Re: freeradius ntlm_auth
On 4/21/05, Luis Daniel Lucio Quiroz [EMAIL PROTECTED] wrote:
> I have just configured freeradius with ntlm, but I don't understand your problem. Can I help you?

I've just found the real problem. I'm stupid: I didn't think to read the log of the server when it boots, but I found that the server doesn't take care of what I put in the mschap section. For example, my ms-chap module:

mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=mslab --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}

and when I read the server logs:

Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)

In fact, I can write anything in my mschap module, nothing is applied, whereas the other sections work normally!!! If you have an idea about the problem, please tell me, because I don't know what I can do to stop it. Thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: EAP-SIM HOWTO
I have the same problem, although my RADIUS server has been running for two years. I don't know how to authenticate the SIM cards??

From: "Giorgos Kostopoulos" [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: EAP-SIM HOWTO
Date: Wed, 13 Apr 2005 15:42:28 +0300

> Hi all, Does anybody know if there is an EAP-SIM HOWTO available? Thank you
> Giorgos
Re: freeradius ntlm_auth
I finally resolved this problem by deleting the mschap section and rewriting it. I don't understand why, but it works!! Thank you for your help :)
Stop simultaneous active directory logins with only one account
Hello, when I authenticate a user who is in the Active Directory, as freeradius only answers whether the account exists, I can log many users in at the same time with the same account. I would like that only one user can use his account, and if another user tries to authenticate with the same account, he will be rejected. As I use the ntlm_auth command to authenticate users from Active Directory, is it possible to do that?

Thanks,
Sylvain Clerc.
session windows, force radius authentification
hello the team,

I use radius with a Cisco AP and Windows 2000 clients (EAP-TTLS, 802.1x). The question is not directly a radius problem, but perhaps someone can help me. I am surprised that the user in a session is connected directly; only the first time does Windows ask me for the authentication. I suppose that Windows saves the password and the login in the profile of the user. Can I force the 802.1x authentication for each Windows login, and how? What about a user with 2 radius logins? Does he have two Windows logins?

best regards
dom

Dominique Dal Ponte, Responsable Réseau, Sécurité Systèmes Unix
Centre de Ressource en Informatique, Université de Technologie de Belfort-Montbéliard
Site de Sévenans, 90010 Belfort, France
http://www.utbm.fr
jradius with freeradius, segmentation fault
Hello, I use freeradius 1.0.2 with the jradius module and sometimes I have a segmentation fault. I use a 2.4.29 kernel.

Core was generated by `radiusd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libcrypto.so.0...done.
Loaded symbols for /usr/lib/libcrypto.so.0
Reading symbols from /usr/lib/libssl.so.0...done.
Loaded symbols for /usr/lib/libssl.so.0
Reading symbols from /usr/local/lib/libradius-1.0.2.so...done.
Loaded symbols for /usr/local/lib/libradius-1.0.2.so
Reading symbols from /usr/local/lib/libltdl.so.3...done.
Loaded symbols for /usr/local/lib/libltdl.so.3
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/local/lib/libfreetype.so.6...done.
Loaded symbols for /usr/local/lib/libfreetype.so.6
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/local/lib/rlm_exec-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_exec-1.0.2.so
Reading symbols from /usr/local/lib/rlm_expr-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_expr-1.0.2.so
Reading symbols from /usr/local/lib/rlm_pap-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_pap-1.0.2.so
Reading symbols from /usr/local/lib/rlm_chap-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_chap-1.0.2.so
Reading symbols from /usr/local/lib/rlm_mschap-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_mschap-1.0.2.so
Reading symbols from /usr/local/lib/rlm_unix-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_unix-1.0.2.so
Reading symbols from /usr/local/lib/rlm_jradius-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_jradius-1.0.2.so
Reading symbols from /usr/local/lib/rlm_preprocess-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_preprocess-1.0.2.so
Reading symbols from /usr/local/lib/rlm_realm-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_realm-1.0.2.so
Reading symbols from /usr/local/lib/rlm_acct_unique-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_acct_unique-1.0.2.so
Reading symbols from /usr/local/lib/rlm_files-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_files-1.0.2.so
Reading symbols from /usr/local/lib/rlm_detail-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_detail-1.0.2.so
Reading symbols from /usr/local/lib/rlm_radutmp-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_radutmp-1.0.2.so
Reading symbols from /usr/local/lib/rlm_sql-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_sql-1.0.2.so
Reading symbols from /usr/local/lib/rlm_sql_mysql-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_sql_mysql-1.0.2.so
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /usr/local/lib/rlm_eap-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_eap-1.0.2.so
Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_md5-1.0.2.so
Reading symbols from /usr/local/lib/rlm_eap_leap-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_leap-1.0.2.so
Reading symbols from /usr/local/lib/rlm_eap_gtc-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_gtc-1.0.2.so
Reading symbols from /usr/local/lib/rlm_eap_mschapv2-1.0.2.so...done.
Loaded symbols for /usr/local/lib/rlm_eap_mschapv2-1.0.2.so
#0  0x403cc12b in pack_packet (ba=0xbf3ff874, p=0xdeadbeef) at rlm_jradius.c:262
262         if (pack_vps (pba, p->vps) == -1) return -1;
(gdb) bt
#0  0x403cc12b in pack_packet (ba=0xbf3ff874, p=0xdeadbeef) at rlm_jradius.c:262
#1  0x403cca23 in rlm_jradius_call (func=4 '\004', instance=0x8150fc0, req=0x81707a0, isproxy=0) at rlm_jradius.c:583
#2  0x403ccdc7 in jradius_accounting (instance=0x8150fc0, request=0x81707a0) at rlm_jradius.c:661
#3  0x08055f48 in call_modsingle (component=3, sp=0x8156348, request=0x81707a0, default_result=7) at modcall.c:219
#4  0x080560e3 in modcall (component=3, c=0x8156348, request=0x81707a0) at modcall.c:344
#5  0x0805605f in call_modgroup (component=3, g=0xbf3f77c4, request=0x81707a0, default_result=7) at modcall.c:252
#6  0x08056167 in modcall (component=3, c=0x8153b90, request=0x81707a0) at modcall.c:335
#7  0x08055bd5
Re: about limit
On Fri, 22 Apr 2005, avudz wrote:
> Hello, sorry for this foolish question, perhaps this has been discussed before. I use freeradius-1.0.2 and dialup admin. The problem is, the clients can still connect through the radius server even when the daily limit is over. I've implemented the http://www.lh.freeradius.org/radiusd/doc/rlm_sqlcounter howto, and put a field like this:
>
> INSERT into radcheck VALUES ('','b','Max-All-Session','400',':=');
>
> but user b can still log in after 6 minutes? So how can I limit the max-daily-session? Here is the log from dialup admin:
>
> User is not online now - Last Connection Time 2005-04-22 11:03:03
> Online Time 33 minutes, 10 seconds
> Server 202.78.193.83 (202.78.193.83)
> Server Port 0
> Workstation 00:E0:4C:13:8B:1B
> Upload 152.89 KBs
> Download 7.41 KBs
> Allowed Session user can login for 0 seconds (Out of daily quota) --- over quota ?
> Usefull User Description -

Run the server in debug mode to see if it is rejecting the user and if things work as expected.

> --
> Best regards,
> ./avd

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]		National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
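An added note on the config side, not part of this exchange: in the sqlcounter.conf shipped with 1.x, each sqlcounter instance fires only on the check item named in its check-name, so the attribute chosen in radcheck decides which counter, if any, applies. Max-All-Session is the check-name of the noresetcounter instance, a lifetime total that never resets; the daily quota is the dailycounter instance keyed on Max-Daily-Session. The fragments below are the stock dailycounter definition (MySQL-specific query as shipped; use the one in your own copy if it differs) plus the two pieces that have to go with it. Table and column names are the 1.x defaults.

```text
# sqlcounter.conf: the stock 1.x daily counter. It only acts on users whose
# check items include Max-Daily-Session.
sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

# radiusd.conf: an instance that is not listed in authorize is never called,
# however well it is configured. It has to come after sql, which is what
# puts the Max-Daily-Session check item on the request.
authorize {
        preprocess
        suffix
        sql
        dailycounter
}

# radcheck: the attribute name must match check-name exactly; the op is :=
INSERT INTO radcheck (UserName, Attribute, op, Value)
        VALUES ('b', 'Max-Daily-Session', ':=', '400');
```

Two things to keep in mind when reading the result. The counter sums AcctSessionTime from radacct, so a session in progress adds nothing until the NAS has sent a Stop or an interim update for it; a user under quota gets Session-Timeout set to the remaining seconds, which is what makes the NAS cut the call at the limit, and a user over quota is refused at the next login. In radiusd -X output, the instance should appear among the instantiated modules, and for a user without a matching check item rlm_sqlcounter reports that it could not find the check item value pair, which is the quickest way to spot a name mismatch.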
Re: Stop simultaneous active directory logins with only one account
On Fri, 22 Apr 2005, Sylvain Clerc wrote:
> Hello, when I authenticate a user who is in the Active Directory, as freeradius only answers whether the account exists, I can log many users in at the same time with the same account. I would like that only one user can use his account, and if another user tries to authenticate with the same account, he will be rejected. As I use the ntlm_auth command to authenticate users from Active Directory, is it possible to do that?

If I understand you correctly you need to read doc/Simultaneous-Use

> Thanks,
> Sylvain Clerc.
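For reference, what doc/Simultaneous-Use comes down to in FreeRADIUS 1.x; this is an added illustration, not text from the thread or from the FreeRADIUS documentation, and it assumes the stock module names (radutmp, checkrad) and a NAS that sends accounting packets.

```text
# raddb/users: Simultaneous-Use is a check item, evaluated in authorize,
# so it does not matter that the password itself is verified by ntlm_auth.
DEFAULT Simultaneous-Use := 1
        Fall-Through = Yes

# raddb/radiusd.conf: the check is only as good as the session table behind
# it. radutmp is written from accounting packets and read by the session
# section, so both lines are needed, and the NAS has to send
# Accounting-Start and Accounting-Stop for every session.
accounting {
        radutmp
}

session {
        radutmp
}
```

Two caveats a practitioner will hit. If an Accounting-Stop is lost (NAS reboot, dropped UDP) the user stays "logged in" until the radutmp entry is cleared; the checkrad script named on the main: checkrad line of the debug output is what the server runs to ask the NAS whether the port is still in use, and it needs SNMP or finger access to the NAS to answer. And the count is per User-Name, so this blocks a second concurrent login on a shared AD account, but it cannot tell the account's owner from someone else who knows the password.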
Re: proxy reply attributes
hi. I have configured radius.conf with these lines:

modules {
        ...
        attr_filter pre_proxy_filter {
                attrsfile = ${confdir}/attrs_out
        }
        ...
}

pre-proxy {
        ...
        pre_proxy_filter
        ...
}

config of the file attrs_out:

DEFAULT
        Tunnel-Type !* ANY,
        Tunnel-Medium-Type !* ANY,
        Tunnel-Private-Group-ID !* ANY

So with this config, I say that any Tunnel-* attributes in proxy reply packets are removed (I suppose). The problem is that freeradius isn't removing any of these attributes. Is this config right? What can be the problem?? Any ideas??

thanks,
Tiago Fernandes

On Thu, 2005-04-14 at 12:54 -0400, Alan DeKok wrote:
> Tiago Fernandes [EMAIL PROTECTED] wrote:
> > what I want to know is if it's possible to configure the freeradius in the proxied servers to only send necessary attributes in replies, even if the attr_filter is configured in the server that is going to send back only allowed attributes.
>
> That's what attr_filter does. Use it.
>
> Alan DeKok.
RE: No response from Radius server
When I ran radiusd -X, I still got no response from server (time out) on the Windows machine, but what I can see on the Radius machine is:

Ignoring request from unknown client 192.168.107.115:2043
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.107.115:2443, id=2, length=44

At least I can see the Windows machine is talking with the Radius. Further assistance will be appreciated.

Shawn

David Jones [EMAIL PROTECTED] wrote:
> Start radiusd like this: radiusd -X and you should see it read the config files and it will run in the foreground. The -X is extended debug mode, equivalent to -sfxx. This should let you see where the failure is occurring.
>
> David
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Xu
> Sent: Thursday, April 21, 2005 2:02 PM
> To: freeradius-users@lists.freeradius.org
> Subject: No response from Radius server
>
> > I installed Freeradius server on FreeBSD. The installation went well, but when I tried to test it, I got no response from the Radius server. After I ran radiusd, I got "Thu Apr 21 14:29:23 2005: Info: Starting - reading configuration files..." then back to radius#. If I run ps, it seems Radius is not running, because it doesn't show radiusd. If I run ps -aux | grep radiusd, it shows
> >
> > root 798 0.0 0.7 4764 3368 ?? Ss 2:29pm 0:00:00 radiusd
> >
> > If I test from another Windows machine with the NTRadPing Test Utility, I get no response from server. Any help will be appreciated.
> >
> > Shawn
RE: No response from Radius server
You need to check to make sure that your Windows box is listed in your clients.conf. It has to be listed in there with a secret before the radius server will even start to authenticate requests from it. Take a look at this site and it should help you out a bit: http://www.frontios.com/freeradius.html

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Xu
Sent: Friday, April 22, 2005 7:04 AM
To: freeradius-users@lists.freeradius.org
Cc: [EMAIL PROTECTED]
Subject: RE: No response from Radius server

> When I ran radiusd -X, I still got no response from server (time out) on the Windows machine, but what I can see on the Radius machine is:
>
> Ignoring request from unknown client 192.168.107.115:2043
> --- Walking the entire request list ---
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 192.168.107.115:2443, id=2, length=44
>
> At least I can see the Windows machine is talking with the Radius. Further assistance will be appreciated.
>
> Shawn
> [...]
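What "Ignoring request from unknown client" means on the wire, as an added example that is not part of this thread or of FreeRADIUS itself. The script implements just enough of RFC 2865 to show the two places the clients.conf secret is used: hiding User-Password in the Access-Request, and computing the Response Authenticator on the reply. The client address, secret and user table are made up for the demo. A request from an address with no configured secret can neither be decoded nor answered with an authenticator the client would accept, so the server drops it and the client only ever sees a timeout, which is exactly what NTRadPing reported.

```python
"""Enough of RFC 2865 to show where the clients.conf shared secret is used.
Added example, not FreeRADIUS code; client table, user table and secret are
constructed for the demo."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed: what the server's clients.conf and users file would hold.
CLIENTS = {"192.168.107.115": b"testing123"}
USERS = {"shawn": b"s3cret"}


def encode_attrs(attrs):
    """Type-Length-Value list; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple; each block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; with the wrong secret this yields garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def client_request(username, password, secret, ident=2):
    req_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet, src_ip):
    """Returns a reply, or None when src_ip has no secret configured, which is
    the point where FreeRADIUS logs 'Ignoring request from unknown client'."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return None
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if USERS.get(user) == password else ACCESS_REJECT
    reply_attrs = []
    auth = response_authenticator(code, ident, req_auth, reply_attrs, secret)
    return build_packet(code, ident, auth, reply_attrs)


def client_verify(reply, req_auth, secret):
    """Reply code if the Response Authenticator checks out under our secret, else None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:length])
    if reply[4:20] != response_authenticator(code, ident, req_auth, attrs, secret):
        return None
    return code


def exchange(username, password, client_secret, src_ip):
    """One round trip as seen from the client."""
    packet, req_auth = client_request(username, password, client_secret)
    reply = server_handle(packet, src_ip)
    if reply is None:
        return "ignored"            # the client sees only a timeout
    code = client_verify(reply, req_auth, client_secret)
    if code is None:
        return "bad-authenticator"  # the server's secret differs from ours
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
```

Calling exchange("shawn", b"s3cret", b"testing123", "192.168.107.115") gives "accept"; the same call from 10.0.0.9 gives "ignored", and with a client secret that does not match the server's gives "bad-authenticator", because the password decrypts to garbage and the reply's authenticator no longer verifies. Anything beyond a smoke test should also carry Message-Authenticator (RFC 2869, mandatory with EAP) and use a long random secret: the MD5-based hiding here gives no protection at all to anyone who already has the secret.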
Re: radius and LDAP
On Fri, 22 Apr 2005 16:44:31 -0400 (EDT) Dustin Doris [EMAIL PROTECTED] wrote:

> > I have a simple RADIUS auth server with an LDAP as backend on the same machine for some realms. When authenticating with a BAD password, the LDAP rejects the authentication, but the radius sends its reject after the max_request_time (5 secs). Why is radiusd not sending the reject immediately after it has received the reject from the LDAP? Did I misconfigure something somewhere?
> >
> > Richard.
>
> Please post radiusd -X so we can see what it is doing.

Hmmm, when running radiusd -X it's ok. I run radiusd under supervise (daemontools from D.J. Bernstein) and then it has this behaviour. But when running radius as a normal service, the problem also appears.

Now I can remember an issue that the normal logfile only logs stderr instead of stdout; I see the same thing here (it's freeradius Debian Sarge 1.02). When setting this:

logdir = /tmp
log_file = ${logdir}/radius.log

the only thing I can see is:

Fri Apr 22 23:24:57 2005 : Info: Using deprecated naslist file.  Support for this will go away soon.

For the rest there's nothing in the logs. I posted something about this to the list in August 2004: http://lists.cistron.nl/pipermail/freeradius-users/2004-August/035089.html

R.

FYI: radius -X produces this (like one would expect):

rlm_ldap: modcall[authenticate]: module ldap_example.com returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [EMAIL PROTECTED] (from client auth1.example.com port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 35 to 172.30.0.2:32768
        Reply-Message =
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 35 with timestamp 4269668d
Nothing to do.  Sleeping until we see a request.

--
Mac OS X proves that it's easier to make UNIX pretty than it is to make Windows secure.
Richard Lucassen, Utrecht
Public key and email address: http://www.lucassen.org/mail-pubkey.html
Re: Problem with Win XP, EAP and Radius
Christian Zawada [EMAIL PROTECTED] wrote:
> I have this problem with freeradius:
> rlm_eap: No such EAP type peap

You did not configure the PEAP module in the server. See raddb/eap.conf

Alan DeKok.
Re: Can I run two freeradius daemons on the same machine?
On Fri, 22 Apr 2005 15:56:21 -0400 Brian Gao [EMAIL PROTECTED] wrote:
> Hi all, Does anybody know whether I can run two freeradius daemons on the same machine?

Greetings,

Just set them on different ports. I run one on port 1812, one on port 1635 and one on port (for debugging). Just create a separate radiusd.conf file (I use entire directories) for each one and use the -d /path/to/radiusd.conf option.

--
William Ragsdale, Server Administrator, NetOne Communications, Inc.
http://www.netonecom.net
2186 US 10, Sears, MI 49679
Work: 231-734-2917, FAX: 231-734-6395, Office Hours 10AM - 7PM
Re: Can I run two freeradius daemons on the same machine?
I think this must be possible if you run each on different ports.

Ernesto Freyre Ramírez
Head of Operations, Qnet Soluciones Tecnológicas
Av. Paseo de la República 4675 - Lima 34
Tel.: (511) 241-4122 ext. 2245, Fax: (511) 446-8135
Visit us at: www.qnet.com.pe

----- Original Message -----
From: Brian Gao
To: freeradius-users@lists.freeradius.org
Sent: Friday, April 22, 2005 2:56 PM
Subject: Can I run two freeradius daemons on the same machine?

> Hi all, Does anybody know whether I can run two freeradius daemons on the same machine?
> Thanks
> Brian
Re[2]: about limit
Hello Kostas,

Friday, April 22, 2005, 6:17:33 PM, you wrote:
KK> Run the server in debug mode to see if it is rejecting the user and if things
KK> work as expected.

Honestly, I don't see any rejecting-user message. What should I paste here? Here is the radiusd -X result:

# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
Config: including file: /usr/local/etc/raddb/sqlcounter.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port =
 sql: login =
 sql: password =
 sql: radius_db = radius
 sql: acct_table = radacct
 sql: acct_table2 = radacct
 sql: authcheck_table = radcheck
 sql: authreply_table = radreply
 sql: groupcheck_table = radgroupcheck
 sql: groupreply_table = radgroupreply
 sql: usergroup_table = usergroup
 sql: nas_table = nas
 sql: dict_table = dictionary
 sql: sqltrace = no
 sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile =
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_reply_query = SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
 sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT
Re: Can I have multiple authcheck_table in postgresql.conf
> Hi all, I have a freeradius configured with postgresql, and both work well. Because we have two groups of users in two different authentication tables in the DB, I want freeradius to check both tables when it gets an access-request. My question is: in the configuration file postgresql.conf, can I add another authcheck_table, which means can I have two (or multiple) authcheck_table entries in that file? Of course I have to create two tables (radcheck and radcheck_2) in the DB first. Do you think it is possible? If so, how?
>
> Thanks
> Brian

I never use postgres, but could you just use a union on the two tables? In mysql, it would look something like this:

(SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table1} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id) UNION (SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table2} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id)

I use something like that for reply_queries with mysql; I imagine it would work for authorization as well.
Re: radius and LDAP
richard lucassen [EMAIL PROTECTED] wrote:
> Forgot to say that reject_delay is set to 1. The reject should be sent after 1 second AFAIUI, but it is not. The reject is sent after max_request_time.

It's a bug in the server. In the short term, set reject_delay=0

Alan DeKok.
Re: proxy reply attributes
Tiago Fernandes [EMAIL PROTECTED] wrote:
> pre-proxy {
> ...
> pre_proxy_filter

That filters attributes BEFORE the packet is sent to the home server.

> so with this config, i say that any attributes Tunnel-* in proxy replies packets are removed (i suppose).

Don't suppose. Read the debugging output of the server.

> Is this config right ? What can be the problem ?? Any idea's ??

The config is wrong for what you say you want to do. The debug output of the server would tell you this.

To debug problems like this, run it in debugging mode, and read the output. All of it.

Alan DeKok.
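An added illustration of the section Alan is pointing at, not from the thread or from the FreeRADIUS documentation; the instance name and the file contents are assumptions based on the 1.x defaults. The point that trips people up is that rlm_attr_filter in 1.x is a whitelist: a reply attribute that matches no rule for the realm (or for DEFAULT) is removed, so the file lists what is allowed to come back from the home server rather than what is forbidden. That is also why `!* ANY` rules placed in pre-proxy do not touch the reply.

```text
# radiusd.conf
modules {
        ...
        # the stock instance; attrs is the file shipped with 1.x
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        ...
}

# post-proxy runs on the reply that came back from the home server, before
# it is sent on to the NAS. pre-proxy runs on the request on its way out,
# which is why a filter placed there never sees reply attributes.
post-proxy {
        attr_filter
}

# attrs: entries are keyed by realm name, DEFAULT covers the rest. Only
# attributes that match a rule survive, so Tunnel-Type, Tunnel-Medium-Type
# and Tunnel-Private-Group-ID are dropped simply by not being listed.
DEFAULT
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        EAP-Message =* ANY,
        Message-Authenticator =* ANY,
        State =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        Framed-Filter-ID =* ANY,
        Session-Timeout <= 28800,
        Idle-Timeout <= 600
```

Keeping EAP-Message, Message-Authenticator, State and the MS-MPPE keys in the list is what lets proxied EAP still work. Stripping the Tunnel-* attributes on the way in is the right reflex from a security standpoint: a reply from another realm's server should not be able to assign VLANs on your switches, and a whitelist fails closed when the home server starts sending something new.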
Re: radius and LDAP
On Fri, 22 Apr 2005 21:35:53 +0200 richard lucassen [EMAIL PROTECTED] wrote:
> I have a simple RADIUS auth server with an LDAP as backend on the same machine for some realms. When authenticating with a BAD password, the LDAP rejects the authentication, but the radius sends its reject after the max_request_time (5 secs). Why is radiusd not sending the reject immediately after it has received the reject from the LDAP? Did I misconfigure something somewhere?

Forgot to say that reject_delay is set to 1. The reject should be sent after 1 second AFAIUI, but it is not. The reject is sent after max_request_time.

(btw: if reject_delay is set to 0 it immediately sends the reject, but for obvious reasons I don't want this)
Can I run two freeradius daemons on the same machine?
Hi all, Does anybody know whether I can run two freeradius daemons on the same machine?

Thanks
Brian
Re: radius and LDAP
On Fri, 22 Apr 2005 23:33:50 +0200 richard lucassen [EMAIL PROTECTED] wrote:
> Hmmm, when running radiusd -X it's ok. I run radiusd under supervise (daemontools from D.J. Bernstein) and then it has this behaviour. But when running radius as a normal service, the problem also appears.

Sorry, I snipped too much when posting this. Forget it.

> [...]
SQL logging delay issue.
We are running freeradius 0.9.3.1 on RH ES3. CDR accounting records from a Cisco AS5350 are logged both to a detail file and to PostgreSQL running on the same box. The issue appears to be the following: for some calls, our PRI will terminate the call immediately because of an unknown number, busy line, etc. So immediately that freeradius receives the start, start update, and stop records at basically the same time. The problem this creates is that it appears the insertion of the start record has not completed when the update for the start and then the stop record occur (multiple handles to the database). This causes the update and stop records to "fall through" the update process and do an insertion of a full record for both. Thus I have instances of one CDR record that has three entries (2 partial and 1 full) in SQL instead of the single entry that 99% of the other CDR records have. I haven't decided if I should approach this from the Cisco side or from the freeradius side in the form of some type of delay or retry for SQL accounting records. I haven't been able to find a freeradius configuration parameter that does this. Any ideas? I can provide more info if needed.
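One way to make the accounting writes tolerate this, as an added example rather than anything rlm_sql does itself: the 0.9/1.x sql queries try an UPDATE keyed on the session and fall back to an INSERT when no row matched, which is the fall-through described above, and two database handles can both take that path for the same session. If the table has a unique key on the session identifier (the Acct-Unique-Session-Id that rlm_acct_unique derives is the natural one), the database can do the merge itself and arrival order stops mattering. The SQLite script below reproduces the extra rows by feeding the three packets of one short call out of order, then shows the upsert producing a single row in any order. The call records are constructed; PostgreSQL 9.5 and later accept the same INSERT ... ON CONFLICT form, and MySQL's equivalent is INSERT ... ON DUPLICATE KEY UPDATE.

```python
"""Idempotent accounting writes for Start/Interim-Update/Stop packets that
arrive out of order or at the same moment. Added example, not rlm_sql code.
The records below are constructed. Needs SQLite >= 3.24 for ON CONFLICT."""
import sqlite3

# 1.x-style table: AcctUniqueId is indexed but not unique, so nothing stops
# two handles from each inserting a row for the same session.
CLASSIC_SCHEMA = """CREATE TABLE radacct (
    acctuniqueid TEXT, username TEXT, nasipaddress TEXT,
    acctstarttime INTEGER, acctstoptime INTEGER,
    acctsessiontime INTEGER NOT NULL DEFAULT 0, acctterminatecause TEXT)"""

# Same columns, but the session id is the primary key: the database now
# refuses a second row and lets us merge into the first instead.
UPSERT_SCHEMA = """CREATE TABLE radacct (
    acctuniqueid TEXT PRIMARY KEY, username TEXT, nasipaddress TEXT,
    acctstarttime INTEGER, acctstoptime INTEGER,
    acctsessiontime INTEGER NOT NULL DEFAULT 0, acctterminatecause TEXT)"""

# Constructed CDR for one call the PRI dropped at once: all three packets
# carry the same Acct-Unique-Session-Id.
RECORDS = [
    {"type": "Start", "uid": "c0ffee01", "user": "4155550100", "nas": "10.0.0.5",
     "time": 1114160583, "session_time": 0, "cause": None},
    {"type": "Interim-Update", "uid": "c0ffee01", "user": "4155550100", "nas": "10.0.0.5",
     "time": 1114160583, "session_time": 0, "cause": None},
    {"type": "Stop", "uid": "c0ffee01", "user": "4155550100", "nas": "10.0.0.5",
     "time": 1114160583, "session_time": 0, "cause": "Unassigned-Number"},
]

COLUMNS = ("acctuniqueid, username, nasipaddress, acctstarttime, acctstoptime, "
           "acctsessiontime, acctterminatecause")
INSERT = f"INSERT INTO radacct ({COLUMNS}) VALUES (?,?,?,?,?,?,?)"
UPDATE = ("UPDATE radacct SET acctsessiontime=?, acctstoptime=COALESCE(?, acctstoptime), "
          "acctterminatecause=COALESCE(?, acctterminatecause) WHERE acctuniqueid=?")
# Merge rules: keep the earliest known start, latest known stop and cause,
# and never let the session time go backwards.
UPSERT = INSERT + """ ON CONFLICT(acctuniqueid) DO UPDATE SET
    acctstarttime = COALESCE(radacct.acctstarttime, excluded.acctstarttime),
    acctstoptime = COALESCE(excluded.acctstoptime, radacct.acctstoptime),
    acctsessiontime = MAX(radacct.acctsessiontime, excluded.acctsessiontime),
    acctterminatecause = COALESCE(excluded.acctterminatecause, radacct.acctterminatecause)"""


def values(rec):
    """Column tuple for one packet; only Start knows the start time, only Stop the stop time."""
    start = rec["time"] if rec["type"] == "Start" else None
    stop = rec["time"] if rec["type"] == "Stop" else None
    return (rec["uid"], rec["user"], rec["nas"], start, stop, rec["session_time"], rec["cause"])


def write_update_then_insert(conn, rec):
    """The sql.conf pattern: Start inserts; anything else UPDATEs and, when no
    row matched, falls back to the *_alt INSERT. If the Start has not landed
    yet, Interim and Stop each create their own partial row."""
    if rec["type"] == "Start":
        conn.execute(INSERT, values(rec))
        return
    cur = conn.execute(UPDATE, (rec["session_time"], values(rec)[4], rec["cause"], rec["uid"]))
    if cur.rowcount == 0:
        conn.execute(INSERT, values(rec))


def write_idempotent(conn, rec):
    """One statement for every packet type; the database merges on the key."""
    conn.execute(UPSERT, values(rec))


def run(writer, schema, order):
    """Apply RECORDS in the given arrival order to a fresh in-memory table
    and return the resulting rows as (uid, start, stop, cause)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    for i in order:
        writer(conn, RECORDS[i])
    conn.commit()
    rows = conn.execute("SELECT acctuniqueid, acctstarttime, acctstoptime, "
                        "acctterminatecause FROM radacct ORDER BY rowid").fetchall()
    conn.close()
    return rows
```

run(write_update_then_insert, CLASSIC_SCHEMA, [2, 1, 0]) returns two rows for the one call, while run(write_idempotent, UPSERT_SCHEMA, order) returns the same single completed row for every ordering. Note that the unique key alone is not enough: with the key in place but the old update-then-insert queries, the losing handle gets a duplicate-key error instead of a duplicate row, and the record is lost rather than doubled. The upsert is what turns the collision into a merge.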
radius and LDAP
I have a simple RADIUS auth server with an LDAP as backend on the same machine for some realms. When authenticating with a BAD password, the LDAP rejects the authentication, but the radius sends its reject after the max_request_time (5 secs) Why is radiusd not sending the reject immediately after it has received the reject from the LDAP? Did I misconfigure something somewhere? Richard. -- ___ Mac OS X proves that it's easier to make UNIX pretty than it is to make Windows secure. +--+ | Richard Lucassen, Utrecht| | Public key and email address:| | http://www.lucassen.org/mail-pubkey.html | +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait
Emman S. Loloy [EMAIL PROTECTED] wrote: Is it possible for the output of Exec-Program-Wait become check item? No. See rlm_exec for that functionality. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius and LDAP
On Fri, 22 Apr 2005, richard lucassen wrote: I have a simple RADIUS auth server with an LDAP as backend on the same machine for some realms. When authenticating with a BAD password, the LDAP rejects the authentication, but the radius sends its reject after the max_request_time (5 secs) Why is radiusd not sending the reject immediately after it has received the reject from the LDAP? Did I misconfigure something somewhere? Richard. Please post radiusd -X so we can see what it is doing. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Authentication based on CallingStationId and UserName.
Hi, Can somebody help? I have instances of three groups created i.e. Prepaid_Monthly, CorpMonthly and Staff_Monthly. I used the sqlcounter to restrict the time Max-Session-Time for each group. However, group Staff_Monthly are staff or corporate members of the Business group and they enjoy toll free from the telcos. And they have their own callingstationid different from others. If a user now buys from the prepaid that is cheaper which belongs to group Staff_Monthly card, I want access-reject for any other user of other groups who wants to use another telco's number to connect to the internet. Can someone advise on how to go about it. What I need to do is how to reject Staff_Monthly users that want to use a card that is meant for the Prepaid_Monthly and CorpMonthly (because their Card is cheap but the telco tariff is at their own expense) to connect to the network. Ade - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: jradius with freeradius, segmentation fault
Schweizer Laurent [EMAIL PROTECTED] wrote: #0 0x403cc12b in pack_packet (ba=0xbf3ff874, p=0xdeadbeef) at rlm_jradius.c:262 That module doesn't come with the server. I suggest asking the author directly. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius and LDAP
On Fri, 22 Apr 2005 17:25:09 -0400 Alan DeKok [EMAIL PROTECTED] wrote: richard lucassen [EMAIL PROTECTED] wrote: Forgot to say that reject_delay is set to 1. The reject should be sent after 1 second AFAIUI, but it does not. The reject is sent after max_request_time. It's a bug in the server. In the short term, set reject_delay=0 Like I replied to Dustin, when running radiusd -X everything is like it should be. But for the moment I'll put it to 0. R.
--
___
Mac OS X proves that it's easier to make UNIX pretty than it is to make Windows secure.
+--+
| Richard Lucassen, Utrecht|
| Public key and email address:|
| http://www.lucassen.org/mail-pubkey.html |
+--+
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple Pools with ippool
I am using Freeradius Version: 1.0.1 I am attempting to get multiple pools working, and I am running into a road block. I have searched google and mailing list archives and have been unable to come up with a solution. Here is how my users file is currently setup:

DEFAULT Pool-Name := DEFAULT
        Ascend-Client-Primary-DNS = 192.168.1.10,
        Ascend-Client-Secondary-DNS = 10.0.0.10,
        Fall-Through = yes

adam    Password == test
        Service-Type = Framed-User,
        Ascend-Idle-Limit = 0,
        Framed-Protocol = PPP,
        Ascend-Call-Type = Switched,
        Ascend-PPPoE-Enable = PPPoE-Yes,
        Ascend-Call-Type = 0

adam2   Password == test
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Idle-Limit = 0,
        Ascend-Call-Type = Switched,
        Ascend-PPPoE-Enable = PPPoE-Yes,
        Ascend-Call-Type = 0

Here are snips from my radiusd.conf file:

ippool pool_1 {
        range-start = 192.168.1.100
        range-stop = 192.168.1.200
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool_1
        ip-index = ${raddbdir}/db.ipindex_1
        override = no
        maximum-timeout = 0
}

ippool pool_2 {
        range-start = 10.0.0.100
        range-stop = 10.0.0.200
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool_2
        ip-index = ${raddbdir}/db.ipindex_2
        override = no
        maximum-timeout = 0
}

post-auth {
        # Get an address from the IP Pool.
        pool_1
        pool_2
}

With these settings I get the message:

modcall[post-auth]: module pool_1 returns noop for request 0
modcall[post-auth]: module pool_2 returns noop for request 0

and it does not hand out an IP address. If I change my config to:

DEFAULT Pool-Name := pool_1
        Ascend-Client-Primary-DNS = 192.168.1.10,
        Ascend-Client-Secondary-DNS = 10.0.0.10,
        Fall-Through = yes

It will hand out an IP but only from pool pool_1. How do I make it use both pools? Thanks in Advance for the help Adam - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
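The behaviour reported above (both instances return noop when Pool-Name is DEFAULT, and only pool_1 allocates when Pool-Name is pool_1) indicates that each ippool instance hands out an address only when the Pool-Name check item equals its own instance name. The fragment below is an added illustration, not the poster's configuration: it selects the Pool-Name per NAS through an rlm_preprocess huntgroup so that exactly one instance matches each request (huntgroup names and NAS addresses are constructed, and the assumption about Pool-Name matching is the one stated here).

```conf
# huntgroups (read by rlm_preprocess): NAS addresses are constructed examples
pool_1_nas      NAS-IP-Address == 192.168.1.1
pool_2_nas      NAS-IP-Address == 10.0.0.1

# users: Pool-Name is set with ":=" on the check-item line, so it becomes a
# config item that each ippool instance compares against its instance name.
# A DEFAULT entry whose Huntgroup-Name does not match is skipped entirely.
DEFAULT Huntgroup-Name == pool_1_nas, Pool-Name := pool_1
        Ascend-Client-Primary-DNS = 192.168.1.10,
        Fall-Through = yes

DEFAULT Huntgroup-Name == pool_2_nas, Pool-Name := pool_2
        Ascend-Client-Primary-DNS = 10.0.0.10,
        Fall-Through = yes

# A per-user check item still overrides the huntgroup choice: this user
# always draws from pool_2 regardless of which NAS it connects through.
adam2   Password == test, Pool-Name := pool_2
        Service-Type = Framed-User,
        Framed-Protocol = PPP

# radiusd.conf: list every instance; each returns noop unless Pool-Name
# matches it, so with the entries above exactly one allocates an address.
post-auth {
        pool_1
        pool_2
}
```

With this layout the debug output for a request from 192.168.1.1 should show pool_2 returning noop and pool_1 returning ok, and the reverse for 10.0.0.1.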
Problem with Win XP, EAP and Radius
Hello, I have this problem with freeradius:

rlm_eap: No such EAP type peap
rlm_eap: Failed in EAP select
Login incorrect: [test/no User-Password attribute]

Christian

Here is the complete log file:

radius:~# freeradius -A -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/freeradius/huntgroups
preprocess: hints = /etc/freeradius/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = /etc/freeradius/users
files: acctusersfile = /etc/freeradius/acct_users
files: preproxy_usersfile = /etc/freeradius/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = /var/log/freeradius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=195, length=119
        User-Name = test
        NAS-IP-Address = 192.168.0.1
        Framed-MTU = 1496
        Called-Station-Id = 00-a0-c5-5c-a2-a2:wlan-22
        Calling-Station-Id = 00-20-e0-4d-06-cb
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020d00090174657374
        Message-Authenticator = 0x4211f7c5bfdcbd903757e845a50fbd7e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_eap: EAP packet type response id 13 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap
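The startup log above shows rlm_eap loading only the md5 and gtc types, so a Windows XP supplicant offering PEAP is rejected with "No such EAP type peap". The eap.conf fragment below, in the FreeRADIUS 1.x layout, adds the tls, peap and inner mschapv2 sections that PEAP needs; it is an added illustration, not the poster's configuration, and the certificate paths and key password are placeholders.

```conf
eap {
        # PEAP is the outer method the XP supplicant proposes; keep it the default
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        md5 {
        }

        # PEAP runs inside a TLS tunnel, so the tls subsection must exist and
        # point at a valid server certificate (placeholder paths and password).
        tls {
                private_key_password = PLACEHOLDER_KEY_PASSWORD
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
        }

        # Inner method negotiated inside the tunnel; the mschapv2 subsection
        # must also be present so that rlm_eap loads that type.
        peap {
                default_eap_type = mschapv2
        }

        mschapv2 {
        }
}
```

After a restart the debug output should list "Loaded and initialized type" lines for tls, peap and mschapv2 alongside md5; the eap module must also be listed in the authorize and authenticate sections of radiusd.conf for the conversation to proceed.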
Re: SQL logging delay issue.
Greg Stooksberry [EMAIL PROTECTED] wrote: We are running freeradius 0.9.3.1 You should upgrade to 1.0.2. For some calls, our PRI will terminate the call immediately because of unknown number, busy line, etc. So immediate, that freeradius receives both the start, start update, and stop records at basically the same time. That's fairly dumb... I haven't decided if I should approach this from the Cisco side or from the freeradius side in the form of some type of delay or retry for SQL accounting records. I haven't been able to find a freeradius configuration parameter that does this. Any ideas? I can provide more info if needed. There's no configuration parameter to control this, because I've never heard of this problem before. And I'm not sure what can be done to fix it, either. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OpenLDAP + 802.1x / WPA setup
I have updated my HOWTO on using OpenLDAP as an authentication backend for FreeRADIUS. New additions are
* ChilliSpot setup
* Using wpa_supplicant for 802.1x wired authentication
* Dynamically assigning VLANs on Cisco switches
* Other minor things
Please check out http://vuksan.com/linux/dot1x/802-1x-LDAP.html and let me know if you have any corrections. Vladimir - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html