Re: Database connection failure and retry

2005-06-09 Thread Ming-Ching Tiew

From: "Alan DeKok" <[EMAIL PROTECTED]>


> "Ming-Ching Tiew" <[EMAIL PROTECTED]> wrote:
> > There is no checking whatsoever, so unixodbc driver is unable to reconnect 
> > upon  failure.
> 
>   Ok... are you willing to supply a patch?
> 

I am not sure if I am in a position to patch it, but I noticed the mysql driver
is of much higher quality. Other drivers such as iodbc and unixodbc are of poorer
quality.

Cheers.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: is it possible to only allow users with a valid host ip?

2005-06-09 Thread Paul Hampson
On Thu, Jun 09, 2005 at 06:19:28AM -0700, [EMAIL PROTECTED] wrote:
> Hi,

> I wonder if I can restrict (vpn)login from users in combination with
> their login (host) ip address. 

If you mean their source address, that would depend on how your VPN
endpoint gives that information to FreeRADIUS. If it's sensible and
uses the Calling-Station-ID attribute, then you can use that.

-- 
Paul "TBBle" Hampson, on an alternate email client.


Re: problem with "#" in username

2005-06-09 Thread Christian Seitz

On Thu, 9 Jun 2005, Kevin Bonner wrote:

> See safe-characters in postgresql.conf. Search the list archives for 
> more info, as this has been talked about many times before.

Thank you! I looked in the archive before posting, but I didn't find 
anything describing my problem. Perhaps I only tried the wrong keywords...


Chris
--
Christian Seitz <[EMAIL PROTECTED]> http://www.in-berlin.de/
Individual Network Berlin e.V.

PGP Fingerprint: A9 17 03 0D 36 AB 07 4E  D0 1E C3 8E 3F B0 66 9A


tinyPEAP has said they will comply

2005-06-09 Thread Alan DeKok
From http://www.tinypeap.com
...
6/9/2005 tinyPEAP has stopped distributing the binaries due to the copyright 
infringement against FreeRADIUS Project.
...

  The author also says in private email that he apologizes, takes our
concerns seriously, will re-write the relevant code.

  Thanks to everyone for their support & patience in this matter.

  Alan DeKok.


RE: FW: Trouble with HTTPS and mod_auth_radius

2005-06-09 Thread Cris Boisvert
That would be great.. I tried to work with mod_auth_radius a while back and couldn't get
it to go, and I really wanted to have a site that was only available
to authenticated users.
(just my 2 cents) 
I was trying it out on Macs running Apache.. (That could have been the
problem)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Thursday, June 09, 2005 3:56 PM
To: FreeRadius users mailing list
Subject: Re: FW: Trouble with HTTPS and mod_auth_radius 

Zawacki Jason D Contr AFRL/IFOS <[EMAIL PROTECTED]> wrote:
> Is there a mod_auth_radius list I can direct this question to?

  Not really.  This list is good enough.

> Like I said, the same setup works fine for a non-SSL URL, which 
> puzzles me greatly.  I'm using this box to test several authentication 
> schemes including ldap, ntlm, and kerberos and none of demonstrated 
> the same behavior.

  I'd love to know why.  When I wrote mod_auth_radius, there was little
documentation about the internals of Apache.  So the module may not "do the
right thing".

  At this point, it may be worth re-writing the module to follow the outline
of one which does work, and just change "ntlm" to "radius", for example.

  Alan DeKok.



Re: FW: Trouble with HTTPS and mod_auth_radius

2005-06-09 Thread Alan DeKok
Zawacki Jason D Contr AFRL/IFOS <[EMAIL PROTECTED]> wrote:
> Is there a mod_auth_radius list I can direct this question to?

  Not really.  This list is good enough.

> Like I said, the same setup works fine for a non-SSL URL, which puzzles me
> greatly.  I'm using this box to test several authentication schemes
> including ldap, ntlm, and kerberos and none of demonstrated the same
> behavior.

  I'd love to know why.  When I wrote mod_auth_radius, there was
little documentation about the internals of Apache.  So the module may
not "do the right thing".

  At this point, it may be worth re-writing the module to follow the
outline of one which does work, and just change "ntlm" to "radius",
for example.

  Alan DeKok.



Re: problem with "#" in username

2005-06-09 Thread Kevin Bonner
On Thursday 09 June 2005 14:30, Christian Seitz wrote:
> Hi,
>
> I want to replace our old radius server with freeradius and it seems that
> freeradius has all the features we need - great work! We are using
> freeradius 1.0.2-4 from debian unstable with a PostgreSQL database for
> users and logging.
>
> My problem is that some of our usernames contain a "#", for example
> "[EMAIL PROTECTED]". Freeradius receives this username and logs it to
> radius.log, but it logs "Auth: Login incorrect". When I turn on statement
> logging in PostgreSQL, I can see, that freeradius sends a select query to
> PostgreSQL with "[EMAIL PROTECTED]" as the username instead of
> "[EMAIL PROTECTED]".
>
> When I change the username to "[EMAIL PROTECTED]" in the database table, I
> get "Auth: Login OK", although the client still sends "[EMAIL PROTECTED]" as
> the username and freeradius logs "[EMAIL PROTECTED]" in radius.log.
>
> Is this a bug in freeradius?
>
> Chris

See safe-characters in postgresql.conf.  Search the list archives for more 
info, as this has been talked about many times before.

Kevin Bonner
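
As an added illustration (not code from the thread or from FreeRADIUS), this is the escaping rule behind Kevin's pointer to safe-characters: rlm_sql in FreeRADIUS 1.x rewrites every character of the User-Name that is not in the safe-characters list as `=` plus two hex digits before substituting `%{SQL-User-Name}` into the query, so a row stored with the raw `#` never matches. The default list and the `=%02X` format are reproduced from memory of rlm_sql.c and should be checked against your own sql.conf or postgresql.conf; the username is constructed, since the real one is redacted in the archive.

```python
"""rlm_sql User-Name escaping (FreeRADIUS 1.x), as an added illustration.

Assumption: the default safe-characters string and the '=%02X' escape format
are reproduced from memory of rlm_sql.c; verify against your own sql.conf or
postgresql.conf. The username below is constructed (the real one is redacted
in the archive).
"""

DEFAULT_SAFE_CHARACTERS = ("@abcdefghijklmnopqrstuvwxyz"
                           "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def sql_escape(value: str, safe_characters: str = DEFAULT_SAFE_CHARACTERS) -> str:
    """Replace every byte not in safe_characters with '=' plus two uppercase
    hex digits, the way rlm_sql's sql_escape_func builds %{SQL-User-Name}.
    '=' itself is never in the safe list, so the encoding is unambiguous."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe_characters:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def radcheck_query(user_name: str, safe_characters: str = DEFAULT_SAFE_CHARACTERS) -> str:
    """The authorize_check_query seen in the thread, with the escaped name substituted."""
    return ("SELECT id,UserName,Attribute,Value,op FROM radcheck "
            "WHERE Username = '%s' ORDER BY id" % sql_escape(user_name, safe_characters))


def lookup(rows: dict, user_name: str, safe_characters: str = DEFAULT_SAFE_CHARACTERS):
    """Simulate the database lookup: rows is keyed by the UserName column as stored.
    Returns the row, or None when the escaped name matches nothing."""
    return rows.get(sql_escape(user_name, safe_characters))


if __name__ == "__main__":
    name = "user#example.org"  # constructed; '#' is not in the default list
    # The radcheck row as Christian stored it, with the raw '#'.
    radcheck = {"user#example.org": ("User-Password", "==", "constructed")}
    print(radcheck_query(name))   # ... WHERE Username = 'user=23example.org' ...
    print(lookup(radcheck, name))  # None: the escaped name matches no row
    # Either add '#' to safe-characters ...
    print(lookup(radcheck, name, DEFAULT_SAFE_CHARACTERS + "#"))
    # ... or store the escaped form, which is what Christian did by hand.
    print(lookup({"user=23example.org": "row"}, name))
    # The same rule is what keeps quote characters out of the query text:
    print(sql_escape("x' OR '1'='1"))  # x=27 OR =271=27=3D=271
```

Widening safe-characters is the usual fix; whichever characters you admit are then passed into the query text unescaped, which is why the default list is so short.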



Re: Problem getting FR/MySQL to work with CHAP

2005-06-09 Thread Kevin Bonner
On Thursday 09 June 2005 08:26, Rens Houben wrote:
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op
>   FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
>
> * This returns the following data when run in a mysql shell:
> +-----+-------------------+----------------+-------+----+
> | id  | UserName          | Attribute      | Value | op |
> +-----+-------------------+----------------+-------+----+
> | 186 | [EMAIL PROTECTED] | Password       | -     | == |
> | 271 | [EMAIL PROTECTED] | CHAP-Challenge | -     | == |
> | 272 | [EMAIL PROTECTED] | Auth-Type      | Local | := |
> +-----+-------------------+----------------+-------+----+
> (password and challenge secret changed for security purposes)

First suggestion, upgrade to 1.0.4 (when it's released).

Auth-Type isn't necessary.  Also, I don't think CHAP-Challenge should be 
listed there.  The only attribute you should need in the db for CHAP auth is 
User-Password.

Kevin Bonner
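
As an added example (not code from the thread or from FreeRADIUS), this is the check rlm_chap performs and why it needs a cleartext User-Password: the NAS sends CHAP-Password = Ident || MD5(Ident || password || challenge), where the challenge is the CHAP-Challenge attribute carried in the request or, when that attribute is absent as in Rens's Access-Request, the 16-octet Request Authenticator; the server can only recompute the MD5 if it holds the password itself, which is what "Cleartext password not available" reports. The challenge is never taken from the database, so a CHAP-Challenge row in radcheck does not feed this check. All values are constructed.

```python
"""CHAP verification as a RADIUS server does it (RFC 1994 s4.1, RFC 2865 s5.3).

Added example; not FreeRADIUS code. Shows why rlm_chap needs a cleartext
password and where the challenge actually comes from.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values, standing in for the redacted ones in the thread.
CLEARTEXT_PASSWORD = "constructed-secret"
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16 octets
CHAP_IDENT = 0x01  # first octet of CHAP-Password, as in the debug log above


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """MD5(Ident || password || challenge): the 16-octet CHAP Response."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def nas_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """What the NAS puts in CHAP-Password: 1 octet Ident + 16 octet Response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify_chap(chap_password: bytes,
                       stored_cleartext: Optional[str],
                       request_authenticator: bytes,
                       chap_challenge: Optional[bytes] = None) -> Tuple[bool, str]:
    """Server side. The challenge is the request's CHAP-Challenge attribute if
    present, otherwise the Request Authenticator; never a database value."""
    if stored_cleartext is None:
        # A crypt()/hashed password in the database cannot be used: CHAP needs
        # the password itself to recompute the response.
        return False, "Cleartext password not available"
    if len(chap_password) != 17:
        return False, "malformed CHAP-Password"
    ident, response = chap_password[0], chap_password[1:]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, stored_cleartext, challenge)
    if hmac.compare_digest(expected, response):
        return True, "ok"
    return False, "response mismatch"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Three outcomes: correct User-Password row, wrong password, no cleartext."""
    attr = nas_chap_password(CHAP_IDENT, CLEARTEXT_PASSWORD, REQUEST_AUTHENTICATOR)
    good = server_verify_chap(attr, CLEARTEXT_PASSWORD, REQUEST_AUTHENTICATOR)
    wrong = server_verify_chap(attr, "some-other-password", REQUEST_AUTHENTICATOR)
    no_clear = server_verify_chap(attr, None, REQUEST_AUTHENTICATOR)
    return good, wrong, no_clear


if __name__ == "__main__":
    for label, result in zip(("correct", "wrong password", "hash only"), demo()):
        print(f"{label:15s} -> {result}")
```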



Re: mrtg

2005-06-09 Thread Kevin Bonner
On Thursday 09 June 2005 02:21, Micko wrote:
> HI!
>
> I use FreeRADIUS as proxy.
> I would like to know if I can create mrtg using snmp on how many users are
> currently connected?
>
> Thank you!

IMO, it would be difficult for the radius server to give accurate data.  MRTG 
should be able to query your NAS equipment to determine how many users are 
connected on each device under your control.

We use the SNMP support in FreeRADIUS to graph packet/request info for radiusd 
on each server we have in production.

Kevin Bonner



Re: problem with "#" in username

2005-06-09 Thread Marcin Jessa
I bet this is database specific.
Run radius in debug mode and see what is shown by the User-Name attribute.
Try to change sql query in postgresql.conf if radius accepts correct username.

Cheers,
Marcin 


On Thu, 9 Jun 2005 20:30:03 +0200 (CEST)
Christian Seitz <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I want to replace our old radius server with freeradius and it seems that 
> freeradius has all the features we need - great work! We are using 
> freeradius 1.0.2-4 from debian unstable with a PostgreSQL database for 
> users and logging.
> 
> My problem is that some of our usernames contain a "#", for example 
> "[EMAIL PROTECTED]". Freeradius receives this username and logs it to 
> radius.log, but it logs "Auth: Login incorrect". When I turn on statement 
> logging in PostgreSQL, I can see, that freeradius sends a select query to 
> PostgreSQL with "[EMAIL PROTECTED]" as the username instead of 
> "[EMAIL PROTECTED]".
> 
> When I change the username to "[EMAIL PROTECTED]" in the database table, I 
> get "Auth: Login OK", although the client still sends "[EMAIL PROTECTED]" as 
> the username and freeradius logs "[EMAIL PROTECTED]" in radius.log.
> 
> Is this a bug in freeradius?
> 
> Chris
> -- 
> Christian Seitz <[EMAIL PROTECTED]> http://www.in-berlin.de/
> Individual Network Berlin e.V.
> 
> PGP Fingerprint: A9 17 03 0D 36 AB 07 4E  D0 1E C3 8E 3F B0 66 9A


problem with "#" in username

2005-06-09 Thread Christian Seitz

Hi,

I want to replace our old radius server with freeradius and it seems that 
freeradius has all the features we need - great work! We are using 
freeradius 1.0.2-4 from debian unstable with a PostgreSQL database for 
users and logging.


My problem is that some of our usernames contain a "#", for example 
"[EMAIL PROTECTED]". Freeradius receives this username and logs it to 
radius.log, but it logs "Auth: Login incorrect". When I turn on statement 
logging in PostgreSQL, I can see, that freeradius sends a select query to 
PostgreSQL with "[EMAIL PROTECTED]" as the username instead of 
"[EMAIL PROTECTED]".


When I change the username to "[EMAIL PROTECTED]" in the database table, I 
get "Auth: Login OK", although the client still sends "[EMAIL PROTECTED]" as 
the username and freeradius logs "[EMAIL PROTECTED]" in radius.log.


Is this a bug in freeradius?

Chris
--
Christian Seitz <[EMAIL PROTECTED]> http://www.in-berlin.de/
Individual Network Berlin e.V.

PGP Fingerprint: A9 17 03 0D 36 AB 07 4E  D0 1E C3 8E 3F B0 66 9A


Re: mrtg

2005-06-09 Thread Alan DeKok
"Thor Spruyt" <[EMAIL PROTECTED]> wrote:
> You *could* store the sessions in a database from which this info can be
> retrieved.

  Sure.  Then hack the SNMP code to export it, create MIBs, etc.

  I'm not sure how to do this, and the demand for it is small.  If
someone submits patches, great.  Otherwise, oh well...

  Alan DeKok.



Re: mrtg

2005-06-09 Thread Thor Spruyt
Alan DeKok wrote:
> Micko <[EMAIL PROTECTED]> wrote:
>> I would like to know if I can create mrtg using snmp on how many
>> users are currently connected?
>
>   FreeRADIUS doesn't supply that information through SNMP.
>

You *could* store the sessions in a database from which this info can be
retrieved.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Re: Authenticate/Attributes based on NAS-IP-Address - SOLVED

2005-06-09 Thread N White
 both the Dial-Up and Wireless 
groups. Now, if I run a test (I use NTRadPing) from anything other than 
68.190.182.200, it replies with the attributes for Dial-Up. If I run a 
test from 68.190.182.200, it replies with the attributes for Wireless, 
including the Static IP. Now, if I insert "testaccount2" into 
radreply(assuming the user is a part of Dial-Up already), with a Static 
IP, but nothing in "HuntGroup" and test from anything it returns the 
attributes only in radreply - Static IP.
You could expand upon this, as it may not be complete. Feel free to 
correct me or make other points.


-Nick


Graeme Hinchliffe wrote:


Hiya,
Use Client-IP rather than NAS-IP as NAS-IP can be spoofed.

Graeme

On Wed, 2005-06-08 at 15:30 -0700, N White wrote:
 


Graeme Hinchliffe wrote:

   


Hiya
perhaps you could do it using huntgroups.

Put the static attributes for the user in the radreply table, then
assign each nas to a huntgroup, so say

NAS-dynamic

Then in radgroupreply you put the attributes for for dynamic IP
assignment on the NAS-dynamic, and ensure there is an attribute to
override the static settings.

not 100% about the overriding of the static IP settings, but would think
it possible using the assignment ( := ) operator and possibly a null
value?

Hope thats of some help.


 

Do I need to setup a "HuntGroups" field like Mike suggested? Ok, so in 
huntgroups file:


Wireless NAS-IP-Address = (the IP of the Wireless NAS)
 Autz-Type = SQL1 (modify radiusd.conf to include 
this, and sql.conf like in Mike's post?)

NAS-dynamic  NAS-IP-Address = (ip of dialup NAS)
   NAS-IP-Address = (ip of isdn NAS)

in radgroupreply:

+-----------+--------------------+----+---------------------+-----------+
| GroupName | Attribute          | op | Value               | HuntGroup |
+-----------+--------------------+----+---------------------+-----------+
| Wireless  | Service-Type       | =  | Framed-User         | Wireless  |
| Wireless  | Framed-Protocol    | =  | PPP                 | Wireless  |
| Wireless  | Framed-IP-Address  | =  | 255.255.255.254     | Wireless  |
| Wireless  | Framed-IP-Netmask  | =  | 255.255.255.255     | Wireless  |
| Wireless  | Framed-Compression | =  | Van-Jacobson-TCP-IP | Wireless  |
+-----------+--------------------+----+---------------------+-----------+
All Other users would go into the Dial-Up Group, which would have a HuntGroup 
of NAS-dynamic?

in radreply:

+-----------+-------------------+-----+--------------+
| UserName  | Attribute         | op  | Value        |
+-----------+-------------------+-----+--------------+
| test123   | Framed-IP-Address | :=  | 192.168.2.10 |
+-----------+-------------------+-----+--------------+

Now in radgroupcheck do I need a NAS-IP-Address check for each group(or 
the wireless group?)?

Thanks for everyone's help.

-Nick






   




--

| Nick White   |
| Network Consultant   |
| http://www.edge9.net |
| [EMAIL PROTECTED]  |




Re: Strange Group Reply

2005-06-09 Thread Alan DeKok
Fabrice Delambre <[EMAIL PROTECTED]> wrote:
> in the radgroupreply table, the server replies with 
> 
> Class := 0x3334.
> 
> More generally, it does always reply with 0x33XX, XX being the value of
> Class in radgroupreply.

  0x3334 is hex for the ASCII characters "34".

  The attribute is being sent back with the exact data you wanted,
it's just not being printed to the screen in a way you expect.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problems with LDAP

2005-06-09 Thread alfonso celestino

No, rlm_ldap* was not installed. How can I install it?

Thanks very much for their answers!! 

 --- "Mitchell, Michael J"
<[EMAIL PROTECTED]> wrote:

> Hi,
> 
> Check /usr/local/radius/lib for rlm_ldap* to ensure
> that rlm_ldap
> actually built and was installed.
> 
> Cheers,
> Mike
> 
> 
> > 
> > Hello,
> > first, excuseme for my english
> > 
> > I have freeradius running with EAP and PEAP
> authentication 
> > very well, but i would like use Openldap like
> database, but 
> > when after i do the changes, and I restart the
> radius appears 
> > the error:
> > segmetation fault
> > 
> 


FW: Trouble with HTTPS and mod_auth_radius

2005-06-09 Thread Zawacki Jason D Contr AFRL/IFOS
Is there a mod_auth_radius list I can direct this question to?

Thanks,
Jason 

-Original Message-
From: Zawacki Jason D Contr AFRL/IFOS 
Sent: Monday, June 06, 2005 11:43 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: Trouble with HTTPS and mod_auth_radius

Hey folks,
 
I'm having trouble getting my configuration to work with SSL enabled in
apache 1.3.33 using mod_auth_radius (mod_auth_radius.c,v 1.15 2003/03/24
19:16:15).  This same setup works fine when SSL is not enabled.  If I go to
the page I've configured for radius auth, I get an Internal Server Error.
I've shut off all other authentications for this location (NTLM) and the
mod_auth module is not being activated.  Even so, the apache error log
indicates that it is looking for a user file as if I were using mod_auth.
Here is my setup:
 
...
LoadModule radius_auth_module   libexec/mod_auth_radius.so
...
#AddModule mod_auth.c
...
AddModule mod_auth_radius.c
...
AddRadiusAuth   X.X.X.X:1812 XX
AddRadiusCookieValid5
...

AllowOverride None
order allow,deny
allow from all
 
AuthName "RRS Radius test"
AuthType Basic
NTLMAuthoritative off
NTLMAuth off
NTLMBasicAuth off
AuthRadiusAuthoritative on
AuthRadiusActive on
require valid-user


Like I said, the same setup works fine for a non-SSL URL, which puzzles me
greatly.  I'm using this box to test several authentication schemes
including ldap, ntlm, and kerberos and none of demonstrated the same
behavior.

Any help is greatly appreciated.

Jason


Re: Database connection failure and retry

2005-06-09 Thread Alan DeKok
"Ming-Ching Tiew" <[EMAIL PROTECTED]> wrote:
> There is no checking whatsoever, so unixodbc driver is unable to reconnect 
> upon  failure.

  Ok... are you willing to supply a patch?

  Alan DeKok.


Re: mrtg

2005-06-09 Thread Alan DeKok
Micko <[EMAIL PROTECTED]> wrote:
> I would like to know if I can create mrtg using snmp on how many users are 
> currently connected?

  FreeRADIUS doesn't supply that information through SNMP.

  Alan DeKok.


FreeRADIUS 1.0.2 Segfaulting

2005-06-09 Thread Bubba Parker
I'm using freeradius 1.0.2 with openssl 0.9.7g,
configured for PEAP, trying to authenticate a Windows
XP client.

The script I'm running that invokes freeradius looks like this:

--snip--
#!/bin/sh -x

LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so

export LD_LIBRARY_PATH LD_PRELOAD

/usr/local/radius/sbin/radiusd $@
--snip--

Here's the log of starting up freeradius and
the client trying to authenticate.

# ./radiusd -X -A
+ LD_LIBRARY_PATH=/usr/local/openssl/lib
+ LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/radius/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/radius/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/radius/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/radius/etc/raddb/certs/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/radius/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/radius/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap

RE: syslog

2005-06-09 Thread Miguel Sennoun


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Craig Huckabee
> Sent: Thursday, 9 June 2005 16:04
> To: FreeRadius users mailing list
> Subject: Re: syslog
> 
> Miguel Sennoun wrote:
> >
> >
> > I would like to redirect all radius logs (even accounting).
> 
> Well, as I mentioned accounting isn't there yet unless someone else has
> done it.
> 
> [ SNIP ]
> 
> >
> > Thank you for the extract of the radiusd.conf but in mine this section
> is
> > not present. Even in the 1.0.3 conf files. So I added the section but I
> > don't know if it is supported by my server.
> 
> I went back and looked - it is in the main CVS line but those changes
> were not pulled up for the release versions.  Looks like Alan checked in
> the syslog bits ~11 months ago, but I don't see where they made it up
> into a release version.  Could be missing the merge, though.
> 
> We run a build made from the CVS sources, and it works, so if that is an
> option for you then I'd suggest that.


Thank you. I found it in the CVS snapshot, but as it is not in the released
versions, I think I had better use another way to manage the radius logs.




Re: syslog

2005-06-09 Thread Craig Huckabee

Miguel Sennoun wrote:

> I would like to redirect all radius logs (even accounting).

Well, as I mentioned accounting isn't there yet unless someone else has 
done it.

[ SNIP ]

> Thank you for the extract of the radiusd.conf but in mine this section is
> not present. Even in the 1.0.3 conf files. So I added the section but I
> don't know if it is supported by my server.

I went back and looked - it is in the main CVS line but those changes 
were not pulled up for the release versions.  Looks like Alan checked in 
the syslog bits ~11 months ago, but I don't see where they made it up 
into a release version.  Could be missing the merge, though.

We run a build made from the CVS sources, and it works, so if that is an 
option for you then I'd suggest that.


--Craig


--
/ Craig Huckabee|  e-mail: [EMAIL PROTECTED] /
/ Code 715-CH   |   phone: (843) 218 5653   /
/ SPAWAR Systems Center | close proximity: "Hey You!"   /
/ Charleston, SC|ICBM:  32.78N, 79.93W  /



RADIUS Session Closing

2005-06-09 Thread Ferreira, André

Is there or which attribute is used to tell RADIUS to close all connections from the NASses?
Thus something saying, close global...etc. Apart from restarting the RADIUS daemon.


Thanx.


André Ferreira




RE: syslog

2005-06-09 Thread Miguel Sennoun

> >> Set "log_destination = syslog" and
> >>
> >> log {
> >> syslog_facility = daemon
> >> }
> >
> > I tried, but it seems not write radius logs in syslog
>
> Just to be clear - which "radius" logs are you trying to redirect and
> did you make sure that syslog is running/configured correctly ?

I would like to redirect all radius logs (even accounting).

And so in my etc/syslog.conf I have:

*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

*.alert;kern.err;daemon.err                     operator
*.alert                                         root

*.emerg                                         *
*.*                                             /var/log/allmsg

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *

I believe the line "*.*    /var/log/allmsg" should perform the correct
behaviour. I can see some system logs such as user logins, but no
freeradius daemon logs.

> >> in your radiusd.conf.  That will get your authentication/authorization
> >> logs going to syslog under the "daemon" facility.  This is all in the
> >> documentation, BTW.
> >
> > There is nothing in my documentation (freeradius 1.0.2
>
> Straight from the distributed radiusd.conf:

Thank you for the extract of the radiusd.conf but in mine this section is
not present. Even in the 1.0.3 conf files. So I added the section but I
don't know if it is supported by my server.


is it possible to only allow users with a valid host ip?

2005-06-09 Thread gvdgiessen
Hi,

I wonder if I can restrict (vpn)login from users in combination with
their login (host) ip address. 

cheers, Geer
-- 
  
  [EMAIL PROTECTED]



Re: segmentation fault

2005-06-09 Thread Fabrice Delambre
On Thu, 2005-06-09 at 05:21 -0700, yuniva wati wrote:
> hello freeradius users, 
> I have configure my freeradius for accounting but when
> I run it using :
> 
> [EMAIL PROTECTED] raddb]# /usr/local/radius/sbin/radiusd
> -sfxxyz -l stdout
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
>  ... snip
> segmentation fault
> 
> that I want ask is :
> -Why I got that message and what part is wrong??
> thanks for all of you.
> I hope anyone can help me

You should run radiusd with your os syscall tracer (strace, ktrace etc.)
to get more precise info on the segv reason.

-- 
Fabrice Delambre <[EMAIL PROTECTED]>



Re: syslog

2005-06-09 Thread Craig Huckabee

Miguel Sennoun wrote:

>> Set "log_destination = syslog" and
>>
>> log {
>> syslog_facility = daemon
>> }
>
> I tried, but it seems not write radius logs in syslog

Just to be clear - which "radius" logs are you trying to redirect and 
did you make sure that syslog is running/configured correctly ?

>> in your radiusd.conf.  That will get your authentication/authorization
>> logs going to syslog under the "daemon" facility.  This is all in the
>> documentation, BTW.
>
> There is nothing in my documentation (freeradius 1.0.2

Straight from the distributed radiusd.conf:

#
#  Destination for log messages.  This can be one of:
#
#   files - log to ${log_file}, as defined above.
#   syslog - to syslog (see also the log{} section, below)
#   stdout - standard output
#   stderr - standard error.
#
#  The command-line option "-X" over-rides this option, and forces
#  logging to go to stdout.
#

That last note is VERY important - if you are testing using -X, you 
won't see anything in syslog.


and further down:

#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
#
#  Which syslog facility to use, if ${log_destination} == "syslog"
#
#  The exact values permitted here are OS-dependent.  You probably
#  don't want to change this.
#
syslog_facility = daemon
}


--
/ Craig Huckabee|  e-mail: [EMAIL PROTECTED] /
/ Code 715-CH   |   phone: (843) 218 5653   /
/ SPAWAR Systems Center | close proximity: "Hey You!"   /
/ Charleston, SC|ICBM:  32.78N, 79.93W  /



Problem getting FR/MySQL to work with CHAP

2005-06-09 Thread Rens Houben
Hello all,

Due to a policy change with MCI we now have to change our
authentication/authorization scheme for dial-in users to CHAP, but for
some reason I just can't get it to work. 

I've checked mailing list archives and google, and as far as
I can see I've done everything right, but I'm still getting "Cleartext
password not available."

Here's the log from freeradius -X :

rad_recv: Access-Request packet from host 195.129.12.34:1645, id=129, length=228
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 0x01cf2e2a27fc74a7b6271039f9c3e1b0e6
NAS-IP-Address = 213.116.1.36
NAS-Port = 70
NAS-Port-Type = ISDN
Service-Type = Framed-User
Framed-Protocol = PPP
State = 0x
Calling-Station-Id = "774642968"
Called-Station-Id = "0676011850"
Acct-Session-Id = "436504632"
X-Ascend-Data-Rate = 64000
X-Ascend-Xmit-Rate = 64000
Proxy-State = 
0x5058303165bd93266f974b08f6115766e0d35d7719e900020691d57401240002066dc2e5a403000300020f73008d192a9815e82047235efbe3c5fbb341
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok
rlm_realm: Looking up realm "systemec.nl" for User-Name = "[EMAIL 
PROTECTED]"
rlm_realm: Found realm "systemec.nl"
rlm_realm: Adding Stripped-User-Name = "testflex"
rlm_realm: Proxying request from user testflex to realm systemec.nl
rlm_realm: Adding Realm = "systemec.nl"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'

* This returns the following data when run in a mysql shell:
+-----+-------------------+----------------+-------+----+
| id  | UserName          | Attribute      | Value | op |
+-----+-------------------+----------------+-------+----+
| 186 | [EMAIL PROTECTED] | Password       | -     | == |
| 271 | [EMAIL PROTECTED] | CHAP-Challenge | -     | == |
| 272 | [EMAIL PROTECTED] | Auth-Type      | Local | := |
+-----+-------------------+----------------+-------+----+
(password and challenge secret changed for security purposes)

rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,
radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup 
WHERE usergroup.Username = '[EMAIL PROTECTED]' 
AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id'

+----+-----------+----------------+-------+----+
| id | GroupName | Attribute      | Value | op |
+----+-----------+----------------+-------+----+
|  3 | flex      | Huntgroup-Name | flex  | == |
|  4 | flex      | Auth-Type      | Local | := |
+----+-----------+----------------+-------+----+


radius_xlat:  'SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = '[EMAIL PROTECTED]' 
ORDER BY id'

Empty set (0.00 sec)

radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,
radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup 
WHERE usergroup.Username = '[EMAIL PROTECTED]' 
AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id'

+----+-----------+-----------------+-------------+----+
| id | GroupName | Attribute       | Value       | op |
+----+-----------+-----------------+-------------+----+
|  1 | flex      | Auth-Type       | Local       | := |
|  4 | flex      | Framed-Protocol | PPP         | := |
|  5 | flex      | Service-type    | Framed-User | := |
+----+-----------+-----------------+-------------+----+


rlm_sql (sql): No matching entry in the database for request from user [EMAIL 
PROTECTED]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group Auth-Type
  rlm_chap: login attempt by "testflex" with CHAP password
  rlm_chap: Could not find clear text password for user testflex
  modcall[authenticate]: module "chap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [EMAIL 
PROTECTED]/] (from client worldcom4 port 70 cli 774642968)
Delaying request 0 for 1 seconds
Finished request 0


I've tried using the attribute names 'Password', 'User-Password',
'CHAP-Password', as well as forcing Auth-Type to CHAP, in pretty much
every configuration I could think of, but the end resul
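
Why rlm_chap insists on a cleartext password, shown as an added example in Python (not code from this thread or from FreeRADIUS): the server has to recompute MD5(ident || password || challenge) itself, so a hashed password stored in radcheck can never be checked against a CHAP response. The authenticator and password below are constructed for the example; the CHAP-Password layout (one ident byte plus a 16-byte MD5 digest) is the one visible in the debug output above, and when a request carries no CHAP-Challenge, as the one above does not, RFC 2865 says the 16-byte Request Authenticator is the challenge.

```python
"""CHAP verification as a RADIUS server must perform it (RFC 1994, RFC 2865 s5.3).

Added example, not code from the thread or from FreeRADIUS.  All sample
values are constructed.
"""
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def build_chap_password(ident: int, secret: str, challenge: bytes) -> bytes:
    """What the NAS sends in CHAP-Password: the ident byte followed by the response."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def challenge_for(request_authenticator: bytes,
                  chap_challenge: Optional[bytes]) -> bytes:
    """RFC 2865 s5.3: use CHAP-Challenge if the NAS sent one, otherwise the
    16-byte Request Authenticator (the request in the thread has no CHAP-Challenge)."""
    return chap_challenge if chap_challenge is not None else request_authenticator


def verify_chap(chap_password: bytes, cleartext_password: Optional[str],
                challenge: bytes) -> bool:
    """Server side: recompute the digest over the stored *cleartext* password.

    With only a hash (crypt, MD5, NT hash ...) in radcheck there is nothing to
    feed into the MD5, so the server can only reject: that is the
    "Clear text password not available" failure in the thread.
    """
    if cleartext_password is None:
        return False
    if len(chap_password) != 17:          # 1 ident byte + 16-byte MD5 digest
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)   # constant-time compare


# Constructed sample exchange (not the values from the thread).
SAMPLE_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = "testflex-secret"
SAMPLE_IDENT = 0x01
SAMPLE_CHAP_PASSWORD = build_chap_password(
    SAMPLE_IDENT, SAMPLE_PASSWORD, challenge_for(SAMPLE_AUTHENTICATOR, None))


def demo() -> dict:
    """Run the three cases a server sees: right password, wrong password, hash only."""
    chal = challenge_for(SAMPLE_AUTHENTICATOR, None)
    return {
        "cleartext_ok": verify_chap(SAMPLE_CHAP_PASSWORD, SAMPLE_PASSWORD, chal),
        "wrong_password": verify_chap(SAMPLE_CHAP_PASSWORD, "wrong", chal),
        "hash_only": verify_chap(SAMPLE_CHAP_PASSWORD, None, chal),
    }


if __name__ == "__main__":
    print(demo())
```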

segmentation fault

2005-06-09 Thread yuniva wati
hello freeradius users, 
I have configured my freeradius for accounting but when
I run it using:

[EMAIL PROTECTED] raddb]# /usr/local/radius/sbin/radiusd
-sfxxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file:
/usr/local/radius/etc/raddb/proxy.conf
Config:   including file:
/usr/local/radius/etc/raddb/clients.conf
Config:   including file:
/usr/local/radius/etc/raddb/snmp.conf
Config:   including file:
/usr/local/radius/etc/raddb/eap.conf
Config:   including file:
/usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir =
"/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file =
"/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile =
"/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "nobody"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will
go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp =
"/usr/local/radius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file =
"/usr/local/radius/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file =
"/usr/local/radius/etc/raddb/certs/cert-srv.pem"
 tls: CA_file =
"/usr/local/radius/etc/raddb/certs/root.pem"
 tls: private_key_password = "telkom"
 tls: dh_file = "/usr/local/radius/etc/raddb/certs/dh"
 tls: random_file =
"/usr/local/radius/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups =
"/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints =
"/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile =
"/usr/local/radius/etc/raddb/users"
 files: acctusersfile =
"/usr/local/radius/etc/raddb/acct_users"
 files: preproxy_usersfile =
"/usr/local/radius/etc/raddb/preproxy_users"

Relocation Error

2005-06-09 Thread Normando Marcolongo

Hi!

I've the same error as in the thread 
http://lists.cistron.nl/pipermail/freeradius-users/2005-April/thread.html#43044:


freeradius: relocation error: /usr/lib/perl/5.8/auto/IO/IO.so: undefined 
symbol: Perl_Tstack_sp_ptr


Nobody seemed to pinpoint the problem. I have Debian 3.1 and one perl 
installation.
It seems, obviously, that when commenting out the perl module all works 
fine...


Please any light on this would be appreciated.

Thanks,
Normando

--
 Normando Marcolongo | Micso s.r.l.
  via Tiburtina, 318 | I-65128 Pescara, Italy
tel/fax (+39)08554105 | mob. (+39)3386296362

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: syslog

2005-06-09 Thread Miguel Sennoun

Thank you for the reply


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On behalf of Craig Huckabee
> Sent: Wednesday 8 June 2005 13:29
> To: FreeRadius users mailing list
> Subject: Re: syslog
> 
> Set "log_destination = syslog" and
> 
> log {
>  syslog_facility = daemon
> }

I tried, but it does not seem to write radius logs to syslog

> 
> in your radiusd.conf.  That will get your authentication/authorization
> logs going to syslog under the "daemon" facility.  This is all in the
> documentation, BTW.

There is nothing in my documentation (freeradius 1.0.2)

> If you search the list archives, you'll see where Alan kindly pointed
> out to me where to make some modifications so accounting info could be
> syslog'd as well - I have not had time to do it yet.

Argghhh, didn't find this, but thank you for having tried

Miguel Sennoun




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticate/Attributes based on NAS-IP-Address

2005-06-09 Thread Graeme Hinchliffe
Hiya,
Use Client-IP rather than NAS-IP as NAS-IP can be spoofed.

Graeme

On Wed, 2005-06-08 at 15:30 -0700, N White wrote:
> Graeme Hinchliffe wrote:
> 
> >Hiya
> > perhaps you could do it using huntgroups.
> >
> > Put the static attributes for the user in the radreply table, then
> >assign each nas to a huntgroup, so say
> >
> >NAS-dynamic
> >
> > Then in radgroupreply you put the attributes for for dynamic IP
> >assignment on the NAS-dynamic, and ensure there is an attribute to
> >override the static settings.
> >
> >not 100% about the overriding of the static IP settings, but would think
> >it possible using the assignment ( := ) operator and possibly a null
> >value?
> >
> >Hope that's of some help.
> >  
> >
> Do I need to setup a "HuntGroups" field like Mike suggested? Ok, so in 
> huntgroups file:
> 
> Wireless NAS-IP-Address = (the IP of the Wireless NAS)
>   Autz-Type = SQL1 (modify radiusd.conf to include 
> this, and sql.conf like in Mike's post?)
> NAS-dynamic  NAS-IP-Address = (ip of dialup NAS)
> NAS-IP-Address = (ip of isdn NAS)
> 
> in radgroupreply:
> 
> +-----------+--------------------+----+---------------------+-----------+
> | GroupName | Attribute          | op | Value               | HuntGroup |
> +-----------+--------------------+----+---------------------+-----------+
> | Wireless  | Service-Type       | =  | Framed-User         | Wireless  |
> | Wireless  | Framed-Protocol    | =  | PPP                 | Wireless  |
> | Wireless  | Framed-IP-Address  | =  | 255.255.255.254     | Wireless  |
> | Wireless  | Framed-IP-Netmask  | =  | 255.255.255.255     | Wireless  |
> | Wireless  | Framed-Compression | =  | Van-Jacobson-TCP-IP | Wireless  |
> +-----------+--------------------+----+---------------------+-----------+
> All Other users would go into the Dial-Up Group, which would have a HuntGroup 
> of NAS-dynamic?
> 
> in radreply:
> 
> +----------+-------------------+----+--------------+
> | UserName | Attribute         | op | Value        |
> +----------+-------------------+----+--------------+
> | test123  | Framed-IP-Address | := | 192.168.2.10 |
> +----------+-------------------+----+--------------+
> 
> Now in radgroupcheck do I need a NAS-IP-Address check for each group(or 
> the wireless group?)?
> Thanks for everyone's help.
> 
> -Nick
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
-
Graeme Hinchliffe (BSc)
Core Systems Designer
Zen Internet (http://www.zen.co.uk/)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

db model

2005-06-09 Thread Thomas Huber

Hi,

I am building the clients list from the nas table and experienced  
some problems:


1) There is no nas_query prepared in the configuration file. Would  
it be supported?
2) select * from nas; does not return the records in the right order.  
I think the clients list is built from the first four fields, which are:

   ID (ignored) | nasname=IP | shortname=Name | secret=something
   With the current table structure, the fourth field is Port and  
not secret. How should this be solved?


Thomas

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS Authentication

2005-06-09 Thread Alexandre Coninx
On Thu, Jun 09, 2005, "Ferreira, André" wrote:
>If RADIUS receives an ACCESS-REQUEST packet, but RADIUS does not
>authenticate
>against its own database but an external server, does it also send an
>ACCESS-REQUEST to the
>external server?

If your "external server" is a RADIUS server, yes it does. This is
called RADIUS proxying : the server acts as a client for another RADIUS
server.


>And does the external server send an ACCESS-ACCEPT with REPLY_MESSAGE
>information
>if authentication is successful?

What your external server does and returns is up to its configuration.


-- 
Alexandre Coninx
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[Freeradius 1.0.3] failed to link to module 'rlm_eap'

2005-06-09 Thread Pete Flynt

Hi list,

I've configured freeradius to compile with --confsysdir=/etc/ 
--disable-shared.

When running radiusd -X -A I'm getting this error line:

radiusd.conf[9] Failed to link to module 'rlm_eap': 
/usr/local/lib/rlm_eap.a: invalid ELF header


What does this mean?

Pete



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RADIUS Authentication

2005-06-09 Thread Ferreira, André

If RADIUS receives an ACCESS-REQUEST packet, but RADIUS does not authenticate
against its own database but an external server, does it also send an ACCESS-REQUEST to the 
external server?


And does the external server send an ACCESS-ACCEPT with REPLY_MESSAGE information
if authentication is successful?


Thanx.


André Ferreira



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Strange Group Reply

2005-06-09 Thread Fabrice Delambre
Hi,

I'm getting a strange reply from the server: versions are FreeRadius
1.02 + MySQL 3.23. Basic authentication works.
Problem comes from radgroupreply : my user 'test' authenticates but when
I add an entry like :

Username : test
Attribute : Class
Value : 34

in the radgroupreply table, the server replies with 

Class := 0x3334.

More generally, it does always reply with 0x33XX, XX being the value of
Class in radgroupreply.

Any ideas ?

-- 
Fabrice Delambre <[EMAIL PROTECTED]>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How to? - use/configure winbind/ntlm_auth for Windows authentication

2005-06-09 Thread Pete Flynt


Thanks for your solution.
I think this will be helpful for some people.
I'll try this on next opportunity.
But does it provide Single-Sign-On possibility with windows credentials like 
PEAP MSCHAPv2?


I've finally managed to get the ntlm_auth working.

When one knows how to do it, it is very easy:
On my fedora core 3 (with samba) I ran the authconfig tool, checked the "use 
winbind/use winbind for authentication" options, entered the domain info, 
joined the windows domain via net rpc and ntlm_auth worked at once! I did 
not have to touch samba config files.


Regards,
Pete

Subject: How to? - use/configure winbind/ntlm_auth for Windows 
authentication

Date: Wed, 8 Jun 2005 15:00:10 -0400

I use LDAP.   For each OU I want to authenticate I create an entry in
radiusd.conf



ldap  MyFirstOU {

server = "your.server.dns.name"

identity = "CN=LDAP VIEW,CN=Users,DC=acs,DC=ocad,DC=ca"

password = ldapAccountPassword

basedn = "ou=yourOU,dc=acs,dc=ocad,dc=ca"

filter =
"(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

start_tls = no

tls_mode = no

groupname_attribute = cn

groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))"

ldap_connections_number = 5

timeout = 4

timelimit = 3

access_attr_used_for_allow = yes

}



authorize {

MyFirstOU

}



Auth-Type LDAP {

MyFirstOU

}



You need a user on the AD box called "LDAP VIEW" with a password of
"ldapAccountPassword".



Works great for me.





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html