Postgresql Authentication How to

2005-02-04 Thread M.V. Jaga Mohan
Hi All,
I am using Freeradius 0.9.1. How do I configure
Freeradius to do authentication using a Postgresql
database? I have a running database. I have included
the Postgresql.conf file in radiusd.conf. But exactly
how do I configure radiusd.conf and postgresql.conf
so that it will do the authentication from the
database?

Anyone please help me in this regard.

Thank you in advance

Jagan



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
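The question above gets no answer in the thread, so the outline below is added here as an example; it is not from the original post, and it is not the shipped raddb files verbatim. It assumes FreeRADIUS 1.0.x (the 0.9.x layout is the same for the parts shown); the hostname, credentials, database name and the "authorize"/"accounting" section contents are placeholders to be adapted.

```conf
# --- postgresql.conf (the PostgreSQL variant of sql.conf shipped in raddb) ---
sql {
    # Load the PostgreSQL driver instead of the MySQL default
    driver = "rlm_sql_postgresql"

    # Connection details: placeholders, use your own
    server = "localhost"
    login = "radius"
    password = "radpass"
    radius_db = "radius"

    # Table names the stock queries expect (create them from the schema file
    # that ships with the rlm_sql_postgresql driver)
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "usergroup"

    # Query tracing writes every statement, including the passwords that
    # pass through them, to the trace file; leave it off except while debugging
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql

    num_sql_socks = 5

    # ... the authorize_*_query and accounting_*_query definitions that follow
    # in the shipped file stay as they are ...
}

# --- radiusd.conf: include the file, then list "sql" where it should run ---
$INCLUDE ${confdir}/postgresql.conf

authorize {
    preprocess
    chap
    mschap
    suffix
    # sql supplies the check and reply items (replaces or supplements "files")
    sql
    pap
}

accounting {
    detail
    sql
}
```

Create the tables from the db_postgresql.sql schema that ships in the source tree under the rlm_sql_postgresql driver directory (path assumed), add one check row such as INSERT INTO radcheck (username, attribute, op, value) VALUES ('jagan', 'User-Password', '==', 'secret'); (the 1.x convention; later releases use Cleartext-Password), start the server with radiusd -X and test with radtest jagan secret localhost 0 testing123. Grant the database account that radiusd uses only SELECT on the check and reply tables and INSERT/UPDATE on radacct, since anything else is an unnecessary foothold if the shared secret or the server is ever compromised.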


Re: Problem in Accounting Port

2005-02-04 Thread Michael Mitchell
Your client is sending accounting packets to the port on which 
freeRADIUS is listening for proxy responses. Configure the client to 
send accounting packets to the correct port (probably 1646), and you 
should be good...

Emman S. Loloy wrote:
> Hi guys,
> does anyone know how to solve this problem?
> Sat Feb  5 12:19:04 2005 : Error: Accounting-Request packet sent to a
> non-accounting port from client server:1647 - ID 0 : IGNORED
> Thanks,
> Emman


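The log line in this thread comes from the server's check of which socket a packet arrived on: an Accounting-Request (code 4) that lands on the authentication socket is dropped before any further processing. The script below is an added example, not code from the thread or from FreeRADIUS, that models that decision together with the other check a server applies to accounting packets, the RFC 2866 Request Authenticator. The port sets (1812/1813 from the RFCs, 1645/1646 as the legacy numbers), the shared secret and the sample Stop record for user "emman" are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4

# Ports a server listens on: RFC 2865/2866 assign 1812/1813; the older
# (pre-RFC) numbers 1645/1646 are still common on NAS equipment.
AUTH_PORTS = {1812, 1645}
ACCT_PORTS = {1813, 1646}


def avp(attr_type, value):
    """Encode one attribute-value pair: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(ident, secret, attrs):
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret), RFC 2866 §3."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Recompute the Request Authenticator with our copy of the shared secret."""
    header, authenticator = packet[:4], packet[4:20]
    length = struct.unpack("!H", header[2:4])[0]
    attrs = packet[20:length]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def dispatch(listen_port, packet, secret):
    """Decide what a server does with a packet that arrived on listen_port."""
    code = packet[0]
    if code == ACCOUNTING_REQUEST:
        if listen_port not in ACCT_PORTS:
            return "IGNORED: Accounting-Request packet sent to a non-accounting port"
        if not verify_accounting_request(packet, secret):
            return "IGNORED: bad Request Authenticator (shared secret mismatch?)"
        return "accounting"
    if code == ACCESS_REQUEST:
        if listen_port not in AUTH_PORTS:
            return "IGNORED: Access-Request packet sent to a non-authentication port"
        return "authentication"
    return "IGNORED: unexpected packet code %d" % code


# Constructed sample: a Stop record for user "emman"
# (attribute 1 = User-Name, attribute 40 = Acct-Status-Type, value 2 = Stop).
SECRET = b"testing123"
SAMPLE_STOP = build_accounting_request(
    0, SECRET, avp(1, b"emman") + avp(40, struct.pack("!I", 2)))

if __name__ == "__main__":
    for port in (1812, 1813, 1646):
        print(port, dispatch(port, SAMPLE_STOP, SECRET))
```

The first check is purely about the destination port, which is why the fix in the thread is on the client side: point the NAS's accounting destination at the accounting port. The second check is what fails when two devices disagree about the shared secret; FreeRADIUS logs that separately, so the two symptoms are easy to tell apart in radiusd -X output.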


Problem in Accounting Port

2005-02-04 Thread Emman S. Loloy

Hi  guys,

does anyone know how to solve this problem?

Sat Feb  5 12:19:04 2005 : Error: Accounting-Request packet sent to a
non-accounting port from client server:1647 - ID 0 : IGNORED


Thanks,

Emman







Re: high cpu

2005-02-04 Thread Michael Griego
Try running with LD_ASSUME_KERNEL=2.4.19.  This will force runtime 
linking against the standard libc libs instead of the thread-local 
storage (tls) libs.  So, on the command line, run 
"LD_ASSUME_KERNEL=2.4.19 radiusd -X" and see if that segfaults.

--Mike
Alan DeKok wrote:
> Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> > Program received signal SIGSEGV, Segmentation fault.
> > [Switching to Thread 1076829024 (LWP 17140)]
> > 0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> > (gdb) bt
> > #0  0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> > #1  0x406215dd in ldap_pvt_thread_mutex_lock ()
> > from /usr/lib/libldap_r.so.2
> > #2  0x40628443 in ldap_pvt_sasl_mutex_lock ()
> > from /usr/lib/libldap_r.so.2
> > #3  0x4042028e in sasl_dispose () from /usr/lib/libsasl2.so.2
> 
>   Sounds like a library conflict to me.  I'm not sure what to suggest...
>   Alan DeKok.


Re: Firewall Issue

2005-02-04 Thread Alan DeKok
"Leon" <[EMAIL PROTECTED]> wrote:
> I was finally able to track down the problem using the debug setting on the
> RADIUS server.  Apparently, while the server receives requests for
> authentication on port 1812 it sends the "accept" message on port 1036.

  Uh, no.  FreeRADIUS doesn't do that.

> Anybody know what the story is with port 1036?

  I'll bet that the firewall is doing the port mapping.  Use tcpdump
to look at the packets sent out by FreeRADIUS, they WILL be sent from
port 1812.

  Alan DeKok.




Re: high cpu

2005-02-04 Thread Alan DeKok
Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1076829024 (LWP 17140)]
> 0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> (gdb) bt
> #0  0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
> #1  0x406215dd in ldap_pvt_thread_mutex_lock ()
> from /usr/lib/libldap_r.so.2
> #2  0x40628443 in ldap_pvt_sasl_mutex_lock ()
> from /usr/lib/libldap_r.so.2
> #3  0x4042028e in sasl_dispose () from /usr/lib/libsasl2.so.2

  Sounds like a library conflict to me.  I'm not sure what to suggest...

  Alan DeKok.



RE: Firewall Issue

2005-02-04 Thread Leon


I was finally able to track down the problem using the debug setting on the
RADIUS server.  Apparently, while the server receives requests for
authentication on port 1812 it sends the "accept" message on port 1036.  Once
I had my ISP pipe that through, the client worked GREAT!

Anybody know what the story is with port 1036?

Leon




Re: high cpu

2005-02-04 Thread Daniel J McDonald
On Fri, 2005-02-04 at 18:15 -0500, Alan DeKok wrote:
> Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> > Following up to myself, I just compiled 1.0.1 and had the same issues -
> > 97% cpu and does not send the authentication response, radiusd -X
> > generates a segmentation fault.
> 
>   That's very weird.  I've never seen that myself...
> 
> > I changed radiusd.conf to allow corefiles, but it did not produce one
> > that I could find.  I tried to use gdb to get a stack dump, but radiusd
> > -X wouldn't respond to radius queries while running gdb.
> 
>   Try:
> 
> $ gdb radiusd
> (gdb) set args -X .
> (gdb) run
ok...
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mcdonalddj authenticated succesfully

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076829024 (LWP 17140)]
0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
(gdb) bt
#0  0x40079e54 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
#1  0x406215dd in ldap_pvt_thread_mutex_lock ()
from /usr/lib/libldap_r.so.2
#2  0x40628443 in ldap_pvt_sasl_mutex_lock ()
from /usr/lib/libldap_r.so.2
#3  0x4042028e in sasl_dispose () from /usr/lib/libsasl2.so.2
#4  0x406277bb in ldap_int_sasl_close () from /usr/lib/libldap_r.so.2
#5  0x40633c8c in ldap_free_connection () from /usr/lib/libldap_r.so.2
#6  0x4062a7d9 in ldap_ld_free () from /usr/lib/libldap_r.so.2
#7  0x4062aa74 in ldap_unbind_ext () from /usr/lib/libldap_r.so.2
#8  0x4062abd9 in ldap_unbind_s () from /usr/lib/libldap_r.so.2
#9  0x40604acd in ?? () from /usr/lib/freeradius/rlm_ldap.so
#10 0x0818f6a8 in ?? ()
#11 0x0818e80c in ?? ()
#12 0xbfffce7c in ?? ()
#13 0x0611487b in ?? ()
#14 0xbfffcee8 in ?? ()
#15 0x40007930 in _dl_lookup_symbol_x (undef_name=0x0, undef_map=0x1,
ref=0x0,
symbol_scope=0x81868c8, version=0x818e308, type_class=-1073752104,
flags=134547776, skip_map=0x1) at dl-lookup.c:246
#16 0x08056958 in modcall ()
#17 0x08056aa9 in modcall ()
#18 0x08055e38 in find_module_instance ()
#19 0x08052b4a in rad_check_password ()
#20 0x08052fdf in rad_authenticate ()
---Type  to continue, or q  to quit---
#21 0x0804c515 in rad_respond ()
#22 0x0804dd86 in main ()

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]




Re: high cpu

2005-02-04 Thread Alan DeKok
Daniel J McDonald <[EMAIL PROTECTED]> wrote:
> Following up to myself, I just compiled 1.0.1 and had the same issues -
> 97% cpu and does not send the authentication response, radiusd -X
> generates a segmentation fault.

  That's very weird.  I've never seen that myself...

> I changed radiusd.conf to allow corefiles, but it did not produce one
> that I could find.  I tried to use gdb to get a stack dump, but radiusd
> -X wouldn't respond to radius queries while running gdb.

  Try:

$ gdb radiusd
(gdb) set args -X .
(gdb) run

  and you should see any error there.

  Alan DeKok.



Disabling radwtmp/radutmp For Some Clients

2005-02-04 Thread A. Clausen
I was wondering if there was a way I could disable writing to radutmp 
and radwtmp for some clients, or whether this is an all or nothing 
proposition.

--
A. Clausen  [EMAIL PROTECTED]


Re: high cpu

2005-02-04 Thread Daniel J McDonald
On Fri, 2005-02-04 at 14:42 -0600, Daniel J McDonald wrote:
> I have an instance of freeradius 1.0.0 that is consuming 60-100% of a
> cpu (I have a two-processor box, so I can watch it do this).  I am using
> ldap for the backend database.
> 

Following up to myself, I just compiled 1.0.1 and had the same issues -
97% cpu and does not send the authentication response, radiusd -X
generates a segmentation fault.

I changed radiusd.conf to allow corefiles, but it did not produce one
that I could find.  I tried to use gdb to get a stack dump, but radiusd
-X wouldn't respond to radius queries while running gdb.

Environment is Mandrake 10.1 - 
Linux ldap2.austin-energy.net 2.6.8.1-24mdksmp #1 SMP Thu Jan 13
23:11:43 MST 2005 i686 Intel(R) Pentium(R) III CPU - S 1400MHz
unknown GNU/Linux


-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]




Re: database/ldap for configuration?

2005-02-04 Thread Michael Mitchell
There is currently support to read the clients from the sql module.
In addition, I've been working on the same for LDAP... just waiting on 
some feedback from Kostas regarding the "draft patch" I submitted a week 
or so ago to the freeradius-devel list... so it should be coming...

regards,
Mike
Daniel J McDonald wrote:
> I use freeradius to manage administrative sessions on a large number of
> routers and switches.  For redundancy, I have two boxes.  I'd like to
> use some sort of a database or directory to configure all of the client
> devices rather than the flatfile clients.conf.  Is that on the roadmap
> anywhere?



Re: Firewall Issue

2005-02-04 Thread Alan DeKok
"Leon" <[EMAIL PROTECTED]> wrote:
> Trying to authenticate through firewalls on client and Server side.  I can
> authenticate inside the server firewall without problem.  I can authenticate
> outside the server firewall from a dialup account.  So no firewall there.
> When I try to authenticate from inside my client firewall though I get
> nothing.

  RADIUS depends on the client IP.  With a firewall, you probably have
to list the IP of the firewall.

> I have the proper IP's configured in clients.conf. I know this because I get
> an "Ignoring request from unknown client" error in the radius log with the
> entry out.

  Ok... if you list that IP in "clients.conf" it should work.

> I have tried both Solaris (java) clients and Windows clients.  Both get no
> response from server and no entries in the server log.

  If the server prints *nothing* in debugging mode, then it isn't
seeing the request.  If it does print something, then running it in
debugging mode will tell you what went wrong.

  Alan DeKok.




database/ldap for configuration?

2005-02-04 Thread Daniel J McDonald
I use freeradius to manage administrative sessions on a large number of
routers and switches.  For redundancy, I have two boxes.  I'd like to
use some sort of a database or directory to configure all of the client
devices rather than the flatfile clients.conf.  Is that on the roadmap
anywhere?

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]




high cpu

2005-02-04 Thread Daniel J McDonald
I have an instance of freeradius 1.0.0 that is consuming 60-100% of a
cpu (I have a two-processor box, so I can watch it do this).  I am using
ldap for the backend database.

clients.conf has about 160 devices in it, but this is the secondary box,
and there are only a few of us who use the radius system.

running radiusd -X, I get a segmentation fault:

[EMAIL PROTECTED] radius]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radius"
 main: group = "radius"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "ldap2.austin-energy.net"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "dc=austin-energy,dc=net"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "dialupAccess"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=
%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=
%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from
file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLo

Firewall Issue

2005-02-04 Thread Leon
Just installed FreeRadius 1.0.1 on Redhat FC2.

Trying to authenticate through firewalls on client and Server side.  I can
authenticate inside the server firewall without problem.  I can authenticate
outside the server firewall from a dialup account.  So no firewall there.
When I try to authenticate from inside my client firewall though I get
nothing.

I have the ISP, where the client is, allow port 1812 (and later 1813),
protocol UDP, to and from the server firewall.
I have the proper IP's configured in clients.conf. I know this because I get
an "Ignoring request from unknown client" error in the radius log with the
entry out. my entry looks like:

client xxx.xxx.xxx.xxx/32 {
secret  = secret
shortname   = my-network
}

I have tried both Solaris (java) clients and Windows clients.  Both get no
response from server and no entries in the server log.  What should I be
doing with the client firewall that I am not?




Re: MSCHAP V2 local

2005-02-04 Thread Alan DeKok
"DeYoung, Brandon" <[EMAIL PROTECTED]> wrote:
> I've tried this and a few other things in the users file.
> test Auth-Type = Local, Password = "testing"

  Don't set Auth-Type.

> Authentication against the AD backend works from my clients with mschap v2.
> But my local users still don't work when sent through mschap.

  Because the mschap module is calling ntlm_auth.

> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=AM
> --username=test --challenge=4cd9c1a15948bb64
> --nt-response=0f8afe37aac4a6d8c1f42aae8f2c4582f90e8f33e07877cd
> Exec-Program output: Account locked out (0xc234) 
> Exec-Program-Wait: plaintext: Account locked out (0xc234) 
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.

  Hmm... looking at the module source, it could be a little more
forgiving.

  In the mean time, try:

#---
test User-Password == "testing", MS-CHAP-Use-NTLM-Auth = No

#---

  Alan DeKok.



Re: Radius Authentication problem with SER

2005-02-04 Thread Alan DeKok
"M.V. Jaga Mohan" <[EMAIL PROTECTED]> wrote:
> I have downloaded freeradius 0.9.1

  Why?  You should be using 1.0.1.

> when I am trying to run ser I am getting an error called:
> init_mod() : Error while initializing module.

  Please ask the SER people.  They should have a list.

  This is the FreeRADIUS list.

  Alan DeKok.



Re: question about upgrading from 0.9.3 to 1.0.1

2005-02-04 Thread Alan DeKok
Joe Meslovich <[EMAIL PROTECTED]> wrote:
> What should my entry look like in the users file to get this to
> authenticate. When I tried running 1.0.1 last night I was getting an error
> about Auth-Type of EAP being an unknown Auth-Type.

  Hmm... be sure that 1.0.1 is using the dictionaries from 1.0.1, and
not the 0.9.3 dictionaries.

> We used the full domain name for the CN in the certificates. I see in the
> eap.conf for 1.0.1 that setting Auth-Type to EAP is not recommended. This
> entry in question is for a computer that is doing machine authentication.

  If you know what you're doing, and it works, setting "Auth-Type =
EAP" is OK.  In general, though, most people get it wrong.

  Alan DeKok.




Re: Help appreciated (accounting only data)

2005-02-04 Thread Alan DeKok
Johnny Chavez <[EMAIL PROTECTED]> wrote:
> Hello, I am new to this list and I am wondering if a topic has been
> touched on yet or if anyone can help with a question.  Has anyone
> setup radiator 

  Huh?  You are subscribed to the wrong list.

> Thank you for your help on this topic.  If I am missing important
> information that is needed to help please let me know and I will
> update my post.  Thank you.

  If you are using Radiator, you shouldn't post to this list again.

  Alan DeKok.



Re: Attributes Remain Empty in radacct

2005-02-04 Thread Alan DeKok
zack musa <[EMAIL PROTECTED]> wrote:
> values like 
...
> are still unavailable both in radacct and detail file.

  Fix the NAS.  See the FAQ.

> Do we need to enable any scripts through some
> configuration file to write it in radacct or detail
> log files?

  There is nothing you can do to the server to log data it doesn't
have.  Read the FAQ.

> From the dictionary, some of the attributes have many
> value, and how is the value being recorded to radacct?
> Is it automatically detected (intelligently) by
> dedicated NAS machine

  The NAS sends data to the server.

  Alan DeKok.



Re: Free radius for redhat 9

2005-02-04 Thread Paulo Alexandre Caceres Ferreira
Try compiling and installing the freeradius-1.0.1.tar.gz package on your 
Redhat 9 system. I use this version of freeradius to test scenarios with 
your R2 AP, and it works with PEAP and MS-CHAPv2 authentication.
Regards, caceres


Schoggins, George wrote:

>Can anyone tell me where I can find binaries for FreeRadius for Redhat 9
> 
>George Schoggins
>Enterasys Networks
>Phone: 407-268-9894
>FAX: 407-268-9881
>Cell: 407-808-6013
>Email: [EMAIL PROTECTED]
>www: http://www.enterasys.com
> 
>





Help appreciated (accounting only data)

2005-02-04 Thread Johnny Chavez
Hello, I am new to this list and I am wondering if a topic has been
touched on yet or if anyone can help with a question.  Has anyone
setup radiator to only receive accounting data from multiple
locations?  We are currently running Radiator 3.3.1, I know its old
but for the time being we need this version.  We need to accept
accounting data from about 8 different locations.  I am looking for an
example config if anyone has one.  We are currently logging our
accounting data to an SQL server remote from the actual radius
servers.

Has anyone setup radiator to send accounting data to two different
locations?  This will also help as I know a few of these other
locations are currently using radiator.

Thank you for your help on this topic.  If I am missing important
information that is needed to help please let me know and I will
update my post.  Thank you.



handling of sql accounting stop queries (main and alternate)

2005-02-04 Thread Bruno Lague
Hi,

We are having difficulty making FreeRadius efficient in our environment
because we cannot reliably attempt to insert records in the SQL database
prior to attempting an update.

In one environment, our NAS'es are sending STOP accounting requests only (no
START and UPDATE). In such a case, it is much more efficient to use this in
sql.conf:

   accounting_stop_query = "INSERT into ${acct_table1} [...]
   accounting_stop_query_alt = "UPDATE ${acct_table1} [...]

than the inverse, because most (99.9%) of the time, a record will not be
there.

But there's a functional problem with the above order.

The current rlm_sql implementation (rlm_sql.c) assumes that the first stop
query (accounting_stop_query) will be an SQL UPDATE query, and will not
attempt the accounting_stop_query_alt query if it fails.  It will only
attempt the alternate query if the first query succeeds, but with 0 affected
rows.  However, an SQL INSERT fails if there was already a record, so the
alternate query is not attempted.

This would not be a problem when we receive Radius packets from a normal
client, but with RadRelay (which we also use for replication across two
FreeRadius servers), this sometimes causes problems.  If a packet is
correctly inserted into the database but the acknowledgment of a packet is
lost, RadRelay will (correctly) retransmit the packet, but this will fail
because the record is effectively already in the SQL database, causing the
INSERT to fail.  The alternate query, which would be an update, is thus not
attempted.  RadRelay then hangs there forever, retransmitting the same
packet over and over.  To work around this, we have to set sql.conf to do
the SQL UPDATE before the INSERT, reducing the FreeRadius server throughput
considerably.

Would it be possible to always (perhaps this needs to be configurable)
attempt the accounting_stop_query_alt query, even if the
accounting_stop_query fails (rather than only on success with 0 affected
rows)?  That is, make the logic of the stop query like the logic of, e.g.,
the start query.

PS: I think I never updated you after I tried the "load-balance" in the
accounting section back in early December - well, it was working perfectly
well...

Bruno Lague




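To make the behaviour described above concrete, here is an added example (not code from the thread or from rlm_sql) that replays one Accounting Stop twice against a throw-away sqlite3 table standing in for radacct, once with the current "alternate query only on zero affected rows" rule and once with the proposed "alternate query also when the first query fails" rule. The table layout, the session id and the two queries are constructed for the example and are cut down from what the shipped sql.conf defines.

```python
import sqlite3

# Constructed stand-in for FreeRADIUS's radacct table (sqlite3 instead of
# PostgreSQL/MySQL); acctsessionid is the key a retransmitted Stop collides on.
SCHEMA = """
CREATE TABLE radacct (
    acctsessionid   TEXT PRIMARY KEY,
    username        TEXT,
    acctstoptime    TEXT,
    acctsessiontime INTEGER
)"""

# The "INSERT first, UPDATE as alternate" order from the post, as in sql.conf.
ACCOUNTING_STOP_QUERY = (
    "INSERT INTO radacct (acctsessionid, username, acctstoptime, acctsessiontime) "
    "VALUES (:sid, :user, :stop, :secs)")
ACCOUNTING_STOP_QUERY_ALT = (
    "UPDATE radacct SET acctstoptime = :stop, acctsessiontime = :secs "
    "WHERE acctsessionid = :sid")


def run_query(conn, sql, params):
    """Return (succeeded, affected_rows); an INSERT on an existing key fails outright."""
    try:
        return True, conn.execute(sql, params).rowcount
    except sqlite3.IntegrityError:
        return False, 0


def accounting_stop(conn, packet, alt_on_failure):
    """Process one Accounting Stop.

    alt_on_failure=False reproduces the rlm_sql behaviour described in the post:
    the alternate query runs only when the first query succeeded with 0 rows.
    alt_on_failure=True is the proposed change: also fall through to the
    alternate when the first query itself fails (the INSERT hit a duplicate).
    Returns True when a row was inserted or updated, i.e. the Stop was stored
    and the server would acknowledge it.
    """
    ok, rows = run_query(conn, ACCOUNTING_STOP_QUERY, packet)
    if (ok and rows == 0) or (not ok and alt_on_failure):
        ok, rows = run_query(conn, ACCOUNTING_STOP_QUERY_ALT, packet)
    return ok and rows > 0


def replay_stop_twice(alt_on_failure):
    """Deliver the same Stop twice, as radrelay does when the first ACK is lost."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed packet contents: session id, user, stop time, session length
    stop = {"sid": "8A1F0001", "user": "bruno",
            "stop": "2005-02-04 10:00:00", "secs": 300}
    results = [accounting_stop(conn, stop, alt_on_failure) for _ in range(2)]
    conn.close()
    return results


if __name__ == "__main__":
    print("current rule :", replay_stop_twice(alt_on_failure=False))
    print("proposed rule:", replay_stop_twice(alt_on_failure=True))
```

With the current rule the second delivery returns False, so no Accounting-Response goes back and the relay keeps retransmitting; with the proposed rule the duplicate is absorbed by the UPDATE and acknowledged. Note that the UPDATE on retransmit rewrites the row with identical values, which is the idempotent outcome you want for duplicated accounting traffic.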


RE: Web interface similar to Dialup Admin but for dialup users to change their login passwords.

2005-02-04 Thread Cris Boisvert
A page with one option to change password would be great.
Apache could authenticate off the radius server for access. Then pass the
user attribute to php and bring up the page for the correct user.
Letting them submit a new password. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kostas
Kalevras
Sent: Friday, February 04, 2005 10:21 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Web interface similar to Dialup Admin but for dialup users to
change their login passwords.

On Fri, 4 Feb 2005, Shannon Sariman wrote:

> Hi All,
>
> I am using freeradius with mysql and dialup admin. Is there any open source
> solution out there that can cater for dialup users to manually change their
> password using a similar web interface like dialup admin? Please help.

Not that I know of. dialupadmin will be extended at some point to provide this
type of functionality.

>
> Regards,
>
> Shannon

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: Web interface similar to Dialup Admin but for dialup users to change their login passwords.

2005-02-04 Thread Kostas Kalevras
On Fri, 4 Feb 2005, Shannon Sariman wrote:
> Hi All,
> I am using freeradius with mysql and dialup admin. Is there any open source
> solution out there that can cater for dialup users to manually change their
> password using a similar web interface like dialup admin? Please help.

Not that I know of. dialupadmin will be extended at some point to provide this
type of functionality.

> Regards,
> Shannon
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: (no subject)

2005-02-04 Thread Stefan . Neis
Anderson Alves de Albuquerque schrieb:

>   After that, I need RADIUS to use crypt or DES to get the
> password in clear text.

It's impossible. Once you have the password
crypted, you cannot get the clear text from
it anymore. It's like making an omelette. You
can make one from eggs, but you can't get the
eggs back from the omelette.

>   How could I tell RADIUS to use crypt or DES to get clear
> text?

How can you tell your cook to turn the omelette back into eggs?

>  If RADIUS knew how the original password is stored in
> LDAP, RADIUS could do the hash. Then RADIUS could know if
> this hash is like the hash that RADIUS receives from the
> [application].

No. If you create two hashes from the same 
password, they are different. Just looking at 
the two, nobody can tell if they were created
from the same password or not.

 HTH,
   Stefan

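Two threads above touch the same point: the password-change page Cris sketches needs to check the current password before storing a new one, and Stefan's reply explains that a crypted password cannot be turned back into cleartext. The script below is an added example, not from either thread or from FreeRADIUS. It uses PBKDF2-SHA256 as a stand-in for crypt(3)/DES (same one-way, salted property; the scheme and the "salt$digest" storage format are assumptions for the example) and shows what follows for RADIUS: a PAP request carrying the cleartext can be verified against the stored hash by re-hashing with the stored salt, while a CHAP response (RFC 1994) can only be checked if the server holds the cleartext, because the MD5 input must contain the password itself. The in-memory user table and the user names are constructed.

```python
import hashlib
import hmac
import os

ROUNDS = 50_000  # PBKDF2 iteration count; a stand-in for crypt(3)'s cost


def hash_password(password, salt=None):
    """One-way, salted hash in the spirit of crypt(3): 'salt$digest', hex encoded.
    A fresh random salt each call means two hashes of one password differ."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """PAP-style check: re-hash the cleartext candidate with the stored salt.
    This is the only direction that works; the hash never yields the password."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, recomputed)


def chap_response(ident, password, challenge):
    """CHAP response, RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def verify_chap(cleartext_password, ident, challenge, response):
    """CHAP can only be verified when the server holds the cleartext password;
    a crypt-style hash on file cannot be turned back into the input MD5 needs."""
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def change_password(user_db, username, current, new):
    """Self-service password change as the web page would do it: prove the
    current password first, then store a new salted hash. The cleartext is
    never kept, so the stored value is useless for CHAP/MS-CHAP afterwards."""
    stored = user_db.get(username)
    if stored is None or not verify_password(stored, current):
        return False
    if len(new) < 8:          # constructed policy for the example
        return False
    user_db[username] = hash_password(new)
    return True


if __name__ == "__main__":
    users = {"shannon": hash_password("oldpassword")}     # constructed table
    print("same password, two hashes differ:",
          hash_password("x") != hash_password("x"))
    print("change with wrong current password:",
          change_password(users, "shannon", "nope", "newpassword1"))
    print("change with right current password:",
          change_password(users, "shannon", "oldpassword", "newpassword1"))
    print("PAP check of new password:", verify_password(users["shannon"], "newpassword1"))
    chal = os.urandom(16)
    resp = chap_response(1, "newpassword1", chal)
    print("CHAP check with cleartext on hand:", verify_chap("newpassword1", 1, chal, resp))
```

The practical consequence for the LDAP question is the one Alan gives elsewhere on this page: decide which authentication methods you must support before choosing the stored format. Hashed storage covers PAP (and EAP-TTLS/PAP); CHAP and MS-CHAP need the cleartext or, for MS-CHAP, the NT hash.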


question about upgrading from 0.9.3 to 1.0.1

2005-02-04 Thread Joe Meslovich

I am trying to upgrade our freeradius server from 0.9.3 to 1.0.1. We are
doing some EAP-TLS authentication for an 802.1x deployment. In 0.9.3 we
have entries in the users file for these 802.1x systems like this

writingcart1.bridgewater.edu    Auth-Type := EAP

We used the full domain name for the CN in the certificates. I see in the
eap.conf for 1.0.1 that setting Auth-Type to EAP is not recommended. This
entry in question is for a computer that is doing machine authentication.

What should my entry look like in the users file to get this to
authenticate. When I tried running 1.0.1 last night I was getting an error
about Auth-Type of EAP being an unknown Auth-Type.



Joe Meslovich              [EMAIL PROTECTED]
Network/Systems Engineer   IT Center
Tel: (540) 828 - 5343




RE: Problems with ttls using SecureW2

2005-02-04 Thread Øystein Gåsdal
Thanks for the suggestions, I'll look into them.

Again, thank you for your help.
  

> -Original Message-
> From: Rok Papez [mailto:[EMAIL PROTECTED] 
> Sent: 4 February 2005 14:56
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Problems with ttls using SecureW2
> 
> Hello Øystein.
> 
> On Friday 04 February 2005 08:37, Øystein Gåsdal wrote:
> 
> > I think Alan wrote that the job with getting ttls to work 
> was to set 
> > up tls properly... Freeradius works with the built-in 802.1x 
> > supplicant, so I guess that tls is in fact set up properly?
> > 
> > In eap.conf I have unchecked these lines:
> > 
> > ttls {
> >     default_eap_type = md5
> >     copy_request_to_tunnel = yes
> >     use_tunneled_reply = no
> > }
> > 
> > Anyone else having this problem, or at least knows what i'm doing 
> > wrong? :)
> 
> No, EAP-TTLS is working just fine for me (FreeRADIUS and SecureW2) :).
> This is my eap.conf:
> 
> eap {
> default_eap_type = ttls
> timer_expire = 60
> ignore_unknown_eap_types = no
> # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
> # a User-Name attribute in an Access-Accept, it copies one
> # more byte than it should.
> #
> # We can work around it by configurably adding an extra
> # zero byte.
> cisco_accounting_username_bug = yes
> tls {
> private_key_file = /etc/ssl/key.pem
> certificate_file = /etc/ssl/cert.pem
> CA_file = /etc/ssl/cacert.pem
> dh_file = /etc/ssl/dh
> random_file = /dev/urandom
> fragment_size = 1024
> include_length = yes
> }
> ttls {
> use_tunneled_reply = yes
> }
> } 
> 
> And here are the instructions how to set-up the SecureW2 
> client (they are in Slovenian language, but screenshots are 
> from an English Windows XP):
> http://www.arnes.si/bio/nastavitve/nastavitve_secure_w2_sp2.html
> 
> --
> best regards,
> Rok Papež.
> 
> 



how can freeradius log the transaction and failed logins?

2005-02-04 Thread Marendra Nutriaji
Hi all,
I use Freeradius 1.0.1, dialupadmin, and mysql under Fedora Core 2, and
a Patton 2960 as my NAS.
Everything works fine, except when a user fails to log in for any
reason: freeradius does not put those failed transactions into the
database. How can I make freeradius put every event into the database
when a user tries to dial the number, rings, authenticates, and then is
online or drops the connection, like a system log?

Does 'log_auth' do any good in this matter? I tried to uncomment it in
radiusd.conf, but it is still not working.

Desperately needs help

Thanks a lot

Regards
Marendra

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems with ttls using SecureW2

2005-02-04 Thread Rok Papez
Hello Øystein.

On Friday, 4 February 2005 at 08:37, Øystein Gåsdal wrote:

> I think Alan wrote that the job with getting ttls to work was to set up tls
> properly... Freeradius works with the built-in 802.1x supplicant, so I guess
> that tls is in fact set up properly?
> 
> In eap.conf i have unchecked these lines:
> 
> ttls {
> 
> default_eap_type = md5
> 
>copy_request_to_tunnel = yes
> 
> use_tunneled_reply = no
> }
> 
> Anyone else having this problem, or at least knows what i'm doing wrong? :)

No, EAP-TTLS is working just fine for me (FreeRADIUS and SecureW2) :).
This is my eap.conf:

eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = yes
tls {
private_key_file = /etc/ssl/key.pem
certificate_file = /etc/ssl/cert.pem
CA_file = /etc/ssl/cacert.pem
dh_file = /etc/ssl/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
}
ttls {
use_tunneled_reply = yes
}
} 

And here are the instructions on how to set up the SecureW2 client (they are in
Slovenian language, but screenshots are from an English Windows XP):
http://www.arnes.si/bio/nastavitve/nastavitve_secure_w2_sp2.html

-- 
best regards,
Rok Papež.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
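As an added check (example code written for this note, not part of the thread and not FreeRADIUS code), the following Python parses an eap.conf of the shape shown above and reports the mistake the thread is about: TTLS selected as the EAP type while the ttls { } section has been commented out, or a tunnelled type configured without the tls { } section it depends on. The working configuration embedded below is the one from this message with its comments trimmed; the broken one is constructed to mirror the original poster's description. The parser understands only the 'key = value', 'name { }' and '#' subset of the FreeRADIUS syntax used here (no $INCLUDE, no ${var} expansion), and the list of required tls keys is limited to the two a TLS server cannot run without.

```python
# Added example: a consistency check for the eap { } section of a FreeRADIUS 1.x
# eap.conf.  Not FreeRADIUS code; it handles only the syntax subset used in this thread.

def parse_config(text):
    """Parse 'key = value', 'name {' and '}' lines into nested dicts.
    '#' starts a comment; a repeated key keeps its last value."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith('{'):                    # open a nested section
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == '}':                         # close the current section
            if len(stack) == 1:
                raise ValueError('line %d: unmatched }' % lineno)
            stack.pop()
        elif '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            stack[-1][key] = value
        else:
            raise ValueError('line %d: cannot parse %r' % (lineno, raw))
    if len(stack) != 1:
        raise ValueError('unterminated section at end of file')
    return root


TUNNELLED = ('ttls', 'peap')          # EAP types that run inside a TLS tunnel


def check_eap(conf):
    """Return a list of problems; an empty list means the eap section is consistent."""
    problems = []
    eap = conf.get('eap')
    if not isinstance(eap, dict):
        return ['no eap { } section']
    default = eap.get('default_eap_type')
    if default is None:
        problems.append('eap: default_eap_type is not set')
    elif default in TUNNELLED and default not in eap:
        problems.append('eap: default_eap_type = %s but there is no %s { } section '
                        '(is it commented out?)' % (default, default))
    tls = eap.get('tls')
    for eap_type in TUNNELLED:                     # ttls and peap both ride on tls { }
        if eap_type in eap and tls is None:
            problems.append('eap: %s { } needs a tls { } section' % eap_type)
    if tls is not None:
        for key in ('private_key_file', 'certificate_file'):
            if key not in tls:
                problems.append('eap.tls: %s is missing' % key)
    return problems


# Sample input: the working eap.conf from the message above, comments trimmed.
WORKING = """
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes
    tls {
        private_key_file = /etc/ssl/key.pem
        certificate_file = /etc/ssl/cert.pem
        CA_file = /etc/ssl/cacert.pem
        dh_file = /etc/ssl/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        use_tunneled_reply = yes
    }
}
"""

# Constructed sample matching the original poster's description: ttls { } commented out.
BROKEN = """
eap {
    default_eap_type = ttls
    tls {
        private_key_file = /etc/ssl/key.pem
        certificate_file = /etc/ssl/cert.pem
        CA_file = /etc/ssl/cacert.pem
    }
    # ttls {
    #     default_eap_type = md5
    #     copy_request_to_tunnel = yes
    #     use_tunneled_reply = no
    # }
}
"""

if __name__ == '__main__':
    for name, text in (('working', WORKING), ('broken', BROKEN)):
        print(name, check_eap(parse_config(text)) or 'OK')
```

Run it against a real eap.conf by reading the file into parse_config(); the check is deliberately limited to relations that are certain (a tunnelled type needs its own section and a tls section with a key and certificate), so an empty result means the section is consistent, not that every value in it is sensible.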


Attributes Remain Empty in radacct

2005-02-04 Thread zack musa
Hi

RH 8
NoCat Gateway+NocatAuthserver on linux 
FR 1.0.*

I have some problems with my accounting data. We let
the RADIUS server write accounting data into the
detail log files. We use RADIUS.pm to add some
attributes and get their values in the accounting process,
and it works, but not for all of them. Values like

framedipaddress
stop/startconnectioninfo
terminatecause
NASportType
calledstationid

are still unavailable both in radacct and in the detail file.
Do we need to enable any scripts through some
configuration file to write them into radacct or the detail
log files?

Some of these attribute values are available in the other
table in the radius db (the same db as radacct). Can the
value just be returned from that table (radreply), as
authentication gets the return value for
framedIPaddress (e.g.)?

From the dictionary, some of the attributes have many
values; how is the value recorded in radacct?
Is it automatically detected (intelligently) by the
dedicated NAS machine (since I used Linux as my RADIUS
client/NAS)? Some attributes have no value, such as
start/stopconnectioninfo, realm and calledstationID.
Does this value need to be set in any files, scripts
or configuration file? I searched but for now can't find
where... Help please..

Below are the scripts of RADIUS.pm that have been
altered. The critical value that we try to get is the
FramedIPAddress.

++

package NoCat::Accounting::RADIUS;

use NoCat::Source;
use Authen::Radius;
use strict;
use vars qw( @ISA @REQUIRED );

@ISA      = qw( NoCat::Accounting );
@REQUIRED = qw( RADIUS_Host RADIUS_Secret );

# Return a connected Authen::Radius accounting object, creating one on first use.
sub radius {
    my ($self) = @_;

    unless ($self->{Radius}) {
        my $r;
        my $Hosts = $self->{RadiusHostsToUse};

        if (! defined($Hosts)) {
            # First time through: build the list of servers from RADIUS_Host.
            $self->{RADIUS_Host} =~ s/,,/,/g;                       # drop blank entries
            my (@Hosts) = split(/,/, $self->{RADIUS_Host});
            if ($self->{RADIUS_Order} && $self->{RADIUS_Order}) {   # mix them up (tests the same flag twice, as posted)
                my @TmpHosts;
                my %UsedHosts;
                for (my $i = 0; $i <= $#Hosts; $i++) {
                    my $TmpHost;
                    while (! $TmpHost || ($TmpHost && $UsedHosts{$TmpHost})) {
                        $TmpHost = $Hosts[int(rand($#Hosts + 1))];
                        last if ! $UsedHosts{$TmpHost};
                    }
                    $UsedHosts{$TmpHost} = 1;
                    $TmpHosts[$i] = $TmpHost;
                }
                @Hosts = @TmpHosts;
            }
            # The list archive replaced this array reference with "[EMAIL PROTECTED]";
            # \@Hosts is what the dereference in usenextserver() below expects.
            $self->{RadiusHostsToUse} = \@Hosts;                     # list generated
        }

        if ($self->{RadiusHostsToUse}) {
            # Go through the servers one by one until one answers.
            foreach my $Host (@{ $self->{RadiusHostsToUse} }) {
                my $Secret = $self->{RADIUS_Secret} ? $self->{RADIUS_Secret} : "";
                if ($Host =~ s/\*(.*)$//) {             # "host*secret" overrides RADIUS_Secret
                    $Secret = $1;
                }
                $self->log( 0, "Connecting to RADIUS server $Host with Timeout " . $self->{RADIUS_TimeOut} );
                $r = Authen::Radius->new(
                    Host       => $Host,
                    Secret     => $Secret,
                    Timeout    => $self->{RADIUS_TimeOut},
                    Accounting => 1,
                );
                last if $r;                             # good connection, we're done
                $self->log( 0, "Failed to connect to RADIUS server $Host" );
            }
            if ($r) {                                   # almost always the case
                $self->{Radius} = $r;
            } else {
                $self->log( 0, "Can't connect to RADIUS server(s) $self->{RADIUS_Host}" );
            }
        } else {
            return undef;                               # no host for them!
        }
    }

    return $self->{Radius};
}

# On failure, drop the most recent host so radius() picks the next one.
sub usenextserver {
    my $self = shift;
    return unless $self->{RadiusHostsToUse};            # never been through radius(): nothing to do
    my @Hosts  = @{ $self->{RadiusHostsToUse} };
    my $popped = shift(@Hosts);                         # say goodbye to the first one
    $self->log( 0, "popped $popped in usenextserver" );
    undef($self->{Radius});                             # so radius() will get a new one
    $self->{RadiusHostsToUse} = \@Hosts;                # also mangled to "[EMAIL PROTECTED]" by the archive
}

sub create_session_id {
    my $self = shift;
    # Spelled NewSessionID() here but NewSessionId() in start() below; Perl method
    # names are case-sensitive, so only one of the two spellings can exist.
    return $self->radius->NewSessionID();
}

sub start {
    my ($self, $peer, $stats) = @_;

    if (! $peer->session_id) {
        $peer->session_id($self->radius->NewSessionId());
    }

    return $self->accounting(
        { Name => 1,  Value => $peer->user,          Type => 'string'  },   # User-Name
        { Name => 4,  Value => $self->{GatewayAddr}, Type => 'ipaddr'  },   # NAS-IP-Address
        { Name => 5,  Value => $self->{GatewayPort}, Type => 'integer' },   # NAS-Port
        { Name => 7,  Value => '1',                  Type => 'integer' },   # Framed-Protocol
        { Name => 8,  Value => $peer->id,            Type => 'ipaddr'  },   # Framed-IP-Address
        { Name => 31, Value => $peer->id,            Type => 'string'  },   # Calling-Station-Id
        # Attribute 32 is NAS-Identifier, not Calling-Station-Id.  Called-Station-Id is
        # attribute 30 and is never sent here, which is why it stays empty in radacct.
        # Note that attribute 4 reads the gateway address from $self, this one from $peer.
        { Name => 32, Value => $peer->{GatewayAddr}, Type => 'string'  },   # NAS-Identifier
        # ... the message is truncated in the list archive at this point ...
    );
}

1;
  
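As an added example (written for this note; not NoCat's or FreeRADIUS's code), the Python below shows what the Accounting-Request that start() above assembles looks like on the wire, with the attributes the post reports as empty added in, and the check a RADIUS server applies before it writes anything to radacct or the detail file: the RFC 2866 Request Authenticator, an MD5 over the packet and the shared secret. A packet that fails that check, or one whose length fields do not add up, is dropped silently, so nothing about it reaches the database. The attribute numbers are the RFC 2865/2866 ones; attribute 30 is Called-Station-Id and 32 is NAS-Identifier, which is the mix-up in the Perl. Acct-Terminate-Cause belongs in the Stop record and is not shown. Secret, addresses, user name and session id are constructed, and the decoder handles only plain attributes (no vendor-specific ones).

```python
# Added example: RFC 2866 Accounting-Request encode, authenticator check and decode.
# Not NoCat or FreeRADIUS code; all sample values are constructed.
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4

# RFC 2865/2866 attribute numbers; RADIUS.pm above writes them as bare Name => N.
ATTR_NAMES = {
    1: 'User-Name', 4: 'NAS-IP-Address', 5: 'NAS-Port', 7: 'Framed-Protocol',
    8: 'Framed-IP-Address', 30: 'Called-Station-Id', 31: 'Calling-Station-Id',
    32: 'NAS-Identifier', 40: 'Acct-Status-Type', 44: 'Acct-Session-Id',
    61: 'NAS-Port-Type',
}
ACCT_START = 1                  # Acct-Status-Type value for Start
NAS_PORT_TYPE_ETHERNET = 15     # NAS-Port-Type value for Ethernet
FRAMED_PROTOCOL_PPP = 1


def encode_attr(num, value, kind):
    """One RFC 2865 attribute: Type(1) Length(1) Value; Length includes the header."""
    if kind == 'string':
        data = value.encode()
    elif kind == 'integer':
        data = struct.pack('!I', int(value))
    elif kind == 'ipaddr':
        data = socket.inet_aton(value)
    else:
        raise ValueError('unknown attribute type %r' % kind)
    if len(data) > 253:         # Length is a single octet, header included
        raise ValueError('attribute %d value too long' % num)
    return struct.pack('!BB', num, len(data) + 2) + data


def build_accounting_request(ident, secret, attrs):
    """Accounting-Request with the RFC 2866 s.3 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b''.join(encode_attr(n, v, k) for n, v, k in attrs)
    header = struct.pack('!BBH', ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """The server-side check before anything is logged: code, length and authenticator.
    A packet that fails here is discarded, so it never reaches radacct or the detail file."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack('!BBH', packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attrs(packet):
    """Walk the attribute list, rejecting any length that would run past the packet."""
    attrs = []
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError('truncated attribute header at offset %d' % pos)
        num, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError('bad attribute length %d at offset %d' % (length, pos))
        attrs.append((num, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def start_record(user, peer_ip, gateway_ip, gateway_port, session_id, called_id):
    """The attribute list start() above sends, plus the ones the post reports as empty
    (Called-Station-Id 30, NAS-Port-Type 61) and the Acct-Status-Type / Acct-Session-Id
    every accounting record needs.  32 is NAS-Identifier, not Called-Station-Id."""
    return [
        (1, user, 'string'),
        (4, gateway_ip, 'ipaddr'),
        (5, gateway_port, 'integer'),
        (7, FRAMED_PROTOCOL_PPP, 'integer'),
        (8, peer_ip, 'ipaddr'),
        (30, called_id, 'string'),
        (31, peer_ip, 'string'),
        (32, gateway_ip, 'string'),
        (40, ACCT_START, 'integer'),
        (44, session_id, 'string'),
        (61, NAS_PORT_TYPE_ETHERNET, 'integer'),
    ]


def attribute_names(packet):
    """Names of the attributes a server would see, in packet order."""
    return [ATTR_NAMES.get(num, 'Attr-%d' % num) for num, _ in decode_attrs(packet)]


# Constructed sample: secret, addresses, user and session id are made up.
SECRET = b'testing123'
SAMPLE = build_accounting_request(
    7, SECRET, start_record('zack', '10.0.0.42', '10.0.0.1', 1, '4a3f1c00', 'nocat-gw'))

if __name__ == '__main__':
    print(verify_accounting_request(SAMPLE, SECRET), attribute_names(SAMPLE))
```

The two things to take from it when an attribute comes up empty in radacct: the server only stores what the client actually put in the packet, so a column that is never sent stays NULL no matter how the SQL module is configured, and a packet whose secret or length does not match is dropped before any of it is stored, which looks the same from the database side.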

Re: Problems with ttls using SecureW2

2005-02-04 Thread Stefan Winter
> Under Configure in SecureW2, under Authentication, the Authentication
> Method EAP, is selected, and EAP type is PEAP.

If you want to use TTLS you should not tell SecureW2 to do PEAP but TTLS.

> I think Alan wrote that the job with getting ttls to work was to set up tls
> properly... Freeradius works with the built-in 802.1x supplicant, so I
> guess that tls is in fact set up properly?
>
> In eap.conf i have unchecked these lines:
>
> ttls {
>
> default_eap_type = md5
>
>copy_request_to_tunnel = yes
>
> use_tunneled_reply = no
> }

If you want to use TTLS you should not comment out the ttls section.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tel.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html