running from daemontools
Hey All,

Running FreeRadius 0.9.3 w/ MySQL from daemontools and I get these strange messages on my radius log :

    Error: Discarding new request from client xyz:1027 - ID: 73 due to live request 0

Doesn't seem to cause any problems, radius clients still work fine - but I'm not quite sure why this is happening and would like to know (in case things start to get whacky later down the line).

linux redhat 9
freeradius 0.9.3
mysql 4.0.16 standard
daemontools (0.8x i think)

run file:

    #!/bin/sh
    exec /usr/local/sbin/radiusd -f

I'm running Freeradius on a Solaris box w/o mysql and I've never seen this message before (totally different nas setup as well)

Any thoughts/suggestions?

Thanks,
Rob Genovesi
[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL Help!
oh boy, I remember kicking this around for ever as well ...

My solution was to 1) be sure you have development rpms installed and 2) do not use --disable-shared when running configure. I don't know exactly why this changed things, but compiling with shared libraries it was able to find and use all the necessary mysql libs and includes.

I installed the following MySQL rpms (Redhat) :

    MySQL-devel-4.0.16-0
    MySQL-shared-compat-4.0.16-0
    MySQL-client-4.0.16-0
    MySQL-server-4.0.16-0

-rob

At 04:23 PM 12/12/2003 -0500, you wrote:

To all,

I have spent over 16 hours working this issue now and am completely out of ideas. I have tried RPM Installations of multiple versions of MySQL, including 3.23.58 and 4.0.16. I am still getting the error message:

    rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
    rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
    radiusd.conf[4]: sql: Module instantiation failed.

I have checked and verified the LD_LIBRARY_PATH variable, I have updated ld.so.conf as well. I've tried multiple configuration options, including disable-shared. Something isn't adding up. Any suggestions would be most appreciated.

Thanks and have a good weekend.

Chris DeRamus
OCIO VPN Administrator
SAIC

-Original Message-
From: Deramus, Chris
Sent: Friday, December 12, 2003 2:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

I have checked the FreeRADIUS FAQ and followed the instructions. My ld.so.conf file has been setup correctly and is pointing the respective library dependencies and it still is giving me the same error. I have also attempted ./configure --disable-shared and still no go. I know I do not need mysql-shared, I am honestly stumped. Sorry to keep this thread going, I just can't seem to find much documentation on any extra steps required when running this new distro of RedHat.

Thanks,
Chris DeRamus

-Original Message-
From: NetNITCO Systems Administration [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 11, 2003 5:26 PM
To: [EMAIL PROTECTED]
Subject: Re: RedHat Enterprise 2.1, FreeRadius 0.9.3 with MySQL

On Thu, 2003-12-11 at 16:00, Deramus, Chris wrote:

To all -- I recently upgraded my development RADIUS box which was running RedHat 8.0 to RedHat Enterprise Linux 2.1 ES. This was a fresh install which included all Mysql related packages contained on the CD's. It was noted that the Enterprise installation did not contain a Mysql-devel package, I am assuming it is now bundled in with one of the other rpm's. I tested SQL queries from both web applications and command line and everything seemed to be a go so I then configured freeradius.

I believe you are mistaken. The current MySQL development package for RHEL ES 2.1 is mysql-devel-3.23.58-1.72. You can grab the package from the RHEL installation media, or, you can download the SRPM from a Red Hat mirror and rebuild the package:

    ftp://redhat.netnitco.net/pub/mirrors/redhat/updates/enterprise/2.1ES/en/os/SRPMS/mysql-3.23.58-1.72.src.rpm

    rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
    rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
    radiusd.conf[4]: sql: Module instantiation failed.

You'll get this until you compile FreeRADIUS with the MySQL development libraries installed.
Re: SQL falls through to users file
Do you need the users file at all? If not comment out the files entry.

-Rob

At 01:06 PM 12/11/2003 -0500, you wrote:

I have some basic SQL functionality working, but I discovered that if the SQL module returns ok, FreeRadius still falls through to the users file. Is there any way to prevent this? I even tried to set Fall-Through := 0 in the SQL. That did not help.

Here's a snippet from my radiusd.conf:

    authorize {
        preprocess
        chap
        suffix
        sql
        files
        mschap
    }

The included sql.conf is the standard mysql.conf with just the db, host, user and password changed.

Here's my sql data:

    mysql> select * from radcheck;
    +----+----------+---------------+----+-------+
    | id | UserName | Attribute     | op | Value |
    +----+----------+---------------+----+-------+
    |  1 | fred     | User-Password | == | fred  |
    +----+----------+---------------+----+-------+
    1 row in set (0.00 sec)

    mysql> select * from radreply;
    +----+----------+--------------+----+-------+
    | id | UserName | Attribute    | op | Value |
    +----+----------+--------------+----+-------+
    |  2 |          | Fall-Through | := | 0     |
    +----+----------+--------------+----+-------+
    1 row in set (0.00 sec)

    mysql> select * from usergroup;
    +----+----------+-----------+
    | id | UserName | GroupName |
    +----+----------+-----------+
    |  1 | XX       | Inside    |
    |  2 | YY       | Inside    |
    |  3 | ZZ       | Inside    |
    |  4 | fred     | Outside   |
    +----+----------+-----------+
    4 rows in set (0.00 sec)

The rest of the tables are empty. I was trying to login as fred with passwd fred.

If I comment out the whole users file, it works, but I want some DEFAULT entries for special purposes and I don't see how one can put them in an SQL database and control the order that they are applied.

I also tried:

1) Set Auth-Type := Accept in SQL and have this in users:

    DEFAULT Auth-Type != Accept, ... other stuff ...
        ... replies ...

   This will always apply my DEFAULT.

2) Set Auth-Type := Accept in SQL and have this in users:

    DEFAULT Auth-Type == Accept
    DEFAULT ... other stuff ...
        ... replies ...

   This is always accepted, even with bogus users.

Any clues? Is there something I can put in the radius.conf like:

    authorize {
        preprocess
        chap
        suffix
        sql
        if (!ok) {
            files
            mschap
        }
    }

--
Gary Algier, WB2FWZ
gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054
Fax:+1 856 866 2033
Re: What is a good wireless solution for a small restaurant.
Use this page as a cheatsheet of sorts : http://www.airpath.com/Products/wiboss_lite/compat.htm

Airpath is a back-end provider for hotspot services, so they list a bunch of compliant devices to use with their service. This means that these devices have valid radius clients, and therefore should play nicely with FreeRadius.

cheap and easy side: check out the D-Link DL-3800. minimal features, easy to set-up. requires separate wireless AP.

cheap, yet full featured - harder to config if you aren't technical: check out Mikrotik Router OS.

Hope this helps.

-Rob

PS: nice tag line, very apropos for people in our business...

At 03:49 PM 12/11/2003 -0700, you wrote:

Since many of the people on this list talk about wireless systems, I thought I could ask for some assistance.

I have a customer with a chain of small restaurants, that want to provide wireless connections for his customers. I am looking for an inexpensive secure solution. I have heard people talking about 'walled gardens', and that may be the way to go. I have been asked about the d-link and linksys wireless routers, but have no experience with them. To date I have only had experience with long haul wireless, campus wireless and wired solutions.

I don't have a firm direction from the customer yet, but there will be dozens of restaurants that will need to be hooked up. I am guessing that I could somehow use FreeRadius to provide centralized access controls. One of the prerequisites will likely be that there are NO moving parts {ie. no hard drives} on any of the devices and low power consumption {no large servers or monitors} in the restaurants. If required, the traffic could be backhauled to a centralized location over vpn's.

I would appreciate any suggestions.

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787

There is a fine line between genius and lunacy, fear not, walk the line with pride. Not all things will end up as you wanted, but you will certainly discover things the meek and timid will miss out on.
Re: How to implement walled garden with freeRadius?
Check out Mikrotik (www.mikrotik.com) -- a linux-based router with Hotspot functionality. I am using it to do this exact sort of thing. Mikrotik has a built-in radius client and it works flawlessly (so far) with FreeRadius on the backend. Users are redirected to a sign-in page and once they sign in firewall rules are updated to allow them access beyond the gateway.

-rob

At 10:46 AM 12/11/2003 +1100, you wrote:

I am climbing a learning curve at the moment, and intend to provide this sort of functionality. I am looking at setting up a regional wireless ISP. I am planning on allowing everyone to associate with the wireless APs. When they open up a web browser and try to hit a page, I am going to use squid to redirect them to this walled garden page that provides limited free content and instructions on how to subscribe to our services. Paid subscribers will then be able to login and access the internet.

I think there may be a few ways to achieve this, but I have been testing it using PPPoe and a RADIUS server (freeradius). When they login, a PPP tunnel will be created and routed correctly to the internet (with relevant access controls setup through squid).

If anyone else has any ideas in respect to this sort of setup, I would welcome suggestions!

Any recommendation on implementing walled garden with freeRadius and cisco 1100 APs. The walled garden allows wireless user to access some pre-defined websites even BEFORE they login. Has anyone done this before?

The idea is to allow user visit our sign-up website and download the certificate (generated with OpenSSL). After the user has installed the certificate, freeRadius will authenticate the user with EAP-TLS and the user can access any websites after that.

Is there any other free software that supports the walled garden? Any suggestions or URL refs are appreciated.

Richard
Re: simple setup using users file
The username 00022d-8152d8 is in your users file? You can see it is matching the DEFAULT entry at line 153 (users: Matched DEFAULT at 153) , but it does not seem to find this specific username in the users file.

Other recommendation would be to check the lower_user option in radiusd.conf. Freeradius has a few options for matching case sensitivity in usernames (and passwords).

-Rob

At 03:11 PM 11/24/2003 -0800, you wrote:

Rob,

Thanks. I double checked. The comma is there. Sorry 'bout that. I really have no clue what is going on here. The message indicates no password is present in the request, yet in the debug log it is shown. Here is a snippet of the log:

    Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
    Ready to process requests.
    rad_recv: Access-Request packet from host XX.XXX.XXX.XXX:33631, id=139, length=65
        User-Name = 00022d-8152d8
        User-Password = blbb
        NAS-IP-Address = 192.168.0.200
        NAS-Port = 0
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module eap returns noop for request 0
    rlm_realm: No '@' in User-Name = 00022d-8152d8, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    users: Matched DEFAULT at 153
    modcall[authorize]: module files returns ok for request 0
    modcall[authorize]: module mschap returns noop for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No password configured for the user
    auth: Failed to validate the user.

Any ideas??

Bill
reject auth after exec
Hi All,

I've been searching for an answer to this and haven't found one yet - can someone please help me out?

FreeRadius 0.9.2 - what's the proper way to reject a user after doing an exec?

For example defining in radiusd.conf :

    modules {
        [stuff]
        exec getstatus {
            wait = yes
            program = "/path/program %{User-Name}"
            input_pairs = request
            output_pairs = reply
        }
    }
    ...
    authorize {
        [stuff]
        getstatus
    }

What should the getstatus exec return to reject the user if custom checks determine the user should not be allowed on?

Many thanks,
Rob Genovesi
[EMAIL PROTECTED]
Re: reject auth after exec
I tried this one earlier. Non-zero exit code seems to return an Exec module failed message and then does not seem a valid response to the Radius client.

    Exec-Program: returned: 255
    rlm_exec (getstatus): External script failed

In this case getstatus was a simple shell script that did nothing but exit 255.

I would prefer to exit with a valid radius response including a Reply-Message.

Thanks,
-Rob

At 12:34 PM 11/20/2003 -0600, you wrote:

At 12:28 PM 11/20/2003, Rob Genovesi wrote:

Hi All, I've been searching for an answer to this and haven't found one yet - can someone please help me out? FreeRadius 0.9.2 - what's the proper way to reject a user after doing an exec?

snip

What should the getstatus exec return to reject the user if custom checks determine the user should not be allowed on?

I believe a non-zero exit value of the exec'ed program will trigger a reject.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc.
WX *is* Wireless!
http://www.starnetwx.net
(847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: reject auth after exec
Have you tried having the program print 'Auth-Type := Reject' to stdout?

Ok - I think I'm starting to catch on : Auth-Type appears to be a config item. Reply-Message is a reply item. Exec calls must exit 0 , anything else indicates an execution error (not an auth error).

Changing the output_pairs to config allows me to reject the request, but does not allow me to send a custom Reply-Message.

Now I've got (radiusd.conf):

    modules {
        [stuff]
        exec getstatus {
            wait = yes
            program = "/path/program %{User-Name}"
            input_pairs = request
            output_pairs = config
        }
    }

And my program simply does this:

    #!/usr/bin/perl
    my $user = $ARGV[0];
    if ($user eq 'test') {
        # fail
        print "Auth-Type := Reject, Reply-Message = \"Test is not allowed\"\n";
    }
    exit 0;

This works as it should, except for the obvious point that the custom Reply-Message is ignored (since it is not a config item).

Now I suppose I can do a second exec with output_pairs set to reply and output a custom message. Either that or do as Thor did and patch the source.

Thanks,
Rob
Re: accounting
This is close to what I'm playing with ...

IN radiusd.conf :

    modules {
        exec session_lookup {
            wait = yes
            program = "/your/program %{User-Name}"
            input_pairs = request
            output_pairs = reply
        }
    }

    authorize {
        session_lookup
    }

Next you just need to write a program (/your/program) that accepts the username via STDIN , does your look up and prints the Pairs to STDOUT.

Example of /your/program :

    #!/usr/bin/perl
    my $username = $ARGV[0];
    # [sql query here] -- sets $X and $Y
    print "Session-Timeout = $X, Idle-Timeout = $Y\n";
    exit 0;

At 12:12 PM 11/20/2003 -0800, you wrote:

Hello!

How will I make use of the 'session-timeout' attribute (No- 27) in freeradius. Every time I get a login request, I want to query this value associated with that particular user from a sql db and send it back with the request. Would this require additional coding. Also, can the Idle-timeout attribute be set?

Appreciate any help.

Cheers!
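
The exec-program contract worked out in the "reject auth after exec" and "accounting" messages above (pairs on stdout, exit 0, `Auth-Type := Reject` through a `config` instance, timeouts through a `reply` instance), as an added example that is not code from the thread or from FreeRADIUS. It fills in the "[sql query here]" step with a bound-parameter lookup, since the User-Name arrives from the network; the `user_status` table and its columns, the SQLite stand-in for MySQL, the leading mode argument and all function names are assumptions.

```python
#!/usr/bin/env python3
import re
import sqlite3
import sys

# Constructed sample rows: (username, blocked, session_timeout, idle_timeout).
SAMPLE_ROWS = [("fred", 0, 3600, 600), ("test", 1, 900, 120)]
# Allow-list for the User-Name value, which arrives from the network.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def open_db():
    """In-memory SQLite stand-in for the MySQL database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_status (username TEXT PRIMARY KEY, "
               "blocked INTEGER, session_timeout INTEGER, idle_timeout INTEGER)")
    db.executemany("INSERT INTO user_status VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def fetch(db, username):
    """Look the user up with a bound parameter; the name never enters the SQL text."""
    return db.execute("SELECT blocked, session_timeout, idle_timeout "
                      "FROM user_status WHERE username = ?", (username,)).fetchone()

def config_pairs(db, username):
    """Output for an exec instance declared with output_pairs = config."""
    if not USERNAME_RE.fullmatch(username):
        return "Auth-Type := Reject"  # fail closed on malformed names
    row = fetch(db, username)
    return "Auth-Type := Reject" if row and row[0] else ""

def reply_pairs(db, username):
    """Output for an exec instance declared with output_pairs = reply."""
    row = fetch(db, username) if USERNAME_RE.fullmatch(username) else None
    if row is None or row[0]:
        return ""
    # int() keeps a stored value from adding extra pairs to the output line.
    return f"Session-Timeout = {int(row[1])}, Idle-Timeout = {int(row[2])}"

def main(argv):
    """Usage: program config|reply USERNAME. Always exits 0, as the thread found."""
    mode, username = (argv[1:3] + ["", ""])[:2]
    line = (config_pairs if mode == "config" else reply_pairs)(open_db(), username)
    if line:
        print(line)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```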