Re: Number of MySQL connections needed?

2003-12-18 Thread Kostas Kalevras
On Thu, 18 Dec 2003, Kristina Pfaff-Harris wrote:


 Heya, all. This might be a silly question, but can anyone tell me a rule
 of thumb to figure out how many MySQL connections (num_sql_socks in the
 config) to configure based on ... heck, I don't know ... something like
 number of people dialed up at the same time? It's a bit difficult to say
 how many users I have simultaneously using FR, since the logs/debug stuff
 is sequential.

 Currently using 24 connections for auth and 24 for accounting. I'm
 wondering if I really need that many or if I should add more.

 Any ideas? What I've got seems to work: I'm just trying to be a little
 more scientific about it. Pointers to docs appreciated if this is in the
 docs and I missed it!

See doc/tuning_guide

In any case it depends on how fast your sql server responds to queries. One way
is to do a 'SHOW PROCESSLIST;' in mysql during radius peak time.
If you see active threads put in a few sql connections more than the maximum
number of active threads.
A more scientific solution is to increase the connection pool if you get 'out of
sql sockets' errors in radius.log :-)


 Thanks!

 Kristina


 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Getting no results with LDAP

2003-12-16 Thread Kostas Kalevras
On Tue, 16 Dec 2003, Sevcik Berndt wrote:

 Thanks for the tip with the NT Domain hack Brian.

 Another problem is the LDAP Query itself. I get no result for my Username.
 But the User exists and when I use the ldapsearch command with the
 same filter I also get a result.

 I use the latest CVS Version of Freeradius
 and openLDAP Version 2.1.22-1

 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for sevcikb
 radius_xlat:  '(uid=sevcikb)'
 radius_xlat:  'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter 
 (uid=sevcikb)
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: search failed
 ldap_release_conn: Release Id: 0

Check your ldap server ACIs
Check your ldap server logs

freeradius normally just uses the openldap libs (which are used by ldapsearch)
so there should be some kind of difference between the queries run by each one.


 Here's my config:

  ldap {
 server = localhost
 identity = cn=admin,dc=tgm,dc=ac,dc=at
 password = xxx
 basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})

 # base_filter = (objectclass=radiusprofile)

 # set this to 'yes' to use TLS encrypted connections
 # to the LDAP database by using the StartTLS extended
 # operation.
 # The StartTLS operation is supposed to be used with normal
 # ldap connections instead of using ldaps (port 689) connections
 start_tls = no

 # tls_cacertfile= /path/to/cacert.pem
 # tls_cacertdir = /path/to/ca/dir/
 # tls_certfile  = /path/to/radius.crt
 # tls_keyfile   = /path/to/radius.key
 # tls_randfile  = /path/to/rnd
 # tls_require_cert  = demand

 # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 # profile_attribute = radiusProfileDn
 #   access_attr = dialupAccess

 # Mapping of RADIUS dictionary attributes to LDAP
 # directory attributes.
 dictionary_mapping = ${raddbdir}/ldap.attrmap

 ldap_connections_number = 5

 #
 # NOTICE: The password_header directive is NOT case insensitive
 #
 # password_header = {clear}
 #
 #  The server can usually figure this out on its own, and pull
 #  the correct User-Password or NT-Password from the database.
 #
 #  Note that NT-Passwords MUST be stored as a 32-digit hex
 #  string, and MUST start off with 0x, such as:
 #
 #   0x000102030405060708090a0b0c0d0e0f
 #
 #  Without the leading 0x, NT-Passwords will not work.
 #  This goes for NT-Passwords stored in SQL, too.
 #
 password_attribute = ntPassword
 # groupname_attribute = cn
 # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 # groupmembership_attribute = radiusGroupName
 timeout = 4
 timelimit = 3
 net_timeout = 1
 # compare_check_items = yes
 # do_xlat = yes
 # access_attr_used_for_allow = yes
 }

 Thanks for help
 Berndt





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Freeradius Ip address assignation

2003-12-16 Thread Kostas Kalevras
On Tue, 16 Dec 2003, Oliver Graf wrote:

 On Tue, Dec 16, 2003 at 12:46:18PM -0600, Anson Rinesmith wrote:
  I've been trying to get this to work. What must I enable and where to get
  freeradius to manage the IP pools. I have the setup mentioned with an OSPF
  setup using ASCEND products that can do dynamic routing. It keeps trying to
  look for it in my SQL db.

 I would opt for configuring some pools and go... an example is in the
 standard radiusd.conf.

 Each pool should have its own db file I would say. But I don't think
 it does something in sql, it uses gdbm db files.

 Sorry, I can't be of more help, cause I never used this. From the one
 look I took at it a minute ago, I would ask myself the question: how
 does the radiusd sense a disconnect?

 A quick look in the sources shows that it does this by looking at the
 stop records. Be sure it sees all (here is the place where you
 certainly will lose some IPs over time). And there seems to be a
 tool called rlm_ippool_tool to clean up those stuck entries. Perhaps
 with a script that checks those sessions via snmp...

rlm_ippool will also clear an entry if an access-request comes in on an assigned
nas/port combination. So as long as accounting works ok and the ip pool is not
full rlm_ippool should be able to find a free entry.


 Oliver (still feeling good using nas-side pools).

Me too. There's very little reason in using server side pools.





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Digital Cert + Username/Password against LDAP = ???

2003-12-15 Thread Kostas Kalevras
On Sun, 14 Dec 2003, Patrick Mowry wrote:

 Hello,

 I have a requirement for two stage authentication for wireless networks.
 Before the wireless Windows 2000/XP client is even allowed to reach the
 domain, it must authenticate to the network with Digital Certs issued
 from an iPlanet certificate server (EAP-TLS) and also a
 username/password against LDAP.  Would this be EAP-TTLS?  If someone can
 point me to the correct keyword I'm sure I can figure it out from there.

Yes that would be EAP-TTLS.
You can also set the EAP-TLS-Require-Client-Cert attribute to 1 so that the TLS
code will also require a valid client certificate


 Thanks,

 -Patrick



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: There are no DB handles to use! skipped 0, tried to connect 0

2003-12-15 Thread Kostas Kalevras
On Tue, 16 Dec 2003, Ripunjay Bararia wrote:

 thanks Alan, for the comment,

 My SQL server and FR are running on the same box,
 will separating them be a good idea,
 I need to do AAA for about 1500 concurrent users
 what kind of a machine would I need for FR
 and how much load will it put on the MySQL server
 so that I can scale both of the machines accordingly

 currently both are running on

 P-IV 2.6
 Intel 856 based board
 512MB DDR 266Mhz
 9.1GB X 2 SCSI disks

The hardware is more than adequate. And there's no need to separate them.

Read doc/tuning_guide and especially the section on the sql module.
In general for mysql EXPLAIN SELECT is your friend. Run all the SELECT queries
(and also transform all the UPDATE queries to corresponding SELECT queries)
through an EXPLAIN SELECT statement to see how many candidate rows are there.
Example outputs:

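mysql> explain select * from radacct where acctstoptime is null;
+---------+------+---------------+--------------+---------+-------+------+-------------+
| table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
+---------+------+---------------+--------------+---------+-------+------+-------------+
| radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |  315 | Using where |
+---------+------+---------------+--------------+---------+-------+------+-------------+
                                                                      ^
1 row in set (0.02 sec)

mysql> explain select * from radacct where acctstoptime = '2003-12-15 21:00:00';
+---------+------+---------------+--------------+---------+-------+------+-------------+
| table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
+---------+------+---------------+--------------+---------+-------+------+-------------+
| radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |    1 | Using where |
+---------+------+---------------+--------------+---------+-------+------+-------------+
                                                                       ^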


The rows and possible_keys columns are important. If you see that the candidate
rows are more than a few, or that an index is never used (for example:

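mysql> explain select * from radacct where acctterminatecause = 'User-Request';
+---------+------+---------------+------+---------+------+--------+-------------+
| table   | type | possible_keys | key  | key_len | ref  | rows   | Extra       |
+---------+------+---------------+------+---------+------+--------+-------------+
| radacct | ALL  | NULL          | NULL |    NULL | NULL | 971518 | Using where |
+---------+------+---------------+------+---------+------+--------+-------------+
1 row in set (0.00 sec)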

then you should either rearrange your queries to use a proper index (like using
the acctuniqueid column in the accounting_stop query) or add a corresponding
index.

If you are using MySQL 3.X maybe you should think of moving to 4.X and to the
InnoDB tables (instead of MyISAM which have global instead of per row locking).

Hope the above was helpful.



 thanks
 Ripunjay Bararia

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
  Sent: Monday, December 15, 2003 10:19 PM
  To: [EMAIL PROTECTED]
  Subject: Re: There are no DB handles to use! skipped 0, tried to connect 0
 
 
  Ripunjay Bararia [EMAIL PROTECTED] wrote:
   --- radius.log begin ---
   Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
 
Find out why your SQL database is slow.
 
Alan DeKok.
 
 




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
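
The query audit described in the message above, as an added example that is not part of the original post or of FreeRADIUS: it rewrites an UPDATE into the corresponding SELECT and asks the planner whether an index is used. SQLite's EXPLAIN QUERY PLAN stands in for MySQL's EXPLAIN SELECT so the block runs offline; the cut-down radacct table, the index names and the sample queries are constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-in for radacct: only the columns these queries touch.
# Indexes exist on acctstoptime and acctuniqueid, none on the other columns.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    acctuniqueid       TEXT NOT NULL,
    username           TEXT NOT NULL,
    acctstoptime       TEXT,
    acctterminatecause TEXT
);
CREATE INDEX acctstoptime_idx ON radacct (acctstoptime);
CREATE INDEX acctuniqueid_idx ON radacct (acctuniqueid);
"""

_UPDATE_RE = re.compile(
    r"^\s*UPDATE\s+(?P<table>\w+)\s+SET\s+.+?\s+WHERE\s+(?P<where>.+?);?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def update_to_select(sql):
    """Turn 'UPDATE t SET ... WHERE cond' into 'SELECT * FROM t WHERE cond'."""
    m = _UPDATE_RE.match(sql)
    if m is None:
        # An UPDATE without a WHERE clause touches every row; nothing to plan.
        raise ValueError("not an UPDATE ... WHERE statement: %r" % sql)
    return "SELECT * FROM %s WHERE %s" % (m.group("table"), m.group("where"))


def access_path(conn, sql):
    """Return 'index' or 'full scan' for one query, judged from the plan."""
    if sql.lstrip().upper().startswith("UPDATE"):
        sql = update_to_select(sql)
    # The fourth column of each plan row is the human-readable detail string.
    details = [row[3] for row in conn.execute("EXPLAIN QUERY PLAN " + sql)]
    # "SCAN ..." means every row is a candidate; "SEARCH ... USING INDEX"
    # means the index narrows the candidates first.
    return "full scan" if any(d.startswith("SCAN") for d in details) else "index"


def audit(queries):
    """Plan every named query against the constructed schema."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        return {name: access_path(conn, sql) for name, sql in queries.items()}
    finally:
        conn.close()


# Constructed queries: the three SELECTs from the message, plus two forms of
# an accounting stop UPDATE (keyed on session id + user, and on acctuniqueid).
QUERIES = {
    "open_sessions": "SELECT * FROM radacct WHERE acctstoptime IS NULL",
    "stopped_at": "SELECT * FROM radacct "
                  "WHERE acctstoptime = '2003-12-15 21:00:00'",
    "by_cause": "SELECT * FROM radacct "
                "WHERE acctterminatecause = 'User-Request'",
    "stop_by_session": "UPDATE radacct SET acctstoptime = '2003-12-15 21:05:00', "
                       "acctterminatecause = 'User-Request' "
                       "WHERE acctsessionid = '0000A1B2' AND username = 'alice'",
    "stop_by_uniqueid": "UPDATE radacct SET acctstoptime = '2003-12-15 21:05:00', "
                        "acctterminatecause = 'User-Request' "
                        "WHERE acctuniqueid = 'uid000007'",
}

if __name__ == "__main__":
    for name, path in audit(QUERIES).items():
        print("%-18s %s" % (name, path))
```
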



Re: Eap ttls and LDAP

2003-12-10 Thread Kostas Kalevras
On Wed, 10 Dec 2003, Arthur EBEL wrote:

 Hi,
 I am using freeradius 0.9.3 on a linux box
 I have found the eap_ttls module in the CVS tree
 How to install it ???

./configure
make
make install


 Can anyone explain to me the interest of using EAP TTLS + LDAP

 I don't want to use a personal certificate but only the login and ldap passwd
 of the person

 Is TTLS+LDAP a good solution to do that ???

Yes it is.


 Has anyone tested it ??? Any recommendations ???

It works out of the box. Just uncomment the necessary modules in the
authorize/authenticate sections and configure the eap(tls/ttls) and ldap
modules.


 Thanx





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: LDAP

2003-12-08 Thread Kostas Kalevras
On Mon, 8 Dec 2003, Arthur EBEL wrote:

 Hi :-)

 I would like to use freeradius and LDAP for authentication. Do you know where
 I can find documentation about this kind of configuration?

doc/rlm_ldap


 Does anyone have experience with that ???

Quite a few people have managed to make it work.






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Cisco AV-Pair

2003-12-08 Thread Kostas Kalevras
On Mon, 8 Dec 2003, Rohaizam Abu Bakar wrote:

 It's working for entry in users file.. thanks... how about entry from LDAP??

radiusReplyItem: Cisco-AVPair += outbound:send-secret=XXX

something like that


 --haizam

 - Original Message -
 From: Oliver Graf [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, December 05, 2003 7:13 PM
 Subject: Re: Cisco AV-Pair


  On Fri, Dec 05, 2003 at 05:06:11PM +0800, Rohaizam Abu Bakar wrote:
  
   Adding a few Cisco-AVPair value in entry... and tested but radtest only
 return one value...
 
  man 5 users
  Attribute += Value
 
  Oliver.
 
 





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: SOLVED?! ( was Re: BUG?! (was Re: date type attribute not added to accounting request using attr_rewrite)

2003-12-07 Thread Kostas Kalevras
On Sun, 7 Dec 2003, Alan DeKok wrote:

 Paul Sijben [EMAIL PROTECTED] wrote:
  I found now WHY a change in attr_rewrite when used in pre-Proxy does not
  work. It operates on request->packet rather than request->proxy.

   That should be fixed.

  Now the question is which ought to be fixed; the call to pre-proxy in
  proxy.c

   Absolutely not.  I don't know what you would change there, or why.

 or the pre-proxy chain that uses standard calls to operate on
  the request?

   I don't know what you mean by that, either.

   You said the module doesn't do what you expect.  Why not change the
 module?

   The configuration for the module currently allows it to search in
 the packet, config, or reply.  Why not add 'proxy' and 'proxy_reply'
 to that list?

OK fixed.


   Alan DeKok.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: obtain group membership from LDAP sever

2003-12-04 Thread Kostas Kalevras
On Thu, 4 Dec 2003, Marcelo Azola M. wrote:

 Hi:
 I need to obtain the group membership for a user that is created in a LDAP
 server, from the freeradius server.

 I configured freeradius to authenticate the user against the LDAP server, but
 it only validates the username
 and password. I need to know the group that the user belongs to, or

Did you check doc/rlm_ldap first??

 the cn value.

Add a line like:

checkItem   Hint   cn

in ldap.attrmap. That will map the user cn to the Hint attribute


 Best Regards.

 Marcelo Azola M.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Confusion over attribute types (date integer)

2003-11-29 Thread Kostas Kalevras
On Sat, 29 Nov 2003, James Nedila wrote:

 I'm trying to add an attr_rewrite rule to add an Event-Timestamp
 attribute to outgoing accounting requests.

 I've tried this in 0.7.1, and now 0.9.3.

 This attribute is listed as a 'date' type in the dictionary.
 The date type looks just like an integer...  but what is the difference?

 Here's what i've got in my radiusd.conf:

  attr_rewrite addEventTimestamp {
  attribute = Event-Timestamp
  searchfor = NULL
  searchin = packet
  replacewith = %l
  new_attribute = yes
  max_matches = 1
  append = no
  }



 When I send an accounting request, this module is called, and then
 segfaults.

 Here's what debug says:

 rad_recv: Accounting-Request packet from host 216.187.77.178:32804,
 id=159, length=174
  NAS-Port-Type = Virtual
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Acct-Session-Id = 445864c128c9a6f5989600ea2d05f10b
  Acct-Status-Type = Stop
  Acct-Authentic = RADIUS
  NAS-Identifier = FP_44
  User-Name = some user name
  NAS-IP-Address = XXX.XXX.XXX.XXX
  Called-Station-Id = 00:00:00:00:00:00
  Acct-Input-Octets = 0
  Acct-Output-Octets = 0
  Framed-IP-Address = 10.0.1.254
  Calling-Station-Id = 00:00:00:00:00:00
 modcall: entering group preacct for request 0
modcall[preacct]: module preprocess returns noop for request 0
 radius_xlat:  '1070138162'
 Segmentation fault



 I've done some digging on this, and if I modify the dictionary entry for
 Event-Timestamp to integer, the segfaults go away.

 Also, gdb says this is dying on line 344 of rlm_attr_rewrite.c, which is
 a debug line.

Fixed, thanks


 So my questions are: how are dates different from integers?
 And how are they treated differently than integers?

 Thanks,
 James






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Dialup Admin with PostgreSQL and NetSNMP support

2003-11-29 Thread Kostas Kalevras
On Fri, 28 Nov 2003, Guy Fraser wrote:

 Hmm...

 The updated version of dialup admin I sent in didn't seem to show
 up on the list.

 The attachment was 70kB, I presume that's why.

 Where should I send this updated source, so it can be tested, and
 put into the main source?

I'd rather prefer a patch to the current CVS version rather than the whole
thing. Either put it on a web page somewhere, or send it to me directly. Though
I don't use postgresql.


 --
 Guy Fraser
 Network Administrator
 The Internet Centre
 780-450-6787 , 1-888-450-6787

 There is a fine line between genius and lunacy, fear not, walk the
 line with pride. Not all things will end up as you wanted, but you
 will certainly discover things the meek and timid will miss out on.






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: dialupAccess...

2003-11-26 Thread Kostas Kalevras
On Wed, 26 Nov 2003, Rick Whitley wrote:

 Is there a way to tell freeradius that the dialupAccess is an attribute
 in a user object and not radiusprofile? I am using eDirectory as my ldap
 server and the RADIUS-LDAPv3 schema file is not compatible. I do not
 have the experience at this point to rewrite the schema file and have
 been unable so far to set dialupAccess in radius to equal
 rADIUSEnableDialAccess in eDirectory. Any thoughts or insight would be
 very appreciated.

Normally you would only have to change the access_attr configuration directive
from dialupAccess to rADIUSEnableDialAccess. Isn't that working? If not make
sure that freeradius can read that attribute from the corresponding ldap user
entries.


 I am running freeradius 0.9.2 on rh 9. The ldap authorization and
 authentication works. I just need to be able to disable a certain user
 without shutting down their ldap access altogether.

 thanks

 rick...
 Rom.5:8



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Free RADIUS tutorials or manuals?

2003-11-19 Thread Kostas Kalevras
On Wed, 19 Nov 2003, ylei wrote:


   Maybe you can't get what you want.

   I think the place to begin is reading RFC2865.

   And then you can download the freeradius source code,

   reading src/README, FAQ, etc.

   doc/README, aaa.txt, configurable_failover, module_interface,
 processing_users_file.

   And then you can practise with special rlm_XXX modules (google it for some
 Chinese articles), watching the output of radiusd -X,
 watching the code, asking this list.

   Just my opinion. :) Good luck.

There are actually a few HOWTOs for specific things:

http://www.frontios.com/freeradius.html (freeradius+mysql)
http://kstadler.ch/index.php?page=dialup
and
dialup_admin/doc/HOWTO (dialupadmin)
http://doris.cc/radius (freeradius+ldap)

along with the documentation floating around in the doc directory.
Maybe someone could volunteer to take all those small pieces and make a big
HOWTO out of it





   Hello World!
 = = = = = = = = = = = = = = = = = = = =
 ylei
 [EMAIL PROTECTED]






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Users in LDAP and mysql

2003-11-19 Thread Kostas Kalevras
On Wed, 19 Nov 2003, Costas Christonis wrote:

 Hi to all,
 I want to ask this:
 using freeradius, can you have users in LDAP and mysql, doing
 authentication from both simultaneously?

In general yes. Though you will probably need to play with Autz-Type and
Auth-Type to get that working ok











 Thanks a lot

 Costas A. Christonis
 Networking & Communications Centre
 Gallos Campus - University of Crete
 email: [EMAIL PROTECTED]
 http://www.ucnet.uoc.gr/





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Fw: Status... rlm_ldap problem

2003-11-18 Thread Kostas Kalevras
On Sun, 16 Nov 2003, Rohaizam Abu Bakar wrote:


  When running ldapsearch did you bind with the problematic DNs or with the
 admin
  DN? I would suggest trying to bind with the user DNs and see what happens

 I bind as admin DN but why i never received the error while running in
 FreeBSD 4.8.. only in FreeBSD 5.1 the problem appear.. both accessing the
 same LDAP server. Is there something to do with FreeBSD 5.1 ???

Probably different openldap lib versions. In any case try binding with the user
DN to see what will happen then.



  Also check out the ldap server logs for the freeradius bind operations.
 There
  should be something there that will explain what's happening. If there
 isn't run
  the ldap server in debug mode. I don't think there's much else to do in
 rlm_ldap
  to fix the problem.
 OK...

 --haizam

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: dialup_admin and postgresql

2003-11-18 Thread Kostas Kalevras
On Tue, 18 Nov 2003, Guy Fraser wrote:

 OK I almost got it working

 When I finish teasing it into shape, I'll post a patch if anyone wants one.

 If nobody wants the patch, where should I submit the fix?

Please do submit a fix. I would be really happy to have dialupadmin
definitely working with pg. The only thing is that i will have to make sure
that it works ok with mysql first.


 Guy Fraser wrote:

  Hi
 
  I have started to look at the dialup_admin for use with postgresql.
  I am using PostgreSQL 7.3.4, and FreeRadius 0.9.2.
 
  The problem I just discovered is that the PHP is looking for case
  sensitive column names when processing returned data.
 
  Example :
 
  while(($row = @da_sql_fetch_array($res,$config)))
  $member_groups[] = $row[GroupName];
 
  But the columns are not quoted in requests or inserts.
 
  Example :
 
  $res = @da_sql_query($link,$config,
  "INSERT INTO $config[sql_usergroup_table] (GroupName,UserName)
  VALUES ('$login','$new_member');");
 
  PostgreSQL requires double quotes to be around column names in order
  to maintain case sensitivity.
 
  As far as I know this can only be fixed by either ;
 
  a) lower casing all the column names in array requests.
 
  Example :
 
  while(($row = @da_sql_fetch_array($res,$config)))
  $member_groups[] = $row[groupname];
 
  b) Putting double quotes around all column names when creating
  the tables and performing operations on the tables.
 
  Example :
 
  $res = @da_sql_query($link,$config,
  "INSERT INTO $config[sql_usergroup_table]
  (\"GroupName\",\"UserName\")
  VALUES ('$login','$new_member');");
 
  Has anybody made dialup_admin work with PostgreSQL ?
 
  If you have an easier or better way of fixing this
  problem, I would like to know.
 
 
  Thank you, for your time.
 

 --
 Guy Fraser
 Network Administrator
 The Internet Centre
 780-450-6787 , 1-888-450-6787

 There is a fine line between genius and lunacy, fear not, walk the
 line with pride. Not all things will end up as you wanted, but you
 will certainly discover things the meek and timid will miss out on.







--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_ldap doesn't support multiple attribute-fields anymore?

2003-11-16 Thread Kostas Kalevras
On Fri, 14 Nov 2003, DMcLF wrote:

 hi,

 i just upgraded from freeradius 0.8.1 to 0.9.2, and i noticed that
 rlm_ldap doesn't support multiple (same) attribute fields anymore..
 anyone knows if this is on purpose, or a programming glitch?

 this isn't so nice for me, since i use a lot of these multiple
 attributes..
 for instance for cisco-avpairs & ip-routes.

 (i'm now using the old 0.8.1 module.. :P)

No it's just that now rlm_ldap honors operators. The default operator for the
reply attributes is =
So in your case you should use the += operator like this:

ldapattribute: += value

ie

radiusFilterId: 12
radiusFilterId: += 13


 grtz,
 dmclf
 --
 (o Lord of the Rings LITE(tm)
 //\-- by J.R.R. Tolkien
 V_/_Some guys take a long vacation to throw a ring into a volcano




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
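
A small model of the operator handling described in this message and in the earlier Cisco AV-Pair thread, as an added example that is not FreeRADIUS code. It assumes reply items follow the operator semantics documented in users(5) ("=" adds only when the attribute is absent, ":=" replaces, "+=" appends); the REPLY_MAP mapping and the sample entries are constructed.

```python
import re

# Constructed ldap.attrmap-style mapping: LDAP attribute -> RADIUS reply attribute.
REPLY_MAP = {"radiusFilterId": "Filter-Id"}
# Generic attribute whose value carries "Attribute op Value", as in the
# Cisco-AVPair example earlier on the page.
GENERIC_REPLY_ATTR = "radiusReplyItem"

_OPS = r"(\+=|:=|=)"
_MAPPED_RE = re.compile(r"^\s*" + _OPS + r"\s*(.*)$", re.DOTALL)
_GENERIC_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*" + _OPS + r"\s*(.*)$", re.DOTALL)


def parse_value(ldap_attr, raw):
    """Return (radius_attr, op, value) for one LDAP value, or None if unmapped."""
    if ldap_attr == GENERIC_REPLY_ATTR:
        m = _GENERIC_RE.match(raw)
        if m is None:
            raise ValueError("expected 'Attribute op Value', got %r" % raw)
        return m.group(1), m.group(2), m.group(3).strip()
    if ldap_attr not in REPLY_MAP:
        return None
    m = _MAPPED_RE.match(raw)
    if m is None:
        # No leading operator: the default for reply attributes is "=".
        return REPLY_MAP[ldap_attr], "=", raw.strip()
    return REPLY_MAP[ldap_attr], m.group(1), m.group(2).strip()


def apply_item(reply, attr, op, value):
    """Apply one item to the reply list (a list of (attr, value) pairs)."""
    present = any(a == attr for a, _ in reply)
    if op == "+=":
        reply.append((attr, value))           # always append
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))           # replace every earlier instance
    elif not present:
        reply.append((attr, value))           # "=": add only if not there yet
    # "=" with the attribute already present: the value is dropped.


def build_reply(entry):
    """entry: (ldap_attr, raw_value) pairs in the order the server returned them."""
    reply = []
    for ldap_attr, raw in entry:
        parsed = parse_value(ldap_attr, raw)
        if parsed is not None:
            apply_item(reply, *parsed)
    return reply


# Constructed entries. PLAIN is how multiple values were stored before
# operators were honored; WITH_OP is the form given in the reply above.
PLAIN = [("radiusFilterId", "12"), ("radiusFilterId", "13")]
WITH_OP = [("radiusFilterId", "12"), ("radiusFilterId", "+= 13")]
REORDERED = [("radiusFilterId", "+= 13"), ("radiusFilterId", "12")]
AVPAIRS = [
    ("radiusReplyItem", "Cisco-AVPair = constructed-first-value"),
    ("radiusReplyItem", "Cisco-AVPair += outbound:send-secret=XXX"),
]

if __name__ == "__main__":
    for name, entry in [("PLAIN", PLAIN), ("WITH_OP", WITH_OP),
                        ("REORDERED", REORDERED), ("AVPAIRS", AVPAIRS)]:
        print(name, build_reply(entry))
```

LDAP does not guarantee the order in which the values of a multi-valued attribute come back, and REORDERED shows that under this model a plain value arriving after a "+=" value is dropped, so putting "+=" on every value avoids depending on order.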



Re: dialup_admin

2003-11-16 Thread Kostas Kalevras
On Fri, 14 Nov 2003, apellido jr., wilfredo p wrote:

 Good day Mr. Kalevras, as you suggested I tried to
 create a script to perform a manual reset in the GDBM
 database (db.monthly). I want to synchronize the update
 of the GDBM database and MySQL. My question is: after
 successfully resetting a user's counter in the GDBM database,
 how can I update the user's status in dialup_admin?

dialupadmin only queries the sql database for accounting so as long as mysql
contains the correct data it will show the expected info.




 =
 wilfredo pahilanga apellido jr.
 technical support
 mactan online
 bacolod city, philippines
 +63 34 4348311

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Login into radius

2003-11-16 Thread Kostas Kalevras
On Sat, 15 Nov 2003, Zoup wrote:

 is it possible to log in to the radius server ( with some sort of tool like
 radtest ) somehow, so that radius thinks (!) the user is online ?

What do you mean by that? Test the user logon or make sure you get an
access-accept even if the radius server believes the user is online?

For the first you can just use radtest

For the second you can use radclient and send an extra attribute of your choice
which if set will unset Simultaneous-Use (you will have to create a
corresponding rule in the users file for that).


 i think it could be great test .
 --
 It's a poor workman who blames his tools.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Add Delete Modify Users

2003-11-14 Thread Kostas Kalevras
On Thu, 13 Nov 2003, Sanjiv Thakor wrote:

 I am new to using this Radius Server so please bear with me.  When I change
 a user's password in the users file or make some other change to the user's
 profile like change the Auth-Type from PAP to CHAP or something I have to
 restart the radius server.  Is there a more dynamic way to do this?

Yes, move your users file to a database (sql or ldap).


 Thanks in advance.

 Sanjiv



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: dialup_admin statistic report?

2003-11-14 Thread Kostas Kalevras
On Thu, 13 Nov 2003, apellido jr., wilfredo p wrote:

 Good day, why is it that User Statistic and Statistic
 Report don't show anything?

The User Statistics page will use the totacct tables. So they should contain
data for the page to display it (the data is created by running the tot_stats
script in the bin folder).
In any case enable sql debugging in dialupadmin and you should be able to figure
out what is happening.


 =
 wilfredo pahilanga apellido jr.
 technical support
 mactan online
 bacolod city, philippines
 +63 34 4348311

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dialupAccess attribute

2003-11-14 Thread Kostas Kalevras
On Thu, 13 Nov 2003, Rick Whitley wrote:

 If no one else is using eDirectory for ldap access is there an example of
 mapping the dialupAccess attribute for other ldap servers?

 thanks

 rick...
 Rom.5:8

  [EMAIL PROTECTED] 11/11/03 11:29AM 
 I have freeradius running on RH 9 doing ldap authentication to
 eDirectory within ttls. The one thing I can't find is how to map the
 dialupAccess attribute to eDirectory. We would like to be able to deny
 access based on the value of this. Is anyone using eDirectory for ldap
 with freeRadius? Any insight would be most appreciated.

See doc/RADIUS-LDAPv3.schema
It contains a definition for the dialupaccess attribute. You can use that in
your ldap server.


 thanks


 rick...
 Rom.5:8

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fw: Status... rlm_ldap problem

2003-11-14 Thread Kostas Kalevras
  max_requests = 256000
  hostname_lookups = yes
  allow_core_dumps = no
 
  start_servers = 20
  max_servers = 1024
  min_spare_servers = 10
  max_spare_servers = 20
 
 
  ldap ldap2 {
  server = 10.1.1.1
  identity = cn=Sysadmin,ou=Applications,dc=jaring,dc=my
  password = XX
  basedn = ou=People,dc=jaring,dc=my
  filter = (uid=%{Stripped-User-Name:-%{User-Name}})
  start_tls = no
  access_attr = dialupAccess
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 256
  timeout = 10
  timelimit =10
  net_timeout = 5
  }
 
 
 
  Hopefully above info good enough to troubleshoot the problem...
 
 
  --haizam
 
 
  - Original Message -
  From: Alan DeKok [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, November 10, 2003 10:47 PM
  Subject: Re: Status...
 
 
   Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
Hopefully in 1.0 release, rlm_ldap can work well with FreeBSD 5.1
Currently it has problem.. so i stick with FreeBSD 4.8 (and 4.9)
  
 Are you willing to tell us what those problems are?
  
 Alan DeKok.
  
   -
   List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
 
 
  -
  List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 



 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Time limits

2003-11-14 Thread Kostas Kalevras
On Fri, 14 Nov 2003, James Green wrote:

 Alan DeKok wrote:

 James Green [EMAIL PROTECTED] wrote:
 
 
 For example, if [EMAIL PROTECTED] logged in, we might have him on a 2 hours
 per day access permitted tariff.
 
 
 
   rlm_counter
 
 

 I guess then rlm_sqlcounter is the only way forward, since rlm_counter
 doesn't have any documentation that I can detect?

Daa??

Can you please just do a search for counter in radiusd.conf?


 James



 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Management Tools

2003-11-14 Thread Kostas Kalevras
On Wed, 12 Nov 2003, Anson Rinesmith wrote:



 Are there any web based management interfaces, for easily seeing what a user
 is doing? (connection speed, time online, etc) Polling freeRadius/MySQL,
 and getting the NAS IP and Port and querying the NAS for that information.

dialupadmin








--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: failed login (log_badlogins script)

2003-11-14 Thread Kostas Kalevras
On Fri, 14 Nov 2003, apellido jr., wilfredo p wrote:

 dialup_admin failed login doesn't show any report

 --
 sql debug
 -

 # login time server terminate cause callerid
 DEBUG(SQL,MYSQL DRIVER): Query: SELECT
 AcctStopTime,UserName,NASIPAddress,NASPortId,AcctTerminateCause,CallingStationId
 FROM radacct WHERE AcctStopTime = '2003-11-14
 20:20:24' AND AcctStopTime = '2003-11-14 19:50:24'
^^
Isn't it clear?

The failed logins page will by default only show the last 30 minutes (or as many
as you configure it through the general_most_recent_fl configuration directive
as IS described in admin.conf)

 AND (AcctTerminateCause LIKE 'Login-Incorrect%' OR
 AcctTerminateCause LIKE 'Invalid-User%' OR
 AcctTerminateCause LIKE 'Multiple-Logins%') ORDER BY
 AcctStopTime desc LIMIT 10;
 DEBUG(SQL,MYSQL DRIVER): Query Result:

 -

 when i tried to run log_badlogins, it takes so long to
 end. any suggestion, comment? thanks

That's what it is supposed to do. It does the equivalent of a
tail -f radius.log and logs the failed logins in the database.
It should run all the time.



 =
 wilfredo pahilanga apellido jr.
 technical support
 mactan online
 bacolod city, philippines
 +63 34 4348311

 If you can't hear me, it's because i'm in parentheses.


 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: rlm_sql: Stop packet with zero session length.

2003-11-14 Thread Kostas Kalevras
On Tue, 11 Nov 2003, DPL wrote:

 Hello,

 I am running FreeRADIUS 0.9.1 on Redhat 9.0 and MySQL 4.x
 with all the necessary MySQL stuff.  I have been working on
 setting up my radius accounting logs to go to MySQL.

 I am seeing the following errors in radius.log:
  Error: rlm_sql: Stop packet with zero session length.  (user '[EMAIL PROTECTED]', 
 nas '10.1.4.22')

 I can see the insert trying to be performed from the sql traces but I
 am not sure why the accounting stop insert is failing.

It's a feature of the rlm_sql module to not accept packets with zero session
length. You can disable it by undefining CISCO_ACCOUNTING_HACK in the Makefiles
and recompiling rlm_sql.


 Any suggestions or guidance on how to troubleshoot the problem
 would be appreciated.

 Thanks,

 Dave



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Still fighting to understand free RADIUS code

2003-11-14 Thread Kostas Kalevras
On Fri, 14 Nov 2003, German Viera wrote:

 Hi everybody,

 I am new to free RADIUS but I found it very useful and powerful. I had 
 configured it and made it work for different purposes, most of them with cisco 
 platforms.
 Right now I am trying to develop an application where I think freeRADIUS code 
 could help. I would like to ask (if somebody knows) which modules (files) from the 
 code are the ones in charge of setting up the RADIUS server. What I wanna do is to 
 code an application which hears for RADIUS requests (at first...to understand how 
 RADIUS protocol works) and translate the message. But I am confused on HOW TO ? to 
 hear the radius message .


 OK ...hope someone could help me

Read the radclient source. It's the easiest/best way.




 Regards,



 German Viera
 Montevideo
 Uruguay


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Still fighting to understand free RADIUS code

2003-11-14 Thread Kostas Kalevras
On Fri, 14 Nov 2003, German Viera wrote:

 Can you tell me which files are those , or in which folder I can find them ???

src/main/radclient.c

The function definitions are in src/include/libradius.h i think



 - Original Message -
 From: Kostas Kalevras [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, November 14, 2003 2:57 PM
 Subject: Re: Still fighting to understand free RADIUS code


  On Fri, 14 Nov 2003, German Viera wrote:
 
   Hi everybody,
  
   I am new to free RADIUS but I found it very useful and powerful. I
 had configured it and made it work for different purposes, most of them
 with cisco platforms.
   Right now I am trying to develop an application where I think
 freeRADIUS code could help. I would like to ask (if somebody knows) which
 modules (files) from the code are the ones in charge of setting up the RADIUS
 server. What I wanna do is to code an application which hears for RADIUS
 requests (at first...to understand how RADIUS protocol works) and translate
 the message. But I am confused on HOW TO ? to hear the radius message .
  
  
   OK ...hope someone could help me
 
  Read the radclient source. It's the easiest/best way.
 
  
  
  
   Regards,
  
  
  
   German Viera
   Montevideo
   Uruguay
  
 
  --
  Kostas Kalevras Network Operations Center
  [EMAIL PROTECTED] National Technical University of Athens, Greece
  Work Phone: +30 210 7721861
  'Go back to the shadow' Gandalf
 
  -
  List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: caller-id

2003-11-13 Thread Kostas Kalevras
On Tue, 11 Nov 2003, Juan Pablo Fava wrote:

 Hi!
 I can't get caller id to work, the feature is enabled in .conf file,  the
 phone lines have caller id enabled, but it doesn't work.

 any ideas?

1. What do you mean by caller id to work?

2. Run radiusd in debug mode and see what's happening. Maybe the callerid is not
sent in the radius packets


 Thanks in advance.

 --
 Juan Pablo Fava
  Ing. en Sistemas de Información
 Departamento Técnico de Informática
   Procuración General
  Buenos Aires



 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rlm_counter question

2003-11-12 Thread Kostas Kalevras
On Wed, 12 Nov 2003, CertaintyTech wrote:

 I have been looking at the rlm_counter module and as I understand it
 when the new month begins all accumulated values get reset to 0.  Is it
 possible to configure a counter that keeps track of the last 30 days
 where on day 31 it doesn't get reset to 0 but just deletes values for
 day 31 and always keeps a total of the last 30 days independent of the
 calendar.  Any ideas much appreciated.

No that cannot be done with rlm_counter due to how it works inside (just stores
a counter, not complete logs). You can probably do that with rlm_sqlcounter
though.


 ---
 Ed


 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Kostas Kalevras wrote:

 Hello, we are facing a problem when trying to test EAP-TTLS with the
 Meetinghouse AEGIS Client

 We are using a Cisco 2950 as an AP (EAPOL authentication) with recent IOS.

 freeradius latest cvs (two or three days old)
 Aegis 2.1.0
 OpenSSL 0.9.7c

 Unfortunately we haven't been able to find a sniffer capable of reporting the
 TLS traffic within an EAP-TTLS (or EAP-TLS for that matter) conversation.
 So I am mostly speculating what the problem is.

 As can be seen from the radiusd -X -xxx output after sending a TLS Hello with
 the server certificate the client returns with a TLS ACK. I am guessing that one
 TLS fragment got to the client and it is ACKing for another. Though the eap_tls
 module seems to not accept that ACK.
 From what i 've found the eaptls_ack_handler() never seems to be called. If it
 is an openssl or rlm_eap_tls module problem i don't know. From the documentation
 on openssl.org it seems that the handler will only be called if the received
 packet is ok so it can just be that the packet is malformed somehow.
 In any case I don't really know where to go from here. One thing that would help
 would be if someone confirmed that eap-ttls works with such a configuration.

OK that one was a typo. I was actually referring to cbtls_msg() function in cb.c
which is never called. And now that i think of it (and read the EAP-TLS RFC):

EAP-Message = 0x021100061500

So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get
called for a packet like this (it isn't an actual TLS segment in any case). As a
result i don't think that the checks run in the eaptls_ack_handler() function
can actually work. I 've removed them and now the TTLS session works much better
(i do get a core dump just before sending back the Access-Accept but i 'll
probably figure that one out).


 tls {
 private_key_password = 
 private_key_file = /etc/1x/private.pem
 certificate_file = /etc/1x/cert.pem
 CA_file = /etc/1x/CA.pem
 dh_file = /etc/1x/DH
 random_file = /etc/1x/random
 fragment_size = 1024
 #   include_length = no
 }

 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
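
The fragment ACK quoted in the message above (EAP-Message = 0x021100061500), decoded. This is an added example, not part of the original posts and not FreeRADIUS source: a small C parser for the EAP header and the EAP-TLS/TTLS flags octet. The names eap_classify(), eap_classify_hex() and eap_kind_t are hypothetical; the first two hex strings come from this thread, the third is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EAP codes and the EAP types that matter for this thread. */
enum { EAP_REQUEST = 1, EAP_RESPONSE = 2 };
enum { EAP_TYPE_IDENTITY = 1, EAP_TYPE_TLS = 13, EAP_TYPE_TTLS = 21 };

/* Flags octet that follows the type in EAP-TLS and EAP-TTLS packets. */
#define TLS_FLAG_LENGTH 0x80   /* L: four-octet TLS message length follows */
#define TLS_FLAG_MORE   0x40   /* M: more fragments follow                 */
#define TLS_FLAG_START  0x20   /* S: start of the TLS conversation         */

typedef enum {
    EAP_MALFORMED, EAP_NOT_TLS, EAP_TLS_START,
    EAP_TLS_FRAGMENT_ACK, EAP_TLS_DATA_MORE, EAP_TLS_DATA_LAST
} eap_kind_t;

typedef struct {
    uint8_t  code, id, type, flags;
    uint16_t length;        /* length field from the EAP header        */
    size_t   tls_data_len;  /* octets of TLS data after flags/length   */
} eap_info_t;

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode "0x..." or bare hex; returns octet count or -1 on bad input. */
static long hex_decode(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = 0;
    if (hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X')) hex += 2;
    while (hex[0] != '\0') {
        int hi = hex_nibble(hex[0]);
        int lo = (hex[1] != '\0') ? hex_nibble(hex[1]) : -1;
        if (hi < 0 || lo < 0 || n >= cap) return -1;
        out[n++] = (uint8_t)((hi << 4) | lo);
        hex += 2;
    }
    return (long)n;
}

/* Classify one EAP packet using only its framing, never TLS record state. */
eap_kind_t eap_classify(const uint8_t *p, size_t len, eap_info_t *info)
{
    size_t off = 6;                       /* code,id,len(2),type,flags */

    memset(info, 0, sizeof(*info));
    if (len < 4) return EAP_MALFORMED;
    info->code = p[0];
    info->id = p[1];
    info->length = (uint16_t)((p[2] << 8) | p[3]);
    if (info->length < 4 || info->length > len) return EAP_MALFORMED;
    if (info->code != EAP_REQUEST && info->code != EAP_RESPONSE)
        return EAP_NOT_TLS;               /* Success/Failure carry no type */
    if (info->length < 5) return EAP_MALFORMED;
    info->type = p[4];
    if (info->type != EAP_TYPE_TLS && info->type != EAP_TYPE_TTLS)
        return EAP_NOT_TLS;
    if (info->length < 6) return EAP_MALFORMED;   /* flags octet missing */
    info->flags = p[5];
    if (info->flags & TLS_FLAG_LENGTH) {
        if (info->length < 10) return EAP_MALFORMED;
        off = 10;                         /* skip TLS message length */
    }
    info->tls_data_len = (size_t)info->length - off;

    if (info->flags & TLS_FLAG_START) return EAP_TLS_START;
    /* No L, no M, no data: this is the fragment ACK from the thread. */
    if (info->tls_data_len == 0 &&
        !(info->flags & (TLS_FLAG_LENGTH | TLS_FLAG_MORE)))
        return EAP_TLS_FRAGMENT_ACK;
    return (info->flags & TLS_FLAG_MORE) ? EAP_TLS_DATA_MORE
                                         : EAP_TLS_DATA_LAST;
}

eap_kind_t eap_classify_hex(const char *hex, eap_info_t *info)
{
    uint8_t buf[4096];
    long n = hex_decode(hex, buf, sizeof(buf));
    if (n < 0) { memset(info, 0, sizeof(*info)); return EAP_MALFORMED; }
    return eap_classify(buf, (size_t)n, info);
}

int main(void)
{
    static const char *samples[] = {
        "0x021100061500",             /* from the thread: fragment ACK      */
        "0x020e000b01706170616765",   /* from the thread: EAP Identity      */
        "0x0212000c15c0000010001603"  /* constructed: first fragment, L+M   */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        eap_info_t info;
        eap_kind_t k = eap_classify_hex(samples[i], &info);
        printf("%s -> kind=%d id=%u type=%u tls_data=%zu\n", samples[i],
               (int)k, (unsigned)info.id, (unsigned)info.type,
               info.tls_data_len);
    }
    return 0;
}
```

A packet classified as a fragment ACK contains no TLS record, so a TLS message callback has nothing to fire on; whether the ACK is expected has to be decided from the server's own fragmentation state.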


Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Alan DeKok wrote:

 Kostas Kalevras [EMAIL PROTECTED] wrote:
  So we do get an EAP-TLS Fragment ACK. But the callback function will
  *never* get called for a packet like this (it isn't an actual TLS
  segment in any case). As a result i don't think that the checks run
  in the eaptls_ack_handler() function can actually work.

   Hm... I used the Aegis client to test the TTLS code, so it worked
 for me...

Probably with small enough certificates to not worry about fragmentation.


  I 've removed them and now the TTLS session works much better (i do
  get a core dump just before sending back the Access-Accept but i 'll
  probably figure that one out).

   Do you have a patch, with a little more detailed explanation as to
 what is going wrong, and why?

I am attaching the patch (though it just makes eaptls_ack_handler to return
immediately).

Let me try and outline the problem.

For TLS fragments the client will respond with an EAP-TTLS message with only one
zero data byte. This signifies a fragment ACK.
In eap_tls we have registered eaptls_msg as a callback function for all tls
messages which will set various variables like

state->info.origin = (unsigned char)write_p;
state->info.content_type = (unsigned char)content_type;
state->info.record_len = len;
state->info.version = msg_version;

Though since this one byte packet is *not* an actual TLS packet this function
will not run in this case. Nevertheless, eaptls_ack_handler currently will use
these variables to determine the nature of the received packet. As a result it
will fail and kill the EAP-TTLS (or EAP-TLS for that matter) session.
So the way i see it the fix is to just make eaptls_ack_handler a dummy function
which will just return EAPTLS_REQUEST. Though i don't know the eap module that
well to be sure that this is the correct solution.


   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Index: eap_tls.c
===
RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c,v
retrieving revision 1.18
diff -u -r1.18 eap_tls.c
--- eap_tls.c   23 Oct 2003 22:04:09 -  1.18
+++ eap_tls.c   10 Nov 2003 15:09:02 -
@@ -214,6 +214,12 @@
tls_session_t *tls_session;
 
tls_session = (tls_session_t *)handler-opaque;
+   if (tls_session == NULL){
+   radlog(L_ERR, rlm_eap_tls: Unexpected ACK received);
+   return EAPTLS_FAIL;
+   }
+   return EAPTLS_REQUEST;
+
if ((tls_session == NULL) ||
(tls_session-info.origin == 0)) {
radlog(L_ERR, rlm_eap_tls: Unexpected ACK received);
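
Review bot: the unconditional "return EAPTLS_REQUEST;" added straight after the new NULL check makes the original "if ((tls_session == NULL) || (tls_session-info.origin == 0))" test and everything below it unreachable, so every ACK on an existing session is answered with another request whether or not a fragmented message is actually outstanding. If the info.* checks cannot be valid for fragment ACKs, remove them in this patch instead of leaving dead code behind the return, and replace them with a test on what the server itself still has queued to send, so that an unsolicited ACK still ends in EAPTLS_FAIL. The duplicated "Unexpected ACK received" log line can then go as well, and a short comment saying why the callback-populated fields are not set for an ACK would save the next reader the same investigation.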


Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Kostas Kalevras wrote:

 OK that one was a typo. I was actually referring to cbtls_msg() function in cb.c
 which is never called. And now that i think of it (and read the EAP-TLS RFC):

 EAP-Message = 0x021100061500

 So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get
 called for a packet like this (it isn't an actual TLS segment in any case). As a
 result i don't think that the checks run in the eaptls_ack_handler() function
 can actually work. I 've removed them and now the TTLS session works much better
 (i do get a core dump just before sending back the Access-Accept but i 'll
 probably figure that one out).

For the core dump now:

Loaded symbols for /usr/libexec/ld-elf.so.1
#0  0x2844b337 in eaptls_gen_mppe_keys (reply_vps=0x81169b8, s=0x809ec00,
prf_label=0x14 <Address 0x14 out of bounds>)
at mppe_keys.c:136
136 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
(gdb) print s
$1 = (struct ssl_st *) 0x809ec00
(gdb) print s->s2
$2 = (struct ssl2_state_st *) 0x8117400
(gdb) print s->s3
$3 = (struct ssl3_state_st *) 0x0

In other words the s->s3 structure is NULL. I 've added a few debug statements
in rlm_eap_tls and rlm_eap_ttls and it seems to always be NULL. I don't know why
though. In any case that one is causing the core dumps. If there are no
objections i can add a few checks in eaptls_gen_mppe_keys() and
eapttls_gen_challenge() for s->s3 being NULL

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Alan DeKok wrote:

 Kostas Kalevras [EMAIL PROTECTED] wrote:
  For the core dump now:
 ...
  (gdb) print s->s2
  $2 = (struct ssl2_state_st *) 0x8117400
  (gdb) print s->s3
  $3 = (struct ssl3_state_st *) 0x0
 
  In other words the s->s3 structure is NULL.

   See RFC 2716, top of page 3.  TLS version 1 is required.  See
 ssl/ssl.h, SSLv3 is pretty much TLS version 1.

   So the TLS session SHOULD have been rejected, as soon as the client
 tried to use SSLv2.  This may be a failure in the EAP-TLS code.

   Hmm...  See: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,
 line 185:

/*
 * Set ctx_options
 */
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;


   So SSLv2 and SSLv3 should NOT be used.  Ever.

OK now i am getting really puzzled. I did this little change:

eap_tls.c, line 680

DEBUG2("  rlm_eap_tls: processing TLS");
if (tls_session->ssl)
        DEBUG("rlm_eap_tls: Version: %s", SSL_get_version(tls_session->ssl));

and i get:

Mon Nov 10 18:33:14 2003 : Debug:   rlm_eap_tls: processing TLS
Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1


Man page for SSL_get_version:
returns the name of the protocol used for the connection ssl.

Unfortunately i don't have a sniffer capable of returning the TLS session
details from within the EAP message conversation.

So /me puzzled


  In any case that one is causing the core dumps. If there are no
  objections i can add a few checks in eaptls_gen_mppe_keys() and
  eapttls_gen_challenge() for s->s3 being NULL

   I'd say add a few checks to the TLS module, eaptls_process(), so
 that at it returns FAILED if s->s3 == NULL.  That will prevent the
 core dump, but it will also prevent your client from working.

It's rather strange since i am also using the AEGIS client. How can i be so
damn lucky and hit on all errors? :-)


   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with EAP-TTLS+AEGIS Client

2003-11-10 Thread Kostas Kalevras
On Mon, 10 Nov 2003, Alan DeKok wrote:

 Kostas Kalevras [EMAIL PROTECTED] wrote:
  and i get:
 
  Mon Nov 10 18:33:14 2003 : Debug:   rlm_eap_tls: processing TLS
  Mon Nov 10 18:33:14 2003 : Debug: rlm_eap_tls: Version: TLSv1

   Which should be fine.  So I'm a little confused as to why s->s3 is
 NULL.  OpenSSL versions, maybe?

Yes that was it.
rlm_eap_{ttls,tls} was using the correct version but the radiusd binary was
compiled with the older ones. Now all is working fine. Thanks a lot for your
help.


   Alan DeKok.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: command-line SQL management utilities

2003-11-09 Thread Kostas Kalevras
On Tue, 4 Nov 2003, Damian Gerow wrote:

 Thus spake Alan DeKok ([EMAIL PROTECTED]) [04/11/03 11:26]:
There's dialup_admin, which is in the tree.  It's based on PHP  the
  web, but it's similar.
 
It may be possible to make the dialup_admin tools also work as
  command-line tools, or to make a generic command line tool which
  dialup_admin can use, too.

 I'm hoping to provide a companion to the web interface, but don't know PHP
 very well.  I don't know perl very well either, but that's what I'm shooting
 to use.  I've already written a password management utility (expire,
 reactivate users, change passwords, put users on hold), so the next step is
 user creation and generic attribute management.

I would suggest the same thing. PHP is mainly for web applications, perl for
command line utils. And it would be nice to also have command line utils
in companion with dialupadmin mainly for mass user creation/administration.


 I'm willing to share my (ugly) code with anyone that wants it.  I figure I'm
 not the only one who wants command-line control of the users database.
 Unfortunately, it's SQL only.  I've never touched LDAP with perl.

One nice thing would be to try and distinguish script operation from the actual
database operations. Mainly keep them all in a separate included file(s).
dialupadmin shares that kind of logic. Then someone else can easily create ldap
specific code.


 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with EAP-TTLS+AEGIS Client

2003-11-09 Thread Kostas Kalevras
Hello, we are facing a problem when trying to test EAP-TTLS with the
Meetinghouse AEGIS Client

We are using a Cisco 2950 as an AP (EAPOL authentication) with recent IOS.

freeradius latest cvs (two or three days old)
Aegis 2.1.0
OpenSSL 0.9.7c

Unfortunately we haven't been able to find a sniffer capable of reporting the
TLS traffic within an EAP-TTLS (or EAP-TLS for that matter) conversation.
So I am mostly speculating what the problem is.

As can be seen from the radiusd -X -xxx output after sending a TLS Hello with
the server certificate the client returns with a TLS ACK. I am guessing that one
TLS fragment got to the client and it is ACKing for another. Though the eap_tls
module seems to not accept that ACK.
From what i 've found the eaptls_ack_handler() never seems to be called. If it
is an openssl or rlm_eap_tls module problem i don't know. From the documentation
on openssl.org it seems that the handler will only be called if the received
packet is ok so it can just be that the packet is malformed somehow.
In any case I don't really know where to go from here. One thing that would help
would be if someone confirmed that eap-ttls works with such a configuration.

tls {
private_key_password = 
private_key_file = /etc/1x/private.pem
certificate_file = /etc/1x/cert.pem
CA_file = /etc/1x/CA.pem
dh_file = /etc/1x/DH
random_file = /etc/1x/random
fragment_size = 1024
#   include_length = no
}

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

rad_recv: Access-Request packet from host 147.102.247.20:1812, id=45, length=102
NAS-IP-Address = 147.102.247.20
NAS-Port-Type = Async
User-Name = papage
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = 00-00-86-33-52-43
EAP-Message = 0x020e000b01706170616765
Message-Authenticator = 0x33b1b4adac3a64f2951c083441512065
Sun Nov  9 21:52:25 2003 : Debug: modcall: entering group authorize for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling preprocess 
(rlm_preprocess) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from preprocess 
(rlm_preprocess) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module preprocess returns ok 
for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for 
request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from chap 
(rlm_chap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module chap returns noop for 
request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for 
request 40
Sun Nov  9 21:52:25 2003 : Debug:   rlm_eap: EAP packet type response id 14 length 11
Sun Nov  9 21:52:25 2003 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going 
EAP conversation
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) 
for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module eap returns updated 
for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) 
for request 40
Sun Nov  9 21:52:25 2003 : Debug: rlm_realm: No '@' in User-Name = papage, 
looking up realm NULL
Sun Nov  9 21:52:25 2003 : Debug: rlm_realm: No such realm NULL
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from suffix 
(rlm_realm) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module suffix returns noop 
for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling files (rlm_files) 
for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from files 
(rlm_files) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module files returns 
notfound for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) 
for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authorize]: returned from mschap 
(rlm_mschap) for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modcall[authorize]: module mschap returns noop 
for request 40
Sun Nov  9 21:52:25 2003 : Debug: modcall: group authorize returns updated for request 
40
Sun Nov  9 21:52:25 2003 : Debug:   rad_check_password:  Found Auth-Type EAP
Sun Nov  9 21:52:25 2003 : Debug: auth: type EAP
Sun Nov  9 21:52:25 2003 : Debug: modcall: entering group authenticate for request 40
Sun Nov  9 21:52:25 2003 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for 
request 40
Sun Nov  9 21:52:25 2003 : Debug:   rlm_eap: EAP Identity
Sun Nov

Re: EAP subtype as authorization

2003-11-07 Thread Kostas Kalevras
On Fri, 7 Nov 2003, Artur Hecker wrote:

 hi


   so what value would i set the EAP-Type attribute to?
 
  See the dictionary file for the values for the EAP-Type attribute

 no, i think we didn't understand each other. you are talking about
 Auth-Type := EAP which is set automatically by the EAP module in the
 authorize section. that's evident.

We clearly aren't understanding each other :-)
And you didn't read what i asked you to, because you would find out it's exactly
what you want. Evidently i _wasn't_ talking about Auth-Type but about EAP-Type.
So please read the dictionary file for the values for EAP-Type.


 what i want, is quite different _and_ quite necessary, given the
 potential generality of the EAP authentication methods. in the same
 manner like you can demand CHAP, PAP, MS-CHAP or whatever EAP on a
 per-user basis, i.e. reject EVERY request for this user NOT having the
 pre-defined (part of authorization) authentication type, you should be
 capable of defining which EAP subtype the user is trying to use.

 EAP can be potentially as simple as CHAP or based on certificates,
 kerberos or GSM-SIM cards. so, it's crucial to be able to control that.
 you don't want your users to freely choose the possibly weakest
 authentication method. you probably want to enforce ONE and only method
 per user.

 a propos, that was strongly recommended for all RADIUS servers. now if
 you enforce Auth-Type := EAP, you effectively do not enforce _anything_,
 since it can be almost everything.

 we should probably add a kind of Auth-Type := EAP/MD5 possibility and
 then, in the code fragment you posted, we should check if the provided
 EAP type matches the preconfigured one. if yes, the authentication can
 take place. if not, the reject should be sent. for example...

That's exactly what the patch i sent will do (at least from my quick pass
through the rlm_eap module code).


 i thought even, that it would be possible by defining instances of the
 eap module with different default_types. but then, the eap module should
 set the Auth-Type to the subtype and only if the provided EAP-Message
 includes this one, and the code you mentioned should check as described
 above... imho...

 perhaps alan could say something on this matter, i'm far from being
 freeradius configuration possibilities expert :-)


   i don't want the user X just to grab the EAP-method Y and freeradius to
   use it if it finds it in user's request. i want freeradius to impose _a_
   certain EAP subtype (and to deny user if it's not the configured one).
 
  From a quick look at the rlm_eap sources i don't think that it is possible.

 that's exactly the problem. it's not.


 ciao  thanks
 artur



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Removing Modules which are not needed

2003-11-07 Thread Kostas Kalevras
On Fri, 7 Nov 2003, Arindam Roy wrote:

 Hi to all,
 My query is that how can I disable certain modules? Like I want to
 disable pap. When I give ./configure --without-pap it configures, and
 after make and
 make install I edit the radiusd.conf file. Here I comment the lines for
 pap support. But when I run with radiusd -X it stops saying
 ERROR: Cannot find a configuration entry for module pap. Is there
 any way I can stop this? or am I doing something wrong here.
 Scorpy

You should also remove the pap module from the authenticate section




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: PPP

2003-11-07 Thread Kostas Kalevras
On Thu, 6 Nov 2003, Thomas Meggs wrote:

 Hi,

 I have FreeRADIUS set up in a pretty basic manner. It passes
 authentication requests through to an LDAP server. I need for FreeRADIUS
 to return the attribute Framed-Protocol = PPP along with saying if the
 authentication is successful. I am unable to add anything to the user's
 schema. How would I go about doing this? Thanks!

See doc/RADIUS-LDAPv3.schema


 Regards,
 Tom




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: LDAP authentication problem

2003-11-07 Thread Kostas Kalevras
On Fri, 7 Nov 2003, Peter Bates wrote:


 Hello all...

 Freeradius 0.9.2, built as an RPM on RedHat 7.3.
 I'm using LDAP support to try and authenticate users against
 Novell's eDirectory (which has the LDAP 'interface', as it were).

 Our usernames are generally like: (or the full DN)
 cn=Anstpbat,ou=NST,ou=AS,o=LSHTM

 but they are all over the 'tree', so we have a container (in Novell
 speak, don't know if it's an LDAP term!) called 'Login.lshtm', or
 'ou=Login,o=LSHTM'.

 I've been configuring radiusd.conf with that as the basedn:

 basedn = ou=Login,o=LSHTM
 filter = (cn=%{Stripped-User-Name:-%{User-Name}})

 And I get:

 rad_recv: Access-Request packet from host 127.0.0.1:1619, id=248,
 length=60
 User-Name = anstpbat
 User-Password = qwert1e
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 0
 modcall: entering group Auth-Type for request 0
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by anstpbat with password qwert1e
 rlm_ldap: user DN: cn=Anstpbat,ou=Login,o=LSHTM
 rlm_ldap: (re)connect to 193.63.251.176:636, authentication 1
 rlm_ldap: setting TLS mode to 1
 rlm_ldap: bind as cn=Anstpbat,ou=Login,o=LSHTM/qwert1e to
 193.63.251.176:636
 rlm_ldap: waiting for bind result ...
   modcall[authenticate]: module ldap returns reject for request 0
 modcall: group Auth-Type returns reject for request 0
 auth: Failed to validate the user.
 Login incorrect (rlm_ldap: Bind as user failed): [anstpbat/qwert1e]
 (from client localhost port 0)

 If I fix the basedn as the actual 'unaliased' container:

 basedn = ou=NST,ou=AS,o=LSHTM

 I get:

 rad_recv: Access-Request packet from host 127.0.0.1:1621, id=57,
 length=60
 User-Name = anstpbat
 User-Password = qwert1e
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 0
 modcall: entering group Auth-Type for request 0
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by anstpbat with password qwert1e
 rlm_ldap: user DN: cn=Anstpbat,ou=NST,ou=AS,o=LSHTM
 rlm_ldap: (re)connect to 193.63.251.176:636, authentication 1
 rlm_ldap: setting TLS mode to 1
 rlm_ldap: bind as cn=Anstpbat,ou=NST,ou=AS,o=LSHTM/qwert1e to
 193.63.251.176:636
 rlm_ldap: waiting for bind result ...
 rlm_ldap: user anstpbat authenticated succesfully
   modcall[authenticate]: module ldap returns ok for request 0
 modcall: group Auth-Type returns ok for request 0
 Login OK: [anstpbat] (from client localhost port 0)
 Sending Access-Accept of id 57 to 127.0.0.1:1621

 So, we have 'rlm_ldap: user anstpbat authorized to use remote access'
 in both cases, so it's obviously reading something, but then can't do
 the actual bind as the user, unless directed to the complete DN, rather
 than trying to follow the 'alias'.

Well it can access the entry but it finds a different DN in each case.
And that is probably why the BIND operation with the aliased DN fails.


 There is an object, 'aliasedObjectName' which contains the complete
 name:
 aliasedObjectName: cn=Anstpbat,ou=NST,ou=AS,o=LSHTM

 Is there a way I can retrieve this initially, and then use this 'cn'
 result as the parameter to the bind for the password?

If that attribute is contained in the user entry you could probably map the
Ldap-UserDn attribute to that one in ldap.attrmap. Something like:

checkItem   Ldap-UserDn aliasedObjectName

though i haven't checked it.


 I hope I've explained the above clearly... I'm not sure (but I'm
 presuming) that these 'aliases' (essentially shortcuts to other bits of
 the tree) are not standard LDAP items.

No they aren't from what i can see. LDAP references are the standard way to go
for these things.

 However, we authenticate boxes in
 a similar way using PAM and LDAP (for FTP/SSH, etc.), and that does
 somehow seem to follow the reference down from 'login.lshtm' down to the
 proper DN.

I don't know how PAM_LDAP works exactly. In any case rlm_ldap will just do
normal ldap operations and use the results. If that fails then it's mostly due
to the ldap server not doing something correctly.


 I'd be grateful for any suggestions!



 ---
 Peter Bates, Systems Support Officer, Network Support Team.
 London School of Hygiene & Tropical Medicine.
 Telephone:0207-958 8353 / Fax: 0207- 636 9838



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re:PPP

2003-11-07 Thread Kostas Kalevras
On Fri, 7 Nov 2003, Charles Francis wrote:

  Hi,
 
  I have FreeRADIUS set up in a pretty basic manner. It passes
  authentication requests through to an LDAP server. I need for FreeRADIUS
  to return the attribute Framed-Protocol = PPP along with saying if the
  authentication is successful. I am unable to add anything to the user's
  schema. How would I go about doing this? Thanks!
 
 See doc/RADIUS-LDAPv3.schema
 
 
  Regards,
  Tom
 

 We are seeing the info in the RADIUS-LDAPv3.schema, however, we are needing
 to bypass this to an extent.  What we have is a Freeradius-0.9.2 server
 using an SQL backend for a user DB and LDAP to verify passwords.  We are
 trying/hoping to have the Framed-Protocol = PPP attribute in a static
 location in the conf files so that it returns for every user.  We are using
 a very old version of Netscape LDAP and do not have access to add
 attributes.

So add a DEFAULT entry in the users file

DEFAULT
Framed-Protocol = PPP


 Thanks in Advance.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: EAP subtype as authorization

2003-11-06 Thread Kostas Kalevras
On Thu, 6 Nov 2003, Artur Hecker wrote:

 hi people


 do i ignore something or am i right in the assumption that it is
 currently not possible to define different EAP authentication methods on
 a per-user basis with the provided onboard configuration?

 (would be a nice feature to have john use PEAP during jack has to go for
 pure TLS, for instance...)

 or can it somehow be done by defining instances of the EAP module with
 different eap default types? (i obviously haven't tried it yet)

Hmm, that's already supported :-)

Look at src/modules/rlm_eap/eap.c line 196:

	case PW_EAP_IDENTITY:
	{
		VALUE_PAIR  *vp;

		DEBUG2("  rlm_eap: EAP Identity");

		/*
		 *  Allow per-user configuration of EAP types.
		 */
		vp = pairfind(handler->request->config_items,
			      PW_EAP_TYPE);
		if (vp) default_eap_type = vp->lvalue;


So you only need to set the EAP-Type attribute in the authorize section on a per
user basis and i think it should work.





 ciao
 artur





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: EAP subtype as authorization

2003-11-06 Thread Kostas Kalevras
On Thu, 6 Nov 2003, Artur Hecker wrote:

 hi kostas


  So you only need to set the EAP-Type attribute in the authorize section on a per
  user basis and i think it should work.

 so what value would i set the EAP-Type attribute to?

See the dictionary file for the values for the EAP-Type attribute


 i don't want the user X just to grab the EAP-method Y and freeradius to
 use it if it finds it in user's request. i want freeradius to impose _a_
 certain EAP subtype (and to deny user if it's not the configured one).

From a quick look at the rlm_eap sources i don't think that it is possible.
rlm_eap will currently honor an EAP-NAK request from the client and change the
EAP-Type to whatever the client requested (if that eap type is supported by
rlm_eap). Though it should not be that difficult to add something like a
configuration directive (or a radius attribute) enforce_eap_type = yes|no

It would actually probably be the patch included (not tested though sorry).



 do i miss something?


 ciao
 artur





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
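
The EAP-Nak behaviour discussed in the message above, as an added Python sketch that is not FreeRADIUS code: it parses an EAP-Response (RFC 3748 layout) and compares honouring the peer's Nak proposal with the enforce_eap_type = yes behaviour proposed in the reply. The function names, the supported-method set and the sample packets are assumptions constructed for this illustration.

```python
import struct

EAP_RESPONSE = 2   # EAP Code value for a Response (RFC 3748)
EAP_IDENTITY = 1   # EAP Type numbers (RFC 3748 / IANA EAP registry)
EAP_NAK = 3
EAP_MD5 = 4
EAP_TLS = 13
EAP_PEAP = 25


def eap_response(identifier, eap_type, data=b""):
    """Build a constructed EAP-Response: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 5 + len(data)) + bytes([eap_type]) + data


def parse_eap_response(packet):
    """Split an EAP-Response into (identifier, type, type_data) or raise ValueError."""
    if len(packet) < 5:
        raise ValueError("EAP response shorter than header plus Type")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE:
        raise ValueError("not an EAP-Response")
    if length < 5 or length > len(packet):
        raise ValueError("EAP Length field does not fit the packet")
    return identifier, packet[4], packet[5:length]


def next_step(packet, required_type, supported, enforce):
    """Decide what the server does after a peer response.

    required_type: the per-user EAP-Type set during authorization.
    supported:     EAP types the server has handlers for (assumed set).
    enforce:       models the proposed enforce_eap_type = yes|no switch.
    Returns ("start", type), ("continue", type) or ("reject", None).
    """
    _, eap_type, data = parse_eap_response(packet)

    if eap_type == EAP_IDENTITY:
        # Same idea as the quoted eap.c case: the per-user EAP-Type is offered first.
        return ("start", required_type)

    if eap_type == EAP_NAK:
        # A Nak declines the offered method; its data lists methods the peer
        # would accept instead, with 0 meaning "no alternative".
        if enforce:
            return ("reject", None)
        for proposed in data:
            if proposed != 0 and proposed in supported:
                return ("start", proposed)   # peer chooses the method
        return ("reject", None)

    # Any other type is a method response.
    if eap_type == required_type:
        return ("continue", eap_type)
    if not enforce and eap_type in supported:
        return ("continue", eap_type)
    return ("reject", None)
```

With enforce=False, a user configured for TLS who answers with a Nak proposing MD5 ends up authenticating with MD5, which is the downgrade the thread is concerned about.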



Re: check list multiple values in NAS-Port-Type

2003-11-03 Thread Kostas Kalevras
On Mon, 3 Nov 2003, ZORBADELOS KONSTANTINOS wrote:


 Hello to everyone.
 This is my first post to the list. I want to have a user that is
 allowed to have ISDN or PSTN access and another that should have PSTN
 access only. I am using the attribute NAS-Port-Type in the check list
 to accomplish this. In the first user I want the NAS-Port-Type to have
 values Async or ISDN and in the second I want to have Async only. I am
 also using the sql module so my users' authorization data are stored
 in an Oracle database. Freeradius version 0.9.2 (latest for now).
 My radcheck table looks like

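 +----+----------+---------------+----+-------+
 | id | username | attribute     | op | value |
 +----+----------+---------------+----+-------+
 | 1  | kzorba   | User-Password | == |       |
 | 2  | kzorba   | NAS-Port-Type | == | Async |
 | 3  | kzorba   | NAS-Port-Type | == | ISDN  |
 | 4  | mitg     | User-Password | == |       |
 | 5  | mitg     | NAS-Port-Type | == | Async |
 +----+----------+---------------+----+-------+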

 I am using the NTradping test utility (as described in the O'Reilly
 book) but the results are the same when I use a Cisco 3640
 router. When I am sending one of the 2 allowed values in an
 Access-Request for kzorba I always get reject. I tried to put as a
 value for NAS-Port-Type Async-ISDN in one record instead of 2 and I
 always got accept no matter what I sent (even a value besides ISDN or
 Async). I only managed to get accept when I have one record with a
 specific value (in this case everything works as expected). So the
 question is:
 How can I express the fact that I want to accept the user when the
 attribute has value a OR b? By generalizing can I have boolean
 expressions in check items?
 Thank you in advance

I think that the AND relation of the check items is rather strongly established
in the check functions of freeradius. The way i see it you have two choices:
1. Use a regular expression
2. Use the checkval module (check raddb/experimental.conf)


 Kostas


 ==
   Kostas Zorbadelos
   Currently at: Otenet IT Department
   mailto: [EMAIL PROTECTED]

   Out there in the darkness, out there in the night
   out there in the starlight, one soul burns brighter
   than a thousand suns.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
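
Why two == rows for the same attribute always reject, and what the regular-expression alternative suggested above looks like, as an added Python model that is not FreeRADIUS code. It assumes every check item must match (the AND relation described in the reply) and that a =~ item is matched against the attribute's dictionary name; the helper names and the list of port types are constructed for this illustration, and the User-Password rows are left out.

```python
import re


def item_matches(op, expected, actual):
    """Evaluate one check item against the value found in the request."""
    if actual is None:
        return False
    if op == "==":
        return actual == expected
    if op == "=~":
        return re.search(expected, actual) is not None
    raise ValueError("unsupported operator: " + op)


def check_items_pass(check_items, request):
    """AND semantics: the request passes only if every check item matches."""
    return all(item_matches(op, value, request.get(attr))
               for attr, op, value in check_items)


# The two radcheck rows from the question: no single value equals both.
KZORBA_TWO_ROWS = [("NAS-Port-Type", "==", "Async"),
                   ("NAS-Port-Type", "==", "ISDN")]

# One regex row, unanchored: also matches longer names that contain "ISDN".
KZORBA_LOOSE = [("NAS-Port-Type", "=~", "Async|ISDN")]

# One regex row, anchored: exactly Async or exactly ISDN.
KZORBA_ANCHORED = [("NAS-Port-Type", "=~", "^(Async|ISDN)$")]

# The second user from the question: PSTN (Async) only.
MITG = [("NAS-Port-Type", "==", "Async")]

# NAS-Port-Type value names assumed for the illustration.
PORT_TYPES = ("Async", "ISDN", "ISDN-V120", "Virtual")


def decisions(check_items):
    """Map each port type to True (check items pass) or False (reject)."""
    return {pt: check_items_pass(check_items, {"NAS-Port-Type": pt})
            for pt in PORT_TYPES}
```

The unanchored pattern accepts ISDN-V120 as well, so anchor the expression when the check item is meant as an allow-list.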



Re: dialup-admin / new help-pages

2003-11-01 Thread Kostas Kalevras
On Thu, 30 Oct 2003, Ulrich Walcher wrote:

 HI,

 I have done some additions to user_edit.attrs and some help pages...

 They're all on http://www.walcher.co.at/fr/

Added, thanks a lot


 Greets,
 Uli


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_counter question

2003-11-01 Thread Kostas Kalevras
On Wed, 29 Oct 2003, apellido jr., wilfredo p wrote:

 Hello Mr. Kalevras, i already look @ rad_counter.pl
 and i understand the flow of this script. It open the
 database as READONLY, print the information where u
 can specify the db filename, user, how the counter
 will be shown, second (default), minutes, hours and
 match. My problem is i dont have any hint in command
 or syntax. Just like how do i open the database as
 read/write? What is cmd to update, delete, add or
 edit. I know this is not related in Freeradius but i
 dont have any choice, im spending days try to search
 this web but i dont see any documentation. thanks very
 much ...

Well

http://www.perldoc.com/perl5.6/lib/GDBM_File.html
http://www.perldoc.com/perl5.6/pod/perldbmfilter.html
http://www.mit.edu:8001/afs/athena.mit.edu/project/gnu/doc/html/gdbm_toc.html

These should be more than sufficient


 =
 wilfredo pahilanga apellido jr.
 technical support
 mactan online
 bacolod city, philippines
 +63 34 4348311

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: seeking a tool to graph radius logs

2003-10-31 Thread Kostas Kalevras
On Fri, 31 Oct 2003, Bill Pavich wrote:

 Please add my email address to your offer as well.
 Thanks!

 [EMAIL PROTECTED]

Maybe it would be a good idea to add a page in the freeradius website with
instructions about things like this as long as someone is willing to provide the
corresponding content.
Alan what do you think?




 -Original Message-
 From: Jeff Sullivan [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 31, 2003 8:55 AM
 To: [EMAIL PROTECTED]
 Subject: RE: seeking a tool to graph radius logs


 Me Too,

 [EMAIL PROTECTED]


 
 For those desiring the info on mrtg, send me your e-mail and I'll
 send you my configuration I use and instructions on setting it up
 including crons etc. Thanks
 John

 Count me in as well please.


 sergio






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: processing users by hours

2003-10-31 Thread Kostas Kalevras
On Thu, 30 Oct 2003 [EMAIL PROTECTED] wrote:

 hi,
 i wanna have give users option to either pay monthly flat rate package,
 (unlimited access), and either pay for example 10 hours of internet, so
 their remaining time will be placed in separate record. And every time
 they connect AcctSessionTime will be subtracted from their paid time. Is
 there some already made solution for this problem, or i`ll have to do this
 by myself. Can you explain me the steps i need to take for something like
 this?

Check out the rlm_counter module






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Problem with Accounting-On packet

2003-10-31 Thread Kostas Kalevras
On Thu, 30 Oct 2003, Gustavo A. Lozano wrote:

 Hello.

 I have a very big problem with one NAS. The machine is sending
 accounting-on packets every 2 seconds, so the wtmp and rlm_ippool
 modules are not working. Every time the packet is received by the
 radius, the wtmp and ip_pool dbs are reset.


There's currently no support for accounting-on/off packets in rlm_ippool so i
don't think that it's possible for the db to get reset.


 The radius.log file shows the next every 2-3 seconds:

 Thu Oct 30 16:12:36 2003 : Info: rlm_radutmp: NAS 123.456.789.012
 restarted (Accounting-On packet seen)


 Well, What I need is a patch/way to tell the radius to ignore the
 accounting-on packets while the people of the factory can repair the
 nas.


 Any ideas???


 Gustavo





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_ippool way to realize an entry is stale

2003-10-31 Thread Kostas Kalevras
On Fri, 31 Oct 2003, Jonathan Ruano wrote:

 Hi there:

 I messed with rlm_ippool sources in the past but I decided to give the 0.9.2
 version a try, as I hadn't touched anything since July.

 Not doing stress, full load tests, but took a look at the sources and
 remembered how stale entries are found and fixed.

 The ippool array is indexed by nas/port, so if we're to assign an IP address
 to a dialup user using the same nas/port combination than a previous
 (currently marked as active) one, then the latter must be a stale entry.

 This works great (any real-life experiences to share, anyone?) for just one
 ippool instance, but not when there are several.

Why? However many instances you may have they will all check for a stale entry
for that nas/port combination in their respective databases. So where exactly do
you see a problem?

 I'll see if I can merge my
 hacked version and 0.9.2's.

 Jonathan Ruano




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: TTLS/TLS: LDAP - RADIUS

2003-10-28 Thread Kostas Kalevras
On Tue, 28 Oct 2003, Jack J wrote:

 Hi,

 I could not find this information in archives.
 Can someone please share views ?

 For TTLS tunnel, I can have LDAP as user profile
 storage
 mechanism.
 Questions:
 1) Can this be for both inner and outer TTLS tunnel
 realms ?

Only the eap_ttls module knows about inner and outer tunnel realms. For the rest
of the server there is no difference. So probably yes

 2) How does FreeRADIUS communicate with LDAP via
some secured channel ? How do I configure this ?
Can it use another TTLS/TLS tunnel to LDAP server ?

You can enable the start_tls directive in rlm_ldap and communicate with the ldap
server through a tls secured connection.


 Thanks,




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: ldap authentication + mysql accounting

2003-10-27 Thread Kostas Kalevras
On Sun, 26 Oct 2003, Ruslan Spivak wrote:

 Hello.

 For now i use authentication(authtype PAP) and accounting in mysql(also
 rlm_sqlcounter).
 I saw in config option for authentication using ldap. Is it possible to
 use ldap authentication and mysql accounting and will rlm_sqlcounter
 work in such combination?

Yes

 Thanks in advance.
 Your help is very appreciated.

 Best regards,
 Ruslan




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: attr_rewrite documentation?

2003-10-27 Thread Kostas Kalevras
On Mon, 27 Oct 2003, Stephen Fulton wrote:

 At 04:00 PM 20/10/2003 +0300, Kostas wrote:

 Other than the comments in radiusd.conf and 'man 5 regex' none.

 That's too bad.  Perhaps before 1.0, an effort can be made to improve the
 documentation somewhat?

Yes and no. Usually bug fixes/new features are more important. And you didn't
say anything about where you found the current documentation lacking so...

  No use coding something esoteric, is there?

   1.  We use [EMAIL PROTECTED].  If the realm is missing, we will use
   attr_write to add it.
 
 proxy.conf:
 
 realm NULL{
 [...]

 Just so I'm clear on this, let me word my question another way:

 In order to ensure that a realm is added to the packet from a particular
 NAS, you suggest I use the proxy.conf NULL function? This seems to go
 against your advice to another earlier this summer:

 http://lists.cistron.nl/archives/freeradius-users/2003/07/msg01290.html

 If not, where should I place the autztype Rewrite {  function you
 describe?  radiusd.conf?  Where specifically?

Well you didn't mention that you want it added for a particular NAS now did you?
In any case, yes that post sums it up. the autztype Rewrite function should be
added in radiusd.conf in the authorize section. Check out doc/Autz-Type for more
information.



   2.  Since we're AAA'ing using a SQL database, the username needs to be
   parsed so that the username and the realm/domain is split.  Then those,
   plus the password, are checked against the SQL DB.
 
 This is done automatically by the realm module.

 Again, just so I'm sure I've properly communicated what I want to do, here
 is the situation reworded:

 I want to ensure that only clients allowed to use a specific NAS are using
 it.  Everyone else is rejected.  Can the realm pass on the info needed to
 make the SQL call?  Or should can I assign (for instance) a NAS to a
 particular group instead?

You can do what you want by using the checkval module. Assign a NAS-IP-Address
check item in the sql profile (by using the := operator) for those users and
check it with checkval. The comments for the checkval module (in
experimental.conf) should make it more clear.


 Thanks for you patience,

 -- Stephen




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: dialup_admin latest cvsup

2003-10-24 Thread Kostas Kalevras


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Acctstarttime set to 0000-00-00 00:00:00

2003-10-23 Thread Kostas Kalevras
On Thu, 23 Oct 2003, Costas Christonis wrote:

 Hi to all,
 we running freeradius 0.9 on a linux box red hat 9.0 and we have the
 following problem:
 sometimes the acctstarttime field is set to zero in sql_radacct.
 We have 2 nas AS5300 and AS5200 and we have the problem for both.
 Anyone has the same problem before?

That happens when the accounting-start is lost. You could grab the sql.conf from
0.9.2 it should work better (it calculates acctstarttime from the information in
the accounting-stop packet).











 

 Costas A. Christonis
 Networking & Communications Centre
 Gallos Campus - University of Crete
 email: [EMAIL PROTECTED]
 http://www.ucnet.uoc.gr/




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: newbie question about rlm_radutmp

2003-10-23 Thread Kostas Kalevras
On Mon, 20 Oct 2003, Jeff Mello wrote:

 I've got freeradius 0.9.1 configured and running on a
 sun enterprise ultra 2 with gentoo linux. When I try
 to authenticate from an Ascend Max 6000, I'm getting
 the following message in the radius.log:

 Error: rlm_radutmp: Logout for NAS max6000 port 20101,
 but no Login record

That means you got an accounting-stop without a corresponding accounting-start


 The radutmp file is empty. I have not found much
 information on the radutmp module and how it works.

Since you don't get an accounting-start it will probably remain empty.


 I'm also getting the following entry in the log file:

 Error: Received Accounting-Request packet from
 ascend-IP-address with invalid signature!  (Shared
 secret is incorrect.)

 I have double and triple-checked the passwords on the
 Ascend box to confirm that they match the secret in
 the clients.conf file.

Probably the accounting-start packets have an invalid signature. There's not
much i could suggest on that apart from rechecking the shared secret.


 I appreciate any help that you folks can give me with
 these 2 issues.


 Jeff Mello



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
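
A way to examine the "invalid signature" error offline, as an added Python example that is not FreeRADIUS code: it recomputes the Accounting-Request authenticator defined in RFC 2866 (MD5 over the packet with a zeroed authenticator field, followed by the shared secret) so a captured packet can be checked against the secret configured for that client. The sample packet, the secret testing123 and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code for Accounting-Request (RFC 2866)
HEADER_LEN = 20          # Code, Identifier, Length, 16-octet Authenticator


def acct_authenticator(code, identifier, attributes, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()


def encode_attribute(attr_type, value):
    """Type, Length (including the two header octets), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(identifier, attributes, secret):
    """Assemble a signed Accounting-Request the way a NAS would."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         HEADER_LEN + len(attributes))
    auth = acct_authenticator(ACCOUNTING_REQUEST, identifier, attributes, secret)
    return header + auth + attributes


def check_accounting_request(packet, secret):
    """Return 'ok', 'malformed' or 'bad-authenticator' for a raw packet."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        return "malformed"
    received = packet[4:HEADER_LEN]
    attributes = packet[HEADER_LEN:length]   # octets past Length are padding
    expected = acct_authenticator(code, identifier, attributes, secret)
    if hmac.compare_digest(received, expected):
        return "ok"
    return "bad-authenticator"


# Constructed sample: an Accounting-Start for NAS port 20101.
SAMPLE_ATTRS = (
    encode_attribute(40, struct.pack("!I", 1))        # Acct-Status-Type = Start
    + encode_attribute(5, struct.pack("!I", 20101))   # NAS-Port
    + encode_attribute(44, b"050003e4")               # Acct-Session-Id
)
SAMPLE_PACKET = build_accounting_request(42, SAMPLE_ATTRS, b"testing123")
```

A secret that differs only by a trailing newline or space already yields bad-authenticator, and so does any attribute altered in transit, so a mismatch alone does not say which of the two happened.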



Re: dialup_admin latest cvsup

2003-10-22 Thread Kostas Kalevras
On Tue, 21 Oct 2003, apellido jr., wilfredo p wrote:

 I tried the latest cvsup of dialup_admin and there's a
 new feature in user's information, the open session
 however the online user command is not working, then i

How do you mean not working? Can you give more details?

 switch to dialup_admin which included in
 freeradiu-0.9.0 package and it is working as i
 expected. what is the file to be update in
 dialup_admin (freeradius-0.9.0)to have this latest
 feature which included in latest cvsup?

You could just only download the htdocs/clear_opensessions.php3 file.


 =
 wilfredo pahilanga apellido jr.
 technical support
 mactan online
 bacolod city, philippines
 +63 34 4348311

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: postauth required?

2003-10-21 Thread Kostas Kalevras
On Tue, 21 Oct 2003, Graeme Hinchliffe wrote:

 Hiya
   Will not having entries for postauth in the sql configuration cause
 issues?  I am still using the sql config from freeRADIUS 0.9.0 with the cvs
 version of 0.9.1

No it won't


   When the database is used heavily by another process freeradius eats
 loads of CPU, becomes unresponsive and eventually just dies.  This only seems
 to happen when another process (such as mysql_dump) is ran on the database.

radiusd should never die. Check for any core dumps. In any case if you are using
mysqldump it will acquire a global lock on the db and not allow the radiusd sql
queries to run. As a result the radiusd process will become unresponsive (though
it should not eat loads of CPU)


   I am examining configuration files to see if there is anything I have 
 overlooked.

 --
 -
 Graeme Hinchliffe (BSc)
 Core Team Member
 Zen Internet (http://www.zen.co.uk)

 ICQ 3842605 (link)

 Direct: 0845 058 9074
 Main  : 0845 058 9000
 Fax   : 0845 058 9005




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: NAS and freeradius ?

2003-10-21 Thread Kostas Kalevras
On Tue, 21 Oct 2003, Sebastien HANUCHE wrote:

 first sorry for my poor english,

 is freeradius able to simulate a NAS the goal is to generate message
 accounting start and stop from the freeradius server (and not from the nas
 who do normally this)

 if there is no way to do this, is there a solution to generate this message
 ? (with apache for example, i know there is a module for radius but i think
 the accounting start and stop are not take in charge ...?)

You can use radclient to send fake accounting-start/stop packets






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
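
An added example, not part of the original thread: what a simulated Accounting-Request (Start or Stop) looks like on the wire, built and checked per RFC 2866, so the bytes a tool such as radclient would send can be inspected offline. The shared secret, user name, session id and NAS address are constructed values.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4          # RADIUS packet code (RFC 2866)
ACCT_START, ACCT_STOP = 1, 2    # Acct-Status-Type values
ATTR = {                        # attribute numbers from RFC 2865 / RFC 2866
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5,
    "Acct-Status-Type": 40, "Acct-Session-Id": 44, "Acct-Session-Time": 46,
}


def encode_attr(name, value):
    """Encode one attribute as type, length, value."""
    if isinstance(value, int):
        data = struct.pack("!I", value)      # integers are 32-bit big-endian
    elif isinstance(value, bytes):
        data = value
    else:
        data = value.encode("utf-8")
    return struct.pack("!BB", ATTR[name], len(data) + 2) + data


def build_acct_request(ident, secret, attrs):
    """Return the full packet: header, Request Authenticator, attributes."""
    body = b"".join(encode_attr(name, value) for name, value in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret):
    """Server-side check: recompute the authenticator with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Return {attribute number: raw value}; reject truncated attributes."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def make_session(secret, user="testuser", session_id="constructed-0001", seconds=120):
    """Build a matching Start/Stop pair for one constructed session."""
    common = [
        ("User-Name", user),
        ("NAS-IP-Address", socket.inet_aton("192.0.2.1")),  # documentation address
        ("NAS-Port", 21),
        ("Acct-Session-Id", session_id),
    ]
    start = build_acct_request(1, secret, common + [("Acct-Status-Type", ACCT_START)])
    stop = build_acct_request(2, secret, common + [
        ("Acct-Status-Type", ACCT_STOP),
        ("Acct-Session-Time", seconds),
    ])
    return start, stop


if __name__ == "__main__":
    start, stop = make_session(b"testing123")   # constructed secret
    print(start.hex())
    print(stop.hex())
```

A packet whose authenticator was computed with a different secret fails `verify_acct_request`, which is why the sender must be listed in clients.conf with the matching secret.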



Re: PAP authentication with LDAP

2003-10-21 Thread Kostas Kalevras
On Tue, 21 Oct 2003, Lai Fu Keung wrote:


 Hi,

 I use LDAP to authenticate all requests. LDAP contains 2 password
 attributes -- a plain text password for authenticating MS-CHAP and a
 crypted password for authenticating PAP, CHAP.

 I can get CHAP, MS-CHAP working, but not with PAP.

 Anyone can help? Thanks in advance.

 Lai


 Error message:

 rad_recv: Access-Request packet from host 147.8.123.123:1645, id=211,
 length=197
 User-Name = testuser
 User-Password = testtest
 NAS-IP-Address = 147.8.123.123
 NAS-Port = 21
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Called-Station-Id = 300
 USR-Connect-Speed = 48000-BPS
 USR-Modulation-Type = v90Analog
 USR-Simplified-MNP-Levels = mnpLevel4
 USR-Simplified-V42bis-Usage = none
 USR-Chassis-Call-Slot = 0
 USR-Chassis-Call-Span = 0
 USR-Chassis-Call-Channel = 16
 NAS-Identifier = modemserver
 Acct-Session-Id = 050003e4
 NAS-Port-Type = Async
 modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
 radius_xlat:  '/var/log/radius/radacct/147.8.123.123/auth-detail-
 20031020'
 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-
 %Y%m%d expands to /var/log/radius/radacct/147.8.123.123/auth-detail-
 20031020
   modcall[authorize]: module auth_log returns ok
   modcall[authorize]: module chap returns noop
 users: Matched DEFAULT at 171
 users: Matched DEFAULT at 185
   modcall[authorize]: module files returns ok
 modcall: entering group redundant
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for tfklai
 radius_xlat:  '(uid=testuser)'
 radius_xlat:  'ou=radius,c=hk'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=radius,c=hk, with filter
 (uid=testuser)
 rlm_ldap: Added password testtest in check items
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user tfklai authorized to use remote access
 ldap_release_conn: Release Id: 0
   modcall[authorize]: module first_ldap returns ok
 modcall: group redundant returns ok
   modcall[authorize]: module mschap returns noop
 modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
 modcall: entering group Auth-Type
 modcall: entering group redundant
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by testuser with password testtest
 rlm_ldap: user DN: uid=testuser,ou=radius,c=hk
 rlm_ldap: (re)connect to freeradius.hku.hk:389, authentication 1
 rlm_ldap: bind as uid=testuser,ou=radius,c=hk/testtest to
 freeradius.hku.hk:389
 rlm_ldap: waiting for bind result ...
   modcall[authenticate]: module first_ldap returns reject
 modcall: group redundant returns reject
 modcall: group Auth-Type returns reject
 auth: Failed to validate the user.
 Login incorrect (rlm_ldap: Bind as user failed): [testuser/testtest]
 (from client ppp-29642300 port 21)

Well it seems that the bind operation is failing. If your encrypted password is
not the userpassword attribute then the ldap server will _not_ use that in the
bind operation and as a result the bind operation will fail. So make sure you
are using the right password attribute.


 radiusd.config file:

 module {
   pap {
     encryption_scheme = crypt
   }
   chap {
     authtype = CHAP
   }
   ms_chap {
     authtype = MS-CHAP
     etc ...
   }
   ldap first_ldap {
     server = freeradius.hku.hk
     identity = cn=administrator,c=hk
     password = 123456
     basedn = ou=radius,c=hk
     etc ...
   }
 }

 authorize {
   chap
   redundant {
     first_ldap {
       notfound = return
     }
     second_ldap {
       notfound = return
     }
     handled
   }
   files
   mschap
 }

 authenticate {
   Auth-Type LDAP {
     # ldap
     redundant {
       first_ldap
       second_ldap
     }
   }
   Auth-Type PAP {
     pap
   }
   Auth-Type CHAP {
     chap
   }
   Auth-Type MS-CHAP {
     mschap
   }
 }

 users file:

 DEFAULT Service-Type == Framed-User
     Framed-IP-Address = 255.255.255.254,
     Framed-MTU = 576,
     Service-Type = Framed-User,
     Fall-Through = Yes

 DEFAULT Framed-Protocol == PPP
     Framed-Protocol = PPP,
     Framed-Compression = Van-Jacobson-TCP-IP





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210

Re: Problem running freeradius server

2003-10-21 Thread Kostas Kalevras
On Mon, 20 Oct 2003, pinkesh valdria wrote:

 Hi Everyone,

 This is the first time i am using freeradius server.

 I tried running the free radius server in the debug
 mode, but it gave me error like
  failed to link to module 'rlm_expr' file not found

It seems that the rlm_expr module was not compiled in. You could comment it out
from the instantiate section in radiusd.conf and you should be fine.


 There is no such module on my redhat 9 m/c.

 i just want to allow a user defined in the users file
 to send a request to the server.

 Right now i have commented almost all lines in the
 radiusd.conf file.

 Now the server runs, but when the client from the
 localhost try to access it.

 it says access denied.

 can anybody tell me what is the required minimum
 configuration file for this.


 awaiting a positive reply

 Pinkesh



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Password Expiration

2003-10-21 Thread Kostas Kalevras
On Mon, 20 Oct 2003, [EMAIL PROTECTED] wrote:

 Hello,

 I am using FreeRADIUS 0.9.1 on RedHat 9.0.  For testing and demo
 purposes I am using a simple users file. I would like to set up password
 expiration for the demo accounts that I create.

 Is it possible to add this to the users entry in the user file?  If so, what
 is the syntax.

You could use the Expiration attribute. It should be a check item like:
Expiration == 20 May 2004


 Sorry if this is a simple question or if I have over looked it in the
 documentation.

 Thanks,

 Dave




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: postauth required?

2003-10-21 Thread Kostas Kalevras
On Tue, 21 Oct 2003, Graeme Hinchliffe wrote:

 When the database is used heavily by another process freeradius eats
   loads of CPU, becomes unresponsive and eventually just dies.  This only seems
   to happen when another process (such as mysql_dump) is ran on the database.
 
  radiusd should never die. Check for any core dumps. In any case if you are using
  mysqldump it will acquire a global lock on the db and not allow the radiusd sql
  queries to run. As a result the radiusd process will become unresponsive (though
  it should not eat loads of CPU)

 That fits with what happens, I think I got the order slightly out.  To be more
 precise:

 The radiusd runs happily.  mysqldump starts and radiusd complains about
 unresponsive children, the number of threads increases until the mysqldump
 finishes, at which point the number of threads begins to drop.  The no of
 threads gets to about 20 (initial start value is 5).. at which point the
 daemon locks up and consumes lots of CPU.  It has to be kill -9'd to stop and
 then restart.

That's bad. Try running it like radiusd -xxx and send back the results. It would
be nice if you upgraded to 0.9.2 first though.


 I always thought that the lock would be to stop writes to the db? not reads?

I think it's a global lock though i am not sure. In any case you are using
radiusd for accounting right (which means writing to the db)?


 --
 -
 Graeme Hinchliffe (BSc)
 Core Team Member
 Zen Internet (http://www.zen.co.uk)

 ICQ 3842605 (link)

 Direct: 0845 058 9074
 Main  : 0845 058 9000
 Fax   : 0845 058 9005




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: core dump using freeradius0.9.2 with FreeBSD 5.1

2003-10-21 Thread Kostas Kalevras
On Tue, 21 Oct 2003, Rohaizam Abu Bakar wrote:


 Can't find the core although it say in log

According to doc/bugs you should first do ulimit -c unlimited before running
radiusd
Also make sure that allow_core_dumps is set to yes in radiusd.conf

Another question. Are you using the default threaded version of freeradius or a
multiprocess one?


 Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on
 signal 4 (core dumped)

 Mon Oct 20 11:41:50 2003 : Error: rlm_ldap:
 uniqueIdentifier=208173,ou=RADIUS,ou=People,dc=com
 ,dc=my bind to x.x.x.x:389 failed: timeout


 When running FB 5.1 with 0.9.2, at first it will running OK .. then around
 15 minutes it will die  BOTH error log appear...

 Then when i switch to 0.9.0 ... no core error but only rlm_ldap
 error

 Currently no authentication is forwarded to above server...  I've reverted
 to my FB 4.8 with 0.9.2 that running fine...

 What should i do without the CORE??

 --haizam








--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: core dump using freeradius0.9.2 with FreeBSD 5.1 - more to rlm_ldap problem

2003-10-21 Thread Kostas Kalevras
On Tue, 21 Oct 2003, Rohaizam Abu Bakar wrote:


 manage to point one NAS to this radius... turn on the debug mode
 (-sfxxyz)...  and below is the portion where the problem start . FYI..
 during this rlm_ldap problem.. using ldapsearch should yield the result...
 So no problem on LDAP site...

 ...
 rlm_ldap: performing search in ou=People,dc=jaring,dc=my, with filter
 (uid=spts)
 rlm_ldap: checking if remote access for spts is allowed by dialupAccess
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: Adding radiusSessionTimeout as Session-Timeout, value 21600 
 op=11
 rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value
 Van-Jacobson-TCP-IP  op=11
 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User 
 op=11
 rlm_ldap: user spts authorized to use remote access
 ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap1 returns ok for request 561
 modcall: group redundant returns ok for request 561
 modcall: group authorize returns ok for request 561
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
 modcall: entering group Auth-Type for request 561
 modcall: entering group redundant for request 561
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by spts with password 
 rlm_ldap: user DN:
 uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
 rlm_ldap: (re)connect to 61.6.32.201:389, authentication 1
 rlm_ldap: bind as
 uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to
 61.6.32
 .201:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: ldap_result()
 rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind
 to 61.6.32.201:389 fai
 led: timeout
 rlm_ldap: ldap_connect() failed
   modcall[authenticate]: module ldap1 returns fail for request 561
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by spts with password 
 rlm_ldap: user DN:
 uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my
 rlm_ldap: (re)connect to 61.6.32.97:389, authentication 1
 rlm_ldap: bind as
 uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my/spts2003 to
 61.6.32
 .97:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: ldap_result()
 rlm_ldap: uniqueIdentifier=687130,ou=RADIUS,ou=People,dc=jaring,dc=my bind
 to 61.6.32.97:389 fail
 ed: timeout
 rlm_ldap: ldap_connect() failed
   modcall[authenticate]: module ldap2 returns fail for request 561
 modcall: group redundant returns fail for request 561
 modcall: group Auth-Type returns fail for request 561
 auth: Failed to validate the user.

One question is why the bind operations are failing while the ldap search for
the ldap attributes works ok. Use tcpdump to inspect the ldap traffic
between your radius and ldap server and take a look at the ldap server logs for
anything strange.

From the logs you sent it doesn't show when the problem leading to the process
death you are describing occurs.

 Login incorrect: [spts] (from client jhb34 port 239 cli 072270533)
 Delaying request 561 for 1 seconds
 Finished request 561
 Going to the next request
 .

 --haizam





Re: core dump using freeradius0.9.2 with FreeBSD 5.1

2003-10-20 Thread Kostas Kalevras
On Mon, 20 Oct 2003, Rohaizam Abu Bakar wrote:

 even 0.9.0 having problem with FreeBSD 5.1 ... something about rlm_ldap 

Please read doc/bugs and send a backtrace of the core dump to the list.

Thanks


 --haizam

   - Original Message -
   From: Rohaizam Abu Bakar
   To: [EMAIL PROTECTED]
   Sent: Monday, October 20, 2003 6:53 PM
   Subject: core dump using freeradius0.9.2 with FreeBSD 5.1



   Using freeradius 0.9.2 with FreeBSD 5.1.. All compilations seems Ok... even 
 starting up doesn't give any problem... But once pumping load into it (not that 
 heavy)... then it keep core dumping as shown in below log..

   Currently i revert back to freeradius 0.9.0 with my FreeBSD 5.1 ...

   FYI... freeradius 0.9.2 inside my FreeBSD 4.8 running fine...


   LOG
   =
   i) from system log

   Oct 20 16:42:20 radius3 kernel: pid 67341 (radiusd), uid 0: exited on
   signal 4 (core dumped)
   Oct 20 16:42:20 radius3 kernel: Oct 20 16:42:20 radius3 kernel: pid 67341
   (radiusd), uid 0: exited on signal 4 (core dumped)
   Oct 20 17:02:02 radius3 kernel: pid 68054 (radiusd), uid 0: exited on
   signal 4 (core dumped)
   Oct 20 17:02:02 radius3 kernel: Oct 20 17:02:02 radius3 kernel: pid 68054
   (radiusd), uid 0: exited on signal 4 (core dumped)
   Oct 20 17:34:01 radius3 kernel: pid 69185 (radiusd), uid 0: exited on
   signal 4 (core dumped)
   Oct 20 17:34:01 radius3 kernel: Oct 20 17:34:01 radius3 kernel: pid 69185
   (radiusd), uid 0: exited on signal 4 (core dumped)
   Oct 20 17:46:27 radius3 kernel: pid 69671 (radiusd), uid 0: exited on
   signal 4 (core dumped)
   Oct 20 17:46:27 radius3 kernel: Oct 20 17:46:27 radius3 kernel: pid 69671
   (radiusd), uid 0: exited on signal 4 (core dumped)

   ii) from radius.log

   Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: 
 uniqueIdentifier=227523,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: 
 timeout
   Mon Oct 20 18:37:00 2003 : Error: rlm_ldap: 
 uniqueIdentifier=717710,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: 
 timeout
   Mon Oct 20 18:37:03 2003 : Error: rlm_ldap: 
 uniqueIdentifier=983053,ou=RADIUS,ou=People,dc=com,dc=my bind to x.x.x.x:389 failed: 
 timeout


   --haizam


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: FreeRadius On a Lucent NAS

2003-10-20 Thread Kostas Kalevras
On Sun, 19 Oct 2003, m0bius wrote:


 Hello there,

 I am doing an upgrade on the radius server, and I've decided to switch
 from Clistron Radius Server to FreeRadius. I have set FreeRadius to use
 mySQL and I've transformed the users file to the database format. I
 believe that I have configured freeradius enough to work fine. (radtest
 and radclient works as expected) However I've encountered some issues.

 1st) The first time I tried to see if our Lucent NAS worked well with
 the freeradius (clients.conf has been properly set, with all the correct
 ip's and passwords) and running radiusd on debug mode (-X) I never saw a
 single connection from the NASes. It's kinda confusing since if the
 password was incorrect I would probably see a message. I believe that it
 is a Lucent issue but the weird thing is that it previously worked just
 fine with the Cistron Radius (I've not changed anything on the NASes).
 Could anyone know if there is anything that should be taken into
 consideration regarding the configuration of the nas?

 2nd) I've set the dialup admin pretty well and it seems to work (Check
 Server and each Test User works as expected) however I don't seem to see
 the online users on the nas. I've set as fingering method snmp. I've
 tried running snmpfinger manually to see that it didn't work giving out
 errors. Mostly this was because of the different version of the snmpwalk
 I have installed on the system. (I use net-snmp latest version). I've
 edited snmpfinger for snmpwalk to work well, however now when I manually
 execute it I never get anything back... I don't want to use radacct for
 such purposes and I am most confused on what is going on. (Shouldn't
 snmpfinger return something back? Please note that when I do something
 like: snmpwalk -c community host -v 1 system I get a response from the
 nas)

The snmpfinger will use the Cisco Session MIB so it will probably only work for
cisco equipment. Patches are always welcome though.
You could just try using radacct. As long as your accounting works ok it won't
be of any difference.


 3rd) The nases are supposed to serve both dialup PSTN and ISDN 64k and
 128k at the same time. I've included the NAS-Port-Type on the dictionary
 and the dialup admin user_edit.attr file, however, while in Cistron the
 difference between PSTN, ISDN 64k, ISDN 128K was something like:

 PSTN:
 NAS-Port-Type = Async
 Simultaneus Use = 1

 ISDN 64
 Simultaneus Use = 1

 ISDN 128
 Simultaneus Use = 2

 I've been searching the documentations and saw something like:
 NAS-Port-Type = ISDN. Would such a thing work as well?

Simultaneous-Use is used to determine the number of distinct logins of a user
Port-Limit is used to determine the number of multilink channels a user is
allowed to open on a login.



 Btw I should mention that the Cistron Radius was not set by me and the
 people do not know how or why it was done this way back then. Well it's
 pretty much about that. I am sorry about the extended mail

 Really looking forward for any help available

 Regards
 Paris




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Session-Timeout

2003-10-20 Thread Kostas Kalevras
On Sun, 19 Oct 2003, Doron Shmaryahu wrote:

 Hi,

 I am using freeradius with mysql and dialupadmin. I have deleted the
 timeouts for users in the admin.conf file in dialup admin. I still seem
 to have users being disconnected after 2hrs with Session-Timeout as the
 cause. How could I remedy this ??

The admin.conf has nothing to do with the user information in the database. You
should change the user attributes for things to work ok.


 Thanks

 Doron Shmaryahu


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Radkill

2003-10-20 Thread Kostas Kalevras
On Sat, 18 Oct 2003, Matthew wrote:

 Is it possible to use Radkill or something similar to use the accounting
 logs to determine who the heaviest users are and kick them off line if there
 is only one free line left on the portmaster?  I want the accounting to
 based on the last 30 days of usage not just the current session.  This way
 the line campers would be kicked off rather than giving busy signals to
 everyone else at peak times.  If there are plenty of lines though no one
 would be kicked.

One easy way is to just setup a monthly counter for all your users (see
rlm_counter).
What you are trying to do is quite difficult. For instance how will you be able
to stop the disconnected users from reconnecting after you've kicked them out?


 Matt




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: attr_rewrite documentation?

2003-10-20 Thread Kostas Kalevras
On Fri, 17 Oct 2003, Steve Fulton wrote:

 Hi all,

 I'm in the process of setting up a FreeRADIUS server to replace our
 ancient one, and part of our requirements mean using attr_rewrite.  Is
 there any decent documentation/how-to's out there on how it is used?

Other than the comments in radiusd.conf and 'man 5 regex' none.


 And FWIW, I'm going to share our logic, so please feel free to poke holes
 in it:

 1.  We use [EMAIL PROTECTED].  If the realm is missing, we will use
 attr_write to add it.

proxy.conf:

realm NULL{
[...]
}


 2.  Since we're AAA'ing using a SQL database, the username needs to be
 parsed so that the username and the realm/domain is split.  Then those,
 plus the password, are checked against the SQL DB.

This is done automatically by the realm module.


 Seem sane to you?

Yes but you probably don't need to even use the attr_rewrite module


 -- Stephen.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_counter and rlm_sqlcounter

2003-10-20 Thread Kostas Kalevras
On Sun, 19 Oct 2003, apellido jr., wilfredo p wrote:

 Have a nice day Mr. Kalevras, I just question
 regarding counter attribute, is this possible to add
 this attribute in rlm_sqlcounter? or it is just for
 rlm_counter? Both rlm_counter and rlm_sqlcounter
 support user define reset, i tried to change the
 default reset of sql_monthlycounter and counter
 Monthly
 to 3 months and here's the LOG

 daywalker# radiusd -xx
 Starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /etc/raddb/proxy.conf
 Config:   including file: /etc/raddb/clients.conf

[...]

 Module: Loaded Counter
  counter: filename = /etc/raddb/db.monthly
  counter: key = User-name
  counter: reset = 3m
  counter: count-attribute = Acct-Session-Time
  counter: counter-name = Monthly-Session-Time
  counter: check-name = Max-Monthly-Session
  counter: allowed-servicetype = Framed-User
  counter: cache-size = 5000
 rlm_counter: Counter attribute Monthly-Session-Time is
 number 1081
 rlm_counter: num=3, last=m
 rlm_counter: Current Time: 1066614025, Next reset
 1072886400


You could try using the cvs version of rlm_counter, it will print the current
time and next reset time in human readable form. In any case for rlm_counter the
next is after 72 days which is probably at the first day of the third month
ahead.

[...]

 Module: Loaded SQL Counter
  sqlcounter: counter-name = Monthly-Session-Time
  sqlcounter: check-name = Max-Monthly-Session
  sqlcounter: key = User-Name
  sqlcounter: sqlmod-inst = sqlcca3
  sqlcounter: query = SELECT SUM(AcctSessionTime) FROM
 radacct WHERE UserName='%{%k}' AND AcctStartTime 
 FROM_UNIXTIME('%b')
  sqlcounter: reset = 3m
 rlm_sqlcounter: Counter attribute Monthly-Session-Time
 is number 1081
 rlm_sqlcounter: Check attribute Max-Monthly-Session is
 number 1082
 rlm_sqlcounter: num=1, last=m
 rlm_sqlcounter: Current Time: 1066614026 [2003-10-20
 09:40:26], Next reset 1067616000 [2003-11-01 00:00:00]
 rlm_sqlcounter: num=3, last=m
 rlm_sqlcounter: Current Time: 1066614026 [2003-10-20
 09:40:26], Prev reset 1059667200 [2003-08-01 00:00:00]
 Module: Instantiated sqlcounter (monthlycounter)

 why isnt it the next reset STILL first day of the
 month?

As for rlm_sqlcounter i don't know.




 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
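
An added example, not part of the original thread and not the modules' own code: month-boundary arithmetic that reproduces the epoch values in the debug output quoted above and prints them in readable form. It assumes the server's local time was UTC+8, because the log shows epoch 1066614026 as 09:40:26; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the logging host was at UTC+8. Epoch 1066614026 is 01:40:26 UTC,
# and the quoted rlm_sqlcounter line prints it as 2003-10-20 09:40:26.
LOCAL_TZ = timezone(timedelta(hours=8))


def parse_reset(spec):
    """Split a reset value such as '3m' into (3, 'm'), as in 'num=3, last=m'."""
    num, unit = int(spec[:-1]), spec[-1]
    if unit != "m" or num < 1:
        raise ValueError("this example only handles N-month resets")
    return num, unit


def _first_of_month(year, month_index):
    """Midnight on the 1st; month_index is 0-based and may over/underflow."""
    year += month_index // 12
    return datetime(year, month_index % 12 + 1, 1, tzinfo=LOCAL_TZ)


def next_reset(now_epoch, num):
    """First day of the month `num` months after the current one."""
    now = datetime.fromtimestamp(now_epoch, LOCAL_TZ)
    return int(_first_of_month(now.year, now.month - 1 + num).timestamp())


def prev_reset(now_epoch, num):
    """Start of a `num`-month window that ends with the current month."""
    now = datetime.fromtimestamp(now_epoch, LOCAL_TZ)
    return int(_first_of_month(now.year, now.month - 1 - (num - 1)).timestamp())


def human(epoch):
    return datetime.fromtimestamp(epoch, LOCAL_TZ).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    num, _ = parse_reset("3m")
    # Values taken from the quoted debug output
    counter_now, sql_now = 1066614025, 1066614026
    nxt = next_reset(counter_now, num)
    print("rlm_counter    next reset:", nxt, human(nxt),
          "in", (nxt - counter_now) // 86400, "days")
    print("rlm_sqlcounter next reset (num=1):", human(next_reset(sql_now, 1)))
    print("rlm_sqlcounter prev reset (num=3):", human(prev_reset(sql_now, num)))
```

With num=3 the next reset lands on 2004-01-01, 72 days after the log was taken, while the rlm_sqlcounter lines correspond to a next reset computed with num=1 and a previous reset computed with num=3.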



Re: manually updating AcctStopTime

2003-10-20 Thread Kostas Kalevras
On Mon, 20 Oct 2003, Kenny Olano wrote:

 Hello
   I am using freeradius 07.1 with mysql. I am working on script that will
 update the AcctStopTime manually, But I have noticed that when that is done
 and the radius server receives the accounting stop packets it doesn't update
 the record but inserts an entire new record.  Any way of stopping this?

Have you read the sql.conf file?

the accounting-stop query will do an 'update where acctstoptime = 0'
If acctstoptime has been changed then the query will fail and the server will
fall back to an insert


 Kenny Olano
 Web Programmer
 Practical Solutions
 1561 Virginia Avenue Suite 207A
 College Park, GA 30337
 404-762-5600 x103




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: manually updating AcctStopTime

2003-10-20 Thread Kostas Kalevras
On Mon, 20 Oct 2003, Kenny Olano wrote:

 I guess I should have read the sql.conf file before I posted this. Sorry about
 that.  Would there be any damage caused if I remove accstoptime = 0 from
 the sql clause? By damage I mean any type of database corruption or the
 wrong records being updated.

Probably not as long as the acct-session-id (and probably acct-unique-id) fields
are unique...




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
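
The update-then-insert behaviour from the two AcctStopTime replies above, as an added example (not FreeRADIUS code and not the queries from sql.conf). The table is a constructed, simplified radacct run in an in-memory SQLite database; `acct_stop`, `scenario` and the sample session ids are assumptions made for the illustration.

```python
import sqlite3

# Constructed, simplified radacct table: only the columns this thread mentions.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId   TEXT    NOT NULL,
    AcctUniqueId    TEXT    NOT NULL,
    UserName        TEXT    NOT NULL,
    AcctStartTime   INTEGER NOT NULL DEFAULT 0,
    AcctStopTime    INTEGER NOT NULL DEFAULT 0,
    AcctSessionTime INTEGER NOT NULL DEFAULT 0
)
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def acct_start(db, session_id, unique_id, user, start):
    db.execute(
        "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, AcctStartTime)"
        " VALUES (?, ?, ?, ?)",
        (session_id, unique_id, user, start),
    )


def acct_stop(db, session_id, unique_id, user, stop, duration, require_open=True):
    """Apply an accounting stop: UPDATE first, INSERT when no row matched.

    require_open=True keeps the 'acctstoptime = 0' condition; False drops it.
    Returns (action, rows_updated).
    """
    # The WHERE text is built from constants only; all values are bound.
    where = "AcctSessionId = ? AND AcctUniqueId = ?"
    if require_open:
        where += " AND AcctStopTime = 0"
    cur = db.execute(
        f"UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ? WHERE {where}",
        (stop, duration, session_id, unique_id),
    )
    if cur.rowcount:
        return "update", cur.rowcount
    db.execute(
        "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName,"
        " AcctStartTime, AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?, ?, ?)",
        (session_id, unique_id, user, stop - duration, stop, duration),
    )
    return "insert", 0


def duplicated_sessions(db):
    """Audit query: sessions that ended up with more than one accounting row."""
    return db.execute(
        "SELECT AcctSessionId, AcctUniqueId, COUNT(*) FROM radacct"
        " GROUP BY AcctSessionId, AcctUniqueId HAVING COUNT(*) > 1"
    ).fetchall()


def scenario(require_open, reuse_ids=False):
    """A script closes the session by hand, then the NAS stop packet arrives."""
    db = open_db()
    if reuse_ids:
        # An older, already closed session that carries the same ids.
        acct_start(db, "0001", "u1", "kenny", 1000)
        acct_stop(db, "0001", "u1", "kenny", 1600, 600)
    acct_start(db, "0001", "u1", "kenny", 5000)
    # The external script sets the stop time on the open row.
    db.execute("UPDATE radacct SET AcctStopTime = 5900 WHERE AcctStopTime = 0")
    action = acct_stop(db, "0001", "u1", "kenny", 6000, 1000, require_open)
    stops = [r[0] for r in db.execute(
        "SELECT AcctStopTime FROM radacct ORDER BY RadAcctId")]
    return {"action": action, "stops": stops, "duplicates": duplicated_sessions(db)}


if __name__ == "__main__":
    print(scenario(True))                    # second row inserted
    print(scenario(False))                   # existing row updated
    print(scenario(False, reuse_ids=True))   # old closed row overwritten too
```

The third scenario is the "wrong records being updated" case: without the open-session condition, a stop for non-unique ids rewrites the earlier, closed row as well.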



Re: rlm_counter costume reset

2003-10-18 Thread Kostas Kalevras
On Fri, 17 Oct 2003, apellido jr., wilfredo p wrote:

 what's wrong with this configuration?


 counter Monthly {
     filename = ${raddbdir}/db.monthly
     key = User-name
     count-attribute = Acct-Session-Time
     reset = 3m
     counter-name = Monthly-Session-Time
     check-name = Max-Monthly-Session
     allowed-servicetype = Framed-User
     cache-size = 5000
 }

 here's the part of the log :

 sqlcounter: counter-name = Monthly-Session-Time
  sqlcounter: check-name = Max-Monthly-Session
  sqlcounter: key = User-Name
  sqlcounter: sqlmod-inst = sqlcca3
  sqlcounter: query = SELECT SUM(AcctSessionTime) FROM
 radacct WHERE UserName='%{%k}' AND AcctStartTime 
 FROM_UNIXTIME('%b')
  sqlcounter: reset = monthly
 rlm_sqlcounter: Counter attribute Monthly-Session-Time
 is number 1081
 rlm_sqlcounter: Check attribute Max-Monthly-Session is
 number 1082
 rlm_sqlcounter: Current Time: 1066458752 [2003-10-18
 14:32:32], Next reset 1067616000 [2003-11-01 00:00:00]
 rlm_sqlcounter: Current Time: 1066458752 [2003-10-18
 14:32:32], Prev reset 1064937600 [2003-10-01 00:00:00]
 Module: Instantiated sqlcounter (monthlycounter)

What does sqlcounter have to do with rlm_counter?



 why is the next reset still the first day of the
 month even though it is set for 3 months?





 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_counter question

2003-10-16 Thread Kostas Kalevras
On Wed, 15 Oct 2003, apellido jr., wilfredo p wrote:

 hello guys good day, after reading the mailing list,
 part of the problem is solved. Using rlm_counter you can
 disconnect the user using the specified session
 timeout entry. I just want to ask how to reset the
 counter immediately. In radius.conf the counter can be
 reset to zero daily, weekly, monthly and user-defined.
 I configured the radius server for prepaid internet
 which is consumable for 1 month, but not all users consume
 their account in exactly 1 month; sometimes 3 days, 2
 weeks or 3 weeks. Now, if they want to update their
 account with us, then how can I update (reset) the user as
 soon as possible without waiting for an hour, day,
 week or month? Thanks

Use a simple perl script or C program using the corresponding GDBM library to
reset the user counter in the GDBM database.


 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rad_counter.pl error

2003-10-16 Thread Kostas Kalevras
On Thu, 16 Oct 2003, apellido jr., wilfredo p wrote:

 hello, i got this error when im trying to run
 rad_counter.pl in FreeBSD 4.8


 perl rad_counter.pl
 Can't locate warnings.pm in @INC (@INC contains:
 /usr/local/lib/perl5/site_perl/5.005/i386-freebsd
 /usr/local/lib/perl5/site_perl/5.005 .
 /usr/libdata/perl/5.00503/mach
 /usr/libdata/perl/5.00503) at rad_counter.pl line 5.
 BEGIN failed--compilation aborted at rad_counter.pl
 line 5.


 i tried to comment this in perl script to see what
 other errors may come then i got this:


 perl rad_counter.pl
 Can't locate GDBM_File.pm in @INC (@INC contains:
 /usr/local/lib/perl5/site_perl/5.005/i386-freebsd
 /usr/local/lib/perl5/site_perl/5.005 .
 /usr/libdata/perl/5.00503/mach
 /usr/libdata/perl/5.00503) at rad_counter.pl line 6.
 BEGIN failed--compilation aborted at rad_counter.pl
 line 6.



 i installed gdbm, rlm_dbm and rlm_counter thinking
 that this script may solve my problem regarding
 resetting the counter attribute. what am i missing here?
 what other dependencies should i install to run this
 script? thanks ...

You need to install the corresponding PERL modules which seem to be missing
in your installation

perl -MCPAN -e shell
install GDBM_File;

for example




 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Error: rlm_ldap: ldap_search() failed: Time limit exceeded

2003-10-15 Thread Kostas Kalevras
On Wed, 15 Oct 2003, Teoh, Chee wrote:



 



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Error: rlm_ldap: ldap_search() failed: Time limit exceeded

2003-10-15 Thread Kostas Kalevras
On Wed, 15 Oct 2003, Kostas Kalevras wrote:

 Hi All,

 I am using freeradius-0.8.1 with LDAP backend running on FreeBSD 4.8.

 During busier periods (approx 1-3 auth request per sec, not very high!) I see
 a lot of the following errors:

 Wed Oct 15 08:25:05 2003 : Error: rlm_ldap: ldap_search() failed: Time limit
 exceeded
 Wed Oct 15 08:25:06 2003 : Error: rlm_ldap: ldap_search() failed: Time limit
 exceeded
 Wed Oct 15 08:25:06 2003 : Error: rlm_ldap: ldap_search() failed: Time limit
 exceeded
 Wed Oct 15 08:25:06 2003 : Error: rlm_ldap: ldap_search() failed: Time limit
 exceeded


 Questions:
 1) Does anyone know what this error relates to in LDAP?

Timelimit of the ldap operation was exceeded.

 2) Is this a timeout value configurable in the radiusd.conf file, if so, which
 one?

The timelimit directive

 3) If it is a freeradius-LDAP interface performance problems, how can I fix
 it?

Probably add an index on the attribute used in the ldap search. By default
timelimit is 3 secs which should be sufficient if the corresponding attribute is
indexed.


 Any help would be greatly appreciated.

 Kind regards,
 Chee.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: failed logins

2003-10-12 Thread Kostas Kalevras
On Sun, 12 Oct 2003, Doron Shmaryahu wrote:

 Hi all,

 After much trying I have finally got freeradius on Freebsd with mysql
 all working. The dialup admin interface is working. The only thing is
 that it does not log failed logins. Can anyone give me an idea?

You should run the dialup_admin/bin/log_badlogins script to log them.


 thanks







--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Login-Time Problem Freeradius-0.9.1

2003-10-12 Thread Kostas Kalevras
On Sat, 11 Oct 2003, apellido jr., wilfredo p wrote:

 Good day Mr. Kalevras, thanks for the reply. I think
 the problem is my NAS (Cyclades Ze using Portslave)
 and Portmaster. And I have another problem:
 Simultaneous-Use doesn't work either. If the user is
 already connected and I try to connect using
 radtest, unfortunately it is accepted. In dialup_admin
 the Online user report shows it disconnected

Well that means that the session has not been logged in the radacct table as
open. Make sure that accounting works correctly and that the user sessions are
correctly logged in the accounting database. Also make sure that the module
handling the session checking (either sql or radutmp) is listed both in the
session and accounting sections.

 but in the radius
 log (radius -xx) there is nothing stating that the user is
 disconnected. In reality the user is still connected.
 Lastly, I get no log in my radius.log and I know that
 the problem is also related to my NAS. I have no
 manual, so I tried to search for documentation on the web,
 but unfortunately I'm still looking for
 anything. Do you have any suggestions? Thanks very much

 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Session Control,,,,

2003-10-11 Thread Kostas Kalevras
On Sat, 11 Oct 2003, Anshu wrote:

 Hi,


 I need to control the user for a specific time, i.e. say he should not be
 able to access for more than 5 hours in a week, or 50 hours in a year

See the counter module.


 Can anyone help me in configuring that.

 -Anshu




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_sqlcounter ( Monthly Limit)

2003-10-11 Thread Kostas Kalevras
On Thu, 9 Oct 2003, apellido jr., wilfredo p wrote:

 hello guys, why do i get this error when i try
 to run radius -xx?

 rlm_sql (sql): Released sql socket id: 4
   modcall[authorize]: module sql returns ok
 rlm_sqlcounter: Entering module authorize code
 rlm_sqlcounter: Could not find Check item value pair
^^

You need to set the Check item you have configured in the counter module (the
check-name configuration directive) somewhere (in the users file, in mysql/ldap,
etc.)

   modcall[authorize]: module monthlycounter returns
 noop


 i just added sqlcounter.conf in /etc/raddb and added
 monthlycounter in radius.conf under authorization. The
 user can authenticate but the Login-Time doesn't work.
 They can still log in even though they are not in the
 time span. What am i missing here? thanks


 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: freeradius + mysql Expiration problem

2003-10-11 Thread Kostas Kalevras
On Wed, 8 Oct 2003, net.art communications GmbH wrote:

 Hello,

 Can anybody help me?
 Password Expiration does not work here.

 In the users file this works fine, but not in
 MySql.

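 mysql> SELECT * FROM radcheck;
 +----+----------+------------+----+------------+
 | id | UserName | Attribute  | op | Value      |
 +----+----------+------------+----+------------+
 |  1 | bob      | Password   | == | testing    |
 |  2 | bob      | Expiration | := | 8 Oct 2003 |
 +----+----------+------------+----+------------+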

 is this correct?

You have to use the == operator for Expiration due to the way it is implemented
in freeradius (through a registered compare function).


 --
 Mario




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Login-Time Problem Freeradius-0.9.1

2003-10-11 Thread Kostas Kalevras
On Fri, 10 Oct 2003, apellido jr., wilfredo p wrote:

 Good day, I'm just wondering if my configuration is
 correct. I tried to limit the internet access of the
 user april from 11 pm - 3 am, then I got this entry in
 my DB. After 3 am, why is the user (april)
 still online?

Make sure that radiusd is sending back a Session-Timeout attribute and that your
NAS is honoring it.

 I tried to disconnect her, and when she
 logs in once again she can't; I got this reply msg from
 radius :

 Reply-Message = You are calling outside your allowed
 timespan\r\n

 That's what i actually expect. What am i missing here?
 thanks thanks.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: dialup_admin

2003-10-10 Thread Kostas Kalevras
On Thu, 9 Oct 2003, apellido jr., wilfredo p wrote:

 Good day guys, i tried to add another group using
 dialup_admin, then i tried to show groups; the one that
 i've created doesn't appear in the report. when i check
 my db (mysql) it appears that the group i've created is
 already inserted. here's my output

 mysql> select * from radgroupreply;
 +----+-------------------+--------------------+----+---------------------+------+
 | id | GroupName         | Attribute          | op | Value               | prio |
 +----+-------------------+--------------------+----+---------------------+------+
 |  1 | admin             | Framed-Compression | =  | Van-Jacobsen-TCP-IP |    0 |
 |  2 | admin             | Framed-Protocol    | =  | PPP                 |    0 |
 |  3 | admin             | Service-Type       | =  | Framed-User         |    0 |
 |  4 | admin             | Auth-Type          | =  | System              |    0 |
 |  5 | admin             | Framed-MTU         | =  | 1500                |    0 |
 |  6 | Night-Owl Prepaid | Framed-Protocol    | =  | PPP                 |    0 |
 |  7 | Night-Owl Prepaid | Framed-MTU         | =  | 1500                |    0 |
 |  8 | Night-Owl Prepaid | Framed-Compression | =  | Van-Jacobsen-TCP-IP |    0 |
 |  9 | Night-Owl Prepaid | Service-Type       | =  | Framed-User         |    0 |
 +----+-------------------+--------------------+----+---------------------+------+


 The Night-Owl Prepaid group is the one i've inserted
 through dialup_admin and the admin group i've inserted
 manually. i'm using the dialup_admin which is included in
 the freeradius-0.9.0 package. Thanks


If you don't assign any user to that group it won't show in the 'show groups'
page.



 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: EAP-TTLS.

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Raj Jadhav wrote:

 Hi
 Has anybody implemented EAP-TTLS, or does anybody have more details on how to implement EAP
 TTLS with PAP?
 I am facing a problem with an ISP that has an old legacy platform with Merit RADIUS
 and IBM LDAP. I tried to test with FREE RADIUS and IBM LDAP.
 IBM LDAP responds nicely to Free RADIUS with the crypto password of the user. When I
 enter my username and password through an 802.1x Ethernet switch with an XP client
 with md5 challenge, FreeRADIUS debug says MD5 challenge failure.
 It means my Free RADIUS server is not understanding the passwords of users.
 How can I convert the crypto passwords in IBM LDAP to MD5 passwords?

You can't. EAP-MD5 is the same as CHAP. See:

http://www.freeradius.org/faq/#4.4
http://www.freeradius.org/faq/#5.11

 Or same thing can be used with EAP-TTLS??
 I am confused
 Thanks in advance
 Raj Jadhav





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
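
Why a one-way hashed directory password cannot serve EAP-MD5 or CHAP, as an added example that is not FreeRADIUS code: the response is MD5 over the identifier, the shared secret and the challenge, so the server must hold the same secret bytes the client used. The salted SHA-256 `stored_hash` is a stand-in for whatever one-way scheme the directory uses, and the password, salt and challenge are constructed values.

```python
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def stored_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way directory hash (assumption: salted SHA-256)."""
    return hashlib.sha256(salt + password).digest()


def verify_chap(identifier: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """Server side: recompute the response from what the server has stored."""
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(cleartext_from_client: bytes, salt: bytes, stored: bytes) -> bool:
    """PAP hands the server the cleartext, so it can hash and compare."""
    return hmac.compare_digest(stored_hash(cleartext_from_client, salt), stored)


def demo():
    password = b"constructed-password"      # what the user types
    salt = b"\x01\x02\x03\x04"              # constructed salt
    directory_value = stored_hash(password, salt)

    identifier = 7
    challenge = bytes(range(16))            # constructed 16-byte challenge
    response = chap_response(identifier, password, challenge)   # client side

    return {
        # Server stores the cleartext: the recomputed response matches.
        "chap_with_cleartext": verify_chap(identifier, challenge, response, password),
        # Server stores only the hash: it cannot rebuild the client's response.
        "chap_with_hash": verify_chap(identifier, challenge, response, directory_value),
        # PAP (for example inside a TLS tunnel): cleartext arrives, hash compares.
        "pap_with_hash": verify_pap(password, salt, directory_value),
        "response_length": len(response),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```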



Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 however, it's true that the User-Name content, the certified name AND
 the EAP-Identity information is not checked for consistency by the
 server. (EAP-Identity should be equal User-Name - that's the function of
 the AP, that is something you have a trust with; however, these both
 compared to the certified name in the certificate could NOT match and
 the certificate would still be accepted. the question here is: do they
 have to match as strings or which is the good metrics? perhaps a
 configurable comparison handler?)

One thing we could do (this is what iplanet does for certificate authentication)
is get the user certificate of the user from ldap and check it with the user
supplied. If they match then we can be pretty sure we are dealing with the right
user. This should not be too difficult to do using ldap_xlat. Maybe it would
require some code changes to ldap_xlat since the usercertificate attribute is
of binary type, base64 encoded but i think it's doable.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 hi kostas


 yes, that would be a possibility.

 in any case we shouldn't be too strict in the comparison. the example
 i'm thinking about, is the following:

 given that the certificates are usually issued to real persons, the CN
 could be e.g. smith. however, with nomadicity he is still smith but
 he is likely to use something like [EMAIL PROTECTED] which is NOT his
 CN. i think there are more similar examples in the case of proxying.
 perhaps we should also allow the usage of other (critical) certified
 fields instead of the CN - the email address is for example a good
 choice, since it can directly be used as a fully qualified global user
 name - since it is by default unique.

 that's why i am talking about some freely definable handler for
 comparison, like a function boolean compare(string, string).

I am not talking about checking specific attributes of the certificate but
rather checking the certificate as a whole. If the certificate was issued to
user jim then the usercertificate;binary in ldap and the certificate passed
through eap should be exactly the same.



 ciao
 artur




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 i understand, but if you do that, you can't proxy requests anymore.

I don't need to authenticate requests that i am just proxying.
The certificate check will be after checking that the certificate is valid.


 AND: this does not solve the problem of user-name being NOT the same as
 certificate. e.g. if you me and i we both have the complete certificate
 (you in the LDAP), i could still use some other User-Name thus faking
 the accounting.

But i use the username in the access-request to find the certificate in ldap. So
you can't use a fake username...



 ciao
 artur




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 hi kostas


 ok, now i get it :-) but with your approach you have to put the user
 certificate into the server's LDAP (which it doesn't necessarily have),
 i.e. you have to put all certificates on the server AND on clients. it's
 a bit more difficult, especially if you don't run any kind of
 certificate repository.


  I don't need to authenticate requests that i am just proxying.
  The certificate check will be after checking that the certificate is valid.

 well, you are right.

 (however, we have a more complicated thing here, we check locally and
 then proxy only the authorization, i.e. is this user still valid to
 the remote host. with this, we don't need to proxy complete TLS exchanges
 (quite big auth delay), we do not need CRLs or other central
 depositories ... and we do not need user certificates in _all_ visited
 domains... but i suppose, it's not quite usual though perfectly legal.)


  But i use the username in the access-request to find the certificate in ldap. So
  you can't use a fake username...

 ok, with the limitations mentioned above. sorry, i didn't get it first.
 still, i would prefer a more traditional method: why would the server
 need to have all user certs installed?

 it should be quite simple to compare the User-Name to the configured
 field in the certificate by using regular expressions and similar.

Sure. Both could be just configurable options. If you maintain a CA and an ldap
to store user certificates you can enable certificate verification. If not you
can just do a regex on the certificate attributes and verify it that way.

The only thing left now, is for someone to write these checks :-)



 ciao
 artur





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
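
The two configurable checks this thread arrives at, as an added example that is not FreeRADIUS code: a whole-certificate comparison against the copy stored in the directory under the request's User-Name, and a pattern check of User-Name against one certificate field. The directory is a constructed dictionary, the certificate bytes are placeholders rather than real DER, the subject fields are assumed to be already parsed, and every function and policy key here is hypothetical.

```python
import base64
import hmac
import re

# Constructed placeholder bytes standing in for DER-encoded certificates.
CERT_JIM = b"constructed-der-bytes-jim"
CERT_EVE = b"constructed-der-bytes-eve"

# Constructed directory: User-Name -> base64 text of usercertificate;binary.
DIRECTORY = {
    "jim": base64.b64encode(CERT_JIM).decode("ascii"),
    "eve": base64.b64encode(CERT_EVE).decode("ascii"),
}


def whole_certificate_matches(user_name, presented_der, directory):
    """Look the certificate up by User-Name and compare it byte for byte."""
    stored_b64 = directory.get(user_name)
    if stored_b64 is None:
        return False                      # unknown user: nothing to match
    try:
        stored_der = base64.b64decode(stored_b64, validate=True)
    except ValueError:
        return False                      # corrupt directory value
    return hmac.compare_digest(stored_der, presented_der)


def name_matches_field(user_name, subject, field, pattern):
    """Pattern check: the capture group taken from User-Name must equal the
    configured certificate field. fullmatch() anchors both ends, so extra
    text before or after the expected name is rejected."""
    match = re.fullmatch(pattern, user_name)
    if match is None or field not in subject:
        return False
    return match.group(1) == subject[field]


def check_request(user_name, presented_der, subject, policy, directory=DIRECTORY):
    """Runs after the TLS layer has validated the certificate itself.

    Returns "skip" for requests that are only proxied, else "accept"/"reject".
    """
    mode = policy["mode"]
    if mode == "proxy":
        return "skip"
    if mode == "directory":
        ok = whole_certificate_matches(user_name, presented_der, directory)
    elif mode == "pattern":
        ok = name_matches_field(user_name, subject,
                                policy["field"], policy["pattern"])
    else:
        raise ValueError("unknown mode: %r" % mode)
    return "accept" if ok else "reject"


if __name__ == "__main__":
    # A valid certificate issued to eve, sent with jim's User-Name.
    print(check_request("jim", CERT_EVE, {}, {"mode": "directory"}))
    subject = {"CN": "smith", "emailAddress": "smith@example.org"}
    by_cn = {"mode": "pattern", "field": "CN", "pattern": r"([^@]+)@example\.org"}
    print(check_request("smith@example.org", b"", subject, by_cn))
```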



Re: PAP failure on Redhat.

2003-10-07 Thread Kostas Kalevras
On Mon, 6 Oct 2003, ted wrote:

 I have run radtest on a new server running Redhat 7.3 with md5 shadow
 passwords.  This machine is running freeradius-0.9.1.  As you can see below,
 I keep getting rlm_pap: No password (or empty password) to check against for
 for user clover


 I have spent the last 5 hours searching the list and pulling my hair out
 trying to figure this out.  Does anyone see anything that I'm missing.  Let
 me know if there is anything else you need, IE users, or radius.conf

 Regards
 Ted


 Waking up in 5 seconds...
 Thread 1 handling request 0, (1 handled so far)
 User-Name = clover
 User-Password = 9794scor
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 1
 modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
 radius_xlat:  '/var/log/radius/radacct/207.14.77.13/auth-detail-20031006'
 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to /var/log/radius/radacct/207.14.77.13/auth
 -detail-20031006
   modcall[authorize]: module auth_log returns ok
   modcall[authorize]: module chap returns noop
 rlm_eap: EAP-Message not found
   modcall[authorize]: module eap returns noop
 rlm_realm: No '@' in User-Name = clover, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop
 users: Matched DEFAULT at 217
   modcall[authorize]: module files returns ok
   modcall[authorize]: module mschap returns noop
 modcall: group authorize returns ok


You don't seem to have anything in your authorize section which will set the
User-Password. As a result rlm_pap fails. Fix that and things should work.

   rad_check_password:  Found Auth-Type PAP
 auth: type PAP
 modcall: entering group Auth-Type
 rlm_pap: login attempt by clover with password 9794scor
 rlm_pap: No password (or empty password) to check against for for user
 clover
   modcall[authenticate]: module pap returns invalid
 modcall: group Auth-Type returns invalid
 auth: Failed to validate the user.
 Login incorrect (rlm_pap: User password not available): [clover/9794scor]
 (from client test port 1)


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: LEAP,LDAP required User-Password

2003-10-07 Thread Kostas Kalevras
On Tue, 7 Oct 2003, claufer wrote:


   I didn't say that.
 
 
 Ok, I'm sorry then I've misunderstood something.

 This means that my UserPassword entry in LDAP is unecessary?
 
 
 
   No.
 
 
 Ok.

 I was setting up a DEFAULT password for all my LDAP users in users file.
 
 
 
   I don't see why.
 
 
 Just to see if authentication with password in users file can be
 successful instead of having the password in LDAP where the
 authentication always fails with the error: rlm_eap_leap: FAILED
 incorrect NtChallengeResponse from AP

  Put the users password into the ldap database?
 
   Alan DeKok.
 
 hmm, OK. That's what I already did before: setting the userPassword
 entry in LDAP. Sadly I always get this error message above.
 But if I understood you properly I'm on the right path to get this to work
 when setting the var userPassword:=. in ldif files.
 I don't know where else I'm doing something wrong in configs, but if
 anyone has some ideas I would be really grateful!

Probably you need to extract your user password from the ldap entry and make it
available to eap_leap. The password should be clear text for things to work, I
think. Check out doc/rlm_eap (EAP-MD5 and ldap) and doc/rlm_ldap on how to
configure password extraction in the ldap module.


 best regards,
 cl






--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: specific login periods

2003-10-07 Thread Kostas Kalevras
On Tue, 7 Oct 2003, Randy Mingo wrote:

 I know I've seen this before but I can't remember where. I need to allow
 someone to only be able to login during certain times, like 9 to 5 for
 example. Can someone point me in the right direction? Any help is appreciated,
 thanks.

 Randy Mingo


Check out the Login-Time attribute in doc/README

If you are using ldap/mysql there is also a web page to create it in dialupadmin

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: dialup_admin

2003-10-06 Thread Kostas Kalevras
On Mon, 6 Oct 2003, apellido jr., wilfredo p wrote:

 Thank you very much Mr. Kalevras, maybe it will work after
 updating the user_admin.php3, but my BIG problem now is
 how to use CVS? :( But anyway, thank you very much.

http://www.freeradius.org/development.html#cvs


 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: dialup_admin

2003-10-06 Thread Kostas Kalevras
On Mon, 6 Oct 2003, apellido jr., wilfredo p wrote:

 Good day Mr. Kalevras, I know this is not part of this
 mailing list, but I'd be very glad if you can help me with
 this. When I'm trying to cvs:

 cvs -d :pserver:[EMAIL PROTECTED]:/source
 login

 then it prompts for the password:

 Logging in to
 :pserver:[EMAIL PROTECTED]:2401/source
 CVS password:

 When I type anoncvs, nothing happens. It just came back
 to root. I'm using freebsd4.8

That's what it should do!!

Just follow all the instructions and it should work just fine.
man cvs on your system should also help.



 =
 [ apellido jr., wilfredo p. ]
 +63 034 4880-449

 If you can't hear me, it's because i'm in parentheses.



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_ldap in v0.9.1 and multi-value attributes

2003-10-06 Thread Kostas Kalevras
On Mon, 6 Oct 2003, Najeh Ben Nasrallah wrote:



 Hi all,
  it seems there's a bug within the rlm_ldap module in version 0.9.1.
  freeradius fails to insert a multivalue attribute (like cisco-avpair) in
 the Access-Accept.

 Note that there is another freeradius server v0.8.1 running without
 problem with the same ldap directory as backend.

Well, rlm_ldap in 0.8.1 had pairadd() while rlm_ldap in 0.9.X uses
pairxlatmove() which honors operators.
You should use the += operator to add a multivalue attribute like:
radiusVSA: vpdn:nas-password=**
radiusVSA: += vpdn:gw-password=*

 Here's a log example:


 rlm_ldap: looking for reply items in directory...
 ...
 rlm_ldap: Adding radiusVSA as Cisco-AVPair, value
 vpdn:nas-password=*  op=11
 rlm_ldap: Adding radiusVSA as Cisco-AVPair, value vpdn:gw-password=*
  op=11
 

 Sending Access-Accept of id 118 to 127.0.0.1:43810
 Service-Type = Outbound-User
 Tunnel-Server-Auth-Id:1 = ***
 Tunnel-Client-Auth-Id:1 = ***
 Tunnel-Server-Endpoint:1 = A.B.C.D
 Tunnel-Medium-Type:1 = IP
 Tunnel-Type:1 = L2F
 Cisco-AVPair = vpdn:nas-password=**   <-- missing the other cisco-avpair.

 Finished request 20


 Is it really a bug, or am I missing something else?





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
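
The operator behaviour described in the reply above, as an added example that is not part of the original thread and is not FreeRADIUS code: a simplified Python model of a reply list that honors `=`, `:=` and `+=`. The function names, the constructed password values, and the rule that a value without a leading operator is treated as `=` are assumptions for illustration.

```python
# Simplified model of operator-aware reply handling; not FreeRADIUS source code.
OPERATORS = ("+=", ":=", "=")  # the three operators this model understands


def parse_ldap_value(raw):
    """Split an optional leading operator off an LDAP attribute value.

    A value with no leading operator is treated as "=" (assumption taken from
    the page's example, where only the second radiusVSA line carries "+=").
    """
    raw = raw.strip()
    for op in OPERATORS:
        if raw.startswith(op + " "):
            return op, raw[len(op):].strip()
    return "=", raw


def apply_pair(reply, name, op, value):
    """Apply one (name, op, value) to the reply list, honoring the operator."""
    present = any(n == name for n, _ in reply)
    if op == "+=":                      # always append
        reply.append((name, value))
    elif op == ":=":                    # replace every existing instance
        reply[:] = [(n, v) for n, v in reply if n != name]
        reply.append((name, value))
    elif not present:                   # "=": add only if none is present yet
        reply.append((name, value))
    return reply


def build_reply(ldap_values, name="Cisco-AVPair", honor_operators=True):
    """Map directory values to reply items.

    honor_operators=False models an unconditional append of every value.
    """
    reply = []
    for raw in ldap_values:
        op, value = parse_ldap_value(raw)
        apply_pair(reply, name, op if honor_operators else "+=", value)
    return reply


# Constructed directory values (the page masks the real ones).
AS_POSTED = ["vpdn:nas-password=EXAMPLE-NAS", "vpdn:gw-password=EXAMPLE-GW"]
WITH_APPEND = ["vpdn:nas-password=EXAMPLE-NAS", "+= vpdn:gw-password=EXAMPLE-GW"]

if __name__ == "__main__":
    for label, values in (("as posted", AS_POSTED), ("with +=", WITH_APPEND)):
        print(label, build_reply(values))
```

With the values as posted, the second Cisco-AVPair is dropped because an instance is already present; prefixing it with `+=` keeps both.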



Re: dialup_admin

2003-10-05 Thread Kostas Kalevras
On Fri, 3 Oct 2003, apellido jr., wilfredo p wrote:

 Mr. Kalevras, good day. I've already added
 Max-Monthly-Session in user_edit.attrs and also added it
 in sql.attrmap.

Yes, dialupadmin wasn't calculating monthly usage. Do a cvs update on the
user_admin.php3 page and it should work now. Thanks for the report.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
