Re: starting FreeRadius

2004-03-19 Thread Joe Hayes
Max,

I am very new to both Linux (Mandrake 9.1) and FreeRadius, please forgive
the "newbie questions".

I currently have it running with scripts also, but was considering using
daemontools. Certainly something like daemontools that will keep a watchdog on
the server would be very helpful.

Does daemontools open a window to view the program running?




- Original Message -
From: "Max Ahston" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 20, 2004 1:46 AM
Subject: Re: starting FreeRadius


> > Please ignore my laziness on the last message, I used "reply" instead of
> > typing the address and forgot to change the subject.
>
> but you're still wondering what's the proper way to start the server?
>
> I would say it depends on your needs, in the beginning I used to start it
> with rc-scripts. But it happened that the server crashed (we have added
> 5-6 own modules to the software) I've put freeradius under daemontools to
> get a quick restart if the server dies, even though it is now running very
> stable.
>
> I do this on 4 servers and it works like a charm :)
>
> Max!
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>




Re: starting FreeRadius

2004-03-19 Thread Max Ahston
> Please ignore my laziness on the last message, I used "reply" instead of
> typing the address and forgot to change the subject.

but you're still wondering what's the proper way to start the server?

I would say it depends on your needs, in the beginning I used to start it
with rc-scripts. But it happened that the server crashed (we have added
5-6 own modules to the software) I've put freeradius under daemontools to
get a quick restart if the server dies, even though it is now running very
stable.

I do this on 4 servers and it works like a charm :)

Max!




Re: hey

2004-03-19 Thread Paul Hampson
On Fri, Mar 19, 2004 at 08:41:37PM -0500, radius wrote:
> If you want commercial support, then buy a commercial product.  You
> are here because you cannot afford to buy or you can not find a better
> product.

Hey, watch it with that. I don't think you'd find a better product,
free or not. And if you do, we'd love to hear about it (that's the
royal we) so we can _make_ FreeRADIUS the better product.

On the other hand, if you want to pay for commercial support for
FreeRADIUS, then you get the best of both worlds.

--
Paul "TBBle" Hampson, on an alternate email client



dialup_admin again

2004-03-19 Thread michaelrflora
Hello, I know this is a newbie question but when I try to do something like add a new 
user with dialup_admin I see only a blank white frame.  What do I do to fix this 
problem?  I'm using RH 7.2 with Netscape 7.1; my freeradius server is RH 7.2 and I'm  
getting no error messages from the httpd.

Regards,
M.R.F.




Re: sqlcounter: count=0 ?????

2004-03-19 Thread apellido
can we take a look at your sqlcounter.conf?


- Original Message - 
From: "Juan Pablo Fava" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 20, 2004 10:12 AM
Subject: sqlcounter: count=0 ?


> Hi, the problem is that my installation of sqlcounter doesn't work, I think
> because the counter returns ZERO!!
> and I don't know why, because if I execute the SQL code by hand, I don't get
> zero:
>
> radcheck is ok:
>
> mysql> select * from radcheck where username='troll';
> +----+----------+---------------------+----+-------+
> | id | UserName | Attribute           | op | Value |
> +----+----------+---------------------+----+-------+
> |  3 | troll    | User-Password       | == | troll |
> |  5 | troll    | Max-Monthly-Session | := | 3600  |
> +----+----------+---------------------+----+-------+
> 2 rows in set (0.11 sec)
>
>
> mysql> SELECT SUM(AcctSessionTime - GREATEST((107811 -
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll'
> AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811';
> +------------------------------------------------------------------------------+
> | SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) |
> +------------------------------------------------------------------------------+
> |                                                                       376200 |
> +------------------------------------------------------------------------------+
> 1 row in set (0.00 sec)
>
> Now, lets see radiusd output:
>
>
> rlm_sqlcounter: Entering module authorize code
>
> sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((107811 -
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
> UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) +
> AcctSessionTime > '107811''
>
> radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((107811 -
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll'
> AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''
>
> sqlcounter_expand:  '%{sqlcca3:SELECT SUM(AcctSessionTime -
> GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct
> WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime
> > '107811'}'
>
> WARNING: Attempt to use unknown xlat function or attribute in string
> %{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 -
> UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll'
> AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}
>
> radius_xlat:  ''
> rlm_sqlcounter: (Check item - counter) is greater than zero
> rlm_sqlcounter: Authorized user troll, check_item=3600, counter=0
> <= HERE !!
> rlm_sqlcounter: Sent Reply-Item for user troll, Type=Session-Timeout,
> value=3600
>   modcall[authorize]: module "monthlycounter" returns ok for request 5
> < NO, IT`S NOT OK USER CAN`T LOGIN!! :P
>
>
> Does someone have an idea about what's going on here?
> I don't understand the Warning above...
>
>
> Thanks in advance, and excuse my english.
>
> -- 
> Juan Pablo Fava
>
>
>
>


sqlcounter: count=0 ?????

2004-03-19 Thread Juan Pablo Fava
Hi, the problem is that my installation of sqlcounter doesn't work, I think
because the counter returns ZERO!!
and I don't know why, because if I execute the SQL code by hand, I don't get
zero:

radcheck is ok:

mysql> select * from radcheck where username='troll';
+----+----------+---------------------+----+-------+
| id | UserName | Attribute           | op | Value |
+----+----------+---------------------+----+-------+
|  3 | troll    | User-Password       | == | troll |
|  5 | troll    | Max-Monthly-Session | := | 3600  |
+----+----------+---------------------+----+-------+
2 rows in set (0.11 sec)


mysql> SELECT SUM(AcctSessionTime - GREATEST((107811 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811';
+------------------------------------------------------------------------------+
| SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) |
+------------------------------------------------------------------------------+
|                                                                       376200 |
+------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Now, lets see radiusd output:


rlm_sqlcounter: Entering module authorize code

sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((107811 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '107811''

radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((107811 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''

sqlcounter_expand:  '%{sqlcca3:SELECT SUM(AcctSessionTime -
GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct
WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime
> '107811'}'

WARNING: Attempt to use unknown xlat function or attribute in string
%{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}

radius_xlat:  ''
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user troll, check_item=3600, counter=0  
<= HERE !!
rlm_sqlcounter: Sent Reply-Item for user troll, Type=Session-Timeout,
value=3600
  modcall[authorize]: module "monthlycounter" returns ok for request 5
< NO, IT`S NOT OK USER CAN`T LOGIN!! :P


Does someone have an idea about what's going on here?
I don't understand the Warning above...


Thanks in advance, and excuse my english.

-- 
Juan Pablo Fava
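The counter arithmetic behind the query in this post, and the decision the log shows being made from it, as an added example (mine, not part of the post and not FreeRADIUS code). It runs the same SUM(...) query against constructed sample accounting rows in SQLite, registering GREATEST and UNIX_TIMESTAMP as user functions because SQLite lacks them and binding the reset time as an integer parameter because SQLite, unlike MySQL, would not coerce the quoted '107811'; it checks the result against the same rule written out in Python; and it models what the log records: the `%{sqlcca3:...}` expansion was reported as an unknown xlat, `radius_xlat` returned '', and the module went on with counter=0 and authorized the user for the full 3600 seconds. The assumption in the instance-name check is that `sqlcca3` has to match an instantiated sql module (the name sqlcounter's `sqlmod-inst` points at); the fail-closed variant is my suggestion, not the module's behaviour.

```python
import re
import sqlite3

RESET_TIME = 107811   # reset point used in the thread's query
CHECK_ITEM = 3600     # Max-Monthly-Session for 'troll' in the radcheck table above

# Constructed sample accounting rows, not the poster's data:
# (UserName, AcctStartTime as unix seconds, AcctSessionTime in seconds)
SAMPLE_RADACCT = [
    ("troll", 100000, 3000),   # ended at 103000, before the reset: must not count
    ("troll", 105000, 5000),   # straddles the reset: only 110000 - 107811 = 2189 s count
    ("troll", 110000, 1200),   # entirely after the reset: counts in full
    ("other", 110000, 9999),   # another user: ignored
]

# The thread's query with the reset time and user name bound as parameters.
COUNTER_QUERY = """
SELECT SUM(AcctSessionTime - GREATEST((? - UNIX_TIMESTAMP(AcctStartTime)), 0))
  FROM radacct
 WHERE UserName = ?
   AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > ?
"""

# The warning line from the poster's radiusd output, used as sample input below.
SAMPLE_WARNING = ("WARNING: Attempt to use unknown xlat function or attribute in string "
                  "%{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 - "
                  "UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll'}")


def open_sample_db():
    """In-memory radacct with MySQL's GREATEST/UNIX_TIMESTAMP emulated for SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("GREATEST", 2, max)          # GREATEST(a, b): the larger of the two
    conn.create_function("UNIX_TIMESTAMP", 1, int)    # start times are already unix seconds here
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", SAMPLE_RADACCT)
    return conn


def sql_counter(conn, username, reset_time=RESET_TIME):
    """Seconds used since the reset according to the thread's query; None if no row qualifies."""
    return conn.execute(COUNTER_QUERY, (reset_time, username, reset_time)).fetchone()[0]


def python_counter(rows, username, reset_time=RESET_TIME):
    """The same rule written out: sessions that ended before the reset are dropped,
    a session that straddles it contributes only the part after the reset."""
    total = 0
    for user, start, length in rows:
        if user == username and start + length > reset_time:
            total += length - max(reset_time - start, 0)
    return total


def unknown_xlat_instance(log_text):
    """Pull the module instance name out of the 'unknown xlat' warning, e.g. 'sqlcca3'.
    Assumption: that name has to match an instantiated sql module; when none by that
    name exists the expansion yields '' instead of a number."""
    m = re.search(r"unknown xlat function or attribute in string %\{([A-Za-z0-9_-]+):", log_text)
    return m.group(1) if m else None


def counter_from_xlat(expansion):
    """What the log shows: radius_xlat returned '' and the module went on with counter=0."""
    return int(expansion) if expansion.strip() else 0


def counter_from_xlat_strict(expansion):
    """Fail-closed alternative (my suggestion, not the module's behaviour): a non-numeric
    expansion means the query never ran, which is an error rather than zero usage."""
    if not expansion.strip().isdigit():
        raise ValueError("counter query did not expand to a number: %r" % expansion)
    return int(expansion)


def sqlcounter_decision(counter, check_item=CHECK_ITEM):
    """('ok', seconds_left) while usage is below the check item, otherwise ('reject', None)."""
    remaining = check_item - counter
    return ("ok", remaining) if remaining > 0 else ("reject", None)


if __name__ == "__main__":
    conn = open_sample_db()
    print("counter via SQL    :", sql_counter(conn, "troll"))
    print("counter via Python :", python_counter(SAMPLE_RADACCT, "troll"))
    print("missing sql instance:", unknown_xlat_instance(SAMPLE_WARNING))
    print("decision on ''     :", sqlcounter_decision(counter_from_xlat("")))
    print("decision on 3389   :", sqlcounter_decision(counter_from_xlat("3389")))
```

With the sample rows the query and the plain-Python rule both give 3389 seconds, so 211 seconds would be left of the 3600. The '' expansion, by contrast, is read as zero usage and hands out the whole 3600, which is why the user in the log was "authorized" even though the counter never ran; checking the instance name from the warning against the sql instances actually configured is the first thing to verify.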






hey

2004-03-19 Thread radius
HEY BUBBA Brian Schuetz 

If you want commercial support, then buy a commercial product.
You are here because you cannot afford to buy or you can not find a better 
product.
You ask a really stupid question, you deserve a really stupid answer.
You should be thanking Dekok for services donated and having to put up with 
our stupid human questions.
Many times the answer is in your face (the files README and all that jazz!) 

Did not anybody teach you any manners, perhaps when your mouth is open your 
ears are closed.
Just think how much you could learn if you kept your mouth shut and listened!
I sit here 48 years old and no formal education, tackled radius about two 
years ago. Was up and running in production in no time. Now I can config a 
radius server from scratch in no time flat. I love my radius, I have it 
configured to give the lame user an IP then iptables takes over and -j 
redirects to my special deadbeat user's "Twilight Zone" page (You need to 
pay your bill!) then my two minute Session time out drops them like a hot 
potato"
FreeRadius RULZ Bubba and my freeradius is better than yours...HA !
What University are you attending? Maybe the Dean can just hand me my 
Diploma...HA!  How much are you paying for yours...HA! 

Sorry list, I sat back and watched for a year or so...but it was simply 
irresistible. 





Error reading Trusted root CA list

2004-03-19 Thread usawebbox
I searched the docs and google for this error. Can it simply mean that it
doesn't like my CA cert, which was issued from a Windows 2000 cert server
- or have I failed to configure somewhere else?

I've my 3 certs successfully for EAP-TLS on Windows IAS and Cisco ACS.
radiusd does have permission to read these files of course.

Kirby
SuSE Linux 9.0
FreeRADIUS 0.9.0
openssl 0.9.7d

---freeradius debug output excerpt---
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/ssl/private/acu.pvk"
 tls: certificate_file = "/etc/ssl/private/acuweb.cer"
 tls: CA_file = "/etc/ssl/private/CAcert.cer"
 tls: private_key_password = "atheros"
 tls: dh_file = "/etc/ssl/private/DH"
 tls: random_file = "/etc/ssl/private/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: Error reading Trusted root CA list <- 
rlm_eap: Failed to initialize the type tls
radiusd.conf[596]: eap: Module instantiation failed.
---end freeradius debug output---

---radiusd.conf excerpt---
## EAP-TLS is highly experimental EAP-Type at the moment.  
#   Please give feedback on the mailing list.
tls {
private_key_password = atheros
private_key_file = /etc/ssl/private/acu.pvk

#   If Private key & Certificate are located in the
#   same file, then private_key_file & certificate_file
#   must contain the same file name.
certificate_file = /etc/ssl/private/acuweb.cer

#   Trusted Root CA list
CA_file = /etc/ssl/private/CAcert.cer

dh_file = /etc/ssl/private/DH
random_file = /etc/ssl/private/random
#
#   This can never exceed MAX_RADIUS_LEN (4096)
#   preferably half the MAX_RADIUS_LEN, to
#   accomodate other attributes in RADIUS packet.
#   On most APs the MAX packet length is configured
#   between 1500 - 1600. In these cases, fragment
#   size should be <= 1024.
#
fragment_size = 1024

#   include_length is a flag which is by default set to yes
#   If set to yes, Total Length of the message is included
#   in EVERY packet we send.
#   If set to no, Total Length of the message is included
#   ONLY in the First packet of a fragment series.
#
include_length = yes
}
---end radiusd.conf excerpt---
-- 
  
  [EMAIL PROTECTED]
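A check for the files named in the tls {} block above, added here as an example (mine, not from the post and not FreeRADIUS code). The debug output shows pem_file_type = yes, so the server expects every one of CA_file, certificate_file and private_key_file to be PEM; one likely cause of "Error reading Trusted root CA list" that the post itself does not confirm is a CA certificate exported in DER form, which a Windows certificate server produces by default. The script tells the two encodings apart from the first bytes and checks that the PEM files carry the block types each key needs. The sample inputs are constructed stand-ins, not real certificates; the config keys are the ones from the excerpt above.

```python
import base64
import re

# Constructed sample inputs, not the poster's files. DER_SAMPLE is a small ASN.1
# SEQUENCE stand-in (a real certificate is far longer); PEM_SAMPLE wraps it the
# way a PEM file would; KEY_SAMPLE is a PEM private-key block with a dummy body.
DER_SAMPLE = b"\x30\x82\x01\x0a\x02\x01\x01" + b"\x00" * 16
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\n")
KEY_SAMPLE = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(b"\x30\x03\x02\x01\x00")
              + b"-----END RSA PRIVATE KEY-----\n")


def detect_format(data):
    """PEM files start with a '-----BEGIN' armour line; DER-encoded X.509 and PKCS
    structures start with the ASN.1 SEQUENCE tag 0x30. Anything else is unknown."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def pem_block_types(data):
    """Labels of the armoured blocks in a PEM file, e.g. [b'CERTIFICATE', b'RSA PRIVATE KEY']."""
    return re.findall(rb"-----BEGIN ([A-Z ]+)-----", data)


def check_tls_files(files, pem_file_type=True):
    """files maps a tls {} key (CA_file, certificate_file, private_key_file) to the
    file's bytes. Returns a list of (key, problem) pairs; an empty list means nothing found."""
    problems = []
    for key, data in files.items():
        fmt = detect_format(data)
        if pem_file_type and fmt != "PEM":
            problems.append((key, "pem_file_type = yes but the file looks like %s" % fmt))
            continue
        if fmt != "PEM":
            continue                       # DER mode: no armour labels to inspect
        kinds = pem_block_types(data)
        if key in ("CA_file", "certificate_file") and b"CERTIFICATE" not in kinds:
            problems.append((key, "no CERTIFICATE block in the file"))
        if key == "private_key_file" and not any(b"PRIVATE KEY" in k for k in kinds):
            problems.append((key, "no PRIVATE KEY block in the file"))
    return problems


def load_tls_files(paths):
    """Read the files named in a tls {} block. Only the bytes are inspected; the
    private_key_password is never needed by this check and is never printed."""
    files = {}
    for key, path in paths.items():
        with open(path, "rb") as fh:
            files[key] = fh.read()
    return files


if __name__ == "__main__":
    good = {"CA_file": PEM_SAMPLE, "certificate_file": PEM_SAMPLE, "private_key_file": KEY_SAMPLE}
    print("PEM set:", check_tls_files(good) or "ok")
    print("DER CA :", check_tls_files({"CA_file": DER_SAMPLE}))
    # On a real server, feed it the paths from radiusd.conf, e.g.
    # check_tls_files(load_tls_files({"CA_file": "/etc/ssl/private/CAcert.cer", ...}))
```

If the CA file turns out to be DER, `openssl x509 -inform DER -in CAcert.cer -out CAcert.pem` rewrites it as PEM, and `openssl verify -CAfile CAcert.pem server.pem` confirms the server certificate actually chains to it before the server is restarted. Note that the debug output quoted above echoes private_key_password in clear text, so such excerpts deserve a redaction pass before they leave the machine.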



Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin

2004-03-19 Thread Paul Hampson
Please wrap your lines at 80 characters. Luckily for me, I could
make vim rewrap your entire email with one command. Other list-readers
may not be so lucky.

On Thu, Mar 18, 2004 at 07:37:27PM -0500, Frank Seesink wrote:
> I would very much like to tackle the issue of getting FreeRADIUS to
> run on Windows (most likely under Cygwin).  I did some Googling and
> found that there's been some chitchat here and there, but nothing
> definitive.  So here's my initial input on the subject, aimed towards
> the FreeRADIUS developers.

> I have been able to follow the standard
> 
>   ./configure make
> 
> sequence, only having the build blow up on an undefined _inet_pton
> near the end of the build process.  The last few lines of output
> follow for reference:

> __
> dlltool --as=as --dllname cyggdbm-4.dll --def .libs/cyggdbm-4.dll-def --output-l
> ib .libs/libimp-cyggdbm-4.a
> gcc rlm_ippool_tool.o -o rlm_ippool_tool.exe  -lresolv -lpthread .libs/libimp-cy
> ggdbm-4.a
> rlm_ippool_tool.o(.text+0x26f): In function `addip':
> /usr/local/freeradius-0.9.3/src/modules/rlm_ippool/rlm_ippool_tool.c:115: undefi
> ned reference to `_inet_pton'
> collect2: ld returned 1 exit status
> make[6]: *** [rlm_ippool_tool] Error 1
> make[6]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_ippool'
> make[5]: *** [common] Error 1
> make[5]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules'
> make[4]: *** [all] Error 2
> make[4]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules'
> make[3]: *** [common] Error 1
> make[3]: Leaving directory `/usr/local/freeradius-0.9.3/src'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/usr/local/freeradius-0.9.3/src'
> make[1]: *** [common] Error 1
> make[1]: Leaving directory `/usr/local/freeradius-0.9.3'
> make: *** [all] Error 2
> __

> A quick 'grep' of the FreeRADIUS source shows this function is called
> only ONE time in all of the source code, and that call is in the file

>   ./src/modules/rlm_ippool/rlm_ippool_tool.c

> and there are no instances of inet_pton() in the source.

> So the question is, would it be possible to modify the FreeRADIUS
> source to use IPv4 functions like inet_ntoa() instead of inet_ntop()
> when building under Cygwin?  I will investigate this when I have time,
> but as you guys have been doing this for some time and know the code
> like the back of your hand, figured it's likely a quick click/bang for
> you to make the necessary adjustments to the above file.

Sadly, this is not simple. The set of functions that fulfils the
requirements of that function call is disjoint between Cygwin and
FreeBSD (I think...). You can check the CVS logs for that file to
see what I mean as well as the couple of days on the mailing list
where the FreeBSD users beat me with sticks over this very issue when
I first committed rlm_ippool_tool.

This wasn't an issue since I think the last person to try this
didn't have gdbm for cygwin either. I can see above you've got
that...

> For what it's worth, I found the following link, which might be of
> some help (though not really sure, as I don't code at this level near
> as much as I'd like):

>   http://www.kame.net/newsletter/19980604/

I'd love to switch to getaddrinfo, but from memory that's even less
widely supported than inet_pton. I wonder if it's time yet to throw
my hands in the air, say "To heck with it" and produce our own resolver
library to contain/hide all the evil #ifdefs and whatnot for name
resolution No. ;-)

> I don't know if there are other Cygwin-unsupported functions lurking
> in the FreeRADIUS code, but I must say that this build process has
> gone much further than it ever did in the past, so I believe it's
> quite close.

It certainly _used_ to build, according to the Cygwin instructions
in the documentation.

> For those not familiar with recent changes in Cygwin, one thing that
> has helped immensely is the addition of the minires package, which
> provides a minimalist BIND resolver set of functions (something SORELY
> missing from Cygwin).  This has allowed net apps like FreeRADIUS to
> build where they would fail much earlier in the past due to a lack of
> libresolv, etc.

That's excellent news. Now if only it wasn't GPL-encumbered...

> If one of the developers is bored and thinks they know how I can
> replace the inet_pton() function with something like inet_aton(), I'll
> be more than glad to apply the changes and attempt another build.
> Otherwise, I'll have to sit and read for awhile to fathom the
> intricacies of these functions and how to use one in place of the
> other. :-/

The only solution that presents itself to me is an #ifdef to catch
Cygwin-based builds, assuming we can fairly trivially replace inet_pton
with inet_aton... (If it's really trivial, a Cygwin-specific macro at
the top of the file. After all, it's
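The semantic gap between the two functions this thread wants to swap, shown as an added example (mine, not from the thread and not FreeRADIUS code) through Python's thin wrappers over the C library's inet_aton() and inet_pton(). The assumption is a Linux/glibc host, where inet_aton accepts the classic BSD shorthand forms that inet_pton refuses; an inet_aton-based replacement for inet_pton therefore needs its own strict validation, which `inet_pton_fallback` below supplies, or it silently accepts addresses the original code would have rejected.

```python
import socket


def via_inet_aton(text):
    """inet_aton(): the classic BSD parser. Accepts shorthand such as '127.1' (two
    parts) and octal/hex components, so it is looser than inet_pton()."""
    try:
        return socket.inet_aton(text)
    except OSError:
        return None


def via_inet_pton(text):
    """inet_pton(AF_INET): exactly four decimal components, each 0..255, nothing else."""
    try:
        return socket.inet_pton(socket.AF_INET, text)
    except OSError:
        return None


def is_strict_dotted_quad(text):
    """The validation an inet_aton()-based replacement needs so that it accepts the
    same inputs inet_pton(AF_INET) does: no shorthand, no leading zeros, no junk."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            return False
        if len(part) > 1 and part[0] == "0":
            return False
        if int(part) > 255:
            return False
    return True


def inet_pton_fallback(text):
    """inet_pton(AF_INET) built from inet_aton(): validate strictly, then convert.
    Returns the 4 network-order bytes, or None for anything inet_pton would refuse."""
    if not is_strict_dotted_quad(text):
        return None
    return socket.inet_aton(text)


def compare(text):
    """Side-by-side result for one input; the fallback must agree with inet_pton."""
    return {"inet_aton": via_inet_aton(text),
            "inet_pton": via_inet_pton(text),
            "fallback": inet_pton_fallback(text)}


if __name__ == "__main__":
    for sample in ("192.0.2.1", "127.1", "256.1.1.1", "1.2.3.4x"):
        print(sample, compare(sample))
```

The point for the Cygwin #ifdef discussed above: an address string that reaches rlm_ippool_tool is validated by inet_pton everywhere else, so the substitute has to refuse the same inputs, not merely produce the same bytes for the well-formed ones.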

Re: hey

2004-03-19 Thread donnie
What an awesome reply.  I love mailing lists.  :-)
You could never get this type of entertainment by calling technical
support for Compaq, or somewhere, heh.

--
Donnie

On Fri, 2004-03-19 at 17:33, Alan DeKok wrote:
> "Brian Schuetz" <[EMAIL PROTECTED]> wrote:
> > Is your last name Dekok for a reason?
> 
>   Yes.
> 
>   So... you'd rather insult the person who answered your question than
> admit you were wrong?  Great.
> 
>   It's OK that you have a small wee-wee.  But I don't see why you have
> to tell everybody.
> 
>   Alan DeKok.
> 




Re: Freeradius don't write in radacct with FreeBSD + Mysql... why?

2004-03-19 Thread Ciolo_-^DusT^-_WebMaster
Resolved, it was just some kind of allowing for freeradius but I have just to
realize how we solve it. Mystery!!!
- Original Message -
From: "Ciolo_-^DusT^-_WebMaster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 8:21 PM
Subject: Re: Freeradius don't write in radacct with FreeBSD + Mysql... why?


> I just forgot to tell that I'm working over a FreeBSD system
>
>
> - Original Message -
> From: "Ciolo_-^DusT^-_WebMaster" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 19, 2004 7:45 PM
> Subject: Freeradius don't write in radacct with FreeBSD + Mysql... why?
>
>
> > I'm just trying to use freeradius 0.9.3 and also the 1.0.x pre0
> > but in both cases I have problems,,,
> >
> > the radius is not writing data inside radacct table...
> > so I cannot use any kind of sqlcounter module because I need the data
> > written inside this table...
> >
> > I still don't understand which is the problem because over a RH 7.3 I have
> > got the same system and it's completely working!
> >
> >
> >





Re: hey

2004-03-19 Thread Alan DeKok
"Brian Schuetz" <[EMAIL PROTECTED]> wrote:
> Is your last name Dekok for a reason?

  Yes.

  So... you'd rather insult the person who answered your question than
admit you were wrong?  Great.

  It's OK that you have a small wee-wee.  But I don't see why you have
to tell everybody.

  Alan DeKok.



Re: Suggested modification to radacct SQL table definition

2004-03-19 Thread Guy Fraser
According to the RFCs, NAS-Port-Id should be a string not an integer:

radiusd/share/dictionary:ATTRIBUTE  NAS-Port      5   integer
radiusd/share/dictionary:ATTRIBUTE  NAS-Port-Id   87  string

All of the drivers with provided db schemas use NAS-Port-Id and define 
it as an integer.

I "grep"ed my detail files and it appears that almost all of the different
NAS equipment that I get accounting information from present NAS-Port rather
than NAS-Port-Id. The odd duck is from a telco's vpop service that uses Shasta
and it does not provide any port designation information.

As for the single quotes; in order to maintain compatibility with many
different SQL systems it is best to be careful and ensure the most compatible
method is used.

Graeme Hinchliffe wrote:

Hiya
Just a small change, not sure where I should post this, so I am posting
here as I think the relevant person will hopefully see it :)
On RedBack kit (NASes) it is quite common to get extremely large NAS
port ids.  These do not fit in the standard integer datatype under
postgres on linux.  Changing to bigint fixes this.
Also I noticed that the SQL for making insertions and updates to the
radacct db under postgres encapsulates the values in '' thus causing
postgres to perform a string to int conversion on the data.  Would it
not give an extra cycle or two to omit these quotes?  Seems to work
here.
just my 2 pence


--
Guy Fraser
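What the quoting question turns on, as an added example (mine, not Guy's or Graeme's, and not the project's schema or queries): one accounting insert built three ways against an SQLite copy of the two columns. NAS-Port is numeric and tolerates the unquoted form; NAS-Port-Id is a string attribute, so without quotes the value is parsed as SQL rather than stored as data, and the quoted form stays correct only while every value is escaped. A bound-parameter insert sidesteps the question entirely. The column names, sample values and escape helper are constructed for the example.

```python
import sqlite3

# Constructed sample attribute values (not from the post). NAS-Port-Id is a
# string attribute in the dictionary, NAS-Port an integer.
SAMPLE_NAS_PORT = 4294967295        # a RedBack-sized port number: exceeds a signed 32-bit int
SAMPLE_NAS_PORT_ID = "Ethernet1/0/1"
SAMPLE_USER = "o'neil"              # an apostrophe is ordinary data and must survive intact


def open_db():
    """radacct reduced to the columns under discussion: NASPort is 64-bit in SQLite
    (the 'bigint' the thread suggests), NASPortId is text as the dictionary says."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, "
                 "UserName TEXT NOT NULL, NASPort INTEGER, NASPortId TEXT)")
    return conn


def sql_escape(value):
    """The minimum a quoted string literal needs: double every single quote."""
    return str(value).replace("'", "''")


def insert_unquoted(conn, username, nas_port, nas_port_id):
    """Port values pasted in without quotes, as the thread wonders about. Fine for
    the integer column, but a string port id is then read as SQL, not as data."""
    conn.execute("INSERT INTO radacct (UserName, NASPort, NASPortId) VALUES ('%s', %s, %s)"
                 % (sql_escape(username), nas_port, nas_port_id))


def insert_quoted(conn, username, nas_port, nas_port_id):
    """Every value quoted and escaped: the portable form the reply recommends.
    The database converts '4294967295' back to a number for the integer column."""
    conn.execute("INSERT INTO radacct (UserName, NASPort, NASPortId) VALUES ('%s', '%s', '%s')"
                 % (sql_escape(username), sql_escape(nas_port), sql_escape(nas_port_id)))


def insert_bound(conn, username, nas_port, nas_port_id):
    """Bound parameters: the driver keeps data and SQL apart, so no quoting decision at all."""
    conn.execute("INSERT INTO radacct (UserName, NASPort, NASPortId) VALUES (?, ?, ?)",
                 (username, nas_port, nas_port_id))


def try_insert(insert_fn, username, nas_port, nas_port_id):
    """Run one insert style on a fresh table: ('ok', (NASPort, NASPortId)) or ('error', name)."""
    conn = open_db()
    try:
        insert_fn(conn, username, nas_port, nas_port_id)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("ok", conn.execute("SELECT NASPort, NASPortId FROM radacct").fetchone())


if __name__ == "__main__":
    for fn in (insert_unquoted, insert_quoted, insert_bound):
        print(fn.__name__, try_insert(fn, SAMPLE_USER, SAMPLE_NAS_PORT, SAMPLE_NAS_PORT_ID))
```

The unquoted insert fails as soon as a NAS sends a port id such as `Ethernet1/0/1`, while the quoted and bound forms store the large NAS-Port and the string NAS-Port-Id unchanged; dropping the quotes is only safe for a column that is numeric by definition, which NAS-Port-Id is not.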




starting FreeRadius

2004-03-19 Thread Joe Hayes
Please ignore my laziness on the last message, I used "reply" instead of
typing the address and forgot to change the subject.









Re: sql overhead

2004-03-19 Thread Joe Hayes
What is considered the best or proper way of starting FreeRadius?






Re: hey

2004-03-19 Thread Apu islam
lighten up guys.
I think Alan does a great job supporting. We just need
a few more people like him.
I do think it's a little funny though... 


--- Steve OBrien <[EMAIL PROTECTED]> wrote:

-
If you are complaining about the support on free
software then youare a bigger idiot than your post
made you look.  Grow up.



[EMAIL PROTECTED]
wrote: -

To: <[EMAIL PROTECTED]>
From: "Brian Schuetz" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 03/19/2004 12:06PM
Subject: hey


Alan,

Is your last name Dekok for a reason?






Re: hey

2004-03-19 Thread Steve OBrien
If you are complaining about the support on free software then you
are a bigger idiot than your post made you look.  Grow up.
[EMAIL PROTECTED] wrote: -
To: <[EMAIL PROTECTED]>
From: "Brian Schuetz" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 03/19/2004 12:06PM
Subject: hey

Alan,
Is your last name Dekok for a reason?



hey

2004-03-19 Thread Brian Schuetz

Alan,

Is your last name Dekok for a reason?


Re: getting a UID on the client after PAM authentication passes

2004-03-19 Thread Bill Feero
That's what I thought (because I could not find any instructions on how to do it).
Now I know to start looking for that next step.

Thanks.

On Fri March 19 2004 2:55 pm, Michael Griego wrote:
> RADIUS does not provide name services, such as UID/GID mapping.  It is
> simply an authorization and authentication service.  For name services,
> you'll need to either create the /etc/passwd entry on each machine or
> use a directory service such as NIS/NIS+ or LDAP.
>
> The same applies to PAM.  PAM only does authentication of users
> (possibly from remote sources such as RADIUS, LDAP, or other services).
> It is the job of the name switch services (NSS) subsystem on a unix
> system to retrieve the account information once authentication has been
> established.  Like PAM, NSS can tap into foreign sources to retrieve
> this information from services that are capable of providing that
> information (such as NIS and LDAP).
>
> --Mike
>
> On Fri, 2004-03-19 at 13:42, Bill Feero wrote:
> > I'm trying to authenticate with PAM to freeRADIUS 0.9.0
> > I'm using pam_radius_auth version 1.3.15 on a RedHat 8.0 system
> >
> > Here is my /etc/pam.d/login file:
> > #%PAM-1.0
> > auth       required     /lib/security/pam_securetty.so
> > auth       sufficient   /lib/security/pam_radius_auth.so debug
> > auth       required     /lib/security/pam_stack.so service=system-auth
> > auth       required     /lib/security/pam_nologin.so
> > account    required     /lib/security/pam_stack.so service=system-auth
> > password   required     /lib/security/pam_stack.so service=system-auth
> > session    required     /lib/security/pam_stack.so service=system-auth
> > session    optional     /lib/security/pam_console.so
> >
> > The radius server does accept the user name and password, but since the
> > user name does not exist in the client's /etc/passwd file, I can't log in.
> > This is the message I receive on the client:
> > User not known to the underlying authentication
> >
> > I'm guessing it's because there is no UID for that user.
> >
> > I created a second user in the RADIUS user file, and created a user with
> > the same name on the client but with a different password. I can log in to
> > the client using the RADIUS password.
> >
> > I don't want to create users on the client, so how can I force a UID,
> > home dir. and default shell settings for a user that has been
> > authenticated by RADIUS?
> >
> > Thanks for any help.

-- 
Bill Feero
Logical Solutions, Inc.
203 647 8700




Re: getting a UID on the client after PAM authentication passes

2004-03-19 Thread Michael Griego
RADIUS does not provide name services, such as UID/GID mapping.  It is
simply an authorization and authentication service.  For name services,
you'll need to either create the /etc/passwd entry on each machine or
use a directory service such as NIS/NIS+ or LDAP.

The same applies to PAM.  PAM only does authentication of users
(possibly from remote sources such as RADIUS, LDAP, or other services). 
It is the job of the name switch services (NSS) subsystem on a unix
system to retrieve the account information once authentication has been
established.  Like PAM, NSS can tap into foreign sources to retrieve
this information from services that are capable of providing that
information (such as NIS and LDAP).

--Mike


On Fri, 2004-03-19 at 13:42, Bill Feero wrote:
> I'm trying to authenticate with PAM to freeRADIUS 0.9.0
> I'm using pam_radius_auth version 1.3.15 on a RedHat 8.0 system
> 
> Here is my /etc/pam.d/login file:
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       sufficient   /lib/security/pam_radius_auth.so debug
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> 
> The radius server does accept the user name and password, but since the user name
> does not exist in the client's /etc/passwd file, I can't log in.
> This is the message I receive on the client:
> User not known to the underlying authentication
> 
> I'm guessing it's because there is no UID for that user. 
> 
> I created a second user in the RADIUS user file, and created a user with the same
> name on the client but with a different password. I can log in to the client using the
> RADIUS password.
> 
> I don't want to create users on the client, so how can I force a UID, home dir. and
> default shell settings for a user that has been authenticated by RADIUS?
> 
> Thanks for any help.
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
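The split Mike describes, PAM answering "is this password right" and NSS answering "which account is that", shown as an added example (mine, not from the post and not FreeRADIUS or pam_radius_auth code). `pwd.getpwnam` is Python's wrapper over the C library's getpwnam(), so it consults exactly the sources the host's nsswitch.conf lists; the nsswitch fragment is a constructed sample showing the `passwd: files ldap` arrangement the reply points to, and `explain_login` strings the two layers together the way login does. The account names used in the demo are constructed.

```python
import pwd

# Constructed nsswitch.conf fragment (not the poster's): passwd lookups go to local
# files first, then to an LDAP directory, which is where a RADIUS-only user would
# have to exist for login to find a uid, home directory and shell.
SAMPLE_NSSWITCH = """
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files
group:      files ldap
"""


def passwd_sources(nsswitch_text):
    """Sources consulted for account lookups, in order. glibc falls back to 'files'
    when no passwd: line is present."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return ["files"]


def nss_lookup(username):
    """getpwnam() through the C library, i.e. through whatever NSS sources this host
    has configured. None means no source knows the account."""
    try:
        entry = pwd.getpwnam(username)
    except KeyError:
        return None
    return {"uid": entry.pw_uid, "gid": entry.pw_gid,
            "home": entry.pw_dir, "shell": entry.pw_shell}


def explain_login(radius_accepted, username):
    """The two layers in the order login applies them: PAM decides whether the
    password is right, NSS supplies the account the session would run as."""
    if not radius_accepted:
        return "PAM: authentication failed"
    account = nss_lookup(username)
    if account is None:
        return "PAM accepted %r but NSS has no account for it: no uid, home or shell" % username
    return "ok: uid=%d home=%s shell=%s" % (account["uid"], account["home"], account["shell"])


if __name__ == "__main__":
    print("passwd sources:", passwd_sources(SAMPLE_NSSWITCH))
    print(explain_login(True, "root"))                 # exists in /etc/passwd on any Unix host
    print(explain_login(True, "radius-only-user"))     # constructed name with no NSS entry
```

Running `nss_lookup` for the RADIUS user name on the client is the quick way to confirm the diagnosis in this thread: a RADIUS Access-Accept changes nothing about what getpwnam() returns, so until an NSS source (local passwd file, NIS or LDAP) carries the account, login has no uid to switch to.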





Re: IPASS: no such realm

2004-03-19 Thread Chris Parker
At 12:35 PM 3/19/2004, Reinaldo Silva wrote:
> Hi,
>
> I use this version:
> radiusd: FreeRADIUS Version 0.8.1, for host i386-redhat-linux-gnu, built
> on Jun 11 2003 at 12:03:43

0.8.1 is quite old.  0.9.3 is recommended.

-Chris
--
   \\\|||///  \   StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   Wholesale Internet\   Director, Engineering
   | @   @ |\   http://www.starnetusa.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Outpace the Competition - http://www.getmespeed.com




getting a UID on the client after PAM authentication passes

2004-03-19 Thread Bill Feero
I'm trying to authenticate with PAM to freeRADIUS 0.9.0
I'm using pam_radius_auth version 1.3.15 on a RedHat 8.0 system

Here is my /etc/pam.d/login file:
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_radius_auth.so debug
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

The radius server does accept the user name and password, but since the user name
does not exist in the client's /etc/passwd file, I can't log in.
This is the message I receive on the client:
User not known to the underlying authentication

I'm guessing it's because there is no UID for that user. 

I created a second user in the RADIUS user file, and created a user with the same name
on the client but with a different password. I can log in to the client using the 
RADIUS password.

I don't want to create users on the client, so how can I force a UID, home dir. and
default shell settings for a user that has been authenticated by RADIUS?

Thanks for any help.

-- 
Bill Feero
Logical Solutions, Inc.
203 647 8700




Re: Freeradius don't write in radacct with FreeBSD + Mysql... why?

2004-03-19 Thread Ciolo_-^DusT^-_WebMaster
I just forgot to tell that I'm working over a FreeBSD system


- Original Message -
From: "Ciolo_-^DusT^-_WebMaster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 7:45 PM
Subject: Freeradius don't write in radacct with FreeBSD + Mysql... why?


> I'm just trying to use freeradius 0.9.3 and also the 1.0.x pre0
> but in both cases I have problems,,,
>
> the radius is not writing data inside radacct table...
> so I cannot use any kind of sqlcounter module because I need the data
> written inside this table...
>
> I still don't understand which is the problem because over a RH 7.3 I have
> got the same system and it's completely working!
>
>
>


Re: dialup-admin

2004-03-19 Thread Amedzekor Kafui
sql_debug is enabled. I am able to connect with the
credentials in admin.conf but the web interface still
returns "Could not connect to SQL database".
Thanks.

--- Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> On Thu, 18 Mar 2004, Amedzekor Kafui wrote:
> 
> > Hi,
> >
> > I used to run Redhat 9 but I upgraded to Fedora
> Core 1
> > using yum.
> >
> > I run apache 2.0.4 and php 4.3.4 and postgresql
> 7.3.4
> > on Fedora Core 1. I run yum as a cron job to
> update my
> > system every night.
> >
> > I am no more able to use dialup-admin again.
> Anytime I
> > click on New User I get the error meesage "Could
> not
> > connect to SQL database".
> > What could be wrong?
> 
> Enable sql_debug in dialup admin. Check pgsql that
> you can connect with the
> credentials configured in admin.conf
> 
> >
> > Does dialup_admin work with php running as a
> module on
> > apache.
> > Thanks.
> >
> > Kafui Amedzekor.
> >
> >
> >
> >
> > __
> > Do you Yahoo!?
> > Yahoo! Mail - More reliable, more storage, less
> spam
> > http://mail.yahoo.com
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of
> Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 
> - 
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html





Problem on users file

2004-03-19 Thread Reinaldo Silva
Hi,

My freeradius version:

radiusd -v
radiusd: FreeRADIUS Version 0.8.1, for host i386-redhat-linux-gnu, built
on Jun 11 2003 at 12:03:43

My users file:

# Uncomment the following to test local authentication
#"testing123"   Auth-Type := Local, User-Password == "testing123"
#   Session-Timeout = "60"
   
  
"ricbasto"  Auth-Type := Local, User-Password == "vex12ab"
"benjamim"  Auth-Type := Local, User-Password == "aeco9eek"
"matos" Auth-Type := Local, User-Password == "iex7thoh"
"adilson"   Auth-Type := Local, User-Password == "ahsh0uat"
"mbrolio"   Auth-Type := Local, User-Password == "eique9zo"
"orlando"   Auth-Type := Local, User-Password == "coxaet7o"
"garcia"Auth-Type := Local, User-Password == "och2eiwu"
"thiago"Auth-Type := Local, User-Password == "toothee3"
"marcos"Auth-Type := Local, User-Password == "ahy3ahpi"
"rodrigo"   Auth-Type := Local, User-Password == "gahxe0oh"
"amarantep" Auth-Type := Local, User-Password == "ahr9ikol"


And I get this error:

Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
/etc/raddb/users[24]: Parse error (reply) for entry amarantep: No token
read where we expected an attribute name
Errors reading /etc/raddb/users
radiusd.conf[905]: files: Module instantiation failed.


Any ideas?

Thanks!

-- 
Reinaldo Silva
Vex Wi-Fi
+55 11 3444 7921




Freeradius don't write in radacct with FreeBSD + Mysql... why?

2004-03-19 Thread Ciolo_-^DusT^-_WebMaster
I'm trying to use freeradius 0.9.3 and also the 1.0.x pre0,
but in both cases I have problems.

The radius is not writing data inside the radacct table,
so I cannot use any kind of sqlcounter module because I need the data
written inside this table.

I still don't understand what the problem is, because on RH 7.3 I have
the same system and it's completely working!






Re: sql overhead

2004-03-19 Thread Alan DeKok
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> ok, but I am confused on how to access an attribute set by
> authorize_check_query, because it is added to the check list and I do
> not know how to access a check list attribute. I have read the
> variables.txt and sow variables for request, reply, proxy, and config,
> no check.

  It's in the latest CVS snapshot.

  Alan DeKok.



Mysql Error Message and Postgresql Question

2004-03-19 Thread Ugur GUNCER
Hi 


My radius server gives a "Mysql check_error : 1054 received" message after
the user authorization process.
What does it mean?

My usergroup table is empty !!!


modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat:  'dark'
rlm_sql (sql): sql_set_user escaped user --> 'dark'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'dark' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'dark' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql_getvpdata: database query error
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'dark' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'dark' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql_getvpdata: database query error
rlm_sql (sql): Released sql socket id: 4




And my second question is:

I'm exporting detail to mysql,
but I want to export detail to postgresql
at the same time as mysql.

I edited my
Radius.conf like this:
 # Include another file that has the SQL-related configuration.
# This is another file solely because it tends to be big.
#
#  The following configuration file is for use with MySQL.
#
# For Postgresql, use:  ${confdir}/postgresql.conf
# For MS-SQL, use:  ${confdir}/mssql.conf
#
$INCLUDE  ${confdir}/sql.conf
$INCLUDE  /usr/local/radiusd/etc/raddb/postgresql.conf
# Write a 'utmp' style log file, of which users are currently
# logged in, and where they've logged in from.
#
And postgresql.conf like this:

# Connect info
server = "localhost"
login = "puser"
password = "ppass"

# Database table configuration
radius_db = "pdata_db"

But in postgres the radacct table is empty.




Re: Proxying TTLS and PEAP

2004-03-19 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Is it possible to use Freeradius in such an environment, how is it configured?

  Yes.  In the latest CVS snapshot, you can put the following at the
top of the "users" file:

#---
DEFAULT Proxy-To-Realm := "example.com"
Fall-Through = Yes

DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
Fall-Through = Yes

DEFAULT EAP-Type == EAP-TTLS, Proxy-To-Realm := LOCAL
Fall-Through = Yes
#---

  This will make all requests be proxied to "example.com", but will
cancel that proxying for PEAP and TTLS.

  Alan DeKok.



Re: leap works, mschap does not

2004-03-19 Thread Alan DeKok
"Brian Schuetz" <[EMAIL PROTECTED]> wrote:
> No, it is NOT the same thing again.  I have read ALL replies and you have
> not responded until NOW,

  Nonsense.  Read the list archives:

  Your post:

http://lists.freeradius.org/pipermail/freeradius-users/2004-March/029644.html

  I respond:

http://lists.freeradius.org/pipermail/freeradius-users/2004-March/029645.html

  And today you post again the same message as before.  So I
responded, and you didn't read my response.

> I gave you more information. LOOK AGAIN.

  Nonsense.

>  I do not appreciate your tone in your email

   That really doesn't concern me.  And I don't see why you're
getting upset at me because you don't know how to read email, or the
list archives...

  Alan DeKok.



IPASS: no such realm

2004-03-19 Thread Reinaldo Silva
Hi,

I use this version:
radiusd: FreeRADIUS Version 0.8.1, for host i386-redhat-linux-gnu, built
on Jun 11 2003 at 12:03:43

Here is my proxy.conf:
realm IPASS {
        type     = radius
        authhost = 200.160.255.86:11812
        accthost = 200.160.255.86:11813
        secret   = ?
        nostrip
}


And I get this error:

--- Walking the entire request list ---
Cleaning up request 34 ID 6 with timestamp 405b36f4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.50.0.3:36679, id=181,
length=142
User-Password = "zeze"
Service-Type = Login-User
NAS-IP-Address = 10.50.0.3
User-Name = "IPASS/[EMAIL PROTECTED]"
NAS-Identifier = "vex_cafedev"
NAS-IP-Address = 10.50.0.3
Framed-IP-Address = 192.168.1.119
Calling-Station-Id = "00:07:95:43:15:3A"
Called-Station-Id = "00:40:F4:5A:4B:65"
NAS-Port = 119
NAS-Port-Type = Wireless-802.11
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: Looking up realm IPASS for User-Name = "IPASS/[EMAIL PROTECTED]"
rlm_realm: No such realm IPASS
  modcall[authorize]: module "realmslash" returns noop
rlm_realm: Looking up realm xixi for User-Name = "IPASS/[EMAIL PROTECTED]"
rlm_realm: No such realm xixi
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'IPASS/[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> 'IPASS/[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,user_name,attribute,value,op FROM radcheck
WHERE user_name = 'IPASS/[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 16
rlm_sql_postgresql: query: SELECT id,user_name,attribute,value,op FROM
radcheck WHERE user_name = 'IPASS/[EMAIL PROTECTED]' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.group_name,radgroupcheck.attribute,radgroupcheck.value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.user_name = 'IPASS/[EMAIL PROTECTED]' 
AND usergroup.group_name = radgroupcheck.group_name ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT
radgroupcheck.id,radgroupcheck.group_name,radgroupcheck.attribute,radgroupcheck.value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.user_name = 'IPASS/[EMAIL PROTECTED]' 
AND usergroup.group_name = radgroupcheck.group_name ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT id,user_name,attribute,value,op FROM radreply
WHERE user_name = 'IPASS/[EMAIL PROTECTED]' ORDER BY id'
rlm_sql_postgresql: query: SELECT id,user_name,attribute,value,op FROM
radreply WHERE user_name = 'IPASS/[EMAIL PROTECTED]' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.group_name,radgroupreply.attribute,radgroupreply.value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.user_name = 'IPASS/[EMAIL PROTECTED]' 
AND usergroup.group_name = radgroupreply.group_name ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT
radgroupreply.id,radgroupreply.group_name,radgroupreply.attribute,radgroupreply.value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.user_name = 'IPASS/[EMAIL PROTECTED]' 
AND usergroup.group_name = radgroupreply.group_name ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 16
  modcall[authorize]: module "sql" returns ok
users: Matched DEFAULT at 31
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 181 to 10.50.0.3:36679
Acct-Interim-Interval = 600
Idle-Timeout = 900
Session-Timeout = 86400
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...


It authenticates from a local sql cache instead of proxying the request.
Why?

Thanks!!

Reinaldo






RE: Using freeradius to authenticate users to a Windows 2000 AD

2004-03-19 Thread Steve OBrien
OK, I got that problem fixed on the Windows side. Now I am getting an immediate Access-Reject; here is the debug:
rad_recv: Access-Request packet from host 127.0.0.1:44805, id=51, length=56
    User-Name = "test"
    User-Password = "test"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat:  '(cn=test)'
radius_xlat:  'dc=ci,dc=bend,dc=or,dc=us'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:636, authentication 0
rlm_ldap: setting TLS mode to 1
ldap_err2string
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us/freerad1us to cityhalldc1.ci.bend.or.us:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP cityhalldc1.ci.bend.or.us:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 192.168.19.40:636
ldap_connect_timeout: fd: 7 tm: 5 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 10 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: cityhalldc1.ci.bend.or.us  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Mar 19 09:13:12 2004
 
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next failed.
rlm_ldap: ldap_result()
ldap_err2string
rlm_ldap: cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us bind to
cityhalldc1.ci.bend.or.us:636 failed: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 51 to 127.0.0.1:44805
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 405b2a28
Nothing to do.  Sleeping u

Here is the pertinent part of my radiusd.conf:
        start_tls = no
        #tls_mode = no

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 10
        #groupname_attribute = cn
        #groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
        timeout = 10
        timelimit = 10
        net_timeout = 5
        ldap_debug = 0x
        ldap_debug = 0x0001
        compare_check_items = yes
        access_attr_used_for_allow = no
}
[EMAIL PROTECTED] wrote: -
To: <[EMAIL PROTECTED]>
From: "Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 03/18/2004 10:58PM
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

I don't know the Windows side well - you might need to do some Googling to find out what this error means. Sorry.

Also, you definitely do not export the private key. That remains on the CA.

Regards
Tarun

-Original Message-
From: Steve OBrien [mailto:[EMAIL PROTECTED]]
Sent: Friday, 19 March 2004 5:51 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Now I am seeing this in the windows dc server log:
A
f

Re: sql overhead

2004-03-19 Thread [EMAIL PROTECTED]
> > is there a way to communicate a value/parameter between
> > authorize_check_query and authorize_reply_query ?
> 
>   Yes.  Put it into a RADIUS attribute.

ok, but I am confused on how to access an attribute set by
authorize_check_query, because it is added to the check list and I do
not know how to access a check list attribute. I have read
variables.txt and saw variables for request, reply, proxy, and config,
but no check.

> > I want to migrate my application from gnuradius to freeradius
> > and in gnuradius is a attribute "Auth-Data" which is added to
> > the request and can be viewed by sequential sql queries.
> 
>   How is it added to the request?  What does it mean?
> 
>   Odds are you can do the same thing with FreeRADIUS.

After the execution of check_attr_query, if the attribute Auth-Data is
returned it is added to the request as if it were sent by the NAS, so it
is reflected in the request variables.

thanks,
razvan radu





Re: Juniper Attributes and OpenLDAP

2004-03-19 Thread Kostas Kalevras
On Fri, 19 Mar 2004, Robert Banniza wrote:

> In looking at the dictionary.juniper file, I notice there are 5
> attributes in this file:
>
> ATTRIBUTE   Juniper-Local-User-Name 1   string
> Juniper
> ATTRIBUTE   Juniper-Allow-Commands  2   string
> Juniper
> ATTRIBUTE   Juniper-Deny-Commands   3   string
> Juniper
> ATTRIBUTE   Juniper-Allow-Configuration 4   string
> Juniper
> ATTRIBUTE   Juniper-Deny-Configuration  5   string
> Juniper
>
> With that said, I'm using OpenLDAP to authenticate and would also like
> to use LDAP to control who has access to which commands within JUNOS.
> Therefore, can I place these attributes in my OpenLDAP ldif and have
> radius read them? In doing this, don't these attributes need to be
> defined within the RADIUS-LDAPv3.schema or some other schema? Is anyone
> doing this currently to show me where I need to go next? I have searched
> the web and there is little info on Juniper/Freeradius.

You can either define a few new ldap attributes for the corresponding Juniper
RADIUS attributes and add them to your ldap schema.
Or you can use the generic attributes provided in the current schema:

radiusReplyItem: Juniper-Local-User-Name := 

and so on

>
> Thanks
>
> Robert
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: leap works, mschap does not

2004-03-19 Thread Michael Griego
Actually, Brian, Alan's email response to you was quite correct, and it
*is* the same problem as before.  Before you email the list again with
any more questions, download the latest CVS snapshot (NOT version
0.9.3), and try using that.  If you read the download page, you will see
how to get the CVS version.

--Mike


On Fri, 2004-03-19 at 10:23, Brian Schuetz wrote:
> Alan DeKok
> 
> No, it is NOT the same thing again.  I have read ALL replies and you have
> not responded until NOW, therefore your assumption is WRONG.  I gave you
> more information. LOOK AGAIN.  I do not appreciate your tone in your email
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Proxying TTLS and PEAP

2004-03-19 Thread roman . vollenweider
Hello

I am new to Freeradius and I know that Freeradius handles TTLS and PEAP.
However, I don't know if it is possible to use Freeradius as a proxy that acts
as the endpoint of the TLS tunnel and that forwards the inner (tunneled)
attributes to a second Radius Server. The second Radius Server in turn would
be responsible for "inner" authentication using the user name and the
MD5/PAP/CHAP-Password.
Is it possible to use Freeradius in such an environment, and how is it configured?

Thank you
Roman




leap works, mschap does not

2004-03-19 Thread Brian Schuetz
Alan DeKok

No, it is NOT the same thing again.  I have read ALL replies and you have
not responded until NOW, therefore your assumption is WRONG.  I gave you
more information. LOOK AGAIN.  I do not appreciate your tone in your email




Re: dialup-admin

2004-03-19 Thread Kostas Kalevras
On Thu, 18 Mar 2004, Amedzekor Kafui wrote:

> Hi,
>
> I used to run Redhat 9 but I upgraded to Fedora Core 1
> using yum.
>
> I run apache 2.0.4 and php 4.3.4 and postgresql 7.3.4
> on Fedora Core 1. I run yum as a cron job to update my
> system every night.
>
> I am no more able to use dialup-admin again. Anytime I
> click on New User I get the error meesage "Could not
> connect to SQL database".
> What could be wrong?

Enable sql_debug in dialup admin. Check pgsql that you can connect with the
credentials configured in admin.conf

>
> Does dialup_admin work with php running as a module on
> apache.
> Thanks.
>
> Kafui Amedzekor.
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Freeradius-Dialup-Admin Help

2004-03-19 Thread Kostas Kalevras
On Fri, 19 Mar 2004 [EMAIL PROTECTED] wrote:

> Hi All,
>
> I am trying to use dialup_admin/bin/clean_radacct to clear dangling User
> sessions.
> When I fire following Command it returns an error
>
> [EMAIL PROTECTED] bin]# ./clean_radacct
> Could not find mysql binary. Please make sure that the $mysql variable
> points to the right location
>
> I have configured admin.conf with following details...
>
> #
> # mysq: MySQL database (port 3306)
> #
> sql_type: mysql
> sql_server: localhost
> sql_port: 3306
> sql_username: root
> sql_password: rootpass
> sql_database: radius
> sql_accounting_table: radacct
> sql_badusers_table: badusers
> sql_check_table: radcheck
> sql_reply_table: radreply
> sql_user_info_table: userinfo
> sql_groupcheck_table: radgroupcheck
> sql_groupreply_table: radgroupreply
> sql_usergroup_table: usergroup
> sql_total_accounting_table: totacct
> #
> # This variable is used by the scripts in the bin folder
> # It should contain the path to the sql binary used to run
> # sql commands (mysql is only supported for now)
> sql_command: /usr/bin/mysql
>
>
> What is wrong here ?

So is mysql located in /usr/bin/mysql?
Is it executable?

>
> Thanks,
> Sagar
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: AW: Behavior for rlm_ldap module

2004-03-19 Thread Kostas Kalevras
On Fri, 19 Mar 2004 [EMAIL PROTECTED] wrote:

> Hi,
>
> i would also appreciate a solution for this "LDAP-ISSUE" (very much!)
>
> does anyone know if a solution is in sight? And - more important - when??

when a patch is posted. I 'll try to work on it on the weekend. It isn't too
much of a job.

>
> Is anyone working on the extension of "configurable failover"??
>
> Arne
> 
> Dataport
> Altenholzer Str 10 - 14, 24161 Altenholz
> Internet:www.dataport.de
> E-Mail: [EMAIL PROTECTED]
> Telefon: 0431 - 32 95 6840
> Telefax: 0431 - 32 95 410
>
> > Message: 6
> > Date: Fri, 12 Mar 2004 16:17:14 +0200 (EET)
> > From: Kostas Kalevras <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: Behavior for rlm_ldap module
> > Reply-To: [EMAIL PROTECTED]
> >
> > On Fri, 12 Mar 2004, Pierluigi Frullani wrote:
> >
> > > Hi all.
> > >  Reading through the C code of rlm_ldap I've noticed that the behavior
> > > for this module, when it gets a nosuchobject or an ambiguous reply, is
> > > to not reject the request, but pass it over to some other modules,
> > > either in authorize or in authenticate.
> > > This could be ok when you have a distributed ldap with different
> > > databases, but could result in some false positives when using a
> > > replicated net of ldap servers that have the same information.
> > > While I do have this latter configuration I've tried to figure out how
> > > I could get a reject if the module fails with these two options, and I
> > > made a patch to rlm_ldap.c to have a configuration option to achieve
> > > this behavior.
> > > So, my patch adds the "not_found_should_reject" (boolean type yes/no)
> > > keyword in the ldap section of radiusd.conf, with a default value of
> > > no, so the normal behavior is kept, and if set to yes, will make the
> > > module return a reject when it fails as described.
> > >
> > > Could this patch be included in CVS, and so in next distribution ?
> >
> >
> > I 'd prefer a more general approach. As previously described by Alan
> > configurable failover could be extended so that something
> > like this can be
> > possible:
> >
> > authorize{
> > eap
> > chap
> > files
> > ldap {
> > notfound = reject
> > }
> > }
> >
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED]   National Technical University of Athens, Greece
> > Work Phone: +30 210 7721861
> > 'Go back to the shadow' Gandalf
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: TTLS + LDAP authentication

2004-03-19 Thread Alan DeKok
Rok Papez <[EMAIL PROTECTED]> wrote:
> AFAIK: FR works so that after the EAP-TTLS tunnel is established it
> proxies all inner RADIUS requests to 127.0.0.1 where they reenter
> processing.

  Pretty much.  It doesn't actually send the packet to the IP address
127.0.0.1, but the effect is the same.

  The tunneled authentication request is passed recursively to the server.

  Alan DeKok.



Re: leap works, mschap does not

2004-03-19 Thread Alan DeKok
"Brian Schuetz" <[EMAIL PROTECTED]> wrote:
...

  The same thing again.

  If you're not going to read the replies to your messages, then don't
post those messages to the list.

  I already answered your message.  Go back and read that answer.

  Alan DeKok.




Re: sql overhead

2004-03-19 Thread Alan DeKok
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> is there a way to communicate a value/parameter between
> authorize_check_query and authorize_reply_query ?

  Yes.  Put it into a RADIUS attribute.

> I want to migrate my application from gnuradius to freeradius
> and in gnuradius is a attribute "Auth-Data" which is added to
> the request and can be viewed by sequential sql queries.

  How is it added to the request?  What does it mean?

  Odds are you can do the same thing with FreeRADIUS.

  Alan DeKok.



Re: Digest-Attributes + perl

2004-03-19 Thread Alan DeKok
Pavel Kuz <[EMAIL PROTECTED]> wrote:
> The question is: can freeradius translate these av-pairs into
> Digest-Realm,Digest-Nonce, etc, av-pairs before passing them to
> rlm_perl?

  List "perl" after "digest" in the "authorize" section.

  The "digest" module does this.  If you ran the server in debugging
mode with the digest module enabled, it would tell you it's doing this.

  Alan DeKok.




Re: module execution order

2004-03-19 Thread Alan DeKok
flamur <[EMAIL PROTECTED]> wrote:
> In my system i use both files and python module
> When files module returns ok, (the user is accepted), freeradius continues to 
> execute next module (python).
> 
> How can I disable this ?

  Read doc/configurable_failover.

  The version in the latest CVS makes more sense than the one in 0.9.3.

  Alan DeKok.



Re: FR doesn't know my users

2004-03-19 Thread Alan DeKok
Marc Werner <[EMAIL PROTECTED]> wrote:
> i have a problem with my free-radiusserver. the radiusd starts normally but
> i cannot log on with a username and password defined in /etc/raddb/users. the
> client is a cisco-router 1720. below you find some logs i made. perhaps you
> can pick out what went wrong. thanks for your help!!!

  You included things which don't help, and didn't include the
information specified in the FAQ and README.

  Run the server in debugging mode, and read the output.  The answer
is there.

  Alan DeKok.




Re: TTLS + LDAP authentication

2004-03-19 Thread Alan DeKok
David Dunn <[EMAIL PROTECTED]> wrote:
> OK I understand, but what Auth-Type should I set in
> the users file?

  That's an issue.  The LDAP module probably shouldn't add Auth-Type = LDAP.

  Alan DeKok.



Re: Authentication Responses during error conditions

2004-03-19 Thread Alan DeKok
Doug Hardie <[EMAIL PROTECTED]> wrote:
> However the NASs didn't switch to the backup radius server which was 
> operating properly.  We are trying to figure out why they didn't 
> switch.

  When the server gives up on a thread, it sends a Reject back to the
NAS.  This behaviour should probably be configurable.

  See src/main/request_list.c, around line 519 in the latest CVS
snapshot. The call to request_reject() should be configurable.

  Alan DeKok.



Re: TTLS + LDAP authentication

2004-03-19 Thread Rok Papez
Hello David!

David Dunn wrote:

> > You need to set Auth-Type in the users file. Since
> > you don't the ldap module
> > sets it to LDAP.
>
> OK I understand, but what Auth-Type should I set in
> the users file?
> It shouldn't be LDAP (I'll end up where I started).
> Nor PAP, as password is not available before the
> EAP-TLS tunnel has been established and authentication
> will fail. Set to EAP, once the password is sent
> through the TLS tunnel FR still expect EAP
> authentication and it failed.
> Suggestions?

DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
	Fall-Through = Yes

AFAIK: FR works so that after the EAP-TTLS tunnel is established it
proxies all inner RADIUS requests to 127.0.0.1 where they reenter
processing.

--
Best regards,
Rok Papez.


Freeradius-Dialup-Admin Help

2004-03-19 Thread sagar.patil
Hi All,

I am trying to use dialup_admin/bin/clean_radacct to clear dangling User sessions.

When I fire the following command it returns an error:

[[EMAIL PROTECTED] bin]# ./clean_radacct
Could not find mysql binary. Please make sure that the $mysql variable points to the right location

I have configured admin.conf with the following details...

#
# mysq: MySQL database (port 3306)
#
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: rootpass
sql_database: radius
sql_accounting_table: radacct
sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
sql_usergroup_table: usergroup
sql_total_accounting_table: totacct
#
# This variable is used by the scripts in the bin folder
# It should contain the path to the sql binary used to run
# sql commands (mysql is only supported for now)
sql_command: /usr/bin/mysql

What is wrong here ?

Thanks,
Sagar


Re: dialup-admin

2004-03-19 Thread Amedzekor Kafui
I use postgresql. postgresql is running because that
is the database the radius server store it accounting
and usernames.

--- Martin Jessa <[EMAIL PROTECTED]> wrote:
> Then it's probably not running.
> Run netstat -l |grep mysql
> It should be listed
> Or ps auxww |grep mysql
> 
> 
> On Thu, 18 Mar 2004 17:46:04 -0800 (PST)
> Amedzekor Kafui <[EMAIL PROTECTED]> wrote:
> 
> > Hi,
> > 
> > I used to run Redhat 9 but I upgraded to Fedora Core 1
> > using yum.
> > 
> > I run apache 2.0.4 and php 4.3.4 and postgresql 7.3.4
> > on Fedora Core 1. I run yum as a cron job to update my
> > system every night.
> > 
> > I am no more able to use dialup-admin again. Anytime I
> > click on New User I get the error message "Could not
> > connect to SQL database". 
> > What could be wrong?
> > 
> > Does dialup_admin work with php running as a module on
> > apache.
> > Thanks.
> > 
> > Kafui Amedzekor.


leap works, mschap does not

2004-03-19 Thread Brian Schuetz
I do not necessarily know how to implement mschap, it is actually (Secured
password (EAP-MSCHAP v2) on the Orinoco gold card.  The only thing I have set
up in free radius that works is LEAP so far.  Let's start from the beginning:
I downloaded freeradius 0.9.3 and "unzipped" it.  After installation, I went
to /usr/local/etc/raddb/ and from there put in my changes in files to
implement leap and mschap.  In radiusd.conf I edited the default_eap_type to
mschap (perhaps this does not matter now that it seems eap and chap are not
the same after reading your email).  In users I put in the user name and
password. In clients, I entered the access point ip address and the key.
This is all that I have done.  If I set the default_eap_type in radiusd.conf
to leap or md5, leap will work with a cisco client card.

When trying to implement mschap, I am using an Orinoco gold card that offers
to use peap then secured password (EAP-MSCHAP v2) within peap. This also
appears to give me the opportunity to avoid using a certificate.  The Orinoco
gold card then offers me a logon using username and password and domain.  I
use the username and password only.  This is when the radius server returns
the message I will again send below.

Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.16.30.165:1645, id=8, length=123
    User-Name = "Joe"
    Framed-MTU = 1400
    Called-Station-Id = "000d.bdda.b379"
    Calling-Station-Id = "0002.2d5e.d7a4"
    Message-Authenticator = 0x59f628e88f1fbb34059861e921e58a5d
    EAP-Message = 0x0202000d017363687565747a62
    NAS-Port-Type = Virtual
    NAS-Port = 353
    NAS-IP-Address = 172.16.30.165
    NAS-Identifier = "ap"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
    rlm_realm: No '@' in User-Name = "joe", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched joe at 74
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
rlm_eap: Configured  EAP_TYPE is not supported
  rlm_eap: EAP Identity
rlm_eap: Unsupported EAP_TYPE 1
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 8 to 172.16.30.165:1645
    EAP-Message = 0x04020004
    Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 8 with timestamp 40562aa3
Nothing to do.  Sleeping until we see a request.

[EMAIL PROTECTED]
417-895-5694


Juniper Attributes and OpenLDAP

2004-03-19 Thread Robert Banniza
In looking at the dictionary.juniper file, I notice there are 5
attributes in this file:

ATTRIBUTE   Juniper-Local-User-Name     1   string  Juniper
ATTRIBUTE   Juniper-Allow-Commands      2   string  Juniper
ATTRIBUTE   Juniper-Deny-Commands       3   string  Juniper
ATTRIBUTE   Juniper-Allow-Configuration 4   string  Juniper
ATTRIBUTE   Juniper-Deny-Configuration  5   string  Juniper

With that said, I'm using OpenLDAP to authenticate and would also like
to use LDAP to control who has access to which commands within JUNOS.
Therefore, can I place these attributes in my OpenLDAP ldif and have
radius read them? In doing this, don't these attributes need to be
defined within the RADIUS-LDAPv3.schema or some other schema? Is anyone
doing this currently to show me where I need to go next? I have searched
the web and there is little info on Juniper/Freeradius.

Thanks

Robert



sql overhead

2004-03-19 Thread [EMAIL PROTECTED]
hello,

is there a way to communicate a value/parameter between
authorize_check_query and authorize_reply_query ?

I use an extensive search to qualify a request from the radius
server and I do not want to do it twice.
I want to migrate my application from gnuradius to freeradius
and in gnuradius there is an attribute "Auth-Data" which is added to
the request and can be viewed by sequential sql queries.

thanks,
razvan radu





Digest-Attributes + perl

2004-03-19 Thread Pavel Kuz
Hello!

I have freeradius-0.9.3_1 running at FreeBSD 5.2.1-RELEASE-p1
I'd like to user rlm_perl for digest authentication.
The problem is when I look into %RAD_REQUEST here is what I see:

rlm_perl: Digest-Attribute= 0x010b746573747265616c6d
rlm_perl: Digest-Attribute= 0x020a3132333461626364
rlm_perl: Digest-Attribute= 0x0308494e56495445
rlm_perl: Digest-Attribute= 0x041c7369703a35353535353531323132406578616d706c652e636f6d
rlm_perl: Digest-Attribute= 0x06054d4435
rlm_perl: Digest-Attribute= 0x0a0674657374

The question is: can freeradius translate these av-pairs into 
Digest-Realm,Digest-Nonce, etc, av-pairs before passing them to rlm_perl?

I think it's possible to import code from rlm_digest to freeradius, but I'm not very
good in C, can someone help me with this?

Any ideas on this question are welcome!

Thanks in advance!

-- 
Sincerely,
Pavel Kuz

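The translation the post asks for, as an added example (not the poster's Perl and not code from rlm_digest or the FreeRADIUS project), written in Python so it can be run on the six values above: each Digest-Attribute is a sub-type byte, a length byte that counts the whole sub-attribute, then the text, and the sub-type numbers follow the FreeRADIUS dictionary. The RFC 2617 response check at the end and the password it is tested with are constructed for illustration.

```python
"""Decode FreeRADIUS Digest-Attribute sub-attributes and verify a Digest-Response.

Added example, not code from the original post or from the FreeRADIUS project.
Each Digest-Attribute value is a TLV (sub-type byte, length byte covering the
whole TLV, then the text), so the six values the poster saw decode to
Digest-Realm, Digest-Nonce, and so on.
"""
import hashlib
import hmac

# Sub-attribute type -> FreeRADIUS attribute name (draft-sterman-aaa-sip).
DIGEST_SUBTYPES = {
    1: "Digest-Realm",
    2: "Digest-Nonce",
    3: "Digest-Method",
    4: "Digest-URI",
    5: "Digest-QOP",
    6: "Digest-Algorithm",
    7: "Digest-Body-Digest",
    8: "Digest-CNonce",
    9: "Digest-Nonce-Count",
    10: "Digest-User-Name",
}

# The Digest-Attribute values exactly as the poster saw them in %RAD_REQUEST.
SAMPLE_DIGEST_ATTRIBUTES = [
    "0x010b746573747265616c6d",
    "0x020a3132333461626364",
    "0x0308494e56495445",
    "0x041c7369703a35353535353531323132406578616d706c652e636f6d",
    "0x06054d4435",
    "0x0a0674657374",
]


def decode_digest_attribute(value):
    """Split one Digest-Attribute TLV into (attribute name, text value).

    `value` is the "0x..." string rlm_perl hands over.  Truncated or
    inconsistent TLVs are rejected instead of being guessed at.
    """
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if len(raw) < 2:
        raise ValueError("Digest-Attribute shorter than its 2-byte header")
    subtype, length = raw[0], raw[1]
    # The length byte counts the type and length bytes as well as the text.
    if length != len(raw):
        raise ValueError("Digest-Attribute length %d != %d bytes" % (length, len(raw)))
    name = DIGEST_SUBTYPES.get(subtype)
    if name is None:
        raise ValueError("unknown Digest sub-attribute type %d" % subtype)
    return name, raw[2:].decode("ascii")


def translate_digest_attributes(values):
    """Turn a list of Digest-Attribute strings into {"Digest-Realm": ..., ...}."""
    return dict(decode_digest_attribute(v) for v in values)


def compute_digest_response(attrs, password):
    """RFC 2617 response for the decoded attributes and a known cleartext password.

    MD5 is what RFC 2617 Digest prescribes; this is not a choice of this example.
    """
    def h(s):
        return hashlib.md5(s.encode("ascii")).hexdigest()

    ha1 = h("%s:%s:%s" % (attrs["Digest-User-Name"], attrs["Digest-Realm"], password))
    ha2 = h("%s:%s" % (attrs["Digest-Method"], attrs["Digest-URI"]))
    qop = attrs.get("Digest-QOP")
    if qop is None:
        # No qop negotiated (the poster's request): response = MD5(HA1:nonce:HA2).
        return h("%s:%s:%s" % (ha1, attrs["Digest-Nonce"], ha2))
    if qop != "auth":
        raise ValueError("qop=%s not handled in this example" % qop)
    return h("%s:%s:%s:%s:%s:%s" % (
        ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
        attrs["Digest-CNonce"], qop, ha2))


def verify_digest_response(values, digest_response, password):
    """True when the client's Digest-Response matches the one we expect."""
    attrs = translate_digest_attributes(values)
    if attrs.get("Digest-Algorithm", "MD5") != "MD5":
        return False  # MD5-sess and others are outside this example
    expected = compute_digest_response(attrs, password)
    # Constant-time comparison so a wrong response cannot be timed.
    return hmac.compare_digest(expected, digest_response.lower())


if __name__ == "__main__":
    for name, text in sorted(translate_digest_attributes(SAMPLE_DIGEST_ATTRIBUTES).items()):
        print("%s = %s" % (name, text))
```

The decoded pairs are what a users-file or rlm_perl check would see as Digest-Realm, Digest-Nonce, Digest-Method, Digest-URI, Digest-Algorithm and Digest-User-Name; no Digest-QOP is present in the poster's request, so the response is the qop-less form.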


module execution order

2004-03-19 Thread flamur
Hi,
I have installed freeradius 0.9.3 with python module and it works ok, and I have one 
question regarding module execution order.

In my system i use both files and python module
When files module returns ok, (the user is accepted), freeradius continues to execute 
next module (python).

How can I disable this ?

radiusd debug output:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.9:1125, id=0, length=85
User-Name = "test"
User-Password = "test"
modcall: entering group authorize for request 0
users: Matched test at 2
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "python" returns notfound for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test/test] (from client 192.168.10.11shi port 0 cli 10.1.0.77)
Sending Access-Accept of id 0 to 192.168.10.9:1125
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Filter-Id = "60"
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 900
Finished request 0



/etc/raddb/users
test	Auth-Type := Local, Password == "test"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Filter-Id = "60",
	Framed-Compression = Van-Jacobson-TCP-IP,
	Session-Timeout = 900,


radiusd.conf has the following,
modules {
	files {
	...
	}

	python {
	...
	}
}

instantiate {
	files
	python
}

authorize {
	files
	python
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type PYTHON {
		python
	}
}



FR doesn't know my users

2004-03-19 Thread Marc Werner
hi group!

i have a problem with my free-radiusserver. the radiusd starts normally but i 
cannot log on with a username and password defined in /etc/raddb/users. the 
client is a cisco-router 1720. below you find some logs i made. perhaps you 
can pick out what went wrong. thanks for your help!!!

ciao marc werner

/etc/raddb/clients.conf:
client 10.0.0.1 {
	secret = meinsecret
	shortname = 1720
}

output from tcpdump:
09:39:00.304215 10.0.0.1.sightline > radius.radius: rad-access-req 72 [id 1] 
Attr[ NAS_ipaddr{10.0.0.1} NAS_port{0} NAS_port_type{Async} User{$enab15$} [|
radius]
09:39:05.304134 10.0.0.1.sightline > radius.radius: rad-access-req 72 [id 1] 
Attr[ NAS_ipaddr{10.0.0.1} NAS_port{0} NAS_port_type{Async} User{$enab15$} [|
radius]
09:39:05.304742 arp who-has 10.0.0.1 tell radius
09:39:05.305353 arp reply 10.0.0.1 is-at 0:b0:c2:89:d6:58
09:39:05.305370 radius.radius > 10.0.0.1.sightline: rad-access-reject 20 [id 
1] (DF)
09:39:05.305377 radius.radius > 10.0.0.1.sightline: rad-access-reject 20 [id 
1] (DF)

/var/log/radius/radius.log:
Fri Mar 19 09:02:35 2004 : Info: Using deprecated naslist file. Support for 
this will go away soon.
Fri Mar 19 09:02:35 2004 : Info: Using deprecated clients file. Support for 
this will go away soon.
Fri Mar 19 09:02:35 2004 : Info: Using deprecated realms file. Support for 
this will go away soon.
Fri Mar 19 09:02:35 2004 : Info: HASH: Reinitializing hash structures and 
lists for caching...
Fri Mar 19 09:02:35 2004 : Info: HASH: Stored 17 entries from /etc/passwd
Fri Mar 19 09:02:35 2004 : Info: HASH: Stored 36 entries from /etc/group
Fri Mar 19 09:02:35 2004 : Info: Listening on IP address 10.0.0.2, ports 1812/
udp and 1813/udp, with proxy on 1814/udp.
Fri Mar 19 09:02:35 2004 : Info: Ready to process requests.
Fri Mar 19 09:05:07 2004 : Auth: Login incorrect: [$enab15$/sususe8710] (from 
client 1720 port 0)
Fri Mar 19 09:39:00 2004 : Auth: Login incorrect: [$enab15$/sususe8710] (from 
client 1720 port 0)

output from debug-mode:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/"
 main: localstatedir = "//var"
 main: logdir = "//var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "//var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "//var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "//var/run/radiusd.pid"
 main: bind_address = 10.0.0.2 IP address [10.0.0.2]
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded System 
 unix: cache = yes
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "//var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
  HASH:  user root found in hashtable bucket 11726
  HASH:  user bin found in hashtable bucket 86651
  HASH:  user daemon found in hashtable bucket 11668
  HASH:  user lp found in hashtable bucket 54068
  HASH:  user mail found in hashtable bucket 79471
  HASH:  user news found in hashtable bucket 5375
  HASH:  user uucp found in hashtable bucket 38541
  HASH:  user games found in hashtable bucket 47657
  HASH:  user man found in hashtable bucket 50534
  HASH:  user wwwrun found in hashtable bucket 21080
  HASH:  user ftp found in hashtable bucket 56226
  HASH:  user nobody found in hashtable bucket 99723
  HASH:  user at found in hashtable bucket 67095
  HASH:  user sshd found in hashtable bucket 71560
  HASH:  user postfix found in hashtable bucket 23093
  HASH:  user radiusd found in hashtable bucket 55046
  HASH:  user ntp found in hashtable bu

Re: TTLS + LDAP authentication

2004-03-19 Thread David Dunn
--- Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> On Thu, 18 Mar 2004, David Dunn wrote:
> 
> > Dear all,
> >
> > I'm a newbie to FR so please bear with me.
> >
> > I'm doing TTLS for wireless access. The wireless
> > client is Alfa-Ariss SecureW2 with Netscape LDAP as
> > backend (passwords are SHA encrypted). FR is CVS
> > snapshot-20040308 running on RH9.
> >
> > I planned to retrieve the encrypted password from
> > LDAP. During the final stage of the TTLS
> > authentication use PAP module to encrypt the cleartext
> > password from SecureW2 into SHA hash and compare with
> > the retrieved one.
> >
> > But what actually happens is that FR indicates it found
> > 'Auth-Type LDAP' during the final stage (request 5 in
> > my debug) and proceeds to use LDAP for user password
> > authentication, since I didn't enable LDAP for
> > authentication, it failed.
> >
> > If I enable LDAP for authentication, it works. A
> > successful bind to LDAP will authenticate the user. But
> > cleartext password is used and I would rather avoid
> > it.
> >
> > So how can I use PAP for password authentication or is
> > it not possible?
> 
> You need to set Auth-Type in the users file. Since
> you don't the ldap module
> sets it to LDAP.

OK I understand, but what Auth-Type should I set in
the users file?

It shouldn't be LDAP (I'll end up where I started).
Nor PAP, as password is not available before the
EAP-TLS tunnel has been established and authentication
will fail. Set to EAP, once the password is sent
through the TLS tunnel FR still expect EAP
authentication and it failed.

Suggestions?

Thanks.



AW: Behavior for rlm_ldap module

2004-03-19 Thread Arne.Spetzler
Hi,

i would also appreciate a solution for this "LDAP-ISSUE" (very much!)

does anyone know if a solution is in sight? And - more important - when??

Is anyone working on the extension of "configurable failover"??

Arne
 
Dataport 
Altenholzer Str 10 - 14, 24161 Altenholz 
Internet:www.dataport.de 
E-Mail: [EMAIL PROTECTED] 
Telefon: 0431 - 32 95 6840 
Telefax: 0431 - 32 95 410 

> Message: 6
> Date: Fri, 12 Mar 2004 16:17:14 +0200 (EET)
> From: Kostas Kalevras <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Behavior for rlm_ldap module
> Reply-To: [EMAIL PROTECTED]
> 
> On Fri, 12 Mar 2004, Pierluigi Frullani wrote:
> 
> > Hi all.
> > Reading through the C code of rlm_ldap I've noticed that the behavior for
> > this module, when it got a nosuchobject or an ambiguous reply is to not
> > reject the request, but pass it over for some other modules, either in
> > authorize then in authenticate.
> > This could be ok when you have a distributed ldap with different databases,
> > but could result in some false positive when using a replicated net of
> > ldap that have the same information.
> > While I do have this latest configuration I've tried to figure out how I
> > could get a reject if the modules fail with these two options, and I made
> > a patch to rlm_ldap.c to have a configuration option to achieve this
> > behavior.
> > So, my patch adds the : "not_found_should_reject" (boolean type yes/no)
> > keyword in ldap section of radiusd.conf, with a default value of no, so
> > the normal behavior is kept, and if set to yes, will make the module
> > return a reject when it fails as described.
> >
> > Could this patch be included in CVS, and so in next distribution ?
> 
> 
> I'd prefer a more general approach. As previously described by Alan
> configurable failover could be extended so that something like this can be
> possible:
> 
> authorize{
>   eap
>   chap
>   files
>   ldap {
>   notfound = reject
>   }
> }
> 
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 



Re: TTLS + LDAP authentication

2004-03-19 Thread Kostas Kalevras
On Thu, 18 Mar 2004, David Dunn wrote:

> Dear all,
>
> I'm a newbie to FR so please bear with me.
>
> I'm doing TTLS for wireless access. The wireless
> client is Alfa-Ariss SecureW2 with Netscape LDAP as
> backend (passwords are SHA encrypted). FR is CVS
> snapshot-20040308 running on RH9.
>
> I planned to retrieve the encrypted password from
> LDAP. During the final stage of the TTLS
> authentication use PAP module to encrypt the cleartext
> password from SecureW2 into SHA hash and compare with
> the retrieved one.
>
> But what actually happens is that FR indicates it found
> 'Auth-Type LDAP' during the final stage (request 5 in
> my debug) and proceeds to use LDAP for user password
> authentication, since I didn't enable LDAP for
> authentication, it failed.
>
> If I enable LDAP for authentication, it works. A
> successful bind to LDAP will authenticate the user. But
> cleartext password is used and I would rather avoid
> it.
>
> So how can I use PAP for password authentication or is
> it not possible?

You need to set Auth-Type in the users file. Since you don't the ldap module
sets it to LDAP.

>
> Below are the debug output, users file and
> radiusd.conf.
>
> Any input greatly appreciated.
>
> ---
> Debug output
> ---
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/usr/local/var"
>  main: logdir = "/usr/local/var/log/radius"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/usr/local/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/usr/local/var/log/radius/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/sbin/checkrad"
>  main: proxy_requests = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> Using deprecated clients file.  Support for this will go away soon.
> read_config_files:  reading realms
> Using deprecated realms file.  Support for this will go away soon.
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>  exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "sha1"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = no
>  mschap: require_strong = no
>  mschap: with_ntdomain_hack = no
>  mschap: passwd = "(null)"
>  mschap: authtype = "MS-CHAP"
> Module: Instantiated mschap (mschap)
> Module: Loaded eap
>  eap: default_eap_type = "tls"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = no
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
>  tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
>  tls: private_key_password = "whatever"
>  tls: dh_file = "/usr/local/etc/raddb/certs/dh"
>  tls: random_file = "/usr/local/etc/raddb/certs/random"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
> rlm_eap: Loaded and initialized type tls
>  ttls: default_eap_type = "md5"
>  ttls: copy_request_to_tunnel = yes
>  ttls: use_tunneled_reply = no
> rlm_eap: Loaded and initialized type ttls
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
>  preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
>  preprocess: hints = "/usr/local/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: w

Re: how to assign arbitrary dynamic Nas-Port in Hints file for rlm_ippool using variables ?

2004-03-19 Thread Kostas Kalevras
On Fri, 19 Mar 2004, Josh Fry wrote:

> Hello,
>
> I am using  freeradius-0.9.3 on Solaris 8,
>
> I have a scenario where a remote third party NAS that we do not control is sending 
> access request packets without
> any NAS-Port defined. ( it is a GPRS connection )
>
> To get round this - in the Hints file I was assigning an arbitrary Nas-Port to the 
> incoming connection.
> However so far I  have only been able to assign a static number as a Nas-Port.
>
> this does not work with rlm_ippool module as the database uses nas ip/ nas port as a 
> key in the file.
>
> is it possible to assign some sort of arbitrary unique dynamic number as a Nas-Port
> I thought I might be able to use "Calling-Station-Id"  for example in the
> hints file I tried to set
>
> DEFAULT Suffix = "***", Strip-User-Name = No
> Hint = "GPRS",
> Nas-Port = `%i`
>
>
> but this does not seem to work it just sets the port as '0'
>
> or force rlm_ippool to use some other value apart from Nas-Port as a key

In the future rlm_ippool will be able to use a user defined key. For now you
could use attr_rewrite to add the value Calling-Station-Id as a NAS-Port
attribute.

>
> does anybody know a way round this
>
> kind regards
>
> Josh

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: segmentation fault

2004-03-19 Thread Pavol Zibrita
Hi!

> Hi there,
>  I downloaded freeradius-snapshot-20040317.tar.gz
> and compiled against openssl-0.9.7d. It produces
> segmentation fault when I run for TLS authentication.

I also got some segmentation faults before. Make sure the radiusd is using
the appropriate shared libraries.

ldd radiusd

Make sure the versions of the libraries are used that you have compiled it with.
For example, my problem was that radiusd was using openssl0.9.6 however I have
compiled it with 0.9.7 and also the so files where loaded...

maybe this will help..

P.Zibrita




how to assign arbitrary dynamic Nas-Port in Hints file for rlm_ippool using variables ?

2004-03-19 Thread Josh Fry
Hello,

I am using  freeradius-0.9.3 on Solaris 8,

I have a scenario where a remote third party NAS that we do not control is sending
access request packets without any NAS-Port defined. ( it is a GPRS connection )

To get round this - in the Hints file I was assigning an arbitrary Nas-Port to the
incoming connection.
However so far I have only been able to assign a static number as a Nas-Port.

This does not work with the rlm_ippool module as the database uses nas ip / nas port as a
key in the file.

Is it possible to assign some sort of arbitrary unique dynamic number as a Nas-Port?
I thought I might be able to use "Calling-Station-Id", for example in the
hints file I tried to set

DEFAULT Suffix = "***", Strip-User-Name = No
	Hint = "GPRS",
	Nas-Port = `%i`

but this does not seem to work, it just sets the port as '0'.

Or force rlm_ippool to use some other value apart from Nas-Port as a key?

Does anybody know a way round this?

kind regards

Josh








Re: free radius client software

2004-03-19 Thread Max Ahston
> does any one of you know where to find the free radius client software
> ,also if source code is available then let me know

free radius client software? I guess you're looking for radclient or 
radtest, both are included in the source-package that you can download 
from www.freeradius.org. Compile the package and you will get your radtest 
or radclient.

Max!


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with AS5400 and freeradius

2004-03-19 Thread Costas Christonis
Hi to all,
we have installed radius 0.9 on a linux box and it works fine with
cisco AS5200 and AS5300.
We tried to install a new AS5400 to work with radius but we have some
problems.
The problems that we notice are:

- when a ppp request is coming in the AS5400, 3 identical requests come in to
radius. The first has the right username/password and the other 2 the
right username and password "cisco". The result is that the user is
rejected.

- When running debug in Cisco AS5400 we have these

1:57:20: ISDN Se7/0:15: RX <-  SETUP pd = 8  callref = 0x0D4A
01:57:20: Sending Complete
01:57:20: Bearer Capability i = 0x8090A3
01:57:20: Channel ID i = 0xA18381
01:57:20: Calling Party Number i = 0x0083, '2831020899', Plan:Unknown, 
Type:Unknown
01:57:20: Called Party Number i = 0xA1, '5603327', Plan:ISDN, Type:National
01:57:20: ISDN Se7/0:15: Incoming call id = 0x0039, dsl 0
01:57:20: ISDN Se7/0:15: NegotiateBchan: bchan 1 intid 0 serv_st 0 chan_st 0 callid 
0x ev 0x90 n/w? 0
01:57:20: Negotiated int_id 0 bchan 0 cr=0x8D4A callid=0x0039 lo_chan 1 final 
int_id/bchan 0/1 cause 0x0
01:57:20: ISDN Se7/0:15: LIF_EVENT: ces/callid 1/0x39 CALL_INCOMING
01:57:20: ISDN Se7/0:15: CALL_INCOMING dsl 0 bchan 0
01:57:20: ISDN Se7/0:15: CALL_INCOMING: call type is VOICE ALAW, bchan = 0
01:57:20: ISDN Se7/0:15: Event:  Received a VOICE call from 2831020899 on B0 at 64 
Kb/s Tone Value 0
01:57:20: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=7, ds0=117440512
01:57:20: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=7, ds0=117440512
01:57:20: ISDN Se7/0:15: RM returned call_type 1 resource type 0 response 2
01:57:20: ISDN Se7/0:15: EVENT to CSM:DEV_INCALL: calltype=VOICE, bchan=0
01:57:20: ISDN Se7/0:15: TX ->  CALL_PROC pd = 8  callref = 0x8D4A
01:57:20: Channel ID i = 0xA98381
01:57:20: ISDN Se7/0:15: TX ->  ALERTING pd = 8  callref = 0x8D4A
01:57:20: ISDN Se7/0:15: VOICE_ANS Event:  call id 0x39, bchan 0, ces 1
01:57:20: ISDN Se7/0:15: isdn_send_connect(): msg 74, call id 0x39, ces 0 bchan 0, 
call type VOICE
01:57:20: ISDN Se7/0:15: TX ->  CONNECT pd = 8  callref = 0x8D4A
01:57:20: ISDN Se7/0:15: RX <-  CONNECT_ACK pd = 8  callref = 0x0D4A
01:57:20: ISDN Se7/0:15: LIF_EVENT: ces/callid 1/0x39 CALL_PROGRESS
01:57:20: ISDN Se7/0:15: event CALL_PROGRESS dsl 0
01:57:20: ISDN Se7/0:15: CALL_PROGRESS: CALL_CONNECTED call id 0x39, bchan 0, dsl 0
01:57:20: ISDN Se7/0:15: EVENT to CSM:DEV_CONNECTED: calltype=VOICE, bchan=0
01:57:41: As1/26 LCP: I CONFREQ [Closed] id 0 len 47
01:57:41: As1/26 LCP:ACCM 0x (0x0206)
01:57:41: As1/26 LCP:MagicNumber 0x0DC129A8 (0x05060DC129A8)
01:57:41: As1/26 LCP:PFC (0x0702)
01:57:41: As1/26 LCP:ACFC (0x0802)
01:57:41: As1/26 LCP:MRRU 1614 (0x1104064E)
01:57:41: As1/26 LCP:EndpointDisc 1 Local
01:57:41: As1/26 LCP: (0x131701CE0B81A055404236BE3419D514)
01:57:41: As1/26 LCP: (0x6A9DD1)
01:57:41: As1/26 LCP: Lower layer not up, Fast Starting
01:57:41: As1/26 PPP: Treating connection as a dedicated line
01:57:41: As1/26 PPP: Phase is ESTABLISHING, Active Open
01:57:41: As1/26 PPP: Authorization required
01:57:41: As1/26 AAA/AUTHOR/LCP: Authorization succeeds trivially 
01:57:41: As1/26 LCP: O CONFREQ [Closed] id 1 len 24
01:57:41: As1/26 LCP:ACCM 0x000A (0x0206000A)
01:57:41: As1/26 LCP:AuthProto PAP (0x0304C023)
01:57:41: As1/26 LCP:MagicNumber 0x0EA4084E (0x05060EA4084E)
01:57:41: As1/26 LCP:PFC (0x0702)
01:57:41: As1/26 LCP:ACFC (0x0802)
01:57:41: As1/26 LCP: O CONFREJ [REQsent] id 0 len 8
01:57:41: As1/26 LCP:MRRU 1614 (0x1104064E)
01:57:41: As1/26 LCP: I CONFACK [REQsent] id 1 len 24
01:57:41: As1/26 LCP:ACCM 0x000A (0x0206000A)
01:57:41: As1/26 LCP:AuthProto PAP (0x0304C023)
01:57:41: As1/26 LCP:MagicNumber 0x0EA4084E (0x05060EA4084E)
01:57:41: As1/26 LCP:PFC (0x0702)
01:57:41: As1/26 LCP:ACFC (0x0802)
01:57:41: As1/26 LCP: I CONFREQ [ACKrcvd] id 1 len 43
01:57:41: As1/26 LCP:ACCM 0x (0x0206)
01:57:41: As1/26 LCP:MagicNumber 0x0DC129A8 (0x05060DC129A8)
01:57:41: As1/26 LCP:PFC (0x0702)
01:57:41: As1/26 LCP:ACFC (0x0802)
01:57:41: As1/26 LCP:EndpointDisc 1 Local
01:57:41: As1/26 LCP: (0x131701CE0B81A055404236BE3419D514)
01:57:41: As1/26 LCP: (0x6A9DD1)
01:57:41: As1/26 LCP: O CONFACK [ACKrcvd] id 1 len 43
01:57:41: As1/26 LCP:ACCM 0x (0x0206)
01:57:41: As1/26 LCP:MagicNumber 0x0DC129A8 (0x05060DC129A8)
01:57:41: As1/26 LCP:PFC (0x0702)
01:57:41: As1/26 LCP:ACFC (0x0802)
01:57:41: As1/26 LCP:EndpointDisc 1 Local
01:57:41: As1/26 LCP: (0x131701CE0B81A055404236BE3419D514)
01:57:41: As1/26 LCP: (0x6A9DD1)
01:57:41: As1/26 LCP: State is Open
01:57:41: As1/26 PPP: Phase is AUTHENTICATING, by this end
01:57:42: As1/26 PAP: I AUTH-REQ id 44 len 19 from "tsigis2"
01:57:42: As1/26 PAP: Authenticating peer tsigis2
01:57:42: As1/26 PPP: Phase is FORWARDING, Attempting

Authentication Responses during error conditions

2004-03-19 Thread Doug Hardie
I encountered a situation where my primary radius server started 
logging a bunch of messages of the form:

Wed Mar 17 09:36:04 2004 : Error: WARNING: Unresponsive child (id 
137058304) for request 712781

Shortly after that the messages changed to:

Wed Mar 17 09:40:26 2004 : Info: The maximum number of threads (100) 
are active, cannot spawn new thread to handle request

However the NASs didn't switch to the backup radius server which was 
operating properly.  We are trying to figure out why they didn't 
switch.  When the radius server goes into either of those modes, what 
is it returning for the authentication response?  I would guess from 
the message text it's not returning anything, but that should have caused 
the NAS to switch to the secondary radius server.  Could it possibly 
have been returning an authentication failure?

FreeRADIUS Version 0.9.3

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
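The question above turns on the difference, from the NAS's point of view, between a server that sends nothing (which should trigger failover after the retry timeout) and one that answers Access-Reject (which is a valid answer and does not). The following is an added example, not code from the post or from FreeRADIUS: a minimal RFC 2865 Access-Request client in the spirit of radtest/radclient, with PAP password hiding and Response Authenticator verification, run against two constructed local stand-in servers, one that stays silent (standing in for the unresponsive server) and one that always rejects. The shared secret, user name, password, timeout and retry count are constructed values.

```python
import hashlib
import os
import socket
import struct
import threading

SECRET = b"testing123"       # constructed shared secret for the example

def encrypt_pap_password(password, secret, req_auth):
    """RFC 2865 section 5.2 User-Password hiding: XOR 16-byte blocks with a
    chained MD5(secret + previous block) keystream, first block keyed by the
    Request Authenticator."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def build_access_request(ident, username, password, secret):
    """Access-Request (code 1) with User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    req_auth = os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, username),
                             (2, encrypt_pap_password(password, secret, req_auth)),
                             (4, socket.inet_aton("127.0.0.1"))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def valid_response(packet, req_auth, secret):
    """Check the Response Authenticator (RFC 2865 section 3) before trusting a reply:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return packet[4:20] == expected

def radius_auth_with_failover(servers, username, password, secret, timeout=0.2, retries=2):
    """Try each (host, port) in order. A server that never answers within
    retries * timeout is skipped (failover); any authenticated answer, including
    Access-Reject, ends the attempt without consulting the next server."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    ident = 0
    try:
        for server in servers:
            for _ in range(retries):
                ident = (ident + 1) & 0xFF
                pkt, req_auth = build_access_request(ident, username, password, secret)
                sock.sendto(pkt, server)
                try:
                    data, _ = sock.recvfrom(4096)
                except socket.timeout:
                    continue                       # no answer: retry, then fail over
                if data[1] != ident or not valid_response(data, req_auth, secret):
                    continue                       # stale or forged reply: ignore it
                return {2: "accept", 3: "reject"}.get(data[0], "other"), server
        return "timeout", None
    finally:
        sock.close()

def start_fake_server(mode, secret):
    """Constructed stand-in server: 'reject' answers every request with an
    Access-Reject, 'silent' reads requests and never replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(4096)
            if mode == "silent":
                continue
            header = struct.pack("!BBH", 3, data[1], 20)   # Access-Reject, no attributes
            resp_auth = hashlib.md5(header + data[4:20] + secret).digest()
            srv.sendto(header + resp_auth, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def demo():
    silent = start_fake_server("silent", SECRET)
    rejecting = start_fake_server("reject", SECRET)
    return {
        "silent": silent,
        "rejecting": rejecting,
        # Primary silent, backup rejecting: the client fails over and is rejected there.
        "silent_then_reject": radius_auth_with_failover([silent, rejecting], b"alice", b"pw", SECRET),
        # Primary rejecting: a reject is a real answer, so the backup is never tried.
        "reject_then_silent": radius_auth_with_failover([rejecting, silent], b"alice", b"pw", SECRET),
        # Nobody answers at all.
        "all_silent": radius_auth_with_failover([silent], b"alice", b"pw", SECRET),
    }

if __name__ == "__main__":
    print(demo())
```

The point for the question in the post: if the overloaded server had still been emitting Access-Reject (or any authenticated reply), a NAS behaving like this client would treat that as a valid answer and never move to the backup; only silence for the full retry window causes failover.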