PEAP + local = OK, same config + LDAP failed
Hi, still fighting with ldap :-)

If I authenticate the user locally without an ldap entry in radiusd.conf, everything works fine, but if I uncomment the ldap entry, nothing works any more! I thought the users file is inspected first?

My log: see attachment.

Thanks
Florian

--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /var
main: logdir = /var/log
main: libdir = /usr/local/lib
main: radacctdir = /var/log/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 600
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /usr/local/etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded LDAP
ldap: server = 131.188.3.53
ldap: port = 400
ldap: net_timeout = 1
ldap: timeout = 24
ldap: timelimit = 23
ldap: identity = cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE
ldap: filter = (Userid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap:
Re: PEAP + RADIUS + local-Auth + LDAP
Alan DeKok wrote:
> Florian Prester [EMAIL PROTECTED] wrote:
>> authorize: If I place the users word before anything else, the authorization should take place by the users file, which means if a user exists in the users file it is authorized? Correct?
>
> It means that the users file is processed before anything else. You don't need to move it, though. The default configuration works.
>
>> authenticate: If the password matches cleartext/crypt, the user is authenticated? Correct?
>
> Yes.
>
>> 2.) If I try to use PEAP and LDAP I need cleartext passwords!? Correct?
>
> Or NT-Password.
>
>> How can I control which password should be used? If I add ldap after the users word in the authorize section, should ldap only be used if the user cannot be found in the users file?
>
> No. See doc/configurable_failover
>
>> If I add password_attribute = sn, the user is authenticated if the password-hash-challenge matches the sn-hash-challenge, meaning the sn attribute is taken as the password? Correct?
>
> Yes.
>
>> 3.) What does the Group-authenticate/authorize mean if I am using ldap?
>
> I'm not sure what you mean by that.
>
> Alan DeKok.

--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
executing external program
Hi all!

I have a huge problem. When executing an external script I get strange error messages and my server shuts down. I find this strange because the script has been tested on its own and it works. Plus I have other similar scripts running and they run perfectly.

I get this in the log (radiusd.log):

Tue Jun 14 09:52:48 2005 : Error: Exec-Program: Abnormal child exit: Interrupted system call
Tue Jun 14 09:52:48 2005 : Error: rlm_exec (getaccounting): External script failed

And this in debug mode:

radius_xlat: '/home/vicky/finalprog/compAttrs Accounting-Request'
Exec-Program: /home/vicky/finalprog/compAttrs Accounting-Request
MASTER: Child PID 1842 failed to catch signal 11: killing all active servers.

Has anyone encountered the same problem, or has anyone any idea what may be causing this?

Thanks a lot in advance!

-- Vicky
RE: restricting access for users
Thank you Dustin, this works!! I'll be making a detailed description of how it works now. Maybe it can be posted? If not, just send me an email and I will send it to anyone who wants it. Maybe I can contribute back this way.

Thanks again!!!
Martial

From: Dustin Doris [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: RE: restricting access for users
Date: Mon, 13 Jun 2005 09:49:00 -0400 (EDT)

Try this.

huntgroups

diegem    NAS-IP-Address == 10.5.x.x
diegem    NAS-IP-Address == 10.5.x.x
diegem    NAS-IP-Address == 10.5.x.x
brussels  NAS-IP-Address == 10.2.x.x

users file

#note: there is no default auth-type = system here

DEFAULT Group == NOC, Auth-Type := System
        replyattrs = replyvalues

bob     Huntgroup-Name == diegem, Auth-Type := System
        replyattrs = replyvalues...

somebrusselluser  Huntgroup-Name == brussels, Auth-Type := System
        reply attrs

DEFAULT Auth-Type := Reject

That means:
If the user is in group NOC, match here and authorize the user using system.
If user bob is coming from huntgroup diegem, match here and authorize the user.
If user somebrusselluser is coming from huntgroup brussels, match.
If there is no match on the above, reject the user.

I suspect that your DEFAULT Auth-Type = system entry is at the top of your users file. Then you have some matching rules. You have a user that comes in but won't match any of your matching rules, so it will default to the auth-type = system entry that it matched at first and simply authorize the user with system. What I have above specifies to use system when it matches each user entry or the group entry. If there is no match, then it tells you to reject the user.
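The ordering point in Dustin's reply (first match wins, so a catch-all entry at the top grants everyone and a final DEFAULT Reject is what denies the rest) can be checked with a small model of how the users file is walked. This is an added example in Python, not FreeRADIUS code: the entries are a constructed version of the snippet above, only the == check operator and Auth-Type := are modelled, and the Group and Huntgroup-Name attributes are assumed to be already present in the request (the real server fills them in from rlm_unix and rlm_preprocess).

```python
"""Added example, not FreeRADIUS code: a simplified model of how the 'users'
file is walked.  Entries are tried in order; an entry applies when its name
is DEFAULT or equals User-Name and every check item matches; processing
stops at the first applicable entry unless it carries Fall-Through = Yes.
Only == on check items and := on Auth-Type are modelled, and the Group /
Huntgroup-Name attributes are assumed to be present in the request already
(in the real server rlm_unix and rlm_preprocess supply them)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    name: str                       # user name, or "DEFAULT"
    checks: Dict[str, str]          # check items, all must match (==)
    auth_type: str                  # Auth-Type := value
    fall_through: bool = False      # Fall-Through = Yes


def match(entries: List[Entry], request: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Return (Auth-Type, names of the entries that applied) for one request."""
    auth_type = None
    applied = []
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        if any(request.get(attr) != want for attr, want in e.checks.items()):
            continue
        applied.append(e.name)
        auth_type = e.auth_type          # := replaces any earlier value
        if not e.fall_through:
            break
    return auth_type, applied


# Constructed 'before': a catch-all System entry first and no final Reject.
# Fall-Through = Yes on it so the specific entries still get a look.
BEFORE = [
    Entry("DEFAULT", {}, "System", fall_through=True),
    Entry("bob", {"Huntgroup-Name": "diegem"}, "System"),
    Entry("somebrusselluser", {"Huntgroup-Name": "brussels"}, "System"),
]

# Dustin's ordering: specific grants first, unconditional Reject last.
AFTER = [
    Entry("DEFAULT", {"Group": "NOC"}, "System"),
    Entry("bob", {"Huntgroup-Name": "diegem"}, "System"),
    Entry("somebrusselluser", {"Huntgroup-Name": "brussels"}, "System"),
    Entry("DEFAULT", {}, "Reject"),
]

# Constructed requests; every attribute value here is made up.
BOB = {"User-Name": "bob", "Huntgroup-Name": "diegem"}
ALICE_NOC = {"User-Name": "alice", "Group": "NOC", "Huntgroup-Name": "brussels"}
STRANGER = {"User-Name": "mallory", "Huntgroup-Name": "diegem"}

if __name__ == "__main__":
    for label, entries in (("before", BEFORE), ("after", AFTER)):
        for req in (BOB, ALICE_NOC, STRANGER):
            print(label, req["User-Name"], match(entries, req))
```

With the BEFORE list, mallory (who matches no specific entry) still ends up with Auth-Type System because the catch-all applied; with the AFTER list the same request falls to the final DEFAULT and is rejected, while bob and the NOC member are still granted by their own entries.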
LDAP NT-Password vs. Cleartext-Password
Hi,

How can I control whether radius should take the NT-Password or the Cleartext-Password? I mapped a cleartext entry in ldap to the User-Password radius entry in ldap.attrmap. The request is looking in the directory for the checkItem: User-Password -- found! But for authentication it wants to do MS-CHAPv2 with the NT-Password!!??!!

modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: Told to do MS-CHAPv2 for unrz148 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module mschap returns ok for request 7
modcall: group Auth-Type returns ok for request 7
MSCHAP Success
modcall[authenticate]: module eap returns handled for request 7
modcall: group authenticate returns handled for request 7
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module eap returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 64 to 131.188.4.191:20001

but later:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrz148)
rlm_ldap: checking if remote access for unrz148 is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding fauUserid as User-Password, value unrz148 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user unrz148 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 8
rlm_eap: EAP packet type response id 7 length 89
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 8
rlm_realm: No '@' in User-Name = unrz148, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 8
modcall[authorize]: module files returns notfound for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8

--- What does this mean?

rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.

---

Login incorrect: [unrz148/no User-Password attribute] (from client airbrush port 0 cli 00-90-4B-8F-B7-3B)
Delaying request 8 for 1 seconds
Finished request 8

I am sorry, I do not get it. Here is my complete log output: see attachment.

Thanks
Florian

--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /var
main: logdir = /var/log
main: libdir = /usr/local/lib
main: radacctdir = /var/log/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is
hints and PPTP/MPPE
Hi All,

I'm trying to get hints and huntgroups working with PPTP using MPPE MSCHAPv2. I want users to be able to log in with uname or uname.suffix. When logging in with uname.suffix, the suffix is stripped and a hint is set using the hints file. They are also set in a huntgroup. The users file has a DEFAULT entry for that hint and huntgroup.

This *works* when users connect a certain way (ipsec using clear text passwords), but fails on PPTP connections using MPPE. When connecting via PPTP, the DEFAULT entry does not get hit and it falls through to the DEFAULT entry with Auth-Type := Reject. The correct entry is hit when connecting via IPSEC. Despite this, it still sends an Access-Accept (albeit with the Reply-Message in the Reject).

My suspicion is that MS Windows is generating MPPE keys based on the username with the suffix, and freeradius is correctly authenticating against the system (SMBPASSWD file) without the suffix, but generating MPPE responses also without the SUFFIX, therefore windows drops the connection.

Version is 1.0.3.

Any ideas?

Regs,
Dave

--
David Batterham
Information Systems Services Manager
Department of Electrical & Electronic Engineering
The University of Melbourne, Victoria 3010
Email: [EMAIL PROTECTED]
Phone: +61 3 8344 3366
Fax: +61 3 8344 6678
freeradius no longer accepts Crypt-Password after upgrade
Hello group,

Due to a recent catastrophic hardware failure on one of our radius servers I've had to install a new machine. In the process we also upgraded freeradius from 0.9.3 to 1.0.2-4, and somehow the radius server now refuses to accept anything other than a User-Password attribute -- it keeps failing to log in users that have a Crypt-Password set. I've attached a -xxx debug log below, minus passwords and usernames. The literal same configuration works fine on another machine running 0.9.3 and retrieving its data from the same database server.

Can anyone suggest what I might be missing?

--
Rens Houben                        | opinions are mine
Resident linux guru and sysadmin   | if my employers have one
Systemec Internet Services.        | they'll tell you themselves
PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc

Tue Jun 14 11:52:19 2005 : Debug: Thread 1 handling request 5, (2 handled so far)
        User-Name = ---
        User-Password = ---
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = --
        NAS-Port = 14
        NAS-Port-Type = ISDN
Tue Jun 14 11:52:19 2005 : Debug: Processing the authorize section of radiusd.conf
Tue Jun 14 11:52:19 2005 : Debug: modcall: entering group authorize for request 5
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Tue Jun 14 11:52:19 2005 : Debug: modcall[authorize]: module preprocess returns ok for request 5
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 5
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 5
Tue Jun 14 11:52:19 2005 : Debug: modcall[authorize]: module chap returns noop for request 5
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 5
Tue Jun 14 11:52:19 2005 : Debug: rlm_realm: No '@' in User-Name = ---, looking up realm NULL
Tue Jun 14 11:52:19 2005 : Debug: rlm_realm: No such realm NULL
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 5
Tue Jun 14 11:52:19 2005 : Debug: modcall[authorize]: module suffix returns noop for request 5
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 5
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat: '---'
Tue Jun 14 11:52:19 2005 : Debug: rlm_sql (sql): sql_set_user escaped user -- '---'
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '---' ORDER BY id'
Tue Jun 14 11:52:19 2005 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '---' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '---' ORDER BY id'
Tue Jun 14 11:52:19 2005 : Debug: radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '---' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Tue Jun 14 11:52:19 2005 : Debug: rlm_sql (sql): Released sql socket id: 4
Tue Jun 14 11:52:19 2005 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 5
Tue Jun 14 11:52:19 2005 : Debug: modcall[authorize]: module sql returns ok for request 5
Tue Jun 14 11:52:19 2005 : Debug: modcall: group authorize returns ok for request 5
Tue Jun 14 11:52:19 2005 : Debug: rad_check_password: Found Auth-Type Local
Tue Jun 14 11:52:19 2005 : Debug: auth: type Local
Tue Jun 14 11:52:19 2005 : Debug: auth: user supplied User-Password does NOT match local User-Password
Tue Jun 14 11:52:19 2005 : Debug: auth: Failed to validate the user.
Tue Jun 14 11:52:19 2005 : Auth: Login incorrect: [---/--] (from client sisr port 14)
Re: MAC+EAP authentication
I use a Cisco AP 1230 and I set it to do MAC and EAP authentication. On the client side (Centrino/Windows XP), I set it up as mentioned in the HOW-TO for EAP-TLS. On FreeRADIUS, I only see EAP authentication but no MAC authentication. Am I missing something? Please help. Thanks.

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, June 14, 2005 01:03
Subject: Re: MAC+EAP authentication

> Jefri bin Dahari [EMAIL PROTECTED] wrote:
>> I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, FreeRADIUS can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that?
>
> It can do both. EAP is authentication, MAC checking isn't really authentication.
>
> What are you seeing in RADIUS packets, and what do you want to happen?
>
> Alan DeKok.
'authorize' module
Still fighting with the test configuration...

I have created two rlm_passwd modules. Afterwards, I have put them under the 'authorize' section one by one. Why is the daemon accepting the request depending only on the rlm_passwd file where User-Password is present, and ignoring the one which should check NAS-IP-Address and Realm? My aim is to make it so that if the last mentioned returns wrong, the whole request is wrong.

Please assist me with ideas.

Edgars
Multiple Authentication REALMS

Hi,

It's been a long time, as the freeRADIUS software I've been using for the last 3 years hasn't needed looking at since installation. So a big thank you to the development team :-)

However, as with most things, it's so good I've now got to redesign and re-implement to encompass more of our infrastructure, and I'm having problems.

I have a number of settings in the users file that are based on the Called-Station-Id and then proxy the requests to a specified REALM, i.e.

DEFAULT Called-Station-Id == a telephone number, Proxy-To-Realm := NULL
        Fall-Through = Yes

DEFAULT Called-Station-Id == another telephone number, Proxy-To-Realm := NULL
        Fall-Through = Yes

DEFAULT Called-Station-Id == yet another number, Proxy-To-Realm := SPECIAL
        Fall-Through = Yes

Now, the NULL realm is defined in the proxy.conf file as:

realm NULL {
        type = radius
        authhost = radiusserver.some.domain:1645
        accthost = radiusserver.some.domain:1646
        Secret = radiussecret
}

This works and actually points to an MS IAS server going against an NT4 Domain.

Now I need to authenticate a different set of users (who dial a different number) against an LDAP repository, so as you can see from my users file I direct them at the SPECIAL realm, which I have set as follows in proxy.conf:

realm SPECIAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

My plan was for this to then use the local radius server, which has an ldap module configured, which from what I can make out is working:

ldap {
        server = 127.0.0.1
        basedn = dc=some,dc=domain,dc=co,dc=uk
        filter = (uid=%u)
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

And then in the authorize and authenticate sections simply include ldap:

authorize {
        preprocess
        chap
        eap
        ldap
        files
        mschap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type {
                mschap
        }
        unix
        ldap
        eap
}

Now all I see when using NTRadping, and sending the additional Called-Station-Id attribute set to the required number, is the following in my radius.log:

Error: Dropping packet from client Dave_Test:2328 - ID: 2 due to dead request 5018

When I run radiusd with the -X flag (bearing in mind it's a Production Service) I can make out the call being made to my LDAP server and an rlm_ldap authorize, but then the request just finishes without giving me an Access-Accept packet and the relevant settings from the radreply table in the Postgres Database?

rad_recv: Access-Request packet from host xx.xx.xx.xx:2796, id=4, length=62
        User-Name = unextest20
        User-Password = nexus
        Called-Station-Id = xx
rad_lowerpair: User-Name now 'unextest20'
modcall: entering group authorize for request 14
modcall[authorize]: module preprocess returns ok for request 14
modcall[authorize]: module chap returns noop for request 14
modcall[authorize]: module eap returns noop for request 14
rlm_realm: No '@' in User-Name = unextest20, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = unextest20
rlm_realm: Proxying request from user unextest20 to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
modcall[authorize]: module suffix returns updated for request 14
radius_xlat: 'unextest20'
rlm_sql (sql): sql_set_user escaped user -- 'unextest20'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'unextest20' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 8
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'unextest20' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'unextest20' ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'unextest20' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute,
SQL based Simultaneous-Use troubles
I'm having some trouble getting FreeRADIUS to use the SQL tables for determining Simultaneous-Use. I've reviewed the doc/Simultaneous-Use file. I've uncommented the simul_count_query line in sql.conf. I'm already successfully using SQL authentication and accounting. I've entered Simultaneous-Use := 1 in the radgroupcheck table. No matter what I do, this is what I get in the log:

Mon Jun 13 09:32:23 2005 : Error: Check-TS: timeout waiting for checkrad

You can go to http://www.tnics.com/raddb/ to see my entire etc/raddb directory (with the clients file, passwords, secrets, and other sensitive bits removed). Can anybody offer any suggestions? I'm just trying to use 100% SQL-based Simultaneous-Use checking, so checkrad shouldn't even be called, right? I'm probably missing something really simple.

Thanks!
--Aaron
Debian .deb Installation Version 1.0.2: CA.all doesn't exist

Hi all,

I read some HowTos for installing FreeRadius/PEAP and they used the CA.all script to create the certificates. But I can't find this script after installing the FreeRadius deb version 1.0.2 on my PC. Do I have to install other packages? OpenSSL is already installed (after installing FreeRadius).

Thanks for hints,
Michael L.
Logging SQL queries to logfile
Hi all,

Is there any way of logging the MSSQL queries (with values) to the radius.log file? I can see the following in the radius.log file ...

Tue Jun 14 00:53:53 2005 : Error: rlm_sql (sql): Couldn't update SQL accounting STOP record - HY019 [unixODBC][FreeTDS][SQL Server]Arithmetic overflow error converting numeric to data type numeric.

... but I do not know which values in the accounting_stop_query made this happen. I know I can run radiusd with -X, but I'd like to run it in the background.

Best regards,
Lucas
Re: PEAP + local = OK, same config + LDAP failed
Never used EAP, but perhaps this will be helpful.

rlm_ldap: - authorize
rlm_ldap: performing user authorization for unrzwlan1
radius_xlat: '(Userid=unrzwlan1)'
radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns notfound for request 6

That looks pretty clear to me: either this user does not exist in your ldap directory, or perhaps you have the search filter incorrect, or the user you are binding with does not have access to read that user's entry.

rlm_ldap: bind as cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE/zope148FP to 131.188.3.53:400
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful

What happens if you do an ldapsearch from the command line?

# ldapsearch -D "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE" -w zope148FP -b "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE" "(Userid=unrzwlan1)"
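Dustin's reply points at the search filter, so here is the filter line from Florian's debug output, (Userid=%{Stripped-User-Name:-%{User-Name}}), expanded the way the %{Attr:-fallback} xlat is documented to behave, with the substituted value escaped per RFC 4515 so that a name the peer chooses cannot change the shape of the filter. This is an added example in Python, not rlm_ldap code; the xlat parser is a minimal one written for it, the request attribute values are constructed, and whether a given rlm_ldap release escapes the expansion is not something this thread establishes, which is why an escape=False path is included only to show what an unescaped substitution would send to the directory.

```python
"""Added example (not rlm_ldap code): expansion of the rlm_ldap search filter
   (Userid=%{Stripped-User-Name:-%{User-Name}})
with %{Attr:-fallback} semantics and RFC 4515 escaping of the substituted
value.  The xlat parser is a minimal one written for this example; it handles
nested %{...} and the :- fallback operator and nothing else."""
from typing import Dict

FILTER = "(Userid=%{Stripped-User-Name:-%{User-Name}})"


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 section 3 reserves inside a filter value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def xlat(template: str, attrs: Dict[str, str], escape: bool = True) -> str:
    """Expand %{Attr} and %{Attr:-fallback}; the fallback may itself be an xlat.

    An attribute counts as present when it exists with a non-empty value;
    otherwise the fallback (if any) is expanded in its place.
    """
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        depth, j = 0, i
        while j < len(template):             # locate the matching '}'
            if template.startswith("%{", j):
                depth += 1
                j += 2
                continue
            if template[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        name, sep, fallback = template[i + 2:j].partition(":-")
        if attrs.get(name):
            out.append(ldap_escape(attrs[name]) if escape else attrs[name])
        elif sep:
            out.append(xlat(fallback, attrs, escape))
        i = j + 1
    return "".join(out)


def build_filter(attrs: Dict[str, str], escape: bool = True) -> str:
    """The filter rlm_ldap would search with for this request's attributes."""
    return xlat(FILTER, attrs, escape)


if __name__ == "__main__":
    # Constructed requests; the first reproduces the radius_xlat line above.
    print(build_filter({"User-Name": "unrzwlan1"}))                       # (Userid=unrzwlan1)
    print(build_filter({"User-Name": "unrzwlan1@example.org",
                        "Stripped-User-Name": "unrzwlan1"}))              # (Userid=unrzwlan1)
    hostile = {"User-Name": "*)(objectClass=*"}                           # constructed
    print(build_filter(hostile, escape=False))   # (Userid=*)(objectClass=*)
    print(build_filter(hostile))                 # (Userid=\2a\29\28objectClass=\2a)
```

The second call shows why the fallback matters for realm handling: once rlm_realm has added Stripped-User-Name, that is what reaches the directory, so a filter that only worked for bare names keeps working for user@realm. The last two calls are the reason to escape: an unescaped name containing ")(" turns a single equality test into a filter with extra clauses.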
PAM_RADIUS_AUTH setup on RHEL Linux 32 bit
Hi,

I am trying to set up pam_radius_auth on my RHEL WS v4. I followed the directions from the pam_radius_app pkg which I downloaded from freeradius.org. I copied the appropriate files to the right location. I configured the pam_radius_auth.conf in the /etc/raddb/server folder to talk to the radius server, which is running in a MS Windows environment.

The next problem is that I am not able to configure the PAM modules appropriately to work with pam_radius_auth.so. I was able to get vsftpd working, I can authenticate, but when I go and check /var/log/messages I see the following message:

    vsftpd[X]: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server

If someone has had a similar problem and knows a fix for this, please help me.

Thanks,

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Logging SQL queries to logfile
Lucas Aimaretto wrote:
> Is there any way of logging the MSSQL queries ( with values ) to the radius.log file ?

Read the rlm_sql(5) manpage and search for the sqltrace option.

--
Nicolas Baradakis
FR eap-ttls , winxp client configuration
Hi,

I want to change my current setup (eap-tls) to eap-ttls so that I don't need the client certificates. I'm really not understanding how to use these options and whether I should use them:

    copy_request_to_tunnel = no
    use_tunneled_reply = no

Can somebody give some hints on configuring Win XP with SecureW2 in this scenario?

thanks,
B
Re: Proxim AP-4000 MAC Auth w/multi VLAN assignment support
You can't do RADIUS-assigned VLANs unless you're doing EAP authentication. It won't work with MAC authentication.

--Mike

Matthew Sweet wrote:
> Hello,
>
> I am looking at setting up a group of Proxim AP-4000 wireless gateways. I want to be able to authenticate via the MAC address of each user's laptop WiFi NIC. I am trying to find the raddb tags required to send / receive the information to make this work. Can someone point me in the right direction as far as this goes?
>
> Much appreciated to all.
> Matt
Re: MAC+EAP authentication
Artur Hecker [EMAIL PROTECTED] wrote:
> implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated...

Doing *both* ensures that known users only use known hardware to access the net. Sort of.

Alan DeKok.
RE: Multiple Authentication REALMS - I hope in Plain Text
From what you've provided, I believe what is happening is that the requests that you *want* to go to local LDAP are still being proxied to your IAS server, and for some reason IAS isn't sending an Access-Reject, so you get that error about a dead request.

Realm NULL is a special realm that means there is no realm as part of the username, as per any definitions of the realm module in radiusd.conf. It appears from your debug output that you have the realm for @ defined (suffix realm: anything after an @ symbol is the realm). Since your new Called-Station-Id still has a user with no realm, it's proxied to NULL as your debug shows:

    rlm_realm: No '@' in User-Name = unextest20, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = unextest20
    rlm_realm: Proxying request from user unextest20 to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Preparing to proxy authentication request to realm NULL

I *believe* the behaviour you truly want is something more like this:

    DEFAULT Called-Station-Id == a telephone number, Proxy-To-Realm := msias
            Fall-Through = Yes
    DEFAULT Called-Station-Id == another telephone number, Proxy-To-Realm := msias
            Fall-Through = Yes
    DEFAULT Called-Station-Id == yet another number, Proxy-To-Realm := localldap
            Fall-Through = Yes

And in proxy.conf:

    realm msias {
            type = radius
            authhost = radiusserver.some.domain:1645
            accthost = radiusserver.some.domain:1646
            Secret = radiussecret
    }

    realm localldap {
            type = radius
            authhost = LOCAL
            accthost = LOCAL
    }

Also, I'd just make sure which line in your users file is being matched. Your debug output says a DEFAULT entry at line 90. Check your IAS event log to see if it's getting proxied requests.

I usually run radiusd with -Xxx for extra debugging; when a request gets proxied, you should see something like this:

    Fri Jun 10 15:02:47 2005 : Debug: proxy: creating 0d02a8c0:1812
    Fri Jun 10 15:02:47 2005 : Debug: proxy: allocating 0d02a8c0:1812 0
    Sending Access-Request of id 0 to a.b.c.d:1812

And a list of attributes.

Hope this helps.
-Shawn

~
Shawn O'Shea
Network Engineer
Airpath Wireless, Inc.
Clearing the Way
781-250-3500-office
781-250-3535-direct
781-250-3503-fax
[EMAIL PROTECTED]
http://www.airpath.com
~

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shepherd, Dave
Sent: Tuesday, June 14, 2005 9:49 AM
To: freeradius-users@lists.freeradius.org
Subject: Multiple Authentication REALMS - I hope in Plain Text
Re: MAC+EAP authentication
Jefri bin Dahari [EMAIL PROTECTED] wrote:
> authentication. On client side (Centrino/Windows XP), I set as mentioned in the HOW-TO for EAP-TLS. On Freeradius, I only see EAP authentication but no MAC authentication. Am I missing something? Please help.

Read your NAS documentation. There's nothing you can do to FreeRADIUS to get the NAS to behave differently.

Alan DeKok.
Re: 'authorize' module
Edgars Klavinskis [EMAIL PROTECTED] wrote:
> I have created two rlm_passwd modules. Afterwards, have put them under 'authorize' section one by one. Why the deamon is accepting the request depending only on the rlm_passwd file where User-Password is present and ignoring the one which should check NAS-IP-Address and Realm?

Read the debug log.

> My aim is to make it so that if the last mentioned returns wrong, the whole request is wrong.

Read doc/configurable_failover

Alan DeKok.
Re: SQL based Simultaneous-Use troubles
Aaron Paetznick [EMAIL PROTECTED] wrote:
> I'm having some trouble getting FreeRADIUS to use the SQL tables for determining Simultaneous-Use. I've reviewed the doc/Simultaneous-Use file. I've uncommented the simul_count_query line in sql.conf. I'm already successfully using SQL authentication and accounting. I've entered Simultaneous-Use:=1 in the radgroupcheck table.

That should work.

> No matter what I do, this is what I get in the log:
>
> Mon Jun 13 09:32:23 2005 : Error: Check-TS: timeout waiting for checkrad

So Simultaneous-Use *is* working. You now have to figure out why checkrad is taking so long.

> Can anybody offer any suggestions? I'm just trying to use 100% SQL-based Simultaneous-Use checking, so checkrad shouldn't even be called, right? I'm probably missing something really simple. Thanks!

Checkrad is called because the server may not have received accounting data. You can turn it off by making the client type = other

Alan DeKok.
Re: Logging SQL queries to logfile
Lucas Aimaretto [EMAIL PROTECTED] wrote:
> Is there any way of logging the MSSQL queries ( with values ) to the radius.log file ?

There's the sqltrace file.

> rver]Arithmetic overflow error converting numeric to data type numeric.
> ... but I do not know which values in the accounting_stop_query made this happen.

Run the server in debugging mode.

Alan DeKok.
Re: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> I was able to get the vsftpd working, I can authenticate but when I go check to the /var/log/messages I see the following message.
>
> vsftpd[X]: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server

So... what's the content of that file? Does it even exist?

Alan DeKok.
Link error (invalid ELF header) in freeradius 1.0.3
Hello,

I am getting the following error when running freeradius -X:

    radiusd.conf[2] Failed to link to module 'rlm_sqlcounter': /usr/lib/freeradius/rlm_sqlcounter.a: invalid ELF header

Can anyone help?
RE: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit
Here is the content of the pam_radius_auth.conf file, and yes it does exist in the /etc/raddb/server folder.

    # server[:port] shared_secret timeout (s)
    #127.0.0.1 secret 1
    IP Address XXX.XXX.XXX.XXX Secret_Key3

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 14, 2005 11:16 AM
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit

> So... what's the content of that file? Does it even exist?
>
> Alan DeKok.
Re:LDAP basedn context
Correct, it is unable to find the user. When set at a higher context I receive the following error:

    rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed

My ldap config is as follows. If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.

    ldap test-ldap {
            server = ldapserver.wheaton.edu
            identity = cn=admin,o=wheaton
            password = password
            basedn = o=wheaton
            filter = (cn=%{Stripped-User-Name:-%{User-Name}})
            start_tls = yes
            tls_cacertfile = /etc/raddb/certs/wheatonCA/wheatonca.b64
            tls_require_cert = demand
            access_attr = cn
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            password_attribute = nspmPassword
            timeout = 4
            timelimit = 3
            net_timeout = 1
    }

matt...

> > Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext? For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org and find users in both users1 and users2? Thanks.
>
> I think so, is it not working for you?
Re: MAC+EAP authentication
Alan,

well, unfortunately not really. and most importantly: it does not assure the users use the known SOFTware to access the net. imho, hardware has never ever represented a problem so far.

ciao
artur

On 6/14/05, Alan DeKok [EMAIL PROTECTED] wrote:
> Artur Hecker [EMAIL PROTECTED] wrote:
> > implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated...
>
> Doing *both* ensures that known users only use known hardware to access the net. Sort of.
>
> Alan DeKok.
Expiration Module
I have downloaded the latest CVS snapshot (the 12th of June) and am running it on Redhat 9 with Postgresql. I have configured the expiration module and added an entry in the radgroupcheck table.

If I send a radius request to my server for a valid user and the expiration date is set to later than now(), the server issues an access-accept, but if the expiration date/time has been reached, the server traps this, but NO reply message is sent.

Is there something I am missing? Attached is the part of the debug log showing what happens:

    rlm_expiration: Checking Expiration time: '13 Jun 2005'
    rlm_expiration: Account has expired
    radius_xlat: 'Your account has expired, jacotest '
      modcall[authorize]: module expiration returns userlock for request 1
    modcall: leaving group authorize (returns userlock) for request 1
    Invalid user (Account has expired [Expiration 13 Jun 2005]): [jacotest/jjtest] (from client localhost port 0)
    Delaying request 1 for 1 seconds
    Finished request 1
    Going to the next request

Any help will be appreciated

Jaco van Tonder
Re: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> Here is the content of the pam_radius_auth.conf file and yes it does exist in /etc/raddb/server folder.
>
> # server[:port] shared_secret timeout (s)
> #127.0.0.1 secret 1
> IP Address XXX.XXX.XXX.XXX Secret_Key3

Either you've edited it so much as to be useless, or you're using that file as-is. Either way, I have no idea what the ACTUAL contents of the file is, and therefore I have no way to help you.

If you don't know how to fix the problem on your own, any editing of the configuration files you do before posting them here is guaranteed to make those files useless.

Alan DeKok.
Re:LDAP basedn context
> Correct, it is unable to find the user. When set at a higher context I receive the following error:
>
> rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
>
> My ldap config is as follows. If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
>
> matt...
>
> > > Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext? For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org and find users in both users1 and users2?

Hmmm, I thought it did a subtree search, maybe not. You could use configurable_failover to search both trees.

In radiusd.conf make two ldap instances with the same config except the basedn:

    ldap ldap1 {
            config with one basedn
    }

    ldap ldap2 {
            config with other basedn
    }

In the authorize section define them as a group:

    authorize {
            group {
                    ldap1
                    ldap2
            }
    }
Re: Expiration Module
Jaco van Tonder [EMAIL PROTECTED] wrote:
> if the expiration date/time has been reached - the server traps this - but NO reply message is sent.
> ...
> Delaying request 1 for 1 seconds

So... is it delayed for 1 second, or is it *never* sent? My tests show it's only delayed for reject_delay time.

Alan DeKok.
Re: Multiple Authentication REALMS - I hope in Plain Text
Shepherd, Dave [EMAIL PROTECTED] wrote:
> realm SPECIAL {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
> }

In the latest versions, this is realm LOCAL, but that doesn't make too much difference.

> Auth-Type {
>         mschap
> }

Are you sure? How about Auth-Type mschap { ...

> modcall: group authorize returns updated for request 14
> Finished request 14

Hmm... something is marking the request as done, without calling the authenticate section. I have no idea why, and I don't recall ever seeing anything like that.

> If one of you guys has had to do something similar, or can see any glaring omissions in my config (which I seem to think there is) could you please point me in the right direction.

As always, start with the default configuration: it works. Then, gradually add your edits, testing after every edit, to be sure that it still works. Once you're done, you should have your local configuration, and it should still work.

Alan DeKok.
RE: LDAP basedn context
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
Sent: Tuesday, June 14, 2005 12:51 PM
To: FreeRadius users mailing list
Subject: Re:LDAP basedn context

> > Correct, it is unable to find the user. When set at a higher context I receive the following error:
> >
> > rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
> > rlm_ldap: object not found or got ambiguous search result
> > rlm_ldap: search failed
> >
> > My ldap config is as follows. If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
> >
> > matt...
> >
> > > > Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext? For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org and find users in both users1 and users2?
>
> Hmmm, I thought it did a subtree search, maybe not. You could use configurable_failover to search both trees.

FWIW, I am taking advantage of subtree search and it works fine. I don't see anything in his setup that would prevent it from happening.

> in radiusd.conf make two ldap instances with the same config except the basedn.
>
> ldap ldap1 {
>         config with one basedn
> }
>
> ldap ldap2 {
>         config with other basedn
> }
>
> in authorize section define them as a group
>
> authorize {
>         group {
>                 ldap1
>                 ldap2
>         }
> }
Re: freeradius no longer accepts Crypt-Password after upgrade
[EMAIL PROTECTED] (Rens Houben) wrote:
> The literal same configuration works fine on another machine running 0.9.3 and retrieving its data from the same database server. Can anyone suggest what I might be missing?

It should work. Are you using the 1.0.2 dictionary files, or the 0.9.3 ones? If you're using the 0.9.3 ones, switch the server to using the new ones. That should help.

Alan DeKok.
RE: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit
Sorry about that, here is the full content of the file.

    # cat pam_radius_auth.conf
    # pam_radius_auth configuration file.  Copy to: /etc/raddb/server
    #
    #  For proper security, this file SHOULD have permissions 0600,
    #  that is readable by root, and NO ONE else.  If anyone other than
    #  root can read this file, then they can spoof responses from the server!
    #
    #  There are 3 fields per line in this file.  There may be multiple
    #  lines.  Blank lines or lines beginning with '#' are treated as
    #  comments, and are ignored.  The fields are:
    #
    #    server[:port] secret [timeout]
    #
    #  the port name or number is optional.  The default port name is
    #  radius, and is looked up from /etc/services  The timeout field is
    #  optional.  The default timeout is 3 seconds.
    #
    #  If multiple RADIUS server lines exist, they are tried in order.  The
    #  first server to return success or failure causes the module to return
    #  success or failure.  Only if a server fails to response is it skipped,
    #  and the next server in turn is used.
    #
    #  The timeout field controls how many seconds the module waits before
    #  deciding that the server has failed to respond.
    #
    # server[:port] shared_secret      timeout (s)
    #127.0.0.1      secret             1
    IP Address XXX.XXX.XXX.XXX Secret_Key3
    #
    #  having localhost in your radius configuration is a Good Thing.
    #
    #  See the INSTALL file for pam.conf hints.

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 14, 2005 12:48 PM
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit

> Either you've edited it so much as to be useless, or you're using that file as-is. Either way, I have no idea what the ACTUAL contents of the file is, and therefore I have no way to help you.
>
> If you don't know how to fix the problem on your own, any editing of the configuration files you do before posting them here is guaranteed to make those files useless.
>
> Alan DeKok.
Re: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> Here is the full content of the file.
> ...
> IP Address XXX.XXX.XXX.XXX Secret_Key3

That line is NONSENSE. If it's actually in your configuration file, it WON'T WORK. You have to list the IP address, not the text IP Address. See the line just above this one, which gives an example of what to do.

Alan DeKok.
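The exchange above comes down to what pam_radius_auth accepts as a server line. The following is an added example, not part of the pam_radius_auth package, that parses a pam_radius_auth.conf according to the format quoted in the file's own header comment (server[:port] secret [timeout], '#' and blank lines ignored, port defaulting to the 'radius' service name, timeout defaulting to 3 seconds) and reports why a line such as the one posted is rejected. The 192.0.2.10 address and the hostname heuristic are assumptions; the mode check reflects the header's advice that the file be 0600.

```python
"""Validate a pam_radius_auth.conf the way the thread above reads it.

Added example, not part of the pam_radius_auth package. It implements the
line format quoted in the file's own header comment:

    server[:port] secret [timeout]

'#' lines and blank lines are comments, the port defaults to the service
name 'radius', the timeout defaults to 3 seconds, and the file should be
mode 0600 because anyone who can read the secret can spoof the server.
"""
import ipaddress
import os

DEFAULT_PORT = "radius"   # looked up from /etc/services by the real module
DEFAULT_TIMEOUT = 3

# The lines Puneet posted, exactly as quoted in the thread.
POSTED_CONF = """\
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
IP Address XXX.XXX.XXX.XXX Secret_Key3
"""

# A constructed, well-formed equivalent (RFC 5737 documentation address).
FIXED_CONF = """\
# server[:port] shared_secret timeout (s)
192.0.2.10:1812 Secret_Key3 1
"""


def _looks_like_host(host):
    """True for an IP literal or a dotted hostname; False for free text."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.split(".")
    return all(lbl and lbl.replace("-", "").isalnum() for lbl in labels)


def parse_server_line(line):
    """Parse one non-comment line into (host, port, secret, timeout).

    Raises ValueError with the reason the line is unusable; the module
    itself only reports 'No RADIUS server found', which hides this.
    """
    fields = line.split()
    if not 2 <= len(fields) <= 3:
        raise ValueError("expected 'server[:port] secret [timeout]', got %d fields"
                         % len(fields))
    server, secret = fields[0], fields[1]
    host, _, port = server.partition(":")
    if not _looks_like_host(host):
        raise ValueError("'%s' is neither an IP address nor a hostname" % host)
    port = port or DEFAULT_PORT
    if not port.replace("-", "").isalnum():
        raise ValueError("port '%s' is not a number or service name" % port)
    timeout = DEFAULT_TIMEOUT
    if len(fields) == 3:
        if not fields[2].isdigit():
            raise ValueError("timeout '%s' is not a whole number of seconds" % fields[2])
        timeout = int(fields[2])
    return host, port, secret, timeout


def parse_config(text):
    """Return (servers, errors): servers in file order, errors as (lineno, reason)."""
    servers, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            servers.append(parse_server_line(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return servers, errors


def secure_mode(st_mode):
    """True when no group/other permission bits are set (0600 or stricter)."""
    return (st_mode & 0o077) == 0


def check_file(path):
    """Parse a real file and also report whether its mode is 0600-safe."""
    with open(path) as fh:
        servers, errors = parse_config(fh.read())
    if not secure_mode(os.stat(path).st_mode):
        errors.append((0, "file is readable by group/other; should be 0600"))
    return servers, errors


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, parse_config(text))
```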
RE: LDAP basedn context
> > > Correct, it is unable to find the user. When set at a higher context I receive the following error:
> > >
> > > rlm_ldap: performing search in o=wheaton, with filter (cn=testacct)
> > > rlm_ldap: object not found or got ambiguous search result
> > > rlm_ldap: search failed
> > >
> > > My ldap config is as follows. If I change the basedn to where the user is located (ou=cs,ou=srvc,o=wheaton) then it works.
> > >
> > > matt...
> > >
> > > > > Is it possible to specify the basedn above where the users are actually located and have freeradius find the user in a subcontext? For instance if my ldap is setup as ou=users1,ou=loc1,o=org and ou=users2,ou=loc2,ou=o=org can I specify basedn=o=org and find users in both users1 and users2?
> >
> > Hmmm, I thought it did a subtree search, maybe not. You could use configurable_failover to search both trees.
>
> FWIW, I am taking advantage of subtree search and it works fine. I don't see anything in his setup that would prevent it from happening.

I thought you could do subtree.

Matt,

Although that looks like an admin type of user (perhaps even rootdn). If not, does the user you are binding with have proper permissions to do subtree searches? What does your ACL on the ldap server look like? What does a search from the command line give you?

    $ ldapsearch -D cn=admin,o=wheaton -w password -b o=wheaton (cn=testacct)
RE: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit
Well ok, would it be possible to see some examples of some pam file settings for a RH environment? I think I am not setting the right pam modules.

Thanks,
__
Puneet Talwar
Contractor/CIPS
UNIX Administrator
301-451-9971
( c ) 301-252-5366

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 14, 2005 2:57 PM
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH setup on RHEL Linux 32 bit

> That line is NONSENSE. If it's actually in your configuration file, it WON'T WORK. You have to list the IP address, not the text IP Address. See the line just above this one, which gives an example of what to do.
>
> Alan DeKok.
Re: SQL based Simultaneous-Use troubles
That worked! Maybe the docs need to be changed to reflect this fact. I.e. SQL-based Simultaneous-Use still calls checkrad unless the NAS type is set to other.

Thanks for the help!

--Aaron

Alan DeKok wrote:
> Checkrad is called because the server may not have received accounting data. You can turn it off by making the client type = other
>
> Alan DeKok.
Re: SQL based Simultaneous-Use troubles
Aaron Paetznick [EMAIL PROTECTED] wrote:
> That worked! Maybe the docs need to be changed to reflect this fact. I.e. SQL-based Simultaneous-Use still calls checkrad unless the NAS type is set to other.

Simultaneous-Use results in checkrad being called, for radutmp and sql session checking. The nas type is used by checkrad to determine what else to do, independent of radutmp/sql.

Alan DeKok.
Timer...
Hello everyone,

Can anyone help me set up freeradius to count (continuous time) and disable wireless access for users? For example:

    User1 - just allowed for 1 hour, and then account disabled
    User2 - just allowed for 1 hour, and then account disabled

Thank you
Re: Timer...
synackrst [EMAIL PROTECTED] wrote:
> Anyone can help-me setting freeradius to count(continuous time) and disable wireless access for users? For example:
>
> User1 - just allowed for 1hour, and then account disabled

rlm_counter

Alan DeKok.
Re: SQL based Simultaneous-Use troubles
So even though I'm trying to do pure SQL-based Simultaneous-Use checking, it's going to spawn an external process each time? I wanted to use SQL like this to avoid the overhead of spawning an external process in the first place. Hrm...

--Aaron

Alan DeKok wrote:
> Simultaneous-Use results in checkrad being called, for radutmp and sql session checking. The nas type is used by checkrad to determine what else to do, independent of radutmp/sql.
>
> Alan DeKok.
Re: SQL based Simultaneous-Use troubles
Aaron Paetznick [EMAIL PROTECTED] wrote:
> So even though I'm trying to do pure SQL-based Simultaneous-Use
> checking, it's going to spawn an external process each time?

If you tell it to.

> I wanted to use SQL like this to avoid the overhead of spawning an
> external process in the first place. Hrm...

So make your clients type=other, and checkrad won't run.

Alan DeKok.
Expiration - my experiences and a partial solution
Hi,

I spent a few days working on a freeradius solution in which I want to be able to create users whose logins expire 24 hours after their first login. Since I noticed that many people have been asking for similar things on this list, I thought I'd explain the solution I have ended up using.

NOTE: This solution is far from perfect. First of all, it is a hack, and not too elegant; secondly, it does not do exactly what it is supposed to do, but it works well enough for my purposes, and perhaps other people can use this as inspiration for an improved solution.

WARNING: I am far from proficient at freeradius, having spent only the past week trying to get an understanding of how it works. This solution was hacked together from various comments and ideas on this mailing-list. So anything I say and do should be considered risky :-)

What I wanted was to be able to create a number of users, printed on cards, that I could hand out to users at an event to let them access the network for 24 hours after the first time they logged in, i.e. if they log in at 15:31 on Tuesday their account should expire at 15:31 on Wednesday no matter how much time they have spent on-line.

I am using chillispot and freeradius with mysql, all on one central gateway server, as this is a small setup with a limited number of users.

I had understood from comments by Kostas Kalevras and Alan DeKok (thanks) that the way to do this in freeradius/mysql was to use a post-auth query that executed whenever a user has successfully logged into the system. In that post-auth query I would set an Attribute/Value pair Expiration := 25 May 2005 15:31 or equivalent in the radcheck table of the database. Since I didn't want this to apply to all users (I like to keep a permanent login for myself), I needed some way to distinguish users that should be timed out from other users. I came up with the following hack.

When I generate the usernames (using an adapted version of phpMyPrepaid http://www.jabali.net/~carl/?link=2) I add an Attribute called Expiration with a value well in the future. In this case Expiration:='1 Jan 2005'. When a user logs in I check if there is an Expiration attribute with that particular value, and if so, I change the Date to exactly 24 hours from Now. I do this in sql.conf by adding the following query:

postauth_query = UPDATE ${authcheck_table} SET Value=DATE_FORMAT(DATE_ADD(NOW(),INTERVAL ${expire} HOUR),'%%e %%b %%Y %%T') WHERE UserName='%{SQL-User-Name}' AND Attribute='Expiration' AND Value='${expiration_dummy}'

At the top of the file, I have defined the following:

# Added by tkrag (support for Expiration)
# The dummy expiration value used when creating new
# users
expiration_dummy = 1 Jan 2099
# How many hours an account lasts from first login
expire = 24

This has the effect of changing the Expiration date only the first time a user logs in.

Unfortunately, as Joachim Bloche pointed out in a mail "Session-Timeout not set with pending Expiration" on this list, it seems that Freeradius does NOT set the Session-Timeout based on an Expiration date in the future. I have confirmed this behaviour using freeradius 1.0.1 (from the ubuntu package, but recompiled to support the rlm_sqlcounter module). This effectively means that a user who logs in at 13:30 on Tuesday and logs in again at 13:29 on Wednesday can then stay on-line after the Expiration time, but cannot log back in again after that time.

In my situation I have handled this by also using an sqlcounter with an Attribute Max-All-Session := 86400 which then limits the user to a total of 24 hours on-line, i.e. a user could login at 13:30 on Tuesday and immediately log out, after which she could relogin at 13:29 on Wednesday and stay connected for another 24 hours until 13:29 on Thursday.

In my case this is not a deal-breaker, as we are not selling access, but mostly trying to protect ourselves against ongoing abuse of bandwidth, but in other scenarios it might not work well.

If I read the documentation correctly the current CVS version of freeradius contains a new module called rlm_expiration which apparently moves the Expiration support into a separate module, and will hopefully support returning the correct Session-Timeout attribute.

I hope this helps someone out there.

Regards
/tomas
wire.less.dk
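The two-stage scheme in the post above (a dummy Expiration rewritten on the first login, Max-All-Session as a backstop), as an added example that is not part of the post or of FreeRADIUS: it reproduces the post-auth update against a constructed in-memory SQLite radcheck table and adds the piece the post says freeradius 1.0.1 lacks, a Session-Timeout derived from the pending Expiration, so a login one minute before expiry is cut off at expiry instead of running another 24 hours. The user names, the SQLite substitute for MySQL's DATE_FORMAT, and the function names are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Values from the post's sql.conf additions.
EXPIRATION_DUMMY = "1 Jan 2099"  # placeholder stored in radcheck when a card user is created
EXPIRE_HOURS = 24                # account lifetime, counted from the first login
MAX_ALL_SESSION = 86400          # the sqlcounter limit the post adds as a backstop

def fmt_expiration(dt):
    """Same layout as DATE_FORMAT(..., '%e %b %Y %T'): unpadded day, abbreviated month."""
    return f"{dt.day} {dt:%b %Y %H:%M:%S}"

def parse_expiration(value):
    """Accepts the bare dummy date as well as the full timestamp post_auth writes."""
    layout = "%d %b %Y %H:%M:%S" if ":" in value else "%d %b %Y"
    return datetime.strptime(value, layout)

def setup_db():
    """Constructed in-memory radcheck table: one card user, one permanent admin (assumed names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, op TEXT, Value TEXT)")
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", [
        ("card0001", "User-Password", "==", "constructed-secret"),
        ("card0001", "Expiration", ":=", EXPIRATION_DUMMY),
        ("admin", "User-Password", "==", "constructed-secret"),
    ])
    return conn

def post_auth(conn, username, now):
    """Equivalent of the post's postauth_query: only a row still holding the dummy value
    is rewritten, so the 24-hour clock starts on the first successful login and never again."""
    cur = conn.execute(
        "UPDATE radcheck SET Value=? WHERE UserName=? AND Attribute='Expiration' AND Value=?",
        (fmt_expiration(now + timedelta(hours=EXPIRE_HOURS)), username, EXPIRATION_DUMMY))
    return cur.rowcount  # 1 on the first login, 0 on every later one

def session_timeout(conn, username, now, used_seconds):
    """Session-Timeout the server should return: seconds until Expiration, capped by what is
    left under Max-All-Session. None for users without an Expiration row; 0 means reject."""
    row = conn.execute("SELECT Value FROM radcheck WHERE UserName=? AND Attribute='Expiration'",
                       (username,)).fetchone()
    if row is None:
        return None
    remaining = int((parse_expiration(row[0]) - now).total_seconds())
    return max(0, min(remaining, MAX_ALL_SESSION - used_seconds))
```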
FW: How to get Hint to match in users file
-----Original Message-----
From: Matt Cobb
Sent: Tuesday, June 14, 2005 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: How to get Hint to match in users file

What syntax do you use to get Hint to match in the users file?

In Hint I have:

DEFAULT Prefix == LOCKDOWN\\, Strip-User-Name = Yes
	Hint = LDAP1
DEFAULT Prefix == testlab\\, Strip-User-Name = Yes
	Hint = LDAP2

And in the users file:

DEFAULT Hint == LDAP1, Auth-Type := LDAP1, Autz-Type := LDAP1
DEFAULT Hint == LDAP2, Auth-Type := LDAP2, Autz-Type := LDAP2

The user name gets stripped before going into the users section, but no Auth-Type is set. From freeradius 1.0.2...

rad_recv: Access-Request packet from host 127.0.0.1:1026, id=16, length=105
	User-Name = testlab\\tester
	User-Password = xyz
	Service-Type = Authenticate-Only
	NAS-Identifier = localhost.localdomain
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = 192.168.10.100
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = tester, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 16 to 127.0.0.1:1026
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 16 with timestamp 42af5799
Nothing to do. Sleeping until we see a request.
Problem TTLS-LDAP
Hi, everybody!

I have a problem trying to use TTLS with LDAP. I have seen solutions to this problem in this mailing list, but I have not had success.

In the following line it seems that ldap performs the comparison correctly:

rlm_ldap: user prueba authorized to use remote access

but after that the error comes:

rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

Please, if someone has an idea how to solve it, I will be very grateful. I attach my configuration files and the complete result of the execution.

Thanks

Alfonso Celestino
DGSCA, UNAM

Radius.conf File:

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	Auth-Type LDAP {
		ldap
	}
	unix
	eap
}

authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	files
	ldap
}

ldap {
	server = xxx.xxx.xxx.xxx
	identity = cn=redes,ou=admins,ou=radius,dc=mydomain,dc=com
	password = secret
	basedn = ou=users,ou=radius,dc=mydomain,dc=com
	filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
	password_attribute = userPassword
	authtype = ldap
	start_tls = no
	tls_cacertfile = /usr/local/radius/etc/raddb/certs/demoCA/cacert.pem
	tls_cacertdir = /usr/local/radius/etc/raddb/certs
	tls_certfile = /usr/local/radius/etc/raddb/certs/server.pem
	tls_keyfile = /usr/local/radius/etc/raddb/certs/demoCA/private/cakey.pem
	tls_randfile = /usr/local/radius/etc/raddb/certs/random
	tls_require_cert = demand
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

eap.conf file:

eap {
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	tls {
		private_key_password = secretpasswd
		private_key_file = ${raddbdir}/certs/server.pem
		certificate_file = ${raddbdir}/certs/server.pem
		CA_file = ${raddbdir}/certs/root.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
		fragment_size = 1024
		include_length = yes
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
	}
	mschapv2 {
	}
}

users file:

DEFAULT Auth-Type := LDAP
	Fall-Through = No

And I add to the ldap.attrmap file the following:

checkItem	User-Password	userPassword
checkItem	LM-Password	sambaLMPassword
checkItem	NT-Password	sambaNTPassword

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = /usr/local/radius
main: localstatedir = /usr/local/radius/var
main: logdir = /usr/local/radius/var/log/radius
main: libdir = /usr/local/radius/lib
main: radacctdir = /usr/local/radius/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/radius/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main:
FreeRadius and PostgreSQL configuration question
Dear Gurus!

We are trying to install Freeradius with PostgreSQL but have a question. We expect about 100 concurrent calls, and our switch sends 3 requests to radius: authorization, accounting start, and accounting stop or update. How many max_connections should we configure in the postgresql.conf file? Normally at the same time we will get about 1-30 calls, but we are not sure how much it will be.

Is there some other or special recommendation for correctly configuring PostgreSQL and FreeRadius? Please, whoever has installed and configured that, send this information ASAP, it's really necessary.

Best regards,
Re: Problem TTLS-LDAP
alfonso celestino [EMAIL PROTECTED] wrote:
> rlm_ldap: Attribute User-Password is required for authentication.
...
> users file:
> DEFAULT Auth-Type := LDAP
>	Fall-Through = No

Don't do that. Read eap.conf. LDAP servers don't do EAP authentication.

Alan DeKok.
Authorization failed
Dear list,

I am using free radius for authorizing, authenticating and accounting dial-up connections. I use sql for authorization, but users cannot be authorized. Here is what the log files produced:

Info: rlm_sql (sql): No matching entry in the database for request from user [swan]

Any idea what's wrong?

thanks
RE: Expiration Module
It is never sent. I use radtest and get no reply; radtest simply sends the request again and again...

Regards
Jaco van Tonder

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 14 June 2005 07:07 PM
To: FreeRadius users mailing list
Subject: Re: Expiration Module

Jaco van Tonder [EMAIL PROTECTED] wrote:
> if the expiration date/time has been reached - the server traps this -
> but NO reply message is sent.
...
> Delaying request 1 for 1 seconds

So... is it delayed for 1 second, or is it *never* sent? My tests show it's only delayed for reject_delay time.

Alan DeKok.