Re: Freeradius + Microsoft Active Directory

2006-02-26 Thread Natalia Escalera
Hello all,

Mr. Sandworm, I really appreciate your help. Including 'referrals no'
in ldap.conf works fine! Now the FR server receives an affirmative
answer from the AD server.
I also appreciate Mr. Dekok's and Mr. Geek's help in pointing me in the
correct direction.

Thank you,
Nataly


On 2/26/06, Sandworm <[EMAIL PROTECTED]> wrote:
> "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> >I have another question, how can we avoid referrals coming from AD
> >Ldap server? How can we specify those settings?
>
> From the list archives:
>
> See http://lists.freeradius.org/pipermail/freeradius-users/2004-October/037218.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius and MySQL boot problem

2006-02-26 Thread Diniz Da Rocha
Hi,

I have currently set up FreeRadius 1.0.4 with LDAP authentication and authorization as well as MySQL authorization, and it's all working fine. My only problem is that when I boot the server (Fedora Core 4) and radiusd starts up, there is a rlm_sql_mysql error:

Wed Feb 15 18:38:51 2006 : Info: rlm_sql (sql): Trying to (re)connect unconnected handle 4..
Wed Feb 15 18:38:51 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Wed Feb 15 18:38:51 2006 : Error: rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
Wed Feb 15 18:38:51 2006 : Error: rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on 'myip' (13)'
Wed Feb 15 18:38:51 2006 : Error: rlm_sql (sql): Failed to connect DB handle #4

The MySQL server is on another server with IP "myip". I initially thought it was a firewall block, but even with no firewall I get this error. But once the server has started and I run "service radiusd restart" from a terminal, the connection to the MySQL server works fine and has no problems. I even tried running the service from rc.local, but it still fails. Did anyone have this problem? Is anyone running the MySQL server on another machine? Is there a fix for this?

thanks

diniz

RE: Adding Ascend-Data-Filter to MySQL

2006-02-26 Thread squirrel
>> But when I add the same Ascend-Data-Filter information above into mysql
>> database file (radgroupcheck table), although authenticates fine, I don't
>> get "Ascend-VSA-Data-Filter=\0x01\0x01\0x01 " in attribute dump.
>> Below is what is added to the table:
>>
>> GroupName  Attribute           op  Value
>>
>> Dialup     Auth-Type           :=  LOCAL
>> Dialup     Service-Type        =   Framed-User
>> Dialup     Framed-Protocol     =   PPP
>> Dialup     Framed-Compression  =   Van-Jacobsen-TCP-IP
>> Dialup     Ascend-Data-Filter  +=  "ip in forward tcp est"
>> Dialup     Ascend-Data-Filter  +=  "ip in forward dstip a.b.c.0/20"
>> Dialup     Ascend-Data-Filter  +=  "ip in forward tcp dstport = 25"
>> Dialup     Ascend-Data-Filter  +=  "ip in forward"
>>
> It should be in radgroupreply table
>
> J.

Thanks, that worked.  I thought it was the radgroupcheck because when I
add an attribute using dialup_admin, it went into it.  Go figure...




Re: Freeradius + Microsoft Active Directory

2006-02-26 Thread Sandworm
"Natalia Escalera" <[EMAIL PROTECTED]> wrote:
>I have another question, how can we avoid referrals coming from AD
>Ldap server? How can we specify those settings?

From the list archives:

See http://lists.freeradius.org/pipermail/freeradius-users/2004-October/037218.html


Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-26 Thread Alan DeKok
"Alex Savguira" <[EMAIL PROTECTED]> wrote:
> OK, I understood your point, but would you be so kind to explain WHY
> do you think it is such a bad idea

  As I said before: it gains you nothing but additional complexity.
It's completely unnecessary.

> none of the network technicians on-site can abuse users' passwords
> since they are encrypted and supposedly beyond their cracking
> abilities, and both PAP and MS-CHAP should work... OK, again, it
> doesn't work NOW, but why shouldn't it? What's so evil about this
> configuration?

  Nothing is evil.  It just makes your life more difficult, and gains
you *nothing*.

>  Btw, in freeradius FAQ you, guys, claim, that PAP
> is better than CHAP because it allows storing passwords in encrypted
> form. I kinda agree with that... Why do you now claim that storing in
> clear text is better?

  If your requirement is to do MS-CHAP, you need either the clear-text
passwords, or the NT hash.

> Ok, it is less headache for me, but what about privacy rights of my users?

  That's up to you and your local legal situation.  FreeRADIUS has to
work in countries other than where you live, where laws are different.

  Alan DeKok.



Re: TNC Compliance

2006-02-26 Thread Alan DeKok
Robert Myers <[EMAIL PROTECTED]> wrote:
> Is FreeRadius TNC compliant?

  It implements parts of what is needed for TNC, but not all.  And
there's no budget for any kind of compliance testing, if that's necessary.

  Alan DeKok.



TNC Compliance

2006-02-26 Thread Robert Myers

Is FreeRadius TNC compliant?

-Bob


Is it possible to make PAP module understand both CRYPT (MD5) and plaintext passwords?

2006-02-26 Thread Alex Savguira
Having

    pap pap {
        encryption_scheme = crypt
    }
    pap papplain {
        encryption_scheme = clear
    }

    Auth-Type PAP {
        pap
    }
    Auth-Type PAPPLAIN {
        papplain
    }

in radiusd.conf

having

    user1 Crypt-Password := blablaencrypted
    user2 User-Password := blablacleartext

in radcheck table.

having

    pptp   Auth-Type := PAPPLAIN
    dialup Auth-Type := pap

in radgroupcheck

having

    user1 pptp
    user2 dialup

in user groups...

In fact I have added extra logic to the custom dialup-admin clone I am
running to make it select the right attribute and encryption scheme or
none for user depending on his/her membership in a certain group.

Regards
Alex.



Is it possible to make PAP module understand both CRYPT (MD5) and plaintext passwords?

2006-02-26 Thread Alex Savguira
Exactly as I suggested in original post...



Re: Is it possible to make PAP module understand both CRYPT (MD5) and plaintext passwords?

2006-02-26 Thread A . L . M . Buxey
Hi,
> Please ignore... Found the answer already...

enlighten us? :-)

alan


Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-26 Thread Alex Savguira
Alan,

I've solved my problems already... I've even finished the custom
modification to dialup-admin which takes care of changing the
Crypt-Passwords to User-Passwords for users accessing the new
services. Thanks for clearing things up...

>> btest | NT-Password    | == | NT-hashbla-bla-bla^&&@0-3443
>> btest | Crypt-Password | == | $1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1

>  Which is exactly what I keep saying is not needed, and is causing
> problems for you.

OK, I understood your point, but would you be so kind to explain WHY
do you think it is such a bad idea (besides the fact that it doesn't
work with the current version of rlm_sql)... The solution seems to be
perfectly logical:  - none of the network technicians on-site can
abuse users' passwords since they are encrypted and supposedly beyond
their cracking abilities, and both PAP and MS-CHAP should work... OK,
again, it doesn't work NOW, but why shouldn't it? What's so evil about
this configuration? Btw, in freeradius FAQ you, guys, claim, that PAP
is better than CHAP because it allows storing passwords in encrypted
form. I kinda agree with that... Why do you now claim that storing in
clear text is better?
Ok, it is less headache for me, but what about privacy rights of my users?


Thanks
Alex



Re: rtl8186 + radius

2006-02-26 Thread Alan DeKok
"Norbert Grochal" <[EMAIL PROTECTED]> wrote:
> 1. wds disconnects every 3-4 hours.
> 2. If count of people > 4 then after 1-4 hours AP stops talking with freeradius
> 3. and sometimes freezes and people can't connect at all

  Once the user is surfing the net, the AP doesn't interact with
FreeRADIUS.

  I think the AP is broken.  This has nothing to do with FreeRADIUS.

  Alan DeKok.



Re: freeradius 1.1.0 and mysql5

2006-02-26 Thread Alan DeKok
"Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
> are there any known issues when installing freeradius with mysql support? I
> have Suse 9.1 with mysql5 ( from RPMs ) and after compiling freeradius -
> rlm_sql module is not able to link rlm_sql_mysql because I do NOT have
> libmysqlclient.so.12 !!

  The server does not include references to libmysqlclient.so.12.
Instead, it links to whatever library your system provides.  The
conclusion is your system thinks it has that library, so the server
tries to use it.  But there's something wrong, because the dynamic
linker on your system can't find it.

  I suggest fixing your system so that it can find the libraries it has.

> YES - I have tried to compile with -disable-shared, but then I get a lot of
> other error messages about DynaLoader and rlm_smb???

  rlm_smb is not built by default.  The only way it builds is if you
enable --experimental-modules.

> Is there any way I can disable those modules I do not need ( or plan to use
> )? 

  Delete the rlm_smb directory and rebuild.

  Alan DeKok.



Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-26 Thread Alan DeKok
"Alex Savguira" <[EMAIL PROTECTED]> wrote:
> An ideal situation for me would be
> something like this in radcheck:
> username | att            | op | val
> ---------+----------------+----+------
> btest    | NT-Password    | == | NT-hashbla-bla-bla^&&@0-3443
> btest    | Crypt-Password | == | $1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1

  Which is exactly what I keep saying is not needed, and is causing
problems for you.

  Alan DeKok.



rtl8186 + radius

2006-02-26 Thread Norbert Grochal

Hi,

I am trying to secure a wireless network with freeradius (on a Linux PC).
Access Points on rtl8186, WPA2(mixed), client cards Edimax on ralink rt2500
and ralink rt2400, PEAP.
Firmware on AP: (newest versions) Planet 4035, Planet wrt414, Edimax
ew-7206, Edimax ew-7209, OvisLink Airlive...


Problems (all need an AP reset; after reboot everything works OK for 1-4 hours...):
1. wds disconnects every 3-4 hours.
2. If count of people > 4 then after 1-4 hours AP stops talking with freeradius
3. and sometimes freezes and people can't connect at all

I have connected the AP to the COM port on my PC and see that there are no error
messages in the built-in Linux; there is enough memory and ramdisk space. I think
this may be a problem with the driver for the radio (RF, RTL8180/RTL8185).


Has anyone successfully run freeradius with PEAP + AP on rtl8186 with
WPA2(mixed) + about 10-15 users?


Norbert



freeradius 1.1.0 and mysql5

2006-02-26 Thread Seferovic Edvin
Hello,

are there any known issues when installing freeradius with mysql support? I
have Suse 9.1 with mysql5 ( from RPMs ) and after compiling freeradius -
rlm_sql module is not able to link rlm_sql_mysql because I do NOT have
libmysqlclient.so.12 !!

Sun Feb 26 17:36:24 2006 : Error: rlm_sql (sql): Could not link driver rlm_sql_mysql: libmysqlclient.so.12: cannot open shared objey
Sun Feb 26 17:36:24 2006 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your sys.
Sun Feb 26 17:36:24 2006 : Error: radiusd.conf[14]: sql: Module instantiation failed.
Sun Feb 26 17:36:24 2006 : Error: radiusd.conf[1257] Unknown module "sql".
Sun Feb 26 17:36:24 2006 : Error: radiusd.conf[1243] Failed to parse accounting section.

YES - I have tried to compile with -disable-shared, but then I get a lot of
other error messages about DynaLoader and rlm_smb???

extracting global C symbols from
`../modules/rlm_sql/drivers/rlm_sql_mysql/.libs/rlm_sql_mysql.a'
(cd .libs && gcc -c -fno-builtin -fno-rtti -fno-exceptions "radiusdS.c")
cc1: warning: "-fno-rtti" is valid for C++ but not for C/ObjC
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
-DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHt
../modules/rlm_perl/.libs/rlm_perl.a(rlm_perl.o)(.text+0x26fb): In function
`xs_init':
/root/software/freeradius-1.1.0/src/modules/rlm_perl/rlm_perl.c:613:
undefined reference to `boot_DynaLoader'
../modules/rlm_smb/.libs/rlm_smb.a(smbencrypt.o)(.text+0x172): In function
`E_md4hash':
/root/software/freeradius-1.1.0/src/modules/rlm_smb/smbencrypt.c:107:
undefined reference to `mdfour'
collect2: ld returned 1 exit status
rm -f .libs/radiusdS.o
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/root/software/freeradius-1.1.0/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/software/freeradius-1.1.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/software/freeradius-1.1.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/software/freeradius-1.1.0'
make: *** [all] Error 2


Is there any way I can disable those modules I do not need ( or plan to use
)? 

Any ideas how I can solve those problems?

Thank you in advance.

Regards,

Edvin Seferovic



RE: FreeBSD 6.0 and mysql

2006-02-26 Thread Alan Craig

Thanx for the help Rob.

I had checked out my libraries and everything was linked exactly like the
other working FreeBSD 6 RADIUS server. I had upgraded this box from 5.2.1 to
the stable 6.0 and had recompiled some of the packages. Somewhere along the
line I think the threading libraries hadn't updated correctly.

My solution to fix this problem eventually was to do a portupgrade -raf -m
FORCE_PKG_REGISTER=yes.

This has forced everything to be recompiled correctly with the new system
libraries, flushing out any old links.


Rob Parker-5 wrote:
> 
> Not sure if this is any use, but the last time I saw an error like that was
> with a box which had conflicting threading libraries on it... in the end I
> just pulled the box down and reinstalled freebsd (box was not in production,
> thankfully!), but this might be useful to you (it's from a KDE mailing list,
> but the problem/solution should be the same):
> 
> http://freebsd.kde.org/pipermail/kde-freebsd/2004-August/008692.html
> 
> Maybe FreeRADIUS is linked against one library and MySQL is linked to
> another.
> 
> Cheers,
> 
> Rob.
> 
> -Original Message-
> From: Alan Craig [mailto:[EMAIL PROTECTED] 
> Sent: 24 February 2006 10:03
> To: freeradius-users@lists.freeradius.org
> Subject: RE: FreeBSD 6.0 and mysql
> 
> 
> Nope this doesn't help.
> 
> I have a suspicion it is a threading problem, but I haven't a clue on where
> to look to sort that out.


RE: Adding Ascend-Data-Filter to MySQL

2006-02-26 Thread Jonathan De Graeve
> But when I add the same Ascend-Data-Filter information above into mysql
> database file (radgroupcheck table), although authenticates fine, I don't
> get "Ascend-VSA-Data-Filter=\0x01\0x01\0x01 " in attribute dump.
> Below is what is added to the table:
>
> GroupName  Attribute           op  Value
>
> Dialup     Auth-Type           :=  LOCAL
> Dialup     Service-Type        =   Framed-User
> Dialup     Framed-Protocol     =   PPP
> Dialup     Framed-Compression  =   Van-Jacobsen-TCP-IP
> Dialup     Ascend-Data-Filter  +=  "ip in forward tcp est"
> Dialup     Ascend-Data-Filter  +=  "ip in forward dstip a.b.c.0/20"
> Dialup     Ascend-Data-Filter  +=  "ip in forward tcp dstport = 25"
> Dialup     Ascend-Data-Filter  +=  "ip in forward"
>
It should be in radgroupreply table

J.

