Any questions about radius.log and mysql ?

2004-07-05 Thread Jean Frontin
Hello everybody,
1) I run freeradius 1.0.0pre2 by the command :
% ./radiusd -xX > out.log
In radiusd.conf I put all items to create radius.log but why do I never 
see this file ?

2) I have the same question about sqltrace : I put sqltrace = yes in 
sql.conf and I don't see the file sqltrace.sql ?

3) When radiusd examines packet request from a user I obtain the message :
rlm_sql (sql): No matching entry in the database for request from user 
[00:02...]

But when I run queries manually on mysql I obtain answers.
What mistakes am I making?
Thank you in advance!

Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 04
France
tel  (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


configure problem in rlm_ldap on Solaris9

2004-07-05 Thread Mitchell, Michael
Hi list,

I'm having problems with configure of both 0.9.3 and 1.0.0 pre3 on
Solaris9

I'm using the following options to configure, and as below, have
openldap installed in /data/openldap.

./configure  --prefix=/data/freeradius \
 --exec-prefix=/data/freeradius \
 --with-rlm-ldap-lib-dir=/data/openldap/lib \
 --with-rlm-ldap-include-dir=/data/openldap/include

My problem is, that although the configure succeeds, when I do a make,
the rlm_ldap module does not find the ldap header files.

If I edit the rlm_ldap/Makefile and add the path to the ldap header
files as follows:

RLM_CFLAGS =  -DHAVE_LDAP_START_TLS -I/data/openldap/include

then everything seems to be happy.

Does anyone have a solution to make configure work? Or can anyone
suggest what might be going wrong, or where I should look? I'm not
terribly familiar with autoconf and configure scripts and don't have a
lot of time to poke around and work out how it all hangs together, so an
answer more detailed than in the configure scripts would be great. ;-)

Thanks in advance for your time!

Regards,
Michael




radius.log file showing proxy not server

2004-07-05 Thread Peter Kolbe
Hi,
I am running freeradius freeradius-1.0.0-pre3
I want the /var/log/radius log to reflect NAS-IP-Address (or ideally nas 
FQDN name) not the Client-IP-Address.

I have made a change in the config file that sorted out the detail logs
Can somebody please tell me what config-options I need to change, or 
what I need to change in the source

(Ideally I would like it to work like cistron used to)
Thanks
Peter



Re: Logging to syslog

2004-07-05 Thread Daniel Eyholzer
On Sun, 04 Jul 2004 10:15:34 -0400
Alan DeKok [EMAIL PROTECTED] wrote:
 http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/raddb/radiusd.conf.in
 
   The log_destination directive was added to the server *after* the
 1.0.0 branch was created.

So this feature will not be in the final 1.0.0 release?


   I don't know why you're trying to use those directives in
 1.0.0-pre3, they're not in the default configuration file, and they
 won't work.

Oh, I must have mixed up the configuration files.


Thanks, Daniel



Re: Using wildcards in realm

2004-07-05 Thread Arne Brutschy
Alan DeKok wrote:
|~  WARNING: You set Proxy-To-Realm = foo.com but it is a LOCAL realm!
|~  Cancelling invalid proxy request.
|
|   That's a WARNING, in large letters.  It's not an error.
|
Yes, I got confused by the line Cancelling invalid proxy request. I
thought the request fails because of this line.
The problem is that this solution does not strip the realm from the
username. How do I accomplish this? I tried:
DEFAULT User-Name =~ ^([EMAIL PROTECTED])@(.*)uni-leipzig\.de$, \
Proxy-To-Realm := uni-leipzig.de, User-Name := `%{1}`
~  Fall-Through = Yes
..but it does not work. Any suggestions?
Regards,
Arne Brutschy


Client member in multiple huntgroups

2004-07-05 Thread Arne Brutschy
Hi,
I have clients that are in multiple huntgroups (i.e. in dot1xswitches,
used for 802.1x auth, and shellaccess, used to give access to the config
shell of this switch). Is it possible to have a client in multiple
huntgroups?
Regards,
Arne


Freeradius-Users digest, Vol 1 #3436 - 11 msgs

2004-07-05 Thread Eki Y. Baskoro

Today's Topics:

 1. Re: ./configure again (Victor A Belous)
 2. OT: L2TP from Lucent/Ascend Max? (Garry Glendown)
 3. Failing debuild (marcolfa)
 4. Re: Re: Sniff radius (Gary McKinney)
 5. Re: Ingoring unknown Client error. (Gary McKinney)
 6. Re: Sniff radius (Thomas MARCHESSEAU)
 7. Re: Sniff radius (Thomas MARCHESSEAU)
 8. Re: FreeRadius/LDAP conf : little problem (Grant, Alastair Ian)
 9. LDAP Bind authentication and Other Attributes (Grant, Alastair Ian)
 10. Re: Matching Acct-Start and Acct-Stop (Alan DeKok)
 11. problems with radius accounting when using mysql (Maqbool Hashim)

--__--__--

Message: 1
Date: Wed, 30 Jun 2004 11:11:07 +0400
From: Victor A Belous [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: ./configure again
Reply-To: [EMAIL PROTECTED]

Alan DeKok wrote:

Victor A Belous [EMAIL PROTECTED] wrote:
 

When I run configure with the command line
./configure --with-openssl-includes=/usr/local/ssl/include 
--with-openssl-libraries=/usr/local/ssl
 


 Are you sure it isn't: ... --with-openssl-libraries=/usr/local/ssl/lib ?


I had tried

--with-openssl-libraries=/usr/local/ssl/lib
--with-openssl-libraries=/usr/local/ssl
--with-openssl-libraries=/usr/local
--with-openssl-libraries=/usr
--with-openssl-libraries
and --with-openssl-libraries=/usr/local/ssl/lib/libssl.so

with the same error.

What path is correct?

Thanks.

Victor Belous




 

checking for OpenSSL version = 0.9.7... yes
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... no
 


 Yup.

 

bash-2.05# ls /usr/local/ssl/lib
libcrypto.a libcrypto.so.0 libssl.a libssl.so.0 
 pkgconfig
libcrypto.so libcrypto.so.0.9.7 libssl.so libssl.so.0.9.7
 


 Use the correct path.

 Alan DeKok.

--__--__--

Message: 2
Date: Wed, 30 Jun 2004 09:12:22 +0200
From: Garry Glendown [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: OT: L2TP from Lucent/Ascend Max?
Reply-To: [EMAIL PROTECTED]

Sorry, slightly off topic, but my google search didn't turn up anything 
helpful ...

I'm wondering, is it possible to set up a Max 2000/4000 series dialup 
router to send certain (or, if not certain, all) dialups to another 
router via l2tp instead of doing auth and stuff itself? I want to/need 
to integrate some dialups into MPLS VRFs which are usually DSL 
connections terminated by a Cisco 7200 ... those DSL connections are 
already sent to the Cisco as l2tp traffic ... (and authenticated / 
accounted through FreeRadius ;) )

Tnx in advance, -gg


--__--__--

Message: 3
From: marcolfa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Failing debuild
Date: Wed, 30 Jun 2004 11:17:01 +0200
Reply-To: [EMAIL PROTECTED]

debuild -us -uc --lintian
debian sid
deb rules on snapshot 29/4

I get the deb, but inside it there are some broken symbolic links to the rlm_peap
and rlm_ttls libraries in libdir.

Reading the build output file, I believe I see a bad linking problem:

*** Warning: Linking the shared library rlm_eap_peap.la against the loadable module
*** rlm_eap_tls.so is not portable!

*** Warning: Linking the shared library rlm_eap_ttls.la against the loadable module
*** rlm_eap_tls.so is not portable!

Relinking is not effective in solving the problem.
Using the --disable-shared option causes a lot of errors like these:
: undefined reference to `gnutls_certificate_get_peers'
/usr/lib/libldap.a(gnutls.o)(.text+0xb3c): In function `gnutls_SSL_set_bio':
: undefined reference to `gnutls_transport_set_ptr2'
/usr/lib/libldap.a(gnutls.o)(.text+0xb83): In function `gnutls_SSL_set_bio':
: undefined reference to `gnutls_transport_set_pull_function'
/usr/lib/libldap.a(gnutls.o)(.text+0x38): In function `gnutls_ERR_error_string':

and no deb package as result.

Is there a method or a parameter to solve the problem? I need both peap and
ttls.
I prefer using deb packages on remote machines for upgrading purposes.

thanks
marco



--__--__--

Message: 4
From: Gary McKinney [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Re: Sniff radius
Date: Wed, 30 Jun 2004 05:39:10 -0400
Reply-To: [EMAIL PROTECTED]

Try searching for: radiusniff (just one 's')...

gm...

- Original Message - 
From: nsinit [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 9:22 PM
Subject: Re: Re: Sniff radius



 yeah i found it yesterday after the post, thx anyway.
 i use radiussniff too.

 Hi, can you tell me where i can download 

Re: Client member in multiple huntgroups

2004-07-05 Thread Thomas MARCHESSEAU
Hi Arne,
i hope this cut/paste will help you.
extract from users file: (note that i have replaced my real realm with
realm.net)

DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type := autz.realm1.net
DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
DEFAULT Realm == realm.net, Huntgroup-Name == nas, Autz-Type := autz.realm3.net
DEFAULT Realm == realm.net, Huntgroup-Name == lns-rtc, Autz-Type := autz.realm4.net
DEFAULT Realm == realm.net, Huntgroup-Name == redback, Autz-Type := autz.realm5.net

I check for Nas-Ip-Address to assign the correct huntgroup and the
correct authentication method.


Arne Brutschy wrote:
Hi,
I have clients that are in multiple huntgroups (i.e. in dot1xswitches,
used for 802.1x auth, and shellaccess, used to give access to the config
shell of this switch). Is it possible to have a client in multiple
huntgroups?
Regards,
Arne



Re: Client member in multiple huntgroups

2004-07-05 Thread Arne Brutschy
Thomas MARCHESSEAU wrote:
| DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type := autz.realm1.net
| DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
|
| I check for Nas-Ip-Address to assign the correct huntgroup and the
| correct authentication method.
|
Yes, but this won't work if you have in the huntgroups file:
bas == 192.168.1.1
bas == 192.168.1.2
lns == 192.168.1.1
If the client 192.168.1.1 tries to authenticate, the line
DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
fails, as the huntgroup file matches on the bas group. Or did I
understand your config wrong?
Regards,
Arne


Re: Client member in multiple huntgroups

2004-07-05 Thread Thomas MARCHESSEAU
hi,
my huntgroup file (a _very_ small part :) )
# A3MITRY__95
redback NAS-IP-Address == 80.xx.xx.2
# A6CORBAS_60
redback NAS-IP-Address == 80.xx.xx.3
# LNS #
#Loopback0 de ValentonLDP3/VAL3MC7213
lns NAS-IP-Address == 213.yy.yy.14
#Loopback0 de ValentonLDP4/VAL3MC7214
lns NAS-IP-Address == 213.yy.yy.20
but you can't have something like
lns NAS-IP-Address == a.b.c.d
bas  NAS-IP-Address == a.b.c.d
maybe i don't understand your request :)
regards
Thomas MARCHESSEAU
Arne Brutschy wrote:

Thomas MARCHESSEAU wrote:
| DEFAULT Realm == realm.net, Huntgroup-Name == bas, Autz-Type := autz.realm1.net
| DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
|
| I check for Nas-Ip-Address to assign the correct huntgroup and the
| correct authentication method.
|
Yes, but this won't work if you have in the huntgroups file:
bas == 192.168.1.1
bas == 192.168.1.2
lns == 192.168.1.1
If the client 192.168.1.1 tries to authenticate, the line
DEFAULT Realm == realm.net, Huntgroup-Name == lns, Autz-Type := autz.realm2.net
fails, as the huntgroup file matches on the bas group. Or did I
understand your config wrong?
Regards,
Ar



Mysql development version ?

2004-07-05 Thread Henri SOURDET
Hello,

I already have an operational web server with mysql,
but before installing freeradius I wanted to know if
the version of mysql which I installed includes the development headers.

I chose the standard binary: Standard   4.0.20  15.2M   (not an rpm)

I saw that there is an rpm named: Libraries and header files   4.0.20-0   925.7K
but I don't want to use an rpm for my installation.

Thanks
henri. france (excuse my bad english ;) )



FreeRADIUS + OpenLDAP schema

2004-07-05 Thread Saket Sathe
Hi Guys, 
Does the LDAP schema that comes with FreeRADIUS work with OpenLDAP ?

Coz the first line says it is a Netscape directory schema..

Thanks,
Saket




Sending VSA with FreeRADIUS radclient

2004-07-05 Thread Geoffroy Arnoud
Hello,

I know I can send VSA using radclient, by putting the
following line in my request file:

Cisco-AVPair=Hello!

What I want to know is whether I can send a VSA whose
content is not formatted as mentioned in RFC2865
(§5.26). I mean that I want to send:

+--------+--------+--------+--------+
|   26   | Length |    Vendor-ID    |
+--------+--------+--------+--------+
| Vendor-ID (cont)|  My Content...
+--------+--------+--------+--...

Is it possible with radclient?

Thank you in advance

Geoffroy
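
The attribute layout described in the message above, as an added example that is not part of the original post and is not radclient code: it builds a Vendor-Specific attribute (type 26) once with the sub-attribute format that RFC 2865 §5.26 recommends and once with opaque content directly after the Vendor-Id, then parses both the way a receiver would. The function names and the use of the documentation enterprise number 32473 are assumptions of this example; 9 and 1 are Cisco's enterprise number and the Cisco-AVPair vendor type.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type that carries a VSA
MAX_ATTR_LEN = 255        # the Length field is a single octet
CISCO_PEN = 9             # Cisco's IANA enterprise number
CISCO_AVPAIR = 1          # vendor type of Cisco-AVPair
EXAMPLE_PEN = 32473       # IANA enterprise number reserved for documentation


def encode_vsa(vendor_id, payload):
    """Return Type(26) | Length | Vendor-Id(4 octets) | payload (kept opaque)."""
    if not 0 <= vendor_id < (1 << 24):
        raise ValueError("Vendor-Id must fit in the low-order three octets")
    if not 1 <= len(payload) <= MAX_ATTR_LEN - 6:
        raise ValueError("payload must be 1..249 octets")
    header = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(payload), vendor_id)
    return header + payload


def encode_sub_attribute(vendor_type, value):
    """Return the recommended inner form: vendor type | vendor length | value."""
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type is a single octet")
    if len(value) > MAX_ATTR_LEN - 6 - 2:
        raise ValueError("value does not fit in one VSA")
    return bytes([vendor_type, 2 + len(value)]) + value


def decode_vsa(attr):
    """Validate one attribute and return (vendor_id, payload)."""
    if len(attr) < 7:
        raise ValueError("a VSA is at least 7 octets long")
    attr_type, length, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if length != len(attr):
        raise ValueError("Length field does not match the attribute size")
    if vendor_id >> 24:
        raise ValueError("high-order octet of Vendor-Id must be zero")
    return vendor_id, attr[6:]


def split_sub_attributes(payload):
    """Return [(vendor_type, value), ...] or None if payload is not a clean TLV run.

    None means the receiver has to treat the payload as opaque vendor data.
    Opaque data can also parse as TLVs by coincidence, so only the vendor's
    dictionary settles which reading is intended.
    """
    subs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            return None
        vendor_type, vendor_len = payload[pos], payload[pos + 1]
        if vendor_len < 2 or pos + vendor_len > len(payload):
            return None
        subs.append((vendor_type, payload[pos + 2:pos + vendor_len]))
        pos += vendor_len
    return subs


def demo():
    """Build the two attributes discussed above (values are constructed samples)."""
    formatted = encode_vsa(CISCO_PEN, encode_sub_attribute(CISCO_AVPAIR, b"Hello!"))
    opaque = encode_vsa(EXAMPLE_PEN, b"My Content...")
    return formatted, opaque


if __name__ == "__main__":
    for attr in demo():
        vendor_id, payload = decode_vsa(attr)
        print(attr.hex(), vendor_id, split_sub_attributes(payload))
```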








Re: FreeRADIUS + OpenLDAP schema

2004-07-05 Thread Tiago Fernandes
On Mon, 05 Jul 2004 18:39:34 +0530
Saket Sathe [EMAIL PROTECTED] wrote:

 Hi Guys, 
 Does the LDAP schema that comes with FreeRADIUS work with OpenLDAP ?

yes.

did you use the RADIUS-LDAPv3.schema ??


 
 Coz the first line says it is a Netscape directory schema..
 
 Thanks,
 Saket
 
 
 


Tiago Fernandes





Re: radius.log file showing proxy not server

2004-07-05 Thread Alan DeKok
Peter Kolbe [EMAIL PROTECTED] wrote:
 I am running freeradius freeradius-1.0.0-pre3
 I want the /var/log/radius log to reflect NAS-IP-Address (or ideally nas 
 FQDN name) not the Client-IP-Address.

  In what messages?  There are a lot of messages printed out by the
server.

  Alan DeKok.




Re: The duplicate VSA lines are sent.

2004-07-05 Thread Alan DeKok
baffy200y [EMAIL PROTECTED] wrote:
 I send Access-Request packet from radius client below. 
...
 And freeradius sends Access-Accept packet back below.
...
 [Ascend-Data-Filter += ip in forward dstip 172.16.1.0/24 0]
 [Ascend-Data-Filter += ip in drop 0]
 [Ascend-Data-Filter += ip out forward 0]
 
 These lines are duplicate.

  Run the server in debugging mode.  You will see that it matches
*two* entries in your users file (one of which you didn't post
here).  That's why there are duplicate attributes: you configured the
server to send the duplicate attributes.

  Alan DeKok.




Re: Exec-Program environment

2004-07-05 Thread Alan DeKok
Andrea Gabellini [EMAIL PROTECTED] wrote:
 I need to use Exec-Program, but I need also the Sql-Group variable. 
 Actually It's not passed to the environment.

  The request items are added to the environment in Exec-Program-Wait.
That can't be changed.  if SQL-Group isn't in the request items, it
won't be added to the environment.

  I suggest using rlm_exec, where you can control exactly which list
of attributes are passed to the program.

  Alan DeKok.




redirecting to specific web page

2004-07-05 Thread Ernesto Freyre

Hi, I would like to know if somebody here could help me with this
problem:

I need my radius users to be redirected to a specific web page when
connected, but my problem is that I actually only manage the RADIUS
service. I have no access to manage the outgoing Internet network where
my users navigate, nor to the NAS equipment, so my only option is to
set something on RADIUS, or use some other trick to achieve this goal.

 I accept ideas, thank you

 Ernesto Freyre Ramírez
 Operations Department
 Red Privada Virtual S.A.
 Av. Paseo de la República 4675 - Lima 34
 Tel.: (511) 241-4122 Ext. 2245
 Fax: (511) 446-8135
 Visit us at: www.qnet.com.pe





Gmail

2004-07-05 Thread Evan Stenmark
If you use email to search through the freeradius-users list, then I
recommend gmail because of the way it handles conversations.
It is similar to a forum.
A conversation is the first message and all the replies to that
message.  It puts all the conversations together so you don't have to
search through a  long list of messages like what would be done in a
normal inbox.

Naturally, you can get this same effect by going through the mail archive
www.mail-archive.com/freeradius-users%40lists.freeradius.org/

Gmail is still in the beta phase and you must get an invite (or buy
one from ebay) to get a gmail account.

Evan Stenmark



Re: EAP-TTLS

2004-07-05 Thread Alan DeKok
Vidar Stokke [EMAIL PROTECTED] wrote:
 I'm having some trouble with freeradius-1.0.0-pre3 and TTLS.
...
rlm_eap_peap: Session established.  Decoding tunneled attributes.
rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal access_denied
 TLS Alert read:fatal:access denied

  That's a problem.

  Does the server have permissions to read the certificates?

 I've tested this with a Cisco 1200AP and Cisco 2950. Both created the 
 same problem.

  The AP's aren't the problem.  They just pass EAP traffic back and forth.

  Which wireless supplicant are you using?

  Alan DeKok.



Re: redirecting to specific web page

2004-07-05 Thread Thor Spruyt

- Original Message - 
From: Ernesto Freyre [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 05, 2004 8:04 PM
Subject: redirecting to specific web page



 Hi, I would like to know if somebody here could help me with this
 problem:

 I need my radius users to be redirected to a specific web page when
 connected, but my problem is that I actually only manage the RADIUS
 service. I have no access to manage the outgoing Internet network where
 my users navigate, nor to the NAS equipment, so my only option is to
 set something on RADIUS, or use some other trick to achieve this goal.

The radiusserver cannot enforce anything. If you want to enforce something
you have to configure your NAS equipment for that and have the radiusserver
send the appropriate attributes in the accept to the NAS.


  I accept ideas, thank you

  Ernesto Freyre Ramírez
  Operations Department
  Red Privada Virtual S.A.
  Av. Paseo de la República 4675 - Lima 34
  Tel.: (511) 241-4122 Ext. 2245
  Fax: (511) 446-8135
  Visit us at: www.qnet.com.pe





Re: Gmail

2004-07-05 Thread Artur Hecker
this feature is usually called reading emails in threads and it 
probably exists since the creation of email in _every_ client i know.

i recommend you stop advertising for gmail here.
ciao
artur

Evan Stenmark wrote:
If you use email to search through the freeradius-users list, then I
recommend gmail because of the way it handles conversations.
It is similar to a forum.
A conversation is the first message and all the replies to that
message.  It puts all the conversations together so you don't have to
search through a  long list of messages like what would be done in a
normal inbox.
Naturally, you can get this same effect by going through the mail archive
www.mail-archive.com/freeradius-users%40lists.freeradius.org/
Gmail is still in the beta phase and you must get an invite (or buy
one from ebay) to get a gmail account.
Evan Stenmark


Re: Multiple definitions for auth-type CRAM in Dictionary???

2004-07-05 Thread Alan DeKok
Gary McKinney [EMAIL PROTECTED] wrote:
 In going through the main dictionary file I ran across the following two
 entries:
 
 VALUE Auth-Type CRAM 1030
 VALUE Auth-Type CRAM 1032
 
 Are these correct ( you can have the same attribute with multiple values in
 the dictionary)?

  Yes, but I'll go fix it.

  Alan DeKok.



MySQL accounting strangeness

2004-07-05 Thread Andre Fortin
Hello,

Forgive me if this has been covered.  I'm using FreeRADIUS 0.8.1 and am
using MySQL for accounting (and LDAP for authorization, but that's probably
not important).  This works well for getting totals of time used for each
user.  However, I'm now trying to write a tool to search which username was
logged on at X time, and noticed some missing information in the radacct
table;  It seems that when a session is started, it's not entering the
FramedIPAddress.  Strangely, if the user was logged in when accounting
wasn't happening, and the session ends, it records a start time of all
zeros, and the AcctStopTime, with the IP address.  If the system has both
the AcctStartTime and StopTime, there is no IP address.. Here's a snippet of
results from my database:

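+------------+-----------------+---------------------+---------------------+
| UserName   | FramedIPAddress | AcctStartTime       | AcctStopTime        |
+------------+-----------------+---------------------+---------------------+
| Xuser      | 66.206.230.5    | -00-00 00:00:00     | 2004-04-29 11:57:27 |
| Xuser      |                 | 2004-05-03 23:33:25 | 2004-05-03 23:44:09 |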



All accounts are exhibiting this behavior; very few actually have a recorded
IP address, only the ones without a valid start time.. Any ideas?  If you
need any more information, let me know..  I haven't yet tried upgrading, as
I'm not sure if it will fix it, and I don't want to accidentally cause any
other problems by changing the version.  Thanks in advance,

Andre




Re: MySQL accounting strangeness

2004-07-05 Thread Ernesto Freyre
Normally this could depend on your NAS configuration. Check this is sending
the attributes you need.


Ernesto Freyre Ramírez
Operations Department
Red Privada Virtual S.A.
Av. Paseo de la República 4675 - Lima 34
Tel.: (511) 241-4122 Ext. 2245
Fax: (511) 446-8135
Visit us at: www.qnet.com.pe
- Original Message -
From: Andre Fortin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 05, 2004 12:26 PM
Subject: MySQL accounting strangeness


 Hello,

 Forgive me if this has been covered.  I'm using FreeRADIUS 0.8.1 and am
 using MySQL for accounting (and LDAP for authorization, but that's probably
 not important).  This works well for getting totals of time used for each
 user.  However, I'm now trying to write a tool to search which username was
 logged on at X time, and noticed some missing information in the radacct
 table;  It seems that when a session is started, it's not entering the
 FramedIPAddress.  Strangely, if the user was logged in when accounting
 wasn't happening, and the session ends, it records a start time of all
 zeros, and the AcctStopTime, with the IP address.  If the system has both
 the AcctStartTime and StopTime, there is no IP address.. Here's a snippet of
 results from my database:

 +------------+-----------------+---------------------+---------------------+
 | UserName   | FramedIPAddress | AcctStartTime       | AcctStopTime        |
 +------------+-----------------+---------------------+---------------------+
 | Xuser      | 66.206.230.5    | -00-00 00:00:00     | 2004-04-29 11:57:27 |
 | Xuser      |                 | 2004-05-03 23:33:25 | 2004-05-03 23:44:09 |

 All accounts are exhibiting this behavior; very few actually have a recorded
 IP address, only the ones without a valid start time.. Any ideas?  If you
 need any more information, let me know..  I haven't yet tried upgrading, as
 I'm not sure if it will fix it, and I don't want to accidentally cause any
 other problems by changing the version.  Thanks in advance,

 Andre




RE: MySQL accounting strangeness

2004-07-05 Thread Andre Fortin
The NAS is apparently sending all the information (according to the network
guys here).  It is getting the FramedIPAddress for sessions without a start
time, so it's apparently sending it.. It just doesn't put it into mysql when
there's a start time..

Andre

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Ernesto
 Freyre
 Sent: Monday, July 05, 2004 5:27 PM
 To: [EMAIL PROTECTED]
 Subject: Re: MySQL accounting strangeness


 Normally this could depend on your NAS configuration. Check this
 is sending
 the attributes you need.


 Ernesto Freyre Ramírez
 Operations Department
 Red Privada Virtual S.A.
 Av. Paseo de la República 4675 - Lima 34
 Tel.: (511) 241-4122 Ext. 2245
 Fax: (511) 446-8135
 Visit us at: www.qnet.com.pe
 - Original Message -
 From: Andre Fortin [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, July 05, 2004 12:26 PM
 Subject: MySQL accounting strangeness


  Hello,
 
  Forgive me if this has been covered.  I'm using FreeRADIUS 0.8.1 and am
  using MySQL for accounting (and LDAP for authorization, but that's probably
  not important).  This works well for getting totals of time used for each
  user.  However, I'm now trying to write a tool to search which username was
  logged on at X time, and noticed some missing information in the radacct
  table;  It seems that when a session is started, it's not entering the
  FramedIPAddress.  Strangely, if the user was logged in when accounting
  wasn't happening, and the session ends, it records a start time of all
  zeros, and the AcctStopTime, with the IP address.  If the system has both
  the AcctStartTime and StopTime, there is no IP address.. Here's a snippet of
  results from my database:

  +------------+-----------------+---------------------+---------------------+
  | UserName   | FramedIPAddress | AcctStartTime       | AcctStopTime        |
  +------------+-----------------+---------------------+---------------------+
  | Xuser      | 66.206.230.5    | -00-00 00:00:00     | 2004-04-29 11:57:27 |
  | Xuser      |                 | 2004-05-03 23:33:25 | 2004-05-03 23:44:09 |

  All accounts are exhibiting this behavior; very few actually have a recorded
  IP address, only the ones without a valid start time.. Any ideas?  If you
  need any more information, let me know..  I haven't yet tried upgrading, as
  I'm not sure if it will fix it, and I don't want to accidentally cause any
  other problems by changing the version.  Thanks in advance,
 
  Andre
 
 


Re: Using wildcards in realm

2004-07-05 Thread Alan DeKok
Arne Brutschy [EMAIL PROTECTED] wrote:
 The problem is that this solution does not strip the realm from the
 username. How do I accomplish this? I tried:

  You can use the preproxy_users file to re-write the User-Name
before it's proxied.

#-- users
DEFAULT User-Name =~ ^([EMAIL PROTECTED])@(.*)uni-leipzig\.de$, Proxy-To-Realm := uni-leipzig.de
Fall-Through = Yes
#---

  And:

#--- preproxy_users
DEFAULT User-Name =~ ^([EMAIL PROTECTED])@(.*)uni-leipzig\.de$
User-Name := `${1}`
#---

  Alan DeKok.



help

2004-07-05 Thread Gaurav Nolkha
i'm getting this message when i wish to add the
eap_ttls module with my radius
server(freeradius-snapshot-20040705) and openssl
(openssl-0.9.7-stable-SNAP-20040705). 


sip2:/usr/802/freeradius-snapshot-20040705/src/modules/rlm_eap/types/rlm_eap_ttls # make install
if [ xrlm_eap_ttls != x ]; then \
/usr/802/freeradius-snapshot-20040705/libtool --mode=install /usr/802/freeradius-snapshot-20040705/install-sh -c -c \
rlm_eap_ttls.la /usr/local/radius/lib/rlm_eap_ttls.la; \
rm -f /usr/local/radius/lib/rlm_eap_ttls-1.1.0-pre0.la; \
ln -s rlm_eap_ttls.la /usr/local/radius/lib/rlm_eap_ttls-1.1.0-pre0.la; \
fi
libtool: install: warning: relinking `rlm_eap_ttls.la'
(cd /usr/802/freeradius-snapshot-20040705/src/modules/rlm_eap/types/rlm_eap_ttls; /bin/sh /usr/802/freeradius-snapshot-20040705/libtool --mode=relink gcc -release 1.1.0-pre0 -module -export-dynamic -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I../../../../include -I./../.. -I/usr/local/openssl/include -I./../../libeap -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -o rlm_eap_ttls.la -rpath /usr/local/radius/lib rlm_eap_ttls.lo ttls.lo ../../../../lib/libradius.la ../rlm_eap_tls/rlm_eap_tls.la -L./../../libeap -leap -L/usr/local/openssl/lib -lcrypto -lssl -lcrypto -lnsl -lresolv -lpthread -lcrypto )

*** Warning: Linking the shared library rlm_eap_ttls.la against the loadable module
*** rlm_eap_tls.so is not portable!
mv: cannot stat `rlm_eap_ttls-1.1.0-pre0.so': No such file or directory
libtool: install: error: relink `rlm_eap_ttls.la' with the above command before installing it


if i disable the entry for the ttls in eap.conf file
then my server is working fine. when i start the
server in debug mode with ttls enabled i get this
message

rlm_eap: Loaded and initialized type tls
rlm_eap: Failed to link EAP-Type/ttls: rlm_eap_ttls.so: cannot open shared object file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed.







Re: redirecting to specific web page

2004-07-05 Thread Ernesto Freyre
Thank you for your reply.

Ernesto Freyre Ramírez
Operations Department
Red Privada Virtual S.A.
Av. Paseo de la República 4675 - Lima 34
Tel.: (511) 241-4122 Ext. 2245
Fax: (511) 446-8135
Visit us at: www.qnet.com.pe
- Original Message -
From: Thor Spruyt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 05, 2004 10:59 AM
Subject: Re: redirecting to specific web page



- Original Message -
From: Ernesto Freyre [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 05, 2004 8:04 PM
Subject: redirecting to specific web page



  Hi, please, I would like to know if somebody here could help me with this
  problem:

  I need my RADIUS users to be redirected to a specific web page when
  connected, but my problem is that I actually only manage the RADIUS
  service. I do not have access to manage the outgoing Internet network where
  my users navigate, nor to the NAS equipment, so my only option is to set
  something on RADIUS, or use another artifice to reach this goal.

The RADIUS server cannot enforce anything. If you want to enforce something,
you have to configure your NAS equipment for that and have the RADIUS server
send the appropriate attributes in the accept to the NAS.


  I accept ideas, thank you

  Ernesto Freyre Ramírez
  Operations Department
  Red Privada Virtual S.A.
  Av. Paseo de la República 4675 - Lima 34
  Tel.: (511) 241-4122 Ext. 2245
  Fax: (511) 446-8135
  Visit us at: www.qnet.com.pe





FreeRADIUS + LDAP + CHAP problem

2004-07-05 Thread Saket Sathe
I've setup FreeRADIUS with LDAP. I've made sure that they both are
interacting correctly using the 'radtest' test client that comes with
FreeRADIUS. 

Now when I try authenticating a client supplying CHAP-Password, FreeRADIUS
produces an error saying that:

rlm_ldap: Attribute User-Password is required for authentication.
Cannot use CHAP-Password.
  modcall[authenticate]: module ldap returns invalid

How can I possibly deal with it ?

Thanks,
Saket
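
Why the error above separates User-Password from CHAP-Password, as an added example that is not part of the original post and not FreeRADIUS code: a CHAP response is MD5(ID || password || challenge) (RFC 1994, RFC 2865), so checking it needs the cleartext password, while a PAP password can be checked against a salted hash in the directory. Function names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 2865 section 5.3: CHAP-Password = 1-octet CHAP Ident + 16-octet response
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)

def verify_chap(attr: bytes, challenge: bytes, known_secret: bytes) -> bool:
    # The server must recompute the MD5 itself, so it needs the same secret
    # the client typed; nothing in the packet can be sent to LDAP as a bind.
    if len(attr) != 17:
        return False
    expected = chap_response(attr[0], known_secret, challenge)
    return hmac.compare_digest(expected, attr[1:])

def ssha(password: bytes, salt: bytes) -> str:
    # Common LDAP userPassword scheme: base64(SHA1(password || salt) || salt)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_pap_against_ssha(stored: str, user_password: bytes) -> bool:
    # PAP delivers the password itself, so a salted hash is enough to check it.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(user_password + salt).digest(), digest)

# Constructed sample values (not taken from the thread).
CHALLENGE = bytes(range(16))
PASSWORD = b"s3cret-example"
STORED = ssha(PASSWORD, b"\x01\x02\x03\x04")       # what the directory holds
ATTR = chap_password_attr(7, PASSWORD, CHALLENGE)  # what the NAS forwards

def demo() -> dict:
    return {
        "pap_vs_hash": verify_pap_against_ssha(STORED, PASSWORD),
        "chap_vs_cleartext": verify_chap(ATTR, CHALLENGE, PASSWORD),
        "chap_vs_hash": verify_chap(ATTR, CHALLENGE, STORED.encode()),
    }

if __name__ == "__main__":
    print(demo())
```

The last case fails because the stored hash is not the secret the client fed into MD5, which is why a CHAP request can only be verified by a server that can read the user's cleartext password.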





RE: how to run radiusd with high debug info but in background

2004-07-05 Thread Htin Hlaing
Hi,

I have tried this with the pre3 release and -sxxyz does not seem to
daemonize for some reason.  Actually, -xx or -x prevents it from
daemonizing.  I thought it would if I took out -f.  Has anyone seen
this?

Thanks,
Htin
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of Paul Hampson
 Sent: Friday, June 25, 2004 6:05 PM
 To: [EMAIL PROTECTED]
 Subject: Re: how to run radiusd with high debug info but in background
 
 On Fri, Jun 25, 2004 at 05:13:39PM -0700, Ernesto Freyre wrote:
  Hi admins! Please, I would like to know how to run radiusd with high
  debug info but in the background?
 
 Instead of -X, use the individual switches...
 -X is simply a convenient shortcut for -sfxxyz -l stdout
 so take the -f out, and it'll daemonise itself as normal.
 
 (This is described in `radiusd -h`)
 --
 Paul TBBle Hampson, on an alternate email client.
 


unsubscribe

2004-07-05 Thread Yi-Wen Liu



unsubscribe


dialup_admin ERROR

2004-07-05 Thread apellido jr., wilfredo p.
Hello guys, got this error under Online Users (user_finger.php3)

Jul  6 13:22:46 diameter postgres[496]: [2-1] ERROR:  column radacct.acctstarttime must appear in the GROUP BY clause or be used in an aggregate function


FreeRADIUS Version 1.0.0-pre3, for host , built on Jul  6 2004 at 01:54:36
Freebsd 4.18
psql (PostgreSQL) 7.4.3


Any suggestion is highly appreciated... Thanks


