Subject: Re: Problem with PEAP auth using xp clients
"atul dhingra" <[EMAIL PROTECTED]> wrote:
Following is the crux of what I am stuck on now: ...

So you're still getting the core dump. Let me guess... you have two versions of OpenSSL installed, and you built the server without using "--disable-shared".
> Fix one of those two problems, and it will work.
> Alan DeKok.

I am still getting the same dump, I have used --disable-shared while building the radius server
Would appreciate your comments
Thanks and regards
AD
Freeradius + Informix HOWTO
I promised a HOWTO for those still dabbling in Informix SE the other week so here it is - http://web.pip.com.au/brads-howtos/freeradius-informix.html
RE: Interested in a script to simulate user sessions?
Hi Thor,

I think tools like that are always a great addition to a development/test toolkit. Due to similar requirements I wrote something similar in Python with a GUI (as a means to improve my Python knowledge) to assist me in doing some "pseudo realistic" load testing of our server. It reads in packets to be sent from a file and sends them as fast as it can. I like the scenario idea though. I've still got a few bugs to sort out though, and it's not really ready for distribution.

Interesting that you chose to use radclient to send the packets, rather than one of the Perl Radius modules available from CPAN. I've written a couple of perl scripts for testing purposes (one of them trickles accounting packets into our radius server to test our accounting/billing system. It randomly starts new sessions, which it then keeps track of. It sends periodic "alive" packets with the input/output octets and session times incremented accordingly, and randomly stops open sessions). I used Authen::Radius, which seems to be pretty good. It read the freeRADIUS dictionaries no problems, supports vendor specific attributes, etc, etc. Great thing about using the Perl modules is that it is then platform independent, so I can test from any client that I want without having to have freeRADIUS compiled for that client.

Keep up the good work!

Regards,
Michael

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thor Spruyt
> Sent: Wednesday, 13 October 2004 5:15 AM
> To: FreeRadius Users
> Subject: Interested in a script to simulate user sessions?
>
> Hi,
>
> I have written a perl script that simulates user sessions read from a
> scenario file.
> You can have a look at it here: http://www.thor-spruyt.com/radscenario
> The reason I wrote it is that I didn't find a good solution to automate
> several test scenarios.
> At the top, there's some information on how scenarios are constructed.
>
> Please let me know if something like this is found useful or not.
> Any suggestions are welcome.
>
> --
> Regards,
>
> Thor Spruyt
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com
> M: +32 (0)475 67 22 65
Dialup Admin - "Authentication Failed" problem.
Hi All,

I'm using freeradius-0.9.3 with MySQL and Dialup Admin on a RH 9.0 machine in conjunction with a Cisco 2511 NAS. I've noticed that on several occasions, accounting "stale sessions" have led to some users being denied dialup access. Even when I clear all the stale sessions I still get the message below when running a user authentication test, on say a user named "fred" (using the user Test Page that comes with Dialup Admin):

    Authentication failed
    Server response:Reply-Message = "\r\nYou are already logged in - access denied\r\n\n"

How can I rectify this so that the user "fred" is allowed access again?

Best regards,
Shannon
Re: NAS-Identifier check
On Tue, Oct 12, 2004 at 07:10:47AM -0700, Alex wrote:
> OK, I defined a huntgroup "test NAS-Identifier == "my_nas"" in huntgroups
> file and added | eap_user| Huntgroup-Name | == | test | to radcheck table.
> It says "No matching entry in the database for request from user [eap_user]" and
> "auth: No authenticate method (Auth-Type) configuration found for the request"
> When op for Huntgroup-Name changes to := in radcheck, user gets authenticated no
> matter what it is sent in NAS-Identifier.

:= is assignment, it cannot work. I check NAS-IP-Address in huntgroups.

Oliver.
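Why the operator matters in the exchange above, as an added example that is not part of the original thread and is not FreeRADIUS code: a simplified Python model in which `==` compares a check item against the request while `:=` always matches and only stores a value, plus a small audit that flags radcheck rows whose restriction is therefore never enforced. The huntgroup table, function names and sample requests are constructed for illustration.

```python
# Simplified model of FreeRADIUS check-item operators (illustration only,
# not FreeRADIUS code). All names and data below are constructed.

# Stand-in for the huntgroups file entry:  test  NAS-Identifier == "my_nas"
HUNTGROUPS = {"test": {"NAS-Identifier": "my_nas"}}

# Attributes commonly used in radcheck to restrict where a user may log in.
RESTRICTING = {"Huntgroup-Name", "NAS-Identifier", "NAS-IP-Address"}

# Constructed sample requests and radcheck rows (attribute, op, value).
GOOD_NAS = {"User-Name": "eap_user", "NAS-Identifier": "my_nas"}
OTHER_NAS = {"User-Name": "eap_user", "NAS-Identifier": "other_nas"}
ROW_COMPARE = ("Huntgroup-Name", "==", "test")
ROW_ASSIGN = ("Huntgroup-Name", ":=", "test")


def huntgroups_for(request):
    """Return the huntgroup names whose conditions the request satisfies."""
    return {
        name
        for name, conds in HUNTGROUPS.items()
        if all(request.get(attr) == val for attr, val in conds.items())
    }


def check_items_match(request, rows):
    """Evaluate radcheck-style rows against a request.

    Returns (matched, config_items). Only ':=', '==' and '!=' are modelled.
    """
    config = {}
    for attr, op, value in rows:
        if op == ":=":
            # Assignment: always matches as a check item and only stores
            # the value in the configuration items. Nothing is compared.
            config[attr] = value
            continue
        if op not in ("==", "!="):
            raise ValueError(f"operator {op!r} is not modelled")
        if attr == "Huntgroup-Name":
            # Virtual attribute: compared against the huntgroups the
            # request falls into, not against a value the NAS sent.
            equal = value in huntgroups_for(request)
        else:
            if attr not in request:
                return False, {}  # comparisons need the attribute present
            equal = request[attr] == value
        if equal != (op == "=="):
            return False, {}
    return True, config


def unenforced_restrictions(rows):
    """Audit helper: restricting attributes that use ':=' compare nothing."""
    return [row for row in rows if row[0] in RESTRICTING and row[1] == ":="]


if __name__ == "__main__":
    for label, req in (("my_nas", GOOD_NAS), ("other_nas", OTHER_NAS)):
        for row in (ROW_COMPARE, ROW_ASSIGN):
            matched, _ = check_items_match(req, [row])
            print(f"NAS={label:9} op={row[1]:2} matched={matched}")
    print("rows to review:", unenforced_restrictions([ROW_COMPARE, ROW_ASSIGN]))
```

Running `unenforced_restrictions` over an export of the radcheck table is a quick way to find entries where `:=` was used on an attribute that was meant to limit access.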
Generic Token Cards
Hi there

I lost the overview over all types of protocols and particularly the combination of it.. What I would like to do is: The user should send his username and password. The server then should verify this data (best would be via LDAP) and if ok send a challenge for the users token card. The user then sends an answer to this challenge.. and depending on this answer the server would authenticate the user or reject it. Is there a way to do this?

thanks a lot for your answer !!
Hannes
radwtmp question
Hey guys, sorry if this has been answered before, but I have a logging type question. I have a machine that has been up for 81 days, and the radwtmp file is a whopping 659 megs. This wouldn't concern me if we didn't frequently use radwho to see if a user is logged in. I believe the data from radwho is wrong, a lot of >999 times. I am wondering if these are related... and if we can just delete radwtmp and still have accurate logging. Is there a resource that describes how this is used?

Thanks,
Ryan
1.01 install failure - invalid libtool archives?
I failed to install freeradius 1.0.1 on SUSE 9.1. A summary of the failures that I noticed is below. Make is using the install folder's version of libtool, so I don't know what went wrong. When I switch to my local, and updated, version of libtool, I get the same result. If someone has any suggestions, I am willing to experiment. I didn't expect installation to be the hard part of getting freeradius working.

    libtool: install: `rlm_acct_unique.la' is not a valid libtool archive
    libtool: install: `rlm_always.la' is not a valid libtool archive
    libtool: install: `rlm_attr_filter.la' is not a valid libtool archive
    libtool: install: `rlm_attr_rewrite.la' is not a valid libtool archive
    libtool: install: `rlm_chap.la' is not a valid libtool archive
    libtool: install: `rlm_detail.la' is not a valid libtool archive
    libtool: install: `rlm_digest.la' is not a valid libtool archive
    libtool: install: `rlm_eap.la' is not a valid libtool archive
    libtool: install: `rlm_eap_gtc.la' is not a valid libtool archive
    libtool: install: `rlm_eap_leap.la' is not a valid libtool archive
    libtool: install: `rlm_eap_md5.la' is not a valid libtool archive
    libtool: install: `rlm_eap_mschapv2.la' is not a valid libtool archive
    install: radeapclient does not exist

Thanks in advance,
Kirby
--
[EMAIL PROTECTED]
Authorization via LDAP and Files, Authentication via LDAP
Hi all,

I have some problems getting Freeradius to work with following configuration: Freeradius should check if user exists in LDAP and also should authenticate user via LDAP. As we are not planning to integrate the RADIUS-LDAPv3.schema and therefore want to add Return-Attributes via users file. I read in freeradius/docs/rlm-ldap.txt that I should add { notfound=return } to the ldap entry in the authorize section. When doing this I always get the error seen below:

    gaia:/usr/local/etc/raddb# radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    /usr/local/etc/raddb/radiusd.conf[1654]: Unexpected end of section
    Errors reading radiusd.conf

Here is my authorize section of radiusd.conf

    authorize { # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. # # It also adds the %{Client-IP-Address} attribute to the request. preprocess # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. # auth_log # attr_filter # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # suffix # ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. eap # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap { notfound=return } files # daily # checkval }

Also it would be great if somebody could give me a hint if this users file entry is correct for the above situation

    radiustest Service-Type = Framed-User Framed-Protocol = PPP, Framed-IP-Address = 3.3.3.3

From my understanding "Service-Type = Framed-User" is now a Check-Item (if I understand users file syntax correctly), but what I want to achieve is that there is no Check-Item at all in the users file and only Reply Items are stated in users file.

Kind regards
Micheal
Re: Newbie question SQL-freeradius testing tools
Dirk Enrique Seiffert - CaribeNet wrote:
> You might want to add some FAQs:
>
> Freeside and SQL:
> 1) Where can I find Dialup Admin?
>
> The server comes with a PHP-based web user administration tool, called
> dialupadmin. You also can download dialupadmin on
> http://sourceforge.net/projects/dialup-admin/

Go to http://www.freeradius.org/ and read the first paragraph under "The FreeRADIUS Server Project".

> 2) Where can I find documentation on HowTo setup MySQL Accounting with
> freeradius?
>
> Check "SB's very rough notes to FreeRadius and MySQL at
> http://www.frontios.com/freeradius.html

Go to http://www.freeradius.org/radiusd/doc/rlm_sql and read section "1. Miscellaneous configuration"

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Exec-Program-Wait & Unresponsive Child Errors
Good morning. I've got some weirdness with freeradius 1.0.1 (same results in previous versions). Test systems are x86_64 and i386 Fedora Core 2 machines (2.6.8.1). Same tests on older redhat9 machine (2.6.4) do not have the same issue. My users entry looks like: DEFAULT Auth-Type := Accept Exec-Program-Wait = "/etc/raddb/scripts/pre_auth.sh", Fall-Through = Yes There are no other authentication mechanisms enabled, all requests go to pre_auth.sh. The script is configured to only exit 0 (although I get identical results when rejecting requests with exit 1) and pass attributes. Same results w/o attributes. This issue only happens when running in standard mode, in debug -x or debug -xx mode. The problem can be duplicated over and over on various platforms. The problem does not happen in -X debug mode. Problem also does not happen in single thread mode. When sending test radius packets it will authenticate the first always, then depending on the frequency of the incoming packets it will hang usually once they are sent at a rate of apx 1+/second. Sending packets continuously at 1 each 2 seconds it will never have any problem. It appears to be in the following entry that it is hanging right before it gets to the "Exec-Program: returned: 0" section. Almost as if it's not catching the return value of the external program. Later (10-15 seconds) it drops that client as unresponsive. Attaching 2 -xx debug reports, the first is the request which bombs, the 2nd is a good request. Any help in further debugging or solving this issue is greatly appreciated. ## REQUEST WHICH BOMBS ## Going to the next request Thread 7 waiting to be assigned a request rad_recv: Access-Request packet from host 63.228.227.6:2300, id=67, length=53 Waking up in 2 seconds... 
Thread 8 got semaphore Thread 8 handling request 6, (1 handled so far) User-Name = "[EMAIL PROTECTED]" User-Password = "x" rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "attr_filter" returns noop for request 6 rlm_realm: No '#' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "prefix" returns noop for request 6 rlm_realm: Looking up realm "visp.net" for User-Name = "[EMAIL PROTECTED]" rlm_realm: No such realm "visp.net" modcall[authorize]: module "suffix" returns noop for request 6 users: Matched DEFAULT at 36 modcall[authorize]: module "files" returns ok for request 6 modcall: group authorize returns ok for request 6 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user radius_xlat: '/etc/raddb/scripts/pre_auth.sh' Exec-Program: /etc/raddb/scripts/pre_auth.sh Re-wait 2 Exec-Program output: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, Exec-Program-Wait: value-pairs: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, --- Walking the entire request list --- Cleaning up request 0 ID 61 with timestamp 416c1c9c Cleaning up request 1 ID 62 with timestamp 416c1c9c Cleaning up request 2 ID 63 with timestamp 416c1c9c Waking up in 1 seconds... Threads: total/active/spare threads = 15/1/14 --- Walking the entire request list --- Cleaning up request 3 ID 64 with timestamp 416c1c9d Cleaning up request 4 ID 65 with timestamp 416c1c9d Cleaning up request 5 ID 66 with timestamp 416c1c9d Waking up in 5 seconds... 
--- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- WARNING: Unresponsive child (id 1145158576) for request 6 Server rejecting request 6. Sending Access-Reject of id 67 to 63.228.227.6:2300 Waking up in 5 seconds... --- Walking the entire request list --- STRACE OUTPUT at time of error radius_xlat: '/etc/raddb/scripts/pre_auth.sh' Exec-Program: /etc/raddb/scripts/pre_auth.sh Exec-Program output: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, Exec-Program-Wait: value-pairs: Idle-Timeout = 1140, Session-Timeout = 28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254, Framed-Protocol = PPP, Simultaneous-Use = 1, ) = 0 (Timeout) time(NULL) = 1097605809 time(NULL) = 1097605809 write(1, "--- Walking the entire request l"..., 40--- Walking the entire request list --- ) = 40 ## REQUEST WHICH WORKS PROPERLY ## Thread 6 waiting to be assigned a r
Re: Newbie question SQL-freeradius testing tools
On Tuesday 12 October 2004 11:09, Alan DeKok wrote:
> Dirk Enrique Seiffert - CaribeNet <[EMAIL PROTECTED]> wrote:
> > Maybe my post was misleading: It was even hard to find where to download
> > Dialup Admin, there are screenshots but no link to the project/download.
>
> It's included with the server. www.freeradius.org says so.

But www.freeradius.org is not the bible: At least my distribution (SuSE) includes freeradius, but no dialup admin. So why should there be a link?

> > What I am missing is some testing/troubleshooting documentation on the
> > sql-accounting. My authentication works fine, but I can't see any
> > accounting starting:
>
> Read the FAQ.

I read every single line, found some helpful hints and answers. If you check this mailing list archives you will see people asking frequently for the same questions not covered in the FAQ.

You might want to add some FAQs:

Freeside and SQL:

1) Where can I find Dialup Admin?

The server comes with a PHP-based web user administration tool, called dialupadmin. You also can download dialupadmin on http://sourceforge.net/projects/dialup-admin/

2) Where can I find documentation on HowTo setup MySQL Accounting with freeradius?

Check "SB's very rough notes to FreeRadius and MySQL at http://www.frontios.com/freeradius.html

3) I've got freeradius and MySQL to authenticate my users, how can I check if the accounting is working?

    echo "User-Name = test,Password = secret, Acct-Status-Type == Start" | radclient -s localhost acct testing123

If you think these questions are exotic or covered already: Read the Mailing List Archives and the FAQ, ... but read it.

Best wishes
Enrique

> Alan DeKok.

--
CaribeNet S.A. - Cartagena - Colombia
www.caribenet.com
freeradius 1.0.1 - ALIVE-Packet proxy
hi all,

is there a solution for using the/an accounting-proxy for START/STOP packets - but not for ALIVE packets ? i want log local all three packet types to a database - but want log on the remote site only start and stop and have no possibility to "filter" the alive-packets on the remote side.

thx4 any suggestions & best regards,
joachim
Re: Individual timeouts for home servers.
"David" <[EMAIL PROTECTED]> wrote: > I have a few ISP's that seem to have sluggish > radius servers on their end. Rather than try > to try to continually tweak things globally in the > proxy server section, is it possible to > adjust things like retry_delay, retry_count, > dead_time, etc on a realm by realm basis > by placing those things within the realm stanzas? Not right now. There was a message on freeradius-devel the other day about doing that, though. It's probably a good idea. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Interested in a script to simulate user sessions?
Hi,

I have written a perl script that simulates user sessions read from a scenario file. You can have a look at it here: http://www.thor-spruyt.com/radscenario
The reason I wrote it is that I didn't find a good solution to automate several test scenarios. At the top, there's some information on how scenarios are constructed.

Please let me know if something like this is found useful or not. Any suggestions are welcome.

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Individual timeouts for home servers.
Hi

I am running FreeRadius 1.0.0 in production on multiple servers. I use my radius servers primarily for proxying. I proxy to nearly 100 realms for over 60 small ISP's located across the country. I have a few ISP's that seem to have sluggish radius servers on their end. Rather than try to continually tweak things globally in the proxy server section, is it possible to adjust things like retry_delay, retry_count, dead_time, etc on a realm by realm basis by placing those things within the realm stanzas? For example:

    realm isp2.com {
            type= radius
            authhost= radius.isp2.com:1645
            accthost= radius.isp2.com:1646
            secret = TheirKey
            nostrip
            retry_delay = 5
            retry_count = 2
            dead_time = 240
    }

Thanks,
client does not send accounting information
Hi,

If the client is not sending accounting information is there any method I could know how long it was connected ? I am using freeradius 1.0.1 with mysql backend.

Thank you very much!
Re: Oracle cursor leak
Roberto Re <[EMAIL PROTECTED]> wrote:
> I've installed a FreeRADIUS version 1.0.0 on a Linux Red Hat Enterprise
> with Oracle Client 9.1, it never closes any cursors it opened, leading to
> all sorts of interesting problems when the max-open-cursor limits
> were hit.
>
> How can I fix this problem ?

http://bugs.freeradius.org/show_bug.cgi?id=128

The patch there may help. If it does, please say so on the list.

Alan DeKok.
Re: realm + accounting
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote: > What if you didn't want the server to log them locally, but still send the > acct info off to the other server? Then in "accounting", delete any module which does local accounting. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeRADIUS & Status-Server
Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> cool.. err any chance of a nudge as to where in the RFC's it's actually
> documented? (RFC number) I checked the RADIUS one but only found
> reference to it and no further detail.

There is no reference or standard as to what Status-Server means.

Alan DeKok.
RE: realm + accounting
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Tuesday, October 12, 2004 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: Re: realm + accounting
>
> marek cervenka <[EMAIL PROTECTED]> wrote:
> > i need store acct data on two places when send acct to realm
> >
> > is this possible or some way like that?
> >
> > realm serv.com {
> >   type= radius
> >   authhost= radius2.serv.com:1645
> >   accthost= LOCAL, radius2.serv.com:1813
>
> That won't work.
>
> By default, when the server proxies accounting packets, it also logs
> them locally.
>
> Alan DeKok.

What if you didn't want the server to log them locally, but still send the acct info off to the other server?
Re: research project
hi

as far as I know, german 1&1 division has been using freeradius for years for the access control of their xDSL users. however, i'm not up to date...

ciao
artur

Henning,Rhiannon Michelle wrote:

Do you mind if I ask which radius server you were using before? How many users are you currently supporting per server? Wired and wireless users?

Thanks.
Rhiannon Henning

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graeme Hinchliffe
Sent: Tuesday, October 12, 2004 9:38 AM
To: FreeRADIUS list
Subject: Re: research project

If you want some "we use freeRADIUS and love it" style blurb to slap on the freeRADIUS site, give me a shout I would be happy to oblige. Since we (Zen Internet) moved over to freeRADIUS a lot of headaches have gone, and people are authing faster than ever before :) We aren't a new startup either
ip address with radius on wireless network
hi

i read mail on the list which seems to give me response ( no :( ) but i want to be sure is it possible to affect ip address with radius ippool or with users file in a wireless network ( cisco AP 1100 )

thanks
basile
Oracle cursor leak
Hi,

I've installed a FreeRADIUS version 1.0.0 on a Linux Red Hat Enterprise with Oracle Client 9.1, it never closes any cursors it opened, leading to all sorts of interesting problems when the max-open-cursor limits were hit. How can I fix this problem ?

Thanks in advance
Roberto
Re: freeRADIUS & Status-Server
On Tue, 2004-10-12 at 16:13, Alan DeKok wrote:
> Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> > Does freeRADIUS support the status-Server/Status-client packets?
>
> Yes. radclient, too.

cool.. err any chance of a nudge as to where in the RFC's it's actually documented? (RFC number) I checked the RADIUS one but only found reference to it and no further detail.

thanks

--
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: Newbie question SQL-freeradius testing tools
Dirk Enrique Seiffert - CaribeNet <[EMAIL PROTECTED]> wrote:
> Maybe my post was misleading: It was even hard to find where to download
> Dialup Admin, there are screenshots but no link to the project/download.

It's included with the server. www.freeradius.org says so.

> What I am missing is some testing/troubleshooting documentation on the
> sql-accounting. My authentication works fine, but I can't see any accounting
> starting:

Read the FAQ.

Alan DeKok.
RE: research project
Do you mind if I ask which radius server you were using before? How many users are you currently supporting per server? Wired and wireless users?

Thanks.
Rhiannon Henning

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graeme Hinchliffe
Sent: Tuesday, October 12, 2004 9:38 AM
To: FreeRADIUS list
Subject: Re: research project

If you want some "we use freeRADIUS and love it" style blurb to slap on the freeRADIUS site, give me a shout I would be happy to oblige. Since we (Zen Internet) moved over to freeRADIUS a lot of headaches have gone, and people are authing faster than ever before :) We aren't a new startup either

--
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: Are there Session-Octets-Limit parameter in FreeRadius ?
[EMAIL PROTECTED] wrote:
> Are there Session-Octets-Limit parameter in FreeRadius ? NAS- PPPD 2.4.2, mysql_realm

Hello!

If you just want to send reply attributes of type Session-Octets-Limit add this to your dictionary file (located probably in /usr/local/share/freeradius):

    # Limit session traffic
    ATTRIBUTE Session-Octets-Limit 227 integer
    # What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
    ATTRIBUTE Octets-Direction 228 integer

These are still experimental (added in PPPD 2.4.2), and may change in the future. I have modified the sqlcounter module, so that the reply attribute type it sends with the remaining amount of the counted value is configurable, and not hard-coded to Session-Timeout. If you are interested I can send you the patch.

Greetings,
Rado
Re: research project
On Tue, 2004-10-12 at 16:00, Alan DeKok wrote:
> > Enterprises that are currently using freeRadius? Case studies?
>
> megapop.net. ~10^6 users or more.
>
> Most people using FreeRADIUS aren't interested in publicising the
> fact. But I do know of a number of startups who are using FreeRADIUS
> as part of their product suite.

If you want some "we use freeRADIUS and love it" style blurb to slap on the freeRADIUS site, give me a shout I would be happy to oblige. Since we (Zen Internet) moved over to freeRADIUS a lot of headaches have gone, and people are authing faster than ever before :) We aren't a new startup either

--
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: received response to request we did not send
I sent today another mail to the userlist which (hopefully) explains my problem a little better!

regards ;-)

On Mon, 2004-10-11 at 14:45 +0200, Nicolas Baradakis wrote:
> Raimund Sacherer wrote:
>
> [...]
>
> > But THERE is somewhere a problem i could not figure out until now:
> >
> > If the 62.4 and the 10.4 are on different interfaces
> > (eth0=62.4/eth1=10.4) the packet is send to the roamingpartner and the
> > roamingpartner answers (i verified it with tcpdump) BUT the radius
> > server did not seem to receive this packet.
>
> I'm not sure I understand the whole explanation. Please specify who is
> the radius client, who is the proxy and who is the server. (an ascii
> schema can help, too)
>
> > I tried from localhost to connect with netcat to the proxy port 1814 and
> > the server received something (as i typed nonsense, it puts malformed
> > packet in the logfile, but it was receiving something).
> >
> > Netstat displayed the 62.4 and 10.4 listening on 1812 and 1813 and *
> > (0.0.0.0) listening on 1814.
>
> In radiusd.conf, are you using the directive "bind_address"
> or "listen" ?
>
> > Currently our implementation works very well and i also could create a
> > heartbeat interface now, as it is possible to listen on more
> > ip-addresses, but it is not a clean solution, i want to fix this proxy
> > behavior in the right way and put my patches into radius itself soon, as
> > it seems without this outstanding fixes the UDPFROMTO patch is not
> > complete!
>
> Is this the final setup you want to implement ?
>
>                                     proxy1 eth0
>                           +-------> 62.4.e.f
> client 1      vip 1       |
> 62.4.a.b ---> 62.4.c.d ---|         proxy1 eth1
>                           |    +--> 10.4.g.h
>                           |    |
>                           |    |    proxy2 eth0
>                           +----|--> 62.4.m.n
> client 2      vip 2            |
> 10.4.i.j ---> 10.4.k.l --------|    proxy2 eth1
>                                +--> 10.4.o.p
Re: UDPFROMTO and Proxy Problem
Here is our Scenario which is working now: Some Partners depend on an IPSec tunnel. +--+ | Our | | RadiusServer | +--+ | | eth0:1 eth0 10.0.0.10 62.62.62.62 | | | | | | | | +---+ +---+ | | | | +--+ +--+ | Other Radius Srv | | Other Radius Srv | | from RaomPartner | | from RaomPartner | +--+ +--+ If eth0:1 is another physical device (e.g. eth1) then it is NOT working. Netstat -uan displays that the radius server is listening on all (interfaces/ip-addresses) on port 1814. Sending an request-package to our Roaming Partner is working (from the correct IP also, but the respond from the Roaming Partner is not recognized by our Radius Server but tcpdump shows that the Roaming Partner sends an Respond (either Access Reject or Access Accept) and that it's incoming on our interface (eth1). If i move the IP from eth1 to eth0:1 as an alias, all is working again. Strange is, if i locally connect with netcat to eth1 udp port 1814, our Radius Server IS answering. I do not really know where the problem exists, it works with IPAliases, but i would feel much more secure if we can find a working solution for eth1 also. 
Here is an example from our configuration:

--- SNIP radiusd.conf ---
#bind_address = *
#bind_address = 10.0.0.10
listen {
        ipaddr = 10.0.0.10
        type = auth
}
listen {
        ipaddr = 10.0.0.10
        type = acct
}
listen {
        ipaddr = 62.62.62.62
        type = auth
}
listen {
        ipaddr = 62.62.62.62
        type = acct
}
--- SNIP ---

--- SNIP proxy.conf ---
proxy server {
        synchronous = no
        retry_delay = 10
        retry_count = 6
        dead_time = 0
        default_fallback = no
        post_proxy_authorize = no
        proxyip = 62.62.62.62
}

realm veryFrightenedRoamingPartner {
        type = radius
        authhost = 172.172.172.172:1812
        accthost = 172.172.172.172:1813
        proxyip = 10.10.10.10
        secret = ""
}
--- SNIP ---

On Tue, 2004-10-12 at 16:47 +0200, Raimund Sacherer wrote:
> Hi,
>
> i compiled freeradius (1.0.1) with the UDPFROMTO configure option and i
> applied the patch from nicolas
> (http://www.mail-archive.com/[EMAIL PROTECTED]/msg09417.html)
> and now receiving/sending local auth/acct packets with more than one ip
> address works as expected.
>
> There where two problems with proxying, first, i listen to 2 ip
> addresses, if those where on different interfaces (eth0/eth1) it is not
> working, the problem is, the packet is sent to the roamingpartner, but
> the response is not recognized by freeradius (where a local test with
> netcat is recognized), but i can see it clearly with tcpdump.
>
> It works well if these 2 ip addresses are on the same interface (with
> ip-alias).
>
> The second problem with proxying is that it used the interface which was
> defined to send data to the standard gateway as the src-ip address for
> sending proxy-packets.
> > That was a problem for our scenario, as we have roamingpartners which > are listening for our packets on the first ip and others on the other, > therefore i patched freeradius to except in the realm-configuration > another parameter which tells the proxy_send method which src-ip it > should use to send the data, this is working and solved this second > problem, i have the patch attached and would be happy if it made it's > way into the source. > > Technical Detail about the Patch: > 1. Add Proxy IP Address to CONF_PARSER proxy_config[], MAIN_CONFIG_T and > into the REALM struct. > > 2. In generate_realms check if there is a proxy_ip set for this realm or > a global (mainconfig.proxy_ipaddr) one. If so, apply it. > > 3. In proxy_send check if in the REALM is an IP address set, if so, set > it in request->proxy->src_ipaddr so we have a src IP. > > > --- snip --- > > --- freeradius-1.0.0-pre2/src/include/radiusd.h 2004-10-04 > 10:27:37.0 +0200 > +++ /tmp/freeradius-1.0.0-pre2-ewave/src/include/radiusd.h2004-10-12 > 12:45:24.353286104 +0200 > @@ -124,6 +124,7 @@ > charserver[64]; > characct_server[64]; > uint32_tipaddr; /* authentication */ > + uint32_tproxy_ipaddr; /* proxy via interface, rsacherer */ > uint32_tacct_ipaddr; > u_char secret[32]; > time_t last_reply; /* last time we saw a packet */ >
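Review bot: the comment on the new REALM field in the radiusd.h hunk, "proxy via interface", does not say what `proxy_ipaddr` holds; going by the description it is the source IPv4 address for proxied packets, stored next to `ipaddr` and `acct_ipaddr`, so the comment should say that, give the byte order, and name the value that means "not set". The file headers also name freeradius-1.0.0-pre2 while the message says the build is 1.0.1; please regenerate the diff against the tree you actually run so the offsets apply cleanly.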
Re: Newbie question SQL-freeradius testing tools
On Tuesday 12 October 2004 06:31, Kostas Kalevras wrote:
> On Mon, 11 Oct 2004, Dirk Enrique Seiffert - CaribeNet wrote:
> > Hello everybody,
> >
> > I just installed freeradius with mysql and dialup admin. This was not
> > easy, most because of missing or hard-to-find documentation.
> >
> > (Maybe you should at least add at least two links to the homepage:
> > http://www.frontios.com/freeradius.html
> > and http://sourceforge.net/projects/dialup-admin/ )
>
> sourceforge.net is quite dead. And i don't understand what documentation
> you were able to find there that's not included with dialupadmin. Please
> could you explain more what you think is lacking?

Maybe my post was misleading: It was even hard to find where to download Dialup Admin, there are screenshots but no link to the project/download.

The Readme File of Dialup Admin and http://www.frontios.com/freeradius.html were great help.

What I am missing is some testing/troubleshooting documentation on the sql-accounting. My authentication works fine, but I can't see any accounting starting:

rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
modcall: entering group Auth-Type
rlm_pap: login attempt by "test2" with password test2
rlm_pap: Using password "$1$yyaVsBRp$BfNbVDvkjjG5gV7ttRrbL0" for user test2 authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated succesfully
modcall[authenticate]: module "pap" returns ok
modcall: group Auth-Type returns ok
Login OK: [test2/test2] (from client localhost port 0)
Sending Access-Accept of id 199 to 127.0.0.1:1215
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Session-Timeout = 14400
        Idle-Timeout = 600
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 199 with timestamp 416bf716
Nothing to do. Sleeping until we see a request.

Thanks for any hints, links etc.

Best wishes
Enrique

> You can use radclient to send accounting packets to the server.
>
> > Thanks a lot
> >
> > Enrique
> >
> > --
> > CaribeNet S.A. - Cartagena - Colombia
> > www.caribenet.com
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

--
CaribeNet S.A. - Cartagena - Colombia
www.caribenet.com
Re: freeRADIUS & Status-Server
Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> Does freeRADIUS support the status-Server/Status-client packets?

  Yes. radclient, too.

  Alan DeKok.
Re: Are there Session-Octets-Limit parameter in FreeRadius ?
[EMAIL PROTECTED] wrote:
> Are there Session-Octets-Limit parameter in FreeRadius ?

$ grep Session-Octets-Limit /usr/local/share/freeradius/*
$

  I guess not.

  Alan DeKok.
Re: realm + accounting
marek cervenka <[EMAIL PROTECTED]> wrote:
> i need store acct data on two places when send acct to realm
>
> is this possible or some way like that?
>
> realm serv.com {
>         type = radius
>         authhost = radius2.serv.com:1645
>         accthost = LOCAL, radius2.serv.com:1813

  That won't work.

  By default, when the server proxies accounting packets, it also logs them locally.

  Alan DeKok.
Re: doubt about EAP/TLS mechanism
Lara Adianto <[EMAIL PROTECTED]> wrote:
> Using EAP/TLS authentication, I noticed that even if the user
> doesn't exist in the users file, the EAP/TLS authentication still
> proceeds and the key exchange still occurs, access accept is also
> sent together with MS-MPPE-Recv-Key and MS-MPPE-Send-Key.

  Yes, because you defined the user in another database.

  There's nothing magic about the "users" file. It's just one of many databases the server uses to look for users.

> modcall[authorize]: module "files" returns notfound for request 3 --> user lara not found
>
> Is there any impact of this on the authentication process ?

  If the user can log in, obviously not.

> What's the purpose of checking users file in the EAP/TLS
> authentication ?

  So you can configure check && reply attributes.

  Alan DeKok.
Re: using realm ntdomain fails
Christoph Litauer <[EMAIL PROTECTED]> wrote:
> > Please read "proxy.conf".
>
> Well, reading proxy.conf I found the following section:
...

  The whole purpose of "proxy.conf" is to define realms. There are examples in it of doing exactly what you want.

  If you're only going to read PART of "proxy.conf", then it would appear you're not prepared to solve your problem.

> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL

  Don't set Proxy-To-Realm. You don't need to.

  READ "proxy.conf". ALL OF IT. Hint: look for "bla.com".

> I don't think that "LAPLITAUER\litauer" is a LOCAL realm, is it?

  You said that you wanted the server to handle requests containing the realm "LAPLITAUER". Since you're not proxying it, that makes it a local realm.

  Alan DeKok.
Re: Problem with PEAP auth using xp clients
"atul dhingra" <[EMAIL PROTECTED]> wrote:
> Following is the crux of what I am stuck on now:
...

  So you're still getting the core dump.

  Let me guess... you have two versions of OpenSSL installed, and you built the server without using "--disable-shared".

  Fix one of those two problems, and it will work.

  Alan DeKok.
Re: Custom Log module installation
Jose Guevarra <[EMAIL PROTECTED]> wrote:
> I took a shot in the dark and put it into the src/modules directory and
> added it to the 'stable' file. That of course didn't work.

  Did you try re-configuring && re-building the server?

> Attached is the module
...

  I have no idea why. It's already at the URL you posted. Did you think no one was capable of following the URL, or downloading the module?

> Can anyone show me how to get it installed?

  How familiar are you with Unix makefiles? If you haven't used them before, any description of what to do will be very complicated. If you have used them before, it should be fairly obvious what to do.

> The capability to format, add/delete attributes from the logs seems like
> a very handy thing to do. Especially if you search log events to run
> scripts and such. Any chance of getting this module or one like it
> added to the next version of FreeRADIUS?

  Submit it as a patch to bugs.freeradius.org.

  Alan DeKok.
Re: research project
"Henning,Rhiannon Michelle" <[EMAIL PROTECTED]> wrote:
> Is anyone aware of any awards that freeRadius has won?

  Most "awards" are industry awards. i.e. trade shows, magazines, etc. Since FreeRADIUS doesn't enter trade shows, or buy advertising space in magazines, it doesn't win awards. It doesn't even get included in magazine comparisons of RADIUS servers, because the commercial vendors threaten to pull their advertising dollars if FreeRADIUS is mentioned in an article.

  i.e. As a RADIUS server, FreeRADIUS is significantly better than many, many commercial servers. It has more features, is more configurable, and yes, has more documentation.

> Enterprises that are currently using freeRadius? Case studies?

  megapop.net. ~10^6 users or more.

  Most people using FreeRADIUS aren't interested in publicising the fact. But I do know of a number of startups who are using FreeRADIUS as part of their product suite.

  Alan DeKok.
UDPFROMTO and Proxy Problem
Hi, i compiled freeradius (1.0.1) with the UDPFROMTO configure option and i applied the patch from nicolas (http://www.mail-archive.com/[EMAIL PROTECTED]/msg09417.html) and now receiving/sending local auth/acct packets with more than one ip address works as expected. There where two problems with proxying, first, i listen to 2 ip addresses, if those where on different interfaces (eth0/eth1) it is not working, the problem is, the packet is sent to the roamingpartner, but the response is not recognized by freeradius (where a local test with netcat is recognized), but i can see it clearly with tcpdump. It works well if these 2 ip addresses are on the same interface (with ip-alias). The second problem with proxying is that it used the interface which was defined to send data to the standard gateway as the src-ip address for sending proxy-packets. That was a problem for our scenario, as we have roamingpartners which are listening for our packets on the first ip and others on the other, therefore i patched freeradius to except in the realm-configuration another parameter which tells the proxy_send method which src-ip it should use to send the data, this is working and solved this second problem, i have the patch attached and would be happy if it made it's way into the source. Technical Detail about the Patch: 1. Add Proxy IP Address to CONF_PARSER proxy_config[], MAIN_CONFIG_T and into the REALM struct. 2. In generate_realms check if there is a proxy_ip set for this realm or a global (mainconfig.proxy_ipaddr) one. If so, apply it. 3. In proxy_send check if in the REALM is an IP address set, if so, set it in request->proxy->src_ipaddr so we have a src IP. --- snip --- --- freeradius-1.0.0-pre2/src/include/radiusd.h 2004-10-04 10:27:37.0 +0200 +++ /tmp/freeradius-1.0.0-pre2-ewave/src/include/radiusd.h 2004-10-12 12:45:24.353286104 +0200 
@@ -124,6 +124,7 @@ charserver[64]; characct_server[64]; uint32_tipaddr; /* authentication */ + uint32_tproxy_ipaddr; /* proxy via interface, rsacherer */ uint32_tacct_ipaddr; u_char secret[32]; time_t last_reply; /* last time we saw a packet */ @@ -194,6 +195,7 @@ int proxy_retry_count; int proxy_retry_delay; int proxy_fallback; + char*proxy_ipaddr; /* proxy via interface, rsacherer */ int reject_delay; int status_server; int max_request_time; --- freeradius-1.0.0-pre2/src/main/mainconfig.c 2004-10-04 10:27:38.0 +0200 +++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/mainconfig.c 2004-10-12 12:45:16.593465776 +0200 @@ -76,6 +79,7 @@ { "dead_time",PW_TYPE_INTEGER, 0, &mainconfig.proxy_dead_time, Stringify(DEAD_TIME) }, { "post_proxy_authorize", PW_TYPE_BOOLEAN, 0, &mainconfig.post_proxy_authorize, "yes" }, { "wake_all_if_all_dead", PW_TYPE_BOOLEAN, 0, &mainconfig.wake_all_if_all_dead, "no" }, + { "proxyip", PW_TYPE_STRING_PTR, 0, &mainconfig.proxy_ipaddr, NULL }, { NULL, -1, 0, NULL, NULL } }; @@ -347,7 +351,7 @@ CONF_SECTION *cs; REALM *my_realms = NULL; REALM *c, **tail; - char *s, *t, *authhost, *accthost; + char *s, *t, *authhost, *accthost, *proxy_ipaddr; char *name2; tail = &my_realms; 
@@ -369,6 +373,28 @@ c->secret[0] = '\0'; /* +* Check first if a realm IP is set, if not +* check the Mainconfig item, else it means 0 ;-) +* rsacherer +*/ + if ((proxy_ipaddr = cf_section_value_find(cs, "proxyip")) == NULL) { + proxy_ipaddr = mainconfig.proxy_ipaddr; + } + + if (proxy_ipaddr == NULL) { + c->proxy_ipaddr = htonl(INADDR_NONE); + } else { + c->proxy_ipaddr = ip_getaddr(proxy_ipaddr); + if (c->proxy_ipaddr == htonl(INADDR_NONE)) { + radlog(L_ERR, "%s[%d]: Host %s not found", + filename, cf_section_lineno(cs), + proxy_ipaddr); + return -1; + } + } + + + /* * No authhost means LOCAL. */ if ((authhost = cf_section_value_find(cs, "authhost")) == NULL) { --- freeradius-1.0.0-pre2/src/main/proxy.c 2004-10-04 10:27:38.0 +0200 +++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/proxy.c 2004-10-12 12:45:16.701449360 +0200 @@ -430,6 +430,14 @@ request->proxy->timestamp = request->timestamp - (delaypair ? delaypair
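Review bot: in the generate_realms hunk (@@ -369,6 +373,28 @@) the added comment says a missing "proxyip" "means 0", but the code stores htonl(INADDR_NONE) in c->proxy_ipaddr, and that same value is what the error check after ip_getaddr() tests for; pick one "not set" value, document it in the comment, and make the test in proxy_send use the same one. "proxyip" is also accepted as soon as it resolves, with no check that the address is actually configured on this host, so a mistyped address only surfaces later at send time; validate it when the realm is loaded or log the chosen source address per realm. The hunk also adds two blank lines before the "No authhost means LOCAL" comment, and the proxy.c hunk is cut off on this page, so step 3 of the description cannot be checked here.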
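Review bot: the mainconfig.c hunk that adds the "proxyip" entry to the config table is headed @@ -76,6 +79,7 @@, a three-line shift that no earlier hunk in this file accounts for, so the diff appears to come from a tree with other local changes; please rebase it on a clean tree so it applies without fuzz. The two radiusd.h hunks also give the same name, proxy_ipaddr, to a uint32_t in the realm struct and a char * in the main config; a distinct name for the unparsed string (or a comment on each saying which form it holds) would keep the later proxy_send code from mixing them up.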
Re: define a Vendor-Specific Attribute in MYSql freeradius
Elad Kugman <[EMAIL PROTECTED]> wrote:
> How can i use an attribute name from one of the vendor dictionaries.

  You use it like any other attribute.

> When i use freeradius without sql i just wrote in the users file :
> Vendor-Specific = " route:filter-redirect-gw=10.0.0.1" and its work..

  That will never work. Don't do that.

  If you have some idea as to what "route:filter..." means, consult your NAS documentation, and they will tell you WHICH vendor specific attribute to use.

  Hint: It's NOT "Vendor-Specific".

> how can i do this in the sql free radius..

  If you can put normal attributes into SQL, you can put vendor attributes into SQL.

  Alan DeKok.
freeRADIUS & Status-Server
Hiya

Does freeRADIUS support the status-Server/Status-client packets? They look interesting for my project, not sure if it is what I want tho.

Thanks

--
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: NAS-Identifier check
OK, I defined a huntgroup

test NAS-Identifier == "my_nas"

in huntgroups file and added

| eap_user | Huntgroup-Name | == | test |

to radcheck table.

It says "No matching entry in the database for request from user [eap_user]" and "auth: No authenticate method (Auth-Type) configuration found for the request"

When op for Huntgroup-Name changes to := in radcheck, user gets authenticated no matter what is sent in NAS-Identifier. ?

Oliver Graf <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 12, 2004 at 02:11:02AM -0700, Alex wrote:
> > If Auth-Type is Accept, no EAP negotiation occurs. What I want is TTLS established and user credentials checked and also NAS-Identifier value checked. That is, block some TTLS users from connecting from behind other NAS than its own.
> > I get users accepted if TTLS user has only 'User-Password' and '==' in the radcheck. As soon as I add 'NAS-Identifier, '==', 'my_nas', it says Auth-Type not found.
>
> Ah, ok. I use huntgroups for a similar thing (restriction certain
> accounts to certain NASes). Perhaps this is something that might help
> you, too?
>
> Oliver.
RE: MySQL - account logging and other problems
You can't make the radius server just guess when to perform an action or what information to use. If the client isn't sending accounting information to the server, then I would start there and try to figure out how to get your client sending accounting information, not just authentication information. I don't think the WRV54G will send accounting information.

> Hi,
>
> I have installed freeradius 1.0.1 with mysql and experimental modules. I
> have set up mysql database and instruct radius to read users and nas
> information from mysql and to write accounting logs to mysql; also to log
> sql traces.
>
> I started the server with -X option and test the connection. If I run
> radtest program it will successfully authenticate and it will write some
> info into radpostauth table and nothing into radacct table. If I run
> NTRadPing and tell it "request type Accounting On/Off" the radacct table
> is updated. A friend tried to logon to radius server with a LinkSys WRV54G
> router and it also writes only into radpostauth table. Practically it
> writes to database when user logs on but it doesn't write when user logs
> off.
>
> My guess about this behaviour is that the client doesn't send accounting
> on/off information to the radius server.
>
> Can anyone tell me how could I make freeradius write into radacct table ?
> Or how could it be instructed to write some informations to the database
> when user logs off.
> I am also curious if radius could be instructed to allow specific user
> from specific nas (something like user X could only came from nas Y and so
> on) ?
>
> Thank you!
Re: double echo from script-file
if you want to print 2 or more messages you must put a comma, for example:

print "Session-Timeout=111,Framed-Route=tests";

Kyriaki Gali, IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

----- Original Message -----
From: "Edgars" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 12, 2004 4:42 PM
Subject: double echo from script-file

> Hello,
>
> when i'm trying to give two attributes to the client i'm getting none of
> them. I should do it through script file that is called with
> exec-program-wait.
> I'm writing as follows:
>
> echo "Session-Timeout=111";
> echo "Framed-Route=tests";
>
> ---
> separately everything's ok. So can someone suggest how to solve the problem?
>
> Thanks!
> Edgars
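The single-line form described in the reply above, as an added example that is not part of the original posts: a script for exec-program-wait that collects all reply pairs first and prints them once, comma-separated, refusing any value that would split the list. The helper name `join_pairs` is hypothetical, and the example assumes the server expects the one-line format the reply gives.

```shell
#!/bin/sh
# Added example: emit several reply attributes from an exec-program-wait
# script as ONE comma-separated line, the format given in the reply above.
# join_pairs is a hypothetical helper name, not part of FreeRADIUS.

# join_pairs NAME=VALUE [NAME=VALUE ...]
# Prints the pairs on a single line separated by commas. Returns 1 and prints
# nothing on stdout if a pair is malformed or a value contains a character
# that would split the list (comma, double quote, newline).
join_pairs() {
    line=
    nl='
'
    for pair in "$@"; do
        case $pair in
            *=*) ;;
            *) echo "join_pairs: not NAME=VALUE: $pair" >&2; return 1 ;;
        esac
        name=${pair%%=*}
        value=${pair#*=}
        case $name in
            ''|*[!A-Za-z0-9_-]*)
                echo "join_pairs: bad attribute name: $name" >&2; return 1 ;;
        esac
        case $value in
            ''|*,*|*\"*|*"$nl"*)
                echo "join_pairs: unsafe value for $name" >&2; return 1 ;;
        esac
        # Append with a comma only when something is already on the line.
        line=${line:+$line,}$name=$value
    done
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# The two attributes from the question, printed once instead of by two echos.
join_pairs "Session-Timeout=111" "Framed-Route=tests"
```

Rejecting commas and quotes matters when a value is derived from request data: without the check, one value could carry a second attribute into the reply.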
double echo from script-file
Hello,

when i'm trying to give two attributes to the client i'm getting none of them. I should do it through script file that is called with exec-program-wait.
I'm writing as follows:

echo "Session-Timeout=111";
echo "Framed-Route=tests";

---
separately everything's ok. So can someone suggest how to solve the problem?

Thanks!
Edgars
Are there Session-Octets-Limit parameter in FreeRadius ?
Are there Session-Octets-Limit parameter in FreeRadius ?

NAS- PPPD 2.4.2, mysql_realm

--
with best regards
neomag
mailto:[EMAIL PROTECTED]
MySQL - account logging and other problems
Hi,

I have installed freeradius 1.0.1 with mysql and experimental modules. I have set up mysql database and instruct radius to read users and nas information from mysql and to write accounting logs to mysql; also to log sql traces.

I started the server with -X option and test the connection. If I run radtest program it will successfully authenticate and it will write some info into radpostauth table and nothing into radacct table. If I run NTRadPing and tell it "request type Accounting On/Off" the radacct table is updated. A friend tried to logon to radius server with a LinkSys WRV54G router and it also writes only into radpostauth table. Practically it writes to database when user logs on but it doesn't write when user logs off.

My guess about this behaviour is that the client doesn't send accounting on/off information to the radius server.

Can anyone tell me how could I make freeradius write into radacct table ? Or how could it be instructed to write some informations to the database when user logs off.
I am also curious if radius could be instructed to allow specific user from specific nas (something like user X could only came from nas Y and so on) ?

Thank you!
realm + accounting
hi,

i need store acct data on two places when send acct to realm

is this possible or some way like that?

realm serv.com {
        type = radius
        authhost = radius2.serv.com:1645
        accthost = LOCAL, radius2.serv.com:1813
}

thanks

--
Marek Cervenka
Centrum Vypocetni Techniky
CVT - http://cvt.fpf.slu.cz
FPF SLU OPAVA - http://www.fpf.slu.cz
Re: Newbie question SQL-freeradius testing tools
On Mon, 11 Oct 2004, Dirk Enrique Seiffert - CaribeNet wrote:

> Hello everybody,
>
> I just installed freeradius with mysql and dialup admin. This was not easy,
> most because of missing or hard-to-find documentation.
>
> (Maybe you should at least add at least two links to the homepage:
> http://www.frontios.com/freeradius.html
> and http://sourceforge.net/projects/dialup-admin/ )

sourceforge.net is quite dead. And i don't understand what documentation you were able to find there that's not included with dialupadmin. Please could you explain more what you think is lacking?

> Well, everything is working fine, but I want to know if there is a way to test
> accounting functionality: I can connect by radtest, but accounting or logs won't
> start. Is there a trick or tool for testing the accounting function?

You can use radclient to send accounting packets to the server.

> Thanks a lot
>
> Enrique
>
> --
> CaribeNet S.A. - Cartagena - Colombia
> www.caribenet.com

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
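One way to run the radclient test suggested above, as an added example that is not from the thread; it also fits the "MySQL - account logging" question, where radacct stays empty because no accounting packets reach the server. The function names, session-id format, octet figures and defaults (localhost:1813, user test2, secret taken from RADIUS_SECRET) are assumptions.

```shell
#!/bin/sh
# Added example: drive one accounting session (Start, then Stop) through
# radclient so the server's accounting path and the radacct table can be
# checked. Function names, the session-id format, the octet figures and the
# defaults (localhost:1813, user test2) are assumptions.

# acct_attrs STATUS USER SESSION_ID ELAPSED_SECONDS
# Prints one Accounting-Request as a comma-separated attribute list.
acct_attrs() {
    status=$1; user=$2; sid=$3; elapsed=$4
    case $elapsed in
        ''|*[!0-9]*)
            echo "acct_attrs: elapsed must be a whole number" >&2; return 1 ;;
    esac
    case "$user$sid" in
        *,*|*\"*)
            echo "acct_attrs: comma or quote in user or session id" >&2; return 1 ;;
    esac
    # Start and Stop must carry the same Acct-Session-Id, otherwise the
    # Stop cannot be matched to the session the Start opened.
    attrs="User-Name=$user,Acct-Session-Id=$sid,NAS-IP-Address=127.0.0.1,NAS-Port=0"
    case $status in
        Start)
            attrs="$attrs,Acct-Status-Type=Start" ;;
        Stop)
            # A Stop carries the totals for the whole session.
            attrs="$attrs,Acct-Status-Type=Stop,Acct-Session-Time=$elapsed"
            attrs="$attrs,Acct-Input-Octets=$(($elapsed * 1200))"
            attrs="$attrs,Acct-Output-Octets=$(($elapsed * 4800))"
            attrs="$attrs,Acct-Terminate-Cause=User-Request" ;;
        *)
            echo "acct_attrs: unsupported Acct-Status-Type: $status" >&2; return 1 ;;
    esac
    printf '%s\n' "$attrs"
}

# send_acct STATUS USER SESSION_ID ELAPSED_SECONDS
# Builds the packet and hands it to radclient on stdin; -x prints the exchange.
send_acct() {
    pkt=$(acct_attrs "$@") || return 1
    printf '%s\n' "$pkt" |
        radclient -x "${RADIUS_SERVER:-localhost:1813}" acct \
            "${RADIUS_SECRET:?set RADIUS_SECRET to the client secret}"
}

# Usage: RADIUS_SECRET=... sh acct-session.sh send [user] [seconds]
if [ "${1:-}" = send ]; then
    user=${2:-test2}
    seconds=${3:-5}
    sid="sim-$$-$(date +%s)"
    send_acct Start "$user" "$sid" 0 || exit 1
    sleep "$seconds"
    send_acct Stop "$user" "$sid" "$seconds" || exit 1
    echo "sent Start and Stop for Acct-Session-Id $sid"
fi
```

With the server running under -X, both packets should appear in the debug output as Accounting-Requests; if they are answered but radacct stays empty, check that the sql module is listed in the accounting section of radiusd.conf.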
Re: Problems with counter module
On Tue, 12 Oct 2004 [EMAIL PROTECTED] wrote:

> Hi all,
>
> > rlm_counter: Could not find Service-Type attribute in the request.
> > Returning NOOP.
>
> So fix that. See allowed-servicetype configuration directive ( i thought
> it would be rather obvious).
>
> In radiusd.conf:
>
> counter daily {
>         filename = ${raddbdir}/db.daily
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = daily
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         allowed-servicetype = Framed-User
>         cache-size = 5000
> }
>
> In users:
> Pablo   Auth-Type := Local, Max-Daily-Session := 6, User-Password == "Pablo", NAS-IP-Address == "192.168.0.135"
>         Service-Type = Framed-User,
>         Session-Timeout := 6,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 1500,
>         Idle-Timeout = 6,
>         Port-Limit = 1
>
> Even if allowed-servicetype = Framed-User (in radiusd) and Service-Type
> = Framed-User (in users), in that way it
> doesn't work, but

What has the Service-Type in users have to do with the service-type attribute in the accounting-stop packet??!!! Please check the attributes contained in the accounting-stop packet and setup rlm_counter accordingly.

> if I comment out allowed-servicetype = Framed-User in radiusd, it works
> perfect!!! (I don't know why, but ok)
>
> Thanks a lot for your help, I hope those emails will be useful for other
> people!

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: NAS-Identifier check
On Tue, Oct 12, 2004 at 02:11:02AM -0700, Alex wrote:
> If Auth-Type is Accept, no EAP negotiation occurs. What I want is TTLS established
> and user credentials checked and also NAS-Identifier value checked. That is, block
> some TTLS users from connecting from behind other NAS than its own.
> I get users accepted if TTLS user has only 'User-Password' and '==' in the
> radcheck. As soon as I add 'NAS-Identifier, '==', 'my_nas', it says Auth-Type not
> found.

Ah, ok. I use huntgroups for a similar thing (restriction certain accounts to certain NASes). Perhaps this is something that might help you, too?

Oliver.
howto overwrite a reply item for default users
Dear List,

I'm using freeRadius 0.9.3. In the default block of users file,

Exec-Program-Wait = "/usr/local/iradius/radplug -t auth"
USR-Framed_IP_Address_Pool_Name = "ippool"

In some cases, my program is returning,

USR-Framed_IP_Address_Pool_Name := "unreg"

The 'man 5 users' says, it will overwrite the pool name. But, it's not doing. I ran freeRadius in debug mode and checked the outputs.

Can anyone please help me? I think, there is someone who has surely faced this problem.

--
tanveer
Re: NAS-Identifier check
Hello Oliver, thank you for your reply.

If Auth-Type is Accept, no EAP negotiation occurs. What I want is TTLS established and user credentials checked and also NAS-Identifier value checked. That is, block some TTLS users from connecting from behind other NAS than its own.

I get users accepted if TTLS user has only 'User-Password' and '==' in the radcheck. As soon as I add 'NAS-Identifier, '==', 'my_nas', it says Auth-Type not found.

I also tried:

+----+----------+----------------+----+---------+
| id | UserName | Attribute      | op | Value   |
+----+----------+----------------+----+---------+
| 33 | eap_user | User-Password  | == |         |
| 36 | eap_user | Auth-Type      | ~= | EAP|MD5 |
| 35 | eap_user | NAS-Identifier | == | my_nas  |
+----+----------+----------------+----+---------+

P.S. nas is a cisco and has attribute 32 customized

Oliver Graf <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 11, 2004 at 06:56:01AM -0700, Alex wrote:
> > Hello,
> >
> > I want TTLS users to be authenticated using their login/pwd _AND_ the NAS-Identifier attribute from the Access-Req packet. It works fine with User-Password, but when I add NAS-Identifier == 'my_router' to radcheck table, freeradius says 'Auth-Type not found'. The debug shows that 'my_router' sends the correct value for this attribute.
> > When I change to :=, users can login even if the value is completely changed (i.e. I put his_router instead)
>
> Use AuthType := Accept
>
> Oliver.
Re: Problems with counter module
Hi all,

> rlm_counter: Could not find Service-Type attribute in the request.
> Returning NOOP.

So fix that. See allowed-servicetype configuration directive ( i thought it would be rather obvious).

In radiusd.conf:

counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
}

In users:

Pablo   Auth-Type := Local, Max-Daily-Session := 6, User-Password == "Pablo", NAS-IP-Address == "192.168.0.135"
        Service-Type = Framed-User,
        Session-Timeout := 6,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Idle-Timeout = 6,
        Port-Limit = 1

Even if allowed-servicetype = Framed-User (in radiusd) and Service-Type = Framed-User (in users), in that way it doesn't work, but if I comment out allowed-servicetype = Framed-User in radiusd, it works perfect!!! (I don't know why, but ok)

Thanks a lot for your help, I hope those emails will be useful for other people!
doubt about EAP/TLS mechanism
Hi,

Using EAP/TLS authentication, I noticed that even if the user doesn't exist in the users file, the EAP/TLS authentication still proceeds and the key exchange still occurs, access accept is also sent together with MS-MPPE-Recv-Key and MS-MPPE-Send-Key.

rlm_realm: No '@' in User-Name = "lara", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
modcall[authorize]: module "files" returns notfound for request 3 --> user lara not found

Is there any impact of this on the authentication process ?
What's the purpose of checking users file in the EAP/TLS authentication ?

Regards,
Lara

Life, you see, is never as good nor as bad as one thinks - Guy de Maupassant