online user

2003-06-23 Thread alantu
freeradius-users
Hi all,
   In dialup-admin, it takes a long time to display the online users. Why, and how can I
change it to take less time?


thanks


alantu
[EMAIL PROTECTED]
  2003-06-24



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Questions about the += users file operator...

2003-06-23 Thread freeradius
Hi,

I'm trying to understand the semantics of the += users file operator.
I'd like to use it to select a particular DEFAULT entry based on a
locally-defined dictionary attribute, as follows...


#
# V.90 dial-up user
#
# ES-Default-ID and V90LocalUser are defined in a local dictionary
#
lerxst  Crypt-Password == "KSi8a3j4oasdi", ES-Default-ID += V90LocalUser
        Filter-Id = 7,
        Fall-Through = yes

#
# Default entry for V.90 dial-up users
#
DEFAULT ES-Default-ID == V90LocalUser
        Framed-IP-Address = 0.0.0.0,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Protocol = PPP


When I test with a users file like this, FreeRADIUS returns the reply
items from the user-specific entry, but it does not trigger the
DEFAULT entry.  If I add ES-Default-ID = V90LocalUser to the original
request, the DEFAULT entry triggers.

Am I using the += operator incorrectly?  The users(5) man page states
that the += operator "... adds the current attribute with value to the
list of configuration items."  Other documents -- notably aaa.txt --
reference the fact that radiusd builds separate lists for check items
and configure items.  Is += adding the ES-Default-ID attribute to a
list which the DEFAULT entry cannot check?

If += cannot be used this way, can anyone recommend a way of
accomplishing the same behavior?  I have users with many different
classes of service and I want to create a DEFAULT entry for each class
which the user-specific entry references when authenticating.

I'm running FreeRADIUS 0.8.1 and using a vanilla users file (i.e., no
SQL or LDAP database).  I've included below (1) my radiusd.conf (with
comments and whitespace removed for brevity), (2) my local dictionary
file, and (3) a transcript of running radiusd with -X.

Thanks!


Ken Maupin
EasyStreet Online Services



   
radiusd.conf

prefix  = /usr/local/freeradius-0.8.1
exec_prefix = ${prefix}
sysconfdir  = ${prefix}/etc
localstatedir   = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir  = /var/log/radius
raddbdir= /usr/local/etc/freeradius
radacctdir  = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file= ${logdir}/radius.log
libdir  = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time= 30
delete_blocked_requests = no
cleanup_delay   = 5
max_requests= 1024
bind_address= *
port= 0
hostname_lookups= no
allow_core_dumps= no
regular_expressions = yes
extended_expressions= yes
log_stripped_names  = no
log_auth= no
log_auth_badpass= no
log_auth_goodpass   = no
usercollide = no
lower_user  = no
lower_pass  = no
nospace_user= no
nospace_pass= no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
$INCLUDE ${confdir}/clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
files {
usersfile   = ${confdir}/users
compat  = no
}
preprocess {
huntgroups  = ${confdir}/huntgroups
hints   = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
}
instantiate {
}
authorize {
preprocess
files
}
authenticate {
}
preacct {
preprocess
files
}
accounting {
}
session {
}
post-auth {
}


   
Local dictionary

VENDOR    EasyStreet      2724

ATTRIBUTE ES-Default-ID   1   integer EasyStreet

VALUE     ES-Default-ID   V90LocalUser   1

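To see why the DEFAULT entry never fires, here is a small Python model (added here, not FreeRADIUS code) of the users-file matching that users(5) and aaa.txt describe: `==` check items are compared against the request only, while `:=` and `+=` check items always match and are copied to the separate configuration-item list, and reply items go to the reply list. Run against the two entries from the question, the `+=` value lands in the configuration list, so the DEFAULT's `==` check finds nothing in the request; putting ES-Default-ID into the request makes DEFAULT match. The parser, the dictionaries used for the lists and the skipping of password check items are simplifying assumptions of this model.

```python
import re

# Check items that the users-file comparison does not look up in the request;
# FreeRADIUS hands these to the authenticator (a simplification of this model).
PASSWORD_ATTRS = {"User-Password", "Crypt-Password", "Auth-Type"}

# "Attr op value" items, comma separated; the op alternation lists == before =.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)\s*,?')


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """An unindented line starts an entry (name plus check items); the indented
    lines that follow it carry the entry's reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": parse_items(rest), "reply": []})
        else:
            entries[-1]["reply"].extend(parse_items(line))
    return entries


def entry_matches(entry, request):
    """Compare the entry's check items against the request attributes only."""
    for attr, op, value in entry["check"]:
        if op in (":=", "+=") or attr in PASSWORD_ATTRS:
            continue                    # always matches; stored, not compared
        if attr not in request:
            return False                # no such attribute in the request
        if request[attr] != value:
            return False
    return True


def authorize(entries, request):
    """Walk the users file for one request; return (config_items, reply_items)."""
    config, reply = {}, {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if not entry_matches(entry, request):
            continue
        # Matched: := and += check items (and password items) are copied to the
        # separate configuration-item list; they are never added to the request,
        # so a later entry's == check cannot see them.
        for attr, op, value in entry["check"]:
            if op in (":=", "+=") or attr in PASSWORD_ATTRS:
                config[attr] = value
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    return config, reply


# Constructed users file, reproducing the two entries from the question.
USERS_FILE = """\
lerxst  Crypt-Password == "KSi8a3j4oasdi", ES-Default-ID += V90LocalUser
        Filter-Id = 7,
        Fall-Through = yes

DEFAULT ES-Default-ID == V90LocalUser
        Framed-IP-Address = 0.0.0.0,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Protocol = PPP
"""


def demo():
    entries = parse_users(USERS_FILE)
    # As posted: += leaves ES-Default-ID in the configuration list only, so the
    # DEFAULT entry's == check finds nothing in the request and does not fire.
    config, reply = authorize(entries, {"User-Name": "lerxst"})
    # With ES-Default-ID already present in the request, DEFAULT fires.
    _, reply_with_req = authorize(
        entries, {"User-Name": "lerxst", "ES-Default-ID": "V90LocalUser"})
    return config, reply, reply_with_req


if __name__ == "__main__":
    for label, result in zip(("config", "reply", "reply w/ request item"), demo()):
        print(label, result)
```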

   
  

RE:

2003-06-23 Thread Salvin Kumar



I have installed freeradius and now I want to dump
the accounting details into a postgres database.

How do I do that?
 
salvin


Re: LDAP and User files

2003-06-23 Thread Simon Allard
>
> Why not just do:
>
> DEFAULT   Huntgroup-Name == "VOICE", Autz-Type := "VOICE"
>
>
> ldap ldap_voice {
>   filter = "(cn=${User-Name})"
>   [...]
> }
>
> authorize{
>   autztype VOICE {
>   ldap_voice
>   }
>   [...]
> }


Excellent!

Thank You! :D



Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.




Re: LDAP and User files

2003-06-23 Thread Kostas Kalevras
On Mon, 23 Jun 2003, Simon Allard wrote:

>
> I have a small problem.
>
> Currently I have a VOIP system here which uses freeradius 0.8.1 to
> authenticate.
>
> I have a users file which contains entries like:
>
> 5551234Auth-Type := Accept, Huntgroup-Name == "VOICE"
>
> at the end of the file I have
>
>
> Unfortunately I have close to 150,000 of these entries and as you can
> imagine the users file is quite big, i.e. 10meg now. Freeradius takes a wee
> while to start.
>
>
> I currently have an LDAP database used to auth my dialup customers. I need
> a way to put the phone customers in also.
>
> I need to be able to do something like this
>
>
> DEFAULT Huntgroup-Name == "VOICE", User-Profile == "cn=${User-Name}, 
> dn=isp,dn=co,dn=nz"

Why not just do:

DEFAULT Huntgroup-Name == "VOICE", Autz-Type := "VOICE"


ldap ldap_voice {
filter = "(cn=${User-Name})"
[...]
}

authorize{
autztype VOICE {
ldap_voice
}
[...]
}

>
> If the userfile is not found in LDAP then falls back to this default
> profile which is in the users file.
>
> DEFAULT Auth-Type := Reject, Huntgroup-Name == VOICE
>
> Is that possible, if not what are my options? Bear in mind that I have to
> use LDAP, I can't convert to mysql or oracle. The aim of the game is to
> reduce the 10meg userfile down to virtually nothing.
>
>
> Thanks in Advance
> Simon Allard
>
>
> Simon Allard (Senior Tool Monkey)
> IHUG
> Ph (09) 358-5067   Email: [EMAIL PROTECTED]
>
> I'm out of my mind right now, but feel free to leave a message.
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Red Hat Linux RPM

2003-06-23 Thread Oliver Graf
On Mon, Jun 23, 2003 at 01:23:36PM -0700, Alex Chen wrote:
> If I just run ./configure and make, I am not doing anything special.
> 
> I think most people will just do that.

And the other way around: attached is my spec file. It kills ldap,
because I don't need it. And it lists very few deps (rpm will try
hard to find a few, but they won't be redhat/mandrake/suse compliant,
I think).

As you can see, this is simply the mandrake freeradius 0.8.1 spec file
tuned to my needs.

Oliver.

Summary: High-performance and highly configurable RADIUS server
URL: http://www.freeradius.org/
Name: freeradius
Version: 20030529
Release: 5
License: GPL
Group: Networking/Daemons
Packager: FreeRADIUS.org
Source0: %{name}-snapshot-%{version}.tar.gz
Source1: freeradius-logrotate.d
Patch0: freeradius-lrad_crypt.diff
Patch1: freeradius-detaillock.diff
Patch2: freeradius-gethostr.diff
Prereq: /sbin/chkconfig
BuildPreReq: libtool
# FIXME: snmpwalk, snmpget and rusers POSSIBLY needed by checkrad
Conflicts: cistron-radius
BuildRoot: %{_tmppath}/%{name}-root

%description
The FreeRADIUS Server Project is a high-performance and highly
configurable GPL'd RADIUS server. It is somewhat similar to the
Livingston 2.0 RADIUS server, but has many more features, and is much
more configurable.

%prep 
%setup -n %{name}-snapshot-%{version}
%patch0 -p0
%patch1 -p1
%patch2 -p1
rm -rf src/modules/rlm_ldap

%build
autoconf
CFLAGS="$RPM_OPT_FLAGS" \
%configure --prefix=%{_prefix} \
--localstatedir=%{_localstatedir} \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
--with-threads \
--with-thread-pool \
--with-system-libtool \
--disable-ltdl-install \
--with-ltdl-lib=/usr/lib \
--with-ltdl-include=/usr/include \
--with-gnu-ld \
--with-rlm-sql_postgresql-include-dir=/usr/include/pgsql
make

%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT/etc/{logrotate.d,pam.d,rc.d/init.d}

make install R=$RPM_BUILD_ROOT

RADDB=$RPM_BUILD_ROOT/etc/raddb
# set radiusd as default user/group
perl -i -pe 's/^#user =.*$/user = radiusd/' $RADDB/radiusd.conf
perl -i -pe 's/^#group =.*$/group = radiusd/' $RADDB/radiusd.conf
# shadow password file MUST be defined on Linux
perl -i -pe 's/#shadow =/shadow =/' $RADDB/radiusd.conf

# remove unneeded stuff
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/builddbm.8
rm -f $RPM_BUILD_ROOT%{_prefix}/sbin/rc.radiusd

cd redhat
install -m 755 rc.radiusd-redhat $RPM_BUILD_ROOT/etc/rc.d/init.d/radiusd
install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/logrotate.d/radiusd
install -m 644 radiusd-pam   $RPM_BUILD_ROOT/etc/pam.d/radius
cd ..

mkdir -p $RPM_BUILD_ROOT/var/log/radius/radacct
mkdir -p $RPM_BUILD_ROOT/var/run/radiusd

%pre
/usr/sbin/useradd -c "radiusd user" -r -s /bin/false -u 95 -d / radiusd 2>/dev/null || :

%preun
if [ "$1" = "0" ]; then
/sbin/service radiusd stop > /dev/null 2>&1
/sbin/chkconfig --del radiusd
fi

%post
/sbin/ldconfig
/sbin/chkconfig --add radiusd

# Done here to avoid messing up existing installations
for i in radius/radutmp radius/radwtmp radius/radius.log # radius/radwatch.log radius/checkrad.log
do
touch /var/log/$i
chown radiusd:radiusd /var/log/$i
chmod 600 /var/log/$i
done

%postun
if [ "$1" -ge "1" ]; then
/sbin/service radiusd condrestart >/dev/null 2>&1
fi
if [ $1 = 0 ]; then
/usr/sbin/userdel radiusd > /dev/null 2>&1 || :
fi
/sbin/ldconfig

%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%doc doc/ChangeLog doc/README* todo/ COPYRIGHT INSTALL
%config /etc/pam.d/radius
%config /etc/logrotate.d/radiusd
%config /etc/rc.d/init.d/radiusd
%config (noreplace) /etc/raddb/[a-ce-z]*
%config /etc/raddb/d*
%{_mandir}/*/*
/usr/bin/*
/usr/sbin/*
/usr/lib/*
%attr(0700,radiusd,radiusd) %dir /var/log/radius
%attr(0700,radiusd,radiusd) %dir /var/log/radius/radacct
%attr(0700,radiusd,radiusd) %dir /var/run/radiusd
%attr(0755,radiusd,radiusd) %dir /usr/share/freeradius
%attr(0644,radiusd,radiusd) /usr/share/freeradius/*

%changelog
* Wed Sep  4 2002 Marko Myllynen
- fix libtool issues for good

* Thu Aug 22 2002 Marko Myllynen
- update for 0.7/0.8

* Tue Jun 18 2002 Marko Myllynen
- run as radiusd user instead of root
- added some options for configure

* Thu Jun  6 2002 Marko Myllynen
- set noreplace for non-dictionary files in /etc/raddb

* Sun May 26 2002 Frank Cusack <[EMAIL PROTECTED]>
- move /var dirs from %%post to %%files

* Thu Feb 14 2002 Marko Myllynen
- use dir name macros in all configure options
- libtool is required only when building the package
- misc clean ups

* Wed Feb 13 2002 Marko Myllynen
- use %%{_mandir} instead of /usr/man
- rename %%postin as %%post
- clean up name/version

* Fri Jan 18 2002 Frank Cusack <[EMAIL PROTECTED]>
- remove (noreplace) for /etc/raddb/* (due to rpm bugs)

* Fri Sep 07 2001 Ivan F. Martinez <[EMAIL PROTECTED]>
- changes to make compati

Re: creating users

2003-06-23 Thread Kostas Kalevras
On Sun, 22 Jun 2003, Suresh Pinnamaneni wrote:

> Can anyone help me in creating users through the dialupadmin in freeradius?
>
> I loaded freeradius and placed the dialupadmin in /usr/local/
>
> but I am not able to create any users using this...
> radius is up and running fine without any problem... I checked this through the
> debugging mode.. and moreover I made the authorization and accounting through sql
>
> but I am not able to create sql users through freeradius.
>
> Can anyone help me in getting things done with this dialupadmin.

Double check admin.conf
Check the README and
http://kstadler.ch/index.php?topgroupid=1&subgroupid=14&groupid=11

Enable sql_debug in dialupadmin
Check your http and mysql logs.

>
> P.Suresh
> Vijayawada,
> A.P,
> India.
>
>
> Suresh.P, Vijayawada - 520 010. India. Ph : +91-866-485230 / +91-866-483111
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Red Hat Linux RPM

2003-06-23 Thread Oliver Graf
On Mon, Jun 23, 2003 at 01:23:36PM -0700, Alex Chen wrote:
> If I just run ./configure and make, I am not doing anything special.
> 
> I think most people will just do that.

Think again about dependencies. You just run configure, and autoconf
will find all those libs you have installed.

A proper RPM has to list those as dependencies and this is not always
easy. Especially for a thing like freeradius which has lots of
extensions.

And an RPM should meet all those, because you never know what system the
admin around the next corner wants to use...

Oliver.




RE: Red Hat Linux RPM

2003-06-23 Thread Alex Chen
If I just run ./configure and make, I am not doing anything special.

I think most people will just do that.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew
Schumacher
Sent: Monday, June 23, 2003 12:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Red Hat Linux RPM


Why not build it yourself... it's not hard

Also, if you are doing anything special you're going to need to build it
yourself anyway. If I gave you my binaries you would get a cvs version
that depends on psql, openldap, and other libraries.  You would be
forced to install a bunch of RPMS just to get one thing to work.

This is the reason I gave up on RPMS.  Either you get a binary that
lacks the features you want, or you get one that links against
everything, which forces you to load 25 other rpms, or you build it yourself
and get exactly what you need.

schu

Alex Chen wrote:
> Is there a pre-built package of FreeRadius for Red Hat Linux or
> do we have to build it ourselves?
>
> Alex
>


Re: RADIUS + LDAP + SSL

2003-06-23 Thread Owen DeLong
Well... Right after

rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0

is a line that says:

rlm_ldap: setting TLS mode to 1

This leads me to believe that it is trying to start TLS as well, but I could
be wrong.  I haven't read through the code carefully.
Also, I'm not sure why it's trying to bind as Usuari in the second
bind.  It looks like the bind didn't return and the module returned reject
due to timeout, so it might be that with SSL your LDAP server isn't
responding fast enough.

Owen

--On Monday, June 23, 2003 6:58 PM +0200 "Francisco Orozco/Upcnet" 
<[EMAIL PROTECTED]> wrote:

Owen,

I've got tls disabled. But I think I may have to configure something in
openSSL. Isn't it?
Thanks

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600
[EMAIL PROTECTED] wrote on 23/06/2003 16:08:35:

If you're using Port 636, you probably need to set TLS off.  I'm not
sure
starting TLS over SSL works.  Even if it does, it's kind of redundant.

Owen

--On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet"
<[EMAIL PROTECTED]> wrote:
> Hiya,
>
> Finally I've installed openSSL, but I think I'm forgetting something,
> because I can authenticate via LDAP over SSL.
>
> I've installed openSSL (openssl-0.9.7b).
> I've installed Freeradius (freeradius-0.8.1) as:
>
> tar -zxvf freeradius.tar.gz
> cd freeradius-0.8.1
> ./configure --prefix=/opt/freeradius
> make
> make install
>
> Then I configured radiusd.conf (see file below).
>
> First with port=389 (LDAP without SSL):
>
> rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90,
> length=60
> User-Name = "0010"
> User-Password = "hola123"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
> rad_lowerpair:  User-Name now '0010'
> rad_lowerpair:  User-Password now 'hola123'
> modcall: entering group authorize
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for 0010
> radius_xlat:  '(uid=0010)'
> radius_xlat:  'o=LCX'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user 0010 authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "0010" with password "hola123"
> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
> rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to
albinoni.upc.es:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user 0010 authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok
> modcall: group authtype returns ok
> Sending Access-Accept of id 90 to 127.0.0.1:32805
>
> It works great. I can authenticate without any problem.
>
> Now I'll try with LDAP over SSL, as you can see I haven't installed
any
> selfsigned o CA certificate, but I can't see any message about it.
>
> Now port=636:
>
> rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100,
> length=60
> User-Name = "0010"
> User-Password = "hola123"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
> rad_lowerpair:  User-Name now '0010'
> rad_lowerpair:  User-Password now 'hola123'
> modcall: entering group authorize
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for 0010
> radius_xlat:  '(uid=0010)'
> radius_xlat:  'o=LCX'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as / to albinoni.upc.es:636
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user 0010 authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "0010" with password "hola123"
> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to
albinoni.upc.es:636
> rlm_ldap: waiting for bind result ...
>   modcall[authenticate]: module "ldap" returns reject
> modcall: group authtype returns reject
> auth: Failed to validate the user.
> Delaying request 

Re: perl. what is differs?

2003-06-23 Thread Owen DeLong
Because to pass multiple hashes, you need to pass references instead of
the hashes themselves.  Try something more like:

print_attrs(\%RAD_REQUEST, \%RAD_REPLY, \%RAD_CHECK);

sub print_attrs
{
    my $req=shift;
    my $reply=shift;
    my $check=shift;
    # ... walk the three hashes through $req, $reply and $check here
}

Then, when you want to reference them, use something like:

	${$req}{'key'}

i.e.:
${$req}{'key'}="value";
$foo=${$req}{'key'};
etc.

Owen

--On Monday, June 23, 2003 7:15 PM +0600 [EMAIL PROTECTED] wrote:

I am trying to use perl.

I am confused.

In sub authorize I write, for debugging, something like

sub authorize
{
...
print_attrs(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
deb_print ("walk on hash RAD_REQUEST");
for $k (keys %RAD_REQUEST) {
 deb_print ("$k = $RAD_REQUEST{$k} ");
}
return $retval;
}
deb_print is
sub deb_print {
print "radius.pl: ", @_,"\n";
}
I use arguments in print_attrs

sub print_attrs {
my(%REQUEST, %REPLY, %CHECK) = @_;
logging("RAD_REQUEST: ===");
for (keys %REQUEST) {
deb_print("$_ = $REQUEST{$_} ");
}
logging("RAD_REPLY: ===");
for (keys %REPLY) {
deb_print("$_ = $REPLY{$_} ");
}
logging("RAD_CHECK: ===");
for (keys %CHECK) {
deb_print("$_ = $CHECK{$_} ");
}
}

output is:

radius.pl: RAD_REQUEST: ===
radius.pl: Service-Type = Framed-User
radius.pl: Auth-Type = MS-CHAP
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: User-Password = mike
radius.pl: MS-CHAP2-Response =
0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
radius.pl: RAD_REPLY: ===
radius.pl: RAD_CHECK: ===
radius.pl: walk on hash RAD_REQUEST
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response =
0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
The output from print_attrs looks as if there are no attributes in RAD_CHECK and both
User-Password and Auth-Type are in RAD_REQUEST, but really they are in
RAD_CHECK.


When I don't use arguments in print_attrs

sub print_attrs {
#my(%REQUEST, %REPLY, %CHECK) = @_;
.
}
then I get the following output

radius.pl: RAD_REQUEST: ===
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response =
0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
radius.pl: RAD_REPLY: ===
radius.pl: RAD_CHECK: ===
radius.pl: User-Password = mike
radius.pl: Auth-Type = MS-CHAP
radius.pl: walk on hash RAD_REQUEST
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response =
0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
Looks good - both User-Password and Auth-Type are in RAD_CHECK, in
print_attrs and in the walk on the hash.
What is the reason for such different behaviour?

Mike



Re: Red Hat Linux RPM

2003-06-23 Thread Matthew Schumacher
Why not build it yourself... it's not hard

Also, if you are doing anything special you're going to need to build it
yourself anyway. If I gave you my binaries you would get a cvs version
that depends on psql, openldap, and other libraries.  You would be
forced to install a bunch of RPMS just to get one thing to work.

This is the reason I gave up on RPMS.  Either you get a binary that
lacks the features you want, or you get one that links against
everything, which forces you to load 25 other rpms, or you build it yourself
and get exactly what you need.

schu

Alex Chen wrote:
Is there a pre-built package of FreeRadius for Red Hat Linux or
do we have to build it ourselves?
Alex



Red Hat Linux RPM

2003-06-23 Thread Alex Chen
Is there a pre-built package of FreeRadius for Red Hat Linux or
do we have to build it ourselves?

Alex



Re: RADIUS daemon performance

2003-06-23 Thread Kostas Kalevras
On Mon, 23 Jun 2003, Oleg Ustinov wrote:

>
>
> Hi there,
> does anybody have radius performance data?
> How many auth and accounting requests can be handled?

Check http://www.freeradius.org/testimonials.html

and the list archives. In any case the server performance will vary depending on
your specific setup. In general, since the server and the core modules are
multithreaded you will see quite nice performance.


>
> oleg
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: ldap + sqlcounter order loop

2003-06-23 Thread Kostas Kalevras
On Mon, 23 Jun 2003, Najeh Ben Nasrallah wrote:

>
>
> Hi all,
>  I posted a question regarding an order problem between sqlcounter and
> ldap using compare_check_item, but I got no response from anyone.
>
>
> I am posting the question again on the list. Hope I get a reply this
> time. This is my question:
>
>
> I'm using freeradius 0.8.1.
>  I've enabled ldap authorization with compare_check_item. I'm also
> using sqlcounter for authorization. My question is about the order of
> modules in the authorization section
>
>  { 
>weekcounter # check for "WEEK_QUOTA"
>...
>ldap
> }
>  gives noop for sqlcounter, because there's no check-item "WEEK_QUOTA"
>
> { ...
>   ldap
>   ...
> weekcounter
> }
>  gives authorization failed, because the "ldap compare_check_items"
> tries to match the "WEEK_QUOTA" check-item with the request items.
>
>
> What should i do ?

Use another operator (:=) for WEEK_QUOTA. Something like:

radiusweekquota: := 12000

That should make things work.

>
>
> Best regards.
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



PAM RHOST patch??

2003-06-23 Thread Sean
Does anyone have a patch that adds the PAM_RHOST credential info to
Freeradius? (pam_radius uses it.. but that doesn't help me =))

We are trying to implement freeradius but we need the RHOST stuff
passed via pam so our module can do some authentication based on hostnames
and some other information.

Honestly this is over my head as far as programming goes, but I do have a
quirky pam module I compiled on linux that will pop out the RHOST
variable that gets passed to make testing easier. If that helps =)

TIA 

Sean 






Re: static build problem in rlm_eap

2003-06-23 Thread Alan DeKok
Dave Mason <[EMAIL PROTECTED]> wrote:
> I have the June 11 CVS snapshot - maybe a little old but thought I'd mention this 
> before I forget.  In src/modules/rlm_eap/Makefile there is a line that looks like 
> this:
> 
> STATIC_OBJS += $(shell ls -1 types/rlm_eap_leap/rlm_eap_md5.a
> types/rlm_eap_md5/rlm_eap_leap.a 2>/dev/null)
> 
> Shouldn't it be
> STATIC_OBJS += $(shell ls -1 types/rlm_eap_md5/rlm_eap_md5.a
> types/rlm_eap_leap/rlm_eap_leap.a 2>/dev/null)

  Yeah, I'll fix it.

  Alan DeKok.



Re: RADIUS + LDAP + SSL

2003-06-23 Thread Francisco Orozco/Upcnet
Owen,

I've got tls disabled. But I think I may have to configure something in
openSSL. Isn't it?

Thanks

__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600

[EMAIL PROTECTED] wrote on 23/06/2003 16:08:35:

> If you're using Port 636, you probably need to set TLS off.  I'm not 
sure
> starting TLS over SSL works.  Even if it does, it's kind of redundant.
> 
> Owen
> 
> 
> --On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet" 
> <[EMAIL PROTECTED]> wrote:
> 
> > Hiya,
> >
> > Finally I've installed openSSL, but I think I'm forgetting something,
> > because I can authenticate via LDAP over SSL.
> >
> > I've installed openSSL (openssl-0.9.7b).
> > I've installed Freeradius (freeradius-0.8.1) as:
> >
> > tar -zxvf freeradius.tar.gz
> > cd freeradius-0.8.1
> > ./configure --prefix=/opt/freeradius
> > make
> > make install
> >
> > Then I configured radiusd.conf (see file below).
> >
> > First with port=389 (LDAP without SSL):
> >
> > rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90,
> > length=60
> > User-Name = "0010"
> > User-Password = "hola123"
> > NAS-IP-Address = 255.255.255.255
> > NAS-Port = 1
> > rad_lowerpair:  User-Name now '0010'
> > rad_lowerpair:  User-Password now 'hola123'
> > modcall: entering group authorize
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for 0010
> > radius_xlat:  '(uid=0010)'
> > radius_xlat:  'o=LCX'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in o=LCX, with filter (uid=0010)
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user 0010 authorized to use remote access
> > ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns ok
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type LDAP
> > auth: type "LDAP"
> > modcall: entering group authtype
> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "0010" with password "hola123"
> > rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
> > rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
> > rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to 
albinoni.upc.es:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: user 0010 authenticated succesfully
> >   modcall[authenticate]: module "ldap" returns ok
> > modcall: group authtype returns ok
> > Sending Access-Accept of id 90 to 127.0.0.1:32805
> >
> > It works great. I can authenticate without any problem.
> >
> > Now I'll try with LDAP over SSL, as you can see I haven't installed 
any
> > selfsigned o CA certificate, but I can't see any message about it.
> >
> > Now port=636:
> >
> > rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100,
> > length=60
> > User-Name = "0010"
> > User-Password = "hola123"
> > NAS-IP-Address = 255.255.255.255
> > NAS-Port = 1
> > rad_lowerpair:  User-Name now '0010'
> > rad_lowerpair:  User-Password now 'hola123'
> > modcall: entering group authorize
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for 0010
> > radius_xlat:  '(uid=0010)'
> > radius_xlat:  'o=LCX'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
> > rlm_ldap: setting TLS mode to 1
> > rlm_ldap: bind as / to albinoni.upc.es:636
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: performing search in o=LCX, with filter (uid=0010)
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user 0010 authorized to use remote access
> > ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns ok
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type LDAP
> > auth: type "LDAP"
> > modcall: entering group authtype
> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "0010" with password "hola123"
> > rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
> > rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
> > rlm_ldap: setting TLS mode to 1
> > rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
> > rlm_ldap: waiting for bind result ...
> >   modcall[authenticate]: module "ldap" returns reject
> > modcall: group authtype returns reject
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> >
> > I think RADIUS can connect to LDAP server over SSL, because it can do the
> > first filter, but when it tries to authenticate it is missing something...
> >
> > More help! :-)
> >
> >
> >
> >
> > __
> > Paco Orozco ([EMAIL PROTECTED])
> > Divisió de Telecomunicacions
> > UPCNet
> > Edifici V

static build problem in rlm_eap

2003-06-23 Thread Dave Mason
Hi,
I have the June 11 CVS snapshot - maybe a little old but thought I'd mention this 
before I forget.  In src/modules/rlm_eap/Makefile there is a line that looks like this:
STATIC_OBJS += $(shell ls -1 types/rlm_eap_leap/rlm_eap_md5.a
types/rlm_eap_md5/rlm_eap_leap.a 2>/dev/null)
Shouldn't it be
STATIC_OBJS += $(shell ls -1 types/rlm_eap_md5/rlm_eap_md5.a
types/rlm_eap_leap/rlm_eap_leap.a 2>/dev/null)
Dave



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS + LDAP + SSL

2003-06-23 Thread Owen DeLong
If you're using Port 636, you probably need to set TLS off.  I'm not sure
starting TLS over SSL works.  Even if it does, it's kind of redundant.
Owen

--On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet" 
<[EMAIL PROTECTED]> wrote:

Hiya,

Finally I've installed openSSL, but I think I'm forgetting something,
because I can authenticate via LDAP over SSL.
I've installed openSSL (openssl-0.9.7b).
I've installed Freeradius (freeradius-0.8.1) as:
tar -zxvf freeradius.tar.gz
cd freeradius-0.8.1
./configure --prefix=/opt/freeradius
make
make install
Then I configured radiusd.conf (see file below).

First with port=389 (LDAP without SSL):

rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90,
length=60
User-Name = "0010"
User-Password = "hola123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair:  User-Name now '0010'
rad_lowerpair:  User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0010
radius_xlat:  '(uid=0010)'
radius_xlat:  'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=LCX, with filter (uid=0010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 0010 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user 0010 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok
modcall: group authtype returns ok
Sending Access-Accept of id 90 to 127.0.0.1:32805
It works great. I can authenticate without any problem.

Now I'll try with LDAP over SSL, as you can see I haven't installed any
self-signed or CA certificate, but I can't see any message about it.
Now port=636:

rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100,
length=60
User-Name = "0010"
User-Password = "hola123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair:  User-Name now '0010'
rad_lowerpair:  User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0010
radius_xlat:  '(uid=0010)'
radius_xlat:  'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=LCX, with filter (uid=0010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 0010 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
I think RADIUS can connect to LDAP server over SSL, because it can do the
first filter, but when it tries to authenticate it is missing something...
More help! :-)



__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


perl. what is differs?

2003-06-23 Thread magmike
I try to use perl.


I am confused

In sub authorize I write, for debugging, something like:

sub authorize
{

...
print_attrs(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

deb_print ("walk on hash RAD_REQUEST");
for $k (keys %RAD_REQUEST) {
 deb_print ("$k = $RAD_REQUEST{$k} ");
}
return $retval;
}

deb_print is
sub deb_print {
print "radius.pl: ", @_,"\n";
}

I use arguments in print_attrs:

sub print_attrs {
my(%REQUEST, %REPLY, %CHECK) = @_;

logging("RAD_REQUEST: ===");
for (keys %REQUEST) {
deb_print("$_ = $REQUEST{$_} ");
}
logging("RAD_REPLY: ===");
for (keys %REPLY) {
deb_print("$_ = $REPLY{$_} ");
}
logging("RAD_CHECK: ===");
for (keys %CHECK) {
deb_print("$_ = $CHECK{$_} ");
}

}


output is:

radius.pl: RAD_REQUEST: ===
radius.pl: Service-Type = Framed-User
radius.pl: Auth-Type = MS-CHAP
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: User-Password = mike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
radius.pl: RAD_REPLY: ===
radius.pl: RAD_CHECK: ===

radius.pl: walk on hash RAD_REQUEST
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12

The output from print_attrs looks as if there are no attributes in RAD_CHECK, and both
User-Password and Auth-Type are in RAD_REQUEST. But really they are in RAD_CHECK.



When I don't use arguments in print_attrs:

sub print_attrs {
#my(%REQUEST, %REPLY, %CHECK) = @_;
.
}

then I get the following output:

radius.pl: RAD_REQUEST: ===
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12
radius.pl: RAD_REPLY: ===
radius.pl: RAD_CHECK: ===
radius.pl: User-Password = mike
radius.pl: Auth-Type = MS-CHAP

radius.pl: walk on hash RAD_REQUEST
radius.pl: Service-Type = Framed-User
radius.pl: Calling-Station-Id = 192.168.0.2
radius.pl: MS-CHAP-Challenge = 0x71d56b9f34d89e3db8fba365beb64b08
radius.pl: Client-IP-Address = 192.168.0.12
radius.pl: Framed-Protocol = PPP
radius.pl: User-Name = mmike
radius.pl: MS-CHAP2-Response = 0x0100e7814331bd36eafd3cfd1a646fbd3ac2000
0769c73a6a9107f13152e660efc401eafeea5e6e3aec5c18f
radius.pl: Connect-Info = 1524
radius.pl: NAS-Port = 0
radius.pl: NAS-IP-Address = 192.168.0.12

Looks good: both User-Password and Auth-Type are in RAD_CHECK, both in
print_attrs and in the walk over the hash.


What is the reason for such different behaviour?

Mike


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
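An added example, not code from the original post, showing why the call `print_attrs(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK)` reports the check items under RAD_REQUEST and nothing under RAD_CHECK, and how passing references fixes it. The three hashes are constructed sample data standing in for the %RAD_* globals that rlm_perl fills in; `print_attrs_flat` and `print_attrs_refs` are names chosen here, not names from the post or from rlm_perl.

```perl
#!/usr/bin/perl
# Added example (not from the original post). Demonstrates Perl's
# flattening of hash arguments, which is what makes the poster's
# print_attrs() misreport where User-Password and Auth-Type live.
use strict;
use warnings;

# Constructed sample attributes, standing in for the rlm_perl globals.
my %RAD_REQUEST = (
    'User-Name'    => 'mmike',
    'Service-Type' => 'Framed-User',
    'NAS-Port'     => 0,
);
my %RAD_REPLY = ();
my %RAD_CHECK = (
    'User-Password' => 'mike',
    'Auth-Type'     => 'MS-CHAP',
);

sub deb_print {
    print "radius.pl: ", @_, "\n";
}

# The poster's signature. Every hash passed to a sub is flattened into a
# plain list of key/value pairs, so @_ holds all three hashes end to end.
# In the list assignment the first hash (%REQUEST) swallows every pair
# that remains, leaving %REPLY and %CHECK empty. Returns the key counts.
sub print_attrs_flat {
    my (%REQUEST, %REPLY, %CHECK) = @_;
    return (scalar(keys %REQUEST), scalar(keys %REPLY), scalar(keys %CHECK));
}

# The fix: pass hash references, so each argument keeps its identity.
# Prints each list the way the poster's logging does and returns the counts.
sub print_attrs_refs {
    my ($request, $reply, $check) = @_;
    for my $pair (['RAD_REQUEST', $request], ['RAD_REPLY', $reply], ['RAD_CHECK', $check]) {
        my ($name, $href) = @$pair;
        deb_print("$name: ===");
        for my $k (sort keys %$href) {
            deb_print("$k = $href->{$k}");
        }
    }
    return (scalar(keys %$request), scalar(keys %$reply), scalar(keys %$check));
}

my @flat = print_attrs_flat(%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
deb_print("flattened call: request=$flat[0] reply=$flat[1] check=$flat[2]");

my @refs = print_attrs_refs(\%RAD_REQUEST, \%RAD_REPLY, \%RAD_CHECK);
deb_print("reference call: request=$refs[0] reply=$refs[1] check=$refs[2]");
```

Run it with `perl`. The flattened call ends with all five pairs in %REQUEST and none in %REPLY or %CHECK, which is exactly the first output in the post; the reference call keeps three, zero and two keys in their own hashes. The flattening is also silently lossy: a key present in two of the hashes is overwritten by the later one, so a debug printout built this way can never tell you which list a duplicated attribute came from. When the debug output is what you rely on to confirm that User-Password and Auth-Type ended up in the check list rather than the request, pass references (or use the %RAD_* globals directly inside the sub).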


Re: Squid - Freeradius authentication

2003-06-23 Thread Daryl Tester
Wei Ming Long wrote:

> I don't understand why Squid can't do authentication when running in
> transparent mode, can you explain it to me?

It can.  The problem is that in transparent mode the *browser* cannot
distinguish between Squid asking for authentication, or the remote
server, so if you hit a web site that performs any HTTP authentication
you're effectively hosed.


-- 
Regards,
  Daryl Tester,  Software Wrangler and Bit Herder, IOCANE Pty. Ltd.

SCO Rep:  "Linux must die!  We shall prevail!"
Offsider: "Bill, they can see your shirt sleeve."
  -- http://ars.userfriendly.org/cartoons/?id=20030609

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: digest configuration

2003-06-23 Thread Oliver Graf
On Mon, Jun 23, 2003 at 02:41:15PM +0200, yacine rebahi wrote:
> Thanks, I am using the latest cvs snapshot, however, the server 
> generates the error :
> error reading dictionary.invalid keyword "ATTRIB_NMC"

Be sure to use the dictionaries that come with the latest cvs snapshot.

Oliver.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: digest configuration

2003-06-23 Thread yacine rebahi




Thanks, I am using the latest cvs snapshot, however, the server generates
the error :
error reading dictionary.invalid keyword "ATTRIB_NMC"

Alan DeKok wrote:

> yacine rebahi <[EMAIL PROTECTED]> wrote:
>> Can anyone give a hint about how to configure freeradius to support
>> digest authentication. it is not possible to link to the rlm_digest module.
>
> Nonsense.
>
> The latest CVS snapshot comes configured to automatically do digest
> authentication.
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RADIUS daemon performance

2003-06-23 Thread Oleg Ustinov
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi there,
Does anybody have RADIUS performance data?
How many auth and accounting requests can be handled?

oleg
-BEGIN PGP SIGNATURE-
Version: PGP 8.0

iQA/AwUBPvbZxszLGGLKlEfaEQIVswCfce0JoaUmWetMXP3dO1oCYnN/yjgAn2Zm
1RzoJnlqiN48mdprOt8kkMMF
=s7rr
-END PGP SIGNATURE-



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access-Reject problem.

2003-06-23 Thread Genoud Richard
Well... I downloaded the latest nightly CVS snapshot and the problem is gone.
The access-reject is sent one second after the access-request.
Genoud Richard wrote:
Hi!
I use freeradius 0.8.1.
I've configured freeradius with a reject_delay of one second.
I send an access-request for a bad user with ntradping (time-out 15 sec,
only one attempt).

With ethereal, I get:
time 0 : source 10.0.9.192 access request id 7
and nothing else...
If I send another access-request:
time 20 : source 10.0.9.192 access request id 8
time 20 : source 10.0.9.192 access reject id 7
The access-reject corresponding to the 1st access-request is sent...

Weird, isn't it?
Is there something I missed?
Here's the log:
rad_recv: Access-Request packet from host 10.0.9.192:61007, id=7, length=44
Thread 5 assigned request 45
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.
Thread 5 handling request 45, (8 handled so far)
User-Name = "toto"
User-Password = "titi"
modcall: entering group authorize
radius_xlat:  'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket 
id: 0
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'toto' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (SQL1): Pairs do not match for user [toto]
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Released sql socket id: 0
  modcall[authorize]: module "SQL1" returns notfound
  modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns notfound
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 45 for 1 seconds
Finished request 45
Going to the next request
Thread 5 waiting to be assigned a request

rad_recv: Access-Request packet from host 10.0.9.192:61008, id=8, length=44
Thread 1 assigned request 46
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 10.0.9.192:61007
Cleaning up request 45 ID 7 with timestamp 3ef30d3c
Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 46, (9 handled so far)
User-Name = "toto"
User-Password = "titi"
modcall: entering group authorize
radius_xlat:  'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket 
id: 0
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'toto' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = 'toto' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,use

RADIUS + LDAP + SSL

2003-06-23 Thread Francisco Orozco/Upcnet
Hiya,

Finally I've installed openSSL, but I think I'm forgetting something, 
because I can authenticate via LDAP over SSL.

I've installed openSSL (openssl-0.9.7b).
I've installed Freeradius (freeradius-0.8.1) as:

tar -zxvf freeradius.tar.gz
cd freeradius-0.8.1
./configure --prefix=/opt/freeradius
make
make install

Then I configured radiusd.conf (see file below).

First with port=389 (LDAP without SSL):

rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90, 
length=60
User-Name = "0010"
User-Password = "hola123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair:  User-Name now '0010'
rad_lowerpair:  User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0010
radius_xlat:  '(uid=0010)'
radius_xlat:  'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=LCX, with filter (uid=0010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 0010 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user 0010 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok
modcall: group authtype returns ok
Sending Access-Accept of id 90 to 127.0.0.1:32805

It works great. I can authenticate without any problem. 

Now I'll try with LDAP over SSL, as you can see I haven't installed any
self-signed or CA certificate, but I can't see any message about it.

Now port=636:

rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100, 
length=60
User-Name = "0010"
User-Password = "hola123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair:  User-Name now '0010'
rad_lowerpair:  User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0010
radius_xlat:  '(uid=0010)'
radius_xlat:  'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=LCX, with filter (uid=0010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 0010 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

I think RADIUS can connect to LDAP server over SSL, because it can do the
first filter, but when it tries to authenticate it is missing something...

More help! :-)




__
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600

[Attachment: radiusd.conf]


Cisco SESM

2003-06-23 Thread Ronald Bruska
Hello Everybody,

Has anyone experience with a setup of Freeradius and Cisco SESM instead of
Cisco Access Registrar?
I have some questions:

- Is it possible to use Freeradius instead of Cisco Access Registrar (which
is also a RADIUS)?
- How is the performance of Freeradius for up to 20k users?
- Which vendor-specific attributes do I need?

thanks for the answers,

Ronald


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Re: EAP/TLS Setup problem

2003-06-23 Thread Jean-Guillaume LALANNE
Hi Jeson,

Thanks for your help.
I finally found the problem.
It was because I used the same name for the client and the server, and those
names were not correct on the local network (I forgot to add the domain).
You have to use names that are in the DNS...

Jean-Guillaume


- Original Message -
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:00 AM
Subject: Re: Re: Re: EAP/TLS Setup problem


Hi Jean-Guillaume,

  Sorry for delay.

  I looked through your script. The only difference between us is that I use
OpenSSL-0.9.7b. Please create the root certificate first, and then the server and
client certificates. Let's test it again.

        Jeson
[EMAIL PROTECTED]
  2003-06-23

>Hi Jason,
>
>I forgot to say that I am on a freeBSD box.
>I put in attachment the install programs, I used.
>In addition I give you the logs (when doing ./CA.clt , the
./CA.root
>and
>./CA.svr  were OK) :
>
>
>
>
>X509v3 extensions:
>X509v3 Extended Key Usage:
>TLS Web Client Authentication
>Certificate is to be certified until Jun 19 07:46:03 2004 GMT (365 days)
>Sign the certificate? [y/n]:y
>failed to update database
>TXT_DB error number 2
>No certificate matches private key
>1228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
>long:asn1_lib.c:138:unable to load certificate
>1229:error:0906D06C:PEM routines:PEM_read_bio:no start
>line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
>
>
>Thanks a lot for your help.
>
>Best Regards
>
>Jean-Guillaume
>
>
>
>- Original Message -
>From: "王志欣" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Friday, June 20, 2003 3:22 AM
>Subject: Re: Re: EAP/TLS Setup problem
>
>
>Hi Jean-Guillaume,
>
>I also follow this guide. I succeed. Please post your log information.
>
>
>   Jeson
>[EMAIL PROTECTED]
>  2003-06-20
>
>>Hi Umesh,
>>
>>I am trying to install a freeradius/EAP-TLS authentication for my
wireless
>>network (DWL 1000 AP +) by following the instructions at
>>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
>>I don't manage to create correctly the certificate ...
>>(I use openssl-0.9.7b)
>>How do you manage to do it ?
>>
>>Thanks a lot for your help,
>>
>>Best regards,
>>
>>Jean-Guillaume
>>
>>
>>- Original Message -
>>From: "Umesh" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Sent: Tuesday, June 10, 2003 8:54 AM
>>Subject: EAP/TLS Setup problem
>>
>>
>>> Hi All,
>>>
>>> I am new to FreeRadius. I am trying to setup EAP/TLS authentication. I
>>have
>>> installed OpenSSL-0.9.7b and FreeRadius 0.8.1. I followed the
>instructions
>>at
>>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run
>>>
>>> radiusd -x -A, an error occurs - Unknown value "EAP".
>>> (I have set Auth-Type=EAP in /etc/raddb/users)
>>> Any help would be appreciated.
>>>
>>> Regards,
>>> Umesh
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>>
>>
>>-
>>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>
>
>
>
>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html









-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Question about net-cards

2003-06-23 Thread Ιωάννης Α. Μπούχρας
I want to find a solution about having Net-cards. Is there a way to set up 
radius to have users with limited access time , or I need another billing 
program?

thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


(no subject)

2003-06-23 Thread Ιωάννης Α. Μπούχρας
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html