freeradius Cisco VPN 3000

2003-03-14 Thread Lars Knudsen

Hi,

I'm trying to get the above mentioned combo working.

freeradius is version: radiusd: FreeRADIUS Version 0.8.1, for host i686-pc-linux-gnu, 
built on Mar 13 2003 at 18:00:13
The Cisco is running version: Cisco Systems, Inc./VPN 3000 Concentrator Version 
3.6.7.A Feb 06 2003 23:29:48 vpn3005-3.6.7.A-k9.bin

I can get the Cisco to send authentication requests for a group to freeradius, and 
freeradius replying back to the Cisco. To get the Cisco to send the request for user 
authentication to freeradius, I understand you have to send the right attributes back 
to the Cisco [1], IPSec Authentication = RADIUS.

I include the following in my /etc/raddb/dictionary:

$INCLUDE dictionary.cisco
$INCLUDE dictionary.cisco.vpn3000

I have configured the group/users in /etc/raddb/users (and understand the security 
implications) like this:

user1   Auth-Type := Local, User-Password == passwd1
group1  Auth-Type := Local, User-Password == passwd2
        CVPN3000-IPSec-Authentication = 2

I can see the value is sent back to the Cisco, see [2], but the Cisco never asks for 
authentication of the user.
I tried with values 0..4 of the CVPN3000-IPSec-Authentication without any change in 
behaviour.

Am I doing something wrong or overlooking something simple?

Any help appreciated.

[1]: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

[2]: 
x:/etc/raddb # radiusd -A -f -s -x
Starting - reading configuration files ...
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host x.y.z.a:1296, id=1, length=100
User-Name = group1
User-Password = pass2
NAS-Port = 0
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = 80.y.243.x
Attr-201588758 = 0x0005
NAS-IP-Address = x.y.z.a
NAS-Port-Type = Virtual
rlm_chap: Could not find proper Chap-Password attribute in request
Login OK: [group1/pass2] (from client x.y.z.a port 0)
Sending Access-Accept of id 1 to x.y.z.a:1296
CVPN3000-IPSec-Authentication = 2

--
Dangaard Telecom IT A/S
Lars Knudsen
Technical Engineer
Phone:  +45 73303270 Fax: +45 73303271
E-mail: Mailto:[EMAIL PROTECTED]
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS MYSQL solve it :)

2003-03-14 Thread Travis Best
Carlo Tovazzi wrote:

try to launch ./configure in

/freeradius-0.8.1/src/modules/rlm_sql/

probably the rlm module for sql is absent

 rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
 radiusd.conf[14]: sql: Module instantiation failed.


I'm sure this part is working; the accounting is working with MySQL, just 
not auth.

--

Travis M. Best  Systems Administrator
SunQwest Internet Services
1040 Walnut St
Sunbury, PA 17801
Phone: 866-344-9509
Direct: 570-279-1746






Problem with free-radius compilation with AIX4.3

2003-03-14 Thread Jay Kumar
Hi,
I am trying to install free-radius-0.8.1. I was able to run the configure 
script with one minor correction. I then tried to do the 'make'. I am getting the 
error listed below. The problem seems to be with the declaration of an array with a 
variable size. Can anyone suggest a work-around to get past this?
Line 524 in files.c has the following declaration. maximum_proxies gets its 
value from a configured parameter and so is not a fixed value.
REALM *rr_array[maximum_proxies];

Making all in main...
gmake[3]: Entering directory `/aps/qa/radius/freeradius-0.8.1/src/main'
cc  -g -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG -I../include   -c files.c
1506-507 (W) No licenses available. Contact your program supplier to add additional 
users.  Compilation will proceed shortly.
files.c, line 524.25: 1506-195 (S) Integral constant expression with a value greater 
than zero is required.
gmake[3]: *** [files.o] Error 1
gmake[3]: Leaving directory `/aps/qa/radius/freeradius-0.8.1/src/main'
gmake[2]: *** [common] Error 1
gmake[2]: Leaving directory `/aps/qa/radius/freeradius-0.8.1/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/aps/qa/radius/freeradius-0.8.1/src'
gmake: *** [common] Error 1
make: 1254-004 The error code from the last command is 2.


Thanks
-Jay.




Simultaneous use stops working.

2003-03-14 Thread Kristina Pfaff-Harris

Okay, this is really bizarre. After a while, Simultaneous-Use just stops
working and lets people log on more than once. (I haven't figured out how
long "a while" is at the moment. Definitely overnight, possibly a couple of
hours.)  At that point, it seems to stop running checkrad -- at least,
there's not the usual delay while checkrad checks if someone is logged on:
authorization happens almost instantly.

Restarting the server makes it work again.

Has anyone seen this before, or have any ideas where I might check for
what's going on?

K.




Re: expr in sql doesn't work?

2003-03-14 Thread Alan DeKok
Dmitry Glushenok [EMAIL PROTECTED] wrote:
 I use freeradius-0.8.1 with mysql.
 In radiusd.conf expr listed in modules and in instantiate.
 In mysql at Framed-IP-Address I've put the following line:
 
 `%{expr: sql: SELECT inetipaddress FROM users.accounts WHERE username = 'glush'}`
 
 But no SELECT from users.accounts happens at processing logon.

  You didn't tell them to happen.

  The macros are documented as %{foo:...}.  You have NOT done that
with the SQL query.

  Alan DeKok.



Re: Problem with free-radius compilation with AIX4.3

2003-03-14 Thread Alan DeKok
Jay Kumar [EMAIL PROTECTED] wrote:
   I am trying to install free-radius-0.8.1. I was able to run the
 configure script with one minor correction. I then tried to do the '
 make'. I am getting the error listed below. The problem seems to be with
 the declaration of an array with a variable value. Can anyone suggest
 work-around to get past this.

  Use GCC, or grab the latest CVS snapshot.  That should work better.

  Alan DeKok.



stale logins/sessions or Simultaneous-Use behavior

2003-03-14 Thread Josh Kleensang

Is there any way (don't you love it when emails start
out that way...) to have freeradius arbitrarily kill a
session (record a session stop time and forget about it)
when another session is started with the same username?

For example:

User joefoo logs in at 13:05:00
user joefoo logs in again at 13:20:00
the server allows the second joefoo to authenticate and
gain access but terminates the first joefoo session and
gives it a stop time of 13:20:00.

This functionality is useful in an environment where one
doesn't always get the accounting stop packets but is sure
that a duplicate login won't actually happen because of
an upstream radius server/proxy.  I know that checkrad is
supposed to verify if the session is there or not but I
don't have access to the NAS servers and cannot directly 
verify the login.

It may be useful to add an option to Simultaneous-Use where
the module would allow up to the number of sessions specified
(eg 5) but upon the 6th login would kill the oldest of the
5 previous sessions.

Thanks,


Josh Kleensang
Vice President, Engineering
Lunar Gravity Networks
402-898-GRAV x 101
http://www.lunargravity.com


RE: FreeRadius, LDAP to a remote Active Directory Server

2003-03-14 Thread Ron Wahler
I found the correct configuration settings for LDAP to Active Directory in radiusd.conf.

Ldap section of radiusd.conf:

Ldap {
        identity = cn=Admin,cn=Users,dc=rovingplanet,dc=com
        password = youradminpassword
        basedn = dc=yourcompany,dc=com

        # stripped name
        filter = (SamAccountName=%U)

        or

        # full name
        filter = (SamAccountName=%u)
}

Ron Wahler

-----Original Message-----
From: Ron Wahler
Sent: Tuesday, March 11, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: FreeRadius, LDAP to a remote Active Directory Server

Has anyone integrated FreeRadius/LDAP to a Remote Active Directory Server?

I am trying to integrate the two and need some examples of radiusd.conf for the LDAP to Active Directory.

I also tried uid=ron
And [EMAIL PROTECTED]

I have no organization, just a list of users under the users directory in Active Directory.

The error that concerns me is

Tue Mar 11 08:40:06 2003 : Error: rlm_ldap: ldap_search() failed: Operations error

Anyone have a radiusd.conf that shows a good example?

Thanks,
Ron

Tue Mar 11 08:40:06 2003 : Debug: ldap_get_conn: Got Id: 0
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: closing existing LDAP connection
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: (re)connect to 10.0.0.13:389, authentication 0
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: bind as / to 10.0.0.13:389
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: waiting for bind result ...
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: performing search in dn=roncompany,dn=com, with filter (uid=ron@roncompany.com)
Tue Mar 11 08:40:06 2003 : Error: rlm_ldap: ldap_search() failed: Operations error
Tue Mar 11 08:40:06 2003 : Debug: rlm_ldap: search failed
Tue Mar 11 08:40:06 2003 : Debug: ldap_release_conn: Release Id: 0
Tue Mar 11 08:40:06 2003 : Debug: modcall[authorize]: module ldap returns fail
Tue Mar 11 08:40:06 2003 : Debug: modcall: group authorize returns fail
Tue Mar 11 08:40:06 2003 : Debug: Finished request 16
Tue Mar 11 08:40:06 2003 : Debug: Going to the next request

What is in my radiusd.conf file..

ldap {
        #server = ldap.your.domain
        server = 10.0.0.13
        #identity = cn=Administrator
        #password =
        #basedn = o=roncompany.com
        basedn = dn=roncompany,dn=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        start_tls = no

        # set this to 'yes' to use TLS encrypted connections to the
        # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
        # the ldap library.
        tls_mode = no

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        access_attr = dialupAccess

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        # password_header = {clear}
        password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{LdapUserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}


Re: Simultaneous use stops working.

2003-03-14 Thread Kristina Pfaff-Harris
On Fri, 14 Mar 2003, Kristina Pfaff-Harris wrote:

 Okay, this is really bizarre. After a while, Simultaneous-Use just stops
 working and lets people log on more than once. (I haven't figured out how
 long "a while" is at the moment. Definitely overnight, possibly a couple of
 hours.)  At that point, it seems to stop running checkrad -- at least,
 there's not the usual delay while checkrad checks if someone is logged on:
 authorization happens almost instantly.

 Restarting the server makes it work again.

Possible hint: it occurs to me that if the server can't check the database
(I'm using sql for sessions), it will possibly never actually run
checkrad?  Our MySQL server is pretty loaded, so I'm wondering if maybe
the server just can't connect to check the users online db. Can anyone
tell me where to look for a timeout of this kind? (rlm_sql_mysql?
Somewhere else?)  Or am I totally off-base here? :-)

Thanks for any hints.

K.




RE: FreeRadius, LDAP to a remote Active Directory Server

2003-03-14 Thread Ron Wahler
Small typo: dc=yourcompany, not rovingplanet.

--

I found the correct configuration settings for LDAP to Active Directory in radiusd.conf.

Ldap section of radiusd.conf:

Ldap {
        identity = cn=Admin,cn=Users,dc=yourcompany,dc=com
        password = youradminpassword
        basedn = dc=yourcompany,dc=com

        # stripped name
        filter = (SamAccountName=%U)

        or

        # full name
        filter = (SamAccountName=%u)
}

freeradius howto/need info

2003-03-14 Thread Bryan Koschmann - GKT
Hello,

I was wondering, does anyone have something like a howto to setup
freeradius with mysql? This is what I would like in the end:

freeradius authenticates users against mysql database. this includes all
default, static address, multiple logins, etc.

accounting is logged in mysql database (to see all login times, addresses,
etc).

failed login requests and other are logged to a text file. this is so I
can watch requests realtime if needed or check history as to why they were
getting denied.

keep ability to use radwho for users currently logged in. if this is
available from the database, that is fine. this also includes a radlast to
see past logins, but i'm sure that is easy to pull from the database

I'm assuming this is all fairly simplistic, but I'm coming from an older
Cistron server, and freeradius has quite a bit of extra configuration, so
I am a bit lost.

If anyone can give me a hand, or maybe send me some of their own examples
(maybe a fake user entry from the database) I would be greatly
appreciative.

Thanks in advance,

Bryan




Re: freeradius howto/need info

2003-03-14 Thread tarvid
On Friday 14 March 2003 03:19 pm, Bryan Koschmann - GKT wrote:
 Hello,

 I was wondering, does anyone have something like a howto to setup
 freeradius with mysql? This is what I would like in the end:

http://www.frontios.com/freeradius.html got me going. Once file 
authentication worked I settled for sql accounting,

but I did export an old icradius database by patching in a == operator and 
duplicating a couple of fields in the old accounting records.

There is a text to sql converter but I have never used it.

If you are desperate and will settle for less, my config notes are around 
someplace.

jim Tarvid






Re: stale logins/sessions or Simultaneous-Use behavior

2003-03-14 Thread Alan DeKok
Josh Kleensang [EMAIL PROTECTED] wrote:
 Is there any way (don't you love it when emails start
 out that way...) to have freeradius arbitrarily kill a
 session (record a session stop time and forget about it)
 when another session is started with the same username?

  Write an external script to do that.  It can be run from the server.

  Alan DeKok.

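The external script Alan suggests, for the behaviour Josh describes (allow up to a limit of open sessions per user; on the next login, force-close the oldest one with the new session's start time as its stop time), as an added example that is not FreeRADIUS code: the Session rows, the "Stale-Session" cause label and the ts() helper are assumptions, and a real script would read and update the radacct table instead of an in-memory list.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Session:
    """One radacct-style row, reduced to the columns the trimming logic needs."""
    acct_session_id: str
    username: str
    nas_ip: str
    start: datetime
    stop: Optional[datetime] = None          # None == AcctStopTime still NULL
    terminate_cause: Optional[str] = None

    @property
    def is_open(self) -> bool:
        return self.stop is None


def ts(hour: int, minute: int) -> datetime:
    """Timestamp helper for the constructed examples (one fixed day)."""
    return datetime(2003, 3, 14, hour, minute)


def open_sessions(table: List[Session], username: str) -> List[Session]:
    """Open sessions of `username`, oldest first."""
    return sorted((s for s in table if s.username == username and s.is_open),
                  key=lambda s: s.start)


def start_session(table: List[Session], new: Session, limit: int = 1) -> List[Session]:
    """Record `new` as started. If the user would then exceed `limit` open
    sessions, the oldest ones are force-closed and stamped with the new
    session's start time, so the stale row gets a stop time instead of the
    new login being rejected. Returns the sessions that were force-closed."""
    if limit < 1:
        raise ValueError("limit must be >= 1")
    active = open_sessions(table, new.username)
    excess = len(active) + 1 - limit
    victims = active[:excess] if excess > 0 else []
    for v in victims:
        v.stop = new.start
        v.terminate_cause = "Stale-Session"   # hypothetical label kept for the audit trail
    table.append(new)
    return victims


def stop_session(table: List[Session], acct_session_id: str,
                 stop_time: datetime, cause: str = "User-Request") -> Optional[Session]:
    """Apply a genuine Accounting-Stop. A session the trimmer already closed
    keeps its earlier stop time, so a late Stop packet cannot overwrite or
    reopen the record."""
    for s in table:
        if s.acct_session_id == acct_session_id:
            if s.is_open:
                s.stop = stop_time
                s.terminate_cause = cause
            return s
    return None


def joefoo_example() -> List[Session]:
    """Constructed walk-through of the 13:05 / 13:20 case from the post."""
    table: List[Session] = []
    start_session(table, Session("0001", "joefoo", "10.0.0.1", ts(13, 5)))
    start_session(table, Session("0002", "joefoo", "10.0.0.1", ts(13, 20)))
    # a late Stop for the first session arrives; it must not clobber the 13:20 stop
    stop_session(table, "0001", ts(14, 0))
    return table


if __name__ == "__main__":
    for s in joefoo_example():
        print(s)
```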


RADIUS MySql

2003-03-14 Thread Travis Best
I am trying to get radius to authenticate to MySQL and am having trouble.
Below is a copy of the log when running radiusd -x. Please help, I need to 
get this working like yesterday.

Thanks,
Travis
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = before
main: lower_pass = before
main: nospace_user = before
main: nospace_pass = before
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = passwd
Module: Instantiated pam (pam)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded SQL
sql: driver = rlm_sql_mysql
sql: server = localhost
sql: port = 
sql: login = root
sql: password = ?Tcm_Rad!
sql: radius_db = radius
sql: acct_table = radacct
sql: acct_table2 = radacct
sql: authcheck_table = radcheck
sql: authreply_table = radreply
sql: groupcheck_table = radgroupcheck
sql: groupreply_table = radgroupreply
sql: usergroup_table = usergroup
sql: nas_table = nas
sql: dict_table = dictionary
sql: sqltrace = no
sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = %{User-Name}
sql: default_user_profile = 
sql: query_on_not_found = no
sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
sql: authorize_group_check_query = SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id
sql: authorize_group_reply_query = SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id
sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
%{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND 
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = 
'%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND 
UserName = 

Re: freeradius howto/need info

2003-03-14 Thread Bryan Koschmann - GKT
On Fri, 14 Mar 2003, tarvid wrote:
|http://www.frontios.com/freeradius.html got me going. Once file
|authentication worked i settled for sql accounting
|
|but i did export an old icradius database by patching in a == operator and
|duplicating a couple of fields in the old accounting records.
|
|There is a text to sql converter but I have never used it.
|
|If you are desparate and will settle for less my config notes are around
|someplace.

Thanks for the link! I think it will give me a better basis on getting
started.

Would you be able to send me a couple rows from the database, so I can see
some real world examples (names changed to protect the customer of course
:) ) Don't worry about it if it's a hassle, I'm just trying to get a good
grasp before I dive into all this.

Thanks,

Bryan




Re: freeradius howto/need info

2003-03-14 Thread tarvid
On Friday 14 March 2003 19:33, Bryan Koschmann - GKT wrote:
 On Fri, 14 Mar 2003, tarvid wrote:
 |http://www.frontios.com/freeradius.html got me going. Once file
 |authentication worked i settled for sql accounting
 |
 |but i did export an old icradius database by patching in a == operator
 | and duplicating a couple of fields in the old accounting records.
 |
 |There is a text to sql converter but I have never used it.
 |
 |If you are desparate and will settle for less my config notes are around
 |someplace.

 Thanks for the link! I think it will give me a better basis on getting
 started.

 Would you be able to send me a couple rows from the database, so I can see
 some real world examples (names changed to protect the customer of course
 :) ) Don't worry about it if it's a hassle, I'm just trying to get a good
 grasp before I dive into all this.

 Thanks,

   Bryan


My notes are attached.
freeradius 0.8.1-1mdk configuration
This is the package generated by Oden Eriksson for the
cooker contrib library on Sun Mar 02 2003. The goal here is to
provide the information to get the package working in the
simplest manner.
clients.conf
We have four clients - two for dialins and two for testing.
The minimum default configuration would be one client -
localhost - so that the program radtest can run. The "secret"
must be known to the user of radtest.

  as5200-e1 - dialins
  as5200-e2 - dialins
  nuhorace - to enable radtest
  diva.ls.net - to enable ntradping

Each entry has the form -

client client-ip {
  secret  = radius-secret
  shortname   = client-hostname
  nastype = cisco|other|portslave
  login   = client-username
  password= client-password
}

login and password are optional and are used when RADIUS
must connect to the client via a login session for certain
operations (such as detecting simultaneous use).
radiusd.conf
I could not get the default configuration (system
authentication) to work. I downloaded, compiled and installed
the source from http://freeradius.org and got exactly the same
error.
I am not sure that all of the following are required - I was
less than methodical in my testing - but the following did make
file authentication work (reading passwords directly instead of
making system calls).

 user = root
 group = root

RADIUS must be able to read /etc/shadow for "file" (as
opposed to system) authentication to work. I will take up this
matter on the freeradius mailing list to get some insight.
sudo or chroot might be alternatives. ip access control is
inherent in freeradius (see clients.conf above).

 log_auth = yes

Enables writing requests to /var/log/radius/radius.log. We
use this file often to check for failed logins.

 log_auth_badpass = yes
 log_auth_goodpass = yes

Logging bad passwords is essential to good management.
Logging good passwords in clear text is not such a good idea
but while setting up radius it does tell you whether there was
no password or a good password (no passwords being a common
error). Obviously permissions of this file (running as root)
should be 600. Once user, group and permissions are worked out,
they should be added to msec.

 lower_user = yes
 lower_pass = yes
 nospace_user = after
 nospace_pass = after

These are convenience items of debatable merit and
security. Mixing case in passwords is good for security but the
cause of many headaches for sysadmins.

 proxy_requests  = no
 #$INCLUDE  ${confdir}/proxy.conf

There is no good reason to require proxy configuration for a
basic install. This turns it off.

   cache = yes

Essential for performance on Linux systems. This does
require a "HUP" (reload) when users are added.

   passwd = /etc/passwd
   shadow = /etc/shadow
   group = /etc/group

I think the default is adequate but I uncommented all three.
/etc/shadow has all the information required.

   sql

I added this to the accounting section after unix and before
radutmp which enabled logging to mysql and requires setting up
sql.conf.
sql.conf

   password = ""

I simply turned off the root password for sql. I only permit
root from localhost and I find this preferable to having the
root password lying around in clear text.

   sqltrace = yes

This logs every sql operation. This can be enormously
helpful in debugging more complex installations and even when
rebuilding access records.
cisco aaa
The cisco readme in freeradius is misleading and
inappropriate for simple freeradius configurations and
inadequate for complex 

Re: freeradius howto/need info

2003-03-14 Thread tarvid
On Friday 14 March 2003 19:33, Bryan Koschmann - GKT wrote:
 On Fri, 14 Mar 2003, tarvid wrote:
 |http://www.frontios.com/freeradius.html got me going. Once file
 |authentication worked i settled for sql accounting
 |
 |but i did export an old icradius database by patching in a == operator
 | and duplicating a couple of fields in the old accounting records.
 |
 |There is a text to sql converter but I have never used it.
 |
 |If you are desparate and will settle for less my config notes are around
 |someplace.

 Thanks for the link! I think it will give me a better basis on getting
 started.

 Would you be able to send me a couple rows from the database, so I can see
 some real world examples (names changed to protect the customer of course
 :) ) Don't worry about it if it's a hassle, I'm just trying to get a good
 grasp before I dive into all this.

 Thanks,

   Bryan



mysql> select * from radcheck order by username limit 10;
+------+---------------+-----------+----+---------------+
| id   | UserName      | Attribute | op | Value         |
+------+---------------+-----------+----+---------------+
| 3293 | 24th_virginia | Auth-Type | == | Crypt-Local   |
| 3294 | 24th_virginia | Password  | == | SDAZ49.6SbKeE |
| 4293 | 3swyrs        | Auth-Type | == | Crypt-Local   |
| 4294 | 3swyrs        | Password  | == | $sPrs8fiXWyhM |
| 3445 | 4reeces       | Auth-Type | == | Crypt-Local   |
| 3446 | 4reeces       | Password  | == | RAtLD.G6wNfpU |
| 3706 | aaron87       | Auth-Type | == | Crypt-Local   |
| 3707 | aaron87       | Password  | == | $sy4.P1Uto40. |
| 3081 | abransco      | Auth-Type | == | Crypt-Local   |
| 3082 | abransco      | Password  | == | XJW7.LFJYhhXk |
+------+---------------+-----------+----+---------------+

mysql> select * from radreply limit 3;
+----+-------------+-------------------+----+---------------+
| id | UserName    | Attribute         | op | Value         |
+----+-------------+-------------------+----+---------------+
| 12 | hrblock2    | Framed-IP-Address | == | 12.43.223.196 |
| 21 | waltersdrug | Framed-IP-Address | == | 12.43.223.198 |
| 19 | ford        | Framed-IP-Address | == | 12.43.223.194 |
+----+-------------+-------------------+----+---------------+

mysql> select * from radacct order by acctstarttime limit 2;
(two rows, shown one column per line because the table is 24 columns wide)

Column             | RadAcctId 1546806   | RadAcctId 1546807
-------------------+---------------------+---------------------
AcctSessionId      | 0005                | 0005
AcctUniqueId       | a932bd30c115e6ee    | 4fc67df93aa5df19
UserName           | barb                | tarvid
Realm              |                     |
NASIPAddress       | 66.242.243.1        | 66.242.243.2
NASPortId          | 9                   | 30
NASPortType        | Async               | Async
AcctStartTime      | -00-00 00:00:00     | -00-00 00:00:00
AcctStopTime       | 2003-03-09 22:43:04 | 2003-03-09 23:09:16
AcctSessionTime    | 908                 | 1219
AcctAuthentic      | RADIUS              | RADIUS
ConnectInfo_start  |                     |
ConnectInfo_stop   |                     |
AcctInputOctets    | 82565               | 140943
AcctOutputOctets   | 372259              | 1347807
CalledStationId    | 2766622040          | 2766622040
CallingStationId   |                     |
AcctTerminateCause | User-Request        | User-Request
ServiceType        | Framed-User         | Framed-User
FramedProtocol     | PPP                 | PPP
FramedIPAddress    | 66.242.243.23       | 66.242.243.73
AcctStartDelay     | 0                   | 0
AcctStopDelay      | 0                   | 0








Re: RADIUS MySql

2003-03-14 Thread Jim


On Fri, 14 Mar 2003, Travis Best wrote:

 auth: Failed to validate the user.
 Login incorrect: [test1/test1] (from client localhost port 0)

Is the user in your radcheck/radreply tables?

Jim




Re: RADIUS MySql

2003-03-14 Thread Travis Best
Jim wrote:

On Fri, 14 Mar 2003, Travis Best wrote:

 

auth: Failed to validate the user.
Login incorrect: [test1/test1] (from client localhost port 0)
   

Is the user in your radcheck/radreply tables?

Jim


The user is in radcheck but not in radreply; does it need to be 
in both?

--

Travis M. Best  Systems Administrator
SunQwest Internet Services
1040 Walnut St
Sunbury, PA 17801
Phone: 866-344-9509
Direct: 570-279-1746






Looking up clients in SQL/oracle?

2003-03-14 Thread Ryan Castellucci
I can't figure out how to get FreeRADIUS (0.8.1) to look up clients (NAS 
units) in oracle SQL. I know the schema has places for this information, 
but I'd like to be able to use it. Thanks.



Re: Looking up clients in SQL/oracle?

2003-03-14 Thread Alan DeKok
Ryan Castellucci [EMAIL PROTECTED] wrote:
 I can't figure out how to get FreeRADIUS (0.8.1) to look up clients (NAS 
 units) in oracle SQL. I know the schema has places for this information, 
 but I'd like to be able to use it. Thanks.

  The schema exists, but the server never uses it to look up clients.

  Alan DeKok.
