RE: loading files to oracle
where I can deny access to a user when he has used more than a specific amount of bandwidth in a month (from the 1st to the last day of the month). rlm_sqlcounter seems to be what I need. I have configured it as I think it should be, but when I go into debug mode the values seem to get changed at some point. Here is my sqlcounter.conf file:

+++
sqlcounter monthlycounter {
    counter-name = Max-Bytes
    check-name = Max-Bytes
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    Reply-Message = "You have reached your bandwidth cap for this Month"
    query = "SELECT sum(AcctOutputOctets) + sum(AcctInputOctets) FROM radacct where UserName = '%{%k}'"
}
+++

In my radiusd.conf my authorize section is as follows:

+++
authorize {
    preprocess
    chap
    mschap
    suffix
    sql
    monthlycounter
}
+++

When I am in debug mode I get the following:

+++
Thu Nov 10 00:17:41 2005 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Thu Nov 10 00:17:41 2005 : Debug: rlm_sql_mysql: query: SELECT sum(AcctOutputOctets) + sum(AcctInputOctets) FROM radacct where UserName = '[EMAIL PROTECTED]'
Thu Nov 10 00:17:41 2005 : Debug: rlm_sql (sql): - sql_xlat finished
Thu Nov 10 00:17:41 2005 : Debug: rlm_sql (sql): Released sql socket id: 4
Thu Nov 10 00:17:41 2005 : Debug: radius_xlat: '9628587663'
Thu Nov 10 00:17:41 2005 : Debug: rlm_sqlcounter: (Check item - counter) is greater than zero
Thu Nov 10 00:17:41 2005 : Debug: rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=-1073741824, counter=2147483647
Thu Nov 10 00:17:41 2005 : Debug: rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED], Type=Session-Timeout, value=1
Thu Nov 10 00:17:41 2005 : Debug: modsingle[authorize]: returned from monthlycounter (rlm_sqlcounter) for request 2
+++

Why the altered negative number in the check_item? Is radius_xlat doing something? Do I need to put Max-Bytes in one of the dictionary files? The example in experimental.conf did not mention anything about adding attributes, so I assumed not. Also the counter=2147483647 is not the value I have in the database for that user... I am missing something here :-)

Thanks for any help
Martin

--

Message: 10
Date: Thu, 10 Nov 2005 08:24:16 +0300
From: Eyas Sarabi [EMAIL PROTECTED]
Subject: Problem with loading files from free radius
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Hi All;
I faced a major problem. My hard disk was corrupted and FreeRADIUS wasn't able to write to the database. I still have the files generated by FreeRADIUS and I want to load them into the database. Is there any tool that can load the generated files into an Oracle database?
Regards,
Eyas

-- next part --
An HTML attachment was scrubbed...
URL: https://list.xs4all.nl/pipermail/freeradius-users/attachments/20051110/cbc29384/attachment.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 7, Issue 31
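The arithmetic behind Martin's debug output can be reproduced outside the server. The example below is added here and is not code from the list post or from the FreeRADIUS project: it computes the monthly total that his query expresses (input plus output octets for one user, 1st to last day of the month) over a constructed stand-in for the radacct table, and shows what the same numbers look like when squeezed through a 32-bit signed integer. The radacct rows and the 3 GiB cap are assumptions chosen so that the numbers line up with the debug lines above; the 32-bit wrap is offered as an explanation consistent with those lines, not as a description of rlm_sqlcounter internals.

```python
# Added example: monthly byte cap computed in arbitrary-precision arithmetic,
# next to the 32-bit behaviour that turns 3 GiB into -1073741824 and clamps
# 9628587663 to 2147483647. Not FreeRADIUS code; the rows are constructed.
import calendar
import datetime as dt

# Constructed stand-in for the radacct table (not real accounting data):
# (UserName, AcctStartTime, AcctInputOctets, AcctOutputOctets)
RADACCT = [
    ("martin@example.test", "2005-10-31 23:50:00",   700_000_000,   900_000_000),
    ("martin@example.test", "2005-11-02 08:15:00", 2_000_000_000, 3_000_000_000),
    ("martin@example.test", "2005-11-09 19:00:00", 1_628_587_663, 3_000_000_000),
    ("other@example.test",  "2005-11-05 12:00:00",            10,            20),
]

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def _ts(text):
    return dt.datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def month_window(now):
    """First and last second of the month containing `now` (the 'reset = monthly' period)."""
    now = _ts(now)
    start = now.replace(day=1, hour=0, minute=0, second=0)
    last_day = calendar.monthrange(now.year, now.month)[1]
    end = start.replace(day=last_day, hour=23, minute=59, second=59)
    return start, end


def monthly_octets(rows, username, now):
    """sum(AcctInputOctets) + sum(AcctOutputOctets) for one user, this month only."""
    start, end = month_window(now)
    return sum(i + o for user, started, i, o in rows
               if user == username and start <= _ts(started) <= end)


def to_int32(value):
    """What a C 'int' holds after the value is stored into it (two's-complement wrap)."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def saturate_long32(value):
    """strtol()-style clamp on a platform whose 'long' is 32 bits wide."""
    return max(INT32_MIN, min(INT32_MAX, value))


def check_cap(rows, username, cap_bytes, now):
    """Cap check done in Python integers, which do not overflow: (allowed, bytes_used)."""
    used = monthly_octets(rows, username, now)
    return used < cap_bytes, used


if __name__ == "__main__":
    now = "2005-11-10 00:17:41"
    used = monthly_octets(RADACCT, "martin@example.test", now)
    print("used this month:", used)                          # 9628587663, as in the debug output
    print("3 GiB cap as int32:", to_int32(3 * 1024**3))      # -1073741824
    print("counter as 32-bit long:", saturate_long32(used))  # 2147483647
```

Two things follow from running it. A 3 GiB cap (3221225472 bytes) stored in a 32-bit int is exactly the -1073741824 in the check_item, and a 9628587663-byte total clamped to a 32-bit long is exactly the 2147483647 counter, so any per-user cap above 2 GiB needs 64-bit arithmetic end to end. Separately, the query as posted has no date restriction, so it sums the user's entire history rather than the current month; rlm_sqlcounter expands `%b` and `%e` to the start and end of the reset period for use in the query's WHERE clause.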
Re: PEAP MS_CHAP V2: problem with tunnel attributes on enterasys V2 switch
Hello,

I run my FreeRADIUS in debug mode. I put a sniffer between the FreeRADIUS server and the Novell server (users LDAP base). I don't have a users file because the users base is on the Novell server. I set the tunnel AVs on each user with the eDirectory tool of the Novell server (v6.5). In debug mode and with the sniffer, I see the filter_id attributes but not the tunnel attributes. Authentication with filter_id attributes works but not with the tunnel attributes. Is it necessary to activate or configure something on FreeRADIUS to use tunnel parameters ???

Best regards
Stephane

Selon Zoltan A. Ori [EMAIL PROTECTED]:
> On Wednesday 02 November 2005 04:50, you wrote:
> > It wasn't a problem to configure EAP-PEAP with the freeradius server (running on suse) and Enterasys switches. I want to implement VLAN assignment at an Enterasys switch. Any tips ?? Is it necessary to activate or configure something on FreeRADIUS to use tunnel parameters ???
>
> If you have the tunnel AVs set in your users file as replies, FreeRADIUS will send them. Run in debug mode to see.
>
> Zoltan Ori
Solaris 10 (SPARC 64bit) - problems installing freeradius 1.0.5
hi all ... I'm trying to install freeradius-1.0.5 on a Sun Ultra E220 (2x450MHz UltraSPARC II), OS: Solaris 10 (SPARC 64bit), since three days without success. I've read for many hours in different newsgroups, mailing lists and manuals / howtos, but no way. Now I hope someone else already has freeradius running successfully on Solaris 10 - SPARC architecture and can tell me what's wrong. I've attached the configure.log to this email (hope this works in mailing lists ???).

Here is my environment:

uname -a:
    SunOS r220 5.10 Generic sun4u sparc SUNW,Ultra-60
$CC
    /usr/local/bin/gcc
$LD_LIBRARY_PATH
    /usr/sfw/lib/sparcv9/:/lib/sparcv9/:/usr/sfw/lib/:/lib:/usr/lib:/usr/local/lib:/usr/local/X11/lib:/usr/dt/lib:/usr/openwin/lib
$PATH
    /usr/sbin:/usr/bin:/opt/sfw/bin/:/usr/sfw/bin:/usr/sfw/sbin/:/opt/sfw/sbin/:/sbin/:/usr/sbin/:/usr/ccs/bin/:/usr/local/bin:/usr/local/sbin:/opt/sfw/bin/:/usr/sfw/bin
pkginfo | grep gcc
    utility GNUgcc         GNU gcc 3.4.4 SPARC 64bit Solaris 10 (installed in /usr/local)
    system  SUNWgcc        gcc - The GNU C compiler
    system  SUNWgccruntime GCC Runtime libraries
/usr/local/bin/gcc -v
    read specs from /usr/local/lib/gcc/sparc64-sun-solaris2.10/3.4.4/specs
    configured with: /var/tmp/gcc-3.4.4/configure --prefix=/usr/local --host=sparc64-sun-solaris2.10 --enable-threads=posix --with-gxx-include-dir=/usr/local/include/g++ --with-system-zlib --enable-shared --with-ld=/usr/ccs/bin/ld --without-gnu-ld
    Thread-Modell: posix
    gcc-Version 3.4.4

MY PROBLEM:

./configure --localstatedir=/var/ --sysconfdir=/etc/ --with-openssl-includes=/usr/sfw/include/openssl/ --with-openssl-libraries=/usr/lib/sparcv9/

produces these warnings:

##
configure: warning: the comm_err library isn't found!
configure: warning: silently not building rlm_krb5.
configure: warning: FAILURE: rlm_krb5 requires: krb5.
configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires: libldap_r.
configure: warning: iodbc headers not found. Use --with-iodbc-include-dir=path.
configure: warning: sql submodule 'iodbc' disabled
configure: warning: silently not building rlm_sql_postgresql.
configure: warning: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: warning: oracle headers not found. Use --with-oracle-home-dir=path.
configure: warning: sql submodule 'oracle' disabled
configure: warning: unixODBC headers not found. Use --with-unixodbc-include-dir=path.
configure: warning: sql submodule 'unixodbc' disabled
###

but finishes successfully. ./make crashes with the following errors:
!I've translated some lines because I use a German console!

. . .
creating radiusd
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I/usr/sfw/include/openssl/ -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../include -DHOSTINFO=\\ -DRADIUSD_VERSION=\1.0.5\ -c radwho.c
gcc -L../lib -o radwho radwho.o util.o log.o conffile.o -L/usr/lib/sparcv9/ -lssl -L/usr/lib/sparcv9/ -lcrypto -lnsl -lresolv -lsocket -lposix4 -lpthread -lradius -lcrypt
undefined     referenced for first time
Symbol        in file
MD5Init       ../lib/libradius.a(radius.o)  (symbol is part of implicit dependency /lib/libmd5.so.1)
MD5Final      ../lib/libradius.a(radius.o)  (Symbol gehört zu impliziter Abhängigkeit /lib/libmd5.so.1)
MD5Update     ../lib/libradius.a(radius.o)  (Symbol gehört zu impliziter Abhängigkeit /lib/libmd5.so.1)
ld: Fatal Error: symbol referencing error. No output in radwho written.
collect2: ld returned 1 exit status
gmake[4]: *** [radwho] Error 1
gmake[4]: Leaving directory `/opt/sfw/freeradius-1.0.5/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/opt/sfw/freeradius-1.0.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/opt/sfw/freeradius-1.0.5/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/opt/sfw/freeradius-1.0.5'
make: *** [all] Error 2
###

Now, I'm not sure whether it is a compiler problem, a processor problem (64 bit / big/little endian) or, I don't think so, a freeradius problem. Great thanks to all for any
compile problem on solaris express nv23 x86
doing a configure

./configure --prefix=/opt/freeradius-snapshot-20051110 --with-openssl-includes=/usr/sfw/include/openssl --with-openssl-libraries=/usr/sfw/lib

using the 20051110 snapshot - I still don't get a compile. Having said that, this is much better than 1.0.2 and 1.0.5. Any ideas? Solaris Express x86 nv23 DOES have the appropriate libraries and tools installed - openssl, gmake etc.

gmake gives:

hmac.c: In function `lrad_hmac_md5':
hmac.c:47: error: `lrad_MD5_CTX' undeclared (first use in this function)
hmac.c:47: error: (Each undeclared identifier is reported only once
hmac.c:47: error: for each function it appears in.)
hmac.c:47: error: syntax error before context
hmac.c:59: error: syntax error before tctx
hmac.c:61: warning: implicit declaration of function `lrad_MD5Init'
hmac.c:61: warning: nested extern declaration of `lrad_MD5Init'
hmac.c:61: error: `tctx' undeclared (first use in this function)
hmac.c:62: warning: implicit declaration of function `lrad_MD5Update'
hmac.c:62: warning: nested extern declaration of `lrad_MD5Update'
hmac.c:63: warning: implicit declaration of function `lrad_MD5Final'
hmac.c:63: warning: nested extern declaration of `lrad_MD5Final'
hmac.c:95: warning: nested extern declaration of `lrad_MD5Init'
hmac.c:61: warning: redundant redeclaration of 'lrad_MD5Init'
hmac.c:61: warning: previous implicit declaration of 'lrad_MD5Init' was here
hmac.c:95: error: `context' undeclared (first use in this function)
hmac.c:97: warning: nested extern declaration of `lrad_MD5Update'
hmac.c:62: warning: redundant redeclaration of 'lrad_MD5Update'
hmac.c:62: warning: previous implicit declaration of 'lrad_MD5Update' was here
hmac.c:99: warning: nested extern declaration of `lrad_MD5Final'
hmac.c:63: warning: redundant redeclaration of 'lrad_MD5Final'
hmac.c:63: warning: previous implicit declaration of 'lrad_MD5Final' was here
gmake[4]: *** [hmac.lo] Error 1
gmake[4]: Leaving directory `/home/tariq/freeradius/freeradius-snapshot-20051110/src/lib'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/tariq/freeradius/freeradius-snapshot-20051110/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/tariq/freeradius/freeradius-snapshot-20051110/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/tariq/freeradius/freeradius-snapshot-20051110'
gmake: *** [all] Error 2
Re: loading files to oracle
Eyas Sarabi [EMAIL PROTECTED] wrote:
> Now I have a file per day including all information about the sessions that were connected each day and want to load it into the DB. Is there any tool that can be used to write the contents of the files to the database directly, the same way it is automated through freeradius?

radrelay. Read the detail files, and send them to FreeRADIUS. It comes with the server.

Alan DeKok.
accounting question
We keep getting a lot of missed stop packets that we never had problems with when we ran icradius. I don't know what the problem could be, but I am getting ready to turn accounting off for us. However, I have a major concern with this. We are using the mysql option with freeradius, including the nas table. We use a flat file, proxy.conf, for our remote realm configurations. We proxy for a number of remote realms running their own radius authentication, and they receive the accounting information we receive from our upstream, passed on to them.

If I turn accounting off, is there a way we can still pass accounting through to our remote realms, or is it a global on/off switch that affects everyone? I just don't want to keep track of it locally until we can figure out what is causing this.

I do notice a number of error messages about 0 length stop packets being received and I assume they are rejected. I have also contacted our upstream provider and asked them to be sure all is well with what they pass us. We use 1645:1646 and have those ports in iptables to freely accept. Are there possibly other ports I should be putting in there?

--
Chuck
Running as root to authenticate against system accounts..
Hello,

I've recently been looking into getting a FreeRADIUS server to authenticate against the system passwd file. When I was originally testing, it always seemed to reject my access, no matter what I tried. So I did some searching on the lists, and found another person that was having a similar issue. They discovered that the system only allows root to read the shadow password file, so when radius was requesting the password, it would get rejected.

So I changed my setup to run the radiusd daemon as root, and tested again. Sure enough, if radiusd is run as root, I can authenticate against the system.

So now my question is: What security concerns should I have if I run radiusd as root? Is there another way to do this that doesn't require radiusd to run as root? Basically, I just want to make sure this is the best way to authenticate against system accounts, or if there's some other method that I've missed :)

thx!
k
Re: Running as root to authenticate against system accounts..
Kevin Hanser [EMAIL PROTECTED] wrote:
> So I changed my setup to run the radiusd daemon as root, and tested again. Sure enough, if radiusd is run as root, I can authenticate against the system.

Which is why the default is to run as root. See the "user" directive in radiusd.conf, and the comments above it. The only thing missing in the comments is that you might have to create a "shadow" group, and make /etc/shadow readable by that group.

> So now my question is: What security concerns should I have if I run radiusd as root? Is there another way to do this that doesn't require radiusd to run as root?

See the comments in radiusd.conf.

Alan DeKok.
Re: Running as root to authenticate against system accounts..
Alan DeKok wrote:
> Kevin Hanser [EMAIL PROTECTED] wrote:
> > So I changed my setup to run the radiusd daemon as root, and tested again. Sure enough, if radiusd is run as root, I can authenticate against the system.
>
> Which is why the default is to run as root. See the "user" directive in radiusd.conf, and the comments above it. The only thing missing in the comments is that you might have to create a "shadow" group, and make /etc/shadow readable by that group.

Hmm. Wonder how I missed that :) I was changing the user to root using the "user" directive, but I guess I overlooked the comments directly above it that pretty much explain my question :) Thanx for pointing me to the proper place :)

I was initially stumped that my system didn't have a shadow group, but then I re-read your message above and created one. Once I did that and restarted radiusd in the shadow group, system authentication is working great!

Thx!
k
RE: Couldn't open /etc/freeradius/users for reading: Permission denied
I think your problem is that the etc/raddb directory isn't readable/executable by your "freerad" user? If you run the server as root, it first reads the configuration files (radiusd.conf, clients.conf, proxy.conf, etc.) then setuid's to the configured user before instantiating the modules, etc. Hence, the server has no problem reading the configuration files the first time round.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 November 2005 7:12 AM
To: freeradius-users@lists.freeradius.org
Subject: Couldn't open /etc/freeradius/users for reading: Permission denied

# ls -lha /etc/freeradius
total 244K
drwxr-s---  3 root    freerad 4.0K 2005-11-10 14:47 .
drwxr-xr-x 71 root    root    4.0K 2005-11-10 16:29 ..
-rw-r-      1 freerad freerad  422 2005-10-16 14:02 acct_users
-rw-r-      1 freerad freerad 4.0K 2005-10-16 14:02 attrs
drwxr-s---  3 freerad freerad 4.0K 2005-11-10 12:41 certs
-rw-r-      1 freerad freerad  189 2005-10-16 14:02 clients
freeradius won't let realms based auth
hi, I'm new to the mailing list. I'd be really thankful if someone could help me with the following issue: I'm trying to use freeradius with sql and mysql realm based (i.e.: sql when realm=dhcp and mysql when realm=wireless). I've read about acct-type and tried to do the same. Is that correct? Should I use acct-type? What should I use instead? Nevertheless, I'll add the debug of radtest, radiusd and radiusd.conf.

radtest:

[EMAIL PROTECTED]:/var/log# radtest [EMAIL PROTECTED] andy localhost 1812 testing123
Sending Access-Request of id 177 to 127.0.0.1:1812
        User-Name = [EMAIL PROTECTED]
        User-Password = andy
        NAS-IP-Address = andy
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=177, length=20

radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1:32812, id=177, length=65
        User-Name = [EMAIL PROTECTED]
        User-Password = andy
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "wireless" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "wireless"
    rlm_realm: Proxying request from user andy to realm wireless
    rlm_realm: Adding Realm = "wireless"
    rlm_realm: auth_port is not set. Proxy cancelled.
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched entry DEFAULT at line 212
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 177 to 127.0.0.1:32812
Waking up in 4 seconds...

thanks in advance!

radiusd.conf (attachment: radiusd.conf)
Re: freeradius won't let realms based auth
Andres Pazos [EMAIL PROTECTED] wrote:
> I've read about acct-type and tried to do the same. Is that correct? Should I use acct-type?

If you're sending authentication packets, acct-type isn't used at all.

> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

You didn't tell the server the user's correct password. It has a password in the packet, but it has no idea if it's the *right* password.

Alan DeKok.
Re: accounting question
Chuck [EMAIL PROTECTED] wrote:
> If I turn accounting off, is there a way we can still pass accounting through to our remote realms, or is it a global on/off switch that affects everyone?

Yes. You can delete the "detail" and "sql" entries from "accounting", and it won't log accounting to the local machine, but it will still proxy packets.

> I do notice a number of error messages about 0 length stop packets being received and I assume they are rejected.

Yes. That shouldn't affect anything, though.

Alan DeKok.
Re: Couldn't open /etc/freeradius/users for reading: Permission denied
On Thursday 10 November 2005 21.59, Mitchell, Michael J wrote:
> I think your problem is that the etc/raddb directory isn't readable/executable by your "freerad" user? If you run the server as root, it first reads the configuration files (radiusd.conf, clients.conf, proxy.conf, etc.) then setuid's to the configured user before instantiating the modules, etc. Hence, the server has no problem reading the configuration files the first time round.

Thanks a lot, it worked. And it was as easy as that.

d
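Both the "run as root" thread above (reading /etc/shadow through a shadow group instead of running radiusd as root) and this one (a config directory the unprivileged user cannot traverse after the setuid) come down to the same question: given the owner, group and mode bits, can the account the daemon drops to reach the file? The following is an added example, not code from either thread or from FreeRADIUS, that evaluates classic Unix discretionary access the way the kernel does (owner bits, else group bits, else other bits, with root unrestricted) over a constructed set of directory entries. The paths, modes and account names are assumptions modelled on the two threads.

```python
# Added example: POSIX DAC evaluation for a constructed filesystem, used to
# check least-privilege layouts for a daemon that switches from root to an
# unprivileged account. Not FreeRADIUS code; every entry below is made up.
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int      # full st_mode, type bits included
    owner: str
    group: str


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset   # primary plus supplementary groups


# Constructed entries. /etc/shadow is root:shadow 0640 (the layout Alan
# suggests); /etc/freeradius mirrors the ls output above (setgid, root:freerad);
# /etc/raddb is a deliberately wrong variant: group-readable files inside a
# directory the group cannot search.
FS = {e.path: e for e in [
    Entry("/",                     stat.S_IFDIR | 0o755, "root", "root"),
    Entry("/etc",                  stat.S_IFDIR | 0o755, "root", "root"),
    Entry("/etc/shadow",           stat.S_IFREG | 0o640, "root", "shadow"),
    Entry("/etc/freeradius",       stat.S_IFDIR | stat.S_ISGID | 0o750, "root", "freerad"),
    Entry("/etc/freeradius/users", stat.S_IFREG | 0o640, "freerad", "freerad"),
    Entry("/etc/raddb",            stat.S_IFDIR | 0o700, "root", "root"),
    Entry("/etc/raddb/users",      stat.S_IFREG | 0o640, "freerad", "freerad"),
]}

ROOT = Account("root", frozenset({"root"}))
RADIUSD_IN_SHADOW = Account("radiusd", frozenset({"radiusd", "shadow"}))
RADIUSD_PLAIN = Account("radiusd", frozenset({"radiusd"}))
FREERAD = Account("freerad", frozenset({"freerad"}))


def can_access(entry, account, want):
    """`want` is the USR bit (stat.S_IRUSR / S_IWUSR / S_IXUSR); the GRP and
    OTH bits are the same bit shifted right by 3 and 6. Exactly one class
    applies: owner if the uid matches, else group if any gid matches, else other."""
    if account.name == "root":
        return True                       # DAC never restricts root (CAP_DAC_OVERRIDE)
    if account.name == entry.owner:
        return bool(entry.mode & want)
    if entry.group in account.groups:
        return bool(entry.mode & (want >> 3))
    return bool(entry.mode & (want >> 6))


def can_read_file(path, entries, account):
    """Reading a file needs search (x) on every directory on the way, then r on the file."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts)):
        directory = "/" + "/".join(parts[:depth]) if depth else "/"
        if not can_access(entries[directory], account, stat.S_IXUSR):
            return False
    return can_access(entries[path], account, stat.S_IRUSR)


def world_readable(entry):
    """Audit helper: flags entries any local account can read."""
    return bool(entry.mode & stat.S_IROTH)


if __name__ == "__main__":
    for who in (ROOT, RADIUSD_PLAIN, RADIUSD_IN_SHADOW, FREERAD):
        for path in ("/etc/shadow", "/etc/freeradius/users", "/etc/raddb/users"):
            print(f"{who.name:8} {path:24} {can_read_file(path, FS, who)}")
    print("world-readable shadow?", world_readable(FS["/etc/shadow"]))
```

The interesting rows are the two failure modes from the threads: `radiusd` without the shadow group cannot read /etc/shadow even though the file is group-readable, and `freerad` cannot read /etc/raddb/users even though it owns the file, because it cannot search the parent directory. Running the daemon as root makes every row True, which is exactly the privilege the shadow-group arrangement avoids.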
RE: VSA id's higher than 255
I was writing to check if support for VSA Id's higher than 255 has been added in freeRadius 1.0.5. I will appreciate any feedback you guys might have.

Regards,
Swaran Sethi

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, August 02, 2005 2:09 PM
To: FreeRadius users mailing list
Subject: Re: VSA id's higher than 255

Michael Lecuyer [EMAIL PROTECTED] wrote:
> The format for the long tag VSA is the same as the standard Vendor-Specific attribute (8 bit tag, 8 bit length) but the sub-attribute tag field has been expanded to 16 bits. The sub-attribute length field remains 8 bits.

That doesn't sound too bad.

> All vendor specific attributes are coded using 16-bit attribute type in network byte order and Lucent-Vendor-Id (4846) as Vendor-Id.

That makes it easier.

> I believe the support for long Vendor-Specific tags was discussed here in the past with limited interest in support.

It's about 40 lines of code to support. The weirdness that I recall was Nortel, which mixed normal VSA's, and USR-style VSA's in the same vendor space.

> 192.168.1.1 ... VendorLongTags=Ascend - indicating that Ascend VSA's use long tags and all other VSA's like Cisco) would be short.

Ascend / Lucent VSA's do not always use long tag VSAs. If it's always that the Lucent attributes use 16-bit id's, it's OK.

> This introduction of long tags is a real wart for every RADIUS server. There are probably other ways to have avoided 16 bit tags. Naturally the offender is too big to ignore and arbitrarily forced the issue. Remember that in the past Ascend (pre-Lucent) grabbed unassigned RADIUS attributes (from 119 to 255) without thinking there might be a problem with that either.

Yup. I'll add something to the CVS head. Grab a snapshot in a few days, and see if it works.

Alan DeKok.
Re: VSA id's higher than 255
Swaran S. Sethi [EMAIL PROTECTED] wrote:
> I was writing to check if support for VSA Id's higher than 255 has been added in freeRadius 1.0.5. I will appreciate any feedback you guys might have.

It's not in 1.0.5, and I'm not sure it will be. It's in the CVS head, including Starent attributes, which are 16/16 bits.

Alan DeKok.
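The thread describes three sub-attribute header layouts inside a Vendor-Specific attribute (RADIUS type 26): the standard 8-bit type / 8-bit length, the Lucent layout with the type widened to 16 bits and the length kept at 8 (Vendor-Id 4846), and the Starent 16/16 layout Alan mentions. The encoder/decoder below is an added example, not FreeRADIUS code and not from the thread, that handles all three and refuses malformed input. Assumptions of mine: the length field counts the whole sub-attribute (header included), as it does for the standard layout; the Starent enterprise number 8164 and Cisco's 9 come from the IANA registry, not from the thread.

```python
# Added example: encode and decode RADIUS attribute 26 with per-vendor
# sub-attribute header widths (type bytes, length bytes). Not FreeRADIUS
# code; vendor numbers other than 4846 are assumptions noted in the lead-in.
import struct

VENDOR_SPECIFIC = 26
LUCENT = 4846          # from the thread: Lucent-Vendor-Id
STARENT = 8164         # assumption: Starent Networks enterprise number
CISCO = 9              # assumption: Cisco enterprise number, used as a plain 8/8 vendor

# vendor -> (type field width, length field width); anything unlisted is 8/8
FORMATS = {LUCENT: (2, 1), STARENT: (2, 2)}


def _fmt(vendor):
    return FORMATS.get(vendor, (1, 1))


def encode_vsa(vendor, sub_attrs):
    """Build one attribute 26 carrying [(sub_type, value_bytes), ...] for `vendor`."""
    tl, ll = _fmt(vendor)
    body = b""
    for sub_type, value in sub_attrs:
        if not 0 <= sub_type < 256 ** tl:
            raise ValueError(f"sub-attribute type {sub_type} does not fit in {tl} byte(s)")
        total = tl + ll + len(value)         # length covers header + value (assumption)
        if total >= 256 ** ll:
            raise ValueError("sub-attribute value too long for the length field")
        body += sub_type.to_bytes(tl, "big") + total.to_bytes(ll, "big") + value
    payload = struct.pack("!I", vendor) + body
    if len(payload) + 2 > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS attribute limit")
    return bytes([VENDOR_SPECIFIC, len(payload) + 2]) + payload


def decode_vsa(attr):
    """Parse attribute 26 back into (vendor, [(sub_type, value), ...]).
    Strict on every length so a truncated or inconsistent attribute is rejected
    instead of being read past its end."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor = struct.unpack("!I", attr[2:6])[0]
    tl, ll = _fmt(vendor)
    pos, out = 6, []
    while pos < len(attr):
        if pos + tl + ll > len(attr):
            raise ValueError("truncated sub-attribute header")
        sub_type = int.from_bytes(attr[pos:pos + tl], "big")
        total = int.from_bytes(attr[pos + tl:pos + tl + ll], "big")
        if total < tl + ll or pos + total > len(attr):
            raise ValueError("bad sub-attribute length")
        out.append((sub_type, attr[pos + tl + ll:pos + total]))
        pos += total
    return vendor, out


if __name__ == "__main__":
    for vendor, attrs in ((CISCO, [(1, b"shell:priv-lvl=15")]),
                          (LUCENT, [(300, b"\x00\x00\x00\x01")]),
                          (STARENT, [(5, b"x")])):
        wire = encode_vsa(vendor, attrs)
        print(vendor, wire.hex(), decode_vsa(wire) == (vendor, attrs))
```

The same 300 that round-trips for Lucent is rejected for an 8/8 vendor, which is the whole point of the thread: without a per-vendor format table the server has no way to express, or to parse, a sub-attribute type above 255.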
Sun SSH and pam_radius_auth
Has anyone seen an issue with Sun SSH and pam_radius_auth where it sends a RADIUS Access-Request packet, apparently during ssh-connection method "none"?

Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: userauth-request for user red service ssh-connection method none
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: attempt 0 failures 0
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: Starting up PAM with username red
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 730685 auth.debug] PAM[8702]: pam_start(sshd,red,b6930:cfdc8) - debug = 1
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:service)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:user)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:conv)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:tty)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: userauth_banner: sent
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:conv)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 635154 auth.debug] PAM[8702]: pam_authenticate(cfdc8, 1)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 232006 auth.debug] PAM[8702]: load_modules(cfdc8, pam_sm_authenticate)=/usr/lib/security/pam_radius_auth.so.1
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 971319 auth.debug] PAM[8702]: load_function: successful load of pam_sm_authenticate
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 232006 auth.debug] PAM[8702]: load_modules(cfdc8, pam_sm_authenticate)=/usr/lib/security/pam_unix.so.1
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 971319 auth.debug] PAM[8702]: load_function: successful load of pam_sm_authenticate
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 338151 auth.debug] PAM[8702]: pam_get_user(cfdc8, cfdc8, NULL)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: Got user name red
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: Sending RADIUS request code 1
Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.error] pam_radius_auth: RADIUS server 172.24.43.230 failed to respond
Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.error] pam_radius_auth: All RADIUS servers failed to respond.
Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: authentication failed
RE: VSA id's higher than 255
Thanks Alan.

-Swaran

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, November 10, 2005 3:45 PM
To: FreeRadius users mailing list
Subject: Re: VSA id's higher than 255

Swaran S. Sethi [EMAIL PROTECTED] wrote:
> I was writing to check if support for VSA Id's higher than 255 has been added in freeRadius 1.0.5. I will appreciate any feedback you guys might have.

It's not in 1.0.5, and I'm not sure it will be. It's in the CVS head, including Starent attributes, which are 16/16 bits.

Alan DeKok.
Re: compile problem on solaris express nv23 x86
Tariq Rashid [EMAIL PROTECTED] wrote:
> using the 20051110 snapshot - I still don't get a compile. Having said that, this is much better than 1.0.2 and 1.0.5. Any ideas?

$ cvs update
$ ./configure ...
$ make

The server should now use its own header files for MD5, rather than the ones included with Solaris.

Alan DeKok.
Re: accounting question
On Thursday 10 November 2005 05:44 pm, Alan DeKok wrote:

Would it also do the same thing if I removed the simultaneous-use=1 check statement from the user group? Until I can figure this out, that would be my easiest thing, still allowing writing to accounting for other purposes.

> Chuck [EMAIL PROTECTED] wrote:
> > If I turn accounting off, is there a way we can still pass accounting through to our remote realms, or is it a global on/off switch that affects everyone?
>
> Yes. You can delete the "detail" and "sql" entries from "accounting", and it won't log accounting to the local machine, but it will still proxy packets.
>
> > I do notice a number of error messages about 0 length stop packets being received and I assume they are rejected.
>
> Yes. That shouldn't affect anything, though.
>
> Alan DeKok.

--
Chuck

Windows?? You mean the thirty-two bit extension and graphical shell to a sixteen-bit patch to an eight-bit operating system originally coded for a four-bit microprocessor which was written by a two-bit company that can't stand one bit of competition? Oh, that... -- Lee Clarke
RE: freeradius won't let realms based auth
Thanks Alan for answering so fast. I think I'm misunderstanding something in the entire process. Could you tell me if what I am doing is correct? I want to:

    radius packet
        if realm == wireless do sql query
        if realm == dhcp do mysql query

I have sql and mysql working with radiusd. Could it be done by using acct-type, or should I do something else?

thanks in advance!!!
Andres Pazos

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Thu 11/10/2005 7:42 PM
To: FreeRadius users mailing list
Subject: Re: freeradius won't let realms based auth

Andres Pazos [EMAIL PROTECTED] wrote:
> I've read about acct-type and tried to do the same. Is that correct? Should I use acct-type?

If you're sending authentication packets, acct-type isn't used at all.

> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

You didn't tell the server the user's correct password. It has a password in the packet, but it has no idea if it's the *right* password.

Alan DeKok.
Re: freeradius won't let realms based auth
Andres Pazos [EMAIL PROTECTED] wrote:
> radius packet

What KIND of RADIUS packet? You appear to be confused about the difference between authentication and accounting packets.

> I have sql and mysql working with radiusd.

I have no idea what that means.

> Could it be done by using acct-type, or should I do something else?

Have you tried reading doc/Acct-Type?

Alan DeKok.
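Alan's point in this thread (the server "has a password in the packet, but it has no idea if it's the *right* password") and the pam_radius_auth log a few messages up ("Sending RADIUS request code 1") both concern the same packet: an Access-Request carrying User-Name and a hidden User-Password. The example below is added here and is not code from either thread, from radtest or from FreeRADIUS. It builds such a packet the way RFC 2865 describes (code 1, identifier, length, 16-byte Request Authenticator, then attributes, with the password XOR-masked by MD5 of the shared secret and authenticator), parses it back, and performs the server-side step that needs a "known good" password from somewhere (a users entry, an SQL row, /etc/shadow) before it can answer. The secret `testing123`, user and password values are assumptions taken from the radtest command in the thread.

```python
# Added example: RFC 2865 Access-Request with User-Password hiding, and the
# server-side comparison against a known password. Not FreeRADIUS code.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(attr_type, value):
    """One type-length-value attribute; length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16) if p else b"\x00" * 16
    if len(p) > 128:
        raise ValueError("password longer than 128 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, identifier,
                         nas_ip="127.0.0.1", nas_port=1812, authenticator=None):
    """What radtest / pam_radius_auth put on the wire for a cleartext-password login."""
    authenticator = authenticator or os.urandom(16)   # fresh random per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs


def verify_user_password(packet, secret, known_password):
    """The server-side decision: recover the supplied password with the shared secret,
    then compare it (constant-time) with the password the server already knows."""
    code, _, authenticator, attrs = parse(packet)
    if code != ACCESS_REQUEST or USER_PASSWORD not in attrs:
        return False
    supplied = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    return hmac.compare_digest(supplied, known_password.encode())


if __name__ == "__main__":
    pkt = build_access_request(b"testing123", "andy@wireless", "andy", 177)
    print("code/id/len:", pkt[0], pkt[1], len(pkt))
    print("correct password accepted:", verify_user_password(pkt, b"testing123", "andy"))
    print("wrong password accepted:  ", verify_user_password(pkt, b"testing123", "nope"))
```

Without `known_password` the last function has nothing to compare against, which is the situation the `No authenticate method (Auth-Type) configuration found` line describes: the packet arrived and parsed fine, but no module in authorize supplied a password for the user. The masking also shows why the shared secret matters: a wrong secret on either side yields garbage, not a clean failure.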
Re: Problem with EAP/TLS and XP SP2
----- Original Message -----
From: Hal Pomeranz [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Problem with EAP/TLS and XP SP2
Date: Wed, 2 Nov 2005 21:22:55 -0800

Radius Server: Freeradius 1.0.5 on Solaris 8 (Sparc)
Client:        Windows XP (SP2), Intel PRO/Wireless 2915 (a/b/g)
Access Point:  DLink DI-784

I'm having trouble getting my laptop (running Windows XP SP2) to authenticate to my access point using EAP/TLS. XP shows the wireless interface hung forever in "Attempting to authenticate" state. I've been beating my head against this all day without success, although I think I'm close and just missing something stupid and obvious.

In the debugging log from "radiusd -X" below, I can see my laptop communicating with the radius server. I'm definitely seeing the correct username (HalPomeranz) from the certificate I installed on the laptop. The radius server is finding the username entry in my users file. The only thing that looks like an error is the lines that read:

    rlm_eap_tls: TLS 1.0 Handshake [length 005e], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A

I Googled a bit for this error message and turned up some mailing list traffic describing similar problems, but no solutions. Perhaps this is a red herring, however.

Note that I am successfully using this same radius server to authenticate some older clients which use LEAP to connect via a different access point, so I'm thinking my radius config is basically sound.

Does anybody have any suggestions for how to resolve my problem? Anybody seen anything like this before? Thanks in advance...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hal Pomeranz, Founder/CEO      Deer Run Associates      [EMAIL PROTECTED]
Network Connectivity and Security, Systems Management, Training
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /var/freeradius/etc/raddb/proxy.conf
Config: including file: /var/freeradius/etc/raddb/clients.conf
Config: including file: /var/freeradius/etc/raddb/snmp.conf
Config: including file: /var/freeradius/etc/raddb/eap.conf
Config: including file: /var/freeradius/etc/raddb/sql.conf
 main: prefix = /var/freeradius
 main: localstatedir = /var/freeradius/var
 main: logdir = /var/freeradius/var/log/radius
 main: libdir = /var/freeradius/lib
 main: radacctdir = /var/freeradius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/freeradius/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/freeradius/var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /var/freeradius/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /var/freeradius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/freeradius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: