Re: bug in rlm_ldap?
Dusty Doris wrote:
> ...
> If this is your users file, it's incorrect. Notice the placement of
> commas. The check-items should be on one line separated by commas. The
> reply items should be over multiple lines separated by a comma, except
> for the last line.
>
> HOST/lnxad.tde002.sitest.net, User-Category != 515
>         Fall-Through = no
>
> HOST/lnxad.tde002.sitest.net, User-Category == 515
>         Fall-Through = no
>
> HOST/lnxad.tde002.sitest.net, Auth-Type := Reject

I changed the users file as you recommended, the ldap.attrmap contains the additional line:

checkItem User-Category primaryGroupID

Unfortunately also in this case only the Reject entry matches, although the primaryGroupID seems to be passed to User-Category:

radiusd -AX
.
rlm_ldap: looking for check items in directory...
ldap_get_values
ldap_get_values
rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category == 515
ldap_get_values

Any ideas, what's going wrong?

Thanks
Norbert

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius cannot Authenticate to Windows AD
Hi, Same thing has happened, I still can not authenticate to WindowsAD. Same Error is displayed when i debug radiusd I put quotes arround password.. radtest user 'mypass' 192.168.1.1:1812 1812 testing123 or radtest user 'mypass' 192.168.1.1:1812 1812 testing123 What do you think is the problem? On 12/16/05, Alhagie Puye <[EMAIL PROTECTED]> wrote: Put quotes around the passwordone thing I learned. That will take you further. I have a working config. So, please let me know if you are still running into problems. P.S. I will be posting a doc on the wiki once I'm done with testing. Alhagie Puye - Network EngineerDatawave Group of Companies(604)295-1817 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael CalizoSent: December 15, 2005 8:26 PMTo: Freeradius-Users@lists.freeradius.orgSubject: FreeRadius cannot Authenticate to Windows AD Hi Guru's,I have installed freeradius and used each LDAP module to authenticate to WINDOWS 2003 AD. The problem is it cant do the authentication, seems that i missed the radius.conf LDAP module configuration which causes the LDAP module to failed when connecting to MSAD. Below is my radius.conf config file.Hoping that you guys can help me, coz i have been googling all day for this config and i can not make this thing work... Thnx in advance.. radius.conf:ldap { server = "oberon.chikka.ph" # identity = "cn=admin,o=My Org,c=UA" identity = "cn=backops,cn=Admin,dc=chikka,dc=ph" password = [EMAIL PROTECTED]@n # password = mypass basedn = "dc=chikka,dc=ph" # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})" #filter = "(SamAccountName=%U)" #filter = "(SamAccountName=%u)" # base_filter = "(objectclass=radiusprofile)" base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))" filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. 
# The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess"ictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }Here is my the radiusd -X -A LOG...rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59 User-Name = "myaccount" User-Password = "mypass" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 Processing the authorize section of radiusd.confmodcall: entering group authorize for r
After the manual's config, chap wont work with LDAP
Hi all,

We've got our freeradius servers working with LDAP fine, except for CHAP. Originally, the logs were saying "Invalid user \\user", but we fixed that by enabling an option in radiusd.conf.

Now, when we dial up without encrypted password enabled, the connection comes through successfully. However, when we enable the encrypted password option and try again, we get:

Thu Dec 15 18:12:52 2005 : Auth: Login incorrect (rlm_ldap: empty password supplied): [username/] (from client 123.123.123.123 port 3088 cli 2125550404)

It's saying the password is empty, but we are indeed using a password. Does anyone have any ideas? We've followed the instructions in the FAQ (CHAP above LDAP in the authorize section, no := Auth-Type, etc.). It just doesn't seem to want to recognize that a password is being entered. For the record, no query hits the LDAP server during a CHAP authentication, so it's obviously something with the config of freeradius.

Thanks for any help!

-Matt
RE: several LDAP servers to authenticate ?
Hi Frank,

Take a look at 'configurable_failover' in the doc directory. This describes how to do what you want.

regards,
Mike

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Frank Bonnet
> Sent: Friday, 16 December 2005 3:38 AM
> To: FreeRadius users mailing list
> Subject: several LDAP servers to authenticate ?
>
> Hello
>
> I actually use freeradius to authenticate wi-fi users thru
> the chillispot software.
>
> Our freeradius server use our LDAP as backend and everything
> runs well now I would like to know if it is possible to use
> _several_ LDAP servers with freeradius with a kind of the
> following mechanism :
>
> If the login is not found on our local LDAP server it will be
> search on the next LDAP server in a list and so on until all
> LDAP servers have been searched ?
>
> Thanks a lot
> --
> Regards
> Frank
RE: FreeRadius cannot Authenticate to Windows AD
Put quotes around the passwordone thing I learned. That will take you further. I have a working config. So, please let me know if you are still running into problems. P.S. I will be posting a doc on the wiki once I'm done with testing. Alhagie Puye - Network EngineerDatawave Group of Companies(604)295-1817 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael CalizoSent: December 15, 2005 8:26 PMTo: Freeradius-Users@lists.freeradius.orgSubject: FreeRadius cannot Authenticate to Windows AD Hi Guru's,I have installed freeradius and used each LDAP module to authenticate to WINDOWS 2003 AD. The problem is it cant do the authentication, seems that i missed the radius.conf LDAP module configuration which causes the LDAP module to failed when connecting to MSAD. Below is my radius.conf config file.Hoping that you guys can help me, coz i have been googling all day for this config and i can not make this thing work... Thnx in advance.. radius.conf:ldap { server = "oberon.chikka.ph" # identity = "cn=admin,o=My Org,c=UA" identity = "cn=backops,cn=Admin,dc=chikka,dc=ph" password = [EMAIL PROTECTED]@n # password = mypass basedn = "dc=chikka,dc=ph" # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})" #filter = "(SamAccountName=%U)" #filter = "(SamAccountName=%u)" # base_filter = "(objectclass=radiusprofile)" base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))" filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. 
# The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess"ictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. 
# # password_attribute = userPassword groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }Here is my the radiusd -X -A LOG...rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59 User-Name = "myaccount" User-Password = "mypass" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 Processing the authorize section of radiusd.confmodcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix"
FreeRadius cannot Authenticate to Windows AD
Hi Gurus,

I have installed freeradius and used each LDAP module to authenticate to WINDOWS 2003 AD. The problem is it can't do the authentication, seems that I missed the radius.conf LDAP module configuration which causes the LDAP module to fail when connecting to MSAD. Below is my radius.conf config file. Hoping that you guys can help me, coz I have been googling all day for this config and I can not make this thing work...

Thnx in advance..

radius.conf:

ldap {
        server = "oberon.chikka.ph"
        # identity = "cn=admin,o=My Org,c=UA"
        identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
        password = [EMAIL PROTECTED]@n
        # password = mypass
        basedn = "dc=chikka,dc=ph"
        # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
        #filter = "(SamAccountName=%U)"
        #filter = "(SamAccountName=%u)"
        # base_filter = "(objectclass=radiusprofile)"
        base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"
        ictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        # 0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}

Here is my radiusd -X -A LOG...

rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59
        User-Name = "myaccount"
        User-Password = "mypass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "myaccount", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myaccount" with password "mypass"
radius_xlat: '(&(sAMAccountName=myaccount)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain
Reply message from the sqlcounter module
Just added the sqlcounter to my FreeRadius configuration. Stumbled over the "Your maximum never usage time has been reached" reply message for my noresetcounter (refer to doc/rlm_sqlcounter). Changed it to: "Your maximum access time has been reached" for the 'never' case. Here my Q&D solution: Change in freeradius-1.0.5/src/modules/rlm_sqlcounter/rlm_sqlcounter.c diff rlm_sqlcounter.c rlm_sqlcounter.c.ORIG 668,672c668 < if (strcmp(data->reset, "never") == 0) { < snprintf(msg, sizeof(msg), "Your maximum access time has been reached"); < } else { < snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", data->reset); < } --- > snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", data->reset); - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
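Review bot: the diff is taken in the reverse direction (`diff rlm_sqlcounter.c rlm_sqlcounter.c.ORIG`), so the five `<` lines at 668-672 are the new code and the single `>` line is the original; fed to patch as posted it would take the change out rather than put it in. Regenerating it as `diff -u rlm_sqlcounter.c.ORIG rlm_sqlcounter.c` makes it apply forward and gives it context lines, which matters because bare line numbers only fit an unmodified 1.0.5 tree. In the new `never` branch the message is a constant passed as the format string; that is safe as written, but `snprintf(msg, sizeof(msg), "%s", "Your maximum access time has been reached")` keeps it safe if someone later puts a `%` into the text.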
Re: Checkitems
> Maybe my last question was unclear this morning. Therefore I would like
> to rephrase it:
> Checkitems may be defined via ldap.attrmap e.g. like:
>
> checkItem User-Category primaryGroupID
>
> Those items, retrieved from an ldapserver and thus not part of the
> request: Are they supposed to be accessible by following modules?
> In a case like this in radiusd.conf:
>
> authorize {
>         ldap {
>                 notfound = return
>         }
>         files
> }
>
> Should the files module have access to a check item User-Category ?
> Thanks

I'm not sure, I've never tried that before, but I don't believe you can. I think you'd need to use xlat for that. Grep for xlat in doc/rlm_ldap.

You could certainly use that ldap attribute as an Ldap-Group item, if you are going to be keying off of it a lot.

in radiusd.conf

groupmembership_attribute = "primaryGroupID"

Then in the users file

DEFAULT Ldap-Group != "xxx", Auth-Type := Reject

or something like that.
Re: bug in rlm_ldap?
##
HOST/lnxad.tde002.sitest.net User-Category != 515
        Fall-Through = No,
HOST/lnxad.tde002.sitest.net User-Category == 515
        Fall-Through = No,
HOST/lnxad.tde002.sitest.net Auth-Type := Reject
##

If this is your users file, it's incorrect. Notice the placement of commas. The check-items should be on one line separated by commas. The reply items should be over multiple lines separated by a comma, except for the last line.

HOST/lnxad.tde002.sitest.net, User-Category != 515
        Fall-Through = no

HOST/lnxad.tde002.sitest.net, User-Category == 515
        Fall-Through = no

HOST/lnxad.tde002.sitest.net, Auth-Type := Reject
Re: problems with freeradius 1.0.5
the strange thing is that the 1.0.2 config file gives this error but also the default 1.0.5 config file

Rick

Mikhail Zolikoff wrote:
> It's probably something simple, like an errant bracket. If you have the
> same error but the same number [1682], it makes me think that something
> was replaced in the upgrade but didn't properly clean up the file.
>
> Riccardo Veraldi wrote:
>> Yes these are the messages running radiusd -A -X
>> any hints ?
>>
>> thanks
>>
>> Rick
>>
>> Doug Hardie wrote:
>>> On Dec 15, 2005, at 05:42, Riccardo Veraldi wrote:
>>>
>>>> hello
>>>> I upgraded from freeradius 1.0.2 to 1.0.5 and nothing works anymore
>>>> I have this error:
>>>> radiusd.conf[1682] Unknown Auth-Type "Pam" in authenticate section.
>>>> commenting out pam then I got this
>>>> radiusd.conf[1682] Unknown Auth-Type "System" in authenticate section.
>>>> and so if I comment out "unix" in the radiusd.conf file I get this error:
>>>> rlm_eap_gtc: Unknown Auth-Type PAP
>>>> rlm_eap: Failed to initialize type gtc
>>>> anyone has some hints ??
>>>
>>> Run the server with -X and check for error messages.
Re: No matching entry in the database for request from user
I just tested the exact same setup but this time accessing this radius server directly (instead of thru a proxy) and it works fine. So the proxy is changing something. Thoughts? Bill Schoolfield wrote: Hello, I'm getting "No matching entry in the database for request from user" returned from the sql lookup. Below I have the radclient and server diagnostics interlaced. All look correct and the querries are good (see below for them). What is wrong? Bill /usr/local/bin/radclient -x -f radclient.dat2 "194.54.234.234:1814" auth example Sending Access-Request of id 33 to 194.54.234.234:1814 Acct-Session-Id = "606B" User-Name = "[EMAIL PROTECTED]" User-Password = "example" NAS-IP-Address = 194.126.63.86 NAS-Port-Id = "32" NAS-Port-Type = Async Service-Type = Framed-User Framed-Protocol = PPP rad_recv: Access-Request packet from host 194.54.234.234:1814, id=29, length=94 Acct-Session-Id = "606B" User-Name = "GLF002" User-Password = "example" NAS-IP-Address = 194.126.63.86 NAS-Port-Id = "32" NAS-Port-Type = Async Service-Type = Framed-User Framed-Protocol = PPP Proxy-State = 0x30303164 rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, opFROM radcheck WHERE Username = 'GLF002' ORDER BY id rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'GLF002' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, opFROM radreply WHERE Username = 'GLF002' ORDER BY id rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'GLF002' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): No matching entry in the database for request from user [GLF002] rlm_sql 
(sql): Released sql socket id: 4 Re-sending Access-Request of id 33 to 194.54.234.234:1814 Acct-Session-Id = "606B" User-Name = "[EMAIL PROTECTED]" User-Password = "\291\246\352\320\006\303p\316\230\n%\353\255\202J\341" Group = "default" NAS-IP-Address = 194.126.63.86 NAS-Port-Id = "32" NAS-Port-Type = Async Service-Type = Framed-User Framed-Protocol = PPP rad_recv: Access-Request packet from host 194.54.234.234:1814, id=29, length=94 Sending Access-Reject of id 29 to 194.54.234.234:1814 Proxy-State = 0x30303164 rad_recv: Access-Reject packet from host 194.54.234.234:1814, id=33, length=54 Reply-Message = "Proxied request" Reply-Message = "Proxied request" Here are the querries from above. They all work: mysql> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'GLF002' ORDER BY id; +---++-+---++ | id| UserName | Attribute | Value | op | +---++-+---++ | 60647 | GLF002 | Crypt-Password | SMVdbmrqLzh2A | == | | 60648 | GLF002 | Session-Timeout | 7200 | == | +---++-+---++ 2 rows in set (0.00 sec) mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'GLF002' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id; ++---+--+-++ | id | GroupName | Attribute| Value | op | ++---+--+-++ | 1 | default | Auth-Type| Pap | := | | 2 | default | Service-Type | Framed-User | := | | 3 | default | Framed-Protocol | PPP | := | | 4 | default | Simultaneous-Use | 1 | := | ++---+--+-++ 4 rows in set (0.00 sec) mysql> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'GLF002' ORDER BY id; +++--+---++ | id | UserName | Attribute| Value | op | +++--+---++ | 11 | GLF002 | Simultaneous-Use | 1 | := | +++--+---++ 1 row in set (0.00 sec) mysql> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 
'GLF002' AND usergroup.GroupName = radgroupreply.GroupNa
No matching entry in the database for request from user
Hello,

I'm getting "No matching entry in the database for request from user" returned from the sql lookup. Below I have the radclient and server diagnostics interlaced. All look correct and the queries are good (see below for them). What is wrong?

Bill

/usr/local/bin/radclient -x -f radclient.dat2 "194.54.234.234:1814" auth example
Sending Access-Request of id 33 to 194.54.234.234:1814
        Acct-Session-Id = "606B"
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "example"
        NAS-IP-Address = 194.126.63.86
        NAS-Port-Id = "32"
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
rad_recv: Access-Request packet from host 194.54.234.234:1814, id=29, length=94
        Acct-Session-Id = "606B"
        User-Name = "GLF002"
        User-Password = "example"
        NAS-IP-Address = 194.126.63.86
        NAS-Port-Id = "32"
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Proxy-State = 0x30303164
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'GLF002' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'GLF002' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'GLF002' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'GLF002' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): No matching entry in the database for request from user [GLF002]
rlm_sql (sql): Released sql socket id: 4
Re-sending Access-Request of id 33 to 194.54.234.234:1814
        Acct-Session-Id = "606B"
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "\291\246\352\320\006\303p\316\230\n%\353\255\202J\341"
        Group = "default"
        NAS-IP-Address = 194.126.63.86
        NAS-Port-Id = "32"
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
rad_recv: Access-Request packet from host 194.54.234.234:1814, id=29, length=94
Sending Access-Reject of id 29 to 194.54.234.234:1814
        Proxy-State = 0x30303164
rad_recv: Access-Reject packet from host 194.54.234.234:1814, id=33, length=54
        Reply-Message = "Proxied request"
        Reply-Message = "Proxied request"

Here are the queries from above. They all work:

mysql> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'GLF002' ORDER BY id;
+-------+----------+-----------------+---------------+----+
| id    | UserName | Attribute       | Value         | op |
+-------+----------+-----------------+---------------+----+
| 60647 | GLF002   | Crypt-Password  | SMVdbmrqLzh2A | == |
| 60648 | GLF002   | Session-Timeout | 7200          | == |
+-------+----------+-----------------+---------------+----+
2 rows in set (0.00 sec)

mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'GLF002' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
+----+-----------+------------------+-------------+----+
| id | GroupName | Attribute        | Value       | op |
+----+-----------+------------------+-------------+----+
| 1  | default   | Auth-Type        | Pap         | := |
| 2  | default   | Service-Type     | Framed-User | := |
| 3  | default   | Framed-Protocol  | PPP         | := |
| 4  | default   | Simultaneous-Use | 1           | := |
+----+-----------+------------------+-------------+----+
4 rows in set (0.00 sec)

mysql> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'GLF002' ORDER BY id;
+----+----------+------------------+-------+----+
| id | UserName | Attribute        | Value | op |
+----+----------+------------------+-------+----+
| 11 | GLF002   | Simultaneous-Use | 1     | := |
+----+----------+------------------+-------+----+
1 row in set (0.00 sec)

mysql> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'GLF002' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id;
+----+-----------+-----------+-------+----+
| id | GroupName | Attribute | Value | op |
++---+---+-
Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Ok, I solved the problem. The PEAP of freeRadius 1.0.1 on solaris cannot work correctly. After I upgraded the server to 1.0.5, it is working.

Jie

On 12/14/05, Jie Yang <[EMAIL PROTECTED]> wrote:
> Hi,
> I removed "@domain", but still the same error. I also run an AEGIS
> v.2.0.5 (a very old version though) with same supplicant configuration,
> which also gave me the same error. It seems to me there might be
> something wrong at the server side. But I don't know where. my
> freeradius version is 1.0.1.
> thanks for your suggestion though.
> Jie
>
> On 12/14/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
>> Jie Yang wrote:
>>> Hi, All,
>>> When I tried to develop PEAP at client side, I found I am always rejected by
>>> the server. The following is the log. what might be wrong?
>>
>> You almost certainly need to strip the "@domain" off the username before
>> mschap sees it - the username is used in calculating the challenge
>> response.
>>
>> See the "realms" module, specifically you'll want the "suffix" instance
>> in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and
>> proxying turned on.
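The point quoted in this thread, that the username is part of the MS-CHAPv2 challenge calculation, shown as an added example (not code from the thread or from FreeRADIUS). It implements only the ChallengeHash step of RFC 2759 section 8.2; the user name "jie", the helper `strip_realm` and the function `diagnose` are assumptions made for illustration, and the two challenges are the sample values from RFC 2759 section 9.2.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    The 8-octet challenge that feeds the NT-Response is the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName), so any change
    to the user name changes the expected response.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(user_name.encode("ascii"))
    return sha.digest()[:8]


def strip_realm(user_name: str) -> str:
    """Hypothetical stand-in for a suffix realm strip: drop a trailing @realm."""
    name, sep, _realm = user_name.rpartition("@")
    return name if sep else user_name


def diagnose(supplicant_name: str, radius_user_name: str,
             peer_challenge: bytes, authenticator_challenge: bytes) -> list:
    """Return which server-side forms of the name reproduce the supplicant's hash.

    supplicant_name  -- the name the client put into its own ChallengeHash
    radius_user_name -- the User-Name attribute as it arrived at the server
    """
    expected = challenge_hash(peer_challenge, authenticator_challenge,
                              supplicant_name)
    candidates = {
        "User-Name": radius_user_name,
        "Stripped-User-Name": strip_realm(radius_user_name),
    }
    return [
        form for form, name in candidates.items()
        if challenge_hash(peer_challenge, authenticator_challenge, name) == expected
    ]


# Sample challenges from RFC 2759 section 9.2.
AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

if __name__ == "__main__":
    # Constructed case: the supplicant hashed the bare name, while the
    # User-Name attribute still carries the realm.
    for supplicant, user_name in (("jie", "jie@spirentcom.com"),
                                  ("jie@spirentcom.com", "jie@spirentcom.com")):
        matches = diagnose(supplicant, user_name,
                           PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE)
        print(f"supplicant={supplicant!r} User-Name={user_name!r} -> {matches}")
```

When the list returned by `diagnose` does not contain the form of the name the mschap module is given, the server computes a different challenge and rejects a correct password.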
Re: radclient ignores 'Group' attribute
Alan,

I got a little mixed up. I was thinking the sql query would use the group attribute along with the username (as though the group mechanism supported users with the same name in different groups). I know better now.

What was actually happening (I should have looked at the sql closer) is one of the queries (the one for radreply) was failing because I put no user specific attributes there. Do I have to supply a dummy (constant) attribute per user? Right now, all attributes to be returned appear in the radgroupreply table.

Thanks for your quick response.

Bill

Alan DeKok wrote:
> Bill Schoolfield <[EMAIL PROTECTED]> wrote:
>> Here's our problem; the proxy works fine but the authentication
>> (actually the user lookup) is failing when testing via radclient. The
>> user lookup fails because the 'Group' attribute in the referenced
>> attribute file (-f file) is being ignored (not sent) by radclient.
>> Why is this? Is there a workaround?
>
> The "Group" attribute is specific to the internals of FreeRADIUS.
> It *can't* go on the wire.
>
> Perhaps you could say what you're trying to do...
>
> Alan DeKok.

--
Bill Schoolfield
Vice President, BillMax
[EMAIL PROTECTED]
877.245.5629 (USA toll free)
817.446.7776 (International)
Re: Need "account valid for" attribute/counter (continuous time)
FYI: Usable format for the Freeradius/Radius Expiration attribute (one of many): 15 December 2005 15:33:00
Re: radclient ignores 'Group' attribute
Bill Schoolfield <[EMAIL PROTECTED]> wrote:
> Here's our problem; the proxy works fine but the authentication
> (actually the user lookup) is failing when testing via radclient. The
> user lookup fails because the 'Group' attribute in the referenced
> attribute file (-f file) is being ignored (not sent) by radclient.
> Why is this? Is there a workaround?

The "Group" attribute is specific to the internals of FreeRADIUS. It *can't* go on the wire.

Perhaps you could say what you're trying to do...

Alan DeKok.
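Why an attribute numbered 1005 cannot be sent, as an added example (not radclient or FreeRADIUS code): a standard RADIUS attribute is a type/length/value triple whose type field is a single octet (RFC 2865), so the number 1005 from the thread's dictionary line has no wire encoding and an encoder can only leave it out. The attribute list follows the file posted in the thread; the User-Name value is constructed, User-Password is omitted because encoding it needs the shared secret, and all function names are assumptions.

```python
import ipaddress
import struct

# Attribute numbers from RFC 2865, 2866 and 2869; "Group = 1005" is the
# dictionary entry quoted in the thread.
DICTIONARY = {
    "User-Name": (1, "string"),
    "NAS-IP-Address": (4, "ipaddr"),
    "Service-Type": (6, "integer"),
    "Framed-Protocol": (7, "integer"),
    "Acct-Session-Id": (44, "string"),
    "NAS-Port-Type": (61, "integer"),
    "NAS-Port-Id": (87, "string"),
    "Group": (1005, "string"),
}
# Named integer values (RFC 2865).
VALUES = {
    "Service-Type": {"Framed-User": 2},
    "Framed-Protocol": {"PPP": 1},
    "NAS-Port-Type": {"Async": 0},
}

# Constructed sample in the "Name = value," layout of the posted file.
SAMPLE_ATTRIBUTE_FILE = """
Acct-Session-Id = "606B",
User-Name = "user@example.org",
Group = "default",
NAS-IP-Address = 127.0.0.1,
NAS-Port-Id = 32,
NAS-Port-Type = Async,
Service-Type = Framed-User,
Framed-Protocol = PPP
"""


def parse_pairs(text: str) -> list:
    """Parse 'Name = value,' lines into (name, value) tuples."""
    pairs = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line:
            continue
        name, _, value = line.partition("=")
        pairs.append((name.strip(), value.strip().strip('"')))
    return pairs


def encode_value(name: str, kind: str, value: str) -> bytes:
    """Encode one value according to its dictionary type."""
    if kind == "string":
        return value.encode("ascii")
    if kind == "ipaddr":
        return ipaddress.IPv4Address(value).packed
    named = VALUES.get(name, {})
    return struct.pack("!I", named[value] if value in named else int(value))


def encode_attributes(pairs: list) -> tuple:
    """Return (wire_bytes, dropped_names) for a list of attribute pairs.

    Each attribute is Type (1 octet), Length (1 octet, header included) and
    Value. A number above 255 does not fit the Type octet, so it is dropped.
    """
    wire = b""
    dropped = []
    for name, value in pairs:
        number, kind = DICTIONARY[name]
        if number > 255:
            dropped.append(name)
            continue
        data = encode_value(name, kind, value)
        if len(data) > 253:
            raise ValueError(f"{name}: value too long for one attribute")
        wire += bytes([number, len(data) + 2]) + data
    return wire, dropped


def decode_attribute_types(wire: bytes) -> list:
    """Walk the TLVs the way a receiver would and list the attribute types."""
    types = []
    offset = 0
    while offset < len(wire):
        types.append(wire[offset])
        offset += wire[offset + 1]
    return types


if __name__ == "__main__":
    encoded, left_out = encode_attributes(parse_pairs(SAMPLE_ATTRIBUTE_FILE))
    print("types on the wire:", decode_attribute_types(encoded))
    print("not encodable:", left_out)
```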
Checkitems
Maybe my last question was unclear this morning. Therefore I would like to rephrase it:

Checkitems may be defined via ldap.attrmap e.g. like:

checkItem User-Category primaryGroupID

Those items, retrieved from an ldapserver and thus not part of the request: Are they supposed to be accessible by following modules? In a case like this in radiusd.conf:

authorize {
        ldap {
                notfound = return
        }
        files
}

Should the files module have access to a check item User-Category ?

Thanks
Norbert Wegener
Re: problems with freeradius 1.0.5
It's probably something simple, like an errant bracket. If you have the same error but the same number [1682], it makes me think that something was replaced in the upgrade but didn't properly clean up the file.

Riccardo Veraldi wrote:
> Yes these are the messages running radiusd -A -X
> any hints ?
>
> thanks
>
> Rick
>
> Doug Hardie wrote:
>> On Dec 15, 2005, at 05:42, Riccardo Veraldi wrote:
>>
>>> hello
>>> I upgraded from freeradius 1.0.2 to 1.0.5 and nothing works anymore
>>> I have this error:
>>> radiusd.conf[1682] Unknown Auth-Type "Pam" in authenticate section.
>>> commenting out pam then I got this
>>> radiusd.conf[1682] Unknown Auth-Type "System" in authenticate section.
>>> and so if I comment out "unix" in the radiusd.conf file I get this error:
>>> rlm_eap_gtc: Unknown Auth-Type PAP
>>> rlm_eap: Failed to initialize type gtc
>>> anyone has some hints ??
>>
>> Run the server with -X and check for error messages.
Re: Need "account valid for" attribute/counter (continuous time)
Alan,

Perfect! Worked like a charm! Now, is it possible to have a more specific expiration date, i.e. "16:00 15 Dec 2005"? Or perhaps a unix date?

Alan DeKok wrote:
> Mikhail Zolikoff <[EMAIL PROTECTED]> wrote:
>> I'd like to set a "dropdead date/time" by which a user can log into my
>> Freeradius server. I'm thinking of an attribute or counter that sets or
>> performs the following:
>
> See the "expiration" attribute.
>
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radclient ignores 'Group' attribute
Hello,

We are switching out a client from cistron radius to FreeRadius with MySQL. To test things out without changes to the NASs, we are proxying certain realms to the new FreeRadius server.

Here's our problem; the proxy works fine but the authentication (actually the user lookup) is failing when testing via radclient. The user lookup fails because the 'Group' attribute in the referenced attribute file (-f file) is being ignored (not sent) by radclient. Why is this? Is there a workaround?

The Group attribute is defined in the dictionary as:

    ATTRIBUTE Group 1005 string

The attribute file used by radclient looks like:

    Acct-Session-Id = "606B",
    User-Name = "[EMAIL PROTECTED]",
    User-Password = "example",
    Group = "default",
    NAS-IP-Address = 127.0.0.1,
    NAS-Port-Id = 32,
    NAS-Port-Type = Async,
    Service-Type = Framed-User,
    Framed-Protocol = PPP

Thanks in advance for your response.

Bill
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problems with freeradius 1.0.5
Yes these are the messages running radiusd -A -X
any hints ?
thanks
Rick

Doug Hardie wrote:
> On Dec 15, 2005, at 05:42, Riccardo Veraldi wrote:
>> hello
>> I upgraded from freeradius 1.0.2 to 1.0.5 and nothing works anymore
>> I have this error:
>>
>> radiusd.conf[1682] Unknown Auth-Type "Pam" in authenticate section.
>>
>> commenting out pam then I got this
>>
>> radiusd.conf[1682] Unknown Auth-Type "System" in authenticate section.
>>
>> and so if I comment out "unix" in the radiusd.conf file I get this error:
>>
>> rlm_eap_gtc: Unknown Auth-Type PAP
>> rlm_eap: Failed to initialize type gtc
>>
>> anyone has some hints ??
>
> Run the server with -X and check for error messages.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and LDAP : to be continued
Phil Mayers <[EMAIL PROTECTED]> wrote:
> Ok, let's take a breath. First things first:
...

Could this be a Wiki page?

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: several LDAP servers to authenticate ?
Frank Bonnet <[EMAIL PROTECTED]> wrote:
> If the login is not found on our local LDAP server it will be search on
> the next LDAP server in a list and so on until all LDAP servers have
> been searched ?

doc/configurable_failover. See the "notfound" return code.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pb with Mac and EAP auth
Benoît Bianchi <[EMAIL PROTECTED]> wrote:
> In my users file I've set a list of the mac address like
> this :
...
> "001122334455" Auth-Type := Accept

Anyone logging in with that username will get accepted.

> The problem is that when doing EAP-TTLS authentication if I set the
> mac address of one of the allowed card as the login name I am
> authenticated!!!

That's what you told it to do. But it's still a bad idea.

> Is there a way to prevent this somehow? To specify that Auth-Type:=Accept
> is only for non EAP authentication ???

Yes. Read the "man" page for the "users" file. See the !* operator.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and LDAP : to be continued
> Christophe Gravier wrote:
>>>
>> My password are not stored in LDAP in clear text but hashed using SHA
>> algorithm, so this won't work ;-(
>
>
> Ok, let's take a breath.

Yes, I agree, that's why I quit for today ;-)

> First things first:
>
> If your passwords are in SHA (which they are) your Radius server will
> ONLY be able to answer PAP requests.

H that explains why I'll never make it with CHAP. I thought it would be able to get the plain text password, then use SHA to match it against ldap... But it seems PAP is required to do that (regarding your method 1.)

>
> The very first log you sent in this thread indicates you have
> ChilliSpot set to use CHAP:
>
>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> Cannot use "CHAP-Password".
> modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
>
> '''"Cannot use "CHAP-Password"''' - indicates the request (from
> ChilliSpot) came in with CHAP credentials.
>
> First, fix that. See here:
>
> http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html
>

First thing I'll do back to work.

>
>
> Next, since you have SHA passwords and can only answer PAP, you have
> two choices:
>
> 1. Extract the SHA password and add it to the config items, then
> configure the Radius servers PAP module to check it:
>
> modules {
>   pap {
>     encryption_scheme = sha1
>   }
>   ldap {
>     # settings go here
>   }
> }
>
> authorize {
>   preprocess
>   ldap
> }
> authenticate {
>   Auth-Type PAP {
>     pap
>   }
> }
>
> HOWEVER - this may not work. The "SHA" that your LDAP server uses may
> be slightly different (salting, keying) than the SHA FreeRadius uses.
>
> Much more likely to trip you up though, is when "ldap" matches in
> authorize, it will set Auth-Type = LDAP, so you either need to disable
> that or otherwise "make it work" and there are about 6 different ways
> of doing that. The most obvious would be to replace the above with:
>
> modules { as before }
> authorize { as before }
> authenticate {
>   Auth-Type LDAP {
>     pap
>   }
> }
>
> But it might not work. Alternatively and probably simpler (but less
> formally correct) is the 2nd method:
>
> 2. Configure the LDAP module to find the user, set Auth-Type==LDAP
> then authenticate the user via simple bind:
>
> authorize {
>   preprocess
>   ldap
> }
> authenticate {
>   Auth-Type LDAP {
>     ldap
>   }
> }
>
> ...and assuming the "ldap" modules is setup correctly, what will happen
> is:
>
> A. authorize called
>   1. preprocess called
>   2. suffix realm called - no-op probably
>   3. files called - no-op probably but DO NOT SET Auth-Type
>   4. ldap called - search succeeds, and "Ldap-UserDN" is set, and
>      "Auth-Type" set to "LDAP"
>
> B. authenticate called
>   1. Auth-Type == LDAP, so "ldap" called and simple bind performed
>
> And it WILL WORK.

Thank you a lot, things getting a little more clearer now. I will try these settings tomorrow morning, from method 1 and then method 2.

I am really thankful to the quality of your answer and the time you spent to write it down.

Cheers,
Christophe.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need "account valid for" attribute/counter (continuous time)
Mikhail Zolikoff <[EMAIL PROTECTED]> wrote:
> I'd like to set a "dropdead date/time" by which a user can log into my
> Freeradius server. I'm thinking of an attribute or counter that sets or
> performs the following:

See the "expiration" attribute.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and LDAP : to be continued
Christophe Gravier wrote:
> My password are not stored in LDAP in clear text but hashed using SHA
> algorithm, so this won't work ;-(

Ok, let's take a breath. First things first:

If your passwords are in SHA (which they are) your Radius server will ONLY be able to answer PAP requests.

The very first log you sent in this thread indicates you have ChilliSpot set to use CHAP:

    rlm_ldap: - authenticate
    rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
    modcall[authenticate]: module "ldap" returns invalid for request 0
    modcall: group Auth-Type returns invalid for request 0
    auth: Failed to validate the user.

'''"Cannot use "CHAP-Password"''' - indicates the request (from ChilliSpot) came in with CHAP credentials.

First, fix that. See here:

http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html

Next, since you have SHA passwords and can only answer PAP, you have two choices:

1. Extract the SHA password and add it to the config items, then configure the Radius servers PAP module to check it:

    modules {
      pap {
        encryption_scheme = sha1
      }
      ldap {
        # settings go here
      }
    }

    authorize {
      preprocess
      ldap
    }
    authenticate {
      Auth-Type PAP {
        pap
      }
    }

HOWEVER - this may not work. The "SHA" that your LDAP server uses may be slightly different (salting, keying) than the SHA FreeRadius uses.

Much more likely to trip you up though, is when "ldap" matches in authorize, it will set Auth-Type = LDAP, so you either need to disable that or otherwise "make it work" and there are about 6 different ways of doing that. The most obvious would be to replace the above with:

    modules { as before }
    authorize { as before }
    authenticate {
      Auth-Type LDAP {
        pap
      }
    }

But it might not work. Alternatively and probably simpler (but less formally correct) is the 2nd method:

2. Configure the LDAP module to find the user, set Auth-Type==LDAP then authenticate the user via simple bind:

    authorize {
      preprocess
      ldap
    }
    authenticate {
      Auth-Type LDAP {
        ldap
      }
    }

...and assuming the "ldap" modules is setup correctly, what will happen is:

A. authorize called
  1. preprocess called
  2. suffix realm called - no-op probably
  3. files called - no-op probably but DO NOT SET Auth-Type
  4. ldap called - search succeeds, and "Ldap-UserDN" is set, and "Auth-Type" set to "LDAP"

B. authenticate called
  1. Auth-Type == LDAP, so "ldap" called and simple bind performed

And it WILL WORK.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
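Why hashed directory passwords restrict the server to PAP, and why the salting caveat under method 1 matters, shown as an added example (not code from this thread or from FreeRADIUS). The password, salt and challenge are constructed sample values, and the `{SHA}`/`{SSHA}` layouts used here are the common LDAP userPassword convention, assumed rather than taken from the poster's directory.

```python
import base64
import hashlib
import hmac


def ldap_sha(password: bytes) -> str:
    """LDAP-style unsalted value: "{SHA}" + base64(SHA1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def ldap_ssha(password: bytes, salt: bytes) -> str:
    """LDAP-style salted value: "{SSHA}" + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_pap(cleartext: bytes, stored: str) -> bool:
    """PAP check: the server has the cleartext from the request, so it can
    re-hash it the same way the directory did and compare digests."""
    if stored.startswith("{SHA}"):
        want = base64.b64decode(stored[len("{SHA}"):])
        got = hashlib.sha1(cleartext).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        want, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        got = hashlib.sha1(cleartext + salt).digest()
    else:
        raise ValueError("unsupported password scheme")
    return hmac.compare_digest(got, want)


def verify_assuming_plain_sha1(cleartext: bytes, stored: str) -> bool:
    """A checker that ignores the scheme tag and assumes unsalted SHA-1.
    This models the mismatch between directory hashing and server hashing."""
    blob = base64.b64decode(stored.split("}", 1)[1])
    return hmac.compare_digest(hashlib.sha1(cleartext).digest(), blob)


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_id: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """The server must recompute the response, so it needs the same secret
    the client used, i.e. the cleartext password."""
    expected = chap_response(chap_id, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"example-pass"                  # constructed sample
    salt = b"\x01\x02\x03\x04"                  # constructed sample
    challenge = bytes(range(16))                # constructed sample
    stored_sha = ldap_sha(password)
    stored_ssha = ldap_ssha(password, salt)

    # What the client sends for CHAP: a one-way function of the cleartext.
    response = chap_response(7, password, challenge)
    sha_digest_only = base64.b64decode(stored_sha[len("{SHA}"):])

    return {
        "pap_vs_sha": verify_pap(password, stored_sha),
        "pap_vs_ssha": verify_pap(password, stored_ssha),
        "pap_wrong_password": verify_pap(b"wrong", stored_sha),
        # Salted directory hash checked by a plain-SHA-1 comparison fails
        # even though the password is right.
        "plain_sha1_vs_ssha": verify_assuming_plain_sha1(password, stored_ssha),
        # CHAP works only when the server holds the cleartext ...
        "chap_with_cleartext": verify_chap(7, challenge, response, password),
        # ... and cannot be validated from the stored digest.
        "chap_with_sha_digest": verify_chap(7, challenge, response, sha_digest_only),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
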
Re: Freeradius and LDAP : to be continued
Frank Bonnet wrote:
> Hello
>
> I have a chillispot that works with OpenLDAP on a Debian box

Strictly the same thing I want to achieve indeed ! ;-)

How are your password in your LDAP ? (clear ? hash form ?)
Moreover, except this configuration of the ldap remote server, what did you put in authorize and authenticate section ?
What did you put in the ldap.attrmap, only the mapping of the user password ?

I must admit I am losing my common sense here :-)

> here are the modifications in radiusd.conf I wrote
>
> # Lightweight Directory Access Protocol (LDAP)
> #
> # This module definition allows you to use LDAP for
> # authorization and authentication (Auth-Type := LDAP)
> #
> # See doc/rlm_ldap for description of configuration options
> # and sample authorize{} and authenticate{} blocks
> ldap {
>   server = "your.ldap.server"
>   basedn = "ou=Person,dc=domain,dc="
>   #filter = "(posixAccount)(uid=%u))"
>   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>   # base_filter = "(objectclass=radiusprofile)"
>   access_attr = "uid"
>   # Mapping of RADIUS dictionary attributes to LDAP
>   # directory attributes.
>   dictionary_mapping = ${raddbdir}/ldap.attrmap
>   ldap_connections_number = 5
>
> hope this helps

--
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problems with freeradius 1.0.5
On Dec 15, 2005, at 05:42, Riccardo Veraldi wrote:
> hello
> I upgraded from freeradius 1.0.2 to 1.0.5 and nothing works anymore
> I have this error:
>
> radiusd.conf[1682] Unknown Auth-Type "Pam" in authenticate section.
>
> commenting out pam then I got this
>
> radiusd.conf[1682] Unknown Auth-Type "System" in authenticate section.
>
> and so if I comment out "unix" in the radiusd.conf file I get this error:
>
> rlm_eap_gtc: Unknown Auth-Type PAP
> rlm_eap: Failed to initialize type gtc
>
> anyone has some hints ??

Run the server with -X and check for error messages.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and LDAP : to be continued
Hello

I have a chillispot that works with OpenLDAP on a Debian box

here are the modifications in radiusd.conf I wrote

    # Lightweight Directory Access Protocol (LDAP)
    #
    # This module definition allows you to use LDAP for
    # authorization and authentication (Auth-Type := LDAP)
    #
    # See doc/rlm_ldap for description of configuration options
    # and sample authorize{} and authenticate{} blocks
    ldap {
      server = "your.ldap.server"
      basedn = "ou=Person,dc=domain,dc="
      #filter = "(posixAccount)(uid=%u))"
      filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
      # base_filter = "(objectclass=radiusprofile)"
      access_attr = "uid"
      # Mapping of RADIUS dictionary attributes to LDAP
      # directory attributes.
      dictionary_mapping = ${raddbdir}/ldap.attrmap
      ldap_connections_number = 5

hope this helps

--
Regards
Frank Bonnet
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Need "account valid for" attribute/counter (continuous time)
Installation: Debian (sarge) + Freeradius 1.0.2 w/rlm_sqlcounter + MySQL 4.1.11 Hello, everyone! I've been trying to do the following, and I thought that I had it tonight, but I can't seem to get it: I'd like to set a "dropdead date/time" by which a user can log into my Freeradius server. I'm thinking of an attribute or counter that sets or performs the following: login-deadline or account-timeout or last-login-date or last-login-time or account-valid-for I'm not trying to limit how much a user can be logged in per unit of time (daily, monthly, etc.), but instead set the last time the user can possibly login starting from the first time they login. So, if this attribute is set to 86400, from the first time they login they can do whatever they want for a day but then they're done. Basically a continuous counter (or a math operation), whether the user is logged in or not. session-timeout works on a per session basis, so that doesn't work. Max-All-Session works like a prepaid card and only removes time in discontinuous chunks. What I really need is either an attribute or counter (like rlm_sqlcounter or rlm_counter) that can determine whether a user is close to their account deadline and let them pass through or be denied. Any thoughts? I've been banging my head against this for a while and can't seem to figure it out. I've searched just about every website and can't find a darn thing. I can get close, but nothing that takes care of the accounting without some custom programming. Thanks! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and LDAP : to be continued
Seferovic Edvin wrote: Hi, rather confusing. I have to admit, I have never used chillispot, but I've just visited their website and in FAQ I found "Why should I use CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as authorisation, but as a password storage. Okay - great.. what now? This is really good summary of the situation ;-) When you look at your radiusd.conf file there is a part where you can define your LDAP server etc.. ldap ldap_users { server = "81.xx" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=People,dc=xxx,dc=xx" filter = "(&(objectClass=posixAccount)(uid=%u))" start_tls = no .. # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 # password_header = "{clear}" password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # access_attr_used_for_allow = yes } I hope you have that right ( this is only a part of my working config ). I have : ldap { server = "my.server.name.here" basedn = "ou=person,o=istase,c=fr" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } I think this shall be rather good since I can see it searching in ldap log if I launch slapd in debug mode. (nentries = 1 : OK, it founds my userPassword using this filter -my filter seems different from yours). Also, the User-Password->userPassword mapping is done in ldap.attrmap in my case. Next, what Alan said is to change the authorisation part. 
As I said - chillispot aparently wants CHAP, so in following section use CHAP authorize { # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set Chap # here you can also have ldap_users # for radtest to work ( IMHO it should be like this ) } And in authenticate { # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap ldap_users } } As it says in authenticate section - passwords in LDAP should be in clear text... My password are not stored in LDAP in clear text but hashed using SHA algorythm, so this won't work ;-( Try this out. I cannot promise you that it will work, but it is the same way I have set up my POPTOP server with MS-CHAP, and it works.. I would also appreciate some guru to take a look at this and publish his opinion about this on this list ;) Kind regards, Edvin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christophe Gravier Sent: Donnerstag, 15. Dezember 2005 16:41 To: FreeRadius users mailing list Subject: Re: Freeradius and LDAP : to be continued Hello Edvin, First, I received my email posted to the list several times in my mail client. I higly hope this is not the case for all you ! (if it is, thunderbird didn't like to switch from the testing wireless network back to cable and vice versa, since they're all dated to the same hour) If you received only one mail, it is OK, just forget what I told ;-) For what I am trying to do: I have an existing LDAP directory with all users being able to connect to the wireless area. The hotspot architecture is : client <-> chillispot (login page served with apache2 + ssl) <-> freeradius <-> ldap. I just want my ldap users being able to connect to the hotspot. So, *at first*, I edited the conf file to let users be authenticate via LDAP. 
This way, radtest way just OK but not ChilliSpot. When I report it to the list, asking how radtest is different to chillispot login, Alan explained me: " You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the "ldap" entry from the "authenticate" section. Get radtest to work. Once that works, Chillispot will work, too." So I remove "ldap" from authentificate (I let it in authorize section thgouh). But it still doesn't solve the problem. In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set Auth-Type to LDAP. That would solve a lot of problems." I just find it dirty to hack t
Re: Freeradius and LDAP : to be continued
> rather confusing. I have to admit, I have never used chillispot, but I've
> just visited their website and in FAQ I found "Why should I use
> CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot
> uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as
> authorisation, but as a password storage. Okay - great.. what now?

You can setup chillispot to use PAP too. see the documentation about uamsecret.

--
damjan | дамјан
This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
several LDAP servers to authenticate ?
Hello I actually use freeradius to authenticate wi-fi users thru the chillispot software. Our freeradius server use our LDAP as backend and everything runs well now I would like to know if it is possible to use _several_ LDAP servers with freeradius with a kind of the following mechanism : If the login is not found on our local LDAP server it will be search on the next LDAP server in a list and so on until all LDAP servers have been searched ? Thanks a lot -- Regards Frank - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Cisco-AVPair SQL accounting (attr. not duplicated)
Try using += as the op, that should do it.

Ex. Cisco-AVPair += "nas-tx-speed=53300"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Wakefield (Sunet Sysadmin)
Sent: Thursday, December 15, 2005 1:22 AM
To: FreeRadius users mailing list
Subject: Cisco-AVPair SQL accounting (attr. not duplicated)

G'day,

Sorry if this has been covered already, as I imagine it's a common issue, but I haven't been able to rustle any working answers up after a long time googling and grepping $FR/src.

I've got an AS5300 that sends a few attributes, with accounting stop, encapsulated in Cisco-AVPair eg:

    Cisco-AVPair = "nas-tx-speed=53300"

and the VSA hack doesn't appear to let me refer to that value in my SQL statements with either the %{nas-tx-speed} or %{Cisco-AVPair[index]} syntaxes I've seen suggested for Cisco VSAs in various places. rlm_sql complains of an unknown xlat function or non-existent attribute.

Has anyone managed to do this? If so, what is the correct syntax to use these in SQL accounting statements?

Cheers,

--
James Wakefield
Systems Administrator
+61 03 5227 6888
We have now moved head office to 8-12 Pakington Street, Geelong West.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius and LDAP : to be continued
Hi, rather confusing. I have to admit, I have never used chillispot, but I've just visited their website and in FAQ I found "Why should I use CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as authorisation, but as a password storage. Okay - great.. what now? When you look at your radiusd.conf file there is a part where you can define your LDAP server etc.. ldap ldap_users { server = "81.xx" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=People,dc=xxx,dc=xx" filter = "(&(objectClass=posixAccount)(uid=%u))" start_tls = no .. # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 # password_header = "{clear}" password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # access_attr_used_for_allow = yes } I hope you have that right ( this is only a part of my working config ). Next, what Alan said is to change the authorisation part. As I said - chillispot aparently wants CHAP, so in following section use CHAP authorize { # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set Chap # here you can also have ldap_users # for radtest to work ( IMHO it should be like this ) } And in authenticate { # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap ldap_users } } As it says in authenticate section - passwords in LDAP should be in clear text... Try this out. I cannot promise you that it will work, but it is the same way I have set up my POPTOP server with MS-CHAP, and it works.. 
I would also appreciate some guru to take a look at this and publish his opinion about this on this list ;) Kind regards, Edvin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christophe Gravier Sent: Donnerstag, 15. Dezember 2005 16:41 To: FreeRadius users mailing list Subject: Re: Freeradius and LDAP : to be continued Hello Edvin, First, I received my email posted to the list several times in my mail client. I higly hope this is not the case for all you ! (if it is, thunderbird didn't like to switch from the testing wireless network back to cable and vice versa, since they're all dated to the same hour) If you received only one mail, it is OK, just forget what I told ;-) For what I am trying to do: I have an existing LDAP directory with all users being able to connect to the wireless area. The hotspot architecture is : client <-> chillispot (login page served with apache2 + ssl) <-> freeradius <-> ldap. I just want my ldap users being able to connect to the hotspot. So, *at first*, I edited the conf file to let users be authenticate via LDAP. This way, radtest way just OK but not ChilliSpot. When I report it to the list, asking how radtest is different to chillispot login, Alan explained me: " You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the "ldap" entry from the "authenticate" section. Get radtest to work. Once that works, Chillispot will work, too." So I remove "ldap" from authentificate (I let it in authorize section thgouh). But it still doesn't solve the problem. In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set Auth-Type to LDAP. That would solve a lot of problems." I just find it dirty to hack the radius then recompile to get ldap support :-( If you're using LDAP for your users accessing the hotspot, would you please tell me how you achieve this ? 
Best Regards, Seferovic Edvin wrote: >Hello, > >I must admit, I have been reading this thread, but I still do not understand >what Christophe is trying to accomplish. As far as I understand - you have >your passwords in LDAP, and you only ( kind of ) need to authorize but NOT >authenticate users that are in your LDAP directory.. > >Please correct me... > >Regards, > >Edvin > >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of >Christophe Gravier >Sent: Donnerstag, 15. Dezember 2005 16:05 >To: FreeRadius users mailing list >Subject: Re: Freeradius and LDAP : to be continued > >Phil Mayers wrote: > > > >>Alan DeKok wrote: >> >> >> >>><[EMAIL PROTECTED]> wrote: >>
Re: Freeradius and LDAP : to be continued
Hello Edvin, First, I received my email posted to the list several times in my mail client. I higly hope this is not the case for all you ! (if it is, thunderbird didn't like to switch from the testing wireless network back to cable and vice versa, since they're all dated to the same hour) If you received only one mail, it is OK, just forget what I told ;-) For what I am trying to do: I have an existing LDAP directory with all users being able to connect to the wireless area. The hotspot architecture is : client <-> chillispot (login page served with apache2 + ssl) <-> freeradius <-> ldap. I just want my ldap users being able to connect to the hotspot. So, *at first*, I edited the conf file to let users be authenticate via LDAP. This way, radtest way just OK but not ChilliSpot. When I report it to the list, asking how radtest is different to chillispot login, Alan explained me: " You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the "ldap" entry from the "authenticate" section. Get radtest to work. Once that works, Chillispot will work, too." So I remove "ldap" from authentificate (I let it in authorize section thgouh). But it still doesn't solve the problem. In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set Auth-Type to LDAP. That would solve a lot of problems." I just find it dirty to hack the radius then recompile to get ldap support :-( If you're using LDAP for your users accessing the hotspot, would you please tell me how you achieve this ? Best Regards, Seferovic Edvin wrote: Hello, I must admit, I have been reading this thread, but I still do not understand what Christophe is trying to accomplish. As far as I understand - you have your passwords in LDAP, and you only ( kind of ) need to authorize but NOT authenticate users that are in your LDAP directory.. Please correct me... 
Regards, Edvin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christophe Gravier Sent: Donnerstag, 15. Dezember 2005 16:05 To: FreeRadius users mailing list Subject: Re: Freeradius and LDAP : to be continued Phil Mayers wrote: Alan DeKok wrote: <[EMAIL PROTECTED]> wrote: rlm_ldap: Adding userPassword as User-Password, value { & op=11 That's better. modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP Yuck. My quick answer is to edit rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems. Interesting. I mentioned this to another querier the other day: http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221. html Ar. You lost me. Still not working. I can't imagine I'm unable to make freeradius uses LDAP password without hacking it :-/ What then would the authenticate section look like to use LDAP? Presumably something like: authenticate { Auth-Type PAP { ldap } } ...but of course then you get into what happens if you want 2 different services in the same server, such as: authenticate { Auth-Type PAP-service1 { ldap1 } Auth-Type PAP-service2 { ldap2 } Auth-Type MSCHAP-service1 { mschap1 } Auth-Type MSCHAP-service2 { mschap2 } } ...etc. - nasty. Is it possible to do: authenticate { Huntgroup Service1 { Auth-Type PAP { ldap1 } Auth-Type MSCHAP { mschap1 } } Huntgroup Service2 { Auth-Type PAP { ldap2 } Auth-Type MSCHAP { mschap2 } } } ...although "Realm" might make more sense than "Huntgroup" in understanding what I mean. There's also the possibility of wanting to use fallback: authenticate { Auth-Type PAP { ldap pap } } ...although I'm pretty sure you can do that with configurable failover and the above syntax is wrong. - List info/subscribe/unsubscribe? 
See http://www.freeradius.org/list/users.html -- Christophe Gravier Laboratoire DIOM, groupe SATIn - Doctorant ISTASE - Ingénieur d'études Perso: http://perso.univ-st-etienne.fr/gravchri/ SATIn: http://www.istase.com/satin Tel : 04 7748 5034 A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius and LDAP : to be continued
Hello,

I must admit, I have been reading this thread, but I still do not understand what Christophe is trying to accomplish. As far as I understand - you have your passwords in LDAP, and you only ( kind of ) need to authorize but NOT authenticate users that are in your LDAP directory..

Please correct me...

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christophe Gravier
Sent: Thursday, 15 December 2005 16:05
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Phil Mayers wrote:

> Alan DeKok wrote:
>
>> <[EMAIL PROTECTED]> wrote:
>>
>>> rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>
>>
>> That's better.
>>
>>> modcall: group authorize returns ok for request 0
>>> rad_check_password: Found Auth-Type LDAP
>>
>>
>> Yuck.
>>
>> My quick answer is to edit rlm_ldap.c to have it *never* set
>> Auth-Type to LDAP. That would solve a lot of problems.
>
>
> Interesting. I mentioned this to another querier the other day:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html
>

Ar. You lost me. Still not working. I can't imagine I'm unable to make freeradius uses LDAP password without hacking it :-/

>
> What then would the authenticate section look like to use LDAP?
> Presumably something like:
>
> authenticate {
>   Auth-Type PAP {
>     ldap
>   }
> }
>
> ...but of course then you get into what happens if you want 2
> different services in the same server, such as:
>
> authenticate {
>   Auth-Type PAP-service1 {
>     ldap1
>   }
>   Auth-Type PAP-service2 {
>     ldap2
>   }
>   Auth-Type MSCHAP-service1 {
>     mschap1
>   }
>   Auth-Type MSCHAP-service2 {
>     mschap2
>   }
> }
>
> ...etc. - nasty. Is it possible to do:
>
> authenticate {
>   Huntgroup Service1 {
>     Auth-Type PAP {
>       ldap1
>     }
>     Auth-Type MSCHAP {
>       mschap1
>     }
>   }
>
>   Huntgroup Service2 {
>     Auth-Type PAP {
>       ldap2
>     }
>     Auth-Type MSCHAP {
>       mschap2
>     }
>   }
> }
>
> ...although "Realm" might make more sense than "Huntgroup" in
> understanding what I mean.
>
> There's also the possibility of wanting to use fallback:
>
> authenticate {
>   Auth-Type PAP {
>     ldap
>     pap
>   }
> }
>
> ...although I'm pretty sure you can do that with configurable failover
> and the above syntax is wrong.

--
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius and LDAP : to be continued
Phil Mayers wrote:
> Alan DeKok wrote:
>
>> <[EMAIL PROTECTED]> wrote:
>>
>>> rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>
>> That's better.
>>
>>> modcall: group authorize returns ok for request 0
>>> rad_check_password: Found Auth-Type LDAP
>>
>> Yuck.
>>
>> My quick answer is to edit rlm_ldap.c to have it *never* set
>> Auth-Type to LDAP. That would solve a lot of problems.
>
> Interesting. I mentioned this to another querier the other day:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html

Ar. You lost me. Still not working. I can't imagine I'm unable to make freeradius use the LDAP password without hacking it :-/

> What then would the authenticate section look like to use LDAP?
> Presumably something like:
>
> authenticate {
>     Auth-Type PAP {
>         ldap
>     }
> }
>
> ...but of course then you get into what happens if you want 2
> different services in the same server, such as:
>
> authenticate {
>     Auth-Type PAP-service1 {
>         ldap1
>     }
>     Auth-Type PAP-service2 {
>         ldap2
>     }
>     Auth-Type MSCHAP-service1 {
>         mschap1
>     }
>     Auth-Type MSCHAP-service2 {
>         mschap2
>     }
> }
>
> ...etc. - nasty. Is it possible to do:
>
> authenticate {
>     Huntgroup Service1 {
>         Auth-Type PAP {
>             ldap1
>         }
>         Auth-Type MSCHAP {
>             mschap1
>         }
>     }
>     Huntgroup Service2 {
>         Auth-Type PAP {
>             ldap2
>         }
>         Auth-Type MSCHAP {
>             mschap2
>         }
>     }
> }
>
> ...although "Realm" might make more sense than "Huntgroup" in
> understanding what I mean.
>
> There's also the possibility of wanting to use fallback:
>
> authenticate {
>     Auth-Type PAP {
>         ldap
>         pap
>     }
> }
>
> ...although I'm pretty sure you can do that with configurable failover
> and the above syntax is wrong.

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: Freeradius as Proxy
Everything goes through the proxy.

josh.

--On Thursday, December 15, 2005 15:09:22 +0100 Nicola Iotti <[EMAIL PROTECTED]> wrote:

> Hi,
> I'm using Freeradius 1.0.5 as Proxy, but does anyone know if freeradius has just to send requests from NAS to Server or also the server's replies to the NAS?
> I mean does the radius server reply directly to the NAS or does it always communicate through the freeradius proxy?
> Regards
>
> Ing. Nicola Iotti
> Network Manager
> mailto: [EMAIL PROTECTED]
> Guglielmo S.r.l.
> Registered office: Via Martiri di Minozzo, 12
> Operating office: Via Sante Vincenzi, 2 / D
> 42100 Reggio Emilia ITALIA
> Tel.: +39-0522 - 40 63 67
> Fax: +39-0522 - 54 08 16
> Cell: +39-320 61 90 072
> internet website: http://www.guglielmo.biz
> mailto:[EMAIL PROTECTED]

--
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Help with proxy scenario
I have a need to proxy users based on either AD group membership or a substring in the username. I am currently using LDAP to AD.

AD group membership scenario: If user is in group "x" then proxy to radius server "y".

Substring scenario: If username contains string "x", then strip "x" and proxy to server "y".

I believe both could work. Which is easiest and what modules are needed? Also, any examples of either would be greatly appreciated.

Thanks,
Mark
Pb with Mac and EAP auth
Hi,

I'm using Freeradius for both MAC and WPA authentication (EAP-TTLS) of my WiFi users, and I'm facing a problem I have no idea how to solve:

In my users file I've set a list of the MAC addresses like this:

    # Portable MACHIN
    "001122334455" Auth-Type := Accept
        Cisco-AVpair := "ssid=Machin",
        Cisco-AVpair += "ssid=Machin2"

And for users a password crypt file 'filecrypt':

    DEFAULT Autz-Type := filecrypt

The problem is that when doing EAP-TTLS authentication, if I set the MAC address of one of the allowed cards as the login name, I am authenticated!!!

Is there a way to prevent this somehow? To specify that Auth-Type:=Accept is only for non-EAP authentication???

Thanks for help

Benoît Bianchi.
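The behaviour reported in the post above, as an added example that is not part of the original message and is not FreeRADIUS code: a small Python model of a users-file entry that matches on User-Name alone, next to a stricter check that accepts by MAC only when the request carries no EAP-Message and the User-Name equals the Calling-Station-Id reported by the NAS. The request dictionaries, the Calling-Station-Id formats, the user name "benoit" and the function names are constructed assumptions.

```python
import re

# Constructed allow-list mirroring the users-file entry quoted in the post.
MAC_ALLOW = {"001122334455": ["ssid=Machin", "ssid=Machin2"]}


def normalize_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    if not value:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    return digits.lower() if len(digits) == 12 else None


def weak_authorize(request):
    """Model of the posted entry: the only check item is the User-Name."""
    if request.get("User-Name") in MAC_ALLOW:
        return "Accept"
    return "filecrypt"  # fall through to the DEFAULT password check


def hardened_authorize(request):
    """Accept by MAC only for a non-EAP request whose User-Name is the
    same address the NAS reported in Calling-Station-Id (assumed policy)."""
    name = request.get("User-Name")
    station = normalize_mac(request.get("Calling-Station-Id"))
    is_eap = "EAP-Message" in request
    if name in MAC_ALLOW and not is_eap and station == normalize_mac(name):
        return "Accept"
    return "filecrypt"


def find_bypasses(requests):
    """Labels of requests the weak rule accepts but the hardened rule does not."""
    return [label for label, req in requests
            if weak_authorize(req) == "Accept"
            and hardened_authorize(req) != "Accept"]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("mac-auth from AP",
     {"User-Name": "001122334455", "User-Password": "001122334455",
      "Calling-Station-Id": "0011.2233.4455"}),
    ("ttls inner, no station id",
     {"User-Name": "001122334455", "User-Password": "anything"}),
    ("ttls inner, outer attrs copied",
     {"User-Name": "001122334455", "User-Password": "anything",
      "Calling-Station-Id": "00aa.bbcc.ddee"}),
    ("eap outer identity",
     {"User-Name": "001122334455", "EAP-Message": b"\x02\x01\x00\x11\x01",
      "Calling-Station-Id": "00aa.bbcc.ddee"}),
    ("regular user",
     {"User-Name": "benoit", "User-Password": "secret"}),
]

if __name__ == "__main__":
    for label in find_bypasses(SAMPLE_REQUESTS):
        print("accepted by User-Name match only:", label)
```

The genuine MAC authentication is accepted by both rules; the three requests that merely use an allowed MAC as the login name fall through to the password check under the stricter rule.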
Re: Welcome to the "Freeradius-Users" mailing list (Digest mode)
> Hello! EveryOne! Nice to meet you!

>> You must know your password to change your options (including changing
>> the password, itself) or to unsubscribe. It is: uvazgi

:P wanna change it now and NEVER use it again ANYWHERE as harvesters _like_ such.

br
mfred
Freeradius as Proxy
Hi,

I'm using Freeradius 1.0.5 as Proxy, but does anyone know if freeradius has just to send requests from NAS to Server or also the server's replies to the NAS?
I mean does the radius server reply directly to the NAS or does it always communicate through the freeradius proxy?

Regards

Ing. Nicola Iotti
Network Manager
mailto: [EMAIL PROTECTED]
Guglielmo S.r.l.
Registered office: Via Martiri di Minozzo, 12
Operating office: Via Sante Vincenzi, 2 / D
42100 Reggio Emilia ITALIA
Tel.: +39-0522 - 40 63 67
Fax: +39-0522 - 54 08 16
Cell: +39-320 61 90 072
internet website: http://www.guglielmo.biz
mailto:[EMAIL PROTECTED]
Re: Freeradius and LDAP : to be continued
Alan DeKok wrote:
> <[EMAIL PROTECTED]> wrote:
>
>> rlm_ldap: Adding userPassword as User-Password, value { & op=11
>
> That's better.
>
>> modcall: group authorize returns ok for request 0
>> rad_check_password: Found Auth-Type LDAP
>
> Yuck.
>
> My quick answer is to edit rlm_ldap.c to have it *never* set
> Auth-Type to LDAP. That would solve a lot of problems.

Interesting. I mentioned this to another querier the other day:

http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html

What then would the authenticate section look like to use LDAP? Presumably something like:

    authenticate {
        Auth-Type PAP {
            ldap
        }
    }

...but of course then you get into what happens if you want 2 different services in the same server, such as:

    authenticate {
        Auth-Type PAP-service1 {
            ldap1
        }
        Auth-Type PAP-service2 {
            ldap2
        }
        Auth-Type MSCHAP-service1 {
            mschap1
        }
        Auth-Type MSCHAP-service2 {
            mschap2
        }
    }

...etc. - nasty. Is it possible to do:

    authenticate {
        Huntgroup Service1 {
            Auth-Type PAP {
                ldap1
            }
            Auth-Type MSCHAP {
                mschap1
            }
        }
        Huntgroup Service2 {
            Auth-Type PAP {
                ldap2
            }
            Auth-Type MSCHAP {
                mschap2
            }
        }
    }

...although "Realm" might make more sense than "Huntgroup" in understanding what I mean.

There's also the possibility of wanting to use fallback:

    authenticate {
        Auth-Type PAP {
            ldap
            pap
        }
    }

...although I'm pretty sure you can do that with configurable failover and the above syntax is wrong.
Re: Welcome to the "Freeradius-Users" mailing list (Digest mode)
Hello! EveryOne! Nice to meet you!

2005/12/15, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> Welcome to the Freeradius-Users@lists.freeradius.org mailing list!
>
> To post to this list, send your email to:
>
>   freeradius-users@lists.freeradius.org
>
> General information about the mailing list is at:
>
>   http://lists.freeradius.org/mailman/listinfo/freeradius-users
>
> If you ever want to unsubscribe or change your options (eg, switch to
> or from digest mode, change your password, etc.), visit your
> subscription page at:
>
>   http://lists.freeradius.org/mailman/options/freeradius-users/yaoguoxian%40gmail.com
>
> You can also make such adjustments via email by sending a message to:
>
>   [EMAIL PROTECTED]
>
> with the word `help' in the subject or body (don't include the
> quotes), and you will get back a message with instructions.
>
> You must know your password to change your options (including changing
> the password, itself) or to unsubscribe. It is:
>
>   uvazgi
>
> Normally, Mailman will remind you of your lists.freeradius.org mailing
> list passwords once every month, although you can disable this if you
> prefer. This reminder will also include instructions on how to
> unsubscribe or change your account options. There is also a button on
> your options page that will email your current password to you.
problems with freeradius 1.0.5
Hello,

I upgraded from freeradius 1.0.2 to 1.0.5 and nothing works anymore. I have this error:

    radiusd.conf[1682] Unknown Auth-Type "Pam" in authenticate section.

Commenting out pam, I then got this:

    radiusd.conf[1682] Unknown Auth-Type "System" in authenticate section.

and so if I comment out "unix" in the radiusd.conf file I get this error:

    rlm_eap_gtc: Unknown Auth-Type PAP
    rlm_eap: Failed to initialize type gtc

Does anyone have some hints??

thank you
Rick
Re: Freeradius and LDAP : to be continued
Christophe Gravier wrote:
> Alan DeKok wrote:
>
>> <[EMAIL PROTECTED]> wrote:
>>
>>> rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>
>> That's better.
>>
>>> modcall: group authorize returns ok for request 0
>>> rad_check_password: Found Auth-Type LDAP
>>
>> Yuck.
>>
>> My quick answer is to edit rlm_ldap.c to have it *never* set
>> Auth-Type to LDAP. That would solve a lot of problems.
>
> Indeed, I have no rlm-ldap.so ;-( (I did apt-get install freeradius-ldap on my debian box ...)

Whaou, I was so kind of tired (or in a hurry). I of course mean: "I have no rlm_ldap.c" ...

>> Alan DeKok.

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: Dictionary files for HP Procurve switch?
Seferovic Edvin wrote:
> Hi,
>
> I am using HP ProCurve 2626 ( smaller version of 2650 ) and I haven't seen
> any dictionary files nor need for a dictionary file. MAC-Based auth is
> working fine with freeradius and I suppose EAP would work fine as well.

Get them from HP then post them with a bug report as a file and maybe they'll get in the next release.

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
RE: Dictionary files for HP Procurve switch?
Hi,

I am using HP ProCurve 2626 ( smaller version of 2650 ) and I haven't seen any dictionary files nor need for a dictionary file. MAC-Based auth is working fine with freeradius and I suppose EAP would work fine as well.

Regards,
Edvin Seferovic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 13 December 2005 23:30
To: FreeRadius users mailing list
Subject: Re: Dictionary files for HP Procurve switch?

Mark Tunnell <[EMAIL PROTECTED]> wrote:
> Can anyone point me to dictionary file for an HP ProCurve 2650 switch?

Ask HP. I've never used one of those switches, or seen an HP dictionary.

Alan DeKok.
RE: Re[4]: how get current TRAFFIC (ACCT) ?
Hi, dictionary file on your freeradius server is usually found under /usr/share/freeradius/dictionary... Search for ATTRIBUTE Acct-Interim-Interval 85 integer On your pppoe server ( which is using radiusclient ), look at /etc/radiusclient/dictionary and add if not exists ATTRIBUTE Acct-Interim-Interval 85 integer Then it might work.. what pppoe server are you using? And please set up Acct-Interim-Interval to something greater then 2 minutes. Values lower then 120 won't work. Regards, Edvin -Original Message- From: Andreas Sokov [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 15. Dezember 2005 13:21 To: [EMAIL PROTECTED] Cc: freeradius-users@lists.freeradius.org Subject: Re[4]: how get current TRAFFIC (ACCT) ? Hi. [ You wrote Thursday, December 15, 2005, 2:52:10 PM ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-= SE> Well you have set up your pppoe-server to send the accounting information SE> only at the end of the session. If connection is "lost", you will have the SE> accounting data in your database with AcctTerminateCause something like SE> "terminated by server". SE> The session you have sent me is just an open session. SE> As I said - you can set the Acct-Interim-Interval attribute so that your SE> server sends the accouting packets every few minutes for example. i try i insert into radreply : id UserNameAttribute op Value 1 testFramed-IP-Address := 192.168.96.10 4 testAcct-Status-Type:= Interim-Update 5 testAcct-Interim-Interval := 60 6 testFramed-IP-Netmask := 255.255.252.0 but it is not worked you wrote : add attribute into dictionary file tell me please IN WHAT FILE I NEED ADD IT ? and what will have to line ? into /etc/freeradius folder i c one file ./dictionaty : # # This is the master dictionary file, which references the # pre-defined dictionary files included with the server. # # Any new/changed attributes MUST be placed in this file, as # the pre-defined dictionaries SHOULD NOT be edited. 
# # $Id: dictionary.in,v 1.4 2004/04/14 15:26:20 aland Exp $ # # # The filename given here should be an absolute path. # $INCLUDE/usr/share/freeradius/dictionary # # Place additional attributes or $INCLUDEs here. They will # over-ride the definitions in the pre-defined dictionaries. # # See the 'man' page for 'dictionary' for information on # the format of the dictionary files. # # If you want to add entries to the dictionary file, # which are NOT going to be placed in a RADIUS packet, # add them here. The numbers you pick should be between # 3000 and 4000. # #ATTRIBUTE My-Local-String 3000string #ATTRIBUTE My-Local-IPAddr 3001ipaddr #ATTRIBUTE My-Local-Integer3002integer what i need add there ? like this : ATTRIBUTE Acct-Interim-Interval3003integer ATTRIBUTE Acct-Status-Type 3004string ?? SE> -Original Message- SE> From: Andreas Sokov [mailto:[EMAIL PROTECTED] SE> Sent: Donnerstag, 15. Dezember 2005 12:42 SE> To: freeradius-users@lists.freeradius.org SE> Cc: [EMAIL PROTECTED] SE> Subject: Re[2]: how get current TRAFFIC (ACCT) ? SE> Hi. SE> [ You wrote Thursday, December 15, 2005, 2:14:10 PM ] SE> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SE> =-= SE>> Hi, SE>> for traffic information - look at the RADACCT table in your mysql SE> database SE>> called radius. A simple sql query could be - SE> -) SE> i know what information about traffic collect in that table. 
SE> But please, look at this : SE> RadAcctId AcctSessionId AcctUniqueIdUserName Realm SE> NASIPAddress NASPortId NASPortType AcctStartTime AcctStopTime SE> AcctSessionTime AcctAuthentic ConnectInfo_start SE> ConnectInfo_stopAcctInputOctets AcctOutputOctets SE> CalledStationId CallingStationIdAcctTerminateCause SE> ServiceType FramedProtocol FramedIPAddress SE> AcctStartDelay AcctStopDelay SE> 19 43A154E9151B00 835535e0e65d3acetest SE> 213.159.102.146 0 Virtual 2005-12-15 14:35:05 -00-00 SE> 00:00:00 0 RADIUS 0 0 SE> Framed-User PPP 192.168.96.10 0 0 SE> 18 43A13CE87DBE00 73e57ea8afc72d3btest SE> 213.159.102.146 0 Virtual 2005-12-15 12:52:40 2005-12-15 SE> 14:10:12 4652RADIUS 6857793 7229167 SE> User-RequestFramed-User PPP 192.168.96.10 0 0 SE> look at id=19 into AcctStopTime and SE> while session OPENS! the value AcctInputOctets AcctOutputOctets == 0 SE> !!! SE> and if session will be open during 20 hourse - we can not know that current SE> val
Re[4]: how get current TRAFFIC (ACCT) ?
Hi. [ You wrote Thursday, December 15, 2005, 2:52:10 PM ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= SE> Well you have set up your pppoe-server to send the accounting information SE> only at the end of the session. If connection is "lost", you will have the SE> accounting data in your database with AcctTerminateCause something like SE> "terminated by server". SE> The session you have sent me is just an open session. SE> As I said - you can set the Acct-Interim-Interval attribute so that your SE> server sends the accouting packets every few minutes for example. i try i insert into radreply : id UserNameAttribute op Value 1 testFramed-IP-Address := 192.168.96.10 4 testAcct-Status-Type:= Interim-Update 5 testAcct-Interim-Interval := 60 6 testFramed-IP-Netmask := 255.255.252.0 but it is not worked you wrote : add attribute into dictionary file tell me please IN WHAT FILE I NEED ADD IT ? and what will have to line ? into /etc/freeradius folder i c one file ./dictionaty : # # This is the master dictionary file, which references the # pre-defined dictionary files included with the server. # # Any new/changed attributes MUST be placed in this file, as # the pre-defined dictionaries SHOULD NOT be edited. # # $Id: dictionary.in,v 1.4 2004/04/14 15:26:20 aland Exp $ # # # The filename given here should be an absolute path. # $INCLUDE/usr/share/freeradius/dictionary # # Place additional attributes or $INCLUDEs here. They will # over-ride the definitions in the pre-defined dictionaries. # # See the 'man' page for 'dictionary' for information on # the format of the dictionary files. # # If you want to add entries to the dictionary file, # which are NOT going to be placed in a RADIUS packet, # add them here. The numbers you pick should be between # 3000 and 4000. # #ATTRIBUTE My-Local-String 3000string #ATTRIBUTE My-Local-IPAddr 3001ipaddr #ATTRIBUTE My-Local-Integer3002integer what i need add there ? 
like this : ATTRIBUTE Acct-Interim-Interval3003integer ATTRIBUTE Acct-Status-Type 3004string ?? SE> -Original Message- SE> From: Andreas Sokov [mailto:[EMAIL PROTECTED] SE> Sent: Donnerstag, 15. Dezember 2005 12:42 SE> To: freeradius-users@lists.freeradius.org SE> Cc: [EMAIL PROTECTED] SE> Subject: Re[2]: how get current TRAFFIC (ACCT) ? SE> Hi. SE> [ You wrote Thursday, December 15, 2005, 2:14:10 PM ] SE> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SE> =-= SE>> Hi, SE>> for traffic information - look at the RADACCT table in your mysql SE> database SE>> called radius. A simple sql query could be - SE> -) SE> i know what information about traffic collect in that table. SE> But please, look at this : SE> RadAcctId AcctSessionId AcctUniqueIdUserName Realm SE> NASIPAddress NASPortId NASPortType AcctStartTime AcctStopTime SE> AcctSessionTime AcctAuthentic ConnectInfo_start SE> ConnectInfo_stopAcctInputOctets AcctOutputOctets SE> CalledStationId CallingStationIdAcctTerminateCause SE> ServiceType FramedProtocol FramedIPAddress SE> AcctStartDelay AcctStopDelay SE> 19 43A154E9151B00 835535e0e65d3acetest SE> 213.159.102.146 0 Virtual 2005-12-15 14:35:05 -00-00 SE> 00:00:00 0 RADIUS 0 0 SE> Framed-User PPP 192.168.96.10 0 0 SE> 18 43A13CE87DBE00 73e57ea8afc72d3btest SE> 213.159.102.146 0 Virtual 2005-12-15 12:52:40 2005-12-15 SE> 14:10:12 4652RADIUS 6857793 7229167 SE> User-RequestFramed-User PPP 192.168.96.10 0 0 SE> look at id=19 into AcctStopTime and SE> while session OPENS! the value AcctInputOctets AcctOutputOctets == 0 SE> !!! SE> and if session will be open during 20 hourse - we can not know that current SE> value of SE> AcctInputOctets AcctOutputOctets ?! SE> What you think about it ? 
SE>> SELECT SUM(AcctOutputOctets) as download, SUM(AcctInputOctets) as upload SE>> GROUP BY Username ORDER BY Username ASC; SE>> This should give you a list of your users and their upload and download SE>> traffic ( list is sorted ascending by usernames ). SE>> Regards, SE>> Edvin SE>> -Original Message- SE>> From: [EMAIL PROTECTED] SE>> [mailto:[EMAIL PROTECTED] On Behalf Of SE> Andreas SE>> Sokov SE>> Sent: Donnerstag, 15. Dezember 2005 11:33 SE>> To: freeradius-users@lists.freeradius.org SE>> Subject: how get current TRAFFIC (ACCT) ? SE>> Importance: High SE>> Hi, freeradius-users. SE>> Linux Debian, # uname -a SE>> Linux g48 2.6.14.3-1 #4 Sun D
RE: Re[2]: how get current TRAFFIC (ACCT) ?
Well you have set up your pppoe-server to send the accounting information only at the end of the session. If connection is "lost", you will have the accounting data in your database with AcctTerminateCause something like "terminated by server". The session you have sent me is just an open session. As I said - you can set the Acct-Interim-Interval attribute so that your server sends the accouting packets every few minutes for example. -Original Message- From: Andreas Sokov [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 15. Dezember 2005 12:42 To: freeradius-users@lists.freeradius.org Cc: [EMAIL PROTECTED] Subject: Re[2]: how get current TRAFFIC (ACCT) ? Hi. [ You wrote Thursday, December 15, 2005, 2:14:10 PM ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-= SE> Hi, SE> for traffic information - look at the RADACCT table in your mysql database SE> called radius. A simple sql query could be - -) i know what information about traffic collect in that table. But please, look at this : RadAcctId AcctSessionId AcctUniqueIdUserName Realm NASIPAddress NASPortId NASPortType AcctStartTime AcctStopTime AcctSessionTime AcctAuthentic ConnectInfo_start ConnectInfo_stopAcctInputOctets AcctOutputOctets CalledStationId CallingStationIdAcctTerminateCause ServiceType FramedProtocol FramedIPAddress AcctStartDelay AcctStopDelay 19 43A154E9151B00 835535e0e65d3acetest 213.159.102.146 0 Virtual 2005-12-15 14:35:05 -00-00 00:00:00 0 RADIUS 0 0 Framed-User PPP 192.168.96.10 0 0 18 43A13CE87DBE00 73e57ea8afc72d3btest 213.159.102.146 0 Virtual 2005-12-15 12:52:40 2005-12-15 14:10:12 4652RADIUS 6857793 7229167 User-RequestFramed-User PPP 192.168.96.10 0 0 look at id=19 into AcctStopTime and while session OPENS! the value AcctInputOctets AcctOutputOctets == 0 !!! and if session will be open during 20 hourse - we can not know that current value of AcctInputOctets AcctOutputOctets ?! What you think about it ? 
SE> SELECT SUM(AcctOutputOctets) as download, SUM(AcctInputOctets) as upload SE> GROUP BY Username ORDER BY Username ASC; SE> This should give you a list of your users and their upload and download SE> traffic ( list is sorted ascending by usernames ). SE> Regards, SE> Edvin SE> -Original Message- SE> From: [EMAIL PROTECTED] SE> [mailto:[EMAIL PROTECTED] On Behalf Of Andreas SE> Sokov SE> Sent: Donnerstag, 15. Dezember 2005 11:33 SE> To: freeradius-users@lists.freeradius.org SE> Subject: how get current TRAFFIC (ACCT) ? SE> Importance: High SE> Hi, freeradius-users. SE> Linux Debian, # uname -a SE> Linux g48 2.6.14.3-1 #4 Sun Dec 11 05:57:57 MSK 2005 i686 GNU/Linux SE> #freeradius -v SE> freeradius: FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at SE> 11:56:56 SE> # mysql -V SE> mysql Ver 14.12 Distrib 5.0.13-rc, for pc-linux-gnu (i486) using readline SE> 5.0 SE> TELL ME PLEASE : HOW I CAN GET CURRENT TRAFFIC INFORMATION ? SE> I need to kno how much traffic user eat before it close your session. SE> Do Know anybody ? SE> I try radwho, radlast - but they show all but acct information SE> Try radacct - but it is not show anything info, just run and no information SE> ... SE> HELP PLEASE. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-= -- - Best Regards, Andreas Thursday, December 15, 2005 2:36:16 PM Web-Media L.t.d. +7 (901) 301-5811 ICQ UIN 177624 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco-AVPair SQL accounting (attr. not duplicated)
James Wakefield wrote:
> I've got an AS5300 that sends a few attributes, with accounting stop,
> encapsulated in Cisco-AVPair eg: Cisco-AVPair = "nas-tx-speed=53300" and
> the VSA hack doesn't appear to let me refer to that value in my SQL
> statements with either the %{nas-tx-speed} or %{Cisco-AVPair[index]}
> syntaxes I've seen suggested for Cisco VSAs in various places. rlm_sql
> complains of an unknown xlat function or non-existent attribute.
>
> Has anyone managed to do this? If so, what is the correct syntax to use
> these in SQL accounting statements?

The syntax %{Cisco-AVPair[n]} isn't supported in versions 1.0.x of FreeRADIUS. I'd suggest to get and try the CVS version which is about to be 1.1.0 very soon.

    $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
    CVS password: anoncvs
    $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 radiusd

--
Nicolas Baradakis
Re[2]: HELP - Freeradius+mysql - LOST ACCOUNTING
Hi.

[ You wrote Thursday, December 15, 2005, 2:14:10 PM ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
SE> Hi,
SE> use Acct-Interim-Interval attribute

I TRY! and no changes.
Tell me please in that table I need write this attribute?

SE> ( maybe you will need to change your dictionary file ).

yes, I had searched for this attribute and not found it in any dictionary.
Help me please - in what dictionary file do I need to write it?

SE> This also depends on pppoe which is using radclient - I
SE> am not sure if it is supported by your server. I am using Poptop with
SE> freeradius and it works.

Tell me please what is PopTop?

SE> Regards,
SE> Edvin
SE> -----Original Message-----
SE> From: [EMAIL PROTECTED]
SE> [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Sokov
SE> Sent: Thursday, 15 December 2005 11:29
SE> To: freeradius-users@lists.freeradius.org
SE> Subject: HELP - Freeradius+mysql - LOST ACCOUNTING
SE> Importance: High
SE> Hi, freeradius-users-bounces.
SE> I use pppoe+ppp+freeradius+mysql on Linux Debian.
SE> When user connect by pppoe - into radacct table insertes records, where
SE> inOctets & out ==0
SE> If session will be 20 hours - data about acct will be updated after session
SE> will be close.
SE> But if session will be lost - i lost ALL DATA ABOUT TRAFFIC (ACCT)
SE> Tel me please - how i can update with interval current traffic for ever
SE> connected users ?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

--
Best Regards,
Andreas
Thursday, December 15, 2005 2:42:04 PM
Web-Media L.t.d.
+7 (901) 301-5811
ICQ UIN 177624
Re[2]: how get current TRAFFIC (ACCT) ?
Hi.

[ You wrote Thursday, December 15, 2005, 2:14:10 PM ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
SE> Hi,
SE> for traffic information - look at the RADACCT table in your mysql database
SE> called radius. A simple sql query could be -

-) I know what information about traffic is collected in that table.
But please, look at this:

    Column               id 19                  id 18
    RadAcctId            19                     18
    AcctSessionId        43A154E9151B00         43A13CE87DBE00
    AcctUniqueId         835535e0e65d3ace       73e57ea8afc72d3b
    UserName             test                   test
    Realm                (empty)                (empty)
    NASIPAddress         213.159.102.146        213.159.102.146
    NASPortId            0                      0
    NASPortType          Virtual                Virtual
    AcctStartTime        2005-12-15 14:35:05    2005-12-15 12:52:40
    AcctStopTime         -00-00 00:00:00        2005-12-15 14:10:12
    AcctSessionTime      0                      4652
    AcctAuthentic        RADIUS                 RADIUS
    ConnectInfo_start    (empty)                (empty)
    ConnectInfo_stop     (empty)                (empty)
    AcctInputOctets      0                      6857793
    AcctOutputOctets     0                      7229167
    CalledStationId      (empty)                (empty)
    CallingStationId     (empty)                (empty)
    AcctTerminateCause   (empty)                User-Request
    ServiceType          Framed-User            Framed-User
    FramedProtocol       PPP                    PPP
    FramedIPAddress      192.168.96.10          192.168.96.10
    AcctStartDelay       0                      0
    AcctStopDelay        0                      0

look at id=19 into AcctStopTime and while session OPENS! the value AcctInputOctets AcctOutputOctets == 0 !!!
and if session will be open during 20 hours - we can not know the current value of AcctInputOctets AcctOutputOctets ?!
What do you think about it?

SE> SELECT SUM(AcctOutputOctets) as download, SUM(AcctInputOctets) as upload
SE> GROUP BY Username ORDER BY Username ASC;
SE> This should give you a list of your users and their upload and download
SE> traffic ( list is sorted ascending by usernames ).
SE> Regards,
SE> Edvin
SE> -----Original Message-----
SE> From: [EMAIL PROTECTED]
SE> [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Sokov
SE> Sent: Thursday, 15 December 2005 11:33
SE> To: freeradius-users@lists.freeradius.org
SE> Subject: how get current TRAFFIC (ACCT) ?
SE> Importance: High
SE> Hi, freeradius-users.
SE> Linux Debian, # uname -a
SE> Linux g48 2.6.14.3-1 #4 Sun Dec 11 05:57:57 MSK 2005 i686 GNU/Linux
SE> #freeradius -v
SE> freeradius: FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at
SE> 11:56:56
SE> # mysql -V
SE> mysql Ver 14.12 Distrib 5.0.13-rc, for pc-linux-gnu (i486) using readline
SE> 5.0
SE> TELL ME PLEASE : HOW I CAN GET CURRENT TRAFFIC INFORMATION ?
SE> I need to kno how much traffic user eat before it close your session.
SE> Do Know anybody ?
SE> I try radwho, radlast - but they show all but acct information
SE> Try radacct - but it is not show anything info, just run and no information
SE> ...
SE> HELP PLEASE.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

--
Best Regards,
Andreas
Thursday, December 15, 2005 2:36:16 PM
Web-Media L.t.d.
+7 (901) 301-5811
ICQ UIN 177624
RE: HELP - Freeradius+mysql - LOST ACCOUNTING
Hi,

use Acct-Interim-Interval attribute ( maybe you will need to change your dictionary file ). This also depends on pppoe which is using radclient - I am not sure if it is supported by your server. I am using Poptop with freeradius and it works.

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Sokov
Sent: Thursday, 15 December 2005 11:29
To: freeradius-users@lists.freeradius.org
Subject: HELP - Freeradius+mysql - LOST ACCOUNTING
Importance: High

Hi, freeradius-users-bounces.

I use pppoe+ppp+freeradius+mysql on Linux Debian.
When a user connects by pppoe, records are inserted into the radacct table where inOctets & out == 0.
If session will be 20 hours - data about acct will be updated after session will be closed.
But if session will be lost - I lost ALL DATA ABOUT TRAFFIC (ACCT)
Tell me please - how can I update with interval current traffic for ever connected users?

--
Best Regards,
Andreas
Thursday, December 15, 2005 3:22:10 AM
"Do not hesitate to ask me"
ICQ UIN 177624
http://ServersLease.net - Offshore Dedicated Servers, Offshore Collocation
http://HOST-LUX.RU - Offshore Virtual Hosting, Web Hosting, as low as 5$ per 1Gb HDD/month
http://Reg-Master.net - Register`s Master of Domains
http://Web-Media.Ru - Web Design studio.
http://VEHICLE.RU - cars to order from the USA
RE: how get current TRAFFIC (ACCT) ?
Hi,

for traffic information, look at the RADACCT table in your mysql database called radius. A simple sql query could be:

    SELECT Username, SUM(AcctOutputOctets) AS download, SUM(AcctInputOctets) AS upload FROM radacct GROUP BY Username ORDER BY Username ASC;

This should give you a list of your users and their upload and download traffic (the list is sorted ascending by username).

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andreas Sokov
Sent: Thursday, 15 December 2005 11:33
To: freeradius-users@lists.freeradius.org
Subject: how get current TRAFFIC (ACCT) ?
Importance: High

Hi, freeradius-users.

Linux Debian,
# uname -a
Linux g48 2.6.14.3-1 #4 Sun Dec 11 05:57:57 MSK 2005 i686 GNU/Linux
#freeradius -v
freeradius: FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at 11:56:56
# mysql -V
mysql Ver 14.12 Distrib 5.0.13-rc, for pc-linux-gnu (i486) using readline 5.0

TELL ME PLEASE: HOW CAN I GET CURRENT TRAFFIC INFORMATION?
I need to know how much traffic a user eats before the session is closed. Does anybody know?
I tried radwho and radlast, but they show all but acct information.
I tried radacct, but it does not show any info; it just runs and gives no information ...
HELP PLEASE.

--
Best Regards,
Andreas
Thursday, December 15, 2005 1:29:42 PM
"Do not hesitate to ask me"
ICQ UIN 177624
http://ServersLease.net - Offshore Dedicated Servers, Offshore Collocation
http://HOST-LUX.RU - Offshore Virtual Hosting, Web Hosting, as low as 5$ per 1Gb HDD/month
http://Reg-Master.net - Register`s Master of Domains
http://Web-Media.Ru - Web Design studio.
http://VEHICLE.RU - cars to order from the USA
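How the two replies above fit together (Acct-Interim-Interval and the per-user query), as an added example that is not code from the thread or from FreeRADIUS. It replays constructed accounting packets into an in-memory SQLite stand-in for radacct; the table layout beyond the column names in the reply, the use of AcctSessionId as key, and the helper names are assumptions.

```python
import sqlite3

# Stand-in for radacct: user/octet column names follow the query in the reply
# above; AcctSessionId as primary key is an assumption for this sketch.
SCHEMA = """CREATE TABLE radacct (AcctSessionId TEXT PRIMARY KEY, UserName TEXT,
    AcctInputOctets INTEGER DEFAULT 0, AcctOutputOctets INTEGER DEFAULT 0)"""

def pkt(status, sid, user, inp=0, out=0):
    return {"Acct-Status-Type": status, "Acct-Session-Id": sid, "User-Name": user,
            "Acct-Input-Octets": inp, "Acct-Output-Octets": out}

# Constructed sample packets, not captured from a real NAS.
SAMPLE = [
    pkt("Start", "s1", "alice"),
    pkt("Interim-Update", "s1", "alice", 1000, 5000),
    pkt("Interim-Update", "s1", "alice", 4000, 20000),  # link drops, no Stop
    pkt("Start", "s2", "bob"),
    pkt("Stop", "s2", "bob", 300, 700),                  # clean session end
    pkt("Start", "s3", "carol"),                         # lost, no interim sent
    pkt("Interim-Update", "s4", "dave", 50, 60),         # Start packet was lost
]

def apply_packet(db, p):
    status = p["Acct-Status-Type"]
    if status not in ("Start", "Interim-Update", "Stop"):
        raise ValueError(f"unhandled Acct-Status-Type: {status}")
    # Create the row if missing, so an update without a Start is not dropped.
    db.execute("INSERT OR IGNORE INTO radacct (AcctSessionId, UserName) VALUES (?, ?)",
               (p["Acct-Session-Id"], p["User-Name"]))
    if status != "Start":
        # Counters are cumulative for the session: overwrite, never add.
        db.execute("UPDATE radacct SET AcctInputOctets = ?, AcctOutputOctets = ? "
                   "WHERE AcctSessionId = ?",
                   (p["Acct-Input-Octets"], p["Acct-Output-Octets"], p["Acct-Session-Id"]))

def load(packets):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    for p in packets:
        apply_packet(db, p)
    return db

def traffic_per_user(db):
    """Per-user (name, upload, download) totals, open sessions included."""
    return db.execute(
        "SELECT UserName, SUM(AcctInputOctets), SUM(AcctOutputOctets) "
        "FROM radacct GROUP BY UserName ORDER BY UserName ASC").fetchall()

if __name__ == "__main__":
    print(traffic_per_user(load(SAMPLE)))
```

The carol row stays at zero because her session was lost before any interim update arrived, which is the data loss described in the question; alice keeps the counters from her last interim update.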
how get current TRAFFIC (ACCT) ?
Hi, freeradius-users.

Linux Debian,
# uname -a
Linux g48 2.6.14.3-1 #4 Sun Dec 11 05:57:57 MSK 2005 i686 GNU/Linux
#freeradius -v
freeradius: FreeRADIUS Version 1.0.5, for host , built on Oct 16 2005 at 11:56:56
# mysql -V
mysql Ver 14.12 Distrib 5.0.13-rc, for pc-linux-gnu (i486) using readline 5.0

TELL ME PLEASE: HOW CAN I GET CURRENT TRAFFIC INFORMATION?
I need to know how much traffic a user eats before the session is closed. Does anybody know?
I tried radwho and radlast, but they show all but acct information.
I tried radacct, but it does not show any info; it just runs and gives no information ...
HELP PLEASE.

--
Best Regards,
Andreas
Thursday, December 15, 2005 1:29:42 PM
"Do not hesitate to ask me"
ICQ UIN 177624
http://ServersLease.net - Offshore Dedicated Servers, Offshore Collocation
http://HOST-LUX.RU - Offshore Virtual Hosting, Web Hosting, as low as 5$ per 1Gb HDD/month
http://Reg-Master.net - Register`s Master of Domains
http://Web-Media.Ru - Web Design studio.
http://VEHICLE.RU - cars to order from the USA
HELP - Freeradius+mysql - LOST ACCOUNTING
Hi, freeradius-users-bounces.

I use pppoe+ppp+freeradius+mysql on Linux Debian. When a user connects by pppoe, records are inserted into the radacct table where inOctets & out == 0. If the session lasts 20 hours, the acct data will be updated after the session is closed. But if the session is lost, I lose ALL DATA ABOUT TRAFFIC (ACCT). Tell me please: how can I update the current traffic at an interval for every connected user?

--
Best Regards,
Andreas
Thursday, December 15, 2005 3:22:10 AM
"Do not hesitate to ask me"
ICQ UIN 177624
http://ServersLease.net - Offshore Dedicated Servers, Offshore Collocation
http://HOST-LUX.RU - Offshore Virtual Hosting, Web Hosting, as low as 5$ per 1Gb HDD/month
http://Reg-Master.net - Register`s Master of Domains
http://Web-Media.Ru - Web Design studio.
http://VEHICLE.RU - cars to order from the USA
Re: Freeradius and LDAP : to be continued
Alan DeKok wrote:
<[EMAIL PROTECTED]> wrote:
rlm_ldap: Adding userPassword as User-Password, value { & op=11

That's better.

modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP

Yuck. My quick answer is to edit rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems.

Indeed, I have no rlm-ldap.so ;-( (I did apt-get install freeradius-ldap on my debian box ...)

Alan DeKok.

--
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
chillispot, apache2, freeradius: my experience and howto
Hello,

I wrote a little "how to" of what I have done in order to make freeradius work with chilli, regarding my configuration. Because it involves several services (apache ssl, freeradius, ldap, sql, ...) I didn't really find a suitable complete how-to for my needs. That's the reason why I wrote mine (in French, sorry) but then translated it into English and posted it to the ChilliSpot forum (http://www.chillispot.org/forum/viewtopic.php?p=3035#3035). It aims at being exhaustive, explaining things from apache, ssl, chilli, freeradius and next ldap (as soon as I get it working).

As someone told me on the list, I should not forget the freeradius wiki! So, do you think this is valuable? (It covers not only freeradius, in fact.) If yes, where in the wiki is it suitable to propose this?

Regards,
Christophe.

PS: I sent this mail to the chillispot ml as well.

--
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
bug in rlm_ldap?
I want to add a checkitem from an ldap request and use it when the users file is processed later. Therefore I added

checkItem User-Category primaryGroupID

to ldap.attrmap

The users file contains nothing but:

##
HOST/lnxad.tde002.sitest.net User-Category != 515
    Fall-Through = No,
HOST/lnxad.tde002.sitest.net User-Category == 515
    Fall-Through = No,
HOST/lnxad.tde002.sitest.net Auth-Type := Reject
##

radiusd -AX :

rlm_ldap: looking for check items in directory...
ldap_get_values
ldap_get_values
.
ldap_get_values
rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category == 515
ldap_get_values
rlm_ldap: looking for reply items in directory...
ldap_get_values
...
ldap_get_values
ldap_get_values
rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category = 515
ldap_get_values
rlm_ldap: user HOST/lnxad.tde002.sitest.net authorized to use remote access
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap1" returns ok for request 0
users: Matched entry HOST/lnxad.tde002.sitest.net at line 12

This is the last entry of the users file, with Auth-Type := Reject. Neither of the entries containing the checkitem User-Category matches. Am I doing something wrong?

Norbert Wegener
A draft of a complete howto of my chilli experience.
Hello,

I wrote a little "how to" of what I have done in order to make chilli work, regarding my configuration. Because it involves several services (apache ssl, freeradius, ldap, sql, ...) I didn't really find a suitable complete how-to for my needs. That's the reason why I wrote mine (in French, sorry) but then translated it into English and posted it to the ChilliSpot forum (http://www.chillispot.org/forum/viewtopic.php?p=3035#3035).

Just feel free to add your comments to get it improved and share your opinion.

Regards,
Christophe.

--
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html