Accounting Log - Packets VS Octets
I just found out from the accounting log that the size of each packet for input and output is different (octets/packet). Can anybody explain it to me? And for what kind of purpose do people usually use the packet information? I've read the attribute terminology but it doesn't give me any idea.

Thanks,
Eden

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius log
You may have noticed that radius runs on two ports. One is for the authentication packets and the other instance is for Accounting packets. The radius.log file is only for Auth requests/debugging. The detail file is for Accounting requests. You will find your disconnect message in the detail file. Also try "radwho"; it might be what you are looking for. Hope this helps.

apellido jr., wilfredo p. wrote:
> > The radius.log file is only written to when an authentication request is processed. Users only authenticate when the connection is established. Accounting requests are sent to the radius server when the connection is established and when it terminates.
>
> Ok, this is the tail of radius.log:
>
> Sun Jun 13 23:36:40 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 0)
> Sun Jun 13 23:38:05 2004 : Auth: Login incorrect: [gunday/molendijk] (from client portmaster.mactan.ph port 13)
> Sun Jun 13 23:38:40 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
> Sun Jun 13 23:38:47 2004 : Auth: Login incorrect: [lmharm/literock] (from client portmaster.mactan.ph port 27)
> Sun Jun 13 23:40:19 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 1)
> Sun Jun 13 23:41:00 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
> Sun Jun 13 23:42:17 2004 : Auth: Login OK: [mim] (from client portmaster.mactan.ph port 27)
>
> I don't see any message that shows that the user is disconnected. I'm the one who uses the account apellido, and when I tried to disconnect, it doesn't appear in radius.log that I've disconnected. Although I configured freeradius (radius.conf) just like this:
>
> log_file = ${logdir}/radius.log
> log_auth = yes
> log_auth_badpass = yes
> log_auth_goodpass = yes
>
> Thanks in advance...
>
> > Those are handled differently depending on your radius server configuration.
> >
> > On Jun 15, 2004, at 17:57, apellido jr., wilfredo p. wrote:
> > > Sorry if I'm wrong for what I'm trying to say. What I mean is, I don't see any message in radius.log that the user is disconnected.
> > >
> > > - Original Message -
> > > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, June 15, 2004 9:28 PM
> > > Subject: Re: radius log
> > >
> > > > "apellido jr., wilfredo p." <[EMAIL PROTECTED]> wrote:
> > > > > Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter) successfully and it authenticates perfectly, but I don't see any stop message in radius.log.
> > > >
> > > > Accounting packets aren't logged to radius.log.
> > > >
> > > > Alan DeKok.
> >
> > -- Doug
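To make Doug's point concrete, here is an added Python example (it is not code from this thread or from FreeRADIUS) that reads the radius.log excerpt quoted above and a constructed accounting detail-file excerpt. The auth log carries only "Login OK"/"Login incorrect" events, so a disconnect can only be found as an Acct-Status-Type = Stop record in the detail file, and that Stop record is also where the Acct-Input/Output-Octets and Acct-Input/Output-Packets counters live, which is what Eden's octets-versus-packets question at the top of this page is about. The detail records and all their values are made up; the attribute names are the standard RFC 2866 ones and the detail layout (timestamp line, tab-indented attributes, blank line between records) is the one rlm_detail writes.

```python
import re

# Auth-log lines copied from the thread above (radius.log with log_auth = yes).
RADIUS_LOG = """\
Sun Jun 13 23:36:40 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 0)
Sun Jun 13 23:38:05 2004 : Auth: Login incorrect: [gunday/molendijk] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:38:40 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:40:19 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 1)
"""

# Constructed detail-file excerpt: Start and Stop record for one session.
# Attribute names are the standard RFC 2866 ones; every value is made up.
DETAIL_FILE = """\
Sun Jun 13 23:36:41 2004
\tAcct-Status-Type = Start
\tAcct-Session-Id = "3A0001F2"
\tUser-Name = "apellido"
\tNAS-Port = 0

Sun Jun 13 23:52:03 2004
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "3A0001F2"
\tUser-Name = "apellido"
\tNAS-Port = 0
\tAcct-Session-Time = 922
\tAcct-Input-Octets = 48120
\tAcct-Output-Octets = 3915000
\tAcct-Input-Packets = 802
\tAcct-Output-Packets = 2900
\tAcct-Terminate-Cause = User-Request

"""

AUTH_RE = re.compile(r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]+)")


def parse_auth_log(text):
    """Return (timestamp, user, accepted) for each 'Auth:' line.
    With log_auth_badpass = yes the bad password follows the user after a '/',
    so the user name is cut at the first '/' or ']'.  There is no event type
    for a disconnect: the auth log cannot show one."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("result") == "OK"))
    return events


def parse_detail(text):
    """Split a detail file into dicts: a bare timestamp line starts a record,
    tab-indented 'Attr = Value' lines fill it, a blank line ends it."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur is not None:
                records.append(cur)
                cur = None
        elif not line.startswith("\t"):
            cur = {"timestamp": line.strip()}
        elif cur is not None:
            attr, _, value = line.strip().partition(" = ")
            cur[attr] = value.strip('"')
    if cur is not None:
        records.append(cur)
    return records


def disconnects(records):
    """A disconnect is an Accounting-Request with Acct-Status-Type = Stop."""
    return [r for r in records if r.get("Acct-Status-Type") == "Stop"]


def octets_per_packet(record):
    """Average bytes per packet in each direction.  Uplink traffic of a typical
    dial-up or DSL user is dominated by small ACK/request packets and downlink
    by full-size data packets, so the two ratios normally differ; that is the
    difference Eden noticed.  Missing counters (e.g. on a Start record) give 0."""
    def ratio(octets_attr, packets_attr):
        packets = int(record.get(packets_attr, 0))
        return int(record.get(octets_attr, 0)) / packets if packets else 0.0
    return {"input": ratio("Acct-Input-Octets", "Acct-Input-Packets"),
            "output": ratio("Acct-Output-Octets", "Acct-Output-Packets")}


if __name__ == "__main__":
    for ts, user, ok in parse_auth_log(RADIUS_LOG):
        print(ts, user, "OK" if ok else "incorrect")
    for stop in disconnects(parse_detail(DETAIL_FILE)):
        print(stop["User-Name"], "disconnected after", stop["Acct-Session-Time"],
              "s, bytes/packet:", octets_per_packet(stop))
```

Pointing `parse_detail` at a real `detail-*` file under radacctdir and filtering on `Acct-Status-Type` gives the same answer for a live server: the Stop record, with its session time, terminate cause and per-direction counters, is the disconnect that never appears in radius.log.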
Re: radius log
Those are all authentication request logging entries (the log and the config file). You will never see a disconnect in the authentication log entries. There is no authentication request when a user disconnects. You have to look at the accounting log entries.

On Jun 15, 2004, at 21:07, apellido jr., wilfredo p. wrote:
> > The radius.log file is only written to when an authentication request is processed. Users only authenticate when the connection is established. Accounting requests are sent to the radius server when the connection is established and when it terminates.
>
> Ok, this is the tail of radius.log:
>
> Sun Jun 13 23:36:40 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 0)
> Sun Jun 13 23:38:05 2004 : Auth: Login incorrect: [gunday/molendijk] (from client portmaster.mactan.ph port 13)
> Sun Jun 13 23:38:40 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
> Sun Jun 13 23:38:47 2004 : Auth: Login incorrect: [lmharm/literock] (from client portmaster.mactan.ph port 27)
> Sun Jun 13 23:40:19 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 1)
> Sun Jun 13 23:41:00 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
> Sun Jun 13 23:42:17 2004 : Auth: Login OK: [mim] (from client portmaster.mactan.ph port 27)
>
> I don't see any message that shows that the user is disconnected. I'm the one who uses the account apellido, and when I tried to disconnect, it doesn't appear in radius.log that I've disconnected. Although I configured freeradius (radius.conf) just like this:
>
> log_file = ${logdir}/radius.log
> log_auth = yes
> log_auth_badpass = yes
> log_auth_goodpass = yes
>
> Thanks in advance...
>
> > Those are handled differently depending on your radius server configuration.
> >
> > On Jun 15, 2004, at 17:57, apellido jr., wilfredo p. wrote:
> > > Sorry if I'm wrong for what I'm trying to say. What I mean is, I don't see any message in radius.log that the user is disconnected.
> > >
> > > - Original Message -
> > > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, June 15, 2004 9:28 PM
> > > Subject: Re: radius log
> > >
> > > > "apellido jr., wilfredo p." <[EMAIL PROTECTED]> wrote:
> > > > > Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter) successfully and it authenticates perfectly, but I don't see any stop message in radius.log.
> > > >
> > > > Accounting packets aren't logged to radius.log.
> > > >
> > > > Alan DeKok.
> >
> > -- Doug

-- Doug
Re: radius log
> The radius.log file is only written to when an authentication request is processed. Users only authenticate when the connection is established. Accounting requests are sent to the radius server when the connection is established and when it terminates.

Ok, this is the tail of radius.log:

Sun Jun 13 23:36:40 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 0)
Sun Jun 13 23:38:05 2004 : Auth: Login incorrect: [gunday/molendijk] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:38:40 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:38:47 2004 : Auth: Login incorrect: [lmharm/literock] (from client portmaster.mactan.ph port 27)
Sun Jun 13 23:40:19 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 1)
Sun Jun 13 23:41:00 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:42:17 2004 : Auth: Login OK: [mim] (from client portmaster.mactan.ph port 27)

I don't see any message that shows that the user is disconnected. I'm the one who uses the account apellido, and when I tried to disconnect, it doesn't appear in radius.log that I've disconnected. Although I configured freeradius (radius.conf) just like this:

log_file = ${logdir}/radius.log
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

Thanks in advance...

> Those are handled differently depending on your radius server configuration.
>
> On Jun 15, 2004, at 17:57, apellido jr., wilfredo p. wrote:
> > Sorry if I'm wrong for what I'm trying to say. What I mean is, I don't see any message in radius.log that the user is disconnected.
> >
> > - Original Message -
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, June 15, 2004 9:28 PM
> > Subject: Re: radius log
> >
> > > "apellido jr., wilfredo p." <[EMAIL PROTECTED]> wrote:
> > > > Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter) successfully and it authenticates perfectly, but I don't see any stop message in radius.log.
> > >
> > > Accounting packets aren't logged to radius.log.
> > >
> > > Alan DeKok.
>
> -- Doug
Re: radrelay sample??
I am sorry for this post; just before, I had read doc/radrelay. Sorry again.

> Hi
> I want to use radrelay to replicate accounting data to my freeradius server, but failed.

Hello World!
[EMAIL PROTECTED]
2004-06-16
Re: radius log
The radius.log file is only written to when an authentication request is processed. Users only authenticate when the connection is established. Accounting requests are sent to the radius server when the connection is established and when it terminates. Those are handled differently depending on your radius server configuration.

On Jun 15, 2004, at 17:57, apellido jr., wilfredo p. wrote:
> Sorry if I'm wrong for what I'm trying to say. What I mean is, I don't see any message in radius.log that the user is disconnected.
>
> - Original Message -
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, June 15, 2004 9:28 PM
> Subject: Re: radius log
>
> > "apellido jr., wilfredo p." <[EMAIL PROTECTED]> wrote:
> > > Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter) successfully and it authenticates perfectly, but I don't see any stop message in radius.log.
> >
> > Accounting packets aren't logged to radius.log.
> >
> > Alan DeKok.

-- Doug
Re: Re: rlm_expr question
Hi

> You have to put the Value in back-quotes: `%{expr: %{Call-Refrence}`

I have tried it, but it didn't work.

1. radreply table:

id  UserName  Attribute          op  Value
1   ylei      Reply-Message      :=  `%{expr: %{Call-Refrence}}`   --> back-quotes
2   ylei      Call-Refrence-Ack  :=  `%{expr: %{Call-Refrence}}`
3   ylei      Call-Refrence      :=  `%{expr: %{Call-Refrence}}`

2. [EMAIL PROTECTED] main]# ./radauth ylei ylei
Sending Access-Request of id 239 to 10.1.16.250:1812
	User-Name = "ylei"
	User-Password = "ylei"
	NAS-IP-Address = "127.0.0.1"
	Call-Refrence = 2
	NAS-Port = 6
rad_recv: Access-Accept packet from host 10.1.16.250:1812 id=239, length=62
	Reply-Message = "`2`"   --> back-quotes
	Call-Refrence-Ack = "`%{expr: %{Call-Refrence}}`"   --> back-quotes
	Session-Timeout = 6000

I don't understand why Reply-Message works well but Call-Refrence-Ack and Call-Refrence don't work at all.

PS: WHERE is the function expr_xlat() in rlm_expr.c called?? I will debug the above if I know.

Hello World!
[EMAIL PROTECTED]
2004-06-16
Re: radius log
Sorry if I'm wrong for what I'm trying to say. What I mean is, I don't see any message in radius.log that the user is disconnected.

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 15, 2004 9:28 PM
Subject: Re: radius log

> "apellido jr., wilfredo p." <[EMAIL PROTECTED]> wrote:
> > Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter) successfully and it authenticates perfectly, but I don't see any stop message in radius.log.
>
> Accounting packets aren't logged to radius.log.
>
> Alan DeKok.
Re: Rate limit radius requests
Alan DeKok wrote:
> "Gary McKinney" <[EMAIL PROTECTED]> wrote:
> > From following this thread I am wondering how many transactions a second can a DB handle successfully perform before the system starts to lose information???
>
> That depends on the DB. Oracle is fast, PostGreSQL is fast, MySQL is less fast.
>
> > I am wondering for a given platform and OS (such as linux or FreeBSD running on a 2.0Ghz based system with 1-Gig of RAM and fast SCSI hard-drive subsystem) how many transactions can the FreeRadius system handle in a second???

I use postgres and have done a bit of tuning so it's as fast as it's going to be on this hardware, but even with very fast servers there are only so many inserts you can do at a time before you run out of DB connection handles, and this is almost always going to happen long before radius reaches its processing limits, especially when you have several million rows like I do.

I think the most graceful way to handle this would be to add a function to rlm_sql that writes the accounting packet to a detail log, then call that before returning RLM_MODULE_FAIL. The name of the file could be defined in the sql {} part of the config file. This way any sql based failures will at least be written somewhere instead of lost forever. This detail file could be fed back to the server at some other point in time.

I'm a very poor C programmer, so before I start looking into this further perhaps Alan can comment on any problems he sees with this and describe any problems I may run into with calling rlm_detail from rlm_sql.
Re: Problems with radius process
"RIGGIE AREVALO" <[EMAIL PROTECTED]> wrote:
> I am new on the list even though I've been using the application since months ago. I've had problems with the RADIUS process because it had stopped working several times, and I have had to make a restart in order to make it work again. At first I thought it was a problem with the version that I had (freeradius-0.9.0), so I planned an upgrade to the last stable, version 0.9.3,

Upgrading the server won't make your database any faster.

> Mon Jun 14 15:40:51 2004 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
...
> Mon Jun 14 15:42:00 2004 : Error: WARNING: Unresponsive child (id 1150495040) for request 430918

Your database is too slow to process the requests from FreeRADIUS. Fix the database, and the problem will be solved.

Alan DeKok.
Problems with radius process
Hi all,

I am new on the list even though I've been using the application since months ago. I've had problems with the RADIUS process because it had stopped working several times, and I have had to make a restart in order to make it work again. At first I thought it was a problem with the version that I had (freeradius-0.9.0), so I planned an upgrade to the last stable, version 0.9.3; I performed an upgrade to Red Hat Linux 9.0 also. But I have had the problem again. The only thing I can see in the logs is the following information before it stops working:

Mon Jun 14 15:40:51 2004 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 14 15:40:51 2004 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 14 15:40:51 2004 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Jun 14 15:42:00 2004 : Error: WARNING: Unresponsive child (id 1150495040) for request 430918
Mon Jun 14 15:42:00 2004 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1

In the logs I also see A LOT! of information coming from the registered gateways, like:

Mon Jun 14 15:41:33 2004 : Error: rlm_sql: Stop packet with zero session length. (user '212345', nas '201.95.51.14')
Mon Jun 14 15:41:33 2004 : Error: rlm_sql: Stop packet with zero session length. (user '1996388', nas '201.95.51.14')
Mon Jun 14 15:41:33 2004 : Error: rlm_sql: Stop packet with zero session length. (user '212345', nas '201.95.51.14')
Mon Jun 14 15:41:33 2004 : Error: rlm_sql: Stop packet with zero session length. (user '212345', nas '201.95.71.20')

I would really appreciate it if anyone could help me on this.

Thanks in advance,

Reggie Arévalo
Switching Engineer
Tlf: (58212) 7100375
Fax: (58212) 7100157
Re: Rate limit radius requests
"Gary McKinney" <[EMAIL PROTECTED]> wrote:
> From following this thread I am wondering how many transactions a second can a DB handle successfully perform before the system starts to lose information???

That depends on the DB. Oracle is fast, PostGreSQL is fast, MySQL is less fast.

> I am wondering for a given platform and OS (such as linux or FreeBSD running on a 2.0Ghz based system with 1-Gig of RAM and fast SCSI hard-drive subsystem) how many transactions can the FreeRadius system handle in a second???

FreeRADIUS is not the bottleneck, so how fast it runs doesn't matter. The database is the bottleneck.

Alan DeKok.
Re: Rate limit radius requests
Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> > Log to the DB, unless the rate is too high. If it's too high, log to a "detail" file, and rely on an external program to feed the requests back in, when the rate drops.
>
> Where in the config would I put this logic? How could I tell radius where to log based on load?

Source code modifications.

> Machines are cheap, and I'm getting ready to do a pretty fair upgrade on the database server, but I'm looking for a solution that won't drop accounting messages on the floor regardless of the load.

Bigger machines. The server can handle 1000's of requests per second without a problem. On a 4-way machine, I'd bet it's approaching 10K requests/s.

The problem isn't the server. The problem is the back-end database, which is slow.

> > A related fix would be to change src/main/threads.c, so that if an Accounting-Request has been sitting in the queue for more than 5 seconds, it's discarded and *not* processed. That should help, as the NAS will be re-sending the packet.
>
> Wouldn't sending the request back the queue if there are no DB handles be even better?

At that point, you've already partially processed it, so it would be *very* bad to re-process it from scratch.

My point was that Accounting-Request packets are never retransmitted. So if a request hasn't been processed in the last 5 seconds, you're better off throwing it away, as the NAS has *already* sent you another request.

Alan DeKok.
Re: Rate limit radius requests
Now I am curious...

From following this thread I am wondering how many transactions a second can a DB handle successfully perform before the system starts to lose information??? I am wondering for a given platform and OS (such as linux or FreeBSD running on a 2.0Ghz based system with 1-Gig of RAM and fast SCSI hard-drive subsystem) how many transactions can the FreeRadius system handle in a second???

It seems to me you need to establish a "baseline" for what would be considered "too many" requests in order to figure out what would need to be done to allow the system to handle high-peak loads... Just wondering here...

Gary N. McKinney
Network Administrator
Computer Services Dept.
Brevard County Library System

-- Original Message --
From: Matthew Schumacher <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 15 Jun 2004 12:38:35 -0800

>Alan DeKok wrote:
>>>I know how to feed the detail file back to the server with the radrelay
>>>util, but wouldn't that require me to run two radius servers?
>>
>> I don't see why. You should be able to do both.
>>
>> Log to the DB, unless the rate is too high. If it's too high, log
>> to a "detail" file, and rely on an external program to feed the
>> requests back in, when the rate drops.
>>
>
>Where in the config would I put this logic? How could I tell radius
>where to log based on load?
>
>> That helps, too. Machines are cheap.
>>
>
>Machines are cheap, and I'm getting ready to do a pretty fair upgrade on
>the database server, but I'm looking for a solution that won't drop
>accounting messages on the floor regardless of the load.
>
>> A related fix would be to change src/main/threads.c, so that if an
>> Accounting-Request has been sitting in the queue for more than 5
>> seconds, it's discarded and *not* processed. That should help, as the
>> NAS will be re-sending the packet.
>>
>
>Wouldn't sending the request back to the queue if there are no DB handles
>be even better?
>
>schu
Re: Rate limit radius requests
Alan DeKok wrote:
> > I know how to feed the detail file back to the server with the radrelay util, but wouldn't that require me to run two radius servers?
>
> I don't see why. You should be able to do both.
>
> Log to the DB, unless the rate is too high. If it's too high, log to a "detail" file, and rely on an external program to feed the requests back in, when the rate drops.

Where in the config would I put this logic? How could I tell radius where to log based on load?

> That helps, too. Machines are cheap.

Machines are cheap, and I'm getting ready to do a pretty fair upgrade on the database server, but I'm looking for a solution that won't drop accounting messages on the floor regardless of the load.

> A related fix would be to change src/main/threads.c, so that if an Accounting-Request has been sitting in the queue for more than 5 seconds, it's discarded and *not* processed. That should help, as the NAS will be re-sending the packet.

Wouldn't sending the request back to the queue if there are no DB handles be even better?

schu
Re: WLAN Configurations
Bragg Mario-mbragg1 <[EMAIL PROTECTED]> wrote:
> I have to validate all possible wireless authentications in a wireless test bed. Also, I need to test all allowable protocols with the tunneled protocols (i.e. within TTLS - Chap, MSChap, MSChap V2, Pap, EAP-MD5 and within PEAP - MSChap V2, EAP-TLS, GTC).

All of those have been tested with the server, and all should work.

> Is there some guide or paper out there that helps out with configuration?

You shouldn't have to configure anything else once TTLS & PEAP work.

> I have been able to get TLS, TTLS-MD5 and PEAP-MSChapV2 working, but get errors on the other combinations. I have read what I could find on the freeradius web page and the config files.

Try running the server in debugging mode.

Alan DeKok.
tcpserver
Is it a good idea to use tcpserver with radiusd? If so, do you have a script you would like to share?

Thanks,
Paul
WLAN Configurations
I have to validate all possible wireless authentications in a wireless test bed. Also, I need to test all allowable protocols with the tunneled protocols (i.e. within TTLS - Chap, MSChap, MSChap V2, Pap, EAP-MD5 and within PEAP - MSChap V2, EAP-TLS, GTC). Is there some guide or paper out there that helps out with configuration? I have been able to get TLS, TTLS-MD5 and PEAP-MSChapV2 working, but get errors on the other combinations. I have read what I could find on the freeradius web page and the config files.

Regards,
Mario Bragg
RE: LDAP configuration help
I had the same problem before I installed OpenLDAP. I believe you must have it installed before you compile FreeRADIUS.

Thanks
lje

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Veerabhushan Hatte
Sent: Tuesday, June 15, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: LDAP configuration help

Hello again,

I am trying to configure freeRADIUS for LDAP. The setup is as follows:

client -- LinkSYS AP -- Linux running freeRADIUS -- MS Windows (LDAP server)
          192.168.10.5   192.168.10.212              192.168.10.200

I am trying to configure the linux system running freeRADIUS to forward LDAP requests to the MS Windows system. I did the following configuration by following a document on the web, http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html

I configured radiusd.conf as follows:

ldap {
	server = 192.168.10.200
	# identity = "cn=admin,o=My Org,c=UA"
	# password = mypass
	basedn = "o=My Org,c=UA"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	# base_filter = "(objectclass=radiusprofile)"
	# set this to 'yes' to use TLS encrypted connections
	# to the LDAP databa
	..
}

Authentication types are configured as follows:

authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authorize' section.
	#	digest

	#
	#  Pluggable Authentication Modules.
	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#	unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
	Auth-Type LDAP {
		ldap
	}

	#
	#  Allow EAP authentication.
	eap
}

Configured the users file to support LDAP by default:

..
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT	Auth-Type = LDAP
	Fall-Through = 1
.

Configured clients.conf as follows:

client 192.168.10.5 {
	secret = testing123
	shortname = linksys_ap
}

I have not done any other configuration for the freeradius-1.0.0-pre2 RADIUS configuration. I get a core dump if I start the radiusd daemon:

# ./radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
secu
Re: Rate limit radius requests
Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> > Or, if the rate gets too high, *stop* logging to the database, and use a "detail" file. Then, when the rate drops, feed the detail file back into the server.
>
> I know how to feed the detail file back to the server with the radrelay util, but wouldn't that require me to run two radius servers?

I don't see why. You should be able to do both.

Log to the DB, unless the rate is too high. If it's too high, log to a "detail" file, and rely on an external program to feed the requests back in, when the rate drops.

> Perhaps I'm missing something, but AFAIK the only way to ensure that the data is put in the database is to have a very fast database that can handle the connection rate of radrelay or a fast NAS with a zillion clients authenticating at once.

That helps, too. Machines are cheap.

> It would be great if the server would reject accounting messages if there isn't a DB handle that way accounting would fail over to the secondary where the message is queued to be forwarded back to the primary when it comes back. This would make having a DB backend much more accurate for accounting.

Hmm... I'm not sure that would work. The server *is* responding to some requests, so the NAS won't see it as being down.

A related fix would be to change src/main/threads.c, so that if an Accounting-Request has been sitting in the queue for more than 5 seconds, it's discarded and *not* processed. That should help, as the NAS will be re-sending the packet.

> I suppose sending everything to a server acting as a accounting proxy with network rate limiting between it and the server with the DB backend could work but that solution seems more complex than it should be.

I agree.

Alan DeKok.
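The three ways of handling an accounting burst that this thread discusses can be compared on a constructed burst with the added Python model below. It is not FreeRADIUS code: the handle pool, the per-insert service time, the arrival times and the function names are assumptions made for the illustration. "drop" is the situation in the thread today (a request that finds no free DB handle fails and the record is lost, the "There are no DB handles to use!" case), "detail" is Matthew's proposal to write such records to a detail file and feed them back later with radrelay, and "wait" queues the request for a handle but discards it if it would sit longer than Alan's 5-second threshold.

```python
from collections import Counter

MAX_QUEUE_AGE = 5.0   # seconds; the threshold Alan suggests for threads.c

# Constructed burst: 32 Accounting-Requests inside one second (a router full of
# DSL connections coming back), then one request per second.  Timestamps are
# seconds, chosen as exact binary fractions so the float arithmetic is exact.
BURST = [i / 32 for i in range(32)] + [10.0 + i for i in range(5)]


def simulate(arrivals, handles, service, on_no_handle, max_age=MAX_QUEUE_AGE):
    """Replay arrival times against a pool of DB handles (assumed model).

    handles       number of rlm_sql connection handles in the pool
    service       seconds one accounting INSERT keeps a handle busy
    on_no_handle  what to do when every handle is busy on arrival:
                  'drop'   the request fails and the record is lost
                  'detail' write the record to a detail file for later replay
                  'wait'   queue for the first free handle, but discard the
                           request if it would wait longer than max_age
    Returns (Counter of outcomes, list of records sent to the detail file).
    """
    busy_until = [0.0] * handles
    stats, detail = Counter(), []
    for t in arrivals:
        k = min(range(handles), key=busy_until.__getitem__)   # earliest-free handle
        start = max(t, busy_until[k])
        if start == t:                          # a handle is free right now
            busy_until[k] = t + service
            stats["db"] += 1
        elif on_no_handle == "detail":
            detail.append(t)
            stats["detail"] += 1
        elif on_no_handle == "wait" and start - t <= max_age:
            busy_until[k] = start + service     # wait in the queue, then insert
            stats["db"] += 1
        elif on_no_handle == "wait":
            stats["discarded"] += 1             # stale: the NAS has re-sent it by now
        else:
            stats["lost"] += 1
    return stats, detail


def replay_detail(detail, handles, service, start_at):
    """Feed a detail file back once the burst is over, pacing the records so
    that at most `handles` inserts are ever in flight (what a rate-limited
    radrelay run would achieve).  Every record then reaches the database."""
    paced = [start_at + i * (service / handles) for i in range(len(detail))]
    return simulate(paced, handles, service, "drop")


if __name__ == "__main__":
    for mode in ("drop", "detail", "wait"):
        stats, detail = simulate(BURST, handles=4, service=0.5, on_no_handle=mode)
        print(mode, dict(stats))
        if detail:
            print("  replayed:", dict(replay_detail(detail, 4, 0.5, start_at=100.0)[0]))
```

With four handles and a half-second insert the pool can absorb 8 inserts/s, so a 32-request burst loses 24 records under "drop", parks the same 24 in the detail file under "detail" (all of which the paced replay delivers), and under "wait" delivers everything because the longest queue time stays under 5 s; lowering `max_age` to 2 s makes the tail of the burst get discarded instead, which is the trade-off Alan describes.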
Re: Rate limit radius requests
Alan DeKok wrote:
> Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> ...
>
> http://lists.freeradius.org/pipermail/freeradius-users/2004-June/032678.html
>
> Alan DeKok.

I never saw that and assumed my message never made it... After fighting with the list trying to make it work I subscribed with another account and asked again. Sorry...

Anyway:

> Or, if the rate gets too high, *stop* logging to the database, and use a "detail" file. Then, when the rate drops, feed the detail file back into the server.

I know how to feed the detail file back to the server with the radrelay util, but wouldn't that require me to run two radius servers? One configured to accept accounting from the NAS logging to a detail file, and another configured to write to the DB? Also, say I did all that, the radrelay tool sends radius accounting messages even faster than the nas.

Perhaps I'm missing something, but AFAIK the only way to ensure that the data is put in the database is to have a very fast database that can handle the connection rate of radrelay or a fast NAS with a zillion clients authenticating at once.

It would be great if the server would reject accounting messages if there isn't a DB handle; that way accounting would fail over to the secondary, where the message is queued to be forwarded back to the primary when it comes back. This would make having a DB backend much more accurate for accounting.

I suppose sending everything to a server acting as an accounting proxy with network rate limiting between it and the server with the DB backend could work, but that solution seems more complex than it should be.

thanks,
schu
Rate limit radius requests
List,

Is there a way to rate limit radius requests in the freeradius server? Whenever the router guy kicks a router full of DSL connections we get a flood of radius accounting messages which overloads the database server, causing "There are no DB handles to use!" error messages. While the DB can handle the current load, it can get overrun in certain circumstances. I figure some form of rate limiting causing the radius server to only handle so many requests per second might be the solution to this.

Another question I have is what exactly happens when that error message is logged? Does radius retry the insert of the accounting record or does it simply drop it?

Thanks,
schu
Re: Rate limit radius requests
Matthew Schumacher <[EMAIL PROTECTED]> wrote:
...

  http://lists.freeradius.org/pipermail/freeradius-users/2004-June/032678.html

  Alan DeKok.
LDAP configuration help
Hello again,

I am trying to configure freeRADIUS for LDAP. The setup is as follows:

    client -- LinkSYS AP -- Linux running freeRADIUS -- MS Windows (LDAP server)
              192.168.10.5   192.168.10.212            192.168.10.200

I am trying to configure the linux system running freeRADIUS to forward LDAP requests to the MS Windows system. I did the following configuration by following this document on the web:

    http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html

I configured radiusd.conf as follows:

    ldap {
        server = 192.168.10.200
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP databa
        ..
    }

Authentication types are configured as follows:

    authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
            pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
            chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
            mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
        #  digest

        #
        #  Pluggable Authentication Modules.
        pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        unix

        #  Uncomment it if you want to use ldap for authentication
        #
        #  Note that this means "check plain-text password against
        #  the ldap database", which means that EAP won't work,
        #  as it does not supply a plain-text password.
        Auth-Type LDAP {
            ldap
        }

        #
        #  Allow EAP authentication.
        eap
    }

Configured the users file to support LDAP by default:

    ..
    #
    # First setup all accounts to be checked against the UNIX /etc/passwd.
    # (Unless a password was already given earlier in this file).
    #
    DEFAULT Auth-Type = LDAP
            Fall-Through = 1
    .

Configured clients.conf as follows:

    client 192.168.10.5 {
        secret    = testing123
        shortname = linksys_ap
    }

I have not done any other configuration for the freeradius-1.0.0-pre2 RADIUS configuration. I get a core dump if I start the radiusd daemon:

    # ./radiusd -X -A
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
     main: prefix = "/usr/local"
     main: localstatedir = "/usr/local/var"
     main: logdir = "/usr/local/var/log/radius"
     main: libdir = "/usr/local/lib"
     main: radacctdir = "/usr/local/var/log/radius/radacct"
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = "/usr/local/var/log/radius/radius.log"
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
     main: user = "(null)"
     main: group = "(null)"
     main: usercollide = no
     main: lower_user = "no"
     main: lower_pass = "no"
     main: nospace_user = "no"
     main: nospace_pass = "no"
     main: checkrad = "/usr/local/sbin/checkrad"
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = yes
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file.  Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded exec
     exec: wait = yes
     exec: program = "(null)"
     exec: input_pairs = "request"
     exec: output_pairs = "(nul
Re: EAP/TLS - seg fault with bad certificate
Antonio Tamborino <[EMAIL PROTECTED]> wrote:
>> doc/bugs
>
> I've forgotten to write that the problem exist also with a good certificate
> ...

  Please READ doc/bugs, and FOLLOW ITS SUGGESTIONS. There's no point in posting many messages saying "it doesn't work", if you're not going to say what is going wrong.

> what's bad? using two version of openssl for freeradius?

  Yes. It will cause core dumps.

  Alan DeKok.
Re: post-auth
At 19.20 14/06/2004, you wrote:

> Andrea Gabellini wrote:
>> Hi,
>>
>> I'm using the post-auth section to log users' attempts. Is it possible, in case of REJECT, to log the full description of the rejection instead of the useless 'Access-Reject' string?
>
> I added a "message" field to the table and use the following query:
>
>   "INSERT into ${postauth_table} (id, user, pass, reply, message, date, callingstationid)
>    values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}',
>            REPLACE(REPLACE('%{reply:Reply-Message}', '\r', ''), '\n', ''),
>            NOW(), '%{Calling-Station-Id}')"

Thanks, this is a very simple solution. But now I have another problem... I need to set the Reply-Message. How can I, for example, put the string 'Login incorrect' if the user enters the wrong password? Is it possible to get the same string as in the radius.log file?

Andrea

---
Just what part of "NO" didn't you understand?
---
Ing. Andrea Gabellini
Email: [EMAIL PROTECTED]
Tel: 0549 886111 (Italy)
Tel. +378 0549 886111 (International)

Intelcom San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino
http://www.omniway.sm
http://www.intelcom.sm
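Two things in the query above deserve a defender's second look: it copies '%{User-Password}' into the table in clear text, and it strips only \r and \n from Reply-Message before storing it. What follows is an added illustration written for this page, in Python rather than the page's SQL, and it is not a FreeRADIUS module nor anything the poster wrote. It builds the same kind of post-auth row (username, reply code, reject message, calling station) while recording only that a password was present, drops every control character from the message so one reply cannot smuggle extra lines into a line-oriented log, and writes the row with bound parameters. The request/reply dicts, the table layout and the column names are constructed for the example.

```python
import re
import sqlite3

# C0 control characters plus DEL; the page's query only replaces \r and \n.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Constructed (request, reply) pairs standing in for what the post-auth
# section sees.  User names and passwords are fake values for the example.
SAMPLE_ATTEMPTS = [
    ({"User-Name": "usera", "User-Password": "pw-example-1",
      "Calling-Station-Id": "00-11-22-33-44-55"},
     {"Packet-Type": "Access-Accept", "Reply-Message": "Welcome usera"}),
    ({"User-Name": "userb", "User-Password": "pw-example-2",
      "Calling-Station-Id": "00-11-22-33-44-66"},
     {"Packet-Type": "Access-Reject", "Reply-Message": "Login incorrect\r\n"}),
]


def sanitize_message(text):
    """Replace control characters with a space so a Reply-Message can
    neither break a line-oriented log parser nor forge extra log lines."""
    return CONTROL_RE.sub(" ", text or "").strip()


def postauth_row(request, reply):
    """Columns for one post-auth log row.  The password value is never
    copied; only its presence (1/0) is kept."""
    return {
        "username": request.get("User-Name", ""),
        "password_seen": 1 if request.get("User-Password") else 0,
        "reply": reply.get("Packet-Type", ""),
        "message": sanitize_message(reply.get("Reply-Message")),
        "callingstationid": request.get("Calling-Station-Id", ""),
    }


def open_postauth_db(path=":memory:"):
    """Create the (constructed) radpostauth table if it does not exist."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS radpostauth (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT, password_seen INTEGER, reply TEXT, message TEXT,
        callingstationid TEXT, date TEXT DEFAULT CURRENT_TIMESTAMP)""")
    return conn


def log_attempt(conn, request, reply):
    """Insert one attempt with bound parameters; returns the new row id."""
    row = postauth_row(request, reply)
    cur = conn.execute(
        "INSERT INTO radpostauth (username, password_seen, reply, message, callingstationid) "
        "VALUES (:username, :password_seen, :reply, :message, :callingstationid)", row)
    conn.commit()
    return cur.lastrowid


def rejected_messages(conn):
    """Stored message text for every Access-Reject row, oldest first."""
    return [m for (m,) in conn.execute(
        "SELECT message FROM radpostauth WHERE reply = 'Access-Reject' ORDER BY id")]


def contains_secret(conn, secret):
    """True if any stored column holds the given password verbatim."""
    rows = conn.execute(
        "SELECT username, reply, message, callingstationid FROM radpostauth")
    return any(secret in str(col) for row in rows for col in row)


if __name__ == "__main__":
    db = open_postauth_db()
    for req, rep in SAMPLE_ATTEMPTS:
        log_attempt(db, req, rep)
    print(rejected_messages(db), contains_secret(db, "pw-example-2"))
```

The reject reason is what the poster wanted to keep, and it survives intact; what does not survive is the cleartext credential, which a post-auth table otherwise turns into a password list for anyone who can read the database or its backups.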
Re: configuring freeradius on freebsd 4.10
Darko Kalevski wrote:
>>> Because FreeBSD doesn't support shadow passwords, if I remember the
>>> code correctly, you have to comment out passwd= and shadow= to get
>>> system password file authentication that uses master.passwd.
>>
>> Which is how the server comes configured by default. There are also
>> comments in radiusd.conf SPECIFICALLY MENTIONING FREEBSD.
>>
>> So... you edited "radiusd.conf" to change the default configuration,
>> but didn't read the comments directly above the section you were
>> editing. What kind of documentation could we have to include in the
>> server so that you would read it?
>
> Oh come on, I didn't know how FreeBSD deals with passwords, that means the
> words -lookups are done via database- didn't mean to me that it doesn't use
> the shadow file... i still don't know some aspects of this OS so still
> learning, nothing about FreeRadius :) ... so maybe you could write "FreeBSD
> doesn't use the shadow file in the manner linux does", as it is not
> mentioned a lot... neither is it in the handbook i think... smiles :)
>
> Darko

Try it with the default configuration after installing from ports, you will discover it works, without messing with those lines. There are very few things in the radius.conf that you should need to mess with if you are accounting to detail files and authenticating from default users with unix passwords.

Make sure to install from ports unless you are a developer, and understand how FreeBSD works.
Re: copying accounting
This is the default behavior as far as I know.

User logs in to NAS with [EMAIL PROTECTED]. NAS sends accounting record to your radius server. Your radius server performs its configured accounting steps and proxies the accounting to the some-realm radius accounting server. The some-realm radius server performs its configured accounting steps. Both radius servers should have accounting records for the transaction.

I use this method to bill ISPs who resell our modem pools, and when we use other ISPs' modem pools, we use our records to verify what they bill us.

Hope this clears up your question.

Alexander Serkin wrote:
> Is it possible to keep accounting for several realms locally along with
> sending it to a third party AAA server? I.e. i need to write accounting for
> customers visiting us from another network, but also send it to their home
> AAA server.
Re: Freeradius-Users digest, Vol 1 #3362 - 15 msgs
With a bit more digging (thanks to Cam), I found that I had to add /usr/local/lib to the trusted path using crle:

    crle -u -s:/usr/local/lib

It's up and running now. Thanks for the help.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

- Original Message -
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 10:39 am
Subject: Freeradius-Users digest, Vol 1 #3362 - 15 msgs

> Send Freeradius-Users mailing list submissions to
>   [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>   http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>   [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>   [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
> Today's Topics:
>
>   1. Re: Freeradius-Users digest, Vol 1 (Re: Won't run on Solais 8) (Cameron Gregg)
>   2. Problem compiling: cannot find the library `../rlm_eap_tls/rlm_eap_tls.la' (Michael Schwartzkopff)
>   3. Re: copying accounting (Alexander Serkin)
>   4. Re: copying accounting (Robert Haskins)
>   5. Re: copying accounting (Alan DeKok)
>   6. Re: radius log (Alan DeKok)
>   7. Re: Accounting question for EAP-TTLS for Pre 2 (Alan DeKok)
>   8. Re: copying accounting (Alexander Serkin)
>   9. Re: copying accounting (Alan DeKok)
>  10. Re: Accounting question for EAP-TTLS for Pre 2 (Gary McKinney)
>  11. Re: configuring freeradius on freebsd 4.10 (Paul Hampson)
>  12. Re: rlm_expr question (Alan DeKok)
>  13. Freeradius and OpenLdap (Jawhar TAZI)
>  14. Re: Freeradius and OpenLdap (Michael Schwartzkopff)
>  15. Re: Modify packet proxied to a specific realm (Alan DeKok)
>
> --__--__--
>
> Message: 1
> Date: Wed, 16 Jun 2004 00:35:47 +1000
> From: Cameron Gregg <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius-Users digest, Vol 1 (Re: Won't run on Solais 8)
> Reply-To: [EMAIL PROTECTED]
>
> Ken Connell wrote:
> > PATH = /usr/local/bin:/usr/bin:/usr/sbin:/usr/ucb:
> > Radiusd is in /usr/local/sbin
> > libradius-0.9.3.so is in /usr/local/lib/
> >
> > What is crle ? (I'm a bit of a Linux/Unix newbie).
> >
> > Ken Connell
>
> crle (on solaris), it sets/shows the library paths. A bit like ldconfig
> on linux i think.
>
> run crle and see what the output is. Mine looks like this:
>
> $ crle
>
> Configuration file [3]: /var/ld/ld.config
>   Default Library Path (ELF):  /usr/lib:/usr/local/lib:/usr/local/ssl/lib
>   Trusted Directories (ELF):   /usr/lib/secure  (system default)
>
> Command line:
>   crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib
> $
>
> You need to make sure /usr/local/lib is in your default library path.
>
> If it isn't, you will need to do something like:
>
> $ crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib
>
> I'm a bit sketchy on all this myself, I'm just passing on what has
> worked for me.
>
> Of course you should be able to do a 'man crle' to get all the
> nitty-gritty info.
>
> If /usr/local/lib is already there (in your default path) then I'm not
> sure why your library can't be found... maybe something to do with the
> way freeradius was compiled. I find solaris very frustrating at times,
> especially using GNU tools mixed with sun tools.
>
> Hope this helps.
>
> Cam
>
> PS you can also use ldd to see what libraries it needs and if it can
> find them.
>
> > Intermediate Network Engineer
> > Computer & Communication Services
> > Ryerson University
> > 350 Victoria St
> > RM AB50
> >
> >> --__--__--
> >>
> >> Message: 3
> >> Date: Tue, 15 Jun 2004 09:36:05 +1000
> >> From: Cameron Gregg <[EMAIL PROTECTED]>
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: Won't run on Solais 8
> >> Reply-To: [EMAIL PROTECTED]
> >>
> >> Ken Connell wrote:
> >>
> >>> FreeRadius 0.9.3
> >>> It's been great on Redhat, but on a Solaris 8 box I get the following:
> >>> fatal: libradius-0.9.3.so: open failed: No such file or directory
> >>
> >> What directory is your libradius-0.9.3.so in? Also where is radiusd?
> >>
EXEC and PHP
Good day to all,

Why can I return from exec_module (external program written in php):

    Auth-Type := Reject
    Reply-Msg = "No permition"
Re: EAP/TLS - seg fault with bad certificate
First, thanks.

> Antonio Tamborino <[EMAIL PROTECTED]> wrote:
>> Any idea?
>
>   doc/bugs

I've forgotten to write that the problem exists also with a good certificate and the check_cert_cn = %{User-Name} option in the tls section. It seems there is a problem analyzing the certificate.

>> the report above is with FR 1.0.0pre2 compiled with Openssl 0.9.7d and
>> 0.9.6m
>
>   Uh.. both? That's bad.

What's bad? Using two versions of openssl for freeradius?

>   Alan DeKok.

Antonio
Re: Modify packet proxied to a specific realm [Solved with a few questions]
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
...

  Please don't CC me on messages. I already read the list, and I don't need to see the same message twice.

> I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
> attributes (Location-Id, LocationName and LogoffUrl) to the access request
> packets and 2 attributes (Location-Id, Location-Name) to the
> accounting packets before they get proxied to the home radius.

  In preproxy_users, you should be able to do:

    #---
    DEFAULT User-Name =~ "@testrealm$", Packet-Type == Access-Request
            Wispr-Location-Id = "foo",
            Wispr-LocationName = "bar",
            ...

    DEFAULT User-Name =~ "@testrealm$", Packet-Type == Accounting-Request
            Wispr-Location-Id = "foo",
            ...
    #---

> The pre-proxy section in radiusd.conf wasn't what I wanted because the
> modifications would happen before the proxy of every packet and not
> just packets destined to the specific realm testrealm.

  So check for certain conditions, just like in the "users" file.

> After the test however I noticed that the packets were not modified
> at all (is this a bug that is fixed in 1.0.0?)

  It should be.

  Alan DeKok.
Re: Authenticating to different LDAP servers
On Tue, 15 Jun 2004, Michael Check wrote:

> This was the first try in thinking that the Authentication would cascade
> through the servers. I had set up diff groups in testing, but couldn't get
> freeRADIUS to come up with the correct Auth-Type (like you suggest below).
>
>>> How can we get freeRADIUS to know that we're authenticating off the _second_
>>> LDAP server?
>>
>> Put the ldap modules into different authtype groups: LDAP1 and
>> LDAP2, and then set Auth-Type to one of LDAP1 or LDAP2.
>
> OK. I can place them in diff groups as I show below, but how (and where) do
> I set the correct Auth-Type?

Is there something in the radius packet that would tell you which domain they are from? Username or NAS-IP? If so, then you can put that in the users file and use huntgroups.

in huntgroups:

    somedomain   NAS-IP-Address == 1.1.1.1
    otherdomain  NAS-IP-Address == 2.2.2.2

in users:

    DEFAULT Huntgroup-Name == somedomain, Autz-Type := LDAP1, Auth-Type := LDAP1
            Fall-Through = no

    DEFAULT Huntgroup-Name == otherdomain, Autz-Type := LDAP2, Auth-Type := LDAP2
            Fall-Through = no
Re: Accounting question for EAP-TTLS for Pre 2
Paul,

Would you, by chance, have an example of the start and stop accounting packets the device generates? And one other question (since I can not find any information on the D-Link site)... Do you know if the DI-774 generates radius accounting packets as well??? My application requires a router (mainly to allow implementation of multiple networks on the same wire)...

TIA !!!

Gary N. McKinney
Network Administrator
Computer Services Dept.
Brevard County Library System

-- Original Message --
From: Paul Bender <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 15 Jun 2004 07:51:23 -0700

> How much is inexpensive?
>
> At home, I use a D-Link DWL 7000AP (an a/b/g access point with 802.1x
> and WPA) that generated RADIUS accounting information.
>
> Gary McKinney wrote:
>> A followup for all...
>>
>> I have been looking for an inexpensive WAP (Wireless Access Point) or WRT (Wireless
>> Router) that sends the Radius Accounting information to the Radius Server - to date
>> I have NOT found any of the inexpensive WAP or WRT devices which send the
>> accounting information to the Radius Server...
>>
>> If anyone knows of such a critter I would be very interested as I have several
>> applications that can use the accounting information!
>>
>> I suspect if we all start asking for such functionality the vendors might start
>> putting the feature in the NAS devices. Just a thought (I bug them once a week
>> myself!)
>>
>> Gary N. McKinney
>> Network Administrator
>> Computer Services Dept.
>> Brevard County Library System
>>
>> -- Original Message --
>> From: "Alan DeKok" <[EMAIL PROTECTED]>
>> Reply-To: [EMAIL PROTECTED]
>> Date: Tue, 15 Jun 2004 09:30:00 -0400
>>
>>> "Michael Ding" <[EMAIL PROTECTED]> wrote:
>>>> I have been playing with FreeRadius for a few weeks in the following
>>>> environment: Funk Software Odyssey Client + Belken wireless router +
>>>> FreeRadius 1.0.0 Pre2. Finally, I got the system working last night, but
>>>> I found out a problem with the accounting file.
>>>>
>>>> I turned on detail, auth_detail and reply_detail files. But only auth_detail
>>>> & reply_detail are generated when EAP-TTLS is used. I used radtest with
>>>> CHAP, I found all 3 files are generated.
>>>
>>>   No, you didn't. The "detail" module logs only accounting requests,
>>> and when you send a CHAP authentication request using "radtest", it
>>> doesn't send an accounting request.
>>>
>>>> Is this a desired behavior for EAP-TTLS? If so, how do I generate billing
>>>> info for my wireless usage?
>>>
>>>   See the FAQ. Your NAS has to send accounting information for the
>>> server to be able to log it.
>>>
>>>   Alan DeKok.
Re: Authenticating to different LDAP servers
Michael Check <[EMAIL PROTECTED]> wrote:
> This was the first try in thinking that the Authentication would cascade
> through the servers.

  Not unless you set up a redundant fail-over block.

> OK. I can place them in diff groups as I show below, but how (and where) do
> I set the correct Auth-Type?

  See the "users" file for examples.

  Alan DeKok.
Re: Modify packet proxied to a specific realm [Solved with a few questions]
ied. The same thing happened for accounting packets also.

2) The solution with autz-type and acct-type - Here are the relevant parts from the working config:

    authorize {
        preprocess
        chap
        realmslash
        suffix
        #
        #  Read the 'users' file
        files
        Autz-Type WLANRoaming {
            addLocationId
            addLocationName
            addLogoffUrl
        }
        mschap
    }

In the users file:

    DEFAULT Suffix == "@testrealm", Autz-Type := WLANRoaming

    preacct {
        preprocess
        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
        realmslash
        suffix
        #
        #  Read the 'acct_users' file
        files
    }

    accounting {
        acct_unique
        Acct-Type WLANRoaming {
            addLocationId
            addLocationName
            detail
            sql1
        }
    }

In the acct_users file:

    DEFAULT Suffix == "@testrealm", Acct-Type := WLANRoaming

With this configuration everything works as expected. The packets are modified before they get proxied and are modified only for the testrealm. Part of the debugging output:

    rad_recv: Access-Request packet from host 212.205.85.239:4422, id=220, length=103
            Acct-Session-Id = "01C9"
            User-Name = "[EMAIL PROTECTED]"
            User-Password = "usera"
            NAS-IP-Address = 212.205.178.115
            NAS-Port = 0
            NAS-Port-Type = Virtual
            Proxy-State = 0x6f70656e65745f776c616e
    modcall: entering group authorize for request 2
    ...
    rlm_realm: Preparing to proxy authentication request to realm "testrealm"
      modcall[authorize]: module "suffix" returns updated for request 2
        users: Matched DEFAULT at 71
      modcall[authorize]: module "files" returns ok for request 2
      modcall[authorize]: module "mschap" returns noop for request 2
    modcall: group authorize returns updated for request 2
    modcall: entering group Autz-Type for request 2
    radius_xlat:  'isocc=gr,cc=30,ac=21,network=otenet'
    rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr,cc=30,ac=21,network=otenet'
      modcall[authorize]: module "addLocationId" returns ok for request 2
    radius_xlat:  'OTENET,hotspot'
    rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
      modcall[authorize]: module "addLocationName" returns ok for request 2
    radius_xlat:  'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
    rlm_attr_rewrite: Added attribute WISPr-Logoff-URL with value 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
      modcall[authorize]: module "addLogoffUrl" returns ok for request 2
    modcall: group Autz-Type returns ok for request 2
    Sending Access-Request of id 2 to 212.205.178.120:1812
            User-Name = "usera"
            Acct-Session-Id = "01C9"
            User-Password = "usera"
            NAS-IP-Address = 212.205.178.115
            NAS-Port = 0
            NAS-Port-Type = Virtual
            Proxy-State = 0x6f70656e65745f776c616e
            WISPr-Location-ID = "isocc=gr,cc=30,ac=21,network=otenet"
            WISPr-Location-Name = "OTENET,hotspot"
            WISPr-Logoff-URL = "https://192.168.3.3:8443/accountLogoff/home?confirmed=true"
            Proxy-State = 0x323230
    ...
    rad_recv: Accounting-Request packet from host 212.205.85.239:4423, id=221, length=175
            NAS-IP-Address = 212.205.178.115
            NAS-Port = 0
            NAS-Port-Type = Virtual
            User-Name = "[EMAIL PROTECTED]"
            Acct-Status-Type = Start
            Class = 0x5342522d434c20444e3d225553455241222041543d22302200
            Class = 0x5342522d434c20444e3d225553455241222041543d22302200
            Service-Type = Framed-User
            Acct-Session-Id = "01C9"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.5.115
            Event-Timestamp = "Jun 15 2004"
            Acct-Delay-Time = 0
            Proxy-State = 0x6f70656e65745f776c616e
    modcall: entering group preacct for request 4
    ...
    rlm_realm: Found realm "testrealm"
    rlm_realm: Adding Stripped-User-Name = "usera"
    rlm_realm: Proxying request from user usera to realm testrealm
    rlm_realm: Adding Realm = "testrealm"
    rlm_realm: Preparing to proxy accounting request to realm "testrealm"
      modcall[preacct]: module "suffix" returns updated for request 4
        acct_users: Matched DEFAULT at 17
      modcall[preacct]: module "files" returns ok for request 4
    modcall: group preacct re
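The three configurations in this thread (the preproxy_users entries keyed on User-Name and Packet-Type, the huntgroups entries that set Autz-Type and Auth-Type per NAS, and the Suffix entries above that set Autz-Type and Acct-Type) are all instances of the same users-file rules: the check items on an entry's first line decide whether it applies, a ':=' among the check items sets a control attribute once the entry has matched, the indented reply items are added to the reply, and matching stops after the first hit unless that entry says Fall-Through = yes. The following is an added example written for this page, not FreeRADIUS's rlm_files nor anything from the posters, that emulates that evaluation over constructed tables so the effect of entry order and Fall-Through can be checked offline. The Suffix and Huntgroup-Name derivation is a simplified stand-in for what the suffix and preprocess modules do, and the attribute values are placeholders.

```python
import re

# Constructed huntgroups and users tables in the FreeRADIUS "users" syntax:
# name, check items on the first line, reply items on the indented lines.
HUNTGROUPS = """\
somedomain   NAS-IP-Address == 1.1.1.1
otherdomain  NAS-IP-Address == 2.2.2.2
"""

USERS = """\
DEFAULT User-Name =~ "@testrealm$", Packet-Type == Access-Request
        Wispr-Location-Id = "foo",
        Wispr-LocationName = "bar",
        Fall-Through = yes

DEFAULT Suffix == "@testrealm", Acct-Type := WLANRoaming
        Fall-Through = yes

DEFAULT Huntgroup-Name == somedomain, Autz-Type := LDAP1, Auth-Type := LDAP1
        Fall-Through = no

DEFAULT Huntgroup-Name == otherdomain, Autz-Type := LDAP2, Auth-Type := LDAP2
        Fall-Through = no
"""

# attribute, operator, quoted-or-bare value; quoted values may hold commas
ITEM_RE = re.compile(r'([\w-]+)\s*(=~|==|:=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_items(text):
    """(name, op, value) triples; surrounding quotes are removed."""
    return [(n, op, v[1:-1] if v.startswith('"') else v)
            for n, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """One (name, check_items, reply_items) per blank-line separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = lines[0].split(None, 1)
        checks = parse_items(head[1]) if len(head) > 1 else []
        entries.append((head[0], checks, parse_items("\n".join(lines[1:]))))
    return entries


def parse_huntgroups(text):
    """One (name, check_items) per line."""
    return [(l.split(None, 1)[0], parse_items(l.split(None, 1)[1]))
            for l in text.strip().splitlines()]


def evaluate_checks(checks, request):
    """Compare each check item; ':=' items are collected and returned so the
    caller applies them only when the whole entry matched."""
    sets = {}
    for name, op, value in checks:
        if op == ":=":
            sets[name] = value
        elif op == "=~":
            if not re.search(value, request.get(name, "")):
                return False, {}
        elif request.get(name) != value:          # '==' and plain '=' compare
            return False, {}
    return True, sets


def add_suffix(request):
    """Stand-in for the suffix module: expose the '@realm' part as Suffix."""
    user = request.get("User-Name", "")
    if "@" in user:
        request["Suffix"] = "@" + user.rsplit("@", 1)[1]


def apply_huntgroups(groups, request):
    """First huntgroup whose checks match becomes the request's Huntgroup-Name."""
    for name, checks in groups:
        if evaluate_checks(checks, request)[0]:
            request["Huntgroup-Name"] = name
            return name
    return None


def match_users(entries, request):
    """Walk entries in order; stop after the first match unless its reply
    items say Fall-Through = yes.  Returns (control, reply) dicts."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        ok, sets = evaluate_checks(checks, request)
        if not ok:
            continue
        control.update(sets)
        fall_through = False
        for attr, _op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("yes", "1")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


def authorize(request):
    """Toy pipeline: realm suffix, huntgroups, then the users table."""
    req = dict(request)
    add_suffix(req)
    apply_huntgroups(parse_huntgroups(HUNTGROUPS), req)
    return match_users(parse_users(USERS), req)


if __name__ == "__main__":
    print(authorize({"User-Name": "usera@testrealm", "Packet-Type": "Access-Request",
                     "NAS-IP-Address": "1.1.1.1"}))
```

Running it on an Access-Request from usera@testrealm at NAS 1.1.1.1 yields the two Wispr reply items from the first entry, Acct-Type from the Suffix entry, and Autz-Type/Auth-Type LDAP1 from the huntgroup entry; change the first entry's Fall-Through to no and the later entries never run, which is exactly the ordering question behind the "Fall-Through = no" lines in the huntgroups answer.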
Re: Freeradius-Users digest, Vol 1 #3362 - 15 msgs
I ran crle as you mentioned, and /usr/local/lib is there in the path... Not sure if I'm going to spend too much more time on this one. Thinking of using a RedHat box and be done with it.

Thanks for the help.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

- Original Message -
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 10:39 am
Subject: Freeradius-Users digest, Vol 1 #3362 - 15 msgs
Re: Authenticating to different LDAP servers
On 6/15/04 8:05 AM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:

>> authenticate {
>>     # Uncomment it if you want to use ldap for authentication
>>     authtype LDAP {
>>         ldap1
>>         ldap2
>>     }
>
>   You've put BOTH ldap modules into one group. Why?

This was the first try in thinking that the Authentication would cascade through the servers. I had set up diff groups in testing, but couldn't get freeRADIUS to come up with the correct Auth-Type (like you suggest below).

>> How can we get freeRADIUS to know that we're authenticating off the _second_
>> LDAP server?
>
>   Put the ldap modules into different authtype groups: LDAP1 and
> LDAP2, and then set Auth-Type to one of LDAP1 or LDAP2.

OK. I can place them in diff groups as I show below, but how (and where) do I set the correct Auth-Type?

    authenticate {
        authtype LDAP1 {
            ldap1
        }
        authtype LDAP2 {
            ldap2
        }
    }

Thanks in advance,

Michael Check
Solo Group, Inc.
--
[EMAIL PROTECTED]
www.sologroup.com
Re: Accounting question for EAP-TTLS for Pre 2
How much is inexpensive?

At home, I use a D-Link DWL 7000AP (an a/b/g access point with 802.1x and WPA) that generated RADIUS accounting information.

Gary McKinney wrote:
> A followup for all...
>
> I have been looking for an inexpensive WAP (Wireless Access Point) or WRT (Wireless
> Router) that sends the Radius Accounting information to the Radius Server - to date
> I have NOT found any of the inexpensive WAP or WRT devices which send the
> accounting information to the Radius Server...
>
> If anyone knows of such a critter I would be very interested as I have several
> applications that can use the accounting information!
>
> I suspect if we all start asking for such functionality the vendors might start
> putting the feature in the NAS devices. Just a thought (I bug them once a week
> myself!)
>
> Gary N. McKinney
> Network Administrator
> Computer Services Dept.
> Brevard County Library System
>
> -- Original Message --
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 15 Jun 2004 09:30:00 -0400
>
>> "Michael Ding" <[EMAIL PROTECTED]> wrote:
>>> I have been playing with FreeRadius for a few weeks in the following
>>> environment: Funk Software Odyssey Client + Belken wireless router +
>>> FreeRadius 1.0.0 Pre2. Finally, I got the system working last night, but
>>> I found out a problem with the accounting file.
>>>
>>> I turned on detail, auth_detail and reply_detail files. But only auth_detail
>>> & reply_detail are generated when EAP-TTLS is used. I used radtest with
>>> CHAP, I found all 3 files are generated.
>>
>>   No, you didn't. The "detail" module logs only accounting requests,
>> and when you send a CHAP authentication request using "radtest", it
>> doesn't send an accounting request.
>>
>>> Is this a desired behavior for EAP-TTLS? If so, how do I generate billing
>>> info for my wireless usage?
>>
>>   See the FAQ. Your NAS has to send accounting information for the
>> server to be able to log it.
>>
>>   Alan DeKok.
Re: EAP/TLS - seg fault with bad certificate
Antonio Tamborino <[EMAIL PROTECTED]> wrote:
> Any idea?

  doc/bugs

> the report above is with FR 1.0.0pre2 compiled with Openssl 0.9.7d and 0.9.6m

  Uh.. both? That's bad.

  Alan DeKok.
Re: Modify packet proxied to a specific realm
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> Thanks Alan, I thought I would. But which module should I use?

raddb/preproxy_users

It should be obvious from there.

Alan DeKok.
Re: Freeradius and OpenLdap
On Tuesday, 15 June 2004 16:20, Jawhar TAZI wrote:
> Hi Everybody,
>
> Does anybody know please why each time I am trying to create a new object
> radiusprofile in my directory of openldap I've got the message:
>
> 04:09:53 PM: Failed to add new entry cn=dial,ou=univ-montp3,c=fr
> Root error: [LDAP: error code 65 - no structural object class provided]
>
> I have added the schema (radius-ldap.v3) in the conf file.
>
> Have you ever had this problem?
>
> Thank You

Hi,

the radius-ldap file is NOT structural. You need a structural class:

1) Make Radius-LDAP structural. There are files on the internet.
2) Add also a structural class like inetorgperson.schema.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Freeradius and OpenLdap
Hi Everybody,

Does anybody know please why each time I am trying to create a new object radiusprofile in my directory of openldap I've got the message:

04:09:53 PM: Failed to add new entry cn=dial,ou=univ-montp3,c=fr
Root error: [LDAP: error code 65 - no structural object class provided]

I have added the schema (radius-ldap.v3) in the conf file.

Have you ever had this problem?

Thank You
Re: rlm_expr question
"nsinit" <[EMAIL PROTECTED]> wrote:
> 3. radreply table:
> id  UserName  Attribute      op  Value
> 1   ylei      Reply-Message  :=  %{expr: %{Call-Refrence}}

You have to put the Value in back-quotes:

  `%{expr: %{Call-Refrence}}`

Alan DeKok.
Re: configuring freeradius on freebsd 4.10
On Tue, Jun 15, 2004 at 09:14:16AM +0200, Darko Kalevski wrote:
> >>> Because FreeBSD doesn't support shadow passwords, if I remember the
> >>> code correctly, you have to comment out passwd= and shadow= to get
> >>> system password file authentication that uses master.passwd.
> >
> > Which is how the server comes configured by default. There are also
> > comments in radiusd.conf SPECIFICALLY MENTIONING FREEBSD.
> >
> > So... you edited "radiusd.conf" to change the default
> > configuration, but didn't read the comments directly above the
> > section you were editing.
> >
> > What kind of documentation could we have to include in the server so
> > that you would read it?
>
> Oh come on, I didn't know how FreeBSD deals with passwords, that means
> the words -lookups are done via database- didn't mean to me that it doesn't
> use the shadow file... I still don't know some aspects of this OS so I'm still
> learning, nothing about FreeRadius :) ... so maybe you could write
> "FreeBSD doesn't use the shadow file in the manner Linux does", as it is not
> mentioned a lot... neither is it in the handbook, I think...

He meant the following chunk of text:

  # To force the module to use the system password functions,
  # instead of reading the files, leave the following entries
  # commented out.
  #
  # This is required for some systems, like FreeBSD,
  # and Mac OSX.
  #
  # passwd = /etc/passwd
  # shadow = /etc/shadow
  # group = /etc/group

I can see that it might not be clear that the comment applies to the preceding paragraph... Maybe that should be one paragraph...

--
Paul "TBBle" Hampson, on an alternate email client.
Re: Accounting question for EAP-TTLS for Pre 2
A followup for all...

I have been looking for an inexpensive WAP (Wireless Access Point) or WRT (Wireless Router) that sends the Radius Accounting information to the Radius Server - to date I have NOT found any of the inexpensive WAP or WRT devices which send the accounting information to the Radius Server...

If anyone knows of such a critter I would be very interested as I have several applications that can use the accounting information!

I suspect if we all start asking for such functionality the vendors might start putting the feature in the NAS devices. Just a thought (I bug them once a week myself!)

Gary N. McKinney
Network Administrator
Computer Services Dept.
Brevard County Library System

-- Original Message --
From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 15 Jun 2004 09:30:00 -0400

> "Michael Ding" <[EMAIL PROTECTED]> wrote:
>> I have been playing with FreeRadius for a few weeks in the following
>> environment: Funk Software Odyssey Client + Belkin wireless router + FreeRadius 1.0.0
>> Pre2. Finally, I got the system working last night, but I found a
>> problem with the accounting file. I turned on the detail, auth_detail and reply_detail
>> files. But only auth_detail & reply_detail are generated when EAP-TTLS is
>> used. I used radtest with CHAP, and I found all 3 files are generated.
>
> No, you didn't. The "detail" module logs only accounting requests,
> and when you send a CHAP authentication request using "radtest", it
> doesn't send an accounting request.
>
>> Is this the desired behavior for EAP-TTLS? If so, how do I generate billing
>> info for my wireless usage?
>
> See the FAQ. Your NAS has to send accounting information for the
> server to be able to log it.
>
> Alan DeKok.
Re: copying accounting
Alexander Serkin <[EMAIL PROTECTED]> wrote:
> radrelay seems to do more than I need.

So? Replicate-To-Realm won't work. If it does, you're using an older version of the server, and that feature will STOP working when you upgrade. Don't use Replicate-To-Realm.

> Actually the task is to copy accounting for specific CLIDs of roaming
> users to their home AAA server.
>
> radrelay works directly with the detail file which contains not only
> roaming CLIDs.

So... configure the server to have a variant of the detail module which is used only to log the roaming users.

Alan DeKok.
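The thread above turns on two things the detail file carries: per-session byte and packet counters (the octets-versus-packets question that started the accounting discussion) and the Calling-Station-Id that identifies a roaming caller. The following is an added example written for this digest, not code from the thread or from FreeRADIUS. It parses records in the on-disk format rlm_detail writes (a timestamp line, tab-indented "Attribute = value" lines, a blank line ending each record), computes octets per packet in each direction from Stop records, and splits records by CLID prefix, which is the offline equivalent of feeding only roaming callers to a second detail instance as suggested above. The sample records and the "7095" roaming prefix are constructed for the example.

```python
"""Parse FreeRADIUS "detail" accounting records and split out roaming callers.

Added example, not from the mailing-list thread or the FreeRADIUS project.
It assumes the standard rlm_detail on-disk format: a timestamp line, one
tab-indented "Attribute = value" line per attribute, and a blank line ending
each record.  The sample records below are constructed; the "7095" caller
prefix used to mark roaming users is a hypothetical example value.
"""
import re
from collections import defaultdict

# Constructed sample detail file: a Stop record from a "roaming" caller, then a
# Start and a Stop record from a local caller.
SAMPLE_DETAIL = """\
Tue Jun 15 10:05:12 2004
\tAcct-Session-Id = "3A2F0001"
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tCalling-Station-Id = "70951234567"
\tAcct-Input-Octets = 153600
\tAcct-Output-Octets = 2048000
\tAcct-Input-Packets = 1200
\tAcct-Output-Packets = 1600
\tAcct-Session-Time = 600

Tue Jun 15 10:07:45 2004
\tAcct-Session-Id = "3A2F0002"
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tCalling-Station-Id = "4951110000"

Tue Jun 15 10:40:02 2004
\tAcct-Session-Id = "3A2F0002"
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tCalling-Station-Id = "4951110000"
\tAcct-Input-Octets = 51200
\tAcct-Output-Octets = 512000
\tAcct-Input-Packets = 800
\tAcct-Output-Packets = 700
\tAcct-Session-Time = 1937
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """Return a list of records: {'timestamp': str, 'attrs': {name: value}}.
    Quoted string values lose their quotes; everything else stays text."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current:
                records.append(current)
            current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current['attrs'][m.group(1)] = value
        elif not line[0].isspace():          # unindented line starts a record
            current = {'timestamp': line.strip(), 'attrs': {}}
    if current:
        records.append(current)
    return records


def stop_usage(records):
    """Per-session octet and packet counters from Stop records, plus the
    octets-per-packet ratio for each direction."""
    usage = {}
    for rec in records:
        a = rec['attrs']
        if a.get('Acct-Status-Type') != 'Stop':
            continue
        in_oct, out_oct = int(a.get('Acct-Input-Octets', 0)), int(a.get('Acct-Output-Octets', 0))
        in_pkt, out_pkt = int(a.get('Acct-Input-Packets', 0)), int(a.get('Acct-Output-Packets', 0))
        usage[a['Acct-Session-Id']] = {
            'user': a.get('User-Name'),
            'in_octets': in_oct, 'out_octets': out_oct,
            'in_octets_per_packet': in_oct / in_pkt if in_pkt else 0.0,
            'out_octets_per_packet': out_oct / out_pkt if out_pkt else 0.0,
        }
    return usage


def split_roaming(records, roaming_prefixes):
    """Bucket records by Calling-Station-Id prefix ('roaming' vs 'local')."""
    buckets = defaultdict(list)
    for rec in records:
        clid = rec['attrs'].get('Calling-Station-Id', '')
        kind = 'roaming' if clid.startswith(tuple(roaming_prefixes)) else 'local'
        buckets[kind].append(rec)
    return dict(buckets)


if __name__ == '__main__':
    recs = parse_detail(SAMPLE_DETAIL)
    for sid, u in stop_usage(recs).items():
        print(sid, u)
    print({k: len(v) for k, v in split_roaming(recs, ['7095']).items()})
```

Only Stop records carry final counters, so the Start record is skipped by stop_usage but still lands in the roaming/local split; a forwarding job would normally want both, so the home server sees the session open and close.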
Re: copying accounting
radrelay seems to do more than I need.
Actually the task is to copy accounting for specific CLIDs of roaming users to their home AAA server.

radrelay works directly with the detail file which contains not only roaming CLIDs.

Alan DeKok wrote:
> Alexander Serkin <[EMAIL PROTECTED]> wrote:
>> Replicate-To-Realm seems to do what I want.
>> Copying accounting matching the check item in acct_users
>> to the realm specified while storing this accounting locally.
>> Am I right?
>
> That attribute is not supported. Use radrelay.
>
> Alan DeKok.

--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084
Re: Accounting question for EAP-TTLS for Pre 2
"Michael Ding" <[EMAIL PROTECTED]> wrote:
> I have been playing with FreeRadius for a few weeks in the following
> environment: Funk Software Odyssey Client + Belkin wireless router + FreeRadius 1.0.0
> Pre2. Finally, I got the system working last night, but I found a
> problem with the accounting file. I turned on the detail, auth_detail and reply_detail
> files. But only auth_detail & reply_detail are generated when EAP-TTLS is
> used. I used radtest with CHAP, and I found all 3 files are generated.

No, you didn't. The "detail" module logs only accounting requests, and when you send a CHAP authentication request using "radtest", it doesn't send an accounting request.

> Is this the desired behavior for EAP-TTLS? If so, how do I generate billing
> info for my wireless usage?

See the FAQ. Your NAS has to send accounting information for the server to be able to log it.

Alan DeKok.
Re: radius log
"apellido jr., wilfredo p." <[EMAIL PROTECTED]> wrote:
> Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter)
> successfully and it authenticates perfectly but I don't see any stop
> message in radius.log.

Accounting packets aren't logged to radius.log.

Alan DeKok.
Re: copying accounting
Alexander Serkin <[EMAIL PROTECTED]> wrote:
> Replicate-To-Realm seems to do what I want.
> Copying accounting matching the check item in acct_users
> to the realm specified while storing this accounting locally.
> Am I right?

That attribute is not supported. Use radrelay.

Alan DeKok.
Re: copying accounting
I thought radrelay was the way to replicate accounting to other servers.

Alexander Serkin wrote:
> Replicate-To-Realm seems to do what I want.
> Copying accounting matching the check item in acct_users
> to the realm specified while storing this accounting locally.
> Am I right?
>
> Alexander Serkin wrote:
>> Is it possible to keep accounting for several realms locally along with
>> sending it to a third party AAA server?
>> I.e. I need to write accounting for customers visiting us from another
>> network, but also send it to their home AAA server.
Re: copying accounting
Replicate-To-Realm seems to do what I want.
Copying accounting matching the check item in acct_users to the realm specified while storing this accounting locally.
Am I right?

Alexander Serkin wrote:
> Is it possible to keep accounting for several realms locally along with
> sending it to a third party AAA server?
> I.e. I need to write accounting for customers visiting us from another
> network, but also send it to their home AAA server.

--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084
Problem compiling: cannot find the library `../rlm_eap_tls/rlm_eap_tls.la'
Hi,

I am trying to compile the latest snapshot: 20040615, but make results in an error:

/root/freeradius-snapshot-20040615/libtool --mode=link gcc -release 1.1.0-pre0 \
  -module -export-dynamic -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap \
  -o rlm_eap_peap.la -rpath /usr/local/lib rlm_eap_peap.lo peap.lo ../../../../lib/libradius.la \
  ../rlm_eap_tls/rlm_eap_tls.la -L./../../libeap -leap -lcrypto -lssl -lnsl -lresolv -lpthread
libtool: link: cannot find the library `../rlm_eap_tls/rlm_eap_tls.la'

There is no rlm_eap_tls.la in the indicated directory. Perhaps make tries to compile the eap_peap module before the eap_tls module due to alphabetic order? Or is there another reason? Any way out?

System:
- SuSE 8.1 (yes, I know it's old but at the moment I have to use it).
- OpenSSL patched to 0.96g

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: Freeradius-Users digest, Vol 1 (Re: Won't run on Solaris 8)
Ken Connell wrote:
> PATH = /usr/local/bin:/usr/bin:/usr/sbin:/usr/ucb:
> Radiusd is in /usr/local/sbin
> libradius-0.9.3.so is in /usr/local/lib/
>
> What is crle ? (I'm a bit of a Linux/Unix newbie).
>
> Ken Connell

crle (on Solaris) sets/shows the library paths. A bit like ldconfig on Linux, I think. Run crle and see what the output is. Mine looks like this:

$ crle
Configuration file [3]: /var/ld/ld.config
  Default Library Path (ELF): /usr/lib:/usr/local/lib:/usr/local/ssl/lib
  Trusted Directories (ELF): /usr/lib/secure (system default)
Command line:
  crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib
$

You need to make sure /usr/local/lib is in your default library path. If it isn't, you will need to do something like:

$ crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib

I'm a bit sketchy on all this myself; I'm just passing on what has worked for me. Of course you should be able to do a 'man crle' to get all the nitty-gritty info. If /usr/local/lib is already there (in your default path) then I'm not sure why your library can't be found... maybe something to do with the way freeradius was compiled. I find Solaris very frustrating at times, especially using GNU tools mixed with Sun tools.

Hope this helps.

Cam

PS you can also use ldd to see what libraries it needs and if it can find them.

> Intermediate Network Engineer
> Computer & Communication Services
> Ryerson University
> 350 Victoria St RM AB50
>
> --__--__--
>
> Message: 3
> Date: Tue, 15 Jun 2004 09:36:05 +1000
> From: Cameron Gregg <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Won't run on Solaris 8
> Reply-To: [EMAIL PROTECTED]
>
> Ken Connell wrote:
>> FreeRadius 0.9.3
>> It's been great on Redhat, but on a Solaris 8 box I get the following:
>> fatal: libradius-0.9.3.so: open failed: No such file or directory
>
> What directory is your libradius-0.9.3.so in? Also where is radiusd?
> Could be a library path issue... what is the output of crle?
>
> Cam
Re: unknown client
"Timothy Tan" <[EMAIL PROTECTED]> wrote:
> I had a similar problem when I tried out the freeradius-1.0.0-pre1 build
> with fedora core 2... whenever I try to get my cisco AP to auth with
> freeradius, I get the same unknown client message, and the IP is already
> added in the clients.conf file...

Hmmm... I don't run fedora, but it works for me here, even 0.0.0.0/0.

Alan DeKok.
Re: Authenticating to different LDAP servers
Michael Check <[EMAIL PROTECTED]> wrote:
> So debugging shows that the authorize section works as expected, but, also
> as expected, it tries to authenticate off the _first_ LDAP server only and
> fails.

Because that's what you told it to do.

> authenticate {
>         # Uncomment it if you want to use ldap for authentication
>         authtype LDAP {
>                 ldap1
>                 ldap2
>         }

You've put BOTH ldap modules into one group. Why?

> How can we get freeRADIUS to know that we're authenticating off the _second_
> LDAP server?

Put the ldap modules into different authtype groups: LDAP1 and LDAP2, and then set Auth-Type to one of LDAP1 or LDAP2.

Alan DeKok.
Re: Freeradius-Users digest, Vol 1 #3358 - 8 msgs
PATH = /usr/local/bin:/usr/bin:/usr/sbin:/usr/ucb:
Radiusd is in /usr/local/sbin
libradius-0.9.3.so is in /usr/local/lib/

What is crle ? (I'm a bit of a Linux/Unix newbie).

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

- Original Message -
From: [EMAIL PROTECTED]
Date: Tuesday, June 15, 2004 0:26 am
Subject: Freeradius-Users digest, Vol 1 #3358 - 8 msgs

> Send Freeradius-Users mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
> Today's Topics:
>
> 1. Re: Setting up a proxy radius server (Alan DeKok)
> 2. test post to list, please ignore (Matthew Schumacher)
> 3. Re: Won't run on Solaris 8 (Cameron Gregg)
> 4. Re: ldap sha1 mschap peap pap (Damjan)
> 5. Authenticating to different LDAP servers (Michael Check)
> 6. unknown client (Timothy Tan)
> 7. Re: rlm_sqlcounter && Max-Daily-Session?? (nsinit)
> 8. radius log (apellido jr., wilfredo p.)
>
> --__--__--
>
> Message: 1
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Setting up a proxy radius server
> Date: Mon, 14 Jun 2004 15:44:56 -0400
> Reply-To: [EMAIL PROTECTED]
>
> "Stephen Petersen" <[EMAIL PROTECTED]> wrote:
>> By the docs it's set up to do proxy.
>> In plain language what conf files need to be edited.
>
> clients.conf & proxy.conf
>
>> I've edited client.conf and proxy.conf and can't get any proxying happening.
>
> Try running it in debug mode, as suggested in the FAQ, README, and INSTALL.
>
> Alan DeKok.
>
> --__--__--
>
> Message: 2
> To: list <[EMAIL PROTECTED]>
> From: Matthew Schumacher <[EMAIL PROTECTED]>
> Subject: test post to list, please ignore
> Date: Mon, 14 Jun 2004 23:59:34 +0200
> Reply-To: [EMAIL PROTECTED]
>
> this is a test
>
> --__--__--
>
> Message: 3
> Date: Tue, 15 Jun 2004 09:36:05 +1000
> From: Cameron Gregg <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Won't run on Solaris 8
> Reply-To: [EMAIL PROTECTED]
>
> Ken Connell wrote:
>> FreeRadius 0.9.3
>> It's been great on Redhat, but on a Solaris 8 box I get the following:
>> fatal: libradius-0.9.3.so: open failed: No such file or directory
>
> What directory is your libradius-0.9.3.so in? Also where is radiusd?
> Could be a library path issue... what is the output of crle?
>
> Cam
>
> --__--__--
>
> Message: 4
> Date: Tue, 15 Jun 2004 01:34:10 +0200
> From: Damjan <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: ldap sha1 mschap peap pap
> Reply-To: [EMAIL PROTECTED]
>
>> TTLS uses different tunneled authentication methods. Check those to
>> see what's possible.
>
> TTLS + PAP should work, doesn't it?
>
> --
> damjan | дамјан
> This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!
>
> --__--__--
>
> Message: 5
> Date: Mon, 14 Jun 2004 20:14:28 -0500
> Subject: Authenticating to different LDAP servers
> From: Michael Check <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
>
> Hello all,
>
> We are using freeRADIUS version 0.9.3 on a MacOSX box running 10.2.6
>
> We have a Patton dial-in access server that is using freeRADIUS to AAA off
> Active Directory running on a W2K box (192.168.2.5) with domain marshall.com
> We have now set up a W2003 server (10.0.1.5) running active directory for a
> domain msi.com
>
> The domains are on separate LANs but completely routable between.
>
> The Patton is on the marshall.com side of the network and uses LDAP through
> freeRADIUS and works great.
>
> Our desire is to configure freeRADIUS to authenticate specific users off the
> msi.com domain also using LDAP.
>
> I configured radiusd.conf to authorize off the new server and it does, but
> when authentication comes around, it tries to authenticate off the first
> LDAP server it finds which is 192.168.2.5
>
> I have tracked the issue to the fact that the radiusd.conf file specifically
> states that authentication does not cascade (fall through?) but
> authorization does.
>
> Here are the conf file areas:
>
> modules {
>         #
>         ldap ldap1 {
>                 server = "192.168.2.5"
>                 identity = "cn=ldapuser,cn=users,dc=marshall,dc=com"
>                 password = foo
>                 basedn = "cn=users,dc=marshall,dc=com"
>                 filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>                 access_attr = "msNPAllowDialin"
>                 password_attribute = userPassword
>                 #
>         }
>         ldap ldap2 {
Re: EAP Authentication
Not really a question for the Freeradius list but:

http://www.webopedia.com/TERM/P/PAP.html covers PAP and http://www.webopedia.com/TERM/E/EAP.html covers EAP...

EAP is much better to use as it allows different password protection schemes whereas PAP just has one method and the password and username are transmitted cleartext...

gm...

- Original Message -
From: "Barath kumar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 15, 2004 6:08 AM
Subject: EAP Authentication

> Hi
>
> What is the advantage of using EAP authentication (in which a challenge
> response is associated) in a RADIUS client.
>
> Is this mode of authentication more secure than an ordinary PAP
> authentication? If yes, please tell me how EAP is more secure than
> PAP.
>
> Regards,
> Barath Kumar.
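The answer above contrasts PAP, where the password itself crosses the link, with a challenge-response exchange. The following is an added example written for this digest (not from the thread or from FreeRADIUS) that makes the difference concrete: PAP is modelled as "send the password", CHAP follows RFC 1994 (the server sends a random challenge, the client returns MD5 over the identifier, the secret and the challenge, and the server recomputes it), and two checks show what a passive observer sees and whether a captured exchange can be replayed. The secret and the protocol wrappers are constructed for the example; no real credential is involved.

```python
"""PAP versus challenge-response (CHAP): what crosses the link and whether
a captured exchange can be replayed.

Added example, not from the thread and not FreeRADIUS code.  PAP is modelled
as "send the password"; CHAP follows RFC 1994: the server sends a random
challenge, the client answers MD5(id | secret | challenge), and the server
recomputes the digest.  The sample secret is constructed.
"""
import hashlib
import hmac
import os

SECRET = b"constructed-sample-password"   # constructed, not a real credential


# ---- PAP: the password itself is the message ----
def pap_client(password):
    return {"password": password}


def pap_server(message, stored_password):
    return hmac.compare_digest(message["password"], stored_password)


# ---- CHAP (RFC 1994) ----
def chap_challenge(ident, length=16):
    """Server side: a fresh random challenge value for this attempt."""
    return {"id": ident, "challenge": os.urandom(length)}


def chap_digest(ident, secret, challenge):
    """MD5 over the identifier byte, the secret and the challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(challenge, secret):
    """Client side: prove knowledge of the secret without sending it."""
    return {"id": challenge["id"],
            "response": chap_digest(challenge["id"], secret, challenge["challenge"])}


def chap_server(challenge, response, stored_secret):
    """Server side: recompute with the stored secret; constant-time compare."""
    if response["id"] != challenge["id"]:
        return False
    expected = chap_digest(challenge["id"], stored_secret, challenge["challenge"])
    return hmac.compare_digest(expected, response["response"])


def password_visible_on_link(protocol):
    """Does a passive observer of one exchange see the password bytes?"""
    if protocol == "pap":
        return pap_client(SECRET)["password"] == SECRET
    captured = chap_response(chap_challenge(1), SECRET)
    return SECRET in captured["response"]


def replay_succeeds(protocol):
    """Feed one captured exchange back to the server a second time.
    PAP: the captured message is the password, so it keeps working.
    CHAP: the server issued a new challenge, so the old digest is rejected."""
    if protocol == "pap":
        captured = pap_client(SECRET)
        return pap_server(captured, SECRET)
    first = chap_challenge(7)
    captured = chap_response(first, SECRET)
    if not chap_server(first, captured, SECRET):
        raise RuntimeError("the live CHAP exchange should succeed")
    second = chap_challenge(7)            # same id, new random challenge
    return chap_server(second, captured, SECRET)


if __name__ == "__main__":
    for proto in ("pap", "chap"):
        print(proto, "password visible:", password_visible_on_link(proto),
              "replay works:", replay_succeeds(proto))
```

The point the thread makes is the transport one: with a challenge-response method the secret never leaves the client and an intercepted exchange is useless against a later challenge. It does not make CHAP strong by modern standards (a captured challenge/response pair can still be guessed against offline), which is one reason EAP methods such as TTLS and PEAP carry the inner exchange inside a TLS tunnel.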
EAP Authentication
Hi

What is the advantage of using EAP authentication (in which a challenge response is associated) in a RADIUS client.

Is this mode of authentication more secure than an ordinary PAP authentication? If yes, please tell me how EAP is more secure than PAP.

Regards,
Barath Kumar.
copying accounting
Is it possible to keep accounting for several realms locally along with sending it to a third party AAA server?
I.e. I need to write accounting for customers visiting us from another network, but also send it to their home AAA server.

--
SY,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084
rlm_expr question
Can I return the same VALUE_PAIR in the Access-Accept packet as in the Access-Request packet? For example, "Call-Refrence = 2" in the Access-Request packet, and then return "Call-Refrence = 2" in the Access-Accept packet. I am using rlm_expr, but failed. (freeradius 0.9.2 + rlm_pap + rlm_expr + rlm_sql_mysql + rlm_sqlcounter)

1.
[EMAIL PROTECTED] main]# ./radauth ylei ylei
Sending Access-Request of id 239 to 10.1.16.250:1812
        User-Name = "ylei"
        User-Password = "ylei"
        NAS-IP-Address = "127.0.0.1"
        Call-Refrence = 2                                  --> our own Attribute
        NAS-Port = 6
rad_recv: Access-Accept packet from host 10.1.16.250:1812 id=239, length=62
        Reply-Message = "2"
        Call-Refrence-Ack = "%{expr: %{Call-Refrence}}"    --> our own Attribute
        Session-Timeout = 6000

2. dictionary file
VENDOR SZHTP
ATTRIBUTE Call-Refrence 0 Integer VENDOR
ATTRIBUTE Call-Refrence-Ack 1 String VENDOR    // String: same as Reply-Message
.. referring to /usr/local/share/freeradius/dictionary:
ATTRIBUTE Reply-Message 18 String

3. radreply table:
id  UserName  Attribute          op  Value
1   ylei      Reply-Message      :=  %{expr: %{Call-Refrence}}
2   ylei      Call-Refrence-Ack  :=  %{expr: %{Call-Refrence}}
3   ylei      Call-Refrence      :=  %{expr: %{Call-Refrence}}

Can anyone tell me why I can't get what I want?

PS: WHERE is the function expr_xlat() in rlm_expr.c called?? I will debug the above if I know.
EAP/TLS - seg fault with bad certificate
Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=229, length=192
        Framed-MTU = 1466
        NAS-IP-Address = 10.0.1.1
        NAS-Identifier = "stecca2"
        User-Name = "ibook_vecchio"
        Service-Type = Framed-User
        NAS-Port = 255
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "wl0"
        Called-Station-Id = "00-03-93-ea-4a-94"
        Calling-Station-Id = "00-30-65-13-a4-45"
        Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
        EAP-Message = 0x020100120169626f6f6b5f7665636368696f
        Message-Authenticator = 0xd408e082a45244b5c1a3446acff3820f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 229 to 193.204.77.19:1024
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0x83eab2ee569aefc3149e9dfacd789400
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=230, length=294
        Framed-MTU = 1466
        NAS-IP-Address = 10.0.1.1
        NAS-Identifier = "stecca2"
        User-Name = "ibook_vecchio"
        Service-Type = Framed-User
        NAS-Port = 255
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "wl0"
        Called-Station-Id = "00-03-93-ea-4a-94"
        Calling-Station-Id = "00-30-65-13-a4-45"
        Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
        State = 0x83eab2ee569aefc3149e9dfacd789400
        EAP-Message = 0x020200660d80005c16030100570153030140ceaf630bb681e0908db6d6aa2fd4dd8e6239b41980c496c4bfdc712089309d2c00050004000aff830009ff82000300080006ff810016001500140013001200110018001b001a001700190100
        Message-Authenticator = 0x47edfe2a1c5c9b092447666fa8d37337
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
  modcall[authorize]: module "auth_log" returns ok for request 1
  rlm_eap: EAP packet type response id 2 length 102
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
  modcall[authorize]: module &
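The EAP-Message values in the debug output above can be checked by hand against what rlm_eap reports ("EAP packet type response id 1 length 18", the EAP-TLS Start challenge). The following is an added example written for this digest, not code from the report or from FreeRADIUS. It decodes the RFC 3748 EAP header (Code, Identifier, Length, Type), the Identity payload, and the EAP-TLS flags byte (RFC 2716: L = length included, M = more fragments, S = start), and it rejects an attribute whose Length field disagrees with the bytes present. The two sample values in the usage are the id-1 Identity response and the id-2 Start request from the log; the truncated value is constructed.

```python
"""Decode EAP-Message attribute values as printed by radiusd -X.

Added example, not part of the original report or of FreeRADIUS.  Parses the
EAP header (RFC 3748) and, for EAP-TLS (Type 13, RFC 2716), the flags byte.
A Length field that disagrees with the bytes present raises ValueError, which
is how a truncated or tampered attribute shows up.
"""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def decode_eap_message(hex_value):
    """Return a dict describing one EAP packet given as a "0x..." hex string."""
    raw = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(data))
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("Length field %d but %d bytes present" % (length, len(data)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                      # Success/Failure carry no Type byte
        return info
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    payload = data[5:]
    if eap_type == 1:                       # Identity: the rest is the NAI/name
        info["identity"] = payload.decode("utf-8", "replace")
    elif eap_type == 13 and payload:        # EAP-TLS: flags, optional length, TLS data
        flags = payload[0]
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20)}
        rest = payload[1:]
        if flags & 0x80 and len(rest) >= 4:
            info["tls_message_length"] = int.from_bytes(rest[:4], "big")
            rest = rest[4:]
        info["tls_data_bytes"] = len(rest)
    return info


def is_well_formed(hex_value):
    """True when the attribute parses and its Length field matches its size."""
    try:
        decode_eap_message(hex_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Identity response and EAP-TLS Start request, as they appear in the log above.
    for sample in ("0x020100120169626f6f6b5f7665636368696f", "0x010200060d20"):
        print(sample, "->", decode_eap_message(sample))
    # Constructed truncated value: Length says 18, only 5 bytes present.
    print("0x0201001201", "well-formed:", is_well_formed("0x0201001201"))
```

Run on the id-2 response as it is reproduced in this archive, the length check fails (the Length field says 102, matching what rlm_eap logged, but fewer bytes survive in the copied text), which is exactly the kind of mismatch the check exists to surface when reading captured attributes.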
Re: configuring freeradius on freebsd 4.10
>> Because FreeBSD doesn't support shadow passwords, if I remember the
>> code correctly, you have to comment out passwd= and shadow= to get
>> system password file authentication that uses master.passwd.
>
> Which is how the server comes configured by default. There are also
> comments in radiusd.conf SPECIFICALLY MENTIONING FREEBSD.
>
> So... you edited "radiusd.conf" to change the default
> configuration, but didn't read the comments directly above the
> section you were editing.
>
> What kind of documentation could we have to include in the server so
> that you would read it?

Oh come on, I didn't know how FreeBSD deals with passwords, that means the words -lookups are done via database- didn't mean to me that it doesn't use the shadow file... I still don't know some aspects of this OS so I'm still learning, nothing about FreeRadius :) ... so maybe you could write "FreeBSD doesn't use the shadow file in the manner Linux does", as it is not mentioned a lot... neither is it in the handbook, I think...

smiles :)

Darko
Re: Modify packet proxied to a specific realm
At Mon, 14 Jun 2004 14:09:45 -0400, Alan DeKok wrote:
>
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
>> I would like to know if and how it is possible to modify an accounting
>> and an authentication request
>> packet that is going to be proxied to a specific realm.
>
> Yes. Use the "preproxy" section.
>
> Alan DeKok.
>

Thanks Alan, I thought I would. But which module should I use? And how can I add the attribute(s) I want for a specific realm only? I think I will focus on the attr_rewrite module but unfortunately it is not very clear how I can achieve what I want from the sample configuration in radiusd.conf.

Any other ideas are welcome.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.