What is use of community and ports fields in nas table?

2005-01-12 Thread Amit Gupta

The nas table is used by FreeRADIUS instead of clients.conf.

 

What is use of community and ports fields in nas table?

 

Amit Gupta

Mobile:
91-9891062552

Yahoo IM: amitguptainn

MSN IM : amitguptainn


Re[3]: Telnet access via Radius

2005-01-12 Thread Costas Christonis
DD> On Wed, 12 Jan 2005, Costas Christonis wrote:

>> GC> Hello,
>>
>> GC> Costas Christonis wrote:
>> >> Hi to all,
>> >> I'm trying to set up telnet access for my users through a RADIUS and LDAP
>> >> server.
>> >> What I did until now is that everyone that has the attribute
>> >> "Service-type" with the value "exec-user" can telnet to my Cisco
>> >> switches and routers at privilege level 5.
>> >> I inserted the attribute "Ciscoavpair" with the value
>> >> "exec:priv-lvl=0" or with the value "exec:privilege-level=0" but
>> >> nothing happens; everyone can telnet to my switches and log on at
>> >> privilege level 5.
>>
>> GC> It's called Cisco-AVPair not CiscoAVPair.
>>
>> >> Can anyone help me?
>> >>
>> >> Best regards
>>
>> GC> Best Regards,
>>
>>
>> Yes that's correct, but in LDAP the attribute is radiusciscovapair anyway,
>> is that right? So I don't think that the problem is that...
>>

DD> do you have ldap.attrmap setup to map Cisco-AVPAir to radiusciscovapair as
DD> a reply item?

DD> What are you actually sending back in your reply?  Radiusd -X will show
DD> you that.

DD> - 
DD> List info/subscribe/unsubscribe? See
DD> http://www.freeradius.org/list/users.html



Hello Dustin and thanks for your response.
What exactly do I have to do with the ldap.attrmap? Is there any doc to read
about it?
Because the only thing that I did is to insert the LDAP attribute in the account
and do some tests.

Thank you

Costas A. Christonis
Networking & Communications Centre
Gallos Campus - University of Crete
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: doing sql query after authentification and before reply

2005-01-12 Thread rashad
>rashad wrote:
>> But where I must do configuration changes for Exec-Program-Wait?
>See doc/README

Thank you very much!
It's exactly what I want.

Best regards,
Rashad Rustamoff




Re: Apache2 and mod_auth_radius-WORKING

2005-01-12 Thread Toby Zimmerer
Got it figured out.  I found a typo in the httpd.conf and noted the README 
states to point your browser to the http://{site}/{directory}/(unknown)

Working with one-time passwords.



Re: 802.1x with no TLS?

2005-01-12 Thread Justin Guidroz
EAP-TTLS is basically the same thing as PEAP.  Server certificate,
client uses username and pass to authenticate.


On Wed, 12 Jan 2005 16:22:33 -0600 (CST), [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> Hi Brandon
> >Is this Mandatory?
> No, it is not
> >I'm just looking for the most basic way of making a username/password
> >required to be able to connect wirelessly to the AP/linux box and gain
> access >to the network.
> In my opinion you should use PEAP
> Take a glance at http://tldp.org/HOWTO/html_single/8021X-HOWTO/
> Using PEAP the client validates with a username/password, while the server
> with a certificate.
> Good luck!
> Victoria malik de Tchara
> 
> 
> 


-- 
Justin Guidroz



Re: radius-1.0.1 die randomly

2005-01-12 Thread Pete Conkin
From: "Roger Peña Escobio" <[EMAIL PROTECTED]>
>it is important that a service never crashes, but it is more important,
>for me at least, that the service can restart smoothly without human
>intervention (by a bash script for example)

  The following bash script might help in the meantime:

#!/bin/bash
# Probe the local server with radtest (UserName/PassWord are placeholders for
# a valid account; "testing123" is the shared secret for localhost).
# RESULT is the number of Access-Accept replies seen: 0 means no valid answer.
RESULT=`/usr/local/bin/radtest UserName PassWord localhost 1 testing123 |
grep -c "Access-Accept"`
if [ "$RESULT" = "0" ]
then
d=`date`
echo "$d" >> /var/log/radtest.log
echo "" >> /var/log/radtest.log
echo "Stopping Radius" >> /var/log/radtest.log
/etc/rc.d/init.d/radiusd stop
sleep 2
# Start once in debug mode; radiusd -X stays in the foreground, hence the &
echo "Starting Radius in Debug Mode" >> /var/log/radtest.log
/usr/local/sbin/radiusd -X &
sleep 8
# Kill the debug instance; grep -v drops the grep process itself from the list
echo "Killing Debug Mode Radius" >> /var/log/radtest.log
kill `ps axf | grep radiusd | grep -v grep | awk '{print $1}'`
sleep 2
echo "Starting Radius" >> /var/log/radtest.log
/etc/rc.d/init.d/radiusd start
echo "" >> /var/log/radtest.log
echo "" >> /var/log/radtest.log
fi

  You will need to change the username/password to a valid account to auth
with.  Might also need to change some other parts to work with your
particular system too.

  Just run it via cron every 15 minutes or so.

  Pete





Re: radius-1.0.1 die randomly

2005-01-12 Thread Roger Peña Escobio
Message quoted from Alan DeKok <[EMAIL PROTECTED]>:

> Roger Peña Escobio <[EMAIL PROTECTED]> wrote:
> > but one of the servers (the secondary) logged this:
> >
> > Mon Jan 10 21:33:09 2005 : Error: Assertion failed in modcall.c, line 68
>
>   That sounds like a serious error.  Can you post a backtrace, from
> gdb?  (see doc/bugs)
>
I will read the docs,
but I can already tell you that I didn't get any core dump. When this error
happens, should radiusd make a core dump?

Now that you point out the importance of the assertion, I checked the old logs
and I found this:

[EMAIL PROTECTED] radius]# zcat /var/log/radius/radius.log.3.gz | grep 
"modcall.c"
Sat Dec  4 15:21:48 2004 : Error: Assertion failed in modcall.c, line 68
Sat Dec  4 15:27:53 2004 : Error: Assertion failed in modcall.c, line 68
Wed Dec 15 12:36:09 2004 : Error: Assertion failed in modcall.c, line 68

Three times. The bad news is that I didn't record the day of the other problems,
but the last time, one server reported this log and not the other, and both went
down.



>   The assertion is there to catch internal problems, so if the
> assertion wasn't there, then the server would still not do the right
> thing.
>
>   Hmm... it sounds like the memory on your computer may be bad.  If
> the server works fine for a month, and then dies, then that code
> worked fine for a month, which means that the code is OK.

It could be the case, but both servers having bad RAM?

The servers are identical:
DL360 G2 with 2 Xeon processors and 3 GB RAM, U320 hard disk

In my previous messages I said that one of the things that both servers have in
common is the MySQL DB for accounting, so MySQL could cause problems for both
RADIUS servers. But the last time, MySQL continued working and another RADIUS
server (a third one, used only for very remote connections) still sent
accounting packets to the MySQL server, so MySQL was alive. This third RADIUS
server runs version 1.0.0 but it has also suffered the same problem.


Maybe I am just pointing out something unimportant, but it is very interesting
that the server starts working as it should only after I start it in debug mode.
It is important that a service never crashes, but it is more important, for me
at least, that the service can restart smoothly without human intervention (by a
bash script, for example).

roger

--
Central node of the Infomed network (http://www.sld.cu)
Linux user: 97152   (http://counter.li.org)
Member of the LinuxCuba coordination group (http://www.linux.cu)

"Whatever you do will be insignificant, but it is very important
 that you do it."
   Gandhi
--


-
This message was sent using the Infomed webmail service
http://webmail.sld.cu



Re: radius-1.0.1 die randomly

2005-01-12 Thread Alan DeKok
Roger Peña Escobio <[EMAIL PROTECTED]> wrote:
> but one of the servers (the secondary) logged this:
> 
> Mon Jan 10 21:33:09 2005 : Error: Assertion failed in modcall.c, line 68

  That sounds like a serious error.  Can you post a backtrace, from
gdb?  (see doc/bugs)

  The assertion is there to catch internal problems, so if the
assertion wasn't there, then the server would still not do the right
thing.

> if this problem happen to both servers at the same time is because
> is related to something common to them

  Probably.

> yes, that is the problem, the sniffer will get a __lot__ of traffic
> because the problem only appear from time to time (like once a
> month) and our radius has a lot of traffic (about 27000 connections
> per day (weekday) )

  Hmm... it sounds like the memory on your computer may be bad.  If
the server works fine for a month, and then dies, then that code
worked fine for a month, which means that the code is OK.

  Alan DeKok.




Re: 802.1x with no TLS?

2005-01-12 Thread vmalik
I have never used EAP-TTLS; I do not know if it is better than PEAP. I
just suggested to you what I know and what worked. Now you have to decide
between them!!

Victoria





Re: Radius with LDAP with error

2005-01-12 Thread Dustin Doris
Was this a copy/paste?  Look below in the radiusd.conf section.  You put
in

identify = "cn=root..."

instead of

identity = "cn=root..."

That would explain why you are trying to login without a username, as
shown in your debug output.

rlm_ldap: bind as /teste to 146.164.xx.236:389

On Wed, 12 Jan 2005, Anderson Alves de Albuquerque wrote:

>
>
> ldapsearch -x -b "dc=br" -h x.y.z.w
>
> But I use RADIUS for authentication. When I use ldapsearch all is okay.
> Look at my LDAP config:
> ---
> include /usr/home/andersonalves/work/radius/core.schema
> include /usr/home/andersonalves/work/radius/gnugk.schema
> loglevel    296
> pidfile     /var/run/slapd.pid
> argsfile    /var/run/slapd.args
> allow       bind_v2
> database    bdb
> suffix      "dc=br"
> rootdn      "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
> rootpw      xxx
> directory   /usr/home/andersonalves/work/radius/db/
> index       objectClass eq
> index       uid eq
> mode        0600
> cachesize   2000
> replogfile  /usr/home/andersonalves/work/radius/log/replog
> -
>
> Look at my RADIUS config in the ldap section:
> --
> ldap {
> server="x.y.z.w"
>   identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"

*** that should be identity, not identify.



>   password=xxx
> basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
> filter="(&(uid=%u)(objectclass=radiusprofile))"
> start_tls = no
> tls_mode = no
> dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
> ldap_cache_timeout = 120
> ldap_cache_size = 0
> ldap_connections_number = 10
> password_attribute = userPassword
> timeout = 3
> timelimit = 5
> net_timeout = 1
> compare_check_items = no
> }
> 
>
>


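An added check for the kind of misspelled key Dustin points out (example code written for this page, not part of FreeRADIUS): it parses the ldap { } section of a radiusd.conf, flags keys that are not in the set of keys used in the quoted configuration, suggests the closest known spelling, and reports the bind DN that would result. The sample configuration is constructed from the one quoted above, typo included.

```python
import re
from difflib import get_close_matches

# Keys of the rlm_ldap section as they appear in the configuration quoted
# in this thread (with "identity" spelled correctly).
LDAP_KEYS = sorted({
    "server", "identity", "password", "basedn", "filter", "start_tls",
    "tls_mode", "dictionary_mapping", "ldap_cache_timeout",
    "ldap_cache_size", "ldap_connections_number", "password_attribute",
    "timeout", "timelimit", "net_timeout", "compare_check_items",
})

# Constructed sample: the poster's ldap { } block, typo included.
SAMPLE_CONF = """
ldap {
    server="x.y.z.w"
    identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
    password=xxx
    basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
    filter="(&(uid=%u)(objectclass=radiusprofile))"
    start_tls = no
    dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
    ldap_cache_size = 0
}
"""


def parse_section(text, name):
    """Return {key: value} for the first flat `name { ... }` block in text."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s*\{(.*?)^\s*\}", text, re.S)
    if not m:
        raise ValueError(f"no {name} section found")
    pairs = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        key, sep, value = line.partition("=")
        if sep:
            pairs[key.strip()] = value.strip().strip('"')
    return pairs


def check_ldap_section(text):
    """Flag unknown keys and show the DN rlm_ldap would bind with."""
    pairs = parse_section(text, "ldap")
    unknown = sorted(k for k in pairs if k not in LDAP_KEYS)
    findings = []
    for key in unknown:
        hint = get_close_matches(key, LDAP_KEYS, n=1)
        findings.append(f"unknown key '{key}'"
                        + (f", did you mean '{hint[0]}'?" if hint else ""))
    bind_dn = pairs.get("identity", "")
    if not bind_dn:
        # The symptom seen in the debug output above ("bind as /teste"):
        # the misspelled key is ignored, so the bind DN is empty.
        findings.append("no 'identity' set: the bind DN will be empty")
    return {"bind_dn": bind_dn, "unknown_keys": unknown, "findings": findings}


if __name__ == "__main__":
    for line in check_ldap_section(SAMPLE_CONF)["findings"]:
        print(line)
    fixed = SAMPLE_CONF.replace("identify=", "identity=")
    print("after fix, bind DN:", check_ldap_section(fixed)["bind_dn"])
```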


Re: Radius with LDAP with error

2005-01-12 Thread Anderson Alves de Albuquerque


ldapsearch -x -b "dc=br" -h x.y.z.w

But I use RADIUS for authentication. When I use ldapsearch all is okay.
Look at my LDAP config:
---
include /usr/home/andersonalves/work/radius/core.schema
include /usr/home/andersonalves/work/radius/gnugk.schema
loglevel    296
pidfile     /var/run/slapd.pid
argsfile    /var/run/slapd.args
allow       bind_v2
database    bdb
suffix      "dc=br"
rootdn      "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
rootpw      xxx
directory   /usr/home/andersonalves/work/radius/db/
index       objectClass eq
index       uid eq
mode        0600
cachesize   2000
replogfile  /usr/home/andersonalves/work/radius/log/replog
-

Look at my RADIUS config in the ldap section:
--
ldap {
server="x.y.z.w"
identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
password=xxx
basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
filter="(&(uid=%u)(objectclass=radiusprofile))"
start_tls = no
tls_mode = no
dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_cache_timeout = 120
ldap_cache_size = 0
ldap_connections_number = 10
password_attribute = userPassword
timeout = 3
timelimit = 5
net_timeout = 1
compare_check_items = no
}




On Wed, 12 Jan 2005, Dustin Doris wrote:

> Can you bind with that username/password using a command line such as
> ldapsearch?
> 
> 
> On Wed, 12 Jan 2005, Anderson Alves de Albuquerque wrote:
> 
> >
> >
> >
> >  I only put "rootpw teste" in my slapd.conf.
> >  I put in slapd.conf 'rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"'
> > and 'suffix "dc=br"'.
> >  After that I used "ldapadd" to create my tree with the whole structure except
> > "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br".
> >  I didn't create "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br".
> >
> >  Is this correct?
> >
> >  Is there another step to config this?
> >
> >  I only made these steps to config my "cn=root".
> >
> >
> > On Wed, 12 Jan 2005, Pete Conkin wrote:
> >
> > > From: "Anderson Alves de Albuquerque" <[EMAIL PROTECTED]>
> > > >
> > > >  My RADIUS does authentication in LDAP, and there is this error:
> > > >
> > > > rlm_ldap: LDAP login failed: check login, password settings in ldap
> > > > section of radiusd.conf
> > > > rlm_ldap: (re)connection attempt failed
> > >
> > >   This part of your log seems to indicate the cause of the problem.
> > >
> > >   Might be best to check the login/password in the ldap section of
> > > radiusd.conf :p
> > >
> > >   Pete
> > >
> > >
> >
> 




dialup admin statistic error

2005-01-12 Thread pojer ok
hi,
first, I'm sorry for my poor English.
I have a problem with the web dialupadmin: when a client connects to the RADIUS server and then I click statistics in the web, I find a syntax error like this:
"database query failed :unknown column c in filed list "
can you help me to resolve my problem?

thanks,
Fauzar

Re: Radius with LDAP with error

2005-01-12 Thread Dustin Doris
Can you bind with that username/password using a command line such as
ldapsearch?


On Wed, 12 Jan 2005, Anderson Alves de Albuquerque wrote:

>
>
>
>  I only put "rootpw teste" in my slapd.conf.
>  I put in slapd.conf 'rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"'
> and 'suffix "dc=br"'.
>  After that I used "ldapadd" to create my tree with the whole structure except
> "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br".
>  I didn't create "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br".
>
>  Is this correct?
>
>  Is there another step to config this?
>
>  I only made these steps to config my "cn=root".
>
>
> On Wed, 12 Jan 2005, Pete Conkin wrote:
>
> > From: "Anderson Alves de Albuquerque" <[EMAIL PROTECTED]>
> > >
> > >  My RADIUS does authentication in LDAP, and there is this error:
> > >
> > > rlm_ldap: LDAP login failed: check login, password settings in ldap
> > > section of radiusd.conf
> > > rlm_ldap: (re)connection attempt failed
> >
> >   This part of your log seems to indicate the cause of the problem.
> >
> >   Might be best to check the login/password in the ldap section of
> > radiusd.conf :p
> >
> >   Pete
> >
> >
>



Re: 802.1x with no TLS?

2005-01-12 Thread vmalik
Hi Brandon
>Is this Mandatory?
No, it is not
>I'm just looking for the most basic way of making a username/password
>required to be able to connect wirelessly to the AP/linux box and gain
access >to the network.
In my opinion you should use PEAP
Take a glance at http://tldp.org/HOWTO/html_single/8021X-HOWTO/
Using PEAP the client validates with a username/password, while the server
with a certificate.
Good luck!
Victoria malik de Tchara






Re: Radius with LDAP with error

2005-01-12 Thread Anderson Alves de Albuquerque



 I only put "rootpw teste" in my slapd.conf.
 I put in slapd.conf 'rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"'
and 'suffix "dc=br"'.
 After that I used "ldapadd" to create my tree with the whole structure except
"cn=root,dc=voip,dc=nce,dc=ufrj,dc=br".
 I didn't create "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br".

 Is this correct?

 Is there another step to config this?

 I only made these steps to config my "cn=root".


On Wed, 12 Jan 2005, Pete Conkin wrote:

> From: "Anderson Alves de Albuquerque" <[EMAIL PROTECTED]>
> >
> >  My RADIUS does authentication in LDAP, and there is this error:
> >
> > rlm_ldap: LDAP login failed: check login, password settings in ldap
> > section of radiusd.conf
> > rlm_ldap: (re)connection attempt failed
> 
>   This part of your log seems to indicate the cause of the problem.
> 
>   Might be best to check the login/password in the ldap section of
> radiusd.conf :p
> 
>   Pete
> 
> 
> 




Re: Configuring EAP User attributes

2005-01-12 Thread Thor Spruyt



Please send plain text mail.

DHCP is based on ARP, so there should be a DHCP
server on the client's LAN (which can be the router for example).
Optionally, that DHCP server can relay the requests
to another DHCP server (which can be on the same machine as your radius
server)

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth
Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots

  - Original Message -
  From: Jacques VUVANT
  To: freeradius-users@lists.freeradius.org
  Sent: Wednesday, January 12, 2005 7:42 PM
  Subject: Re: Configuring EAP User attributes

  Hi

  If it's impossible for machines that use EAP to
  get their IP address via RADIUS, should the DHCP server then run on the same
  machine as the RADIUS server, or is it better to use the router?

  Jacques VUVANT


Re: doing sql query after authentification and before reply

2005-01-12 Thread Thor Spruyt
rashad wrote:
> But where I must do configuration changes for Exec-Program-Wait?
See doc/README
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt -
Liesbeth Huysmans) now via www.salesguide.be Discover the Telenet Hotspot
service at www.telenet.be/hotspots



Re: Configuring EAP User attributes

2005-01-12 Thread Jacques VUVANT



Hi

If it's impossible for machines that use EAP to get
their IP address via RADIUS, should the DHCP server then run on the same machine
as the RADIUS server, or is it better to use the router?

Jacques VUVANT



Re: zero username length using SQL

2005-01-12 Thread Pete Conkin
From: "Ossama Suleiman" <[EMAIL PROTECTED]>
>
> radtest '' '' localhost 1 password
> below u will find the error i mentioned:
>
> rlm_sql (sql): zero length username not permitted
>   modcall[authorize]: module "sql" returns invalid for request 1
>

  FWIW, in the source for 0.9.3, there are comments in the rlm_sql.c that
state:
  "They MUST have a username to do SQL authorization"

  Might be the same case in the version you're running.

  Pete




RE: zero username length using SQL

2005-01-12 Thread Ossama Suleiman








Dear Dustin,

Below you will find the complete output of radtest. The command is as follows:

radtest '' '' localhost 1 password

Below you will find the error I mentioned:

rlm_sql (sql): zero length username not permitted
  modcall[authorize]: module "sql" returns invalid for request 1

This is also the same error I find in radius.log

rad_recv: Access-Request packet from host 127.0.0.1:34720, id=68, length=52
    User-Name = ""
    User-Password = ""
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '/' in User-Name = "", skipping NULL due to config.
    rlm_realm: No '@' in User-Name = "", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
  modcall[authorize]: module "files" returns notfound for request 1
rlm_sql (sql): zero length username not permitted
  modcall[authorize]: module "sql" returns invalid for request 1
modcall: group authorize returns invalid for request 1
Invalid user: [/] (from client localhost port 1)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
Sent: Wednesday, January 12, 2005 6:18 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: zero username length using SQL

Can you post the full debug output when running in radiusd -X?

On Tue, 11 Jan 2005, Ossama Suleiman wrote:

>
> Thanks Dustin,
>
> Yes, the '==' was a typo mistake.. I am sorry for that
>
> Well.. when using the users file only.. that works just fine.. and it only
> gets an accept when the dialing station is correct..
>
> But when doing sql authentication, I get the error: "    Error: rlm_sql
> (sql): zero length username not permitted"
> It doesn't even check if the user will be permitted or not when the username
> field is zero
>
> Thanks :)
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
> Sent: Tuesday, January 11, 2005 6:41 PM
> To: freeradius-users
> Subject: Re: zero username length using SQL
>
>
> > Hi All,
> >
> > I am running freeradius 1.0.1 on RHEL 3, running well, authenticating
> > from MySQL
> >
> > I want to add a section to let users dialling a certain B number in
> > without authentication.. so I added the following to the users file:
> >
> > DEFAULT Auth-Type := Accept, Called-Station-Id = '555'
>
> You need to use == as a check item.
>
> DEFAULT Called-Station-Id == "555", Auth-Type := Accept
>
> Put that at the top of your users file.  Also, is 555 the actual
> called-station-id or is it 555something?  If so, use regex in your match.
>
> DEFAULT Called-Station-Id =~ "^555*", Auth-Type := Accept
>
> If that doesn't work, run radius in debug mode (radiusd -X) and check that
> called-station-id is actually being sent correctly.  If so, paste the
> debug info if it doesn't tell you why its failing.
>
>
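As an added illustration of the check-item matching Dustin describes (example code written for this page, not FreeRADIUS code): a simplified model of users-file first-line matching in which == and =~ check items are evaluated against the request and := items are returned as the attributes the matching entry would set. The entries are constructed from the two quoted above plus a third, fully anchored pattern that is my own addition, and the run shows which Called-Station-Id values each pattern admits, including the fact that `^555*` has no end anchor and its `*` applies only to the last 5.

```python
import re

# Constructed users-file entries: the two from the exchange above plus a
# third, fully anchored pattern added here for comparison.
USERS_FILE = """
DEFAULT Called-Station-Id == "555", Auth-Type := Accept
DEFAULT Called-Station-Id =~ "^555*", Auth-Type := Accept
DEFAULT Called-Station-Id =~ "^555[0-9]+$", Auth-Type := Accept
"""

# Comparison operators handled by this model; := items are treated as
# attributes the entry sets rather than as comparisons.
CHECK_OPS = {
    "==": lambda have, want: have == want,
    "=~": lambda have, want: re.search(want, have) is not None,
}

ITEM_RE = re.compile(r'^([\w-]+)\s*(==|=~|:=)\s*"?([^"]*)"?$')


def parse_users(text):
    """Return a list of (name, check_items, set_items) for each entry line.

    Only the first line of each entry (name + comma-separated items) is
    modelled; values containing commas are not supported here.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        checks, sets = [], []
        for item in rest.split(","):
            m = ITEM_RE.match(item.strip())
            if not m:
                raise ValueError(f"cannot parse item: {item!r}")
            attr, op, value = m.groups()
            (checks if op in CHECK_OPS else sets).append((attr, op, value))
        entries.append((name, checks, sets))
    return entries


def matching_entries(text, request):
    """Indexes of entries whose name and check items all match the request."""
    hits = []
    for i, (name, checks, _) in enumerate(parse_users(text)):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(attr in request and CHECK_OPS[op](request[attr], value)
               for attr, op, value in checks):
            hits.append(i)
    return hits


def accepted_by(called_station_id):
    """Entry indexes that would set Auth-Type := Accept for this number."""
    request = {"User-Name": "anyone", "Called-Station-Id": called_station_id}
    return matching_entries(USERS_FILE, request)


if __name__ == "__main__":
    for number in ("555", "5551234", "55", "551234", "1234"):
        print(f"{number:>8}: matched by entries {accepted_by(number)}")
```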








Re: Radius with LDAP with error

2005-01-12 Thread Anderson Alves de Albuquerque


In LDAP I put:

suffix "dc=br"
rootdn "cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
rootpw teste

In radiusd:
ldap {
    server="146.164.xx.236"
    identify="cn=root,dc=voip,dc=nce,dc=ufrj,dc=br"
    password=teste
    basedn="ou=users,dc=voip,dc=nce,dc=ufrj,dc=br"
    filter="(&(uid=%u)(objectclass=radiusprofile))"
    .
    .
    .
}


On Wed, 12 Jan 2005, Pete Conkin wrote:

> From: "Anderson Alves de Albuquerque" <[EMAIL PROTECTED]>
> >
> >  My RADIUS does authentication in LDAP, and there is this error:
> >
> > rlm_ldap: LDAP login failed: check login, password settings in ldap
> > section of radiusd.conf
> > rlm_ldap: (re)connection attempt failed
> 
>   This part of your log seems to indicate the cause of the problem.
> 
>   Might be best to check the login/password in the ldap section of
> radiusd.conf :p
> 
>   Pete
> 
> 
> 




Re: Radius with LDAP with error

2005-01-12 Thread Pete Conkin
From: "Anderson Alves de Albuquerque" <[EMAIL PROTECTED]>
>
>  My RADIUS does authentication in LDAP, and there is this error:
>
> rlm_ldap: LDAP login failed: check login, password settings in ldap
> section of radiusd.conf
> rlm_ldap: (re)connection attempt failed

  This part of your log seems to indicate the cause of the problem.

  Might be best to check the login/password in the ldap section of
radiusd.conf :p

  Pete




Re: can not connect to mysql server

2005-01-12 Thread Richard Siddall
[EMAIL PROTECTED] wrote:
> Hi, I have a problem with freeradius and mysql.
> Some weeks ago I turned off the server where freeradius is
> running for electrical reasons. The problem is that when I turn on
> the server, radiusd starts but it can not connect
> to the mysql server. That is not the first time; on other
> occasions I have solved the problem by running freeradius in
> debugger mode (radiusd -x) for a few seconds and after that
> (service radiusd start) and everything works ok.
> What's the problem? Is it a bug, or another problem?
It sounds like on reboot your computer is trying to start FreeRADIUS 
before MySQL.  Take a look at the order in which services are started. 
You may want to start FreeRADIUS later in the boot process so that MySQL 
is already running when FreeRADIUS tries to open the database connections.

(It looks like the default boot priority provided to chkconfig for MySQL 
is 90 and for FreeRADIUS is 88.)

Regards,
Richard.


Radius with LDAP with error

2005-01-12 Thread Anderson Alves de Albuquerque


 My RADIUS does authentication in LDAP, and there is this error:

rad_recv: Access-Request packet from host 146.164.xx.235:10808, id=117, 
length=122
User-Name = "aaa"
CHAP-Password = 0x6c662e7faba88fc9791bbf10558405bc0d
NAS-IP-Address = 146.164.xx.235
NAS-Identifier = "UFRJGK"
NAS-Port-Type = Virtual
Service-Type = Login-User
CHAP-Challenge = 0x41e563f5
Framed-IP-Address = 146.164.xx.198
Cisco-AVPair = "h323-ivr-out=terminal-alias:aaa;"
rlm_ldap: - authorize
rlm_ldap: performing user authorization for aaa
ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to 146.164.xx.236:389, authentication 0
rlm_ldap: bind as /teste to 146.164.xx.236:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check login, password settings in ldap 
section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
rad_recv: Access-Request packet from host 146.164.xx.235:10808, id=117, 
length=122
Dropping packet from client localhost:10808 - ID: 117 due to dead request 
16


802.1x with no TLS?

2005-01-12 Thread Brandon Beattie
Greetings,


I'm trying to setup a very basic radius system that authenticates over
wireless (802.1x).  Everything I have read so far talks about using TLS
and such for authentication.  Is this Mandatory?  My goal is to require
authentication to a linux box with a wireless card (hostap) via 802.1x
just to start, then I'll make it more complex later.  I'm just looking
for the most basic way of making a username/password required to be able
to connect wirelessly to the AP/linux box and gain access to the
network.


Thanks,


--Brandon



freeradius + mysql

2005-01-12 Thread Lucaci Levente
Hello
I'm using FreeRADIUS Version 1.0.1 + mysql  Ver 12.22 Distrib 4.0.22, 
for portbld-freebsd5.3 (i386) on a FreeBSD 5.3-RELEASE.
Everything set-up for pppoe + radius + mysql + dialup admin on a single 
pc (the internet gateway of my local network)

My radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 65536
bind_address = 127.0.0.1
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = yes
nospace_pass = yes
checkrad = ${sbindir}/checkrad
security {
   max_attributes = 200
   reject_delay = 5
   status_server = no
}
$INCLUDE  ${confdir}/clients.conf
snmp= no
thread pool {
   start_servers = 3
   max_servers = 32
   min_spare_servers = 1
   max_spare_servers = 10
   max_requests_per_server = 0
}
modules {
   pap {
   encryption_scheme = clear
   }
   chap {
   authtype = CHAP
   }
$INCLUDE ${confdir}/eap.conf
   mschap {
   authtype = MS-CHAP
   use_mppe = no
   }
   detail {
   detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
   detailperm = 0600
   }

   acct_unique {
   key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
   }
   $INCLUDE  ${confdir}/sql.conf
   radutmp {
   filename = ${logdir}/radutmp
   username = %{User-Name}
   case_sensitive = no
   check_with_nas = yes
   perm = 0600
   callerid = "yes"
   }
   radutmp sradutmp {
   filename = ${logdir}/sradutmp
   perm = 0644
   callerid = "no"
   }
   counter daily {
   filename = ${raddbdir}/db.daily
   key = User-Name
   count-attribute = Acct-Session-Time
   reset = daily
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
   allowed-servicetype = Framed-User
   cache-size = 5000
   }
   always fail {
   rcode = fail
   }
   always reject {
   rcode = reject
   }
   always ok {
   rcode = ok
   simulcount = 0
   mpp = no
   }
   exec {
   wait = yes
   input_pairs = request
   }
   exec echo {
   wait = yes
   program = "/bin/echo %{User-Name}"
   input_pairs = request
   output_pairs = reply
   }
}
instantiate {
   }
authorize {
   sql
   chap
   mschap
}
authenticate {
   Auth-Type CHAP {
   chap
   }
   Auth-Type MS-CHAP {
   mschap
   }
}

preacct {
   acct_unique
}
accounting {
   sql
}
session {
   sql
}
post-auth {
   sql
   }
My SQL Database contains clear text password.
When I try to connect from localhost
gw# radtest levente myp455 localhost 0 cwnscr
Sending Access-Request of id 203 to 127.0.0.1:1812
   User-Name = "levente"
   User-Password = "myp455"
   NAS-IP-Address = gw.cwn.ro
   NAS-Port = 0
Re-sending Access-Request of id 203 to 127.0.0.1:1812
   User-Name = "levente"
   User-Password = "+\247\021\230\234\302L\221`\020_vH\n\211\377"
   NAS-IP-Address = gw.cwn.ro
   NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=203, length=20
gw#
and the radiusd -X result
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:61964, id=203, length=59
   User-Name = "levente"
   User-Password = "myp455"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
radius_xlat:  'levente'
rlm_sql (sql): sql_set_user escaped user --> 'levente'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'levente' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'levente' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'levente' AND 
usergroup.GroupN

Re: Apache and mod_auth_radius

2005-01-12 Thread Toby Zimmerer
Ok, I found an old article referring to this problem
http://lists.freeradius.org/archives/freeradius-users/2004/11/msg00096.html
Now I have a different issue.  I am getting "couldn't check access. No group 
file" in the HTTPD logs


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius-1.0.1 die randomly

2005-01-12 Thread Roger Peña Escobio
Message quoted from Dustin Doris <[EMAIL PROTECTED]>:

> >
> > hello folks
> >
> > we have been using freeradius since 0.8.x and since 0.9.x we started to use the
> > rlm_sql (mysql) module to store the accounting, now we also use the
> > mysql db to store the users so the auth and autz also use the rlm_sql
> > module
> >
> > we had problems since the beginning with that module, miscellaneous
> > problems, but when we switched to version 1.0.0 everything started to work
> > better, good improvement and nice work
> >
> > so, what is the problem that we are having? well, we are trying to
> > identify it, it is not easy because it has only happened 4 times since
> > september (when we started using 1.0.1), very random, yesterday night was
> > the last time.
> >
> > the radius server just stops responding and dies, without any abnormal log,
> > the process ends, if you start it, it starts and logs as usual but our
> > users can't connect, it doesn't matter how many times you try to restart
> > the service, it never gives service, but if you start it in debug mode
> > ( -X ) --to see if anything goes wrong-- and then restart it as usual
> > (without debug because you didn't see anything abnormal in debug mode)
> > everything starts to function as it is supposed to and our users start to
> > connect.
> >
> > my guess is that it is something related to rlm_sql but it is just
> > a guess.
> >
> > the radius server is a little busy, we have 3 Cisco AS ( 2 AS5400 and 1
> > AS5300) that make 720 lines of which between 500 and 600 are in use
> > all the time
> >
> > as i said before, yesterday night our two servers died around the same
> > time, very strange
> >
> > the environment is:
> > OS: WhiteBox3 (RHEL3 clone) with all the updates
> > freeradius rebuilt from the last SRPM provided by RH (1.0.1-1) (we need
> > experimental modules: sqlcounter)
> >
> > has anybody had this experience?
> >
> > thanks very much
> > roger
> > PD: i apologise for my bad english
> >
> >
>
> The fact that you say the two servers died around the same time is an
> interesting fact.  I would set up a packet sniffer on those machines and
> capture the radius traffic going to the box and hope to capture the
> traffic that is hitting the machine during the next time it goes down.  Of
> course this may not help, but it might be worth giving it a shot.
>
>

yes, it is
but one of the servers (the secondary) logged this:

Mon Jan 10 21:33:09 2005 : Error: Assertion failed in modcall.c, line 68

it was the last log
the first radius server didn't log anything abnormal.
probably this doesn't mean anything, but maybe it does :-) (there is always hope
:-) )

if this problem happens to both servers at the same time it is because it is related
to something common to them

those servers have two things in common.

1- the clients
2- the accounting db (mysql)

the mysqld didn't go down, it was just the radiusd server

the last time was exceptional because we had changed the design of the dialup
connection. in the other times that we had the problem each radius server had its
own db (we synchronised the dbs by our own method, but that proved to be weak), so
we changed to a setup where we have a master/principal radius with the master mysql
db and a secondary radius server with a slave mysql db, but with the secondary FR
server connecting to the master mysql server just for accounting (the auth and
autz go to the slave mysql db).

it is very interesting that when this happened (the last time that the radiusd went
down), if i tried to restart it everything looked fine, but only one AS could
provide connectivity to the remote users; the other two AS couldn't do it, but i
had events from those two AS in the radius.log file.
as usual, when i started the radius with the -X command line option everything
looked fine; after that action (start radiusd -X) i went to start radiusd as usual
and after that our AS, all of them, started providing connectivity

on the previous occasions with the problem (the first 3 of them) the radius just
couldn't connect to the mysql server; again, starting radius as radiusd -X solved
the situation

all the times, it looks like the -X cleans some environment, very weird to me

> As this packet capture may get huge, you will probably want to stop it and
> start over every day if your servers don't go down.  The easiest way would
> be a tcpdump outputting to a file and then use ethereal to analyze it.
>
yes, that is the problem, the sniffer will get a __lot__ of traffic
because the problem only appears from time to time (like once a month) and our
radius has a lot of traffic (about 27000 connections per day (weekday) )

i know i need to do more troubleshooting but it is difficult because i don't have a
clue about what the cause is

thanks anyway for your reply

roger

--
Central node of the Infomed network (http://www.sld.cu)
Linux user: 97152   (http://counter.li.org)
Member of the group d

Re: can not connect to mysql server

2005-01-12 Thread Dustin Doris
What's radiusd -X show?

On Wed, 12 Jan 2005 [EMAIL PROTECTED] wrote:

> Hi, I'm having a problem with freeradius and mysql.
> Some weeks ago I turned off the server where freeradius is
> running for electrical reasons. The problem is that when I turn on
> the server, radiusd starts but it can not connect
> to the mysql server. That is not the first time, on other
> occasions I have solved the problem by running freeradius in
> debugger mode (radiusd -x) for a few seconds and after that
> (service radiusd start) and everything works ok.
> What's the problem? Is it a bug, or another problem?
>
> -
> This message was sent using the Infomed webmail service
> http://webmail.sld.cu
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


can not connect to mysql server

2005-01-12 Thread alexander
Hi, I'm having a problem with freeradius and mysql.
Some weeks ago I turned off the server where freeradius is
running for electrical reasons. The problem is that when I turn on
the server, radiusd starts but it can not connect
to the mysql server. That is not the first time, on other
occasions I have solved the problem by running freeradius in
debugger mode (radiusd -x) for a few seconds and after that
(service radiusd start) and everything works ok.
What's the problem? Is it a bug, or another problem?

-
This message was sent using the Infomed webmail service
http://webmail.sld.cu

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: zero username length using SQL

2005-01-12 Thread Dustin Doris
Can you post the full debug output when running in radiusd -X?

On Tue, 11 Jan 2005, Ossama Suleiman wrote:

>
>
> Thanks Dustin,
>
> Yes, the '==' was a typo mistake.. I am sorry for that
>
> Well.. when using the users file only.. that works just fine.. and it only
> gets an accept, when the dialing station is correct..
>
> But when doing sql authentication, I get the error: "Error: rlm_sql
> (sql): zero length username not permitted"
> It doesn't even check if the user will be permitted or not when the username
> field is zero
>
> Thanks :)
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dustin
> Doris
> Sent: Tuesday, January 11, 2005 6:41 PM
> To: freeradius-users
> Subject: Re: zero username length using SQL
>
>
> > Hi All,
> >
> > i am running freeradius 1.0.1 on RHEL 3, running well, authenticating
> > from MySQL
> >
> > i want to add a section to let users dialling a certain B number in
> > without authentication.. so i added the following to the users file:
> >
> > DEFAULT Auth-Type := Accept, Called-Station-Id = '555'
>
> You need to use == as a check item.
>
> DEFAULT Called-Station-Id == "555", Auth-Type := Accept
>
> Put that at the top of your users file.  Also, is 555 the actual
> called-station-id or is it 555something?  If so, use regex in your match.
>
> DEFAULT Called-Station-Id =~ "^555*", Auth-Type := Accept
>
> If that doesn't work, run radius in debug mode (radiusd -X) and check that
> called-station-id is actually being sent correctly.  If so, paste the
> debug info if it doesn't tell you why it's failing.
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring EAP User attributes

2005-01-12 Thread Alan DeKok
"Jacques VUVANT" <[EMAIL PROTECTED]> wrote:
> I have configured freeradius to allow EAP-TLS authentication, and would
> like now to configure EAP User with IPpool

  It's impossible.  Machines using EAP get their IP address via DHCP,
not RADIUS.

  You need a DHCP server.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: conflicts between freeradius versions

2005-01-12 Thread Alan DeKok
Hennie Vaatstra <[EMAIL PROTECTED]> wrote:
> Authenticating against the freeradiusserver works only
> with radiusclients on 64bit systems (on the same
> server  or other 64 bit zlinux images we're running).
> Using a 31 bit zlinux image as radclient or NTRadPing
> on a Win2000 laptop doesn't work - the password gets
> trashed,

  It sounds like the version of FreeRADIUS you're running isn't 64-bit
clean.  Try using 1.0.1.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: accounting packet forwarding

2005-01-12 Thread Dustin Doris

> Hello!
>
> > > In my understanding this is not the case, all Accounting packets are
> > > treated on our server and I'd have to set up an instance of radrelay for
> > > every realm. If I am right, this would be somewhat inconvenient as I
> > > would have to duplicate a lot information that usually should be
> > > contained only in proxy.conf. Plus, having many instances of radrelay
> > > doesn't sound very clean to me.
> >
> > That's unusual, how do you have the proxy setup?  What does radiusd -X
> > show?
>
> Alright, forget it. We don't have accounting turned on yet and I was just
> wondering what _might_ happen. And in the "proxy" file in doc/ the wording
> seemed to imply that only authN is proxied, and that "All accounting data for
> proxied requests does NOT get stored in the  standard logfiles, but in a
> seperate directory."
> Of course I could have had a sharp look at "accthost", but, well, I am not
> perfect :-)
>

That just means that it doesn't store it in the same place as it normally
would for detail files.  It will proxy your accounting data over and store
it locally.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: Obtain IP Address from AD/LDAP

2005-01-12 Thread Dustin Doris
You could use an external script in post-auth to convert this value for
you.  Here is one in php; note you'd need php cli installed on your
radius server, but you could just as easily use perl if you have it.

in modules section

exec getip {
wait = yes
program = "/usr/local/etc/raddb/test/getip.php"
input_pairs = reply
output_pairs = reply
packet_type = Access-Accept
}

in post-auth section add the getip module
 post-auth {
   getip
 }

Then your script.

#!/usr/local/bin/php


The script will take the Framed-IP-Address environment variable that is
passed to it and, if it doesn't match an IP format, it will convert it to
an IP address.  If it does match an IP format, it will do nothing.

This is just a quick hack, it could probably be written differently.  Perl
has a similar function to convert that, I think it's called inet_aton or
ntoa or something.



On Wed, 12 Jan 2005 [EMAIL PROTECTED] wrote:

> well, i got this:
> freeradius -X
>
> Sending Access-Accept of id 252 to 10.72.33.93:32768
> Framed-IP-Address = -1407490193
>
> and the radtest gets a Framed-IP-Address = 255.255.255.255
>
> i recorded with tcpdump that the freeradius sends this:
>
> Access Accept (2), id: 0xff, Authenticator: 
> 17a1e40da579e4dbbde5cf54d0987873
>   Framed IP Address Attribute (8), length: 6, Value: User Selected
> 0x:   
> every time there is a negative value it is sent as .
>
> so i guess that this is OS specific :-( i use freeradius1.1.0-pre0 on
> intel/debian sarge
>
> I think the best way is to open a feature request that freeradius converts
> signed integers to unsigned integers.
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
> > Sent: Tuesday, 11 January 2005 18:19
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: AW: Obtain IP Address from AD/LDAP
> >
> >
> > I think it should be OK.  I just did a basic test with
> > radclient.  Here is what radiusd -X showed me.
> >
> > Sending Access-Accept of id 52 to 127.0.0.1:2673
> > Framed-IP-Address = -1407490193
> >
> > Here is what radclient showed me.
> >
> > Received response ID 52, code 2, length = 26
> > Framed-IP-Address = 172.27.103.111
> >
> > What does radiusd -X show you?
> >
> >
> >
> > On Tue, 11 Jan 2005 [EMAIL PROTECTED] wrote:
> >
> > > Next Problem,
> > >
> > > MS AD saves the IP address as signed INT32 so I didn't get an IP
> > > address back; any ideas how I can convert such a thing? As an
> > > example:
> > > 172.27.103.111 is saved as -1407490193
> > >
> > > Markus
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
> > > > Sent: Monday, 10 January 2005 15:08
> > > > To: freeradius-users@lists.freeradius.org
> > > > Subject: Re: Obtain IP Address from AD/LDAP
> > > >
> > > >
> > > >
> > > > > Hello and Happy new Year,
> > > > >
> > > > > here is my prob, hope someone can help me.
> > > > > I use freeradius to authenticate users against MS Active
> > > > > Directory. Most of my users obtain their IPs from ippool within
> > > > > radius, but some should obtain their address from AD. How do I get the
> > > > > address out of AD and assign it to my user?
> > > > >
> > > > > Regards
> > > > >
> > > > > Markus
> > > > >
> > > >
> > > > Find the ldap attribute in AD with their IP address and netmask.
> > > > Let's say it's msipaddr and msipmask.  Edit ldap.attrmap and point the
> > > > correct radius attributes to the correct AD ldap attributes.
> > > >
> > > > eg
> > > >
> > > > replyItem   Framed-IP-Address   msipaddr
> > > > replyItem   Framed-IP-Netmask   msipmask
> > > >
> > > > In your ippool configuration, make sure you have the following
> > > >
> > > > override = no
> > > >
> > > > Restart radius.
> > > >
> > > > Now when the user is authorized it will search for reply items.  It
> > > > will look for msipaddr and msipmask and make those values the
> > > > framed-ip-address and framed-ip-netmask.  The override = no will
> > > > tell rlm_ippool not to override those values.  So, if those are
> > > > already set, then rlm_ippool won't give that user an IP.
> > > >
> > > > -Dusty Doris
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
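The conversion the post above describes, as an added example: this is not the poster's PHP script (which did not survive in the archive) and not FreeRADIUS project code. It is a Python version of the same post-auth helper, written for the exec getip module shown above with input_pairs = reply and output_pairs = reply. It assumes Python 3 on the RADIUS server and a script path of your choosing in place of getip.php; the environment variable name FRAMED_IP_ADDRESS follows rlm_exec's convention of upper-casing the attribute name and replacing hyphens with underscores. Beyond the post, it also leaves a value that is neither an IP address nor an integer untouched, so a malformed directory entry never turns into a bogus address in the Access-Accept.

```python
#!/usr/bin/env python3
"""getip.py: rewrite an AD-style signed 32-bit Framed-IP-Address as a dotted quad.

Added example, not the post's PHP script. Meant to be run by rlm_exec
(exec getip { input_pairs = reply; output_pairs = reply }) from post-auth.
"""
import ipaddress
import os
import sys
from typing import Optional

ATTR = "Framed-IP-Address"
# rlm_exec exports each input pair as an environment variable named after the
# attribute, upper-cased and with '-' replaced by '_': FRAMED_IP_ADDRESS.
ENV_NAME = ATTR.upper().replace("-", "_")


def signed32_to_ip(value: int) -> str:
    """Map a signed 32-bit integer, as AD stores it, to dotted-quad notation.

    The thread's value -1407490193 maps to 172.27.103.111.
    """
    if not -(2 ** 31) <= value < 2 ** 31:
        raise ValueError(f"{value} does not fit in a signed 32-bit integer")
    # Masking re-interprets the two's-complement bit pattern as unsigned.
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def convert_attr(raw: Optional[str]) -> Optional[str]:
    """Return the reply pair rlm_exec should add, or None to leave the reply alone.

    raw is the environment value rlm_exec handed us. A value that already
    parses as IPv4 is left as is (the post's "do nothing" case); a signed
    integer becomes 'Framed-IP-Address = a.b.c.d'; anything else is also left
    alone so a malformed value never becomes a bogus address.
    """
    if raw is None:
        return None
    value = raw.strip().strip('"')
    try:
        ipaddress.IPv4Address(value)
        return None  # already dotted quad, nothing to rewrite
    except ValueError:
        pass
    try:
        number = int(value, 10)
    except ValueError:
        return None  # neither an address nor an integer: do not guess
    try:
        return f"{ATTR} = {signed32_to_ip(number)}"
    except ValueError:
        return None  # out of 32-bit range, leave it to the admin to look at


def main() -> int:
    # rlm_exec reads the script's stdout as 'Attribute = value' reply pairs.
    pair = convert_attr(os.environ.get(ENV_NAME))
    if pair is not None:
        print(pair)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because output_pairs = reply merges what the script prints back into the reply list, the module only ever emits the one attribute it changed; when the directory already holds a dotted quad the script prints nothing and the reply goes out unmodified.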


Re: accounting packet forwarding

2005-01-12 Thread Stefan Winter
Hello!

> > In my understanding this is not the case, all Accounting packets are
> > treated on our server and I'd have to set up an instance of radrelay for
> > every realm. If I am right, this would be somewhat inconvenient as I
> > would have to duplicate a lot information that usually should be
> > contained only in proxy.conf. Plus, having many instances of radrelay
> > doesn't sound very clean to me.
>
> That's unusual, how do you have the proxy setup?  What does radiusd -X
> show?

Alright, forget it. We don't have accounting turned on yet and I was just 
wondering what _might_ happen. And in the "proxy" file in doc/ the wording 
seemed to imply that only authN is proxied, and that "All accounting data for 
proxied requests does NOT get stored in the  standard logfiles, but in a 
seperate directory."
Of course I could have had a sharp look at "accthost", but, well, I am not 
perfect :-)

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tel.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP and SQL

2005-01-12 Thread Egoitz Aguirre

Sorry I have posted the problem but not the answer.

In my opinion there are two ways to solve this problem:

1.- Decrease the data length to be written in AcctSessionID
2.- Increase the AcctSessionID field length in the database

In my case I did the second option, increasing this field to 52 chars.
I don't know if it is correct for radius, but it works.



Thanks for that,

Egoitz, what do you advise on that if the sqlcounter does not update the
field?

Thankz

Goksie

Quoting Egoitz Aguirre <[EMAIL PROTECTED]>:

> Hi all
>
> I have discovered why rlm_counter doesn't work properly... I think it's a
> bug but I'm not sure.
> In the radacct table there is a field called AcctSessionId whose length is 32
> chars, in my case the data that was written here was 34 chars long, and the
> name was cut. When radius tried to update this field, it couldn't find the
> row so no update happened and obviously rlm_counter didn't find timing
> information.
>
> so...be careful with lengths :) good luck
>
>




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Can not validate the user EAP-TLS

2005-01-12 Thread vmalik
Hi! I am using freeradius-1.0.1 with EAP-TLS, and I am having problems
validating the user.
I have configured the radius server, generated the certificates with the
script CA.all, imported root.der and cert-clt.p12 to the client
machine (Windows 2000), and when I use the D-Link 510 PCI wireless card, I
establish the connection successfully.
Here is the schema:
wireless card --> authenticator --> authenticator server
The situation changes when I try to do the same with my Ethernet
Card(Intel PRO/100) connected with a D-Link DWL-700AP in bridge mode.
Here is the schema (I do not know if it is possible or not):
Ethernet card --> access point client --> authenticator --> authenticator server

I receive the following message:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
  rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 10
modcall: group authenticate returns invalid for request 10
auth: Failed to validate the user.

I suppose it has something to do with the /raddb/users file, but I don't know
what. Here's my file:

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

I hope someone could help me, thanks!
Victoria Malik de Tchara



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP and SQL

2005-01-12 Thread Dustin Doris
Check out doc/configurable_failover, it will show you how to do that.


On Tue, 11 Jan 2005, Christopher Price wrote:

> Is it possible to check passwords against an SQL database and an LDAP
> database with the same server? If so, how does it work? Does the server
> wait for one method to fail and then try another?
>
> Chris Price
> Information Facilities Technician
> Olivet Nazarene University
> [EMAIL PROTECTED]
> (815)928-5523
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: accounting packet forwarding

2005-01-12 Thread Dustin Doris
> Hello,
>
> I have an authentication setup involving several realms that are proxied using
> freeradius-1.0.1. AuthN works perfectly so far. I just didn't find precise
> information about Accounting packets: are they automatically proxied and
> following the same rules as AuthN packets? I.e. if a user with a realm that
> is proxied for authN is logged in and an Accounting packet is generated for
> him in the NAS, will this Accounting packet be proxied to the same server
> where the user was proxied to for authentication?

The accounting packets will be proxied to wherever you specified in your
proxy.conf file.

e.g.  Look at accthost.  That defines where the accounting packets are
proxied to.

#realm isp2.com {
#   type= radius
#   authhost= radius.isp2.com:1645
#   accthost= radius.isp2.com:1646
#   secret  = TheirKey
#   nostrip
#}



> In my understanding this is not the case, all Accounting packets are treated
> on our server and I'd have to set up an instance of radrelay for every realm.
> If I am right, this would be somewhat inconvenient as I would have to
> duplicate a lot information that usually should be contained only in
> proxy.conf. Plus, having many instances of radrelay doesn't sound very clean
> to me.
>

That's unusual, how do you have the proxy setup?  What does radiusd -X
show?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: Telnet access via Radius

2005-01-12 Thread Dustin Doris
On Wed, 12 Jan 2005, Costas Christonis wrote:

> GC> Hello,
>
> GC> Costas Christonis wrote:
> >> Hi to all,
> >> i'm trying to set the telnet access to my users through radius and ldap 
> >> server.
> >> What i did untill now is that everyone tha has the attribute
> >> "Service-type" with the value "exec-user" can telnet to my cisco
> >> switches and routers in privilege level 5.
> >> I insert the attribute "Ciscoavpair" with the value
> >> "exec:priv-lvl=0" or with the value "exec:privilege-level=0" but
> >> nothing happens, everyone can telnet to my switches and logon
> >> privilege level 5.
>
> GC> It's called Cisco-AVPair not CiscoAVPair.
>
> >> Can anyone help me?
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> Best regards
>
> GC> Best Regards,
>
>
> Yes that's correct but in LDAP the attribut is radiusciscovapair anyway
> is that right? so i don't think tha the problem is that...
>

do you have ldap.attrmap set up to map Cisco-AVPair to radiusciscovapair as
a reply item?

What are you actually sending back in your reply?  Radiusd -X will show
you that.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius-1.0.1 die randomly

2005-01-12 Thread Dustin Doris
>
> hello folks
>
> we have been using freeradius since 0.8.x and since 0.9.x we started to use the
> rlm_sql (mysql) module to store the accounting, now we also use the
> mysql db to store the users so the auth and autz also use the rlm_sql
> module
>
> we had problems since the beginning with that module, miscellaneous
> problems, but when we switched to version 1.0.0 everything started to work
> better, good improvement and nice work
>
> so, what is the problem that we are having? well, we are trying to
> identify it, it is not easy because it has only happened 4 times since
> september (when we started using 1.0.1), very random, yesterday night was
> the last time.
>
> the radius server just stops responding and dies, without any abnormal log,
> the process ends, if you start it, it starts and logs as usual but our
> users can't connect, it doesn't matter how many times you try to restart
> the service, it never gives service, but if you start it in debug mode
> ( -X ) --to see if anything goes wrong-- and then restart it as usual
> (without debug because you didn't see anything abnormal in debug mode)
> everything starts to function as it is supposed to and our users start to
> connect.
>
> my guess is that it is something related to rlm_sql but it is just
> a guess.
>
> the radius server is a little busy, we have 3 Cisco AS ( 2 AS5400 and 1
> AS5300) that make 720 lines of which between 500 and 600 are in use
> all the time
>
> as i said before, yesterday night our two servers died around the same
> time, very strange
>
> the environment is:
> OS: WhiteBox3 (RHEL3 clone) with all the updates
> freeradius rebuilt from the last SRPM provided by RH (1.0.1-1) (we need
> experimental modules: sqlcounter)
>
> has anybody had this experience?
>
> thanks very much
> roger
> PD: i apologise for my bad english
>
>

The fact that you say the two servers died around the same time is an
interesting fact.  I would set up a packet sniffer on those machines and
capture the radius traffic going to the box and hope to capture the
traffic that is hitting the machine during the next time it goes down.  Of
course this may not help, but it might be worth giving it a shot.

As this packet capture may get huge, you will probably want to stop it and
start over every day if your servers don't go down.  The easiest way would
be a tcpdump outputting to a file and then use ethereal to analyze it.

If you can get lucky enough to have it happen again and see the packets
coming in, then you can use radclient to resend those packets to a
development machine that is running in debug mode.  You will get to see if
there is something interesting about the sql queries you are creating with
those radius requests.

I hope that's helpful.  Just a suggestion on troubleshooting.  I've had to
do similar things before, mostly with bind.  Turned out some windows
sourced dns query was taking down our servers.  We would have never
figured that out unless we did the packet capture, as the logs showed
nothing wrong.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Have freeRADIUS working on OS X all but for ...

2005-01-12 Thread Justin Guidroz
Andrea's Wolf wrote a patch that fixes this for OS X.  I have an
installer up at http://home.sw.rr.com/jguidroz/radius.html that
includes an updated patch to work with a December snapshot.  I've been
running that for a month in daemon mode with no problems.  I've
currently updated the patch to work with the January 6th snapshot. 
I'm having a few issues with it right now, but I believe it may be more
my hardware than software since the problem occurs both in debug mode
and daemon mode.  Once I get that straight, I'll post a new installer
package on the site.

Justin


On Wed, 12 Jan 2005 06:59:56 -0600, Schley A Kutz <[EMAIL PROTECTED]> wrote:
> So y'all know, I just downloaded and built the latest snapshot and the
> same semaphore error occurs.
> 
> Ugh ...
> 
> 
> On Wed, 12 Jan 2005 05:18:26 -0600, Schley A Kutz <[EMAIL PROTECTED]> wrote:
> > Running it as a daemon ...
> >
> > Even with the current version there is still the problem of it not
> > running unless you run it in debug mode or use -s and -f.
> >
> > This may be because I compiled it without shared libraries.  However,
> > when I left shared libraries on it would not load rlm_eap.so ... (was
> > not installed anywhere)
> >
> > I would appreciate any help anyone could give me.  I finally got my
> > powerbook to authenticate to it and that wasn't easy.  Had to set up
> > EAP, TLS, TTLS (all using the test certs they give you) and MSCHAPv2.
> >
> > A far cry from simply user name & password attributes! : )
> >
> > --
> > -a
> >
> 
> --
> -a
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Justin Guidroz

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: doing sql query after authentification and before reply

2005-01-12 Thread rashad
> Please send plain text mail.
>
> This can be done with Exec-Program-Wait = "/path/to/your/script" in
> the reply items.
> The script can then output extra attributes which will be added to the
> reply.

Thanks.
But where I must do configuration changes for Exec-Program-Wait? 




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: doing sql query after authentification and before reply

2005-01-12 Thread Thor Spruyt



Please send plain text mail.

This can be done with Exec-Program-Wait = "/path/to/your/script" in the reply items.
The script can then output extra attributes which will be added to the reply.

-- Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now
via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots

  - Original Message -
  From: rashad
  To: freeradius-users@lists.freeradius.org
  Sent: Wednesday, January 12, 2005 11:53 AM
  Subject: doing sql query after authentification and before reply

  I want to run an external program when some user is successfully
  authenticated and do some SQL queries in this program, say to set a new
  value for Session-Timeout in the table radreply. But I want these queries
  to be done before sending the reply packet to the NAS, so the updated
  value of Session-Timeout must be sent to the NAS. How can I implement it?


Re: Have freeRADIUS working on OS X all but for ...

2005-01-12 Thread Schley A Kutz
So y'all know, I just downloaded and built the latest snapshot and the
same semaphore error occurs.

Ugh ...


On Wed, 12 Jan 2005 05:18:26 -0600, Schley A Kutz <[EMAIL PROTECTED]> wrote:
> Running it as a daemon ...
> 
> Even with the current version there is still the problem of it not
> running unless you run it in debug mode or use -s and -f.
> 
> This may be because I compiled it without shared libraries.  However,
> when I left shared libraries on it would not load rlm_eap.so ... (was
> not installed anywhere)
> 
> I would appreciate any help anyone could give me.  I finally got my
> powerbook to authenticate to it and that wasn't easy.  Had to set up
> EAP, TLS, TTLS (all using the test certs they give you) and MSCHAPv2.
> 
> A far cry from simply user name & password attributes! : )
> 
> --
> -a
> 


-- 
-a

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: conflicts between freeradius versions

2005-01-12 Thread Michael Griego
You're running a pretty old version.  Give the latest stable release a try.
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Hennie Vaatstra wrote:
> I'm running a freeradius server (FreeRADIUS Version
> 0.9.3, for host s390x-ibm-linux-gnu, built on Jan 11
> 2005 at 10:34:54) on 64bit SuSE linux (S390).
> The authentication chain we use is as follows:
> radiusclient > radiusserver > LDAP server on z/OS >
> RACF.
> Authenticating against the freeradiusserver works only
> with radiusclients on 64bit systems (on the same
> server or other 64 bit zlinux images we're running).
> Using a 31 bit zlinux image as radclient or NTRadPing
> on a Win2000 laptop doesn't work - the password gets
> trashed, and I receive this message:
> WARNING: Unprintable characters in the password. ?
> Double-check the shared secret on the server and the
> NAS!
>
> Does anybody know what might be wrong?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Have freeRADIUS working on OS X all but for ...

2005-01-12 Thread Schley A Kutz
Running it as a daemon ...

Even with the current version there is still the problem of it not
running unless you run it in debug mode or use -s and -f.

This may be because I compiled it without shared libraries.  However,
when I left shared libraries on it would not load rlm_eap.so ... (was
not installed anywhere)

I would appreciate any help anyone could give me.  I finally got my
powerbook to authenticate to it and that wasn't easy.  Had to set up
EAP, TLS, TTLS (all using the test certs they give you) and MSCHAPv2.

A far cry from simply user name & password attributes! : )

-- 
-a

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


doing sql query after authentification and before reply

2005-01-12 Thread rashad

I want to run an external program when some user is successfully
authenticated and do some SQL queries in this program, say to set a new
value for Session-Timeout in the table radreply. But I want these queries
to be done before the reply packet is sent to the NAS, so the updated value
of Session-Timeout must be sent to the NAS. How can I implement it?
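Thor Spruyt's answer earlier on this page (Exec-Program-Wait in the reply items, with the script printing extra attributes that are merged into the reply) and this question are both served by the following added example. It is not code from the thread or from FreeRADIUS. It assumes the contract FreeRADIUS's exec support documents for its version (check doc/rlm_exec or the users man page for yours): request attributes reach the child as environment variables, upper-cased with dashes turned into underscores (User-Name becomes USER_NAME); every stdout line of the form `Attribute = value` becomes a reply item; exit status 0 means accept. The radreply layout follows the 1.x SQL schema, SQLite stands in for the real backend, and the timeout rule is constructed.

```python
#!/usr/bin/env python3
"""Exec-Program-Wait helper: adjust radreply, then emit reply attributes.

Added example, not from the thread or from FreeRADIUS. Assumed contract
(verify against your FreeRADIUS version's documentation):
  - request attributes arrive as environment variables, upper-cased with
    '-' replaced by '_' (User-Name -> USER_NAME);
  - every stdout line of the form  Attribute = value  becomes a reply item;
  - exit status 0 means "use these attributes", non-zero means reject.
The radreply layout mirrors the 1.x schema (username, attribute, op, value).
"""
import os
import sqlite3
import sys

SCHEMA = """
CREATE TABLE IF NOT EXISTS radreply (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL DEFAULT '=',
    value     TEXT NOT NULL
);
"""


def open_db(path=":memory:"):
    """SQLite stands in for the rlm_sql backend; the real script would open
    the same database FreeRADIUS writes radacct/radreply to."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def recompute_session_timeout(conn, username, base=3600):
    """Constructed policy: accounts ending in '-guest' get half the timeout.
    The result is written into radreply so rlm_sql and this script agree.
    The username comes straight from the NAS and is attacker-controlled:
    bind it as a parameter, never interpolate it into SQL or a shell line."""
    timeout = base // 2 if username.endswith("-guest") else base
    conn.execute(
        "DELETE FROM radreply WHERE username = ? AND attribute = ?",
        (username, "Session-Timeout"),
    )
    conn.execute(
        "INSERT INTO radreply (username, attribute, op, value) VALUES (?, ?, '=', ?)",
        (username, "Session-Timeout", str(timeout)),
    )
    conn.commit()
    return timeout


def reply_lines(conn, username):
    """Render the user's radreply rows as Exec-Program-Wait output. Values
    containing whitespace are double-quoted so the parser keeps them whole."""
    rows = conn.execute(
        "SELECT attribute, op, value FROM radreply WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()
    out = []
    for attribute, op, value in rows:
        if value == "" or any(ch.isspace() for ch in value):
            value = '"' + value.replace('"', '\\"') + '"'
        out.append(f"{attribute} {op} {value}")
    return out


def run(env, conn):
    """Whole script as a function: returns (exit_status, stdout_lines).
    No User-Name means a malformed request; rejecting is the safe default."""
    username = env.get("USER_NAME", "")
    if not username:
        return 1, []
    recompute_session_timeout(conn, username)
    return 0, reply_lines(conn, username)


if __name__ == "__main__":
    # Assumed users-file entry that would invoke this script:
    #   DEFAULT
    #           Exec-Program-Wait = "/usr/local/bin/set_timeout.py"
    db_path = os.environ.get("RADREPLY_DB", ":memory:")  # hypothetical setting
    status, lines = run(dict(os.environ), open_db(db_path))
    sys.stdout.write("".join(line + "\n" for line in lines))
    sys.exit(status)
```

The script runs with radiusd's privileges for every authentication, so keep it short, use parameterised queries only, and treat everything in the environment as untrusted input from the NAS.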


secondary freeradius server if the first fallback is it possible ?

2005-01-12 Thread Nans Delrieu
It's the same thing. The proxy RADIUS server is the backup of the primary,
which is the backup of the secondary (I have 3 backups).

If the proxy RADIUS server is down, everything is down. OK for a test, but...

For example:

I use: radtest testuser password localhost auth secret

This command calls 127.0.0.1, but if the freeradius service is down at
127.0.0.1, nothing works. It's normal that this solution couldn't work.

I would like a solution which allows me to test in real conditions.

Thanks for all




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: rlm_sqlcounter

2005-01-12 Thread Egoitz Aguirre

Hi all

I have discovered why rlm_counter doesn't work properly... I think it's a
bug but I'm not sure.
In the radacct table there is a field called AcctSessionId whose length is 32
chars; in my case the data that was written here was 34 chars long, and the
name was cut. When radius tried to update this field, it couldn't find the
row, so no update happened and obviously rlm_counter didn't find timing
information.

So... be careful with lengths :) good luck


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
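The failure described in this post is easy to reproduce. The following added example (not from the post and not FreeRADIUS code) emulates, in SQLite, what a MySQL server that is not in strict mode does with the 1.x schema's `AcctSessionId VARCHAR(32)`: it silently cuts a longer value on INSERT. The Accounting-Stop update, keyed on the full Acct-Session-Id, UserName and NASIPAddress the way the stock accounting_stop_query is, then matches nothing, and the session stays open so no counter ever sees its duration. It also includes the audit query a practitioner would run against the live table. The user, NAS address and 34-character session id are constructed.

```python
"""Reproduce AcctSessionId truncation and audit for it.

Added example; not from the post or from FreeRADIUS. SQLite enforces no
column width, so MySQL's non-strict truncation is emulated with a slice.
"""
import sqlite3


def create_radacct(conn, width):
    """Only the columns the Start/Stop queries and the audit need."""
    conn.execute("DROP TABLE IF EXISTS radacct")
    conn.execute(
        f"""CREATE TABLE radacct (
            RadAcctId       INTEGER PRIMARY KEY,
            AcctSessionId   VARCHAR({int(width)}) NOT NULL,
            UserName        TEXT NOT NULL,
            NASIPAddress    TEXT NOT NULL,
            AcctStartTime   TEXT,
            AcctStopTime    TEXT,
            AcctSessionTime INTEGER
        )"""
    )


def acct_start(conn, width, session_id, user, nas, when):
    """Accounting-Start. The slice emulates MySQL non-strict truncation to
    the declared width; returns what actually landed in the row."""
    stored = session_id[:width]
    conn.execute(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime) "
        "VALUES (?, ?, ?, ?)",
        (stored, user, nas, when),
    )
    conn.commit()
    return stored


def acct_stop(conn, session_id, user, nas, when, session_time):
    """Accounting-Stop in the shape of the 1.x stop query: match on the full
    id, user and NAS. Returns rows updated; 0 means the session stays open."""
    cur = conn.execute(
        "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ? "
        "WHERE AcctSessionId = ? AND UserName = ? AND NASIPAddress = ? "
        "AND AcctStopTime IS NULL",
        (when, session_time, session_id, user, nas),
    )
    conn.commit()
    return cur.rowcount


def suspicious_open_sessions(conn, width):
    """Audit: open sessions whose stored id is exactly the column width are
    the prime suspects for truncation. Run before and after widening."""
    return conn.execute(
        "SELECT UserName, AcctSessionId FROM radacct "
        "WHERE AcctStopTime IS NULL AND length(AcctSessionId) = ? "
        "ORDER BY RadAcctId",
        (width,),
    ).fetchall()


def demo(width):
    """One Start/Stop pair through a table of the given width. Returns
    (rows updated by Stop, suspicious open sessions afterwards)."""
    conn = sqlite3.connect(":memory:")
    create_radacct(conn, width)
    # 34-character id, as in the post (constructed value)
    sid = "0A1B2C3D4E5F6071" "8293A4B5C6D7E8F9" "01"
    acct_start(conn, width, sid, "egoitz", "192.0.2.10", "2005-01-12 10:00:00")
    updated = acct_stop(conn, sid, "egoitz", "192.0.2.10",
                        "2005-01-12 11:00:00", 3600)
    return updated, suspicious_open_sessions(conn, width)


if __name__ == "__main__":
    print("width 32:", demo(32))   # Stop matches nothing, session left open
    print("width 64:", demo(64))   # Stop closes the row
```

On MySQL the remedy is to widen the column (for example `ALTER TABLE radacct MODIFY AcctSessionId VARCHAR(64)`) and, where the server supports it, to run in strict SQL mode so an over-long value fails the INSERT loudly instead of being cut.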


Re: compiling freeradius 1.0.1 in HP-UX 11.11i

2005-01-12 Thread Roberto S. G.
hi,
I didn't send the output, 'cause I didn't want to occupy much of your
time...
A preparation step consists of making a link "ln -s
/usr/include/sys/time.h /usr/include/sys/select.h", following (freely
interpreted) an HP recommendation, due to HP's lack of select.h (hp is a
strange thing). (see
http://devrsrc1.external.hp.com/STKT/impacts/i338.html).
I also tried using "./configure --disable-shared", or
"CFLAGS='-O -Ae -D_HPUX_SOURCE'", as pointed out in an old post (), but
nothing significant changed.
Anyway, here are two cases I've tested (separated with * lines):
- 1st one: with "CFLAGS=-I/openldap-2.2.20/include" (openldap sources);
this ends with "Unexpected symbol" errors... (after making some "ln -s
/openldap-2.2.20/include/ldap_features.h.in
/openldap-2.2.20/include/ldap_features.h" because the source files were a
little strangely named (?)).

- 2nd one: with "export CFLAGS=-I/opt/iexpress/openldap/include"
(another openldap source tree I had).

...
gmake[6]: Entering directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_ippool'
gmake[6]: Nothing to be done for `static'.
gmake[6]: Nothing to be done for `dynamic'.
gmake[6]: Leaving directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_ippool'
Making static dynamic in rlm_krb5...
gmake[6]: Entering directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_krb5'
cc  -I/home/roberto/openldap-2.2.20/include -DOPENSSL_NO_KRB5 
-I/usr/local/include/ -DNDEBUG  -I../../include  -c rlm_krb5.c -o rlm_krb5.o
cc: "rlm_krb5.c", line 104: warning 611: Type conversion loses "const" 
qualifier.
cc: "rlm_krb5.c", line 104: warning 563: Argument #2 is not the correct 
type.
cc: "rlm_krb5.c", line 257: warning 604: Pointers are not 
assignment-compatible.
cc: "rlm_krb5.c", line 258: warning 604: Pointers are not 
assignment-compatible.
/home/roberto/freeradius-1.0.1/libtool --mode=link ld \
-module -static  -I/home/roberto/openldap-2.2.20/include 
-DOPENSSL_NO_KRB5 -I/usr/local/include/ -DNDEBUG  -I../../include  
rlm_krb5.o -o rlm_krb5.a
mkdir .libs
ar cru rlm_krb5.a rlm_krb5.o
ranlib rlm_krb5.a
/home/roberto/freeradius-1.0.1/libtool --mode=compile cc  
-I/home/roberto/openldap-2.2.20/include -DOPENSSL_NO_KRB5 
-I/usr/local/include/ -DNDEBUG  -I../../include  -c rlm_krb5.c
rm -f .libs/rlm_krb5.lo
cc -I/home/roberto/openldap-2.2.20/include -DOPENSSL_NO_KRB5 
-I/usr/local/include/ -DNDEBUG -I../../include -c rlm_krb5.c  +Z -DPIC 
-o .libs/rlm_krb5.lo
cc: "rlm_krb5.c", line 104: warning 611: Type conversion loses "const" 
qualifier.
cc: "rlm_krb5.c", line 104: warning 563: Argument #2 is not the correct 
type.
cc: "rlm_krb5.c", line 257: warning 604: Pointers are not 
assignment-compatible.
cc: "rlm_krb5.c", line 258: warning 604: Pointers are not 
assignment-compatible.
cc -I/home/roberto/openldap-2.2.20/include -DOPENSSL_NO_KRB5 
-I/usr/local/include/ -DNDEBUG -I../../include -c rlm_krb5.c -o 
rlm_krb5.o >/dev/null 2>&1
mv -f .libs/rlm_krb5.lo rlm_krb5.lo
/home/roberto/freeradius-1.0.1/libtool --mode=link cc -release 1.0.1 \
-module -export-dynamic  -I/home/roberto/openldap-2.2.20/include 
-DOPENSSL_NO_KRB5 -I/usr/local/include/ -DNDEBUG  -I../../include   \
-o rlm_krb5.la -rpath /usr/local/lib rlm_krb5.lo -lk5crypto 
-L/usr/local/lib/ -lcrypto -lcom_err -lkrb5 -lnsl
rm -fr .libs/rlm_krb5.la .libs/rlm_krb5.* .libs/rlm_krb5-1.0.1.*
/usr/bin/ld -b +h rlm_krb5-1.0.1.sl +b /usr/local/lib -o 
.libs/rlm_krb5-1.0.1.sl  rlm_krb5.lo  -lk5crypto -L/usr/local/lib/ 
-lcrypto -lcom_err -lkrb5 -lnsl -lc
(cd .libs && rm -f rlm_krb5.sl && ln -s rlm_krb5-1.0.1.sl rlm_krb5.sl)
ar cru .libs/rlm_krb5.a  rlm_krb5.o
ranlib .libs/rlm_krb5.a
creating rlm_krb5.la
(cd .libs && rm -f rlm_krb5.la && ln -s ../rlm_krb5.la rlm_krb5.la)
gmake[6]: Leaving directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_krb5'
Making static dynamic in rlm_ldap...
gmake[6]: Entering directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_ldap'
cc  -I/home/roberto/openldap-2.2.20/include -DOPENSSL_NO_KRB5 
-I/usr/local/include/ -DNDEBUG  -I../../include -DHAVE_LDAP_START_TLS 
-DHAVE_LDAP_INITIALIZE -DHAVE_LDAP_INT_TLS_CONFIG -c rlm_ldap.c -o 
rlm_ldap.o
cc: "/home/roberto/openldap-2.2.20/include/lber_types.h", line 42: error 
1000: Unexpected symbol: "ber_int_t".
cc: "/home/roberto/openldap-2.2.20/include/lber_types.h", line 45: error 
1000: Unexpected symbol: "ber_sint_t".
cc: "/home/roberto/openldap-2.2.20/include/lber_types.h", line 45: error 
1713: Illegal redeclaration for identifier "LBER_INT_T".
...

...
gmake[6]: Leaving directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_ippool'
Making static dynamic in rlm_krb5...
gmake[6]: Entering directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_krb5'
gmake[6]: Leaving directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_krb5'
Making static dynamic in rlm_ldap...
gmake[6]: Entering directory 
`/home/roberto/freeradius-1.0.1/src/modules/rlm_ldap'
c

Re: secondary freeradius server if the first fallback is it possible ?

2005-01-12 Thread Thor Spruyt
Nans Delrieu wrote:
> Thanks but how to set a proxy radius server ?
> Is this function integrated into freeradius ?
Yes
> I haven't a REAL NAS, I have only PC.
>
> in clients.conf (proxy radius server)
> client proxyradius.domain.com {
>         secret    = rad1
>         shortname = NAS1
>         nastype   = other  # it is a pc
> }
> client primary.domain.com {
>         secret    = rad2
>         shortname = NAS2
>         nastype   = other
> }
> client secondary.domain.com {
>         secret    = rad3
>         shortname = NAS3
>         nastype   = other
> }
> that's ok ?
In clients.conf of the proxyradius, you'll probably only need this:
client 127.0.0.1 {
        shortname = localhost
        secret    = testing123
        nastype   = other
}
That should be sufficient to use radtest on the same host.
> then
> proxy.conf
> realm domain.com {
>         type     = radius
>         authhost = primaryradius.domain.com:1812
>         accthost = primaryradius.domain.com:1813
>         secret   = secret **
> }
> realm domain.com {
>         type     = radius
>         authhost = secondaryradius.domain.com:1812
>         accthost = secondaryradius.domain.com:1813
>         secret   = secret **
> }
Looks ok.
Make sure dns resolves correctly or use IP addresses!
> (for primary radius :
> clients.conf
> client proxyradius.domain.com {
>         secret    = rad1
>         shortname = NAS1
>         nastype   = other   # it is the same pc
> }
client 127.0.0.1 {
        shortname = localhost
        secret    = secret**
        nastype   = other
}
> idem for secondary radius.)
> but how must I configure clients.conf in the proxy radius server ?
> so that it knows to go to radius1, or radius2 if radius1 fails.
That's done in proxy.conf, not in clients.conf
The configuration you pasted above for proxy.conf should work.
> The schema for freeradius is
> Mobile client -> NAS -> Server Radius (here freeradius)
In your case it's: radiusclient (radtest) -> proxyradius -> homeradius
> clients.conf is for freeradius in order to know the NAS client.
Yes.
The radtest utility will play client of the proxyserver.
The proxyserver will play client of the homeservers.
> proxy.conf is for freeradius too.
Yes, that's where it is configured where to send packets for a specific realm.
> but how to simulate a REAL NAS with a pc ??
radtest can be used as client (but can't do failover automatically)
The proxyserver will play the NAS and will failover between the 2
homeservers.

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans)
now via www.salesguide.be. Discover the Telenet Hotspot service at
www.telenet.be/hotspots
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: accounting packet forwarding

2005-01-12 Thread Thor Spruyt
Stefan Winter wrote:
> I have an authentication setup involving several realms that are
> proxied using freeradius-1.0.1. AuthN works perfectly so far. I just
> didn't find precise information about Accounting packets: are they
> automatically proxied and following the same rules as AuthN packets?
> I.e. if a user with a realm that is proxied for authN is logged in
> and an Accounting packet is generated for him in the NAS, will this
> Accounting packet be proxied to the same server where the user was
> proxied to for authentication?
> In my understanding this is not the case, all Accounting packets are
> treated on our server and I'd have to set up an instance of radrelay
> for every realm. If I am right, this would be somewhat inconvenient
> as I would have to duplicate a lot of information that usually should be
> contained only in proxy.conf. Plus, having many instances of radrelay
> doesn't sound very clean to me.
run radiusd with -X to see what happens
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans)
now via www.salesguide.be. Discover the Telenet Hotspot service at
www.telenet.be/hotspots

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


secondary freeradius server if the first fallback is it possible ?

2005-01-12 Thread Nans Delrieu
Thanks but how to set a proxy radius server ?
Is this function integrated into freeradius ?

I haven't a REAL NAS, I have only PC.


in clients.conf (proxy radius server)

client proxyradius.domain.com {
        secret    = rad1
        shortname = NAS1
        nastype   = other  # it is a pc
}

client primary.domain.com {
        secret    = rad2
        shortname = NAS2
        nastype   = other
}

client secondary.domain.com {
        secret    = rad3
        shortname = NAS3
        nastype   = other
}

that's ok ?

then

proxy.conf

realm domain.com {
        type     = radius
        authhost = primaryradius.domain.com:1812
        accthost = primaryradius.domain.com:1813
        secret   = secret **
}

realm domain.com {
        type     = radius
        authhost = secondaryradius.domain.com:1812
        accthost = secondaryradius.domain.com:1813
        secret   = secret **
}


(for primary radius :

clients.conf

client proxyradius.domain.com {
        secret    = rad1
        shortname = NAS1
        nastype   = other   # it is the same pc
}

idem for secondary radius.)

but how must I configure clients.conf in the proxy radius server ?
so that it knows to go to radius1, or radius2 if radius1 fails.

The schema for freeradius is

Mobile client -> NAS -> Server Radius (here freeradius)

clients.conf is for freeradius in order to know the NAS client.
proxy.conf is for freeradius too.


but how to simulate a REAL NAS with a pc ??
help me






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
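Thor Spruyt's reply to this post, earlier on the page, notes that radtest cannot fail over on its own. What a real NAS does instead is shown by the following added example (not from the thread and not FreeRADIUS code): it tries each RADIUS server in preference order, a fixed number of times each, and treats a reply as valid only if its Response Authenticator verifies under that server's shared secret (RFC 2865 section 3), so a forged or misdirected Access-Accept cannot end the search. Host names, ports, secrets, retry counts and the injectable transport hook are the example's own; the request carries only a User-Name, so no password hiding is involved.

```python
"""RADIUS client with NAS-style failover and reply authentication.

Added example, not from the thread or from FreeRADIUS. Wire format per
RFC 2865: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
A reply is accepted only if MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
equals its Response Authenticator (RFC 2865 section 3). Servers, secrets
and the transport hook are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1


def attribute(attr_type, value):
    """One TLV; the Length octet covers the type and length octets too."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(identifier, attrs, authenticator=None):
    """Access-Request with a random 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def response_authenticator(reply, request_auth, secret):
    """What an honest server must place in octets 4..20 of its reply."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()


def reply_is_authentic(reply, request, secret):
    """Identifier must match, Length must equal the datagram size, and the
    Response Authenticator must verify under this server's secret."""
    if len(reply) < 20 or len(reply) > 4096 or reply[1] != request[1]:
        return False
    (length,) = struct.unpack("!H", reply[2:4])
    if length != len(reply):
        return False
    expected = response_authenticator(reply, request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected)


def udp_transport(host, port, packet, timeout):
    """Real transport: one datagram out, one in; None on timeout or error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            data, _ = sock.recvfrom(4096)
        except OSError:          # socket.timeout is a subclass of OSError
            return None
    return data


def send_with_failover(servers, request, retries=3, timeout=2.0,
                       transport=udp_transport):
    """servers: [(host, port, secret), ...] in preference order. Each server
    gets `retries` attempts; a reply that fails authentication counts as
    silence. Returns (server_index, reply) or None if every server is dead."""
    for index, (host, port, secret) in enumerate(servers):
        for _ in range(retries):
            reply = transport(host, port, request, timeout)
            if reply is not None and reply_is_authentic(reply, request, secret):
                return index, reply
    return None


if __name__ == "__main__":
    # Same topology as the thread: proxy first, then the two home servers.
    servers = [("proxyradius.domain.com", 1812, b"rad1"),
               ("primaryradius.domain.com", 1812, b"rad2"),
               ("secondaryradius.domain.com", 1812, b"rad3")]
    request = build_request(1, attribute(USER_NAME, b"testuser"))
    print(send_with_failover(servers, request))
```

Note the per-server secret: the proxy's clients.conf entry and each home server's entry carry different secrets, and the reply check must use the secret of the server that was actually asked, otherwise a valid reply from a fallback server would be discarded as forged.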


Re: post-auth section of radiusd.conf

2005-01-12 Thread Thor Spruyt

See doc/Post-Auth-Type

> ----- Original Message -----
> From: rashad
> To: freeradius-users@lists.freeradius.org
> Sent: Wednesday, January 12, 2005 7:32 AM
> Subject: post-auth section of radiusd.conf
>
> Hi people.
> Can anyone give additional information about how the post-auth section
> of radiusd.conf works, especially about the Post-Auth-Type REJECT {} part.


conflicts between freeradius versions

2005-01-12 Thread Hennie Vaatstra
I'm running a freeradius server (FreeRADIUS Version
0.9.3, for host s390x-ibm-linux-gnu, built on Jan 11
2005 at 10:34:54) on 64bit SuSE linux (S390).

The authentication chain we use is as follows:
radiusclient > radiusserver > LDAP server on z/OS >
RACF.

Authenticating against the freeradiusserver works only
with radiusclients on 64bit systems (on the same
server  or other 64 bit zlinux images we're running).
Using a 31 bit zlinux image as radclient or NTRadPing
on a Win2000 laptop doesn't work - the password gets
trashed, and I receive this message:

WARNING: Unprintable characters in the password. ? 
Double-check the shared secret on the server and the
NAS!

Does anybody know what might be wrong?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
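The warning quoted in this post is what FreeRADIUS prints when a User-Password, once un-hidden with the server's shared secret, contains bytes outside the printable range. RFC 2865 section 5.2 hides the password by XORing it, in 16-byte blocks, with MD5(secret + Request Authenticator) for the first block and MD5(secret + previous ciphertext block) for each following one. Whenever the client's arithmetic in that step disagrees with the server's, because the secrets differ or because the client encodes wrongly, the server sees noise, which is the symptom described here. The following added example (not from the thread and not FreeRADIUS code; the secret, authenticator and passwords are constructed) implements both directions so a captured Access-Request from a misbehaving client can be checked offline against the secret the server holds.

```python
"""RFC 2865 section 5.2 User-Password hiding, both directions.

Added example, not from the thread or from FreeRADIUS. The shared secret,
Request Authenticator and passwords used below are constructed.
"""
import hashlib
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Client side. Pad with NULs to a multiple of 16, then chain:
       c1 = p1 XOR MD5(S + RA),  c_i = p_i XOR MD5(S + c_{i-1})."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + bytes(-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        block = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: same chain keyed on the received ciphertext blocks, then
    strip the NUL padding. A wrong secret yields 16 bytes of noise per block."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        out += _xor(hidden[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + BLOCK]
    return out.rstrip(b"\x00")


def looks_printable(raw):
    """The heuristic behind the warning: a genuine PAP password decodes to
    printable ASCII; noise from a secret mismatch almost never does."""
    return all(0x20 <= byte < 0x7F for byte in raw)


def check_captured(hidden, secret, authenticator):
    """Offline check for a captured Access-Request: (decoded, passes_check).
    `hidden` is the User-Password attribute value, `authenticator` octets
    4..20 of the same packet, `secret` the one configured for that client."""
    decoded = reveal_password(hidden, secret, authenticator)
    return decoded, looks_printable(decoded)


if __name__ == "__main__":
    ra = os.urandom(BLOCK)
    hidden = hide_password(b"s3cret!", b"testing123", ra)
    print(check_captured(hidden, b"testing123", ra))   # the password, True
    print(check_captured(hidden, b"Testing123", ra))   # noise, almost surely False
```

Feeding the bytes of a packet from a working 64-bit client and one from a failing 31-bit client through check_captured with the same secret separates the two explanations: if the 31-bit packet decodes cleanly here, the server-side secret for that client is the problem; if it decodes to noise, the client's hiding step is.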


accounting packet forwarding

2005-01-12 Thread Stefan Winter
Hello,

I have an authentication setup involving several realms that are proxied using 
freeradius-1.0.1. AuthN works perfectly so far. I just didn't find precise 
information about Accounting packets: are they automatically proxied and 
following the same rules as AuthN packets? I.e. if a user with a realm that 
is proxied for authN is logged in and an Accounting packet is generated for 
him in the NAS, will this Accounting packet be proxied to the same server 
where the user was proxied to for authentication?
In my understanding this is not the case, all Accounting packets are treated 
on our server and I'd have to set up an instance of radrelay for every realm. 
If I am right, this would be somewhat inconvenient as I would have to 
duplicate a lot information that usually should be contained only in 
proxy.conf. Plus, having many instances of radrelay doesn't sound very clean 
to me.

Greetings,

Stefan Winter

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]    tel.: +352 424409-33
http://www.restena.lu           fax:  +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html