Re: Signal 10
> Hi, shows there either. I suspect it's a request from somewhere. I am going to enable tcpdump on the secondary server but am at a loss to figure out how to get a core dump. I don't see any place in the code where signal 10 is redirected. Any other ideas on how to diagnose this problem? Thanks.

I don't think Signal 10 is supposed to be handled by freeradius in some way -- it just crashes. Producing a core dump proved surprisingly tricky for me. Citing Alan's posting from Oct 11:

> If you've set user or group in radiusd.conf, you won't get a core file. I'd suggest running the server in debugging mode, and redirecting the output to /dev/null. That way you control which directory it runs in, and you're guaranteed to get a core file (assuming ulimit is set).

There's one more point at least: the core dump will always be created in the current working directory of the respective process. On Linux, look at /proc/<pid>/cwd. To my surprise, it turned out to be / (root dir). (Hey, is this a bug or a feature?) So somehow freeradius must be able to write to a core file there. I succeeded by pre-creating a file named /core and chown'ing it to the freerad user, but not before getting the ulimit business straight.

Good Luck
Martin

--
Dr. Martin Pauly                 Fax:    49-6421-28-26994
HRZ Univ. Marburg                Phone:  49-6421-28-23527
Hans-Meerwein-Str.               E-Mail: [EMAIL PROTECTED]
D-35032 Marburg

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Configuring freeRADIUS and NAS
Hi,

I use Linksys WRT54G routers and I suggest that you check out DD-WRT firmware. It includes Chillispot and is easy to set up. I've posted a tutorial here: http://swarmhotspots.com/faq.html

BTW, the new WRT54G (Release 5 firmware) uses VxWorks and not Linux; anyone needing to use third-party firmware like DD-WRT should buy the WRT54GL instead.

I hope this helps.

Regards,
Sean Bracken
question on ldap_escape_func in rlm_ldap.c (author: Kostas Kalevras)
Hi All,

I'm new to Radius, and have now encountered problems with ldap_escape_func in rlm_ldap. Please help me since it's really a bit urgent.

The comment regarding this function is: 'Add an ldap_escape_func. Escape the * character from the filter so that we can avoid the trivial DoS of username=*'. If I was not wrong, this function intends to filter out the * which follows the username, i.e. if the username is 'userid*' in the access-request packet, ldapsearch is only based on 'userid'. But what's the purpose of doing this, and is it secure? Or did I misunderstand the comment?

The latest version, freeradius-1.0.5, has a slightly different version of this piece of code:

* freeradius-1.0.5

    if (strchr("*=\\,()", *in)) {
        static const char *hex = "0123456789abcdef";

        if (outlen <= 3) break;

        *(out++) = '\\';
        *(out++) = hex[((*in) >> 4) & 0x0f];
        *(out++) = hex[(*in) & 0x0f];
        outlen -= 3;
        continue;
    }

** freeradius-1.0.4 and previous

    if (strchr("*", *in)) {
        in++;
        outlen--;
        continue;
    }

I couldn't figure out what the change intends to do. Is it to filter out '*', '\\', '()' and '=' from the username? And why should it be that way? Please help me. Thanks a lot in advance.
Re: rlm_counter
Alan DeKok wrote:
> Lisa Casey [EMAIL PROTECTED] wrote:
> > I have Freeradius 1.01 on FreeBSD 5.3. Two questions:
>
> *please* upgrade to 1.0.5.

You really should follow Alan's advice. See http://freeradius.org/security.html

--
Nicolas Baradakis
Re: (no subject)
Hi, Josh.

The following describes the 'group lock' feature, considering a Cisco VPN 3000 concentrator and a RADIUS server (check the RADIUS Class attribute):
http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

It is mentioned hereafter that the Cisco PIX Security Appliance supports RADIUS group locking:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html

It looks like your RADIUS client is actually a Cisco PIX SA (beware of Cisco's terminology though), so I hope this can help you solve your problem.

Regards,
Philippe
Re: question on ldap_escape_func in rlm_ldap.c
Qin Zhen wrote:
> I couldn't figure out what the change intends to do. Is it to filter out '*', '\\', '()' and '=' from the username? And why should it be that way? Please help me. Thanks a lot in advance.

The function ldap_escape_func() filters all LDAP-specific characters from RFC 2254. This prevents LDAP injection attacks.

BTW there's a known bug in this function; you can get a fixed version here (the patch will be included in the next release):
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c?rev=1.122.2.8

--
Nicolas Baradakis
Re: attrs file
On Wednesday 07 December 2005 12:56 am, Alan DeKok wrote:

Now why didn't I see that yesterday? Guess I was reading too much :) Thank you, kind sir!

Chuck

> Chuck [EMAIL PROTECTED] wrote:
> > I have a need on one of my radius servers to pass every reply attribute my realms I proxy for send up to me, regardless of what they are. I then pass these replies upstream. Everything I read describing the default 'realm' in the attrs file mentions adding attributes I want to pass on. However, in this one instance I would have to list every dictionary attribute. Is there not a way to tell radius to pass everything, maybe with a * on a single line or maybe nothing in the default section? Or must I list every single one?
>
> Don't use the attrs module. The default in the server is to pass all of the attributes. The attrs module filters out attributes.
>
> Alan DeKok.

--
Chuck
Re: OS Update broke FR - rlm_exec-1.0.0.so not found
Landon Cox wrote:
> On a freeradius box I have which is working, I did:
>
> radius1:/usr/lib/freeradius # ldd rlm_exec-1.0.0.so
>         linux-gate.so.1 =>  (0xe000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x40018000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x4002f000)
>         libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40042000)
>         libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40054000)
>         libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40145000)
                                                        ^^

This has nothing to do with your problem, but can you please indicate whether you're using a binary package from Suse? If that's the case, Suse is distributing software with incompatible licenses linked together. I think maybe they are violating either the GPL or the OpenSSL license.

http://www.fsf.org/licensing/licenses/index_html#GPLIncompatibleLicenses

--
Nicolas Baradakis
multiple groups behind one NAS
Hi,

I have a problem with multiple groups behind one NAS after upgrading from freeradius 0.9.x to 1.0.4-1. There was no problem with this configuration before the upgrade.

Scenario:
2 groups: GPRS_1 and GPRS_2; both groups are behind NAS 1.1.1.1.
user_1 is a member of group GPRS_2, and he and all members of GPRS_2 are rejected. It looks like only members of the first group matched in the huntgroups file are processed positively.

my users file:

DEFAULT Huntgroup-Name == DENY, Auth-Type := Reject
        Reply-Message = !!! You are NOT allowed to access the resource !!!

DEFAULT Huntgroup-Name == GPRS_1, Ldap-Group == cn=GPRS_1,cn=radius,dc=my,dc=domain
        Fall-Through = no

DEFAULT Huntgroup-Name == GPRS_2, Ldap-Group == cn=GPRS_2,cn=radius,dc=my,dc=domain
        Fall-Through = no
#(I tried Fall-Through = yes but without success)

my huntgroups file:

GPRS_1  NAS-IP-Address == 1.1.1.1
GPRS_2  NAS-IP-Address == 1.1.1.1

debug:

rad_recv: Access-Request packet from host 1.1.1.1:49152, id=113, length=282
        User-Name = user_1
        User-Password = ***
        Acct-Session-Id = C35B9B41550234E2DB
        NAS-IP-Address = 1.1.1.1
        Service-Type = Framed-User
        Framed-Protocol = GPRS-PDP-Context
        Calling-Station-Id = 01234567898
        Called-Station-Id = apn
        NAS-Port-Type = Wireless-Other
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_checkval: Item Name: NAS-IP-Address, Value: 1.1.1.1
rlm_checkval: Could not find attribute named NAS-IP-Address in check pairs
  modcall[authorize]: module nas-ip returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user_1
radius_xlat:  '(uid=user_1)'
radius_xlat:  'cn=radius,dc=my, dc=domain'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=my,dc=domain/*** to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=radius ,dc=my, dc=domain, with filter (uid=user_1)
rlm_ldap: Password header not found in password {MD5}M6SF989545MZxq0dPLluAAoY for user user_1
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 01234567898 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.10.10.10 op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
rlm_ldap: user user_1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'cn=radius ,dc=my, dc=domain'
radius_xlat:  '(&(objectClass=groupOfUniqueNames)(uniquemember=uid=user_1,cn=GPRS_1,dc=my,dc=domain))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=GPRS_1,cn=radius,dc=my,dc=domain, with filter (&(objectClass=groupOfUniqueNames)(uniquemember=uid=user_1,cn=GPRS_1,cn=radius,dc=my,dc=domain))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=GPRS_1,cn=radius,dc=my,dc=domain not found or user is not a member.
    users: Matched entry DEFAULT at line 128
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password:  Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.

Thanks for any advice :)
Re: question on ldap_escape_func in rlm_ldap.c
Thanks for Nicolas's reply. So in the latest version (1.0.5), a username 'jam\' will be converted into 'jam\5c' and ldapsearch will be based on 'jam\5c', right? So this username is supposed not to be found in LDAP in this case? But how come in my server, the ldapsearch is based on 'jam' and those invalid characters are just simply eliminated? Scratching head... please assist... thanks so much.

----- Original Message -----
From: Nicolas Baradakis [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, December 07, 2005 6:51 PM
Subject: Re: question on ldap_escape_func in rlm_ldap.c
Re: question on ldap_escape_func in rlm_ldap.c
Qin Zhen wrote:
> So in the latest version (1.0.5), a username 'jam\' will be converted into 'jam\5c' and ldapsearch will be based on 'jam\5c', right? So this username is supposed not to be found in LDAP in this case? But how come in my server, the ldapsearch is based on 'jam' and those invalid characters are just simply eliminated? Scratching head... please assist... thanks so much.

That's what is said in http://www.ietf.org/rfc/rfc2254.txt

    If a value should contain any of the following characters

               Character       ASCII value
               ---------------------------
               *               0x2a
               (               0x28
               )               0x29
               \               0x5c
               NUL             0x00

    the character must be encoded as the backslash '\' character (ASCII
    0x5c) followed by the two hexadecimal digits representing the ASCII
    value of the encoded character. The case of the two hexadecimal
    digits is not significant.

--
Nicolas Baradakis
RE: question on ldap_escape_func in rlm_ldap.c
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: 07 December 2005 13:18
To: FreeRadius users mailing list
Subject: Re: question on ldap_escape_func in rlm_ldap.c
Re: question on ldap_escape_func in rlm_ldap.c
Hi,

Thanks Nicolas. Sorry to trouble you, but I am still not so clear about the latest freeradius's behaviour.

Suppose there is a username 'james'. When I try to login with username 'james*', ldap_escape_func actually converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode still shows

Debug: rlm_ldap: performing search in dc=sg, o=company, with filter (&(objectclass=radiusprofile)(userlogin=james))

That means LDAP still searches based on filter 'userlogin=james' and ignores those '\2a\2a\2a' that follow, and hence it finds the username 'james' from LDAP and allows the user to login. Is it the way the latest freeradius is supposed to be? Or is there anything wrong with my configuration? If user james can use 'james*' or 'james\\' to login as usual, isn't it insecure?

Thanks really a lot!

----- Original Message -----
From: Nicolas Baradakis [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, December 07, 2005 9:17 PM
Subject: Re: question on ldap_escape_func in rlm_ldap.c
Re: dictionary: adding MONTHLY-TIME-LIMIT
don james [EMAIL PROTECTED] writes:
> Oh, yeah, right. It may as well be written in Greek. Thanks for nothing.

I've found this document to be a valuable source of information:
http://www.catb.org/~esr/faqs/smart-questions.html

These two sections seem to apply to your problem in particular:
http://www.catb.org/~esr/faqs/smart-questions.html#goal
http://www.catb.org/~esr/faqs/smart-questions.html#rtfm

Bjørn
RE: dictionary: adding MONTHLY-TIME-LIMIT
I, for one, have used the services of Cladju Consulting, as listed in the freeradius business directory. Well worth the few dollars we spent.

Rob

-----Original Message-----
> If you want a perfect answer, see: http://www.freeradius.org/business/
>
> I'm sure if you pay someone they'll tell you what you need to do. If you're not willing to spend the time to read the docs, and you're not willing to pay anyone, good luck solving the problem.
Re: question on ldap_escape_func in rlm_ldap.c
Qin Zhen wrote:
> When I try to login with username 'james*', ldap_escape_func actually converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode still shows
>
> Debug: rlm_ldap: performing search in dc=sg, o=company, with filter (&(objectclass=radiusprofile)(userlogin=james))
>
> That means LDAP still searches based on filter 'userlogin=james' and ignores those '\2a\2a\2a' that follow, and hence it finds the username 'james' from LDAP and allows the user to login. Is it the way the latest freeradius is supposed to be?

No, it's a known bug in FreeRADIUS 1.0.5. That's why I told you earlier to get a fixed version in CVS.

> If user james can use 'james*' or 'james\\' to login as usual, isn't it insecure?

I think james* (without escaping) in a LDAP filter is insecure; it may disclose information about other users named jamesfoo or jamesbar ...

--
Nicolas Baradakis
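The escaping Nicolas points to, written out as an added C example that is not FreeRADIUS code (the function names and the sample user names are made up): each character from the RFC 2254 table becomes a backslash plus two hex digits, the input pointer advances exactly once per byte so every escaped character is emitted a single time, and an output buffer that is too small makes the call fail instead of returning a shortened value. It follows the 1.0.5 character set, which adds '=' and ',' to the RFC's list.

```c
/*
 * RFC 2254 escaping for values interpolated into an LDAP search filter,
 * the job ldap_escape_func() does in rlm_ldap.  Added illustration, not
 * FreeRADIUS code; function names and sample user names are invented.
 * Build: cc -std=c99 -Wall ldap_escape.c
 */
#include <stdio.h>
#include <string.h>

/*
 * Escape one filter value.  Every character RFC 2254 reserves (* ( ) \ and
 * NUL) plus the two extra ones the 1.0.5 code also treats as unsafe (= and ,)
 * is replaced by a backslash and two hex digits, so the value can never close
 * the current filter term or open a new one.  Returns the escaped length
 * (without the terminator) or -1 if `out` is too small; in that case `out` is
 * left as an empty string rather than a truncated value that might still be a
 * valid, but different, filter.  NUL cannot occur in a C string, so it never
 * reaches the loop.
 */
int ldap_escape_value(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t written = 0;

    if (outlen == 0) return -1;

    for (; *in != '\0'; in++) {   /* advance exactly once per input byte */
        unsigned char c = (unsigned char)*in;

        if (strchr("*()\\=,", c) != NULL) {
            if (outlen - written < 4) goto too_small;  /* 3 bytes + NUL */
            out[written++] = '\\';
            out[written++] = hex[c >> 4];
            out[written++] = hex[c & 0x0f];
        } else {
            if (outlen - written < 2) goto too_small;  /* 1 byte + NUL */
            out[written++] = (char)c;
        }
    }
    out[written] = '\0';
    return (int)written;

too_small:
    out[0] = '\0';
    return -1;
}

/*
 * Build the default rlm_ldap-style filter "(uid=<user>)" from a raw
 * User-Name.  Returns 0 on success, -1 if either step runs out of room.
 */
int build_uid_filter(const char *username, char *out, size_t outlen)
{
    char escaped[256];
    int n;

    if (ldap_escape_value(username, escaped, sizeof escaped) < 0) return -1;
    n = snprintf(out, outlen, "(uid=%s)", escaped);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Check helpers: 1 if the escaped / filtered form of the input is exactly `expected`. */
int escapes_to(const char *in, const char *expected)
{
    char buf[128];
    return ldap_escape_value(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int filter_is(const char *username, const char *expected)
{
    char buf[160];
    return build_uid_filter(username, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* Escaped length of `in` when only `cap` output bytes are available (-1 if it does not fit). */
int escaped_length(const char *in, size_t cap)
{
    char buf[128];
    return ldap_escape_value(in, buf, cap < sizeof buf ? cap : sizeof buf);
}

int main(void)
{
    /* Constructed sample user names: a plain one and three carrying filter metacharacters. */
    const char *samples[] = { "james", "james*", "jam\\", "(uid=*)" };
    char filter[160];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_uid_filter(samples[i], filter, sizeof filter) == 0)
            printf("%-10s -> %s\n", samples[i], filter);
    }
    return 0;
}
```

Running it shows 'james*' searched as (uid=james\2a), which matches no directory entry, rather than as the prefix wildcard the unescaped form would be.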
Dialupadmin wont connect to mysql
Hello,

I've got Dialupadmin running; however, when I click through the various menus it keeps telling me that it cannot connect to the SQL database. This is no surprise to me as I have not set up anything on the MySQL side of things for dialupadmin, nor have I told dialupadmin what user and password to connect with.

My question is: where do I go to set the database options? And what, if any, database items do I need to create on the MySQL side for it to work?

Thanks,
Sean.
Re: Dialupadmin wont connect to mysql
See this page. It's in French but all of the configs are in English.
http://www.pervasive-network.org/SPIP/Installation-de-Freeradius-sur-une

----- Original Message -----
From: Sean Ali [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, December 06, 2005 9:27 PM
Subject: Dialupadmin wont connect to mysql
Compatibility Question: Will FreeRADIUS work with Quintum NAS for VoIP?
Hi All!

I am quite new to RADIUS, both the protocol and FreeRadius. I am developing a billing application for VoIP, and need to use a Quintum NAS as well as JRadius! The things I am wondering are as follows:

I need to know if FreeRADIUS, the great program it is, supports VSAs from a Quintum NAS?

I need a tutorial or something to integrate JRADIUS into FreeRadius.

These might seem like dumb questions - for that I am sorry - but I've been troubleshooting my FreeRadius for 3 days, finally got it to simulate, and I'm running out of time. (By the way, thanks to the guys for the comments! As well as such a great debug mode. I'm still new to all this, but if I was more experienced it wouldn't have taken 4 hours.) So please forgive me if it seems I am taking an easy way out. All the theory is worked out, algorithms, the works; just the programs need to be installed and the physical coding done.

Thanks.
(no subject)
Nicolas Baradakis wrote:
> >         libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40145000)
>                                                         ^^
>
> This has nothing to do with your problem, but can you please indicate whether you're using a binary package from Suse? If that's the case, Suse is distributing software with incompatible licenses linked together. I think maybe they are violating either the GPL or the OpenSSL license.

The rlm_exec .so file was timestamped 11-01-05, and I know I haven't built anything from source for a long time on that box, so I would have to think it was a binary package unless somehow the SuSE update pulls and compiles source on my behalf... I don't think so.

Landon
Re: Compatibility Question: Will FreeRADIUS work with Quintum NAS for VoIP?
Henk Crafford [EMAIL PROTECTED] wrote:
> I need to know if FreeRADIUS, the great program it is, supports VSA's from a Quintum NAS?

Yes.

> I need a tutorial or something to integrate JRADIUS into FreeRadius.

See the jradius documentation.

Alan DeKok.
rlm_ldap: ldap_search() failed: Bad search filter:
I am still trying to let freeradius query AD, but not yet too successfully. Using the following vars with ldapsearch gives me the desired result, as shown below, but fails with rlm_ldap.

##
server=mchm967a.tww006.sitest.net
port=3268
identity=[EMAIL PROTECTED]
mypass=mypass
basedn=dc=TDE002,dc=SITEST,dc=NET
filter=(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl

# ldapsearch -x -h $server -p $port -b $basedn $filter -D $identity -w $mypass -x
# extended LDIF
#
# LDAPv3
# base dc=TDE002,dc=SITEST,dc=NET with scope sub
# filter: (&(sAMAccountName=28TEF003$)(objectclass=computer))
# requesting: sAMAccountName userAccountControl
#

# 28TEF003, CAT-Computers, OU16, MchP, tde002.sitest.net
dn: CN=28TEF003,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=sitest,DC=net
userAccountControl: 4096
sAMAccountName: 28TEF003$

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
##

So far, so good. When I take the same vars in radiusd.conf, I get:

rlm_ldap: ldap_search() failed: Bad search filter

radiusd.conf:

ldap ldap1 {
        server=mchm967a.tww006.sitest.net
        port=3268
        identity=[EMAIL PROTECTED]
        mypass=mypass
        basedn=dc=TDE002,dc=SITEST,dc=NET
        filter=(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl
        ldap_debug= 0x
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
        }
        dictionary_mapping = ${raddbdir}/ldap.attrmap
}

rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=TDE002,dc=SITEST,dc=NET, with filter (&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl
ldap_search
put_filter: (&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl
put_filter: AND
put_filter_list (sAMAccountName=28TEF003$)(objectclass=computer)
put_filter: (sAMAccountName=28TEF003$)
put_filter: simple
put_simple_filter: sAMAccountName=28TEF003$
put_filter: (objectclass=computer)
put_filter: simple
put_simple_filter: objectclass=computer
put_filter: default
put_simple_filter: sAMAccountName userAccountControl
rlm_ldap: ldap_search() failed: Bad search filter: (&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl
ldap_msgfree
rlm_ldap: search failed

What am I doing wrong?

Thanks
Norbert Wegener
RE: rlm_ldap: ldap_search() failed: Bad search filter:
Looks like your syntax is wrong. Why don't you have parentheses around sAMAccountName userAccountControl? You are also missing an = between the two words.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Norbert Wegener
Sent: December 7, 2005 12:30 PM
To: FreeRadius users mailing list
Subject: rlm_ldap: ldap_search() failed: Bad search filter:
Re: rlm_ldap: ldap_search() failed: Bad search filter:
Alhagie Puye wrote: Look like your syntax is wrong The errormessage let's me assume, it is so, yes. The paranthesis did not change anything. I want to extract sAMAccountName userAccountControl from the AD and do not want to compare them. As mentioned, it works with ldapsearch and I wonder where there are the differences to rlm_ldap. Norbert Why don't you have parenthesis around sAMAccountName userAccountControl? You are also missing an = between the two words. Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Norbert Wegener Sent: December 7, 2005 12:30 PM To: FreeRadius users mailing list Subject: rlm_ldap: ldap_search() failed: Bad search filter: I am still trying to let freeradius query AD, but not yet too successfull. Using the following vars with ldapsearch, gives me the desired result, as shown below, but fails with rlm_ldap. ## server=mchm967a.tww006.sitest.net port=3268 identity=[EMAIL PROTECTED] mypass=mypass basedn=dc=TDE002,dc=SITEST,dc=NET filter=((sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl # ldapsearch -x -h $server -p $port -b $basedn $filter -D $identity -w $mypass -x # extended LDIF # # LDAPv3 # base dc=TDE002,dc=SITEST,dc=NET with scope sub # filter: ((sAMAccountName=28TEF003$)(objectclass=computer)) # requesting: sAMAccountName userAccountControl # # 28TEF003, CAT-Computers, OU16, MchP, tde002.sitest.net dn: CN=28TEF003,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=sit est,DC=net userAccountControl: 4096 sAMAccountName: 28TEF003$ # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ## So far, so good. 
When I take the same vars in radiusd.conf, I get: rlm_ldap: ldap_search() failed: Bad search filter radiusd.conf: ldap ldap1 { server=mchm967a.tww006.sitest.net port=3268 identity=[EMAIL PROTECTED] mypass=mypass basedn=dc=TDE002,dc=SITEST,dc=NET filter=((sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl ldap_debug= 0x ldap_connections_number = 5 timeout = 40 timelimit = 30 net_timeout = 10 tls { } dictionary_mapping = ${raddbdir}/ldap.attrmap } rlm_ldap: Bind was successful^M rlm_ldap: performing search in dc=TDE002,dc=SITEST,dc=NET, with filter ((sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl^M ldap_search^M put_filter: ((sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl^M put_filter: AND^M put_filter_list (sAMAccountName=28TEF003$)(objectclass=computer)^M put_filter: (sAMAccountName=28TEF003$)^M put_filter: simple^M put_simple_filter: sAMAccountName=28TEF003$^M put_filter: (objectclass=computer)^M put_filter: simple^M put_simple_filter: objectclass=computer^M put_filter: default^M put_simple_filter: sAMAccountName userAccountControl^M rlm_ldap: ldap_search() failed: Bad search filter: ((sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl^M ldap_msgfree^M rlm_ldap: search failed^M What am I doing wrong? Thanks Norbert Wegener - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request. 
Re: rlm_ldap: ldap_search() failed: Bad search filter:
Norbert Wegener wrote:
> When I take the same vars in radiusd.conf, I get:
>
> rlm_ldap: ldap_search() failed: Bad search filter
>
> radiusd.conf:
>
> ldap ldap1 {
>     server=mchm967a.tww006.sitest.net
>     port=3268
>     identity=[EMAIL PROTECTED]
>     mypass=mypass
>     basedn=dc=TDE002,dc=SITEST,dc=NET
>     filter=(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl

I don't think you can append a list of attributes to the filter (like in ldap_search).

--
Nicolas Baradakis
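The point Nicolas makes, shown with a small filter checker. This is an added example, not rlm_ldap or OpenLDAP code; it assumes the leading & in the filter that the "put_filter: AND" debug line implies, and the function names are my own.

```python
"""Minimal RFC 4515 search-filter checker, added here as an example (it is not
rlm_ldap or OpenLDAP code). It reproduces why the filter from the thread is
rejected: a filter is exactly one balanced, parenthesised expression, so the
attribute list "sAMAccountName userAccountControl" is trailing text. That list
is an ldapsearch command-line argument, not part of the filter string."""
import re

# One simple item: attribute, comparison operator, value (value may be empty or '*').
_ITEM = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*$")


def _parse(s: str, i: int) -> int:
    """Parse one filter that must start at s[i] == '('; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":       # AND / OR: one or more nested filters
        i += 1
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"'{s[i - 1]}' needs a nested filter at offset {i}")
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif i < len(s) and s[i] == "!":      # NOT: exactly one nested filter
        i = _parse(s, i + 1)
    else:                                 # simple item: everything up to the next ')'
        j = s.find(")", i)
        if j < 0 or not _ITEM.match(s[i:j]):
            raise ValueError(f"bad simple filter item at offset {i}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def check_filter(s: str) -> tuple:
    """Return (ok, reason); anything left after the outermost ')' is an error."""
    try:
        end = _parse(s, 0)
    except ValueError as e:
        return False, str(e)
    if end != len(s):
        return False, f"trailing text after filter: {s[end:].strip()!r}"
    return True, "ok"


# Samples from the thread. The '&' is assumed from the "put_filter: AND" debug line.
BAD = "(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl"
GOOD = "(&(sAMAccountName=28TEF003$)(objectclass=computer))"

if __name__ == "__main__":
    for f in (BAD, GOOD):
        print(f"{f!r}: {check_filter(f)}")
```

In rlm_ldap the attributes to fetch are not part of the filter at all; they come from the attribute mapping file (ldap.attrmap in the posted config).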
MySQL accounting stop query
I noticed that the stop query changed at some point between 0.9.3 and 1.0.1. Here are the queries:

## 0.9.3 ##
accounting_stop_query = UPDATE ${acct_table2}
    SET AcctStopTime = '%S',
        AcctSessionTime = '%{Acct-Session-Time}',
        AcctInputOctets = '%{Acct-Input-Octets}',
        AcctOutputOctets = '%{Acct-Output-Octets}',
        AcctTerminateCause = '%{Acct-Terminate-Cause}',
        AcctStopDelay = '%{Acct-Delay-Time}',
        ConnectInfo_stop = '%{Connect-Info}'
    WHERE AcctSessionId = '%{Acct-Session-Id}'
      AND UserName = '%{SQL-User-Name}'
      AND NASIPAddress = '%{NAS-IP-Address}'
      AND AcctStopTime = 0

## 1.0.1 (same as 1.0.5) ##
accounting_stop_query = UPDATE ${acct_table2}
    SET AcctStopTime = '%S',
        AcctSessionTime = '%{Acct-Session-Time}',
        AcctInputOctets = '%{Acct-Input-Octets}',
        AcctOutputOctets = '%{Acct-Output-Octets}',
        AcctTerminateCause = '%{Acct-Terminate-Cause}',
        AcctStopDelay = '%{Acct-Delay-Time}',
        ConnectInfo_stop = '%{Connect-Info}'
    WHERE AcctSessionId = '%{Acct-Session-Id}'
      AND UserName = '%{SQL-User-Name}'
      AND NASIPAddress = '%{NAS-IP-Address}'

Notice the last item in the WHERE clause is missing in the later version. After looking at the data in my own radacct table, it looks like the change would cut down on duplicates, but at the cost of modifying rows that are potentially days or weeks old with new stoptime data. If the NAS reuses SessionID for the same user 2 weeks after the initial use, then the user will end up with a 2 week long session and, if sqlcounter is in use, will likely be shut off. It seems the 0.9.3 version is safer. I don't see specific mention of the change in the ChangeLog. Was there a reason for the change?

I am working out the details of a modification of my own. At this point the WHERE clause looks like this (untested):

WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
  AND ABS(UNIX_TIMESTAMP(AcctStartTime) - UNIX_TIMESTAMP(DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND))) < 3600

Basically, it uses AcctUniqueId, which is a hash of AcctSessionId (from the NAS), the NAS-IP, UserName, and Nas-Port, and then makes sure the AcctStartTime already in the table is within an hour of the derived time based on the stoptime and the session length.

NOTE: Those using MySQL 5.0+ can use TIMESTAMPDIFF instead of converting and subtracting.

I think this change should help reduce duplicate accounting entries. It will incur some added load for the date calc, but I'm hoping not too much given the AcctUniqueId should be indexed and have a low number of duplicates.

Any thoughts?

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
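The three WHERE clauses compared on sample data, as an added example that is not FreeRADIUS code. The AcctUniqueId stand-in, the row layout and the 14-day session-id reuse scenario are constructed for the demonstration.

```python
"""Added example (not FreeRADIUS code): the three accounting_stop_query WHERE
clauses from the thread, modelled in Python and run against a constructed
radacct table where a NAS reuses an Acct-Session-Id for the same user 14 days later."""
from dataclasses import dataclass

HOUR, DAY = 3600, 86400


@dataclass
class Row:
    acct_session_id: str
    user_name: str
    nas_ip: str
    nas_port: int
    acct_start_time: int      # epoch seconds
    acct_stop_time: int = 0   # 0 = session still open; the 0.9.3 guard relies on this

def acct_unique_id(session_id, user, nas_ip, nas_port):
    """Stand-in for the AcctUniqueId hash: a tuple of the fields the post lists
    (the real rlm_acct_unique hashes them; its exact layout is not reproduced)."""
    return (nas_ip, session_id, user, nas_port)

def where_0_9_3(row, stop):
    """0.9.3: session id, user and NAS IP match AND AcctStopTime = 0."""
    return where_1_0_1(row, stop) and row.acct_stop_time == 0

def where_1_0_1(row, stop):
    """1.0.1 / 1.0.5: session id, user and NAS IP match; no AcctStopTime guard."""
    return (row.acct_session_id, row.user_name, row.nas_ip) == (
        stop["session_id"], stop["user"], stop["nas_ip"])

def where_proposed(row, stop):
    """Dennis's proposal: AcctUniqueId matches, and the stored AcctStartTime lies
    within an hour of (stop time - session time - delay time)."""
    uid = acct_unique_id(stop["session_id"], stop["user"], stop["nas_ip"], stop["nas_port"])
    derived_start = stop["now"] - (stop["session_time"] + stop["delay"])
    return (acct_unique_id(row.acct_session_id, row.user_name, row.nas_ip, row.nas_port) == uid
            and abs(row.acct_start_time - derived_start) < HOUR)

def rows_updated(table, stop, clause):
    """Indices of the rows the UPDATE would touch under the given WHERE clause."""
    return [i for i, r in enumerate(table) if clause(r, stop)]


# Constructed data: the same Acct-Session-Id "1234" appears twice for one user.
T0 = 1_133_913_600
TABLE = [
    Row("1234", "jdoe", "10.0.0.1", 7, T0, acct_stop_time=T0 + 600),  # old, already closed
    Row("1234", "jdoe", "10.0.0.1", 7, T0 + 14 * DAY),                # new, still open
]
# Stop record for the new session: 890 s long, 10 s delay, sent 900 s after its start.
STOP = {"session_id": "1234", "user": "jdoe", "nas_ip": "10.0.0.1", "nas_port": 7,
        "now": T0 + 14 * DAY + 900, "session_time": 890, "delay": 10}

if __name__ == "__main__":
    for name, clause in (("0.9.3", where_0_9_3), ("1.0.1", where_1_0_1), ("proposed", where_proposed)):
        print(f"{name:8s} would update rows {rows_updated(TABLE, STOP, clause)}")
```

The 1.0.1 clause rewrites the two-week-old closed row as well as the open one; the 0.9.3 guard and the proposed time window both leave it alone.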
Accounting login fail
I have in the NAS log something like this:

Dec/08/2005 00:44:33 Accounting login fail
Dec/08/2005 00:44:28 Send Accounting login message debik
Dec/08/2005 00:44:23 Send Accounting login message debik
Dec/08/2005 00:44:18 Send Accounting login message debik
Dec/08/2005 00:44:18 Authentication success 00-0F-CB-B0-06-86
Dec/08/2005 00:44:18 EAP-Success 00-0F-CB-B0-06-86
Dec/08/2005 00:44:12 Accounting logout fail
Dec/08/2005 00:44:09 EAP-Response/Identity debik
Dec/08/2005 00:44:09 EAP-Request/Identity
Dec/08/2005 00:44:08 Wireless PC connected 00-0F-CB-B0-06-86

What does it mean?
problems with real @
Hi, these are my configuration files:

users

radius Auth-Type:= Local, User-Password == radius
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

proxy.conf

realm local {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = secret
}

clients.conf

client x.x.x.x {
        secret = secret
        shortname = prueba
}

Ok. When I use the tool NtRadPing with user [EMAIL PROTECTED] and password radius, everything is OK:

Login OK: [EMAIL PROTECTED] (from client prueba port 0)

But when I try with the same user and password from a DSL modem that uses a RedBack for authentication, this error appears:

rad_recv: Access-Request packet from host 200.58.72.31:1812, id=177, length=101
        User-Name = [EMAIL PROTECTED]
        User-Password = radius
        NAS-Identifier = Redback
        NAS-Real-Port = 268438312
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 3892320806
        Connect-Info = ubr-adsl
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
    rlm_realm: Looking up realm local for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm local
    rlm_realm: Adding Stripped-User-Name = radius
    rlm_realm: Proxying request from user radius to realm local
    rlm_realm: Adding Realm = local
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 5
    users: Matched DEFAULT at 99
    users: Matched DEFAULT at 118
    users: Matched DEFAULT at 130
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password: Found Auth-Type System
auth: type System

## I think here is the mistake, but I don't understand why: in my users file I put Auth-Type == Local and in the log System appears.

  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_unix: [radius]: invalid password
  modcall[authenticate]: module unix returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/radius] (from client iRedBack port 3892320806)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 177 to 200.58.72.31:1812

I think the mistake is when it tries to authenticate, but I don't understand why: in my users file I put Auth-Type == Local and in the log System appears. How can I change it?

Thanks
Alvaro
Postgres
I am new to this freeradius server; can you give me some idea on how to authenticate freeradius in a postgres database? Also, I need a sample configuration to test the server. My NAS client is a CISCO (2500) with 11.3 IOS. Help is highly appreciated. Thank you...

Nuel
Re: problems with real @
[EMAIL PROTECTED] wrote:
> Ok. When I use the tool NtRadPing with user [EMAIL PROTECTED] and password radius, everything is OK:
>
> Login OK: [EMAIL PROTECTED] (from client prueba port 0)

And what does the debug log say?

> But when I try with the same user and password from a DSL modem that uses a RedBack for authentication, this error appears:
...
> rad_recv: Access-Request packet from host 200.58.72.31:1812, id=177, length=101
...

Compare the debug log from the working session to this one. The differences are the cause of the problem.

>     users: Matched DEFAULT at 99
>     users: Matched DEFAULT at 118
>     users: Matched DEFAULT at 130

You may try looking at those lines of the users file.

Alan DeKok.
How many Request handle by Free Radius at same time from same client.
Hi All

I have one question: how many requests can Free Radius handle at the same time from the same client?

I have one Free Radius server, one client and one other server. The client sends a request to the radius server, and then the radius server will send it to the other server and wait for the reply to that request. After getting the reply from the other server, radius will do some processing and send the reply to the client.

I want to implement a Radius system such that my radius server will be able to handle 5000 requests from the client at the same time. Meaning radius is able to listen to 5000 requests from the client and then send all requests to the other server and wait. After getting the reply from the other server, radius will send the reply to the client.

How can I implement such requirements?

Thanks
Regards
Manoj Patel
Mobile: +91-9881403519
rlm_sql_mysql on FreeBSD 5.4 - Segmentation fault at startup
Hi All,

I'm having trouble getting FreeRadius (CVS) working with MySQL 5.0.15 on FreeBSD 5.4. I have been testing successfully with PostgreSQL up until now.

Running under gdb:

...
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Error retrieving group list
rlm_sql (sql): Error processing groups; rejecting user
rlm_sql (sql): Released sql socket id: 0

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 100524)]
0x08059635 in safe_unlock (instance=0x0) at modcall.c:227
227         if (instance->mutex)
(gdb) bt
#0  0x08059635 in safe_unlock (instance=0x0) at modcall.c:227
#1  0x0805971c in call_modsingle (component=1, sp=0x8139140, request=0x806f800, default_result=6) at modcall.c:258
#2  0x08059dc6 in modcall (component=1, c=0x8139140, request=0x806f800) at modcall.c:590
#3  0x0805979f in call_one (component=1, p=0x8139140, request=0x806f800, priority=0xbfbfd1e0, result=0xbfbfd1e4) at modcall.c:287
#4  0x08059896 in call_modgroup (component=1, g=0x8135ec0, request=0x806f800, default_result=6) at modcall.c:342
#5  0x08059d3b in modcall (component=1, c=0x8135ec0, request=0x806f800) at modcall.c:575
#6  0x0805876c in indexed_modcall (comp=1, idx=0, request=0x806f800) at modules.c:428
#7  0x08059271 in module_authorize (autz_type=0, request=0x806f800) at modules.c:936
#8  0x0804d412 in rad_authenticate (request=0x806f800) at auth.c:548
#9  0x0805e00a in rad_respond (request=0x806f800, fun=0x804d25c <rad_authenticate>) at request_process.c:451
#10 0x0805fbad in thread_pool_addrequest (request=0x806f800, fun=0x804d25c <rad_authenticate>) at threads.c:901
#11 0x0805be34 in main (argc=2, argv=0xbfbfebfc) at radiusd.c:668

I noticed that people have had somewhat similar problems (http://lists.cistron.nl/pipermail/freeradius-users/2005-September/047030.html), but I'm not sure that this is the same thing.

Matthew.
Re: How many Request handle by Free Radius at same time from same client.
Manojkumar Patel [EMAIL PROTECTED] wrote:
> How many Request handle by Free Radius at same time from same client.

It depends on RAM, CPU, etc.

> I want to implement a Radius system such that my radius server will be able to handle 5000 requests from the client at the same time. Meaning radius is able to listen to 5000 requests from the client and then send all requests to the other server and wait. After getting the reply from the other server, radius will send the reply to the client.

Receive 5000 requests before sending any reply to the client? I doubt that's the way it works.

FreeRADIUS is deployed in sites with millions of users. 5000 users is a very small site.

Alan DeKok.
RE: How many Request handle by Free Radius at same time from same client.
Hi

First, thanks.

Suppose I have the latest config in my system (P-V, 135 GB HDD, 512 MB RAM, etc.), then? Forget about the system configuration. Tell me, how many requests are handled by the free radius server from the same client at the same time?

Thanks
Regards
Manoj Patel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, December 08, 2005 12:22 PM
To: FreeRadius users mailing list
Subject: Re: How many Request handle by Free Radius at same time from same client.

> Manojkumar Patel [EMAIL PROTECTED] wrote:
>> How many Request handle by Free Radius at same time from same client.
>
> It depends on RAM, CPU, etc.
>
>> I want to implement a Radius system such that my radius server will be able to handle 5000 requests from the client at the same time. Meaning radius is able to listen to 5000 requests from the client and then send all requests to the other server and wait. After getting the reply from the other server, radius will send the reply to the client.
>
> Receive 5000 requests before sending any reply to the client? I doubt that's the way it works.
>
> FreeRADIUS is deployed in sites with millions of users. 5000 users is a very small site.
>
> Alan DeKok.