Problems with 1.0.2
Hey,

I'm trying to compile 1.0.2, and I get the following errors (snipped at the end for brevity) - it seems to be related to EAP. Is there a simple way to fix this, or maybe an easy way to tell it I'm not interested in the EAP module?

Thanks,
Paul

(cd .libs && rm -f libeap.la && ln -s ../libeap.la libeap.la)
gmake[7]: Leaving directory `/usr/src/RPM/BUILD/freeradius-1.0.2/src/modules/rlm_eap/libeap'
gcc -O2 -fomit-frame-pointer -pipe -march=i586 -mtune=pentiumpro -fpic -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -I./libeap -o radeapclient radeapclient.o -Llibeap -leap -L../../lib -lradius -lnsl -lresolv -lpthread -lcrypto -lssl -lcrypt
radeapclient.o(.text+0x2d3): In function `cleanresp':
: undefined reference to `pairdelete'
radeapclient.o(.text+0x2e4): In function `cleanresp':
: undefined reference to `pairdelete'
radeapclient.o(.text+0x31e): In function `cleanresp':
: undefined reference to `pairbasicfree'
radeapclient.o(.text+0x365): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x485): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x49a): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x4b4): In function `process_eap_start':
: undefined reference to `pairfind'
radeapclient.o(.text+0x5ed): In function `process_eap_start':
etc ..

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Upgrading freeradius 1.0.2 with freeradius-snapshot-20050502
[EMAIL PROTECTED] (Paul Hampson) wrote:
> Well, I've just been handed some rlm_sql (possible) security bugs,
> which I'm going to look hard at this weekend. Then we can release
> 1.0.3.

Ok. I think they should be fixed, but I don't think they're critical.

Alan DeKok.
Re: Questions and feature request...
"Lucas Aimaretto" <[EMAIL PROTECTED]> wrote:
> This is interesting. How can I use Reply-Messages?. In the radreply
> table ??? I believe this table is only used if user got an
> access-accept, is it true ?

No. It's used during authorization, before the server has decided if the user is accepted or rejected.

Alan DeKok.
Re: (no subject)
Babar Shafiq <[EMAIL PROTECTED]> wrote:
> I know i can see the reject cause while running in debug mode but I
> want to store the reject causes in database or logs it. so it will
> be helpful in future for support people,customer support etc, so
> they can inform users what is the exact cause of the rejection !!

Then always run the server in debugging mode. Or, write scripts to log reasons for failure.

Alan DeKok.
RE: Exec-Program-Wait vs rlm_exec
[EMAIL PROTECTED] wrote:
> On Thu, May 05, 2005 at 08:22:44AM -0600, [EMAIL PROTECTED] wrote:
>> [EMAIL PROTECTED] wrote:
>>> On Tue, May 03, 2005 at 10:23:05AM -0600, [EMAIL PROTECTED] wrote:
>>>> Hi, what do you consider the best solution when you need to run an
>>>> external program to make additional checks when an access request is
>>>> received, exec-program-wait or rlm_exec? I'm using exec-program-wait,
>>>> should I use rlm_exec instead? The script checks some items like credit
>>>> amount and returns 0 or 1 if success or fail, thanks
>>>
> I do this with Post-Auth-Type. How do you filter by groupname?

I check the groupname vs the radgroupreply, every group has a different Exec-Program-Wait.

---
Miguel
what's going foobar
Lo all,

FreeBSD 5.4-STABLE... and uhm ja...

Accounting WHERE UserName=LOWER('%{SQL-User-Name}') AND AcctStopTime = 0"
sql: postauth_table = "radpostauth"
sql: postauth_query = ""
sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/CENERGY
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 100853)]
0x2831b010 in memset () from /lib/libc.so.5
(gdb) back
#0 0x2831b010 in memset () from /lib/libc.so.5
#1 0x5f6c7173 in ?? ()
#2 0x28560b51 in sql_init_socket (sqlsocket=0x9072540, config=0x8eda000) at sql_mysql.c:71
#3 0x2855bf6c in connect_single_socket (sqlsocket=0x9072540, inst=0x9072440) at sql.c:70
#4 0x2855c0c4 in sql_init_socketpool (inst=0x9072440) at sql.c:130
#5 0x2855a4c7 in rlm_sql_instantiate (conf=0x85234e8, instance=0x0) at rlm_sql.c:699
#6 0x08054b9d in find_module_instance ()
#7 0x08055d86 in modcall ()
#8 0x08055312 in setup_modules ()
#9 0x0804cdc0 in main ()

Is this rlm_sql that is going foobar? Another possibility (I just feel it in my guts) is that it may be threads... whilst I did not specify --with-threads at compile time, I saw compile still used POSIX_THREADS. Any way to force FR not to use threads?

This is FR 1.0.2

Thanks a lot.

--
Chris.
RE: Questions and feature request...
> > 2) Reject Cause (feature request)
> > Free radius is not informing when it rejects any user if found a
> > condition false in radgroupcheck or in radcheck only send reject
> > (reply:Packet-Type), is it possible to give reject with attributes so
> > we will know which attribute is the cause of reject,
>
> No. Even if you did that, the user being rejected wouldn't
> see the information. The RADIUS clients won't show it to
> them. Also, showing this information to a user is a
> potential security risk.
>
> You can use Reply-Message to give the users a message, but
> you can't use any other attribute.

This is interesting. How can I use Reply-Messages? In the radreply table? I believe this table is only used if the user got an access-accept, is that true?

Regards,
Lucas
NAS-IP member of multiple huntgroups?
Hi,

I'm wondering why it is prohibited to have a particular NAS-IP-Address in more than one huntgroup. I want to use huntgroups for roaming blocking:

huntgroups:
DE.HDN  NAS-IP-Address == 10.0.0.1
DE      NAS-IP-Address == 10.0.0.1
EMEA    NAS-IP-Address == 10.0.0.1
DE.FRM  NAS-IP-Address == 10.0.0.2
DE      NAS-IP-Address == 10.0.0.2
EMEA    NAS-IP-Address == 10.0.0.2
DE.DTM  NAS-IP-Address == 10.0.0.3
DE      NAS-IP-Address == 10.0.0.3
EMEA    NAS-IP-Address == 10.0.0.3
UK.LND  NAS-IP-Address == 10.0.1.1
UK      NAS-IP-Address == 10.0.1.1
EMEA    NAS-IP-Address == 10.0.1.1
UK.CBG  NAS-IP-Address == 10.0.1.2
UK      NAS-IP-Address == 10.0.1.2
EMEA    NAS-IP-Address == 10.0.1.2
BE.BRU  NAS-IP-Address == 10.0.2.1
BE      NAS-IP-Address == 10.0.2.1
EMEA    NAS-IP-Address == 10.0.2.1

users:
user1 User-Password == "test", Huntgroup-Name == "EMEA"
      ... ...
user2 User-Password == "test", Huntgroup-Name == "DE"
      ... ...
user3 User-Password == "test", Huntgroup-Name == "DE.FRM"
      ... ...

But this doesn't work, since only the first huntgroup name for a particular IP is considered. I'm wondering especially since the multiple huntgroup names for one NAS-IP-Address are considered when the huntgroups file is read into the data structure of rlm_preprocess, but they are not considered when a user is checked using huntgroup_access.

Accordingly simple is the patch to achieve this MANY_HUNTGROUP_NAMES_FOR_ONE_IP "feature":

--- rlm_preprocess.c2004-10-07 22:52:31.0 +0200 +++ rlm_preprocess.c-patched2005-05-06 12:56:50.0 +0200 @@ -362,8 +362,13 @@ * We've matched the huntgroup, so add it in * to the list of request pairs. */ +#define MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS 1 +#ifndef MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS vp = pairfind(request_pairs, PW_HUNTGROUP_NAME); if (!vp) { +#else + { +#endif vp = paircreate(PW_HUNTGROUP_NAME, PW_TYPE_STRING); if (!vp) { 
@@ -379,7 +384,9 @@ } r = RLM_MODULE_OK; } +#ifndef MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS break; +#endif } return r;

Wouldn't it be a useful enhancement to be able to have one NAS-IP-Address in many huntgroups? Or is there anything against the "feature" I propose, which I do not see at the moment?

Thanks,
Wolfgang
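
Review bot: In the first hunk (@@ -362,8 +362,13 @@) the `#define MANY_HUNTGROUP_NAMES_FOR_ONE_ADDRESS 1` sits directly above the `#ifndef` that tests it, so the original `pairfind(request_pairs, PW_HUNTGROUP_NAME)` / `if (!vp)` branch can never be compiled and every build gets the new behaviour. Huntgroup-Name is used as an access check in the users file, so I would drop the unconditional define and let the macro come from the build, or from a module configuration item, so that existing installs keep the first-match behaviour unless they opt in. With the `if (!vp)` guard gone, a request that already carries a Huntgroup-Name pair also gets another one added; if that is intended, a comment saying so would help.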
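
Review bot: In the second hunk (@@ -379,7 +384,9 @@) compiling out the `break;` lets the enclosing loop continue after a match and run the add path once for every matching entry, with nothing checking whether the same name has already been added. A huntgroups file that lists a name twice for one address would then put duplicate Huntgroup-Name pairs on the request; consider comparing against the Huntgroup-Name pairs already in request_pairs before calling paircreate. It is also worth confirming how a negated check item on Huntgroup-Name evaluates once a request can carry several of these pairs.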
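
A simplified model of the matching described in the post above, as an added example that is not part of the original post and is not rlm_preprocess code: it contrasts stopping at the first huntgroups entry for a NAS-IP-Address with collecting every entry, using a constructed subset of the poster's huntgroups file. The function names, and the rule that a `Huntgroup-Name ==` check passes when any attached name matches, are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: part of the huntgroups file quoted in the post. */
struct huntgroup { const char *name; const char *nas_ip; };
static const struct huntgroup HUNTGROUPS[] = {
    { "DE.HDN", "10.0.0.1" }, { "DE", "10.0.0.1" }, { "EMEA", "10.0.0.1" },
    { "DE.FRM", "10.0.0.2" }, { "DE", "10.0.0.2" }, { "EMEA", "10.0.0.2" },
    { "UK.LND", "10.0.1.1" }, { "UK", "10.0.1.1" }, { "EMEA", "10.0.1.1" },
};
#define N_HUNTGROUPS (sizeof(HUNTGROUPS) / sizeof(HUNTGROUPS[0]))

/* Collect the huntgroup names attached to a request arriving from nas_ip.
 * all_matches == 0 stops at the first matching entry (the behaviour the post
 * describes); non-zero keeps scanning and skips names already collected.
 * Returns the number of names stored in out (at most max). */
int huntgroup_names(const char *nas_ip, int all_matches, const char *out[], int max)
{
    int n = 0;
    for (size_t i = 0; i < N_HUNTGROUPS && n < max; i++) {
        int dup = 0;
        if (strcmp(HUNTGROUPS[i].nas_ip, nas_ip) != 0)
            continue;
        for (int j = 0; j < n; j++)
            dup |= (strcmp(out[j], HUNTGROUPS[i].name) == 0);
        if (!dup)
            out[n++] = HUNTGROUPS[i].name;
        if (!all_matches)
            break;
    }
    return n;
}

/* Assumed check semantics: Huntgroup-Name == required passes when any
 * attached name equals it. Returns 1 for allowed, 0 for blocked. */
int huntgroup_allowed(const char *nas_ip, const char *required, int all_matches)
{
    const char *names[8];
    int n = huntgroup_names(nas_ip, all_matches, names, 8);
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], required) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *need[] = { "EMEA", "DE", "DE.FRM", "UK" };
    for (int i = 0; i < 4; i++)   /* every request arrives from 10.0.0.2 */
        printf("%-7s first-match=%d all-matches=%d\n", need[i],
               huntgroup_allowed("10.0.0.2", need[i], 0),
               huntgroup_allowed("10.0.0.2", need[i], 1));
    return 0;
}
```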
Authenticate just one time
Hi,

does anyone know how I can disable the possibility of a user logging in 2 times at the same time in different places?

TIA
Pedro Amado
Multiple ippools with current stable FreeRADIUS-1.0.2
Hi,

currently I'm using FreeRADIUS-1.0.2 with the rlm_sql_mysql backend for accounting, authentication etc.

I have several users in the "radcheck" table...

--8<--[ radcheck ]--8<--
id  UserName  Attribute      op  Value
--  --------  -------------  --  -------
1   JohnDoe   User-Password  ==  secret1
2   JaneDoe   User-Password  ==  secret2
--8<--

...and two groups in the "radgroupcheck" table, one for users with static IP addresses and one for users with dynamic IP addresses...

--8<--[ radgroupcheck ]--8<--
id  GroupName  Attribute        op  Value
--  ---------  ---------------  --  -----------
1   static     Auth-Type        :=  Local
2   static     Service-Type     :=  Framed-User
3   static     Framed-Protocol  :=  PPP
4   dynamic    Auth-Type        :=  Local
5   dynamic    Service-Type     :=  Framed-User
6   dynamic    Framed-Protocol  :=  PPP
7   dynamic    Pool-Name        :=  ippool1
--8<--

...as well as user -> group mappings in the "usergroup" table...

--8<--[ usergroup ]--8<--
id  UserName  GroupName
--  --------  ---------
1   JohnDoe   static
2   JaneDoe   dynamic
--8<--

...the individual user's static IP addresses...

--8<--[ radreply ]--8<--
id  UserName  Attribute          op  Value
--  --------  -----------------  --  -------
1   JohnDoe   Framed-IP-Address  =   1.2.3.1
--8<--

...and the group replies...

--8<--[ radgroupreply ]--8<--
id  GroupName  Attribute        op  Value                               prio
--  ---------  ---------------  --  ----------------------------------  ----
1   static     Service-Type     =   Framed-User                         0
2   static     Framed-Protocol  =   PPP                                 0
3   static     Cisco-AVPair     =   ip:dns-servers=1.2.3.250 1.2.4.250  0
4   dynamic    Service-Type     =   Framed-User                         0
5   dynamic    Framed-Protocol  =   PPP                                 0
6   dynamic    Cisco-AVPair     =   ip:dns-servers=1.2.3.250 1.2.4.250  0
--8<--

Here's the interesting content of radiusd.conf:

--8<--[ radiusd.conf ]--8<--
[...]
modules {
    [...]
    ippool ippool1 {
        range-start = 1.2.4.2
        range-stop = 1.2.4.249
        netmask = 255.255.255.255
        cache-size = 3072
        session-db = ${raddbdir}/ippool.d/ippool1.session-db
        ip-index = ${raddbdir}/ippool.d/ippool1.ip-index
        override = no
        maximum-timeout = 0
    }
    ippool ippool2 {
        range-start = 1.2.8.2
        range-stop = 1.2.8.249
        netmask = 255.255.255.255
        cache-size = 3072
        session-db = ${raddbdir}/ippool.d/ippool2.session-db
        ip-index = ${raddbdir}/ippool.d/ippool2.ip-index
        override = no
        maximum-timeout = 0
    }
}
accounting {
    ippool1
    sql
}
session {
    sql
}
post-auth {
    ippool1
    sql
}
--8<--

Everything works fine with ippool1. How can I make ippool2 be used by the "dynamic" usergroup as well? I would like to keep using the stable 1.0.2 release instead of switching to a CVS snapshot, just in case the solution is easier with a recent snapshot.

Thanks in advance.
--
Wolfram Schlich
(no subject)
Hello,

Thanks for the reply.

>You can use Reply-Message to give the users a message, but you can't
>use any other attribute.

I don't want it for user to send him any reply.

> If you, as administrator, want to see why a user is rejected, run
>the server in debugging mode.
>
>> %{reply:Packet-Type} this give me 'reject' only but i need some
>> informative answer, how to do that thing ?
>
> Run the server in debugging mode.
>

I know I can see the reject cause while running in debug mode, but I want to store the reject causes in a database or log them, so it will be helpful in future for support people, customer support etc., so they can inform users what the exact cause of the rejection is!

That will be a nice addition? When radius sends reject, like reject-Bad-Password or reject-Bad-Calling-Station-Id, something like that? Or the same sort of thing we can do, without running in debug mode and without using external scripts!

Thanks
Babar Shafiq.

God is a great Programmer
Re: free radius + dependencies
Yeah, I hate RPMs. Had that same problem on my system (fedora core 3). Who wants to spend time hunting for each one (which each have their own dependencies)?

Try to install apt-get then you can do a nice little: apt-get freeradius and apt-get freeradius-mysql. Very slick.

I've heard yum is good too but been trying to use it for installing mono and so far it's a POS.

Hope this helps

On 5/6/05, Rupak <[EMAIL PROTECTED]> wrote:
> Hello as you people suggested me to use free radius rpm I installed it. The
> version is freeradius-1.0.1-1.x86_64.rpm. Now when I issue
> the command rpm -ivh freeradius-1.0.1-1.x86_64.rpm. Then it shows me
> dependencies as following
>
> error: Failed dependencies:
> libc.so.6()(64bit) is needed by freeradius-1.0.1-1
> libc.so.6(GLIBC_2.2.5)(64bit) is needed by freeradius-1.0.1-1
> libc.so.6(GLIBC_2.3)(64bit) is needed by freeradius-1.0.1-1
> libc.so.6(GLIBC_2.3.4)(64bit) is needed by freeradius-1.0.1-1
> libcom_err.so.2()(64bit) is needed by freeradius-1.0.1-1
> libcrypt.so.1()(64bit) is needed by freeradius-1.0.1-1
> libcrypto.so.4()(64bit) is needed by freeradius-1.0.1-1
> libdl.so.2()(64bit) is needed by freeradius-1.0.1-1
> libgdbm.so.2()(64bit) is needed by freeradius-1.0.1-1
> libk5crypto.so.3()(64bit) is needed by freeradius-1.0.1-1
> libkrb5.so.3()(64bit) is needed by freeradius-1.0.1-1
> liblber-2.2.so.7()(64bit) is needed by freeradius-1.0.1-1
> libldap_r-2.2.so.7()(64bit) is needed by freeradius-1.0.1-1
> libltdl.so.3()(64bit) is needed by freeradius-1.0.1-1
> libnsl.so.1()(64bit) is needed by freeradius-1.0.1-1
> libpam.so.0()(64bit) is needed by freeradius-1.0.1-1
> libpthread.so.0()(64bit) is needed by freeradius-1.0.1-1
> libpthread.so.0(GLIBC_2.2.5)(64bit) is needed by freeradius-1.0.1-1
> libresolv.so.2()(64bit) is needed by freeradius-1.0.1-1
> libsasl2.so.2()(64bit) is needed by freeradius-1.0.1-1
> libssl.so.4()(64bit) is needed by freeradius-1.0.1-1
>
> Now where can I get the listed dependencies.
>
> thank you