mysql 4.1.0 can not run normally in Freeradius 1.0.5

2006-03-07 Thread yao guoxian
  Freeradius works well authenticating users through the "files" option.
  In order to authenticate users through "sql", I have installed mysql 4.1.0 on the machine, which has the Redhat 9 operating system.
  I followed the suggestion:
   mysql -uroot -prootpass radius < db_mysql.sql
 and made changes to radiusd.conf like below:
 authorise {
preprocess
chap
mschap
#counter
#attr_filter
#eap
suffix  
sql
#files
#etc_smbpasswd
}
 
authenticate {
authtype PAP {
   pap
}
authtype CHAP {
   chap
}
authtype MS-CHAP{
   mschap
}
#pam
#unix
#authtype LDAP {
#   ldap
#}
}
 
preacct {  
preprocess
suffix
#files
}
 
accounting {
acct_unique
detail
#counter
unix
sql
radutmp
#sradutmp
}
 
session {
radutmp
}

However when I input: radiusd -X, I only got the following errors:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "root"
 sql: password = "rootpass"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"

RE: mysql 4.1.0 can not run normally in Freeradius 1.0.5

2006-03-07 Thread Seferovic Edvin
rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found

Are you sure that you have compiled FR with mysql support ? Recompile it
with sql_mysql driver and it should work.

Regards,

Edvin



post proxy problem

2006-03-07 Thread VannMann32 .

Hi !


I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the "accept" from ms-win2k3-ias server, then i want to assign
a static ip address.

Reading the doc/proxy file, i read that the user file is processed as usual
after accept is received ms radius server.

users :

DEFAULT Service-Type == Framed-User, User-Name == "username"
  Framed-IP-Address = 192.168.1.100

Running radius in debug mode I always get this:

Error: Warning:  Found 2 auth-types on request for user '[EMAIL PROTECTED]'


Is it possible to assign an IP address after an ack (accept) is received from
the proxy radius server? If yes, does anybody have a config example for me?


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


mysql authentication doesn't work

2006-03-07 Thread ???????, ?? ????????
in radiusd.conf:
authorize {
auth_log
sql
}

authenticate {
}

in sql.conf:
sql_user_name = "%{Calling-Station-Id}"

authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
  FROM ${authcheck_table} \
  WHERE UserName = '%{SQL-User-Name}' AND User='%{User-Name}' \
  ORDER BY id"

/usr/local/sbin/radiusd -X shows me:
Listening on authentication XXX.XX.XX.XX:1812
Listening on accounting XXX.XX.XX.XX:1813
Ready to process requests.
rad_recv: Access-Request packet from host XXX.XX.XX.XX:1812, id=190, length=117
NAS-Identifier = "mynas2"
User-Name = "test"
User-Password = "testpass"
NAS-IP-Address = XXX.XX.XX.XX
NAS-Port-Type = Virtual
Called-Station-Id = "1000"
Calling-Station-Id = "333999"
Acct-Session-Id = "d45d6126058adce5"
Acct-Multi-Session-Id = "d45d612600010610"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/auth-detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail.log expands to 
/usr/local/var/log/radius/radacct/auth-detail.log
  modcall[authorize]: module "auth_log" returns ok for request 0
radius_xlat:  '333999'
rlm_sql (sql): sql_set_user escaped user --> '333999'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE UserName = '333999' AND User='test'   
ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  ''
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE UserName = 'secondtest'   ORDER BY id'
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user 
[333999]
  modcall[authorize]: module "sql" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test/testpass] (from client mynas2 port 0 cli 333999)
Sending Access-Reject of id 190 to XXX.XX.XX.XX port 1812
Finished request 0

So, select from database:
mysql> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE UserName =
'333999' AND User='test' ORDER BY id;
+-----+----------+-------------------+------------------+----+
| id  | UserName | Attribute         | Value            | op |
+-----+----------+-------------------+------------------+----+
|   1 | 333999   | Auth-Type         | Accept           | := |
|  37 | 333999   | User-Password     | 378b243e220ca493 | == |
|  73 | 333999   | User-Name         | test             | == |
| 109 | 333999   | Called-Station-Id | 1000             | == |
+-----+----------+-------------------+------------------+----+
4 rows in set (0.58 sec)



As I understand it, radius cannot understand an encrypted "User-Password" (encrypted by
the MySQL function "password"). Is it possible to get around this? How do I do it; can
someone give advice?



Re: special characters in passwords + FR + ldap

2006-03-07 Thread Turtiainen, Tero

Hi,

> -Original Message-
> Date: Sat, 4 Mar 2006 15:19:32 -0600
> From: "Natalia Escalera" <[EMAIL PROTECTED]>
>
> Hello,
>
> What is needed is that Freeradius accepts passwords even if special
> characters are part of them. This is what is happening:
>
>
> pass$word -> FR -> LDAP -> FR (Answer: wrong password)
>
> Any ideas of how to solve it?

This looks very much like the feature we have seen with FR 0.9.3.
Passwords with a "special character" are truncated, resulting in
password check failing.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045560.html

This may be related to this bug, which is still open (I don't agree
with the severity=minor :)
http://bugs.freeradius.org/show_bug.cgi?id=261

We have made a small fix to the ldap-module (as seen in the link to the
mailing list archive). I don't know if this has been fixed in 1.1.0. I
once had a quick look at the ldap-module of 1.1.0, it should be quite
easy to test if it still fails.
--
Tero Turtiainen
Technology Services
Capgemini


Re: FreeRADIUS + LDAP + Wireless auth

2006-03-07 Thread James Cort

Alan DeKok wrote:

  Ah, you have DOMAIN\user logging in, and your LDAP server knows
about "user".

  Try the following in "hints":

DEFAULT User-Name =~ "\\(.*)$"
Menu = "%{1}"

  Then in radiusd.conf, do:

...
ldap {
...
filter = "(uid=%{Menu:-%u})"
...

  Yes, "Menu" is a bad name, but it should work.

Many thanks. 

I had to write the username as "(.*)$" as the backslashes themselves 
needed escaping, but once that was done it's all working like a charm now.


James.




Re: WiFi & Mac address authentication

2006-03-07 Thread Guillaume
2006/3/3, Alan DeKok <[EMAIL PROTECTED]>:
> Guillaume <[EMAIL PROTECTED]> wrote:
> > I try to set up a MAC authentication and a certificate-based
> > authentication, but in the freeradius.cnf I don't find any entry for
> > loading a list of authorised MAC addresses.
>
>   That's because the server doesn't come pre-configured to run on your
> local system.  Instead, it comes with examples and documentation
> describing how to solve general problems.  The idea is that you read
> those, and use them to create local solutions.
>
>   My suggestion is to read the "rlm_passwd" man page.  The grouping it
> does there for User-Name can also be applied to MAC addresses.
>
>   Alan DeKok.
OK, if I understand the man pages of dictionary & rlm_passwd, I have to
add this line in:
##Dictionary file##
ATTRIBUTE   mac-address   3001   string
##

##radiusd.conf file##
passwd MAC_list {
 filename = /etc/radd/MAC_list
 format = "mac-address:::*,User-Name"
 hashsize = 50
#   ignorenislike = yes
#   allowmultiplekeys = yes
 delimiter = ":"
}
and then I have to create a file in /etc/radd named mac_list and add
my mapping between user and MAC address?

Am I wrong, or is this the right solution?

 guillaume.




RE: Radius server health monitor :

2006-03-07 Thread Devaraj Hattibelegal Patil
Can I get any ideas on writing our own new open code? I mean I am looking
for a new, small, really lightweight application which does monitoring and
uses the best method (either SNMP ping or Server status message or some
radius API).

Regards,
Devah
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of Peter Nixon
Sent: Tuesday, March 07, 2006 4:50 AM
To: FreeRadius users mailing list
Subject: Re: Radius server health monitor :

On Mon 06 Mar 2006 15:11, Devaraj Hattibelegal Patil wrote:
> Radius server health monitor: I was looking for the best way to monitor the
> health of the Radius server. Can somebody suggest the best possible
> way?
> Thanks in advance

Nagios, OpenNMS (which I use) and many other NMS systems have radius
monitoring plugins that work just fine. They can also monitor your backend
auth and accounting stores for you (LDAP and SQL for example).

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

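A small Status-Server probe of the kind Devaraj asks about, added here as an example and not code from the thread or from FreeRADIUS: it builds the RFC 5997 request with its Message-Authenticator, then accepts a reply only if the identifier, Response Authenticator and any Message-Authenticator verify under the shared secret. It assumes the server answers Status-Server (status_server = yes in radiusd.conf; the first post above shows it set to no) and that host, port and secret are supplied by the caller; build_reply is a stand-in server so the verifier can be exercised offline.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12          # RADIUS Code for Status-Server (RFC 5997)
ACCESS_ACCEPT = 2           # reply expected from a healthy authentication port
ACCOUNTING_RESPONSE = 5     # reply expected from a healthy accounting port
MESSAGE_AUTHENTICATOR = 80  # attribute type; mandatory in a Status-Server request
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def build_status_server(secret, identifier, request_auth=None):
    """Return (packet, request_authenticator) for one Status-Server probe."""
    if request_auth is None:
        request_auth = os.urandom(16)
    # Message-Authenticator = HMAC-MD5(secret, packet with its 16 value bytes zeroed)
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    zeroed = HEADER.pack(STATUS_SERVER, identifier, HEADER.size + len(attrs), request_auth) + attrs
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:HEADER.size + 2] + mac, request_auth


def verify_response(packet, request_auth, secret, identifier, expected_code=ACCESS_ACCEPT):
    """Accept a reply only if code, identifier, length and both authenticators check out."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, resp_auth = HEADER.unpack_from(packet)
    if code != expected_code or ident != identifier or length != len(packet):
        return False
    head, attrs = packet[:4], packet[HEADER.size:]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    # Walk the attribute TLVs. A Message-Authenticator in a reply is keyed over the
    # Request Authenticator, not the Response Authenticator (RFC 2869 section 5.14).
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return False
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            zeroed = head + request_auth + attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, attrs[pos + 2:pos + 18]):
                return False
        pos += alen
    return True


def build_reply(request_auth, secret, identifier, code=ACCESS_ACCEPT, with_mac=True):
    """Server side of the exchange; a stand-in so the checks above can run offline."""
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if with_mac else b""
    head = struct.pack("!BBH", code, identifier, HEADER.size + len(attrs))
    if with_mac:
        attrs = attrs[:2] + hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def probe(host, secret, port=1812, timeout=3.0, expected_code=ACCESS_ACCEPT):
    """Send one Status-Server and report whether a valid reply came back in time."""
    identifier = os.urandom(1)[0]
    request, request_auth = build_status_server(secret, identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(reply, request_auth, secret, identifier, expected_code)


if __name__ == "__main__":
    # Placeholder host and secret; replace with the server under test.
    print("radius up" if probe("127.0.0.1", b"testing123") else "radius DOWN")
```

For the accounting port, call probe with port=1813 and expected_code=ACCOUNTING_RESPONSE.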


freeradius 1.1.0 and MSSQL

2006-03-07 Thread Duane Cox
List

Was the MSSQL re-connectivity issue addressed in the 1.1.0 build?

I know that as of 1.0.5 if freeradius lost connectivity with the MSSQL
database, freeradius would not reopen the socket.

I'm curious if this was ever fixed / addressed ...


Thanks,
Duane Cox




[Freeradius-Users]modcall[authenticate]: module "unix" returns notfound for request

2006-03-07 Thread Jedliu
Hi,
All!

When I want to run freeradius with the support of MySQL,
I found such a message: * modcall[authenticate]: module "unix" returns notfound for
request 12
modcall: group authenticate returns notfound for request 12
* in "radiusd -X" mode, but the user in the USERS file can be authenticated
successfully.
I've googled, but did not find the solution.
And I've searched the mailing list; though there is some troubleshooting
there too, no way to solve it.
So please help!

Thanks in advance!
Regards to everyone.

jedliu
2006-03-06


RE: Radius server health monitor :

2006-03-07 Thread Bart van Daal
Check out 'monit' too. It's able to take some defined actions
when the server dies or something goes wrong.

kr,
Bart 



Re: freeradius 1.1.0 and MSSQL

2006-03-07 Thread Nicolas Baradakis
Duane Cox wrote:

> Was the MSSQL re-connectivity issue addressed in the 1.1.0 build?

No. Most people are using FreeRADIUS with MySQL or PostgreSQL,
therefore the MSSQL problems have a very low priority.

> I know that as of 1.0.5 if freeradius lost connectivity with the MSSQL
> database, freeradius would not reopen the socket.
>
> I'm curious if this was ever fixed / addressed ...

There is a patch available under bug #341.
http://bugs.freeradius.org/show_bug.cgi?id=341

-- 
Nicolas Baradakis



RE: post proxy problem

2006-03-07 Thread VannMann32 .

Hi !


I'm trying to set up Freeradius (1.1.0) to proxy ms-chap-v2 and when
I get the "accept" from ms-win2k3-ias server, then i want to assign
a static ip address.


Found an odd solution:

radius.conf :

  ippool pool-ip {
  range-start = 192.168.1.100
  range-stop = 192.168.1.101
  netmask = 255.255.255.255
  cache-size = 10
  session-db = ${raddbdir}/db.ippool
  ip-index = ${raddbdir}/db.ipindex
  override = no
  maximum-timeout = 0
  }

huntgroups :

group NAS-IP-Address == 192.168.1.1

users :

DEFAULT Huntgroup-Name := "group", Pool-Name := "pool-ip"


Debug: rlm_ippool: Allocating ip to nas/port: vpn.domain.com/0
Debug: rlm_ippool: num: 1
Debug: rlm_ippool: Allocated ip 192.168.1.100 to client on nas 
vpn.domain.com,port 0
Debug:   modsingle[post-auth]: returned from pool-ip (rlm_ippool) for 
request 0

Debug:   modcall[post-auth]: module "pool-ip" returns ok for request 0


I'm able to give a "static" ip address, but i have to allocate two ip 
addresses for each user. :-(





Re: [Freeradius-Users]modcall[authenticate]: module "unix" returns notfound for request

2006-03-07 Thread Andrew Browning
The unix module searches for users in /etc/passwd (or whatever file
you tell it to search). This has nothing to do with mysql. If you want
to use the unix module, then make sure the user exists in /etc/passwd
and that freeradius has read access to that file. If you want to use
mysql, then configure the mysql module.



Re: FreeRADIUS + LDAP + Wireless auth

2006-03-07 Thread Alan DeKok
James Cort <[EMAIL PROTECTED]> wrote:
> Many thanks. 

  Good to hear it works.

> I had to write the username as "(.*)$" as the backslashes themselves 
> needed escaping, but once that was done it's all working like a charm now.

  You might also try using single quotes: '\\(.*)$', as that will
prevent FreeRADIUS from interpreting the backslashes.

  Alan DeKok.



Realms allowed to some huntgroup

2006-03-07 Thread Walter Reynolds


I am not quite finding the setup I am looking for and hope someone can 
point me to the files I should be updating.


Currently I am running version 1.0.4

Hopefully I can describe what I want to do and you can let me know if it
is doable, and if so what files I should modify.


I have questions.

1. How can I authenticate realms differently.
2. Can I set up logging based on Realm

I will simplify this and say we have two service types I want to 
authenticate.


1. Wireless
2. VPN

I currently have Wireless and VPN set up so we do some proxy.  If a user 
signs in with either the following they can log in:


waltr - no domain (use NULL realm with authhost = local in proxy.conf)
[EMAIL PROTECTED] - xxx.edu domain has a realm defined and proxies to the
remote radius server at the other campus

Well this works and Wireless and VPN can sign in.  The thing is I want 
wireless to work this way, but I want VPN to only work with no domain 
logins.


But how do I define a domain/realm to a group so I can put that into the 
huntgroup file.



We are currently using Merit radius and it works this way (I am adding 
this for example only)


Clients.conf (using old style for clarity)
===
#Clients Name         Key             [type]             [version] [prefix]
#-------------------- --------------- ------------------ --------- --------
# iLab Radius servers
vpn.xxx.edu           secretvpn       type=Merit:PROXY             vpn
wirelessAP1.xxx.edu   secretwireless  type=PROXY                   wireless
wirelessAP2.xxx.edu   secretwireless  type=PROXY                   wireless




The prefix would tell it to use a specific users file and authfile. So I 
have the following 4 files:


vpn.users
vpn.authfile
wireless.users
wireless.authfile

With those files I can have users connecting to wireless clients (i.e. a
huntgroup) go to a specific users file and authfile.  I can set the vpn service
to authenticate Null realms and drop all others, while at the same time I
can set wireless to authenticate Null locally and proxy the defined realms
to another radius server.




Question number two is can I separate the accounting for the realms to 
different logfiles?





-- Walter Reynolds
   University of Michigan


Re: Realms in DB

2006-03-07 Thread Alan DeKok
Santiago Balaguer García wrote:
>   I do roaming with third companies, so instead of add all the realms in the 
> file proxy.conf file, I would prefer to have them in realm table in my 
> postgres DB. It is easier to handle.

  That's nice.  As I said, submit a patch.

>   Otherwise, what is the use of realms and realmgroup tables??

  Because no one has submitted a patch to support them.

  Alan DeKok.


Re: mysql authentication doesn't work

2006-03-07 Thread Alan DeKok
"???, ?? " <[EMAIL PROTECTED]> wrote:
> rlm_sql (sql): No matching entry in the database for request from user 
> [333999]

  That's pretty definitive.

  The packet has:

> User-Password = "testpass"

  And SQL has:

> |  37 | 333999 | User-Password | 378b243e220ca493 | == |

  Could you explain why you think that entry should match?  The entry
in SQL has a different password than what's in the packet.


  Alan DeKok.
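A small model of the comparison Alan is describing, added here as an example and not FreeRADIUS's own code: the four check rows from the poster's radcheck table are applied to the attributes of the poster's Access-Request with the operator semantics (`==` is compared against the packet, `:=` only sets a config item, Auth-Type is never compared), which is why a stored MySQL PASSWORD() hash never equals the cleartext "testpass" the packet carries. The attribute dictionary, the list of server-only items and the with_password variant are the example's own simplifications.

```python
import re

# Attributes of the Access-Request shown in the radiusd -X output above
# (constructed from the thread, not a packet capture).
REQUEST = {
    "User-Name": "test",
    "User-Password": "testpass",
    "Calling-Station-Id": "333999",
    "Called-Station-Id": "1000",
    "NAS-Identifier": "mynas2",
}

# The four radcheck rows the poster's query returned, as (attribute, op, value).
RADCHECK_ROWS = [
    ("Auth-Type", ":=", "Accept"),
    ("User-Password", "==", "378b243e220ca493"),
    ("User-Name", "==", "test"),
    ("Called-Station-Id", "==", "1000"),
]

# Check items the server never compares against the packet; they only steer processing.
SERVER_ITEMS = {"Auth-Type", "Autz-Type", "Acct-Type", "Crypt-Password", "Strip-User-Name"}


def check_items_match(rows, request):
    """Model of how check items fetched from radcheck are applied to a request.

    Assignment operators (:=, =, +=) and server items only populate the config
    list.  Every comparison operator (==, !=, =~, !~) must hold against the
    packet; any one that does not makes the module return notfound, which is
    the "No matching entry in the database" line in the debug output, and then
    no config item (not even Auth-Type) is kept.
    Returns (matched, config_items, failures).
    """
    config, failures = {}, []
    for attr, op, value in rows:
        if op in (":=", "=", "+=") or attr in SERVER_ITEMS:
            config[attr] = value
            continue
        got = request.get(attr)
        if op == "==":
            ok = got == value
        elif op == "!=":
            ok = got != value
        elif op == "=~":
            ok = got is not None and re.search(value, got) is not None
        elif op == "!~":
            ok = got is None or re.search(value, got) is None
        else:
            ok = False  # unknown operator: treat as a failed check
        if not ok:
            failures.append(f"{attr} {op} {value!r}, packet has {got!r}")
    if failures:
        return False, {}, failures
    return True, config, []


def with_password(rows, password):
    """The same rows with the User-Password check value swapped (constructed variant)."""
    return [(a, o, password if a == "User-Password" else v) for a, o, v in rows]


if __name__ == "__main__":
    matched, config, why = check_items_match(RADCHECK_ROWS, REQUEST)
    print("stored hash:", "match" if matched else "notfound", why)
    matched, config, why = check_items_match(with_password(RADCHECK_ROWS, "testpass"), REQUEST)
    print("stored cleartext:", "match" if matched else "notfound", config)
```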


Re: WiFi & Mac address authentication

2006-03-07 Thread Alan DeKok
Guillaume <[EMAIL PROTECTED]> wrote:
> ok, if i understand the manpage of dictionary & rlm_passwd, i have to
> add this line in:
> ##Dictionary file##
> ATTRIBUTE   mac-address   3001   string

  Why?  That attribute won't ever appear in a packet.

  You have to use an attribute that will appear in a packet.

  Other than that, it looks like it should work.

  Alan DeKok.


Re: Re: [Freeradius-Users]modcall[authenticate]: module "unix" returns notfound for request

2006-03-07 Thread Jedliu
Andrew Browning,
Hi!
I much appreciate your answer.

You said "if you want to use mysql, then configure the mysql module".
I've configured the mysql module in radiusd.conf like this:
*authorize {
preprocess
chap
mschap
suffix
sql
}
accounting {
…
sql
…
}*
Are there any additional points?

I add the users into the mysql as:
"insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
insert into radcheck (username,attribute,op,value) values ('jedliu','User-Password',':=','jedliu');
insert into usergroup (username,groupname) values ('jedliu','user');
"
When I authenticate the user,
I find a message like:
"
...
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql) 
Module: Loaded Acct-Unique-Session-Id 
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
...

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "jedliu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 1
radius_xlat:  'jedliu'
rlm_sql (sql): sql_set_user escaped user --> 'jedliu'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'jedliu'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'jedliu' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'jedliu'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'jedliu' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password:  Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf

**
modcall: entering group authenticate for request 1
modcall[authenticate]: module "unix" returns notfound for request 1
modcall: group authenticate returns notfound for request 1
auth: Failed to validate the user.
**
...
"

So that's the problem: I can't authenticate the user.
I appreciate everyone's help.
Thanks.


===* 2006-03-08 Re: [Freeradius-Users]modcall[authenticate]: module "unix" returns notfound for request *===

>the unix module searched for users in /etc/passwd (or whatever file
>you tell it to search). this has nothing to do with mysql. if you want
>to use the unix module, then make sure the user exists in /etc/passwd
>and that freeradius has read ability to that file. if you want to use
>mysql, then configure the mysql module.
>
>On 3/7/06, Jedliu <[EMAIL PROTECTED]> wrote:
>> Hi,
>> All!
>>
>> When I wanna run freeradius with the support of MySQL,
>> I found such mes * modcall[authenticate]: module "unix" returns notfound for 
>> request 12
>> modcall: group authenticate returns notfound for request 12
>> * in "radiusd -X" mode, but the user in USERS file can be authenticated 
>> successfully.
>> I've googled, but not found the solution.
>> And I've searched the mailing list; though there's some troubleshooting 
>> there too, no way to solve it.
>> So pls help!
>>
>> Thx in advance!
>> Regards for everyone.

>> jedliu
>> [EMAIL PROTECTED]
>> 2006-03-06
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>

Jedliu


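The debug output quoted above is the whole evidence in this thread, so here is a small triage script, added as an example and not taken from the original post or from FreeRADIUS itself, that reads `radiusd -X` lines of that shape, groups them per request, and reports which users-file entry fixed Auth-Type and which authenticate module then answered notfound. The sample log is constructed from the lines quoted above, and the regular expressions are assumptions fitted to that 1.x debug format.

```python
import re

# Constructed sample: request-1 lines of the "radiusd -X" output quoted in the thread above.
SAMPLE_LOG = """\
modcall[authorize]: module "preprocess" returns ok for request 1
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password:  Found Auth-Type System
modcall[authenticate]: module "unix" returns notfound for request 1
modcall: group authenticate returns notfound for request 1
auth: Failed to validate the user.
"""

# Patterns assumed from the 1.x debug format shown above (not from the FreeRADIUS source).
MODCALL = re.compile(r'modcall\[([\w-]+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
ENTRY = re.compile(r'users: Matched entry (\S+) at line (\d+)')
AUTH_TYPE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')

def parse_debug(text):
    """Group debug lines by request id: (module, rc) per section, users-file entry, Auth-Type, failure."""
    requests, current, pending_entry = {}, None, None
    for line in text.splitlines():
        if m := MODCALL.search(line):
            section, module, rc, rid = m.groups()
            current = requests.setdefault(rid, {"sections": {}, "entry": None,
                                                "auth_type": None, "failed": False})
            current["sections"].setdefault(section, []).append((module, rc))
            if module == "files" and pending_entry:   # the 'Matched entry' line precedes the files result
                current["entry"], pending_entry = pending_entry, None
        elif m := ENTRY.search(line):
            pending_entry = (m.group(1), int(m.group(2)))
        elif (m := AUTH_TYPE.search(line)) and current:
            current["auth_type"] = m.group(1)
        elif "Failed to validate the user" in line and current:
            current["failed"] = True
    return requests

def diagnose(req):
    """Report the Auth-Type, what set it, and the authenticate modules that answered notfound."""
    notfound = [m for m, rc in req["sections"].get("authenticate", []) if rc == "notfound"]
    result = {"auth_type": req["auth_type"], "set_by": req["entry"], "notfound": notfound}
    if req["failed"] and notfound:
        where = (f"users-file entry {req['entry'][0]} at line {req['entry'][1]}"
                 if req["entry"] else "the authorize section")
        result["summary"] = (f"Auth-Type {req['auth_type']} came from {where}, so authentication was "
                             f"handed to {', '.join(notfound)}, which did not find the user in its own "
                             f"backend; the sql module was never asked to check the password.")
    return result
```

Run over the sample it reports that Auth-Type System came from users-file entry DEFAULT at line 165 and that unix returned notfound, which is exactly the situation the reply above describes.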
Re: special characters in passwords + FR + ldap

2006-03-07 Thread Natalia Escalera
Hello Mr. Turtiainen:

Thank you for your response.

> We have made a small fix to the ldap-module (as seen in the link to the
> mailing list archive). I don't know if this has been fixed in 1.1.0. I
> once had a quick look at the ldap-module of 1.1.0, it should be quite
> easy to test if it still fails.

The password issue is also in FR 1.1.0. I will try the patch suggested on
http://bugs.freeradius.org/show_bug.cgi?id=261 and see if it works for
our implementation.

Thank you,
Natalia.

On 3/7/06, Turtiainen, Tero <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> > -Original Message-
> > Date: Sat, 4 Mar 2006 15:19:32 -0600
> > From: "Natalia Escalera" <[EMAIL PROTECTED]>
> >
> > Hello,
> >
> > What is needed is that Freeradius accepts passwords even if special
> > characters are part of them. This is what is happening:
> >
> >
> > pass$word -> FR -> LDAP -> FR (Answer: wrong password)
> >
> > Any ideas of how to solve it?
>
> This looks very much like the feature we have seen with FR 0.9.3.
> Passwords with a "special character" are truncated, resulting in
> password check failing.
>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045560.html
>
> This may be related to this bug, which is still open (I don't agree
> with the severity=minor :)
> http://bugs.freeradius.org/show_bug.cgi?id=261
>
> We have made a small fix to the ldap-module (as seen in the link to the
> mailing list archive). I don't know if this has been fixed in 1.1.0. I
> once had a quick look at the ldap-module of 1.1.0, it should be quite
> easy to test if it still fails.
> --
> Tero Turtiainen
> Technology Services
> Capgemini
> [EMAIL PROTECTED]
>
> This message contains information that may be privileged or confidential and 
> is the property of the Capgemini Group. It is intended only for the person to 
> whom it is addressed. If you are not the intended recipient,  you are not 
> authorized to read, print, retain, copy, disseminate,  distribute, or use 
> this message or any part thereof. If you receive this  message in error, 
> please notify the sender immediately and delete all  copies of this message.
>


rlm_perl segfault

2006-03-07 Thread Grant Zanetti
I've just tried to get the rlm_perl module working.

I'm running debian 3.1 with perl 5.8.8.  I've tried installing the
prebuilt debian packages as well as from source with "dpkg-buildpackage
-rfakeroot -uc -b"

However after loading the module freeradius segfaults.

Freeradius config:
modules {
    perl ipalloc {
        module = /etc/freeradius/dynip.pl
        func_accounting = accounting
        func_post_auth = post_auth
    }
}

post-auth {
    ipalloc
}

When running freeradius I get

traffic:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/var/log/free