RE: How to start/stop/restart FR

2003-12-15 Thread Deramus, Chris





Ripunjay,


I have been running FreeRADIUS successfully for over a year on various versions of Redhat. I simply just copied the radiusd executable into /etc/init.d and created a symbolic link to this file in /etc/rc3.d

Each time the machine is restarted or powered on it will then start this process. When I terminate the process I usually just execute a pkill -9 rad which is not the recommended way but it's a bad habit that I have :).

Thanks,


Chris DeRamus
OCIO VPN Administrator
SAIC



-Original Message-
From: Ripunjay Bararia [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 15, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: How to start/stop/restart FR



hi
just had this silly question


what is the preferred/normal way to start/stop/restart FR running on a RedHat box with or without init.d scripts


Ripunjay Bararia



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
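An added example, not Chris's script or anything posted in the thread: a small SysV-style control script for radiusd that starts it, and stops it by sending SIGTERM to the pid recorded in its pidfile and waiting for the process to go away, rather than `pkill -9 rad`, which matches any process whose name contains "rad" and gives radiusd no chance to exit cleanly. The radiusd path is an assumption; the pidfile path is the one the 0.8.1 debug output further down this page reports (`main: pidfile = ...`), so adjust both to match your build. It can be dropped into /etc/init.d and symlinked from rc3.d the way the message above describes.

```shell
#!/bin/sh
# Added example (not from the list thread): minimal control script for radiusd.
# Stops the daemon through its pidfile with SIGTERM instead of "pkill -9 rad".
# Paths are assumptions; PIDFILE matches the radiusd -X output quoted on this page.

RADIUSD=${RADIUSD:-/usr/local/sbin/radiusd}                # assumed install path
PIDFILE=${PIDFILE:-/usr/local/var/run/radiusd/radiusd.pid}

# Print the pid recorded in $PIDFILE; fail unless it is a plain positive integer.
# A pidfile with anything else in it must never be fed to kill(1).
pid_from_file() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(head -n 1 "$PIDFILE" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$pid"
}

# Succeed when the recorded pid names a live process we are allowed to signal.
radiusd_running() {
    pid=$(pid_from_file) || return 1
    kill -0 "$pid" 2>/dev/null
}

start_radiusd() {
    if radiusd_running; then
        echo "radiusd already running (pid $(pid_from_file))"
        return 0
    fi
    "$RADIUSD"          # radiusd detaches itself and writes $PIDFILE
}

# Send SIGTERM to the recorded pid and wait up to $1 seconds (default 10) for exit.
# Fails if the pidfile is unusable or the process is still alive afterwards.
stop_radiusd() {
    timeout=${1:-10}
    pid=$(pid_from_file) || { echo "no valid pidfile at $PIDFILE" >&2; return 1; }
    kill -TERM "$pid" 2>/dev/null || return 1
    while [ "$timeout" -gt 0 ] && kill -0 "$pid" 2>/dev/null; do
        sleep 1
        timeout=$((timeout - 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "radiusd (pid $pid) did not exit after SIGTERM" >&2
        return 1
    fi
    rm -f "$PIDFILE"
}

if [ $# -gt 0 ]; then
    case "$1" in
        start)   start_radiusd ;;
        stop)    stop_radiusd ;;
        restart) stop_radiusd && start_radiusd ;;
        status)  radiusd_running && echo "running (pid $(pid_from_file))" || echo "stopped" ;;
        *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
    esac
fi
```

`restart` only starts a new daemon once the old one has actually exited, so two copies are never bound to the same port; `status` is the check to run before and after to confirm which pid is serving.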





MySQL Success

2003-12-15 Thread Deramus, Chris



To all,

I finally got it, go figure it was a very obvious answer. I simply re-configured FreeRADIUS using the ./configure --with-static-modules="sql sql_mysql" command. When I executed a make, it errored out saying it could not find ../modules/rlm_sql_mysql. I simply made a symbolic link to include the rlm_sql_mysql sub-directory in the ../modules/ directory and re-ran make. Everything works great now, thanks!

Cordially,

Chris DeRamus
OCIO VPN Administrator
SAIC

  
-Original Message-
From: Deramus, Chris
Sent: Sunday, December 14, 2003 11:09 PM
To: '[EMAIL PROTECTED]'
Subject: RE: MySQL Help!

Chris,

Thanks for the input, however, when I updated the configure script with your extra code configure would not find lmysqlclient and prompted that I specify the path to the library files by using --with-mysql-lib=. When I put in the path to the MySQL library files, it still would not find lmysqlclient.

Any other thoughts? If I get it I'll be sure to let you know what it was, thanks so much.

Chris DeRamus
OCIO VPN Administrator
SAIC

-Original Message-
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 12, 2003 5:14 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Help!

At 03:42 PM 12/12/2003, Rob Genovesi wrote:
>oh boy, I remember kicking this around for ever as well ...
>
>My solution was to 1) be sure you have development rpms installed and
>2) do not use "--disable-shared" when running configure.  I don't know
>exactly why this changed things, but compiling with shared libraries it
>was able to find and use all the necessary mysql libs and includes.
>
>I installed the following MySQL rpms (Redhat) :
> MySQL-devel-4.0.16-0
> MySQL-shared-compat-4.0.16-0
> MySQL-client-4.0.16-0
> MySQL-server-4.0.16-0

Aha.  Mysql4 changes some stuff.  On Solaris we had to change some of the Makefiles manually to get all of the appropriate libs included to build the rlm_mysql driver.  It may be the same on RH as well.

Helpfully, MySQL 3 build syntax is not totally workable with MySQL 4 at least as far as FR is concerned.

-Chris
--
    \\\|||///  \  StarNet Inc.  \ Chris Parker
    \ ~   ~ /   \   WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



RE: MySQL Help!

2003-12-14 Thread Deramus, Chris





Chris,


Thanks for the input, however, when I updated the configure script with your extra code configure would not find lmysqlclient and prompted that I specify the path to the library files by using --with-mysql-lib=. When I put in the path to the MySQL library files, it still would not find lmysqlclient.

Any other thoughts? If I get it I'll be sure to let you know what it was, thanks so much.


Chris DeRamus
OCIO VPN Administrator
SAIC



-Original Message-
From: Chris Parker [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 12, 2003 5:14 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Help!



At 03:42 PM 12/12/2003, Rob Genovesi wrote:
>oh boy, I remember kicking this around for ever as well ...
>
>My solution was to 1) be sure you have development rpms installed and 
>2)
>do not use "--disable-shared" when running configure.  I don't know 
>exactly why this changed things, but compiling with shared libraries it 
>was able to find and use all the necessary mysql libs and includes.
>
>I installed the following MySQL rpms (Redhat) :
> MySQL-devel-4.0.16-0
> MySQL-shared-compat-4.0.16-0
> MySQL-client-4.0.16-0
> MySQL-server-4.0.16-0


Aha.  Mysql4 changes some stuff.  On Solaris we had to change some of the Makefiles manually to get all of the appropriate libs included to build the rlm_mysql driver.  It may be the same on RH as well.

Helpfully, MySQL 3 build syntax is not totally workable with MySQL 4 at least as far as FR is concerned.


-Chris
--
    \\\|||///  \  StarNet Inc.  \ Chris Parker
    \ ~   ~ /   \   WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net









RE: MySQL Help!

2003-12-14 Thread Deramus, Chris





Alan,


What file(s) should I run ldd against? 


Chris DeRamus
OCIO VPN Administrator
SAIC



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 12, 2003 4:44 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Help!



"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I have checked and verified the LD_LIBRARY_PATH variable, I have 
> updated ld.so.conf as well. I've tried multiple configuration options, 
> including disable-shared. Something isn't adding up. Any suggestions 
> would be most appreciated. Thanks and have a good weekend.


  'ldd' should tell you which libraries are needed.  Maybe MySQL needs additional libraries, which somehow aren't loaded.

  I don't know how else to help you.  The server core doesn't know
*anything* about modules/libraries, other than it asks the system to load them.  If that doesn't work, there isn't much else the server can do.

  Alan DeKok.


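An added example, not Alan's or Chris's, answering "what file(s) should I run ldd against?" radiusd loads rlm_sql from libdir, and rlm_sql then loads the driver rlm_sql_mysql; the "Could not link driver rlm_sql_mysql: file not found" message seen in this thread appears both when the driver .so is absent and when it is present but one of its own dependencies (libmysqlclient) is not on the loader's path. The script below runs ldd over every rlm_sql*.so in libdir and reports the unresolved ones. The libdir default is the "Library search path" value from the 0.8.1 debug log further down this page; the sample ldd output embedded in it is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: find which rlm_sql module or driver in
# libdir has a shared-library dependency the loader cannot resolve.
# LIBDIR default taken from the radiusd -X output on this page.

LIBDIR=${LIBDIR:-/usr/local/lib}

# Read ldd output on stdin; print the soname of every dependency ldd marked
# "=> not found", one per line.
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd on every rlm_sql*.so under $1 (default $LIBDIR). Prints one line per
# problem; returns 0 only if every object resolved all of its dependencies.
check_rlm_sql_deps() {
    dir=${1:-$LIBDIR}
    status=0
    for so in "$dir"/rlm_sql*.so; do
        if [ ! -e "$so" ]; then
            echo "no rlm_sql*.so in $dir (is libdir right, and was the driver built?)"
            return 1
        fi
        if ! out=$(ldd "$so" 2>&1); then
            # ldd itself failed: not an ELF object, wrong architecture, or no ldd
            echo "$so: ldd failed: $out"
            status=1
            continue
        fi
        miss=$(printf '%s\n' "$out" | missing_from_ldd)
        if [ -n "$miss" ]; then
            # unquoted expansion joins the one-per-line names with spaces
            echo "$so: unresolved:" $miss
            status=1
        fi
    done
    return $status
}

# Constructed ldd output (not from a real box) showing the failure mode the
# thread is about: the driver exists, but libmysqlclient does not resolve.
SAMPLE_LDD='	libmysqlclient.so.10 => not found
	libc.so.6 => /lib/libc.so.6 (0x40000000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Prints the unresolved libraries in SAMPLE_LDD (expected: libmysqlclient.so.10).
demo_missing() {
    printf '%s\n' "$SAMPLE_LDD" | missing_from_ldd
}

if [ "${1:-}" = "--check" ]; then
    check_rlm_sql_deps "${2:-$LIBDIR}"
fi
```

Run it as `sh check_rlm_sql.sh --check /usr/local/lib`. A name it reports as unresolved is the one that has to become findable: either its directory goes into ld.so.conf (followed by ldconfig) or the module is rebuilt against a MySQL client library that is installed where the loader looks. An empty report with the radiusd error still present points at libdir itself rather than at a dependency.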





MySQL Help!

2003-12-12 Thread Deramus, Chris



To all,

I have spent over 16 hours working this issue now and am completely out of ideas. I have tried RPM installations of multiple versions of MySQL, including 3.23.58 and 4.0.16. I am still getting the error message:

> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
> the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.

I have checked and verified the LD_LIBRARY_PATH variable, I have updated ld.so.conf as well. I've tried multiple configuration options, including disable-shared. Something isn't adding up. Any suggestions would be most appreciated. Thanks and have a good weekend.

Chris DeRamus
OCIO VPN Administrator
SAIC

  
-Original Message-
From: Deramus, Chris
Sent: Friday, December 12, 2003 2:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

I have checked the FreeRADIUS FAQ and followed the instructions. My ld.so.conf file has been set up correctly and is pointing to the respective library dependencies and it still is giving me the same error. I have also attempted ./configure --disable-shared and still no go. I know I do not need mysql-shared, I am honestly stumped.

Sorry to keep this thread going, I just can't seem to find much documentation on any extra steps required when running this new distro of RedHat.

Thanks,

Chris DeRamus

-Original Message-
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:
> To all --
> 
> I recently upgraded my development RADIUS box which was running RedHat 
> 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which 
> included all Mysql related packages contained on the CD's. It was 
> noted that the Enterprise installation did not contain a Mysql-devel 
> package, I am assuming it is now bundled in with one of the other 
> rpm's. I tested SQL queries from both web applications and command 
> line and everything seemed to be a go so I then configured freeradius.
> 
I believe you are mistaken.  The current MySQL development package for RHEL ES 2.1 is mysql-devel-3.23.58-1.72.

You can grab the package from the RHEL installation media, or, you can download the SRPM from a Red Hat mirror and rebuild the package:

ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm

> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found 
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in 
> the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.
> 
You'll get this until you compile FreeRADIUS with the MySQL development libraries installed.



RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

2003-12-12 Thread Deramus, Chris





I have checked the FreeRADIUS FAQ and followed the instructions. My ld.so.conf file has been set up correctly and is pointing to the respective library dependencies and it still is giving me the same error. I have also attempted ./configure --disable-shared and still no go. I know I do not need mysql-shared, I am honestly stumped.

Sorry to keep this thread going, I just can't seem to find much documentation on any extra steps required when running this new distro of RedHat.

Thanks,


Chris DeRamus



-Original Message-
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL



On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:
> To all --
> 
> I recently upgraded my development RADIUS box which was running RedHat 
> 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which 
> included all Mysql related packages contained on the CD's. It was 
> noted that the Enterprise installation did not contain a Mysql-devel 
> package, I am assuming it is now bundled in with one of the other 
> rpm's. I tested SQL queries from both web applications and command 
> line and everything seemed to be a go so I then configured freeradius.
> 
I believe you are mistaken.  The current MySQL development package for RHEL ES 2.1 is mysql-devel-3.23.58-1.72.


You can grab the package from the RHEL installation media, or, you can download the SRPM from a Red Hat mirror and rebuild the package:

ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm


> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found 
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in 
> the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.
> 
You'll get this until you compile FreeRADIUS with the MySQL development libraries installed.









RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

2003-12-12 Thread Deramus, Chris
I also mis-typed my message. The package that I was talking about was
mysql-shared not mysql-devel. I do not think you need mysql-shared though,
or do you?

Thanks,

Chris DeRamus
OCIO VPN Administrator
SAIC


-Original Message-
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL


On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:
> To all --
> 
> I recently upgraded my development RADIUS box which was running RedHat 
> 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which 
> included all Mysql related packages contained on the CD's. It was 
> noted that the Enterprise installation did not contain a Mysql-devel 
> package, I am assuming it is now bundled in with one of the other 
> rpm's. I tested SQL queries from both web applications and command 
> line and everything seemed to be a go so I then configured freeradius.
> 
I believe you are mistaken.  The current MySQL development package for RHEL
ES 2.1 is mysql-devel-3.23.58-1.72.

You can grab the package from the RHEL installation media, or, you can
download the SRPM from a Red Hat mirror and rebuild the package:

ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/
SRPMS/mysql-3.23.58-1.72.src.rpm

> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found 
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in 
> the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.
> 
You'll get this until you compile FreeRADIUS with the MySQL development
libraries installed.





RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

2003-12-12 Thread Deramus, Chris
Here's the output from the box, as you can see I have the development
package. Any other thoughts?

[EMAIL PROTECTED] ->rpm -qa | grep mysql
mysqlclient9-3.23.22-8
mysql-devel-3.23.58-1.72
mysql-3.23.58-1.72
php-mysql-4.1.2-2.1.6
mysql-server-3.23.58-1.72
mod_auth_mysql-1.11-1

Thanks!

Chris DeRamus


-Original Message-
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL


On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:
> To all --
> 
> I recently upgraded my development RADIUS box which was running RedHat 
> 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which 
> included all Mysql related packages contained on the CD's. It was 
> noted that the Enterprise installation did not contain a Mysql-devel 
> package, I am assuming it is now bundled in with one of the other 
> rpm's. I tested SQL queries from both web applications and command 
> line and everything seemed to be a go so I then configured freeradius.
> 
I believe you are mistaken.  The current MySQL development package for RHEL
ES 2.1 is mysql-devel-3.23.58-1.72.

You can grab the package from the RHEL installation media, or, you can
download the SRPM from a Red Hat mirror and rebuild the package:

ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/
SRPMS/mysql-3.23.58-1.72.src.rpm

> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found 
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in 
> the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed.
> 
You'll get this until you compile FreeRADIUS with the MySQL development
libraries installed.





RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

2003-12-11 Thread Deramus, Chris





To all --


I recently upgraded my development RADIUS box which was running RedHat 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which included all Mysql related packages contained on the CD's. It was noted that the Enterprise installation did not contain a Mysql-devel package, I am assuming it is now bundled in with one of the other rpm's. I tested SQL queries from both web applications and command line and everything seemed to be a go so I then configured freeradius.

I used the following configure line:


./configure --with-mysql-include-dir=/usr/include/mysql --with-mysql-dir=/usr/lib/mysql --with-mysql


I configured the flat configuration files including radiusd.conf to match my desired configuration. SQL is setup like so:

--- Pasted from radiusd.conf ---


    $INCLUDE ${confdir}/sql.conf
    $INCLUDE ${confdir}/sql2.conf


authorize {
    #
    #  The preprocess module takes care of sanitizing some bizarre
    #  attributes in the request, and turning them into attributes
    #  which are more standard.
    #
    #  It takes care of processing the 'raddb/hints' and the
    #  'raddb/huntgroups' files.
    #
    #  It also adds a Client-IP-Address attribute to the request.
    autztype sql1 {
        sql
    }
    autztype sql2 {
        sql2
    }
}


accounting {
    detail
    acctype sql1 {
        sql
    }
    acctype sql2 {
        sql2
    }
    radutmp
}

My sql.conf and sql2.conf files respectively called the driver rlm_sql_mysql. Upon launching radiusd with debugging turned on I get the following message:

rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
radiusd.conf[4]: sql: Module instantiation failed. 


I have re-configured the sql_mysql module multiple times, even as a static module and no luck. I am wondering if this has to do with differences in the way MySQL is setup in the Enterprise 2.1 ES distro? Any light that you can shed on this issue would be greatly appreciated.

Thanks and have a great day,


Chris DeRamus





RE: Is it possible to split authentication and authorization requests based on NAS IP?

2003-04-03 Thread Deramus, Chris





Alan,


I realize how aggravating this must be, but I guess I'm getting confused as to where you say create two instances of the SQL module.

I modeled my radiusd.conf after your example Autz-Type webpage located at:


http://www.freeradius.org/radiusd/doc/Autz-Type


So my radiusd.conf authorize section looks like this:


authorize {
    preprocess
    files
    autztype sql1 {
        sql1
    }
    autztype sql2 {
        sql2
    }
}


When I run radiusd -X it generates the following error message:


/usr/local/etc/raddb/users[148]: Parse error (check) for entry DEFAULT: Unknown value sql1 for attribute Autz-Type


I setup my users file exactly as instructed. If I change the precedence to load the files entry after, looking like this:

authorize {
    preprocess
    autztype sql1 {
        sql1
    }
    autztype sql2 {
        sql2
    }
    files
}


I get the following...ERROR: Cannot find a configuration entry for module "sql1"


Cordially,
 
Chris DeRamus
OCIO VPN Administrator
Verizon
301-903-2093


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, April 03, 2003 9:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Is it possible to split authentication and authorization requ ests based on NAS IP?


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> Thanks, I sort of get what you are saying. But where do I define which
> sql.conf file to look in?


  radiusd.conf?  Is it really that hard to find out which file
references sql.conf?


>  I assume that I would want sql1 for example to
> point to sql.conf and sql2 to point to sql2.conf or however I choose to set
> it up. I defined sql1 and sql2 in my radiusd.conf section and it made the
> application error out. I assume I have to define this elsewhere, any
> suggestions?


  Read sql.conf.  It's just a definition for an SQL module.  You can
create two instances of the SQL module by using standard methods.


  Alan DeKok.







RE: Is it possible to split authentication and authorization requests based on NAS IP?

2003-04-03 Thread Deramus, Chris





Thanks, I sort of get what you are saying. But where do I define which sql.conf file to look in? I assume that I would want sql1 for example to point to sql.conf and sql2 to point to sql2.conf or however I choose to set it up. I defined sql1 and sql2 in my radiusd.conf section and it made the application error out. I assume I have to define this elsewhere, any suggestions?

Cordially,
 
Chris DeRamus
OCIO VPN Administrator
Verizon
301-903-2093


-Original Message-
From: Dustin Doris [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 01, 2003 1:18 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Is it possible to split authentication and authorization requests based on NAS IP?


Yes you can do that now. In your users file put.


DEFAULT NAS-IP-Address == "1.1.1.1", Autz-Type := sql1


DEFAULT NAS-IP-Address == "2.2.2.2", Autz-Type := sql2


Then you can setup two different sql types.  Then in authorization in
radius.conf add


    autztype sql1 {
        sql1
    }
    autztype sql2 {
        sql2
    }


You can do the same thing with auth types and set Auth-Type := whatever.




On Tue, 1 Apr 2003, Deramus, Chris wrote:


> I will try to make this as simple to understand as possible. Basically in
> our production environment we are trying to use our FreeRADIUS server to do
> authentication for both VPN users (stored in radcheck) and Sprint dialup
> users. In my radcheck table, I have the typical UserName, Attribute, Value,
> and op fields, but I also have a lot of user information. My table structure
> looks like this:
>
> +---------------+-----------------+------+-----+-----------------+----------------+
> | Field         | Type            | Null | Key | Default         | Extra          |
> +---------------+-----------------+------+-----+-----------------+----------------+
> | id            | int(5) unsigned |      | PRI | NULL            | auto_increment |
> | UserName      | varchar(64)     |      | MUL |                 |                |
> | Attribute     | varchar(16)     |      |     | Password        |                |
> | Value         | varchar(253)    |      |     |                 |                |
> | op            | char(2)         | YES  |     | :=              |                |
> | Org           | varchar(16)     |      |     |                 |                |
> | Name          | varchar(64)     |      |     |                 |                |
> | Mail          | varchar(128)    |      |     |                 |                |
> | WorkPhone     | varchar(24)     |      |     |                 |                |
> | Requestor     | varchar(128)    |      |     |                 |                |
> | DateCreated   | datetime        |      |     | -00-00 00:00:00 |                |
> | DateUpdated   | datetime        |      |     | -00-00 00:00:00 |                |
> | Profile       | varchar(8)      |      |     |                 |                |
> | Sprint        | enum('N','Y')   |      |     | N               |                |
> | NewNotice     | enum('N','Y')   |      |     | N               |                |
> | ExpiredNotice | enum('N','Y')   |      |     | N               |                |
> +---------------+-----------------+------+-----+-----------------+----------------+
>
> All VPN authentication requests come from our VPN NAS IP-Address (Static),
> and Sprint requests come from a totally different NAS IP-Address (Static). I
> don't want to duplicate data into radcheck, so I was curious if FreeRADIUS
> has (or is planning to have) the capability (maybe in sql.conf?) to do
> different queries based on different inbound requests? Maybe a some IF THEN
> logic which can say if the nas-ip is equal to value then execute
> authentication_query number 1, else execute authentication_query number 2.
> Would this be possible to add into your program? If it's already available
> then please let me know, because I can't seem to get separate queries to
> work at this moment.
>
>
> Cordially,
>
> Chris DeRamus
> OCIO VPN Administrator
> Verizon
> 301-903-2093
>
>



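An added example, not text from Alan, Dustin or anyone in the thread: the three pieces that have to agree for the Autz-Type split Dustin describes here, put together so that neither of the two errors quoted in the message above ("Unknown value sql1 for attribute Autz-Type" and "Cannot find a configuration entry for module sql1") occurs. The NAS addresses are Dustin's placeholders; the host name, database name, password and the WHERE clauses are placeholders too, and the remaining keys of each sql instance are the ones a stock 0.9.x sql.conf carries.

```text
# Added example, not from the thread: FreeRADIUS 0.9.x Autz-Type split.
# Placeholders: 1.1.1.1 / 2.2.2.2, "localhost", "radius", "CHANGEME", the WHERE clauses.

# ---- raddb/users ------------------------------------------------------------
# Which NAS the request came from selects the authorize sub-section.
DEFAULT NAS-IP-Address == "1.1.1.1", Autz-Type := sql1
DEFAULT NAS-IP-Address == "2.2.2.2", Autz-Type := sql2

# ---- raddb/radiusd.conf, modules section ------------------------------------
modules {
    # "sql sql1 { ... }" is the "module-name instance-name" form: two instances
    # of rlm_sql, each with its own connection and queries. This is the entry
    # that "Cannot find a configuration entry for module sql1" was missing.
    sql sql1 {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "radius"
        password = "CHANGEME"
        radius_db = "radius"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        sql_user_name = "%{User-Name}"
        # VPN population: radcheck rows not flagged for Sprint (column from the table above)
        authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE UserName = '%{SQL-User-Name}' AND Sprint = 'N' ORDER BY id"
        # acct_table1, groupcheck_table, authorize_reply_query, ... as in sql.conf
    }
    sql sql2 {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "radius"
        password = "CHANGEME"
        radius_db = "radius"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        sql_user_name = "%{User-Name}"
        # Sprint dial-up population
        authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE UserName = '%{SQL-User-Name}' AND Sprint = 'Y' ORDER BY id"
        # ... as in sql.conf
    }
}

# ---- raddb/radiusd.conf, authorize section ----------------------------------
# The autztype blocks are listed before "files", the order of Chris's second
# attempt: the users file is parsed when the files module is set up, and the
# values sql1/sql2 must already be declared by then or the parse fails with
# "Unknown value sql1 for attribute Autz-Type".
authorize {
    preprocess
    autztype sql1 {
        sql1
    }
    autztype sql2 {
        sql2
    }
    files
}
```

The two instances share one radcheck table and differ only in the WHERE clause, which is what the original question asked for without duplicating rows. One thing to weigh when choosing the match key: NAS-IP-Address is whatever the NAS wrote into the packet, while the radiusd.conf comment pasted earlier on this page notes that preprocess also adds Client-IP-Address, the address the packet actually arrived from and the one the client's shared secret is tied to; if the VPN and dial-up populations must never be looked up through the wrong query, matching on Client-IP-Address in the users file is the stricter choice.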





Is it possible to split authentication and authorization requests based on NAS IP?

2003-04-01 Thread Deramus, Chris





I will try to make this as simple to understand as possible. Basically in our production environment we are trying to use our FreeRADIUS server to do authentication for both VPN users (stored in radcheck) and Sprint dialup users. In my radcheck table, I have the typical UserName, Attribute, Value, and op fields, but I also have a lot of user information. My table structure looks like this:

+---------------+-----------------+------+-----+-----------------+----------------+
| Field         | Type            | Null | Key | Default         | Extra          |
+---------------+-----------------+------+-----+-----------------+----------------+
| id            | int(5) unsigned |      | PRI | NULL            | auto_increment |
| UserName      | varchar(64)     |      | MUL |                 |                |
| Attribute     | varchar(16)     |      |     | Password        |                |
| Value         | varchar(253)    |      |     |                 |                |
| op            | char(2)         | YES  |     | :=              |                |
| Org           | varchar(16)     |      |     |                 |                |
| Name          | varchar(64)     |      |     |                 |                |
| Mail          | varchar(128)    |      |     |                 |                |
| WorkPhone     | varchar(24)     |      |     |                 |                |
| Requestor     | varchar(128)    |      |     |                 |                |
| DateCreated   | datetime        |      |     | -00-00 00:00:00 |                |
| DateUpdated   | datetime        |      |     | -00-00 00:00:00 |                |
| Profile       | varchar(8)      |      |     |                 |                |
| Sprint        | enum('N','Y')   |      |     | N               |                |
| NewNotice     | enum('N','Y')   |      |     | N               |                |
| ExpiredNotice | enum('N','Y')   |      |     | N               |                |
+---------------+-----------------+------+-----+-----------------+----------------+


All VPN authentication requests come from our VPN NAS IP-Address (Static), and Sprint requests come from a totally different NAS IP-Address (Static). I don't want to duplicate data into radcheck, so I was curious if FreeRADIUS has (or is planning to have) the capability (maybe in sql.conf?) to do different queries based on different inbound requests? Maybe some IF THEN logic which can say if the nas-ip is equal to value then execute authentication_query number 1, else execute authentication_query number 2. Would this be possible to add into your program? If it's already available then please let me know, because I can't seem to get separate queries to work at this moment.


Cordially,
 
Chris DeRamus
OCIO VPN Administrator
Verizon
301-903-2093





FreeRADIUS 0.8.1 MySQL Module issue

2003-03-18 Thread Deramus, Chris





I'm currently having an issue starting up FreeRADIUS with MySQL support. I did a proper configure, and have the necessary library files located in /usr/local/lib 

I also have that directory referenced in my radiusd.conf and it's still a no go. I also tried doing a configure and disabling shared libraries, still no luck. Is there something that I'm missing? I've set this up on previous versions of FreeRADIUS in almost the exact same manner and haven't had this issue. Any light you can shed on this would be most beneficial.


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 2
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded PAP 
 pap: encryption_scheme = "md5"
Module: Instantiated pap (pap) 
ERROR: Cannot find a configuration entry for module "sql".





Cisco Dictionary File(s)

2003-01-28 Thread Deramus, Chris





Cisco just released an update for their Concentrator AV pairs. If you could, please review the following page. I am really just concerned with the 3000 RADIUS VSA's, but they have added support for their 5000 series Concentrator as well. I wasn't sure if you wanted to make a different dictionary file or just stick with the dictionary.cisco3030 one that was created awhile back.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/ad.htm#984410

Let me know if you need more information, and thanks!

Cordially,

Chris DeRamus

HQ VPN Administrator

Verizon

301-903-2093






RE: Request for another dictionary file?

2002-09-18 Thread Deramus, Chris





Alan,


The Vendor Id from what I can tell on Cisco's website is 3076. The following table lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs.

# Cisco VPN 3000 concentrator VSAs. The VENDOR line and the trailing vendor
# column are what make these load as vendor-specific attributes instead of
# being read as standard attributes 1-20; the vendor id 3076 is from Cisco's
# site, the vendor name Cisco-VPN3000 is assumed.
VENDOR      Cisco-VPN3000                       3076

ATTRIBUTE   CVPN3000-Access-Hours               1   string  Cisco-VPN3000
ATTRIBUTE   CVPN3000-Simultaneous-Logins        2   integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-Primary-DNS                3   ipaddr  Cisco-VPN3000
ATTRIBUTE   CVPN3000-Secondary-DNS              4   ipaddr  Cisco-VPN3000
ATTRIBUTE   CVPN3000-Primary-WINS               5   ipaddr  Cisco-VPN3000
ATTRIBUTE   CVPN3000-Secondary-WINS             6   ipaddr  Cisco-VPN3000
ATTRIBUTE   CVPN3000-SEP-Card-Assignment        7   ipaddr  Cisco-VPN3000
ATTRIBUTE   CVPN3000-Tunneling-Protocols        8   integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Sec-Association      9   string  Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Authentication       10  integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Banner1              11  string  Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Allow-Passwd-Store   12  integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-Use-Client-Address         13  integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Split-Tunnel-List    14  string  Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Default-Domain       15  string  Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Tunnel-Type          16  integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Mode-Config          17  integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-User-Group-Lock      18  integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Through-NAT          19  integer Cisco-VPN3000
ATTRIBUTE   CVPN3000-IPSec-Through-NAT-Port     20  integer Cisco-VPN3000


Let me know if you need to know anything else, thanks.


Cordially,


Chris



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 3:24 PM
To: [EMAIL PROTECTED]
Subject: Re: Request for another dictionary file?



"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I will paste the request for a dictionary file below, I believe if I can
> pass these to the Concentrator it will know what to do with them:


  So what are you supposed to use for Vendor-Id?  Cisco?


  If so, then this dictionary would conflict with Cisco's other
dictionary...


> BM_954283Attribute    Value   Type of Value   
> 
> CVPN3000-Access-Hours
> 
> 1
> 
> string
...


  Hmm... I think your mailer screwed up the file, and added a huge
number of pointless blank lines.  (No, I don't look at HTML email...)


> This seems to have exactly what I'm looking for, I can't seem to locate
> anything else. If it's possible to either a.) add this to the current
> dictionary.cisco file or b.) make an entirely new dictionary file that's
> supported please let me know.


  Sure, create a dictionary file (NOT an HTML table), and put it on
the web somewhere, or post it to the list.


  Alan DeKok.









Request for another dictionary file?

2002-09-18 Thread Deramus, Chris



Alan,

Still working on this Default Domain, DNS, and WINS issue. I found an interesting read on Cisco's website that details valid attributes which can be used on a Cisco 3030 series concentrator which is what we have. If you have a second and want to look it over it's at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/ap_rads.htm#88844

I will paste the request for a dictionary file below, I believe if I can pass these to the Concentrator it will know what to do with them:

Attribute                          Value   Type of Value
CVPN3000-Access-Hours              1       string
CVPN3000-Simultaneous-Logins       2       integer
CVPN3000-Primary-DNS               5       ipaddr
CVPN3000-Secondary-DNS             6       ipaddr
CVPN3000-Primary-WINS              7       ipaddr
CVPN3000-Secondary-WINS            8       ipaddr
CVPN3000-SEP-Card-Assignment       9       integer
CVPN3000-Tunneling-Protocols       11      integer
CVPN3000-IPSec-Sec-Association     12      string
CVPN3000-IPSec-Authentication      13      integer
CVPN3000-IPSec-Banner1             15      string
CVPN3000-IPSec-Allow-Passwd-Store  16      integer
CVPN3000-Use-Client-Address        17      integer
CVPN3000-IPSec-Split-Tunnel-List   27      string
CVPN3000-IPSec-Default-Domain      28      string
CVPN3000-IPSec-Tunnel-Type         30      integer
CVPN3000-IPSec-Mode-Config         31      integer
CVPN3000-IPSec-User-Group-Lock     33      integer
CVPN3000-IPSec-Through-NAT         34      integer
CVPN3000-IPSec-Through-NAT-Port    35      integer

This seems to have exactly what I'm looking for, I can't seem to locate anything else. If it's possible to either a.) add this to the current dictionary.cisco file or b.) make an entirely new dictionary file that's supported please let me know.

Thanks,

Chris


Cannot get MySQL loaded in FreeRADIUS 0.7.1

2002-09-11 Thread Deramus, Chris
Title: Cannot get MySQL loaded in FreeRADIUS 0.7.1





I am just now trying to upgrade on my development box, and am having a tough time getting radiusd -X to run without erroring out. When I take out the Mysql module call at the base of radiusd.conf radiusd runs fine, however when I turn the mysql module back on I get the following:

radiusd.conf[4] Failed to link to module 'rlm_sql': file not found


I checked my libraries directory /usr/local/lib and verified that the sql modules are in there, which they are. I manually went into /usr/local/src/freeradius-0.7.1/src/modules/rlm_sql/drivers/rlm_sql_mysql and did a ./configure, make, make install. Then I went into /etc/ld.so.conf and verified that /usr/local/lib was in there, and did a ldconfig.

Doing these steps in the past gave me no problems at all with MySQL support, however, now I am getting it. Is there a known problem or am I just missing something?

Thanks,


Chris





Cannot find a Domain attribute ??

2002-09-05 Thread Deramus, Chris



I'm definitely getting somewhere with this, I appreciate your input. I thoroughly read the documentation and am close. I set my Mysql table up like this for user chris.deramus:

22  chris.deramus  Vendor-Specific  Microsoft    ==
23  chris.deramus  MS-CHAP-Domain   test.my.gov  ==

Then when running FreeRADIUS in debugging mode, I get this with an incoming request. As you can see in bold, it's passing the MS-CHAP-Domain in the Access Accept, however it doesn't seem to be passing to my client laptop. Maybe it's a problem with my MySQL table, maybe it's a problem with how I have MS-CHAP loaded in radiusd.conf

rlm_sql: Released sql socket id: 8
  modcall[authorize]: module "sql" returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "counter" returns noop
    users: Matched DEFAULT at 141
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
modcall: entering group authtype
rlm_pap: login attempt by "chris.deramus" with password yy
rlm_pap: Using password 690d96285de94b9e7138e3d9d687ce3e for user chris.deramus authentication.
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok
modcall: group authtype returns ok
Login OK: [chris.deramus/ ] (from client 192.168.0.2 port 1008)
Sending Access-Accept of id 2 to 192.168.0.2:1026
    Framed-IP-Address = 192.168.1.20
    Vendor-Specific = 0x4d6963726f736f6674
    MS-CHAP-Domain = "test.my.gov"

I bolded the sections that I found to be of interest, I'm assuming the returned noop means that the module isn't loaded, or isn't doing anything? I have the MS-CHAP module loaded in the authorization section, should it be loaded in a different section of radiusd.conf ?

Thanks for the help and patience.

Chris

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 22, 2002 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Cannot find a Domain attribute ??

"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> Sorry for the confusion, I meant I have to return that Domain attribute to
> the NAS, we have different program offices with resources on different
> domains.

  You can return the MS-CHAP-Domain domain attribute in the Access-Accept.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Cannot find a Domain attribute ??

2002-09-05 Thread Deramus, Chris



To all,

I'm definitely getting somewhere with this, I appreciate your input. I thoroughly read the documentation and am close. I set my Mysql table up like this for user chris.deramus:

22  chris.deramus  Vendor-Specific  Microsoft    ==
23  chris.deramus  MS-CHAP-Domain   test.my.gov  ==

Then when running FreeRADIUS in debugging mode, I get this with an incoming request. As you can see in bold, it's passing the MS-CHAP-Domain in the Access Accept, however it doesn't seem to be passing to my client laptop. Maybe it's a problem with my MySQL table, maybe it's a problem with how I have MS-CHAP loaded in radiusd.conf

rlm_sql: Released sql socket id: 8
  modcall[authorize]: module "sql" returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "counter" returns noop
    users: Matched DEFAULT at 141
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
modcall: entering group authtype
rlm_pap: login attempt by "chris.deramus" with password xxx
rlm_pap: Using password 690d96285de94b9e7138e3d9d687ce3e for user chris.deramus authentication.
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok
modcall: group authtype returns ok
Login OK: [chris.deramus/] (from client 192.168.0.2 port 1008)
Sending Access-Accept of id 2 to 192.168.0.2:1026
    Framed-IP-Address = 192.168.1.20
    Vendor-Specific = 0x4d6963726f736f6674
    MS-CHAP-Domain = "test.my.gov"

I bolded the sections that I found to be of interest, I'm assuming the returned noop means that the module isn't loaded, or isn't doing anything? I have the MS-CHAP module loaded in the authorization section, should it be loaded in a different section of radiusd.conf ?

Thanks for the help and patience.

Chris

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 22, 2002 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Cannot find a Domain attribute ??

"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> Sorry for the confusion, I meant I have to return that Domain attribute to
> the NAS, we have different program offices with resources on different
> domains.

  You can return the MS-CHAP-Domain domain attribute in the Access-Accept.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Requirement to pass alternet Domain Name, DNS Servers, and WINS servers -- HELP

2002-08-22 Thread Deramus, Chris
Title: Requirement to pass alternet Domain Name, DNS Servers, and WINS servers -- HELP





To all,


I've posted about this before but still am getting nowhere on it, unfortunately. I'll start from the beginning to try to make it easier for people to understand.

I'm running FreeRADIUS 0.6, using MySQL for authorization and PAP for authentication. I have the Base Group setting on the VPN Concentrator set to assign 146.138.1.x as the primary DNS server and 146.138.198.x as the secondary DNS server. I have the primary domain set to hr.doe.gov and no WINS servers set up. 

All of our program offices use the above settings, except one. They need to have their DNS servers set to 132.60.35.x and 132.60.36.x and need WINS servers set up. They also need to have their DNS search suffix be set to em.doe.gov instead of hr.doe.gov. 


Here's where the issue comes in. I've used the MS-Primary-DNS-Server and MS-Secondary-DNS-Server attributes in dictionary.microsoft and tried multiple operators and I can't seem to pass these attributes that are held in the radreply table. I also can't seem to find which attribute(s) to use to pass a different Domain as well as WINS servers. 

How exactly do I do this? And why aren't the MS-Primary-DNS-Server and MS-Secondary-DNS-Server attributes working, is it because the Base Group setting on the VPN Concentrator overrides all of this?

Please help, thanks!


Chris





RE: Requirement to pass alternet Domain Name, DNS Servers, and WINS servers

2002-08-21 Thread Deramus, Chris
Title: RE: Requirement to pass alternet Domain Name, DNS Servers, and WINS servers





Matt,


With ours and their current setup, it'd be a lot easier to just pass these attributes. This is only for 3-4 users, there's no sense in wasting all these resources when there are attributes in place to do it for you :).

Thanks,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Mattt [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 21, 2002 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: Requirement to pass alternet Domain Name, DNS Servers, and WINS servers


I know this isn't a direct answer to your question, and I apologise in
advance for replying to you in plain text ;-)


What you're trying to do sounds more in the domain (pun intended) of
DHCP. Assuming your security model allows for it, why not deploy DHCP
for that office?


On Thu, 2002-08-22 at 00:01, Deramus, Chris wrote:
> To all,
> 
> I've posted about this before but still am getting nowhere on it
> unfortunately. I'll start from the beginning to try to make it easier for
> people to understand.
> 
> I'm running FreeRADIUS 0.6, using MySQL for authorization and PAP for
> authentication. I have the Base Group setting on the VPN Concentrator set to
> assign 146.138.1.x as the primary DNS server and 146.138.198.x as the
> secondary DNS server. I have the primary domain set to hr.doe.gov and no
> WINS servers set up. 
> 
> All of our program offices use the above settings, except one. They need to
> have their DNS servers set to 132.60.35.x and 132.60.36.x and need WINS
> servers set up. They also need to have their DNS search suffix be set to
> em.doe.gov instead of hr.doe.gov. 
> 
> Here's where the issue comes in. I've used the MS-Primary-DNS-Server and
> MS-Secondary-DNS-Server attributes in dictionary.microsoft and tried
> multiple operators and I can't seem to pass these attributes that are held
> in the radreply table. I also can't seem to find which attribute(s) to use
> to pass a different Domain as well as WINS servers. 
> 
> How exactly do I do this? And why aren't the MS-Primary-DNS-Server and
> MS-Secondary-DNS-Server attributes working, is it because the Base Group
> setting on the VPN Concentrator overrides all of this?
> 
> Please help, thanks!
> 
> Chris


-- 
Cheers,
 Mattt.   icq   : 117539757
 Network and Tech Guy,    www1  : http://www.pulse.nq4u.net
 Expressnet.  www2  : http://www.expressnet.net.au
 [EMAIL PROTECTED]  jabber: [EMAIL PROTECTED]
 
   I always wanted to be someone. I should have been more specific...



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Requirement to pass alternet Domain Name, DNS Servers, and WINS servers

2002-08-21 Thread Deramus, Chris
Title: Requirement to pass alternet Domain Name, DNS Servers, and WINS servers





To all,


I've posted about this before but still am getting nowhere on it, unfortunately. I'll start from the beginning to try to make it easier for people to understand.

I'm running FreeRADIUS 0.6, using MySQL for authorization and PAP for authentication. I have the Base Group setting on the VPN Concentrator set to assign 146.138.1.x as the primary DNS server and 146.138.198.x as the secondary DNS server. I have the primary domain set to hr.doe.gov and no WINS servers set up. 

All of our program offices use the above settings, except one. They need to have their DNS servers set to 132.60.35.x and 132.60.36.x and need WINS servers set up. They also need to have their DNS search suffix be set to em.doe.gov instead of hr.doe.gov. 

Here's where the issue comes in. I've used the MS-Primary-DNS-Server and MS-Secondary-DNS-Server attributes in dictionary.microsoft and tried multiple operators and I can't seem to pass these attributes that are held in the radreply table. I also can't seem to find which attribute(s) to use to pass a different Domain as well as WINS servers. 

How exactly do I do this? And why aren't the MS-Primary-DNS-Server and MS-Secondary-DNS-Server attributes working, is it because the Base Group setting on the VPN Concentrator overrides all of this?

Please help, thanks!


Chris
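As an added example (not code from this thread or from FreeRADIUS), here is what a dictionary entry for one of the CVPN3000 attributes in Cisco's table above actually makes the server put on the wire: a RADIUS Vendor-Specific attribute (type 26) whose value starts with a 4-octet Vendor-Id, then the vendor type, vendor length and the value encoded per its data type. It also shows why the `Vendor-Specific = 0x4d6963726f736f6674` line in the earlier debug output is not a usable VSA: those bytes are just the word "Microsoft", so the NAS would read "Micr" as the Vendor-Id. Assumed, not from the page: the vendor number 3076 (the Altiga/Cisco VPN 3000 IANA enterprise number) and the constructed sample addresses.

```python
"""RADIUS Vendor-Specific Attribute (VSA) encoder/decoder for the CVPN3000
attributes discussed in this thread, laid out as RFC 2865 section 5.26 describes."""
import struct
from ipaddress import IPv4Address

VENDOR_SPECIFIC = 26             # RFC 2865 attribute type that carries every VSA
CISCO_VPN3000_VENDOR_ID = 3076   # Altiga/Cisco VPN 3000 enterprise number (assumed; not on the page)

# Vendor-type numbers and data types exactly as in Cisco's table quoted in the thread.
CVPN3000_ATTRS = {
    "CVPN3000-Primary-DNS": (5, "ipaddr"),
    "CVPN3000-Secondary-DNS": (6, "ipaddr"),
    "CVPN3000-Primary-WINS": (7, "ipaddr"),
    "CVPN3000-Secondary-WINS": (8, "ipaddr"),
    "CVPN3000-Use-Client-Address": (17, "integer"),
    "CVPN3000-IPSec-Split-Tunnel-List": (27, "string"),
    "CVPN3000-IPSec-Default-Domain": (28, "string"),
}
_BY_VENDOR_TYPE = {num: (name, dtype) for name, (num, dtype) in CVPN3000_ATTRS.items()}

# Constructed: what a row of 'Vendor-Specific == Microsoft' produces on the wire:
# attribute 26, length 11, then the nine ASCII bytes of "Microsoft"
# (0x4d6963726f736f6674 in the thread's debug output). No Vendor-Id at all.
MISCONFIGURED_VSA = bytes([VENDOR_SPECIFIC, 11]) + b"Microsoft"


def _pack_value(dtype, value):
    """Serialise one value the way its dictionary data type requires."""
    if dtype == "ipaddr":
        return IPv4Address(value).packed
    if dtype == "integer":
        return struct.pack("!I", int(value))
    if dtype == "string":
        data = str(value).encode("ascii")
        # 253 octets of attribute value, minus 4 (Vendor-Id) and 2 (vendor type/length)
        if not 1 <= len(data) <= 247:
            raise ValueError("string value must be 1..247 octets")
        return data
    raise ValueError(f"unknown data type {dtype!r}")


def encode_vsa(name, value):
    """Build one Vendor-Specific attribute carrying a single CVPN3000 attribute."""
    vendor_type, dtype = CVPN3000_ATTRS[name]
    data = _pack_value(dtype, value)
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data  # vendor type, vendor length, value
    body = struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + sub      # 4-octet Vendor-Id comes first
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr):
    """Parse one attribute, rejecting anything that is not a well-formed CVPN3000 VSA."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a complete Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != CISCO_VPN3000_VENDOR_ID:
        raise ValueError(f"unexpected Vendor-Id {vendor_id:#x}")
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6 or vendor_type not in _BY_VENDOR_TYPE:
        raise ValueError("bad vendor sub-attribute header")
    name, dtype = _BY_VENDOR_TYPE[vendor_type]
    data = attr[8:]
    if dtype == "ipaddr":
        return name, str(IPv4Address(data))
    if dtype == "integer":
        return name, struct.unpack("!I", data)[0]
    return name, data.decode("ascii")


def is_well_formed(attr):
    """True when decode_vsa accepts the attribute; False for e.g. MISCONFIGURED_VSA."""
    try:
        decode_vsa(attr)
        return True
    except (ValueError, struct.error):
        return False


def encode_reply(items):
    """Serialise an Access-Accept attribute list, e.g. one office's DNS/WINS/domain set."""
    return b"".join(encode_vsa(name, value) for name, value in items)


def decode_reply(data):
    """Split a concatenated attribute list on each attribute's Length octet and decode it."""
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("truncated attribute list")
        name, value = decode_vsa(data[pos:pos + length])
        out[name] = value
        pos += length
    return out
```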





RE: Cannot find a Domain attribute ??

2002-07-21 Thread Deramus, Chris
Title: RE: Cannot find a Domain attribute ??





Alan


Sorry for the confusion, I meant I have to return that Domain attribute to the NAS, we have different program offices with resources on different domains. Let me know if I'm still confusing you.

Thanks,
Chris


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 21, 2002 12:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Cannot find a Domain attribute ??



"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I have a requirement to apply different Domain values to different groups
> via FreeRadius.


  You mean to return the domain to the NAS, or to use the domain
information in the server?


> I can set the Base Group on my Cisco VPN but then that
> applies to every user that connects. The only domain attribute I could find
> was Tunnel_Domain in dictionary.redback 


  If you don't have a redback NAS, then that attribute probably won't
help you at all.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Success Alan thanks for the CVS

2002-07-17 Thread Deramus, Chris
Title: Success Alan thanks for the CVS





Alan,


Thanks so much, everything's fine now; it was a mistake on my part. I didn't realize the users file was as granular as it is and I had a blank line with tabs that was causing the issue. It's always the easiest answer that you overlook in life, isn't it :)

Take care,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 16, 2002 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Files module in latest snapshot?


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> Are you just going to re-release the dictionary file or just update the
> website to reflect the necessary changes to the dictionary file. 


  The dictionary file in the distribution will have changed, and it
will be included in the next snapshot, and in the next release.


> One thing I just wanted to clarify, did you mean the *bottom* of the
> file as a whole, or close to the bottom where it lists the other
> VALUE Auth-Type's located underneath the Cistron extensions?


  It doesn't matter.


> I tried it in both locations and had no luck. I also tried a value
> of 255 instead of 256, don't know if that makes a difference.


  The number should be different from the other Auth-Type values.



  I've updated the dictionary in CVS, and for the cases where I
*could* reproduce your problem, updating the dictionary fixes it.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problem with Files module in latest snapshot?

2002-07-17 Thread Deramus, Chris
Title: RE: Problem with Files module in latest snapshot?





Alan,


Just a theory but could it possible be the operator on the DEFAULT entry in /usr/local/etc/raddb/dictionary ?


So instead of it being DEFAULT  Auth-Type := PAP maybe it should be == or != ... I read the man 5 users file extensively and I seriously doubt this will have any bearing, but I'll give it a shot. I'm running out of options and time, unfortunately. If worst comes to worst we can just stick with 0.5 in our production environment, but I was very excited to start toying with the ability to implement groups into radgroupcheck for authorization and authentication. What else do you suggest?

Thanks,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 16, 2002 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Files module in latest snapshot?


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> Are you just going to re-release the dictionary file or just update the
> website to reflect the necessary changes to the dictionary file. 


  The dictionary file in the distribution will have changed, and it
will be included in the next snapshot, and in the next release.


> One thing I just wanted to clarify, did you mean the *bottom* of the
> file as a whole, or close to the bottom where it lists the other
> VALUE Auth-Type's located underneath the Cistron extensions?


  It doesn't matter.


> I tried it in both locations and had no luck. I also tried a value
> of 255 instead of 256, don't know if that makes a difference.


  The number should be different from the other Auth-Type values.



  I've updated the dictionary in CVS, and for the cases where I
*could* reproduce your problem, updating the dictionary fixes it.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problem with Files module in latest snapshot?

2002-07-17 Thread Deramus, Chris
Title: RE: Problem with Files module in latest snapshot?





Alan,


I got the latest snapshot, copied over the new dictionary file which defines PAP, and still am having the same problem when running radiusd -xx. Is there another file in this CVS snapshot I should transfer over? I just copied the file to my /usr/local/etc/raddb directory, I didn't do a make or make install or anything, is this correct? 

I'm sure it's something I'm not doing, thanks for your time.


Chris


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Files module in latest snapshot?



"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> Are you just going to re-release the dictionary file or just update the
> website to reflect the necessary changes to the dictionary file. 


  The dictionary file in the distribution will have changed, and it
will be included in the next snapshot, and in the next release.


> One thing I just wanted to clarify, did you mean the *bottom* of the
> file as a whole, or close to the bottom where it lists the other
> VALUE Auth-Type's located underneath the Cistron extensions?


  It doesn't matter.


> I tried it in both locations and had no luck. I also tried a value
> of 255 instead of 256, don't know if that makes a difference.


  The number should be different from the other Auth-Type values.



  I've updated the dictionary in CVS, and for the cases where I
*could* reproduce your problem, updating the dictionary fixes it.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problem with Files module in latest snapshot?

2002-07-16 Thread Deramus, Chris
Title: RE: Problem with Files module in latest snapshot?





Alan,


I'm a little confused? I downloaded the latest cvs file that was uploaded today for the 16th, however, it was uploaded at 9:01 a.m. Is the freeradius-snapshot for today the file for me to get?

Sorry I'm a total newbie at this =)


Thanks!


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 16, 2002 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Files module in latest snapshot?


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> Are you just going to re-release the dictionary file or just update the
> website to reflect the necessary changes to the dictionary file. 


  The dictionary file in the distribution will have changed, and it
will be included in the next snapshot, and in the next release.


> One thing I just wanted to clarify, did you mean the *bottom* of the
> file as a whole, or close to the bottom where it lists the other
> VALUE Auth-Type's located underneath the Cistron extensions?


  It doesn't matter.


> I tried it in both locations and had no luck. I also tried a value
> of 255 instead of 256, don't know if that makes a difference.


  The number should be different from the other Auth-Type values.



  I've updated the dictionary in CVS, and for the cases where I
*could* reproduce your problem, updating the dictionary fixes it.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problem with Files module in latest snapshot?

2002-07-16 Thread Deramus, Chris
Title: RE: Problem with Files module in latest snapshot?





Alan,


Are you just going to re-release the dictionary file or just update the website to reflect the necessary changes to the dictionary file? One thing I just wanted to clarify, did you mean the *bottom* of the file as a whole, or close to the bottom where it lists the other VALUE Auth-Type's located underneath the Cistron extensions? I tried it in both locations and had no luck. I also tried a value of 255 instead of 256, don't know if that makes a difference.

Cordially,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 16, 2002 1:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Files module in latest snapshot?


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I did exactly what you recommended and still no go, I really am stumped. I
> will triple check my radiusd.conf file and verify that everything is okay.
> If you think of anything else please let me know.


  Add a line to the bottom of 'raddb/dictionary':


VALUE   Auth-Type      PAP      256


  and it should work.  The issue is that the 'files' module is telling
the server to use PAP authentication, before the server has loaded the
PAP module.  So the server doesn't know PAP exists, and dies.


  I'll commit some fixes to the default dictionary.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problem with Files module in latest snapshot?

2002-07-16 Thread Deramus, Chris
Title: RE: Problem with Files module in latest snapshot?





Alan,


Thanks for the suggestion but still no go, I appreciate the feedback though :)


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 16, 2002 1:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Files module in latest snapshot?


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I did exactly what you recommended and still no go, I really am stumped. I
> will triple check my radiusd.conf file and verify that everything is okay.
> If you think of anything else please let me know.


  Add a line to the bottom of 'raddb/dictionary':


VALUE   Auth-Type      PAP      256


  and it should work.  The issue is that the 'files' module is telling
the server to use PAP authentication, before the server has loaded the
PAP module.  So the server doesn't know PAP exists, and dies.


  I'll commit some fixes to the default dictionary.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problem with Files module in latest snapshot?

2002-07-16 Thread Deramus, Chris
Title: RE: Problem with Files module in latest snapshot?





Chris,


I did exactly what you recommended and still no go, I really am stumped. I will triple check my radiusd.conf file and verify that everything is okay. If you think of anything else please let me know.

Thanks,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Chris Parker [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 16, 2002 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Files module in latest snapshot?


At 06:25 PM 7/15/2002 -0400, Deramus, Chris wrote:


>I just updated with the July 15th snapshot, re-ran radiusd -X and am now 
>getting a line that says.
>
>/usr/local/etc/raddb/users[143]: Parse error (reply) for entry DEFAULT: No 
>token read where we expected an attribute name
>
>Errors reading /usr/local/etc/raddb/users
>radiusd.conf[785]: files: Modules instantiation failed.
>
>Problem with files module or am I just missing something? The users file 
>has a line that says
>
>DEFAULT Auth-Type := pap
>
>Haven't had a problem with it before, any suggestions?


Hmmm, it may be case-sensitive.  Does the case match your 'pap' section
in the 'conf' file?  Try also 'Pap' and 'PAP' to see if those make a
difference.


-Chris


--
    \\\|||///  \  StarNet Inc.  \ Chris Parker
    \ ~   ~ /   \   WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Problem with Files module in latest snapshot?

2002-07-15 Thread Deramus, Chris
Title: Problem with Files module in latest snapshot?





I just updated with the July 15th snapshot, re-ran radiusd -X and am now getting a line that says.


/usr/local/etc/raddb/users[143]: Parse error (reply) for entry DEFAULT: No token read where we expected an attribute name

Errors reading /usr/local/etc/raddb/users
radiusd.conf[785]: files: Modules instantiation failed.


Problem with files module or am I just missing something? The users file has a line that says


DEFAULT     Auth-Type := pap


Haven't had a problem with it before, any suggestions?
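An added check, not FreeRADIUS code, for the two users-file problems this thread ran into: the whitespace-only line that the server reported as "No token read where we expected an attribute name" (the blank line with tabs found later in the thread), and an Auth-Type value such as pap that no dictionary VALUE line defines, which Alan's `VALUE Auth-Type PAP 256` addition fixes. The sample dictionary and users entries below are constructed for the example.

```python
"""Lint a FreeRADIUS 'users' file against its dictionary for the two faults
seen in this thread: whitespace-only lines inside an entry and undefined
Auth-Type values."""
import re

# VALUE <attribute> <name> <number> lines in a FreeRADIUS dictionary file
_VALUE_RE = re.compile(r"^VALUE\s+(\S+)\s+(\S+)\s+(\d+)", re.IGNORECASE)
# Auth-Type followed by any users-file operator (:=, ==, =, !=) and its value
_AUTH_TYPE_RE = re.compile(r"\bAuth-Type\s*[:!=<>]*=\s*\"?([A-Za-z0-9_-]+)", re.IGNORECASE)

# Constructed sample data: a dictionary with no PAP Auth-Type, and a users file
# whose DEFAULT entry is followed by a line that holds only tabs.
SAMPLE_DICTIONARY = (
    "ATTRIBUTE\tAuth-Type\t1000\tinteger\n"
    "VALUE\tAuth-Type\tLocal\t0\n"
    "VALUE\tAuth-Type\tSystem\t1\n"
)
SAMPLE_USERS_BROKEN = (
    "DEFAULT\tAuth-Type := pap\n"
    "\tFall-Through = Yes\n"
    "\t\t\n"                          # looks blank, but it is not an empty line
    "\n"
    "DEFAULT\tService-Type == Framed-User\n"
    "\tFramed-Protocol = PPP\n"
)


def dictionary_values(dictionary_text, attribute="Auth-Type"):
    """Return the set of VALUE names a dictionary declares for one attribute."""
    names = set()
    for line in dictionary_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m and m.group(1).lower() == attribute.lower():
            names.add(m.group(2))
    return names


def check_users(users_text, auth_types):
    """Return (line_number, message) findings, numbered from 1 like users[143] in the error."""
    known = {n.lower() for n in auth_types}
    findings = []
    in_entry = False
    for num, raw in enumerate(users_text.splitlines(), 1):
        if raw == "":                     # a genuinely empty line ends the current entry
            in_entry = False
            continue
        stripped = raw.strip()
        if stripped.startswith("#"):
            continue
        if stripped == "":                # tabs/spaces only: not an entry separator
            findings.append((num, "whitespace-only line; the server reads it as a reply "
                                  "line with no attribute name, use a truly empty line"))
            continue
        if raw[0] in " \t":               # indented line: reply items for the current entry
            if not in_entry:
                findings.append((num, "reply line with no preceding check line"))
            continue
        in_entry = True                   # column 0: '<name> <check items>'
        m = _AUTH_TYPE_RE.search(stripped)
        if m and m.group(1).lower() not in known:
            findings.append((num, f"Auth-Type '{m.group(1)}' has no VALUE in the dictionary; "
                                  "add e.g. 'VALUE Auth-Type PAP 256' (a number no other "
                                  "Auth-Type uses)"))
    return findings


def fixed_copies():
    """The same samples with both problems corrected, for comparison."""
    dictionary = SAMPLE_DICTIONARY + "VALUE\tAuth-Type\tPAP\t256\n"
    users = SAMPLE_USERS_BROKEN.replace("\t\t\n", "")
    return dictionary, users


if __name__ == "__main__":
    for num, msg in check_users(SAMPLE_USERS_BROKEN, dictionary_values(SAMPLE_DICTIONARY)):
        print(f"users[{num}]: {msg}")
```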





RE: Problem with PAP modules in FreeRadius 0.6!

2002-07-13 Thread Deramus, Chris
Title: RE: Problem with PAP modules in FreeRadius 0.6!





Kostas,


Did exactly what you said, and still having no luck. I believe it's a problem with my Linux install though, there's a lot of non-freeradius stuff located in /usr/local/lib and when I run ldconfig I get about 50 or so messages that say Suchandsuch.so is not a symbolic link. I don't know if this is causing the issue or not, but I'm going to reinstall Redhat on our development box and go from there.

Thanks, I'll let you know if I succeed or not.


-Original Message-
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 11:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Problem with PAP modules in FreeRadius 0.6!



On Thu, 11 Jul 2002, Deramus, Chris wrote:


> Kostas,
>
> I'm sorry I haven't done a CVS update yet. I should just go to
> ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/ and download the latest
> snapshot. Do I do a configure, make, and make install like when installing
> free-radius from scratch, or will it just update my files?
>
> Thanks for your assistance.
>
> Cordially,
>
> Chris DeRamus
> HQ VPN Administrator
> Verizon
> 301-903-2093


You 'll have to wait until tomorrow for the CVS snapshot to contain the changes.
You can just do a cvs update (see
http://www.freeradius.org/development.html#cvs) and move the rlm_pap.c file to
your old one and then do a make;make install in src/modules/rlm_pap. That should
do the trick.


--
Kostas Kalevras     Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone:     +30 10 7721861
'Go back to the shadow' Gandalf




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problem with PAP modules in FreeRadius 0.6!

2002-07-11 Thread Deramus, Chris
Title: RE: Problem with PAP modules in FreeRadius 0.6!





Kostas,


I'm sorry I haven't done a CVS update yet. I should just go to ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/ and download the latest snapshot. Do I do a configure, make, and make install like when installing free-radius from scratch, or will it just update my files?

Thanks for your assistance.


Cordially,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 11, 2002 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: Re: Problem with PAP modules in FreeRadius 0.6!


On Thu, 11 Jul 2002, Deramus, Chris wrote:


> I believe I have found a problem with the PAP module in FreeRadius 0.6. In
> our environment, we have a production box, running FreeRadius 0.5 and a
> development box running 0.6
>
> We're using MySQL for user authorization and PAP for password
> authentication. Passwords are using MD5 encryption in the database. I made a
> test user on both the 0.5 server, and the 0.6 server. I then verified all
> information and tried connecting with each. The 0.5 server has no problem
> with the entered information, however, 0.6 can't seem to encrypt correctly
> to match up the password with the one in the database. When I take off MD5
> encryption and do Clear-Text it goes through beautifully in 0.6.
>
> Did something change with the MD5 part of the module, or is there something
> missing? I ran radiusd -X on both boxes and compared my results and they are
> 100% identical with the exception of 0.5 going through and 0.6 rejecting the
> user.
>
> Thanks,
>
> Chris


Yes I introduced a stupid bug in MD5 and SHA1. Do a cvs update on the rlm_pap
module and things should work ok again.


--
Kostas Kalevras     Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone:     +30 10 7721861
'Go back to the shadow' Gandalf



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Problem with PAP modules in FreeRadius 0.6!

2002-07-11 Thread Deramus, Chris
Title: Problem with PAP modules in FreeRadius 0.6!





I believe I have found a problem with the PAP module in FreeRadius 0.6. In our environment, we have a production box, running FreeRadius 0.5 and a development box running 0.6 

We're using MySQL for user authorization and PAP for password authentication. Passwords are using MD5 encryption in the database. I made a test user on both the 0.5 server, and the 0.6 server. I then verified all information and tried connecting with each. The 0.5 server has no problem with the entered information, however, 0.6 can't seem to encrypt correctly to match up the password with the one in the database. When I take off MD5 encryption and do Clear-Text it goes through beautifully in 0.6. 

Did something change with the MD5 part of the module, or is there something missing? I ran radiusd -X on both boxes and compared my results and they are 100% identical with the exception of 0.5 going through and 0.6 rejecting the user.

Thanks,


Chris





Someone please help???

2002-07-09 Thread Deramus, Chris
Title: Someone please help???





To all,


I've posted 3 times regarding this matter, and I'm not getting any response. I realize this seems like a very newbie question, if it is then I am sorry to waste your time but I would love a response at least.

I cannot get any rlm_ modules to load when I start radiusd -X ... it lists the path to the libraries, but doesn't seem to load any like in the previous versions. I've triple checked just about everything I can think of, including ld.so.conf, and I typed ldconfig and still no go. Please help!

Thanks





RE: FreeRADIUS 0.6.0 Module HELP!

2002-07-09 Thread Deramus, Chris





To all,


I have no idea why, but when I run radiusd -X it loads fine and is listening on the proper ports, but doesn't load ANY modules. I have sql, preprocess, files, pap, etc. configured properly in radiusd.conf and I have the library path pointing to the appropriate directory, yet it still won't load any modules.

Is there a different way of configuring radiusd.conf in 0.6 ?


Please help; I posted a similar response before the 4th of July and got no response.


Thanks for your time,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Frank Cusack [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 03, 2002 2:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: FreeRADIUS 0.6.0 has been released


On Wed, Jul 03, 2002 at 10:50:58AM -0400, Alan DeKok wrote:
>   FreeRADIUS 0.6.0 has just been released.


Hats off to Alan and the other contributors!







FreeRadius 0.6 + MySQL Question

2002-07-03 Thread Deramus, Chris








To all:

I just recently downloaded the new version of FreeRadius and am configuring it on a test box before deploying it into our current setup. I set it up just about exactly the same as 0.5; however, I'm having trouble getting authentication to work. I ran radiusd -xx > log and viewed the log file afterwards; unlike 0.5, it doesn't even echo out that it's loading SQL, or connecting to the SQL database.

Is this supposed to be an underlying event that isn't displayed in the logs, or is MySQL just not even being loaded? I have the module defined and everything in sql.conf and radiusd.conf... this is definitely odd.

Thanks,

Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 








RE: Re[6]: MS-CHAP V2 Question

2002-06-24 Thread Deramus, Chris





I think I'm not describing our goal well enough. I'm trying to use MS-CHAP v2 because of its ability to make passwords expire after a certain time. In the dictionary file, there's an attribute called "Expiration". I'm not 100% sure, but this to me seems like an attribute to say that the account is expired?

How is this judged: if the date given on that attribute is less than the date the user connects? We could jerry rig something if this is possible. Or, is there any way to configure MS-CHAP authentication to prompt the user for a password change after x amount of log-ins? I believe the first way would be the best personally. From what I can tell we could have the users log on with a default password, and inform them that they have 5 days to go to a URL which we provide. That website has a password change webfront using PHP, and the string entered is then passed into the mySQL backend. This would automate the process very nicely and make the administration of 3000 passwords a bit easier =)

Let me know what you think, thanks!


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 21, 2002 2:52 AM
To: Deramus, Chris
Subject: Re[6]: MS-CHAP V2 Question


Dear Deramus, Chris,


Behavior like this is not intended to be a RADIUS feature. You can
implement it by means of your database (set a trigger on the accounting
table and lock the account in the database when the accounting record is inserted).


--Thursday, June 20, 2002, 10:01:49 PM, you wrote to [EMAIL PROTECTED]:


DC> Thanks again, this is the last issue I'm running into.


DC> We're trying to implement a password feature that redirects users to a
DC> website to change their password upon first logging in. Is there a way to
DC> set the password usage limit to once, and then that password is null and
DC> void, or, just as good can I set a time limit on that password's validity of
DC> let's say 1-2 days? 


DC> I've been looking at the counter module and I guess maybe it's possible in
DC> that but something tells me I'm looking in the wrong places. Where should I
DC> begin?


DC> Appreciate it,


DC> Chris DeRamus 
DC> HQ VPN Administrator 
DC> Verizon 
DC> 301-903-2093 



DC> -Original Message-
DC> From: 3APA3A [mailto:[EMAIL PROTECTED]] 
DC> Sent: Thursday, June 20, 2002 10:33 AM
DC> To: Deramus, Chris
DC> Subject: Re[4]: MS-CHAP V2 Question


DC> Dear Deramus, Chris,




DC> --Thursday, June 20, 2002, 6:19:46 PM, you wrote to
DC> [EMAIL PROTECTED]:


DC>> Thanks for your fast reply. I downloaded
DC> freeradius-snapshot-20020620.tar.gz
DC>> from the CVS ftp mirror. Do I have to reconfigure the entire server? It
DC>> seems that this is going to over-write all my current configuration
DC> files,
DC>> so I should just back them up and I should be okay correct?


DC> do not make install, only make


DC>> Do I have to add any special configure options such as --static modules
DC>> (rlm_mschap) or anything? Thanks!


DC> Just  make the project and obtain smbencrypt from src/modules/rlm_mschap
DC> directory


DC>> Chris DeRamus 
DC>> HQ VPN Administrator 
DC>> Verizon 
DC>> 301-903-2093 



DC>> -Original Message-
DC>> From: 3APA3A [mailto:[EMAIL PROTECTED]] 
DC>> Sent: Thursday, June 20, 2002 10:09 AM
DC>> To: Deramus, Chris
DC>> Subject: Re[2]: MS-CHAP V2 Question


DC>> Dear Deramus, Chris,


DC>> smbencrypt is a command line tool. You can use it to generate an SQL script
DC>> with something like:


DC>> echo "INSERT INTO radcheck VALUES ('testacct', '"`smbencrypt
DC> testing1|cut
DC>> -f2`"');" > script.sql


DC>> to execute this script from file.



-- 
~/ZARAZA
Write more. And if there was any sense in your petition, then, without being shy,
explain what the matter is. (Twain)








Please Help!! -- Attribute Expiration Question

2002-06-21 Thread Deramus, Chris








I've been looking at using the Expiration attribute to make user accounts expire after 5 days if they do not change their password.

I set up my radreply table like this:

Id  Username  Attribute   Value                Op
1   testdate  Expiration  2002-06-20 12:00:00  :=

I chose that date randomly just to see if I could still connect to our VPN concentrator, and sure enough I could. I'm thinking that I possibly have the wrong date format; I also tried the following based on other documentation I found on the web:

2002 Jun 20 and Jun 20 2002 

Does FreeRadius have the logic to see that this account expired yesterday, and therefore not let it connect? Or is this something I'll have to jerry rig manually with something like a cronjob, etc.?

Thanks!

Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 








FW: MySQL Attribute Question

2002-06-21 Thread Deramus, Chris







Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Deramus, Chris 
Sent: Friday, June 21, 2002 11:09 AM
To: Deramus, Chris
Subject: RE: MySQL Attribute Question


I thought about something else Alan maybe you can verify this. We have a Cisco VPN 3030 Concentrator, and you are able to specify IP pools on each group you create. I have the group that this test account is logging into set to an ip pool of 172.16.2.41-50. 

I was under the impression that RADIUS attributes take precedence over NAS attributes, and the NAS attributes are only applied if the RADIUS server didn't apply those itself. Am I wrong ?

Thanks,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 


Alan,


I made the change you suggested, I tried every operator in that users file just in case, and still no go. Is there another module I have to load in radiusd.conf in order to allow these attributes to be passed? I've triple checked my typing to make sure I didn't just mis-type it and that isn't it.

Thanks for your time,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 20, 2002 4:38 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Attribute Question


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I have noticed that I have not been able to pass Attributes to the user-base
> with MySQL / PAP. 


> The table looks like this:
>
> Id  User     Attribute          Value         Op
> 1   testing  Framed-IP-Address  172.16.2.250  ==


  That's your problem.  'man 5 users', and see what it says for '=='.


  Change it to ':=', and it will work.


  Alan DeKok.







RE: MySQL Attribute Question

2002-06-21 Thread Deramus, Chris





Alan,


I made the change you suggested, I tried every operator in that users file just in case, and still no go. Is there another module I have to load in radiusd.conf in order to allow these attributes to be passed? I've triple checked my typing to make sure I didn't just mis-type it and that isn't it.

Thanks for your time,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 20, 2002 4:38 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Attribute Question


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I have noticed that I have not been able to pass Attributes to the user-base
> with MySQL / PAP. 


> The table looks like this:
>
> Id  User     Attribute          Value         Op
> 1   testing  Framed-IP-Address  172.16.2.250  ==


  That's your problem.  'man 5 users', and see what it says for '=='.


  Change it to ':=', and it will work.


  Alan DeKok.







MySQL Attribute Question

2002-06-20 Thread Deramus, Chris








I have noticed that I have not been able to pass Attributes to the user-base with MySQL / PAP. 

When I originally set up freeradius I used the built-in files (users, clients, etc.) and had no problem passing attributes to the users. I have attributes in the MySQL table radreply and it seems that everything is okay; however, those values are not getting passed back to the end-user. I have the cisco vsa hack turned on, and have set my radreply table up similar to the documentation page at http://www.frontios.com/freeradius.html

The table looks like this:

Id  User     Attribute          Value         Op
1   testing  Framed-IP-Address  172.16.2.250  ==
2   testing  Expiration         2002-06-20    ==

What I'm trying to do is figure out how to set up Framed IP addresses as well as make an account expire on a given day.

Let me know if I'm missing something, thanks.

Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 








RE: Re[4]: MS-CHAP V2 Question

2002-06-20 Thread Deramus, Chris





Thanks again, this is the last issue I'm running into.


We're trying to implement a password feature that redirects users to a website to change their password upon first logging in. Is there a way to set the password usage limit to once, and then that password is null and void, or, just as good, can I set a time limit on that password's validity of let's say 1-2 days? 

I've been looking at the counter module and I guess maybe it's possible in that but something tells me I'm looking in the wrong places. Where should I begin?

Appreciate it,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 20, 2002 10:33 AM
To: Deramus, Chris
Subject: Re[4]: MS-CHAP V2 Question


Dear Deramus, Chris,




--Thursday, June 20, 2002, 6:19:46 PM, you wrote to [EMAIL PROTECTED]:


DC> Thanks for your fast reply. I downloaded freeradius-snapshot-20020620.tar.gz
DC> from the CVS ftp mirror. Do I have to reconfigure the entire server? It
DC> seems that this is going to over-write all my current configuration files,
DC> so I should just back them up and I should be okay correct?


do not make install, only make


DC> Do I have to add any special configure options such as --static modules
DC> (rlm_mschap) or anything? Thanks!


Just  make the project and obtain smbencrypt from src/modules/rlm_mschap
directory


DC> Chris DeRamus 
DC> HQ VPN Administrator 
DC> Verizon 
DC> 301-903-2093 



DC> -Original Message-
DC> From: 3APA3A [mailto:[EMAIL PROTECTED]] 
DC> Sent: Thursday, June 20, 2002 10:09 AM
DC> To: Deramus, Chris
DC> Subject: Re[2]: MS-CHAP V2 Question


DC> Dear Deramus, Chris,


DC> smbencrypt is a command line tool. You can use it to generate an SQL script
DC> with something like:


DC> echo "INSERT INTO radcheck VALUES ('testacct', '"`smbencrypt testing1|cut
DC> -f2`"');" > script.sql


DC> to execute this script from file.





RE: Dialup Admin question

2002-06-03 Thread Deramus, Chris





Does it print out any messages? If you try adding a new user what happens? Do you have problem seeing the accounting information or everything? If you try to administer an active account, does it report that it didn't find it or does it show the user administration page ok?

The page loads fine. I click the Edit Users section in the left frame and it says user not found. I do a search for user 'TestRad' (which does exist because I'm currently logged in as him on my laptop) and it says User does not exist. 

The accounting page shows my attributes and gives me the selection to choose from, but when I hit the submit button it just resets the values and doesn't display anything (including error messages). When I enter new user information in the Add User section and then hit the enter button, the information disappears and that entry isn't added to the database. 

It doesn't display any active accounts even though I'm currently logged on right now. 


Thanks,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 






Dialup Admin question

2002-06-03 Thread Deramus, Chris








I know this service is mainly for Free Radius questions, but I figured since this product was written for FreeRadius that someone on here has had experience using it.

I have FreeRadius successfully working with MySQL for Authorization and PAP for authentication. The system works great and I'm very happy. I'm now trying to bring a web front online for added administration convenience. I have Dialup Admin installed and it seems to be working fine; however, it's not pulling any information from the MySQL database and tables. I've looked over the admin.conf file many times, and short of the basic configuration changes, are there any major changes that any of you had to make before this would begin to work?

Thanks,

Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 








RE: Problems with MySQL Auth-Type

2002-05-30 Thread Deramus, Chris





Simon,


Wow, I feel stupid =). I didn't realize all user IDs go in radcheck whether it's a group ID or not; thank you so much for everything. Your time is greatly appreciated. 

Everything's working now; the only thing I need to figure out is how to get the incoming IP address into accounting. Radacct gives the NAS IP Address as well as the Framed IP Address, but I cannot seem to get the PPP address to display. When I was first setting this up I remember seeing it in the Radius output when using radiusd -xx, but it doesn't seem to be included in the MySQL schema. It's something I'll have to take a look at; I'm sure there's documentation out there.

Thanks again Simon, I'll be sure to leave ya alone for a few days, hehe.


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Simon [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, May 30, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type


On Thu, May 30, 2002 at 09:27:32AM -0400, Deramus, Chris wrote:
> Simon,
> 
> I follow what you are saying, I changed a few tables per your suggestions,
> no success. I'm going to copy paste what I have, I apologize in advanced for
> the length of this post.
> 
> mysql> select * from radcheck;
> +----+----------+-----------+---------+------+
> | id | UserName | Attribute | Value   | op   |
> +----+----------+-----------+---------+------+
> |  1 | TestRad  | Password  | TestRad | :=   |
> |  2 | Radius   | Password  | TestRad | :=   |
> +----+----------+-----------+---------+------+
> 2 rows in set (0.00 sec)


This looks fine.
Since you have cleartext passwords set also make sure that you have
encryption_scheme = clear in the pap section of the modules section in
radiusd.conf.


> mysql> select * from radgroupcheck;
> +----+-----------+-----------------+-------------+------+
> | id | GroupName | Attribute       | Value       | op   |
> +----+-----------+-----------------+-------------+------+
> |  1 | Radius    | Password        | TestRad     | :=   |
> |  2 | Radius    | Auth-Type       | PAP         | :=   |
> |  3 | Radius    | Framed-Protocol | PPP         | ==   |
> |  4 | Radius    | Service-Type    | Framed-User | ==   |
> +----+-----------+-----------------+-------------+------+
> 4 rows in set (0.00 sec)


Remove the row with id = 1.


> mysql> select * from radgroupreply;
> +----+-----------+--------------------+-------------+------+------+
> | id | GroupName | Attribute          | Value       | op   | prio |
> +----+-----------+--------------------+-------------+------+------+
> |  2 | Radius    | Framed-Protocol    | PPP         | ==   |    0 |
> |  3 | Radius    | Service-Type       | Framed-User | ==   |    0 |
> |  1 | Radius    | Auth-Type          | PAP         | :=   |    0 |
> |  4 | Radius    | Framed-Compression | None        | ==   |    0 |
> +----+-----------+--------------------+-------------+------+------+
> 4 rows in set (0.00 sec)


Remove row with id = 1, you don't set auth-type in radgroupreply.
Change all the other op fields to ':='.
Are you sure your NAS wants the above attributes in return? Just making
sure.


> mysql> select * from radgroup
> +----+----------+-----------+
> | id | UserName | GroupName |
> +----+----------+-----------+
> |  1 | TestRad  | Radius    |
> |  2 | Radius   | Radius    |
> +----+----------+-----------+
> 2 rows in set (0.00 sec)


This looks fine, if this is actually the usergroup table. Have you
updated the queries in sql.conf to reflect the table name change?
Using 'Radius' as both a username and groupname might get confusing
though.


> I am trying to send out the first authorization/authentication request as
> part of the Radius group. Multiple users will have this group name and group
> password. Next I want the user TestRad to authenticate himself. After these
> two authentication requests pass through, everything *should* be okay.


I think the whole group thing in your vpn-concentrator is what's
confusing the whole issue. I _believe_, though I could of course be wrong,
that your NAS will just send a "normal" radius auth packet when it wants
to authenticate the group, i.e. User-Name = "groupname". The whole group
bit used in the freeradius sql tables is just used internally by the
rlm_sql* modules for easier grouping handling of accounts/attributes.


Try making the changes I noted above; if that doesn't help, include the
output of 'radiusd -X' when you try logging on with one of your clients.


-- 
Simon








RE: Problems with MySQL Auth-Type

2002-05-30 Thread Deramus, Chris





Simon,


I follow what you are saying; I changed a few tables per your suggestions, no success. I'm going to copy and paste what I have; I apologize in advance for the length of this post.

mysql> select * from radcheck;
+----+----------+-----------+---------+------+
| id | UserName | Attribute | Value   | op   |
+----+----------+-----------+---------+------+
|  1 | TestRad  | Password  | TestRad | :=   |
|  2 | Radius   | Password  | TestRad | :=   |
+----+----------+-----------+---------+------+
2 rows in set (0.00 sec)


mysql> select * from radgroupcheck;
+----+-----------+-----------------+-------------+------+
| id | GroupName | Attribute       | Value       | op   |
+----+-----------+-----------------+-------------+------+
|  1 | Radius    | Password        | TestRad     | :=   |
|  2 | Radius    | Auth-Type       | PAP         | :=   |
|  3 | Radius    | Framed-Protocol | PPP         | ==   |
|  4 | Radius    | Service-Type    | Framed-User | ==   |
+----+-----------+-----------------+-------------+------+
4 rows in set (0.00 sec)


mysql> select * from radgroupreply;
+----+-----------+--------------------+-------------+------+------+
| id | GroupName | Attribute          | Value       | op   | prio |
+----+-----------+--------------------+-------------+------+------+
|  2 | Radius    | Framed-Protocol    | PPP         | ==   |    0 |
|  3 | Radius    | Service-Type       | Framed-User | ==   |    0 |
|  1 | Radius    | Auth-Type          | PAP         | :=   |    0 |
|  4 | Radius    | Framed-Compression | None        | ==   |    0 |
+----+-----------+--------------------+-------------+------+------+
4 rows in set (0.00 sec)


mysql> select * from radgroup
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | TestRad  | Radius    |
|  2 | Radius   | Radius    |
+----+----------+-----------+
2 rows in set (0.00 sec)


I am trying to send out the first authorization/authentication request as part of the Radius group. Multiple users will have this group name and group password. Next I want the user TestRad to authenticate himself. After these two authentication requests pass through, everything *should* be okay.

Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Simon [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, May 30, 2002 9:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type


On Thu, May 30, 2002 at 08:38:04AM -0400, Deramus, Chris wrote:
> Simon,
> 
> I got Authentication to work with the method you described, but that's only
> the first level. I realize that I can't make username, the group name. I
> guess I am not wording it correctly, let me try better this time =). 
> 
> The Cisco VPN Dialer has a setup section where the user must enter their
> group name and group password. When they attempt to connect to our VPN, it
> passes the group name and group password to the concentrator. If that group
> name and pass is authenticated either via RADIUS or it's the VPN's internal
> database, it then prompts the user to enter their username and password for
> themselves (individual authorization/authentication). There's no real way to
> bypass this dual authentication, unless we used Digital Certificates which
> at this point we really can't. So my question is, can I somehow *trick*
> FreeRadius into realizing that the first authorization/authentication
> request is the Group Name and Pass, and then it will still listen for
> another request (Username/Pass)? 


So the NAS is sending two auth requests to freeradius for every
connection? One for the groupname/grouppassword and one for the
username/password? Are the same groupnames/grouppasswords used by
multiple clients?
This doesn't look like it should really change anything, if the NAS
sends an "ordinary" auth request for the group authentication and
another auth request for the user authentication all you would need to
do is add an entry for the groupname/grouppassword in
radcheck/usergroup/radgroupcheck
and another entry in the same tables for the username/password.


It would be easier to answer your question if we knew what attributes
were sent in the auth requests for the group authentication and user
authentication respectively.


-- 
Simon








RE: Problems with MySQL Auth-Type

2002-05-30 Thread Deramus, Chris





Simon,


I got Authentication to work with the method you described, but that's only the first level. I realize that I can't make the username the group name. I guess I am not wording it correctly; let me try better this time =). 

The Cisco VPN Dialer has a setup section where the user must enter their group name and group password. When they attempt to connect to our VPN, it passes the group name and group password to the concentrator. If that group name and pass is authenticated, either via RADIUS or the VPN's internal database, it then prompts the user to enter their username and password for themselves (individual authorization/authentication). There's no real way to bypass this dual authentication, unless we used Digital Certificates, which at this point we really can't. So my question is, can I somehow *trick* FreeRadius into realizing that the first authorization/authentication request is the Group Name and Pass, and then it will still listen for another request (Username/Pass)? 

Thanks again for your patience,


Chris DeRamus 


-Original Message-
From: Simon [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 29, 2002 4:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type


On Wed, May 29, 2002 at 03:28:36PM -0400, Deramus, Chris wrote:
> Simon,
> 
> For the record you are the man :). I'm *almost* there and I do appreciate
> you being in a good today...it must be my lucky day.
> 
> I made the changes you suggested and I am now a step further, it does check
> the password file it seems, however it is almost like it's checking the
> radcheck table and not radgroupcheck. It seems that it's taking TestRad as
> the username, and not the group name. This could be the Cisco VPN client or
> maybe I should switch up the query order in sql.conf ? The VPN client first
> logs into the Group, and then prompts the user to enter their username and
> password into a popup dialogue box. It seems that this takes both entries at
> once, any way to change this?


I'm not sure I understand what you mean with the group part above, but
is it the username TestRad you're entering into the dialog box you're
prompted with?


> Thanks again Simon, I owe ya =)!
> 
>   User-Name = "TestRad"
>   User-Password = "\255\014\020e\345\377rG\305\014\000n\351\317\0349"
>   NAS-Port = 0
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   Tunnel-Client-Endpoint:0 = "63.188.96.2"
>   Attr-201588758 = "\000\000\000\005"
>   NAS-IP-Address = 172.16.0.2
>   NAS-Port-Type = Virtual


Your NAS is sending an auth packet with the attribute User-Name set to
TestRad. Just to make everything as simple as possible I suggest you do
the following (if it's PAP you want to use for authentication):


Add an entry to radcheck with:
UserName = TestRad
Attribute = Password   <-- Literally
Value = YourPassword
op = :=


Add an entry to usergroup with:
UserName = TestRad
GroupName = testgroup


Add an entry to radgroupcheck with:
GroupName = testgroup
Attribute = PAP
op = :=


Then set encryption_scheme in the pap section of the module section in
radiusd.conf to clear.


Does authentication/authorization work then?





RE: Problems with MySQL Auth-Type

2002-05-29 Thread Deramus, Chris





Simon,


For the record you are the man :). I'm *almost* there and I do appreciate you being in a good mood today... it must be my lucky day.

I made the changes you suggested and I am now a step further; it does check the password file, it seems, however it is almost like it's checking the radcheck table and not radgroupcheck. It seems that it's taking TestRad as the username, and not the group name. This could be the Cisco VPN client, or maybe I should switch up the query order in sql.conf? The VPN client first logs into the Group, and then prompts the user to enter their username and password into a popup dialogue box. It seems that this takes both entries at once; any way to change this?

Thanks again Simon, I owe ya =)!


    User-Name = "TestRad"
    User-Password = "\255\014\020e\345\377rG\305\014\000n\351\317\0349"
    NAS-Port = 0
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Tunnel-Client-Endpoint:0 = "63.188.96.2"
    Attr-201588758 = "\000\000\000\005"
    NAS-IP-Address = 172.16.0.2
    NAS-Port-Type = Virtual


modcall: entering group authorize
radius_xlat:  'TestRad'
sql_escape in:  'TestRad'
sql_escape out:  'TestRad'
sql_set_user:  escaped user --> 'TestRad'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(Username, 'TestRad') = 0 ORDER BY id'
rlm_sql: Reserving sql socket id: 9
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(Username, 'TestRad') = 0 ORDER BY id
sql_escape in:  'DEFAULT'
sql_escape out:  'DEFAULT'
sql_set_user:  escaped user --> 'DEFAULT'
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql: User DEFAULT not found and DEFAULT not found
rlm_sql: Released sql socket id: 9
  modcall[authorize]: module "sql" returns notfound
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "counter" returns noop
    users: Matched DEFAULT at 148
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type pap
auth: type "PAP"
modcall: entering group authenticate
rlm_pap: login attempt by "TestRad" with password TestRad
rlm_pap: Could not find password for user TestRad
  modcall[authenticate]: module "pap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Simon [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 29, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type


While I'm in a posting mood :)


On Wed, May 29, 2002 at 02:00:55PM -0400, Deramus, Chris wrote:
> Alan,
> 
> Thanks for your quick response, I will definitely give this a try. I like
> this product and I think it'll work out great once I can finish the
> configuration but let me ask you this. I realize this isn't your problem but
> I just wanted to see what you might suggest. If I set the Auth-Type to
> Local, and then use lets say PAP for example to internally authenticate. 


If you set Auth-Type to Local you won't be using PAP to authenticate;
set Auth-Type to PAP if you want PAP.
Local will (I think) only let you use cleartext passwords (and CHAP?) if
I'm reading the source correctly.


> We're trying to set up a web front, where all of this stuff can be changed
> without having to know any linux commands or mysql commands. I have the web
> front basically done, but tying it into FreeRadius would be nearly
> impossible from what I'm understanding. That means the p
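A sqlite3 model of the authorize-phase lookups in the log above, added here as an example (it is not FreeRADIUS code): the two SELECTs are the ones the log prints, the 'DEFAULT' fallback is what the log shows rlm_sql doing when the radcheck query returns no row, and the 'after' rows are the radcheck/usergroup/radgroupcheck entries Simon suggested, with the radgroupcheck row assumed to be Auth-Type := PAP as in his later listing. It shows why rlm_pap reported 'Could not find password' and what changes once those rows are in place.

```python
"""Offline model (sqlite3) of the authorize lookups seen in the radiusd -X
log above.  Added example, not FreeRADIUS code: the SELECTs are the ones
printed in the log, the 'DEFAULT' fallback is what the log shows rlm_sql
doing when the radcheck query returns nothing, and the 'after' rows are
the entries Simon suggested (radgroupcheck row assumed to be
Auth-Type := PAP, as in his later listing)."""

import sqlite3

# Queries as printed in the log.  sqlite has no STRCMP(), so '=' stands in
# for STRCMP(...) = 0 (assumption: equivalent for these plain ASCII names).
RADCHECK_QUERY = (
    "SELECT id,UserName,Attribute,Value,op FROM radcheck "
    "WHERE UserName = ? ORDER BY id"
)
RADGROUPCHECK_QUERY = (
    "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
    "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup "
    "WHERE usergroup.UserName = ? "
    "AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
)

# Constructed sample data.  "Before": the state in the log above, where
# TestRad has no radcheck row and no usergroup row, so rlm_pap finds no
# password.  "After": Simon's suggested entries, plus a DEFAULT usergroup
# row so the fallback query has something to return.
BEFORE_TABLES = (
    [],                                          # radcheck
    [],                                          # usergroup
    [(1, "Radius", "Auth-Type", "PAP", ":=")],   # radgroupcheck
)
AFTER_TABLES = (
    [(1, "TestRad", "Password", "TestRad", ":=")],
    [(1, "TestRad", "testgroup"), (2, "DEFAULT", "testgroup")],
    [(1, "testgroup", "Auth-Type", "PAP", ":=")],
)


def build_db(radcheck_rows, usergroup_rows, radgroupcheck_rows):
    """Create the three tables in memory with the column layout of the listings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (id INTEGER, UserName TEXT, Attribute TEXT,
                               Value TEXT, op TEXT);
        CREATE TABLE usergroup (id INTEGER, UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT,
                                    Value TEXT, op TEXT);
    """)
    conn.executemany("INSERT INTO radcheck VALUES (?,?,?,?,?)", radcheck_rows)
    conn.executemany("INSERT INTO usergroup VALUES (?,?,?)", usergroup_rows)
    conn.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?,?)",
                     radgroupcheck_rows)
    return conn


def sql_authorize(conn, username):
    """Return the (Attribute, Value, op) check items the SQL lookups yield.

    Mirrors the log: the per-user query runs first; if it matches no row,
    the group query runs for 'DEFAULT' instead of the real user name.
    """
    user_rows = conn.execute(RADCHECK_QUERY, (username,)).fetchall()
    group_user = username if user_rows else "DEFAULT"
    group_rows = conn.execute(RADGROUPCHECK_QUERY, (group_user,)).fetchall()
    # Both result sets are (id, name, Attribute, Value, op).
    return [(r[2], r[3], r[4]) for r in user_rows + group_rows]


def pap_password_for(check_items):
    """The check item rlm_pap needs: a Password value to compare against.

    Returns None when there is none, which is the 'Could not find password
    for user' case in the log.
    """
    for attr, value, _op in check_items:
        if attr == "Password":
            return value
    return None


if __name__ == "__main__":
    for label, tables in (("before", BEFORE_TABLES), ("after", AFTER_TABLES)):
        conn = build_db(*tables)
        for user in ("TestRad", "nobody"):
            items = sql_authorize(conn, user)
            print(f"{label:6} {user:8} items={items} "
                  f"password={pap_password_for(items)!r}")
```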

RE: Problems with MySQL Auth-Type

2002-05-29 Thread Deramus, Chris





I reloaded the default sql.conf and made the necessary changes; in my previous sql.conf I forgot I was commenting out a few queries, therefore it wasn't properly querying my database. With the default queries this is what I get. Instead of taking in TestRad as the groupname, it takes it in as the user-name. I'm no SQL expert, but there are a few around the workplace; is this a problem with the query itself, and the values just have to be toyed with?

The reason it says no password at the bottom is because I didn't want to specify a password in the users / clients.conf files. I was really hoping to figure out a way to have it authenticate through the radcheck / radgroupcheck tables; however, as Alan and you have told me, this isn't really possible. Was this possible in 0.4 or has it never been possible?

Ready to process requests.
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 172.16.0.2:3241, id=101, length=102
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 0, (1 handled so far)
    User-Name = "TestRad"
    User-Password = "U\352\221\231A\026A\202\231\227aG\221\204\312\254"
    NAS-Port = 0
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Tunnel-Client-Endpoint:0 = "63.188.96.2"
    Attr-201588758 = "\000\000\000\005"
    NAS-IP-Address = 172.16.0.2
    NAS-Port-Type = Virtual
modcall: entering group authorize
radius_xlat:  'TestRad'
sql_escape in:  'TestRad'
sql_escape out:  'TestRad'
sql_set_user:  escaped user --> 'TestRad'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(Username, 'TestRad') = 0 ORDER BY id'
rlm_sql: Reserving sql socket id: 9
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(Username, 'TestRad') = 0 ORDER BY id
sql_escape in:  'DEFAULT'
sql_escape out:  'DEFAULT'
sql_set_user:  escaped user --> 'DEFAULT'
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql: User DEFAULT not found and DEFAULT not found
rlm_sql: Released sql socket id: 9
  modcall[authorize]: module "sql" returns notfound
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "counter" returns noop
    users: Matched DEFAULT at 148
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user


Thanks,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 


Actually, after having another look I don't quite agree.


The lines:


radius_xlat: ''
rlm_sql: Reserving sql socket id: 4
MYSQL Error: Cannot get result
MYSQL Error: Query was empty


from the first mail in the thread would indicate that, umm.. the query
was empty. The message 'Query was empty' is, not very surprisingly,
exactly what libmysqlclient returns in mysql_error() for empty queries.
An empty query won't return much in the way of anything.


This looks like a messed up raddb/sql.conf; have you made any changes
to the queries in there?


Of course, I could very well be way off :)


-- 
Simon



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problems with MySQL Auth-Type

2002-05-29 Thread Deramus, Chris
Title: RE: Problems with MySQL Auth-Type
Alan,


Thanks for your quick response, I will definitely give this a try. I like this product and I think it'll work out great once I can finish the configuration, but let me ask you this. I realize this isn't your problem but I just wanted to see what you might suggest. If I set the Auth-Type to Local, and then use let's say PAP for example to internally authenticate.

We're trying to set up a web front, where all of this stuff can be changed without having to know any linux commands or mysql commands. I have the web front basically done, but tying it into FreeRadius would be nearly impossible from what I'm understanding. That means the password needs to also be stored in one of the configuration files correct? Such as clients.conf? Or is PAP just used to verify the password stored in the SQL database? 

Thanks again,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 29, 2002 1:50 PM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type


"Deramus, Chris" <[EMAIL PROTECTED]> wrote:
> I have another group which is using the VPN concentrator's method of
> authentication (it only supports 500 users however, and we require 1500 or
> more entries) and set that group up to pass all accounting information out to the
> Radius server on port 1813. It's logging VPN connections, so the MySQL
> module has to be configured properly I would think. I used the schema in
> /src/modules/rlm_sql/drivers/rlm_sql_mysql/ and it imported the correct
> tables. Is there a line that I'm missing my sql.conf or does it look like
> something is screwy in the radiusd.conf itself possibly?


  No, you've probably got the SQL module pulling password information
out of the SQL database.  That's OK.  The problem is that you're not
telling the server what to *do* with that password.


  I would suggest setting somewhere (DEFAULT in 'users' file?):


DEFAULT   Auth-Type := Local


  Which tells the server to look for a password, and to authenticate
against PAP/CHAP/whatever internally.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Problems with MySQL Auth-Type

2002-05-29 Thread Deramus, Chris
Title: RE: Problems with MySQL Auth-Type
MySQL is working on the accounting side when Radius requests are sent out.


I have another group which is using the VPN concentrator's method of authentication (it only supports 500 users however, and we require 1500 or more entries) and set that group up to pass all accounting information out to the Radius server on port 1813. It's logging VPN connections, so the MySQL module has to be configured properly I would think. I used the schema in /src/modules/rlm_sql/drivers/rlm_sql_mysql/ and it imported the correct tables. Is there a line that I'm missing in my sql.conf or does it look like something is screwy in the radiusd.conf itself possibly?

I can copy paste the entire conf files but I figured I wouldn't start out with that for now to make this thread a bit smaller in case other people experience this.

Thanks,


Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093 



-Original Message-
From: Simon [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 29, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type


On Wed, May 29, 2002 at 12:26:50PM -0400, Deramus, Chris wrote:
> I'm new to Free-Radius, I'll try to be as descriptive as possible. I have
> taken the advice of this board and read all documentation possible before
> asking this. I've searched on countless search engines for possible answers,
> and the only results I seem to come up with are pre Free Radius 0.5 answers.
> 
>  
> The current setup that we are running, is a Cisco 3030 Concentrator, which
> has dual-level authentication. First you have to authenticate with your
> group, and then you do individual level authentication. I set up my group
> table with a group name of TestRad and then setup a user TestUser which is
> affiliated to that group.


Not sure about this, but from what i've seen the group tables used in
sql with freeradius are only for easier 'grouping' of the users, to
be able to supply return attributes without setting them individually
etc. They're not used for any external types of groups.


> The big question is what do I put for an Auth-Type. On the net I have seen a
> lot of examples such as Auth-Type := Local however this is for Local
> authentication with the files such as clients, clients.conf, and users
> correct? I set the Auth-Type := sql and it is still doing the same thing. I
> tried setting the Authentication section of radiusd.conf to use the sql
> module, however, that was disabled in 0.5


SQL doesn't do authentication, only authorization.


> I have the rlm_sql_mysql module loaded correctly, it seems that it attempts
> to access my SQL database, but then returns an error message saying:
>  
> modcall: entering group authorize
> radius_xlat: 'TestRad'
> sql_escape in: 'TestRad'
> sql_escape out: 'TestRad'
> sql_set_user: escaped user --> 'TestRad'
> radius_xlat: ''
> rlm_sql: Reserving sql socket id: 4
> MYSQL Error: Cannot get result
> MYSQL Error: Query was empty
> rlm_sql_getvpndata: database query error
> rlm_sql: Released sql socket id: 4
>   modcall[authorize]: module "sql" returns noop
> modcall: group authorize returns noop
> auth: No Auth-Type configuration for the request, rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [TestRad]


Are you sure you have mysql set up correctly? The sql module doesn't seem
to be getting anything back from your mysql database; take a look at
the file src/modules/rlm_sql/drivers/rlm_sql_mysql from the radius
source, all the tables you need are there.


In the radcheck table, setting Attribute to Password, Value to a
plaintext password and Op to ':=' will use local authentication.
The same holds true for setting Attribute to Crypt-Password and doing an
'encrypt('password')' when you do an sql insert (so you don't have to
have plaintext passwords stored in the database).


You can also set a plaintext password then, for example, associate the
user with a group in the usergroup table and set an Auth-Type in the
radgroupcheck table, eg.:


mysql> select * from radgroupcheck;
+----+-----------+-----------+-------+------+
| id | GroupName | Attribute | Value | op   |
+----+-----------+-----------+-------+------+
|  1 | test2     | Auth-Type | PAP   | :=   |
+----+-----------+-----------+-------+------+


Would presumably work.



Taking a look at http://www.frontios.com/freeradius.html might help too.



Hope that helps.


-- 
Simon



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
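An added example, not code from this thread or from the FreeRADIUS project, that ties together the three pieces the thread argues about: the radcheck/usergroup/radgroupcheck lookup (with the DEFAULT fallback visible in Chris's debug output), the Auth-Type decision (Alan's `Auth-Type := Local` in the users file, Simon's `Auth-Type := PAP` in radgroupcheck), and what a PAP check actually does with the hidden User-Password seen on the wire. It stands in an in-memory SQLite database for MySQL, so the two authorize queries from the debug log use SQLite's `=` instead of MySQL's `STRCMP(...) = 0` and a bound parameter instead of `sql_escape`. The schema is a trimmed copy of the rlm_sql_mysql one, the rows, shared secret and Request Authenticator are constructed, only the cleartext `Password` check item is handled (Crypt-Password would need crypt(3)), and the rule that user-level items override group-level items is an assumption made for the example.

```python
"""Added example, not from the FreeRADIUS thread or project: emulate the
rlm_sql authorize step against radcheck/usergroup/radgroupcheck, then do the
Auth-Type Local/PAP comparison on a RFC 2865 hidden User-Password."""
import hashlib
import hmac
import sqlite3

# Trimmed copy of the rlm_sql_mysql schema (assumption: only the columns the
# thread's authorize queries touch are kept).
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""

# The two authorize queries from the debug output; SQLite '=' replaces MySQL's
# STRCMP(...) = 0 and a bound parameter replaces sql_escape.
USER_CHECK = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE UserName = ? ORDER BY id"
GROUP_CHECK = (
    "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
    "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup "
    "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
    "ORDER BY radgroupcheck.id"
)


def sql_authorize(conn, username):
    """Collect check items for username, then for DEFAULT, as rlm_sql does.
    Returns {Attribute: Value}, or None for 'User X not found and DEFAULT not
    found'. Assumption: user rows override group rows; operators are ignored."""
    for name in (username, "DEFAULT"):
        items = {}
        for _id, _grp, attr, value, _op in conn.execute(GROUP_CHECK, (name,)):
            items[attr] = value
        for _id, _usr, attr, value, _op in conn.execute(USER_CHECK, (name,)):
            items[attr] = value
        if items:
            return items
    return None


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: NUL-pad to 16-byte blocks, XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is what produced the opaque User-Password in the log."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password. Trailing NUL padding is stripped, so a password
    that itself ends in NUL bytes cannot survive the round trip (RFC limitation)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def authenticate(conn, username, hidden_pw, secret, authenticator):
    """Authorize via SQL, then do what Auth-Type Local/PAP does with a cleartext
    'Password' check item. The reject strings mirror the thread's debug lines."""
    items = sql_authorize(conn, username)
    if items is None or "Auth-Type" not in items:
        return "reject: No Auth-Type configuration for the request"
    if items["Auth-Type"] not in ("Local", "PAP"):
        return "reject: Auth-Type %s not handled in this example" % items["Auth-Type"]
    if "Password" not in items:
        return "reject: No password configured for the user"
    cleartext = unhide_password(hidden_pw, secret, authenticator)
    if hmac.compare_digest(cleartext, items["Password"].encode()):
        return "accept"
    return "reject: Login incorrect"


def build_demo_db():
    """Constructed rows: TestUser has a cleartext Password and belongs to group
    TestRad, whose radgroupcheck row sets Auth-Type := PAP (Simon's layout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO radcheck(UserName,Attribute,op,Value) VALUES (?,?,?,?)",
                 ("TestUser", "Password", ":=", "s3cret"))
    conn.execute("INSERT INTO usergroup VALUES (?,?)", ("TestUser", "TestRad"))
    conn.execute("INSERT INTO radgroupcheck(GroupName,Attribute,op,Value) VALUES (?,?,?,?)",
                 ("TestRad", "Auth-Type", ":=", "PAP"))
    return conn


if __name__ == "__main__":
    SECRET, AUTH = b"testing123", bytes(range(16))  # constructed NAS secret / Request Authenticator
    db = build_demo_db()
    good = hide_password(b"s3cret", SECRET, AUTH)
    print("TestUser / s3cret  :", authenticate(db, "TestUser", good, SECRET, AUTH))
    print("TestUser / wrong   :", authenticate(db, "TestUser", hide_password(b"wrong", SECRET, AUTH), SECRET, AUTH))
    # Sending the group name as User-Name, as in the thread, matches no rows at all.
    print("TestRad as user    :", authenticate(db, "TestRad", good, SECRET, AUTH))
```

The last call is the thread's situation: the concentrator sends the group name in User-Name, so neither the radcheck nor the usergroup join finds a row, DEFAULT has none either, and the request is rejected before any password is looked at. Note also why the User-Password value in the log is unreadable but not safe: it is hidden with MD5 keyed on the shared secret, not encrypted with anything stronger, so the secret and a captured packet are enough to recover it.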





Problems with MySQL Auth-Type

2002-05-29 Thread Deramus, Chris
I'm new to Free-Radius, I'll try to be as descriptive as possible. I have taken the advice of this board and read all documentation possible before asking this. I've searched on countless search engines for possible answers, and the only results I seem to come up with are pre Free Radius 0.5 answers.

The current setup that we are running is a Cisco 3030 Concentrator, which has dual-level authentication. First you have to authenticate with your group, and then you do individual level authentication. I set up my group table with a group name of TestRad and then set up a user TestUser which is affiliated to that group.

The big question is what do I put for an Auth-Type. On the net I have seen a lot of examples such as Auth-Type := Local, however this is for Local authentication with the files such as clients, clients.conf, and users, correct? I set the Auth-Type := sql and it is still doing the same thing. I tried setting the Authentication section of radiusd.conf to use the sql module, however, that was disabled in 0.5.

I have the rlm_sql_mysql module loaded correctly, it seems that it attempts to access my SQL database, but then returns an error message saying:

modcall: entering group authorize
radius_xlat: 'TestRad'
sql_escape in: 'TestRad'
sql_escape out: 'TestRad'
sql_set_user: escaped user --> 'TestRad'
radius_xlat: ''
rlm_sql: Reserving sql socket id: 4
MYSQL Error: Cannot get result
MYSQL Error: Query was empty
rlm_sql_getvpndata: database query error
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns noop
modcall: group authorize returns noop
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.
Login incorrect: [TestRad]

I apologize for seeming like an idiot or any confusion I may be causing but I am totally out of ideas, I appreciate your time.

 

Cordially,

 

Chris DeRamus 
HQ VPN Administrator 
Verizon 
301-903-2093