Re: Authentication Responses during error conditions

2005-07-29 Thread Thor Spruyt
Doug Hardie wrote:
 I am a bit confused now.  I understood that if a module returns
 RLM_MODULE_FAIL that radiusd would not return an authorization
 reject.  However, it appears that it still does.

Have a look at doc/configurable-failover

-- 
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication Responses during error conditions

2005-07-29 Thread Thor Spruyt
Doug Hardie wrote:
 I am trying to get the Ascend NASs to switch to the secondary radius
 server when the primary has a failure condition.  I know that no
 response will cause that, but haven't been able to find any way to
 make the switch occur with the primary is not working properly.  Is
 there a particular value to send back that would cause the switch?

You should set up both your radius servers with 2 database backends in
failover, so that if one db is down, both radius servers can still handle
things.
If freeradius itself is down or the complete host is down, then the NAS
should switch to the other radius server.
Maybe your NAS can also do round-robin for load-balancing.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



Using RADIUS for content filtering.

2005-07-29 Thread Rohaizam Abu Bakar



Dear all,

I've given one assignment to create some sort of tunneling to cache server
(netcache) to do some content filtering when browsing.

There will be 2 cache-server. One passing all traffic  another one will do
content filtering..

When user subscribe to this service (for their children maybe)..  When user
doing authentication, what should i include in the profile for the traffic
to be diverted to cache server that do the filtering?

Is it possible to use below?  Or pls suggest suitable method..

Login-Service: TCP-Clear
Login-IP-Host: 10.1.1.1
Service-Type: Login-User
Login-TCP-Port: 80

I've heard about method L2TP tunnelling with ERX/SDX (juniper) .. But that
seems costly...

thanks..

--haizam






[ntlm_auth problem with peap] Some users are authenticated some are not

2005-07-29 Thread Ceyhun K�
Hi,

I've setup freeradius 1.0.4 for authenticating wireless users.
I use peap authentication with ntlm_auth.
Setup works fine for most of the users.
My ntlm auth command from radiusd.conf is as follows:
ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Some user's authentication is rejected with Logon failure (0xc06d) Error.
I tried Radius exec--program in command line, it didn't work either.
Same message ...

Problematic user's active directory authentication works fine for domain.
Perhaps it is a bug in ntlm_auth.

Any idea?



EAP-TTLS and PAP inner tunnel authentication

2005-07-29 Thread lists . mailing
Hi,

From a suggestion on the mailing list I plan on using EAP-TTLS and PAP inner
tunnel authentication.

The reason I'm going this route is because I want to authenticate against linux
user accounts and the password is encrypted in /etc/shadow so the ms-chap route
is no good since it can't work with encrypted passwords.

How do I configure free radius to work with EAP-TTLS and PAP inner tunnel
authentication, I wasn't able to find much on the net. I'm quite a fast learner
however.

Are there any sample config files for what I'm after?

Setting up the clients seems easy from here.
http://vuksan.com/linux/dot1x/wpa-client-config.html

Sura


dialup_admin CVS produces checkrad defunct

2005-07-29 Thread Muenz, Michael
Hi,

Yesterday I updated dialup_admin to the CVS version.
Most things work great, but my radiusd produces many
defunct processes now. Any ideas?

radius01:/usr/local/dialup_admin/bin# pstree
init-+-atd
[..]
 |-mysqld_safe---mysqld---mysqld---22*[mysqld]
 |-radiusd---radiusd-+-2*[radiusd---6*[checkrad]]
 |   |-radiusd---5*[checkrad]
 |   |-radiusd---10*[checkrad]
 |   `-radiusd---9*[checkrad]

radius01:/usr/local/dialup_admin/bin# ps ax
[...]
21874 ?Z  0:00 [checkrad defunct]
22080 ?Z  0:00 [checkrad defunct]
22335 ?Z  0:00 [checkrad defunct]
22501 ?Z  0:00 [checkrad defunct]
[...]

I have a second radius machine with an old CVS 
version (1.75) and there are no defunct's. FreeRadius
is running 1.0.4 on both machines, and use mysql 
for usermanagement.


Michael


RE: adding user-name to post-proxy logs

2005-07-29 Thread Tariq Rashid



Tariq Rashid [EMAIL PROTECTED] wrote:
 since the state must be maintained in the freeradius  proxy - is it
possible
 to add it to the logs so that troubleshooting is easier? currently i have
to
 match the timestamps.

  Which log are you talking about?

  Alan DeKok.

---

those that are at
$PREFIX/var/log/radius/radacct/1.2.3.4/post-proxy-detail-20050729 and
$PREFIX/var/log/radius/radacct/1.2.3.4/pre-proxy-detail-20050729 for example
- written by the following directives in radiusd.conf:

#  This module logs packets proxied to a home server.
#
#  You will also need to un-comment the 'pre_proxy_log' line
#  in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
    detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d

    #
    #  This MUST be 0600, otherwise anyone can read
    #  the users passwords!
    detailperm = 0600
}

#
#  This module logs response packets from a home server.
#
#  You will also need to un-comment the 'post_proxy_log' line
#  in the 'post-proxy' section, below.
#
detail post_proxy_log {
    detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d

    #
    #  This MUST be 0600, otherwise anyone can read
    #  the users passwords!
    detailperm = 0600
}
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
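
The "detailperm = 0600" comment in the configuration quoted above can be checked against what is actually on disk. The following is an added example, not part of the original post or of FreeRADIUS: the function names and the sample tree are constructed, and it assumes the ${radacctdir}/<client IP>/...detail-YYYYMMDD layout shown in the message.

```python
import os
import stat
import tempfile


def audit_detail_files(radacctdir, fix=False):
    """Find detail files that grant any access to group or other.

    Returns a sorted list of (path, mode) tuples, mode as a 4-digit octal
    string. With fix=True each offending file is also chmod'ed to 0600,
    the value the radiusd.conf comment requires.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(radacctdir):
        for name in filenames:
            # Matches detail-*, pre-proxy-detail-* and post-proxy-detail-*
            if "detail" not in name:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, FIFOs, sockets
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append((path, format(mode, "04o")))
                if fix:
                    os.chmod(path, 0o600)
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed radacct tree with one correct and two loose files."""
    sample = {
        ("1.2.3.4", "pre-proxy-detail-20050729"): 0o600,   # as configured
        ("1.2.3.4", "post-proxy-detail-20050729"): 0o644,  # world-readable
        ("5.6.7.8", "detail-20050729"): 0o640,             # group-readable
        ("5.6.7.8", "notes.txt"): 0o644,                   # not a detail file
    }
    for (client, name), mode in sample.items():
        os.makedirs(os.path.join(root, client), exist_ok=True)
        path = os.path.join(root, client, name)
        with open(path, "w") as fh:
            fh.write("User-Password = \"constructed-sample\"\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, mode in audit_detail_files(root, fix=True):
            print("tightened", mode, "->", "0600", os.path.relpath(path, root))
        print("remaining:", audit_detail_files(root))
```
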


Re: Freeradius + AP + Access Point Client

2005-07-29 Thread ManyX

Hi

Could you tell me something more about configuring this file
or some examples

thanks a lot

[EMAIL PROTECTED]


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, July 28, 2005 6:56 PM
Subject: Re: Freeradius + AP + Access Point Client



ManyX [EMAIL PROTECTED] wrote:

How can I authenticate my access point CLIENT to AP in freeradius ??


 raddb/clients.conf

 Alan DeKok.







Re: Using RADIUS for content filtering.

2005-07-29 Thread Thor Spruyt
This is completely NAS-specific, so read your NAS documentation to know what
attributes and values to return.

P.S.: try sending plain-text mail next time :)

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be

- Original Message -
From: Rohaizam Abu Bakar
To: freeradius-users@lists.freeradius.org
Sent: Friday, July 29, 2005 10:04 AM
Subject: Using RADIUS for content filtering.


Dear all,

I've given one assignment to create some sort of tunneling to cache server
(netcache) to do some content filtering when browsing.

There will be 2 cache-server. One passing all traffic  another one will do
content filtering..

When user subscribe to this service (for their children maybe)..  When user
doing authentication, what should i include in the profile for the traffic
to be diverted to cache server that do the filtering?

Is it possible to use below?  Or pls suggest suitable method..

Login-Service: TCP-Clear
Login-IP-Host: 10.1.1.1
Service-Type: Login-User
Login-TCP-Port: 80

I've heard about method L2TP tunnelling with ERX/SDX (juniper) .. But that
seems costly...

thanks..

--haizam










RE: ICRadius to FreeRadius Migration

2005-07-29 Thread Lucas Aimaretto
 I've been put in a situation in which I am forced to replace 
 our old icradius server. 

Hi. I also migrated from IC-Radius to Freeradius.

 I'm now stuck with the task of migrating our old 
 (mySQL) databases, as we have far too many users to re-enter 
 manually.

Just make sure you are using the right queries at the sql.conf for
authorization and accounting. You can have as many columns as you wish
in your tables and submit the queries in the way you want. Just make
sure you RETURN the required fields to freeradius: Id, Username,
Attribute, Value, Op. There is some logic in how Freeradius understands
the returned fields. Read doc/rlm_sql.

 Thanks in advance to any who reply; if nothing at all, it 
 will certainly be beneficial to the apparent lack of 
 documentation on these situations.

There is plenty of information out there. Just need to find it ;-)

Regards,

Lucas



Re: ICRadius to FreeRadius Migration

2005-07-29 Thread Karma Foxx
   Are you willing to say which columns, or do we have to guess?
 

No, actually I was asking if there was any general information
available. I can handle the finer details on my own, I was merely
saying how far I've gotten along :)

   FreeRADIUS includes documentation on how to configure it.  It
 doesn't include documentation on migrating from other radius server X,
 version Y, to FreeRADIUS.

That's exactly why I asked the list :)


 Just make sure you are using the right queries at the sql.conf for
 authorization and accounting. You can have as many columns as you wish
 in your tables and submit the queries in the way you want.

Good good, now I at least don't have to worry about how anal or not
freeradius is about table structure.

There is plenty of information out there. Just need to find it ;-)

That's the kicker ;) cheers!



access-challenge

2005-07-29 Thread Srinivasa Rao Chigurupati

Hi
1. Will FreeRadius challenge with access-challenge if auth-type is PAP?
If the answer is that it depends on some configuration, how do I configure it?

2. How does FreeRadius understand whether an incoming Radius access-request
   packet contains PAP authentication information, CHAP authentication
   information, MS-CHAP authentication information or other authentication
   information?


--
Thanks
Srinivasa Rao Chigurupati




Re: Simultaneous-Use Problem

2005-07-29 Thread Noah Dain
On 7/28/05, Jeremy Kenney [EMAIL PROTECTED] wrote:
 I have posted this twice now I was wondering if someone would be kind enough
 to possibly answer it
 
 Hello,
 
 I am a very frustrated free radius user at this point. It's most likely my
 brain not working right but here is my problem
 
 I have a free radius server that does authentication for our slipstream
 accelerator. The accelerator passes an attribute to the radius server and
 identifies the client into a group. This works fine. However I am having
 problems elsewhere; we currently want to use the same radius server to do
 dialup authentication. It currently is working to do this.
 
 We use freeradius with mysql. I am having problems with users dialing into
 the system more than once from more than one location at the same time, i.e.
 a simultaneous use problem. I cannot check against the NAS because we don't
 have our own NASes and are doing pass-thru radius authentication.
 
 I need to do some kind of simultaneous use checking I'm really frustrated
 can someone point me in the right direction.
 
 
 
 

this is a policy issue.   Radius servers contain and make available
policy configurations.  It is the job of the NAS to enforce policies
like this, as it's the NAS that controls the remote connection.



Re: EAP-TTLS and PAP inner tunnel authentication

2005-07-29 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
July 29, 2005 at 01:40 -0800 wrote:
From a suggestion on the mailing list I plan on using EAP-TTLS and PAP inner
tunnel authentication.

The reason I'm going this route is because I want to authenticate against linux
user accounts and the password is encrypted in /etc/shadow so the ms-chap route
is no good since it can't work with encrypted passwords.

How do I configure free radius to work with EAP-TTLS and PAP inner tunnel
authentication, I wasn't able to find much on the net. I'm quite a fast learner
however.

Hi Sura,

Just follow the config file comments for enabling TTLS and make it the
default EAP type.  

Just make sure you follow the instructions here:
http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html for making your
random and dh files -- I haven't seen this documented officially,
however I have seen other instructions that *broke* our certificate use.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



RE: Simultaneous-Use Problem

2005-07-29 Thread Jeremy Kenney
Yes but what I want is for the radius server to check the accounting logs
for a session already in progress and send an access reject if it's already
there

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah
Dain
Sent: Friday, July 29, 2005 11:00 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Simultaneous-Use Problem

On 7/28/05, Jeremy Kenney [EMAIL PROTECTED] wrote:
 I have posted this twice now I was wondering if someone would be kind enough
 to possibly answer it
 
 Hello,
 
 I am a very frustrated free radius user at this point. It's most likely my
 brain not working right but here is my problem
 
 I have a free radius server that does authentication for our slipstream
 accelerator. The accelerator passes an attribute to the radius server and
 identifies the client into a group. This works fine. However I am having
 problems elsewhere; we currently want to use the same radius server to do
 dialup authentication. It currently is working to do this.
 
 We use freeradius with mysql. I am having problems with users dialing into
 the system more than once from more than one location at the same time, i.e.
 a simultaneous use problem. I cannot check against the NAS because we don't
 have our own NASes and are doing pass-thru radius authentication.
 
 I need to do some kind of simultaneous use checking I'm really frustrated
 can someone point me in the right direction.
 
 
 
 

this is a policy issue.   Radius servers contain and make available
policy configurations.  It is the job of the NAS to enforce policies
like this, as it's the NAS that controls the remote connection.



Re: Simultaneous-Use Problem

2005-07-29 Thread Alan DeKok
Jeremy Kenney [EMAIL PROTECTED] wrote:
 Yes but what I want is for the radius server to check the accounting logs
 for a session already in progress and send an access reject if it's already
 there

  I responded to this yesterday.  Do you read the list?

  Read doc/Simultaneous-Use

  Alan DeKok.
  


Re: Disconnect-Request packet

2005-07-29 Thread Alan DeKok
[EMAIL PROTECTED] (Paul Hampson) wrote:
 This last point seems trivial until you try to proxy backwards
 through a chain you have only the last hop of, and the last hop
 doesn't necessarily know what the previous hop was.

  Exactly.  Coupled with the problem that the server is *supposed* to
validate the disconnect request by running it through the *proxying*
code, to see if it came FROM the site an Access-Request would have
been proxied TO.

  Yuck.

  Alan DeKok.



Re: newbie questions using freeradius as wifi access point

2005-07-29 Thread Alan DeKok
Will Carter [EMAIL PROTECTED] wrote:
 Is it correct to say that after I successfully execute the 2 commands above
 that I should have a set of code that I need to compile with configure,
 make, and make install?

  Yes.  This is *exactly* how 1.0.4 was created.  It's just a tar
file from that process.

  When I attempt this, I get a set of files but am not successful at
 compiling them.

  Are you willing to say what errors you're seeing?

  Alan DeKok.


Re: Authentication Responses during error conditions

2005-07-29 Thread Alan DeKok
Doug Hardie [EMAIL PROTECTED] wrote:
 I am trying to get the Ascend NASs to switch to the secondary radius  
 server when the primary has a failure condition.  I know that no  
 response will cause that, but haven't been able to find any way to  
 make the switch occur with the primary is not working properly.  Is  
 there a particular value to send back that would cause the switch?

  doc/configurable_failover.  Use rlm_always, and have it return
handled in the authorize section.  It may work.

  Then again, I think the server core always answers requests.  Fixing
that would require code changes.

  Alan DeKok.



Re: authenticate machine accounts with ntlm_auth

2005-07-29 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'm very frustrated now after spending a couple of weeks trying to get
 free radius to authenticate my Win2k machine accounts against active
 directory. :-(

  Sorry, blame Microsoft.  It isn't possible, but they don't make it
obvious that it's not possible.

 Alan, do you know of any way to get this working.  I have been assured
 that Funk can do this, have you any idea how Funk are doing it.  Funk
 costs too much.  Maybe I'm not allowed to ask such questions.

  Funk does it by running the radius server on the AD server.  At that
point, they can use *internal* Windows API's or hacks to get at the
data.  Since FreeRADIUS is running externally, it can't use those
API's, and thus won't work.

  FreeRADIUS *will* run on XP.  If someone were to write the necessary
code, you could run the server on XP, and do what Funk does.

  Alan DeKok.



Re: adding user-name to post-proxy logs

2005-07-29 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 those that are at
 $PREFIX/var/log/radius/radacct/1.2.3.4/post-proxy-detail-20050729 and
 $PREFIX/var/log/radius/radacct/1.2.3.4/pre-proxy-detail-20050729 for example

  Ah.  The reason the username isn't there is because it's not in the
packets.

  Alan DeKok.



Re: Freeradius + AP + Access Point Client

2005-07-29 Thread Alan DeKok
ManyX [EMAIL PROTECTED] wrote:
 Could you tell me something more about configuring this file
 or some examples

  Try reading the file.  It answers your questions.

  Alan DeKok.



Re: access-challenge

2005-07-29 Thread Alan DeKok
Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
 1. Will FreeRadius challenge with access-challenge if auth-type is PAP?

  No.  Read the RFC's for how PAP works.

 2. How does FreeRadius understand whether an incoming Radius access-request
 packet contains PAP authentication information, CHAP authentication
 information, MS-CHAP authentication information or other authentication
 information?

  It looks in the packets.

  Alan DeKok.


Re: Disconnect-Request packet

2005-07-29 Thread N White

Alan DeKok wrote:

[EMAIL PROTECTED] (Paul Hampson) wrote:

This last point seems trivial until you try to proxy backwards
through a chain you have only the last hop of, and the last hop
doesn't necessarily know what the previous hop was.

 Exactly.  Coupled with the problem that the server is *supposed* to
validate the disconnect request by running it through the *proxying*
code, to see if it came FROM the site an Access-Request would have
been proxied TO.

 Yuck.

 Alan DeKok.




 

I understand this now, and why it would be... as you put it yuck. Ha 
Ha! Well thanks for answering my question and explaining it to me. Looks 
like some custom scripting for me then. :-) My only problem now is going 
to be figuring out how to send disconnect packets to different types of 
server. Thanks for your help!


--
---
| Nick White  |
| Network Administrator   |
| Tele-NET Internet   |
| http://www.tele-net.net |
| [EMAIL PROTECTED] |
---



Re: Proxim AP-700 AcctUniqueId

2005-07-29 Thread Alan DeKok
Uwe Driessen [EMAIL PROTECTED] wrote:
 There missing the Framed-IP-Adress and the Acctsession-ID is the MAC from
 the Calling Station with this Information the Unique session Id is alway for
 this User the same and after a separation the Radius write in the same
 record.

  The packet you quoted is an Access-Request, and doesn't contain
Accounting-Session-Id.  The FreeRADIUS unique id doesn't apply here,
either.

  Alan DeKok.



Cisco WAP 1200 Accounting for 802.1X PEAP

2005-07-29 Thread Colleen Morrissey
I am having difficulty getting my Cisco APs (all 1230s) to send accounting
information regarding 802.1x PEAP authentications - stop/start info. Does anyone
have this working?  If so can you please post the AP config.


I currently have the following:
aaa accounting network eap_methods start-stop group rad_acct

I get radius accounting information for exec on the APs (people logging 
directly into the AP), but not for wireless authentications.

So I know I have the radius server and config setup correctly.

Thanks
Colleen



Limiting the number of connections

2005-07-29 Thread Jose Divino de Lima
Hi people,

I need your help.
We've a solution that uses SER authenticating, authorizing and accounting in a
freeRadius+mySQL.

I've a challenge now to limit the number of simultaneous connections (i.e.: we
can permit only ten connections at the same time).

Does anybody have any idea how to implement this in freeRadius+mySQL?

I imagine that I need to change the sql queries in sql.conf, but I'm not sure.

Any ideas ?


Tks,


Lima




Re: Limiting the number of connections

2005-07-29 Thread Marcin Jessa
On Fri, 29 Jul 2005 15:41:55 -0300
Jose Divino de Lima [EMAIL PROTECTED] wrote:

 Hi people,
 
 I need your help.
 We've a solution that uses SER authenticating, authorizing and accounting in a
 freeRadius+mySQL.
 
 I've a challenge now to limit the number of simultaneous connections (i.e.: we
 can permit only ten connections at the same time).
Totally or per account?


 Does anybody have any idea how to implement this in freeRadius+mySQL?
 
 I imagine that I need to change the sql queries in sql.conf, but I'm not
 sure.
 
 Any ideas ?
 
 
 Tks,
 
 
 Lima
 


RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
Please take a look here...
http://wcarter.webitects.com/freeRadiusDebug.html

This url outlines what I did and has links to the terminal output with each
command.

I executed these commands...
$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
$ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0 radiusd

now I have a radiusd folder with what seems like all the files I need to
compile.

executing this configure...
./configure --localstatedir=/var --sysconfdir=/etc \
    --with-mysql-include-dir=/usr/include/mysql \
    --with-mysql-lib-dir=/usr/lib/mysql --with-mysql-dir=/usr/bin/mysql \
    --with-experimental-modules
configure debug

make

make install



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, July 29, 2005 12:12 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 Is it correct to say that after I successfully execute the 2 commands
above
 that I should have a set of code that I need to compile with configure,
 make, and make install?

  Yes.  This is *exactly* how 1.0.4 was created.  It's just a tar
file from that process.

  When I attempt this, I get a set of files but am not successful at
 compiling them.

  Are you willing to say what errors you're seeing?

  Alan DeKok.


Problems with Simultaneous-Use

2005-07-29 Thread jck-freeradius

Hello,

I am having problems with Simultaneous-Use and checkrad.  I know that
checkrad is not running because:

grep debug /usr/local/sbin/checkrad 
#   Config: $debug is the file you want to put debug messages in
#$debug = ;
$debug  = $logdir/checkrad.log;


and:

--
tail -F /var/log/radius/checkrad.log



Fri Jul 29 12:57:30 2005 checkrad 
Usage: checkrad nas_type nas_ip nas_port login session_id









--
(nothing new is showing up in the checkrad log file, except for when I
run it by hand)


I have both the Perl SNMP modules installed, along with NET-SNMP (and
the correct syntax for NET used in the checkrad script, even though
it should be using the perl modules first).

I am able to manually use snmpwalk /fine/.







Here is how my SQL table looks:

mysql> select * from radgroupcheck;
+----+------------+------------------+----+-------+
| id | GroupName  | Attribute        | op | Value |
+----+------------+------------------+----+-------+
|  1 | pirate     | Simultaneous-Use | := | 2     |
|  2 | pirate-stu | Simultaneous-Use | := | 2     |
|  3 | pirate-stf | Simultaneous-Use | := | 2     |
|  4 | pirate-fac | Simultaneous-Use | := | 2     |
|  5 | pirate-its | Simultaneous-Use | := | 1     |
+----+------------+------------------+----+-------+

Here are the related sections from my radiusd.conf file:

radutmp {
#  Where the file is stored.  It's not a log file,
#  so it doesn't need rotating.
#
filename = ${logdir}/radutmp

#  The field in the packet to key on for the
#  'user' name,  If you have other fields which you want
#  to use to key on to control Simultaneous-Use,
#  then you can use them here.
#
#  Note, however, that the size of the field in the
#  'utmp' data structure is small, around 32
#  characters, so that will limit the possible choices
#  of keys.
#
#  You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}


#  Whether or not we want to treat user the same
#  as USER, or User.  Some systems have problems
#  with case sensitivity, so this should be set to
#  'no' to enable the comparisons of the key attribute
#  to be case insensitive.
#
case_sensitive = yes

#  Accounting information may be lost, so the user MAY
#  have logged off of the NAS, but we haven't noticed.
#  If so, we can verify this information with the NAS,
#
#  If we want to believe the 'utmp' file, then this
#  configuration entry can be set to 'no'.
#
check_with_nas = yes

# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600

#   callerid = yes
}

#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There is little we can do about it.
radutmp
#   sradutmp

#
#  Log traffic to an SQL database.
#
#  See Accounting queries in sql.conf
sql

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#radutmp

#
#  See Simultaneous Use Checking Querie in sql.conf
sql
}






And here is my sql.conf file:

# Simultaneous Use Checking Queries
###
# simul_count_query  - query for the number of current connections
#                    - If this is not defined, no simultaneous use checking
#                    - will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
#                    - Leave blank or commented out to disable verification step
#                    - Note that the returned field order should not be changed.
###

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"





Here is how my 

Re: newbie questions using freeradius as wifi access point

2005-07-29 Thread Alan DeKok
Will Carter [EMAIL PROTECTED] wrote:
 Please take a look here...
 http://wcarter.webitects.com/freeRadiusDebug.html
 
 This url outlines what I did and has links to the terminal output with each
 command.

  Which doesn't show any errors or problems.

  So... I'm not sure what to tell you.

  Alan DeKok.


RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
Hmmm...looked at it again. In my terminal I see errors/warnings that are not
appearing in the txt file when I do something like...

make > configure.txt

How do I get the error/warning messages to appear in the text file?

-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, July 29, 2005 4:02 PM
To: FreeRadius users mailing list
Subject: Re: newbie questions using freeradius as wifi access point 

Will Carter [EMAIL PROTECTED] wrote:
 Please take a look here...
 http://wcarter.webitects.com/freeRadiusDebug.html
 
 This url outlines what I did and has links to the terminal output with
each
 command.

  Which doesn't show any errors or problems.

  So... I'm not sure what to tell you.

  Alan DeKok.


RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
doesn't start. There are no files in my /etc/raddb at this point.
-will

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Julius
Igugu
Sent: Friday, July 29, 2005 4:27 PM
To: FreeRadius users mailing list
Subject: RE: newbie questions using freeradius as wifi access point 

I think you have succesfully compiled and installed FreeRADIUS.

Try, radiusd -X

--- Will Carter [EMAIL PROTECTED] wrote:

> Please take a look here...
> http://wcarter.webitects.com/freeRadiusDebug.html
>
> This url outlines what I did and has links to the terminal output with each
> command.
>
> I executed these commands...
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source co -r release_1_0
> radiusd
>
> now I have a radiusd folder with what seems like all the files I need to
> compile.
>
> executing this configure...
> ./configure --localstatedir=/var --sysconfdir=/etc
> --with-mysql-include-dir=/usr/include/mysql
> --with-mysql-lib-dir=/usr/lib/mysql --with-mysql-dir=/usr/bin/mysql
> --with-experimental-modules
> configure debug
>
> make
>
> make install
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Friday, July 29, 2005 12:12 PM
> To: FreeRadius users mailing list
> Subject: Re: newbie questions using freeradius as wifi access point
>
> Will Carter [EMAIL PROTECTED] wrote:
> > Is it correct to say that after I successfully execute the 2 commands above
> > that I should have a set of code that I need to compile with configure,
> > make, and make install?
>
>   Yes.  This is *exactly* how 1.0.4 was created.  It's just a tar
> file from that process.
>
> > When I attempt this, I get a set of files but am not successful at
> > compiling them.
>
>   Are you willing to say what errors you're seeing?
>
>   Alan DeKok.


Julius Igugu
SouthWork Co. Ltd.






Re: newbie questions using freeradius as wifi access point

2005-07-29 Thread Alan DeKok
Will Carter [EMAIL PROTECTED] wrote:
> doesn't start. There are no files in my /etc/raddb at this point.

  Then the build and/or make install failed.

$ script log.txt
$ configure 
$ make
$ make install

  If you see errors at any point DO NOT go to the next step.  You
should be able to post a summary of the errors in a message to the
list.

  Alan DeKok.



AW: Proxim AP-700 AcctUniqueId

2005-07-29 Thread Uwe Driessen
> Uwe Driessen [EMAIL PROTECTED] wrote:
> > There missing the Framed-IP-Address and the Acctsession-ID is the MAC
> > from the Calling Station with this Information the Unique session Id
> > is always for this User the same and after a separation the Radius
> > write in the same record.
>
>   The packet you quoted is an Access-Request, and doesn't
> contain Accounting-Session-Id.  The FreeRADIUS unique id
> doesn't apply here, either.
>
>   Alan DeKok.

My problem is that there is no Acct-Session-Id coming from the AP700.
As Acct-Session-Id this AP sends the MAC of the client, with no counter or other
unique value for this session.
I quoted a Start and an Alive packet as Radius -X prints them on the screen.

Is there anyone who has an AP-700 in a hotspot with accounting? Can anyone tell
me what I can do to use this AP as a hotspot? From Proxim I get the answer that
there is no unique Acct-Session-Id and no Framed-IP-Address to deliver from the AP
to Radius.
I thought I could generate the Acct-Unique-Id with MySQL and select before the
update writes to the table.
How can I do 2 SQL statements in one Radius function to do so?
Thanks for the answers.
Kind regards,
Uwe Drießen

 




RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
I am not sure what I am looking for but it appears something is going wrong
after the make command. I did not continue to make install.

These happen after .configure...

configure: WARNING: FAILURE: rlm_eap_peap requires:  OpenSSL.
configure: WARNING: FAILURE: rlm_eap_tls requires:  OpenSSL.
configure: WARNING: FAILURE: rlm_eap_ttls requires:  OpenSSL.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.

This is at the very end after the make command
gmake[4]: *** [client.o] Error 1
gmake[4]: Leaving directory `/root/radiusd/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/radiusd/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/radiusd/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/radiusd'
make: *** [all] Error 2

the full log is here:
http://wcarter.webitects.com/log.txt

from ./configure ...
to
make

I very much appreciate your help!

-will



Re: newbie questions using freeradius as wifi access point

2005-07-29 Thread Alan DeKok
Will Carter [EMAIL PROTECTED] wrote:
> This is at the very end after the make command
> gmake[4]: *** [client.o] Error 1
> gmake[4]: Leaving directory `/root/radiusd/src/main'
> gmake[3]: *** [common] Error 2

  The real errors are above that.

> the full log is here:
> http://wcarter.webitects.com/log.txt

  You appear to NOT have followed the instructions.  You have a copy
of the latest CVS version, not the release_1_0 branch.

  I've fixed a minor problem in the CVS head, but that doesn't solve
the problem that you haven't followed directions.

  Alan DeKok.
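
The two pieces of advice in this thread (log every build step and stop at the first failure; the real error sits above make's cascading `*** Error` lines) can be scripted as below. This is an added example, not code from the thread or from FreeRADIUS: the function names `run_steps`, `first_real_error` and `sample_log` are hypothetical, and the sample log, including its compiler line, is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# run_steps LOG CMD...: run each command string in order, append stdout AND
# stderr to LOG, and stop at the first step that fails.
run_steps() {
    log=$1; shift
    : > "$log"
    for step in "$@"; do
        printf '### %s\n' "$step" >> "$log"
        # 2>&1 is the important part: compiler warnings and errors go to
        # stderr, which a plain "> file" redirect leaves on the terminal.
        if ! sh -c "$step" >> "$log" 2>&1; then
            printf '### FAILED: %s\n' "$step" >> "$log"
            return 1
        fi
    done
}

# first_real_error LOG: print "lineno:text" for the first line containing the
# word "error" that is not one of make's "*** [target] Error N" summaries.
first_real_error() {
    grep -n -i -w 'error' "$1" |
        grep -v -E '^[0-9]+:g?make(\[[0-9]+\])?: \*\*\*' |
        head -n 1
}

# Constructed sample log: the gmake lines follow the shape quoted in the
# thread; the compiler line is a placeholder, not the real message.
sample_log() {
    cat <<'EOF'
checking for strerror... yes
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
gcc -c client.c
client.c:0: error: constructed placeholder for the compiler message
gmake[4]: *** [client.o] Error 1
gmake[4]: Leaving directory `/root/radiusd/src/main'
gmake[3]: *** [common] Error 2
make: *** [all] Error 2
EOF
}

demo_log=$(mktemp)
sample_log > "$demo_log"
first_real_error "$demo_log"
rm -f "$demo_log"
```

On a real source tree the call would be `run_steps log.txt './configure' 'make' 'make install' || first_real_error log.txt`, which never reaches `make install` after a failed `make`.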



Re: AW: Proxim AP-700 AcctUniqueId

2005-07-29 Thread Alan DeKok
Uwe Driessen [EMAIL PROTECTED] wrote:
> My problem is that there is no Acct-Session-Id coming from the AP700.

  Acct-Session-Id's are not sent in Access-Request packets.

> As Acct-Session-Id this AP sends the MAC of the client, with no counter or other
> unique value for this session.

  Then you're stuck.

  Alan DeKok.


RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
You are absolutely right, I was careless to overlook the cvs
command...stupid.

Anyways, I was successful at compiling the release_1_0 branch and I can
run that version of the freeradius server now.

BUT, my problem still remains, as is discussed here:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/044785.html

It seems that there is no rlm_expiration module in the version that I just
got: cvs release_1_0 branch.

I looked in /radiusd/src/modules and don't see it.

Does this sound correct? If so, how can I get a build that will compile and
has the rlm_expiration module?

Thanks again.
-will



Re: newbie questions using freeradius as wifi access point

2005-07-29 Thread Alan DeKok
Will Carter [EMAIL PROTECTED] wrote:
> It seems that there is no rlm_expiration module in the version that I just
> got: cvs release_1_0 branch.

 That's because it doesn't exist in that branch.  The server core
supplies that functionality.

  Alan DeKok.



RE: newbie questions using freeradius as wifi access point

2005-07-29 Thread Will Carter
Hmm...I am trying hard to understand, but am not doing so well. 

Can you give me another hint as to how I can get the rlm_expiration
functionality?

Here's a question. when I visit:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/
I see a rlm_expiration module
Do I somehow get it from there?

Hmm... and if I visit here...
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_expiration/
I see that this was added like six weeks ago.

-will
