Re: Two radius daemons running, problem !!!

2003-11-05 Thread Mark Hennessy
Is there any particular reason that you are running two separate radiusd's
on different ports and not using huntgroups to differentiate between them
instead?

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 5 Nov 2003, Moktar KONE wrote:

 Date: Wed, 5 Nov 2003 18:11:11 -
 From: Moktar KONE [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Two radius daemons running, problem !!!

 Hi all,
 I am using freeradius 0.9 and I have two radiusd daemons running:
 one on port 1645/1646 for Dialup users authentication and the other on port
 1812/1813 for ADSL users authentication.
 I launched the two daemons with success and I can test with success authentication
 for ADSL and Dialup users, but after some minutes the second daemon (listening port
 1812/1813) dies!
 It is always the same scenario when I launch it another time. Can someone help to
 find why this happens and how I can solve it?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Random auth failure issue

2003-08-28 Thread Mark Hennessy
I know this question might be a bit vague, but...
What might cause a freeRADIUS server to start returning failed
authentication responses when correct information is given after it
has been running successfully and returning correct responses for many
days.  I have to kill radiusd and restart it to get it to accept requests
again.  I am using freeRADIUS with MySQL providing the access information
to freeRADIUS and catching accounting data.  What other information should
I be providing and what else should I look at?

Relevant systems in use:
freeRADIUS 0.9.0 release
MySQL 4.0.13 with linuxthreads
FreeBSD 4.8

--
 Mark P. Hennessy [EMAIL PROTECTED]




Re: Random auth failure issue

2003-08-28 Thread Mark Hennessy
From debug output:

rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect
0
  modcall[accounting]: module sql returns fail

Well, that answers that I guess.

--
 Mark P. Hennessy [EMAIL PROTECTED]


On Thu, 28 Aug 2003, Mark Hennessy wrote:

 Date: Thu, 28 Aug 2003 15:02:13 -0400 (EDT)
 From: Mark Hennessy [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Random auth failure issue

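An added example, not part of the original post or of FreeRADIUS: a small Python triage script that replays radiusd debug output, tracks rlm_sql socket reservations against releases, and records where the "no DB handles" error appears, tolerating the final counter wrapped onto the next line as e-mailed output often is. The log text is constructed, the Reserving/Released line format is taken from other debug output on this page and may differ between versions, and the script reports the skipped/tried counters without interpreting them.

```python
import re

# Line formats as they appear in debug output quoted on this page.
SOCKET = re.compile(
    r"rlm_sql(?: \(\w+\))?: (Reserving|Released) sql socket id: (\d+)")
EXHAUSTED = re.compile(
    r"rlm_sql(?: \(\w+\))?: There are no DB handles to use! "
    r"skipped (\d+), tried to connect\s*(\d+)?")
SQL_FAIL = re.compile(r"modcall\[(\w+)\]: module sql returns fail")

# Constructed sample, not captured from a real server.
SAMPLE = """\
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect
0
  modcall[accounting]: module sql returns fail
"""


def analyze(lines):
    """Replay debug lines and summarise the SQL socket pool state."""
    lines = [line.rstrip("\n") for line in lines]
    held = {}  # socket id -> line number where it was reserved
    report = {"exhausted": [], "failed_sections": [], "double_reserved": []}

    for n, line in enumerate(lines, start=1):
        m = SOCKET.search(line)
        if m:
            action, sock = m.group(1), int(m.group(2))
            if action == "Reserving":
                if sock in held:
                    # Reserved again without a release in between.
                    report["double_reserved"].append((n, sock))
                held[sock] = n
            else:
                held.pop(sock, None)
            continue

        m = EXHAUSTED.search(line)
        if m:
            tried = m.group(2)
            # The last counter may have been wrapped onto the next line.
            if tried is None and n < len(lines) and lines[n].strip().isdigit():
                tried = lines[n].strip()
            report["exhausted"].append((
                n,
                int(m.group(1)),
                int(tried) if tried is not None else None,
                sorted(held),  # sockets still reserved when the error hit
            ))
            continue

        m = SQL_FAIL.search(line)
        if m:
            # Which section (authorize, accounting, ...) saw the failure.
            report["failed_sections"].append(m.group(1))

    report["held_at_end"] = dict(held)
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE.splitlines())
    for lineno, skipped, tried, still_held in result["exhausted"]:
        print("line %d: no DB handles (skipped=%s, tried=%s), "
              "sockets never released so far: %s"
              % (lineno, skipped, tried, still_held))
    print("sql failed in sections:", result["failed_sections"])
    print("reserved but not released at end:", result["held_at_end"])
```
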


Re: Where does Freeradius get DNS information from?

2003-08-20 Thread Mark Hennessy
Have you checked the configuration of the NAS device that you are using?

You probably have a default profile set in there with particular DNS
servers to be given to all connecting clients.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 20 Aug 2003, Kevin Hanser wrote:

 Date: Wed, 20 Aug 2003 12:27:52 -0400
 From: Kevin Hanser [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Where does Freeradius get DNS information from?

 Hello,

 We are running a freeradius server to authenticate some DSL clients.
 Recently, we became aware that the DSL routers were getting some
 incorrect DNS data sent to them, but I'm not sure where the information
 is coming from.

 We're running freeradius 0.8.1 on RedHat Linux 7.2.  The Radius server
 resides in a DMZ, but somehow the IP addresses that it is giving out to
 the DNS routers are the IP addresses of our internal DNS servers, which
 reside on a different network.  I've looked thru the configuration files
 for the radius server, and I can't find a reference to our internal DNS
 server _anywhere_.  I checked in /etc/resolv.conf, and the only server
 listed there is our primary external DNS server, which is the IP that
 radius should be giving out.

 So what I'm wondering is:  Where is radius getting this DNS server
 information from?  And how can I change it?

 thx!

 k




Re: I need help on this please

2002-11-20 Thread Mark Hennessy
Do you have a line containing:

Auth-Type System

in your users file?

You may want to try changing that to

Auth-Type := System

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 20 Nov 2002, Jamil Buchalla Neto wrote:

 Date: Wed, 20 Nov 2002 12:34:28 -0200
 From: Jamil Buchalla Neto [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: I need help on this please

 I'm new to freeradius and radius at all.

 What do I need to configure to make authentication by sql work?
 When a user logs in I receive this


 rlm_sql (sql): Released sql socket id: 4
   modcall[authorize]: module sql returns ok
 users: Matched DEFAULT at 152
   modcall[authorize]: module files returns ok
 modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type System
 auth: type System
 auth: Failed to validate the user.

 Where do I set the auth type to sql?





Question about radrelay with FreeRadius 0.7

2002-11-19 Thread Mark Hennessy
I have radrelay running on my backup freeradius server, but it seems to
stop collecting and passing entries without warning.  I do see a
detail.work file that appears to contain a single Start record:

(names and numbers slightly altered, no special characters removed)

Thu Oct  3 15:45:29 2002
Acct-Session-Id = 4F003E31
User-Name = foo
NAS-IP-Address = 192.168.1.139
NAS-Port = 41
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Connect-Info = 49333 LAPM/V42BIS
Called-Station-Id = 5551212
Calling-Station-Id = 9145551213
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.20.12
Acct-Delay-Time = 2335515
Client-IP-Address = 192.168.1.139
Stripped-User-Name = foo
Realm = NULL
Timestamp = 1033674329

The timestamp appears to coincide with the time that RADIUS accounting
data stopped getting relayed to my primary freeradius server.  This is the
first record in the detail file after this:

(names and numbers slightly altered, no special characters removed)

Thu Oct  3 15:46:41 2002
Acct-Session-Id = 4F003E34
User-Name = bar
NAS-IP-Address = 192.168.1.139
NAS-Port = 13
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Session-Time = 38
Acct-Authentic = RADIUS
Connect-Info = 52000 LAPM/V42BIS
Acct-Input-Octets = 417
Acct-Output-Octets = 734
Called-Station-Id = 5551212
Calling-Station-Id = 9145551214
Acct-Terminate-Cause = User-Request
LE-Terminate-Detail = User Request - PPP Term Req
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.20.6
Acct-Delay-Time = 2335587
Client-IP-Address = 192.168.1.139
Stripped-User-Name = bar
Realm = NULL
Timestamp = 1033674401

I don't know what would be causing radrelay to stop functioning, it
still appears to be a running process even after it stops handling the
relaying properly.

I'm using FreeBSD 4.5.

--
 Mark P. Hennessy [EMAIL PROTECTED]






Re: Reject Group in mysql

2002-09-25 Thread Mark Hennessy

Out of curiosity, why did you not include an operator?

Possibly op for this item should be :=

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 25 Sep 2002, Alberto Pereira wrote:

 Date: Wed, 25 Sep 2002 16:37:46 -0300
 From: Alberto Pereira [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Reject Group in mysql

 Hi,

 How can I configure a group in mysql to reject the auth package?
 Like on the users file:

 DEFAULT Group = emailonly,  Auth-Type = Reject

 I tried something like:

 mysql> select * from radgroupreply where GroupName = reject;
 +----+-----------+-----------+--------+------+------+
 | id | GroupName | Attribute | Value  | op   | prio |
 +----+-----------+-----------+--------+------+------+
 |  8 | reject    | Auth-Type | Reject | NULL |    0 |
 +----+-----------+-----------+--------+------+------+

 And put the users in this group, but this don't work.

 Someone can help me?

 Thanks,

 Alberto





Re: radrelay crashes when I try to run it

2002-09-19 Thread Mark Hennessy

Unfortunately, I don't see any .work file around.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Thu, 29 Aug 2002, Simon wrote:

 Date: Thu, 29 Aug 2002 00:28:56 +0200
 From: Simon [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: radrelay crashes when I try to run it

 On Wed, Aug 28, 2002 at 11:26:07AM -0400, Mark Hennessy wrote:
  I get a segmentation fault each time I try to restart radrelay.  I was
  able to get it to run initially, but after it died, I would not be able to
  restart it.

 That sounds like it might be hitting some odd accounting record that
 it's having problems handling. Is there a detailfile.work laying
 around in the same directory as the detailfile you're running radrelay
 on? If there is could you try removing the detailfile.work and
 re-running radrelay to see if it crashes? If it does work I'd appreciate
 a copy of the detailfile.work to figure out what in it is making
 radrelay die.

 --
 Simon





Re: Dual Modems

2002-08-27 Thread Mark Hennessy

If I recall correctly...

Add this into the reply attribute/value pair list to be passed to that
individual user:

Port-Limit = x

where x is the number of ports you want that user to be able to use.
Dual-Channel ISDN and two-modem multilink users would want 2 ports.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Tue, 27 Aug 2002, Funk, Michael wrote:

 Date: Tue, 27 Aug 2002 15:42:44 -0400
 From: Funk, Michael [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Dual Modems



 How would someone setup FreeRADIUS to allow a user to have dual modems and
 authenticate correctly?

 Setup a different realm?

 Any examples out there?





Question about interpreting debug output for freeradius

2002-08-21 Thread Mark Hennessy

--
 Mark P. Hennessy [EMAIL PROTECTED]

I am trying to set up authentication through MySQL for freeradius.
I'm unable to get successful authentication, but I'm not sure how to
interpret the debug data returned when watching the debug output.  I was
wondering if someone might be able to see what is missing.

Check Values for the user in question:
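+-----+----------+----------------+---------+------+
| id  | UserName | Attribute      | Value   | op   |
+-----+----------+----------------+---------+------+
| 151 | FOO      | Auth-Type      | Local   | :=   |
| 152 | FOO      | User-Password  | BAR     | ==   |
| 153 | FOO      | Huntgroup-Name | redback | ==   |
+-----+----------+----------------+---------+------+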

Reply Values for the user in question:
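+-----+----------+-------------------+-----------------+------+
| id  | UserName | Attribute         | Value           | op   |
+-----+----------+-------------------+-----------------+------+
| 183 | FOO      | Framed-IP-Address | 192.168.20.52   | ==   |
| 184 | FOO      | Framed-IP-Netmask | 255.255.255.255 | ==   |
+-----+----------+-------------------+-----------------+------+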

When I try to move my authentication from flat users file to mysql, I'm
getting the following output from my freeradius server:

rad_recv: Access-Request packet from host 192.168.1.20:1812, id=188,
length=102
User-Name = FOO
User-Password = snipped
NAS-Identifier = redback.host
NAS-IP-Address = 192.168.1.20
NAS_Real_Port = 671351090
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 117443262
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm NULL for User-Name = FOO
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = FOO
  rlm_realm: Proxying request from user FOO to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
radius_xlat:  'FOO'
sql_set_user:  escaped user -- 'FOO'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'FOO' ORDER BY id'
rlm_sql: Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'FOO' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'FOO' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'FOO' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Pairs do not match [FOO]
rlm_sql: Released sql socket id: 3
  modcall[authorize]: module sql returns notfound
  huntgroups: Matched redback at 64
users: Matched DEFAULT at 36
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
auth: Failed to validate the user.
rad_lowerpair:  Stripped-User-Name now 'FOO'
rad_rmspace_pair:  Stripped-User-Name now 'FOO'
rad_rmspace_pair:  User-Password now 'BAR'
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module suffix returns noop
radius_xlat:  'FOO'
sql_set_user:  escaped user -- 'FOO'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'FOO' ORDER BY id'
rlm_sql: Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'FOO' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'FOO' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'FOO' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Pairs do not match [FOO]
rlm_sql: Released sql socket id: 2
  modcall[authorize]: module sql returns notfound
  huntgroups: Matched redback at 64
users: Matched DEFAULT at 36
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
auth: Failed to validate the user.
Delaying request 13 for 1 seconds
Finished request 13
Going to the next 

Re: Question about interpreting debug output for freeradius (fixed)

2002-08-21 Thread Mark Hennessy

Disregard.  I tried everything without forcing in the quotes and all seems
to work.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 21 Aug 2002, Mark Hennessy wrote:

 Date: Wed, 21 Aug 2002 06:15:10 -0400 (EDT)
 From: Mark Hennessy [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Question about interpreting debug output for freeradius


Basic authentication tables maintenance script for SQL

2002-08-21 Thread Mark Hennessy

I have scraped together a perl script that can be used to create a
perl script for maintaining users in an SQL database.

In case anyone wants to use it for any reason it is located at:

http://www.users.cloud9.net/~mark/FreeRADIUSAuthSQL.pl.txt

--
 Mark P. Hennessy [EMAIL PROTECTED]





Question about rejecting users

2002-08-21 Thread Mark Hennessy

Is there a way to reject any users not explicitly listed in the flat users
file or the sql database?  My defaults are able to match up to any user in
my passwd file and allow access at this moment, and give them an
incomplete reply.

--
 Mark P. Hennessy [EMAIL PROTECTED]






Re: Question about rejecting users

2002-08-21 Thread Mark Hennessy

Nope, the passwords are stored in the UNIX file so that's not an option.
I fixed this by adding the check value Auth-Type := System to each of the
usernames explicitly and removing it from the default entry.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 21 Aug 2002, Shawn O'Shea wrote:

 Date: Wed, 21 Aug 2002 09:37:13 -0400 (EDT)
 From: Shawn O'Shea [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Question about rejecting users

 On Wed, 21 Aug 2002, Mark Hennessy wrote:

  Is there a way to reject any users not explicitly listed in the flat users
  file or the sql database?  My defaults are able to match up to any user in
  my passwd file and allow access at this moment, and give them an
  incomplete reply.

 If you mean /etc/passwd, and you don't want users from there ever to
 authenticate against radius, then just make sure the unix module is not
 in your authenticate {} block of radiusd.conf

 This may not be what you're trying to do though 8-)

 Hope it helps!
 -Shawn

 
  --
   Mark P. Hennessy [EMAIL PROTECTED]
 
 
 
 


 Shawn K. O'Shea
 Sr. Unix Administrator
 DSL.net, Inc.





hints file somehow not processed against users in sql database?

2002-08-21 Thread Mark Hennessy

For some reason, the hints file doesn't seem to get honored when a user
with an entry in the sql database is trying to authenticate on my system.

Here's my hints file:

DEFAULT Suffix = .ppp, Strip-User-Name = Yes
Hint = PPP,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Fall-Through = Yes

DEFAULT Suffix = .roaming, Strip-User-Name = Yes
Hint = PPP,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Fall-Through = Yes

It doesn't seem to be authenticating properly if the realm is specified
either, even though the realm is specified in the realms file.

huntgroups is being honored, so it would appear that preprocess is
being used.

This is debug output from an attempt with the realm name, the debug output
from an attempt with .ppp suffix is the next one below this.

rad_recv: Access-Request packet from host 192.168.1.20:2465, id=96, length=82
User-Name = [EMAIL PROTECTED]
User-Password = snipped
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-IP-Address = 192.168.1.20
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm cloud9.net for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm cloud9.net
rlm_realm: Adding Stripped-User-Name = foo
  rlm_realm: Proxying request from user foo to realm cloud9.net
rlm_realm: Adding Realm = cloud9.net
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
radius_xlat:  '[EMAIL PROTECTED]'
sql_set_user:  escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
rlm_sql: User [EMAIL PROTECTED] not found
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
sql_set_user:  escaped user -- 'DEFAULT'
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: DEFAULT not found
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module sql returns notfound
  huntgroups: Matched local at 50
users: Matched DEFAULT at 19
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
rad_lowerpair:  Stripped-User-Name now 'foo'
rad_rmspace_pair:  Stripped-User-Name now 'foo'
rad_rmspace_pair:  User-Password now 'BAR'
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module suffix returns noop
radius_xlat:  '[EMAIL PROTECTED]'
sql_set_user:  escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql: Reserving sql socket id: 3
rlm_sql: User [EMAIL PROTECTED] not found
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
sql_set_user:  escaped user -- 'DEFAULT'
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT

Re: hints file somehow not processed against users in sql database?

2002-08-21 Thread Mark Hennessy

I fixed this.

I did the following:
 in sql.conf:
I uncommented:

sql_user_name = %{Stripped-User-Name:-%{User-Name:-none}}

and commented out:

sql_user_name = %{User-Name}

causing Stripped-User-Name to be checked as well against the sql database.

In radiusd.conf:
I added
suffix
in the preprocess section right before the hints file is specified so that
a hinted username can be properly stripped if it is also realmed.

username.ppp@domain wouldn't work before.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 21 Aug 2002, Mark Hennessy wrote:

 Date: Wed, 21 Aug 2002 10:20:39 -0400 (EDT)
 From: Mark Hennessy [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: hints file somehow not processed against users in sql database?


Odd thing happening...

2002-08-21 Thread Mark Hennessy

--
 Mark P. Hennessy [EMAIL PROTECTED]

I'm using freeradius 0.7 with mysql

I'm having a problem where for some unknown reason, the user dialing in to
a piece of equipment in the megapop huntgroup is being provided with an IP
address specified in the sql database rather than the one in the default
entry for megapop which has been given the operator to override the IP
address.  It works fine with cistron, the only thing I can see that may
be slightly weird is the fact that the NAS-IP-Address listed in the
debug output is the individual NAS device and not the requestor of the
authentication (the proxy radius).  Any ideas?

Here is a sample user from the sql database:

radcheck:
+-------+----------+-----------+--------+----+
| id    | UserName | Attribute | Value  | op |
+-------+----------+-----------+--------+----+
| 34867 | testauth | Auth-Type | System | := |
+-------+----------+-----------+--------+----+

radreply:
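+-------+----------+-------------------+---------+----+
| id    | UserName | Attribute         | Value   | op |
+-------+----------+-------------------+---------+----+
| 40868 | testauth | Framed-IP-Address | snipped | =  |
| 40869 | testauth | Port-Limit        | 1       | == |
+-------+----------+-------------------+---------+----+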

Here is the users file:

DEFAULT Huntgroup-Name == megapop
    Service-Type = Framed-User,
    Framed-MTU = 1500,
    Framed-IP-Address := 255.255.255.254,
    Framed-IP-Netmask = 255.255.255.255,
    Idle-Timeout = 600,
    Session-Timeout = 28800

DEFAULT Framed-Protocol == PPP, Huntgroup-Name == local
    Service-Type = Framed-User,
    Framed-MTU = 1500,
    Idle-Timeout = 1200,
    Session-Timeout = 129600,
    Framed-Routing = None,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Protocol = PPP,
    Login-IP-Host = snipped,
    Login-Service = Rlogin

DEFAULT Auth-Type := Local, Framed-Protocol == PPP, Huntgroup-Name == redback
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Idle-Timeout = 0

Here is the debug output of the session:

Cleaning up request 67 ID 147 with timestamp 3d63ceef
Waking up in 5 seconds...
rad_recv: Access-Request packet from host megapop ip IN huntgroups, their proxy 
radius:1650, id=66, length=143
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
User-Password = snipped
Called-Station-Id = calledtn
Calling-Station-Id = callingtn
NAS-Port = 109
NAS-Port-Type = Async
Service-Type = Framed-User
NAS-IP-Address = megapop ip NOT in huntgroups, actual NAS device IP
Proxy-State =
0x3d63cef3d87e96ec066d5600fd38fc9e0d91abb4553a6b23eafc4c7a
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm cloud9.net for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm cloud9.net
rlm_realm: Adding Stripped-User-Name = testauth
  rlm_realm: Proxying request from user testauth to realm cloud9.net
rlm_realm: Adding Realm = cloud9.net
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
radius_xlat:  'testauth'
sql_set_user:  escaped user -- 'testauth'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'testauth' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testauth' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'testauth' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'testauth' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
radius_xlat:  'SELECT Value,Attribute FROM radcheck WHERE UserName =
'[EMAIL PROTECTED]' AND ( Attribute = 'User-Password' OR Attribute =
'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 4
rlm_sql_authorize: no rows returned from query (no such user)
  modcall[authorize]: module sql returns ok
  modcall[authorize]: module files returns notfound
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  modcall[authenticate]: module unix returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 66 to megapop radius proxy IP same as above:1650
Framed-IP-Address = snipped, same as the 

Re: Odd thing happening...

2002-08-21 Thread Mark Hennessy

A netmask of 255.255.255.255 isolates a single IP address.

That is the desired result.  The problem is that 255.255.255.254 doesn't
seem to get to the end customer and this only seems to happen with
FreeRADIUS, not cistron.

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Wed, 21 Aug 2002, Nick Davis wrote:

 Date: Wed, 21 Aug 2002 13:49:02 -0500
 From: Nick Davis [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Odd thing happening...

 On Wednesday 21 August 2002 13:26, Mark Hennessy wrote:

 Framed-IP-Address := 255.255.255.254,
 Framed-IP-Netmask = 255.255.255.255,

 How can it work with that netmask? That seems wrong to me. That netmask leaves
 no IP addresses left for use.

 Nick

 Nick Davis
 Associate Systems Administrator
 [EMAIL PROTECTED]
 Internet Exposure, Inc.
 http://www.iexposure.com

 (612)676-1946
 Web Development-Web Marketing-ISP Services




Re: 0.7 FreeBSD port

2002-08-20 Thread Mark Hennessy

Why not just compile it directly from the distribution?  It has autoconf,
and is easy to just ./configure && make && make install

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Tue, 20 Aug 2002, Clever wrote:

 Date: Tue, 20 Aug 2002 11:40:55 -0300
 From: Clever [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: 0.7 FreeBSD port

 Hi,
 Do you know how to install freeradius 0.7 via FreeBSD ports system?
 I have updated the database with cvsup but it only gets version 0.5
 Thanks
 Clever Anjos






Override using DEFAULT

2002-08-20 Thread Mark Hennessy

For the purposes of maintaining as small a users database as possible, I
wanted to know if it was possible for a specific DEFAULT record's reply
attributes to override any conflicting reply attributes of an individual
user entry?

Say I had the following user entries in the following format:

foo
    Framed-Type = User,
    Framed-Address = 192.168.1.17

bar
    Framed-Type = User,
    Framed-Address = 192.168.1.18

Here are the defaults:

DEFAULT Auth-Type := System, Framed-Protocol == PPP, Huntgroup-Name == local
    Service-Type = Framed-User,
    Framed-MTU = 1500,
    Framed-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Framed-Routing = None,
    Idle-Timeout = 1200,
    Session-Timeout = 129600

DEFAULT Auth-Type := System, Framed-Protocol == PPP, Huntgroup-Name == roaming
    Service-Type = Framed-User,
    Framed-MTU = 1500,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Idle-Timeout = 600,
    Session-Timeout = 28800

I would want foo coming in from the roaming huntgroup to lose their
individually defined address and reply using the reply attribute under the
default entry for the roaming huntgroup instead.

--
 Mark P. Hennessy [EMAIL PROTECTED]
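
Added example (not from the original post or the FreeRADIUS code base): a simplified Python model of how users-file reply items are merged, run over the foo and roaming DEFAULT entries above, with operator semantics assumed from the users(5) man page. `Fall-Through = Yes` on foo and `:=` in the DEFAULT are variations the post does not contain; the `local` case, where the DEFAULT is never matched, is like the `module files returns notfound` line in the earlier "Odd thing happening..." debug output.

```python
# Simplified model of users-file processing (illustrative, not FreeRADIUS code).
# Assumed operator semantics, per users(5): '=' add if absent, ':=' replace, '+=' append.

def matches(check, request):
    # '==' items must equal the request; ':=' items set config and always match.
    return all(request.get(a) == v for a, op, v in check if op == "==")

def merge(reply, items):
    for attr, op, val in items:
        if op == ":=":
            reply[attr] = [val]
        elif op == "+=":
            reply.setdefault(attr, []).append(val)
        elif op == "=" and attr not in reply:
            reply[attr] = [val]

def authorize(entries, user, request):
    """Walk entries in file order; stop at the first match without Fall-Through = Yes."""
    reply, matched = {}, []
    for name, check, items in entries:
        if name in (user, "DEFAULT") and matches(check, request):
            matched.append(name)
            merge(reply, items)
            if reply.pop("Fall-Through", ["No"])[-1] != "Yes":
                break
    return reply, matched

def users_file(default_op, fall_through):
    """foo and the roaming DEFAULT from the post; the two arguments are the variations."""
    foo = [("Framed-Type", "=", "User"), ("Framed-Address", "=", "192.168.1.17")]
    if fall_through:
        foo.append(("Fall-Through", "=", "Yes"))
    roaming = [("Service-Type", "=", "Framed-User"),
               ("Framed-Address", default_op, "255.255.255.254"),
               ("Framed-Netmask", "=", "255.255.255.255")]
    checks = [("Auth-Type", ":=", "System"), ("Framed-Protocol", "==", "PPP"),
              ("Huntgroup-Name", "==", "roaming")]
    return [("foo", [], foo), ("DEFAULT", checks, roaming)]

def address_for(huntgroup, default_op, fall_through):
    """Framed-Address that foo would receive, and which entries matched."""
    request = {"Framed-Protocol": "PPP", "Huntgroup-Name": huntgroup}
    reply, matched = authorize(users_file(default_op, fall_through), "foo", request)
    return reply["Framed-Address"][0], matched

if __name__ == "__main__":
    for case in [("roaming", "=", False), ("roaming", "=", True),
                 ("roaming", ":=", True), ("local", ":=", True)]:
        print(case, "->", address_for(*case))
```

In this model the DEFAULT address reaches foo only when both variations are present: the user entry falls through and the DEFAULT uses `:=`.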





A few questions, new to FreeRADIUS

2002-08-19 Thread Mark Hennessy

I'm trying to set up the following NAS devices

NAS Group=redback
1 Redback SMS 500 (with multiple contexts/global RADIUS authentication
   settings for all contexts)
NAS Group=local
1 3Com TotalControl
2 Lucent Portmaster 3's

NAS Group=roaming
and authentication from a remote RADIUS proxy

under the following situation:

Users coming in from the redback NAS Group would get authenticated against
the flat users file with Auth-Type := Local PAP password authentication.

Users coming in from the local NAS Group would use
Auth-Type := UNIX but the username would have to be read from a freeradius
MySQL database for the specifics, such as IP address.  Any users not
specified here would not be permitted to connect at all.

In addition to those users, there would be some custom-defined users with
specific needs that would be put into the flat users file.

Users coming in from the roaming NAS Group would use
Auth-Type := UNIX, and be given a generic reply allowing them to grab a
dynamic IP.  Any users not allowed to dial into roaming numbers would not
be able to authenticate and grab an IP.

I want to do this without using a UNIX group containing either the list of
dialup users or containing the list of non-dialup users.  I would like to
specify the list of legitimate users or non-legitimate users that exist in
the UNIX passwd file so that dialin rights are properly controlled but as
little user-specific data as possible need to be provided (I don't want to
have to specify a full users record for each and every roaming user if
possible for example).

The only way I can think of to do this at the moment is by using UNIX
groups, but I would prefer to use a means of defining and maintaining the
groups internal to freeradius if such a thing is possible.

Any ideas?  Maybe I'm thinking along the wrong lines?

Secondly, is anyone working on a perl module to maintain the contents of
the freeradius authentication tables in a DBMS such as MySQL?

--
 Mark P. Hennessy [EMAIL PROTECTED]







Re: IP Pool questions

2002-08-19 Thread Mark Hennessy

Are you trying to set up a block of IPs to be passed to a subscriber, or
dynamically assign an IP from a pool to a subscriber?

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Mon, 19 Aug 2002, Li Lin wrote:

 Date: Mon, 19 Aug 2002 17:38:10 -0400
 From: Li Lin [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]'
 [EMAIL PROTECTED]
 Cc: Li Lin [EMAIL PROTECTED]
 Subject: IP Pool questions


 Dear Sir/Madam:

 I have a problem to setup IP pool. (The free radius server only assigns one
 IP address)

 Could you please tell me:

 1.whether freeradius-0.3 supports IP pool or not?
 2.any document for IP pool?

 Thanks

 Li Lin






RE: IP Pool questions

2002-08-19 Thread Mark Hennessy

Here's an example user named foo:

foo Auth-Type := System
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Address = 192.168.2.21,
    Framed-Netmask = 255.255.255.252,
    Framed-Route = 192.168.2.20/30 192.168.2.21 1,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Idle-Timeout = 0,
    Framed-MTU = 1500

Note the Framed-Route line.  /30 is equivalent to 255.255.255.252

This is just an example, you could use much larger blocks.

The subscriber would configure their equipment to use the IP address
192.168.2.21.  192.168.2.22 would be an IP usable within their LAN.
Remote gateway could be available in a larger network
specified by a more general netmask for the remote gateway where
appropriate.

Alternately, if you wish, you can do this:

foo Auth-Type := System
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Address = 192.168.2.2,
    Framed-Netmask = 255.255.255.255,
    Framed-Route = 192.168.3.0/28 192.168.2.2 1,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Idle-Timeout = 0,
    Framed-MTU = 1500

Instead of providing a merged LAN IP block, this would provide a
WAN/LAN-style structure, where you could give each dialup device their own
single IP and then forward blocks over those single IPs to their LAN.  In
this example, a /28 (13 usable addresses) is forwarded to this subscriber
for use in their LAN; they would have to have two separate interfaces, a
WAN interface for 192.168.2.2 and a LAN interface where they define one of
the IPs in the 192.168.3.0 block (such as 192.168.3.1).

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Mon, 19 Aug 2002, Li Lin wrote:

 Date: Mon, 19 Aug 2002 17:43:31 -0400
 From: Li Lin [EMAIL PROTECTED]
 To: 'Mark Hennessy' [EMAIL PROTECTED]
 Cc: Li Lin [EMAIL PROTECTED]
 Subject: RE: IP Pool questions

 Hi Mark:

  Yes, I am trying to set up a block of IPs to be passed to a subscriber.

  Thanks

  Li Lin

 -Original Message-
 From: Mark Hennessy [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 19, 2002 5:48 PM
 To: '[EMAIL PROTECTED]'
 Cc: Li Lin
 Subject: Re: IP Pool questions

 Are you trying to set up a block of IPs to be passed to a subscriber, or
 dynamically assign an IP from a pool to a subscriber?

 --
  Mark P. Hennessy
 [EMAIL PROTECTED]

 On Mon, 19 Aug 2002, Li Lin wrote:

  Date: Mon, 19 Aug 2002 17:38:10 -0400
  From: Li Lin [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  To: '[EMAIL PROTECTED]'
  [EMAIL PROTECTED]
  Cc: Li Lin [EMAIL PROTECTED]
  Subject: IP Pool questions
 
 
  Dear Sir/Madam:
 
  I have a problem to setup IP pool. (The free radius server only assigns
 one
  IP address)
 
  Could you please tell me:
 
  1.  whether freeradius-0.3 supports IP pool or not?
  2.  any document for IP pool?
 
  Thanks
 
  Li Lin
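
Added example (not part of the original post): a Python check of the two layouts described in the reply above, parsing Framed-Route as `prefix/len gateway metric` and comparing it with Framed-Address and Framed-Netmask. The `check_entry` helper, its result keys and the third, inconsistent sample are constructed for illustration.

```python
import ipaddress

def parse_framed_route(value):
    """Parse 'prefix/len gateway metric', the Framed-Route form used in the post."""
    prefix, gateway, metric = value.split()
    # strict=True rejects a prefix with host bits set, e.g. 192.168.2.21/30
    return (ipaddress.ip_network(prefix, strict=True),
            ipaddress.ip_address(gateway), int(metric))

def check_entry(framed_address, framed_netmask, framed_route):
    """Return layout, dotted netmask of the route, LAN hosts, and any inconsistencies."""
    try:
        net, gateway, _metric = parse_framed_route(framed_route)
    except ValueError as exc:
        return {"layout": None, "problems": [f"bad Framed-Route: {exc}"]}
    iface = ipaddress.ip_interface(f"{framed_address}/{framed_netmask}")
    problems = []
    if gateway != iface.ip:
        problems.append("route gateway differs from Framed-Address")
    merged = iface.ip in net          # dial-up address lives inside the routed block
    if merged and iface.network != net:
        problems.append("Framed-Netmask does not match the routed prefix")
    return {"layout": "merged" if merged else "wan-lan",
            "route_netmask": str(net.netmask),
            "lan_hosts": [str(h) for h in net.hosts() if h != iface.ip],
            "problems": problems}

# The two entries from the post, plus one constructed inconsistent entry.
SAMPLES = {
    "merged /30": ("192.168.2.21", "255.255.255.252", "192.168.2.20/30 192.168.2.21 1"),
    "wan-lan /28": ("192.168.2.2", "255.255.255.255", "192.168.3.0/28 192.168.2.2 1"),
    "constructed bad": ("192.168.2.21", "255.255.255.255", "192.168.2.20/30 192.168.2.22 1"),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(name, check_entry(*args))
```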
 


