Re: Colubris
Thanks. I was able to resolve the problem. The operator type was wrong.

Prabh

--- Livraizone <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am new to FreeRadius and trying to configure it
> with Colubris device.
> I have defined many Colubris-AVPair in radgroupreply
> table but for some reason only first AVPair is
> being passed.
>
> Thanks for your help.
>
> Debug Log:
>
> rlm_mschap: adding MS-CHAPv1 MPPE keys
> modcall[authenticate]: module "mschap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Login OK: [john/] (from client colubris port 0 cli 00-02-6F-08-50-B8)
> Sending Access-Accept of id 40 to 121.138.0.150:1026
>         Colubris-AVPair = "login-url=https://login.xyz.net/CN3000BI/login.php?NASid=%n"
>         Port-Limit = 1
>         MS-CHAP-MPPE-Keys = 0x1375b00d2ad7d73bea5a4a3jsp0cd188b0c2613a1d6b26aa
>         MS-MPPE-Encryption-Policy = 0x0001
>         MS-MPPE-Encryption-Types = 0x0006
> Finished request 0

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Colubris
Hi,

I am new to FreeRadius and trying to configure it with Colubris device.
I have defined many Colubris-AVPair in radgroupreply table but for some reason only first AVPair is being passed.

Thanks for your help.

Debug Log:

rlm_mschap: adding MS-CHAPv1 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [john/] (from client colubris port 0 cli 00-02-6F-08-50-B8)
Sending Access-Accept of id 40 to 121.138.0.150:1026
        Colubris-AVPair = "login-url=https://login.xyz.net/CN3000BI/login.php?NASid=%n"
        Port-Limit = 1
        MS-CHAP-MPPE-Keys = 0x1375b00d2ad7d73bea5a4a3jsp0cd188b0c2613a1d6b26aa
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
Finished request 0
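The reply above says only that the operator type was wrong. As an added illustration (not code from the thread or from FreeRADIUS), this Python model applies the reply-item operator semantics documented for FreeRADIUS, assuming the radgroupreply rows used `=` where `+=` was needed; the function names and the placeholder AVPair values are constructed.

```python
# Added illustration: a small model of how FreeRADIUS applies the reply-item
# operators "=", ":=" and "+=" (semantics as documented in the users(5) man page).
# Function names are hypothetical; this is not FreeRADIUS code.

# Constructed radgroupreply rows as (attribute, op, value). Only the login-url
# value appears in the thread; the other Colubris-AVPair values are placeholders.
ROWS_WITH_EQUALS = [
    ("Colubris-AVPair", "=",
     "login-url=https://login.xyz.net/CN3000BI/login.php?NASid=%n"),
    ("Colubris-AVPair", "=", "placeholder-setting-2=value2"),
    ("Colubris-AVPair", "=", "placeholder-setting-3=value3"),
    ("Port-Limit", "=", "1"),
]


def with_operator(rows, attribute, op):
    """Return a copy of rows with every row for `attribute` switched to `op`."""
    return [(a, op if a == attribute else o, v) for a, o, v in rows]


def merge_reply_items(rows):
    """Apply rows in order; return (reply_list, dropped_rows)."""
    reply, dropped = [], []
    for attr, op, value in rows:
        present = any(a == attr for a, _ in reply)
        if op == "=":
            # Add only if no attribute of the same name is already in the reply.
            if present:
                dropped.append((attr, value))
            else:
                reply.append((attr, value))
        elif op == ":=":
            # Replace any existing attribute of the same name.
            dropped.extend(p for p in reply if p[0] == attr)
            reply = [p for p in reply if p[0] != attr]
            reply.append((attr, value))
        elif op == "+=":
            # Always append, so multi-valued attributes keep every value.
            reply.append((attr, value))
        else:
            raise ValueError(f"unsupported reply operator: {op!r}")
    return reply, dropped


def count(reply, attribute):
    """Number of instances of `attribute` that would be sent in the reply."""
    return sum(1 for a, _ in reply if a == attribute)


if __name__ == "__main__":
    for label, rows in (
        ("=", ROWS_WITH_EQUALS),
        ("+=", with_operator(ROWS_WITH_EQUALS, "Colubris-AVPair", "+=")),
    ):
        reply, dropped = merge_reply_items(rows)
        print(f"op {label}: {count(reply, 'Colubris-AVPair')} Colubris-AVPair sent, "
              f"{len(dropped)} row(s) silently dropped")
        for attr, value in dropped:
            print(f"    dropped: {attr} = {value!r}")
```

Running `merge_reply_items` over an export of the reply table before deployment shows which rows the server would silently leave out of the Access-Accept.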
radacct table definition issue
Hiya

Have just noticed on a fresh build with freeRADIUS 1.0.0-pre1 that using the postgresql db schema creates a radacct table where the NASportId field is only defined as an integer. This will not be sufficient on some larger systems (RedBack for instance).

I don't know if it's a change I made or not, but the systems I set up using older versions of freeRADIUS have this set as a bigint.

Just thought I would point it out.

--
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)
ICQ 3842605 (link)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: EAP/TLS - rlm_ippool: Could not find Pool-Name attribute.
On Sat, 2004-06-05 at 17:26, Alan DeKok wrote:
> Zdenek Pizl <[EMAIL PROTECTED]> wrote:
> > OK, why radius server shows that error message
>
> Because you told the server to use the ippool module, but didn't
> tell it *which* ippool module to use. Since the ippool module doesn't
> do EAP, it doesn't know that assigning an IP will be pointless.

ok, i understand it. thx.

> > and how can the station (supplicant?) get an IP address for its work
> > in this usecase?
>
> DHCP, or a static IP. You have NO other options.

just to clarify my mind - The SMC Barricade does DHCP server (i think inside is some type of BSD OS :) but the supplicant does not get an address. There is something misconfigured, because RADIUS is printing Login OK, but station shows message "Cannot log in the network ..." I can't figure where the error is.

Thank you anyway, Alan, for your help.

z.p.

> > Oh, does exist a howto about freeradius configuration and 802.1x
> > wireless communication? I dont mind the generally known articles,
> > because it do not describe CONFIGURATION of freeradius in that case.
>
> They describe how to configure the server. Some even give sample
> configurations. They don't describe how to configure the server to do
> what *you* want, because every site is different.
>
> Alan DeKok.

--
Zdenek Pizl
Systinet Corporation
Vinohradska 190
130 00 Praha 3
Replyitem forcing?
hello,

im having problems in understanding, how freeradius differentiate between replyitems, which are replied everytime not matter about successful authentication like the Attribute "Reply-Message" and Attributes, which are only replied if the authentication is successful.

im asking this for integrating "Cisco AV-Pairs" correctly as ReplyItems, which should be only replied if the authentication is successful. at the moment they are replied every time, whether if the supplied User-Password is correct or not.

thanks for any hints!
RE: User ID & Password
Great. I will try it.

Thanks.

Kirti

-----Original Message-----
From: Keith Yoder [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 05, 2004 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: User ID & Password

>vpopmail is used to add UID & PW and the data is stored in vpopmail DB in
>MySQL. Now freeRADIUS also uses UID & PW to authenticate and has its own
>data structure. I like to know if there is a way so that user data is stored
>in one table in MySQL so vpopmail and freeRADIUS can access the same
>information??

With vpopmail you can't change the db schema or queries but you CAN with Freeradius. I would suggest altering the Freeradius queries in sql.conf to pull data from the vpopmail table.

Hope that helps,
Keith Yoder
Re: User ID & Password
>vpopmail is used to add UID & PW and the data is stored in vpopmail DB in
>MySQL. Now freeRADIUS also uses UID & PW to authenticate and has its own
>data structure. I like to know if there is a way so that user data is stored
>in one table in MySQL so vpopmail and freeRADIUS can access the same
>information??

With vpopmail you can't change the db schema or queries but you CAN with Freeradius. I would suggest altering the Freeradius queries in sql.conf to pull data from the vpopmail table.

Hope that helps,
Keith Yoder
RE: Authorization not working w/ Cisco
I have already provided such output in my original posting. Please read my posting again - thoroughly. Here is another instance of radiusd debug output (again, similar to my orig. posting):

rad_recv: Access-Request packet from host 172.20.1.10:1645, id=61, length=80
        NAS-IP-Address = 172.20.1.10
        NAS-Port = 19
        NAS-Port-Type = Virtual
        User-Name = "topruser"
        Calling-Station-Id = "172.20.1.200"
        User-Password = "t1e2s3t4"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "topruser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 164
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Sending Access-Accept of id 61 to 172.20.1.10:1645
Finished request 0
Going to the next request

If I use either one of the following aaa authorization entries on the router, authorization works fine:

aaa authorization exec default local
(or)
aaa authorization exec default if-authenticated local

In my users file, I have simply:

DEFAULT Auth-Type = System
        Fall-Through = 1

as the user "topruser" is in the freeradius server's /etc/passwd file. Again, authentication for this user via freeradius works. But "aaa authorization exec default group radius local" fails. I have also looked at tcpdump network traces of the failures, and they reveal nothing.

The issue is with freeradius, perhaps a configuration I am missing. I have read about profiles that need to be added to a RADIUS server for authorization, but I have failed to find any freeradius-related documentation relating to such (not even in the O'Reilly book).

--john

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Milver S. Nisay
> Sent: Saturday, June 05, 2004 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Authorization not working w/ Cisco
>
> better to show radiusd -X with the case WHEN you cannot get it., that will
> help isolating the problem.
> //milver
> ----- Original Message -----
> From: "John Sasso Jr" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, June 05, 2004 2:56 PM
> Subject: RE: Authorization not working w/ Cisco
>
> > This does not answer my question, which IS related to freeradius. I have
> > gone through the O'Reilly "RADIUS" book, which does a good job at explaining
> > implementing Authentication and Accounting with freeradius, but neglects
> > Authorization (which is what I am trying to do). Again, I am trying to
> > implement authorization through RADIUS, not local to the Cisco router
> > itself. I gave the exec issue as one example; I had a similar issue with
> > network as well (authorization only, NOT accounting and authentication).
> >
> > Thanks --john
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Milver S. Nisay
> > > Sent: Friday, June 04, 2004 9:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Authorization not working w/ Cisco
> > >
> > > > If I remove the "aaa authorization exec default group radius local"
> > > > entry on the router, I can get in fine. I should note that
> > > > authentication works A-OK with my freeradius box. Its the authorization
> > > > that is giving me issues.
> > >
> > > this happens to be cisco related question and be directed to cisco search
> > > link
> > > anyway, this works for me, have u tried this before since its authorization
> > > issue accdg to you.
> > >
> > > aaa authorization exec default local
> > > aaa authorization network default local group radius
> > >
> > > here is the link to look for it if it didnt work for you
> > > http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=route-cache&nv=Search+All+cisco.com%23%23cisco.com&nv=Technical+Support+%26+documentation%23%23cisco.com%23TSD&language=en&country=US&accessLevel=Guest&siteToSearch=cisco.com
> > >
> > > u can
Re: NAS-IP-Address
On Saturday 05 June 2004 17:27, Alan DeKok wrote:
> jesk <[EMAIL PROTECTED]> wrote:
> > > can somebody help me, why this dont works?
>
> Have you tried reading the FAQ?
>
> > i have to correct me, the check item "NAS-IP-Address" works never :(
>
> I don't believe you. The problem lies elsewhere.
>
> Alan DeKok.

hi alan,

ok maybe i told you not enough of my setup. i changed my configuration, and put the DEFAULT entry in mysql.

i got the following in mysql radgroupcheck:

| 33 | DEFAULT | Auth-Type      | := | Accept     |
| 34 | DEFAULT | NAS-IP-Address | != | 172.20.0.1 |

and this in radgroupreply:

| 3 | DEFAULT | Framed-Protocol   | = | PPP             | 0 |
| 4 | DEFAULT | Framed-IP-Address | = | 255.255.255.254 | 0 |
| 5 | DEFAULT | Service-Type      | = | Framed-User     | 0 |
| 6 | DEFAULT | Port-Limit        | = | 2               | 0 |

with this setup i want that everyone connecting from clients that are not 127.20.0.1 will get the default replyitems if the user is not found, but when a user is not found and is coming from ip 172.20.0.1 i want that the request is rejected. the problem is that with setting every request coming from 172.20.0.1 is rejected. i dont know how to get around it, please help.

regards,
christian
User ID & Password
Hello:

I am posting this message on freeRADIUS, vpopmail & mysql lists. This may get few people upset but please read

I am trying to install (on RH9), qmail, vpopmail, mysql, Courier-IMAP, squirrelmail, etc., with backend data on MySQL. On another computer I have installed RH9 & freeRADIUS server.

vpopmail is used to add UID & PW and the data is stored in vpopmail DB in MySQL. Now freeRADIUS also uses UID & PW to authenticate and has its own data structure. I like to know if there is a way so that user data is stored in one table in MySQL so vpopmail and freeRADIUS can access the same information??

Thanks in advance.

Kirti
zombies and crashes
Hi,

while my proxy radiusd is now behaving very nicely with the new code i have a problem with the home server. Every thread that exits goes zombie and with really high load the radiusd is crashing after some minutes. Here are some backtraces:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 18450)]
0x402e847b in memset () from /lib/libc.so.6
(gdb) bt
#0 0x402e847b in memset () from /lib/libc.so.6
#1 0x080594fa in request_enqueue (request=0x40507ab8, fun=0) at threads.c:225
#2 0x08059ed8 in thread_pool_addrequest (request=0x40507ab8, fun=0) at threads.c:760
#3 0x0804d99e in main (argc=135115592, argv=0x80535b0) at radiusd.c:1446

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1196106 (LWP 22119)]
0x402e32ab in mallopt () from /lib/libc.so.6
(gdb) bt
#0 0x402e32ab in mallopt () from /lib/libc.so.6
#1 0x402e207f in free () from /lib/libc.so.6
#2 0x400504b9 in pairbasicfree (pair=0x1f8) at valuepair.c:111
#3 0x4005050e in pairfree (pair_ptr=0x41a12b78) at valuepair.c:127
#4 0x0804e21b in rad_respond (request=0x41603528, fun=0x80535b0 ) at radiusd.c:1877
#5 0x08059924 in request_handler_thread (arg=0x40a08120) at threads.c:458
#6 0x400f6e51 in pthread_start_thread () from /lib/libpthread.so.0
#7 0x400f6ecf in pthread_start_thread_event () from /lib/libpthread.so.0
#8 0x4034866a in clone () from /lib/libc.so.6

Program received signal SIGABRT, Aborted.
[Switching to Thread 16384 (LWP 22840)]
0x4029a721 in kill () from /lib/libc.so.6
(gdb) bt
#0 0x4029a721 in kill () from /lib/libc.so.6
#1 0x400f9771 in pthread_kill () from /lib/libpthread.so.0
#2 0x400f9a7b in raise () from /lib/libpthread.so.0
#3 0x4029a4d4 in raise () from /lib/libc.so.6
#4 0x4029b9e8 in abort () from /lib/libc.so.6
#5 0x0805004e in rad_assert_fail (file=0x0, line=0) at util.c:331
#6 0x0805de40 in rl_next (request=0x4151b9e0) at request_list.c:918
#7 0x0805e528 in rl_clean_list (now=0) at request_list.c:1397
#8 0x0804d89a in main (argc=0, argv=0x0) at radiusd.c:1491

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 24258)]
pairmove2 (to=0xbfffe5e8, from=0x4121e620, attr=79) at valuepair.c:474
474 next = i->next;
(gdb)
(gdb) bt
#0 pairmove2 (to=0xbfffe5e8, from=0x4121e620, attr=79) at valuepair.c:474
#1 0x0805026b in rfc_clean (packet=0x4121e5e8) at util.c:456
#2 0x0805036a in request_reject (request=0x4121e528) at util.c:510
#3 0x0805e0aa in refresh_request (request=0x4121e528, data=0x9cc2) at request_list.c:1124
#4 0x0805ddf0 in rl_walk (walker=0x805df10 , data=0xbfffe680) at request_list.c:895
#5 0x0805e42b in rl_clean_list (now=5328) at request_list.c:1425
#6 0x0804d89a in main (argc=0, argv=0x80535b0) at radiusd.c:1491

Regards
Stephan Jaeger
Re: NAS-IP-Address
jesk <[EMAIL PROTECTED]> wrote:
> > can somebody help me, why this dont works?

Have you tried reading the FAQ?

> i have to correct me, the check item "NAS-IP-Address" works never :(

I don't believe you. The problem lies elsewhere.

Alan DeKok.
Re: EAP/TLS - rlm_ippool: Could not find Pool-Name attribute.
Zdenek Pizl <[EMAIL PROTECTED]> wrote:
> OK, why radius server shows that error message

Because you told the server to use the ippool module, but didn't tell it *which* ippool module to use. Since the ippool module doesn't do EAP, it doesn't know that assigning an IP will be pointless.

> and how can the station (supplicant?) get an IP address for its work
> in this usecase?

DHCP, or a static IP. You have NO other options.

> Oh, does exist a howto about freeradius configuration and 802.1x
> wireless communication? I dont mind the generally known articles,
> because it do not describe CONFIGURATION of freeradius in that case.

They describe how to configure the server. Some even give sample configurations. They don't describe how to configure the server to do what *you* want, because every site is different.

Alan DeKok.
Re: EAP/TLS - rlm_ippool: Could not find Pool-Name attribute.
On Fri, 2004-06-04 at 19:13, Alan DeKok wrote:
> Zdenek Pizl <[EMAIL PROTECTED]> wrote:
> > I am trying to connect our SMC2804WBR wireless routes to the freeradius
> > 1.0.0pre1 (RedHat 9 Linux) and to get connected from WinXP station
> > through 802.1x EAP TLS connection.
>
> That will work.

Hallo Alan,

that was quite quick response. I am glad it will work :) anyway it still does not work, so I cannot be satisfied with it.

> > DEFAULT Pool-Name := "systinetpool"
> >         Fall-Through = yes
>
> That won't.
> You can't assign IP addresses for systems which authenticate via EAP.

OK, why radius server shows that error message and how can the station (supplicant?) get an IP address for its work in this usecase?

Oh, does exist a howto about freeradius configuration and 802.1x wireless communication? I dont mind the generally known articles, because it do not describe CONFIGURATION of freeradius in that case.

Thanks a lot,
z.p.

> Alan DeKok.

--
Zdenek Pizl
Systinet Corporation
Vinohradska 190
130 00 Praha 3
Re: NAS-IP-Address
On Saturday 05 June 2004 15:02, jesk wrote:
> hello,
>
> i got some problem with NAS-IP-Address. when im using the "==" operator in
> checking the nas then everything works fine, but when im using the opposite
> "!=" then the following default entry is every time accepted though the
> request comes from the ip from which it shouldnt be accepted
>
> DEFAULT Auth-Type := Accept,NAS-IP-Address != xxx.xxx.xxx.xxx
>         Framed-IP-Address = 255.255.255.254,
>         Framed-Protocol = PPP,
>         Service-Type = Framed-User
>
> can somebody help me, why this dont works?
>
> regards,
> christian

hi again,

i have to correct me, the check item "NAS-IP-Address" works never :(
i got this DEFAULT entry in users-file everything else is in sql.
NAS-IP-Address
hello,

i got some problem with NAS-IP-Address. when im using the "==" operator in checking the nas then everything works fine, but when im using the opposite "!=" then the following default entry is every time accepted though the request comes from the ip from which it shouldnt be accepted

DEFAULT Auth-Type := Accept,NAS-IP-Address != xxx.xxx.xxx.xxx
        Framed-IP-Address = 255.255.255.254,
        Framed-Protocol = PPP,
        Service-Type = Framed-User

can somebody help me, why this dont works?

regards,
christian
Re: Authorization not working w/ Cisco
better to show radiusd -X with the case WHEN you cannot get it., that will help isolating the problem.
//milver

----- Original Message -----
From: "John Sasso Jr" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 05, 2004 2:56 PM
Subject: RE: Authorization not working w/ Cisco

> This does not answer my question, which IS related to freeradius. I have
> gone through the O'Reilly "RADIUS" book, which does a good job at explaining
> implementing Authentication and Accounting with freeradius, but neglects
> Authorization (which is what I am trying to do). Again, I am trying to
> implement authorization through RADIUS, not local to the Cisco router
> itself. I gave the exec issue as one example; I had a similar issue with
> network as well (authorization only, NOT accounting and authentication).
>
> Thanks --john
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Milver S. Nisay
> > Sent: Friday, June 04, 2004 9:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Authorization not working w/ Cisco
> >
> > > If I remove the "aaa authorization exec default group radius local"
> > > entry on the router, I can get in fine. I should note that
> > > authentication works A-OK with my freeradius box. Its the authorization
> > > that is giving me issues.
> >
> > this happens to be cisco related question and be directed to cisco search
> > link
> > anyway, this works for me, have u tried this before since its authorization
> > issue accdg to you.
> >
> > aaa authorization exec default local
> > aaa authorization network default local group radius
> >
> > here is the link to look for it if it didnt work for you
> > http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=route-cache&nv=Search+All+cisco.com%23%23cisco.com&nv=Technical+Support+%26+documentation%23%23cisco.com%23TSD&language=en&country=US&accessLevel=Guest&siteToSearch=cisco.com
> >
> > u can