NoCat + FreeRadius + LDAP

2005-02-02 Thread Chan Min Wai
Greeting,

I'm trying to setup a computer with the above configuration.

Anyone know about how to pass the NoCat Attribute of (Member) back to
the NoCat Gateway?

I've got this in the radtest

Vendor-32767-Attr-1 = 0x4d656d626572
Idle-Timeout = 300
Anyone know if I'm on the right track?


This is the NoCat Dictionary files

VENDOR          NoCat                   32767
BEGIN-VENDOR    NoCat
ATTRIBUTE       NoCat-Groups            1       string  # Space delimited list of groups
ATTRIBUTE       NoCat-Groups-Admin      2       string  # Space delimited list of groups user is admin of
END-VENDOR      NoCat



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Using NAS-ID in clients.conf

2005-02-02 Thread Andrew Frazer

I have a situation when some of my 'nas's will have dynamic IP addresses.

So, I could use a generalized case to allow my radius server to listen,
something like this.

client 0.0.0.0/0 {
    secret = test
}

I guess this would be ok, if I had lots of nas's.

However I have lots more than one 'nas' that I want to use, and I want each
nas to use a different secret. How can I identify the NAS without using
its IP address?

Is it possible to use the NAS-IDENTIFIER? If so, how do I do that?


EAP-TLS with Freeradius, how to check locality ?

2005-02-02 Thread Riccardo Veraldi
Hello,
I would like to authenticate my users who have a certificate
but I want to check the /L field (locality name) of the certificate
and not the user name which is the /CN of the certificate.
is there a way to do this with Freeradius ?
thank you
Rick



ntlm_auth + domain nt

2005-02-02 Thread durale
Hi,

i have to use ntlm_auth command with freeradius.

Before, i want to execute ntlm_auth manually. For this job i use samba
and winbind.

the result command is : 

ntlm_auth --requeset-nt-key --domain=micro --username=alex   
password: 
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc05e)

Before i entered my computer in nt domain which name is "DOMAIN" like
this:

net  rpc join -S micro -U administrator
Password:
Joined domain DOMAIN.

and wbinfo -u :wbinfo -u
Error looking up domain users

and wbinfo -g :

BUILTINSystem Operators,BUILTINReplicators
BUILTINGuests,BUILTINPower Users
BUILTINPrint Operators,BUILTINAdministrators
BUILTINAccount Operators,BUILTINBackup Operators
BUILTINUsers

So, can you please return your experience about this subject, particularly
authentication with nt domain

Regards,

durale


Re: check-radiusd-config problem in freeradius-1.0.0 and 1.0.1

2005-02-02 Thread Nicolas Baradakis
Dave Plonka wrote:

> We noticed that as of in freeradius-1.0.0 and again in 1.0.1 that the
> check-radiusd-config script is broken.  This is because it used the
> "-p " option of radiusd, which is deprecated and ignored as of
> freeradius-1.0.0.

That's right. The command line option was removed when the "listen"
directive was added to the config file. (they can't work together)

> +# since radiusd's "-p" option is no longer supported as of freeradius-1.0.0,
> +# edit lines that look like "port = n" to test radiusd on port 32768 instead:
> +perl -pi -e 's/(port\s*=\s*)\d+/${1}32768/' ${raddbdir##*/}/radiusd.conf
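Review bot: The pattern in the perl substitution is not anchored to a setting named exactly "port": (port\s*=\s*)\d+ also matches any key that merely ends in "port" (for example "support = 1") and every module's own "port = n" line, and all of them are rewritten to 32768. Anchor it to the start of the setting, e.g. s/^(\s*port\s*=\s*)\d+/${1}32768/, and preferably restrict the edit to the listen section so other ports in radiusd.conf keep their values. The comment should also mention that "perl -pi" rewrites the file in place with no backup suffix.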

I hope nobody uses a module with an option named "port", "support", or
anything that will match the regex above, too.

-- 
Nicolas Baradakis



RE: RE: Install problems on Solaris 8

2005-02-02 Thread Stefan . Neis
Hi,

> >The problem seems to be, again, that even one adds
> >> >--with-ltdl-lib=/opt/csw/share/libtool/libltdl
> >> >--with-ltdl-include=/opt/csw/share/libtool/libltdl
> >"make" does not seem to care about it.
>
>
> I've found this to be the case with several (if not all) of the
> --with-BLAH-lib and with --with-BLAH-include options.

A relatively easy way around that problem would be to use
 CFLAGS="relevant -I options" LDFLAGS="relevant -L and -l options" ./configure 
...

That way, you can even reorder the libs as necessary, as I found necessary
e.g. with 1.0.0 to get OpenSSL stuff compiled in (the default configure
script would try to compile stuff with -lcrypto -lssl which fails at least
for static libs, while "-lssl -lcrypto" in LDFLAGS told configure to do
the right thing).

Regards,
Stefan

P.S.: Of course, fixing the configure script for 1.0.2 as needed would
be really nice, I just thought I'd mention that there's an easier
way to get things to work right now than editing generated
makefiles.





Re: Dialup_Admin Additionl attributes

2005-02-02 Thread Kostas Kalevras
On Mon, 31 Jan 2005, Cris Boisvert wrote:

> Is there a way for me to add other attributes through the Dialup admin that
> are not currently in the screens?

See the documentation in dialup_admin/doc
In short, yes. Check the conf/user_edit.attrs. Depending on your user db (ldap
or sql) you should also check if you need to add anything in the attribute
mapping files.

> I need to be able to set multiple ascend data filters for different users.
> Is there a way to have an "Other1", "Other2", "other3"... etc. etc. so I can
> add attributes and values that are not there?
>
> Thanx



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: ntlm_auth + domain nt

2005-02-02 Thread Michael Griego
This is really a question for one of the Samba mailing lists.  If 
Samba's own utilities can't see users, then your problem is in your 
Samba configs.  Get that working first, then come back to your 
FreeRADIUS installation.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

durale wrote:
Hi,
i have to use ntlm_auth command with freeradius.
Before, i want to execute ntlm_auth manually. For this job i use samba
and winbind.
the result command is : 

ntlm_auth --requeset-nt-key --domain=micro --username=alex   
password: 
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc05e)

Before i entered my computer in nt domain which name is "DOMAIN" like
this:
net  rpc join -S micro -U administrator
Password:
Joined domain DOMAIN.
and wbinfo -u :wbinfo -u
Error looking up domain users
and wbinfo -g :
BUILTINSystem Operators,BUILTINReplicators
BUILTINGuests,BUILTINPower Users
BUILTINPrint Operators,BUILTINAdministrators
BUILTINAccount Operators,BUILTINBackup Operators
BUILTINUsers
So, can you please return your experience about this subject, particularly
authentication with nt domain
Regards,
durale








Re: CVS 1.0.2 PEAP MSCHAPv2

2005-02-02 Thread christopher . malitsky




Thank you to Alan and Matthias for your suggestion.  John and I went
through countless configuration iterations and debugs in the 1.0.1 baseline
and the CVS pre 1.0.2 snapshot without success.  Lastly, we were successful
when we started clean yesterday with another download of the CVS 1.0.2
snapshot and enabled the ntdomain_hack.  Our environment consists of a
Windows XP SP2 supplicant, a Cisco 1100 AP, and freeradius CVS 1.0.2
running on a Solaris 2.8 platform.  We are successfully authenticating our
supplicant using PEAP/MSCHAPv2 with WEP.  We will now begin performing
various security tests for our application requirements.   Thanks to all
who took time to try to help us.


Chris Malitsky
EnRoute Integration and Interoperability Facility
Sr. Network and Systems Engineer
609.485.7921


"Alan DeKok" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/01/2005 01:05 PM
Please respond to freeradius-users

To: freeradius-users@lists.freeradius.org
cc:
Subject: Re: CVS 1.0.2 PEAP MSCHAPv2




[EMAIL PROTECTED] wrote:
> We have been unsuccessful in integrating a wireless environment utilizing a
> Windows XP SP2 supplicant, a Cisco 1100 AP, and a freeradius server running
> on Solaris 2.8.  Specifically, we have been testing the developmental
> version 1.0.2 after using the CVS snapshot suggested by Alan.

  That *should* solve MD4 related problems in 1.0.1.

> The expectation of running the developmental 1.0.2 build was to
> correct the errors we experienced.  Is there any way we can assist
> debugging this error efficiently?

  Try logging in as a simple user *without* a domain name.  If that
works, then the problem is the domain name.

  The issue is that MSCHAP depends on the "username".  For XP, it
sends "DOMAIN\username" in the User-Name attribute.  The MSCHAP module
uses the whole User-Name to calculate MSCHAP data, and decides that
the data doesn't match what you sent, so you can't log in.

>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?

  Try this suggestion.  The rlm_mschap module has the
"with_ntdomain_hack" configuration entry for precisely this situation.

  Alan DeKok.
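
Added example (not part of the original messages and not FreeRADIUS source code): the RFC 2759 challenge hash that MS-CHAPv2 folds the user name into, computed once over the whole "DOMAIN\username" string and once over the bare name, which shows the mismatch described above and why stripping the domain resolves it. The challenges, the names and the strip_nt_domain helper are constructed for illustration, and that the supplicant hashes the bare name is an assumption.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the thread or from any capture).
PEER_CHALLENGE = bytes(range(16))        # 16 octets chosen by the supplicant
AUTH_CHALLENGE = bytes(range(16, 32))    # 16 octets chosen by the RADIUS server
USER_NAME_ATTR = "EXAMPLE\\alice"        # User-Name as the XP supplicant sends it
BARE_NAME = "alice"                      # assumption: the name the supplicant hashed


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def strip_nt_domain(user_name):
    """Hypothetical helper: drop a leading 'DOMAIN\\' prefix if there is one."""
    return user_name.split("\\", 1)[-1]


def server_challenge_hash(user_name_attr, with_ntdomain_hack):
    """Challenge the server derives for this User-Name, with or without the hack."""
    if with_ntdomain_hack:
        name = strip_nt_domain(user_name_attr)
    else:
        name = user_name_attr
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)


def login_can_match(user_name_attr, with_ntdomain_hack):
    """True when server and supplicant derive the same 8-octet challenge.

    The NT-Response is computed from this challenge, so if the two sides
    disagree here the response can never verify, whatever the password is.
    """
    supplicant = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, BARE_NAME)
    server = server_challenge_hash(user_name_attr, with_ntdomain_hack)
    return hmac.compare_digest(supplicant, server)


if __name__ == "__main__":
    for hack in (False, True):
        digest = server_challenge_hash(USER_NAME_ATTR, hack).hex()
        verdict = "match" if login_can_match(USER_NAME_ATTR, hack) else "mismatch"
        print("with_ntdomain_hack=%s server challenge=%s -> %s" % (hack, digest, verdict))
```
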




Re: NoCat + FreeRadius + LDAP

2005-02-02 Thread Stefan . Neis
Hi,

> I've got this in the radtest
>
> Vendor-32767-Attr-1 = 0x4d656d626572
> Idle-Timeout = 300

Interesting approach. Maybe it's really worth adding support for
such syntax (if it doesn't exist) if someone just doesn't want to add
vendor attributes to the dictionary. OTOH, it's rather unreadable.

> Anyone know if I'm on the right track?

I guess not, unless I didn't notice a matching feature of FreeRadius,
yet. The normal way to proceed is to include the Nocat dictionary
in the FreeRadius dictionary (essentially copy the NoCat file in a
suitable directory and add an "include 'name of Nocat dictionary file'"
in the main dictionary file of FreeRadius; have a look at dictionary
and one of the files included in the configuration you get OOTB and
you'll see how it works).

Then, simply use the attribute name as specified in the dictionary
file, i.e. "Nocat-Groups" instead of "Vendor-23767-Attr-1".

HTH,
Stefan





Monthly problem

2005-02-02 Thread Andoni Ayala - KNET
Hi!
I'm using freeradius 0.9.3 on Red Hat 7.3 system but I have a monthly
problem.

Monthly, I think freeradius "reset" all connection, for example at 31 of
January I have 20 users connected and at 04:00 (01 of February) all users
disappear, and they need to reconnect again. Can you help me?

I search in google.com if anyone are in my same situation, but I don't
find nothing, I read freeradius faq and freeradius mailing-list and
nothing, please help me.

--
Thanks In Advance
Andoni


Dynamic IP Pools on Freeradius

2005-02-02 Thread Michael Kopp
Hi all,

sorry to bother you, I searched all on google but didn't find a solution,
either it is not designed as I think or I misunderstand something

So here the story :
I have to assign IP addresses via dynamic pools on Freeradius and via some
local pool on NAS. (requirement)

So I added in radiusd.conf

ippool my_pool {
  some stuff , mostly copied from main_pool
}

in the usersfile I added a testuser

test Password == "test", Pool-Name := "my_pool"

after restarting the server and some trying, I never got an IP returned from
Freeradius. I expected to see Framed-IP-Address attribute added to the user
with some IP of the specified pool. Is this how it should work or is my
assumption wrong.

When running radius in Debug mode (radiusd -X ) I just can see log messages
"module my_pool returns NOOP"

Did I miss something to configure ? I haven't found much documentation about
radius based IP pools.

Sorry that I can't post the whole debugging log currently, it's located on a
PC in a non-internet connected area.

Any could help with this issue.

Thanks and regards
Michael



RE: Radius with SSL

2005-02-02 Thread Anderson Alves de Albuquerque


 Thanks, My Radius with LDAP is OKAY now.

 How can I configure the password in LDAP with MD5. Example:
in the LDAP I put:
rootpw {MD5}aY3BnUicTk23PiinE+qwew==


In the Radius.conf I put:
 ldap {
server="ldaps.xxx.com"
identity="cn=root,dc=com"
password={MD5}aY3BnUicTk23PiinE+qwew==
 .
 .
 .
}
--


 But radius doesn't get to do authentication.
 How can I put password LDAP in radius.conf with hash MD5 or SHA1 or SSHA?


On Mon, 10 Jan 2005, Willey Kurt D wrote:

> Use port 636 to your ldaps server, and let the radius server do the
> work. The hardest part is generating the certificate trust.
> 
> Sample radiusd.conf for ldaps to Win2K AD:
> server = "127.0.0.1"
> port = 636
> identity = "cn=ldapuser,cn=users,dc=domain,dc=com"
> password = yourpass 
> basedn = "dc=domain,dc=com"
> filter =
> "(&(samaccountname=%{Stripped-User-Name:-%{User-Name}}))"
> start_tls = no
> tls_cacertfile  =
> /usr/local/ssl/certs/sslcertificate.pem
> tls_cacertdir   = /usr/local/ssl/certs/
> 
> If you can get ldapsearch to work, radiusd is a breeze.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Anderson Alves de Albuquerque
> Sent: Monday, January 10, 2005 9:18 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Radius with SSL
> 
> 
> 
>  I need one manual about Radius + SSL.
> 
>  I have RADIUS making authentication in LDAP Server, but I need to pass 
>  the authentication with SSL.
>  How can I make ? 
>  How cak I help me ? Please...
> 
> 


Re: Monthly problem

2005-02-02 Thread Stefan . Neis
Hi,

> Monthly, i think freeradius "reset" all connection,

FreeRadius (or any other Radius server) does not touch connections
at all. It's the NAS that is doing all this. The only thing that
FreeRadius does is deciding whether or not to accept a connection,
if it's asked by a NAS. Also, it _can_ be configured to return specific
attributes in the "Access-Accept" packet which will tell the NAS to
reset/close a connection that it is currently establishing at a given
time. But it's the NAS which actually has to take any action.

So, I'd recommend to read documentation of your NAS rather than
searching (pointlessly) through FreeRadius documentation.

HTH,
Stefan





RE: Radius with SSL

2005-02-02 Thread Kostas Kalevras
On Wed, 2 Feb 2005, Anderson Alves de Albuquerque wrote:

> Thanks, My Radius with LDAP is OKAY now.
> How can I configure the password in LDAP with MD5. Example:
> in the LDAP I put:
> rootpw {MD5}aY3BnUicTk23PiinE+qwew==
> In the Radius.conf I put:
> ldap {
>    server="ldaps.xxx.com"
>    identity="cn=root,dc=com"
>    password={MD5}aY3BnUicTk23PiinE+qwew==

The root password encryption method does matter. You should store it in the
password configuration directive unencrypted.

> .
> .
> .
> }
> --
> But radius doesn't get to do authentication.
> How can I put password LDAP in radius.conf with hash MD5 or SHA1 or SSHA?
>
> On Mon, 10 Jan 2005, Willey Kurt D wrote:
> > Use port 636 to your ldaps server, and let the radius server do the
> > work. The hardest part is generating the certificate trust.
> >
> > Sample radiusd.conf for ldaps to Win2K AD:
> > server = "127.0.0.1"
> > port = 636
> > identity = "cn=ldapuser,cn=users,dc=domain,dc=com"
> > password = yourpass
> > basedn = "dc=domain,dc=com"
> > filter =
> > "(&(samaccountname=%{Stripped-User-Name:-%{User-Name}}))"
> > start_tls = no
> > tls_cacertfile  =
> > /usr/local/ssl/certs/sslcertificate.pem
> > tls_cacertdir   = /usr/local/ssl/certs/
> >
> > If you can get ldapsearch to work, radiusd is a breeze.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Anderson Alves de Albuquerque
> > Sent: Monday, January 10, 2005 9:18 AM
> > To: freeradius-users@lists.freeradius.org
> > Subject: Radius with SSL
> >
> >  I need one manual about Radius + SSL.
> >  I have RADIUS making authentication in LDAP Server, but I need to pass
> >  the authentication with SSL.
> >  How can I make ?
> >  How can I help me ? Please...
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


RE: Huntgroup "GROUP"?

2005-02-02 Thread Dustin Doris
That line below means if the client is not 1.2.3.4, then reject.

On Tue, 1 Feb 2005, Cris Boisvert wrote:

> Does this mean...  the client ip has to be 1.2.3.4 if not reject
> Or if the client ip is this reject?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, January 31, 2005 5:14 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Huntgroup "GROUP"?
>
> "Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> > Is their a way to do that to keep users from authenticating from other
> nas's
> > Other than adding all the users to the appropriate huntgroup?
>
> user  Client-IP-Address != 1.2.3.4, Auth-Type := Reject
> ...
>
>
>   For multiple NASes, the huntgroups are the simplest way (for now).
>
>   Alan DeKok.
>


Re: Dynamic IP Pools on Freeradius

2005-02-02 Thread Dustin Doris
rlm_ippool requires that the packet contain NAS-IP-Address and NAS-Port.
Are you sending those attributes?

If not, you may need to modify rlm_ippool to uniquely identify a user by
something else.


On Wed, 2 Feb 2005, Michael Kopp wrote:

> Hi all,
>
> sorry to bother you, I searched all on google but didn`t find a solution,
> either it is not designed as I think or I misunderstand something
>
> So here the story :
> I have to assign IP addresses via dynamic pools on Freeradius and via some
> local pool on NAS. (requirement)
>
> So I added in radiusd.conf
>
> ippool my_pool {
>   some stuff , mostly copied form main_pool
> }
>
> in the usersfile I added a testuser
>
> test Password == "test", Pool-Name := "my_pool"
>
> after restarting the server and some trying, I never got a IP returned from
> Freeradius. I expected to see Framed-IP-Address attribute added to the user
> with some IP of the specified pool. Is this how it should work or is my
> assumption wrong.
>
> When running radius in Debug mode (radiusd -X ) I just can see log messages
> "module my_pool returns NOOP"
>
> Did I miss something to configure ? I haven`t found much documentation about
> radius based IP pools.
>
> Sorry that I can`t post the whole debugging log currently, it`s located on a
> PC in a non-internet connected area.
>
> Any could help with this issue.
>
> Thanks and regards
> Michael
>


Re: Fail_over mysql again!

2005-02-02 Thread Dustin Doris
On Tue, 1 Feb 2005, Michel van Dop wrote:

> When i only connect freeradius to the slave db it works great! Same on only
> master db!
> I think there is a radiusd.conf problem i find on google more configs
> old/and very old but not a working solution.
> The fail-over document on the own radius directory is very old from 2000.
>
> Okay thank you for the radrelay tip. Is there i example or document for
> this?
> And when i use radrelay is there a option to set only master db to write
> sessions on finisch sessions?
> Or radrelay working only for account reading?

Check out doc/radrelay, it will show you how to use it.  You will set it
up to send to a certain server, so in your case you just point it at your
master accounting server.  The replication setup between your master and
slave sql database will take care of replicating the data to the slave.

>
> - Original Message -
> From: "Dustin Doris" <[EMAIL PROTECTED]>
> To: 
> Sent: Tuesday, February 01, 2005 4:08 PM
> Subject: Re: Fail_over mysql again!
>
>
> >
> >> Hello,
> >>
> >> I have problems on FC1 freeradius 0.9.3 on failover and mysql db's. I use
> >> two mysql db's replication. One master db and slave db.
> >> So when master is down freeradius server go on on the second slave db
> >> whit accounting.
> >>
> >> So i think there is a bug in version 0.9.3 or sql/driver/module.
> >>
> >> Now i install two machines FC2 whit:
> >> freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2
> >> But same problems on fail_over on sql1 and sql2. Sql1 is down and second
> >> db, sql2 is up.
> >> Start slow and user request hi give every 240 second a good replay.
> >> When i start the first db everithing works!!! ?
> >>
> >> So can some one send me good sample or tips how to use fail_over mysql
> >> on 2 db's.  It's only for accounting so users get a replay when masterdb
> >> is down.
> >>
> >> Michel
> >>
> >
> > How does it perform when you have it only talking to the slave server?
> > For example, if you just take out the redundancy and setup to only use the
> > slave/failover server for sql?  Is it fast then or do you see a similar
> > slow startup and query issues?
> >
> > Another option, is what I do, is use radrelay to send the accounting
> > packets to the sql database.  That way the radius server just logs to a
> > detail file, which is quick, and the accounting packet is done.  Then
> > radrelay constantly tries to send those accounting packets over to our sql
> > server for storage.  With that you can afford some downtime on the sql
> > server, because as soon as it comes back up, radrelay will send over all
> > the missed packets.  When everything is up, the accounting packets are
> > pretty close to real-time in the sql server.  I guess it depends how close
> > to real-time you need in the sql database.
> >
> > BTW.  I'm not saying to stop trying to make failover work, just offering
> > another option to it, if you can't get it to work.
> >
> > -Dusty
> >
> >
> >


mod_auth_radius

2005-02-02 Thread TRANSLER Loic
Hi,

I'm not sure I'm supposed to post about mod_auth_radius here. Sorry if I'm not.

My apache (2.0) server is installed with rpm's. DSO's are enabled. So, I use 
apxs.
When I launch the command "apxs2 -i -a -c mod_auth_radius-2.0.c", the result is 
:

"
/usr/lib/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 
-fomit-frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer 
-DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 
-D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -O2 -fomit-frame-pointer -pipe 
-march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer -pthread -DRECORD_FORWARD 
-I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2   -c -o 
mod_auth_radius-2.0.lo mod_auth_radius-2.0.c && touch mod_auth_radius-2.0.slo

mod_auth_radius-2.0.c:560: warning: initialization from incompatible pointer 
type

ln: création d'un lien symbolique `mod_auth_radius-2.0.lo' vers 
`mod_auth_radius-2.0.o': Operation not permitted

apxs:Error: Command failed with rc=65536
"

Versions:
Linux Mandrake 10.0 Official
Apache 2.0.48-6
Mod_auth_radius 1.5.7
Freeradius 1.0.1



Can anyone help me?


Loïc.




Re: Monthly problem

2005-02-02 Thread Pete Conkin
From: "Andoni Ayala - KNET" <[EMAIL PROTECTED]>

> Hi!
>
> I'm using freeradius 0.9.3 on Red Hat 7.3 system but i have a monthly
> problem.
>
> Monthly, i think freeradius "reset" all connection, for example at 31 of
> January i have 20 users conected and at 04:00 (01 of February) all users
> dissapear, and they need to reconnect again. Can you help me?

  Hmm...could it be that your log files are set to rotate at 4:00am monthly
and it "appears" that your users are disconnected since the new log files
are empty ?

  See /etc/logrotate.conf and /etc/logrotate.d/x

  Pete




Re: Monthly problem

2005-02-02 Thread Andoni Ayala - KNET
Yes
Thanks, the reason is the monthly log rotation:
/var/log/radius/radutmp {
    monthly
    rotate 100
    create
    compress
    missingok
}
/var/log/radius/radwtmp {
    monthly
    rotate 100
    create
    compress
    missingok
}
And the new radutmp and radwtmp are empty.
Many thanks

>   Hmm...could it be that your log files are set to rotate at 4:00am monthly
> and it "appears" that your users are disconnected since the new log files
> are empty ?
>   See /etc/logrotate.conf and /etc/logrotate.d/x
>   Pete


Re: NoCat + FreeRadius + LDAP

2005-02-02 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> > Vendor-32767-Attr-1 = 0x4d656d626572
> > Idle-Timeout = 300
> 
> Interesting approach. Maybe it's really worth adding support for
> such syntax (if it doesn't exist) if someone just doesn't want to add
> vendor attributes to the dictionary. OTOH, it's rather unreadable.

  It's there.  And yes, it's awkward, but it's extensible,
well-defined, and easy to parse.

  Alan DeKok.
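
Added example (not from the thread and not FreeRADIUS code): a small encoder/decoder for the RFC 2865 Vendor-Specific attribute, showing that "Vendor-32767-Attr-1 = 0x4d656d626572" is the NoCat-Groups attribute carrying the string "Member", and that loading the dictionary only changes how it is named and displayed. The function names are hypothetical; the vendor and attribute numbers come from the NoCat dictionary quoted earlier in the thread.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for Vendor-Specific (RFC 2865)
NOCAT_VENDOR_ID = 32767   # from the NoCat dictionary quoted in the thread

# (vendor id, vendor attribute number) -> name, as in the quoted dictionary.
DICTIONARY = {
    (32767, 1): "NoCat-Groups",
    (32767, 2): "NoCat-Groups-Admin",
}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(data):
    """Yield (type, value) for each type/length/value record, checking lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + attr_len]
        pos += attr_len


def decode_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, bytes)])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the 4-octet vendor id")
    (vendor_id,) = struct.unpack("!I", value[:4])
    # Sub-attributes use the same type/length/value layout as top-level ones.
    return vendor_id, list(decode_attributes(value[4:]))


def render(data, dictionary=DICTIONARY):
    """Name each attribute from the dictionary, else fall back to raw hex."""
    lines = []
    for attr_type, value in decode_attributes(data):
        if attr_type != VENDOR_SPECIFIC:
            lines.append("Attr-%d = 0x%s" % (attr_type, value.hex()))
            continue
        vendor_id, subs = decode_vsa(value)
        for vendor_type, raw in subs:
            name = dictionary.get((vendor_id, vendor_type))
            if name is None:
                lines.append("Vendor-%d-Attr-%d = 0x%s"
                             % (vendor_id, vendor_type, raw.hex()))
            else:
                lines.append('%s = "%s"' % (name, raw.decode("utf-8", "replace")))
    return lines


if __name__ == "__main__":
    packet_attrs = encode_vsa(NOCAT_VENDOR_ID, 1, b"Member")
    print("on the wire :", packet_attrs.hex())
    print("no dictionary:", render(packet_attrs, {}))
    print("dictionary   :", render(packet_attrs))
```
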




Re: Using NAS-ID in clients.conf

2005-02-02 Thread Alan DeKok
Andrew Frazer <[EMAIL PROTECTED]> wrote:
> I have a situation when some of my 'nas's will have dynamic IP addresses.

  That's always bad.

> However I have lots more than one 'nas' that I want to use, and I want each
> nas to use a different secret. How can I identify the NAS without using
> its IP address?

  You can't, really.  The security of RADIUS depends on knowing the
NAS IP.

  My only suggestion is to get the DHCP server to tell the RADIUS
server when it assigns an IP to a NAS.  That involves serious work on
both ends.

  Alan DeKok.



Radiusd using up 99% CPU

2005-02-02 Thread Apu islam
My freeradius installation on FreeBSD5.3 is using up
99% of CPU resources. it is running with postgresql in
a dual intel 800 machine with 1 gb ram.
Basic functionality it provides is only accounting.
Anyone has any input on this ?

-Apu

=
---
Before God we are all equally wise - and equally foolish.
-Albert Einstein





Re: Fail_over mysql again!

2005-02-02 Thread Michel van Dop
Hi,
I found an 85% solution for my problem.
Set in sql1 (masterdb) connect_failure_retry_delay = 1800
So if master db is down it uses slave:
authorize {
    redundant {
        sql1
        sql2
    }
}
It goes slowly (180 seconds down) from sql1 to sql2 and after 1800
seconds retries to connect to sql1.
So 1800 seconds up on slave db and 180 seconds down and again up and
a little down and over again.
When master db is up (sql1) it does not go to sql2.

I think there is a bug in rlm_sql_mysql driver, you need to set a timeout when
there is no response. The timeout is now too long!!
180 seconds now and I need 4 seconds, good! And then my solution is perfect!

My clients' NAS (chillispot) have a first radius and a second. If the first is down
then it goes to the second. So this is a sort of proxy.
I think that radrelay is the same?!

Thank you, I hope there is a solution for the timeout on rlm_sql_mysql driver?
Michel


- Original Message - 
From: "Dustin Doris" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 02, 2005 4:41 PM
Subject: Re: Fail_over mysql again!


On Tue, 1 Feb 2005, Michel van Dop wrote:
When i only connect freeradius to the slave db it works great! Same on 
only
master db!
I think there is a radiusd.conf problem i find on google more configs
old/and very old but not a working solution.
The fail-over document on the own radius directory is very old from 2000.

Okay thank you for the radrelay tip. Is there i example or document for
this?
And when i use radrelay is there a option to set only master db to write
sessions on finisch sessions?
Or radrelay working only for account reading?
Check out doc/radrelay, it will show you how to use it.  You will set it
up to send to a certain server, so in your case you just point it at your
master accounting server.  The replication setup between your master and
slave sql database will take care of replicating the data to the slave.
- Original Message -
From: "Dustin Doris" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, February 01, 2005 4:08 PM
Subject: Re: Fail_over mysql again!
>
>> Hello,
>>
>> I have problems on FC1 freeradius 0.9.3 on failover and mysql db's. I 
>> use
>> two mysql db's replication. One master db and slave db.
>> So when master is down freeradius server go on on the second slave db
>> whit accounting.
>>
>> So i think there is a bug in version 0.9.3 or sql/driver/module.
>>
>> Now i install two machines FC2 whit:
>> freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2
>> But same problems on fail_over on sql1 and sql2. Sql1 is down and 
>> second
>> db, sql2 is up.
>> Start slow and user request hi give every 240 second a good replay.
>> When i start the first db everithing works!!! ?
>>
>> So can some one send me good sample or tips how to use fail_over mysql
>> on 2 db's.  It's only for accounting so users get a replay when 
>> masterdb
>> is down.
>>
>> Michel
>>
>
> How does it perform when you have it only talking to the slave server?
> For example, if you just take out the redundancy and setup to only use the
> slave/failover server for sql?  Is it fast then or do you see a similar
> slow startup and query issues?
>
> Another option, is what I do, is use radrelay to send the accounting
> packets to the sql database.  That way the radius server just logs to a
> detail file, which is quick, and the accounting packet is done.  Then
> radrelay constantly tries to send those accounting packets over to our sql
> server for storage.  With that you can afford some downtime on the sql
> server, because as soon as it comes back up, radrelay will send over all
> the missed packets.  When everything is up, the accounting packets are
> pretty close to real-time in the sql server.  I guess it depends how close
> to real-time you need in the sql database.
>
> BTW.  I'm not saying to stop trying to make failover work, just offering
> another option to it, if you can't get it to work.
>
> -Dusty


Troubles with EAP-TTLS

2005-02-02 Thread Francisco Sampalo
	Hi, this is our first message to the list. We are trying to deploy a
Wireless LAN based on 802.1X EAP-TTLS.

	We have built an authentication infrastructure with the following
components:
	- A Radius server (Linux SuSe 9.0 + FreeRadius CVS version from March'2004).
	- Access Point Aironet 1100 (Cisco).
	- SecureW2 EAP-TTLS supplicant (on the client side, over Windows XP).

	We have created two VLANs for wireless access: the GUESTs VLAN and the
PRIVATE VLAN (with authentication required for our users). We are having
some trouble with some laptops (not all) working with XP-SP2, because they
only "can see" the GUEST VLAN, but "can't see" the PRIVATE VLAN. We sniffed
the traffic between the client and the AP and we saw the following:
	- First, the user tries to get in the PRIVATE VLAN.
	- Then the AP answers him, trying to establish the connection, and asks him
for the authentication information (user and password).
	- But at this point it seems like the client can't understand the request
and sends back null packets; so the AP doesn't validate the connection and
the user is sent to the GUEST VLAN.

	We are in a mess, because we don't know if this problem is due to the
Wireless NIC of the client (hardware), the drivers, or even caused by the
operating system.

May anybody help us? Thanks to all.
*
Francisco J. Sampalo Lainz
([EMAIL PROTECTED])
Head of the IT Service
Universidad Politécnica de Cartagena
Tlf: 968-325717 / 5730
*


could not connect to database

2005-02-02 Thread maruna

Can somebody help out.

I try to run my dialup_admin interface but all I am seeing is "Could
not connect to database".

Your help will be appreciated

Thank you







RE: Troubles with EAP-TTLS

2005-02-02 Thread Guy Davies
Hi Francisco,

Are you authenticating the RADIUS server or just ignoring the validity (or 
otherwise) of the certificate it sends?  If you are trying to authenticate the 
RADIUS server and it's either sending an invalid (or self signed) certificate 
or the root certificate authority that signed the RADIUS server's certificate 
is not known to the client, then the client will not recognise the server and 
will not send any credentials.

Rgds,

Guy

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Francisco Sampalo
> Sent: 02 February 2005 17:04
> To: freeradius-users@lists.freeradius.org
> Subject: Troubles with EAP-TTLS
> 
> 
> 	Hi, this is our first message to the list. We are trying to deploy a
> Wireless LAN based on 802.1X EAP-TTLS.
>
> 	We have built an authentication infrastructure with the following
> components:
> 	- A Radius server (Linux SuSe 9.0 + FreeRadius CVS version from March'2004).
> 	- Access Point Aironet 1100 (Cisco).
> 	- SecureW2 EAP-TTLS supplicant (on the client side, over Windows XP).
>
> 	We have created two VLANs for wireless access: the GUESTs VLAN and the
> PRIVATE VLAN (with authentication required for our users). We are having
> some trouble with some laptops (not all) working with XP-SP2, because they
> only "can see" the GUEST VLAN, but "can't see" the PRIVATE VLAN. We sniffed
> the traffic between the client and the AP and we saw the following:
> 	- First, the user tries to get in the PRIVATE VLAN.
> 	- Then the AP answers him, trying to establish the connection, and asks him
> for the authentication information (user and password).
> 	- But at this point it seems like the client can't understand the request
> and sends back null packets; so the AP doesn't validate the connection and
> the user is sent to the GUEST VLAN.
>
> 	We are in a mess, because we don't know if this problem is due to the
> Wireless NIC of the client (hardware), the drivers, or even caused by the
> operating system.
>
> 	May anybody help us? Thanks to all.
> 
> 
> *
> Francisco J. Sampalo Lainz
> ([EMAIL PROTECTED])
> Head of the IT Service
> Universidad Politécnica de Cartagena
> Tlf: 968-325717 / 5730
> *
> 
> 
> 
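The trust decision described in the reply above, as an added example that is not part of the original thread: the openssl command line stands in for the supplicant's own validation, and every certificate, name and path below is constructed test material.

```shell
#!/bin/sh
# Added example (constructed certificates): the chain check a validating
# supplicant makes on the RADIUS server certificate before it sends credentials.

PKI_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$PKI_DIR"' EXIT

# Build throwaway material: two unrelated root CAs, a server certificate signed
# by the first CA, and a self-signed server certificate.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Example Campus Root CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Unrelated Root CA' \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=radius.example.org' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=radius.example.org' \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null
}

# Exit status 0 only if certificate $2 chains to the trust anchor(s) in $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the decision a client that validates the server would reach.
verdict() {
    if chains_to "$1" "$2"; then
        echo trusted
    else
        echo rejected
    fi
}

make_test_pki "$PKI_DIR" || { echo "openssl could not build the test PKI" >&2; exit 1; }

echo "CA-signed cert, signing CA installed on client: $(verdict "$PKI_DIR/ca.pem" "$PKI_DIR/server.pem")"
echo "self-signed cert, client trusts only the CA:    $(verdict "$PKI_DIR/ca.pem" "$PKI_DIR/selfsigned.pem")"
echo "CA-signed cert, client knows a different root:  $(verdict "$PKI_DIR/other-ca.pem" "$PKI_DIR/server.pem")"
```

Only the first case ends in "trusted"; in the other two a validating client stops before any user name or password is sent, which matches the symptom in the question.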



RE: Huntgroup "GROUP"?

2005-02-02 Thread Cris Boisvert
I have this in the users file

pork1   Client-IP-Address != 208.243.100.5, Auth-Type := reject, Password == "test"

When I test from that nas I get a reject every time.

Ideas?

Thanx



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
Sent: Wednesday, February 02, 2005 10:26 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: Huntgroup "GROUP"? 

That line below means if the client is not 1.2.3.4, then reject.

On Tue, 1 Feb 2005, Cris Boisvert wrote:

> Does this mean...  the client ip has to be 1.2.3.4 if not reject
> Or if the client ip is this reject?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, January 31, 2005 5:14 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Huntgroup "GROUP"?
>
> "Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> > Is there a way to do that to keep users from authenticating from other nas's
> > Other than adding all the users to the appropriate huntgroup?
>
> user  Client-IP-Address != 1.2.3.4, Auth-Type := Reject
> ...
>
>
>   For multiple NASes, the huntgroups are the simplest way (for now).
>
>   Alan DeKok.
>



Re: could not connect to database

2005-02-02 Thread Jason Frisvold
On Wed, 2 Feb 2005 18:25:38 +0100, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> 
> Can somebody help out.
> 
> I try to run my dialup_admin interface but all I am seeing is "Could
> not connect to database".

Can you connect to the database from the machine dialup-admin runs on?
 
> Your help will be appreciated
> 
> Thank you
> 
> 


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]



EAP-SIM Authentication

2005-02-02 Thread Giorgos Kostopoulos



Hi all,
 
I am a new user of Freeradius and I need your help.
Do you know if there is any way to achieve EAP-SIM based Authentication
using Freeradius?
Do I need to include more files in the freeradius server?
 
Thanks in advance!
 
Giorgos


RE: Dialup admin

2005-02-02 Thread Joel Eddy
I'm setting up dialupadmin. I get in the left hand column nothing but
php code.
Why, and could someone point me in the direction to correct it?

Joel



Free radius for redhat 9

2005-02-02 Thread Schoggins, George








Can anyone tell me where I can find binaries for FreeRadius
for Redhat 9?

 

George Schoggins
Enterasys Networks
Phone: 407-268-9894
FAX: 407-268-9881
Cell: 407-808-6013 
Email: [EMAIL PROTECTED]
www: http://www.enterasys.com


 







Re: Huntgroup "GROUP"?

2005-02-02 Thread Alan DeKok
"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> I have this in the users file
> 
> pork1   Client-IP-Address != 208.243.100.5, Auth-Type := reject, Password == "test"
> 
> When I test from that nas I get a reject every time.

  See what debugging mode says.
 
> Ideas?

  Try putting the password in a different entry of the "users" file.

  Alan DeKok.



Re: EAP-TLS with Freeradius, how to check locality ?

2005-02-02 Thread Alan DeKok
Riccardo Veraldi <[EMAIL PROTECTED]> wrote:
> I would like to authenticate my users who have a certificate
> but I want to check the /L field (locality name) of the certificate
> and not the user name which is the /CN of the certificate.
> is there a way to do this with Freeradius ?

  Source code modifications.

  Alan DeKok.



RE: Huntgroup "GROUP"?

2005-02-02 Thread Mitchell, Michael J
Firstly, run the server in debug mode (as it says in the doco), and you
can see exactly what it's doing, and why you are being rejected:

radiusd -X


Secondly, the user password attribute is called User-Password (as per
the examples in the users file), so try that.

Regards,
Mike


>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf 
>Of Cris Boisvert
>Sent: Thursday, 3 February 2005 4:39 AM
>To: freeradius-users@lists.freeradius.org
>Subject: RE: Huntgroup "GROUP"? 
>
>I have this in the users file
>
>pork1   Client-IP-Address != 208.243.100.5, Auth-Type := reject, Password == "test"
>
>When I test from that nas I get a reject every time.
>
>Ideas?
>
>Thanx
>



RE: configure script nightmare with ucd-snmp - patch

2005-02-02 Thread Mitchell, Michael J
Hi Paul,

 
>
>You're looking for the block around line 3925 in aclocal.m4, 
>with the following comment block:
>dnl   #
>dnl   #  That didn't work.  Try adding the '-lcrypto' line.
>dnl   #  Some SNMP libraries are linked against SSL...
>dnl   #
>
>Copy from the next line through fi, paste below the fi, and 
>change the line with LIBS and SNMP_LIBS to include -lkstat.
>Run aclocal and then autoconf (from the autotools2.13 release, 
>not any autotools 2.5x release) and try configuring again with 
>--with-snmp-lib-dir and --with-snmp-include-dir. It _ought_ to 
>work. ^_^
>
>Let us know if this works, since it looks like a fairly safe 
>change which could make 1.0.2 if you're quick. ^_^
>

Yeah, it definitely helped (learning a bit more about autoconf too :o) ).

I had to combine doing this with a patch to replace $snmp_*_dir with
$with_snmp_*_dir. This also resolved the same issue on my linux box,
where the --with-snmp-lib-dir and --with-snmp-include-dir is seemingly
ignored. The issue is that when the configure script processes the
--with-* arguments, it creates variables called $with_*, whereas
aclocal.m4 specifies $snmp_*_dir.

So I think it's probably a required patch (also for CVS head).

My entire patch is at the end of this email...


>FreeRADIUS 1.1.0 supports net-snmp in ucd-compatibility mode. 
>If you want to patch 1.0.1 to also support this, I've got 
>patches in the Debian release of FreeRADIUS 1.0.1 which I 
>could split out if you like.
>I don't recall if they made it into 1.0.2 though.
>

I applied your net-snmp patches also, and 1.0.1 compiled ok (Solaris and
Linux)...not tested though...

Thanks for your help!

Regards,
Mike


--- aclocal.m4.orig 2005-02-02 22:57:10.0 +1100
+++ aclocal.m4  2005-02-02 23:13:42.0 +1100
@@ -3782,7 +3782,7 @@
 dnl #
 if test "x$ucdsnmp" = "x"; then
   old_CFLAGS="$CFLAGS"
-  for try in /usr/include /usr/local/include $snmp_include_dir; do
+  for try in /usr/include /usr/local/include $with_snmp_include_dir; do
 CFLAGS="$old_CFLAGS -I$try"
 AC_TRY_COMPILE([
 #ifdef HAVE_SYS_TYPES_H
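Review bot: in `for try in /usr/include /usr/local/include $with_snmp_include_dir` the directory passed with --with-snmp-include-dir is still the last one tried, so if this loop stops at the first directory whose headers compile (the library loop further down does, with `break`), headers in /usr/include win over the directory that was asked for. List $with_snmp_include_dir first so an explicit request takes precedence over the system paths.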
@@ -3815,7 +3815,7 @@
 
 if test "x$ucdsnmp" = "x"; then
   old_CFLAGS="$CFLAGS"
-  for try in /usr/include/ucd-snmp /usr/local/include/ucd-snmp
$snmp_include_dir; do
+  for try in /usr/include/ucd-snmp /usr/local/include/ucd-snmp
$with_snmp_include_dir; do
 CFLAGS="$old_CFLAGS -I$try"
 dnl #
 dnl #  First, see if we can build it WITHOUT using any special includes
and without ucd-snmp @@ -3854,7 +3854,7 @@  dnl #  if test "x$ucdsnmp" =
"x"; then
   old_CFLAGS="$CFLAGS"
-  for try in /usr/include/ucd-snmp /usr/local/include/ucd-snmp
$snmp_include_dir; do
+  for try in /usr/include/ucd-snmp /usr/local/include/ucd-snmp
$with_snmp_include_dir; do
 CFLAGS="$old_CFLAGS -I$try"
 AC_TRY_COMPILE([
 #ifdef HAVE_SYS_TYPES_H
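Review bot: `$with_snmp_include_dir` is expanded unquoted and unchecked in the `for try in ... $with_snmp_include_dir` list. Autoconf sets a --with variable to `yes` when the option is given without a value and to `no` for the --without form, which would put -Iyes or -Ino into CFLAGS here. Test for those two values before the loop and skip the entry in that case; the same applies to $with_snmp_lib_dir in the library loop.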
@@ -3911,7 +3911,7 @@
   SNMP_LIBS=)
 
   if test "x$SNMP_LIBS" = "x"; then
-for try in /usr/lib /usr/local/lib /usr/local/snmp/lib
$snmp_lib_dir; do
+for try in /usr/lib /usr/local/lib /usr/local/snmp/lib
$with_snmp_lib_dir; do
   LIBS="$old_LIBS -L$try -lsnmp"
   AC_TRY_LINK([extern char snmp_build_var_op();],
   [ snmp_build_var_op()], @@ -3932,6 +3932,19 @@
   if test "x$SNMP_LIBS" != "x"; then
 break;
   fi
+dnl   #
+dnl   #  That didn't work.  Try adding the '-lkstat' line.
+dnl   #  Some SNMP libraries are linked against Kernel Statistics,
+dnl   #  in particular, Solaris 9...
+dnl   #
+  LIBS="$old_LIBS -L$try -lsnmp -lcrypto -lkstat"
+  AC_TRY_LINK([extern char snmp_build_var_op();],
+  [ snmp_build_var_op()],
+  SNMP_LIBS="-L$try -lsnmp -lcrypto -lkstat",
+  SNMP_LIBS=)
+  if test "x$SNMP_LIBS" != "x"; then
+break;
+  fi
 done
   fi
   LIBS="$old_LIBS"
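Review bot: the added fallback only tries `-lsnmp -lcrypto -lkstat`, so a libsnmp that needs kstat but was built without SSL is still not detected on a host that has no libcrypto; add a `-lsnmp -lkstat` attempt ahead of it. The stanza is another copy of the same AC_TRY_LINK / `break` sequence, so a loop over the candidate library sets would keep that logic in one place and make the next platform addition a one-word change.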




configure for rlm_ldap on Solaris

2005-02-02 Thread Mitchell, Michael J






Hi List,


I've done some more investigation into why configure doesn't work out of the box on Solaris for rlm_ldap.


I've found the reason, now I need to find a solution, hopefully with someone's help...


By default, Solaris comes with ldap include files in /usr/include. However, rlm_ldap doesn't compile with these headers out of the box, as there are missing defines...

We are using openLDAP, and therefore I have specified --with-rlm-ldap-include-dir and --with-rlm-ldap-lib-dir to configure to point to my openLDAP installation (which is not in /usr/local).

It appears that the rlm_ldap configure script finds the /usr/include ldap headers, which are enough to pass the configure compile tests. However, what this means is that configure says "I don't need the --with-rlm-ldap-include-dir directory", and doesn't add it to the CFLAGS in the Makefile. 

Since Solaris doesn't have a liblber.so, the configure correctly uses the --with-rlm-ldap-lib-dir (as openLDAP does have the liblber.so).

So, my problem now, is that I don't have enough knowledge to immediately say "here's how to fix configure". Or even if there's anything that can be done to make the configure script work "out of the box" for Solaris.

Any help to fix this for future releases would be greatly appreciated... 


Sure, it's easy to get around it, but it would be nice (for freeRADIUS) if it worked out of the box...


Sorry this was so long winded!


Regards,

Mike



 





Values in radacct problem

2005-02-02 Thread zack musa
FreeRADIUS 1.0
RH8
NoCat=Radius client 
Mysql

Hi.

Certain attributes, such as FramedIPAddress, AcctTerminateCause,
service type etc., remain empty when an accounting session is started
and stopped. From what I see, the RADIUS client is not
sending those attribute values. Some of the values are
supposed to be returned from the sql table containing
the user information.

By using radius.pm (some altering done here), some added
attributes successfully return values in the detail log file.
Although we tried to allow some attributes such as those mentioned
before, there is still no value appearing in the radacct
table and the detail file (framedipaddress for now).

For Dialupadmin, 4 tables remain empty, even when
the accounting session is started. The tables
are members, baduser, totacct and mtotacct. Is it
because the scripts that write the values to the sql db aren't
running, or configuration problems in the radius conf or
dialup conf?

Below is the RADIUS.pm file that we used.
___
package NoCat::Accounting::RADIUS;

use NoCat::Source;
use Authen::Radius;
use strict;
use vars qw( @ISA @REQUIRED );

@ISA        = qw( NoCat::Accounting );
@REQUIRED   = qw(
    RADIUS_Host RADIUS_Secret
);

sub radius {
    my ($self) = @_;

    unless ($self->{Radius}) {
        my $r;
        my $Hosts = $self->{RadiusHostsToUse};

        if(! defined($Hosts)) {  #This is really the first time through and I need to generate my list of servers
            $self->{RADIUS_Host} =~ s/,,/,/g;  #just to eliminate any blank entries
            my(@Hosts) = split(/,/,$self->{RADIUS_Host});
            if($self->{RADIUS_Order} && $self->{RADIUS_Order}) {  #mix em up.
                my @TmpHosts;
                my %UsedHosts;
                for(my $i=0;$i <= $#Hosts; $i++) {
                    my $TmpHost;
                    while(! $TmpHost || ($TmpHost && $UsedHosts{$TmpHost})) {
                        $TmpHost = $Hosts[int(rand($#Hosts + 1))];
                        last if ! $UsedHosts{$TmpHost};
                    }
                    $UsedHosts{$TmpHost} = 1;
                    $TmpHosts[$i] = $TmpHost;
                }
                @Hosts = @TmpHosts;
            }
            $self->{RadiusHostsToUse} = \@Hosts;  #List generated.
        }

        if($self->{RadiusHostsToUse}) {   #go through servers one by one
            foreach my $Host (@{$self->{RadiusHostsToUse}}) {
                my $Secret = $self->{RADIUS_Secret} ? $self->{RADIUS_Secret} : "";
                if($Host =~ s/\*(.*)$//) {
                    $Secret = $1;
                }
                $self->log( 0, "Connecting to RADIUS server $Host with Timeout " . $self->{RADIUS_TimeOut} );
                $r  = Authen::Radius->new(
                    Host        => $Host,
                    Secret      => $Secret,
                    Timeout     => $self->{RADIUS_TimeOut},
                    Accounting  => 1
                );
                last if $r;   #If we have a good connection, we're done
                $self->log( 0, "Failed to connect to RADIUS server $Host" );
            }
            if ($r) {  # This is almost always the case...
                $self->{Radius} = $r;
            } else {
                $self->log( 0, "Can't connect to RADIUS server(s) $self->{RADIUS_Host}" );
            }
        } else {
            return undef;  #no host for them!
        }
    }

    return $self->{Radius};
}

sub usenextserver {  #If I fail, take the most recent host out and
    my $self = shift;
    return unless $self->{RadiusHostsToUse};   #unless I've been through the radius sub above, forget it
    my @Hosts = @{$self->{RadiusHostsToUse}};
    my $popped = shift(@Hosts);  #say goodbye to the first one
    $self->log(0, "popped $popped in usenextserver");
    undef($self->{Radius});  #so radius above will get a new one.
    $self->{RadiusHostsToUse} = \@Hosts;
}

sub create_session_id {
    my $self = shift;

    return $self->radius->NewSessionID();
}

sub start{
    my ($self, $peer, $stats) = @_;

    if(! $peer->session_id)
    {
        $peer->session_id($self->radius->NewSessionId());
    }

    return $self->accounting(
        { Name => 1, Value => $peer->user, Type => 'string'},          #User - Name
        { Name => 4, Value => $self->{GatewayAddr}, Type => 'ipaddr'}, #NAS-IP-Address
        { Name =>  8, Type => 'ipaddr' , Value => $peer->id},          # Framed-IP-Address
        { Name => 31, Value => $peer->id, Type => 'string'},           #Calling-Station-Id
        { Name => 40, Value => '1', Type => 'integer' },               # Acct-Status-Type(Start)
        { Name => 40, V

Exec-Program-Wait

2005-02-02 Thread minotaurousc
Dear All:
How can I check
username/password/calling-station-id? I can't use the
calling-station-id when I run an external file. With
radiusd -X -A, the following is my log
module "eap" returns ok for request 7
modcall: group authenticate returns ok for request 7

radius_xlat:  '/usr/local/radius/etc/raddb/test jimmy
_ 
  localhost 20050203 14
/usr/local/radius/var/log/radius 0
/usr/local/radius/etc/raddb 2005-02-03 14:19:40'

Exec-Program: /usr/local/radius/etc/raddb/test jimmy _

  localhost 20050203 14
/usr/local/radius/var/log/radius 0
/usr/local/radius/etc/raddb 2005-02-03 14:19:40

Exec-Program output:
jimmy++_++_++1107411580++/usr/local/radius/var/log/radius/radacct++localhost

Reply-Message = 
Exec-Program-Wait: 
plaintext:
jimmy++_++_++1107411580++/usr/local/radius/var/log/radius/radacct++localhost

Reply-Message = 
Exec-Program: returned: 1

  
modcall[authorize]: module "suffix" returns noop for
request 8
  
rlm_eap: EAP packet type response id 223 length 43
  
rlm_eap: No EAP Start, assuming it's an on-going EAP 
conversation
  modcall[authorize]: module "eap" returns updated for
request 8

users: Matched jimmy at 107

radius_xlat:  '/usr/local/radius/etc/raddb/test jimmy
00-6a-25-00-00-a8 



following is my configuration
  users:
test User-Password == ""
 Exec-Program-Wait = "usr/local/radius/etc/raddb/test $u $i"

  test:
 DB=/var/db/userlit
 if grep "$1:$2" $DB; then
    exit 0
 else
    exit 1
 fi
  userlist:
 test:00-01-01-01-01-01

Thanks help
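The allow-list lookup in the script above hands request attributes to grep as a pattern. As an added example (not part of the original message), here is the posted check next to a stricter one that validates both fields and requires a literal whole-line match; the sample entries, temporary file and function names are constructed, and the lower-case, dash-separated MAC format is an assumption taken from the sample line.

```shell
#!/bin/sh
# Added example: allow-list lookup for a helper run through Exec-Program-Wait.
# Both arguments originate in the RADIUS request, so they are untrusted input.

# Constructed sample list in the "user:calling-station-id" format of the post.
DB_FILE=$(mktemp) || exit 1
trap 'rm -f "$DB_FILE"' EXIT
cat > "$DB_FILE" <<'EOF'
test:00-01-01-01-01-01
jimmy:00-6a-25-00-00-a8
EOF

# The check as posted (with the missing ';' supplied): the arguments form a
# regular expression that may match anywhere inside a line.
loose_check() {
    grep "$1:$2" "$3" >/dev/null 2>&1
}

# Hardened check: validate both fields, then demand a literal whole-line match.
strict_check() {
    user=$1
    # Assumption: the list stores MAC addresses in lower case with '-' separators.
    mac=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')
    h='[0-9a-f][0-9a-f]'
    case $user in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;   # empty, or characters never issued
    esac
    case $mac in
        $h-$h-$h-$h-$h-$h) ;;                # exactly six hex pairs
        *) return 1 ;;
    esac
    # -F: no regex, -x: whole line, -q: status only, --: end of options
    grep -F -x -q -- "$user:$mac" "$3"
}

# Show both decisions for one user / calling-station-id pair.
compare() {
    if loose_check "$1" "$2" "$DB_FILE"; then posted=accept; else posted=reject; fi
    if strict_check "$1" "$2" "$DB_FILE"; then hardened=accept; else hardened=reject; fi
    printf '%-8s %-19s posted=%s hardened=%s\n' "[$1]" "[$2]" "$posted" "$hardened"
}

compare test  00-01-01-01-01-01   # listed pair
compare jimmy 00-6A-25-00-00-A8   # listed pair, MAC sent in upper case
compare test  00-01-01-01-01-0    # truncated MAC
compare t     ''                  # fragment of a listed name, empty MAC
compare '.*'  '.*'                # regular-expression metacharacters
```

In the helper itself, exit 0 when strict_check succeeds and 1 otherwise, as the posted script does.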



Strange Error

2005-02-02 Thread Brad Dixon

I don't presume anyone has seen the following error and I presume I have pulled
the whole process below.
Maybe however one who knows the code a little better than myself will point me
in the right direction.

This occurs from an Ericsson Tigris unit. It used to happen on one we had on a
remote site and not the one here, but now it has started on this one too.
I have the radius connected to a network Informix server running the unixODBC
connectors.


Thu Feb  3 18:22:34 2005 : Error: rlm_sql_unixodbc: 'HY000 [unixODBC][Informix][Informix ODBC Driver][Informix]Routine (unix_timestamp) can not be resolved. '
Thu Feb  3 18:22:34 2005 : Error: rlm_sql (sql): Couldn't update SQL accounting for Acct On/Off packet - 0
Thu Feb  3 18:22:34 2005 : Error: rlm_sql_unixodbc: 'HY000 [unixODBC][Informix][Informix ODBC Driver][Informix]Routine (unix_timestamp) can not be resolved. '
Thu Feb  3 18:22:34 2005 : Error: rlm_sql (sql): Couldn't update SQL accounting for Acct On/Off packet - 0
Thu Feb  3 18:23:34 2005 : Info: rlm_radutmp: NAS tigris restarted (Accounting-On packet seen)
Thu Feb  3 18:23:34 2005 : Info: rlm_radutmp: NAS tigris restarted (Accounting-On packet seen)



Regards 
Brad Dixon 
Internet Manager 
Preferred Internet Provider.
Email: [EMAIL PROTECTED]
Phone: +61-2-94887655
sip:[EMAIL PROTECTED]
Fax: +61-2-94887761






Re: Dynamic IP Pools on Freeradius

2005-02-02 Thread Michael Kopp
Hi Dustin,

thanks, that worked for me!
(didn't know that the NAS-Port is necessary)

Regards
Michael


> --__--__--
> 
> Message: 3
> Date: Wed, 2 Feb 2005 10:39:32 -0500 (EST)
> From: Dustin Doris <[EMAIL PROTECTED]>
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Dynamic IP Pools on Freeradius
> Reply-To: freeradius-users@lists.freeradius.org
> 
> rlm_ippool requires that the packet contain NAS-IP-Address and NAS-Port.
> Are you sending those attributes?
> 
> If not, you may need to modify rlm_ippool to uniquely identify a user by
> something else.
> 
> 
> On Wed, 2 Feb 2005, Michael Kopp wrote:
> 
> > Hi all,
> >
> > sorry to bother you, I searched all on google but didn't find a solution,
> > either it is not designed as I think or I misunderstand something
> >
> > So here the story :
> > I have to assign IP addresses via dynamic pools on Freeradius and via some
> > local pool on NAS. (requirement)
> >
> > So I added in radiusd.conf
> >
> > ippool my_pool {
> >   some stuff , mostly copied from main_pool
> > }
> >
> > in the usersfile I added a testuser
> >
> > test Password == "test", Pool-Name := "my_pool"
> >
> > after restarting the server and some trying, I never got an IP returned from
> > Freeradius. I expected to see Framed-IP-Address attribute added to the user
> > with some IP of the specified pool. Is this how it should work or is my
> > assumption wrong.
> >
> > When running radius in Debug mode (radiusd -X ) I just can see log messages
> > "module my_pool returns NOOP"
> >
> > Did I miss something to configure ? I haven't found much documentation about
> > radius based IP pools.
> >
> > Sorry that I can't post the whole debugging log currently, it's located on a
> > PC in a non-internet connected area.
> >
> > Could anyone help with this issue?
> >
> > Thanks and regards
> > Michael
> >
> >
> 



Error in the Radius.log file

2005-02-02 Thread Nader Sayeh








Hi...

 

I have two FreeRadius System on RH9 working with Oracle9 DB each have its
own DB at the same server, I found in the radius.log file this message: 

 

There is no DB handle to use! Skipped 0, tried to connect 0

 

What is the cause of this problem and how could I solve it?

 

Another that the Access Servers write on both Radius Systems, but in the
Reporting from the DB there is a big difference between the two reports, how could
I check the reason for the difference?

 

Thanks in advance for your help.

 

Regards,

 

Nader Sayeh

 







