debug in daemon mode...

2002-06-13 Thread Michael Klatsky

All-

I am currently using freeradius .05 on Solaris 8. My question is:

How does one run radiusd in daemon mode and send all debug output to
the log file?

I have not been able to get this working yet. I can get it to start in
daemon mode by issuing 'radiusd', and I can get it to run in debug mode-
but only to stdout.

Is there a command line way to do the above, something along the lines
of 'radiusd --daemon --debug' ?

Thanks in advance- hopefully I'm just missing something very simple
here.




-- 


Sincerely,

Michael Klatsky
Senior Unix Administrator
Connecticut Telephone
1 Talcott Plaza
Hartford, CT 06103
1-860-240-6496 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Compiling errors

2002-05-17 Thread Michael Klatsky

What did you use for configure options? I've compiled on the same
platform successfully. I use ldap and mysql (for accounting), so my
configure options were:

#!/bin/sh
#
./configure  --enable-ldap=yes --enable-mysql=yes








On Fri, 2002-05-17 at 22:36, Russell Premont wrote:
> I have just downloaded FreeRadius 0.5. and am trying to compile it on
> Solaris 8 for Sparc. I can run the configure command but when I run make I
> get the following errors
> 
> gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../../include  -c rlm_eap.c -o rlm_eap.o
> In file included from rlm_eap.c:25:
> eap.h:9: ltdl.h: No such file or directory
> In file included from eap.h:17,
>  from rlm_eap.c:25:
> /usr/include/netinet/in.h:271: warning: `INADDR_ANY' redefined
> ../../include/missing.h:73: warning: this is the location of the previous definition
> /usr/include/netinet/in.h:272: warning: `INADDR_LOOPBACK' redefined
> ../../include/missing.h:77: warning: this is the location of the previous definition
> make[6]: *** [rlm_eap.o] Error 1
> make[6]: Leaving directory `/export/home/russell/freeradius-0.5/src/modules/rlm_eap'
> make[5]: *** [common] Error 1
> make[5]: Leaving directory `/export/home/russell/freeradius-0.5/src/modules'
> make[4]: *** [all] Error 2
> make[4]: Leaving directory `/export/home/russell/freeradius-0.5/src/modules'
> make[3]: *** [common] Error 1
> make[3]: Leaving directory `/export/home/russell/freeradius-0.5/src'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/export/home/russell/freeradius-0.5/src'
> make[1]: *** [common] Error 1
> make[1]: Leaving directory `/export/home/russell/freeradius-0.5'
> make: *** [all] Error 2
> 
> Could someone please tell me what the problem might be.
> 
> Thanks
> 
> 






Re: Another post re:access

2002-05-13 Thread Michael Klatsky

Kostas-

Thanks for your response. Now, what to do with the groupname items? If I
comment them out, I end up with:


rlm_ldap: performing search in o=CTTEL,c=US, with filter (uid=gozilla)
rlm_ldap: checking if remote access for gozilla is allowed by radiusClass
rlm_ldap: checking user membership in dialup-enabling group radiusClass=AnalogUser
radius_xlat:  'radiusClass=AnalogUser'
radius_xlat:  '(uid=gozilla)'
rlm_ldap: performing search in radiusClass=AnalogUser, with filter (uid=gozilla)
rlm_ldap: ldap_search() failed: No such object


My goal is- if (obviously) username and password match, then see if the
user is an AnalogUser (radiusClass=AnalogUser). If so- then allow them
access.

Should I make my filter be (&(uid=%u)(radiusClass=AnalogUser))?

Thanks again...

Michael


On Mon, 2002-05-13 at 14:17, Kostas Kalevras wrote:
> On 13 May 2002, Michael Klatsky wrote:
> 
> > I thought I would place a general post regarding the Access packets...
> >
> > While I successfully authenticate, I cannot seem to formulate a working
> > packet which authenticates AND authorizes. With 3 1/2 years of working
> > with 2 other (commercial) radius servers, I thought I would have gotten
> > this by now.:(
> >
> > Below is the response from my test:
> >
> > rad# radclient -f test.auth localhost auth x
> > Received response ID 90, code 3, length = 20
> >
> >
> > Here is my test.auth:
> >
> > User-Name = gozilla
> > User-Password = x
> > Nas-IP-Address = 127.0.0.1
> > Nas-Port-ID = 0
> > Service-Type = Framed-User
> > Class = AnalogUser
> >
> > And here are some log entries:
> >
> > rlm_ldap: checking if remote access for gozilla is allowed by radiusClass
> > rlm_ldap: checking user membership in dialup-enabling group ou=People,o=CTTEL,c=US
> > radius_xlat:  'ou=People,o=CTTEL,c=US'
> > radius_xlat:  ''(&(uid=gozilla)(o=cttel.net))''
> > rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter '(&(uid=gozilla)(o=cttel.net))'
> > rlm_ldap: object not found or got ambiguous search result
> > ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns userlock
> > modcall: group authorize returns userlock
> > Invalid user (rlm_ldap: User is not an access group member): [gozilla/xx] (from nas local port 0)
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > Thread 1 waiting to be assigned a request
> > rad_recv: Access-Request packet from host 127.0.0.1:33879, id=90, length=74
> > Sending duplicate authentication reply to client localhost:33879 - ID: 90
> > Sending Access-Reject of id 90 to 127.0.0.1:33879
> >
> > The result of an ldapsearch as below returns what is expected.
> >
> > ldapsearch -x -v -hloon.cttel.net -bou=People,o=CTTEL,c=US '(&(uid=gozilla)(o=cttel.net))'
> >
> > I am running my ldap server in debug mode, and am seeing a failed
> > inquiry, using exactly the information above- so I am wondering whether
> > there is a bug, or a fundamental misunderstanding in how to either
> > configure this portion of a freeradius server.
> >
> >
> >
> > If more info is needed - please let me know. Thanks again as I'm sure I
> > am not unique in hoping to document step by step the process of setting
> > up and testing the freeradius server. It IS a very nice piece of
> > software.
> >
> >
> >
> >
> 
> 
> You are using group membership access without having defined a group. The way
> you have configured it the ldap module will try to find if user godzilla is a
> member of the group ou=People,o=CTTEL,c=US. In your case though
> ou=People,o=CTTEL,c=US is just the base for your ldap search and not an ldap
> group. So you should either use a valid group or disable the access_group
> configuration directive (just comment it out).
> The comment in doc/rlm_ldap:
> 'means all users located in the LDAP tree under specified "basedn"'
> 
> applies for the default access_group (NULL).
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]   National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf
> 
> 
> 



Another post re:access

2002-05-13 Thread Michael Klatsky

I thought I would place a general post regarding the Access packets...

While I successfully authenticate, I cannot seem to formulate a working
packet which authenticates AND authorizes. With 3 1/2 years of working
with 2 other (commercial) radius servers, I thought I would have gotten
this by now.:(

Below is the response from my test:

rad# radclient -f test.auth localhost auth x
Received response ID 90, code 3, length = 20


Here is my test.auth:

User-Name = gozilla
User-Password = x
Nas-IP-Address = 127.0.0.1
Nas-Port-ID = 0
Service-Type = Framed-User
Class = AnalogUser

And here are some log entries:

rlm_ldap: checking if remote access for gozilla is allowed by radiusClass
rlm_ldap: checking user membership in dialup-enabling group ou=People,o=CTTEL,c=US
radius_xlat:  'ou=People,o=CTTEL,c=US'
radius_xlat:  ''(&(uid=gozilla)(o=cttel.net))''
rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter '(&(uid=gozilla)(o=cttel.net))'
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock
modcall: group authorize returns userlock
Invalid user (rlm_ldap: User is not an access group member): [gozilla/xx] (from nas local port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:33879, id=90, length=74
Sending duplicate authentication reply to client localhost:33879 - ID: 90
Sending Access-Reject of id 90 to 127.0.0.1:33879

The result of an ldapsearch as below returns what is expected.

ldapsearch -x -v -hloon.cttel.net -bou=People,o=CTTEL,c=US '(&(uid=gozilla)(o=cttel.net))'

I am running my ldap server in debug mode, and am seeing a failed
inquiry, using exactly the information above- so I am wondering whether
there is a bug, or a fundamental misunderstanding in how to either
configure this portion of a freeradius server.



If more info is needed - please let me know. Thanks again as I'm sure I
am not unique in hoping to document step by step the process of setting
up and testing the freeradius server. It IS a very nice piece of
software.







Authentication ok, now access...

2002-05-13 Thread Michael Klatsky

With the kind help of Alan DeKok last week, I was able to configure the
sending of properly formed accounting packets to my freeradius server,
which successfully logged to mysql.

And I can successfully authenticate a testuser.

However, I am now having difficulty in the access stage. All of my users
reside in ldap. They have an attribute radiusClass, which if set to
"AnalogUser" should allow them access. I have the following lines in
radiusd.conf:

access_group = "ou=People,o=CTTEL,c=US"
access_attr = radiusClass

I can search successfully by doing an ldapsearch at the commandline for
either the user, the radiusclass, or both.

However, I am unsuccessful with radius. A log excerpt is below:
rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter (uid=gozilla)
rlm_ldap: checking if remote access for gozilla is allowed by radiusClass
rlm_ldap: checking user membership in dialup-enabling group ou=People,o=CTTEL,c=US
radius_xlat:  'ou=People,o=CTTEL,c=US'
radius_xlat:  'radiusClass'
rlm_ldap: performing search in ou=People,o=CTTEL,c=US, with filter radiusClass
rlm_ldap: ldap_search() failed: Bad search filter

I might just be way off track right now...

Thanks in advance for any help.




Re: MySql accounting help

2002-05-10 Thread Michael Klatsky

Alan-

Excellent- thanks for this information. I now am able to send/test
accounting packets. Rudimentary right now- but I'll be working it this
weekend.

Here is the result of a test packet:

Sending Accounting-Request of id 140 to 127.0.0.1:1813
User-Name = "testuser"
User-Password = ""
NAS-IP-Address = 127.0.0.1
NAS-Port-Id = "0"
Service-Type = Framed-User
Acct-Status-Type = Start
Acct-Session-Time = 24600
Acct-Session-Id = "12345"
Acct-Authentic = Local
rad_recv: Accounting-Response packet from host 127.0.0.1:1813, id=140, length=20

Here is how I changed my test file:
User-Name = testuser
User-Password = 
Nas-IP-Address = 127.0.0.1
Nas-Port-ID = 0
Service-Type = Framed-User
Acct-Status-Type = Start
Acct-Session-Time = 024600
Acct-Session-Id = 12345
Acct-Authentic = Local

And here is my command line:

radclient -x -f test localhost acct 

Of course, additional attributes can be added.

M










On Fri, 2002-05-10 at 14:27, Alan DeKok wrote:
> Michael Klatsky <[EMAIL PROTECTED]> wrote:
> > This is the output of radclient. Below is the command line I used, along
> > with the test file contents.
> > 
> > radclient -f test -x localhost acct 
> > 
> > test:
> > 
> > User-Name = testuser
> > User-Password = 
> > Acct-Status-Type = Start
> 
>   You need Acct-Session-Id, too.
> 
>   See the RFC's for a list of attributes you need in an accounting
> packet.  A good starting point is:
> 
>http://freeradius.org/rfc/attributes.html
> 
>   Alan DeKok.
> 
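As an added example (not code from this thread or from FreeRADIUS itself), here is what the radclient accounting test above amounts to on the wire under RFC 2866: it parses a radclient-style attribute file, refuses to build a packet that lacks the Acct-Status-Type and Acct-Session-Id attributes the replies ask for, computes the Request Authenticator, and verifies the Response Authenticator the way a client must before trusting an Accounting-Response. The attribute file, the shared secret and the packet id are constructed values.

```python
import hashlib, hmac, struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
# RFC 2865/2866 attribute numbers for the attributes used in the thread's test file
ATTR_CODES = {"User-Name": 1, "NAS-IP-Address": 4, "Acct-Status-Type": 40,
              "Acct-Session-Id": 44, "Acct-Authentic": 45, "Acct-Session-Time": 46}
INTEGER_ATTRS = {"Acct-Status-Type", "Acct-Authentic", "Acct-Session-Time"}
ENUMS = {"Start": 1, "Stop": 2, "RADIUS": 1, "Local": 2}
REQUIRED = ("Acct-Status-Type", "Acct-Session-Id")  # without these rlm_sql logs nothing

def parse_attr_file(text):
    """Parse radclient-style 'Name = value' lines; names are matched case-insensitively."""
    canon = {k.lower(): k for k in ATTR_CODES}
    avps = []
    for line in filter(None, text.splitlines()):
        name, _, value = (part.strip() for part in line.partition("="))
        avps.append((canon[name.lower()], value.strip('"')))  # KeyError on unknown attribute
    return avps

def missing_required(avps):
    return [r for r in REQUIRED if r not in {name for name, _ in avps}]

def encode_avp(name, value):
    if name == "NAS-IP-Address":
        data = bytes(int(octet) for octet in value.split("."))
    elif name in INTEGER_ATTRS:  # integers and enums are 4-byte big-endian
        data = struct.pack("!I", ENUMS[value] if value in ENUMS else int(value))
    else:
        data = value.encode()
    return bytes([ATTR_CODES[name], 2 + len(data)]) + data  # Type, Length, Value

def build_acct_request(avps, secret, ident):
    """Accounting-Request; Request Authenticator = MD5(header|16 zero bytes|attrs|secret)."""
    if missing_required(avps):
        raise ValueError(f"accounting packet lacks {missing_required(avps)}")
    attrs = b"".join(encode_avp(n, v) for n, v in avps)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def build_acct_response(request, secret):
    # Server side: 20-byte Accounting-Response bound to the request's authenticator
    head = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def response_is_authentic(response, request, secret):
    # Client side: same id and a Response Authenticator that verifies under the shared secret
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

# Constructed sample mirroring the thread's test file (accounting packets carry no password)
SAMPLE_FILE = ("User-Name = testuser\nNAS-IP-Address = 127.0.0.1\nAcct-Status-Type = Start\n"
               "Acct-Session-Time = 024600\nAcct-Session-Id = 12345\nAcct-Authentic = Local\n")
```

A response whose authenticator does not verify under the shared secret, or whose id does not match an outstanding request, is the case a client has to drop rather than log.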



Re: MySql accounting help

2002-05-10 Thread Michael Klatsky

Yes- that's what this output is from. I am not at the point where I am
going to receive packets from a NAS yet.

This is the output of radclient. Below is the command line I used, along
with the test file contents.

radclient -f test -x localhost acct 

test:

User-Name = testuser
User-Password = 
Acct-Status-Type = Start


Thanks again.



M



On Fri, 2002-05-10 at 14:19, Alan DeKok wrote:
> Michael Klatsky <[EMAIL PROTECTED]> wrote:
> > So my question is- how can I test accounting? It doesn't appear to be
> > sending the info to mysql database, as this log entry shows:
> > ...
> > radius_xlat:  'rlm_sql:  packet has no account status type.  [user 'testuser', nas '255.255.255.255']'
> 
>   Step one would be convincing your NAS to send RFC compliant
> accounting packets.
> 
>   You can test it yourself via 'radclient', which comes with the
> server.
> 
>   Alan DeKok.
> 



MySql accounting help

2002-05-10 Thread Michael Klatsky

Good afternoon-

I have just configured freeradius .5, using ldap auth. That part works
just fine.

However, I wish to use mysql for accounting only. Upon startup, the log
shows a successful connection to the mysql server/database:
rlm_sql: Driver rlm_sql_mysql loaded and linked
rlm_sql: Attempting to connect to root@localhost:/radius
rlm_sql:  Connected new DB handle, #0
rlm_sql:  Connected new DB handle, #1
rlm_sql:  Connected new DB handle, #2
rlm_sql:  Connected new DB handle, #3
rlm_sql:  Connected new DB handle, #4
Module: Instantiated sql (sql)

So my question is- how can I test accounting? It doesn't appear to be
sending the info to mysql database, as this log entry shows:

  modcall[accounting]: module "detail" returns ok
Accounting: no Accounting-Status-Type record.
  modcall[accounting]: module "unix" returns noop
radius_xlat:  'rlm_sql:  packet has no account status type.  [user 'testuser', nas '255.255.255.255']'


Thanks in advance for any help.





Re: Freeradius 0.5 with mysql...

2002-05-10 Thread Michael Klatsky

Lin-

I believe adding /usr/lib/mysql into your /etc/ld.so.conf file and
rerunning ldconfig will do it.

Michael



On Fri, 2002-05-10 at 03:37, Houcheng wrote:
> Dear all Freeradius users:
> 
> I've installed freeradius 0.5 and mysql database on my linux, 
> and both run well. Now I try to log the accounting information into mysql database, 
> so I modify the "sql.conf" and change the driver to "rlm_sql_mysql".
> 
> When I start the radiusd, it fails with the following error message:
> 
> root@bmw>/usr/local/sbin/radiusd -x
> Starting - reading configuration files ...
> Module: Loaded preprocess 
> Module: Instantiated preprocess (preprocess) 
> Module: Loaded realm 
> Module: Instantiated realm (suffix) 
> Module: Loaded files 
> Module: Instantiated files (files) 
> Module: Loaded detail 
> Module: Instantiated detail (detail) 
> Module: Loaded radutmp 
> Module: Instantiated radutmp (radutmp) 
> Module: Loaded SQL 
> rlm_sql: Could not link driver rlm_sql_mysql: file not found
> rlm_sql: Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
> radiusd.conf[4]: sql: Module instantiation failed. 
> root@bmw>
> 
> I can assure that the rlm_sql_mysql.a and rlm_sql_mysql.la is installed into 
> the modules lib directory, and mysql lib is installed at /usr/lib/mysql. 
> Is there anything I miss ? 
> 
>Thanks in advance!
>Lin Houcheng
>  


