Re: discarding duplicate request - but duplicate it is not

2004-12-16 Thread David ROUMANET
I knew it: I should have learned C ;)

Alan DeKok wrote:
> "L.C. (Laurentiu C. Badea)" <[EMAIL PROTECTED]> wrote:
> > Two issues I noticed while looking at the source for my problem: in
> > threads.c I believe it would be safer to end the fork_mutex critical
> > section after the forkers structure is updated (after line 1069),
> > not before (1051).
> >
> > Also it seems like if it ran out of slots it will return without
> > unblocking SIG_CHLD (threads.c:1058). Not sure if this is
> > intentional or not.
>
>   Fixed, thanks.  These will be in 1.0.2 and all later versions.
>
>   Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
-
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71
-
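
The two points raised about threads.c in the quoted message (the lock released before the table of forked children is updated, and the full-table return that leaves SIGCHLD blocked) are shown side by side in the C below. This is an added illustration, not FreeRADIUS source: only the names fork_mutex and forkers come from the message, while the table size, struct layout and function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added illustration, constructed for this page; not taken from threads.c. */
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_FORKERS 4                      /* hypothetical table size */
static struct { pid_t pid; int in_use; } forkers[MAX_FORKERS];
static pthread_mutex_t fork_mutex = PTHREAD_MUTEX_INITIALIZER;

static int find_free_slot(void)
{
    for (int i = 0; i < MAX_FORKERS; i++)
        if (!forkers[i].in_use) return i;
    return -1;
}

static void set_all_slots(int in_use)
{
    for (int i = 0; i < MAX_FORKERS; i++) forkers[i].in_use = in_use;
}

static void sigchld_only(sigset_t *set) { sigemptyset(set); sigaddset(set, SIGCHLD); }

/* "Before": the lock ends too early and the full-table return skips the unblock. */
pid_t fork_racy(void)
{
    sigset_t chld;
    sigchld_only(&chld);
    sigprocmask(SIG_BLOCK, &chld, NULL);   /* a threaded server would use pthread_sigmask */
    pthread_mutex_lock(&fork_mutex);
    int slot = find_free_slot();
    pthread_mutex_unlock(&fork_mutex);     /* slot chosen but not yet claimed */
    if (slot < 0)
        return -1;                         /* SIGCHLD is still blocked here */
    pid_t pid = fork();
    if (pid > 0) {                         /* table written outside the lock */
        forkers[slot].pid = pid;
        forkers[slot].in_use = 1;
    }
    sigprocmask(SIG_UNBLOCK, &chld, NULL);
    return pid;
}

/* "After": table updated inside the critical section, mask restored on every path. */
pid_t fork_tracked(void)
{
    sigset_t chld, saved;
    pid_t pid = -1;
    sigchld_only(&chld);
    sigprocmask(SIG_BLOCK, &chld, &saved);
    pthread_mutex_lock(&fork_mutex);
    int slot = find_free_slot();
    if (slot >= 0 && (pid = fork()) > 0) {
        forkers[slot].pid = pid;
        forkers[slot].in_use = 1;
    }
    pthread_mutex_unlock(&fork_mutex);     /* also runs in the child's copy */
    sigprocmask(SIG_SETMASK, &saved, NULL);
    return pid;
}

/* Fill the table, call one variant, report whether SIGCHLD was left blocked. */
int blocked_after_full_table(int use_fixed)
{
    sigset_t chld, cur;
    sigchld_only(&chld);
    sigprocmask(SIG_UNBLOCK, &chld, NULL);
    set_all_slots(1);
    pid_t pid = use_fixed ? fork_tracked() : fork_racy();
    sigprocmask(SIG_BLOCK, NULL, &cur);    /* NULL set: only read the current mask */
    sigprocmask(SIG_UNBLOCK, &chld, NULL);
    set_all_slots(0);
    return pid == -1 ? sigismember(&cur, SIGCHLD) : -1;
}

/* Normal path: 1 when the child was recorded in the table and reaped cleanly. */
int fork_and_reap(void)
{
    int status = 0, recorded = 0;
    set_all_slots(0);
    pid_t pid = fork_tracked();
    if (pid == 0) _exit(0);                /* child: nothing to do in this demo */
    if (pid < 0) return 0;
    for (int i = 0; i < MAX_FORKERS; i++)
        if (forkers[i].in_use && forkers[i].pid == pid) recorded = 1;
    if (waitpid(pid, &status, 0) != pid) return 0;
    return recorded && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("SIGCHLD left blocked after full table: racy=%d fixed=%d\n",
           blocked_after_full_table(0), blocked_after_full_table(1));
    printf("tracked fork recorded and reaped: %d\n", fork_and_reap());
    return 0;
}
```

A process that keeps SIGCHLD blocked after the early return stops noticing child exits, so the table never drains and every later request takes the same failing path.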


How to change personal fields dialup_admin?

2004-12-16 Thread Michel van Dop
Hello,

I want to change the fields on the Personal Information page in dialup_admin.
I know I can change the user-info table name in admin.conf.
But how can I change the table fields? I can change user_info.php3,
but I think there is a better solution for this, and I don't know how.

Thank you,

Michel



FreeBSD 5.3 compile problem (Re: krb5 errors when compiling on Fedora Core 3)

2004-12-16 Thread A . L . M . Buxey
Hi,
> "E. Dean Sahutske" <[EMAIL PROTECTED]> wrote:
> > I was able to compile the source.  I ran ./configure --without-rlm_krb5 
> > --without-rlm_x99_token (there was a problem with that too).  What is 
> > lost by not having these features enabled?  When does freeradius require 
> > kerberos?
> 
>   When you want to use it.
> 
>   As for the Fedora Core issues, they moved the kerberos headers to a
> stupid place where the C compiler can't find them.  See the mailing
> list archives for many similar complaints.

I'm having a similar issue with rlm_krb5 on a FreeBSD 5.3 box.

I have FreeRADIUS working 100% fine with kerberos etc on a Fedora Core 2 box
(home compiled too - although I started the experiment with an RPM)

could someone give me some compile pointers for FreeBSD 5.3?  All I have
dumped to my screen right now is

gmake[5]: Entering directory `/root/freeradius-1.0.1/src/modules/rlm_krb5'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall 
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef  -I../../include  -c rlm_krb5.c 
-o rlm_krb5.o
rlm_krb5.c: In function `verify_krb5_tgt':
rlm_krb5.c:96: warning: implicit declaration of function `krb5_princ_component'
rlm_krb5.c:96: warning: nested extern declaration of `krb5_princ_component'
rlm_krb5.c:96: error: `c' undeclared (first use in this function)
rlm_krb5.c:96: error: (Each undeclared identifier is reported only once
rlm_krb5.c:96: error: for each function it appears in.)
rlm_krb5.c:96: error: invalid type argument of `->'
rlm_krb5.c:105: warning: passing arg 2 of `krb5_kt_read_service_key' discards 
qualifiers from pointer target type
rlm_krb5.c: In function `krb5_auth':
rlm_krb5.c:217: warning: initialization makes pointer from integer without a 
cast
rlm_krb5.c:219: warning: excess elements in struct initializer
rlm_krb5.c:219: warning: (near initialization for `tgtname')
rlm_krb5.c:292: error: request for member `length' in something not a structure 
or union
rlm_krb5.c:293: error: request for member `data' in something not a structure 
or union
rlm_krb5.c:296: error: request for member `length' in something not a structure 
or union
rlm_krb5.c:297: error: request for member `data' in something not a structure 
or union
gmake[5]: *** [rlm_krb5.o] Error 1
gmake[5]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_krb5'
gmake[4]: *** [common] Error 1
gmake[4]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[2]: *** [common] Error 1
gmake[2]: Leaving directory `/root/freeradius-1.0.1/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/root/freeradius-1.0.1/src'
gmake: *** [common] Error 1
*** Error code 2

Stop in /root/freeradius-1.0.1.


Alan



rewrite vlan id

2004-12-16 Thread Andree Toonk
Hello everyone,
Some of the authentication requests are proxied and come back with a 
wrong vlan id. I try to rewrite the attribute Tunnel-Private-Group-Id, 
but I can't get it to work.

This is what the answer from the proxy server on which the user is known 
looks like:

rad_recv: Access-Accept packet from host x.x.x.x:1812, id=1, length=83
Tunnel-Type:1 = VLAN:1
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "163"
User-Name = "[EMAIL PROTECTED]"
Proxy-State = 0x323036
I want the vlan to become 207 instead of 163,
so I did the following:
attr_rewrite changeVLAN {
attribute = "Tunnel-Private-Group-Id"
#  also tried:  attribute = "Tunnel-Private-Group-Id:1"
# but server says:
# rlm_attr_rewrite: No such attribute Tunnel-Private-Group-Id:1
# radiusd.conf[962]: changeVLAN: Module instantiation failed.
searchin = proxy_reply
searchfor = "161"
replacewith = "207"
}
and in:
post-proxy {
changeVLAN
eap
}

this is what the radiusd says:
modcall: entering group post-proxy for request 11
rlm_attr_rewrite: Could not find value pair for attribute 
Tunnel-Private-Group-Id
  modcall[post-proxy]: module "changeVLAN" returns noop for request 11
  TTLS: Passing reply from proxy back into the tunnel.
  POST-AUTH 2
  TTLS: Final reply from tunneled session code 2
Tunnel-Type:1 = VLAN:1
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "163"
User-Name = "[EMAIL PROTECTED]"
Proxy-State = 0x323138

I also tried:
Can someone give me a hint on how to configure this?
Ideally I want to use a wildcard for the vlan id, replace "any vlan-id" 
with 207. Is this possible? And how :)

regards Andree


Re: EAP-TTLS with tunneled PAP Users files

2004-12-16 Thread Dustin Doris

> I have a radius box set up using 1.0.1. Currently it is doing
> authentication and working fine. I am trying to integrate in 802.1x
> auth. I have the EAP-TTLS w/ PAP working fine with a users entry of
> "username" User-Password == "test", but I am confused how the users
> and authorize and authenticate sections of the radiusd file should be
> set to have EAP look at an LDAP entry. I know I have to set the pap
> module to md5 to work with the LDAP and that I will have a new
> huntgroup just for the .1x authentication, but I am stumped from
> there. Below is how my users file and radiusd look now, my question is
> really how should they look when I integrate in the .1x
>
> Thanks in advance guys, you have helped me out in the past and I would
> appreciate anything else you could do for me now.
>
> - Joe
>
>
> ***radiusd.conf
> ...
> authorize {
>   autztype VPN_LDAP {
> redundant {
> VPN_LDAP1
> VPN_LDAP2
>   }
> }
>
> autztype Dial_LDAP {
> redundant {
>  Dial_LDAP1
>  Dial_LDAP2
>   }
> }
> ...
> authenticate {
> authtype VPN_LDAP {
> redundant {
> VPN_LDAP1
> VPN_LDAP2
>   }
> }
>
> authtype Dial_LDAP {
> redundant {
>  Dial_LDAP1
>  Dial_LDAP2
>   }
> }
>
> ***users
>
> DEFAULT Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP, Huntgroup-Name == VPN
>
>
> DEFAULT Autz-Type := Dial_LDAP, Auth-Type := Dial_LDAP, Huntgroup-Name == DIAL
> Service-Type == Framed-User,
> Ascend-Assign-IP-Pool = 1,
> Framed-IP-Address = 255.255.255.254,
> Framed-MTU = 1524,
> Service-Type = Framed-User,
> Fall-Through = No
>
> -


Do you have eap in your authorize and authenticate sections?





Re: How to change personal fields dialup_admin?

2004-12-16 Thread Kostas Kalevras
On Thu, 16 Dec 2004, Michel van Dop wrote:
> Hello,
>
> I want to change the fields on the Personal Information page in dialup_admin.
> I know I can change the user-info table name in admin.conf.
> But how can I change the table fields? I can change user_info.php3,
> but I think there is a better solution for this, and I don't know how.
>
> Thank you,

Currently, dialupadmin does not allow configuring the Personal Information user
fields. That's on TODO. You can always update the corresponding code to add a
new field, it's not too much work (though it requires knowledge of PHP and how
dialupadmin works).

> Michel
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Switching from Cistron radius to Free radius

2004-12-16 Thread Lisa Casey
Hi,

I have a radius server currently authenticating dialup users using Cistron.
I'm in the process of switching over to Free radius. I have downloaded and
installed Free radius 1.0.1 and have edited radiusd.conf to suit my needs. I
haven't started using it yet in place of Cistron but I'm about ready to. I
have a question though:

In .../freeradius-1.0.1/scripts there is a script to start the radius daemon
called rc.radiusd. My cistron is currently started with a script in
/etc/init.d called radiusd. Should I just copy rc.radiusd to /etc/init.d
then rename it radiusd?

Actually, in  .../freeradius-1.0.1/scripts,  there are two scripts:
rc.radiusd and rc.radiusd.in  What's the difference between these and which
should I use?

Thanks,

Lisa Casey




Re: FreeBSD 5.3 compile problem (Re: krb5 errors when compiling on Fedora Core 3)

2004-12-16 Thread A . L . M . Buxey
Hi,

>   There are multiple libraries which implement kerberos.  On FreeBSD,
> I think you'll have to give an extra option to 'configure':
> 
> $ configure --enable-heimdal-krb5

thanks! - i'll follow this up.

>   and it should make the kerberos module use the right kerberos libraries.
> 
>   But isn't there a freeradius package on FreeBSD?

yes, there is. It's by Brian Somers <[EMAIL PROTECTED]> (sorry if that's wrong,
please correct me!)  BUT it doesn't do rlm_krb5 by default at all - and even enabling
the 'experimental' doesn't give me the joy and happiness I am used to :-)

alan



Re: FreeBSD 5.3 compile problem (Re: krb5 errors when compiling on Fedora Core 3)

2004-12-16 Thread George C. Kaplan
In message <[EMAIL PROTECTED]>, "Alan DeKok" writes:
> [EMAIL PROTECTED] wrote:
> > I'm having a similar issue with rlm_krb5 on a FreeBSD 5.3 box.
> > 
> > I have FreeRADIUS working 100% fine with kerberos etc on a Fedora Core 2 box
> > (home compiled too - although I started the experiment with an RPM)
> 
>   There are multiple libraries which implement kerberos.  On FreeBSD,
> I think you'll have to give an extra option to 'configure':
> 
> $ configure --enable-heimdal-krb5
> 
>   and it should make the kerberos module use the right kerberos libraries.

I just dealt with this issue a couple of weeks ago.  The heimdal config 
switch didn't work (can't remember why), but I was able to get it to 
compile with MIT kerberos.  The MIT Kerberos port puts its libraries in 
/usr/local, so you'll have to use something like

configure --with-rlm-krb5-lib-dir=/usr/local/lib \
  --with-rlm-krb5-include-dir=/usr/local/include

Also, the 'configure' file in src/modules/rlm-krb5 wasn't honoring the 
--with-rlm-krb5-include-dir option.  A patch for 'configure.in' is 
appended.

>   But isn't there a freeradius package on FreeBSD?

Yes, in the ports collection, but it doesn't build the Kerberos 
support.  I've sent my modifications to the maintainer, who says he'll 
be including them soon.

-- 
George C. Kaplan                        [EMAIL PROTECTED]
Communication & Network Services        510-643-0496
University of California at Berkeley


*** src/modules/rlm_krb5/configure.in.orig  Mon Mar 17 11:51:30 2003
--- src/modules/rlm_krb5/configure.in   Thu Dec  2 15:24:50 2004
***
*** 35,40 
--- 35,41 
;;
*)
rlm_krb5_include_dir="$withval"
+   krb5_i_cflags="-I${rlm_krb5_include_dir}"
;;
  esac ]
)
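Review bot: krb5_i_cflags is assigned only in the *) branch of the include-dir case, and nothing in the visible context gives it a value on the other branches, so when the option is omitted the later ${krb5_i_cflags} expands to whatever the caller's environment happens to hold. Set it to empty (krb5_i_cflags=) before the option is parsed. The directory is also interpolated unquoted into a flag string, so a path containing spaces would split into separate compiler arguments; if that is not going to be supported, say so in the option's help text.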
***
*** 95,101 
  fi
  
  krb5_ldflags=$SMART_LIBS
! krb5_cflags="${krb5_h_cflags} $SMART_CFLAGS"
  
  AC_SUBST(krb5_cflags)
  AC_SUBST(krb5_ldflags)
--- 96,102 
  fi
  
  krb5_ldflags=$SMART_LIBS
! krb5_cflags="${krb5_i_cflags} ${krb5_h_cflags} $SMART_CFLAGS"
  
  AC_SUBST(krb5_cflags)
  AC_SUBST(krb5_ldflags)
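Review bot: only krb5_cflags picks up the user-supplied directory in this hunk; the unchanged krb5_ldflags=$SMART_LIBS line just above it gets no matching -L for a user-supplied library directory. Please confirm that SMART_LIBS already carries it, otherwise headers from the chosen tree can end up paired with libraries from a different one. Putting ${krb5_i_cflags} ahead of ${krb5_h_cflags} gives the explicit directory precedence over the detected one, which is worth a one-line comment next to the assignment.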





Re: EAP-TTLS with tunneled PAP Users files

2004-12-16 Thread Joe Raviele
EAP is in both the authenticate and authorize sections. I still have
not gotten it to work, today I am trying several different
permutations of the users file.

- Joe


On Thu, 16 Dec 2004 08:44:20 -0500 (EST), Dustin Doris
<[EMAIL PROTECTED]> wrote:
> 
> Do you have eap in your authorize and authenticate sections?


Certificate generating problems

2004-12-16 Thread Daniel Davidson
I arrived at the point where I thought it would be a good idea to go
ahead and purchase a certificate for my radius server rather than just
using myself as the authority, and I somehow botched it and radius will
not work.  I have my guess as to what I did wrong, but to be sure can
anyone fire back to me the command they issued for their certificate
request.

thanks,

Dan




Re: EAP-TTLS with tunneled PAP Users files

2004-12-16 Thread Dustin Doris
If you are still failing, I would suggest you send the list a copy of your
radiusd.conf file and the output of radiusd -X when it fails.  The debug
messages when it does fail, should be able to tell you why it is failing.
Without the debug info, we can only guess.

-Dusty Doris

On Thu, 16 Dec 2004, Joe Raviele wrote:

> EAP is in both the authenticate and authorize sections. I still have
> not gotten it to work, today I am trying several different
> permutations of the users file.
>
> - Joe
>
>
> On Thu, 16 Dec 2004 08:44:20 -0500 (EST), Dustin Doris
> <[EMAIL PROTECTED]> wrote:
> >
> > Do you have eap in your authorize and authenticate sections?


Re: FreeBSD 5.3 compile problem (Re: krb5 errors when compiling on Fedora Core 3)

2004-12-16 Thread A . L . M . Buxey
Hi,

> > $ configure --enable-heimdal-krb5
> > 
> >   and it should make the kerberos module use the right kerberos libraries.
> 
> I just dealt with this issue a couple of weeks ago.  The heimdal config 
> switch didn't work (can't remember why), but I was able to get it to 

when I try the heimdal configure option, I get past the krb5_auth stuff, but 
then the system fails on the x99_rlm stuff instead. 
..i'm playing with the CVS version as I write this now... see if there
are interesting differences..

alan



Re: Administration.

2004-12-16 Thread tekchip
I must have missed that one. I'll take another look. Thanks for being
patient with me.


--- Julius Igugu <[EMAIL PROTECTED]> wrote:

> Dialup Admin.  
> 
> It's bundled with freeradius.
> 
> --- tekchip <[EMAIL PROTECTED]> wrote:
> 
> > Is there an administration application, possibly a web based one that
> > will do the administration of radius and through radius the back end
> > user dbase or is the best bet to pick a management application that
> > connects directly to the back end? For example I'm planning to use
> > freeradius with mysql. My choices now are ? through freeradius or
> > something like phpmysql directly to mysql. I was kind of thinking
> > management through freeradius might be better that way when there's a
> > major issue with freeradius or the dbase you see it on the management
> > tool. Eliminates the possibility that a user would call and say 'I
> > can't log in' and having the tech say, well the database is
> > working...knowing that radius has gone down when it happens vs. when
> > a user calls. Not a huge difference but I was thinking it's a small
> > advantage. Thanks for any help/input you can provide.
> > 
> > =
> > Brock Hatfield
> > [EMAIL PROTECTED]
> > 
> > 
> 
> 
> =
> Julius Igugu
> SouthWork Co. Ltd.
> 
> 
> 


=
Brock Hatfield
[EMAIL PROTECTED]



Re: FreeBSD 5.3 compile problem (Re: krb5 errors when compiling on Fedora Core 3)

2004-12-16 Thread George C. Kaplan
In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:

> > I just dealt with this issue a couple of weeks ago.  The heimdal config 
> > switch didn't work (can't remember why), but I was able to get it to 
> 
> when I try the heimdal configure option, I get past the krb5_auth stuff, but 
> then the system fails on the x99_rlm stuff instead. 

OK, you shamed me into reviewing my notes.  This is what happened to 
me, too, when I tried to build the 1.0.1 release downloaded from 
ftp.freeradius.org.

When that happened, I switched to trying to build the freeradius in the 
FreeBSD ports collection (which also uses version 1.0.1).  For some 
reason I didn't pursue the heimdal option, but went right to fixing it 
up to use MIT Kerberos.

Anyway, the freeradius port includes a patch for x99_rlm.c, so that 
it'll build without problems.

-- 
George C. Kaplan                        [EMAIL PROTECTED]
Communication & Network Services        510-643-0496
University of California at Berkeley





Re: Execute a script at the end of a session

2004-12-16 Thread Paul Hampson
On Thu, Dec 16, 2004 at 09:12:59AM +, Santiago Balaguer García wrote:
> The action you proposed is to create a new attribute, for instance, 
> Exec-Program-End, and insert it in the radreply table. For example, if I have 
> these entries in this table:
> +-----+----------+-------------------+----+---------------------------------------+
> | id  | UserName | Attribute         | op | Value                                 |
> +-----+----------+-------------------+----+---------------------------------------+
> | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
> | 169 | 11101    | Session-Timeout   | := |                                       |
> | 170 | 11101    | Idle-Timeout      | := | 300                                   |
> 
> 
> The information for this user would be:
> +-----+----------+-------------------+----+---------------------------------------+
> | id  | UserName | Attribute         | op | Value                                 |
> +-----+----------+-------------------+----+---------------------------------------+
> | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
> | 169 | 11101    | Session-Timeout   | := |                                       |
> | 170 | 11101    | Idle-Timeout      | := | 300                                   |
> | 171 | 11101    | Exec-Program-End  | =  | /home/blackbox/finish_script.sh %u %n |

I should point out that Exec-Program-Wait is executed at the end of
authentication, not the start of accounting. It's probably fairly close
though.

> I located the accounting section, but I don't know what I must modify. So I 
> attach my radius.conf.

Here's what I meant:

This won't quite work, since the contents of radreply doesn't go into
accounting packet responses. But this should give you the idea... You
might be better off using the acct_users file to set the
Exec-Program-End attribute, if it's as generic as the above.

_Or_ unify your scripts into one script for every user, and use the
parameters to determine what to do.

>   #
>   #  This is a more general example of the execute module.
>   #
>   #  If you wish to execute an external program in more than
>   #  one section (e.g. 'authorize', 'pre_proxy', etc), then it
>   #  is probably best to define a different instance of the
>   #  'exec' module for every section.
>   #
>   exec echo {
>   #
>   #  Wait for the program to finish.
>   #
>   #  If we do NOT wait, then the program is "fire and
>   #  forget", and any output attributes from it are ignored.
>   #
>   #  If we are looking for the program to output
>   #  attributes, and want to add those attributes to the
>   #  request, then we MUST wait for the program to
>   #  finish, and therefore set 'wait=yes'
>   #
>   # allowed values: {no, yes}
>   wait = yes
> 
>   #
>   #  The name of the program to execute, and it's
>   #  arguments.  Dynamic translation is done on this
>   #  field, so things like the following example will
>   #  work.
>   #
>   program = "/bin/echo %{User-Name}"
> 
>   #
>   #  The attributes which are placed into the
>   #  environment variables for the program.
>   #
>   #  Allowed values are:
>   #
>   #   request attributes from the request
>   #   reply   attributes from the reply
>   #   proxy-request   attributes from the proxy request
>   #   proxy-reply attributes from the proxy reply
>   #
>   #  Note that some attributes may not exist at some
>   #  stages.  e.g. There may be no proxy-reply
>   #  attributes if this module is used in the
>   #  'authorize' section.
>   #
>   input_pairs = request
> 
>   #
>   #  Where to place the output attributes (if any) from
>   #  the executed program.  The values allowed, and the
>   #  restrictions as to availability, are the same as
>   #  for the input_pairs.
>   #
>   output_pairs = reply
> 
>   #
>   #  When to execute the program.  If the packet
>   #  type does NOT match what's listed here, then
>   #  the module does NOT execute the program.
>   #
>   #  For a list of allowed packet types, see
>   #  the 'dictionary' file, and look for VALUEs
>   #  of the Packet-Type attribute.
>   #
>   #  By default, the module executes on ANY packet.
>   #  Un-comment out the following line to tell the
>   #  module to execute only if an Access-Accept is
>   #  being sent to the

Re: regarding "stale" IP in ippool

2004-12-16 Thread Paul Hampson
On Thu, Dec 16, 2004 at 09:34:21PM +0100, Alfred H. Dahl wrote:
> >> we have a problem with our IP-POOL.

> >> We run pppoe-servers from Mikrotik, and we assign IP to the client 
> >> using freeradius 0.9.3.

> >> If a Mikrotik pppoe-server stops, or the accounting-stop-packet from 
> >> the pppoe-server does not reach the radius-server, the IP-address is 
> >> not freed from the ip_pool, meaning we get "stale" sessions in the 
> >> IP-Pool.

Now I think about it, there's supposed to be an accounting packet that
comes in when a NAS is shut down... I just don't recall if rlm_ippool
processes it or not. ^_^

> >Depending on the port-numbers you're getting from the pppoe server, this 
> >shouldn't be a problem. If your port numbers are densely populated, 
> >and there are less than the entries in your IP pool, stale entries aren't a 
> >problem.
> 
> what does this mean? If the IP is marked as "active" - will the plugin check 
> to see if the session still exist, and if not, free the IP?

If a new session comes in on a NAS/port combination with an IP address
marked as active, the ippool code frees that IP before it tries to
allocate one. Or at least that's how I remember it, code unseen.

> what happens when all the IP's are marked as active, and the server receives 
> yet another login?

Then you have more ports than IP addresses, and rlm_ippool has issues,
as I said above, or you have exactly the same number of ports as IP
addresses, and the incoming request should clear the old IP address on
that port/IP, and then reassign it again.

-- 
Paul "TBBle" Hampson, on an alternate email client.
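
The reclaim-on-reuse behaviour described in the reply above, and why it only keeps the pool healthy while ports do not outnumber addresses, as an added C model. It is not rlm_ippool code: the pool size, the NAS name "nas-a" and every function name are assumptions made for the illustration.

```c
/* Added model of the behaviour described in the post; not rlm_ippool source. */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 3                        /* constructed pool: three addresses */

struct lease { int active; char nas[32]; unsigned port; };
static struct lease pool[POOL_SIZE];

void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Index of the lease held by this NAS/port pair, or -1. */
static int find_lease(const char *nas, unsigned port)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].active && pool[i].port == port && strcmp(pool[i].nas, nas) == 0)
            return i;
    return -1;
}

/* Accounting-Stop: free the lease. Returns 1 if one was held, 0 otherwise. */
int pool_release(const char *nas, unsigned port)
{
    int i = find_lease(nas, port);
    if (i < 0) return 0;
    pool[i].active = 0;
    return 1;
}

/* New session: drop any lease still recorded for this NAS/port (its Stop was
 * lost), then hand out the first free address. Returns the index or -1. */
int pool_allocate(const char *nas, unsigned port)
{
    int stale = find_lease(nas, port);
    if (stale >= 0) pool[stale].active = 0;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].active) continue;
        pool[i].active = 1;
        pool[i].port = port;
        snprintf(pool[i].nas, sizeof pool[i].nas, "%s", nas);
        return i;
    }
    return -1;
}

int pool_active(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool[i].active;
    return n;
}

/* Every session ends without an Accounting-Stop, and `ports` ports log in
 * again on each of `rounds` rounds. Returns how many logins got no address. */
int failed_logins(unsigned ports, int rounds)
{
    int failed = 0;
    pool_reset();
    for (int r = 0; r < rounds; r++)
        for (unsigned p = 1; p <= ports; p++)
            if (pool_allocate("nas-a", p) < 0) failed++;
    return failed;
}

int main(void)
{
    printf("3 ports, 3 addresses: %d failed logins\n", failed_logins(3, 5));
    printf("4 ports, 3 addresses: %d failed logins\n", failed_logins(4, 5));
    return 0;
}
```

With four ports the fourth never gets an address, because the three stale leases belong to other ports and nothing reclaims them until those ports log in again.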




Re: debian compile issues in conjunction with eap

2004-12-16 Thread Alan DeKok
Sven Juergensen <[EMAIL PROTECTED]> wrote:
> after some research i found out that someone fixed this with the
> 
>   --without-rlm_x99_token

  That should be fixed, but the maintainer of the module hasn't been
actively involved in the project for a while.

> it compiles but gives me a segfault once radiusd -X
> is invoked:
> 
> [...]
>   gtc: challenge = "Password: "
>   gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> Segmentation fault
> 
> which doesn't really surprise me, since i believe it's
> because of the --without-rlm_x99_token parameter.

  No.  The modules are completely independent, and don't affect each
other.

  My suggestion would be to use gdb (see doc/bugs), or configure &&
compile the server statically.

  Alan DeKok.




Re: debian compile issues in conjunction with eap

2004-12-16 Thread Sven Juergensen
thanks alan,
here goes the backtrace then:
clt173:/install/freeradius-1.0.1# gdb /usr/local/sbin/radiusd core
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library 
"/lib/libthread_db.so.1".
Core was generated by `/usr/local/sbin/radiusd -X'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/local/lib/libradius-1.0.1.so...done.
Loaded symbols for /usr/local/lib/libradius-1.0.1.so
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libpthread.so.0...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/local/lib/rlm_exec-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_exec-1.0.1.so
Reading symbols from /usr/local/lib/rlm_expr-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_expr-1.0.1.so
Reading symbols from /usr/local/lib/rlm_pap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_pap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_chap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_chap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_mschap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_mschap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_unix-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_unix-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_md5-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_leap-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_leap-1.0.1.so
Reading symbols from /usr/local/lib/rlm_eap_gtc-1.0.1.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_gtc-1.0.1.so
#0  0x400600df in lt_dlsym (handle=0x8152ac8, symbol=0xbfffe8f0 "rlm_eap_tls")
at ltdl.c:3330
3330  lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)
(gdb) bt
#0  0x400600df in lt_dlsym (handle=0x8152ac8, symbol=0xbfffe8f0 "rlm_eap_tls")
at ltdl.c:3330
#1  0x402325d7 in eaptype_load (type=0xb, eap_type=11, cs=0xb) at eap.c:114
#2  0x40231b2a in eap_instantiate (cs=0x80a80b0, instance=0xb) at rlm_eap.c:134
#3  0x08055a83 in find_module_instance (instname=0x80ac0d8 "eap")
at modules.c:358
#4  0x08056f6d in do_compile_modsingle (component=0, ci=0x80ac0b8,
filename=0x8062720 "radiusd.conf", grouptype=0, modname=0xbfffeb68)
at modcall.c:814
#5  0x080570f2 in compile_modsingle (component=0, ci=0xb,
filename=0xb , modname=0xb) at modcall.c:829
#6  0x08055f8d in load_component_section (cs=0x80abec0, comp=0,
filename=0x8062720 "radiusd.conf") at modules.c:584
#7  0x08056364 in setup_modules () at modules.c:874
#8  0x0804cf1d in main (argc=2, argv=0xbd84) at radiusd.c:965
(gdb)
any idea?
cheers,
sven

Alan DeKok wrote:
Sven Juergensen <[EMAIL PROTECTED]> wrote:
after some research i found out that someone fixed this with the
 --without-rlm_x99_token

  That should be fixed, but the maintainer of the module hasn't been
actively involved in the project for a while.

it compiles but gives me a segfault once radiusd -X
is invoked:
[...]
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
Segmentation fault
which doesn't really surprise me, since i believe it's
because of the --without-rlm_x99_token parameter.

  No.  The modules are completely independent, and don't affect each
other.
  My suggestion would be to use gdb (see doc/bugs), or configure &&
compile the server statically.
  Alan DeKok.


Re: debian compile issues in conjunction with eap

2004-12-16 Thread Sven Juergensen
and again,
http://bugs.freeradius.org/show_bug.cgi?id=98
configuring with --disable-shared && make halts
at the message of my first email, something with
the rlm_x99_token.
some strace output:
[..]
write(1, " gtc: challenge = \"Password: \"\n", 31 gtc: challenge = "Password: "
) = 31
time(NULL)  = 1103255116
write(1, " gtc: auth_type = \"PAP\"\n", 24 gtc: auth_type = "PAP"
) = 24
time(NULL)  = 1103255116
write(1, "rlm_eap: Loaded and initialized "..., 41rlm_eap: Loaded and initialized type gtc
) = 41
open("/usr/local/lib/rlm_eap_tls.la", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/rlm_eap_tls.la", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/usr/lib/rlm_eap_tls.la", O_RDONLY) = -1 ENOENT (No such file or directory)
open("rlm_eap_tls.la", O_RDONLY)= -1 ENOENT (No such file or directory)
access("/usr/local/lib/rlm_eap_tls.so", R_OK) = -1 ENOENT (No such file or directory)
access("/lib/rlm_eap_tls.so", R_OK) = -1 ENOENT (No such file or directory)
access("/usr/lib/rlm_eap_tls.so", R_OK) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/rlm_eap_tls.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)  = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=8877, ...}) = 0
old_mmap(NULL, 8877, PROT_READ, MAP_PRIVATE, 6, 0) = 0x40241000
close(6)= 0
access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or directory)
open("/lib/tls/rlm_eap_tls.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/rlm_eap_tls.so", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/cmov/rlm_eap_tls.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/rlm_eap_tls.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/rlm_eap_tls.so", O_RDONLY) = -1 ENOENT (No such file or directory)
munmap(0x40241000, 8877)= 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
i'm hardly able to code or make sense of this,
are there any suggestions to what might be
going wrong here? missing libraries?
/usr/local/lib/rlm_eap_tls.la, like the strace
output suggests, isn't there.
thanks again,
sven


Re: discarding duplicate request - but duplicate it is not

2004-12-16 Thread L.C. (Laurentiu C. Badea)
I found that SIGCHLD can be delivered to the parent even while it's still 
blocked. It makes no sense but I am pretty sure that's what's happening. If 
the child finishes fast enough, the parent does the signal handler before 
getting to create the forker entry, so later on it blocks on sem_wait forever.

That's why the problem is easily reproducible with "/bin/true" or any 
non-existent path, but not with "/bin/sleep 0.01" (for example).

I can't reproduce this in a standalone program without threads, so I am 
guessing threads have something to do with this.

Hmm.
--
L.C. (Laurentiu C. Badea)
Alan DeKok wrote:
"L.C. (Laurentiu C. Badea)" <[EMAIL PROTECTED]> wrote:
With Red Hat 9 and the 2.4.20-8 kernel it does the same thing (same
freeradius as before but rebuilt for RH 9 from the src.rpm). So it
seems that a wider range of kernels is affected. Tried on a dual cpu
machine with both smp and up kernels to make sure.
Do you have any pointers as to what this bug is, or what kernel versions 
contain the fix ?

  Search the list archives.  I don't recall much more than that.

I suppose outside of getting a "fixed" kernel, there really isn't
another way to overcome this problem ?

  Run the server in single-threading mode.
  Alan DeKok.
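
The message above describes a child that exits before the parent has recorded it, after which the parent waits on a semaphore that is never posted. The following program is an added example, not FreeRADIUS code and not part of the thread: it shows one arrangement that closes that window by holding a mutex across fork() and the table insert, and by reaping in a dedicated thread instead of a SIGCHLD handler. The names `forker`, `reaper`, `run_and_wait`, `unreaped` and the table size are assumptions made for the illustration.

```c
/* Added illustration, not FreeRADIUS source; every name here is hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_FORKERS 8

struct forker {
    pid_t pid;     /* 0 means the slot is free */
    int   status;  /* raw waitpid() status, filled in by the reaper */
    sem_t done;    /* posted once the child has been reaped */
};

static struct forker   forkers[MAX_FORKERS];
static pthread_mutex_t fork_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_once_t  reaper_once = PTHREAD_ONCE_INIT;
static sem_t           unreaped;  /* children registered but not yet reaped */

/* Dedicated reaper thread: no SIGCHLD handler, so no reliance on signal masks. */
static void *reaper(void *arg)
{
    (void)arg;
    for (;;) {
        int status;
        pid_t pid;
        while (sem_wait(&unreaped) == -1 && errno == EINTR)
            ;
        do {
            pid = waitpid(-1, &status, 0);
        } while (pid == -1 && errno == EINTR);
        if (pid <= 0)
            continue;
        /* Same lock as the fork path, so the table entry already exists. */
        pthread_mutex_lock(&fork_mutex);
        for (int i = 0; i < MAX_FORKERS; i++)
            if (forkers[i].pid == pid) {
                forkers[i].status = status;
                sem_post(&forkers[i].done);
            }
        pthread_mutex_unlock(&fork_mutex);
    }
    return NULL;
}

static void start_reaper(void)
{
    pthread_t tid;
    sem_init(&unreaped, 0, 0);
    for (int i = 0; i < MAX_FORKERS; i++)
        sem_init(&forkers[i].done, 0, 0);
    pthread_create(&tid, NULL, reaper, NULL);
    pthread_detach(tid);
}

/* Fork a child that exits at once with exit_code (the "/bin/true" case);
 * returns the exit code the parent observed, or -1 on failure. */
int run_and_wait(int exit_code)
{
    struct forker *f = NULL;
    pid_t pid;
    int status;

    pthread_once(&reaper_once, start_reaper);
    pthread_mutex_lock(&fork_mutex);
    for (int i = 0; i < MAX_FORKERS && f == NULL; i++)
        if (forkers[i].pid == 0)
            f = &forkers[i];
    pid = f ? fork() : -1;
    if (pid == 0)
        _exit(exit_code);
    if (pid < 0) {                          /* no free slot, or fork failed */
        pthread_mutex_unlock(&fork_mutex);  /* release on the error path too */
        return -1;
    }
    f->pid = pid;                           /* register BEFORE dropping the lock */
    pthread_mutex_unlock(&fork_mutex);
    sem_post(&unreaped);
    while (sem_wait(&f->done) == -1 && errno == EINTR)
        ;
    pthread_mutex_lock(&fork_mutex);
    status = f->status;
    f->pid = 0;                             /* free the slot */
    pthread_mutex_unlock(&fork_mutex);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("exit code seen by parent: %d\n", run_and_wait(7));
    return 0;
}
```

On toolchains where the thread library is separate from libc, build with `-pthread`.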


NT_KEY not fed back to FR

2004-12-16 Thread Chris Huang
It seems there has been no response to the question that I posted about “mschapv2 not Working”. But I've made some progress myself and got another problem.
The winbind and ntlm problem is solved. When I copy the ntlm_auth statement to the command line, it successfully returns an NT_KEY.
According to the winbindd.log, the authentication was (NT_STATUS_OK).
Unfortunately, the NT_KEY is not fed back to FR.
Would someone give me a hand by checking the following log:
Thank you.

Chris Huang

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/radius/radius.log"
 main: log_destination = "files"
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/freeradius/sbin/checkrad"
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = "daemon"
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 proxy: proxy_fail_type = "(null)"
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Expiration
 expiration: reply-message = "Password Has Expired  "
Module: Instantiated expiration (expiration)
Module: Loaded logintime
 logintime: reply-message = "You are calling outside your allowed timespan  "
 logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=CODE1"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = yes
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "prefix"
 realm: delimiter = "\"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded detail
 

Re: Freeradius-Users digest, Vol 1 #4081 - 7 msgs

2004-12-16 Thread ADAM WANNINGER
I'm home sick today.  Please call 608-868-9570 for urgent issues.




Re: Freeradius-Users digest, Vol 1 #4082 - 1 msg

2004-12-16 Thread ADAM WANNINGER
I'm home sick today.  Please call 608-868-9570 for urgent issues.




Re: Execute a script at the end of a session

2004-12-16 Thread Santiago Balaguer García
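The action you proposed is to create a new attribute, for instance, Exec-Program-End, and insert it in the radreply table. For example, if I have these entries in this table:
+-----+----------+-------------------+----+---------------------------------------+
| id  | UserName | Attribute         | op | Value                                 |
+-----+----------+-------------------+----+---------------------------------------+
| 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
| 169 | 11101    | Session-Timeout   | := |                                       |
| 170 | 11101    | Idle-Timeout      | := | 300                                   |
+-----+----------+-------------------+----+---------------------------------------+

The information for this user would be:
+-----+----------+-------------------+----+---------------------------------------+
| id  | UserName | Attribute         | op | Value                                 |
+-----+----------+-------------------+----+---------------------------------------+
| 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
| 169 | 11101    | Session-Timeout   | := |                                       |
| 170 | 11101    | Idle-Timeout      | := | 300                                   |
| 171 | 11101    | Exec-Program-End  | =  | /home/blackbox/finish_script.sh %u %n |
+-----+----------+-------------------+----+---------------------------------------+

I located the accounting section, but I don't know what I must modify. So I attach my radius.conf.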



Subject: Re: Execute a script at the end of a session
Date: Sat, 11 Dec 2004 15:26:18 +1100
On Fri, Dec 10, 2004 at 04:38:05PM +, Santiago Balaguer García wrote:
> I read acct_users and others files, but what I want to do is to add some
> register in the MySQL DB and can execute a different script to each 
user.

Create yourself a new attribute, with the name of the script, create a
new instance of the exec module and call it in the accounting stanza of
radius.conf.
Of course, if the script name is the same as the user name or some other
attribute, you don't need to add a new one. ^_^
Find the "exec echo" instance in radius.conf for an example.
--
Paul "TBBle" Hampson, on an alternate email client.
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.148 2003/06/24 12:54:05 3APA3A Exp $
##
#   The location of other config files and
#   logfiles are declared in this file
#
#   Also general configuration for modules can be done
#   in this file, it is exported through the API to
#   modules that ask for it.
#
#   The configuration variables defined here are of the form ${foo}
#   They are local to this file, and do not change from request to
#   request.
#
#   The per-request variables are of the form %{Attribute-Name}, and
#   are taken from the values of the attribute in the incoming
#   request.  See 'doc/variables.txt' for more information.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log
#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure --disable-shared
#   make
#   make install
#
libdir = ${exec_prefix}/lib:/usr/local/lib:/usr/lib/mysql
libdir = /usr/lib/mysql
#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using

Re: FreeBSD 5.3 compile problem (Re: krb5 errors when compiling on Fedora Core 3)

2004-12-16 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I'm having a similar issue with rlm_krb5 on a FreeBSD 5.3 box.
> 
> I have FreeRADIUS working 100% fine with kerberos etc on a Fedora Core 2 box
> (home compiled too - although I started the experiment with an RPM)

  There are multiple libraries which implement kerberos.  On FreeBSD,
I think you'll have to give an extra option to 'configure':

$ configure --enable-heimdal-krb5

  and it should make the kerberos module use the right kerberos libraries.

  But isn't there a freeradius package on FreeBSD?

  Alan DeKok.



Administration.

2004-12-16 Thread tekchip
Is there an administration application, possibly a web based one that
will do the administration of radius and through radius the back end
user dbase or is the best bet to pick a management application that
connects directly to the back end? For example I'm planning to use
freeradius with mysql. My choices now are ? through freeradius or
something like phpmysql directly to mysql. I was kind of thinking
management through freeradius might be better that way when there's a
major issue with freeradius or the dbase you see it on the management
tool. Eliminates the possibility that a user would call and say 'I
can't log in' and having the tech say, well the database is
working...knowing that radius has gone down when it happens vs. when
a user calls. Not a huge difference but I was thinking it's a small
advantage. Thanks for any help/input you can provide.

=
Brock Hatfield
[EMAIL PROTECTED]



Re: Administration.

2004-12-16 Thread Julius Igugu
Dialup Admin.  

It's bundled with freeradius.

--- tekchip <[EMAIL PROTECTED]> wrote:

> Is there an administration application, possibly a web based one that
> will do the administration of radius and through radius the back end
> user dbase or is the best bet to pick a management application that
> connects directly to the back end? For example I'm planning to use
> freeradius with mysql. My choices now are ? through freeradius or
> something like phpmysql directly to mysql. I was kind of thinking
> management through freeradius might be better that way when there's a
> major issue with freeradius or the dbase you see it on the management
> tool. Eliminates the possibility that a user would call and say 'I
> can't log in' and having the tech say, well the database is
> working...knowing that radius has gone down when it happens vs. when
> a user calls. Not a huge difference but I was thinking it's a small
> advantage. Thanks for any help/input you can provide.
> 
> =
> Brock Hatfield
> [EMAIL PROTECTED]
> 


=
Julius Igugu
SouthWork Co. Ltd.





Re: EAP-TTLS with tunneled PAP Users files

2004-12-16 Thread Carlos Gabriel Drach
Hi, I need help to configure freeradius + asterisk (PBX).
Is there anybody on this list who can help me?
Thank you

Carlos.-


regarding "stale" IP in ippool

2004-12-16 Thread Alfred H. Dahl
>> we have a problem with our IP-POOL.

>> We run pppoe-servers from Mikrotik, and we assign IP to the client 
>> using freeradius 0.9.3.

>> If a Mikrotik pppoe-server stops, or the accounting-stop-packet from 
>> the pppoe-server does not reach the radius-server, the IP-address is 
>> not freed from the ip_pool, meaning we get "stale" sessions in the 
>> IP-Pool.

>Depending on the port-numbers you're getting from the pppoe server, this 
>shouldn't be a problem. If your port numbers are densely populated, 
>and there are less than the entries in your IP pool, stale entries aren't a 
>problem.

what does this mean? If the IP is marked as "active" - will the plugin check to 
see if the session still exist, and if not, free the IP?

what happens when all the IP's are marked as active, and the server receives 
yet another login?

In v. 1.0.1 there is a new value for IP-pools - maximum_timeout - when does 
the "timeout" expire - when we have no session-time-limit in our system?


I do know, that of the 900 or so IP's marked as active in my IPPool, only 600+ 
are actually IN USE. This disturbs me.
I have upgraded to version 1.0.1, but the behaviour is the same.
It seems like the IP's are still not "freed" after a client disconnects.


>> Is there a way to manipulate the "active"-flag in the IP-Pool for a 
>> given IP?  Does the radzap-routine also remove the active entry from 
>> the IP-POOL when the corresponding account is zap'ed?

>rlm_ippool_tool should be able to do it... Be careful though, the file format 
>changed (I think) in the 1.0.0 release. On the other hand, I don't recall when 
>rlm_ippool_tool was integrated into FreeRADIUS...  You may have to glance at 
>the CVS logs for rlm_ipool_tool.c for that sort of detail. ^_^

>radzap _ought_ to clear entries from the ippool, but I never had any luck with 
>it in 0.9.3. Kostas made some large improvements for the 1.0.0 
>release involving some locking issues, and it seems to be working much better 
>here.

I have tried to radzap both a NAS, and a NAS+PORT, but the IP is not marked as 
non-active in the IP-pool.



--
Med vennlig hilsen/Sincerely
Alfred H. Dahl
Hostmaster
Élla Kommunikasjon
Tlf: +47 3860 8575 Fax: +47 3860 8501 


-- 
Paul "TBBle" Hampson, on an alternate email client.




Re: regarding "stale" IP in ippool

2004-12-16 Thread Alan DeKok
"Alfred H. Dahl" <[EMAIL PROTECTED]> wrote:
> I do know, that of the 900 or so IP's marked as active in my IPPool,
> only 600+ are actually IN USE. This disturbs me.
> I have upgraded to version 1.0.1, but the behaviour is the same.
> It seems like the IP's are still not "freed" after a client disconnects.

  The IP's can only be free'd if the NAS tells the server that the
user has disconnected.  If the NAS fails to do this, then FreeRADIUS
won't de-allocate the IP.

> I have tried to radzap both a NAS, and a NAS+PORT, but the IP is not
> marked as non-active in the IP-pool.

  Use the IP in the pool for radzap, not the IP of the NAS.

  Alan DeKok.



debian compile issues in conjunction with eap

2004-12-16 Thread Sven Juergensen
hello people,
tried compiling the 1.0.1 freeradius on a debian woody.
the apt-package won't work, because it's missing the
'--disable-shared' configure parameter. if that one is
omitted i'm getting an error that crashes radiusd -X:
rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
ok so now i downloaded the latest tarball from
www.freeradius.org and tried compiling it with the
 --disable-shared
parameter. so far so good, compiles to the point
where it says:
[...]
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef 
-I../../include -DX99_MODULE_NAME=\"rlm_x99_token\"  -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
In file included from x99_rlm.c:54:
x99.h:26:42: openssl/des.h: No such file or directory
In file included from x99_rlm.c:54:
x99.h:146: error: parse error before "des_cblock"
x99.h:146: warning: no semicolon at end of struct or union
x99.h:147: warning: type defaults to `int' in declaration of `x99_user_info_t'
x99.h:147: warning: data definition has no type or storage class
x99.h:152: error: parse error before "des_cblock"
x99.h:152: warning: function declaration isn't a prototype
x99.h:153: error: parse error before "des_cblock"
x99.h:153: warning: function declaration isn't a prototype
x99.h:165: error: parse error before "des_cblock"
x99.h:165: warning: function declaration isn't a prototype
x99.h:166: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:166: error: parse error before "keyblock"
x99.h:167: warning: function declaration isn't a prototype
x99.h:170: error: parse error before "x99_user_info_t"
x99.h:170: warning: function declaration isn't a prototype
x99.h:180: error: parse error before "des_cblock"
x99.h:180: warning: function declaration isn't a prototype
x99.h:182: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:182: error: parse error before "keyblock"
x99.h:182: warning: function declaration isn't a prototype
x99_rlm.c: In function `x99_token_authorize':
x99_rlm.c:294: error: parse error before "user_info"
x99_rlm.c:331: error: `user_info' undeclared (first use in this function)
x99_rlm.c:331: error: (Each undeclared identifier is reported only once
x99_rlm.c:331: error: for each function it appears in.)
x99_rlm.c: In function `x99_token_authenticate':
x99_rlm.c:460: error: parse error before "user_info"
x99_rlm.c:492: error: `user_info' undeclared (first use in this function)
x99_rlm.c:550: warning: deprecated use of label at end of compound statement
make[6]: *** [x99_rlm.o] Error 1
make[6]: Leaving directory `/install/freeradius-1.0.1/src/modules/rlm_x99_token'
make[5]: *** [common] Error 1
make[5]: Leaving directory `/install/freeradius-1.0.1/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/install/freeradius-1.0.1/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/install/freeradius-1.0.1/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/install/freeradius-1.0.1/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/install/freeradius-1.0.1'
make: *** [all] Error 2

after some research i found out that someone fixed this with the
 --without-rlm_x99_token
parameter. using the mentioned parameters at the ./configure
command, it compiles but gives me a segfault once radiusd -X
is invoked:
[...]
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
Segmentation fault
which doesn't really surprise me, since i believe it's
because of the --without-rlm_x99_token parameter.
what can i do in this situation? running out of options
here ;)
thank you for any hints or pointers.
cheers,
sven



Re: Freeradius-Users digest, Vol 1 #4080 - 11 msgs

2004-12-16 Thread Thor Spruyt
ADAM WANNINGER wrote:
I'm home sick today.  Please call 608-868-9570 for urgent issues.
LOL
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt -
Liesbeth Huysmans) now via www.salesguide.be. Discover the Telenet Hotspot
service at www.telenet.be/hotspots
