Re: freeradius ntlm_auth
On 4/21/05, Luis Daniel Lucio Quiroz [EMAIL PROTECTED] wrote:
I have just configured freeradius with ntlm, but I dont understand your
problem, Can I help you?
I've just find the real problem I'm stupid, I don't think to read
the log of the server when it boots before but I find that the server
doesn't take care of what I put in the mschap section, for example :
my ms-chap module :
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--domain=mslab
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
}
and when I read the server logs :
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
In fact, I can write everything in my mschap module, nothing is
applied whereas the other section works normally !!!
If you have an idea about the problem, please tell me because I don't
know what I can do to stop it.
Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: EAP-SIM HOWTO
I have the same problem although my RADIUS server is running for two years. I don't know how authenticate the SIM cards?? From: "Giorgos Kostopoulos" [EMAIL PROTECTED] Reply-To: freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: EAP-SIM HOWTO Date: Wed, 13 Apr 2005 15:42:28 +0300 Hi all, Does enybody knows if there is an EAP-SIM HOWTO available? Thank you Giorgos - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Descubre la descarga digital segura. Medio millón de canciones en MSN Music. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius ntlm_auth
I finally resolve this problem by deleting the mschap section and rewrite it. I don't understand why but it works !! Thank you for your help :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Stop simultaneous active directory logins with only one account
Hello, when I authenticate an user who is in the active directory, as freeradius answers it to only know if the account exists, I can log many users in the same time with the same account. I would that only one user can use his account and if another user tries to authenticate him with the same account, he will be rejected. As I use the ntlm_auth command to authenticate users from active directory, can it possible to do that? Thanks, Sylvain Clerc. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
session windows, force radius authentification
hello the team I use radius with an cisco AP and windows 2000 client (EAP TTLS, 802.1x). the question is not directly a radius problem but perhaps someone can help me. I surprise that the user in a session is connect directly. just the first time windows ask me for the authentification. I suppose that windows save the password and the login in the profile of the user. Can I force for each window login the 802.1x authentification and how ? what about a user with 2 radius login ? does he have two windows login ? best regards dom begin:vcard fn:Dominique Dal Ponte n:Dal Ponte;Dominique org;quoted-printable:Universit=C3=A9 de Technologie de Belfort-Montb=C3=A9liard;Centre de Ressource en Informatique adr;quoted-printable:;;Site de S=C3=A9venans;Belfort;;90010;France email;internet:[EMAIL PROTECTED] title;quoted-printable:Responsable R=C3=A9seau, S=C3=A9curit=C3=A9 Syt=C3=A8mes Unix tel;work:+33 3 84 58 31 49 tel;fax:+33 3 84 58 32 77 url:http://www.utbm.fr version:2.1 end:vcard
jradius with freeradius, segmentation fault
Hello, I use freeradius 1.0.2 with the jradius module and sometimes I have segmentation fault. I use a 2.4.29 kernel. Core was generated by `radiusd'. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libcrypt.so.1...done. Loaded symbols for /lib/libcrypt.so.1 Reading symbols from /lib/libnsl.so.1...done. Loaded symbols for /lib/libnsl.so.1 Reading symbols from /lib/libresolv.so.2...done. Loaded symbols for /lib/libresolv.so.2 Reading symbols from /lib/libpthread.so.0...done. Loaded symbols for /lib/libpthread.so.0 Reading symbols from /usr/lib/libcrypto.so.0...done. Loaded symbols for /usr/lib/libcrypto.so.0 Reading symbols from /usr/lib/libssl.so.0...done. Loaded symbols for /usr/lib/libssl.so.0 Reading symbols from /usr/local/lib/libradius-1.0.2.so...done. Loaded symbols for /usr/local/lib/libradius-1.0.2.so Reading symbols from /usr/local/lib/libltdl.so.3...done. Loaded symbols for /usr/local/lib/libltdl.so.3 Reading symbols from /lib/libdl.so.2...done. Loaded symbols for /lib/libdl.so.2 Reading symbols from /lib/libc.so.6...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...done. Loaded symbols for /lib/ld-linux.so.2 Reading symbols from /usr/local/lib/libfreetype.so.6...done. Loaded symbols for /usr/local/lib/libfreetype.so.6 Reading symbols from /usr/lib/libz.so.1...done. Loaded symbols for /usr/lib/libz.so.1 Reading symbols from /lib/libnss_files.so.2...done. Loaded symbols for /lib/libnss_files.so.2 Reading symbols from /usr/local/lib/rlm_exec-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_exec-1.0.2.so Reading symbols from /usr/local/lib/rlm_expr-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_expr-1.0.2.so Reading symbols from /usr/local/lib/rlm_pap-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_pap-1.0.2.so Reading symbols from /usr/local/lib/rlm_chap-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_chap-1.0.2.so Reading symbols from /usr/local/lib/rlm_mschap-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_mschap-1.0.2.so Reading symbols from /usr/local/lib/rlm_unix-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_unix-1.0.2.so Reading symbols from /usr/local/lib/rlm_jradius-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_jradius-1.0.2.so Reading symbols from /usr/local/lib/rlm_preprocess-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_preprocess-1.0.2.so Reading symbols from /usr/local/lib/rlm_realm-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_realm-1.0.2.so Reading symbols from /usr/local/lib/rlm_acct_unique-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_acct_unique-1.0.2.so Reading symbols from /usr/local/lib/rlm_files-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_files-1.0.2.so Reading symbols from /usr/local/lib/rlm_detail-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_detail-1.0.2.so Reading symbols from /usr/local/lib/rlm_radutmp-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_radutmp-1.0.2.so Reading symbols from /usr/local/lib/rlm_sql-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_sql-1.0.2.so Reading symbols from /usr/local/lib/rlm_sql_mysql-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_sql_mysql-1.0.2.so Reading symbols from /lib/libm.so.6...done. Loaded symbols for /lib/libm.so.6 Reading symbols from /lib/libnss_dns.so.2...done. Loaded symbols for /lib/libnss_dns.so.2 Reading symbols from /usr/local/lib/rlm_eap-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_eap-1.0.2.so Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_eap_md5-1.0.2.so Reading symbols from /usr/local/lib/rlm_eap_leap-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_eap_leap-1.0.2.so Reading symbols from /usr/local/lib/rlm_eap_gtc-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_eap_gtc-1.0.2.so Reading symbols from /usr/local/lib/rlm_eap_mschapv2-1.0.2.so...done. Loaded symbols for /usr/local/lib/rlm_eap_mschapv2-1.0.2.so #0 0x403cc12b in pack_packet (ba=0xbf3ff874, p=0xdeadbeef) at rlm_jradius.c:262 262 if (pack_vps (pba, p-vps) == -1) return -1; (gdb) bt #0 0x403cc12b in pack_packet (ba=0xbf3ff874, p=0xdeadbeef) at rlm_jradius.c:262 #1 0x403cca23 in rlm_jradius_call (func=4 '\004', instance=0x8150fc0, req=0x81707a0, isproxy=0) at rlm_jradius.c:583 #2 0x403ccdc7 in jradius_accounting (instance=0x8150fc0, request=0x81707a0) at rlm_jradius.c:661 #3 0x08055f48 in call_modsingle (component=3, sp=0x8156348, request=0x81707a0, default_result=7) at modcall.c:219 #4 0x080560e3 in modcall (component=3, c=0x8156348, request=0x81707a0) at modcall.c:344 #5 0x0805605f in call_modgroup (component=3, g=0xbf3f77c4, request=0x81707a0, default_result=7) at modcall.c:252 #6 0x08056167 in modcall (component=3, c=0x8153b90, request=0x81707a0) at modcall.c:335 #7 0x08055bd5
Re: about limit
On Fri, 22 Apr 2005, avudz wrote:
Hello,
sorry for this fool question, perhaps this have been discuss before.
i user freeradius-1.0.2 and dialup admin, the problem is, the
clients still can connect through radius server even the daily limit
is over.
i've implement
http://www.lh.freeradius.org/radiusd/doc/rlm_sqlcounter howto, and
put field like this :
INSERT into radcheck VALUES ('','b','Max-All-Session','400',':=');
but user b still can login after 6 minutes ? so how can i limit the
max-daily-session ?
here is the log from dialup admin :
User is not online now
-
Last Connection Time 2005-04-22 11:03:03
Online Time 33 minutes, 10 seconds
Server 202.78.193.83 (202.78.193.83)
Server Port 0
Workstation 00:E0:4C:13:8B:1B
Upload 152.89 KBs
Download 7.41 KBs
Allowed Session user can login for 0 seconds (Out of daily quota)
--- over quota ?
Usefull User Description -
Run the server in debug mode to see if it is rejecting the user and if things
work as expected.
--
Best regards,
./avd
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stop simultaneous active directory logins with only one account
On Fri, 22 Apr 2005, Sylvain Clerc wrote: Hello, when I authenticate an user who is in the active directory, as freeradius answers it to only know if the account exists, I can log many users in the same time with the same account. I would that only one user can use his account and if another user tries to authenticate him with the same account, he will be rejected. As I use the ntlm_auth command to authenticate users from active directory, can it possible to do that? If i understand you correctly you need to read doc/Simultaneous-Use Thanks, Sylvain Clerc. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy reply attributes
hi.
i have configured radius.conf with these lines:
modules {
...
attr_filter pre_proxy_filter{
attrsfile = ${confdir}/attrs_out
}
...
}
pre-proxy {
...
pre_proxy_filter
...
}
config of the file attrs_out:
DEFAULT
Tunnel-Type !* ANY,
Tunnel-Medium-Type !* ANY,
Tunnel-Private-Group-ID !* ANY
so with this config, i say that any attributes Tunnel-* in proxy
replies packets are removed (i suppose).
the problem is that freeradius isn't removing any of these attributes.
Is this config right ? What can be the problem ?? Any idea's ??
thanks,
Tiago Fernandes
On Thu, 2005-04-14 at 12:54 -0400, Alan DeKok wrote:
Tiago Fernandes [EMAIL PROTECTED] wrote:
what i want to know, is if it's possible to configure the freeradius in
que proxied servers to only send necessary attributes in replies,
even if que attr_filter is configured in the server that is going do
send back only allowed attributes.
That's what attr_filter does. Use it.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
signature.asc
Description: This is a digitally signed message part
RE: No response from Radius server
When I ran radiusd -X, I still got no response from server (time out) on Windows machine, but what I can see on the Radius machine is : Ignoring request from unknown client 192.168.107.115:2043 --Walking the entire request list-- Nothing to do. Sleeping until we see a request. rad-recv: Access-Request packet from host 192.168.107.115:2443, id=2, length=44 At least, I can see the Windows is talking with the Radius. Further assistance will be appreciated. ShawnDavid Jones [EMAIL PROTECTED] wrote: Start radiusd like this radiusd X and you should see it read the config files and it will run in the foreground. The X is extended debug mode. Equivalent to -sfxx. This should let you see where the failure is occurring. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn XuSent: Thursday, April 21, 2005 2:02 PMTo: freeradius-users@lists.freeradius.orgSubject: No response from Radius server I installed Freeradius server on FreeBSD. The installation went well, but I tried to test it, I got no response from Radius server. After I ran radiusd, I got "The Apr 21 14:29:23 2005: Info: Starting-reading configuration files... ", then back to radius# If I ran ps, it seems Radius is not running, because it doesn't show Radiusd. If I ran ps -aux | grep radiusd, it shows root 798 0.0 0.7 4764 3368 ?? ss 2:29pm 0:00:00 radiusd If I tested on another Windows machine with NTRadPing Test Utility, I got no response from server. Any help will be appreciated. Shawn Post your free ad now! Yahoo! Canada PersonalsPost your free ad now! Yahoo! Canada Personals
RE: No response from Radius server
You need to check to make sure that your Windows box is listed in your clients.conf. It has to be listed in there with a secret before the radius server will even start to authenticate requests from it. Take a look at this site and it should help you out a bit http://www.frontios.com/freeradius.html David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Xu Sent: Friday, April 22, 2005 7:04 AM To: freeradius-users@lists.freeradius.org Cc: [EMAIL PROTECTED] Subject: RE: No response from Radius server When I ran radiusd -X, I still got no response from server (time out) on Windows machine, but what I can see on the Radius machine is : Ignoring request from unknown client 192.168.107.115:2043 --Walking the entire request list-- Nothing to do. Sleeping until we see a request. rad-recv: Access-Request packet from host 192.168.107.115:2443, id=2, length=44 At least, I can see the Windows is talking with the Radius. Further assistance will be appreciated. Shawn David Jones [EMAIL PROTECTED] wrote: Start radiusd like this radiusd X and you should see it read the config files and it will run in the foreground. The X is extended debug mode. Equivalent to -sfxx. This should let you see where the failure is occurring. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Xu Sent: Thursday, April 21, 2005 2:02 PM To: freeradius-users@lists.freeradius.org Subject: No response from Radius server I installed Freeradius server on FreeBSD. The installation went well, but I tried to test it, I got no response from Radius server. After I ran radiusd, I got The Apr 21 14:29:23 2005: Info: Starting-reading configuration files... , then back to radius# If I ran ps, it seems Radius is not running, because it doesn't show Radiusd. If I ran ps -aux | grep radiusd, it shows root 798 0.0 0.7 4764 3368 ?? ss 2:29pm 0:00:00 radiusd If I tested on another Windows machine with NTRadPing Test Utility, I got no response from server. Any help will be appreciated. Shawn Post your free ad now! Yahoo! Canada Personals Post your free ad now! Yahoo! Canada Personals
Re: radius and LDAP
On Fri, 22 Apr 2005 16:44:31 -0400 (EDT)
Dustin Doris [EMAIL PROTECTED] wrote:
I have a simple RADIUS auth server with an LDAP as backend on the
same machine for some realms. When authenticating with a BAD
password, the LDAP rejects the authentication, but the radius sends
its reject after the max_request_time (5 secs)
Why is radiusd not sending the reject immediately after it has
received the reject from the LDAP? Did I misconfigure something
somewhere?
Richard.
Please post radiusd -X so we can see what it is doing.
Hmmm, when running radiusd -X it's ok. I run radiusd under supervise
(daemontools from D.J.Bernstein) and then it has this behaviour. But
when running radius as a normal service, the problem also appears.
Now I can remember an issue that the normal logfile only logs stderr
instead of stdout, I see the same thing here (it's freeradius Debian
Sarge 1.02). When setting this:
logdir = /tmp
log_file = ${logdir}/radius.log
the only thing I can see is:
Fri Apr 22 23:24:57 2005 : Info: Using deprecated naslist file. Support
for this will go away soon.
For the rest there's nothing in the logs. I posted something about this
to the list in August 2004:
http://lists.cistron.nl/pipermail/freeradius-users/2004-August/035089.html
R.
FYI: radius -X produces this (like one would expect):
rlm_ldap:
modcall[authenticate]: module ldap_example.com returns
reject for request 0 modcall: group Auth-Type returns reject for request
0 auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed):
[EMAIL PROTECTED] (from client auth1.example.com port 0)
Delaying request 0 for 1 seconds Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 35 to 172.30.0.2:32768
Reply-Message =
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 35 with timestamp 4269668d
Nothing to do. Sleeping until we see a request.
--
___
Mac OS X proves that it's easier to make UNIX pretty than it is to
make Windows secure.
+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Win XP, EAP and Radius
Christian Zawada [EMAIL PROTECTED] wrote: I have this problem with freeradius: rlm_eap: No such EAP type peap You did not configure the PEAP module in the server. See raddb/eap.conf Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can I run two freeradius daemons on the same machine?
On Fri, 22 Apr 2005 15:56:21 -0400 Brian Gao [EMAIL PROTECTED] wrote: Hi all, Does anybody know that can I run two freeradius daemons on the same machine? Greetings, Just set them on different ports. I run one on port 1812, one on port 1635 and one on port (for debugging). Just create a seperate radiusd.conf file (I use entire directories) for each one and use the -d /path/to/radiusd.conf option. -- ·William Ragsdale ·http://www.netonecom.net ·Server Administrator ·Office Hours ·NetOne Communications, Inc. ·Work: 231-734-2917 10AM - 7PM ·2186 US 10 ·FAX: 231-734-6395 ·Sears, MI 49679 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can I run two freeradius daemons on the same machine?
Title: Can I run two freeradius daemons on the same machine? I think this must be possible if you run each on differentports. Ernesto Freyre RamírezJefe de OperacionesQnetSoluciones TecnológicasAv. Paseo de la República 4675 - Lima 34 Telf.: (511) 241-4122 Anexo 2245Fax: (511) 446-8135 Visítenos en: www.qnet.com.pe- Original Message - From: Brian Gao To: freeradius-users@lists.freeradius.org Sent: Friday, April 22, 2005 2:56 PM Subject: Can I run two freeradius daemons on the same machine? Hi all, Does anybody know that can I run two freeradius daemons on the same machine? Thanks Brian
Re[2]: about limit
Hello Kostas,
Friday, April 22, 2005, 6:17:33 PM, you wrote:
KK Run the server in debug mode to see if it is rejecting the user and if
things
KK work as expected.
honestly i don't see any rejecting user message, what should i need to
paste here ? here is radiusd -X result :
# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
Config: including file: /usr/local/etc/raddb/sqlcounter.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
sql: driver = rlm_sql_mysql
sql: server = localhost
sql: port =
sql: login =
sql: password =
sql: radius_db = radius
sql: acct_table = radacct
sql: acct_table2 = radacct
sql: authcheck_table = radcheck
sql: authreply_table = radreply
sql: groupcheck_table = radgroupcheck
sql: groupreply_table = radgroupreply
sql: usergroup_table = usergroup
sql: nas_table = nas
sql: dict_table = dictionary
sql: sqltrace = no
sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
sql: readclients = no
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = %{User-Name}
sql: default_user_profile =
sql: query_on_not_found = no
sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM
radcheck WHERE Username = '%{SQL-User-Name}'
ORDER B
Y id
sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM
radreply WHERE Username = '%{SQL-User-Name}'
ORDER B
Y id
sql: authorize_group_check_query = SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Val
ue,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName =
radg
roupcheck.GroupName ORDER BY radgroupcheck.id
sql: authorize_group_reply_query = SELECT
Re: Can I have multiple authcheck_table in postgresql.conf
Hi all,
I have a freeradius configured with postgresql , both are work well.
Because we have two groups of users in two different authentication tables
in the DB, and I want freeradius will check both table when it get
access-request.
My question is in the configure file ---postgresql.conf, can I add another
authcheck_table, which means can I have two (or multiple)
authcheck_table in that file? Of course I have to create two
tables(radcheck and radcheck_2) in DB first.
Do you think it is possible?if so ,how?
Thanks
Brian
I never use postgres, but could you just use a union on the two tables?
In mysql, it would look something like this.
(SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table1} WHERE
STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER by id) UNION (SELECT
id,UserName,Attribute,Value,op FROM ${authcheck_table2} WHERE
STRCMP(Username, '%{SQL-User-Name}')
I use something like that for reply_queries with mysql, I imagine it would
work for authorization as well.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius and LDAP
richard lucassen [EMAIL PROTECTED] wrote: Forgot to say that reject_delay is set to 1. The reject should be send after 1 second AFAIUI, but it does not. The reject is sent after max_request_time. It's a bug in the server. In the short term, set reject_delay=0 Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy reply attributes
Tiago Fernandes [EMAIL PROTECTED] wrote:
pre-proxy {
...
pre_proxy_filter
That filters attributes BEFORE the packet is sent to the home server.
so with this config, i say that any attributes Tunnel-* in proxy
replies packets are removed (i suppose).
Don't suppose. Read the debugging output of the server.
Is this config right ? What can be the problem ?? Any idea's ??
The config is wrong for what you say you want to do. The debug
output of the server would tell you this.
To debug problems like this, run it in debugging mode, and read the
output. All of it.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius and LDAP
On Fri, 22 Apr 2005 21:35:53 +0200 richard lucassen [EMAIL PROTECTED] wrote: I have a simple RADIUS auth server with an LDAP as backend on the same machine for some realms. When authenticating with a BAD password, the LDAP rejects the authentication, but the radius sends its reject after the max_request_time (5 secs) Why is radiusd not sending the reject immediately after it has received the reject from the LDAP? Did I misconfigure something somewhere? Forgot to say that reject_delay is set to 1. The reject should be send after 1 second AFAIUI, but it does not. The reject is sent after max_request_time. (btw: if reject_delay is set to 0 it immediately sends te reject, but for obvious reasons I don't want this) -- ___ Mac OS X proves that it's easier to make UNIX pretty than it is to make Windows secure. +--+ | Richard Lucassen, Utrecht| | Public key and email address:| | http://www.lucassen.org/mail-pubkey.html | +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can I run two freeradius daemons on the same machine?
Title: Can I run two freeradius daemons on the same machine? Hi all, Does anybody know that can I run two freeradius daemons on the same machine? Thanks Brian
Re: radius and LDAP
On Fri, 22 Apr 2005 23:33:50 +0200
richard lucassen [EMAIL PROTECTED] wrote:
On Fri, 22 Apr 2005 16:44:31 -0400 (EDT)
Dustin Doris [EMAIL PROTECTED] wrote:
I have a simple RADIUS auth server with an LDAP as backend on the
same machine for some realms. When authenticating with a BAD
password, the LDAP rejects the authentication, but the radius
sends its reject after the max_request_time (5 secs)
Why is radiusd not sending the reject immediately after it has
received the reject from the LDAP? Did I misconfigure something
somewhere?
Richard.
Please post radiusd -X so we can see what it is doing.
Hmmm, when running radiusd -X it's ok. I run radiusd under
supervise (daemontools from D.J.Bernstein) and then it has this
behaviour. But when running radius as a normal service, the problem
also appears.
Sorry, I snipped too much when posting this. Forget it.
Now I can remember an issue that the normal logfile only logs stderr
instead of stdout, I see the same thing here (it's freeradius Debian
Sarge 1.02). When setting this:
logdir = /tmp
log_file = ${logdir}/radius.log
the only thing I can see is:
Fri Apr 22 23:24:57 2005 : Info: Using deprecated naslist file.
Support for this will go away soon.
For the rest there's nothing in the logs. I posted something about
this to the list in August 2004:
http://lists.cistron.nl/pipermail/freeradius-users/2004-August/035089.html
R.
FYI: radius -X produces this (like one would expect):
rlm_ldap:
modcall[authenticate]: module ldap_example.com returns
reject for request 0 modcall: group Auth-Type returns reject for
request 0 auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed):
[EMAIL PROTECTED] (from client auth1.example.com port 0)
Delaying request 0 for 1 seconds Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 35 to 172.30.0.2:32768
Reply-Message =
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 35 with timestamp 4269668d
Nothing to do. Sleeping until we see a request.
--
___
Mac OS X proves that it's easier to make UNIX pretty than it is to
make Windows secure.
+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
___
Mac OS X proves that it's easier to make UNIX pretty than it is to
make Windows secure.
+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SQL logging delay issue.
We are running freeradius 0.9.3.1 on RH ES3. CDR accounting records from a Cisco AS5350 are logged to both a detail file and to Postgres SQL running on the same box. The issue appears to be the following: For some calls, our PRI will terminate the call immediately because of unknown number, busy line, etc. So immediate, that freeradius receives both the start, start update, and stop records at basically the same time. The problem this creates is that it appears the insertion of the start record has not completed when the update for the start and then the stop record occurs (multiple handles to the database). This causes the update and stop records to “fall-thru” the update process and do an insertion of a full record for both. Thus I have instances of one CDR record that has three entries, (2 partial and 1 full) in SQL instead of the single entry that 99% of the other CDR record do. I haven’t decided if I should approach this from the Cisco side or from the freeradius side in the form of some type of delay or retry for SQL accounting records. I haven’t been able to find a freeradius configuration parameter that does this. Any ideas? I can provide more info if needed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radius and LDAP
I have a simple RADIUS auth server with an LDAP as backend on the same machine for some realms. When authenticating with a BAD password, the LDAP rejects the authentication, but the radius sends its reject after the max_request_time (5 secs) Why is radiusd not sending the reject immediately after it has received the reject from the LDAP? Did I misconfigure something somewhere? Richard. -- ___ Mac OS X proves that it's easier to make UNIX pretty than it is to make Windows secure. +--+ | Richard Lucassen, Utrecht| | Public key and email address:| | http://www.lucassen.org/mail-pubkey.html | +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Emman S. Loloy [EMAIL PROTECTED] wrote: Is it possible for the output of Exec-Program-Wait become check item? No. See rlm_exec for that functionality. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius and LDAP
On Fri, 22 Apr 2005, richard lucassen wrote: I have a simple RADIUS auth server with an LDAP as backend on the same machine for some realms. When authenticating with a BAD password, the LDAP rejects the authentication, but the radius sends its reject after the max_request_time (5 secs) Why is radiusd not sending the reject immediately after it has received the reject from the LDAP? Did I misconfigure something somewhere? Richard. Please post radiusd -X so we can see what it is doing. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Authentication based on CallingStationId and UserName.
Hi, Can somebody help. I have instances of three groups created i.e. Prepaid_Monthly, CorpMonthly and Staff_Monthly. I used the sqlcounter to restrict the time Max-Session-Time for each group. However, group Staff_Monthly are staff or corporate member of the Business group and they enjoy toll free from the telcos. And they have their own callingstationid different from others. If a user now buy from the prepaid that is cheaper which belong to group Staff_Monthly card, I want access-reject for any other user of other groups who want to use another telcos number to connect to the internet. Can someone advise on how to go about it. What I need to do is how to reject Staff_Monthly users that want to use a card that is meant for the Prepaid_Monthly and CorpMonthly (because their Card is cheap but the telco tariff is at their own expense)to connect to the network. Ade - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: jradius with freeradius, segmentation fault
Schweizer Laurent [EMAIL PROTECTED] wrote: #0 0x403cc12b in pack_packet (ba=0xbf3ff874, p=0xdeadbeef) at rlm_jradius.c:262 That module doesn't come with the server. I suggest asking the author directly. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius and LDAP
On Fri, 22 Apr 2005 17:25:09 -0400 Alan DeKok [EMAIL PROTECTED] wrote: richard lucassen [EMAIL PROTECTED] wrote: Forgot to say that reject_delay is set to 1. The reject should be send after 1 second AFAIUI, but it does not. The reject is sent after max_request_time. It's a bug in the server. In the short term, set reject_delay=0 Like I replied to Dustin, when running radiusd -X everything is like it should be. But for the moment I'll put it to 0. R. -- ___ Mac OS X proves that it's easier to make UNIX pretty than it is to make Windows secure. +--+ | Richard Lucassen, Utrecht| | Public key and email address:| | http://www.lucassen.org/mail-pubkey.html | +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple Pools with ippool
I am using Freeraidus Version: 1.0.1
I am attempting to get multiple pools working, and I am running into a
road block. I have searched google and mailing list archives and have
been unable to come up with a solution.
Here is how my users file is currently setup:
DEFAULT Pool-Name := DEFAULT
Ascend-Client-Primary-DNS = 192.168.1.10,
Ascend-Client-Secondary-DNS = 10.0.0.10,
Fall-Through = yes
adam Password == test
Service-Type = Framed-User,
Ascend-Idle-Limit = 0,
Framed-Protocol = PPP,
Ascend-Call-Type = Switched,
Ascend-PPPoE-Enable = PPPoE-Yes,
Ascend-Call-Type = 0
adam2 Password == test
Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Idle-Limit = 0,
Ascend-Call-Type = Switched,
Ascend-PPPoE-Enable = PPPoE-Yes,
Ascend-Call-Type = 0
Here are snips from my radiusd.conf file:
ippool pool_1 {
range-start = 192.168.1.100
range-stop = 192.168.1.200
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool_1
ip-index = ${raddbdir}/db.ipindex_1
override = no
maximum-timeout = 0
}
ippool pool_2 {
range-start = 10.0.0.100
range-stop = 10.0.0.200
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool_2
ip-index = ${raddbdir}/db.ipindex_2
override = no
maximum-timeout = 0
}
post-auth {
# Get an address from the IP Pool.
pool_1
pool_2
}
With these settings I get the message:
modcall[post-auth]: module pool_1 returns noop for request 0
modcall[post-auth]: module pool_2 returns noop for request 0
and it does not hand out an IP address.
If I change my config to:
DEFAULT Pool-Name := pool_1
Ascend-Client-Primary-DNS = 192.168.1.10,
Ascend-Client-Secondary-DNS = 10.0.0.10,
Fall-Through = yes
It will hand out in IP but only from pool pool_1. How do I make it use
both pools?
Thanks in Advance for the help
Adam
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with Win XP, EAP and Radius
Hello,
I have this problem with freeradius:
rlm_eap: No such EAP type peap
rlm_eap: Failed in EAP select
Login incorrect: [test/no User-Password attribute]
Christian
_here is the complete log file:_
radius:~# freeradius -A -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/freeradius/huntgroups
preprocess: hints = /etc/freeradius/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = /etc/freeradius/users
files: acctusersfile = /etc/freeradius/acct_users
files: preproxy_usersfile = /etc/freeradius/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = /var/log/freeradius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=195,
length=119
User-Name = test
NAS-IP-Address = 192.168.0.1
Framed-MTU = 1496
Called-Station-Id = 00-a0-c5-5c-a2-a2:wlan-22
Calling-Station-Id = 00-20-e0-4d-06-cb
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020d00090174657374
Message-Authenticator = 0x4211f7c5bfdcbd903757e845a50fbd7e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_eap: EAP packet type response id 13 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap
Re: SQL logging delay issue.
Greg Stooksberry [EMAIL PROTECTED] wrote: We are running freeradius 0.9.3.1 You should upgrade to 1.0.2. For some calls, our PRI will terminate the call immediately because of unknown number, busy line, etc. So immediate, that freeradius receives both the start, start update, and stop records at basically the same time. That's fairly dumb... I haven't decided if I should approach this from the Cisco side or from the freeradius side in the form of some type of delay or retry for SQL accounting records. I haven't been able to find a freeradius configuration parameter that does this. Any ideas? I can provide more info if needed. There's no configuration parameter to control this, because I've never heard of this problem before. And I'm not sure what can be done to fix it, either. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OpenLDAP + 802.1x / WPA setup
I have updated my HOWTO on using OpenLDAP as a authentication backend for FreeRADIUS. New additions are * ChilliSpot setup * Using wpa_supplicant for 802.1x wired authentication * Dynamically assigning VLANs on Cisco switches * Other minor things Please check out http://vuksan.com/linux/dot1x/802-1x-LDAP.html and let me know if you have any corrections. Vladimir - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
