Error when run in debug mode with Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root@/var/tmp:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server root@/var/tmp:radius
rlm_sql_mysql: Mysql error 'Unknown MySQL server host '/var/tmp' (1)'
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.

What is the cause of this problem, and how do I fix it?

--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: With-edir in 1.02 / Novell eDirectory
Hi,

From: Dennis Comeaux [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Re: With-edir in 1.02 / Novell eDirectory
Reply-To: freeradius-users@lists.freeradius.org

> Believe it or not, I have found the information. The i-Manager plug in is the file radius_npm.tar.gz. This file is on the

You are correct. This is the iManager plug in.

> forge.novell.com site and is placed in a manner that misled me into believing that it was not the imanager plugin required for freeradius. We're actually planning on using freeradius 1.02 with edirectory in a production environment. I'll post any gotchas to the list and help in any way that I can.
>
> Thanks,
> Dennis
>
> On Thu, 17 Feb 2005 08:58:44 -0600, Dennis Comeaux [EMAIL PROTECTED] wrote:
> Novell has worked with the most recent release of freeradius to include support for eDirectory. (Thank you, Novell.) Up until now I've only been able to make freeradius work with eDirectory over clear text ldap on TCP:389. We really want to have freeradius connect via ldaps on TCP:636. I have been able to get freeradius to work over ldaps with openldap, but not with edirectory.

You need to extract the Self Signed Certificate of the certificate authority in base64 format. In the ldap module section of radiusd.conf set the following options.

port = 636
tls_mode = yes
tls_cacertfile = path to self signed cert

You should be able to connect to edirectory via ldaps. For more information you can refer to the Integrating Novell eDirectory with FreeRADIUS Administration Guide at the following location: http://www.novell.com/documentation/edir_radius/index.html

> The new integration with edirectory (compile with --with-edir) is supposed to work. However Novell has not distributed the Radius plug-in for iManager (it's locked away on their beta servers). Does ANYONE here know of a way to get ahold of this plug-in? I've contacted some fairly high level engineers at Novell and for several days we haven't been able to get the plug-in.
>
> I can only assume that the developers from novell and those of you who develop for free-radius have some information that my sources don't about this plug-in. There's a link to the plug-in on the open source site forge.novell.com so I'm hoping that this plug-in is GPL.
>
> BTW - You coders have built a ROCK SOLID product. I have no idea how you manage to do this and still keep a day job.

Regards,
-Sayantan.
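A check for the three LDAPS options named in the message above, written as an added example that is not part of the original thread or of FreeRADIUS. The function names, the host name, the file path and the 5-byte stand-in certificate are assumptions made for the illustration.

```python
import re
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def ldap_section(conf_text):
    """Return {option: value} for the first `ldap { ... }` block, or None."""
    start = re.search(r"^\s*ldap\s*\{", conf_text, re.MULTILINE)
    if start is None:
        return None
    depth, options = 1, {}
    for raw in conf_text[start.end():].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.endswith("{"):                   # nested sub-section
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:                       # end of the ldap block
                break
        elif depth == 1 and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip().strip('"')
    return options


def cert_encoding(data):
    """Classify certificate file bytes as 'pem' (base64), 'der' or 'unknown'."""
    stripped = data.strip()
    if stripped.startswith(PEM_BEGIN):
        try:
            ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
            return "pem"
        except ValueError:                       # bad footer, bad base64, non-ASCII
            return "unknown"
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    return "der" if data[:1] == b"\x30" else "unknown"


def audit_ldaps(conf_text, read_file):
    """Return a list of findings; an empty list means the options look right.

    read_file(path) must return the bytes of the CA certificate file.
    """
    options = ldap_section(conf_text)
    if options is None:
        return ["no ldap { } section found"]
    findings = []
    if options.get("port") != "636":
        findings.append("port is %s, expected 636 for ldaps"
                        % options.get("port", "unset"))
    if options.get("tls_mode") != "yes":
        findings.append("tls_mode is %s, expected yes"
                        % options.get("tls_mode", "unset"))
    ca_path = options.get("tls_cacertfile")
    if not ca_path:
        findings.append("tls_cacertfile is unset")
        return findings
    encoding = cert_encoding(read_file(ca_path))
    if encoding == "der":
        findings.append("%s is binary DER, not base64; convert it with "
                        "ssl.DER_cert_to_PEM_cert" % ca_path)
    elif encoding == "unknown":
        findings.append("%s is not a base64 (PEM) certificate" % ca_path)
    return findings


# Constructed sample data. FAKE_DER is a 5-byte ASN.1 SEQUENCE standing in for
# an exported CA certificate; it is not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_CONF = """
modules {
    ldap {
        server = "edir.example.org"   # hypothetical host
        port = 636
        tls_mode = yes
        tls_cacertfile = /etc/raddb/certs/edir-ca.b64
    }
}
"""
SAMPLE_FILES = {
    "/etc/raddb/certs/edir-ca.b64": ssl.DER_cert_to_PEM_cert(FAKE_DER).encode(),
}

if __name__ == "__main__":
    for finding in audit_ldaps(SAMPLE_CONF, SAMPLE_FILES.__getitem__) or ["ok"]:
        print(finding)
```

The check looks only at the file's encoding; it does not establish that the certificate is the one that signed the directory server's certificate.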
Config file 1.radiusd.conf ,2.postgresql.conf to use postgresql
I want to use postgresql, and I configured the files following a guide. Please tell me, is it correct? And how do I configure it to use postgresql? Are there only 2 files to configure, or more?

1. radiusd.conf
--
$INCLUDE ${confdir}/postgresql.conf
authorize {
    preprocess
#   auth_log
#   chap
#   attr_filter
#   eap
#   suffix
#   sql
    files
    noresetcounter --what is for ?
}
session {
    radutmp
    sql
}
accouting {
    acct_unique
    detail
    sql
#   main_pool
}
-
2. postgresql.conf
sql{
    driver=rlm_sql_postgresql
    server=localhost
    login = postgres
    password = postgres
    radius_db=radiusdb
Re: test freeradius
Hi!

> windows unable to find a certificate to log you on to the network xxx

Maybe you have instructed your Windows Client to authenticate via TLS (or Use a certificate or smartcard), but actually didn't give it any cert? Hard to say more as you were somewhat unclear in your posting. You should give more details if you want specific help.

And what the hell does all of this have to do with Internet Explorer?

Stefan

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.: +352 424409-33
http://www.restena.lu   fax: +352 422473
Re: Error when run in debug mode with Module: Loaded SQL
Hi.

> rlm_sql_mysql: Mysql error 'Unknown MySQL server host '/var/tmp' (1)'

Host names are not allowed to contain slashes. You probably just mean localhost. No need to fiddle around with the internal path names used _within_ MySQL.

Stefan

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.: +352 424409-33
http://www.restena.lu   fax: +352 422473
Re: How can I unsubscribe
On Fri, Feb 18, 2005 at 10:55:57AM +0800, Zhao Yu,SCNB RD NNA(BJ) wrote:
> How can I unsubscribe?

http://lists.freeradius.org/mailman/listinfo/freeradius-users

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: huntgroup question
Hi,

It works fine here.

Thomas.

Kostas Kalevras wrote:
> On Wed, 16 Feb 2005, Dustin Doris wrote:
>
> > I was wondering if you can add multiple check-items to huntgroup lines, besides Nas-Port-Id. Right now, it appears to be working for me, with Nas-Port-Type. Using something like this
> >
> > dial    NAS-IP-Address == 127.0.0.1, Nas-Port-Type == Async
> > isdn    NAS-IP-Address == 127.0.0.1, Nas-Port-Type == ISDN
> >
> > It seems to be working fine for me, just wanted to check to see if that is intended behavior. I only see reference to Nas-Port-ID in the documentation, which is why I ask.
>
> I think you can.
>
> > Thanks
> > Dusty Doris
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf
Re: Version 1.0.2 has been released.
On Thu, Feb 17, 2005 at 03:16:30PM +0200, Kostas Kalevras wrote:
> The patch was just committed in CVS. Could you check it out and make sure everything works as expected?
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf

Kostas,

I performed a diff between my patched sql_oracle.c file and the same file as seen in the freeradius CVS tree and there are no differences. Since this patch runs without problems in our production environment, everything seems to be OK. So we are expecting to see the patch included in the next release.

Thanks again for everything.

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
problem with radutmp
I have got a problem with radutmp. Maybe I forgot something, but I can't see what. I have configured the radutmp module and activated it in the accounting section, but I have no radutmp file, and when I use radwho there's nobody logged in.

My NAS is a Cisco AP1100.

--
bmathieu [EMAIL PROTECTED]
EAP problem when user profile in database
Hi, all

I tried to control access using MAC address. If the user profile is stored in /etc/raddb/users, it works. But when I migrated to PostgreSQL, it stopped working. I have the following 2 entries in the radcheck table:

1 | Vincent | Auth-Type          | := | EAP
5 | Vincent | Calling-Station-Id | == | 00-00-00-00-00-00

Even though my actual MAC address is 00-00-00-00-00-01, radius still accepts my connection. What might be wrong?

BTW: What attributes can be used in EAP/TLS? The RFC has a long list, can I use them all? How can I tell if an attribute is used in check or reply?

Thanks,
Vincent Chen
FR 1.0.2 + Mysql
Hi all,

I have a problem with FR 1.0.2 and Mysql: I cannot get it to compile (with the snapshot, no problem).

System: Debian Sarge with libmysqlclient14-dev and mysql-server installed

I have tested with

./configure --sysconfdir=/etc --disable-shared

or

./configure --sysconfdir=/etc --with-rlm-mysql-include-dir=/usr/include/mysql --with-rlm-mysql-lib-dir=/usr/include/mysql --disable-shared

And with make:

make[7]: Entering directory `/root/freeradius-1.0.2/src/modules/rlm_sql'
Making static in drivers...
make[8]: Entering directory `/root/freeradius-1.0.2/src/modules/rlm_sql/drivers'
/usr/bin/make -w WHAT_TO_MAKE=static common
make[9]: Entering directory `/root/freeradius-1.0.2/src/modules/rlm_sql/drivers'
Making static in rlm_sql_iodbc...
make[10]: Entering directory `/root/freeradius-1.0.2/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
make[10]: Rien à faire pour « static ».
make[10]: Leaving directory `/root/freeradius-1.0.2/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
Making static in rlm_sql_mysql...
make[10]: Entering directory `/root/freeradius-1.0.2/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I/root/freeradius-1.0.2/libltdl -c sql_mysql.c -o sql_mysql.o
sql_mysql.c:39:20: errmsg.h : Aucun fichier ou répertoire de ce type
sql_mysql.c:40:19: mysql.h : Aucun fichier ou répertoire de ce type
sql_mysql.c:47: error: erreur d'analyse syntaxique before MYSQL
sql_mysql.c:47: attention : pas de point virgule à la fin de la structure ou de l'union
sql_mysql.c:48: attention : type defaults to `int' in declaration of `sock'
sql_mysql.c:48: attention : data definition has no type or storage class
sql_mysql.c:49: error: erreur d'analyse syntaxique before '*' token
sql_mysql.c:49: attention : type defaults to `int' in declaration of `result'
sql_mysql.c:49: attention : data definition has no type or storage class
sql_mysql.c:51: error: erreur d'analyse syntaxique before '}' token
sql_mysql.c:51: attention : type defaults to `int' in declaration of `rlm_sql_mysql_sock'
sql_mysql.c:51: attention : data definition has no type or storage class
sql_mysql.c: Dans la fonction « sql_init_socket »:
sql_mysql.c:62: error: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:62: error: (Each undeclared identifier is reported only once
sql_mysql.c:62: error: for each function it appears in.)
sql_mysql.c:65: error: erreur d'analyse syntaxique before ')' token
sql_mysql.c:76: attention : implicit declaration of function `mysql_init'
sql_mysql.c:77: attention : implicit declaration of function `mysql_real_connect'
sql_mysql.c:84: error: `CLIENT_FOUND_ROWS' undeclared (first use in this function)
sql_mysql.c:86: attention : implicit declaration of function `mysql_error'
sql_mysql.c:86: attention : l'argument de format n'est pas un pointeur (arg 3)
sql_mysql.c: Dans la fonction « sql_check_error »:
sql_mysql.c:122: error: `CR_SERVER_GONE_ERROR' undeclared (first use in this function)
sql_mysql.c:123: error: `CR_SERVER_LOST' undeclared (first use in this function)
sql_mysql.c:131: error: `CR_OUT_OF_MEMORY' undeclared (first use in this function)
sql_mysql.c:132: error: `CR_COMMANDS_OUT_OF_SYNC' undeclared (first use in this function)
sql_mysql.c:133: error: `CR_UNKNOWN_ERROR' undeclared (first use in this function)
sql_mysql.c: Dans la fonction « sql_query »:
sql_mysql.c:151: error: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:160: attention : implicit declaration of function `mysql_query'
sql_mysql.c:161: attention : implicit declaration of function `mysql_errno'
sql_mysql.c: Dans la fonction « sql_store_result »:
sql_mysql.c:175: error: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:181: attention : implicit declaration of function `mysql_store_result'
sql_mysql.c:184: attention : l'argument de format n'est pas un pointeur (arg 3)
sql_mysql.c: Dans la fonction « sql_num_fields »:
sql_mysql.c:202: error: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:207: attention : implicit declaration of function `mysql_num_fields'
sql_mysql.c:211: attention : l'argument de format n'est pas un pointeur (arg 3)
sql_mysql.c: Dans la fonction « sql_num_rows »:
sql_mysql.c:257: error: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:260: attention : implicit declaration of function `mysql_num_rows'
sql_mysql.c: Dans la fonction « sql_fetch_row »:
sql_mysql.c:277: error: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:286: attention : implicit declaration of function `mysql_fetch_row'
sql_mysql.c:286: attention : affectation transforme un entier en pointeur sans transtypage
sql_mysql.c: Dans la fonction « sql_free_result »:
sql_mysql.c:305: error: `mysql_sock' undeclared (first use in this function)
sql_mysql.c:308: attention : implicit declaration of function `mysql_free_result'
sql_mysql.c: Dans la fonction « sql_error »:
Freeradius + PEAT/TLS + MsWindowsXP Client = :-(
Hi radfriends!

I'm going insane reading the next error message 400 times a day... What am I doing wrong? I've changed almost everything in radiusd.conf; sometimes I get an error message talking about a realm suffix and the @ delimiter, sometimes it talks about the LM-Password, NT-Password. Well, I think I'm lost...

Sorry for disturbing and thanks in advance.

PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = \006E=691 R=1
        EAP-Message = 0x04060004
        Message-Authenticator = 0x
PEAP: Processing from tunneled session code 0x9040ff0 3
        MS-CHAP-Error = \006E=691 R=1
        EAP-Message = 0x04060004
        Message-Authenticator = 0x

--
_
'There's more than one way to do it'
Linux Registered User #368181
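A decoder for the MS-CHAP-Error value shown in the debug output above, written as an added example that is not part of the original thread or of FreeRADIUS. The attribute layout (one Ident byte, then the failure string) follows RFC 2548 and the field and code names follow RFC 2759 section 6; the function names and the sample lines are constructed for the illustration.

```python
import re

# Failure codes defined for the MS-CHAP-V2 Failure packet in RFC 2759, section 6.
MSCHAP_FAILURE_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def parse_mschap_error(value):
    """Decode an MS-CHAP-Error value as it appears in debug output.

    Layout: <Ident byte> E=<code> R=<0|1> [C=<challenge>] [V=<version>] [M=<text>]
    """
    ident = None
    octal = re.match(r"\\([0-7]{3})", value)
    if octal:                                    # Ident printed as an escape: \006
        ident = int(octal.group(1), 8)
        value = value[octal.end():]
    elif value and ord(value[0]) < 0x20:         # Ident present as a raw byte
        ident, value = ord(value[0]), value[1:]

    message = None
    if " M=" in value:                           # M= is free text up to the end
        value, message = value.split(" M=", 1)

    fields = dict(tok.split("=", 1) for tok in value.split() if "=" in tok)
    if not fields.get("E", "").isdigit():
        raise ValueError("no E=<code> field in %r" % value)

    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_FAILURE_CODES.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": fields.get("V"),
        "message": message,
    }


ATTR_LINE = re.compile(r"MS-CHAP-Error\s*=\s*(.+)$")


def failures_in_debug(lines):
    """Return one decoded dict per MS-CHAP-Error line found in debug output."""
    decoded = []
    for line in lines:
        match = ATTR_LINE.search(line.strip())
        if not match:
            continue
        try:
            decoded.append(parse_mschap_error(match.group(1).strip().strip('"')))
        except ValueError:
            continue                             # attribute present but unparsable
    return decoded


# Constructed sample: the debug lines from the message above, one per line.
SAMPLE_DEBUG = [
    r"PEAP: Got tunneled reply RADIUS code 3",
    r"        MS-CHAP-Error = \006E=691 R=1",
    r"        EAP-Message = 0x04060004",
    r"PEAP: Processing from tunneled session code 0x9040ff0 3",
    r"        MS-CHAP-Error = \006E=691 R=1",
]

if __name__ == "__main__":
    for failure in failures_in_debug(SAMPLE_DEBUG):
        print(failure["code"], failure["name"],
              "retry allowed" if failure["retry_allowed"] else "no retry")
```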
Re: FreeRadius with LDAP
dbx is your friend... But check to see that the ldap module actually built... unless you've got things installed in the default places, it can take a little work to get the ldap module to compile on Solaris...

José Berenguer wrote:
> Hello!
>
> We are trying to authenticate the last version of freeradius (1.0.1) in Solaris 9 against LDAP and we are always getting the same error when we try to start radius with the command:
>
> /usr/local/sbin/radiusd -S -X
>
> You can view the radiusd.conf and users files, and the error we get is this:
>
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = (null)
>  exec: input_pairs = request
>  exec: output_pairs = (null)
>  exec: packet_type = (null)
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = crypt
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Segmentation Fault
>
> Anyone can help us?
>
> Thanks very much!
Grouping accounts
Hi,

Currently our users log on to our system and are authenticated by the Radius server. Then, when they access a server, they log in with local user accounts. Sometimes these accounts are the same name as the Radius account they logged into originally, but not always.

Is it possible, using FreeRadius, to group these accounts together and have all access controlled by the Radius server.

For instance: joeuser logs into the system and is authenticated by Radius. He then logs onto the ftp server. Can this be authorized by Radius using a different id/password but as a subset of joeuser so he can still be tracked and billed using just the main Radius account?

Thanks,
Steven Wayne
RE: FreeRadius with LDAP
Rlm_ldap needs some openldap libraries to compile well on solaris. One solution is to install OpenLDAP even if you use Sun LDAP. This way the module will compile.

Regards,

--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Michael Mitchell
Sent: Friday, 18 February 2005 13:30
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius with LDAP

dbx is your friend... But check to see that the ldap module actually built... unless you've got things installed in the default places, it can take a little work to get the ldap module to compile on Solaris...

José Berenguer wrote:
> Hello!
>
> We are trying to authenticate the last version of freeradius (1.0.1) in Solaris 9 against LDAP and we are always getting the same error when we try to start radius with the command:
>
> /usr/local/sbin/radiusd -S -X
>
> You can view the radiusd.conf and users files, and the error we get is this:
>
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = (null)
>  exec: input_pairs = request
>  exec: output_pairs = (null)
>  exec: packet_type = (null)
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = crypt
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Segmentation Fault
>
> Anyone can help us?
>
> Thanks very much!
simultaneous use in wireless network
I want to prevent people from connecting with the same login more than once in a wireless network with Cisco AP1100.

First, when I use radcheck I have results like this:

checkrad -d cisco 195.220.107.35 981 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'xxx' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.981
user at port S981: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'xxx' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
Returning 0 (login ok)
sentinelle raddb # checkrad -d cisco 195.220.107.35 980 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'xxx' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.980
user at port S980: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c '' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
Returning 0 (login ok)
sentinelle raddb # checkrad -d cisco 195.220.107.35 900 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c '' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.900
user at port S900: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c '' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
Returning 0 (login ok)
sentinelle raddb # checkrad -d cisco 195.220.107.35 10 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c '' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.10
user at port S10:
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'xxx' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
Returning 0 (login ok)
sentinelle raddb # checkrad -d cisco 195.220.107.35 1000 SNMP 0
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'xxx' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.1000
user at port S1000: Instance
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'xxx' 195.220.107.35 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
Returning 0 (login ok)
sentinelle raddb #

How must I understand this result? It seems to me that NAS-Port and session id could be arbitrary, because the NAS-Port of the last response from the server was 981, and why does it tell me the same thing with NAS-Port = 1000?

Second, when someone is connected on one AP and tries to connect on another AP, how will checkrad see the first connection?

Here is the aaa configuration of an AP:

aaa new-model
!
!
aaa group server radius rad_eap
 server xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group radius
aaa session-id common

Thanks for help,
basile

--
bmathieu [EMAIL PROTECTED]
Re: Error in radius.log
On Fri, 18 Feb 2005 07:22:42 + nake116 nake116 [EMAIL PROTECTED] wrote:

> Fri Feb 18 06:26:50 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
> Fri Feb 18 06:26:50 2005 : Info: Using deprecated clients file. Support for this will go away soon.
> Fri Feb 18 06:26:50 2005 : Info: Using deprecated realms file. Support for this will go away soon.
> Fri Feb 18 06:26:50 2005 : Error: rlm_eap_tls: conf N ctx stored
> Fri Feb 18 06:26:50 2005 : Info: Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Fri Feb 18 06:26:50 2005 : Info: Ready to process requests.
>
> What is cause of this problem ?, and how to fix it ?

Delete the naslist, clients and realms files from the configuration directory. Freeradius now uses SQL or other files for the same purpose.

--
Siderite [EMAIL PROTECTED]
Set EAP-TLS and Postgresql
I am confused about how to set up freeradius with
1. EAP-TLS
2. a Postgresql database

I don't know the right way to set the config file. I just sent my project to my teacher in this month (THAILAND).

Please give me a tip about setting it up, or a HOW TO document. I searched on google and read several sources but I don't have the right way... Please... Please.

If somebody knows the URL or the source that can make me understand HOW TO set the config of Freeradius with EAP-TLS and a Postgresql database, please tell me...

Thank you very much
howto check authorizations on a regular time basis ?
Hello,

I'm testing freeRadius 1.0.1 to manage a WLAN network by using EAP-TLS. Even if the freeRadius server is a NetBSD-2.99.14/i386 OS running in a VMware 3.x (host OS is windows XP), it's working nice ;-)

My EAP-TLS stuff is working, but I've noticed that once a wireless client (supplicant) is allowed to use the WLAN network, the AP (freeRadius client in terminology) never re-checks authorization of the supplicant to use this wireless network until the supplicant is leaving this WLAN network then comes back.

I would like that the Access Point re-checks authorization of supplicants every hour for instance without ending its wireless session if the authorization (and authentication) is still ok.

I've tried to modify my attrs file like this (copy below), but since I did not find the exact meaning of Session-Timeout and Idle-Timeout keywords, it's a bit empirical (and does not work, of course). I designed my conf. with short values just for debugging purposes (30 sec and 60 sec).

$ cat /etc/raddb/attrs
[snip]
DEFAULT
[snip]
        Session-Timeout = 30,
        Idle-Timeout = 60,
[snip]

Any clue?

Thanks in advance for any reply,
Pierre Bourgin
rlm_ippool - reliance on NAS-Port parameter
The rlm_ippool module appears to rely on the NAS IP address and the NAS-Port parameter to mark down IP addresses as being used. This makes sense to me if you are using something like a modem bank or some NAS that actually has ports but what if your NAS is something that doesn't rely on ports in that way? For instance a router that is sending radius auth requests for VPN users, there is no physical port like a modem bank would have.

In my specific case I am using radius auth requests from a piece of equipment which doesn't care about port and specifies a NAS-Port-Type = Virtual. This obviously doesn't work with rlm_ippool since it requires NAS-Port. I was unable to find a way around this issue, I thought maybe I could rewrite parameters but I don't think that would work. I do receive a Calling-Station-ID which could be used as a unique identifier if I could get rlm_ippool to use this parameter instead but short of changing the source code I couldn't find a way.

I'm a little confused as to the necessity of having the NAS-Port because wouldn't a normal accounting Stop packet have the IP address in it anyway which would tell rlm_ippool which IP to free up.

-Jeff
Re: howto check authorizations on a regular time basis ?
Pierre Bourgin wrote:
> My EAP-TLS stuff is working, but I've noticed that once a wireless client (supplicant) is allowed to use the WLAN network, the AP (freeRadius client in terminology) never re-check authorization of the supplicant to use this wireless network until the supplicant is leaving this WLAN network then comes back.

Look at your AP documentation.

> I would like that the Access Point re-checks authorization of supplicants every hour for instance without ending its wireless session if the authorization (and authentication) is still ok.

Look at your AP documentation.

> I've tried to modify my attrs file like this (copy below), but since I did not find the exact meaning of Session-Timeout and Idle-Timeout keywords,

Session-Timeout = seconds after which the session has to be terminated
Idle-Timeout = seconds that the user did nothing (was idle) after which to terminate the session

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be
Re: Set EAP-TLS and Postgresql
nake116 nake116 wrote:
> I have confuse about to set freeradius with 1.EAP-TLS 2.use Postgresql Database I don't know the right way to set config file

You could start with http://www.google.com/search?q=Freeradius+EAP-TLS+Postgresql

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be
Re: Config file 1.radiusd.conf ,2.postgresql.conf to use postgresql
nake116 nake116 [EMAIL PROTECTED] wrote:
> I want to use postgresql , and I config file follow guide please tell me it is true ?

What guide did you follow?

> 1.radiusd.conf ...

Hmmm... you've seriously edited the file. Why?

> noresetcounter --what is for ?

If you don't know, why did you put it there?

Please start with the default configuration that ships with the server. It works. Make as few changes as possible to get postgresql to work. The more changes you make without understanding them, the more likely it is that the server won't do what you want.

Alan DeKok.
Re: 1.0.1 + MPPE
Denis Shaposhnikov [EMAIL PROTECTED] wrote:
> MS-MPPE-Recv-Key = 0xacf70aae5a8f00777af15a1b6fe0606d
> MS-MPPE-Send-Key = 0x90a47bd168ebfc11af4d29b85443494d
> MS-MPPE-Encryption-Policy = 0x0001
> MS-MPPE-Encryption-Types = 0x0006
> Finished request 29
>
> And cisco again said:
>
> MPPC: no encryption keys available, disabling optional MPPE.

shrug FreeRADIUS is sending them. Ask Cisco why their NAS is ignoring the MPPE keys.

Alan DeKok.
Re: problem with radutmp
bmathieu [EMAIL PROTECTED] wrote:
> I have got a problem with radutmp. Maybe I forgot something, but I can't see what. I have configured the radutmp module and activated it in the accounting section, but I have no radutmp file, and when I use radwho there's nobody logged in.

See the FAQ. Is the NAS sending accounting packets? If not, there's nothing to log...

Alan DeKok.
Re: Freeradius + PEAT/TLS + MsWindowsXP Client = :-(
Javier Piñero [EMAIL PROTECTED] wrote:
> I'm getting insane reading the next error message 400 times a day... What am I doing wrong? I've changed almost everything in radiusd.conf,

That's most likely the problem. The default configuration works. Change as little as possible.

Alan DeKok.
Re: Grouping accounts
Steven Wayne [EMAIL PROTECTED] wrote:
> joeuser logs into the system and is authenticated by Radius. He then logs onto the ftp server. Can this be authorized by Radius using a different id/password but as a subset of joeuser so he can still be tracked and billed using just the main Radius account?

If you have some way to tie that id to joeuser. There's no standard way to do that, though.

Alan DeKok.
Re: howto check authorizations on a regular time basis ?
Pierre Bourgin [EMAIL PROTECTED] wrote:
> I've tried to modify my attrs file like this (copy below), but since I did not find the exact meaning of Session-Timeout and Idle-Timeout keywords,

http://www.freeradius.org/rfc/attributes.html

Alan DeKok.
Re: rlm_ippool - reliance on NAS-Port parameter
Jeff Synnestvedt [EMAIL PROTECTED] wrote:
> The rlm_ippool module appears to rely on the NAS IP address and the NAS-Port parameter to mark down IP addresses as being used. This makes sense to me if you are using something like a modem bank or some NAS that actually has ports but what if your NAS is something that doesn't rely on ports in that way?

http://bugs.freeradius.org/show_bug.cgi?id=42

> I'm a little confused as to the necessity of having the NAS-Port because wouldn't a normal accounting Stop packet have the IP address in it anyway which would tell rlm_ippool which IP to free up.

Normally, yes. Not all NASes are normal.

Alan DeKok.
Re: howto check authorizations on a regular time basis ?
Thor Spruyt wrote:
> Pierre Bourgin wrote:
> > My EAP-TLS stuff is working, but I've noticed that once a wireless client (supplicant) is allowed to use the WLAN network, the AP (freeRadius client in terminology) never re-check authorization of the supplicant to use this wireless network until the supplicant is leaving this WLAN network then comes back.
>
> Look at your AP documentation.
>
> [...]
>
> > I've tried to modify my attrs file like this (copy below), but since I did not find the exact meaning of Session-Timeout and Idle-Timeout keywords,
>
> Session-Timeout = seconds after which the session has to be terminated
> Idle-Timeout = seconds that the user did nothing (was idle) after which to terminate the session

OK, thanks for your reply and these definitions.

Regards,
Pierre Bourgin
How to authenticate user who browse the internet with mod_auth_radius
Hi all, Currently I manage to authenticate users who log in to a localhost web server. Is it possible to authenticate users who want to browse the internet, using mod_auth_radius? Can it be done?
Re: How to authenticate user who browse the internet with mod_auth_radius
Please send PLAIN TEXT mails!
http://www.freeradius.org/mod_auth_radius/
- Original Message -
From: chiam kuosiang
To: freeradius-users@lists.freeradius.org
Sent: Friday, February 18, 2005 6:51 PM
Subject: How to authenticate user who browse the internet with mod_auth_radius
Hi all, Currently I manage to authenticate users who log in to a localhost web server. Is it possible to authenticate users who want to browse the internet, using mod_auth_radius? Can it be done?
Re: Grouping accounts
> Hi, Currently our users log on to our system and are authenticated by the Radius server. Then, when they access a server, they log in with local user accounts. Sometimes these accounts are the same name as the Radius account they logged into originally, but not always. Is it possible, using FreeRadius, to group these accounts together and have all access controlled by the Radius server. For instance: joeuser logs into the system and is authenticated by Radius. He then logs onto the ftp server. Can this be authorized by Radius using a different id/password but as a subset of joeuser so he can still be tracked and billed using just the main Radius account?
> Thanks, Steven Wayne
I would really try to move to the same username/password pair for all users. It will uncomplicate your work a lot. Proftpd supports radius as well as sql and ldap for authentication. So you could switch your FTP server to use proftpd and then have it use radius to authenticate. Or if your users are stored in a backend like ldap or sql, you could connect directly to it instead of using radius. If you do that, you will need to add some more things to your radius/backend, such as user homedir, shell, uid, gid, but it would be worth it in the long run.
Re: CHAP / PAP ?
Mike, That did it. I changed the users file in /etc/raddb/
    # First setup all accounts to be checked against the UNIX /etc/passwd.
    # (Unless a password was already given earlier in this file).
    #
    DEFAULT Auth-Type = System
        Fall-Through = 1
to:
    DEFAULT Auth-Type = PAP
        Fall-Through = 1
Then change in the radiusd.conf in /etc/raddb/. In the Modules section for the PAP module change:
    pap {
        encryption_scheme = crypt
    }
to:
    pap {
        encryption_scheme = clear
    }
This will allow the webtv receivers to authenticate with freeradius using PAP. And it will still use CHAP for the PC users. BIG THANKS to you Mike. And a BIG THANKS to you Alan for your input also.
Joel
- Original Message -
From: Joel Eddy [EMAIL PROTECTED]
To: Joel Eddy [EMAIL PROTECTED]
Sent: Thursday, February 17, 2005 10:28 PM
Subject: Fw: CHAP / PAP ?
try this on freeradius to auth PAP
- Original Message -
From: Michael Mitchell [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, February 17, 2005 7:06 PM
Subject: Re: CHAP / PAP ?
Hi Joel, Yep, the default users file sets Auth-Type := System by default. The order, and behaviour of the modules in your 'authorize' section of radiusd.conf determine which Auth-Type is eventually used. I believe that each module will set the Auth-Type appropriately, *IF* the Auth-Type hasn't already been set... I've never really worked out the best way to change this behaviour that still adheres to the intended design, and still get the results I want. If you don't need to process the users file for authorization, you should be able to remove it from the 'authorize' section. Otherwise, if you do need to process the users file, probably the easiest is to change the default behaviour in the users file, i.e. change:
    #
    # First setup all accounts to be checked against the UNIX /etc/passwd.
    # (Unless a password was already given earlier in this file).
    #
    DEFAULT Auth-Type = System
        Fall-Through = 1
to:
    DEFAULT Auth-Type = PAP
        Fall-Through = 1
That should still let CHAP work when specified, but will default to PAP if no other method of authentication has already been specified. This is untested of course, so please report back to me if it worked or not... Alan or others may want to comment on this...
regards, Mike
Joel Eddy [EMAIL PROTECTED] wrote:
> I'm running the server that way at all times. I was reading in the Radius book to run it that way so you can see the log file go by. When I look at it, it says
>     rad_check_password: Found Auth-Type System
>     auth: type System
>     modcall[authenticate]: module unix returns notfound for request 969
>     modcall; group authenticate returns notfound for request 969
>     auth: Failed to validate user
> I know I didn't set auth type to system. Or at least rather sure. I made sure not to set that as I've seen Alan go ape if that gets set. So I didn't want the wrath of Khan for setting it. ;-)
Freeradius and LDAP
I'm new to LDAP and Freeradius. I'm trying to find out if there is a way to configure Freeradius to get information from the LDAP database and assign it to one of the radius attributes (like Framed-IP-Address and Framed-IP-Netmask) for uids that have any of that information in the LDAP database. Thanks for any help. Cris
Called-Station-Id
Hi, I'm using freeradius with mysql and I have an entry in the radgroupcheck table like this:
    groupname      attribute            op    value
    MyGroupName    Called-Station-Id    !=    PhoneNumber
The problem is that there are some NASes that do not send the Called-Station-Id attribute, and then all users that connect to those NASes are rejected because there is no Called-Station-Id in the request. I think there must be some way to configure the server so that it checks the Called-Station-Id only if this attribute is present in the request and in the other case just ignores it. Is that possible?
Re: Freeradius and LDAP
On Fri, 18 Feb 2005, E L wrote:
> I'm new to LDAP and Freeradius. I'm trying to find out if there is a way to configure Freeradius to get information from the LDAP database and assign it to one of the radius attributes (like Framed-IP-Address and Framed-IP-Netmask) for uids that have any of that information in the LDAP database. Thanks for any help. Cris
ldap.attrmap maps ldap attributes to radius attributes. Say you have Framed-IP-Address in ldap as radiusFramedIPAddress. Then in ldap.attrmap, you would need a line that says
    replyItem Framed-IP-Address radiusFramedIPAddress
That tells freeradius to pull the radiusFramedIPAddress from the directory and add it as a reply item of Framed-IP-Address. Read doc/ldap-howto.txt
Question about radrelay and file deletion/rotation
Okay, hopefully this is a pretty easy question; if I want to go through my large file (accounting packets from all NAS devices) about once a month so it doesn't grow too large, do I have to shut down both radius and radrelay, or can I just shut down radius, do my housecleaning, and start it back up? (In the radius.conf file I'm setting locking=yes for this detail file.) Thanks in advance. t-
-- Terry J Fike Jr System Administrator MTA Solutions 907-793-4100 [EMAIL PROTECTED]
Re: Freeradius and LDAP
You may want to read http://www.linuxchange.com/opendocs/howto/authentication/radius/index.es.html however, it's in Spanish. LD
Exec-Program-Wait and logging failed password
I'm getting what seems to be an unexplained radius.log entry due to interaction between rejected access due to bad password and rejected access due to Exec-Program-Wait returning a non-zero value. Do I misunderstand the documentation, or is this a bug? Can anyone suggest a work-around, short of writing my own logging function (which I'll do if I have to)? Debug output and users file are included at the end of this message.
When the external program is not involved, the logging mechanism works as expected using the configuration shown below: only failed passwords show up in radius.log. Good passwords are not displayed.
in radius.conf:
    log_auth = yes
    log_auth_badpass = yes
    log_auth_goodpass = no
When the external program is in the picture (same radius.conf), the following happens:
If the password is good, and the external program returns 0, the access is accepted and the good password is not logged. This is expected behavior. Log entry looks like this:
===
Wed Feb 16 15:55:53 2005 : Auth: Login OK: [dls] (from client BAMNet002 port 1 cli 6096318457)
===
If the password is BAD, the external program isn't executed, as I would expect, and I get a log entry that looks like this, which includes the bad password, also as expected:
===
Wed Feb 16 15:57:56 2005 : Info: rlm_sql (sql): No matching entry in the database for request from user [dls]
Wed Feb 16 15:57:56 2005 : Auth: Login incorrect: [dls/badpasswd] (from client BAMNet002 port 1 cli 6096318457)
Wed Feb 16 15:58:17 2005 : Error: rlm_radutmp: Logout for NAS BAMNet002 port 1, but no Login record
===
The error message regarding rlm_radutmp looks odd, but appears to cause no problem. I think the NAS is getting confused, but I'll look into that later.
- - - - - - - - - - -
The above two scenarios are working as expected, per the documentation.
Now for the anomalous behavior: If the password is GOOD, but the external program returns a non-zero value based on other user considerations, I would expect NOT to see the good password logged, but it IS logged. Log entry looks like this:
===
Wed Feb 16 16:23:39 2005 : Auth: Login incorrect (external check failed): [dls/mygoodpass] (from client BAMNet002 port 1 cli 6096318457)
===
This results in showing good passwords in the log file, which is a security problem. I do want to show bad passwords, to assist the help desk folks, so I don't want to turn off password logging completely. Is there a way around this? Is this correct behavior given log_auth_goodpass = no?
On a related subject, it would be nice to get the return code value from the external program to show up in the log file. The old Cistron radius provided this. Have I missed some option to add this? It would be nice to see the message in radius.log read (external check failed: 20) or anything that would include the return code. This paragraph has been a feature request. Do not confuse this feature request with the rest of this post regarding the improper logging (I think) of good passwords despite setting log_auth_goodpass = no.
Here are some more details:
Version: freeRADIUS 1.0.1 and freeRADIUS 1.0.2
Authentication via mysql.
Hopefully relevant part of debug output (from 1.0.1 but same result on 1.0.2). This is output from a request with a GOOD password but external check will fail. I expect good password NOT to be logged, but it is.
... ... ...
    rlm_sql (sql): Released sql socket id: 4
    modcall[authorize]: module sql returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: user supplied User-Password matches local User-Password
    radius_xlat: '/home/dls/perl/radscan3'
    Exec-Program: /home/dls/perl/radscan3
    Exec-Program output: Reply-Message = Error 20
    Exec-Program-Wait: plaintext: Reply-Message = Error 20
    Exec-Program: returned: 20
    Login incorrect (external check failed): [dls/mygoodpass] (from client BAMNet002 port 1 cli 6096318457)
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 70 to 8.10.241.74:1645
        Reply-Message := Reply-Message = Error 20
Users file --- DEFAULT
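The post above shows radius.log carrying [user/password] pairs, including a correct password when the rejection comes from the external check. As an added example (not part of the original post and not FreeRADIUS code), this Python filter redacts the password field from such Auth lines and flags the entries whose password was probably valid, so existing logs can be cleaned before they are shared or archived. The sample lines are constructed, and treating only the "external check failed" reason as a post-authentication rejection is an assumption taken from the post.

```python
import re

# One "Auth:" line as it appears in radius.log when log_auth = yes, e.g.
#   <timestamp> : Auth: Login incorrect (reason): [user/password] (from client ...)
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: (?P<status>Login OK|Login incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<cred>.*)\] \(from client .*\)\s*$"
)
REDACTED = "<redacted>"

# Assumption: only the reason string shown in the post means "the password
# matched and a later check rejected the login".
POST_AUTH_REASONS = {"external check failed"}


def scrub_line(line):
    """Return (clean_line, finding); finding is None if no password was logged."""
    m = AUTH_LINE.match(line)
    if m is None:
        return line, None
    # The field is "user" or "user/password". A user name that itself contains
    # "/" cannot be told apart, so everything after the first "/" is redacted.
    user, sep, _password = m.group("cred").partition("/")
    if not sep:
        return line, None
    reason = m.group("reason")
    finding = {
        "timestamp": m.group("ts"),
        "user": user,
        "status": m.group("status"),
        "reason": reason,
        # Exposure of a working credential: rotate it, do not just redact it.
        "likely_valid": m.group("status") == "Login OK"
        or reason in POST_AUTH_REASONS,
    }
    clean = line[: m.start("cred")] + user + "/" + REDACTED + line[m.end("cred"):]
    return clean, finding


def scrub_log(lines):
    """Redact every Auth line; return (clean_lines, findings)."""
    clean_lines, findings = [], []
    for line in lines:
        clean, finding = scrub_line(line)
        clean_lines.append(clean)
        if finding is not None:
            findings.append(finding)
    return clean_lines, findings


# Constructed sample lines, modelled on the formats quoted in the post.
SAMPLE_LOG = [
    "Wed Feb 16 15:55:53 2005 : Auth: Login OK: [alice] (from client nas1 port 1 cli 5550100)",
    "Wed Feb 16 15:57:56 2005 : Info: rlm_sql (sql): No matching entry in the database for request from user [alice]",
    "Wed Feb 16 15:57:56 2005 : Auth: Login incorrect: [alice/wrongpw] (from client nas1 port 1 cli 5550100)",
    "Wed Feb 16 16:23:39 2005 : Auth: Login incorrect (external check failed): [alice/correct-horse] (from client nas1 port 1 cli 5550100)",
]

if __name__ == "__main__":
    cleaned, found = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    for f in found:
        if f["likely_valid"]:
            print("rotate password for", f["user"], "logged at", f["timestamp"])
```

Redaction only limits further exposure; any password flagged as likely valid has already been written to disk and should be changed.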
Re: Freeradius and LDAP
Thanks Dustin. I'll give it a try. Thanks to Luis too, but unfortunately I don't speak Spanish. Cris
Re: rlm_ippool - reliance on NAS-Port parameter
On Fri, Feb 18, 2005 at 12:19:05PM -0500, Jeff Synnestvedt wrote:
> I'm a little confused as to the necessity of having the NAS-Port because wouldn't a normal accounting Stop packet have the IP address in it anyway which would tell rlm_ippool which IP to free up.
And if the Stop packet is misplaced, the next Start on that same NAS/port will let rlm_ippool know that that IP address is free.
-- Paul TBBle Hampson, on an alternate email client.
/etc/raddb missing
Hello everyone, I have installed FreeRadius on Solaris 9 as per the install procedure given in the site. And tested with radiusd x and radius seems to be fine. When I was about to configure it, I noticed that there is no folder called /etc/raddb on my server. I couldn't find clients, users.conf anywhere on the machine. Then I read the install documentation again; it said that "Once the main dictionary file has been updated, and the server has been verified to work, all of the other (old) dictionary files in /etc/raddb may be deleted." In usr/local/share/freeradius, I could only find the dictionary files and none of the config files. What is the problem? Would appreciate any help on this.
Thank you, Regards, Janakan Rajendran
Re: /etc/raddb missing
Janakan Rajendran [EMAIL PROTECTED] wrote:
> I have installed FreeRadius on Solaris 9 as per the install procedure given in the site. And tested with radiusd -x and radius seems to be fine. When I am about to configure it, I noticed that there is no folder called /etc/raddb in my server. I couldn't find clients, users.conf anywhere on the machine.
Probably /usr/local/etc/raddb
Watch make install, it tells you where the files are being installed.
Alan DeKok.
Re: Called-Station-Id
On Fri, 18 Feb 2005 [EMAIL PROTECTED] wrote:
> Hi, I'm using freeradius with mysql and I have an entry in the radgroupcheck table like this:
>     groupname      attribute            op    value
>     MyGroupName    Called-Station-Id    !=    PhoneNumber
> The problem is that there are some NASes that do not send the Called-Station-Id attribute, and then all users that connect to those NASes are rejected because there is no Called-Station-Id in the request. I think there must be some way to configure the server so that it checks the Called-Station-Id only if this attribute is present in the request and in the other case just ignores it. Is that possible?
Check the checkval module
-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Radrelay and coredumps...
Okay all you smart people out there, here is one for you. I'm running radius 1.0.0 on a solaris 9 box. Pretty standard config but with 2 detail files instead of one: one file for each nas device, and one file/day for each nas device. When I run radrelay on accounting packets from a 3com termserver, redback, or even our dinosaur of a livingston portmaster I have no problems, but when I try to radrelay packets from a PDSN (Nortel Shasta running simple ip), radrelay doesn't start (in fact, it cores) and if I start with -xx I get
    Bus Error (core dumped)
I'm not having any problems with authentication from this device and I'm still receiving accounting packets from the device. My command line was as follows (only without the \ ):
    /opt/bin/radrelay -a /opt/var/log/radius/radacct/12.21.213.86 -d \
        /opt/etc/raddb -r 209.4.229.75:1813 -S /path/to/filename detail-NAS
From the core (with -xx) [just getting this by doing strings core | more]:
CORE radrelay /opt/bin/radrelay -xx -a /opt/var/log/radius/radacct/12.21.213.86 -d /opt/etc/r CORE SUNW,Sun-Fire-280R CORE rela t/va /rad 13.8 CORE CORE are/freeare/free/opt//shy.cisco. CORE radrelay /opt/bin/radrelay -xx -a /opt/var/log/radius/radacct/12.21.213.86 -d /opt/etc/r CORE are/freeare/free/opt//shy.cisco. CORE SUNW,Sun-Fire-280R CORE CORE SunOS david Generic_112233-11 sun4u CORE CORE CORE are/freeare/free/opt//shy.cisco. CORE an attribute name Expected end of line or comma failed to get value expecting '=' Read a comment instead of a token $Id: token.c,v 1.17 2003/09/12 19:25:29 phampson Exp $ $Id: misc.c,v 1.41.2.1 2004/06/14 15:25:15 aland Exp $ %d.%d.%d.%d %x:%x:%x:%x 0123456789abcdef $Id: log.c,v 1.7 2003/09/12 19:25:29 phampson Exp $ $Id: filters.c,v 1.36 2004/02/26 19:04:20 aland Exp $
... snip out list of all running processes ...
0123456789ABCDEFabcdef Unknown string %s in IPX data filter Invalid character in IP address 0123456789 Unknown IP protocol %s in IP data filter Unknown extra string %s in IP data filter Unknown string %s in IP data filter Invalid string %s in generic data filter Unknown Ascend filter direction %s Unknown Ascend filter action %s Unknown Ascend filter type %s %02x %s %s %s %u %02x more srcipxnet 0x%04x srcipxnode 0x%02x%02x%02x%02x%02x%02x dstipxnet 0x%04x dstipxnode 0x%02x%02x%02x%02x%02x%02x dstipxsock %s 0x%04x srcipxsock %s 0x%04x srcip %d.%d.%d.%d/%d dstip %d.%d.%d.%d/%d est dstport %s %d srcport %s %d $Id: rbtree.c,v 1.10 2004/05/14 08:34:44 aland Exp $ $Id: radrelay.c,v 1.22 2004/04/28 21:22:40 kkalev Exp $
... snip out what looks like binary stuff ...
/opt/etc/raddb Van-Jacobsen-TCP-IP VJ-TCP-IP Shell-User Unix Dialback-Login-User Dialback-Framed-User Login Framed Callback-Login Callback-Framed Exec-User None Local 3Com-Monitor 3Com-Manager 3Com-Administrator
Fri Feb 18 10:24:54 2005
    Acct-Status-Type = Stop
    User-Name = wap
    Event-Timestamp = Feb 18 2005 10:26:31 AKST
    Service-Type = Framed-User
    NAS-IP-Address = 64.4.239.197
    Shasta-Attr-4 = 0x53686173746120353030303a2069534f532028746d292c207064736e2d6d74 632d332e302e3128352900
    Acct-Session-Id = 0b000d73
    3GPP2-Correlation-Id = 0b000d72
    Calling-Station-Id = 09073559898
    NAS-Port = 184552818
    NAS-Port-Type = Virtual
    Framed-IP-Netmask = 255.255.255.255
    3GPP2-IP-Technology = 1
    3GPP2-BSID = 07FA0001013B
    Acct-Authentic = RADIUS
    Framed-IP-Address = 64.4.233.5
    Acct-Input-Octets = 1468
    Acct-Output-Octets = 4612
    Acct-Input-Packets = 22
    Acct-Output-Packets = 9
    Acct-Terminate-Cause = User-Request
    3GPP2-Release-Indicator = 3
    3GPP2-Session-Continue = 0
    Acct-Session-Time = 47
    3GPP2-Bad-PPP-Frame-Count = 0
    3GPP2-Received-HDLC-Octets = 1779
    Client-IP-Address = 12.21.213.86
    Acct-Unique-Session-Id = 609d3811c1efae36
    Timestamp = 1108754694
Fri Feb 18 10:30:20 2005
    Acct-Status-Type = Start
    User-Name = wap
    Event-Timestamp = Feb 18 2005 10:31:58 AKST
    Service-Type = Framed-User
    NAS-IP-Address = 64.4.239.197
    Shasta-Attr-4 = 0x53686173746120353030303a2069534f532028746d292c207064736e2d6d74 632d332e302e3128352900
    Acct-Session-Id = 0b000d74
    3GPP2-Correlation-Id = 0b000d73
    Calling-Station-Id = 09073559993
    NAS-Port = 184552819
    NAS-Port-Type = Virtual
    Framed-IP-Netmask = 255.255.255.255
    3GPP2-Forward-FCH-Mux-Option = 15
    3GPP2-Reverse-FCH-Mux-Option = 13
    3GPP2-Attr-14 = 0x0003
    3GPP2-Attr-15 = 0x00ff
    3GPP2-Service-Option = 33
    3GPP2-Forward-Traffic-Type = 1
    3GPP2-Reverse-Traffic-Type = 1
    3GPP2-FCH-Frame-Size = 0
    3GPP2-Forward-FCH-RC = 3
    3GPP2-Reverse-FCH-RC = 3
    3GPP2-IP-Technology = 1
    3GPP2-BSID = 07FA0001012D
    Acct-Authentic = RADIUS
    Framed-IP-Address = 64.4.233.10
    3GPP2-PCF-IP-Address = 172.16.200.2
    3GPP2-Compulsory-Tunnel-Indicator = 0
    3GPP2-Begin-Session = 1
    Client-IP-Address = 12.21.213.86
    Acct-Unique-Session-Id = cee384ac39a4612c
    Timestamp = 1108755020
Fri Feb 18 10:31:44 2005
    Acct-Status-Type = Stop
    User-Name = wap
    Event-Timestamp
Re: Append realm to username but sorted by dnis
On Tuesday 15 February 2005 08:42, Scott B. Lowe wrote:
> I use dnis to proxy to several radius servers for various clients. One of our clients would like a realm added to the end of their user's username when it is proxied to them. Basically I need to be able to attach a realm on the end of every user coming from a certain dnis before I proxy the request to another radius server. Is this possible? I checked out attr_rewrite but it did not seem to be what I needed. If it is please show me the syntax I should use as I am not familiar with that module at all. Thanks
Take a look at the preproxy_users file used by the rlm_files module. Just put 'files' in the pre-proxy section in radiusd.conf and it should work.
-Kevin
Is it possible to limit access using NAS-IP-Address attribute?
Hi, all. I have an AP which has IP address 10.1.2.5, and Freeradius gets this request according to the log:
    rad_recv: Access-Request packet from host 10.1.2.5:1024, id=171, length=95
        User-Name = Presario 2135AD
        NAS-IP-Address = 10.1.2.5
        NAS-Identifier = AWL500
        State = 0x520972a7955c03b6ae1090d3b8e32c36
        EAP-Message = 0x022a00060d00
        Message-Authenticator = 0x3e4904287b7a5dfdf7f71e5400bc5f46
My notebook has an entry in the /etc/raddb/users file:
    Presario 2135AD Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
        Session-Timeout = 300
Freeradius tells the AP to accept the connection. Later I changed the profile to this:
    Presario 2135AD Auth-Type := EAP, NAS-IP-Address == 10.1.2.6
        Session-Timeout = 300
Freeradius tells the AP to accept the connection again. If I really have 2 APs with IP addresses 10.1.2.5 and 10.1.2.6, how can I limit Presario 2135AD to only have access to 10.1.2.5? Is Freeradius supposed to check the NAS-IP-Address attribute in the request and reject requests which do not match?
Thanks, Vincent Chen