Read Group-Attribute from mysql
I want to read the Group-Attribute from a MySQL database without having all users in the MySQL database. Users not in MySQL should have group := default; the others should have group := from the MySQL table. Is that possible? Do you have some hints? I am using freeradius 1.0.4.

Regards
Hans-Peter Fuchs

Hans-Peter Fuchs - RZKR, Zimmer 20
Zentrum fuer angewandte Informatik - Universitaetsweiter Service RRZK
Universität zu Köln - Tel: 0221-470-6972

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
newbie question basic passwd authentication
Hi,

I am a complete newbie with radius. I need to configure this for use with a PPTP VPN. The end goal will be that radius is running on a fedora box, and authenticates against a SMBPASSWD file. PPTPd needs chap, but I am getting ahead of myself; first I need to get a basic system working.

I installed the freeradius rpm, and tried to configure some things:

file clients.conf:

  client 127.0.0.1 {
    secret = testing123
    shortname = localhost
    nastype = other
  }
  client 192.168.1.0/24 {
    secret = testing123
    shortname = localnet
  }

File naslist:

  localhost local other

File users: nothing changed, all seemed OK to me.

file radius.conf (cut away some text):

  unix {
    cache = no
    cache_reload = 600
    passwd = /etc/passwd
    shadow = /etc/shadow
    group = /etc/group
  }

When I now start the daemon as root:

  # radiusd -sfxxyz -l stdout

When I tried to test it from the console again:

  radtest ramses OfCourseThisShouldBeSomethingLessObvious localhost 1 testing123

I see this at my console:

  rad_recv: Access-Request packet from host 127.0.0.1:32769, id=122, length=58
      User-Name = ramses
      User-Password = OfCourseThisShouldBeSomethingLessObvious
      NAS-IP-Address = 255.255.255.255
      NAS-Port = 1
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
      rlm_realm: No '@' in User-Name = ramses, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
      users: Matched DEFAULT at 152
    modcall[authorize]: module files returns ok for request 0
  modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type System
  auth: type System
  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 0
  rlm_unix: [ramses]: invalid password
    modcall[authenticate]: module unix returns reject for request 0
  modcall: group authenticate returns reject for request 0
  auth: Failed to validate the user.
  Delaying request 0 for 1 seconds
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Sending Access-Reject of id 122 to 127.0.0.1:32769
  Waking up in 4 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 122 with timestamp 42ca3387
  Nothing to do.  Sleeping until we see a request.

Of course I triple checked the typed-in password, and I could find nothing wrong with that one. Now I think all I can do is shout: HELPPP, does anyone have any ideas?

kind regards,

Ramses
Re: EAP-TTLS and PEAP auth problem ... sorry!!
--- Alan DeKok [EMAIL PROTECTED] wrote:
> Gandalf the Gray [EMAIL PROTECTED] wrote:
> > It seems no EAP-challenge is really going on. This is the output from the radius server after a try made by the AEGIS client under Windows XP, with PEAP MSCHAPv2.
>
> The AEGIS client works with FreeRADIUS. What the debug log shows is that the client is not seeing the response from FreeRADIUS.
>
> It's probably because you have multiple IP's on the radius server, and the client is sending to one address, and seeing the response from another. Use 'tcpdump' to verify the problem, and make the server listen on only one IP.
>
> Alan DeKok.

I checked and set a single IP address on my freeradius server. But it seems always the same result... this is my log by radiusd -X:

  rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131
      User-Name = attoo
      Framed-MTU = 1400
      Called-Station-Id = 00-12-D9-B3-26-90
      Calling-Station-Id = 00-50-FC-F1-7A-91
      Message-Authenticator = 0x17e90f1da3ab8ca6003b033cdfa7926d
      EAP-Message = 0x0202000a016174746f6f
      NAS-Port-Type = Wireless-802.11
      NAS-Port = 337
      Service-Type = Framed-User
      NAS-IP-Address = 192.168.127.36
      NAS-Identifier = appi
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 1
    modcall[authorize]: module preprocess returns ok for request 1
    modcall[authorize]: module mschap returns noop for request 1
      rlm_realm: No '@' in User-Name = attoo, skipping NULL due to config.
    modcall[authorize]: module suffix returns noop for request 1
    rlm_eap: EAP packet type response id 2 length 10
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 1
      users: Matched entry DEFAULT at line 152
    modcall[authorize]: module files returns ok for request 1
  modcall: group authorize returns updated for request 1
    rad_check_password: Found Auth-Type EAP
  auth: type EAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 1
    rlm_eap: EAP Identity
    rlm_eap: processing type tls
    rlm_eap_tls: Initiate
    rlm_eap_tls: Start returned 1
    modcall[authenticate]: module eap returns handled for request 1
  modcall: group authenticate returns handled for request 1
  Sending Access-Challenge of id 123 to 192.168.127.36:21646
      EAP-Message = 0x010300061920
      Message-Authenticator = 0x
      State = 0x305eceed6a3b96ee99d532871dffa83f
  Finished request 1
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131
  Sending duplicate reply to client appi:21646 - ID: 123
  Re-sending Access-Challenge of id 123 to 192.168.127.36:21646
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Cleaning up request 1 ID 123 with timestamp 42ca647d
  Nothing to do.  Sleeping until we see a request.

thank you for your attention!
Re: EAP-TTLS and PEAP auth problem ... sorry!!
I changed the settings of the AP, allowing Aironet Extensions, and the result is a little different: now TLS is performed, but it still doesn't work fine...

  rad_recv: Access-Request packet from host 192.168.127.36:21646, id=158, length=145
      User-Name = fresh
      Framed-MTU = 1400
      Called-Station-Id = 00-12-D9-B3-26-90
      Calling-Station-Id = 00-50-FC-F1-7A-91
      Message-Authenticator = 0x44ebb1858de22fda1162620cce508446
      EAP-Message = 0x020400061900
      NAS-Port-Type = Wireless-802.11
      NAS-Port = 364
      State = 0x730ee4d85739cac2db03508048550566
      Service-Type = Framed-User
      NAS-IP-Address = 192.168.127.36
      NAS-Identifier = appi
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 6
    modcall[authorize]: module preprocess returns ok for request 6
    modcall[authorize]: module mschap returns noop for request 6
      rlm_realm: No '@' in User-Name = fresh, skipping NULL due to config.
    modcall[authorize]: module suffix returns noop for request 6
    rlm_eap: EAP packet type response id 4 length 6
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 6
      users: Matched entry DEFAULT at line 152
    modcall[authorize]: module files returns ok for request 6
  modcall: group authorize returns updated for request 6
    rad_check_password: Found Auth-Type EAP
  auth: type EAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 6
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/peap
    rlm_eap: processing type peap
    rlm_eap_peap: Authenticate
    rlm_eap_tls: processing TLS
    rlm_eap_tls: Received EAP-TLS ACK message
    rlm_eap_tls: ack handshake fragment handler
    eaptls_verify returned 1
    eaptls_process returned 13
    rlm_eap_peap: EAPTLS_HANDLED
    modcall[authenticate]: module eap returns handled for request 6
  modcall: group authenticate returns handled for request 6
  Sending Access-Challenge of id 158 to 192.168.127.36:21646
      EAP-Message = (hex value elided)
      EAP-Message = (hex value elided)
      EAP-Message = (hex value elided)
      EAP-Message = (hex value elided)
      Message-Authenticator = 0x
      State = 0xaf2e1d273a634f616e56bde68cbf0106
  Finished request 6
  Going to the next request
  Waking up in 6 seconds...
Problem on installing Version 1.0.3 on RedHat 9.0
Here is part of the message I got when I MAKE.

  Making dynamic in rlm_eap_peap...
  gmake[10]: Entering directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_peap'
  gmake[10]: Leaving directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_peap'
  Making dynamic in rlm_eap_sim...
  gmake[10]: Entering directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_sim'
  gmake[10]: Leaving directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_sim'
  Making dynamic in rlm_eap_tls...
  gmake[10]: Entering directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_tls'
  gmake[10]: Leaving directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_tls'
  Making dynamic in rlm_eap_ttls...
  gmake[10]: Entering directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_ttls'
  gmake[10]: Leaving directory `/root/freeradius/src/modules/rlm_eap/types/rlm_eap_ttls'
  gmake[9]: Leaving directory `/root/freeradius/src/modules/rlm_eap/types'
  gmake[8]: Leaving directory `/root/freeradius/src/modules/rlm_eap/types'
  gmake[7]: Leaving directory `/root/freeradius/src/modules/rlm_eap'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_eap'
  Making static dynamic in rlm_exec...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_exec'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_exec'
  Making static dynamic in rlm_expr...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_expr'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_expr'
  Making static dynamic in rlm_fastusers...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_fastusers'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_fastusers'
  Making static dynamic in rlm_files...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_files'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_files'
  Making static dynamic in rlm_ippool...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_ippool'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_ippool'
  Making static dynamic in rlm_krb5...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_krb5'
  gmake[6]: Nothing to be done for `static'.
  gmake[6]: Nothing to be done for `dynamic'.
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_krb5'
  Making static dynamic in rlm_ldap...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_ldap'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_ldap'
  Making static dynamic in rlm_mschap...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_mschap'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_mschap'
  Making static dynamic in rlm_ns_mta_md5...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_ns_mta_md5'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_ns_mta_md5'
  Making static dynamic in rlm_pam...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_pam'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_pam'
  Making static dynamic in rlm_pap...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_pap'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_pap'
  Making static dynamic in rlm_passwd...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_passwd'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_passwd'
  Making static dynamic in rlm_preprocess...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_preprocess'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_preprocess'
  Making static dynamic in rlm_radutmp...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_radutmp'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_radutmp'
  Making static dynamic in rlm_realm...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_realm'
  gmake[6]: Leaving directory `/root/freeradius/src/modules/rlm_realm'
  Making static dynamic in rlm_sql...
  gmake[6]: Entering directory `/root/freeradius/src/modules/rlm_sql'
  gmake[7]: Entering directory `/root/freeradius/src/modules/rlm_sql'
  Making static in drivers...
  gmake[8]: Entering directory `/root/freeradius/src/modules/rlm_sql/drivers'
  /usr/bin/gmake -w WHAT_TO_MAKE=static common
  gmake[9]: Entering directory `/root/freeradius/src/modules/rlm_sql/drivers'
  Making static in rlm_sql_iodbc...
  gmake[10]: Entering directory `/root/freeradius/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
  gmake[10]: Nothing to be done for `static'.
  gmake[10]: Leaving directory `/root/freeradius/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
  Making static in rlm_sql_mysql...
  gmake[10]: Entering directory `/root/freeradius/src/modules/rlm_sql/drivers/rlm_sql_mysql'
  gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I'/usr/include' -c sql_mysql.c -o sql_mysql.o
  sql_mysql.c:39:20: errmsg.h: No such file or directory
  sql_mysql.c:40:19: mysql.h: No such file or
Re: Problem on installing Version 1.0.3 on RedHat 9.0
Hi,

> gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I'/usr/include' -c sql_mysql.c -o sql_mysql.o
> sql_mysql.c:39:20: errmsg.h: No such file or directory
> sql_mysql.c:40:19: mysql.h: No such file or directory

- There's 1.0.4, what's the point in using 1.0.3, especially if you're compiling yourself.
- Have a look in this mailing list's archives, there's a bunch of messages about RedHat installing MySQL (and possibly other) headers in strange locations and how to work around it...

Regards,

Stefan
Users to IP limit Please help me
Hello,

I have FreeRADIUS running with a MySQL database. Now I would like to assign the users an IP that is stored there. Also, if a user uses another IP than the one stored in the database, he should be rejected by the radius server. How or where can I set this, so that the users are limited to a certain IP?

Please help me, I am in despair.
Re: freeradius 1.0.4 ldap compilation
On 4 Jul 05 at 17:54, Alan DeKok wrote:
> Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:
> > /opt/freeradius/distrib.freeradius-1.0.4/src/modules/rlm_ldap/rlm_ldap.c:2181: undefined reference to `ldap_unbind_s'
>
> Hmm... it looks like your version of OpenLDAP doesn't have the functions needed by FreeRADIUS. Or, the LDAP libraries aren't being found at compile-time.
>
> Alan DeKok.

Do you recommend openldap 2.2.26 or 2.3.4, and with what options?

Marc
Re: Win 2000 - Cisco 3550 - freeradius
--- Original message ---
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Win 2000 - Cisco 3550 - freeradius
Date: Mon, 04 Jul 2005 12:07:39 -0400

> Michael Langer [EMAIL PROTECTED] wrote:
> > The switch only allows authenticated clients (windows) to send packets to the intranet. All works well, but all the time freeradius rejects because there is no User-Password, but I insert one in the login screen.
>
> Ok...
>
> > EAP-Message = 0x020100090174657374
>
> So the supplicant is doing EAP, and the switch is sending EAP to the server.
>
> > rlm_eap: EAP packet type response id 1 length 9
> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>
> Hmm.. the EAP module should see that EAP packet as an EAP-Identity, and start doing EAP. Do you have any EAP types configured in the server?
>
> Alan DeKok.

I copy the sections; if you need further information please say it. (I thought the whole files would be too much.)

- radiusd.conf:

  modules {
    ...
    $INCLUDE ${confdir}/eap.conf
    ...
  }
  authorize {
    ...
    eap
    ...
  }
  authenticate {
    ...
    eap
  }

- eap.conf:

  eap {
    default_eap_type = peap
    ...
    md5 {
    }
    leap {
    }
    gtc {
      auth_type = PAP
    }
    tls {
      ...
    }
    peap {
      default_eap_type = mschapv2
    }
    mschapv2 {
    }
  }
Re: newbie question basic passwd authentication
> Hi,
>
> I am a complete newbie with radius. I need to configure this for use with a PPTP VPN. The end goal will be that radius is running on a fedora box, and authenticates against a SMBPASSWD file. PPTPd needs chap.

I used to run it against smbpasswd, now I'm running against LDAP :-) samba and freeradius use the same password hashes. I can share configuration if you want.

> but I am getting ahead of myself, first I need to get a basic system working.
>
> I installed the freeradius rpm, and tried to configure some things:
>
> file clients.conf:
>
>   client 127.0.0.1 {
>     secret = testing123
>     shortname = localhost
>     nastype = other
>   }
>   client 192.168.1.0/24 {
>     secret = testing123
>     shortname = localnet
>   }
>
> File naslist:
>
>   localhost local other
>
> File users: nothing changed, all seemed OK to me.
>
> file radius.conf (cut away some text):
>
>   unix {
>     cache = no
>     cache_reload = 600
>     passwd = /etc/passwd
>     shadow = /etc/shadow
>     group = /etc/group
>   }
>
> When I now start the daemon as root:
>
>   # radiusd -sfxxyz -l stdout
>
> When I tried to test it from the console again:
>
>   radtest ramses OfCourseThisShouldBeSomethingLessObvious localhost 1 testing123
>
> I see this at my console:
>
>   rad_recv: Access-Request packet from host 127.0.0.1:32769, id=122, length=58
>       User-Name = ramses
>       User-Password = OfCourseThisShouldBeSomethingLessObvious
>       NAS-IP-Address = 255.255.255.255
>       NAS-Port = 1
>   Processing the authorize section of radiusd.conf
>   modcall: entering group authorize for request 0
>     modcall[authorize]: module preprocess returns ok for request 0
>     modcall[authorize]: module chap returns noop for request 0
>     modcall[authorize]: module mschap returns noop for request 0
>       rlm_realm: No '@' in User-Name = ramses, looking up realm NULL
>       rlm_realm: No such realm NULL
>     modcall[authorize]: module suffix returns noop for request 0
>     rlm_eap: No EAP-Message, not doing EAP
>     modcall[authorize]: module eap returns noop for request 0
>       users: Matched DEFAULT at 152
>     modcall[authorize]: module files returns ok for request 0
>   modcall: group authorize returns ok for request 0
>     rad_check_password: Found Auth-Type System
>   auth: type System
>   Processing the authenticate section of radiusd.conf
>   modcall: entering group authenticate for request 0
>   rlm_unix: [ramses]: invalid password
>     modcall[authenticate]: module unix returns reject for request 0
>   modcall: group authenticate returns reject for request 0
>   auth: Failed to validate the user.
>   Delaying request 0 for 1 seconds
>   Finished request 0
>   Going to the next request
>   --- Walking the entire request list ---
>   Waking up in 1 seconds...
>   --- Walking the entire request list ---
>   Waking up in 1 seconds...
>   --- Walking the entire request list ---
>   Sending Access-Reject of id 122 to 127.0.0.1:32769
>   Waking up in 4 seconds...
>   --- Walking the entire request list ---
>   Cleaning up request 0 ID 122 with timestamp 42ca3387
>   Nothing to do.  Sleeping until we see a request.
>
> Of course I triple checked the typed-in password, and I could find nothing wrong with that one. Now I think all I can do is shout: HELPPP, does anyone have any ideas?
>
> kind regards,
>
> Ramses
Database Replication
Hi people,

I have been using freeradius 1.0.3 for lots of months, and in the previous version it had been working very well. Nowadays I am changing my systems: servers. And I am using Postgres instead of MySQL. Everything works OK. Both my Postgres servers have database replication working well.

My question is for safety: must I put Radius replication in too? What I mean is: in radius.conf, do I have to create a new Postgres configuration entry sql2 in the file? Is there any configuration for when my DB server 1 falls down, so that the Radius server writes to DB server 2?
Re: Read Group-Attribute from mysql
Hans-Peter Fuchs [EMAIL PROTECTED] wrote:
> I want to read the Group-Attribute from a mysql-database without having all users in the mysql-database.

Sure. It's just another attribute.

Alan DeKok.
Re: EAP-TTLS and PEAP auth problem ... sorry!!
Gandalf the Gray [EMAIL PROTECTED] wrote:
> I checked and set a single IP address on my freeradius server. But it seems always the same result... this is my log by radiusd -X:
> ...

Which shows that the client is sending a duplicate request to the server, i.e. the client is probably never seeing the response from the server.

I don't think this is a RADIUS problem. Try using 'tcpdump' or 'ethereal' to see what's going wrong in your network.

Alan DeKok.
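Alan's diagnosis rests on one pattern in the radiusd -X output: the same Access-Request (client address, port, id) arriving again after the server has already sent its reply. The following is an added example, not code from this thread or from FreeRADIUS, that walks debug-log lines and flags such retransmissions; the sample log is constructed from the lines Gandalf posted, and an id that reappears only after "Cleaning up request" is deliberately not flagged, because RADIUS ids are 8-bit and get reused.

```python
import re

# Line shapes from FreeRADIUS 1.x "radiusd -X" output, as seen in this thread.
RECV_RE = re.compile(
    r"^rad_recv: Access-Request packet from host (\S+):(\d+), id=(\d+), length=(\d+)$")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+):(\d+)$")
CLEAN_RE = re.compile(r"^Cleaning up request \d+ ID (\d+) with timestamp")


def find_retransmits(lines):
    """Return one finding per Access-Request that repeats a (host, port, id)
    tuple while the server still holds the reply it already sent for it."""
    pending = {}      # (host, port, id) -> reply code already sent
    first_len = {}    # (host, port, id) -> length of the original request
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            host, port, rid, length = (m.group(1), int(m.group(2)),
                                       int(m.group(3)), int(m.group(4)))
            key = (host, port, rid)
            if key in pending:
                findings.append({
                    "client": f"{host}:{port}",
                    "id": rid,
                    "reply_already_sent": pending[key],
                    # equal length is consistent with a verbatim retransmit
                    "same_length": first_len.get(key) == length,
                })
            else:
                first_len[key] = length
            continue
        m = SEND_RE.match(line)
        if m:
            code, rid, host, port = (m.group(1), int(m.group(2)),
                                     m.group(3), int(m.group(4)))
            pending[(host, port, rid)] = code
            continue
        m = CLEAN_RE.match(line)
        if m:
            # After cleanup_delay the server forgets the request; a later
            # request with the same id is a fresh one, not a retransmit.
            rid = int(m.group(1))
            for key in [k for k in pending if k[2] == rid]:
                pending.pop(key)
                first_len.pop(key, None)
    return findings


def verdict(findings):
    """Short triage string for the findings list."""
    if not findings:
        return "no retransmissions seen"
    if all(f["same_length"] for f in findings):
        return ("client is retransmitting identical requests: the replies are "
                "not reaching it, check the return path with tcpdump")
    return "client re-sent ids with different lengths: look at the client side"


# Constructed sample, abridged from the log quoted in this thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131
Sending Access-Challenge of id 123 to 192.168.127.36:21646
rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131
Sending duplicate reply to client appi:21646 - ID: 123
Re-sending Access-Challenge of id 123 to 192.168.127.36:21646
Cleaning up request 1 ID 123 with timestamp 42ca647d
rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131
""".splitlines()

if __name__ == "__main__":
    found = find_retransmits(SAMPLE_LOG)
    for f in found:
        print(f)
    print(verdict(found))
```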
Re: Users to IP limit Please help me
Dumpfbacke 102731 [EMAIL PROTECTED] wrote:
> I have FreeRADIUS running with a MySQL database. Now I would like to assign the users an IP that is stored there. Also, if a user uses another IP than the one stored in the database, he should be rejected by the radius server.

Use rlm_ippool to allocate IP addresses from the server. Do not allow the users to pick their own IP addresses.

Alan DeKok.
Re: Windows - VPN - Radius
> If the request contained MSCHAP, yes, the mschap module should return ok. Since the request doesn't contain MSCHAP, the mschap module returns noop.
>
> Make the client send MSCHAP, or CHAP-Password, or User-Password. No amount of playing with radiusd.conf will fix the client.

Now THAT would be a nice trick. How do you convince Windows to do what you want (or expect) it to do??? :-P

Well, I tried to change the (few) options the windows VPN client gives for authentication/security, and none made windows send me the CHAP-Password in the request. Anyway, I will try to google some other options.

Well, I think I finally found what's happening. Windows IS sending the proper password. The problem is with radiusclient, the program that my VPN server (poptop) uses to interface with radius. It does not have a dictionary.microsoft file by default, and due to this it's discarding some of the pairs Windows is sending. Do I need to say that the pairs discarded are the ones with the password???

I'm trying to solve this problem, but the dictionary.microsoft files I've tried didn't work. The one that comes with freeradius isn't understood by radiusclient, and the one I found in the radiusclient site didn't work properly (it did overwrite non-Vendor pairs).

Does somebody know where I can get properly working dictionary files for this case? (I know this is not a freeradius question, but I need it to make the client work properly. Sorry)

Thank you very much,

Marcos Roberto Greiner
Multiple Sql Databases
Right now my organization has 2 master radius servers (1 primary, 1 slave) which have sql databases stored on them. I also have 4 radius servers under these two master servers which handle proxied radius requests based on realm names from the two master servers and authenticate using sql databases that are located on the two master servers. Basically I couldn't find a better way to do it, and I'm now to the point where I need to add in three more sql databases and three more realms. I'm looking for a solution where I don't need to keep on adding more radius servers just to take the request and throw it back at the masters.

Just in case it is hard to understand what is going on, here is what I have currently.

2 Master servers that receive requests from an outside NAS for realms such as [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] etc. etc. etc. These Master servers also have postgresql databases with names such as adsl, dialup, mobile etc. etc. etc.

4 Radius Servers that receive requests from the masters. For instance in the master I might have a config in proxy.conf to forward requests for adsl.domainname.net to the xxx.xxx.xxx.xxx radius server. This radius server receives that request and authenticates the user using the database that is written in /etc/postgresql.conf. (In my case I keep all the databases on the master radius servers, NOT on the individual radius servers.)

So as you see these radius servers seem to be a little out of place, but this is the only way I could find to do this. It would be handy if I could say in proxy.conf to authenticate to localhost on database adsl etc. etc. However, as I see it you can't do that, and the configurable failover is only to configure failovers, so I really don't know what else to do. I can't keep on adding dummy radius servers every time I make a new realm.

I would appreciate ANY help all of you well experienced geniuses could give.

PK
Re: Users to IP limit Please help me
Many thanks for the answer. But which settings must be decided on to use rlm_ippool? Or, better, how do I do this?

Kind regards.

> Use rlm_ippool to allocate IP addresses from the server. Do not allow the users to pick their own IP addresses.
>
> Alan DeKok.
Re: freeradius 1.0.4 ldap compilation
Marc-Henri Boisis-Delavaud [EMAIL PROTECTED] wrote:
> And what is the version of openldap recommended by freeradius?

Most versions should work. My guess is that the LDAP libraries are in a non-standard place, where your linker can't find them.

Alan DeKok.
Re: customer with wrong passwords
Vects [EMAIL PROTECTED] wrote:
> I want to implement default 'catch all' rules in radius for customers with wrong passwords; they are supposed to be connected and redirected to some web proxy. At the same time that default shouldn't concern customers with correct passwords. Is below correct for my purpose?

No. If the customers are rejected, their connection will be dropped by the NAS, and they won't be redirected to a web proxy.

Alan DeKok.
Re: forming Tunnel with TLS
Stefan Winter [EMAIL PROTECTED] wrote:
> > transport TCP and UDP packets through that tunnel.
>
> I've heard of zebedee http://www.winton.org.uk/zebedee/

I would not recommend using zebedee. They don't have integrity protection on the tunnel, which is bad.

In general, home-brewed re-inventions of TLS are wrong, and should be avoided like the plague.

Alan DeKok.
Re: Database Replication
Santiago Balaguer García [EMAIL PROTECTED] wrote:
> ...

Can you please post in plain-text?

> What I mean is: in radius.conf, do I have to create a new Postgres configuration entry sql2 in the file? Is there any configuration for when my DB server 1 falls down, so that the Radius server writes to DB server 2?

Read doc/configurable_failover

Alan DeKok
Re: Windows - VPN - Radius
Roberto Greiner [EMAIL PROTECTED] wrote:
> Well, I think I finally found what's happening. Windows IS sending the proper password. The problem is with radiusclient, the program that my VPN server (poptop) uses to interface with radius. It does not have a dictionary.microsoft file by default, and due to this it's discarding some of the pairs Windows is sending. Do I need to say that the pairs discarded are the ones with the password???

sigh

RADIUS implementations should be able to handle unknown attributes, and pass them back and forth.

> I'm trying to solve this problem, but the dictionary.microsoft files I've tried didn't work. The one that comes with freeradius isn't understood by radiusclient, and the one I found in the radiusclient site didn't work properly (it did overwrite non-Vendor pairs).

The ones distributed with FreeRADIUS should work, with a bit of editing. But you may have to edit the source code to radiusclient.

Hmm... the last release of radiusclient was 3 years ago. That's bad.

Alan DeKok.
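Alan's point is that a RADIUS implementation should carry attributes it has no dictionary entry for through unchanged, which is exactly what radiusclient fails to do here with the Microsoft vendor attributes that carry the MS-CHAP response. The following is an added example, not code from this thread, from FreeRADIUS or from radiusclient: a decoder and encoder for the RADIUS attribute list that names the Microsoft MS-CHAP attributes (vendor 311, as in dictionary.microsoft) and keeps every attribute it cannot name, so a round trip loses nothing; the sample attribute bytes are constructed, not a capture, and the attribute name tables are deliberately tiny.

```python
import struct

VENDOR_SPECIFIC = 26
MICROSOFT = 311          # enterprise number used by dictionary.microsoft (RFC 2548)
STANDARD = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
            4: "NAS-IP-Address", 5: "NAS-Port", 60: "CHAP-Challenge"}
MS_ATTRS = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge",
            25: "MS-CHAP2-Response", 26: "MS-CHAP2-Success"}
# Attributes a server can authenticate against; what Alan told the client to send.
PASSWORD_ATTRS = {"User-Password", "CHAP-Password",
                  "MS-CHAP-Response", "MS-CHAP2-Response"}


def _split_vsa(value):
    """Split a Vendor-Specific value into (vendor, [(vtype, vvalue), ...]).
    Returns None when the sub-attributes do not parse cleanly, in which
    case the caller keeps the whole value opaque rather than dropping it."""
    if len(value) < 6:
        return None
    vendor = struct.unpack("!I", value[:4])[0]
    body, i, subs = value[4:], 0, []
    while i < len(body):
        if len(body) - i < 2:
            return None
        vtype, vlen = body[i], body[i + 1]
        if vlen < 2 or i + vlen > len(body):
            return None
        subs.append((vtype, body[i + 2:i + vlen]))
        i += vlen
    return vendor, subs


def parse_attributes(data):
    """Decode the attribute list that follows the 20-byte RADIUS header.
    Every attribute comes back, named where possible, opaque otherwise."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = data[i + 2:i + alen]
        i += alen
        if atype == VENDOR_SPECIFIC:
            split = _split_vsa(value)
            if split is not None:
                vendor, subs = split
                for vtype, vvalue in subs:
                    name = MS_ATTRS.get(vtype) if vendor == MICROSOFT else None
                    attrs.append({"type": atype, "vendor": vendor, "vtype": vtype,
                                  "name": name or f"Vendor-{vendor}-Attr-{vtype}",
                                  "value": vvalue})
                continue
        attrs.append({"type": atype, "vendor": None, "vtype": None,
                      "name": STANDARD.get(atype, f"Attr-{atype}"), "value": value})
    return attrs


def encode_attributes(attrs):
    """Re-encode a parsed list, one Vendor-Specific per vendor sub-attribute.
    Unnamed attributes are written back byte-for-byte."""
    out = bytearray()
    for a in attrs:
        if a["vendor"] is None:
            out += bytes([a["type"], 2 + len(a["value"])]) + a["value"]
        else:
            sub = bytes([a["vtype"], 2 + len(a["value"])]) + a["value"]
            body = struct.pack("!I", a["vendor"]) + sub
            out += bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body
    return bytes(out)


def password_attributes(attrs):
    """Names of the credential-carrying attributes present in the request."""
    return sorted(a["name"] for a in attrs if a["name"] in PASSWORD_ATTRS)


def build_sample_request():
    """Constructed bytes resembling what a NAS sends for a Windows MS-CHAPv2
    login: User-Name, two Microsoft VSAs, and one attribute (77) that the
    tiny table above has no name for."""
    def attr(t, v):
        return bytes([t, 2 + len(v)]) + v

    def vsa(vendor, vt, v):
        return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + attr(vt, v))

    return (attr(1, b"test")
            + vsa(MICROSOFT, 11, bytes(range(16)))            # MS-CHAP-Challenge
            + vsa(MICROSOFT, 25, bytes([1, 0]) + bytes(48))   # MS-CHAP2-Response, 50 bytes
            + attr(77, b"00-50-FC-F1-7A-91"))                 # unnamed here, kept opaque


if __name__ == "__main__":
    raw = build_sample_request()
    parsed = parse_attributes(raw)
    print([a["name"] for a in parsed], password_attributes(parsed))
    print("round trip intact:", encode_attributes(parsed) == raw)
```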
Re: Multiple Sql Databases
[EMAIL PROTECTED] wrote:
> It would be handy if I could say in proxy.conf to authenticate to localhost on database adsl etc. etc. However, as I see it you can't do that

doc/Autz-Type

  #--- users file
  DEFAULT Realm == adsl.domainname.net, Autz-Type := adsl
  ...
  #---

  #--- radiusd.conf
  ...
  modules {
    sql adsl {
      ... db for adsl
    }
    ...
  }
  ...
  authorize {
    preprocess
    suffix
    files
    Autz-Type adsl {
      adsl
    }
    ...
  }

Alan DeKok.
Proxy, only if local auth fails?
In a nutshell: I'd like to proxy authentication requests to a Microsoft IAS server only if the attempt to first handle them locally has returned a REJECT.

Details: I have IAS properly configured to authenticate AD users. FreeRADIUS (1.0.1) is running on a Linux (Debian, kernel 2.4.26) box and can authenticate properly against a local LDAP server (default realm) or proxy the requests to the IAS server (ntdomain realm). This configuration is working. If the request contains the username in ntdomain format (e.g. domain\username), it gets forwarded to the IAS server. If the username has no prefix/suffix (e.g. username), it gets handled locally. Again, the radtest util has confirmed that this configuration is working the way that I'm expecting.

However, what I'd like to do is have the server attempt to handle this request locally. If the local authentication attempt results in a 'reject', I then would like to have this request proxied to the IAS server. I could reverse the order and have the request first proxied to the IAS server and then handled locally if it's rejected, but the majority of our users have local accounts, so it makes sense to try the local system first.

I would greatly appreciate any suggestions that can be offered.

Bryan
Re: Freeradius and eDirectory
Thanks - that worked. I'm getting a TLS connect. Now I have a problem testing using radtest, using the following syntax:

    radtest jmuser heath10er server13.samford.edu 199.20.16.13 testing123

From the log the admin bind and login is OK - I've obscured the password, but it shows in the log exactly as it is in radiusd.conf.

    rlm_ldap: starting TLS
    rlm_ldap: bind as cn=admin,ou=cts,o=dxmltemp/xx to gwtemp.samford.edu:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful

Here's the excerpt showing the request from radtest. The password is represented correctly.

    rad_recv: Access-Request packet from host 199.20.16.13:33419, id=137, length=58
        User-Name = jmuser
        User-Password = heath10er
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 199

Here's the attempted bind by the user. Note that the password presented is not heath10er but aeath10er and the bind fails.

    rlm_ldap: starting TLS
    rlm_ldap: bind as cn=jmuser,ou=RD,ou=New Users,o=DXMLTEMP/aeath10er to gwtemp.samford.edu:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
    rlm_ldap: eDirectory account policy check failed.
    rlm_ldap: NDS error: failed authentication (-669)

Changed the Universal Password to aeath10er and got the following.

    rlm_ldap: starting TLS
    rlm_ldap: bind as cn=jmuser,ou=RD,ou=New Users,o=DXMLTEMP/beath10er to gwtemp.samford.edu:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
    rlm_ldap: eDirectory account policy check failed.
    rlm_ldap: NDS error: failed authentication (-669)

It appears that the Universal Password is being misread. Can that be true? Full log is below.

Thanks
Mearl

[EMAIL PROTECTED] 6/27/2005 10:55:07 PM
> Hi,
> You need to extract the Self Signed certificate of the CA (from inside the
> Security Container). Once you have extracted that you need to configure
> tls_cacertfile in the ldap section of radiusd.conf. You have configured
> the tls_certfile. Once you do that it should start working.
> -Sayantan.
>
> [EMAIL PROTECTED] 06/27/05 9:20 PM
>> I'm having trouble getting a TLS connection from freeradius to my Novell
>> LDAP Server. I've used Novell's document Integrating Novell eDirectory
>> with FreeRadius to set it up. The radius -X log shows
>>     rlm_ldap: could not start TLS
>>     Connect error
>> I've configured ldap.conf to use the same certificate and am able to do a
>> successful search using:
>>     ldapsearch -vvv -h gwtemp.samford.edu -x -Z -b o=dxmltemp cn=jmuser dn
>> FreeRadius 1.0.4 compiled --with-edir
>> Redhat AS3 update 5 on an IBM p615
>> openldap-2.0.27-17
>> openssl-0.9.7a-33.15
>> Netware 6.5 SP3 on Dell hardware.
>> Mearl

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated
Re: Proxy, only if local auth fails?
Woods, Bryan [EMAIL PROTECTED] wrote:
> In a nutshell: I'd like to like to proxy authentication requests to a
> Microsoft IAS server only if the attempt to first handle them locally has
> returned a REJECT.

It requires a bit of code changes, but it's possible.

Hmm... edit src/modules/rlm_files.c, and add an authenticate section, copied from one of the other sections. Maybe this can go into 1.0.5, as it's a pretty small change.

Alan DeKok.
freeradius LDAP EAP/TLS
Hi,

Is it possible to use ldap only for authorization (by the radiusGroupName attribute), and EAP/TLS for authentication?

I have tried; the authorization works fine... and I have:

    user [Felice] is authorized to remote access

but after I have rad_check_password, naturally the TLS authentication hasn't a password and I have login failed.

Does anyone know how I can use ldap only for authorization based on the radiusGroupName, without any password control?

thanks...
No SSL info available. Waiting for more SSL data with Red Hat 7.1
Hi all,

At home I've configured a perfectly working freeradius with PEAP/MSCHAPv2. I'd like to transfer it to my work to some really old Red Hat 7.1 boxes. First I configured and built freeradius from source and installed it in prefix /usr/local, but it crashed on the old ssl, so I grabbed the latest openssl, configured it and installed it in /usr/local as well, recompiled freeradius with the appropriate ssl directories and it ran! I transferred the configuration from my server at home and converted the appropriate paths.

I tried authenticating but it failed; the only suspicious thing I could find is:

    rlm_eap_tls: No SSL info available. Waiting for more SSL data.

After three of these attempts the supplicant (winxp sp2) seems to bail out; xsupplicant seems to give it some more tries.

What am I missing?

TIA
Dick
Re: Freeradius kerberos preauth
Kerberos pre-auth works: it (the KDC) requests an encrypted timestamp before sending credentials. If your radius server has a host/fqdn entry in /etc/krb5.keytab it will just work. You probably want hardware pre-auth and I don't know about that one. You could ask kerberos@mit.edu

On Fri, 2005-07-01 at 07:57, Roy D. Hockett wrote:
> I have looked on the web and haven't found anything affirming that
> freeradius will support or not support preauth with kerberos v5. Is anyone
> using preauth with kerberos v5 and freeradius? If there is documentation on
> this please point me in the right direction.
>
> Thanks,
> -Roy
rlm_sqlcounter + PostgreSQL problem
Hi list!

I have a problem with the rlm_sqlcounter. It sends the Session-Timeout correctly, but when it checks the time limit against the database it always returns 0. I've added some debugging output and recompiled. This is the output:

    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Entering module authorize code
    Tue Jul 5 14:46:51 2005 : Debug: sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime > abstime(1120539600)'
    Tue Jul 5 14:46:51 2005 : Debug: radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)'
    Tue Jul 5 14:46:51 2005 : Debug: sqlcounter_expand: '%{sqlcca3:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}'
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: querystr: %{%S:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: responsestr: %{sqlcca3:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Valor obtenido de la consulta: 0
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Valor a checkar: 90
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: (Check item - counter) is greater than zero
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Authorized user ceruno, check_item=90, counter=0
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Sent Reply-Item for user ceruno, Type=Session-Timeout, value=90
    Tue Jul 5 14:46:51 2005 : Debug: modsingle[authorize]: returned from dailycounter (rlm_sqlcounter) for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modcall[authorize]: module "dailycounter" returns ok for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modsingle[authorize]: calling monthlycounter (rlm_sqlcounter) for request 9
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Entering module authorize code
    Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Could not find Check item value pair
    Tue Jul 5 14:46:51 2005 : Debug: modsingle[authorize]: returned from monthlycounter (rlm_sqlcounter) for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modcall[authorize]: module "monthlycounter" returns noop for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modcall: group authorize returns ok for request 9
    Tue Jul 5 14:46:51 2005 : Debug: rad_check_password: Found Auth-Type System
    Tue Jul 5 14:46:51 2005 : Debug: auth: type "System"
    Tue Jul 5 14:46:51 2005 : Debug: Processing the authenticate section of radiusd.conf
    Tue Jul 5 14:46:51 2005 : Debug: modcall: entering group authenticate for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modcall[authenticate]: module "unix" returns ok for request 9
    Tue Jul 5 14:46:51 2005 : Debug: modcall: group authenticate returns ok for request 9

Looking at the code in rlm_sqlcounter.c in the sqlcounter_authorize function (the lines starting with * are what I've added):

        /* third, wrap query with sql module expand */
        sprintf(querystr, "%%{%%S:%s}", responsestr);
        sqlcounter_expand(responsestr, MAX_QUERY_LEN, querystr, instance);

        /* Finally, xlat resulting SQL query */
        radius_xlat(querystr, MAX_QUERY_LEN, responsestr, request, NULL);
    *   DEBUG2("rlm_sqlcounter: querystr: %s", querystr);
    *   DEBUG2("rlm_sqlcounter: responsestr: %s", responsestr);

        counter = atoi(querystr);
    *   DEBUG2("rlm_sqlcounter: Valor obtenido de la consulta: %d", counter);
    *   DEBUG2("rlm_sqlcounter: Valor a checkar: %d", check_vp->lvalue);

If you compare the output above you will note that when 'counter = atoi(querystr)' happens, the value of querystr is:

    %{%S:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}

So I think it is maybe a bug.

I also have a question: Where does the SQL query really happen? I couldn't figure it out :(

I'm running in a FC3 with PostgreSQL 7.4.8 and the last stable release of freeRadius (Version 1.0.4).

I'll appreciate any help you can give me.

Miguel.
Re: freeradius LDAP EAP/TLS
Felice Pizzurro [EMAIL PROTECTED] wrote:
> Is it possible to use ldap only for authorization (by the radiusGroupName
> attribute), and EAP/TLS for authentication?

Yes.

> I have tried; the authorization works fine... and I have:
>     user [Felice] is authorized to remote access
> but after I have rad_check_password, naturally the TLS authentication
> hasn't a password and I have login failed.

You're either running an older version of the server, or are setting Auth-Type by hand.

Alan DeKok.
about the fixes for forking external programs
Hello,

With regards to the fixes (in 1.03 and 1.04) for forking external programs, could anyone elaborate on the circumstances that lead to the failure condition?

Change log:
* Fixes for forking external programs, so the server doesn't suddenly stop processing requests, or stop forking programs.

Thanks,
Archana
Re: rlm_sqlcounter + PostgreSQL problem
How are you testing? In the radacct table see if AcctSessionTime has some value; this is the data used for the counter. If this value is 0, the query is 0. You can test with NTRadPing sending some value in AcctSessionTime.

Miguel, you don't have to change the query. I had your same problem with MySQL: AcctSessionTime was 0; when this value was different everything was OK.

Good luck

Carlos Martínez-Troncoso Cera
Internet/Intranet Services Coordinator
Universidad del Norte
Barranquilla, Colombia

Miguel Cabrera wrote:
> Hi list!
>
> I have a problem with the rlm_sqlcounter. It sends the Session-Timeout
> correctly, but when it checks the time limit against the database it
> always returns 0. I've added some debugging output and recompiled. This is
> the output:
> [...]
Re: about the fixes for forking external programs
Archana Vemulapalli [EMAIL PROTECTED] wrote:
> With regards to the fixes (in 1.03 and 1.04) for forking external
> programs, could anyone elaborate on the circumstances that lead to the
> failure condition?

The handling of forks and SIGCHLD was wrong. For details on the old implementation, and new, see the CVS log.

Alan DeKok.
Re: rlm_sqlcounter + PostgreSQL problem
On 7/5/05, Carlos Martínez-Troncoso Cera [EMAIL PROTECTED] wrote:
> How are you testing? In the radacct table see if AcctSessionTime has some
> value; this is the data used for the counter. If this value is 0, the
> query is 0. You can test with NTRadPing sending some value in
> AcctSessionTime.

Well, it has the values expected, > 0 for various of the users I'm testing with. I've also tested the queries outside radius directly in Postgres and it returns a number > 0, for example:

    SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600);

This query returns > 0, but when Radius does it, it apparently returns 0. I think there is a bug in someplace. (Did you read the last part of the email?):

> Looking at the code in rlm_sqlcounter.c in the sqlcounter_authorize
> function (the lines starting with * are what I've added):
> [...]
> If you compare the output above you will note that when 'counter =
> atoi(querystr)' happens, the value of querystr is:
>     %{%S:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}
> So I think it is maybe a bug.
>
> I also have a question: Where does the SQL query really happen? I
> couldn't figure it out :(
>
> I'm running in a FC3 with PostgreSQL 7.4.8 and the last stable release of
> freeRadius (Version 1.0.4).
>
> I'll appreciate any help you can give me.
>
> Miguel.

Miguel.

I didn't know they used freeRadius in Curramba. :)
Re: errors when compiling cvs version on Fedora Core 3
Ilia Chipitsine [EMAIL PROTECTED] wrote:
> I'm trying to compile cvs version of freeradius using attached spec file
> on Fedora Core 3 (with gcc4), what can cause the following error ?

The rlm_smb module isn't officially supported. I suggest using ntlm_auth, instead.

Alan DeKok.
Re: Custom Reply Attribute Ranges
Chey [EMAIL PROTECTED] wrote:
> I am using some custom attributes in my reply packet but I am a little
> confused. According to the /usr/local/share/freeradius/dictionary file it
> states that ranges 500-999 are server-side attributes which can go in the
> reply list.
        ^^^
> Based on my tests it seems the ranges for reply attributes is only 0-255.

The server-side attributes are ones used internally by FreeRADIUS. They do not go into packets.

> I guess my question is, what are the ranges I can use for custom
> attributes that FreeRadius will actually send in a reply?

You want to use vendor-specific attributes. See the dictionary.* files.

You do NOT want to define your own attributes with numbers 0-255. You will cause yourself no end of trouble.

> Depending on the answer to that question...Is there a problem with the
> documentation in the dictionary file?

No.

Alan DeKok.
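The wire format behind this answer (and behind the radiusclient problem earlier on this page, where pairs missing from dictionary.microsoft were dropped), as an added Python example that is not FreeRADIUS or radiusclient code: standard attributes carry a one-byte Type, so numbers such as 500-999 can never be sent, while a Vendor-Specific attribute (type 26, RFC 2865) carries a vendor's own attribute number inside it; the decoder keeps attributes it has no dictionary entry for instead of discarding them. The vendor id 99999 and vendor type 7 are constructed placeholders, not a real vendor.

```python
"""RADIUS attribute encoding/decoding per RFC 2865 (added example, not
FreeRADIUS code). Shows why attribute numbers above 255 cannot go on the
wire and how a Vendor-Specific attribute carries a private number instead."""
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 section 5.26
MAX_ATTR_TYPE = 255       # the Type field is a single byte
MAX_ATTR_VALUE = 253      # Length (1 byte) covers the 2-byte header too


def encode_attribute(attr_type, value):
    """Pack one standard attribute: Type(1) Length(1) Value(Length-2)."""
    if not 1 <= attr_type <= MAX_ATTR_TYPE:
        # 500-999 are server-side only in FreeRADIUS; they cannot be encoded.
        raise ValueError("attribute %d does not fit the one-byte Type field" % attr_type)
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("value too long for a single attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Pack a vendor attribute inside type 26: Vendor-Id(4) followed by the
    vendor's own Type(1) Length(1) Value sub-attribute."""
    if not 1 <= vendor_type <= MAX_ATTR_TYPE:
        raise ValueError("vendor type must be 1..255")
    if len(value) > MAX_ATTR_VALUE - 6:      # 4-byte vendor id + 2-byte sub-header
        raise ValueError("value too long for a single VSA")
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attributes(data):
    """Walk a packed attribute list and return (type, vendor_id, vendor_type,
    value) tuples; the vendor fields are None for standard attributes.
    Attributes with no dictionary entry are still returned, which is what a
    RADIUS client must do so that unknown pairs survive a round trip."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        i += length
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, sub_len = value[4], value[5]
            if sub_len == len(value) - 4:    # exactly one sub-attribute inside
                out.append((attr_type, vendor_id, vendor_type, value[6:]))
                continue
        out.append((attr_type, None, None, value))
    return out


if __name__ == "__main__":
    # Constructed reply: User-Name, Session-Timeout = 90, one placeholder VSA.
    packet = encode_attribute(1, b"ramses")
    packet += encode_attribute(27, struct.pack("!I", 90))
    packet += encode_vsa(99999, 7, b"gold")
    for item in decode_attributes(packet):
        print(item)
    try:
        encode_attribute(500, b"x")          # a server-side number: rejected
    except ValueError as err:
        print("cannot send:", err)
```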
LAN clients?
HI!

I have a simple question. Can I use Freeradius to authenticate LAN clients (Windows/Linux)? The clients are connected to an AP over LAN, that's in client mode, and this AP is connected by another AP (set in normal AP mode) to the Freeradius server. Is it possible?
Re: LAN clients?
Galát Bence [EMAIL PROTECTED] wrote:
> I have a simple question. Can I use Freeradius to authenticate Lan
> clients (Windows/Linux) ?

Do the clients ask for authentication?

Alan DeKok.
Re: LAN clients?
Galát Bence wrote:
> I have a simple question. Can I use Freeradius to authenticate Lan
> clients (Windows/Linux) ? The clients connected to an AP over Lan, that's
> in client mode, and this AP is connected by another AP (set in normal AP
> mode) to the Freeradius server. Is it possible?

You should be able to. The only question is whether the AP that is in the client mode will correctly pass EAP packets around. Try using WPA supplicant under Linux; just make sure you use the -D wired device as your network device.

Vladimir
how can i undo the effects of ./configure in the freeradius extracted directory
Hi,

I am not able to build freeradius successfully. I want to retry from the beginning as root user (starting from configure), since the errors I got are related to permission problems. I did make clean; but how shall I undo the effects of ./configure? Is there any command?

thanks,
meena
Re: Freeradius and eDirectory
Hi,

FreeRADIUS is trying to do SYSTEM authentication. For SYSTEM authentication to work you need to have a Unix user with the same userid found in the request (in this case jmuser). So let me know which authentication type you want to use.

If you want to use LDAP to authenticate your user, one simple solution will be to comment out the DEFAULT entry which is setting the Auth-Type to SYSTEM in the users file. The users file is in the raddb directory. There will be a couple of lines similar to the following. Just comment them.

    DEFAULT Auth-Type = System
            Fall-Through = 1

Also, the Universal Password is not read wrongly. Since System authentication fails, a bind with a wrong password is performed to trigger the intruder detection feature of eDirectory.

HTH.

Regards,
-Sayantan.

[EMAIL PROTECTED] 07/05/05 11:04 PM
> Thanks - that worked. I'm getting a TLS connect. Now I have a problem
> testing using radtest, using the following syntax:
>     radtest jmuser heath10er server13.samford.edu 199.20.16.13 testing123
> [...]
> Here's the attempted bind by the user. Note that the password presented
> is not heath10er but aeath10er and the bind fails.
>     rlm_ldap: starting TLS
>     rlm_ldap: bind as cn=jmuser,ou=RD,ou=New Users,o=DXMLTEMP/aeath10er to gwtemp.samford.edu:389
>     rlm_ldap: waiting for bind result ...
>     rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
>     rlm_ldap: eDirectory account policy check failed.
>     rlm_ldap: NDS error: failed authentication (-669)
> [...]
> It appears that the Universal Password is being misread. Can that be
> true? Full log is below.
> [...]