAP {
>         server = "ldap.mydomain.com"
>         basedn = "o=mydomain.com"
>         filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(x121address=yes))"
>
> ldap Dial_LDAP {
>         server = "ldap.mydomain.com"
>         basedn = "o=mydomain.com"
>         filter = "(uid=%u)"
> [omitted]
> authorize {
>         autztype VPN_LDAP {
>                 VPN_LDAP
>         }
>         autztype Dial_LDAP {
>                 Dial_LDAP
>         }
> }

Do you have the files module in the authorize section?

> [omitted]
> authenticate {
>         authtype VPN_LDAP {
>                 VPN_LDAP
>         }
>         authtype Dial_LDAP {
>                 Dial_LDAP
>         }
> }
>
> I have tried several combinations to get the autztype to work. The documents
> I was able to find on it have conflicting info...
>
> Thanks again,
>
> - joe
>
> > > I am currently running FreeRadius 0.8.1 on RedHat 8.0. I have it working
> > > to authenticate any user against an iPlanet LDAP server, if the username
> > > and password are right it returns an accept and the user is all set. What I
> > > would like to do is tie our 2 Cisco VPN servers into this using a
> > > pre-existing LDAP attribute. Any user with the proper name and password gets
> > > dial in access, but only users with "x121address=yes" (generic pre-existing
> > > attribute we chose) get VPN access. I have read through the mail list
> > > archives, searched on the web and tried all of the suggested different ways
> > > and none of them seem to work. I have tried multiple instances of ldap, one
> > > with the attribute and one without. I have tried using autz-type. Is it
> > > possible for someone a little more knowledgeable to point me in the right
> > > direction. It seems as though it should just work with a few small changes
> > > to the radiusd.conf and users file. Thanks in advance for your time and
> > > help.
> > >
> > > - Joe
> >
> > users file:
> >
> > DEFAULT NAS-IP-Address == My.VPN.Server.Ip, Autz-Type := VPN_LDAP
> >
> > ldap VPN_LDAP {
> > [...]
> > filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(x121address=yes))"
> > }
> >
> > blah blah blah
Re: New RedBack Attributes.
21-Feb-03 at 08:49, Chris Parker ([EMAIL PROTECTED]) wrote :
> At 01:06 AM 2/21/2003 +, Miquel van Smoorenburg wrote:
>
> Gotta love changing horses mid-stream.

Clients do it all the time. This is just vendor revenge :)

--
[--Partly Cloudy in Rabat, 18°C/64°F. Wind: SW strength 7. Humidity: 64%-]
It's amazing how some people can put their foot in their mouth with their head so far up their ass.
[Linux user 170823|XML Weather-www.interceptvector.com|.sig-vim/mutt/perl]
Re: RADIUS +
21-Feb-03 at 08:46, Chris Parker ([EMAIL PROTECTED]) wrote :
> At 06:20 PM 2/20/2003 -0600, [EMAIL PROTECTED] wrote:
>
> The FreeRADIUS server is written in C. What specifically are you trying to
> do. It's not clear how/what you need to interact with your RADIUS server.
>
> More information on what you are attempting is needed before we can make
> any suggestions.

If you want your application to authenticate against Radius, then you just need it to respect the radius client specification in the RFCs, or find a radius client and borrow from it. E.g. you will open a socket to the radius server, send it a correctly formatted packet, wait for a response, and parse that response in your application.
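An added example, not from the list or from FreeRADIUS, of the client exchange just described, written against RFC 2865 in Python: it builds a PAP Access-Request, hides the password under the shared secret, and checks the Response Authenticator before trusting a reply. The secret, user name and NAS address are constructed; send_access_request is the only part that needs a live server.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                 # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18  # attribute types
RADIUS_AUTH_PORT = 1812

def _pw_xor(data, secret, authenticator, decrypt):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous hidden block);
    # the first block uses MD5(secret + Request Authenticator).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(b ^ k for b, k in zip(block, key))
        prev = block if decrypt else xored
        out += xored
    return out

def hide_password(password, secret, authenticator):
    """Client side: NUL-pad to a multiple of 16 bytes, then chain-XOR."""
    return _pw_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)

def reveal_password(hidden, secret, authenticator):
    """Server side inverse; trailing NULs are padding, so a password ending in NUL is lost."""
    return _pw_xor(hidden, secret, authenticator, True).rstrip(b"\x00")

def encode_attrs(attrs):
    """attrs is a list of (type, value bytes); each becomes Type(1) Length(1) Value."""
    body = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        body += struct.pack("!BB", atype, len(value) + 2) + value
    return body

def build_access_request(secret, username, password, nas_ip, ident, authenticator=None):
    """Client side. The Request Authenticator must be unpredictable (RFC 2865 3),
    so it comes from os.urandom unless a test passes a fixed one."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return head + authenticator + body, authenticator

def parse_packet(data):
    """Returns (code, ident, authenticator, [(type, value), ...]); every length
    field is checked before it is trusted, so hostile input raises ValueError."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def build_response(code, ident, request_authenticator, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body

def verify_response(data, request_authenticator, secret, ident):
    """Client side: a reply counts only if it parses, its ID matches our request and
    its Response Authenticator recomputes under our secret (else forged or corrupt)."""
    try:
        _code, resp_ident, resp_auth, _attrs = parse_packet(data)
    except ValueError:
        return False
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request_authenticator + data[20:length] + secret).digest()
    return resp_ident == ident and hmac.compare_digest(expected, resp_auth)

def send_access_request(server, secret, username, password, nas_ip, timeout=3.0):
    """The exchange end to end: open a UDP socket, send, wait, parse and verify.
    Returns ACCESS_ACCEPT or ACCESS_REJECT, or None on timeout or a bad reply."""
    ident = os.urandom(1)[0]
    packet, authenticator = build_access_request(secret, username, password, nas_ip, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, RADIUS_AUTH_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if not verify_response(reply, authenticator, secret, ident):
        return None
    return parse_packet(reply)[0]
```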
Re: New RedBack Attributes.
At 01:06 AM 2/21/2003 +, Miquel van Smoorenburg wrote:
> In article <1045770571.29271.28.camel@lxmt>,
> Eduardo Roldan <[EMAIL PROTECTED]> wrote:
> >Some FR developer can include these new redback attributes as described
> >in the 'AOS Configuration Guide Release 5.0'?
> >
> >ATTRIBUTE Acct_Dyn_Ac_Ent 141 string Redback
> >ATTRIBUTE Session_Error_Code 142 integer Redback
> >ATTRIBUTE Session_Error_Msg 143 string Redback
>
> The redback dictionary should be cleaned up since the latest (PDF)
> docs from redback don't use "_" anymore but the standard "-",
> that is the attribute is not spelled Session_Error_Code but
> rather as Session-Error-Code

Gotta love changing horses mid-stream.

I think the best way is to add the '-' entries at the top of the file but leave the '_' entries at the bottom. That way, users who already have specified the '_' format in their users/sql/ldap etc. won't be broken, but the preferred format will be the '-'. I'll poke at the dictionary now to make that change.

-Chris
Re: RADIUS +
At 06:20 PM 2/20/2003 -0600, [EMAIL PROTECTED] wrote:
> Hi
>
> I was wondering how to write some applications which can interact with my
> RADIUS server. I envision that this application will determine the policy
> for the RADIUS to authenticate/reject a user.
>
> I have freeradius 0.7 with userbase in LDAP.
>
> Is it possible? If yes, where in RADIUS will my application have to interact?
> And which language is best for this?

The FreeRADIUS server is written in C. What specifically are you trying to do? It's not clear how/what you need to interact with your RADIUS server.

More information on what you are attempting is needed before we can make any suggestions.

-Chris
Re: New RedBack Attributes.
On Thu, 2003-02-20 at 22:06, Miquel van Smoorenburg wrote:
> In article <1045770571.29271.28.camel@lxmt>,
> Eduardo Roldan <[EMAIL PROTECTED]> wrote:
>
> The redback dictionary should be cleaned up since the latest (PDF)
> docs from redback don't use "_" anymore but the standard "-",
> that is the attribute is not spelled Session_Error_Code but
> rather as Session-Error-Code
>
> Mike

You are right. Is somebody doing this? I could do it and send the file to some developer if it saves me the hassle of modifying this file at every new release installed.

Another issue with Redback is the absence of a checkrad 'function' for this equipment. AOS 5.0 has SNMP capabilities that could make the trick easier for checkrad. Anyway, I have a function that works for me in AOS 3 and 5 using the telnet interface; does somebody want to/can somebody see this and maybe check it in to the CVS tree?

--
Eduardo Roldan <[EMAIL PROTECTED]>
Multitel
rlm_sql patch for stripping NT domains from username
*** rlm_sql.c.orig Fri Feb 21 06:53:52 2003 --- rlm_sql.c Fri Feb 21 06:54:02 2003 *** *** 224,229 --- 224,283 *out = '\0'; return len; } + + /* + * strip and translate usernames. + */ + static int stripMSdomain_escape_func(char *out, int outlen, const char *in) + { + int len = 0; + int lentmp=0; + char tmp[MAX_STRING_LEN]; + + tmp[0]=0; + if (strrchr(in, '\\')) { + strcpy(tmp, strrchr(in, '\\') + 1); + } else { + strcpy(tmp, in); + } + + + while (tmp[lentmp]) { + /* + * Only one byte left. + */ + if (outlen <= 1) { + break; + } + + /* + * Non-printable characters get replaced with their + * mime-encoded equivalents. + */ + if ((tmp[lentmp] < 32) || + strchr("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/", tmp[lentmp]) == NULL) { + snprintf(out, outlen, "=%02X", (unsigned char) tmp[lentmp]); + out += 3; + outlen -= 3; + len += 3; + lentmp++; + continue; + } + + /* + * Else it's a nice character. + */ + *out = tmp[lentmp]; + out++; + outlen--; + len++; + lentmp++; + } + + *out = '\0'; + return len; + } + /* * Set the SQl user name. */ *** *** 240,246 if (username != NULL) { strNcpy(tmpuser, username, MAX_STRING_LEN); } else if (strlen(inst->config->query_user)) { ! radius_xlat(tmpuser, sizeof(tmpuser), inst->config->query_user, request, sql_escape_func); } else { return 0; } --- 294,300 if (username != NULL) { strNcpy(tmpuser, username, MAX_STRING_LEN); } else if (strlen(inst->config->query_user)) { ! radius_xlat(tmpuser, sizeof(tmpuser), inst->config->query_user, request, stripMSdomain_escape_func); } else { return 0; }
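Review bot: In the first hunk (stripMSdomain_escape_func), both `strcpy(tmp, strrchr(in, '\\') + 1)` and `strcpy(tmp, in)` copy the incoming user name into the fixed `char tmp[MAX_STRING_LEN]` with no length check, so a User-Name longer than MAX_STRING_LEN overruns the stack buffer before any escaping happens; use `strNcpy(tmp, ..., sizeof(tmp))`, which this file already uses a few lines later, and call `strrchr` once instead of twice. In the same loop the guard is `if (outlen <= 1) break;`, but the `=%02X` branch then writes three bytes and does `out += 3; outlen -= 3;` unconditionally, so when only two or three bytes remain `snprintf` truncates, `out` is advanced past the end of the output buffer and the final `*out = '\0';` lands out of bounds; check `outlen <= 3` before taking that branch (the untouched escape code above it has the same pattern and deserves the same fix).

Review bot: In the second hunk (240,246 / 294,300) the domain strip only applies in the `else if` branch where `query_user` is expanded through `radius_xlat`; when `username != NULL` the `strNcpy(tmpuser, username, MAX_STRING_LEN)` path keeps `DOMAIN\user` as-is, so the two call paths now produce different SQL user names for the same request. Either strip in both branches or, better, make the new escape function selectable through a module configuration option instead of replacing `sql_escape_func` for every rlm_sql instance, and document the option with the rest of the rlm_sql settings.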
(no subject)
Hello, why does freeRadius show this:

rad_check_password: Found Auth-Type EAP
rad_check_password: Found Auth-Type Local
Warning: Found 2 auth-types on request for user 'lolo'
auth: type Local

The file radiusd.conf contains:

authorize {
        #
        # The preprocess module takes care of sanitizing some bizarre
        # attributes in the request, and turning them into attributes
        # which are more standard.
        #
        # It takes care of processing the 'raddb/hints' and the
        # 'raddb/huntgroups' files.
        #
        # It also adds a Client-IP-Address attribute to the request.
        preprocess

        #
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        chap

        # If the users are logging in with an MS-CHAP-Challenge
        # attribute for authentication, the mschap module will find
        # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        # to the request, which will cause the server to then use
        # the mschap module for authentication.
        mschap

#       counter
#       attr_filter
        eap
        suffix
        files
#       etc_smbpasswd

        # The ldap module will set Auth-Type to LDAP if it has not already been set
#       ldap
}

I need the Auth-Type to be EAP; how can I do it?
RSA key generation problem
Hi,

I am in the process of installing freeradius-0.8.1 on a Solaris 7 machine. I've installed OpenSSL (snapshot and main release) successfully. Freeradius also installs without any major problems. But when I run the server, it exits with the following error message:

Fri Feb 21 08:57:42 2003 : Error: rlm_eap_tls: Couldn't set RSA key
Fri Feb 21 08:57:42 2003 : Error: rlm_eap: Failed to initialize the type tls
Fri Feb 21 08:57:42 2003 : Error: radiusd.conf[572]: eap: Module instantiation failed.

I've tried the genrsa command from the command line and it works fine. Has anyone experienced this problem before? Any leads will be greatly appreciated.

Regards,
Nadeem

Nadeem Akhtar
Centre for Comm. Systems Research
University of Surrey
Guildford, Surrey GU2 7XH
United Kingdom
Tel (CCSR): 01483-683605
Loaded expr ... Segmentation fault
Hallo, I got problems with FreeRADIUS using MySQL. I'm using FreeRADIUS Version 0.8.1, for host powerpc-ibm-aix5.1.0.0. First I compiled with the flags

  --with-mysql-lib-dir=/opt/freeware/lib/mysql --with-mysql-dir=/opt/freeware

Everything worked fine, but when I tried to start the server the radiusd.log says "Failed to link to module 'rlm_expr': file not found". So I compiled with the additional flag --disable-shared. Now I get the error while debugging:

$ radiusd -sfxxyz -l stdout | pg
. . .
Module: Loaded expr
ksh: 12926 Segmentation fault(coredump)

Does anybody know what to do?

Thanks!