Re: Can rlm_expr be used with check items?

2003-07-18 Thread Alexander M. Pravking
On Fri, Jul 18, 2003 at 12:39:55PM -0400, Alan DeKok wrote:
> Tero Turtiainen <[EMAIL PROTECTED]> wrote:
> > After this discussion it seems that setting attribute values cannot
> > be done,
> 
>   SOME attributes can be set: configuration items.  Some cannot be:
> attributes in the request.

Alan, could you please describe the difference between them and put it
in the FAQ?

Something like (correct me please if it's wrong or incomplete or too
hard to understand):

Q. What are request attributes?
A. Those which were sent by a NAS to the server. Based on these
   attributes and collected config items for this user, the server
   decides what to do with this user.

Q. What are config/check items for?
A. They tell the server:
   a) to compare attributes in the request with given values (so-called
      check items), e.g. NAS-IP-Address == 127.0.0.1, NAS-Port < 64;
   b) or to do something special with this user later (so-called config
      items), e.g. Auth-Type += System, Proxy-To-Realm := "foo.com".
   "Config" and "check" are often used as synonyms here.

>   You tried to set request attributes, which CANNOT be done in the
> 'users' file.

Q. Can I use them to re-write Some-Attribute in the request?
A. No, you can't. Attributes in the request are commonly not changed.
   Try using attr_rewrite module, if you *really* need it.


-- 
Fduch M. Pravking

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
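To make the FAQ draft above concrete, here is an added example (my own toy model, not FreeRADIUS code and not Alan's or Alexander's): it parses the users-file item syntax used in the draft and evaluates the check side of one entry against a request. Check items are compared against request attributes, config items are collected for the server, and any := or += aimed at a request attribute is rejected, which is the restriction Alan describes. The set of config-item names is an assumed subset, the request contents are constructed, and the matching (one entry, no DEFAULT or Fall-Through handling, Python rather than POSIX regexes) is a simplification, not the server's own algorithm.

```python
"""Toy model of check items, config items and request attributes.

Added example, not FreeRADIUS code: the item syntax is the users-file
syntax from the FAQ draft, the matching is a deliberately simplified
re-implementation, and the request contents are constructed."""
import re

# Assumption: a small subset of the names that are config items (settings
# for the server) rather than comparisons against the request.
CONFIG_ITEMS = {"Auth-Type", "Proxy-To-Realm", "Pool-Name"}

# One 'Attribute op value' item; values may be quoted.  Longer operators
# are listed before their one-character prefixes so '==' is not read as '='.
ITEM_RE = re.compile(
    r'\s*([\w-]+)\s*(==|!=|:=|\+=|<=|>=|=~|!~|<|>|=)\s*("[^"]*"|[^\s,]+)\s*,?\s*'
)


def parse_items(text):
    """Split 'A == 1, B := "x"' into [(attr, op, value), ...]."""
    items, pos = [], 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse items at: {text[pos:]!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
        pos = m.end()
    return items


def compare(op, have, want):
    """Evaluate one check item against the value found in the request.
    Ordering operators compare as integers (NAS-Port < 64); =~ and !~ are
    regular expressions (Python syntax here, POSIX syntax in the server)."""
    if op in ("<", ">", "<=", ">="):
        a, b = int(have), int(want)
        return {"<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]
    if op == "=~":
        return re.search(want, have) is not None
    if op == "!~":
        return re.search(want, have) is None
    if op == "!=":
        return have != want
    return have == want  # '=='


def apply_entry(check_line, request):
    """Evaluate the check side of one users entry against a request.

    Returns None if any check item fails, otherwise the config items the
    entry set (:=) or added (+=).  The request is read, never written:
    a := or += aimed at a request attribute raises, which is the
    restriction Alan describes (attr_rewrite is the tool for that)."""
    config = {}
    for attr, op, value in parse_items(check_line):
        if attr in CONFIG_ITEMS:
            if op == ":=":
                config[attr] = [value]
            elif op == "+=":
                config.setdefault(attr, []).append(value)
            else:
                raise ValueError(f"config item {attr}: expected := or +=, got {op}")
            continue
        if op in (":=", "+=", "="):
            raise ValueError(f"{attr} is a request attribute; the users file cannot set it")
        if attr not in request or not compare(op, request[attr], value):
            return None
    return config


if __name__ == "__main__":
    # Constructed request, as a NAS might send it.
    request = {"User-Name": "alex", "NAS-IP-Address": "127.0.0.1", "NAS-Port": "12"}
    entry = ('NAS-IP-Address == 127.0.0.1, NAS-Port < 64, '
             'Auth-Type += System, Proxy-To-Realm := "foo.com"')
    print(apply_entry(entry, request))            # both checks pass -> config items
    print(apply_entry("NAS-Port < 10", request))  # check fails -> None
```

The same =~ path is what a users-file regex check item (for instance rejecting a User-Name that contains whitespace) relies on; the request dictionary comes out of apply_entry unchanged, which is the whole point of the FAQ's last answer.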


Reply attribute

2003-07-18 Thread Alex Chen
I tried to set the 'Session-Timeout' attribute in the access-accept
reply packet.
It works fine if the authorize section in radiusd.conf uses 'files'
and this attribute is defined in 'users', i.e. I can see the AV pair
sent back by the server.

But if I set this attribute in radreply, I do not see it being sent
in the reply even in the server debug message.

My suspicion is that the data type in the radreply of 'Value' is
varchar, while the data type for Session-Timeout is defined as
an integer in the protocol. 

How do I set this value in the DB?

In the 'users' I have

Alex    Auth-Type := Local, User-Password == "alextest"
        Service-Type := Outbound-User, Session-Timeout = 300

and in the DB I have

mysql> select * from radreply;
+----+----------+-----------------+----+---------------+
| id | UserName | Attribute       | op | Value         |
+----+----------+-----------------+----+---------------+
|  1 | Alex     | Service-Type    | := | Outbound-User |
|  2 | Alex     | Session-Timeout | := | 300           |
+----+----------+-----------------+----+---------------+
2 rows in set (0.00 sec)





RE: Cisco leap problem with pre3

2003-07-18 Thread Paul Hampson
> From: Jeremy Salch
> Sent: Saturday, 19 July 2003 7:53 AM

> I created it again and this time it showed up as follows

> Error: Discarding new request from client GDC-T1-AP1:4370 - ID: 187 due to
> live request 78
> Fri Jul 18 16:44:55 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4371 - ID: 188 due to live request 79
> Fri Jul 18 16:44:56 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4388 - ID: 205 due to live request 96
> Fri Jul 18 16:45:00 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4370 - ID: 187 due to live request 78
> Fri Jul 18 16:45:00 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4371 - ID: 188 due to live request 79
> Fri Jul 18 16:45:01 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4388 - ID: 205 due to live request 96
> Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 6151) for
> request 78
> Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 7176) for
> request 79
> Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 8201) for
> request 96

> With 3 unresponsive children

> I couldn't seem to make it happen in -X mode.  Which makes things difficult.

> What does it mean that it happens in normal mode but not in -X mode?

That it's a threading or timing problem. Try -fxxyz -l stdout (i.e. -X mode
without the -s for single threaded) and see if it happens.

If two threads deadlock, and a third hits that spot, it'll also wait
indefinitely. I would expect that the longer it runs, the more child
threads would hit that spot and stick...

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=


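The pattern Paul reads out of Jeremy's log (a worker that blocks, the AP retransmitting the same packet, the server refusing to re-process a request it still holds, then an "Unresponsive child" warning for that request) can be checked mechanically. The script below is an added example, not part of the thread or of FreeRADIUS: it parses the two message formats quoted above, correlates the retransmitted (client, packet ID) pairs with the later warnings, and reports the stuck request numbers. The sample log is constructed from the lines quoted above, re-joined where the mail client wrapped them; the function names are my own.

```python
"""Correlate FreeRADIUS 'Discarding new request ... due to live request'
errors with the later 'Unresponsive child' warnings.

Added example, not from the thread or the FreeRADIUS project.  The sample
log is constructed from the lines quoted above, re-joined where the mail
client wrapped them."""
import re

# Both messages may or may not carry the 'Fri Jul 18 16:44:55 2003 : '
# prefix (the first line Jeremy pasted has none), so it is optional.
DISCARD_RE = re.compile(
    r"^(?:(?P<ts>.+?) : )?Error: Discarding new request from client "
    r"(?P<client>.+?):(?P<port>\d+) - ID: (?P<id>\d+) due to live request (?P<req>\d+)$"
)
UNRESPONSIVE_RE = re.compile(
    r"^(?:(?P<ts>.+?) : )?Error: WARNING: Unresponsive child \(id (?P<child>\d+)\) "
    r"for request (?P<req>\d+)$"
)

# Constructed from the lines quoted in the thread.
SAMPLE_LOG = """\
Error: Discarding new request from client GDC-T1-AP1:4370 - ID: 187 due to live request 78
Fri Jul 18 16:44:55 2003 : Error: Discarding new request from client GDC-T1-AP1:4371 - ID: 188 due to live request 79
Fri Jul 18 16:44:56 2003 : Error: Discarding new request from client GDC-T1-AP1:4388 - ID: 205 due to live request 96
Fri Jul 18 16:45:00 2003 : Error: Discarding new request from client GDC-T1-AP1:4370 - ID: 187 due to live request 78
Fri Jul 18 16:45:00 2003 : Error: Discarding new request from client GDC-T1-AP1:4371 - ID: 188 due to live request 79
Fri Jul 18 16:45:01 2003 : Error: Discarding new request from client GDC-T1-AP1:4388 - ID: 205 due to live request 96
Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 6151) for request 78
Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 7176) for request 79
Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 8201) for request 96
"""


def _new_entry():
    return {"client": None, "ids": set(), "retries": 0, "child": None}


def analyze(log_text):
    """Return {live request number: summary}.  The summary records which
    NAS kept retransmitting (client), the RADIUS packet IDs it reused, how
    many duplicates the server dropped, and the worker id flagged as
    unresponsive for that request, if any."""
    stuck = {}
    for line in log_text.splitlines():
        m = DISCARD_RE.match(line)
        if m:
            entry = stuck.setdefault(int(m["req"]), _new_entry())
            entry["client"] = m["client"]
            entry["ids"].add(int(m["id"]))
            entry["retries"] += 1
            continue
        m = UNRESPONSIVE_RE.match(line)
        if m:
            entry = stuck.setdefault(int(m["req"]), _new_entry())
            entry["child"] = int(m["child"])
    return stuck


def stuck_requests(log_text):
    """Requests showing both symptoms Paul describes: a dropped retransmit
    and a worker that never finished."""
    return sorted(req for req, s in analyze(log_text).items()
                  if s["retries"] and s["child"] is not None)


if __name__ == "__main__":
    for req, s in sorted(analyze(SAMPLE_LOG).items()):
        print(f"request {req}: client={s['client']} packet-ids={sorted(s['ids'])} "
              f"dropped-retries={s['retries']} unresponsive-child={s['child']}")
    print("stuck:", stuck_requests(SAMPLE_LOG))
```

Two things worth reading off the output: each stuck request keeps a single packet ID (the AP is retransmitting, not sending new requests), and the set of stuck requests only grows over a run, which is what Paul predicts for a deadlock that more and more workers walk into.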


RE: Cisco leap problem with pre3

2003-07-18 Thread Jeremy Salch
I created it again and this time it showed up as follows


Error: Discarding new request from client GDC-T1-AP1:4370 - ID: 187 due to
live request 78
Fri Jul 18 16:44:55 2003 : Error: Discarding new request from client
GDC-T1-AP1:4371 - ID: 188 due to live request 79
Fri Jul 18 16:44:56 2003 : Error: Discarding new request from client
GDC-T1-AP1:4388 - ID: 205 due to live request 96
Fri Jul 18 16:45:00 2003 : Error: Discarding new request from client
GDC-T1-AP1:4370 - ID: 187 due to live request 78
Fri Jul 18 16:45:00 2003 : Error: Discarding new request from client
GDC-T1-AP1:4371 - ID: 188 due to live request 79
Fri Jul 18 16:45:01 2003 : Error: Discarding new request from client
GDC-T1-AP1:4388 - ID: 205 due to live request 96
Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 6151) for
request 78
Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 7176) for
request 79
Fri Jul 18 16:45:28 2003 : Error: WARNING: Unresponsive child (id 8201) for
request 96

With 3 unresponsive children


I couldn't seem to make it happen in -X mode.  Which makes things difficult.

What does it mean that it happens in normal mode but not in -X mode?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Hampson
Sent: Friday, July 18, 2003 4:42 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco leap problem with pre3 


> From: Jeremy Salch
> Sent: Saturday, 19 July 2003 7:28 AM

> Well..  Actually. I spoke too soon.  I tried running all of the 
> clients through re-authentication again.. And after
> having all 12 clients re-authenticate a couple of times in a relatively
> short time I get the following

> Fri Jul 18 16:25:21 2003 : Auth: Login OK: [dwilson] (from client 
> GDC-T1-AP1 port 37 cli 000b4625d5de) Fri Jul 18 16:25:21 2003 : Auth: 
> Login OK: [chyne] (from client GDC-T1-AP1 port 12 cli 000943e586ae)
> Fri Jul 18 16:25:21 2003 : Auth: Login OK: [jblack] (from client
GDC-T1-AP1
> port 21 cli 000af4e22599)
> Fri Jul 18 16:25:22 2003 : Auth: Login OK: [coldwell] (from client
> GDC-T1-AP1 port 20 cli 000af4e2249b)
> Fri Jul 18 16:25:25 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4251 - ID: 68 due to live request 160
> Fri Jul 18 16:25:26 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4274 - ID: 91 due to live request 183
> Fri Jul 18 16:25:30 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4251 - ID: 68 due to live request 160
> Fri Jul 18 16:25:31 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4274 - ID: 91 due to live request 183
> Fri Jul 18 16:26:40 2003 : Error: WARNING: Unresponsive child (id 8201)
for
> request 160
> Fri Jul 18 16:26:40 2003 : Error: WARNING: Unresponsive child (id 9226)
for
> request 183

Yup, there's your processes locking, as Alan said

Does it happen in -X mode? The fact that it's always two children locking
suggests a deadlock somewhere, either one inside FreeRADIUS (urgh) or
something else... If it is a deadlock, -X won't trigger it. In that case,
you'll need to use the finer-grained debugging options, and not disable
threading in the process.







RE: Cisco leap problem with pre3

2003-07-18 Thread Paul Hampson
> From: Jeremy Salch
> Sent: Saturday, 19 July 2003 7:28 AM

> Well..  Actually. I spoke too soon.  I tried running all of the clients
> through re-authentication again.. And after
> having all 12 clients re-authenticate a couple of times in a relatively
> short time I get the following

> Fri Jul 18 16:25:21 2003 : Auth: Login OK: [dwilson] (from client GDC-T1-AP1
> port 37 cli 000b4625d5de)
> Fri Jul 18 16:25:21 2003 : Auth: Login OK: [chyne] (from client GDC-T1-AP1
> port 12 cli 000943e586ae)
> Fri Jul 18 16:25:21 2003 : Auth: Login OK: [jblack] (from client GDC-T1-AP1
> port 21 cli 000af4e22599)
> Fri Jul 18 16:25:22 2003 : Auth: Login OK: [coldwell] (from client
> GDC-T1-AP1 port 20 cli 000af4e2249b)
> Fri Jul 18 16:25:25 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4251 - ID: 68 due to live request 160
> Fri Jul 18 16:25:26 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4274 - ID: 91 due to live request 183
> Fri Jul 18 16:25:30 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4251 - ID: 68 due to live request 160
> Fri Jul 18 16:25:31 2003 : Error: Discarding new request from client
> GDC-T1-AP1:4274 - ID: 91 due to live request 183
> Fri Jul 18 16:26:40 2003 : Error: WARNING: Unresponsive child (id 8201) for
> request 160
> Fri Jul 18 16:26:40 2003 : Error: WARNING: Unresponsive child (id 9226) for
> request 183

Yup, there's your processes locking, as Alan said

Does it happen in -X mode? The fact that it's always two
children locking suggests a deadlock somewhere, either
one inside FreeRADIUS (urgh) or something else... If it
is a deadlock, -X won't trigger it. In that case, you'll
need to use the finer-grained debugging options, and not
disable threading in the process.





RE: Freeradius-0.9.0-pre3 on BSDI4.3, Makefile error

2003-07-18 Thread Paul Hampson
> From: Alan DeKok
> Sent: Saturday, 19 July 2003 7:15 AM

> "Paul Hampson" <[EMAIL PROTECTED]> wrote:
> > Hmm, looking at the code and definition, that's crazy talk...
> > What _is_ line 309 of src/main/radiusd.c
> > As far as I can see, it shouldn't be looking for an sa_sigaction
> > member.

>   I don't recall if -pre3 had it fixed, but the fix will be in 0.9.0

*baps self* Sorry for the confusion. I was looking at the CVS tree
from which 0.9.0-pre3 was spawned... but not for _time_ at which
0.9.0-pre3 was spawned.





RE: rlm_ippool: No available ip addresses in pool

2003-07-18 Thread Paul Hampson
> From: Gustavo Lozano
> Sent: Saturday, 19 July 2003 6:35 AM

> The author of the module told me that like 3 months ago

Before or after April 26th when the person whom I _assume_
is the author of the module accepted a patch from me to
make netmasks of /32 work?

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ippool/rlm_ippool.c

and you're looking at revision 1.16.

Although I must say I was wrong before, the netmask _is_
used to determine what's in the IP Pool, but only to
spot network and broadcast addresses. And a /32 netmask
skips that code.



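As an added example (my own, not rlm_ippool's code), here is a small model of the pool enumeration as Paul describes it in this thread: the usable addresses run from range-start to range-stop, the netmask is consulted only to skip the network and broadcast address, and a /32 mask (no host bits) skips that check entirely. It is run over the wpool and dpool definitions quoted earlier in the thread; the function names and the reply-handling helper are my own, and the exact code path in rlm_ippool.c may differ from this model.

```python
"""Model of the rlm_ippool pool enumeration as Paul describes it in this
thread: addresses run from range-start to range-stop; the netmask is used
only to skip the network and broadcast address of each subnet, and a /32
mask (no host bits) skips that check entirely.

Added example, not rlm_ippool's own code; the pool definitions are the
wpool/dpool ones quoted in the thread."""
import ipaddress


def pool_addresses(range_start, range_stop, netmask):
    """Return the dotted-quad addresses the pool would hand out."""
    start = int(ipaddress.IPv4Address(range_start))
    stop = int(ipaddress.IPv4Address(range_stop))
    if stop < start:
        raise ValueError("range-stop is below range-start")
    host_bits = ~int(ipaddress.IPv4Address(netmask)) & 0xFFFFFFFF
    addrs = []
    for n in range(start, stop + 1):
        if host_bits:                            # /32 -> host_bits == 0, nothing skipped
            host = n & host_bits
            if host == 0 or host == host_bits:   # network or broadcast address
                continue
        addrs.append(str(ipaddress.IPv4Address(n)))
    return addrs


def add_netmask_if_missing(reply, pool_netmask):
    """Paul's other point: the configured netmask only reaches the reply as
    Framed-IP-Netmask when the reply does not already carry one."""
    out = dict(reply)
    out.setdefault("Framed-IP-Netmask", pool_netmask)
    return out


# The two pools from the thread.
POOLS = {
    "wpool": ("192.168.127.1", "192.168.127.127"),
    "dpool": ("192.168.126.160", "192.168.126.255"),
}

if __name__ == "__main__":
    for name, (start, stop) in POOLS.items():
        for mask in ("255.255.255.255", "255.255.255.128"):
            addrs = pool_addresses(start, stop, mask)
            print(f"{name} netmask {mask}: {len(addrs)} addresses, last {addrs[-1]}")
```

Under this model the 255.255.255.128 mask removes exactly one address from each quoted pool (192.168.127.127 and 192.168.126.255, the /25 broadcast addresses), while 255.255.255.255 leaves both ranges intact, so the netmask alone cannot empty a pool; what a /32 does do is let those broadcast addresses be handed out like any other.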


RE: Cisco leap problem with pre3

2003-07-18 Thread Jeremy Salch
Well..  Actually. I spoke too soon.  I tried running all of the clients
through re-authentication again.. And after
having all 12 clients re-authenticate a couple of times in a relatively
short time I get the following



Fri Jul 18 16:25:21 2003 : Auth: Login OK: [dwilson] (from client GDC-T1-AP1
port 37 cli 000b4625d5de)
Fri Jul 18 16:25:21 2003 : Auth: Login OK: [chyne] (from client GDC-T1-AP1
port 12 cli 000943e586ae)
Fri Jul 18 16:25:21 2003 : Auth: Login OK: [jblack] (from client GDC-T1-AP1
port 21 cli 000af4e22599)
Fri Jul 18 16:25:22 2003 : Auth: Login OK: [coldwell] (from client
GDC-T1-AP1 port 20 cli 000af4e2249b)
Fri Jul 18 16:25:25 2003 : Error: Discarding new request from client
GDC-T1-AP1:4251 - ID: 68 due to live request 160
Fri Jul 18 16:25:26 2003 : Error: Discarding new request from client
GDC-T1-AP1:4274 - ID: 91 due to live request 183
Fri Jul 18 16:25:30 2003 : Error: Discarding new request from client
GDC-T1-AP1:4251 - ID: 68 due to live request 160
Fri Jul 18 16:25:31 2003 : Error: Discarding new request from client
GDC-T1-AP1:4274 - ID: 91 due to live request 183
Fri Jul 18 16:26:40 2003 : Error: WARNING: Unresponsive child (id 8201) for
request 160
Fri Jul 18 16:26:40 2003 : Error: WARNING: Unresponsive child (id 9226) for
request 183

And one station wasn't able to login.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, July 18, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco leap problem with pre3 


"Jeremy Salch" <[EMAIL PROTECTED]> wrote:
> Fri Jul 18 14:33:10 2003 : Error: Discarding new request from client 
> GDC-T1-AP2:4849 - ID: 136 due to live request 88

  This has nothing to do with LEAP.

  Something is causing the server to block, and stop processing the request.
The client re-tries, and the server refuses to RE-process the same request,
because the first one isn't done...

  Find out where/why the server is stopping, and fix that.  LEAP will start
working again.

  I've been using LEAP regularly, and have had zero problems. However, I
don't run fancy DB's, files over NFS, or *anything* which could cause the
server to stop processing requests.

  Alan DeKok.





RE: Cisco leap problem with pre3

2003-07-18 Thread Jeremy Salch
I think I found the problem.

A while back I posted a message about getting an error in threads.c and I
was directed to set max_requests_per_server to 0 to bypass the error.  I
still had that setting in use.
Upon removing that setting it seems to have started working properly.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, July 18, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco leap problem with pre3 


"Jeremy Salch" <[EMAIL PROTECTED]> wrote:
> Fri Jul 18 14:33:10 2003 : Error: Discarding new request from client 
> GDC-T1-AP2:4849 - ID: 136 due to live request 88

  This has nothing to do with LEAP.

  Something is causing the server to block, and stop processing the request.
The client re-tries, and the server refuses to RE-process the same request,
because the first one isn't done...

  Find out where/why the server is stopping, and fix that.  LEAP will start
working again.

  I've been using LEAP regularly, and have had zero problems. However, I
don't run fancy DB's, files over NFS, or *anything* which could cause the
server to stop processing requests.

  Alan DeKok.





Re: Cisco leap problem with pre3

2003-07-18 Thread Alan DeKok
"Jeremy Salch" <[EMAIL PROTECTED]> wrote:
> Fri Jul 18 14:33:10 2003 : Error: Discarding new request from client
> GDC-T1-AP2:4849 - ID: 136 due to live request 88

  This has nothing to do with LEAP.

  Something is causing the server to block, and stop processing the
request.  The client re-tries, and the server refuses to RE-process
the same request, because the first one isn't done...

  Find out where/why the server is stopping, and fix that.  LEAP will
start working again.

  I've been using LEAP regularly, and have had zero problems.
However, I don't run fancy DB's, files over NFS, or *anything* which
could cause the server to stop processing requests.

  Alan DeKok.



Re: Freeradius-0.9.0-pre3 on BSDI4.3, Makefile error

2003-07-18 Thread Alan DeKok
"Paul Hampson" <[EMAIL PROTECTED]> wrote:
> Hmm, looking at the code and definition, that's crazy talk...
> What _is_ line 309 of src/main/radiusd.c
> As far as I can see, it shouldn't be looking for an sa_sigaction
> member.

  I don't recall if -pre3 had it fixed, but the fix will be in 0.9.0

  The solution was "the entire world isn't Linux".

  Alan DeKok.



RE: rlm_ippool: No available ip addresses in pool

2003-07-18 Thread Gustavo Lozano
The author of the module told me that like 3 months ago

On Fri, 2003-07-18 at 15:21, Paul Hampson wrote:
> > From: Gustavo Lozano
> > Sent: Saturday, 19 July 2003 6:03 AM
> 
> > The netmask shouldn't be /32 in the ippool configuration.
> > If you put /32 in the config the client will not connect.
> 
> Wha? It works here. Why do you say it won't work?
> 
> Surely most point-to-point connections work when they've
> got a netmask of /32, since they don't care what the address
> on the other end is, as long as they send the data there.
> 
> In fact, I'd expect a point-to-point link to ignore a
> netmask. (As opposed to a two-NIC ethernet network, which
> needs... /30. Net, you, me, broadcast.)
> 
> 
> 
-- 
Gustavo A. Lozano Noldata Corporation
[EMAIL PROTECTED]   Calle 46 No. 40-19
CTO   Bogota D.C. Colombia
Noldata Corporation   http://noldata.com

I know not with what weapons World War III will be fought,
   but World War IV will be fought with sticks and stones.
   Albert Einstein






RE: rlm_ippool: No available ip addresses in pool

2003-07-18 Thread Paul Hampson
> From: Gustavo Lozano
> Sent: Saturday, 19 July 2003 6:03 AM

> The netmask shouldn't be /32 in the ippool configuration.
> If you put /32 in the config the client will not connect.

Wha? It works here. Why do you say it won't work?

Surely most point-to-point connections work when they've
got a netmask of /32, since they don't care what the address
on the other end is, as long as they send the data there.

In fact, I'd expect a point-to-point link to ignore a
netmask. (As opposed to a two-NIC ethernet network, which
needs... /30. Net, you, me, broadcast.)





RE: Freeradius-0.9.0-pre3 on BSDI4.3, Makefile error

2003-07-18 Thread Paul Hampson
> From: Guillermo Delmastro
> Sent: Saturday, 19 July 2003 1:16 AM

> But now, after doing gmake, I get these errors:

> gmake[4]: Entering directory `/usr/local/freeradius-0.9.0-pre3/src/main'
> gcc  -g -O2 -Wall -D_GNU_SOURCE -DNDEBUG  -I../include   -c radiusd.c
> radiusd.c: In function `main':
> radiusd.c:309: structure has no member named `sa_sigaction'
These lines should only be compiled if HAVE_SIGACTION is defined...
Does src/include/autoconf.h have it as defined or undefined?

Have a look at your configure logs, and see what the result of
"checking for sigaction" was.

Maybe sigaction and co are defined differently on your system
than on the system the code was tested on...

Hmm, looking at the code and definition, that's crazy talk...
What _is_ line 309 of src/main/radiusd.c
As far as I can see, it shouldn't be looking for an sa_sigaction
member.

> radiusd.c: At top level:
> radiusd.c:106: warning: `got_child' defined but not used

This is because got_child is only used when HAVE_PTHREAD_H is defined,
so I guess its definition could also be #ifdef'd around...

> radiusd.c:117: warning: `needs_child_cleanup' defined but not used

And _this_ is used only if HAVE_PTHREAD_H or ALLOW_CHILD_FORKS
are defined.

So the last two aren't problems.





RE: rlm_ippool: No available ip addresses in pool

2003-07-18 Thread Gustavo Lozano
Paul.

You are wrong.

The netmask shouldn't be /32 in the ippool configuration.

If you put /32 in the config the client will not connect.

Regards


On Fri, 2003-07-18 at 14:35, Paul Hampson wrote:
> > From: Pierluigi Frullani
> > Sent: Friday, 18 July 2003 8:00 PM
> 
> > > modules {
> > >
> > >  ippool wpool {
> > >  session-db = ${raddbdir}/wpool-sess-db
> > >  ip-index = ${raddbdir}/wpool-idx-db
> > >  range-start = 192.168.127.1
> > >  range-stop = 192.168.127.127
> > >  netmask = 255.255.255.255
> > >  #netmask = 255.255.255.128
> > >  cache-size = 5000
> > >  }
> > >
> > >
> > >  ippool dpool {
> > >  session-db = ${raddbdir}/dpool-sess-db
> > >  ip-index = ${raddbdir}/dpool-idx-db
> > >  range-start = 192.168.126.160
> > >  range-stop = 192.168.126.255
> > >  netmask = 255.255.255.255
> > >  cache-size = 800
> > >  }
> > >
> > > So, what's wrong?
> > > Thanks for any hints!
> > If I don't get wrong, the netmask in the config is for determine the
> > address pool. So if you use the 255.255.255.255 netmask, you say to
> > rlm_ippool that you have no network. You should use a higher netmask to
> > provide some address. EG:
> > range-start = 192.168.126.160
> > range-stop = 192.168.126.255
> > netmask = 255.255.255.128
> 
> > This will inform the module that you want to use the address in the
> > network 192.168.126.128/25, starting from the .160
> 
> > I think that the 255.255.255.255 mask will lead the module to a confusion.
> 
> Actually, that's not correct. The ippool module only uses the Netmask to
> set a value if one isn't set in the packet already. The Pool range will be
> from the start value to the stop value.
> 
> Netmask of 255.255.255.255 is I would expect quite common from an ip pool,
> since people getting those IPs are probably only on a point-to-point link,
> at least when you're using a RADIUS server and not, say, DHCP to allocate
> the IPs. Unless it's a wireless network, I suppose...
> 
> 
> 






Re: Two Issues

2003-07-18 Thread Chris Brotsos
At 02:03 PM 7/18/2003, you wrote:
> My first issue, is in the users file, how do I set an attribute to equal
> something ONLY if it doesn't exist in the packet?

A DEFAULT profile.

> Secondly, with rlm_attr_filter, how do I setup multiple values to allow per
> attribute (like for Service-Type, the proxy is allowed to reply with
> Framed-User or Login-User), specifying multiple pairs doesn't work, the
> attribute is stripped from the reply. And the example of multiple values for
> a single attribute (realm tisp, about line 59) doesn't work due to syntax
> errors, and if you fix the error, by adding in the required comma, I'm back
> to square one: the attribute is stripped from the reply.

Service-Type < 3





Cisco leap problem with pre3

2003-07-18 Thread Jeremy Salch


When about 12 clients are logging in using LEAP to an AP I get this error in
the radius logfile, and at the same time on the AP I get "No EAP response
from server" and then "Failed EAP-Authentication".


Fri Jul 18 14:33:05 2003 : Auth: Login OK: [drright] (from client GDC-T1-AP2
port 13 cli 000c303ebbe0)
Fri Jul 18 14:33:06 2003 : Auth: Login OK: [mike] (from client GDC-T1-AP2
port 15 cli 000af4e22970)
Fri Jul 18 14:33:07 2003 : Auth: Login OK: [mike] (from client GDC-T1-AP2
port 15 cli 000af4e22970)
Fri Jul 18 14:33:08 2003 : Auth: Login OK: [mike] (from client GDC-T1-AP2
port 15 cli 000af4e22970)
Fri Jul 18 14:33:09 2003 : Error: Discarding new request from client
GDC-T1-AP2:4836 - ID: 123 due to live request 75
Fri Jul 18 14:33:09 2003 : Auth: Login OK: [mike] (from client GDC-T1-AP2
port 15 cli 000af4e22970)
Fri Jul 18 14:33:10 2003 : Error: Discarding new request from client
GDC-T1-AP2:4849 - ID: 136 due to live request 88
Fri Jul 18 14:33:14 2003 : Error: Discarding new request from client
GDC-T1-AP2:4836 - ID: 123 due to live request 75
Fri Jul 18 14:33:15 2003 : Error: Discarding new request from client
GDC-T1-AP2:4849 - ID: 136 due to live request 88




RE: rlm_ippool: No available ip addresses in pool

2003-07-18 Thread Paul Hampson
> From: Pierluigi Frullani
> Sent: Friday, 18 July 2003 8:00 PM

> > modules {
> >
> >  ippool wpool {
> >  session-db = ${raddbdir}/wpool-sess-db
> >  ip-index = ${raddbdir}/wpool-idx-db
> >  range-start = 192.168.127.1
> >  range-stop = 192.168.127.127
> >  netmask = 255.255.255.255
> >  #netmask = 255.255.255.128
> >  cache-size = 5000
> >  }
> >
> >
> >  ippool dpool {
> >  session-db = ${raddbdir}/dpool-sess-db
> >  ip-index = ${raddbdir}/dpool-idx-db
> >  range-start = 192.168.126.160
> >  range-stop = 192.168.126.255
> >  netmask = 255.255.255.255
> >  cache-size = 800
> >  }
> >
> > So, what's wrong?
> > Thanks for any hints!
> If I don't get wrong, the netmask in the config is for determine the
> address pool. So if you use the 255.255.255.255 netmask, you say to
> rlm_ippool that you have no network. You should use a higher netmask to
> provide some address. EG:
> range-start = 192.168.126.160
> range-stop = 192.168.126.255
> netmask = 255.255.255.128

> This will inform the module that you want to use the address in the
> network 192.168.126.128/25, starting from the .160

> I think that the 255.255.255.255 mask will lead the module to a confusion.

Actually, that's not correct. The ippool module only uses the Netmask to
set a value if one isn't set in the packet already. The Pool range will be
from the start value to the stop value.

Netmask of 255.255.255.255 is I would expect quite common from an ip pool,
since people getting those IPs are probably only on a point-to-point link,
at least when you're using a RADIUS server and not, say, DHCP to allocate
the IPs. Unless it's a wireless network, I suppose...





RE: ip problem

2003-07-18 Thread Paul Hampson
> From: labis siegfried
> Sent: Friday, 18 July 2003 5:36 PM

> my radius does not attribute any ip address although ippool was created in 
> radiusd.conf! i have the freeradius 0.9, and i have in my configuration 
> this command:
> users :
> Framed-Pool = name

I think you want that to be Pool-Name, and make sure it's a check item,
not a reply item.





Two Issues

2003-07-18 Thread Omachonu Ogali
My first issue, is in the users file, how do I set an attribute to equal
something ONLY if it doesn't exist in the packet?

Secondly, with rlm_attr_filter, how do I setup multiple values to allow per
attribute (like for Service-Type, the proxy is allowed to reply with
Framed-User or Login-User), specifying multiple pairs doesn't work, the
attribute is stripped from the reply. And the example of multiple values for
a single attribute (realm tisp, about line 59) doesn't work due to syntax
errors, and if you fix the error, by adding in the required comma, I'm back
to square one: the attribute is stripped from the reply.




Re: Can rlm_expr be used with check items?

2003-07-18 Thread Tero Turtiainen
Alan DeKok wrote:
> Tero Turtiainen <[EMAIL PROTECTED]> wrote:
> > After this discussion it seems that setting attribute values cannot
> > be done,
> 
>   SOME attributes can be set: configuration items.  Some cannot be:
> attributes in the request.
> 
>   You tried to set request attributes, which CANNOT be done in the
> 'users' file.

Ok, it seems that I will definitely have to use the patch mailed in
October to be able to use the VPI and VCI values the way I would like to.

Thank you for your patience :)
-- 
 <-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->
 <  Tero Turtiainen  |  Yes Sir, may I lick your boots or do your Highness   >
 <  [EMAIL PROTECTED]  |use dry cleaning?  - Stone   >
 <-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->




Re: Can rlm_expr be used with check items?

2003-07-18 Thread Alan DeKok
Tero Turtiainen <[EMAIL PROTECTED]> wrote:
> But the example above is so trivial that I don't think I need to try that
> one

  Your original post ALSO contained an example so trivially wrong that
there should have been no confusion over why it didn't work.

  I can't read your mind, so my suggestion was an attempt to get you
to understand *why* both examples are trivial.

> After this discussion it seems that setting attribute values cannot
> be done,

  SOME attributes can be set: configuration items.  Some cannot be:
attributes in the request.

  You tried to set request attributes, which CANNOT be done in the
'users' file.

  Alan DeKok.
  



Re: BEST PORTAL TECHNIQUE?

2003-07-18 Thread Jeromie Reeves
I use Mikrotik with a custom perl/php site my coder made for us.

Jeromie

At 04:42 PM 7/18/2003 +0100, you wrote:
Indirectly related to RADIUS. Sorry if it is not appreciated.

I need to use freeradius to authenticate hotspot customers. Which method
of adding customers' registration details to a central SQL server from a
web portal is best/most efficient? I was thinking SMTP, but I have a
feeling that there is something better.
TIA

RJS



Re: ldap whitespace patch

2003-07-18 Thread Kostas Kalevras
On Wed, 16 Jul 2003, Matthew Schumacher wrote:

> Alan,
>
> I don't know if this is something you want to include but I thought I
> would mail it to you in case you do want it.
>
> This patch causes the rlm_ldap module to reject usernames that have
> whitespace in them.  This was causing me a lot of grief because ldap was
> accepting usernames with whitespace causing the NAS to send accounting
> messages with white space.  This white space caused the Simultaneous-Use
> code to break and it also caused a lot of accounting headaches.
>
> There was also one case where a user was authenticated with more than 30
> chars of whitespace, which broke accounting when the rlm_postgres module
> went to put that username in a varchar(20) column.
>
> BTW, I can barely hack my way around C, so hopefully there isn't anything
> wrong with my code.
>
> schu
>

1. You can do the same thing with a simple regex in the users file

2. There is also the nospace_user directive in radiusd.conf

# nospace_user / nospace_pass:
#
#  Some users like to enter spaces in their username or password
#  incorrectly.  To save yourself the tech support call, you can
#  eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no


So in general I don't think there's any need for this patch...

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



BEST PORTAL TECHNIQUE?

2003-07-18 Thread Rob Simkins
Indirectly related to RADIUS. Sorry if it is not appreciated.

I need to use freeradius to authenticate hotspot customers. Which method
of adding customers' registration details to a central SQL server from a
web portal is best/most efficient? I was thinking SMTP, but I have a
feeling that there is something better.

TIA

RJS




Re: Can rlm_expr be used with check items?

2003-07-18 Thread Tero Turtiainen
Alan DeKok wrote:
> Tero Turtiainen <[EMAIL PROTECTED]> wrote:
> > >   Try:
> > > 
> > > DEFAULT NAS-Port == `%{rlm_expr: 1 + 2}`
> > > Reply-Message = "Nas port of 3",
> > > Fall-Through = 1
> > >
> > >   Send it packets containing NAS-Port of 1, 2, 3, 4, ... and see what
> > > happens.
> > 
> > I won't, it is quite obvious what happens in this case :)
> 
>   If you're not going to listen to my advice, then I don't see why I
> should waste my time trying to help you.
> 
>   Your ideas about how the server works are wrong.  My request above
> was an attempt to get you to educate yourself, so as to better
> understand how the server works.  Since you're unwilling to educate
> yourself, I suggest you stop asking questions.

I listen to your advice, after all, you are THE FreeRADIUS-guru and
authority.

But the example above is so trivial that I don't think I need to try that
one (and at the moment, I can't access my FreeRADIUS-test environment).
I *have* educated myself with FreeRADIUS to some extent, so I know that
the expression 1+2=3 and thus the entry will match any request where
NAS-Port=3.

My ideas about how the server works are probably wrong in this case, but
I was led the wrong way by the email you wrote in October and which I
have referred to. Now I am wondering whether the information there is correct
or whether I have to apply the patch which was in the same thread. After this
discussion it seems that setting attribute values cannot be done, which
was not what I was expecting having read the email archive.
-- 
 <-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->
 <  Tero Turtiainen  |  Yes Sir, may I lick your boots or do your Highness   >
 <  [EMAIL PROTECTED]  |use dry cleaning?  - Stone   >
 <-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->




Re: Freeradius-0.9.0-pre3 on BSDI4.3, Makefile error

2003-07-18 Thread Guillermo Delmastro
Thanks Ross !!!

But now, after doing gmake, I get these errors:

gmake[4]: Entering directory `/usr/local/freeradius-0.9.0-pre3/src/main'
gcc  -g -O2 -Wall -D_GNU_SOURCE -DNDEBUG  -I../include   -c radiusd.c
radiusd.c: In function `main':
radiusd.c:309: structure has no member named `sa_sigaction'
radiusd.c: At top level:
radiusd.c:106: warning: `got_child' defined but not used
radiusd.c:117: warning: `needs_child_cleanup' defined but not used
gmake[4]: *** [radiusd.o] Error 1
gmake[4]: Leaving directory `/usr/local/freeradius-0.9.0-pre3/src/main'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/usr/local/freeradius-0.9.0-pre3/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/freeradius-0.9.0-pre3/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/usr/local/freeradius-0.9.0-pre3'
gmake: *** [all] Error 2

Is this a problem from this version? Or am I doing something wrong?

Guillermo

- Original Message - 
From: "Ross Reed" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 6:06 PM
Subject: RE: Freeradius-0.9.0-pre3 on BSDI4.3, Makefile error


> Make sure you are using gmake and not make. I had the same problem. If you
> can't use gmake, you will need to paste the contents of Make.inc into your
> Makefile, but I don't recommend it.
>
> Ross Reed
>
> -Original Message-
> From: Guillermo Delmastro [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 17, 2003 4:01 PM
> To: [EMAIL PROTECTED]
> Subject: Freeradius-0.9.0-pre3 on BSDI4.3, Makefile error
>
>
> Hi
> I'm trying to install freeradius-0.9.0-pre3 on BSDI4.3 doing:
>
> ./configure
> make
> make install
>
> but when I do make, I get the following:
>
> "Makefile", line 10: Need an operator
> Fatal errors encountered -- cannot continue
>
> and line 10 is:
>
> include Make.inc
>
> Can anybody help me?
>
> Thanks
>
> Guillermo
>




Re: Can rlm_expr be used with check items?

2003-07-18 Thread Alan DeKok
Tero Turtiainen <[EMAIL PROTECTED]> wrote:
> >   Try:
> > 
> > DEFAULT NAS-Port == `%{rlm_expr: 1 + 2}`
> > Reply-Message = "Nas port of 3",
> > Fall-Through = 1
> >
> >   Send it packets containing NAS-Port of 1, 2, 3, 4, ... and see what
> > happens.
> 
> I won't, it is quite obvious what happens in this case :)

  If you're not going to listen to my advice, then I don't see why I
should waste my time trying to help you.

  Your ideas about how the server works are wrong.  My request above
was an attempt to get you to educate yourself, so as to better
understand how the server works.  Since you're unwilling to educate
yourself, I suggest you stop asking questions.

  Alan DeKok.



Re: Stopping radius responding

2003-07-18 Thread Graeme Hinchliffe
On Fri, 18 Jul 2003 15:35:54 +0100
João Filipe Frade <[EMAIL PROTECTED]> wrote:

> Strange,
> I've tried this configuration in freeradius 0.8.1 and it worked...

I thought it odd too.

> Do you have more radius servers configured?
> Do you have any other module in the authentication section?
> Are you sure that you get an auth-reject packet?

my authentication section looks like this

 START 

authenticate {
authtype PAP {
pap
}

authtype CHAP {
chap
}
}
 END 

and my authorize section is:

 START 
authorize {
 redundant {
sql1
sql2
handled
 }
}
 END 

And the dump from running radiusd -X gives  (NB: I have commented out the 
username/password and replaced them with xx )

 START 
rad_recv: Access-Request packet from host 127.0.0.1:42097, id=1, length=63
User-Name = "xx"
User-Password = "xx"
NAS-Identifier = "office-137"
modcall: entering group authorize
modcall: entering group redundant
radius_xlat:  'xxx'
rlm_sql (sql1): sql_set_user escaped user --> 'xxx'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'xx' ORDER BY id'
rlm_sql (sql1): Ignoring unconnected handle
rlm_sql (sql1): Ignoring unconnected handle
rlm_sql (sql1): Ignoring unconnected handle
rlm_sql (sql1): Ignoring unconnected handle
rlm_sql (sql1): Ignoring unconnected handle
rlm_sql (sql1): There are no DB handles to use!
  modcall[authorize]: module "sql1" returns fail
radius_xlat:  'x'
rlm_sql (sql2): sql_set_user escaped user --> 'xxx'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'xxx' ORDER BY id'
rlm_sql (sql2): Ignoring unconnected handle
rlm_sql (sql2): Ignoring unconnected handle
rlm_sql (sql2): Ignoring unconnected handle
rlm_sql (sql2): Ignoring unconnected handle
rlm_sql (sql2): Ignoring unconnected handle
rlm_sql (sql2): There are no DB handles to use!
  modcall[authorize]: module "sql2" returns fail
  modcall[authorize]: module "handled" returns handled
modcall: group redundant returns handled
modcall: group authorize returns handled
There was no response configured: rejecting request 0
Server rejecting request 0.
Sending Access-Reject of id 1 to 127.0.0.1:42097
Finished request 0
 END 

To me it looks like getting a 'handled' request from the authorize section requires 
some extra config to say do nothing, but I am probably wrong :)

-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk)

ICQ 3842605 (link)

Sales : 0870 6000 971
Fax   : 0870 6000 972




RE: radius benchmark

2003-07-18 Thread Jeremy Davis
I was looking for a utility for different radius servers as well, so I can
benchmark freeradius vs. the current radius server that I am using.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ulrich
Walcher
Sent: Friday, July 18, 2003 3:20 AM
To: [EMAIL PROTECTED]
Subject: Re: radius benchmark



> What is a good tool for radius benchmarking?

Take a look at:

scripts/create-users.pl
and
doc/performance-testing






Re: Can rlm_expr be used with check items?

2003-07-18 Thread Tero Turtiainen
Alan DeKok wrote:
> "Turtiainen Tero" <[EMAIL PROTECTED]> wrote:
> > Which part of that entry does not work?
> 
>   NAS-Port is NOT a configuration item.

Does it matter which attribute is used? I have tried adding my own
attributes to a dictionary as suggested by the link in my previous mail
and those attributes failed too.

>  The problem has nothing to do with rlm_expr.  You CANNOT add a
> RADIUS attribute to a request from the 'users' file, which is what
> you were trying to do.

Then I guess the attribute does not matter...

So is it true that something like:

DEFAULT Some-Valid-Attribute := 42
Fall-Through = Yes

cannot be done, unless the attribute is one of those special attributes
like Auth-Type?

> > I was expecting expr to work also on check items. I just haven't
> > managed to get it working.
> 
>   Try:
> 
> DEFAULT NAS-Port == `%{rlm_expr: 1 + 2}`
> Reply-Message = "Nas port of 3",
> Fall-Through = 1
>
>   Send it packets containin NAS-Port of 1, 2, 3, 4, ... and see what
> happens.

I won't, it is quite obvious what happens in this case :)

> > I don't get it. At the top you seem to imply that rlm_expr can be
> > used with config items but now you are saying that it doesn't work
> > that way. I am obviously confused and missing something obvious.
> 
>   As I said before, rlm_expr works, but your attempt to *set* the
> value of NAS-Port is wrong.

Then I don't understand how the following users-file line in the link mentioned
earlier is supposed to work:

DEFAULT NAS-IP-Address == 1.2.3.4, ATM-VCI := `%{expr:%{NAS-Port} & 65535}`, 
ATM-VPI := `%{expr:%{NAS-Port} / 65536}`

I understood that in this case two new check items are set with the
values provided by the expression. 
-- 
 <-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->
 <  Tero Turtiainen  |  Yes Sir, may I lick your boots or do your Highness   >
 <  [EMAIL PROTECTED]  |use dry cleaning?  - Stone   >
 <-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->




RE: Stopping radius responding

2003-07-18 Thread João Filipe Frade
Strange,
I've tried this configuration in freeradius 0.8.1 and it worked...

Do you have more radius servers configured?
Do you have any other module in the authentication section?
Are you sure that you get an auth-reject packet?

Bye,

Joao Frade
-Original Message-
From: Graeme Hinchliffe [mailto:[EMAIL PROTECTED] 
Sent: Friday, 18 July 2003 10:32
To: [EMAIL PROTECTED]
Subject: Re: Stopping radius responding


Hiya
A bit more info from running with -X

output shows for a request:


- START -
modcall: entering group authorize
modcall: entering group redundant
  modcall[authorize]: module "handled" returns handled
modcall: group redundant returns handled
modcall: group authorize returns handled
There was no response configured: rejecting request 2
Server rejecting request 2
- END -


-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk)

ICQ 3842605 (link)

Sales : 0870 6000 971
Fax   : 0870 6000 972




Re: proxy attrs on per realm basis

2003-07-18 Thread Alan DeKok
Matthew Krenzer <[EMAIL PROTECTED]> wrote:
> We are running freeradius here to proxy radius requests to several 
> different people.  Unfortunately, some of the realms have very 
> different requirements pertaining to retry_delay retry_count and 
> dead_time.  
> 
> From what I can see, freeradius does not support setting these 
> attributes on a per-realm basis.  Can anyone confirm this?

  It doesn't.

>   Also, how much work would it take to make the attributes apply on
> a per-realm basis (we might be willing to do all the work)?

  Not much.  Add a few entries to the 'realms' data structure, and
update src/main/mainconfig.c to set them, if it finds them in the
configuration files.  Then make src/main/proxy.c prefer those values
over the ones in the main server configuration.

  ~100 lines of code, tops.

> Another approach to this that we tried in the past was to use 
> 'synchronous' mode, but this seemed kind of quirky at the time (I 
> think freeradius was at version 0.1 at the time).

  Uh, yeah.

> At the time I think someone was even thinking of removing this 
> feature from the product.  Is anyone using synchronous mode?  How is 
> it working for you?  Is it currently expected to work 'right'?

  I think it works, but I don't regularly use it.

  Alan DeKok.



password

2003-07-18 Thread labis siegfried
Is it possible to put the user's password in the huntgroups file? If yes,
how can I do this?



Re: Can rlm_expr be used with check items?

2003-07-18 Thread Alan DeKok
"Turtiainen Tero" <[EMAIL PROTECTED]> wrote:
> Which part of that entry does not work?

  NAS-Port is NOT a configuration item.

  The problem has nothing to do with rlm_expr.  You CANNOT add a
RADIUS attribute to a request from the 'users' file, which is what
you were trying to do.

> I was expecting expr to work also on check items. I just haven't
> managed to get it working.

  Try:

DEFAULT NAS-Port == `%{rlm_expr: 1 + 2}`
Reply-Message = "Nas port of 3",
Fall-Through = 1

  Send it packets containing NAS-Port of 1, 2, 3, 4, ... and see what
happens.

> I don't get it. At the top you seem to imply that rlm_expr can be
> used with config items but now you are saying that it doesn't work
> that way. I am obviously confused and missing something obvious.

  As I said before, rlm_expr works, but your attempt to *set* the
value of NAS-Port is wrong.

  Alan DeKok.



Re: Can rlm_expr be used with check items?

2003-07-18 Thread Turtiainen Tero
> "Turtiainen Tero" <[EMAIL PROTECTED]> wrote:
> > I am wondering if rlm_expr can be used with config items.
> 
>   Sure, why not?

I was wondering because I couldn't figure out how it works :)

> > (I am using NAS-Port attribute just as an example for testing this
> > feature):
> > 
> > DEFAULT NAS-Port := `%{expr: 1+1}`
> >   Fall-Through = Yes
> 
>   Huh? That won't work even without rlm_expr.

Which part of that entry does not work? Obviously setting NAS-Port works as
it was shown that the expression is calculated correctly when it is in reply
items. 

And based on this email in the archive
http://lists.cistron.nl/pipermail/freeradius-devel/2002-October/003604.html
I was expecting expr to work also on check items. I just haven't managed to
get it working.

> > i.e. it matches the first entry in the users file where I would like
> > to calculate NAS-Port for the check items. I would think after that
> > entry has been processed check item NAS-Port would be set to 2
>
>   It doesn't work that way.  Ever.

I don't get it. At the top you seem to imply that rlm_expr can be used with
config items but now you are saying that it doesn't work that way. I am
obviously confused and missing something obvious.
-- 
Tero Turtiainen
Sonera Oyj
[EMAIL PROTECTED]
Tel: +358 40 702 8754



proxy attrs on per realm basis

2003-07-18 Thread Matthew Krenzer


We are running freeradius here to proxy radius requests to several 
different people.  Unfortunately, some of the realms have very 
different requirements pertaining to retry_delay retry_count and 
dead_time.  

From what I can see, freeradius does not support setting these 
attributes on a per-realm basis.  Can anyone confirm this?  Also, how 
much work would it take to make the attributes apply on a per-realm 
basis (we might be willing to do all the work)?

Another approach to this that we tried in the past was to use 
'synchronous' mode, but this seemed kind of quirky at the time (I 
think freeradius was at version 0.1 at the time).  In particular, it 
looked like on Solaris the process would start using 100%CPU, etc.  
At the time I think someone was even thinking of removing this 
feature from the product.  Is anyone using synchronous mode?  How is 
it working for you?  Is it currently expected to work 'right'?

Thanks,
Matthew



Re: FreeRadius + TTLS authentication?

2003-07-18 Thread Alan DeKok
Francisco Javier Martinez Martinez <[EMAIL PROTECTED]> wrote:
> 1.- Is it possible to do EAP-TTLS authentication with freeradius?

  No.  But some people appear to be working on it.  See the list
archives.

> 2.- If yes, does the certificate belong to the radius server?

  The server will need a certificate for TTLS.

> 2.1 Is it necessary that the CN matches a DNS name?

  The client can be configured that way.

> 3.- If the client to be authenticated is a wireless client and the request 
> is sent by the AP, are the WEP keys derived from this certificate?

  No.  See the TLS standard for details.

  Alan DeKok.



Re: Can rlm_expr be used with check items?

2003-07-18 Thread Alan DeKok
"Turtiainen Tero" <[EMAIL PROTECTED]> wrote:
> I am wondering if rlm_expr can be used with config items.

  Sure, why not?

> (I am using NAS-Port attribute just as an example for testing this
> feature):
> 
> DEFAULT NAS-Port := `%{expr: 1+1}`
>   Fall-Through = Yes

  Huh? That won't work even without rlm_expr.

> i.e. it matches the first entry in the users file where I would like
> to calculate NAS-Port for the check items. I would think after that
> entry has been processed check item NAS-Port would be set to 2

  It doesn't work that way.  Ever.

  Alan DeKok.



FreeRadius + TTLS authentication?

2003-07-18 Thread Francisco Javier Martinez Martinez
Hello.

I have done the basic installation of freeradius; it is going to do basic 
authentication. But I have a few questions.

1.- Is it possible to do EAP-TTLS authentication with freeradius?

2.- If yes, does the certificate belong to the radius server?
2.1 Is it necessary that the CN matches a DNS name?
3.- If the client to be authenticated is a wireless client and the request 
is sent by the AP, are the WEP keys derived from this certificate?
3.1 If yes, must the WEP configuration in the client be automatic?

Thanks in advance.



Re: nomadix

2003-07-18 Thread barry
Yep, that's what I've got configured in clients.config.
I'm running radiusd -X and the nomadix is not hitting at all.

-- just realised what is wrong - my firewall is blocking the ports !

Thanks
Barry


- Original Message -
From: "Alan Litster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 18, 2003 12:22 PM
Subject: RE: nomadix


> Barry,
>
> You don't need to put the USG in the naslist as it is deprecated, just
> create an entry in clients.conf similar to:
>
> client 1.1.1.1 {
> secret = test
> shortname = nomadix
> nastype = other
> }
>
> Where 1.1.1.1 is the 'Network IP Address' and NOT the 'Subscriber IP
> Address' of the Nomadix.
>
> Have you tried running freeradius in debug mode (radiusd -X) to see if the
> Nomadix is hitting the radius server?
>
> Regards,
>
> Alan
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > [EMAIL PROTECTED]
> > Sent: 18 July 2003 10:44
> > To: [EMAIL PROTECTED]
> > Subject: Re: nomadix
> >
> >
> > Hi Alan
> >
> > I've got freeradius working with postgres and its authorization is
> > working when I use radtest.
> > When I use the nomadix radius test login, it comes back with a server
> > timed out message.
> > I do have the USG setup in the naslist and also as a client (nastype =
> > other) and I'm using the standard ports (1812/1813) on both sides.
> >
> > Thanks + Regards,
> > Barry
> >
> > - Original Message -
> > From: "Alan Litster" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, July 18, 2003 11:18 AM
> > Subject: RE: nomadix
> >
> >
> > > Hi Barry,
> > >
> > > I'm currently in the process of setting up a Nomadix (USG II) and
> > > FreeRADIUS configuration. I've successfully got the two working together
> > > without any major problems. The Nomadix is quite useful in that it
> > > supports an account expiry attribute, you simply set the account expiry
> > > datetime and it will disable the user when the time comes.
> > > Nomadix-Expiration = "2003-07-18 16:15:00"
> > >
> > > What are you struggling with...?
> > >
> > > Regards,
> > >
> > > Alan
> > >
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: 18 July 2003 09:31
> > > To: [EMAIL PROTECTED]
> > > Subject: nomadix
> > >
> > >
> > > Does anyone have any experience in getting FreeRadius to work with a
> > nomadix
> > > xSG product ?
> > > I'm struggling ...
> > >
> > >
> > >




RE: nomadix

2003-07-18 Thread Alan Litster
Barry,

You don't need to put the USG in the naslist as it is deprecated, just
create an entry in clients.conf similar to:

client 1.1.1.1 {
secret  = test
shortname   = nomadix
nastype = other
}

Where 1.1.1.1 is the 'Network IP Address' and NOT the 'Subscriber IP
Address' of the Nomadix.

Have you tried running freeradius in debug mode (radiusd -X) to see if the
Nomadix is hitting the radius server?

Regards,

Alan

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: 18 July 2003 10:44
> To: [EMAIL PROTECTED]
> Subject: Re: nomadix
>
>
> Hi Alan
>
> I've got freeradius working with postgres and its authorization is working
> when I use radtest.
> When I use the nomadix radius test login, it comes back with a server
> timed out message.
> I do have the USG setup in the naslist and also as a client (nastype =
> other) and I'm using the standard ports (1812/1813) on both sides.
>
> Thanks + Regards,
> Barry
>
> - Original Message -
> From: "Alan Litster" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 18, 2003 11:18 AM
> Subject: RE: nomadix
>
>
> > Hi Barry,
> >
> > I'm currently in the process of setting up a Nomadix (USG II) and
> > FreeRADIUS configuration. I've successfully got the two working together
> > without any major problems. The Nomadix is quite useful in that it
> > supports an account expiry attribute, you simply set the account expiry
> > datetime and it will disable the user when the time comes.
> > Nomadix-Expiration = "2003-07-18 16:15:00"
> >
> > What are you struggling with...?
> >
> > Regards,
> >
> > Alan
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > [EMAIL PROTECTED]
> > Sent: 18 July 2003 09:31
> > To: [EMAIL PROTECTED]
> > Subject: nomadix
> >
> >
> > Does anyone have any experience in getting FreeRadius to work with a
> nomadix
> > xSG product ?
> > I'm struggling ...
> >
> >
> >


---
This email, and any files transmitted with it, is copyright and may contain 
confidential information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics 
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or 
obligation.

Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY

Tel 07000 701999
Fax 07000 701777



Can rlm_expr be used with check items?

2003-07-18 Thread Turtiainen Tero
Hi,

I am wondering if rlm_expr can be used with config items. My current guess
is that it cannot be used, though I would find it quite useful.

I am currently using CVS snapshot 20030611. My users-file looks like this
(I am using NAS-Port attribute just as an example for testing this feature):

DEFAULT NAS-Port := `%{expr: 1+1}`
Fall-Through = Yes

DEFAULT NAS-Port == 2, Auth-Type := Reject
Reply-Message := "NAS-Port was indeed calculated, and it was 2",
Fall-Through = No

DEFAULT
NAS-Port := `%{expr: 2+2}`,
Reply-Message := "NAS-Port was calculated for the reply attributes",
Fall-Through = No

Then I use radclient to send a simple authentication request and radius logs
the following:

rad_recv: Access-Request packet from host 127.0.0.1:34593, id=76, length=43
User-Name = "abc"
User-Password = "def"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 1
users: Matched DEFAULT at 8
radius_xlat: Running registered xlat function of module expr for string ' 2+2'
radius_xlat:  ' 2+2'
radius_xlat:  '4'
...
Sending Access-Accept of id 108 to 127.0.0.1:34593
NAS-Port := 4
Reply-Message := "NAS-Port was calculated for the reply attributes"
...

i.e. it matches the first entry in the users file where I would like to
calculate NAS-Port for the check items. I would think that after that entry has
been processed the check item NAS-Port would be set to 2, and then the next match
would be at line 4 (DEFAULT NAS-Port == 2, Auth-Type := Reject). But no, the
processing continues at line 8. rlm_expr is obviously working with reply items,
as can be seen in the log file; it is correctly calculating the NAS-Port as
specified on line 9.

So now I am wondering whether rlm_expr can be used with check items at all, or
am I missing something obvious? Would rlm_attr_rewrite be more useful, can
it perform simple arithmetic?
-- 
Tero Turtiainen
Sonera Oyj
[EMAIL PROTECTED]
Tel: +358 40 702 8754

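A simplified model of how the users file above is walked, added here as an illustration (it is not FreeRADIUS code): check items are compared against the request, reply items are collected, Fall-Through decides whether later entries are examined, and a `:=` check item only sets a config item for the user without rewriting the request, so the later `NAS-Port == 2` still sees only what the NAS sent. The entries and the request are constructed from the post.

```python
"""Simplified model of a FreeRADIUS 'users' file walk, added to illustrate the
post above (an illustration, not FreeRADIUS code): check items are compared
against the REQUEST, reply items are collected, Fall-Through decides whether
later entries are looked at. A ':=' check item only sets a config item for
this user and never rewrites the request, so a later 'NAS-Port == 2' still
sees what the NAS sent. Backtick xlat is modelled for reply items only, as
the debug output in the post shows."""
import re

# Constructed entries mirroring the post's users file, in file order:
# (attribute, operator, value) tuples for check and reply items.
ENTRIES = [
    {"line": 1, "check": [("NAS-Port", ":=", "`%{expr: 1+1}`")],
     "reply": [("Fall-Through", "=", "Yes")]},
    {"line": 4, "check": [("NAS-Port", "==", "2"), ("Auth-Type", ":=", "Reject")],
     "reply": [("Reply-Message", ":=", "NAS-Port was indeed calculated, and it was 2"),
               ("Fall-Through", "=", "No")]},
    {"line": 8, "check": [],
     "reply": [("NAS-Port", ":=", "`%{expr: 2+2}`"),
               ("Reply-Message", ":=", "NAS-Port was calculated for the reply attributes"),
               ("Fall-Through", "=", "No")]},
]
EXPR = re.compile(r"^`%\{expr:\s*(\d+)\s*\+\s*(\d+)\s*\}`$")

def xlat(value):
    """Expand the one xlat the post uses, `%{expr: a+b}`; anything else is literal."""
    m = EXPR.match(value)
    return str(int(m.group(1)) + int(m.group(2))) if m else value

def entry_matches(check, request):
    """True when every comparison check item holds against the request.
    Assignment operators (:=, +=, =) are config items, not constraints."""
    for attr, op, value in check:
        if op in (":=", "+=", "="):
            continue
        if op == "==" and request.get(attr) != value:
            return False      # an attribute absent from the request also fails
    return True

def process(entries, request):
    """Return (lines matched, reply items) for a request dict of attr -> str."""
    matched, reply = [], {}
    for e in entries:
        if not entry_matches(e["check"], request):
            continue
        matched.append(e["line"])
        fall_through = False
        for attr, op, value in e["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = xlat(value)     # xlat runs here, as the log shows
        if not fall_through:
            break
    return matched, reply

if __name__ == "__main__":
    request = {"User-Name": "abc", "User-Password": "def"}   # constructed
    print(process(ENTRIES, request))
```

With the post's request (no NAS-Port sent by the NAS) the walk matches lines 1 and 8 and never line 4, exactly as the debug output shows.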


Re:rlm_ippool: No available ip addresses in pool (Thomas Krause (Webmatic))

2003-07-18 Thread Pierluigi Frullani

> modules {
>
>  ippool wpool {
>  session-db = ${raddbdir}/wpool-sess-db
>  ip-index = ${raddbdir}/wpool-idx-db
>  range-start = 192.168.127.1
>  range-stop = 192.168.127.127
>  netmask = 255.255.255.255
>  #netmask = 255.255.255.128
>  cache-size = 5000
>  }
>
>
>  ippool dpool {
>  session-db = ${raddbdir}/dpool-sess-db
>  ip-index = ${raddbdir}/dpool-idx-db
>  range-start = 192.168.126.160
>  range-stop = 192.168.126.255
>  netmask = 255.255.255.255
>  cache-size = 800
>  }
>
> So, what's wrong?
> Thanks for any hints!
If I'm not wrong, the netmask in the config is for determining the
address pool. So if you use the 255.255.255.255 netmask, you tell
rlm_ippool that you have no network. You should use a higher netmask to
provide some addresses. E.g.:
range-start = 192.168.126.160
range-stop = 192.168.126.255
netmask = 255.255.255.128

This will inform the module that you want to use the addresses in the
network 192.168.126.128/25, starting from .160.

I think that the 255.255.255.255 mask will lead the module into confusion.

Hope I've been clear, and that this helps.

Pigi



>
> Regards,
> Thomas.
>


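A model of Pigi's explanation above, added here as an illustration (it is not rlm_ippool's own code); it assumes the netmask is used only to drop the network and broadcast address of each subnet the range touches, which is why a /32 mask leaves nothing usable while the /25 mask does. The ranges are the ones from the quoted config.

```python
"""Model of how an address range shrinks under a netmask, added to illustrate
the reply above (an illustration, not rlm_ippool's code). Assumption: the
netmask is used only to skip the network and broadcast address of each
netmask-sized subnet. Under 255.255.255.255 every address is the network
(and broadcast) address of its own one-host subnet, so nothing is usable."""
from ipaddress import IPv4Address

def usable_pool(range_start, range_stop, netmask):
    """Addresses in [range_start, range_stop] that are neither the network
    nor the broadcast address of their netmask-sized subnet."""
    start, stop = int(IPv4Address(range_start)), int(IPv4Address(range_stop))
    host_bits = (~int(IPv4Address(netmask))) & 0xFFFFFFFF
    pool = []
    for ip in range(start, stop + 1):
        host_part = ip & host_bits
        if host_part == 0 or host_part == host_bits:   # network / broadcast
            continue
        pool.append(str(IPv4Address(ip)))
    return pool

def pool_size(range_start, range_stop, netmask):
    """Number of assignable addresses for a given ippool range and netmask."""
    return len(usable_pool(range_start, range_stop, netmask))

if __name__ == "__main__":
    # dpool as posted (/32) versus the /25 mask Pigi suggests.
    print(pool_size("192.168.126.160", "192.168.126.255", "255.255.255.255"))
    print(pool_size("192.168.126.160", "192.168.126.255", "255.255.255.128"))
```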


Re: Stopping radius responding

2003-07-18 Thread Graeme Hinchliffe
Hiya
A bit more info from running with -X

output shows for a request:


- START -
modcall: entering group authorize
modcall: entering group redundant
  modcall[authorize]: module "handled" returns handled
modcall: group redundant returns handled
modcall: group authorize returns handled
There was no response configured: rejecting request 2
Server rejecting request 2
- END -


-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk)

ICQ 3842605 (link)

Sales : 0870 6000 971
Fax   : 0870 6000 972




Re: nomadix

2003-07-18 Thread barry
Hi Alan

I've got freeradius working with postgres and its authorization is working
when I use radtest.
When I use the nomadix radius test login, it comes back with a server timed
out message.
I do have the USG set up in the naslist and also as a client (nastype =
other) and I'm using the standard ports (1812/1813) on both sides.

Thanks + Regards,
Barry

- Original Message -
From: "Alan Litster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 18, 2003 11:18 AM
Subject: RE: nomadix


> Hi Barry,
>
> I'm currently in the process of setting up a Nomadix(USG II) and
> FreeRADIUS configuration. I've successfully got the two working together
> without any major problems. The Nomadix is quite useful in that it supports
> an account expiry attribute, you simply set the account expiry datetime and
> it will disable the user when the time comes.
> Nomadix-Expiration = "2003-07-18 16:15:00"
>
> What are you struggling with...?
>
> Regards,
>
> Alan
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: 18 July 2003 09:31
> To: [EMAIL PROTECTED]
> Subject: nomadix
>
>
> Does anyone have any experience in getting FreeRadius to work with a
> nomadix xSG product ?
> I'm struggling ...
>
>
> --
-
> This email, and any files transmitted with it, is copyright and may
contain confidential information.
> The contents are intended for the use of the addressee(s) only.
> Unauthorized use may be unlawful.
> If you receive this email by mistake, please advise sender immediately.
> The views of the author may not necessarily constitute the views of Telco
Electronics Limited.
> Nothing in this mail shall bind Telco Electronics Limited in any contract
or obligation.
>
> Telco Electronics Limited
> 6-8 Oxford Court
> Brackley
> Northants
> NN13 7XY
>
> Tel 07000 701999
> Fax 07000 701777
>




Re: Updated User Survey - Which DB backend do you use?

2003-07-18 Thread Ulrich Walcher
--snip--
> > > a) If you use a Database backend for FreeRadius which one do you use?
> > >
> Postgres
> > > b) If you do not use a DB backend for FreeRadius, but do have a DB on your
> > > server or in your rack, what DB is it?
-- snip--
> > d) If you do use a DB backend for FR do you use the default SQL queries that 
> > come with FR or have you written your own? If you wrote your own, would you 
> > mind sharing them with us (with a description please)?
> Some defaults, some self written.
> Wouldn't mind sharing. Just need some spare time for the description...
> 
> OoLee

So, that's the changed stuff...
Basically it's just a very simple prepaid model that works by passing
the remaining "Session-Timeout" after successful authentication...
Didn't find much time for a 'description', but I changed the field
names to something pretty obvious...

authorize_check_query = "SELECT id,username,attribute,value,op FROM
${authcheck_table} WHERE username = '%{SQL-User-Name}' AND (username =
'Internet' OR account_expires > current_timestamp OR account_expires IS
NULL) ORDER BY id"

authorize_reply_query = "SELECT id,username,attribute,value,op FROM
${authreply_table} WHERE username = '%{SQL-User-Name}' AND attribute !=
'Session-Timeout' ORDER BY id"


post_auth_query = "UPDATE ${authcheck_table} SET account_expires =
(current_timestamp + contract_value) WHERE username = '%{SQL-User-Name}'
AND account_expires IS NULL; UPDATE ${authreply_table} SET value =
(SELECT split_part(EXTRACT(EPOCH FROM account_expires -
current_timestamp), '.', 1) FROM ${authcheck_table} WHERE username =
'%{SQL-User-Name}') WHERE username = '%{SQL-User-Name}' AND attribute =
'Session-Timeout' "

post_auth_reply_query = "SELECT id,username,attribute,value,op FROM
${authreply_table} WHERE username = '%{SQL-User-Name}' AND attribute =
'Session-Timeout' "




Re: Stopping radius responding

2003-07-18 Thread Graeme Hinchliffe
On Thu, 17 Jul 2003 17:59:42 +0100
João Filipe Frade <[EMAIL PROTECTED]> wrote:

> Use something like this:
> 
> 
> Modules {
> ...
>   always handled {
>   rcode = handled
>   }
> ...
> }
> authorize {
> ...
>   redundant {
>   sql_master < primary db
>   sql_slave  < secondary db
>   handled
>   }
> ...
> }

Ah! I missed that in the docs! DOH! :)

However it doesn't seem to work!  I have in my config in authorize:

redundant {
sql1
sql2
handled
}

And I have also defined 'handled' in the modules section, but if I stop both DBs I get an
auth reject.

I tried putting handled as the first entry in the redundant block but this gave
exactly the same results!  (Yes, I am stopping and starting the radius daemon :)

any ideas?

Graeme

> -Original Message-
> From: Graeme Hinchliffe [mailto:[EMAIL PROTECTED] 
> Sent: quinta-feira, 17 de Julho de 2003 16:33
> To: freeradius-users
> Subject: Stopping radius responding
> 
> 
> Hiya  
>   Not sure if I have asked this already...
> 
>   I need to be able to have freeRadius not respond AT ALL if it cannot contact 
> any databases, as opposed to sending auth rejections.  The logic (crazy as it sounds 
> initially) is this.
> 
> Imagine the setup.  3 locations (A,B & C) each with their own NAS (A,B & C) and also 
> each with their own FreeRADIUS (A,B & C).  
> 
> They are configured so that NAS A talks to RADIUS A primarily, and then fails over 
> to RADIUS B or C, and equivalent for each of the other sites.
> 
> RADIUS A is configured to use its local database as well as the databases of RADIUS 
> B & C, and the same for the other RADIUS servers.
> 
> Now.  Suppose there are some problems, and RADIUS A cannot talk to its local db, 
> but also cannot talk to RADIUS B or C's db's.  It is going to send out Auth Rejects 
> for every request NAS A sends to it.  This doesn't sound too much like a problem, 
> except that NAS A can see RADIUS B without issue and RADIUS B is still happy.  So 
> what we have here is a NAS refusing connections due to RADIUS A, when in fact if 
> RADIUS A didn't respond it would try using RADIUS B, and be able to authenticate 
> connections.
> 
> I know this situation is very unlikely, but I am sure most people are aware that 1 
> in a million chances happen 9 times out of 10 (especially when computers are 
> involved! :) )
> 
> Is it possible to configure this into freeRADIUS? or am I going to require some sort 
> of exterior monitor to kill off freeRADIUS should this occur?
> 
> Thanks for your help
> 


-- 
-
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk)

ICQ 3842605 (link)

Sales : 0870 6000 971
Fax   : 0870 6000 972




RE: nomadix

2003-07-18 Thread Alan Litster
Hi Barry,

I'm currently in the process of setting up a Nomadix(USG II) and FreeRADIUS
configuration. I've successfully got the two working together without any
major problems. The Nomadix is quite useful in that it supports an account
expiry attribute, you simply set the account expiry datetime and it will
disable the user when the time comes.
Nomadix-Expiration = "2003-07-18 16:15:00"

What are you struggling with...?

Regards,

Alan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: 18 July 2003 09:31
To: [EMAIL PROTECTED]
Subject: nomadix


Does anyone have any experience in getting FreeRadius to work with a nomadix
xSG product ?
I'm struggling ...




ip-pool problem

2003-07-18 Thread Kern Elvish
I can't set the IP address for a user.
When I receive an Access-Request packet I add to the Access-Accept reply the field
"Framed-IP-Address = 192.168.164.164"
but my cisco (ubr7200) ignores it and sets the IP address for the user from the
cisco ip-pool.
I tried to remove the ip-pool on the cisco, but then the user isn't created at all.
I tried to send Access-Accept with and without "Framed-IP-Netmask",
"Framed-Protocol", "Service-Type".
Authorization and accounting work normally, if I forget about manually setting the IP address
for some users.
I have freeradius 0.8.

rad_recv: Access-Request packet from host 192.168.164.34:1645, id=167,
length=170
NAS-IP-Address = 195.38.164.34
NAS-Port = 1
Cisco-NAS-Port = "Virtual-Access1*"
NAS-Port-Type = Virtual
User-Name = "kern"
Acct-Session-Id = "01C7"
MS-CHAP-Challenge = 0x09090acf9e70a853
MS-CHAP-Response = 0x540100 ... ecbb4a
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.164.164
...
...
Sending Access-Accept of id 167 to 192.168.164.34:1645
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP-MPPE-Keys =
0xf03aa0dca9147c4f88a2f3bd8c51e766f90bbd3bcf4ea1e332bb3bf21b7d87cc
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Framed-IP-Netmask = 255.255.255.128
Framed-IP-Address = 192.168.164.254
...
...
rad_recv: Accounting-Request packet from host 192.168.164.34:1646, id=168,
length=114
NAS-IP-Address = 192.168.164.34
NAS-Port = 1
Cisco-NAS-Port = "Virtual-Access1*"
NAS-Port-Type = Virtual
User-Name = "kern"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "01C7"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.164.164
Acct-Delay-Time = 0
...






nomadix

2003-07-18 Thread barry



Does anyone have any experience in getting FreeRadius to work with a nomadix xSG product ?
I'm struggling ...


RE: freeradius debian dependencies

2003-07-18 Thread Paul Hampson
> From: Alan DeKok
> Sent: Friday, 18 July 2003 12:15 AM

> Kirt Runolfson <[EMAIL PROTECTED]> wrote:
> > A previous thread mentioned breaking off the rlm stuff into Yet Another
> > debian package.  There are cons to this, but I think in this case, the
> > pros out weigh the cons.  As it is now, just installing freeradius wants
> > to install 17.5 MB worth of packages on a woody server and pulls all
> > sorts of X packages:

>   It's inappropriate, I agree.

>   My suggestion is to put as many modules as possible into the base
> distribution, which will make a simple & working server.  pap, chap,
> mschap, eap-md5, detail, radutmp, ...

Currently on Debian/testing, freeradius (the base package) has:
Depends: libc6 (>= 2.3.1-1), libgdbmg1, libltdl3 (>= 1.4.3-1), libpam0g (>= 0.76), 
libsnmp4.2, libssl0.9.7
(My build splits freeradius-iodbc out, but otherwise it would be there.)

And I currently intend to find a way to get rid of libssl (which
also implies splitting snmp out since it depends on libssl) in
case it is deemed necessary due to libssl/GPL licensing issues
which I still don't have my head around. (From memory, rlm_x99_token
is what's pulling libssl into the main package.) Of course, this
is hard since libsnmp-0.4.2.so is pulled in by the main binary...
(On looking, rlm_eap_tls also pulls in libssl. rlm_x99_token pulls
in libcrypto.) So I guess that's unlikely to happen. :-)

>   The modules which pull in massive amounts of libraries should
> probably each be in a separate package: sql, ldap, ...

Sounds good to me. The patch I posted could go into 0.9.0, but I
guess it's not urgent since Debian/unstable and Debian/testing's
version(s) of libiodbc2 don't pull in xlibs.

> > The following NEW packages will be installed:
> >  freeradius libfreetype6 libglib1.2 libgtk1.2 libgtk1.2-common libiodbc2
> >  libltdl3 libsnmp-base libsnmp4.2 xfree86-common xlibs

>   xlibs?  What the heck for?

Package: libiodbc2
Depends: libc6 (>= 2.2.4-4), libglib1.2 (>= 1.2.0), libgtk1.2 (>= 1.2.10-4), xlibs (>> 
4.1.0)

/usr/bin/iodbcadm-gtk I expect. Presumably split out post-release.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Re: typo in pgsql-voip.conf from Peter

2003-07-18 Thread Peter Nixon
On Fri, 18 Jul 2003 02:27 am, Miranda Gomez Miguel Angel wrote:
> Hi Peter/All
> I just checked the last updates of your voip config,
> and have noticed a little typo in the insert stop query of pgsql-voip.conf:
>
> accounting_stop_query = "INSERT into ${acct_table2}%{h323-call-type} \
>   (RadiusServerName, UserName, NASIPAddress, AcctTime, \
>   AcctSessionTime, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, \
>   AcctDelayTime, H323RemoteAddress, CiscoNASPort, h323callorigin, h323confid, \
>   h323connecttime, h323disconnectcause, h323disconnecttime, h323gwid, h323setuptime) \
>   values('${radius_server_name}', '%{SQL-User-Name}', '%{NAS-IP-Address}', now(), '%{Acct-Session-Time:-0}', \
>   '%{Acct-Input-Octets:-0}', '%{Acct-Output-Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
>   '%{Acct-Delay-Time:-0}', NULLIF('%{h323-remote-address}', '')::inet', '%{Cisco-NAS-Port}', \
>   '%{h323-call-origin}', '%{h323-conf-id}', strip_dot('%{h323-connect-time}'), '%{h323-disconnect-cause}', \
>   strip_dot('%{h323-disconnect-time}'), '%{h323-gw-id}', strip_dot('%{h323-setup-time}'))"
>
>
> in the '%{h323-remote-address}', '')::inet' part, you have to drop the last
> ' after the ::inet, otherwise the record will not be inserted, giving a
> POSTGRES FATAL ERROR.

Thanks. Fixed.

Wow. There seem to be a lot more people using my VoIP accounting code than I 
thought.
I guess I am going to have to start doing more testing before doing a CVS 
commit :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


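A small check that would have caught the stray quote before the CVS commit, added here as an illustration (not part of pgsql-voip.conf or FreeRADIUS): it folds the backslash-continued config line, replaces each %{...} xlat with a placeholder as the server does at run time, and walks the SQL to find an unterminated single-quoted literal. The query constants are constructed, shortened forms of the one quoted above.

```python
"""Sanity check for sql.conf query templates, added to illustrate the typo
above (an illustration, not part of pgsql-voip.conf or FreeRADIUS): fold the
backslash-continued lines, swap every %{...} xlat for a placeholder as the
server would at run time, then walk the SQL and report where a single-quoted
literal is left open. The stray quote after ::inet shows up that way; the
corrected query passes."""
import re

XLAT = re.compile(r"%\{[^}]*\}")

def fold(template):
    """Join backslash-newline continuations, drop the outer config-file
    double quotes and collapse whitespace, leaving the bare SQL."""
    text = template.replace("\\\n", " ").strip()
    if text.startswith('"') and text.endswith('"'):
        text = text[1:-1]
    return re.sub(r"\s+", " ", text)

def check_quotes(sql):
    """Return None when every '...' literal is closed ('' escapes honoured),
    otherwise the offset at which the unterminated literal starts."""
    sql = XLAT.sub("x", sql)          # any concrete xlat value behaves the same
    i, n = 0, len(sql)
    while i < n:
        if sql[i] == "'":
            start, i = i, i + 1
            while True:
                if i >= n:
                    return start
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":   # doubled quote inside literal
                        i += 2
                        continue
                    break
                i += 1
        i += 1
    return None

def lint(template):
    """Offset of the first unbalanced quote in a config query, or None if clean."""
    return check_quotes(fold(template))

# Constructed, shortened form of the query from the post, with the stray
# quote after ::inet, and the same query with that quote removed.
BROKEN = '''
"INSERT into acct (H323RemoteAddress, CiscoNASPort) \\
  values(NULLIF('%{h323-remote-address}', '')::inet', '%{Cisco-NAS-Port}')"
'''.strip()
FIXED = BROKEN.replace("::inet'", "::inet")

if __name__ == "__main__":
    print("broken:", lint(BROKEN), "fixed:", lint(FIXED))
```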


ip problem

2003-07-18 Thread labis siegfried
My radius does not assign any IP address although an ippool was created in 
radiusd.conf! I have freeradius 0.9, and I have this in my configuration:
users :

Framed-Pool = name

The name of the pool is good, I have verified it.

thx
siegfried


Re: radius benchmark

2003-07-18 Thread Ulrich Walcher

> What is a good tool for radius benchmarking?

Take a look at:

scripts/create-users.pl
and
doc/performance-testing



