Re: Attr Filter ...

2005-01-27 Thread Stefan Winter
Hello!

> Reply-Message == "Ok",
> Reply-Message == "remote radius"

Hm, haven't done that yet, but how about trying operator += instead of == for 
the second one? I.e.:

Reply-Message == "Ok",
Reply-Message += "remote radius"

Stefan

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur réseau et système

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: Allways 10 Times to authenticate

2005-01-27 Thread Stefan Winter
Hello!

> I think the better solution is  to learn/understand how it works !
> Anyway thanks for your answer !

The answer why there are so many "requests" is that during an EAP session, 
lots of data has to be exchanged, not just some small attributes that fit 
into a single RADIUS packet.
The important content is sent in an attribute named EAP-Message, which is of 
limited length. So, if more data has to be exchanged, the message is split in 
chunks and a lengthy EAP "conversation" takes place. This has to be done for 
example when it comes to exchanging server or client certificates as these 
tend to be long.
In that case, one party sends the first chunk of data and the other replies 
with a "go ahead" until one side is finished. Since the RADIUS protocol only 
has the two message types "Request" and "Reply", one of the two sides of the 
conversation has to be labelled a Request and the other the Reply.
As Alan said, do not confuse that Request message with an all-new "Request 
from a user to authenticate".

So, don't worry, everything will be okay.

Stefan Winter

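The chunked EAP "conversation" Stefan describes has two layers, and seeing both in code makes the packet counts in the other "10 times to authenticate" threads unsurprising. The following is an added example, not code from the list post or from FreeRADIUS: it fragments one TLS flight (a certificate chain, say) into EAP-TLS packets no larger than the EAP MTU, RFC 5216 style, and then wraps each EAP packet into RADIUS EAP-Message attributes of at most 253 octets (RFC 3579). Every fragment needs its own Access-Request/Access-Challenge pair, which is where the many "requests" for one authentication come from. The 1400-byte MTU used in the demo is an assumption taken from the Framed-MTU that appears in a log later on this page; FreeRADIUS actually sizes fragments from its `fragment_size` setting in the eap.conf tls section.

```python
import struct

EAP_MESSAGE_MAX = 253      # RFC 3579 section 3.1: one EAP-Message attribute carries at most 253 octets
EAP_MESSAGE_TYPE = 79
EAP_TLS_TYPE = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # RFC 5216: Length-included, More fragments, Start
EAP_TLS_HEADER = 6         # Code(1) Identifier(1) Length(2) Type(1) Flags(1)


def _eap_tls_packet(code, ident, flags, prefix, data):
    length = EAP_TLS_HEADER + len(prefix) + len(data)
    return struct.pack("!BBHBB", code, ident, length, EAP_TLS_TYPE, flags) + prefix + data


def fragment_eap_tls(tls_data, eap_mtu, code=1, first_id=0):
    """Split one TLS flight into EAP-TLS packets of at most eap_mtu bytes.

    The first fragment of a multi-fragment message carries the L flag plus the
    4-octet total TLS length; every fragment except the last carries the M flag.
    """
    body_cap = eap_mtu - EAP_TLS_HEADER
    if len(tls_data) <= body_cap:
        return [_eap_tls_packet(code, first_id, 0, b"", tls_data)]
    packets, offset, ident = [], 0, first_id
    while offset < len(tls_data):
        first = not packets
        cap = body_cap - 4 if first else body_cap       # room for the length field
        chunk = tls_data[offset:offset + cap]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_data) else 0)
        prefix = struct.pack("!I", len(tls_data)) if first else b""
        packets.append(_eap_tls_packet(code, ident, flags, prefix, chunk))
        ident = (ident + 1) & 0xFF
    return packets


def reassemble_eap_tls(packets):
    """Inverse of fragment_eap_tls; checks the declared TLS length against what arrived."""
    out, declared = b"", None
    for p in packets:
        _code, _ident, length, typ, flags = struct.unpack("!BBHBB", p[:EAP_TLS_HEADER])
        if length != len(p) or typ != EAP_TLS_TYPE:
            raise ValueError("malformed EAP-TLS packet")
        body = p[EAP_TLS_HEADER:]
        if flags & FLAG_L:
            declared, body = struct.unpack("!I", body[:4])[0], body[4:]
        out += body
        if not flags & FLAG_M:
            break
    if declared is not None and declared != len(out):
        raise ValueError("TLS length mismatch: declared %d, got %d" % (declared, len(out)))
    return out


def eap_message_attributes(eap_packet):
    """Wrap one EAP packet into consecutive RADIUS EAP-Message attributes (type 79)."""
    chunks = (eap_packet[i:i + EAP_MESSAGE_MAX] for i in range(0, len(eap_packet), EAP_MESSAGE_MAX))
    return [bytes([EAP_MESSAGE_TYPE, len(chunk) + 2]) + chunk for chunk in chunks]


def radius_packets_for_flight(tls_data, eap_mtu):
    """Each fragment rides in its own Access-Challenge (or Access-Request when the
    supplicant is sending) and is acknowledged by the other side, so one flight costs
    one request/response pair per fragment.  Returns (fragment count, EAP-Message
    attributes needed by the largest fragment)."""
    frags = fragment_eap_tls(tls_data, eap_mtu)
    return len(frags), max(len(eap_message_attributes(f)) for f in frags)


if __name__ == "__main__":
    cert_flight = bytes(range(256)) * 12   # constructed stand-in for a ~3 KB certificate chain
    print(radius_packets_for_flight(cert_flight, 1400))
```

A 3000-byte flight at a 1400-byte EAP MTU becomes three EAP-TLS packets, so three round trips for that flight alone, and each full-size packet needs six EAP-Message attributes inside its RADIUS packet; add the identity exchange, the client's own flight and the final Accept and a count near ten is ordinary.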


/raddb/users file updated but not showing result

2005-01-27 Thread Madhu Dubey
Hi All,

I am a new member of this fast-growing mailing list. I had just started
working on FreeRADIUS version 1.0.1 on RedHat Linux release 2.4.18-3.
I encountered a problem authenticating a user based on his/her password.

As per man radiusd,
"When testing, start off by configuring a user and password in the users file.
So long as the server knows about a user, and has a clear-text password for
that user, almost all of the authentication methods will just work".

BUT, this is not working at all!!

I removed the comments from the entry for user "dialbk" at line 113 of the
file "/raddb/users".
Then I did ./configure ; make clean ; make all; make install

If I now run "radtest dialbk callme localhost 0 testing123",
the debug output on the RADIUS server shows the following result:

  User-Name = "dialbk"
User-Password = "callme"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "dialbk", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.


My question is: when the users file has an entry for "dialbk" at line 113, why
does it give a match at line 152 [users: Matched DEFAULT at 152], even
though I had reissued make install?

Now if I add the user "dialbk" to my system, it will give Accept, but again
(if I guessed it right) this is due to the match of DEFAULT at 152, Auth-Type =
System, so that it will look into /etc/passwd for "dialbk".


Can anybody please look into this ..





Re: Radius Cisco h323 Voip

2005-01-27 Thread Fabio Viração
Hello Manda;
Thank you very much for your help... Now I am using postgres and I can send 
the CDR to the DB. But now I have another question ... :-) how can I get 
the call duration?? I know that I have to use disconnect and connect time, but 
I do not know how. Can you please help me?

Thanks
Fabio
- Original Message - 
From: "Manda Costin" <[EMAIL PROTECTED]>
To: ; 
<[EMAIL PROTECTED]>
Sent: Thursday, January 27, 2005 8:47 AM
Subject: Re: Radius Cisco h323 Voip


On 26 Jan 2005, at 23:16, Fabio Viração <[EMAIL PROTECTED]> wrote:

> Hi ;
> How can I send all these information to a Mysql Database ??

If you look in the src/billing directory in the freeradius source packet 
you will see how to do billing with postgres. Also the reasons why mysql 
does NOT work well with Cisco. However, you can try MySQL 5.0 which is 
still in testing AFAIK, and see how it goes.
I highly recommend postgreSQL, though, and to create a good 
accounting/billing system for Cisco you need to combine the info in the 
src/billing directory with the one in 
src/modules/rlm_sql/drivers/rlm_sql_postgresql. At least this is how I did 
it.
Also, don't forget to set with_cisco_vsa_hack=yes in the radiusd.conf 
file.

> Does anyone have any idea that can help me ??
> Sorry Joe
> Thanks
> Fabio
> Mon Aug 30 14:38:18 2004
>    NAS-IP-Address = 192.168.115.4
>    Cisco-NAS-Port = "CAS 1:0"
>    NAS-Port-Type = Async
>    User-Name = "351289767299"
>    Called-Station-Id = "17863045678"
>    Calling-Station-Id = "351212362299"
>    Acct-Status-Type = Stop
>    Service-Type = Login-User
>    h323-gw-id = "h323-gw-id=Test0909"
>    Cisco-AVPair = "h323-incoming-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
>    h323-call-origin = "h323-call-origin=originate"
>    h323-call-type = "h323-call-type=Telephony"
>    h323-setup-time = "h323-setup-time=14:45:00.680 GMT Mon Aug 30 2004"
>    h323-connect-time = "h323-connect-time=14:45:23.482 GMT Mon Aug 30 2004"
>    h323-disconnect-time = "h323-disconnect-time=14:46:06.352 GMT Mon Aug 30 2004"
>    h323-disconnect-cause = "h323-disconnect-cause=10"
>    h323-voice-quality = "h323-voice-quality=0"
>    h323-conf-id = "h323-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
>    Acct-Session-Id = "EDD9"



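The duration question in the post above is answered by the Stop record it quotes: the billable time is h323-disconnect-time minus h323-connect-time, not minus h323-setup-time. The following is an added example, not code from the post or from FreeRADIUS: it parses a constructed copy of that Stop record (the Cisco "attr=value" repetition inside each value, which with_cisco_vsa_hack strips on the server, is handled here by hand), converts the h323 timestamps, and computes the duration, treating a record with no connect-time (a call that was never answered) as zero seconds.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the Stop record quoted in the post above.
STOP_RECORD = """\
Acct-Status-Type = Stop
User-Name = "351289767299"
h323-setup-time = "h323-setup-time=14:45:00.680 GMT Mon Aug 30 2004"
h323-connect-time = "h323-connect-time=14:45:23.482 GMT Mon Aug 30 2004"
h323-disconnect-time = "h323-disconnect-time=14:46:06.352 GMT Mon Aug 30 2004"
h323-disconnect-cause = "h323-disconnect-cause=10"
Acct-Session-Id = "EDD9"
"""

H323_TIME_FORMAT = "%H:%M:%S.%f %Z %a %b %d %Y"   # matches "14:45:23.482 GMT Mon Aug 30 2004"


def parse_record(text):
    """Turn 'Attribute = value' lines into a dict; strips quotes and the Cisco
    'attr=' prefix that the gateway repeats inside the value."""
    attrs = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if value.startswith(name + "="):
            value = value[len(name) + 1:]
        attrs[name] = value
    return attrs


def parse_h323_time(value):
    """'14:45:23.482 GMT Mon Aug 30 2004' -> timezone-aware UTC datetime.
    Cisco IOS prefixes '*' or '.' when its clock is not synchronised; those are
    dropped so the record still parses, but such times should not be billed blindly."""
    value = value.lstrip("*.")
    return datetime.strptime(value, H323_TIME_FORMAT).replace(tzinfo=timezone.utc)


def call_duration(attrs):
    """Billable duration = disconnect-time - connect-time.  A call with no
    connect-time was never answered and bills zero; setup-time is deliberately unused."""
    if "h323-connect-time" not in attrs or "h323-disconnect-time" not in attrs:
        return timedelta(0)
    connect = parse_h323_time(attrs["h323-connect-time"])
    disconnect = parse_h323_time(attrs["h323-disconnect-time"])
    if disconnect < connect:
        raise ValueError("disconnect before connect: clock skew or mismatched record")
    return disconnect - connect


if __name__ == "__main__":
    record = parse_record(STOP_RECORD)
    print(record["Acct-Session-Id"], call_duration(record).total_seconds())
```

For the quoted record the result is 42.87 seconds (14:45:23.482 to 14:46:06.352). In a billing pipeline the same subtraction belongs in the SQL that loads the CDR, but the rules (no connect-time means zero, reject negative durations) are the ones to carry over.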


Re: LDAP?? Why

2005-01-27 Thread Alan DeKok
Chan Min Wai <[EMAIL PROTECTED]> wrote:
> And IF I really insane and want to put an MD5 encrypted password for eap
> usage in the LDAP, what kind of modification I'll be looking into and
> which program would it be?
> Openldap? freeradius LDAP module?

  As was pointed out, EAP-TTLS with PAP will work.

  Everything else is IMPOSSIBLE.  It was designed to be impossible.
No amount of money will solve the problem.  No other RADIUS server
can do it.

  Alan DeKok.



Re: LDAP?? Why

2005-01-27 Thread Craig Huckabee
Chan Min Wai wrote:
> Greeting all,
> After some time on this mailing list I found most of the problems with LDAP
> are the EAP stuff.
> And always the passwords in LDAP MUST be clear text.
> I've one question here.
> Is there any way to put an encrypted password in LDAP so FreeRADIUS will
> work with it? (Anything that is in your mind, e.g. mschap, chap ...)
> And IF I'm really insane and want to put an MD5-encrypted password for EAP
> usage in the LDAP, what kind of modification will I be looking into and
> which program would it be?
> OpenLDAP? The FreeRADIUS LDAP module?
> I don't mind paying for the contribution somehow.
> Regards,
> Chan Min Wai

EAP-TTLS & PAP.  You keep your LDAP passwords encrypted, 
username/password can be sent unencrypted via PAP inside EAP-TTLS 
encrypted tunnel.

Works great with OSX and Windows XP w/ SecureW2 client installed.

--
/ Craig Huckabee|  e-mail: [EMAIL PROTECTED] /
/ Code 715-CH   |   phone: (843) 218 5653   /
/ SPAWAR Systems Center | close proximity: "Hey You!"   /
/ Charleston, SC|ICBM:  32.78N, 79.93W  /
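Both replies above (Alan's and Craig's) say the same thing: with one-way hashed passwords in LDAP, only PAP (and therefore EAP-TTLS carrying PAP inside its tunnel) can work. The reason is mechanical, and the following added example shows it in code; it is not FreeRADIUS code and the {SSHA} layout is the OpenLDAP userPassword convention, base64(SHA1(password || salt) || salt). PAP delivers the candidate password itself, so the server can recompute the stored hash and compare. CHAP (RFC 1994) delivers MD5(id || password || challenge); to check it the server must feed the clear-text password into MD5, and a salted SHA1 of that password cannot be turned back into it. MS-CHAP and EAP-MD5 have the same shape, with the NT hash or MD5 in place of the clear text.

```python
import base64
import hashlib
import hmac
import os


def ssha_store(password: bytes, salt: bytes = None) -> str:
    """Produce an OpenLDAP-style {SSHA} userPassword value (salt is random unless given)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _clear_text(stored: str):
    """Return the clear-text password only when the directory holds one."""
    if stored.startswith("{SSHA}"):
        return None
    if stored.startswith("{"):
        raise ValueError("unsupported userPassword scheme")
    return stored.encode("utf-8")


def verify_pap(stored: str, candidate: bytes) -> bool:
    """PAP (also the inner method of EAP-TTLS/PAP) hands the server the candidate
    password, so any one-way hash in the directory can be recomputed and compared."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    return hmac.compare_digest(_clear_text(stored), candidate)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: the peer sends MD5(Identifier || secret || challenge), never the secret."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(stored: str, ident: int, challenge: bytes, response: bytes):
    """True/False when the directory holds clear text; None when it holds {SSHA},
    because the expected MD5 needs the secret as input and the hash cannot supply it."""
    clear = _clear_text(stored)
    if clear is None:
        return None
    return hmac.compare_digest(chap_response(ident, clear, challenge), response)


if __name__ == "__main__":
    hashed = ssha_store(b"s3cret")
    challenge = os.urandom(16)
    print("PAP against {SSHA}:", verify_pap(hashed, b"s3cret"))
    print("CHAP against {SSHA}:", verify_chap(hashed, 1, challenge, chap_response(1, b"s3cret", challenge)))
```

The `None` from `verify_chap` is the whole story: the server cannot even compute an expected value, so no amount of configuration on the RADIUS side changes it. The practical trade-off is that EAP-TTLS/PAP protects the clear-text password only by the TLS tunnel, so the supplicant must actually validate the server certificate.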


LDAP?? Why

2005-01-27 Thread Chan Min Wai
Greeting all,

After some time on this mailing list I found most of the problems with LDAP
are the EAP stuff.

And always the passwords in LDAP MUST be clear text.

I've one question here.


Is there any way to put an encrypted password in LDAP so FreeRADIUS will
work with it? (Anything that is in your mind, e.g. mschap, chap ...)

And IF I'm really insane and want to put an MD5-encrypted password for EAP
usage in the LDAP, what kind of modification will I be looking into and
which program would it be?
OpenLDAP? The FreeRADIUS LDAP module?

I don't mind paying for the contribution somehow.

Regards,
Chan Min Wai



Re: Windows XP SP2 WAP/TKIP

2005-01-27 Thread Zhenliu Chen
I got the EAP-TLS + WPA + WinXP SP2 work before with a snap shot
version of Freeradius (20041220).

Zhenliu


On Thu, 27 Jan 2005 23:24:28 +0100, freeradius-users
<[EMAIL PROTECTED]> wrote:
> Hello all,
> 
> After hours of googling, I'm almost hopeless.
> Can't believe, there is no howto or script, on how to get the
> combination freeradius/windows xp with SP2 running.
> The doc section on freeradius.org is quite poor and the doc's about
> windows integration are quite old (they don't consider SP1 or SP2).
> 
> So my first question is simple:
> Has anybody a configuration with freeradius and Windows XP SP2
> (WPA/TKIP) running. (In my special case I don't want to deal with
> user-certificates, but with machine-based certificates. It is just a
> registry hack and already done.)
> If not, does anybody knows howtos or documentation about that.
> 
> Thanks
> Robert
> 
> CompuLab - Consult
> Robert Schuster
> Am Karmelkloster 16
> 53229 Bonn
> 
> mailto:[EMAIL PROTECTED]
> 
> Tel.  +49 228 97604-0
> Fax.  +49 228 97604-25
> mobil +49 175 1606254
> 
>



Re: Windows XP SP2 WAP/TKIP

2005-01-27 Thread Zoltan Ori
On Thursday 27 January 2005 17:24, freeradius-users wrote:

> The doc section on freeradius.org is quite poor and the doc's about
> windows integration are quite old (they don't consider SP1 or SP2).

The HOWTOs are quite helpful if you don't consider the OS and consider the 
concepts. Everything is there.

> So my first question is simple:
> Has anybody a configuration with freeradius and Windows XP SP2
> (WPA/TKIP) running. (In my special case I don't want to deal with
> user-certificates, but with machine-based certificates. It is just a
> registry hack and already done.)

Yes, WPA/TKIP XP SP1 with WPA roll-up patches, XP SP2, OS X v10.3 and WM2003SE 
(Dell Axim). Avoid the use of individual certificates by using 
PEAP(msChapV2). What specifics do you need?

> If not, does anybody knows howtos or documentation about that.

I used as guides http://www.freeradius.org/doc/EAPTLS.pdf and the 05 October, 
2004 802.1x port based Authentication HOWTO. Both of which are referenced on 
the first page of the site.




Re: freeradius & postgreSQL - stored procedures

2005-01-27 Thread Graeme Lee
Manda Costin wrote:
> On 27 Jan 2005, at 03:13, Graeme Lee <[EMAIL PROTECTED]> wrote:
> > Siderite wrote:
> > > Hello... I am trying to make freeradius authenticate some access
> > > packets using the output of SQL stored procedures (that eventually would
> > > do the billing as well). Can it be done? And if yes, how?
> > > thank you
> >
> > Give an example of what you're trying to do.
>
> Well, I was thinking of something like putting in the radcheck table the
> result of a pgsql procedure. like:
> username=USER,attribute=%{pgsql_stored procedure output},op='>',value=0
> Can it be done?

I'm going to say yes, even though I'm unclear of exactly what you are 
trying to do.  Here's my get_simul_sessions() function for you to have a 
squiz at.

Some things to note...
whos_on is a VIEW
session_log is a log of the current number of ports in use
This function allows me to allocate say 30 ports to a school 
(arbitrarily called the 'owner'), and users within the school can get 2 
lines (allowing a max of 15 users with 2 lines, 10 with 2, 10 with 1) etc.
This was my first attempt just to get something working.  I'm sure it 
needs more work.


-- Determine if a user is logged on already, and if so, if they are
-- allowed any further sessions
-- Returns 0 for permission, 1 to disallow
-- Simultaneous-Use MUST be set to 1 for the user's GROUP in
-- radgroupcheck to function
-- if no Simultaneous-Use for the user's group is defined, the radius
-- server doesn't check
-- if Simultaneous-Use is set higher than 1, then it won't work correctly

CREATE OR REPLACE FUNCTION get_simul_sessions(varchar) RETURNS integer AS '
    DECLARE
        _user ALIAS FOR $1;
        user_results record;
        current_user_sessions integer;
        current_group_sessions integer;
        current_owner_sessions integer;
        max_user_sessions integer;
        max_group_sessions integer;
        max_owner_sessions integer;
    BEGIN
        -- Look up the group and owner of the user.  The FROM clause was
        -- missing in the version first posted, so the query could not run.
        SELECT INTO user_results usergroup.username,
                    usergroup.groupname, owneruser.ownername
            FROM usergroup, owneruser
            WHERE usergroup.username = _user AND
                  owneruser.username = _user;
        IF NOT FOUND THEN
            RAISE EXCEPTION ''User % does not exist'', _user;
        END IF;

        -- Sessions currently open for this user and for the whole owner
        SELECT count(whos_on.username) INTO current_user_sessions
            FROM whos_on WHERE username = _user;
        SELECT count(whos_on.username) INTO current_owner_sessions
            FROM whos_on, owneruser
            WHERE whos_on.username = owneruser.username AND
                  owneruser.ownername = user_results.ownername;

        -- Port allocation for the owner; 0 means unlimited
        SELECT INTO max_owner_sessions value FROM radownercheck
            WHERE attribute = ''Simultaneous-Use''
              AND ownername = user_results.ownername;
        IF NOT FOUND THEN
            max_owner_sessions := 0;
        END IF;

        -- Per-user limit; defaults to a single session
        SELECT INTO max_user_sessions value FROM radcheck
            WHERE attribute = ''Simultaneous-Use''
              AND username = _user;
        IF NOT FOUND THEN
            max_user_sessions := 1;
        END IF;

        IF current_owner_sessions >= max_owner_sessions AND
           max_owner_sessions != 0 THEN
            RETURN 1;
        END IF;
        IF current_user_sessions >= max_user_sessions THEN
            RETURN 1;
        END IF;
        INSERT INTO session_log (time, usercount) VALUES
            (now(), (SELECT count(username) FROM whos_on) + 1);
        RETURN 0;
    END;
' LANGUAGE plpgsql;


Windows XP SP2 WAP/TKIP

2005-01-27 Thread freeradius-users
Hello all,

After hours of googling, I'm almost hopeless.
I can't believe there is no howto or script on how to get the
combination freeradius/Windows XP with SP2 running.
The doc section on freeradius.org is quite poor and the docs about
Windows integration are quite old (they don't consider SP1 or SP2).

So my first question is simple:
Does anybody have a configuration with freeradius and Windows XP SP2
(WPA/TKIP) running? (In my special case I don't want to deal with
user certificates, but with machine-based certificates. It is just a
registry hack and already done.)
If not, does anybody know howtos or documentation about that?

Thanks
Robert
 
CompuLab - Consult
Robert Schuster
Am Karmelkloster 16
53229 Bonn
 
mailto:[EMAIL PROTECTED]
  
Tel.  +49 228 97604-0
Fax.  +49 228 97604-25
mobil +49 175 1606254




RE: Expire attribute

2005-01-27 Thread Julius Igugu
and "January 1 2005 12:33:44"

Adrian <[EMAIL PROTECTED]> wrote:

Hello,

I am new to this, so I hope I'm not stepping on anybody's toes by asking the
following question:

can the expiration attribute include a time as well?

right now we have something like:
Expiration := "2005-01-27" and we would like to send to the NAS something
like Expiration := "2005-01-27 15:26"

Is that possible? ... Is there a different time format I have to use?... We
use a colubris box as the NAS.

PS. If we send just the date, without the time, everything works fine.

Much appreciated,

Adrian Boros

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, January 27, 2005 12:53 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Expire attribute

Edgars <[EMAIL PROTECTED]> wrote:
> why this Expiration attribute is not mentioned in the link below?:
> http://www.freeradius.org/rfc/attributes.html

  It's not a RADIUS attribute.  It's a FreeRADIUS "internal" attribute.

  You won't see Auth-Type listed there, either.

  Alan DeKok.

Julius Igugu
SouthWork Co. Ltd.

Re: about me - and a question

2005-01-27 Thread Julius Igugu
Take a look at Dialupadmin that's bundled with the freeradius server.

Should do that if setup correctly.

Sebastian Wild <[EMAIL PROTECTED]> wrote:

Hello list,
I've just joined in here. My name is Sebastian and I am from Germany. I
work as adminstrator at an ISP and I also am a maintainer of a private
wlan project called wlan-r.
Now wlan-r uses chillispot to authenticate wireless users on hotspots
via freeradius against mysql and it works fine.
Recently I've seen that it is possible to get info about which users are
currently online on wlan. Since that was not on a hotspot but on a
website somewhere at the net I am thinking that it used a feature of the
freeradius server. Now it would be very interesting to know how to get
the info about which users are currently online out of free radius.
Does anyone know how to do that?

greets from snowy regensburg, GER
Sebastian

Julius Igugu
SouthWork Co. Ltd.

RE: Expire attribute

2005-01-27 Thread Adrian
Hello,

I am new to this, so I hope I'm not stepping on anybody's toes by asking the
following question:

can the expiration attribute include a time as well?

right now we have something like: 
Expiration := "2005-01-27" and we would like to send to the NAS something
like Expiration := "2005-01-27 15:26"

Is that possible? ... Is there a different time format I have to use?... We
use a colubris box as the NAS.

PS. If we send just the date, without the time, everything works fine.

Much appreciated,

Adrian Boros

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, January 27, 2005 12:53 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Expire attribute 

Edgars <[EMAIL PROTECTED]> wrote:
> why this Expiration attribute is not mentioned in the link below?:
> http://www.freeradius.org/rfc/attributes.html

  It's not a RADIUS attribute.  It's a FreeRADIUS "internal" attribute.

  You won't see Auth-Type listed there, either.

  Alan DeKok.




about me - and a question

2005-01-27 Thread Sebastian Wild
Hello list,
I've just joined in here. My name is Sebastian and I am from Germany. I 
work as adminstrator at an ISP and I also am a maintainer of a private 
wlan project called wlan-r.
Now wlan-r uses chillispot to authenticate wireless users on hotspots 
via freeradius against mysql and it works fine.
Recently I've seen that it is possible to get info about which users are 
currently online on wlan. Since that was not on a hotspot but on a 
website somewhere at the net I am thinking that it used a feature of the 
freeradius server. Now it would be very interesting to know how to get 
the info about which users are currently online out of free radius.
Does anyone know how to do that?

greets from snowy regensburg, GER
Sebastian


Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
I see the problem: when both mysql servers are started I can switch the sql1 and 
sql2 files and it works.
When I stop one db, the first or the second, FreeRADIUS gets slow.

I checked the mysql connections again; I changed radiusd.conf so the server 
works on one db, and both mysql servers work fine.
So the mysql connections work fine. But my fail_over config in radiusd.conf is 
not working, I think.

In my radiusd.conf:

    $INCLUDE  ${confdir}/sql1.conf
    $INCLUDE  ${confdir}/sql2.conf
    always handled {
        rcode = handled
    }

accounting {
    group {
        sql1 {
            fail     = 1
            notfound = return
            noop     = 2
            ok       = return
            updated  = 3
            reject   = return
            userlock = 4
            invalid  = 5
            handled  = 6
        }
        sql2 {
            fail     = 1
            notfound = return
            noop     = 2
            ok       = return
            updated  = 3
            reject   = return
            userlock = 4
            invalid  = 5
            handled  = 6
        }
    }
}
authorize {
    group {
        sql1 {
            fail     = 1
            notfound = return
            noop     = 2
            ok       = return
            updated  = 3
            reject   = return
            userlock = 4
            invalid  = 5
            handled  = 6
        }
        sql2 {
            fail     = 1
            notfound = return
            noop     = 2
            ok       = return
            updated  = 3
            reject   = return
            userlock = 4
            invalid  = 5
            handled  = 6
        }
    }
}

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, January 27, 2005 8:04 PM
Subject: Re: Slow second db on freeradius


"Michel van Dop" <[EMAIL PROTECTED]> wrote:
I think this is not a dns problem but i am not a exper. When i change
sql1.conf to sql2.conf it works.
 Then the problem is in the SQL databases, not in FreeRADIUS.
 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html 



RE: AW: Allways 10 Times to authenticate

2005-01-27 Thread Christian
Thank you Alan,

I think the better solution is  to learn/understand how it works !
Anyway thanks for your answer !

Christian


> > You can see that there are 10 (0-9) requests for auth, is 
> it ok or am 
> > i doin something wrong ?
> 
>   You are confusing "client is requesting to be 
> authenticated" with "RADIUS packets".  When using PAP or 
> CHAP, the numbers are identical. When using EAP, there are 
> many "RADIUS packets" per "client requesting authentication".
> 
>   To put it another way, the server sends an Access-Accept, 
> the client is authenticated, and gets on the network.  At 
> that point, why do you care how many packets are going back and forth?
> 
>   You're getting worried about something that works, because 
> you don't understand how it works.  The solution is to stop worrying.
> 
>   Alan DeKok.
> 
> 




Re: XP SP2 PEAP MSCHAPv2

2005-01-27 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I have unsuccessfully attempted to authenticate an XP SP2
> supplicant using PEAP MSCHAPv2.  I am using freeradius 1.0.1, Solaris 8,

  There are known problems with 1.0.1 on Solaris.

  1.0.2 should be out in a week or two, or if you don't want to wait, do:

$ cvs -d :pserver:[EMAIL PROTECTED]:/source login

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd

  And that will get you 99.9% of what will be in 1.0.2, now.  Most
importantly, it will get you the fixes for Solaris.

  Alan DeKok.



XP SP2 PEAP MSCHAPv2

2005-01-27 Thread john . ctr . gauntt

Hi folks,
        I have unsuccessfully attempted to authenticate an XP SP2 supplicant
using PEAP MSCHAPv2.  I am using freeradius 1.0.1, Solaris 8, and a Cisco
1100 AP.  The problem appears to be with freeradius not having an
NT-Password and perhaps not having a correct challenge value when the
mschap_authenticate function of module rlm_mschap is executing.  I have put
numerous debug statements in the code to better understand the logic flow
and identify the problem.  There was no NT-Password returned at the function
pairfind but the smbdes_mschap no VALUE_PAIR containing an NT_Password and
the challenge value appears to be about eight bytes long.  I added an
NT-Password to the users file to see if I could get the code to move
further and validate the observation that the password was the problem.
The code failed in the same place which brought attention to the
challenge.  Where could I put a debug statement to get the earliest look
at the NT Password in the thread?  What else should I be looking at
besides the password at this phase of the dialogue?  I would like to start
with a simple configuration and then add complexity so I could better
understand the behaviour of each component.  However, with the XP SP2
wireless configuration it is a choice of 802.1x (PEAP/MSCHAPv2 or
certificates) or nothing.  Is there anyone who has gained success with
this configuration?  I appreciate any help.

Thanks,
John
(609)485-8075
[EMAIL PROTECTED]

users

# Check items (==) all belong on the first line; reply items (=) follow,
# one per line, comma-separated, with no comma after the last one.
EI2F-ENDL1\\Tech_Support User-Password == "endl1_freeradius", NT-Password == "endl1_freeradius"
        Framed-IP-Address = 12.1.10.20,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-MTU = 1500,
        Reply-Message = "Hello, %u",
        Fall-Through = no

rlm_mschap

/*
 *	We need an NT-Password.
 */
nt_password = pairfind(request->config_items, PW_NT_PASSWORD);
if (nt_password) {
	if ((nt_password->length == 16) ||
	    ((nt_password->length == 32) &&
	     (hex2bin(nt_password->strvalue,
		      nt_password->strvalue, 16) == 16))) {
		DEBUG2("  rlm_mschap: Found NT-Password");
		nt_password->length = 16;

	} else {
		radlog(L_ERR, "rlm_mschap: Invalid NT-Password");
		nt_password = NULL;
	}
} else if (!password) {
	DEBUG2("  rlm_mschap: No User-Password configured.  Cannot create NT-Password.");

} else {		/* there is a configured User-Password */
	nt_password = pairmake("NT-Password", "", T_OP_EQ);
	if (!nt_password) {
		radlog(L_ERR, "No memory");
	} else {
		ntpwdhash(nt_password->strvalue, password->strvalue);
		nt_password->length = 16;
		pairadd(&request->config_items, nt_password);
	}
}

The null NT-Password and questionable
challenge values result in FAILED message.

	/*
	 *	The old "mschapv2" function has been moved to
	 *	here.
	 *
	 *	MS-CHAPv2 takes some additional data to create an
	 *	MS-CHAPv1 challenge, and then does MS-CHAPv1.
	 */
	challenge_hash(response->strvalue + 2, /* peer challenge */
		       challenge->strvalue, /* our challenge */
		       username_string,	/* user name */
		       mschapv1_challenge); /* resulting challenge */

	DEBUG2("  rlm_mschap: Told to do MS-CHAPv2 for %s with NT-Password",
	       username_string);

	if (do_mschap(inst, request, nt_password, mschapv1_challenge,
		      response->strvalue + 26, nthashhash) < 0) {
		DEBUG2("  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect");
		add_reply(&request->reply->vps, *response->strvalue,
			  "MS-CHAP-Error", "E=691 R=1", 9);
		return RLM_MODULE_REJECT;
	}




radiusd -X

Waking up in 1 seconds...
rad_recv: Access-Request packet from host 12.1.10.16:21647, id=128, length=254
paircreate: Name: User-Name, Attr: 1, Strvalue: 
        User-Name = "EI2F-ENDL1\\Tech_Support"
paircreate: Name: Framed-MTU, Attr: 12, Strvalue: 
        Framed-MTU = 1400
paircreate: Name: Called-Station-Id, Attr: 30, Strvalue: 
        Called-Station-Id = "0011.5c81.b2e0"
paircreate: Name: Calling-Station-Id, Attr: 31, Strvalue: 
        Calling-Station-Id = "000f.f736.3068"
paircreate: Name: Message-Authenticator, Attr: 80, Strvalue: 
        Message-Authenticator = 0x2d0787df62d97fb27613b813f61147db
paircreate: Name: EAP-Message, Attr: 79, Strvalue: 
        EAP-Message = 0x02
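The two rlm_mschap excerpts in the post above make two decisions that are easy to misread from debug output alone: how an NT-Password is accepted or derived, and why the MS-CHAPv2 challenge handed to the MS-CHAPv1 code is only eight bytes. The following added example reproduces both in Python; it is not FreeRADIUS code. The NT hash is MD4 over the UTF-16LE password (MD4 is implemented inline because hashlib's md4 is missing from many current OpenSSL builds), the acceptance rule mirrors the 16-raw-bytes-or-32-hex-digits check in the excerpt, and `challenge_hash` is the RFC 2759 section 8.2 ChallengeHash, whose eight-byte output is the correct size. Domain stripping before the hash (the module does it only when `with_ntdomain_hack` is enabled) is a parameter here. The `demo` function uses the 16-character value from the users entry in the post to show that it passes the length check as raw bytes but is not the hash of itself, whereas the module would have derived the right hash from User-Password alone.

```python
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (needed only because hashlib may lack md4)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, k, shifts, order in rounds:
            for i in range(16):
                t = (-i) % 4        # registers rotate a, d, c, b, a, ...
                val = (r[t] + fn(r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]) + X[order[i]] + k) & _MASK
                r[t] = _rotl(val, shifts[i % 4])
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def ntpwdhash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password, what ntpwdhash() derives from User-Password."""
    return md4(password.encode("utf-16-le"))


def normalize_nt_password(value: bytes):
    """The excerpt's acceptance rule: 16 raw bytes, or 32 hex digits decoding to 16 bytes.
    Anything else is 'Invalid NT-Password' (returned here as None)."""
    if len(value) == 16:
        return value
    if len(value) == 32:
        try:
            return bytes.fromhex(value.decode("ascii"))
        except ValueError:
            return None
    return None


def nt_password_from_config(nt_password_value, user_password):
    """Mirror the if/else-if/else chain: a configured NT-Password wins (valid or not);
    otherwise derive from a clear-text User-Password; with neither, nothing to do."""
    if nt_password_value is not None:
        return normalize_nt_password(nt_password_value)
    if user_password is None:
        return None
    return ntpwdhash(user_password)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str, strip_domain=True) -> bytes:
    """RFC 2759 section 8.2: first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if strip_domain:
        username = username.rsplit("\\", 1)[-1]
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def demo():
    """The users-file value from the post: 16 characters, so accepted as a raw hash,
    but not equal to the NT hash of that same string."""
    posted = b"endl1_freeradius"
    accepted = normalize_nt_password(posted)
    derived = ntpwdhash(posted.decode("ascii"))
    return accepted == posted, accepted == derived


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The second `False` in `demo()` is the practical lesson: either give rlm_mschap the clear-text User-Password and let it compute the NT hash, or store the real 32-hex-digit NT hash, never the password text under the NT-Password name. The RFC 2759 test vectors in the checks below confirm both the hash and the eight-byte challenge.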

Re: Proxy problem (EAP)

2005-01-27 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I hacked rlm_eap_md5 to actually generate a fake request
> containing FreeRADIUS-Proxied-To, Username, CHAP-Challenge
> and CHAP-Response attributes and call "rad_authenticate"

  rad_authenticate doesn't do proxying.

> However, the whole point of my modification was to be able to
> proxy the generated CHAP request to some non-EAP-enabled RADIUS
> server (similar to proxying inner PAP/CHAP/MSCHAP request of
> EAP-TTLS to another server).

  Yes please see the existing TTLS and PEAP code which does
exactly this.  You have working examples in front of you.  Use them.

  Alan DeKok.




Re: Freeradius hangs after a HUP

2005-01-27 Thread Alan DeKok
Joe H <[EMAIL PROTECTED]> wrote:
> I am new to using gdb so if I did something wrong let me know.

  See doc/bugs

  Type 'bt' in gdb, which will tell you where in the code it's
currently executing.

  Alan DeKok.




Re: Slow second db on freeradius

2005-01-27 Thread Alan DeKok
"Michel van Dop" <[EMAIL PROTECTED]> wrote:
> I think this is not a dns problem but i am not a exper. When i change 
> sql1.conf to sql2.conf it works.

  Then the problem is in the SQL databases, not in FreeRADIUS.

  Alan DeKok.



Re: AW: Allways 10 Times to authenticate

2005-01-27 Thread Alan DeKok
"Christian" <[EMAIL PROTECTED]> wrote:
> Ok, here is my log-file for _1_ request to authenticate my client
> (radiusd -X -A)

  Yes and no.

> You can see that there are 10 (0-9) requests for auth, is it ok or am i
> doin something wrong ?

  You are confusing "client is requesting to be authenticated" with
"RADIUS packets".  When using PAP or CHAP, the numbers are identical.
When using EAP, there are many "RADIUS packets" per "client requesting
authentication".

  To put it another way, the server sends an Access-Accept, the client
is authenticated, and gets on the network.  At that point, why do you
care how many packets are going back and forth?

  You're getting worried about something that works, because you don't
understand how it works.  The solution is to stop worrying.

  Alan DeKok.


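Alan's distinction between "RADIUS packets" and "a client requesting authentication", as an added example that is not part of the thread: a small shell/awk summary of radiusd -X output that counts packets separately from completed authentications. Every Access-Challenge is one more round trip of the same EAP conversation; only an Access-Accept or Access-Reject ends one. The debug lines are constructed by sample_debug_output (modelled on the rad_recv/Sending lines quoted elsewhere in this digest); the host 192.168.1.5, the ids and the lengths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tell RADIUS packets apart from
# completed authentications in "radiusd -X" output.

# Constructed debug lines modelled on the rad_recv/Sending format: one
# EAP-TLS logon that takes ten packets, then one PAP logon of a single packet.
sample_debug_output() {
    i=0
    while [ "$i" -lt 9 ]; do
        echo "rad_recv: Access-Request packet from host 192.168.1.5:1024, id=$i, length=150"
        echo "Sending Access-Challenge of id $i to 192.168.1.5:1024"
        i=$((i + 1))
    done
    echo "rad_recv: Access-Request packet from host 192.168.1.5:1024, id=9, length=160"
    echo "Sending Access-Accept of id 9 to 192.168.1.5:1024"
    echo "rad_recv: Access-Request packet from host 192.168.1.5:1024, id=10, length=57"
    echo "Sending Access-Accept of id 10 to 192.168.1.5:1024"
}

# Read debug output on stdin and print one summary line.
# Usage with a saved debug log: summarize_debug < debug.log
summarize_debug() {
    awk '
        /^rad_recv: Access-Request/ { requests++ }
        /^Sending Access-Challenge/ { challenges++ }
        /^Sending Access-Accept/    { accepts++ }
        /^Sending Access-Reject/    { rejects++ }
        END {
            # An authentication is finished only by an Accept or a Reject.
            printf "requests=%d challenges=%d accepts=%d rejects=%d authentications=%d\n",
                   requests, challenges, accepts, rejects, accepts + rejects
        }'
}

sample_debug_output | summarize_debug
```

On the constructed input this prints eleven requests but only two authentications: the EAP-TLS logon spends nine packets on Access-Challenge round trips before its Access-Accept, while the PAP logon is one packet in and one out, which is the "identical numbers" case Alan describes.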


Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
I have already made the sub-domains in my named server.
I changed the domain names in the log I sent to this mailing list.
I think this is not a DNS problem, but I am not an expert. When I change
sql1.conf to sql2.conf it works.
So the second DB is working and I use the same NAS RADIUS client. So I also
have privs on the MySQL DB.

It looks like a loop: try the first DB, and after 240 seconds I get connected to
the second for 40? seconds, then go back to the first DB (240 seconds).
Over and over.


- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, January 27, 2005 6:46 PM
Subject: Re: Slow second db on freeradius


Manda Costin <[EMAIL PROTECTED]> wrote:
But I found out a bit later that the problem was in configuring the
host of the database as localhost and not 127.0.0.1. When I used the
numeric IP it started immediately. Maybe it's the same problem.
 If you don't set up DNS, then the process of mapping names to IP's
will take a very long time.
 FreeRADIUS has no control over DNS.  FreeRADIUS *depends* on DNS to
work properly.
 Alan DeKok.


AW: Allways 10 Times to authenticate

2005-01-27 Thread Christian
Ok, here is my log-file for _1_ request to authenticate my client
(radiusd -X -A)
You can see that there are 10 (0-9) requests for auth, is it ok or am I
doing something wrong?
Thank you all
Christian


--snip---
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded Pam 
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded LDAP 
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 10
 ldap: timeout = 20
 ldap: timelimit = 20
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "o=notexist"
 ldap: filter = "(uid=%u)"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusF

Re: Freeradius hangs after a HUP

2005-01-27 Thread Joe H
I have tried running the gdb program and it didn't mean much to me.  Here
is the output I got:

(gdb) attach 53964
Attaching to program: /usr/local/sbin/radiusd, process 53964
Symbols already loaded for /usr/lib/libcrypt.so.2
Symbols already loaded for /usr/lib/libcipher.so.2
Symbols already loaded for /usr/lib/libcrypto.so.3
Symbols already loaded for /usr/lib/libssl.so.3
Symbols already loaded for /usr/local/lib/libradius-1.0.1.so
Symbols already loaded for /usr/local/lib/libltdl.so.4
Symbols already loaded for /usr/lib/libc_r.so.4
Symbols already loaded for /usr/lib/libc.so.4
Symbols already loaded for /usr/local/lib/libldap_r.so
Symbols already loaded for /usr/local/lib/liblber-2.2.so.7
Symbols already loaded for /usr/local/lib/libsasl.so
Symbols already loaded for /usr/local/lib/libdb3.so.3
Symbols already loaded for /usr/lib/libpam.so.1
Symbols already loaded for /usr/local/lib/compat/pkg/libldap.so.2
Symbols already loaded for /usr/local/lib/compat/pkg/liblber.so.2
Symbols already loaded for /usr/lib/libssl.so.2
Symbols already loaded for /usr/lib/libcrypto.so.2
Symbols already loaded for /usr/local/lib/rlm_ldap-1.0.1.so
Symbols already loaded for /usr/local/lib/rlm_preprocess-1.0.1.so
Symbols already loaded for /usr/local/lib/rlm_realm-1.0.1.so
Symbols already loaded for /usr/local/lib/rlm_files-1.0.1.so
Symbols already loaded for /usr/local/lib/rlm_detail-1.0.1.so
Symbols already loaded for /usr/libexec/ld-elf.so.1
0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4
(gdb) cont
Continuing.

** this is where I issued the restart **

Error accessing memory address 0x1029430c: No such process.


I am new to using gdb so if I did something wrong let me know.

Joe H.



On Wed, 26 Jan 2005, Alan DeKok wrote:

> Joe H <[EMAIL PROTECTED]> wrote:
> > The total controls that we use for dialup access seem to make one
> > connection to the radius server and hold it.
>
>   RADIUS is UDP.  There is no connection.
>
> > Seems like it's waiting for the connection to end before it closes.
>
>   Find out *where* in the code it's waiting.  That will tell you *why*.
>
>   Alan DeKok.
>
>



Re: FreeRadius and MD5 using /etc/passwd

2005-01-27 Thread Alan DeKok
Brandon Blank <[EMAIL PROTECTED]> wrote:
> What is the limiting factor in this case? Is it the fact that I want
> to use the XP Client, or is it the fact that I want to use the
> /etc/passwd file?

  The combination of the two.

> If this won't work, what setup would you guys recommend that I use for
> WIRED .1x auth to a Cisco switch?

  Two options: Alfa & Arris clients to do EAP-TTLS with tunneled PAP,
which will work against /etc/passwd.

  Or, use clear-text passwords on the server, and don't use /etc/passwd.

  Alan DeKok.




Re: regarding internal processing - memory allocation

2005-01-27 Thread Alan DeKok
"Alfred H. Dahl" <[EMAIL PROTECTED]> wrote:
> The whole problem seems to be related to the radutmp file. Since I
> use sql in backend, I commented out the radutmp from the
> accounting section (but kept the definition itself in
> radiusd.conf, because radzap keeps looking for it) and now the
> speed and response time from the radius server is definitively
> impeccable :)

  That's good to know.

  Alan DeKok.



Re: Expire attribute

2005-01-27 Thread Alan DeKok
Edgars <[EMAIL PROTECTED]> wrote:
> Why is this Expiration attribute not mentioned in the link below?
> http://www.freeradius.org/rfc/attributes.html

  It's not a RADIUS attribute.  It's a FreeRADIUS "internal" attribute.

  You won't see Auth-Type listed there, either.

  Alan DeKok.




Re: assign eap_type

2005-01-27 Thread Alan DeKok
Marc-Henri Boisis-Delavaud <[EMAIL PROTECTED]> wrote:
> I have put this in the users file
> 
> DEFAULT Cisco-AVPair == "ssid=criTLS"
> Auth-Type = EAP,
> EAP-Type = EAP-TLS,
> Reply-Message = "Test Reussi"
> 
> but I succeed in authenticating with eap-ttls on this ssid, why?

  Run it in debugging mode, and it will tell you.

  Also, read the "man" page for the "users" file.

  You do NOT want to specify Auth-Type.  It's not necessary.

  You want to put the EAP-Type on the first line, with the
Cisco-AVPair attribute.

  Alan DeKok.




Attr Filter ...

2005-01-27 Thread nans

Hello all

I would like to allow realm company.com to send multiple Reply-Messages
that I have chosen, but not all other Reply-Messages.

For example, in attrs:

Company.com

Reply-Message == "Ok",
Reply-Message == "remote radius"

But it doesn't work. Is it possible to do that?
I have tested with just Reply-Message "Ok" and it works, but I'd like to
allow a few Reply-Messages, not one.

thanks


Re: FreeRadius and MD5 using /etc/passwd

2005-01-27 Thread Brandon Blank
What is the limiting factor in this case? Is it the fact that I want
to use the XP Client, or is it the fact that I want to use the
/etc/passwd file?

If this won't work, what setup would you guys recommend that I use for
WIRED .1x auth to a Cisco switch?

BB


On Mon, 24 Jan 2005 20:51:23 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Brandon Blank <[EMAIL PROTECTED]> wrote:
> > I'm just wanting a basic setup that will allow me to do port
> > authentication using the included WinXP supplicant using my unix
> > /etc/passwd file.  Maybe there is a better way?
> 
>   It's possible ONLY for EAP-TTLS with tunneled PAP.
> 
>   For all other EAP authentication methods, it's impossible for any
> RADIUS implementation to do this.
> 
>   Alan DeKok.
> 
>



Re: Slow second db on freeradius

2005-01-27 Thread Alan DeKok
Manda Costin <[EMAIL PROTECTED]> wrote:
> But I found out a bit later that the problem was in configuring the
> host of the database as localhost and not 127.0.0.1. When I used the
> numeric IP it started immediately. Maybe it's the same problem.

  If you don't set up DNS, then the process of mapping names to IP's
will take a very long time.

  FreeRADIUS has no control over DNS.  FreeRADIUS *depends* on DNS to
work properly.

  Alan DeKok.




Radius Reload

2005-01-27 Thread Matt
I use this simple old script to restart freeRadius once our dialup person 
has edited the users file with a file editor on our server.  What I want is 
for it to email a specific email address in the case of a typo being made in 
the users file and freeRadius could not be restarted.

Can anyone tell me how to do that?
Thanks
Matthew

#!/bin/bash
#
## Docs say not to use this anymore but it works fine for us yet
#
# A simple script to see if we need to restart radius because of
# a change in the user file.
#
# should be called from a cron job... oh say every 5 min
#
FLAGFILE="/etc/raddb/radius_timestamp"
TARGETFILE="/etc/raddb/users"
USERFILE="/home/dialup/users.txt"
# -nt is also true on the first run, when FLAGFILE does not exist yet
if [ "$USERFILE" -nt "$FLAGFILE" ]; then
   rm -f "$TARGETFILE"
   cp -f "$USERFILE" "$TARGETFILE"
   chmod 600 "$TARGETFILE"
   chown dialup:dialup "$USERFILE"
   chmod 600 "$USERFILE"
   echo "reloading RADIUS"
   /etc/init.d/radiusd restart
   touch "$FLAGFILE"
fi
exit 0

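Matt's question, as an added example that is neither his script nor anything shipped with FreeRADIUS: the same cron-driven flow with the failure e-mail added. It assumes (hypothetically) that the init script's exit status says whether the restart worked, that radiusd writes the pidfile /var/run/radiusd/radiusd.pid (the path shown in Christian's debug output elsewhere in this digest), that a local mail command exists, and that radius-admin@example.com is a placeholder address. Every path and command is read from the environment so the functions can be exercised without a real server.

```shell
#!/bin/sh
# Added example (not Matt's script): copy the edited users file into raddb,
# restart FreeRADIUS, and e-mail an operator when the restart did not leave
# a running daemon. Hypothetical assumptions: the init script's exit status
# is meaningful, radiusd writes PIDFILE, and a local "mail" command exists.
# All settings can be overridden from the environment (also used for testing).

FLAGFILE="${FLAGFILE:-/etc/raddb/radius_timestamp}"
TARGETFILE="${TARGETFILE:-/etc/raddb/users}"
USERFILE="${USERFILE:-/home/dialup/users.txt}"
PIDFILE="${PIDFILE:-/var/run/radiusd/radiusd.pid}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/radiusd restart}"
ALERT_TO="${ALERT_TO:-radius-admin@example.com}"   # placeholder address
MAILER="${MAILER:-mail -s}"                        # invoked as: $MAILER SUBJECT RECIPIENT

# Exit 0 if the process recorded in PIDFILE is alive, 1 otherwise.
radiusd_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Restart the server. On failure, mail the restart output and return 1.
restart_or_alert() {
    out=$($RESTART_CMD 2>&1)
    status=$?
    if [ "$status" -eq 0 ] && radiusd_running; then
        return 0
    fi
    printf 'FreeRADIUS restart on %s failed (exit %s) at %s.\nCheck %s for the typo.\n\n%s\n' \
        "$(uname -n)" "$status" "$(date)" "$TARGETFILE" "$out" \
        | $MAILER "FreeRADIUS restart FAILED" "$ALERT_TO"
    return 1
}

# Cron entry point: install the users file when it changed, then restart.
# The flag is touched even when the restart fails, so the alert goes out once;
# the next save of USERFILE makes it newer again and triggers a new attempt.
sync_users_and_restart() {
    if [ "$USERFILE" -nt "$FLAGFILE" ]; then
        cp -f "$USERFILE" "$TARGETFILE" && chmod 600 "$TARGETFILE"
        touch "$FLAGFILE"
        restart_or_alert
        return $?
    fi
    return 0
}

# Run with "--run" from cron; sourcing the file for tests does not restart anything.
if [ "${1:-}" = "--run" ]; then
    sync_users_and_restart
fi
```

The alert carries the restart command's own output, which for a users-file typo is where the parse error appears. As with Matt's original, a bad users file leaves radiusd down until the file is fixed, which is exactly why the one-off e-mail matters more than repeating the restart every five minutes.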


Re: Reading VLAN from FreeRadius and sending it to Cisco AP

2005-01-27 Thread Dean Michaels
To support radius assigned vlans, you need to supply the AP with 
Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID replies.

For wireless networks, use these values in the radius profiles.
Tunnel-Medium-Type = 802
Tunnel-Type = VLAN
Tunnel-Private-Group-ID = 


Proxy problem (EAP)

2005-01-27 Thread Stefan . Neis
ap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
 detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
 detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1645
Listening on accounting *:1646
Listening on proxy *:1648
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.5:33400, id=230, length=57
    FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test1"
User-Password = "test"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 156
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
Sending Access-Request of id 0 to 192.168.1.24:1812
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test1"
User-Password = "test"
NAS-IP-Address = 192.168.1.5
    Proxy-State = 0x323330
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 192.168.1.24:1812, id=0, length=25
Proxy-State = 0x323330
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for 

Re: Setup apache2 with pam_radius_auth on Debain

2005-01-27 Thread Rizwan Khan
Thanks Raza,
But I tried 'AuthRadiusAuthoritative On' too and it does not recognize
this syntax either.
My extensive search brought me a new possible scenario, i.e., we need a
specific module for Apache2 to talk to PAM and later PAM will talk to
freeradius, e.g.

APACHE2 <-->mod_auth_pam<-->PAM<-->pam_radius_auth<-->RADIUS

Is that what should be done... and how (I have been trying to
Googlize and test a lotta crap already :-P but no use)???

OR, were we right earlier, i.e.

APACHE2<-->pam_radius_auth<-->RADIUS

What configuration is to be used with any one of these to get the
authentication running with FreeRadius?
Help plzzz ANYONE

Regards,
Rizwan




On Wed, 26 Jan 2005 08:30:34 -0800 (PST), Cool Man
<[EMAIL PROTECTED]> wrote:
> Hi Rizwan, 
>   
> You could replace AuthPAM_Enabled with AuthRadiusAuthoritative and try. 
>   
> Regards, 
> Raza.
> 
> Rizwan Khan <[EMAIL PROTECTED]> wrote: 
> Hi all,
> I am trying to configure pam_radius_auth module with apache2
> on Debian (why not mod_auth_radius specially made for apache?
> because if this works then eventually I plan to setup the PAM module
> with BOA-Webserver used at my company).
> I have the Radius server up and running on ServerA and apache running
> on the NAS. Then I built the pam_radius_auth module that exists under
> /lib/security/, The module works fine with remote console login on the
> NAS using remote Radius Auth (/etc/pam.d/login)
> Eventually, I created a file /etc/pam.d/httpd for use by Apache server
> on the NAS and added the entry:
> auth required pam_radius_auth.so (so that Apache can use
> the PAM module)
> Then, I added the following entries to /etc/apache2/apache2.conf
> 
> AuthType Basic
> AuthName "Radius Authentication"
> AuthAuthoritative off
> AuthPAM_Enabled on
> AuthRadiusCookieValid 5
> AuthRadiusActive On
> #require valid-user (optional)
> 
> 
> But, when I start apache server..if gives the following warning:
> 
> Invalid Command 'AuthPAM_Enabled'
> 
> Which means that the command is not recognizedand I don't get any
> password prompt to access the secure html page!!!
> Can anyone kindly tell me the right command set to be added to
> apache2.conf  (or .htaccess file ) ?
> Is there anything else I will have to fix
> Thanks.
> Rizwan Khan
> 



Re: AW: Allways 10 Times to authenticate

2005-01-27 Thread Zoltan Ori
On Thursday 27 January 2005 07:59, Christian wrote:
> Alejandro,
>
> Yes, I'm sure, because radiusd -X counts the requests and the count of the
> last one is always 10 higher than the last ...
>
>

It's hard to tell what you are seeing without a debug output. Take a closer 
look at the exchanges that are taking place. I don't think you have a 
problem. 




Re: regarding internal processing - memory allocation

2005-01-27 Thread Alfred H. Dahl
>> When I run a /etc/init.d/radiusd reload or restart, the first 20
>> minutes I get a lot of
>>
>> Fri Jan 21 10:33:51 2005 : Info: The maximum number of threads (32)
>> are active, cannot spawn new thread to handle request

> It takes a bit of time to reload/restart the server, and during that
> time, the clients continue to send requests.  As a result, the server
> may have a backlog of requests to process.

> Still, taking 20 minutes to process the backlog is a bit much.

>> I run a mysql in backend, but this server reports no significant
>> load.

> Is FreeRADIUS getting *fast* responses to its queries?  If not, then
> the delay is all in the DB.

The whole problem seems to be related to the radutmp file. Since I use
sql in the backend, I commented out the radutmp from the accounting section
(but kept the definition itself in radiusd.conf, because radzap keeps
looking for it), and now the speed and response time from the radius server
is definitively impeccable :)


Because I use mysql, I had to make a few modifications to the radzap
program. Basically, I have commented out all "exit(1)" calls where the
program fails to find the user, fails to verify the connection to the
radius server, etc., and I always start radzap with
 -r  NAS-IP port user 

This is obviously not a perfect solution, but it works.



--
Med vennlig hilsen/Sincerely
Alfred H. Dahl



Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
There is a frequency in it. So, when I'm lucky, I can log in every 240
seconds.
I use the second DB as failover when the first DB is down.

Thu Jan 27 14:29:07 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)
Thu Jan 27 14:29:10 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 4..
Thu Jan 27 14:29:10 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #4
Thu Jan 27 14:29:13 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 18 due to live request 15
Thu Jan 27 14:29:37 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 18 due to live request 15
Thu Jan 27 14:29:43 2005 : Error: WARNING: Unresponsive child (id 3210005424) 
for request 15
Thu Jan 27 14:29:43 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 3..
Thu Jan 27 14:29:43 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #3
Thu Jan 27 14:29:46 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 22 due to live request 25
Thu Jan 27 14:29:49 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 22 due to live request 25
Thu Jan 27 14:31:28 2005 : Error: WARNING: Unresponsive child (id 3199515568) 
for request 25
Thu Jan 27 14:31:28 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 2..
Thu Jan 27 14:31:28 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #2
Thu Jan 27 14:31:31 2005 : Error: Discarding new request from client 
nas3.domain.nl:32771 - ID: 26 due to live request 35
Thu Jan 27 14:31:55 2005 : Error: Discarding new request from client 
nas3.domain.nl:32771 - ID: 26 due to live request 35
Thu Jan 27 14:32:06 2005 : Error: WARNING: Unresponsive child (id 3189025712) 
for request 35
Thu Jan 27 14:32:06 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 1..
Thu Jan 27 14:32:06 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #1
Thu Jan 27 14:32:09 2005 : Error: Discarding new request from client 
nas3.domain.nl:32771 - ID: 31 due to live request 45
Thu Jan 27 14:32:19 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:domain
Thu Jan 27 14:32:19 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to 
MySQL server on '192.168.160.10' (110)'
Thu Jan 27 14:32:19 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #4
Thu Jan 27 14:32:19 2005 : Info: rlm_sql (sql1): There are no DB handles to 
use! skipped 2, tried to connect 1
Thu Jan 27 14:32:19 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)
Thu Jan 27 14:32:30 2005 : Error: Discarding new request from client 
nas3.domain.nl:32771 - ID: 31 due to live request 45
Thu Jan 27 14:32:33 2005 : Error: Discarding new request from client 
nas3.domain.nl:32771 - ID: 31 due to live request 45
Thu Jan 27 14:32:52 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:domain
Thu Jan 27 14:32:52 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to 
MySQL server on '192.168.160.10' (110)'
Thu Jan 27 14:32:52 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #3
Thu Jan 27 14:32:52 2005 : Info: rlm_sql (sql1): There are no DB handles to 
use! skipped 2, tried to connect 1
Thu Jan 27 14:32:52 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)
Thu Jan 27 14:33:06 2005 : Error: WARNING: Unresponsive child (id 3178535856) 
for request 45
Thu Jan 27 14:33:06 2005 : Info: rlm_sql (sql1): There are no DB handles to 
use! skipped 3, tried to connect 0
Thu Jan 27 14:33:06 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)


> Hello freeradius users,
> 
> When I start radiusd (master DB is down) I use the failover DB.
> See the log: it takes from 13:41 to 13:44 to start connecting to the second DB.
> Can anyone see in this log what goes wrong?
>  
> Thu Jan 27 13:41:32 2005 : Info: Using deprecated naslist file.  Support for 
> this will go away soon.
> Thu Jan 27 13:41:32 2005 : Info: Using deprecated clients file.  Support for 
> this will go away soon.
> Thu Jan 27 13:41:32 2005 : Info: Using deprecated realms file.  Support for 
> this will go away soon.
> Thu Jan 27 13:41:32 2005 : Info: rlm_sql (sql1): Driver rlm_sql_mysql (module 
> rlm_sql_mysql) loaded and linked
> Thu Jan 27 13:41:32 2005 : Info: rlm_sql (sql1): Attempting to connect to 
> [EMAIL PROTECTED]:/westwireless
> Thu Jan 27 13:41:32 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
> server for #0
> Thu Jan 27 13:44:41 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
> MySQL server [EMAIL PROTECTED]:db
> Thu Jan 27 13:44:41 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
> to MySQL server on '192.168.160.10' (110)'
> Thu Jan 27 13:44:41 2005 : Error: rlm_sql (sql1): Failed to connect DB handle 
> #0
> Thu Jan 27 13:44:41 2005 : Info: rlm_sql (sql2): Driver rlm_sql_mysql (module 
> rlm_sql_mysql) loaded 
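The timestamps in Michel's two logs above, as an added example that is not part of the thread: a shell/awk report of how long each rlm_sql connect attempt sat between "Starting connect" and "Failed to connect DB handle", together with a count of the "Unresponsive child" warnings logged in the meantime. The sample lines are constructed from the entries quoted in this thread, with the redacted user@host replaced by the placeholder radius@192.168.160.10.

```shell
#!/bin/sh
# Added example (not from the thread): measure how long each rlm_sql connect
# attempt stalls before it is given up, reading radius.log on stdin.
# Usage on a real server: connect_stall_report < /var/log/radius/radius.log

# Constructed sample modelled on the radius.log lines quoted in the thread
# (user@host is a placeholder; the redacted original is not reproduced).
sample_radius_log() {
cat <<'EOF'
Thu Jan 27 13:41:32 2005 : Info: rlm_sql (sql1): Attempting to connect to radius@192.168.160.10:/db
Thu Jan 27 13:41:32 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Thu Jan 27 13:44:41 2005 : Error: rlm_sql_mysql: Couldn't connect socket to MySQL server radius@192.168.160.10:db
Thu Jan 27 13:44:41 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on '192.168.160.10' (110)'
Thu Jan 27 13:44:41 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #0
Thu Jan 27 14:29:10 2005 : Info: rlm_sql (sql1): Trying to (re)connect unconnected handle 4..
Thu Jan 27 14:29:10 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Thu Jan 27 14:29:43 2005 : Error: WARNING: Unresponsive child (id 3210005424) for request 15
Thu Jan 27 14:32:19 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #4
EOF
}

# Print "handle N: connect failed after Ss" per failed attempt, then the
# number of unresponsive-child warnings seen while those attempts ran.
connect_stall_report() {
    awk '
        # Field 4 is HH:MM:SS in "Thu Jan 27 13:41:32 2005 : ..." lines.
        function secs(hms,  t) { split(hms, t, ":"); return t[1] * 3600 + t[2] * 60 + t[3] }
        /rlm_sql_mysql: Starting connect to MySQL server for #/ {
            h = $NF; sub(/^#/, "", h); start[h] = secs($4)
        }
        /WARNING: Unresponsive child/ { stuck++ }
        /Failed to connect DB handle #/ {
            h = $NF; sub(/^#/, "", h)
            if (h in start) {
                printf "handle %s: connect failed after %ds\n", h, secs($4) - start[h]
                delete start[h]
            }
        }
        END { printf "unresponsive_children=%d\n", stuck }
    '
}

sample_radius_log | connect_stall_report
```

Both attempts in the sample report 189 seconds. Error 110 is ETIMEDOUT on Linux, and the message already names a numeric address, so in these lines the delay is the kernel's TCP connect timeout towards an unreachable 192.168.160.10 rather than a name lookup; every handle in the pool pays it in turn, and the child thread holding that handle is the one the server then reports as unresponsive while the NAS keeps retransmitting the same request id.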

Re: Expire attribute

2005-01-27 Thread Edgars
Why is this Expiration attribute not mentioned in the link below?
http://www.freeradius.org/rfc/attributes.html
Edgars

Julius Igugu wrote:
N3DERJID Max-All-Session := 18000, User-Password=="7US7VZBH", 
Expiration == "Sep 11 2004"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Netmask = 255.255.255.254

rashad <[EMAIL PROTECTED]> wrote:
I want some user accounts to expire starting from a certain date. Someone
wrote on the mailing list that there is an Expire check attribute for this
purpose, but I can't find any doc about it. Can anyone give the detailed doc
about this attribute?


Julius Igugu
SouthWork Co. Ltd.



AW: Allways 10 Times to authenticate

2005-01-27 Thread Christian
Alejandro,

Yes, I'm sure, because radiusd -X counts the requests and the count of the
last one is always 10 higher than the last ...


Hi Christian,

are you sure you are seeing 10 authentications? Probably they
are just 10 messages of a unique authentication process.

Best Regards,

Alejandro

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of 
> Christian Sent: Thursday, 27 January 2005 12:38
> To: freeradius-users@lists.freeradius.org
> Subject: Allways 10 Times to authenticate
>
>
> Hello all,
>
> I'm just a newbie here, please forgive me if I'm asking a stupid question.
>
> I installed freeradius on Suse 9.2 for working with APs from 
> Linksys (Cisco). Exactly WRT54G with Alchemy Software.
>
> After a while I figured out how to configure EAP-TLS and it worked, 
> but I always see the authentication 10 times at 1 logon. Why?
>
> Anyone had this before?
>
> Thanks a lot
> Greets Chris
>






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


test eap

2005-01-27 Thread Bruno Ricci
Hi,
I have freeradius installed and would like to test it... how can I 
test it?
Does ntradping do it?

[]'s
Bruno Ricci




Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
Hello freeradius users,

When I start radiusd (master db is down) I use the failover db.
See the log: it takes from 13:41 to 13:44 to start connecting to the second db.
Can anyone see in this log what goes wrong?
 
Thu Jan 27 13:41:32 2005 : Info: Using deprecated naslist file.  Support for 
this will go away soon.
Thu Jan 27 13:41:32 2005 : Info: Using deprecated clients file.  Support for 
this will go away soon.
Thu Jan 27 13:41:32 2005 : Info: Using deprecated realms file.  Support for 
this will go away soon.
Thu Jan 27 13:41:32 2005 : Info: rlm_sql (sql1): Driver rlm_sql_mysql (module 
rlm_sql_mysql) loaded and linked
Thu Jan 27 13:41:32 2005 : Info: rlm_sql (sql1): Attempting to connect to 
[EMAIL PROTECTED]:/westwireless
Thu Jan 27 13:41:32 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Thu Jan 27 13:44:41 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:db
Thu Jan 27 13:44:41 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to 
MySQL server on '192.168.160.10' (110)'
Thu Jan 27 13:44:41 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #0
Thu Jan 27 13:44:41 2005 : Info: rlm_sql (sql2): Driver rlm_sql_mysql (module 
rlm_sql_mysql) loaded and linked
Thu Jan 27 13:44:41 2005 : Info: rlm_sql (sql2): Attempting to connect to 
[EMAIL PROTECTED]:/db
Thu Jan 27 13:44:41 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Thu Jan 27 13:44:41 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #1
Thu Jan 27 13:44:41 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #2
Thu Jan 27 13:44:41 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #3
Thu Jan 27 13:44:41 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #4
Thu Jan 27 13:44:41 2005 : Info: Listening on IP address *, ports 1812/udp and 
1813/udp.
Thu Jan 27 13:44:41 2005 : Info: Ready to process requests.


> Hello freeradius users,
> 
> 
> I use two freeradius servers and two mysql db's (master and slave). 
> On the first db (sql1) it works great: fast starting and fast response.
> When I stop the master db (first sql1 db for radius) it must use the second 
> db (slave).
> When I start radiusd I can wait 80 seconds to get:
> Starting RADIUS server:[  OK  ]
> 
> When I test with radtest (radtest user password localhost 1812 keyword) 
> I see this:
> Sending Access-Request of id 117 to 127.0.0.1:1812
> User-Name = "user"
> User-Password = "password"
> NAS-IP-Address = radius02
> NAS-Port = 1812
> Re-sending Access-Request of id 117 to 127.0.0.1:1812
> User-Name = "user"
> User-Password = 
> "\251\211\345\326\022\273\375\235\275\3515\326\240\270\001\267"
> NAS-IP-Address = radius02
> NAS-Port = 1812
> 
> Sending Access-Request of id 135 to 127.0.0.1:1812
> User-Name = "user"
> User-Password = "password"
> NAS-IP-Address = radius02
> NAS-Port = 1812
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=121, length=90
> rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid 
> signature (err=2)!  (Shared secret is incorrect.)
> [EMAIL PROTECTED] root]# radtest user password localhost 1812 keyword
> 
> After 20 times it works, I get access; see this:
>  
> Sending Access-Request of id 149 to 127.0.0.1:1812
> User-Name = "user"
> User-Password = "password"
> NAS-IP-Address = radius02
> NAS-Port = 1812
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=149, length=90
> WISPr-Bandwidth-Max-Down = 10
> WISPr-Bandwidth-Max-Up = 5
> WISPr-Redirection-URL = "http://www.domain.nl";
> Session-Timeout = 21600
> Idle-Timeout = 2700
> 
> In my radius.log i see this:
> 
> Thu Jan 27 10:52:37 2005 : Error: Discarding new request from client 
> nas3.domain.nl:32770 - ID: 125 due to live request 20
> Thu Jan 27 10:52:40 2005 : Error: Discarding new request from client 
> nas3.domain.nl:32770 - ID: 125 due to live request 20
> Thu Jan 27 10:52:46 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
> unconnected handle 2..
> Thu Jan 27 10:52:46 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
> server for #2
> Thu Jan 27 10:52:46 2005 : Error: WARNING: Unresponsive child (id 3188931504) 
> for request 20
> Thu Jan 27 10:52:49 2005 : Error: Discarding new request from client 
> nas3.domain.nl:32770 - ID: 129 due to live request 30
> Thu Jan 27 10:54:49 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
> MySQL server [EMAIL PROTECTED]:db
> Thu Jan 27 10:54:49 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
> to MySQL server on '192.168.160.10' (110)'
> Thu Jan 27 10:54:49 2005 : Error: rlm_sql (sql1): Failed to connect DB handle 
> #4
> Thu Jan 27 10:54:49 2005 : Info: rlm_sql (sql1): There are no DB handles to 
> use! skipped 3, tried to connect 1
> Thu Jan 27 10:54:49 2005 : Au

Re: Free Radius and RSA/ACE Server

2005-01-27 Thread Stefan . Neis
Jeff Stout schrieb:
>
> Has any one out there configured FreeRadius to work with
> RSA?

You can either activate the RADIUS frontend of ACE
(at least the Windows version of newer ACE servers should have
 such a beast) and proxy to that from FreeRadius, or you
could obtain "Radiator" (which is able to translate RADIUS to
ACE-specific stuff) and proxy the RADIUS request to that
server.
I didn't actually test this with FreeRadius but with a different 
RADIUS server, but since all the RADIUS server essentially
does is proxying, that shouldn't be relevant. The interesting
thing can be how to decide which requests to proxy to the
ACE server and which you don't want to proxy ...

Regards,
   Stefan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Reading VLAN from FreeRadius and sending it to Cisco AP

2005-01-27 Thread Alejandro Martínez Marcos



Hi again,

    here is more information about my problem, this is what I get in the AP logs:

*Mar  3 21:42:07.767: RADIUS: Received from id 21646/105 IP:PORT, Access-Challenge, len 78
*Mar  3 21:42:07.767: RADIUS:  authenticator (HEX STRING) - (HEX STRING)
*Mar  3 21:42:07.767: RADIUS:  Vendor, Cisco   [26]  14
*Mar  3 21:42:07.767: RADIUS:   Cisco AVpair   [1]   8   "SSID_1"
*Mar  3 21:42:07.767: RADIUS:  EAP-Message [79]  8
*Mar  3 21:42:07.768: RADIUS:   (HEX STRING)    [? ]
*Mar  3 21:42:07.768: RADIUS:  Message-Authenticato[80]  18  *
*Mar  3 21:42:07.768: RADIUS:  State   [24]  18
*Mar  3 21:42:07.769: RADIUS:  (HEX STRING)  [???V??? B?q?-]?m]
*Mar  3 21:42:07.769: RADIUS(0152): Received from id 21646/105
*Mar  3 21:42:07.769: RADIUS/DECODE: parse VSA parts error
*Mar  3 21:42:07.769: RADIUS/DECODE: convert VSA string; FAIL
*Mar  3 21:42:07.769: RADIUS/DECODE: cisco VSA type 1; FAIL
*Mar  3 21:42:07.769: RADIUS/DECODE: VSA; FAIL
*Mar  3 21:42:07.769: RADIUS/DECODE: decoder; FAIL
*Mar  3 21:42:07.769: RADIUS/DECODE: attribute Vendor-Specific; FAIL
*Mar  3 21:42:07.769: RADIUS/DECODE: parse response op decode; FAIL
*Mar  3 21:42:07.769: RADIUS/DECODE: parse response; FAIL
*Mar  3 21:42:07.770 UTC: %DOT11-7-AUTH_FAILED: Station (MAC) Authentication failed
*Mar  3 21:42:41.126 UTC: %DOT11-7-AUTH_FAILED: Station (MAC) Authentication failed

    So, the problem is that the AP does not understand the attribute... Does anybody know the right way to specify the VLAN or the SSID?

Best Regards,

Alejandro
 

  -Original message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On behalf of Alejandro Martínez Marcos
  Sent: Thursday, 27 January 2005 12:29
  To: Freeradius-Users
  Subject: Reading VLAN from FreeRadius and sending it to Cisco AP

  Hello,

  I am trying to configure my Cisco 1100 AP to use different SSIDs and VLANs.
  There is a default SSID and the definite one must be given from freeradius
  as a result of the authentication process.

  As authentication is done with LDAP, I have modified ldap.attrmap to read the
  value, and I can see that, after the "Access Request", FreeRadius returns
  Cisco-AVPair="SSID_1":

  Sending Access-Challenge of id 103 to (MY IP):(X)
      Cisco-AVPair = "SSID_1"
      EAP-Message = 0x010300060d20
      Message-Authenticator = 0x
      State = 0xe9b4f1c300311251a7961f6ab94ad7fd
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...

  However, after this I can see in the AP "Authentication Failure", and nothing
  else happens in the server.

  I have read about VLAN tunneling or something like that, but I don't understand
  it very well and I am afraid I need some more specific help. I hope somebody
  in this list can give me a hand with this.

  Thanks in advance,

  Alejandro Martínez

RE: ntlm_auth and Windows Groups

2005-01-27 Thread Øystein Gåsdal



that worked!
thank you very much!
 
- 
Øystein


  
  
  From: Mike Barber [mailto:[EMAIL PROTECTED]]
  Sent: 27 January 2005 12:57
  To: freeradius-users@lists.freeradius.org
  Subject: RE: ntlm_auth and Windows Groups

  Try Aalesund\\Test

  From: [EMAIL PROTECTED] on behalf of Øystein Gåsdal
  Sent: Thu 27/01/2005 11:32
  To: 'freeradius-users@lists.freeradius.org'
  Subject: ntlm_auth and Windows Groups

  Hi!
  Through this list I have been able to authenticate users against a nt-domain
  using ntlm_auth using this line in radiusd.conf:
  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
  --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
  --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

  But now I want to take it a step further, and limit it to certain groups.
  Say I want to authenticate only users from the group Test;
  If I write a line like this:
  ntlm_auth --username=og4 --domain=aalesund
  --require-membership-of='Aalesund\Test'

  I get this message:
  NT_STATUS_OK: Success (0x0)

  But when I add the line --require-membership-of='Aalesund\Test' into the
  ntlm_auth string in radiusd.conf, I get this error:
  [2005/01/27 12:28:03, 0] utils/ntlm_auth.c:get_require_membership_sid(230)
    Could not parse 'AalesundTest' into seperate domain/name parts!

  So it seems to remove the \ for some reason..
  Anyone know how to fix this?

  Thanks!

  Øystein Gåsdal
  Norway

  -
  List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: ntlm_auth and Windows Groups

2005-01-27 Thread Mike Barber
Try Aalesund\\Test



From: [EMAIL PROTECTED] on behalf of Øystein Gåsdal
Sent: Thu 27/01/2005 11:32
To: 'freeradius-users@lists.freeradius.org'
Subject: ntlm_auth and Windows Groups



Hi!
Through this list I have been able to authenticate users against a nt-domain
using ntlm_auth using this line in radiusd.conf:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

But now I want to take it a step further, and limit it to certain groups.
Say I want to authenticate only users from the group Test;
If I write a line like this:
ntlm_auth --username=og4 --domain=aalesund
--require-membership-of='Aalesund\Test'

I get this message:
NT_STATUS_OK: Success (0x0)

But when I add the line --require-membership-of='Aalesund\Test' into the
ntlm_auth string in radiusd.conf, I get this error:
[2005/01/27 12:28:03, 0] utils/ntlm_auth.c:get_require_membership_sid(230)
  Could not parse 'AalesundTest' into seperate domain/name parts!

So it seems to remove the \ for some reason..
Anyone know how to fix this?

Thanks!

Øystein Gåsdal
Norway

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Allways 10 Times to authenticate

2005-01-27 Thread Alejandro Martinez Marcos
Hi Christian,

are you sure you are seeing 10 authentications? Probably they are just 10
messages of a unique authentication process.

Best Regards,

Alejandro

> -Original message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of
> Christian
> Sent: Thursday, 27 January 2005 12:38
> To: freeradius-users@lists.freeradius.org
> Subject: Allways 10 Times to authenticate
>
>
> Hello all,
>
> I'm just a newbie here, please forgive me if I'm asking a stupid question.
>
> I installed freeradius on Suse 9.2 for working with APs from
> Linksys (Cisco), exactly a WRT54G with Alchemy software.
>
> After a while I figured out how to configure EAP-TLS and it worked, but
> I always see the authentication 10 times at 1 logon. Why?
>
> Anyone had this before?
>
> Thanks a lot
> Greets Chris
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>






Allways 10 Times to authenticate

2005-01-27 Thread Christian
Hello all,

I'm just a newbie here, please forgive me if I'm asking a stupid question.

I installed freeradius on Suse 9.2 for working with APs from
Linksys (Cisco), exactly a WRT54G with Alchemy software.

After a while I figured out how to configure EAP-TLS and it worked, but
I always see the authentication 10 times at 1 logon. Why?

Anyone had this before?

Thanks a lot
Greets Chris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ntlm_auth and Windows Groups

2005-01-27 Thread Øystein Gåsdal
Hi!
Through this list I have been able to authenticate users against a nt-domain
using ntlm_auth using this line in radiusd.conf:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

But now I want to take it a step further, and limit it to certain groups.
Say I want to authenticate only users from the group Test;
If I write a line like this:
ntlm_auth --username=og4 --domain=aalesund
--require-membership-of='Aalesund\Test'

I get this message:
NT_STATUS_OK: Success (0x0)

But when I add the line --require-membership-of='Aalesund\Test' into the
ntlm_auth string in radiusd.conf, I get this error:
[2005/01/27 12:28:03, 0] utils/ntlm_auth.c:get_require_membership_sid(230)
  Could not parse 'AalesundTest' into seperate domain/name parts!

So it seems to remove the \ for some reason..
Anyone know how to fix this?

Thanks!

Øystein Gåsdal
Norway 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Reading VLAN from FreeRadius and sending it to Cisco AP

2005-01-27 Thread Alejandro Martínez Marcos



Hello,

I am trying to configure my Cisco 1100 AP to use different SSIDs and 
VLANs. There is a default SSID and the definite one must be given from 
freeradius as a result of the authentication process. 

As authentication is done with LDAP, I have modified ldap.attrmap to read the 
value, and I can see that, after the "Access Request", FreeRadius 
returns Cisco-AVPair="SSID_1":

Sending Access-Challenge of id 103 to (MY IP):(X)
    Cisco-AVPair = "SSID_1"
    EAP-Message = 0x010300060d20
    Message-Authenticator = 0x
    State = 0xe9b4f1c300311251a7961f6ab94ad7fd
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

However, after this I can see in the AP "Authentication Failure", and nothing 
else happens in the server.

I have read about VLAN tunneling or something like that, but I don't understand it very 
well and I am afraid I need some more specific help. I hope somebody in 
this list can give me a hand with this. 

Thanks in advance,

Alejandro Martínez



Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
I already use the outside IP address in my second config /etc/raddb/sql2.conf. 
Only for testing with radtest do I use localhost. But on my radius client I use the 
outside IP address.

Thank you Manda



>  Well, I had a similar problem when starting freeradius, it took a loong 
> time, and everybody accused a slow db.
>  But I found out a bit later that the problem was in configuring the host of 
> the database as localhost and not 127.0.0.1. When I used the numeric IP it 
> started immediately. Maybe it's the same problem.
> 
> 
> 
> 
> 
> Home, no matter how far...
> http://www.home.ro
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kind regards,

M. v Dop
www.westwireless.nl

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: peap problems

2005-01-27 Thread ealatalo
Quoting Michael Griego <[EMAIL PROTECTED]>:

> I'm guessing you're using the Windows XP supplicant?  This looks like a 
> classic case of your CA certificate not being present on the client machine.
> 
> --Mike
> 
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas

Hi.

Yes, I use the WinXP (SP2) supplicant and the access point is an Intel 2011B.
I created new certificates. Then I copied the root.der and client-crt.p12 files to the
supplicant. Windows shows that the certificates are OK and used for remote client
identity. (I tried the TLS method too.) Now, in the authentication process, I found the
following error line.


rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 03a8], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0044], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13


Next lines tells how I create certificates.


Server certificate***

# 2048-bit RSA key for the server, protected with a DES3 passphrase
openssl genrsa -des3 -out server-key.pem 2048

# certificate signing request for that key
openssl req -new -key server-key.pem -out server-csr.pem

# self-signed certificate built from the CSR (replaced by the next command)
openssl req -in server-csr.pem -out server-crt.pem -key server-key.pem -x509 -days 3652

# the same CSR signed by the CA configured in openssl.cnf
openssl ca -in server-csr.pem -out server-crt.pem -days 3652 -policy policy_anything

 
root certificate**
 
# copy of the server certificate used as the root, then converted to DER for Windows
cp server-crt.pem root.pem 
 
openssl x509 -in root.pem -inform PEM -out root.der -outform DER


client certificate**
 
# client key and certificate signing request
openssl genrsa -des3 -out client-key.pem 2048
 
openssl req -new -key client-key.pem -out client-csr.pem
 
# client certificate signed by the CA with the XP client extensions
openssl ca -in client-csr.pem -out client-crt.pem -days 125 -extensions xpclient_ext -extfile xpextensions -policy policy_anything
 
# PKCS#12 bundle for import on the Windows client
openssl pkcs12 -export -in client-crt.pem -inkey client-key.pem -name "Radius Suse" -certfile client-crt.pem -out client.p12
 
openssl x509 -inform PEM -outform DER -in client-crt.pem -out client-crt.der







  

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Slow second db on freeradius

2005-01-27 Thread Manda Costin
 Well, I had a similar problem when starting freeradius, it took a loong time, 
and everybody accused a slow db.
 But I found out a bit later that the problem was in configuring the host of 
the database as localhost and not 127.0.0.1. When I used the numeric IP it 
started immediately. Maybe it's the same problem.





Home, no matter how far...
http://www.home.ro

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Slow second db on freeradius

2005-01-27 Thread Michel van Dop
Hello freeradius users,


I use two freeradius servers and two mysql db's (master and slave). 
On the first db (sql1) it works great: fast starting and fast response.
When I stop the master db (first sql1 db for radius) it must use the second db 
(slave).
When I start radiusd I can wait 80 seconds to get:
Starting RADIUS server:[  OK  ]

When I test with radtest (radtest user password localhost 1812 keyword) 
I see this:
Sending Access-Request of id 117 to 127.0.0.1:1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = radius02
NAS-Port = 1812
Re-sending Access-Request of id 117 to 127.0.0.1:1812
User-Name = "user"
User-Password = 
"\251\211\345\326\022\273\375\235\275\3515\326\240\270\001\267"
NAS-IP-Address = radius02
NAS-Port = 1812

Sending Access-Request of id 135 to 127.0.0.1:1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = radius02
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=121, length=90
rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid signature 
(err=2)!  (Shared secret is incorrect.)
[EMAIL PROTECTED] root]# radtest user password localhost 1812 keyword

After 20 times it works, I get access; see this:
 
Sending Access-Request of id 149 to 127.0.0.1:1812
User-Name = "user"
User-Password = "password"
NAS-IP-Address = radius02
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=149, length=90
WISPr-Bandwidth-Max-Down = 10
WISPr-Bandwidth-Max-Up = 5
WISPr-Redirection-URL = "http://www.domain.nl";
Session-Timeout = 21600
Idle-Timeout = 2700

In my radius.log i see this:

Thu Jan 27 10:52:37 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 125 due to live request 20
Thu Jan 27 10:52:40 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 125 due to live request 20
Thu Jan 27 10:52:46 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 2..
Thu Jan 27 10:52:46 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #2
Thu Jan 27 10:52:46 2005 : Error: WARNING: Unresponsive child (id 3188931504) 
for request 20
Thu Jan 27 10:52:49 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 129 due to live request 30
Thu Jan 27 10:54:49 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:db
Thu Jan 27 10:54:49 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to 
MySQL server on '192.168.160.10' (110)'
Thu Jan 27 10:54:49 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #4
Thu Jan 27 10:54:49 2005 : Info: rlm_sql (sql1): There are no DB handles to 
use! skipped 3, tried to connect 1
Thu Jan 27 10:54:49 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)
Thu Jan 27 10:54:59 2005 : Error: WARNING: Unresponsive child (id 3178441648) 
for request 30
Thu Jan 27 10:54:59 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 4..
Thu Jan 27 10:54:59 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #4
Thu Jan 27 10:55:04 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 1..
Thu Jan 27 10:55:04 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #1
Thu Jan 27 10:55:07 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 139 due to live request 33
Thu Jan 27 10:55:10 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 139 due to live request 33
Thu Jan 27 10:55:13 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
unconnected handle 0..
Thu Jan 27 10:55:13 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Thu Jan 27 10:55:16 2005 : Error: Discarding new request from client 
nas3.domain.nl:32770 - ID: 144 due to live request 36
Thu Jan 27 10:55:18 2005 : Info: rlm_sql (sql1): There are no DB handles to 
use! skipped 0, tried to connect 0
Thu Jan 27 10:55:18 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)
Thu Jan 27 10:55:22 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:db
Thu Jan 27 10:55:22 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to 
MySQL server on '192.168.160.10' (110)'
Thu Jan 27 10:55:22 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #3
Thu Jan 27 10:55:22 2005 : Info: rlm_sql (sql1): There are no DB handles to 
use! skipped 1, tried to connect 1
Thu Jan 27 10:55:22 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)
Thu Jan 27 10:55:55 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:db
Thu Jan 27 10:55:55 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to 
MySQL server on '192.168.160.10' (110)'
Thu Jan 27 10:55:55 2005 
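Two details of the radtest output above are worth pinning down, because both are explained by RFC 2865 rather than by the database. First, the re-sent request prints a 16-byte User-Password: that is the size RFC 2865 section 5.2 password hiding produces for an 8-character password, consistent with radclient printing the attribute after encoding it in place. Second, the reply radtest refused carries id=121 while the request it had just sent was id 135; a reply is authenticated with the Request Authenticator of the request it answers, so a late reply for a request the client no longer holds cannot verify, and radclient reports that with the same "Shared secret is incorrect" text as a genuinely wrong secret. (Also, radtest's fourth argument is the NAS-Port value, which is why NAS-Port = 1812 appears in the request; it is not the destination port.) The block below is an added example, not code from the thread or from FreeRADIUS, implementing both computations on constructed inputs: the secret, Request Authenticators and attribute values are made up here, only the algorithms follow the RFC.

```python
"""Two RADIUS checks from RFC 2865: User-Password hiding and the Response
Authenticator.

Added example, not code from the thread or from FreeRADIUS. The shared secret,
Request Authenticators and attribute values are constructed.
"""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attr(atype, value):
    """One attribute as Type / Length / Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR block i with
    MD5(secret + block i-1), block 0 using the Request Authenticator. An
    8-character password becomes one 16-byte block, the size radtest printed."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of section 5.2; the chaining value is the received block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident, request_auth, attrs):
    """Access-Request: Code, Identifier, Length, Request Authenticator, attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    (RFC 2865 section 3), keyed to the authenticator of the request being answered."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret):
    """Client-side check. It fails for a wrong secret and equally for a reply
    matched against the wrong outstanding request; radclient prints the same
    'invalid signature ... Shared secret is incorrect' message for both."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return resp_auth == hashlib.md5(header + request_auth + body + secret).digest()


def demo():
    secret = b"keyword"                 # constructed; radtest's last argument
    auth_117 = bytes(range(16))         # constructed Request Authenticator for id 117
    auth_135 = bytes(range(16, 32))     # constructed Request Authenticator for id 135
    hidden = hide_password(b"password", secret, auth_117)
    request = build_request(117, auth_117, [attr(USER_NAME, b"user"), attr(USER_PASSWORD, hidden)])
    reject = build_response(ACCESS_REJECT, 117, auth_117, [], secret)
    return {
        "request_len": len(request),
        "hidden_len": len(hidden),
        "reply_verifies_against_own_request": verify_response(reject, auth_117, secret),
        "reply_verifies_against_later_request": verify_response(reject, auth_135, secret),
        "reply_verifies_with_wrong_secret": verify_response(reject, auth_117, b"other"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Separately, the radius.log above shows each rlm_sql connect to 192.168.160.10 taking over three minutes to fail with MySQL error 110 (ETIMEDOUT on Linux); a worker blocked in that connect is what the "Unresponsive child" and "Discarding new request ... due to live request" lines are reporting, which is why the client sees retries and stray late replies at all.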

Re: Radius Cisco h323 Voip

2005-01-27 Thread Manda Costin
On 26 Jan 2005, at 23:16, Fabio Viração <[EMAIL PROTECTED]> wrote:

>Hi ;
>
>How can I send all these information to a Mysql Database ??

  If you look in the src/billing directory in the freeradius source package you 
will see how to do billing with postgres. Also the reasons why mysql does NOT 
work well with Cisco. However, you can try MySQL 5.0, which is still in testing 
AFAIK, and see how it goes.
I highly recommend PostgreSQL, though, and to create a good accounting/billing 
system for Cisco you need to combine the info in the src/billing directory with 
the one in src/modules/rlm_sql/drivers/rlm_sql_postgresql. At least this is how 
I did it.
Also, don't forget to set with_cisco_vsa_hack=yes in the radiusd.conf file.
>
>Does anyone have any ideia that can help me ??
>
>Sorry Joe
>
>Thanks
>Fabio
>
>Mon Aug 30 14:38:18 2004
>NAS-IP-Address = 192.168.115.4
>Cisco-NAS-Port = "CAS 1:0"
>NAS-Port-Type = Async
>User-Name = "351289767299"
>Called-Station-Id = "17863045678"
>Calling-Station-Id = "351212362299"
>Acct-Status-Type = Stop
>Service-Type = Login-User
>h323-gw-id = "h323-gw-id=Test0909"
>Cisco-AVPair = "h323-incoming-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
>h323-call-origin = "h323-call-origin=originate"
>h323-call-type = "h323-call-type=Telephony"
>h323-setup-time = "h323-setup-time=14:45:00.680 GMT Mon Aug 30 2004"
>h323-connect-time = "h323-connect-time=14:45:23.482 GMT Mon Aug 30 2004"
>h323-disconnect-time = "h323-disconnect-time=14:46:06.352 GMT Mon Aug 30 2004"
>h323-disconnect-cause = "h323-disconnect-cause=10"
>h323-voice-quality = "h323-voice-quality=0"
>h323-conf-id = "h323-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
>Acct-Session-Id = "EDD9"
>






Home, no matter how far...
http://www.home.ro

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
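For the question of getting these Cisco h323 records into a database, here is an added example, not FreeRADIUS code and not the scripts in src/billing. It takes the Stop record quoted above (copied into the block as constructed input, quoted-printable removed), strips the attribute name Cisco repeats in front of each h323 value the way with_cisco_vsa_hack does in the server (a Python re-implementation of the documented behaviour, not the server's code), promotes a Cisco-AVPair of the form "name=value" to an attribute of its own, computes the call duration from the connect and disconnect times, and binds the resulting row to a parameterised INSERT. The table name cdr and its columns are this example's assumptions; h323-disconnect-cause is read as a hexadecimal Q.931 cause code, which is how Cisco sends it.

```python
"""Normalising a Cisco h323 accounting Stop record before it goes into SQL.

Added example, not FreeRADIUS code. SAMPLE_STOP_RECORD is the record quoted
above; strip_cisco_prefix models with_cisco_vsa_hack in Python. The cdr table
and its columns are assumptions.
"""
from datetime import datetime, timedelta

SAMPLE_STOP_RECORD = """
NAS-IP-Address = 192.168.115.4
Cisco-NAS-Port = "CAS 1:0"
NAS-Port-Type = Async
User-Name = "351289767299"
Called-Station-Id = "17863045678"
Calling-Station-Id = "351212362299"
Acct-Status-Type = Stop
Service-Type = Login-User
h323-gw-id = "h323-gw-id=Test0909"
Cisco-AVPair = "h323-incoming-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
h323-call-origin = "h323-call-origin=originate"
h323-call-type = "h323-call-type=Telephony"
h323-setup-time = "h323-setup-time=14:45:00.680 GMT Mon Aug 30 2004"
h323-connect-time = "h323-connect-time=14:45:23.482 GMT Mon Aug 30 2004"
h323-disconnect-time = "h323-disconnect-time=14:46:06.352 GMT Mon Aug 30 2004"
h323-disconnect-cause = "h323-disconnect-cause=10"
h323-voice-quality = "h323-voice-quality=0"
h323-conf-id = "h323-conf-id=D397A0 F9CA11D8 9519C3E7 31564DA6"
Acct-Session-Id = "EDD9"
"""


def parse_record(text):
    """'Name = value' detail lines -> dict, with string values unquoted."""
    attrs = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def strip_cisco_prefix(attrs):
    """Cisco sends 'h323-x = "h323-x=value"'; drop the repeated name. A
    Cisco-AVPair of the form 'name=value' becomes attribute 'name'."""
    out = {}
    for name, value in attrs.items():
        if name == "Cisco-AVPair" and "=" in value:
            name, _, value = value.partition("=")
        elif value.startswith(name + "="):
            value = value[len(name) + 1:]
        out[name] = value
    return out


def parse_h323_time(value):
    """'14:45:23.482 GMT Mon Aug 30 2004' -> datetime. The zone token is
    checked rather than parsed, so this does not rely on strptime's %Z."""
    clock, zone, date = value.split(" ", 2)
    if zone not in ("GMT", "UTC"):
        raise ValueError("unexpected time zone %r" % zone)
    return datetime.strptime(clock + " " + date, "%H:%M:%S.%f %a %b %d %Y")


def call_detail(text):
    """One CDR row from a Stop record. h323-disconnect-cause is a Q.931
    cause code in hex ("10" is 16, normal call clearing)."""
    a = strip_cisco_prefix(parse_record(text))
    if a.get("Acct-Status-Type") != "Stop":
        raise ValueError("only Stop records describe a complete call")
    connect = parse_h323_time(a["h323-connect-time"])
    disconnect = parse_h323_time(a["h323-disconnect-time"])
    return {
        "acct_session_id": a["Acct-Session-Id"],
        "conf_id": a["h323-conf-id"],
        "incoming_conf_id": a.get("h323-incoming-conf-id"),
        "caller": a["Calling-Station-Id"],
        "callee": a["Called-Station-Id"],
        "call_origin": a["h323-call-origin"],
        "connect_time": connect,
        "duration_ms": (disconnect - connect) // timedelta(milliseconds=1),
        "disconnect_cause": int(a["h323-disconnect-cause"], 16),
    }


INSERT_SQL = ("INSERT INTO cdr (acct_session_id, conf_id, caller, callee, connect_time,"
              " duration_ms, disconnect_cause) VALUES (%s, %s, %s, %s, %s, %s, %s)")


def sql_params(row):
    """Bind values for INSERT_SQL through DB-API placeholders; caller, callee
    and conf-id are NAS-supplied strings and are never formatted into the SQL."""
    return (row["acct_session_id"], row["conf_id"], row["caller"], row["callee"],
            row["connect_time"].strftime("%Y-%m-%d %H:%M:%S"),
            row["duration_ms"], row["disconnect_cause"])


if __name__ == "__main__":
    print(INSERT_SQL)
    print(sql_params(call_detail(SAMPLE_STOP_RECORD)))
```

With a DB-API connection this is `cursor.execute(INSERT_SQL, sql_params(row))`; the placeholder style shown is the one used by the MySQL and PostgreSQL Python drivers. Start records and interim updates carry no disconnect time and are rejected here on purpose.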


Re: freeradius & postgreSQL - stored procedures

2005-01-27 Thread Manda Costin
On 27 Jan 2005, at 03:13, Graeme Lee <[EMAIL PROTECTED]> wrote:

>
>Siderite wrote:
>
>>  Hello... I am trying to make freeradius authenticate some access
>>packets using the output of SQL stored procedures (that eventually would
>>do the billing as well). Can it be done? And if yes, how?
>>
>>   thank you
>>
>>  
>>
>Give an example of what you're trying to do. 

  Well, I was thinking of something like putting in the radcheck table the 
result of a pgsql procedure. like:
username=USER,attribute=%{pgsql_stored procedure output},op='>',value=0

  Can it be done?

>
>For users with accounts based upon time (ie they pay for 5 hours, and 
>use 1, there's 4 remaining) I use a trigger to update their unique 
>Session-Timeout in the radreply table.  But you still could use a direct 
>function call from freeradius by modifying the statement in 
>postgresql.conf (as I have done for the simultaneous sessions)
>
I don't know what triggers are. yet :) I will research this avenue. Thank you 
for your reply.





Home, no matter how far...
http://www.home.ro

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expire attribute

2005-01-27 Thread Julius Igugu

N3DERJID  Max-All-Session := 18000, User-Password == "7US7VZBH", Expiration == "Sep 11 2004"
          Service-Type = Framed-User,
          Framed-Protocol = PPP,
          Framed-IP-Netmask = 255.255.255.254

rashad <[EMAIL PROTECTED]> wrote:
> I want some users' accounts to expire starting from a certain date. Someone
> wrote in the mailing list that there is an Expire check attribute for this
> purpose but I can't find any doc about it. Can anyone give the detailed doc
> about this attribute?

Julius Igugu
SouthWork Co. Ltd.

assign eap_type

2005-01-27 Thread Marc-Henri Boisis-Delavaud
Hello
I want to assign users coming from an SSID to an EAP-Type.
I have put this in the users file:
DEFAULT Cisco-AVPair == "ssid=criTLS"
   Auth-Type = EAP,
   EAP-Type = EAP-TLS,
   Reply-Message = "Test Reussi"
but I succeed in authenticating with EAP-TTLS on this SSID, why?
Marc
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FR with ldap in debian testing

2005-01-27 Thread tulga
Hi list, 

I need howto guide for freeradius with ldap in debian testing. Help me all 
please. 

Sincerely,
Tulga.G
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How to define freeradius as a proxy radius server and not a home server

2005-01-27 Thread nans



hello

I want to use the Proxy Freeradius features.
I have 2 proxies with 2 servers A & B (primary).

Home Radius A <-> Proxy A <---> Proxy B <-> Home Radius B

when I use radtest testuser password proxya auth secret, it works!
but when I use radtest testuser password proxya:1814 auth secret, Proxy A tells me:
"Ignoring request from unknown home server 130.130.93.13:32779"

When I would like to use attr_rewrite in order to modify packets from
Proxy B, Proxy A sees the packet "proxy_reply" as reply. NOT PROXY_REPLY!! I think proxy A sees Proxy B as a simple Home
server.

HOW to declare Proxy A and PROXY B as PROXY RADIUS SERVER and not
home server.
please help me