Basic Question about group management

2005-04-19 Thread Julien freeradius
Hello,
I'm using FreeRADIUS with MySQL for PPP and have been for two years; everything works 
great. I want to allow some users to use a VPN (Cisco VPN 3000).
I don't have any problem identifying a user in PPP, or identifying a 
user from the concentrator.

But I don't know how to set correctly the group (radgroupreply, 
radgroupcheck) to be able to give:

- Only PPP for some users
- Only VPN for some users
- Both for some users
The only way I have found is using a negation group, e.g. a NOVPN group 
and a NOPPP group. I'm sure this is not the right way to do it. I have read a 
lot of documentation about this, but apparently not the right one.

If someone could send me a link to some documentation, that would be great.
Thanks in advance.
Julien Gabry
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: nas-identifier and ldap.attrmap

2005-04-19 Thread guest01
Solved

Thank you guys, you made my day!! :-)
I didn't know that there was a checkval module in freeradius. 
This module does exactly what I want!!

Thank you very much!!
regards
peda



ip-pool

2005-04-19 Thread Tom Fritz
Hi everybody,

I'm using a Cisco Aironet 1200 AP and I want my laptop to get an IP
address from the ip-pool I specified in the radiusd.conf file.


The radius server is sending the correct Framed-IP-Address with the
Access-Accept message, but it isn't assigned to the connection.

How can I solve this problem?


Thanks
Tom Fritz




Re: rlm_tcl module

2005-04-19 Thread Alexei Chetroi
On Mon, Apr 18, 2005 at 01:27:17PM -0400, Alan DeKok wrote:
 Date: Mon, 18 Apr 2005 13:27:17 -0400
 From: Alan DeKok [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Reply-To: freeradius-users@lists.freeradius.org
 Subject: Re: rlm_tcl module 
 
 Alexei Chetroi [EMAIL PROTECTED] wrote:
Hmm, the documentation states that Tcl was developed as a language that is easy to
  embed in other applications. It's strange to me that it has memory leak
  problems. Anyway, I'm going to do some experiments to see what happens.
 
   It has *intentional* memory leaks.  They're not called memory leaks
 by the TCL people, but they're still problematic.
 
   Long-running TCL scripts, unless they're written carefully, may use
 large amounts of memory.
  Understood. Thanks for the information, I will look further into this issue.

  Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law



Re: deployment question

2005-04-19 Thread Maqbool Hashim
Sorry, what I'm trying to ask is:
What is the most secure way to create a Unix login whose sole function is to execute 
adduser to add users to the /etc/passwd file?  I'm running OpenBSD.  
Hmmm... as I finish writing this question it looks like this is rather 
off topic.  Anyhow, any ideas are welcome.

Thanks
Dustin Doris wrote:
Dustin any input on this one?
Maqbool Hashim wrote:

Hi there,
I've finally come to a decision as to what sort of backend we're going
to use.  Thanks for all the discussion it was very helpful in coming
to the final decision.   Here's what I'm going to go with:
Use the UNIX password file on the machine that holds the radius server
to authenticate users against.  Users will be able to add users on
that machine, with a special login.  They won't have access to the
radius configuration files at all.  Users will only be able to login
to the RADIUS machine over the LAN.
The idea is that we trust our users and they will only be allowed to
login to the RADIUS machine over the LAN.  I was thinking of creating
a UNIX login, which instead of providing a shell, executes a script to
add the new radius user.
Ideas on doing this as securely as possible would be appreciated.  I
have freeradius running on OpenBSD.
 

We have something similar to this in our network.  Users can telnet into
the box and they don't get a shell, but instead are given some kind of
menu.  It's been years since I've looked at it, but I'll see if I can track
down if we still have it and see if I can find anything about it.
Maybe I can send you a partial copy of the code, or at least how it was
built and with what tools.
-Dusty


Radius in daemon mode problem.

2005-04-19 Thread Emil Wilmanski
Hi,

When I start radius with
freeradius -X 
everything works OK. But when I run freeradius in daemon mode (from the
Debian startup scripts) it can't authorize anybody. 

== radius.log ==
Tue Apr 19 10:38:48 2005 : Info: Using deprecated naslist file.  Support
for this will go away soon.
Tue Apr 19 10:38:48 2005 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Tue Apr 19 10:38:48 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql
(module rlm_sql_mysql) loaded and linked
Tue Apr 19 10:38:48 2005 : Info: rlm_sql (sql): Attempting to connect to
[EMAIL PROTECTED]:/radius
Tue Apr 19 10:38:48 2005 : Info: rlm_sql_mysql: Starting connect to
MySQL server for #0
Tue Apr 19 10:38:48 2005 : Info: rlm_sql_mysql: Starting connect to
MySQL server for #1
Tue Apr 19 10:38:48 2005 : Info: Ready to process requests.
Tue Apr 19 10:39:04 2005 : Error: Discarding duplicate request from
client ln_nas01:32979 - ID: 244 due   to unfinished
request 0
Tue Apr 19 10:39:04 2005 : Info: Detach perl 0x81fefe8
Tue Apr 19 10:39:04 2005 : rlm_perl: rlm_perl::Detaching. Reloading.
Done.
Tue Apr 19 10:39:04 2005 : Info: detach at 0x81fefe8 returned status 0
Tue Apr 19 10:39:04 2005 : Info: Detach perl 0x8237590
Tue Apr 19 10:39:04 2005 : rlm_perl: rlm_perl::Detaching. Reloading.
Done.
Tue Apr 19 10:39:04 2005 : Info: detach at 0x8237590 returned status 0
Tue Apr 19 10:39:04 2005 : Info: Detach perl 0x826f548
Tue Apr 19 10:39:04 2005 : rlm_perl: rlm_perl::Detaching. Reloading.
Done.
Tue Apr 19 10:39:04 2005 : Info: detach at 0x826f548 returned status 0
Tue Apr 19 10:39:04 2005 : Info: Detach perl 0x82a7590
Tue Apr 19 10:39:04 2005 : rlm_perl: rlm_perl::Detaching. Reloading.
Done.
Tue Apr 19 10:39:04 2005 : Info: detach at 0x82a7590 returned status 0
Tue Apr 19 10:39:04 2005 : Info: Detach perl 0x81ba658

It is something with rlm_perl, but in -X mode it works OK...

-- 
EW




rlm_perl and perl modules

2005-04-19 Thread Emil Wilmanski
Hi,

Can I use any perl modules in an rlm_perl script?
I try to use DBI and I get 

freeradius: relocation error: /usr/lib/perl5/auto/DBI/DBI.so: undefined
symbol: Perl_Gthr_key_ptr

I try to use Socket and I get

freeradius: relocation error: /usr/lib/perl/5.8/auto/Socket/Socket.so:
undefined symbol: Perl_Tstack_sp_ptr

I'm using Debian with perl 5.8.4 and
DBI 1.46 (but I tested with newer and older).

---


  Ok... I use rlm_perl module:
  
  sql_user_name = %{perl:/etc/freeradius/scripts/UserRealName}
 
   Huh?  I have no idea what you think you're doing here.
 
  but I have new problem... I try to use Mysql perl module...
  
  use Mysql;
 
   Why is your perl script doing SQL stuff?
 
   Alan DeKok.
 

I use the chillispot feature to log users in by their MAC. So I have a different
table, radmaccheck, which has UserName, MacAddresWithClientId, ClientPassword.
So a user can log in automatically (when he starts, chilli tries to log the user in)
using the radmaccheck table, or he can log in normally by his username and
password using the radcheck table. BUT... whether he logs in automatically or by
user/password, it is the same user... so every log in the tables (accounting
and so on) is made using his login. So the UserRealName script tests if the
login is a MAC or not. If it is a MAC, the script returns the real username to log
all data as this user. The second script chooses the table to auth the user.
So I need to use a database connection in the script to get the user's real name from
the table. 
Now I'm using exec to run scripts (PHP and shell) (PHP is faster than
Perl for short scripts like this).
But running scripts every time is slow (chilli sometimes gets a timeout
waiting for the radius response). So I'm looking for a better method to do
this stuff.

-- 
EW




AW: verify server certificate XP supplicant ?

2005-04-19 Thread PhonTom
Hi!

That's right! I had the same problems during my tests. But I didn't try to
solve the problem! Maybe there is a bug in Windows XP??

Bw
tom

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 19 April 2005 12:55
To: freeradius-users@lists.freeradius.org
Subject: Re: verify server certificate XP supplicant ?

I had the same problem.

If I use the software from the wireless card, everything works.
I think it's only a problem of Windows, not freeradius.

Alain

Quoting Riccardo Veraldi [EMAIL PROTECTED]:

 
 Hello,
 I am using EAP-TLS. Windows XP, Cisco 1200 AP, freeradius.
 Everything is working fine unless I enable the verify server 
 certificate checkbox on XP.
 In this case I am not authenticated anymore by the radius server.
 I cannot understand why. I have the CA certificate installed.
 I cannot understand why it does not work.
 Any hints?
 thank you very much
 
 Rick
 
 
 


User Account Expiration

2005-04-19 Thread Jaco van Tonder
I am using freeradius 0.9.3 running with a Postgres SQL db. If I add an 
Expiration attribute to the radcheck table, it only works for the date and 
not the time. For example, it makes no difference if I enter 19 April 2005 
or 19 April 2005 21:00:00 as the expiration value. The server still allows 
access for the whole day on the 19th.

What can be wrong? I have run the server in debug mode but nothing obvious 
gets logged.


Jaco van Tonder 




Re: AW: verify server certificate XP supplicant ?

2005-04-19 Thread Jim Seymour

[Jeopardy-style follow-ups, mis-quoting and excess text corrected...]

PhonTom [EMAIL PROTECTED] wrote:
 
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Quoting Riccardo Veraldi [EMAIL PROTECTED]:
 
  
  Hello,
  I am using EAP-TLS. Windows XP, Cisco 1200 AP, freeradius.
  Everything is working fine unless I enable the verify server 
  certificate checkbox on XP.
  In this case I am not authenticated anymore by the radius server.
  I cannot understand why. I have the CA certificate installed.
  I cannot understand why it does not work.
  Any hints?
  thank you very much
  
  Rick
 
 I had the same problem,
 
 If i take the software from wireless card evrything works.
 i think its only a problem of windows not freeradius.
 
 Alain
 
 Hi!
 
 That's right! I had the same problems during my tests. But I didn't try to
 solve the problem! Maybe there is a bug in Windows XP??

If it's not a real cert, issued by a real CA, traceable back to a
root cert server, it won't verify, yes?

I suppose it would also be possible to run your own cert server and
have the cert validate back to that, as well.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.



Stop Date and Time field

2005-04-19 Thread Abdul Lateef
Hello,

I wanted to put the stop date and time in different fields of the
MySQL database. 
For example, the date should be in StopDate_field and
the time should be in StopTime_field.

How can I add this query in the sql.cfg file?

thank You





reached maximum clones 33 cannot grow

2005-04-19 Thread Emil Wilmanski
Problem like this:

radius_xlat: Running registered xlat function of module perl for string
'getAuthTableName %u'
reached maximum clones 33 cannot grow
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM  WHERE
Username = 'test2' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM  WHERE
Username = 'test2' ORDER BY id
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module sql returns fail for request 22
modcall: group authorize returns fail for request 22

I use:
authcheck_table = %{perl:getAuthTableName %u}

it just returns the table name based on UserName:

if ($action eq 'getAuthTableName') {
    # chillispot logs users in with a MAC of the form xx-xx-xx-xx-xx-xx as the User-Name
    return $config{'macchecktable'} if $a =~ /^\w\w-\w\w-\w\w-\w\w-\w\w-\w\w/;
    return $config{'userchecktable'};
}

-- 
EW




xlat LDAP woes

2005-04-19 Thread Jan-Piet Mens
I'm using FreeRadius 1.0.1 on Linux RHES3 and would like to return
a dynamically constructed Framed-IP-Address. Unfortunately, I can't
get xlat to work correctly for that.

This works when in a user's LDAP entry:

radiusReplyItem: Reply-Message += JP 
%{ldap1:ldap:///dc=retail-sc,dc=com?cn?sub?uid=su00-%n};

and correctly returns Reply-Message = JP 1.1.1.1 to the client,
but this doesn't work:

radiusFramedIPAddress: 
%{ldap1:ldap:///dc=retail-sc,dc=com?cn?sub?uid=su00-%n};

I cannot see why. Any help?

Thanks,
-JP



Re: rlm_perl and perl modules

2005-04-19 Thread Emil Wilmanski
On Tue, 19-04-2005 at 11:03 +0200, Emil Wilmanski wrote:

 Can I use any perl modules in rlm_perl script?

I don't know what the problem is... none of the perl modules work... 

Can't load '/usr/local/lib/perl/5.8.4/auto/Data/Dumper/Dumper.so' for
module
Data::Dumper: /usr/local/lib/perl/5.8.4/auto/Data/Dumper/Dumper.so:
undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68.
 at /usr/local/lib/perl/5.8.4/Data/Dumper.pm line 27

Do I have something wrong with the perl libs?
Is it a problem with my system?

-- 
EW




freeradius ntlm_auth

2005-04-19 Thread Sylvain Clerc
Hello,

I'm using freeradius 1.0.2 with PEAP-MSCHAPv2.
All is OK when I authenticate a user who is in the users file, but
when I want to authenticate a user who is in an Active Directory
database, I get this error:

rad_recv: Access-Request packet from host 10.74.1.110:3072, id=0, length=211
User-Name = mobil
NAS-IP-Address = 10.74.1.110
Called-Station-Id = 000f6610df4b
Calling-Station-Id = 000e35be0159
NAS-Identifier = 000f6610df4b
NAS-Port = 230
Framed-MTU = 1400
State = 0xe344a026b507ba325ecaf835d7dcbe63
NAS-Port-Type = Wireless-802.11
EAP-Message = 
0x02070050190017030100204ac713ab760161e2057ddf6ea635b3eefbe3241b15c89cd1a2777955084d1840170301002015279db846068b3791d9b6b9b187235ab7aef20e0d769d46770cfa3005c33eed
Message-Authenticator = 0xf49104f1efe72794cbee86bf86af00df
Processing the authorize section of radiusd.conf

[...]

rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.


//The problem is here: if the user is in the users file, the following
line is Success, but here...
rlm_eap_peap: Had sent TLV failure, rejecting.



rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 50
modcall: group authenticate returns invalid for request 50
auth: Failed to validate the user.
Delaying request 50 for 1 seconds
Finished request 50
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.74.1.110:3072
EAP-Message = 0x04070004
Message-Authenticator = 0x
Cleaning up request 50 ID 0 with timestamp 4264dda6
Nothing to do. Sleeping until we see a request. 


So, if you have an idea about that, please tell me.
Thank you,
Sylvain Clerc.



sql_mysql problem on compiling freeradius1.0.2 on solaris sparcv9,plz help!

2005-04-19 Thread fan wang
Hi, today I tried to compile freeradius 1.0.2 on Solaris v9. I want to use MySQL as the database server for freeradius. During the process of making freeradius, an error occurred as follows:
ar cru rlm_sql_mysql.a sql_mysql.o
ar: cannot open sql_mysql.o No such file or directory
ar: sql_mysql.o not found
make[10]: *** [rlm_sql_mysql.a] Error 1

I have read some articles about this problem here, and I have tried both the binary version & source version of mysql, but none seems helpful. Is there any opinion about it? Thanks much!

bug in scripts/certs.sh?

2005-04-19 Thread Richard Arkner
I think there's a tiny bug in certs.sh.  Line 21 is
$(SSL)/bin/openssl gendh > dh
but the parentheses should either not be there or should be curly:
${SSL}/bin/openssl gendh > dh
Perhaps this is a shell peculiarity.  I'm using FreeRadius 1.0.2 on 
WhiteBox Linux 2.4.21-20.0.1.EL.  The shell is GNU bash, version 
2.05b.0(1).  With round brackets, bash tries, and fails, to run SSL.
--
Norman Paterson            Senior Scientific Officer
School of Computer Science http://www.dcs.st-and.ac.uk/~norman/
University of St Andrews   Tel +44 (0) 1334 463262



Re: Freeradius-Users digest, Vol 1 #4534 - 14 msgs

2005-04-19 Thread Vicente Barrientos Valdivia
Hi all.

Can freeradius use two databases, MSSQL primary and MySQL secondary?


Thank you.

-- 
Vicente Barrientos V.
Telecommunications Technician
L.@C. Sistemas S.A.
Tel. (511) 422-4959
Email: [EMAIL PROTECTED]



Session resumption

2005-04-19 Thread Bilal Shahid
Does FreeRADIUS v1.0.1 support session resumption (fast reconnect during 
reauthentication) for TLS, TTLS and PEAP?

Thanks,
Bilal


SQL accounting and users on seperate servers

2005-04-19 Thread Greg Ulyatt
I'm trying to get a 2-server SQL setup going where all user data is kept 
on one system, and the accounting is on another. I have tried several 
things (including copying & renaming sql.conf to sqlacct.conf then using 
them both... no joy!)

Of course, I could do this with radrelay, but that seems to be inefficient 
& arduous - is there no way to log directly into one SQL system while 
authenticating against another?



Unsubscribe

2005-04-19 Thread Stewart, Bill
Unsubscribe



Re: SQL accounting and users on seperate servers

2005-04-19 Thread Kostas Kalevras
On Tue, 19 Apr 2005, Greg Ulyatt wrote:
I'm trying to get a 2-server SQL setup going where all user data is kept on 
one system, and the accounting is on another. I have tried several things 
(including copying & renaming sql.conf to sqlacct.conf then using them both... 
no joy!)

Of course, I could do this with radrelay, but that seems to be inefficient & 
arduous - is there no way to log directly into one SQL system while 
authenticating against another?
There is, you can just create multiple sql module instances. Hint: Look at how 
the detail module multiple instances are created and used.


--
Kostas Kalevras     Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Session resumption

2005-04-19 Thread Michael Griego
Not yet.
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Bilal Shahid wrote:
Does FreeRADIUS v1.0.1 support session resumption (fast reconnect during 
reauthentication) for TLS, TTLS and PEAP?

Thanks,
Bilal


RE: Radrelay error

2005-04-19 Thread David Jones
Thanks for the help! Once I created the file and just added the secret, my
command executed and is now populating my secondary accounting server with
data. The key for me was finding out that I need the file with the secret in
it instead of trying to pull it from a clients.conf file on either server. I
wish the docs had spoken more to this instead of implying that you could just
pull it from the clients file. Maybe I am just too thick headed and read a
little too deeply.

Thanks Kevin

David


---
On Monday 18 April 2005 16:35, David Jones wrote:
 So I end up with a command looking like this..
 /usr/local/bin/radrelay -a /var/log/radius/raddact -d /etc/raddb/ \ -S
 /path/to/clients.conf -r localhost:1646 detail combined

 And I get.   Secret in /path/toMerit/clients is to short.

David,

The file holding the secret for radrelay to use must only have that secret
in it.  Something like this...

/usr/bin/radrelay -a /var/log/radius/radacct -d /etc/raddb 
-S /etc/raddb/secret.localhost -r localhost:1646 detail

/etc/raddb/secret.localhost:
testing123

Kevin Bonner




RE: Radrelay error

2005-04-19 Thread Dustin Doris

 Thanks for the help! Once I created the file and just added the secret, my
 command executed and is now populating my secondary accounting server with
 data. The key for me was finding out that I need the file with the secret in
 it instead of trying to pull it from a clients.conf file on either server. I
 wish the docs had spoken more to this instead of implying that you could just
 pull it from the clients file. Maybe I am just too thick headed and read a
 little too deeply.

 Thanks Kevin

 David


Should have read the man page.

man radrelay

   -S secret_file
  Read remote server secret from file, the file should contain
  nothing other then the plain-text secret.




syslog and freeradius

2005-04-19 Thread Norbert Wegener
I want to collect messages from different machines on a single server.
Is it possible to forward freeradius' (1.0.2) logging to another machine?
man radiusd says that -l with the special value syslog sends the log 
information with syslog, and that this option is deprecated:
See log_dir in radiusd.conf.
In radiusd.conf, however, I do not see how this could be achieved.

Norbert Wegener


Re: SQL accounting and users on seperate servers

2005-04-19 Thread Greg Ulyatt
aha! works like a charm. I was mis-reading the docs on that, but I now 
see how it works.

Cheers!
Kostas Kalevras wrote:
On Tue, 19 Apr 2005, Greg Ulyatt wrote:
I'm trying to get a 2-server SQL setup going where all user data is 
kept on one system, and the accounting is on another. I have tried 
several things (including copying & renaming sql.conf to sqlacct.conf 
then using them both... no joy!)

Of course, I could do this with radrelay, but that seems to be 
inefficient & arduous - is there no way to log directly into one SQL 
system while authenticating against another?

There is, you can just create multiple sql module instances. Hint: 
Look at how the detail module multiple instances are created and used.


--
Kostas Kalevras     Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Can Freeradius use 2 distinct databases?

2005-04-19 Thread vicente barrientos

Hi all. 

Can Freeradius use two distinct databases, MSSQL primary on another PC with W2K Server and MySQL secondary on the same PC?

Thank you.




Re: ip-pool

2005-04-19 Thread Alan DeKok
Tom Fritz [EMAIL PROTECTED] wrote:
 The radius server is sending the correct Framed-IP-Address with the
 Access-Accept message, but it isn't assigned to the connection.

  Then the NAS is not doing what it's told.

  Either the NAS is buggy, or you didn't assign Framed-Protocol and
Service-Type, too.  See the RFCs, or your NAS documentation.

  Alan DeKok.




Re: xlat LDAP woes

2005-04-19 Thread Alan DeKok
Jan-Piet Mens [EMAIL PROTECTED] wrote:
 and correctly returns Reply-Message = JP 1.1.1.1 to the client,
 but this doesn't work:
 
   radiusFramedIPAddress: 
 %{ldap1:ldap:///dc=retail-sc,dc=com?cn?sub?uid=su00-%n};

  The LDAP attribute is supposed to be an IP address, not a string
that requires more processing before it becomes an IP address.

  Alan DeKok.




Re: freeradius ntlm_auth

2005-04-19 Thread Alan DeKok
Sylvain Clerc [EMAIL PROTECTED] wrote:
 //The problem is here, if the user is in the users file, the following
 line is Success but here...
 rlm_eap_peap: Had sent TLV failure, rejecting.

  Please read ALL of the debugging output.

  Alan DeKok.



Re: bug in scripts/certs.sh?

2005-04-19 Thread Alan DeKok
Richard Arkner [EMAIL PROTECTED] wrote:
 but the parentheses should either not be there or should be curly:
 
   ${SSL}/bin/openssl gendh > dh

  Fixed, thanks.

  Alan DeKok.



Re: syslog and freeradius

2005-04-19 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
 I want to collect  messages from different machines on a single server .
 Is it possible to forward  freeradius' (1.0.2)  logging to another machine?

  Not really.  It doesn't work in 1.0.2.

  It *does* work in the CVS head.

  Alan DeKok.



Re: rlm_perl and perl modules

2005-04-19 Thread Thor Spruyt
Emil Wilmanski wrote:
 Can I use any perl modules in rlm_perl script?
 I try to use DBI and I get

I don't know about any, but normally they *should* work.
For example, I use the following:
use strict;
use DBI;

Write a normal perl script that uses the module's functions and see if that
works.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be




(no subject)

2005-04-19 Thread Andre Herkenrath
Hi,

I have a very strange problem.
I authenticate a user against a Novell 6 server, which is not the
problem.
But I need some attributes from the authentication brought back to the
NAS.

I put these in the users file and it worked with another server:

Users (complete)
-
DEFAULT Auth-Type := LDAP, Ldap-Group == "CN=WGRAS,O=FKEL"
        Reply-Message = "Welcome, you are allowed to have dialup access",
        Framed-Filter-Id = "std.ppp",
        Fall-Through = 0
--
The Ldap portion of the radiusd.conf (comments removed)


ldap {
        server = 170.56.185.59
        identity = anonymous
        basedn = "OU=Abteilungen,O=FKEL"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupmembership_attribute = radiusGroupName
        timeout = 20
        timelimit = 20
        net_timeout = 10
}

Strangely, the binds take a very long time (up to 8 seconds each) - but
what does this have to do with the attributes not being transmitted??

As I said, the authentication works, but the attributes are missing -
any ideas?

Regards
Andre




Re: rlm_perl and perl modules

2005-04-19 Thread Jakub Wartak
On Tuesday 19 April 2005 11:03, Emil Wilmanski wrote:
 Hi,

 Can I use any perl modules in rlm_perl script?

Yes, you can.

 I try to use DBI and I get

 freeradius: relocation error: /usr/lib/perl5/auto/DBI/DBI.so: undefined
 symbol: Perl_Gthr_key_ptr

 I try to use Socket and I get

 freeradius: relocation error: /usr/lib/perl/5.8/auto/Socket/Socket.so:
 undefined symbol: Perl_Tstack_sp_ptr

 I'm using Debian with perl 5.8.4
 DBI 1.46 (but I tested with newest end older)

It works for me (c) on:
a) FreeBSD 5.x
b) Openwall Linux
c) Slackware Linux 10.0 & 10.1

simple snippet from radiusd.conf:
        perl macauth {
                func_authenticate = authenticate
                func_authorize = authorize
                func_detach = detach
                module = [path_to_script]/auth.pl
        }

simple parts from auth.pl:
#!/usr/bin/perl -W

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# return codes as defined in example.pl, shipped with rlm_perl
use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

# your code here
sub authenticate {
    return RLM_MODULE_OK;
}

sub authorize {
    return RLM_MODULE_NOOP;
}

sub detach {
    return RLM_MODULE_OK;
}

detach;

---8---
but you must remember to return good values from authorize and authenticate 
(look at example.pl in the freeradius source directory or in raddb)

-- 
Jakub Wartak
-vnull
FreeBSD/OpenBSD/Linux/Network Administrator

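Added example, not code from any post in this thread and not FreeRADIUS's own example.pl: an rlm_perl script that fills in the skeleton Jakub shows above for the chillispot MAC-login setup Emil describes in "rlm_perl and perl modules" and "reached maximum clones 33 cannot grow", with both of his lookups (the check-table name and the real user name) done in one persistent interpreter instead of an exec per request. It assumes rlm_perl 1.x conventions (func_xlat = xlat receives the words of %{perl:ACTION ARG} as @_ and returns a scalar; authorize/detach return the RLM_MODULE_* codes from example.pl), a DBI/DBD::mysql build that loads under freeradius, and that radmaccheck.MacAddresWithClientId holds the MAC-style login while radmaccheck.UserName holds the real name; the DSN, credentials and the %config values are constructed placeholders. Two details go beyond the snippet in the thread: the table name the xlat returns is spliced verbatim into SQL text by rlm_sql (the debug output in Emil's post shows `FROM  WHERE` when it came back empty), so the script only ever returns one of two whitelisted names and never an empty string, and the real-name lookup uses a DBI placeholder rather than building SQL from the User-Name.

```perl
#!/usr/bin/perl -w
# Added example for rlm_perl (FreeRADIUS 1.x); not code from the list posts.
# Assumed wiring in radiusd.conf / sql.conf (hypothetical):
#   perl { module = /etc/freeradius/scripts/auth.pl  func_xlat = xlat
#          func_authorize = authorize  func_detach = detach }
#   authcheck_table = %{perl:getAuthTableName %u}
#   sql_user_name   = %{perl:UserRealName %u}
use strict;
use DBI;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes as defined in rlm_perl's example.pl
use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

# Constructed configuration; keep the real thing in a mode-0600 file, it holds a DB password.
my %config = (
    dsn            => 'DBI:mysql:database=radius;host=localhost',   # placeholder
    dbuser         => 'radius',                                      # placeholder
    dbpass         => 'CHANGE-ME',                                   # placeholder
    macchecktable  => 'radmaccheck',   # table names from Emil's description
    userchecktable => 'radcheck',
);

# The only two strings the table-name xlat may ever expand to: rlm_sql puts
# authcheck_table straight into SQL text, so nothing else is allowed out.
my %allowed_table = map { ($_ => 1) } @config{qw(macchecktable userchecktable)};

# chillispot presents the client MAC as the User-Name, e.g. 00-11-22-33-44-55
my $mac_re = qr/^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$/;

my $dbh;   # one persistent handle per interpreter clone, reconnected on demand

sub dbh {
    if (!$dbh || !$dbh->ping) {
        $dbh = DBI->connect($config{dsn}, $config{dbuser}, $config{dbpass},
                            { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
    }
    return $dbh;
}

sub is_mac_login {
    my ($name) = @_;
    return defined $name && $name =~ $mac_re;
}

# Which check table rlm_sql should read for this login.  Never empty.
sub get_auth_table_name {
    my ($login) = @_;
    my $t = is_mac_login($login) ? $config{macchecktable} : $config{userchecktable};
    return $allowed_table{$t} ? $t : $config{userchecktable};
}

# Real user name behind a MAC login, or the login itself for ordinary users.
sub user_real_name {
    my ($login) = @_;
    return $login unless is_mac_login($login);
    my $real = eval {
        my $sth = dbh()->prepare(
            "SELECT UserName FROM $config{macchecktable} WHERE MacAddresWithClientId = ?");
        $sth->execute($login);          # bound parameter: no SQL built from the login
        my ($u) = $sth->fetchrow_array;
        $sth->finish;
        $u;
    };
    # On a DB error or an unknown MAC fall back to the login; an empty string
    # would be spliced into every accounting query as the user name.
    return (defined $real && length($real)) ? $real : $login;
}

# Entry point for %{perl:ACTION ARG}: rlm_perl passes the words as @_.
sub xlat {
    my ($action, $arg) = @_;
    $action = '' unless defined $action;
    return get_auth_table_name($arg) if $action eq 'getAuthTableName';
    return user_real_name($arg)      if $action eq 'UserRealName';
    return '';                       # unknown action: expand to nothing
}

sub authorize {
    # Nothing to add here; both lookups happen through the xlats in sql.conf.
    return RLM_MODULE_NOOP;
}

sub detach {
    $dbh->disconnect if $dbh;
    undef $dbh;
    return RLM_MODULE_OK;
}
```

The whitelist in get_auth_table_name is what turns a wrong or missing %config entry into a harmless fallback to radcheck instead of the `rlm_sql_mysql: MYSQL check_error: 1064` seen in the thread; the same idea applies to any xlat whose result lands inside a query string.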


radreply works even with access-reject

2005-04-19 Thread Lucas Aimaretto
Hi all,

I have the following situation. The user XXX exists in the radcheck
table. He has his password and everything works OK. Upon an
access-request, if the user/password provided are OK, I get an access-accept
response with a reply containing the attribute assigned to the XXX user
in the radreply table.

The rare (rare?) thing is the following:

If the password provided is wrong, I get the access-reject response, but
all the attributes in the radreply table are sent to the NAS ... is this
correct?  Because I do not really want this to happen ...

Thank you in advance

Regards,

Lucas



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RV: radreply works even with access-reject

2005-04-19 Thread Lucas Aimaretto
 I have the following situation. The user XXX exists in the 
 radcheck table. He has its password and everything works ok. 
 Upon an access-request, if user/password provided are ok, I 
 get an access-accept response with a reply containing the 
 attribute assigned to the XXX user in the radreply table.
 
 The rare ( rare? ) thing is the following:
 
 If the password provided is wrong, I get the access-reject 
 response, but all the attributes in the radreply table are 
 sent to the nas ... is this correct? Because, I do not 
 really want this to happen ...
 
 Thank you in advance

I've also discovered that when using CHAP, I get the access-reject, but
the reply-attributes are sent. Whereas, when using Plain-text password
... I also get the access-reject, but no reply-attributes are sent. Any
hint ?

Regards,

Lucas



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl and perl modules

2005-04-19 Thread Emil Wilmanski
 I don't know about any, but normally they *should* work.
 For example, I use the following:
 use strict;
 use DBI;

Hmmm... I need DBI to work :)

 
 Write a normal perl script that uses the module's functions and see if that
 works.
 

All of the normal scripts work perfectly with any module... Only radius says
that it has a problem with the libs. I don't know why. Maybe somebody has an
idea... Maybe perl 5.8.4 is not for this, or I have to compile
freeradius with some other flags. I just use dpkg-buildpackage. 
Any idea? Maybe a wrong path to the libs? (how to set it?)

Thanx for any help.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to use exec and expr

2005-04-19 Thread Ming-Ching Tiew

From: Ming-Ching Tiew [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, April 19, 2005 12:53 PM
Subject: how to use exec and expr


 
 I have exec and expr included in the instantiate{}. Then
 in mssql.conf, somewhere in the middle I do this :-
 
   Acct-Authentic = `%{exec: /bin/echo 123}`
 
 Then I checked the database and the log files, the values
 for Acct-Authentic did not change accordingly. What am
 I doing wrong ? I must be understanding something wrongly .
 

OK I got the attribute changed by using attr_rewrite instead, 
for example,

attr_rewrite getip {
        attribute = Acct-Session-Id
        # search for IP address  aaa.bbb.ccc.ddd
        searchfor = .*[^0-9]\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*
        replacewith = \\1
        append = no
}

The problem I have is the replacewith string. The way I understand it is
that replacewith is a static string. In my case, I would like to
look for a match in the string and strip everything else except the 
matched string.

In shell script, it is something like this :-

 |  sed -e 's/^.*[^0-9]\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\1/'

Note the \1 in the sed command, it strips everything except the matched.
How to do this using the attr_rewrite scheme ?

Cheers
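
As an added example (not from the list post and not rlm_attr_rewrite code), the same extraction in plain Perl, so the searchfor pattern can be checked against sample Acct-Session-Id values before it goes into the module config. The sample values are constructed; the RELAXED variant is an assumption that goes beyond the post by also matching an address at the start of the string.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Perl translation of the BRE used in searchfor above: the address must be
# preceded by a non-digit, exactly as the sed version requires.
my $STRICT = qr/^.*[^0-9]((?:[0-9]{1,3}\.){3}[0-9]{1,3}).*$/;

# Same capture, but also accepting an address that starts the string (the
# BRE's leading [^0-9] misses that case) and refusing to stop inside a 5th octet.
my $RELAXED = qr/(?:^|[^0-9])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])/;

# Return the captured address, or the input unchanged when nothing matches,
# so a session id without an address is passed through rather than emptied.
sub extract_ip {
    my ($value, $re) = @_;
    return $value =~ $re ? $1 : $value;
}

# Constructed Acct-Session-Id samples; the second starts with the address,
# the last carries no address at all.
my @samples = (
    'sess-00000123-192.168.10.77',   # both: 192.168.10.77
    '10.0.0.5/PPP/77',               # strict: unchanged, relaxed: 10.0.0.5
    'plain-session-id',              # both: unchanged
);
for my $s (@samples) {
    printf "%-30s strict=%-28s relaxed=%s\n",
        $s, extract_ip($s, $STRICT), extract_ip($s, $RELAXED);
}
```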




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: redirect

2005-04-19 Thread Dan Bethe

--- Kevin Hoffer [EMAIL PROTECTED] wrote:
 
 Question about re-directing? I have a friend who uses radius who wants pop-up
 
 a 
 message to everyone who signs in through his radio server.

Hi Kevin.  You're looking for a captive portal.

http://www.linuxjournal.com/article/6887




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: (no subject)

2005-04-19 Thread Sayantan Bhowmick

HI

Can you run the server in debug mode and post the messages that you get.

-Sayantan.

[EMAIL PROTECTED] 04/19/05 5:52 pm

 Hi
 
 I have a very strange problem.
 I authenticate a user against a Novell 6 Server which is not the problem.
 But I need some Attributes from the authentication brought back to the NAS.
 I put these in the users file and it worked with another server:
 
 Users complete-
 
 DEFAULT Auth-Type := LDAP Ldap-Group == CN=WGRASO=FKEL
 Reply-Message = Welcome you are allowed to have dialup access
 Framed-Filter-Id = std.ppp
 Fall-Through = 0
 
 --
 
 The Ldap portion of the radiusd.conf comments removed
 
 ldap
 server = 170.56.185.59
 identity = anonymous
 basedn = OU=AbteilungenO=FKEL
 filter = uid=Stripped-User-Name:-User-Name
 start_tls = no
 dictionary_mapping = raddbdir/ldap.attrmap
 ldap_connections_number = 5
 groupmembership_attribute = radiusGroupName
 timeout = 20
 timelimit = 20
 net_timeout = 10
 
 Strangely the binds need a very long time up to 8 seconds each - but
 what has this to do with the not transmitting the Attributes? As I said
 the authentication works but the Attributes are missing - Any Ideas?
 
 Regards
 Andre
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: xlat LDAP woes

2005-04-19 Thread Jan-Piet Mens
On Tue Apr 19 2005 at 18:46:49 CEST, Alan DeKok wrote:

 Jan-Piet Mens [EMAIL PROTECTED] wrote:
  and correctly returns Reply-Message = JP 1.1.1.1 to the client,
  but this doesn't work:
  
  radiusFramedIPAddress: 
  %{ldap1:ldap:///dc=retail-sc,dc=com?cn?sub?uid=su00-%n};
 
   The LDAP attribute is supposed to be an IP address, not a string
 that requires more processing before it becomes an IP address.

Would it be possible and can you please give me a hint, perhaps a pointer to
documentation?

-JP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html