Billing

2005-01-04 Thread prabhan
Hello,
In a prepaid kind of application, how do I get the information regarding
the talk time availability?
Is there any attribute which is used to convey to the radius server
from a radius client that a total of 500 minutes of talk time is
available?

When the call is connected for ten minutes, how do we send this
information to the radius server?

Now, since the total talk time is 490 minutes, how can the radius client
get the information from the radius server?

Are there any attributes:
1. To convey to the radius server from the radius client the total talk
time available before making the first call using the calling card?
2. To convey the call connection time?
3. The time available before making the second call?

If there are any attributes for the above mentioned, then are they sent
in accounting or authentication (Access-Request, Access-Accept or
Access-Reject) packets?

Thanks in advance,
Prabha N
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


dynamic vlan affectation and proxyRADIUS

2005-01-04 Thread David ROUMANET
Hi to all and my best wishes!
I'm trying to create a structure with proxy-RADIUS and multiple vlans
on different sites (on an 802.1x WiFi network).
My project is to differentiate a local user (with all rights on the
local network) and a remote user (authenticated by a proxy-RADIUS).
The first will fall in vlan 10, the second in vlan 20 (for example) even
if the groups are the same.
Example: John DOE in the "job_titular" group at Paris shouldn't be
considered as "job_titular" in New York... (of course, vlan 10 in Paris
doesn't match vlan 10 in NY, but vlan 11 and vlan 20 in Paris correspond
to vlan 12 in NY)...

local authentication  : group ==> vlan assignment
remote authentication : group has to be changed to
"remote_job_titular" ==> vlan assignment

I'm a newbie with FreeRADIUS and have ordered the "RADIUS" book (but at
present it is not available because it is being reprinted), so I just need
some help to know if it's possible and which files I should modify...

Thanks to all,
David


Re: Block group of ISDN connection

2005-01-04 Thread Stefan . Neis
Hi,

> 1) users file
> ##
> DEFAULT NAS-Port-Type == "ISDN" ,Connection-Type == UNLIMITED,
> Auth-Type := Reject
>         Reply-Message = "Your account has been disabled."
>
> DEFAULT Auth-Type := LDAP

How many lines do you actually have? I.e., there should be no linebreak
after the "UNLIMITED," in the first line above, but the line should
continue till after the "Reject". Quoting long lines via e-mails always
is dependent on mail clients (and possibly server) involved, but I'll
try anyway. That should be:

DEFAULT   NAS-Port-Type == "ISDN" ,Connection-Type == UNLIMITED, Auth-Type := Reject
          Reply-Message = "Your account has been disabled."

(just two lines).

HTH,
   Stefan





acct_users file is not working

2005-01-04 Thread rashad



Hi people.
I have a radius server installed and working correctly.
Now I want an external program to be executed every time an accounting
stop packet is received, as described in the acct_users file. Here is my
configuration:

file: acct_users
DEFAULT Acct-Status-Type == Stop
        Exec-Program = "/usr/local/sbin/testacct"

where testacct is a shell script for testing (chmod-ed correctly):

file: /usr/local/sbin/testacct
#!/bin/sh
echo "" >> testacct.txt

After restarting the server, when radius receives an accounting stop
packet the file is not executed!
Where may the problem be?


Re: radzap problem

2005-01-04 Thread Luiz Gustavo Anflor Pereira

Hello guys

I would like to know if there is some difference in the source code of
freeradiusd 0.9.1, or in compilation options, between Linux and FreeBSD,
because when I run radzap, compiled from the same code, in Linux it works,
but in FreeBSD it does not.

Thanks very much, Luiz Gustavo





Re: acct_users file is not working

2005-01-04 Thread Thor Spruyt



Try this...

In acct_users:

DEFAULT Acct-Status-Type == Stop
        Exec-Program = "logger received_stop_packet"

Then send an acct stop packet to the server and check your syslog.

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots



subscribe

2005-01-04 Thread Anderson Alves de Albuquerque

subscribe




Re: radzap problem

2005-01-04 Thread Alan DeKok
Oliver Zimmermann <[EMAIL PROTECTED]> wrote:
> >   The only thing radzap needs from the configuration files is the
> > location of the radutmp file, and that can easily be specified on the
> > command line of radzap.
> 
> No, radzap from 0.7 had no directory-parameters:

  Umm... I know that.  It had the directory hard-coded in it.

> And in radzap from 1.0.0 one can specify the general raddb dir:

  Because radzap reads radiusd.conf.

> But that's all not the point. The point is, radzap from 1.0.0 does not work,
> due to some socket related problems when a radiusd is running on the machine
> (as Luiz Gustavo wrote).

  Yes, I know.  The reason there are socket issues is that the "read
radiusd.conf" code is there for radiusd, not for radzap.  radzap
should probably NOT be reading radiusd.conf, for a whole number of
reasons.

> And so did the previous versions I know (except 0.7), which makes me
> wonder whether only a few people really use radzap. But to kill lost
> sessions, radzap is really essential for us, and the problem in the
> C code is documented at the beginning of the thread.

  I understand.  The longer term solution is to fix radzap so it takes
the path to the radutmp file as a parameter, and calls radclient to
send the packets.  That way there's less code, and it doesn't need to
read radiusd.conf.

  Alan DeKok.



Re: Block group of ISDN connection

2005-01-04 Thread Alan DeKok
"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
> /usr/local/etc/raddb/users[41]: Unexpected trailing comma in check item list 
> for entry DEFAULT

  So... did you read "users", to see if line 41 had a trailing comma?

> DEFAULT NAS-Port-Type == "ISDN" ,Connection-Type == UNLIMITED,
> Auth-Type := Reject

  The "Auth-Type" should be on the same line as DEFAULT.

  Please read the "man" page for the "users" file.

  Alan DeKok.
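Stefan's and Alan's point, that the whole check-item list has to sit on one physical line, can be verified mechanically. The block below is an added example (not from the thread or from FreeRADIUS) of a small validator for the users-file entry syntax: it reproduces the "Unexpected trailing comma" diagnosis on the mail-wrapped form and accepts the two-line form Stefan wrote out. The operator list and the wording of the "Expected comma" error are my assumptions.

```python
"""Validator for FreeRADIUS "users"-style files (users, acct_users, hints and
huntgroups share one entry syntax):

    NAME   check-item, check-item, ...   <- every check item on ONE line
           reply-item,                   <- indented lines, comma after each
           reply-item                    <- ... except the last one
"""
import re

# One "Attribute op value" pair; operator list as in the users(5) man page.
PAIR_RE = re.compile(
    r'([A-Za-z0-9_.-]+)\s*(==|:=|!=|=~|!~|\+=|<=|>=|=|<|>)\s*("[^"]*"|[^,\s]+)\s*')


class UsersFileError(ValueError):
    """Wording mirrors the server log line quoted in the thread."""


def _parse_pairs(text, lineno, kind, name):
    """Split a comma-separated item list into (attribute, op, value) tuples."""
    items, rest = [], text.strip()
    while rest:
        m = PAIR_RE.match(rest)
        if not m:
            raise UsersFileError(
                f"[{lineno}]: Parse error in {kind} item list for entry {name}")
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
        rest = rest[m.end():]
        if rest.startswith(","):
            rest = rest[1:].lstrip()
            if not rest:
                # A comma with nothing after it: the rest of the list sits on
                # the next physical line, which the server does not accept.
                raise UsersFileError(f"[{lineno}]: Unexpected trailing comma "
                                     f"in {kind} item list for entry {name}")
        elif rest:
            raise UsersFileError(
                f"[{lineno}]: Expected comma between {kind} items for entry {name}")
    return items


def _finish(entry):
    """Turn a collected entry into (name, check_items, reply_items)."""
    checks = _parse_pairs(entry["checks"], entry["lineno"], "check", entry["name"])
    replies = []
    if entry["replies"]:
        last_lineno = entry["replies"][-1][0]
        joined = " ".join(text for _, text in entry["replies"])
        replies = _parse_pairs(joined, last_lineno, "reply", entry["name"])
    return entry["name"], checks, replies


def parse_users_file(text):
    """A non-indented line starts an entry; indented lines are its reply items."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise UsersFileError(f"[{lineno}]: reply item before any entry")
            current["replies"].append((lineno, raw.strip()))
            continue
        if current is not None:
            entries.append(_finish(current))
        parts = raw.split(None, 1)
        current = {"name": parts[0], "lineno": lineno,
                   "checks": parts[1] if len(parts) > 1 else "", "replies": []}
    if current is not None:
        entries.append(_finish(current))
    return entries


def check(text):
    """Return (ok, message) so a result can be inspected without exceptions."""
    try:
        return True, f"{len(parse_users_file(text))} entries"
    except UsersFileError as exc:
        return False, str(exc)


# Constructed samples: the mail-wrapped form and Stefan's single-line form.
WRAPPED = ('DEFAULT NAS-Port-Type == "ISDN" ,Connection-Type == UNLIMITED,\n'
           'Auth-Type := Reject\n'
           '\tReply-Message = "Your account has been disabled."\n')
CORRECT = ('DEFAULT NAS-Port-Type == "ISDN" ,Connection-Type == UNLIMITED, '
           'Auth-Type := Reject\n'
           '\tReply-Message = "Your account has been disabled."\n\n'
           'DEFAULT Auth-Type := LDAP\n')

if __name__ == "__main__":
    for label, sample in (("wrapped", WRAPPED), ("correct", CORRECT)):
        print(label, *check(sample))   # wrapped -> False, "[1]: Unexpected ..."
```

Running it against a real raddb/users before a restart gives the same line number the server would log, without taking the daemon down first.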





Re: radzap problem

2005-01-04 Thread Alan DeKok
"Luiz Gustavo Anflor Pereira" <[EMAIL PROTECTED]> wrote:

> I would like to know if there is some difference in the source code
> of freeradiusd 0.9.1, or in compilation options, between Linux and
> FreeBSD, because when I run radzap, compiled from the same code, in
> Linux it works, but in FreeBSD it does not.

  No.  It is the same source code.

  Alan DeKok.



acct_users file is not working

2005-01-04 Thread rashad



Sorry, but it is not working in any way.
What configuration directives affect the execution of external programs?


FreeRadius with LDAP

2005-01-04 Thread Anderson Alves de Albuquerque

 Now, I am using FreeRADIUS with LDAP.
 My system GNUGK authenticates against FreeRADIUS, and FreeRADIUS then
looks in the LDAP server. My authentication is okay, but FreeRADIUS needs
to send the ALIAS to GNUGK. This ALIAS is an E.164 telephone number.

 In debug mode in FreeRADIUS with "-X" I see:
- FreeRadius --
rlm_ldap: bind as cn=root,dc=mydomain,dc=com/teste to 146.164.247.236:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with 
filter (&(uid=ufrj4)(objectclass=radiusprofile))
rlm_ldap: Added password teste in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value CHAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding CISCO-AVPair as Service-Type, value 
h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding CISCO-AV-Pair as Service-Type, value 
h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding h323-ivr-out as Service-Type, value 
terminal-alias:ufrj4,025980002; & op=11
rlm_ldap: Adding h323-ivr-in as Service-Type, value 
terminal-alias:ufrj4,025980001; & op=11
rlm_ldap: user ufrj4 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group authtype for request 0
  rlm_chap: login attempt by "ufrj4" with CHAP password
  rlm_chap: Using clear text password teste for user ufrj4 authentication.
  rlm_chap: chap user ufrj4 authenticated succesfully
  modcall[authenticate]: module "chap" returns ok for request 0
modcall: group authtype returns ok for request 0
Sending Access-Accept of id 146 to 146.164.247.235:10061
Finished request 0
Going to the next request
--- end ---
 

 I have another FreeRADIUS that authenticates against an SQL server; in this
FreeRADIUS there is a line with "Sending". After this line radius sends the
string "Cisco-AV-Pair".
- Cisco-AV-Pair ---
Sending Access-Accept of id 23 to 146.164.247.196:10201
Cisco-AVPair = "h323-ivr-in=terminal-alias:mauricio,02598"
---


I don't know how I can tell FreeRADIUS to send this string to GNUGK.


freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-04 Thread john . ctr . gauntt



Hi folks,
This is my second try at this post; the first was too long.  I read
the archives and then attempted to configure freeRadius using PEAP MSCHAP.
After some initial success I am stuck with a Segment Fault (coredump).
I am using a Windows XP 802.1x client, a Cisco 1100 AP and Sun Solaris
ver. 8 for freeRadius 1.0.1.  After configuring the client, the AP and the
radiusd.conf, the client.conf and the users files (not yet the eap.conf
file) I was successful in getting the freeRadius server to authenticate
the client.  Next I attempted to configure the client and the eap.conf
file for PEAP MSCHAP, resulting in the coredump.  Enabling PEAP results in
error messages directing the configuration of TLS.  Enabling TLS results
in the coredump.  I have tried numerous combinations of configuration,
some of these I copied from the archive, with the same result.  The
"radius -X" output, the "gdb bt" output, the eap.conf file, and a slice of
the radiusd.conf file follow this text.  I appreciate any help on this
problem.
Thanks,
John Gauntt

radiusd -X

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = yes
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you
mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = no
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
Segmentation Fault(coredump)


gdb bt

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty"
for
details.
This GDB was configured as "sparc-sun-solaris2.8"...
Core was generated by `radiusd -X'.
Program terminated with signal 9, Killed.
Reading symbols from /usr/lib/libcrypt_i.so.1...done.
Loaded symbols for /usr/lib/libcrypt_i.so.1
Reading symbols from /usr/local/lib/libradius-1.0.1.so...done.
Loaded symbols for /usr/local/lib/libradius-1.0.1.so
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /usr/lib/libdl.so.1...don

Re: freeRadius, PEAP, MSCHAP, Segment Fault(coredump)

2005-01-04 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> This is my second try at this post; the first was too long.  I read the 
> archives and then attempted to
> configure freeRadius using PEAP MSCHAP.  After some initial success I am
> stuck with a Segment Fault(coredump).

  It's another stupid bug in libltdl.  The fix is to do:

$ configure --disable-shared
$ make
$ make install

  Alan DeKok.



Confirmation of LDAP/CHAP and AD

2005-01-04 Thread markcapelle
I have been running FreeRADIUS for over 3 years now and I can say that it
is hands down one of the best pieces of software out there.  I have spent
the last few hours going through the archives, FAQ, etc. and think I know
the answer to this, but would appreciate it if someone can confirm this.

I have FreeRADIUS doing password auth against AD via LDAP.  I have a switch
that allows port based security, but uses CHAP passwords.  From my
understanding, you can do this if the LDAP database has the passwords
stored as clear-text passwords.  You cannot do this with Active Directory
since it does not store the passwords in clear-text.

Am I correct?  Can someone with much more CHAP/LDAP/FreeRADIUS knowledge
than myself confirm this?

Thanks,
Mark Capelle




Huntgroup

2005-01-04 Thread Cris Boisvert
I’m trying to set up our database to have the nas device receive different
attributes based on which device, and group, the user is in…

User bob in group dialup gets the x-ascend filters when he dials into
huntgroup1

And

User joe in group Wireless gets the RB-Context attribute when he connects
through huntgroup2.

The below config doesn’t seem to be working?

Any ideas..

Thanx

Cris

Huntgroup1    NAS-IP-ADDRESS == 1.2.3.4
              Group = Dialup
              Slipstream-Auth = "true",
              X-Ascend-Data-Filter == "ip in forward tcp est",
              X-Ascend-Data-Filter == "ip in forward dstip 1.2.5.4/32",
              X-Ascend-Data-Filter == "ip in drop tcp dstport = 25",
              X-Ascend-Data-Filter == "ip in forward",

Huntgroup2    NAS-IP-ADDRESS == 1.2.3.5
              Group = Wireless
              RB-Context-Name = local,
              Fall-Through = yes,


Re: Huntgroup

2005-01-04 Thread Dustin Doris

> I’m trying to set up our database to have the nas device receive different
> attributes based on which device, and group, the user is in…
>
> User bob in group dialup gets the x-ascend filters when he dials into
> huntgroup1
>
> And
>
> User joe in group Wireless gets the RB-Context attribute when he connects
> through huntgroup2.
>
> The below config doesn’t seem to be working?
>
> Any ideas..
>
> Thanx
>
> Cris
>
> Huntgroup1    NAS-IP-ADDRESS == 1.2.3.4
>               Group = Dialup
>               Slipstream-Auth = "true",
>               X-Ascend-Data-Filter == "ip in forward tcp est",
>               X-Ascend-Data-Filter == "ip in forward dstip 1.2.5.4/32",
>               X-Ascend-Data-Filter == "ip in drop tcp dstport = 25",
>               X-Ascend-Data-Filter == "ip in forward",
>
> Huntgroup2    NAS-IP-ADDRESS == 1.2.3.5
>               Group = Wireless
>               RB-Context-Name = local,
>               Fall-Through = yes,

Please post in plain text.

Anyway, what file is that?  Please post your huntgroups file and users
file and specify which one is which.  It looks to me like you are
combining the two.
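As an added illustration of the point above (not from the thread or from the FreeRADIUS documentation), here are the same entries split into the two files: huntgroups only maps a NAS to a huntgroup name, and the users file matches on Huntgroup-Name together with the group and hands out the reply items. Check items take ==, reply items take =, and only the last reply item goes without a comma; the Group check item and the attribute names are taken from Cris's post as-is, so they still depend on his dictionary.

```text
# huntgroups: one line per huntgroup, check items only, no reply items
huntgroup1    NAS-IP-Address == 1.2.3.4
huntgroup2    NAS-IP-Address == 1.2.3.5

# users: match the huntgroup plus the group, then list the reply items
DEFAULT Huntgroup-Name == "huntgroup1", Group == "Dialup"
        Slipstream-Auth = "true",
        X-Ascend-Data-Filter = "ip in forward tcp est",
        X-Ascend-Data-Filter = "ip in forward dstip 1.2.5.4/32",
        X-Ascend-Data-Filter = "ip in drop tcp dstport = 25",
        X-Ascend-Data-Filter = "ip in forward"

DEFAULT Huntgroup-Name == "huntgroup2", Group == "Wireless"
        RB-Context-Name = "local",
        Fall-Through = Yes
```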



Re: Problems with hints file when i use freeradius-1.0.1

2005-01-04 Thread Michael Schwartzkopff

On Tuesday, 4 January 2005 08:56, Helmut Tröbs wrote:
> Hello,
>
> i want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
> My hints file:
>
> DEFAULT Prefix == "t", Strip-User-Name = No
>  Hint = "TUM"

DEFAULT Prefix = "t", Strip-User-Name = No
 Hint = "TUM"

only with a single "=" after "Prefix"?

Regards,

- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B



RE: Huntgroup

2005-01-04 Thread Cris Boisvert
I apologize about the plain text.
This is what I have in the huntgroup file.

Huntgroup1    NAS-IP-ADDRESS == 1.2.3.4
              Group = Dialup
              Slipstream-Auth = "true",
              X-Ascend-Data-Filter == "ip in forward tcp est",
              X-Ascend-Data-Filter == "ip in forward dstip 1.2.5.4/32",
              X-Ascend-Data-Filter == "ip in drop tcp dstport = 25",
              X-Ascend-Data-Filter == "ip in forward",

Huntgroup2    NAS-IP-ADDRESS == 1.2.3.5
              Group = Wireless
              RB-Context-Name = local,
              Fall-Through = yes,

My users file is empty because I use a MySQL database for the user names.


The database is set up like this


Username    group       password
Joe         Wireless    test
Bob         Dialup      test



Currently the sql group table responds based on the group I put them in..
I want it not to be that way. I want it to respond based on the NAS device
the user connects from..

Currently some users connect through one nas and get the correct attribute
reply (because that’s what the sql table says) but they cannot get on from
another nas device with the same user, so I have to make multiple users for
one person so that when they log in they get the correct attributes.

I have read the docs in the huntgroup file (multiple times) and the users
file but I still don’t have it working.

Thanx





Authorize with LDAP, authenticate with proxy

2005-01-04 Thread Henrik Thorsell \(KI/EAB\)
Does anyone know if it’s possible to do authorization against an LDAP
server and proxy the request to another radius server if the
authorization requirements are fulfilled?

I’d like to use LDAP for authorization and a proxy for authentication.

 

//Hank 
Re: Confirmation of LDAP/CHAP and AD

2005-01-04 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I have FreeRADIUS doing password auth against AD via LDAP.  I have a switch
> that allows port based security, but uses CHAP passwords.  From my
> understanding, you can do this if the LDAP database has the passwords
> stored as clear-text passwords.  You cannot do this with Active Directory
> since it does not store the passwords in clear-text.

  Exactly.

  Alan DeKok.



Re: Authorize with LDAP, authenticate with proxy

2005-01-04 Thread Alan DeKok
"Henrik Thorsell (KI/EAB)" <[EMAIL PROTECTED]> wrote:
> Does anyone know if it's possible to do authorization against an LDAP
> server and proxy the request to another radius server if the
> authorization requirements are fulfilled?

  Yes.

  Alan DeKok.



WAP authentication problem

2005-01-04 Thread Skylar Thompson
I'm having some trouble getting a USR8054 WAP authenticating against a 
FreeRADIUS server. Currently, I'm using MSCHAPv2 against an entry in 
users for simplicity's sake, but I hope to move that to ntlm_auth off 
our NT PDC later. To do the data transfer, I'm using PEAP over TLS. I 
generated certificates with the certs.sh script provided in the source 
package. I copied the cert-srv.pem to the server and cert-clt.pem to the 
client, and root.pem to both.

The problem manifests itself like this. My testing machine is a Linux 
box with open1x.org's Xsupplicant installed and a Cisco Aironet wireless 
card. The card gets an initial connection just fine from the WAP, but 
when I try to authenticate against RADIUS, xsupplicant spits this back 
after curState goes to AUTHENTICATING:

[ALL] Got EAP-Failure!
Failure!
[ALL] (TLS-FUNCS) Cleaning up (possible after a failure)!
[AUTH TYPE] (EAP-TLS) Freeing mytls_vars->ctx!
[ALL] (EAP-PEA) Failed. Resetting
I have the FreeRADIUS server in -X mode, and I see this at that point:
SSL Connection Established
 eaptls_process returned 13
 rlm_eap_peap: EAPTLS_HANDLED
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
I don't see any obvious errors on either client or server up to this 
point. The user is authenticated fine:

rad_recv: Access-Request packet from host 192.168.0.251:1207, id=1, 
length=123
   User-Name = "skylar"
   NAS-IP-Address = 192.168.0.251
   NAS-Port = 0
   Called-Station-Id = "00-c0-49-ee-4a-b2"
   Calling-Station-Id = "00-40-96-44-c4-ec"
   NAS-Identifier = ""
   Framed-MTU = 1380
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0201000b01736b796c6172
   Message-Authenticator = 0x569ec933397b73cc649fe1d15cdf7af1
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "skylar", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: EAP packet type response id 1 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
   users: Matched DEFAULT at 152
   users: Matched skylar at 215
 modcall[authorize]: module "files" returns ok for request 0

The only other possible error I can see on the server side is this:
modcall: entering group authenticate for request 1
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
   TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
 eaptls_process returned 13
 rlm_eap_peap: EAPTLS_HANDLED
 modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
But after some Google'ing, it appears that the TLS error isn't fatal.
Any ideas?
--
-- Skylar Thompson ([EMAIL PROTECTED])
-- http://www.cs.earlham.edu/~skylar/




Re: Block group of ISDN connection

2005-01-04 Thread Rohaizam Abu Bakar
Yes.. it is on one line   NOT different line...
DEFAULT NAS-Port-Type == "Async" ,Jaring-Connection-Type == "ISDN", 
Auth-Type := Reject

--haizam


Re: Block group of ISDN connection

2005-01-04 Thread Rohaizam Abu Bakar
YES... it is on one line until "Reject"... it was just broken up while
pasting...

DEFAULT NAS-Port-Type == "ISDN" ,Connection-Type == "UNLIMITED", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

but it is still giving the same trailing comma problem..
/usr/local/etc/raddb/users[42]: Unexpected trailing comma in check item list
for entry DEFAULT

--haizam


FR/MySQL Auth/CHAP

2005-01-04 Thread tps
I just found out that one of my dialup providers is slowly adding NASs
that only use CHAP. I have FR authing against MySQL with PAP, but now
I have to figure out how to make it auth *either* PAP or CHAP. Is there
a quick pointer that anyone can give me? I've searched the archives,
and googled myself blind, so, if it's there, I'm missing it. I'm hoping
it's as simple as adding another entry for each user to radcheck with
CHAP-Password instead of Crypt-Password...

Tim

-- 
Tim Sailer (at home)                 Coastal Internet, Inc.
Network and Systems Operations       PO Box 726
http://www.buoy.com                  Moriches, NY 11955
[EMAIL PROTECTED]/[EMAIL PROTECTED]  (631)399-2910  (888) 924-3728
