Re: core dump using freeradius0.9.2 with FreeBSD 5.1
even 0.9.0 having problem with FreeBSD 5.1 ... something about rlm_ldap --haizam - Original Message - From: Rohaizam Abu Bakar To: [EMAIL PROTECTED] Sent: Monday, October 20, 2003 6:53 PM Subject: core dump using freeradius0.9.2 with FreeBSD 5.1 Using freeradius 0.9.2 with FreeBSD 5.1.. All compilations seems Ok... even starting up doesn't give any problem... But once pumping load into it (not that heavy)... then it keep core dumping as shown in below log.. Currently i revert back to freeradius 0.9.0 with my FreeBSD 5.1 ... FYI... freeradius 0.9.2 inside my FreeBSD 4.8 running fine... LOG = i) from system log Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 16:42:20 radius3 kernel: Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:02:02 radius3 kernel: pid 68054 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:02:02 radius3 kernel: Oct 20 17:02:02 radius3 kernel: pid 68054 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:34:01 radius3 kernel: pid 69185 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:34:01 radius3 kernel: Oct 20 17:34:01 radius3 kernel: pid 69185 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:46:27 radius3 kernel: pid 69671 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:46:27 radius3 kernel: Oct 20 17:46:27 radius3 kernel: pid 69671 (radiusd), uid 0: exited on signal 4 (core dumped) ii) from radius.log Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=227523,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=717710,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout Mon Oct 20 18:37:03 2003 : Error: rlm_ldap: uniqueIdentifier=983053,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout --haizam
RE: FreeRadius On a Lucent NAS
Manoj Reddy wrote: y don't u check ur server, hosting RADIUS for ports on which it is listening. there might a possible mismatch of ports on which ur server is listening and the ports on which ur NAS is operating for RADIUS Connections. check it out once and let me know the results. Both you and Alan Dekok were actually quite right. Foolish mistake :-) Thanks a lot Btw has anyone figured anything out regarding the snmpfinger issue I mentioned on my previous e-mail? Is opening the finger daemon on the NAS the only way? Regards Paris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: core dump using freeradius0.9.2 with FreeBSD 5.1
On Mon, 20 Oct 2003, Rohaizam Abu Bakar wrote: even 0.9.0 having problem with FreeBSD 5.1 ... something about rlm_ldap Please read doc/bugs and send a backtrace of the core dump to the list. Thanks --haizam - Original Message - From: Rohaizam Abu Bakar To: [EMAIL PROTECTED] Sent: Monday, October 20, 2003 6:53 PM Subject: core dump using freeradius0.9.2 with FreeBSD 5.1 Using freeradius 0.9.2 with FreeBSD 5.1.. All compilations seems Ok... even starting up doesn't give any problem... But once pumping load into it (not that heavy)... then it keep core dumping as shown in below log.. Currently i revert back to freeradius 0.9.0 with my FreeBSD 5.1 ... FYI... freeradius 0.9.2 inside my FreeBSD 4.8 running fine... LOG = i) from system log Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 16:42:20 radius3 kernel: Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:02:02 radius3 kernel: pid 68054 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:02:02 radius3 kernel: Oct 20 17:02:02 radius3 kernel: pid 68054 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:34:01 radius3 kernel: pid 69185 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:34:01 radius3 kernel: Oct 20 17:34:01 radius3 kernel: pid 69185 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:46:27 radius3 kernel: pid 69671 (radiusd), uid 0: exited on signal 4 (core dumped) Oct 20 17:46:27 radius3 kernel: Oct 20 17:46:27 radius3 kernel: pid 69671 (radiusd), uid 0: exited on signal 4 (core dumped) ii) from radius.log Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=227523,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=717710,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout Mon Oct 20 18:37:03 2003 : Error: rlm_ldap: uniqueIdentifier=983053,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout --haizam -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius On a Lucent NAS
On Sun, 19 Oct 2003, m0bius wrote: Hello there, I am doing an upgrade on the radius server, and I've decided to switch from Cistron Radius Server to FreeRadius. I have set FreeRadius to use mySQL and I've transformed the users file to the database format. I believe that I have configured freeradius enough to work fine. (radtest and radclient works as expected) However I've encountered some issues. 1st) The first time I tried to see if our Lucent NAS worked well with the freeradius (clients.conf has been properly set, with all the correct ip's and passwords) and running radiusd on debug mode (-X) I never saw a single connection from the NASes. It's kinda confusing since if the password was incorrect I would probably see a message. I believe that it is a Lucent issue but the weird thing is that it previously worked just fine with the Cistron Radius (I've not changed anything on the NASes). Could anyone know if there is anything that should be taken into consideration regarding the configuration of the nas? 2nd) I've set the dialup admin pretty well and it seems to work (Check Server and each Test User works as expected) however I don't seem to see the online users on the nas. I've set as fingering method snmp. I've tried running snmpfinger manually to see that it didn't work giving out errors. Mostly this was because of the different version of the snmpwalk I have installed on the system. (I use net-snmp latest version). I've edited snmpfinger for snmpwalk to work well, however now when I manually execute it I never get anything back... I don't want to use radacct for such purposes and I am most confused on what is going on. (Shouldn't snmpfinger return something back? Please note that when I do something like: snmpwalk -c community host -v 1 system I get a response from the nas) The snmpfinger will use the Cisco Session MIB so it will probably only work for cisco equipment. Patches are always welcome though. You could just try using radacct. As long as your accounting works ok it won't be of any difference. 3rd) The nases are supposed to serve both dialup PSTN and ISDN 64k and 128k at the same time. I've included the NAS-Port-Type on the dictionary and the dialup admin user_edit.attr file, however, while in Cistron the difference between PSTN, ISDN 64k, ISDN 128K was something like: PSTN: NAS-Port-Type = Async Simultaneus Use = 1 ISDN 64 Simultaneus Use = 1 ISDN 128 Simultaneus Use = 2 I've been searching the documentations and saw something like: NAS-Port-Type = ISDN. Would such a thing work as well? Simultaneous-Use is used to determine the number of distinct logins of a user Port-Limit is used to determine the number of multilink channels a user is allowed to open on a login. Btw I should mention that the Cistron Radius was not set by me and the people do not know how or why it was done this way back then. Well it's pretty much about that. I am sorry about the extended mail Really looking forward for any help available Regards Paris - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Session-Timeout
On Sun, 19 Oct 2003, Doron Shmaryahu wrote: Hi, I am using freeradius with mysql and dialupadmin. I have deleted the timeouts for users in the admin.conf file in dialup admin. I still seem to have users being disconnected after 2hrs with Session-Timeout as the cause. How could I remedy this ?? The admin.conf has nothing to do with the user information in the database. You should change the user attributes for things to work ok. Thanks Doron Shmaryahu -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radkill
On Sat, 18 Oct 2003, Matthew wrote: Is it possible to use Radkill or something similar to use the accounting logs to determine who the heaviest users are and kick them off line if there is only one free line left on the portmaster? I want the accounting to be based on the last 30 days of usage not just the current session. This way the line campers would be kicked off rather than giving busy signals to everyone else at peak times. If there are plenty of lines though no one would be kicked. One easy way is to just setup a monthly counter for all your users (see rlm_counter). What you are trying to do is quite difficult. For instance how will you be able to stop the disconnected users from reconnecting after you've kicked them out? Matt - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: attr_rewrite documentation?
On Fri, 17 Oct 2003, Steve Fulton wrote: Hi all, I'm in the process of setting up a FreeRADIUS server to replace our ancient one, and part of our requirements mean using attr_rewrite. Is there any decent documentation/how-to's out there on how it is used? Other than the comments in radiusd.conf and 'man 5 regex' none. And FWIW, I'm going to share our logic, so please feel free to poke holes in it: 1. We use [EMAIL PROTECTED]. If the realm is missing, we will use attr_write to add it. proxy.conf: realm NULL{ [...] } 2. Since we're AAA'ing using a SQL database, the username needs to be parsed so that the username and the realm/domain is split. Then those, plus the password, are checked against the SQL DB. This is done automatically by the realm module. Seem sane to you? Yes but you probably don't need to even use the attr_rewrite module -- Stephen. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_counter and rlm_sqlcounter
On Sun, 19 Oct 2003, apellido jr., wilfredo p wrote: Have a nice day Mr. Kalevras, I just question regarding counter attribute, is this possible to add this attribute in rlm_sqlcounter? or it is just for rlm_counter? Both rlm_counter and rlm_sqlcounter support user define reset, i tried to change the default reset of sql_monthlycounter and counter Monthly to 3 months and here's the LOG daywalker# radiusd -xx Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf [...] Module: Loaded Counter counter: filename = /etc/raddb/db.monthly counter: key = User-name counter: reset = 3m counter: count-attribute = Acct-Session-Time counter: counter-name = Monthly-Session-Time counter: check-name = Max-Monthly-Session counter: allowed-servicetype = Framed-User counter: cache-size = 5000 rlm_counter: Counter attribute Monthly-Session-Time is number 1081 rlm_counter: num=3, last=m rlm_counter: Current Time: 1066614025, Next reset 1072886400 You could try using the cvs version of rlm_counter, it will print the current time and next reset time in human readable form. In any case for rlm_counter the next is after 72 days which is probably at the first day of the third month ahead. [...] 
Module: Loaded SQL Counter sqlcounter: counter-name = Monthly-Session-Time sqlcounter: check-name = Max-Monthly-Session sqlcounter: key = User-Name sqlcounter: sqlmod-inst = sqlcca3 sqlcounter: query = SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime FROM_UNIXTIME('%b') sqlcounter: reset = 3m rlm_sqlcounter: Counter attribute Monthly-Session-Time is number 1081 rlm_sqlcounter: Check attribute Max-Monthly-Session is number 1082 rlm_sqlcounter: num=1, last=m rlm_sqlcounter: Current Time: 1066614026 [2003-10-20 09:40:26], Next reset 1067616000 [2003-11-01 00:00:00] rlm_sqlcounter: num=3, last=m rlm_sqlcounter: Current Time: 1066614026 [2003-10-20 09:40:26], Prev reset 1059667200 [2003-08-01 00:00:00] Module: Instantiated sqlcounter (monthlycounter) why isnt it the next reset STILL first day of the month? As for rlm_sqlcounter i don't know. = [ apellido jr., wilfredo p. ] +63 034 4880-449 If you can't hear me, it's because i'm in parentheses. __ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication with FreeRadius and /etc/shadow
José Berenguer [EMAIL PROTECTED] wrote: We are trying to authenticate users with FreeRadius 0.9.2 against the /etc/shadow file in a Solaris system, but we always get an error like this: Info: Ready to process requests. Info: rlm_eap_md5: Issuing Challenge Auth: Login OK: [jose/no User-Password attribute] Info: rlm_eap_md5: No password configured for this user Auth: Login incorrect: [jose/no User-Password attribute] System authentication will NEVER work for EAP-MD5. It's CHAP. See the FAQ. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: dialup_admin: log_badlogins problem
I had to download dialup-admin from the cvs snapshot to allow [EMAIL PROTECTED]. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Monday, October 20, 2003 8:57 AM To: [EMAIL PROTECTED] Subject: RE: dialup_admin: log_badlogins problem On Fri, 17 Oct 2003, Kenny Olano wrote: I fixed that issue. I had to run it as perl log_badlogins /path/to/radius.log. But now when it logs the bad logins, The username is just a -. That probably has to do with the form of your usernames. log_badlogins will only log usernames matching the regex [EMAIL PROTECTED] for now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Friday, October 17, 2003 9:25 AM To: Freeradius-Users Subject: Re: dialup_admin: log_badlogins problem On Fri, 17 Oct 2003, Kenny Olano wrote: I'm trying to run log_badlogin but I keep getting the following error sh: /usr/local/mysql/bin/mysql: No such file or directory I am pointing the $mysql variable to right path /usr/bin/mysql Why does it still try to use /usr/local/mysql/bin/mysql ? I even tried commenting out the insert command but I still get this error. Any help will be appreciated. As long as you have something like: $mysql='/usr/bin/mysql'; in your log_badlogins it should work just fine... Kenny Olano Web Programmer Practical Solutions - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? 
See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
manually updating AcctStopTime
Hello I am using freeradius 07.1 with mysql. I am working on script that will update the AcctStopTime manually, But I have noticed that when that is done and the radius server receives the accounting stop packets it doesn't update the record but inserts an entire new record. Any way of stopping this? Kenny Olano Web Programmer Practical Solutions 1561 Virginia Avenue Suite 207A College Park, GA 30337 404-762-5600 x103 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: manually updating AcctStopTime
On Mon, 20 Oct 2003, Kenny Olano wrote: Hello I am using freeradius 07.1 with mysql. I am working on script that will update the AcctStopTime manually, But I have noticed that when that is done and the radius server receives the accounting stop packets it doesn't update the record but inserts an entire new record. Any way of stopping this? Have you read the sql.conf file? the accounting-stop query will do an 'update where acctstoptime = 0' If acctstoptime has been changed then the query will fail and the server will fall back to an insert Kenny Olano Web Programmer Practical Solutions 1561 Virginia Avenue Suite 207A College Park, GA 30337 404-762-5600 x103 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: manually updating AcctStopTime
I guess I should have read the sql.conf file before I posted this. Sorry about that. Would there be any damage caused if I remove accstoptime = 0 from the sql clause? By damage I mean any type of database corruption or the wrong records being updated. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Monday, October 20, 2003 10:27 AM To: Freeradius-Users Subject: Re: manually updating AcctStopTime On Mon, 20 Oct 2003, Kenny Olano wrote: Hello I am using freeradius 07.1 with mysql. I am working on script that will update the AcctStopTime manually, But I have noticed that when that is done and the radius server receives the accounting stop packets it doesn't update the record but inserts an entire new record. Any way of stopping this? Have you read the sql.conf file? the accounting-stop query will do an 'update where acctstoptime = 0' If acctstoptime has been changed then the query will fail and the server will fall back to an insert Kenny Olano Web Programmer Practical Solutions 1561 Virginia Avenue Suite 207A College Park, GA 30337 404-762-5600 x103 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: manually updating AcctStopTime
On Mon, 20 Oct 2003, Kenny Olano wrote: I guess I should have read the sql.conf file before I posted this. Sorry about that. Would there be any damage caused if I remove accstoptime = 0 from the sql clause? By damage I mean any type of database corruption or the wrong records being updated. Probably not as long as the acct-session-id (and probably acct-unique-id) fields are unique... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Monday, October 20, 2003 10:27 AM To: Freeradius-Users Subject: Re: manually updating AcctStopTime On Mon, 20 Oct 2003, Kenny Olano wrote: Hello I am using freeradius 07.1 with mysql. I am working on script that will update the AcctStopTime manually, But I have noticed that when that is done and the radius server receives the accounting stop packets it doesn't update the record but inserts an entire new record. Any way of stopping this? Have you read the sql.conf file? the accounting-stop query will do an 'update where acctstoptime = 0' If acctstoptime has been changed then the query will fail and the server will fall back to an insert Kenny Olano Web Programmer Practical Solutions 1561 Virginia Avenue Suite 207A College Park, GA 30337 404-762-5600 x103 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: manually updating AcctStopTime
Thanks for your help Kostas. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Monday, October 20, 2003 10:40 AM To: [EMAIL PROTECTED] Subject: RE: manually updating AcctStopTime On Mon, 20 Oct 2003, Kenny Olano wrote: I guess I should have read the sql.conf file before I posted this. Sorry about that. Would there be any damage caused if I remove accstoptime = 0 from the sql clause? By damage I mean any type of database corruption or the wrong records being updated. Probably not as long as the acct-session-id (and probably acct-unique-id) fields are unique... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Monday, October 20, 2003 10:27 AM To: Freeradius-Users Subject: Re: manually updating AcctStopTime On Mon, 20 Oct 2003, Kenny Olano wrote: Hello I am using freeradius 07.1 with mysql. I am working on script that will update the AcctStopTime manually, But I have noticed that when that is done and the radius server receives the accounting stop packets it doesn't update the record but inserts an entire new record. Any way of stopping this? Have you read the sql.conf file? the accounting-stop query will do an 'update where acctstoptime = 0' If acctstoptime has been changed then the query will fail and the server will fall back to an insert Kenny Olano Web Programmer Practical Solutions 1561 Virginia Avenue Suite 207A College Park, GA 30337 404-762-5600 x103 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? 
See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
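The update-then-insert fallback discussed in this thread, reproduced as an added example (it is not FreeRADIUS code and not the queries shipped in sql.conf). SQLite stands in for MySQL; the cut-down table, the match on session id plus user name, the helper names and the sample sessions are all constructed assumptions.

```python
import sqlite3

# Constructed, cut-down stand-in for the radacct table (not the shipped schema).
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId   TEXT    NOT NULL,
    UserName        TEXT    NOT NULL,
    AcctStartTime   INTEGER NOT NULL,
    AcctStopTime    INTEGER NOT NULL DEFAULT 0,
    AcctSessionTime INTEGER NOT NULL DEFAULT 0
)
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def acct_start(db, session_id, user, start):
    db.execute(
        "INSERT INTO radacct (AcctSessionId, UserName, AcctStartTime) "
        "VALUES (?, ?, ?)", (session_id, user, start))


def acct_stop(db, session_id, user, stop, session_time, require_open=True):
    """Handle an accounting stop: update the session row, else insert one.

    require_open=True keeps the 'AcctStopTime = 0' condition from the thread;
    require_open=False models removing it. Returns (action, rows_updated).
    """
    sql = ("UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ? "
           "WHERE AcctSessionId = ? AND UserName = ?")
    if require_open:
        sql += " AND AcctStopTime = 0"
    updated = db.execute(sql, (stop, session_time, session_id, user)).rowcount
    if updated:
        return "update", updated
    # Nothing matched: fall back to inserting a complete record.
    db.execute(
        "INSERT INTO radacct (AcctSessionId, UserName, AcctStartTime, "
        "AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?, ?)",
        (session_id, user, stop - session_time, stop, session_time))
    return "insert", 0


def rows(db, session_id):
    return db.execute(
        "SELECT AcctStartTime, AcctStopTime, AcctSessionTime FROM radacct "
        "WHERE AcctSessionId = ? ORDER BY RadAcctId", (session_id,)).fetchall()


def manual_close_then_stop(require_open):
    """A script sets AcctStopTime by hand, then the NAS sends the real stop."""
    db = new_db()
    acct_start(db, "0000A1", "user1", 1000)
    db.execute("UPDATE radacct SET AcctStopTime = 1500 "
               "WHERE AcctSessionId = '0000A1'")
    result = acct_stop(db, "0000A1", "user1", 1600, 600, require_open)
    return result, rows(db, "0000A1")


def reused_session_id(require_open):
    """Constructed case: the same session id shows up for a later session."""
    db = new_db()
    acct_start(db, "0000A1", "user1", 1000)
    acct_stop(db, "0000A1", "user1", 1600, 600)
    acct_start(db, "0000A1", "user1", 5000)   # new session, same id
    result = acct_stop(db, "0000A1", "user1", 5300, 300, require_open)
    return result, rows(db, "0000A1")


if __name__ == "__main__":
    for scenario in (manual_close_then_stop, reused_session_id):
        for require_open in (True, False):
            print(scenario.__name__, require_open, scenario(require_open))
```

With the condition in place, the hand-closed session ends up as two records; without it, the stop updates the existing record, but a reused session id lets one stop packet overwrite an older, already closed record as well.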
Re: 0.9.1 and bad logins
Bill [EMAIL PROTECTED] wrote: What does this mean? I don't understand the -s according to the radiusd man page. When I do a ps ax and review my logs Radius appears to be running normally. It means that there are still threading issues with some system calls. FreeRADIUS has its own internal locks which prevent it from making more than one call to the getpwent(), etc. functions at a time. It appears that either more locks are needed, or that the existing locks don't work. Since you're the only one having problems, I believe it's most likely a local system issue. There's not much I can suggest as to how to fix that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Importing /etc/passwd file to PostgreSQL DB
I have freeradius 0.9.1 up and running using pgsql. I would like to import /etc/passwd into the radius db. I have manually entered a user into the radius db and have been able to authenticate the user fine, but am unclear as to how I can import the passwd file in the db. Any help would be appreciated. I have looked high and low on the mailing list and google. thanx Carol B. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assign wireless users to VLANs on CISCO AP1230
# ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag ATTRIBUTE Tunnel-Private-Group-Id 81 integer has_tag I have no clue why you would change that. See: http://www.freeradius.org/rfc/attributes.html Click on the Tunnel-Private-Group-Id link, and read the text. Sorry if I wasn't clear enough. When I read the CISCO configuration guide, it says : These are the RADIUS user attributes used for vlan-id assignment. Each attribute must have a common Tag value to identify the grouped relationship. IETF 64 (Tunnel Type): Set this attribute to VLAN IETF 65 (Tunnel Medium Type): Set this attribute to 802 IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id I'm not perfectly bilingual, but I understand that my AP is expecting the attributes VLAN, 802 and the VLAN-ID vlan-id is not a string, it's an integer for CISCO (for instance, in my WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id) Don't play games with the dictionaries unless you know what you're doing. Change the entries back, and I'll bet it will work. unfortunately not. But be sure that before bothering the mailing list, I tried to make it work without making any change to the dictionaries : jmguillemot Auth-Type := eap, User-Password == X Service-Type = Login-User, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = teacher ...without success. thanks anyway for the help. Jean-Marie - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius and BreezeAccess...
First a pre-question, how can I see a DUMP of radius accounting packets that are entering my freeradius? Second, has anyone used freeradius to collect radius accounting from BreezeAccess wireless devices? The peculiar thing with these units is that they are sending some interesting info in Vendor-Specific attributes, but freeradius complains that: Mon Oct 20 18:39:07 2003 : Error: WARNING: Malformed RADIUS packet from host 192.168.2.10: Vendor specific attributes do not exactly fill Vendor-Specific -- Damjan Georgievski jabberID: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assign wireless users to VLANs on CISCO AP1230
Jean-Marie GUILLEMOT [EMAIL PROTECTED] wrote: These are the RADIUS user attributes used for vlan-id assignment. Each attribute must have a common Tag value to identify the grouped relationship. IETF 64 (Tunnel Type): Set this attribute to VLAN IETF 65 (Tunnel Medium Type): Set this attribute to 802 IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id I'm not perfectly bilingual, but I understand that my AP is expecting the attributes VLAN, 802 and the VLAN-ID No. Read the 'dictionary.tunnel' file. VLAN is a name for the value 13 for the attribute Tunnel-Type. 802 is the name for the value 6 for the attribute Tunnel-Medium-Type. The Tunnel-Private-Group-Id attribute is of type string, so the value inside of it should be a string representation of the vlan-id. vlan-id is not a string, it's an integer for CISCO (for instance, in my WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id) It can still be sent as the string 10. But be sure that before bothering the mailing list, I tried to make it work without making any change to the dictionaries : jmguillemot Auth-Type := eap, User-Password == X Service-Type = Login-User, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = teacher teacher? That's the SSID. Did the documentation not say to use the vlan-id, NOT the SSID? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assign wireless users to VLANs on CISCO AP1230
hi These are the RADIUS user attributes used for vlan-id assignment. Each attribute must have a common Tag value to identify the grouped relationship. IETF 64 (Tunnel Type): Set this attribute to VLAN IETF 65 (Tunnel Medium Type): Set this attribute to 802 IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id I'm not perfectly bilingual, but I understand that my AP is expecting the attributes VLAN, 802 and the VLAN-ID no, your AP wants the attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID and the VALUEs should be as you say. there is no need to change the dictionaries for that. vlan-id is not a string, it's an integer for CISCO (for instance, in my WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id) that doesn't prove anything. 10 is a perfect string. jmguillemot Auth-Type := eap, User-Password == X Service-Type = Login-User, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = teacher ...without success. please always post the server debug output (radiusd -s -X) as requested by the FAQ. btw.: auth-type shouldn't be explicitly set to eap ... ciao artur - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
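How the three attributes from this thread look on the wire when encoded as RFC 2868 tagged attributes, with VLAN 10 sent as the string "10". This is an added example, not code from the thread or from FreeRADIUS; the function names are hypothetical.

```python
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13        # Tunnel-Type value that the dictionary names VLAN
IEEE_802 = 6     # Tunnel-Medium-Type value that the dictionary names IEEE-802


def check_tag(tag):
    # A non-zero tag (1..31) is what groups the three attributes together.
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be in the range 1..31")


def tagged_integer(atype, tag, value):
    """Tag octet followed by a 3-octet value (Tunnel-Type, Tunnel-Medium-Type)."""
    check_tag(tag)
    return bytes([atype, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(atype, tag, text):
    """Tag octet followed by the string (Tunnel-Private-Group-Id)."""
    check_tag(tag)
    body = bytes([tag]) + text.encode("ascii")
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([atype, len(body) + 2]) + body


def vlan_reply(vlan_id, tag=1):
    """Encode the reply attributes that assign a user to `vlan_id`."""
    if (isinstance(vlan_id, bool) or not isinstance(vlan_id, int)
            or not 1 <= vlan_id <= 4094):
        raise ValueError(f"{vlan_id!r} is not a VLAN id; an SSID does not belong here")
    return (tagged_integer(TUNNEL_TYPE, tag, VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            # The integer vlan-id travels as its decimal string form.
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_tagged(attribute):
    """Decode one encoded tunnel attribute into (type, tag, value)."""
    if len(attribute) < 3 or attribute[1] != len(attribute):
        raise ValueError("length octet does not match the attribute")
    atype, body = attribute[0], attribute[2:]
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(body) != 4:
            raise ValueError("expected a tag octet and a 3-octet value")
        return atype, body[0], int.from_bytes(body[1:], "big")
    if atype == TUNNEL_PRIVATE_GROUP_ID:
        # A first octet above 0x1F is part of the string, i.e. there is no tag.
        if body[0] <= 0x1F:
            return atype, body[0], body[1:].decode("ascii")
        return atype, 0, body.decode("ascii")
    raise ValueError(f"attribute {atype} is not handled in this example")


if __name__ == "__main__":
    packet = vlan_reply(10)
    print(packet.hex())
    for offset, size in ((0, 6), (6, 6), (12, 5)):
        print(decode_tagged(packet[offset:offset + size]))
```

Because the digits of a VLAN id are all above 0x1F, a receiver can tell a tagged `"10"` from an untagged one by the first octet alone.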
Re: FreeRadius and BreezeAccess...
Damjan [EMAIL PROTECTED] wrote: First a pre-question, how can I see a DUMP of radius accounting packets that are entering my freeradius? www.tcpdump.org Second, has anyone used freeradius to collect radius accounting from BreezeAccess wireless devices? The peculiar thing with these units is that they are sending some interesting info in Vendor-Specific attributes, but freeradius complains that: Mon Oct 20 18:39:07 2003 : Error: WARNING: Malformed RADIUS packet from host 192.168.2.10: Vendor specific attributes do not exactly fill Vendor-Specific Breezecom has chosen to ignore the RFC's. Therefore, their hardware is not fully RADIUS compliant. We may add hacks to FreeRADIUS to make this work, before version 1.0 is released. But the problem is definitely caused by Breezecom choosing to ignore the RFC recommendations, and do something which is intentionally broken. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Access-Reject has no Reply-Message (2nd try)
From: 野村 建 Sent: Monday, 20 October 2003 6:35 PM I want my freeradius server to send Access-Reject packet with Reply-Message in it, so that NAS can alert user when authentication fails. But, it's not working so far. When authentication succeeds, my freeradius server sends Access-Accept packet with Reply-Message in it. But when authentication fails, it sends Access Reject packet with no Reply-Message in it.. So my question is why my freeradius doesn't include Reply-Message into Access-Reject packet, and how can I fix this problem? ---users [EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-address = 192.168.200.1, Framed-IP-Netmask = 255.255.255.0, Session-Timeout = 30, Reply-Message="111", Reply-Message="222", Reply-Message="333", As you've observed, this will only add a Reply-Message if the authentication succeeds. In the same way as it will only give an IP address or Session Timeout if it succeeds. As for how to send a Reply-Message on failure, I dunno off hand. :-) -- Paul "TBBle" Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED] On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius and BreezeAccess...
>> First a pre-question, how can I see a DUMP of radius accounting packets
>> that are entering my freeradius?
>
> www.tcpdump.org

Didn't mean about a dump on that level... I meant how freeradius sees or interprets the packet..

>> Second, has anyone used freeradius to collect radius accounting from
>> BreezeAccess wireless devices?
>> The peculiar thing with these units is that they are sending some
>> interesting info in Vendor-Specific attributes, but freeradius complains
>> that:
>>
>> Mon Oct 20 18:39:07 2003 : Error: WARNING: Malformed RADIUS packet from host 192.168.2.10: Vendor specific attributes do not exactly fill Vendor-Specific
>
> Breezecom has chosen to ignore the RFC's. Therefore, their hardware is
> not fully RADIUS compliant.

yes I know that, hoped someone maybe got it to work...
thanks anyway.

--
Damjan Georgievski
jabberID: [EMAIL PROTECTED]
Re: FreeRadius and BreezeAccess...
Damjan [EMAIL PROTECTED] wrote:
>> www.tcpdump.org
>
> Didn't mean about a dump on that level... I meant how freeradius sees or
> interprets the packet..

FreeRADIUS sees the same packet as tcpdump. Any other information is printed out in debugging mode.

> yes I know that, hoped someone maybe got it to work...

You've got source. Hack the server so that Vendor-Specific is not treated specially, but is instead treated like an attribute of type 'octets'.

Alan DeKok.
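The "do not exactly fill Vendor-Specific" check discussed in this thread, and the fallback of treating the value as plain octets, sketched as an added example that is not code from FreeRADIUS or from any poster. It follows the layout RFC 2865 section 5.26 recommends; the sample values are constructed (the thread does not show the BreezeAccess encoding) and the `attr`, `parse_attributes` and `parse_vsa` names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26  # attribute type, RFC 2865 section 5.26

def attr(atype, value):
    """Encode one attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(area):
    """Split a RADIUS attribute area into (type, value) pairs."""
    out, pos = [], 0
    while pos < len(area):
        if len(area) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = area[pos], area[pos + 1]
        if alen < 2 or pos + alen > len(area):
            raise ValueError("attribute %d overruns the packet" % atype)
        out.append((atype, area[pos + 2:pos + alen]))
        pos += alen
    return out

def parse_vsa(value, strict=True):
    """Decode a Vendor-Specific value into (vendor_id, sub-attributes).

    strict=True rejects a value whose sub-attributes do not exactly fill it.
    strict=False returns such a value as (vendor_id, raw octets) instead.
    """
    if len(value) < 5:
        raise ValueError("Vendor-Specific shorter than Vendor-Id plus data")
    vendor_id = struct.unpack("!I", value[:4])[0]
    body, subs, pos = value[4:], [], 0
    while pos < len(body):
        vlen = body[pos + 1] if pos + 1 < len(body) else 0
        if vlen < 2 or pos + vlen > len(body):
            if strict:
                raise ValueError("sub-attributes do not exactly fill Vendor-Specific")
            return vendor_id, body          # opaque 'octets' fallback
        subs.append((body[pos], body[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs

# Constructed samples; 32473 is the enterprise number reserved for documentation.
GOOD = struct.pack("!I", 32473) + attr(1, b"abcd") + attr(2, b"x")
BAD = struct.pack("!I", 32473) + bytes([1, 9]) + b"abcd"   # claims 9 octets, has 6

if __name__ == "__main__":
    area = attr(1, b"bob") + attr(VENDOR_SPECIFIC, BAD)
    for atype, value in parse_attributes(area):
        if atype == VENDOR_SPECIFIC:
            print(parse_vsa(value, strict=False))
```

With `strict=False` the malformed value is still length-checked at the outer attribute level, so the fallback only relaxes the vendor sub-attribute layout, not the bounds of the packet.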
newbie question about rlm_radutmp
I've got freeradius 0.9.1 configured and running on a sun enterprise ultra 2 with gentoo linux. When I try to authenticate from an Ascend Max 6000, I'm getting the following message in the radius.log:

Error: rlm_radutmp: Logout for NAS max6000 port 20101, but no Login record

The radutmp file is empty. I have not found much information on the radutmp module and how it works.

I'm also getting the following entry in the log file:

Error: Received Accounting-Request packet from ascend-IP-address with invalid signature! (Shared secret is incorrect.)

I have double and triple-checked the passwords on the Ascend box to confirm that they match the secret in the clients.conf file.

I appreciate any help that you folks can give me with these 2 issues.

Jeff Mello
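The check behind an "invalid signature" message on an Accounting-Request, as RFC 2866 defines it, shown as an added example that is not from the post or from FreeRADIUS. The packet, the secret and the function names are constructed for illustration; only the NAS port number is taken from the log line above.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # packet code, RFC 2866 section 3
HEADER_LEN = 20          # code, identifier, length, 16-octet authenticator

def acct_authenticator(ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()

def build_acct_request(ident, attrs, secret):
    """What a NAS sends: header, authenticator, then the attributes."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return head + acct_authenticator(ident, attrs, secret) + attrs

def check_acct_request(packet, secret):
    """True when the packet was signed with `secret`, False otherwise."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs = packet[HEADER_LEN:length]        # octets past Length are padding
    expected = acct_authenticator(ident, attrs, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

# Constructed sample: Acct-Status-Type (40) = Stop (2), NAS-Port (5) = 20101.
ATTRS = bytes([40, 6]) + struct.pack("!I", 2) + bytes([5, 6]) + struct.pack("!I", 20101)
PACKET = build_acct_request(7, ATTRS, b"nas-secret")   # constructed secret

if __name__ == "__main__":
    print(check_acct_request(PACKET, b"nas-secret"))    # same secret on both sides
    print(check_acct_request(PACKET, b"nas-secret "))   # trailing space on one side
```

Because the digest covers every attribute as well as the secret, a packet altered in transit fails the same check as one signed with a different secret.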
PPTP+RADIUS+LDAP+MSCHAP
Hi.

I'm a newbie to radius and am trying to get mschap to authenticate over ppp using an ldap server. I have read through many archives and checked the faq's but still no luck. I can authenticate successfully using text passwords and everything works fine connecting to poptop without radius. I am storing the userpassword as text in ldap. radiusd.conf and the output from radius are below. Any help would be appreciated!

tia

radiusd.conf:

modules {
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }
    ldap {
        server = 10.1.1.2
        identity = cn=Manager,dc=tsoftware,dc=com
        password = mypass
        basedn = dc=tsoftware,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = {clear}
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # access_attr_used_for_allow = yes
    }
}

authorize {
    preprocess
    ldap
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    # Auth-Type LDAP {
    #     ldap
    # }
}

radiusd output:

rad_recv: Access-Request packet from host 127.0.0.1:32807, id=111, length=59
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = RadiusTestUID
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for RadiusTestUID
radius_xlat: '(uid=RadiusTestUID)'
radius_xlat: 'dc=tsoftware,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.1.2:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=tsoftware,dc=com/mypass to 10.1.1.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=tsoftware,dc=com, with filter (uid=RadiusTestUID)
rlm_ldap: checking if remote access for RadiusTestUID is allowed by dialupAccess
rlm_ldap: Password header not found in password usertestpwd for user RadiusTestUID
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user RadiusTestUID authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 111 to 127.0.0.1:32807
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 111 with timestamp 3f9438ca
Nothing to do. Sleeping until we see a request.
Re: PPTP+RADIUS+LDAP+MSCHAP
Jason Schultz [EMAIL PROTECTED] wrote:
> I'm a newbie to radius and am trying to get mschap to authenticate over
> ppp using an ldap server. I have read through many archives and checked
> the faq's but still no luck.

The output of the server helps, too.

> rlm_ldap: Password header not found in password usertestpwd for user RadiusTestUID

In the 'ldap' module, you've got:

    password_header = {clear}

Try adding that to the password in LDAP.

> rad_recv: Access-Request packet from host 127.0.0.1:32807, id=111, length=59
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     User-Name = RadiusTestUID
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 0

And that's an Access-Request without a password, CHAP password, or MS-CHAP password. The server will *never* authenticate it.

> modcall[authorize]: module mschap returns noop for request 0

The mschap module hasn't seen anything it recognizes in the packet. MS-CHAP will never work with that packet.

Alan DeKok.
Re: expired certificate
Sorry, arniel, I don't have a concrete answer for you. I'm still trying to get my first EAP/TLS client going. It's been about 3 days working on it. The certificate stuff is the worst.

Here is a thread that might shed some light: http://www.mail-archive.com/[EMAIL PROTECTED]/msg20440.html. I think the key is where the discussion mentions that the certificates don't include a real user name as login would understand it. The supplicant has a certificate and it either matches one on the server or it doesn't. It's kind of anonymous that way. Everyone could have the same cert and get on the net that way. You're either in the group that can use the AP or you're not. From a security standpoint, this is disturbing. Sure, you probably can't brute force it anymore but if you can human engineer yourself a cert, no one will ever know you're in and don't belong.

It still looks like you have to use supplicant tools to install the cert.

And now, here are my issues: I'd like to know if the latest versions of OpenSSL (I have 0.9.6b-29 from redhat 8) and FreeRADIUS (0.9.2) will work with the latest XP clients (I have XP SP1 with latest patches from Windows Update). If not, who knows what will work? Please don't tell me that in the 19 months since March 2002, OpenSSL hasn't had the extra code (SNAP?) put into the main tree. I saw somewhere that OpenSSL 0.9.7c was used by someone for EAP/TLS successfully. Is my 0.9.6b-29 OK?

FYI - for the best tutorial I've seen so far about EAP/TLS certificates in general, Cisco has a good start: http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

I realize that RADIUS is only one piece of EAP/TLS but it's an important piece. IMO there should be a section in the FAQ by now.

Dana Bourgeois

--__--__--

Message: 2
From: arniel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: expired certificate
Date: Sun, 19 Oct 2003 16:34:15 +0800
Reply-To: [EMAIL PROTECTED]

Hi Guys,

I am implementing EAP-TLS on my network using Freeradius. Just want to ask if there is a better way of re-certifying my client certificate if ever it is already expired? For now, I am doing the manual thing... I have to go over from scratch, like copying root.der and client.p12 and copy it to my clients PC. Then prior to that I also have to remove the expired certificate and replace it with a new one. It's really tedious to do if i have like 10 wireless clients.

Please advise...

Thanks
arniel
Problem running freeradius server
Hi Everyone,

This is the first time i am using freeradius server. I tried running the free radius server in the debug mode, but it gave me error like

failed to link to module 'rlm_expr' file not found

There is no such module on my redhat 9 m/c. i just want to allow a user defined in the users file to send a request to the server. Right now i have commented almost all lines in the radiusd.conf file. Now the server runs, but when the client from the localhost try to access it. it says access denied. can anybody tell me what is the required minimum configuration file for this.

awaiting a positive reply

Pinkesh
Authentication based on interface?
I have a Cisco 3600 with 2 physical interfaces (2 ISDN PRIs) and want to make 2 usergroups with separate access to them (ex. group1 can login only from Serial0/0, and group2 - Serial1/0). How could that be done?
test scripts question..
Hi, I just wanted to know if FreeRadius has any test scripts that I can run. I looked at 'radtest'/ 'radclient' frontend command line tool. But I was looking for some scripts to generate and test various VSAs and such. Any ideas ? Thanks,
doc/tips to configure/enable VSA on FreeRadius.
Hi, I looked at doc directory, but could not find any document how to configure/enable VSAs in FreeRadius. I just see the 'dictionary' file, but not the 'vendors' file. Where are vendor attribute mappings to be defined ? Thanks,
Re: core dump using freeradius0.9.2 with FreeBSD 5.1
Can't find the core although it say in log

Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on signal 4 (core dumped)
Mon Oct 20 11:41:50 2003 : Error: rlm_ldap: uniqueIdentifier=208173,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout

When running FB 5.1 with 0.9.2, at first it will running OK .. then around 15 minutes it will die BOTH error log appear... Then when i switch to 0.9.0 ... no core error but only rlm_ldap error

Currently no authentication is forwarded to above server... I've reverted to my FB 4.8 with 0.9.2 that running fine...

What should i do without the CORE??

--haizam

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 20, 2003 8:43 PM
Subject: Re: core dump using freeradius0.9.2 with FreeBSD 5.1

On Mon, 20 Oct 2003, Rohaizam Abu Bakar wrote:
> even 0.9.0 having problem with FreeBSD 5.1 ... something about rlm_ldap

Please read doc/bugs and send a backtrace of the core dump to the list. Thanks

> --haizam
>
> - Original Message -
> From: Rohaizam Abu Bakar
> To: [EMAIL PROTECTED]
> Sent: Monday, October 20, 2003 6:53 PM
> Subject: core dump using freeradius0.9.2 with FreeBSD 5.1
>
> Using freeradius 0.9.2 with FreeBSD 5.1.. All compilations seems Ok...
> even starting up doesn't give any problem... But once pumping load into
> it (not that heavy)... then it keep core dumping as shown in below log..
> Currently i revert back to freeradius 0.9.0 with my FreeBSD 5.1 ...
> FYI... freeradius 0.9.2 inside my FreeBSD 4.8 running fine...
>
> LOG =
> i) from system log
> Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on signal 4 (core dumped)
> Oct 20 16:42:20 radius3 kernel: Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on signal 4 (core dumped)
> Oct 20 17:02:02 radius3 kernel: pid 68054 (radiusd), uid 0: exited on signal 4 (core dumped)
> Oct 20 17:02:02 radius3 kernel: Oct 20 17:02:02 radius3 kernel: pid 68054 (radiusd), uid 0: exited on signal 4 (core dumped)
> Oct 20 17:34:01 radius3 kernel: pid 69185 (radiusd), uid 0: exited on signal 4 (core dumped)
> Oct 20 17:34:01 radius3 kernel: Oct 20 17:34:01 radius3 kernel: pid 69185 (radiusd), uid 0: exited on signal 4 (core dumped)
> Oct 20 17:46:27 radius3 kernel: pid 69671 (radiusd), uid 0: exited on signal 4 (core dumped)
> Oct 20 17:46:27 radius3 kernel: Oct 20 17:46:27 radius3 kernel: pid 69671 (radiusd), uid 0: exited on signal 4 (core dumped)
>
> ii) from radius.log
> Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=227523,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: uniqueIdentifier=717710,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
> Mon Oct 20 18:37:03 2003 : Error: rlm_ldap: uniqueIdentifier=983053,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: timeout
>
> --haizam

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf