Re: AW: segmentation fault

2005-08-02 Thread vicky



First, you should create a new empty 'radius' database in MySQL and a login user with
permissions to that database. You could of course call the database and the
user anything you like but we'll stick to 'radius' for both for the purposes
of this discussion.

Next up, you need to create the schema for the database. There is a file
which describes this and is actually a SQL script file. It can be found at
/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql where you untar'd
FreeRadius. This is the bit that, at least at the time I originally wrote
these notes, wasn't really documented anywhere and was the thing most people
seemed to be asking. 


How you run that script is up to you and how you like to admin MySQL. The
easiest way is to: 

  mysql -uroot -prootpass radius < db_mysql.sql


...where 'root' and 'rootpass' are your mysql root name and password
respectively.


Uwe,

Thanks for your answer. About the empty database 'radius' I had already 
done that. This morning I ran the script 'db_mysql.sql' you talked 
about. Now I can see the tables in my database radius but I still have 
the same segmentation fault error. I have reconfigured, recompiled (with 
make clean) and reinstalled. That didn't help. Do you have any other ideas?


Thanks for your help,

--Vicky
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Accounting to db, duplicate entries (again)

2005-08-02 Thread Roger Kristiansen

Hi,

I'm having some problems with Alive messages that follow immediately 
after Start messages. Sometimes this causes two entries with the same 
acctuniqueid to be entered into the database, the only thing separating 
the two being a few hundredths of a second on the acctstarttime field. I 
find this behaviour rather annoying, and as I mentioned in an earlier 
mail, that was confirmed by Alan DeKok, it is caused by the following:


1) Receives a Start packet and inserts a new entry/session in the db
2) Receives Alive packet _immediately_ after the Start packet, and 
queries the database to see if the unique-session-id already exists.
3) The query doesn't return anything, since postgresql hasn't had time 
to complete the INSERT-query for the Start packet, and 
accounting_update_query_alt is thus run.


I'm not at all experienced with databases, but I was thinking I could 
lock the accounting table while inserting the Start message, so that the 
query in pnt. 2 could not be performed until the Insert in pnt. 1 is 
finished. Wouldn't this eliminate the problem in pnt. 3?


How does freeradius react to a situation like this.. does it keep trying 
to perform the SELECT query in 2 until it succeeds, or is the Alive 
packet just dropped?


If the latter is the case, does anyone here know if I can make 
postgresql queue requests that get blocked because of the lock? Anyone 
else had this problem, and if so, how did you get around it, if you got 
around it at all?


Any pointers would be highly appreciated :)

Regards,
Roger Kristiansen


Re: segmentation fault

2005-08-02 Thread Nicolas Baradakis
vicky wrote:

> Thanks for your answer. About the empty database 'radius' I had already 
> done that. This morning I ran the script 'db_mysql.sql' you talked 
> about. Now I can see the tables in my database radius but I still have 
> the same segmentation fault error. I have reconfigured, recompiled (with 
> make clean) and reinstalled. That didn't help. Do you have any other ideas?

Please post the gdb output. Follow the instructions at:
http://www.freeradius.org/radiusd/doc/bugs

-- 
Nicolas Baradakis



RE: mod_radius, apache2 and the auth cookie.

2005-08-02 Thread Palmer J.D.F.
Hi,

> As was pointed out, you'll get authentication dialogs for every gif
> jpg on the page.  This is a BAD idea.

The gifs etc are located in an unprotected directory, surely this prevents
from having to re-authenticate for each?

> > If I get a failed login, then try to login again it just uses cached
> > credentials and doesn't prompt for details, if I close and re-open the
> > browser it does then allow me to enter details.
>
> Then your browser is broken.

Firefox and Opera are also broken in that case. :-(

A bit of a dig around reveals this from the Apache site, which implies that
all browsers cache the credentials.
http://httpd.apache.org/docs/howto/auth.html#basicfaq  


Thanks,
Jezz Palmer.


Re: segmentation fault

2005-08-02 Thread vicky

Nicolas Baradakis wrote:

> vicky wrote:
>
> > Thanks for your answer. About the empty database 'radius' I had already 
> > done that. This morning I ran the script 'db_mysql.sql' you talked 
> > about. Now I can see the tables in my database radius but I still have 
> > the same segmentation fault error. I have reconfigured, recompiled (with 
> > make clean) and reinstalled. That didn't help. Do you have any other ideas?
>
> Please post the gdb output. Follow the instructions at:
> http://www.freeradius.org/radiusd/doc/bugs
 


Nicolas,

Here is the output of gdb. Thanks a lot for your help!

--Vicky

(gdb) run
Starting program: /opt/freeradius/sbin/radiusd -X
(no debugging symbols found)...[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 12678)]
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
 main: prefix = /opt/freeradius
 main: localstatedir = /opt/freeradius/var
 main: logdir = /opt/freeradius/var/log/radius
 main: libdir = /opt/freeradius/lib
 main: radacctdir = /opt/freeradius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /opt/freeradius/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /opt/freeradius/var/run/radiusd/radiusd.pid
 main: user = psaadm
 main: group = psaadm
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /opt/freeradius/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /opt/freeradius/lib
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /opt/freeradius/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded attr_rewrite
 attr_rewrite: attribute = User-Name
 attr_rewrite: searchfor = promo.*
 attr_rewrite: searchin = packet
 attr_rewrite: replacewith = %{User-Password}
 attr_rewrite: append = no
 attr_rewrite: ignore_case = no
 attr_rewrite: new_attribute = no
 attr_rewrite: max_matches = 10
Module: Instantiated attr_rewrite (attr_rewrite)
Module: Loaded preprocess
 preprocess: huntgroups = /opt/freeradius/etc/raddb/huntgroups
 preprocess: hints = /opt/freeradius/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = 
/opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = prefix
 realm: delimiter = /
 realm: ignore_default = yes
 realm: ignore_null = yes
Module: Instantiated realm (prefix)
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = yes
 realm: ignore_null = yes
Module: Instantiated realm (suffix)
Module: 

AW: segmentation fault

2005-08-02 Thread Uwe Driessen

 
> > Please post the gdb output. Follow the instructions at:
> > http://www.freeradius.org/radiusd/doc/bugs
>
> Nicolas,
>
> Here is the output of gdb. Thanks a lot for your help!
>
> --Vicky
 

Hello Vicky,
Look in your database that the user you have in your sql.conf has the right to
your database.

Make a new user Radius with a password and the rights select, insert, update on
the database Radius.
Put the data from this user in your sql.conf and test it too.
Check that your MySQL is running at the IP and port you say in the conf
(3330???) (I think that the port is not correct).

If that does not correct the problem, I think you have a compiler failure; there
are a lot of documents when you google about

mysql Program received signal SIGSEGV, Segmentation fault



Kind regards,
Drießen 
There's something in the air
www.feilbingert.net
Uwe Drießen
Software  Computer
Lembergstraße 33
67824 Feilbingert
Tel.: 06708 660045 Fax 06708 661397
www.edv-driessen.de

 




Re: segmentation fault

2005-08-02 Thread Nicolas Baradakis
vicky wrote:

> Nicolas,
>
> Here is the output of gdb. Thanks a lot for your help!

[...]

> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 16384 (LWP 12678)]
> 0x400633a2 in lt_dlsym (handle=0x8118398, symbol=0x8116698 "rlm_sql_mysql")
> at ltdl.c:3330
> 3330  lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)

It's bug #98. Please look at:
http://bugs.freeradius.org/show_bug.cgi?id=98

-- 
Nicolas Baradakis



// in user name ?

2005-08-02 Thread alfred hitch
Hi,


I asked this in the morning also, and am still looking for an answer.

My setup is very simple: winxp,- wireless router - free radius
PEAP - MSCHAPv2 ..


How am I supposed to configure free radius for clients with //  in
their user name ?
like by default it will send 
domainname//user-name


are // allowed ? if I just add user names like this, PEAP is failing ..

Anyone please guide this newbie.

Cheers,
Alfred



Session-Timeout zero value

2005-08-02 Thread Rashad Rustamoff
I'm wondering: is it correct to reject a user by setting the Session-Timeout attribute
to zero?
In case of our NAS it works fine.




Re: mod_radius, apache2 and the auth cookie.

2005-08-02 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 2, 2005 at 01:55 -0800 wrote:
> Hi,
>
> > As was pointed out, you'll get authentication dialogs for every gif
> > jpg on the page.  This is a BAD idea.
>
> The gifs etc are located in an unprotected directory, surely this prevents
> from having to re-authenticate for each?

In theory, yes.  However, this has been nixed by most browsers, in that
mixed content presents a security risk.  Your IE users will see a
message saying "This page contains both secure and non-secure items..." at
least on first connect, the FF users may not even get that -- I don't
recall what happens with mixed content in FF.

> > > If I get a failed login, then try to login again it just uses cached
> > > credentials and doesn't prompt for details, if I close and re-open the
> > > browser it does then allow me to enter details.
> >
> > Then your browser is broken.
>
> Firefox and Opera are also broken in that case. :-(
>
> A bit of a dig around reveals this from the Apache site, which implies
> that all browsers cache the credentials.
> http://httpd.apache.org/docs/howto/auth.html#basicfaq

It sounds to me like the server isn't sending the correct error code for
auth-failed, thus the browser thinks it's OK to use the old credentials.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: mod_radius, apache2 and the auth cookie.

2005-08-02 Thread Alan DeKok
Palmer J.D.F. [EMAIL PROTECTED] wrote:
> The gifs etc are located in an unprotected directory, surely this prevents
> from having to re-authenticate for each?

  Yes.

> A bit of a dig around reveals this from the Apache site, which implies that
> all browsers cache the credentials.
> http://httpd.apache.org/docs/howto/auth.html#basicfaq

  Well, that's changed since I wrote the module.  It's irritating as
heck, too.

  The only solution is to take a hint from mod_securid, and put the
username & password on an auto-generated HTML page, where the browser
won't cache them.

  That would involve a complete re-write of the module, though.

  Alan DeKok.



Re: // in user name ?

2005-08-02 Thread Alan DeKok
alfred hitch [EMAIL PROTECTED] wrote:
> How am I supposed to configure free radius for clients with //  in
> their user name ?

  You put the slash in the user name?

> are // allowed ?

  Yes.

>  if I just add user names like this, PEAP is failing ..

  Probably because the XP client is lying to the server.  It's known
to do that.

> like by default it will send 
> domainname//user-name

  XP?  I don't think so.  I think you mean domain\\username.

  Alan DeKok.


Re: VSA id's higher than 255

2005-08-02 Thread Alan DeKok
Fawaz Qamhawi [EMAIL PROTECTED] wrote:
> We are using freeradius 1.0.4 and having a problem with
> VSA id's higher than 255 (more than 8 bit).

  Hmm.. those aren't in the standard dictionaries that I can see.

> When one of the attributes above are sent back to the NAS, 
> it seems that radius is sending it as 8 bit thus interpreted as something
> else on the Lucent NAS.

  The code in src/lib/radius.c is responsible.  It should be checking
for attributes above 255, and discarding them.

> Any simple solution for that ?

  How are the attributes supposed to be encoded in the packet?  The
normal VSA's use one byte to represent vendor attributes.  Since 287
won't fit into one byte, something else has to be done here.

  Alan DeKok.



FreeRadius Authentication-Please help

2005-08-02 Thread Hamid Salim
I have a setup as follows:

FreeRadius 1.0.4
openssl .098
Dell TrueMobile 1170 Access Pointv2.3.3
802.11b/g cards for AP and supplicant
Windows XP SP2

FreeRadius is not authenticating, there are no messages on the screen 
or the logfile. The AP does not see the FreeRadius server!

I think this is a configuration issue outside of FreeRadius.

Has anyone had a similar problem?

Any help will be greatly appreciated as I have hit a wall here and I am 
on a deadline!

thanks
Hamid.


Re: Session-Timeout zero value

2005-08-02 Thread Alan DeKok
Rashad Rustamoff [EMAIL PROTECTED] wrote:
> I'm wondering: is it correct to reject a user by setting the Session-Timeout attribute
> to zero?

  No.

> In case of our NAS it works fine.

  That's blind luck.

  Alan DeKok.


Re: VSA id's higher than 255

2005-08-02 Thread Michael Lecuyer
Ascend (as Lucent) has been introducing tags with values higher than 256 
in the VSA's for a while (first message I saw where the problem of long 
tags was mentioned was from January 2004).  An example from their 
dictionary shows:


ATTRIBUTE   Ascend-MOH-Timeout  261 integer

The format for the long tag VSA is the same as the standard 
Vendor-Specific attribute (8 bit tag, 8 bit length) but the 
sub-attribute tag field has been expanded to 16 bits. The sub-attribute 
length field remains 8 bits.


All vendor specific attributes are coded using 16-bit attribute type in 
network byte order and Lucent-Vendor-Id (4846) as Vendor-Id.


  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |   Attr Type   |    Length     |           Vendor-Id
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |       Vendor-Id (cont)        |      Vendor Type (16-bit)     |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Vendor Length |  Vendor-value ...
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

I believe the support for long Vendor-Specific tags was discussed here 
in the past with limited interest in support.


It seems that this is on a NAS by NAS basis and only some of the VSA's 
are using the 16 bit tags. The solution seems to be to indicate that 
long tags are used by this NAS for particular vendors. Something like:


192.168.1.1 ... VendorLongTags=Ascend
- indicating that Ascend VSA's use long tags and all other VSA's (like 
Cisco) would be short. Ascend / Lucent VSA's do not always use long tag 
VSAs.


This introduction of long tags is a real wart for every RADIUS server. 
There are probably other ways to have avoided 16 bit tags. Naturally the 
offender is too big to ignore and arbitrarily forced the issue. Remember 
that in the past Ascend (pre-Lucent) grabbed unassigned RADIUS 
attributes (from 119 to 255) without thinking there might be a problem 
with that either.


Alan DeKok wrote:

> Fawaz Qamhawi [EMAIL PROTECTED] wrote:
>
> > Any simple solution for that ?
>
>   How are the attributes supposed to be encoded in the packet?  The
> normal VSA's use one byte to represent vendor attributes.  Since 287
> won't fit into one byte, something else has to be done here.
>
>   Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
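
The long-tag layout described in the message above, as an added example in C that is not FreeRADIUS code and not part of the thread: it encodes and decodes a Vendor-Specific attribute with a 16-bit vendor type for Lucent-Vendor-Id 4846 and a one-byte type for other vendors, and rejects inconsistent lengths or oversized ids instead of truncating them. The function names, the per-vendor width rule and the reading that Vendor Length counts the sub-attribute header are assumptions; the sample packet is constructed.

```c
/* Added example (not FreeRADIUS code): VSA with a per-vendor type width. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_VENDOR_SPECIFIC 26   /* RADIUS attribute number for a VSA */
#define VENDOR_LUCENT 4846      /* Lucent-Vendor-Id quoted in the message */
#define VSA_HDR 6               /* Attr Type + Length + 4-byte Vendor-Id */

struct vsa_sub {
    uint32_t vendor;
    uint16_t type;
    const uint8_t *value;       /* points into the caller's buffer */
    size_t value_len;
};

/* Assumed policy: Lucent uses a 2-byte vendor type, everyone else 1 byte. */
static size_t vsa_type_width(uint32_t vendor)
{
    return vendor == VENDOR_LUCENT ? 2 : 1;
}

/* Build one VSA carrying one sub-attribute; returns its length or -1. */
int vsa_encode(uint32_t vendor, uint16_t type, const uint8_t *val,
               size_t val_len, uint8_t *buf, size_t buflen)
{
    size_t tw = vsa_type_width(vendor);
    size_t sub_hdr = tw + 1;                 /* vendor type + Vendor Length */

    if (tw == 1 && type > 255) return -1;    /* refuse, never truncate to 8 bits */
    if (val_len > 255 - VSA_HDR - sub_hdr) return -1;  /* Length is one octet */
    size_t total = VSA_HDR + sub_hdr + val_len;
    if (total > buflen) return -1;

    uint8_t *p = buf;
    *p++ = PW_VENDOR_SPECIFIC;
    *p++ = (uint8_t)total;
    *p++ = (uint8_t)(vendor >> 24);
    *p++ = (uint8_t)(vendor >> 16);
    *p++ = (uint8_t)(vendor >> 8);
    *p++ = (uint8_t)vendor;
    if (tw == 2) *p++ = (uint8_t)(type >> 8);   /* network byte order */
    *p++ = (uint8_t)type;
    *p++ = (uint8_t)(sub_hdr + val_len);  /* assumed to count its own header */
    if (val_len) memcpy(p, val, val_len);
    return (int)total;
}

/* Decode every sub-attribute of one VSA; returns the count, or -1 when any
 * length is inconsistent, so the caller discards the attribute. */
int vsa_decode(const uint8_t *attr, size_t avail, struct vsa_sub *out, int max)
{
    if (avail < VSA_HDR || attr[0] != PW_VENDOR_SPECIFIC) return -1;
    size_t alen = attr[1];
    if (alen < VSA_HDR || alen > avail) return -1;

    uint32_t vendor = ((uint32_t)attr[2] << 24) | ((uint32_t)attr[3] << 16) |
                      ((uint32_t)attr[4] << 8) | (uint32_t)attr[5];
    size_t tw = vsa_type_width(vendor);
    const uint8_t *p = attr + VSA_HDR;
    size_t left = alen - VSA_HDR;
    int n = 0;

    while (left > 0) {
        if (left < tw + 1 || n == max) return -1;
        size_t slen = p[tw];                     /* Vendor Length */
        if (slen < tw + 1 || slen > left) return -1;
        out[n].vendor = vendor;
        out[n].type = (tw == 2) ? (uint16_t)((p[0] << 8) | p[1]) : p[0];
        out[n].value = p + tw + 1;
        out[n].value_len = slen - (tw + 1);
        n++;
        p += slen;
        left -= slen;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: Ascend-MOH-Timeout (261) with the value 30. */
    const uint8_t thirty[4] = {0, 0, 0, 30};
    uint8_t buf[64];
    struct vsa_sub sub[4];

    int len = vsa_encode(VENDOR_LUCENT, 261, thirty, sizeof thirty, buf, sizeof buf);
    for (int i = 0; i < len; i++) printf("%02x ", buf[i]);
    int n = vsa_decode(buf, (size_t)len, sub, 4);
    printf("\n%d sub-attribute(s), type %u\n", n, n > 0 ? (unsigned)sub[0].type : 0u);
    /* Vendor 9 (Cisco) has a one-byte type: 261 is refused, not sent as 5. */
    printf("one-byte vendor: %d\n",
           vsa_encode(9, 261, thirty, sizeof thirty, buf, sizeof buf));
    return 0;
}
```
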


Access-reject timeout

2005-08-02 Thread Patrice TCHERKEZIAN
Hi !,

I am experiencing a strange problem which has been appearing for some weeks.

All Access-Reject sent to my AC/AP by the radius server take a lot of time
to arrive and there is a timeout on my AC/AP.
This is very strange because all Access-Accept are well-received without any
timeout and any error by the AC/AP.
And, I test on my lan with Ntradping, and the same problem of timeout
appears after an Access-Reject.
But also, when I launch Freeradius on debug mode, there is no timeout and
all Access-Reject are well-received.

This is the configuration I use :
freeradius 1.0.3
database : Postgresql release 8.0.3
Access Controller/Access Point colubris(CN3200)

Thank you for your help.

Sincerely,
Patrice Tcherkezian


Below, a debug output with a successful connection :


rad_recv: Access-Request packet from host 192.168.10.60:2631, id=8,
length=48
User-Name = estelle
CHAP-Password = 0x438c4b60518a10782d6e01d0cf399bdc14
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = estelle, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
radius_xlat: 'estelle'
rlm_sql (sql): sql_set_user escaped user -- 'estelle'
radius_xlat: 'SELECT radcheck.id, radcheck.UserName, radcheck.Attribute,
radcheck.Value, radcheck.Op ??FROM radcheck , user ??WHERE
radcheck.Username = 'estelle' AND radcheck.Username = user.Username AND
user.state_account = 1 ??ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName,
??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM
radgroupcheck, usergroup ??WHERE usergroup.Username = 'estelle' AND
usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radreply
??WHERE Username = 'estelle' ??ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName,
radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM
radgroupreply,usergroup ??WHERE usergroup.Username = 'estelle' AND
usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [estelle] (from client postedario port 0)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'estelle'
rlm_sql (sql): sql_set_user escaped user -- 'estelle'
radius_xlat: 'INSERT into radpostauth (username, pass, reply,
authdate,mac_address,ip_user,hotspot_name) ??values ('estelle',
'Chap-Password', 'Access-Accept', NOW(),'', NULLIF('', '')::inet,'')'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (username,
pass, reply, authdate,mac_address,ip_user,hotspot_name) ??values ('estelle',
'Chap-Password', 'Access-Accept', NOW(),'', NULLIF('', '')::inet,'')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 3
modcall[post-auth]: module sql returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 8 to 192.168.10.60:2631
Session-Timeout := 4813
Idle-Timeout := 600
Framed-Protocol := PPP
Service-Type := Framed-User
Framed-MTU := 1500
Colubris-AVPair += use-access-list=visiteurs
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...


Below, a debug output with a refused connection :


rad_recv: Access-Request packet from host 192.168.10.60:2638, id=9,
length=46
User-Name = voila
CHAP-Password = 0x4f2988cb3ca0e0e7bfd22eea9dda72b19f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1

Re: Access-reject timeout

2005-08-02 Thread Alan DeKok
Patrice TCHERKEZIAN [EMAIL PROTECTED] wrote:
> All Access-Reject sent to my AC/AP by the radius server take a lot of time
> to arrive and there is a timeout on my AC/AP.

  Set reject_delay = 0

  Alan DeKok.


Using a database schema other than the one created by db_mysql.sql

2005-08-02 Thread Ana Bizarro
Hi,

We have a (mysql) database where we have usernames and passwords and I
recently installed freeradius on our server. I would like the freeradius
server to authenticate using the database but, obviously, our database
schema is completely different than the one created by db_mysql.sql.

All the documentation (and examples) I've seen so far mention the
db_mysql.sql script (even in the RADIUS book) and I was wondering, if it's
possible to use our own database, how do I tell RADIUS that uid in the
users table is the username and pwd is the password?
For the tables names, I'm assuming I can just change the sql.conf file and
replace whatever is inside   by our own table names
Like:
usergroup_table = usergroup
replace by
usergroup_table = users


Thanks,
-Ana



AW: Using a database schema other than the one created by db_mysql.sql

2005-08-02 Thread Uwe Driessen
> On behalf of Ana Bizarro
> Sent: Tuesday, 2 August 2005 22:35
> To: freeradius-users@lists.freeradius.org
> Subject: Using a database schema other than the one created 
> by db_mysql.sql
>
> Hi,
>
> We have a (mysql) database where we have usernames and 
> passwords and I recently installed freeradius on our server. 
> I would like the freeradius server to authenticate using the 
> database but, obviously, our database schema is completely 
> different than the one created by db_mysql.sql.
>
> All the documentation (and examples) I've seen so far mention 
> the db_mysql.sql script (even in the RADIUS book) and I was 
> wondering, if it's possible to use our own database, how do I 
> tell RADIUS that uid in the users table is the username and 
> pwd is the password?
> For the tables names, I'm assuming I can just change the 
> sql.conf file and replace whatever is inside   by our own 
> table names
> Like:
> usergroup_table = usergroup
> replace by
> usergroup_table = users
>
>
> Thanks,
> -Ana

And for all the others, you write the SQL statements for the table fields you
have.
For an update, like
Tablefield = '%s' for date and time in this field for the AcctstopTime and
so on. Where is the problem?
The statements in the sql.conf are pure SQL.

And the inserts likewise.

Kind regards,
Drießen 
There's something in the air
www.feilbingert.net
Uwe Drießen
Software  Computer
Lembergstraße 33
67824 Feilbingert
Tel.: 06708 660045 Fax 06708 661397
www.edv-driessen.de




Re: VSA id's higher than 255

2005-08-02 Thread Alan DeKok
Michael Lecuyer [EMAIL PROTECTED] wrote:
> The format for the long tag VSA is the same as the standard 
> Vendor-Specific attribute (8 bit tag, 8 bit length) but the 
> sub-attribute tag field has been expanded to 16 bits. The sub-attribute 
> length field remains 8 bits.

  That doesn't sound too bad.

> All vendor specific attributes are coded using 16-bit attribute type in 
> network byte order and Lucent-Vendor-Id (4846) as Vendor-Id.

  That makes it easier.

> I believe the support for long Vendor-Specific tags was discussed here 
> in the past with limited interest in support.

  It's about 40 lines of code to support.  The weirdness that I recall
was Nortel, which mixed normal VSA's, and USR-style VSA's in the same
vendor space.

> 192.168.1.1 ... VendorLongTags=Ascend
> - indicating that Ascend VSA's use long tags and all other VSA's (like 
> Cisco) would be short. Ascend / Lucent VSA's do not always use long tag 
> VSAs.

  If it's always that the Lucent attributes use 16-bit id's, it's OK.

> This introduction of long tags is a real wart for every RADIUS server. 
> There are probably other ways to have avoided 16 bit tags. Naturally the 
> offender is too big to ignore and arbitrarily forced the issue. Remember 
> that in the past Ascend (pre-Lucent) grabbed unassigned RADIUS 
> attributes (from 119 to 255) without thinking there might be a problem 
> with that either.

  Yup.

  I'll add something to the CVS head.  Grab a snapshot in a few days,
and see if it works.

  Alan DeKok.



Re: Accounting to db, duplicate entries (again)

2005-08-02 Thread Alan DeKok
Roger Kristiansen [EMAIL PROTECTED] wrote:
> I'm not at all experienced with databases, but I was thinking I could 
> lock the accounting table while inserting the Start message, so that the 
> query in pnt. 2 could not be performed until the Insert in pnt. 1 is 
> finished. Wouldn't this eliminate the problem in pnt. 3?

  It would slow the server down considerably.

  If you're willing to wait for SQL updates, you can use rlm_sql_log
in the CVS head.  It avoids these issues by post-processing the logs,
and not running the SQL statements in a live server.

  Alan DeKok.



Re: Using a database schema other than the one created by db_mysql.sql

2005-08-02 Thread Kevin Bonner
On Tuesday 02 August 2005 16:35, Ana Bizarro wrote:
> We have a (mysql) database where we have usernames and passwords and I
> recently installed freeradius on our server. I would like the freeradius
> server to authenticate using the database but, obviously, our database
> schema is completely different than the one created by db_mysql.sql.

If you can craft a query to return the proper rows, you shouldn't have a 
problem with your current schema.  Read doc/rlm_sql and the comments in 
sql.conf as they specify what should be returned by your SQL query.

Kevin Bonner



Re: huntgroups/groups with sql

2005-08-02 Thread Alan DeKok
Michel Jansens [EMAIL PROTECTED] wrote:
> Tried to add  'Fall-Through = Yes' to all 'radgroupcheck' entries, but it 
> didn't work.

  It works in the CVS head, and will be in 1.1.x and following versions.

  Alan DeKok.


dialadmin question

2005-08-02 Thread Carlo Paris
hi all,

can I use dialadmin to create users and authenticate them in a lan and exit
out the router??


LAN (many users) - router/fw --- internet
|
|
 freeradius
 server


thanks in advance.

damon



Re: // in user name ?

2005-08-02 Thread alfred hitch
yea I am sorry I mean \\ only ..

so how to work  past \\ ??

Alfred

On 8/2/05, Alan DeKok [EMAIL PROTECTED] wrote:
> alfred hitch [EMAIL PROTECTED] wrote:
> > How am I supposed to configure free radius for clients with //  in
> > their user name ?
>
>   You put the slash in the user name?
>
> > are // allowed ?
>
>   Yes.
>
> >  if I just add user names like this, PEAP is failing ..
>
>   Probably because the XP client is lying to the server.  It's known
> to do that.
>
> > like by default it will send
> > domainname//user-name
>
>   XP?  I don't think so.  I think you mean domain\\username.
>
>   Alan DeKok.

