IP address with EAP authentication

2006-03-20 Thread JVUVANT Yahoo






Hi all

I'm using FreeRADIUS to authenticate wifi customers with EAP and DHCP and it works well. But in the accounting log, there is no IP address used by the customer. How can I configure it to also have the IP address in the accounting log?

Thanks for any help.

Jacques







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Optimizing freeradius for very high loads

2006-03-20 Thread Ashwin Gobind
Good day. I have freeradius running on a Dual P4 server with 4GB Ram.  I
am using freeradius to service clients. I require performance of 200tps.

I am having a problem where many clients do not get responses for
authentication messages.  Monitoring my cpu and memory load during busy
periods, my cpu max utilization is  only 10% used, 90%idle.  There is
also enough memory.

How can I optimize freeradius to increase the tps handling capability ?

Thanks
Ashwin Gobind



File ATTRS

2006-03-20 Thread José Berenguer

Hello! In the file attrs I have:
domain.es
   Reply-Message = RADIUS OK

but it doesn't return me the message.

I have also tried with:
domain.es
   Packet-Type =* ANY,
   EAP-Message =* ANY,
   User-Name =* ANY,
   Message-Authenticator =* ANY,
   MS-MPPE-Send-Key =* ANY,
   MS-MPPE-Recv-Key =* ANY,
   State =* ANY,
   Tunnel-Type := VLAN,
   Tunnel-Medium-Type := IEEE-802,
   Tunnel-Private-Group-Id := 88

In both cases it authenticates, but it doesn't return anything.
This way, however, it does work:

DEFAULT
   Packet-Type =* ANY,
   EAP-Message =* ANY,
   User-Name =* ANY,
   Message-Authenticator =* ANY,
   MS-MPPE-Send-Key =* ANY,
   MS-MPPE-Recv-Key =* ANY,
   State =* ANY,
   Tunnel-Type := VLAN,
   Tunnel-Medium-Type := IEEE-802,
   Tunnel-Private-Group-Id := 88

What is the failure?
Thanks!


Re: Optimizing freeradius for very high loads

2006-03-20 Thread Peter Nixon
On Mon 20 Mar 2006 10:57, Ashwin Gobind wrote:
> Good day. I have freeradius running on a Dual P4 server with 4GB Ram.  I
> am using freeradius to service clients. I require performance of 200tps.
>
> I am having a problem where many clients do not get responses for
> authentication messages.  Monitoring my cpu and memory load during busy
> periods, my cpu max utilization is  only 10% used, 90%idle.  There is
> also enough memory.
>
> How can I optimize freeradius to increase the tps handling capability ?

200tps is quite a low load for FreeRADIUS. A single CPU PII should be able to 
handle that and still have enough CPU to play MP3 on the side...

Are you using a slow database backend?

Do you have a high latency network between your NAS and FreeRADIUS?

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Proxy Question (default_fallback)

2006-03-20 Thread christian meutes

Hello list,

I have a proxy configuration in which all auth requests for a specific realm 
are proxied to another RADIUS server. The problem is that if this RADIUS 
server isn't reachable, the server is marked as dead and every further auth 
request is successfully authenticated locally because of a user default 
accept configuration. In proxy.conf I have set default_fallback=no for the 
proxy realm, but this doesn't help.
Does anybody have an idea why this is happening? I don't want the auth 
requests to be tried locally if the real RADIUS server isn't answering.



best regards,

Christian Meutes
systems engineer
--
claranet gmbh   internet service provider
tel   +49 (0) 69  - 40 80 18 - 300
email: [EMAIL PROTECTED]  http://www.claranet.de/



Need help in setting up RADIUS for Server based AAA

2006-03-20 Thread Venu Gopal
Hi All, 

I am new to FreeRADIUS and want to set up
RADIUS on my company network for authentication and
defining privilege level access on the network.
I have gone through several mailing lists and docs on the FreeRADIUS
site. Whenever I issue authorization commands
on the router I get locked out of my NAS. I am
using the users file, where I want simple authentication
for a few users and privilege level access.

Error condition

Rmcrad#show ver
Command authorization failed.



Here is the details .

1. radiusd -x 

 radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.

Locally tested AAA for authentication, authorization
and accounting on the router works fine,
while authentication works for the defined users in
the users file. Checked for /etc/passwd /etc/group
/etc/users in radiusd.conf. I am able to log in to the
NAS; it authenticates the user and password.

Users definition
Arul    Auth-Type := Local, User-Password == "cisco"
        Reply-Message = "Hello, %u",
        cisco-avpair = "shell:priv-lvl=15"

vdhar   Auth-Type := system
        Reply-Message = "Hello, %u",
        cisco-avpair = "shell:priv-lvl=1"

test    Auth-Type := Local, User-Password == "test123"
        Reply-Message = "Hello, %u",
        cisco-avpair = "shell:priv-lvl=15"



Router Configuration 
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none

If i issue any authorization command 
aaa authorization exec local
or
aaa authorization exec default radius

aaa authorization exec default group radius if-authenticated

radius-server host 172.16.85.135 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key secret

line con 0
 exec-timeout 0 0
 login authentication NO_AUTHEN
 transport input none


line vty 0 4
 exec-timeout 0 0
 password cisco
 

I will be locked out of the router and cannot perform
any task. If anyone can help me figure out what's the
problem with authorization, any simple
configuration which works for server-based
authentication would be highly appreciated. If you need
any more information from my side, please let me know
what would help you figure out my problem. Please let me
know if anybody can help me out on live chat on MSN/Yahoo.

Debug logs...

00:56:59: AAA: name=tty68 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=68 channel=0
00:56:59: AAA/MEMORY: create_user (0x81934100) user='' ruser='' port='tty68' rem_addr='172.16.85.100' authen_type=ASCII service=LOGIN priv=1
00:56:59: AAA/AUTHEN/START (169650279): port='tty68' list='' action=LOGIN service=LOGIN
00:56:59: AAA/AUTHEN/START (169650279): using default list
00:56:59: AAA/AUTHEN/START (169650279): Method=radius (radius)
00:56:59: AAA/AUTHEN (169650279): status = GETUSER
00:57:07: AAA/AUTHEN/CONT (169650279): continue_login (user='(undef)')
00:57:07: AAA/AUTHEN (169650279): status = GETUSER
00:57:07: AAA/AUTHEN (169650279): Method=radius (radius)
00:57:07: AAA/AUTHEN (169650279): status = GETPASS
00:57:09: AAA/AUTHEN/CONT (169650279): continue_login (user='cisco')
00:57:09: AAA/AUTHEN (169650279): status = GETPASS
00:57:09: AAA/AUTHEN (169650279): Method=radius (radius)
00:57:29: AAA/AUTHEN (169650279): status = ERROR
00:57:29: AAA/AUTHEN/START (151081203): port='tty68' list='' action=LOGIN service=LOGIN
00:57:29: AAA/AUTHEN/START (151081203): Restart
00:57:29: AAA/AUTHEN/START (151081203): Method=LOCAL
00:57:29: AAA/AUTHEN (151081203): status = GETPASS
00:57:29: AAA/AUTHEN/CONT (151081203): continue_login (user='cisco')
00:57:29: AAA/AUTHEN (151081203): status = GETPASS
00:57:29: AAA/AUTHEN/CONT (151081203): Method=LOCAL
00:57:29: AAA/AUTHEN (151081203): status = PASS
00:57:33: AAA/MEMORY: dup_user (0x81B00350) user='cisco' ruser='' port='tty68' rem_addr='172.16.85.100' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
00:57:33: AAA/AUTHEN/START (3234623993): port='tty68' list='' action=LOGIN service=ENABLE
00:57:33: AAA/AUTHEN/START (3234623993): non-console

Re: IP address with EAP authentication

2006-03-20 Thread Phil Mayers

JVUVANT Yahoo wrote:

> Hi all
>
> I'm using Freeradius to authenticate wifi customer with EAP and DHCP and it
> work well. But on accounting log, the is No IP address used by the customer.
> How can configure have also IP address on accounting log ?


EAP is done before DHCP, so no IP address is assigned.

Some APs can snoop the ARP/DHCP, and have the option to delay the 
initial accounting start, but that's specific to the AP, not a radius 
question. Check your AP docs.


Multiple NAS-Identifier

2006-03-20 Thread DESETech - German P. Santillan
How can I configure multiple NAS-Identifier attributes in my users
file?

Thanks in advance


Germán P. Santillán
Network Administrator
Head of Technical Dept.
DESETech Argentina S.A.
San Martín 133 - CP: B8000FIC
Bahía Blanca - Argentina
Tel/Fax: +54 (291) 456-5642
[EMAIL PROTECTED]
http://www.desetech.com.ar
 





Re: Module not loading

2006-03-20 Thread Tomás A. Rossi

Alan DeKok wrote:

> Treated like what?  Having someone disagree with you, and explain why?

  

No.

[Quote]
Feel free to do the work and submit it back to the project.

 If you're not going to do that, your comments sound suspiciously
like you're asking other people to do work, for free, that you're
unwilling to do.


  Yes, we've been through this discussion before with other people.
You're not the first to run into this.  And the end result of what you
want is an endless series of messages explaining why the server isn't
doing what you think it's doing.

I can't see why. 

Hmm... That's pretty much my point.
[/Quote]

Just to make my point, you seem to answer concerned people from a 
superior stand point with the primitive of not changing anything because 
there's no way you can be wrong. Maybe I misunderstood but a couple of 
your replies were a little offensive to me. They sounded somewhat like 
you were mocking me. Maybe I'm being too sensitive, I don't know.


Please just forget everything and let's start again.

Thanks,
Tom;


Authentication Question

2006-03-20 Thread fvt3
Hi,

I'm pretty new to freeradius and need some help. In
Freeradius, when a request is made, can you use the
supplied userid and password to authenticate off from
LDAP and, if the user does not exist in LDAP, can you force
it to authenticate off from the local database?  If
this is possible, can you direct me to some links that
can further assist me?  Thanks in advance ...



Re: rlm_eap: identity does not match User-Name, setting from EAP identity

2006-03-20 Thread Agent Smith

my bad, I was looking thru the messages here. I
modified radiusd.conf accordingly and now it works
fine.


for those who care, here is the radiusd.conf (related
sections only) 
...

  mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = no
    with_ntdomain_hack = yes

    # the whole ntlm_auth command is a single quoted string on one line
    ntlm_auth = "/usr/local/WPA/etc/scripts/wpa.sh --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
...
  preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints

    with_ascend_hack = no
    ascend_channels_per_line = 23

    with_ntdomain_hack = no

    with_specialix_jetstream_hack = no

    with_cisco_vsa_hack = no
  }
...


--- Alan DeKok [EMAIL PROTECTED] wrote:

> NNTP Newsagent [EMAIL PROTECTED] wrote:
> > I am sorry dude but I don't see it.
>
>   You're kidding, right?  15 seconds of looking at the list archives,
> using that subject line, will get you the message.
>
>   Alan DeKok.
 


Re: Authentication Question

2006-03-20 Thread christian meutes

this is always possible, simply define both backends in your configuration
and it will try both backends.

--On Monday, March 20, 2006 05:42:43 AM -0800 fvt3 [EMAIL PROTECTED] wrote:


> Hi,
>
> I'm pretty new to freeradius and need some help. In
> Freeradius, when a request is made can you used the
> supplied userid and password to authenticate off from
> LDAP and if the user does not exist in LDAP can force
> it to authenticate off from the local database?  If
> this is possible, can you direct me to some links that
> can further assist me.  Thanks in advance ...






Best regards

Christian Meutes
systems engineer
--
claranet gmbh   internet service provider
tel   +49 (0) 69  - 40 80 18 - 300
email: [EMAIL PROTECTED]  http://www.claranet.de/




L2tp and fixed Framed IP Address for ADSL customers

2006-03-20 Thread Adil Bikarbass






Hello All,

I've just set up an L2tp tunnel with my ADSL service provider and would like to have some of my ADSL subscribers get a fixed IP address instead of the dynamically assigned IP Pool

I'm using a Cisco 3845. The ADSL users are connecting just fine over the L2tp tunnel; the issue is that they're getting dynamically assigned addresses from the Cisco IP pool even if a fixed IP is set in the FreeRadius attributes

Do you have any idea how to make these subscribers get the Radius fixed IP instead of the dynamic one?

Thanks In Advance

--
|-Adil Bikarbass
|-IT Manager, MTDS
|-tel +212.3.767.4861
|-fax +212.3.767.4863
|-gsm +212.6.139. 4541
|-14, rue 16 novembre
|-Rabat, Kingdom of Morocco 





Re: rlm_perl question (was Re: General question about authentication/authorization)

2006-03-20 Thread George C. Kaplan
Phil Mayers wrote:

> I am suggesting that in some sense (and obviously, it's only my opinion,
> and as I say it's only doable to an extent with newer FR versions) the
> following is better:
>
> authenticate {
>   Auth-Type PAP {
>     krb5
>   }
> }
>
> That is, that the Auth-Type be set to reflect the algorithm in the
> radius request, and not the backend processing that request.

OK...  This makes sense, as long as all services using PAP need to use
the rlm_krb5 back end.

Now, in my case (perhaps I should have mentioned this before), I have
other services that use PAP, but not Kerberos (just Crypt-Password from
a local database).  So this really is the 1 competing module for a
given Auth-Type:  I'd declare two different PAP Auth-Types, then set
the appropriate one in the authorization module for each service.

IOW, this is pretty much just what I'm doing now, except that the
Auth-Type that invokes rlm_krb5 is explicitly declared in the
authenticate{} section, which is not the case for Kerberos in FR 1.0.5.

-- 
George C. Kaplan                        [EMAIL PROTECTED]
Communication  Network Services         510-643-0496
University of California at Berkeley


Re: Module not loading

2006-03-20 Thread Alan DeKok
"Tomás A. Rossi" [EMAIL PROTECTED] wrote:
> Just to make my point, you seem to answer concerned people from a 
> superior stand point with the primitive of not changing anything because 
> there's no way you can be wrong.

  No.  In the message you quoted, I very clearly said you could make
the changes you wanted, and submit them back.

  The problem is you made it clear you *won't* make those changes.
But you want *us* to make those changes.  And you keep arguing, trying
to convince us to make those changes, rather than doing the work
yourself.

  It's not about being right or wrong.  It's about you asking us to do
work that you are unwilling to do.  The only possible response then is
Well, we're not going to do it, so it's only going to happen if you
do it.  At which point you claim to be offended.

  If asking you to do work is offensive, then there's very little
anyone can do to help you.

  Alan DeKok.


Re: Multiple NAS-Identifier

2006-03-20 Thread Alan DeKok
DESETech - German P. Santillan [EMAIL PROTECTED] wrote:
> How I can configure multiples NAS-Identifier attributes in my users
> file?

  To do what?

  Alan DeKok.


Re: L2tp and fixed Framed IP Address for ADSL customers

2006-03-20 Thread Alan DeKok
Adil Bikarbass [EMAIL PROTECTED] wrote:
> I'm using a Cisco 3845. The ADSL users are connecting just fine over the
> L2tp tunnel the issue is that they're getting dynamically assigned address
> from the Cisco IP pool even if a fixed IP is set on FreeRadius attributes

  Then fix the NAS.  Read the Cisco documentation to see how to
configure it to listen to the response from FreeRADIUS.

  Alan DeKok.


Re: Backend Retry option

2006-03-20 Thread Craig T. Hancock
My specific concern is that in order to do PEAP authentication (which is 
outside FreeRADIUS's control) the ntlm_auth executable looks at the smb.conf
file to tell it where to send passwords, using the smb.conf file 
password server option, which only allows for one server name.


Maybe this is inappropriate and I apologize, but correct me if I'm
wrong: when specifying the backend store in freeradius it only takes
one server backend, not multiple. So even if I were to spread the Radius
load to multiple servers I still only have the option of one server
per backend, so I don't see how that addresses my overall issue?

Any advice is greatly appreciated.


>   Don't.  Load balance it by configuring load balancing in radiusd.conf.
>
>   Alan DeKok.


Re: Backend Retry option

2006-03-20 Thread Alan DeKok
Craig T. Hancock [EMAIL PROTECTED] wrote:
> My specific concern is that in order to do PEAP authentication(which is 
> outside freeradiuses control) the ntlm_auth executable looks at smb.conf
> file to tell it where to send passwords using the smb.conf file 
> password server option which only allows for one server name.

  Ah.  That's a limitation in Samba, not in FreeRADIUS.  FreeRADIUS
*does* support multiple LDAP and/or SQL backends.

> Maybe this is inappropriate and I apologize, but correct me if i'm
> wrong when specifying the backend store in freeradius it only takes
> one server backend not multiple. So even if I were to spread the Radius
> load to multiple servers I still only have the option of one server
> per backend so I don't see how that address my overall issue?

  For ntlm_auth, yes, because the server isn't treating it as a
backend data store.

  I'd love to get a stand-alone module that can authenticate to AD
like Samba does.  That would allow you to do what you want.

  Alan DeKok.


Re: Module not loading

2006-03-20 Thread Tomás A. Rossi

Alan DeKok wrote:

> "Tomás A. Rossi" [EMAIL PROTECTED] wrote:
>> Just to make my point, you seem to answer concerned people from a 
>> superior stand point with the primitive of not changing anything because 
>> there's no way you can be wrong.
>
>   No.  In the message you quoted, I very clearly said you could make
> the changes you wanted, and submit them back.
>
>   The problem is you made it clear you *won't* make those changes.
> But you want *us* to make those changes.  And you keep arguing, trying
> to convince us to make those changes, rather than doing the work
> yourself.
  


I keep arguing, not to convince you so you make those changes, just to 
convince you that my concerns are valid. Then if I convince you I would 
contribute doing it myself. If what you're saying is true PLEASE point 
me where in my messages did I mention I wanted you to do the changes.



>   It's not about being right or wrong.  It's about you asking us to do
> work that you are unwilling to do.  The only possible response then is
> Well, we're not going to do it, so it's only going to happen if you
> do it.  At which point you claim to be offended.
  


I'm not unwilling to do anything! And your response isn't that one, your 
response is something like no, your suggestions makes no sense to us, 
we think adding that message isn't the right choice, so forget about 
it. Of course, then it would be futile to submit local changes 
concerned to this 'cos you do not agree with them. For me, now that I 
know the quiet behavior of the server in this aspect, it's not important 
to have that enhance anymore, but for other beginners that would be 
nice. Saying that I'm unwilling to contribute and that I'm trying to 
take advantage of your time (terribly bad judging my intentions) *is* 
indeed offensive, don't you think so?!



>   If asking you to do work is offensive, then there's very little
> anyone can do to help you.
  


No. You say that if I don't like docs then I have to improve them and 
submit them. I reply to that saying I would gladly help if I had the 
wisdom required for that, don't you read anything I write? You could 
simply admit, you are right, the docs aren't the best they could be, if 
you can help I'll gladly accept your contributions. I *never* make 
clear (as you say) that I won't make contributions to the docs. Maybe if 
I could get sufficient insight of FreeRADIUS in the future (that only 
can become true with time), I could help.


Asking me to do work isn't offensive at all, your bad-ass attitude is 
offensive.
Why should I submit changes if all my suggestions has been shot down and 
you never admitted neither of my concerns?


Please don't wanna argue anymore with you, there's very little I can do 
to help you.


Tomás A. Rossi


Re: Module not loading

2006-03-20 Thread Alan DeKok
"Tomás A. Rossi" [EMAIL PROTECTED] wrote:
> Why should I submit changes if all my suggestions has been shot down and 
> you never admitted neither of my concerns?

  I'm sorry that you feel your suggestions were shot down when I
gave reasons for not doing what you want.

  This may be news, but not everyone's contributions to the project
are accepted.

  Alan DeKok.


Exec program debugging.

2006-03-20 Thread Eliot, Wireless and Server Administrator, Great Lakes Internet

I am trying to execute a program in the post-proxy section on
Access-Accept packets to bring up bandwidth management for a user when
they log in:

(radiusd.conf)

  exec bwup {
    wait = no;
    program = "/etc/raddb/bwlimit start %{User-Name} %{Calling-Station-Id} %{Tunnel-Private-Group-Id:0} %{NAS-Port} %{GLI-Rx-Data-Rate} %{GLI-Tx-Data-Rate}"
    input_pairs = reply
    packet_type = Access-Accept
    output = none
  }

post-proxy {
#   post_proxy_log
#   attr_rewrite
#   attr_filter
    exec
    eap
}

However, the exec call keeps failing when called from inside radiusd -X:


Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.6.99:1645, id=3, length=128
User-Name = 
Framed-MTU = 1400
Called-Station-Id = 00-13-19-36-C4-52
Calling-Station-Id = 00-13-D3-67-D7-05
Service-Type = Login-User
Message-Authenticator = 0x43483d78f3b3f25bcb7657f1522050ef
EAP-Message = 0x0202000501
NAS-Port-Type = Wireless-802.11
NAS-Port = 262
NAS-IP-Address = xxx.xxx.6.99
NAS-Identifier = -Ch11
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = , looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = 
rlm_realm: Proxying request from user  to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: Request is supposed to be proxied to Realm NULL.  Not doing EAP.
  modcall[authorize]: module eap returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to xxx.xxx.178.13:1645
User-Name = 
Framed-MTU = 1400
Called-Station-Id = 00-13-19-36-C4-52
Calling-Station-Id = 00-13-D3-67-D7-05
Service-Type = Login-User
Message-Authenticator = 0x
EAP-Message = 0x0202000501
NAS-Port-Type = Wireless-802.11
NAS-Port = 262
NAS-IP-Address = xxx.xxx.6.99
NAS-Identifier = -Ch11
Proxy-State = 0x33
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Challenge packet from host xxx.xxx.178.13:1645, id=0, length=80
Proxy-State = 0x33
Session-Timeout = 30
EAP-Message = 0x010300061920
State = 0x1cc3035501370001d819b40600034b872b6f01
Message-Authenticator = 0x2153f90d4c19a27ae054f7f297611c86
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
rlm_exec (exec): We require a program to execute
  modcall[post-proxy]: module exec returns fail for request 0
modcall: group post-proxy returns fail for request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 31 seconds...


But, if I take the values from a valid Access-Accept packet for the
attributes listed above, the file executes correctly with no errors:

wireless-r1 raddb # su - radiusd
[EMAIL PROTECTED] ~ $ /etc/raddb/bwlimit start egable 00:a0:12:34:56:78 3 7 1024 512
[EMAIL PROTECTED] ~ $ /etc/raddb/bwlimit stop egable
[EMAIL PROTECTED] ~ $ exit
logout
wireless-r1 raddb #

All of my rules get added correctly when issuing a start command and
they get removed correctly when issuing the stop command, but only if I
issue the commands from the command line. 

If I add more Xs to the -X, it still doesn't tell me why it is failing
(what the specific error message is):

Mon Mar 20 13:32:45 2006 : Debug:   Processing the post-proxy section of radiusd.conf
Mon Mar 20 13:32:45 2006 : Debug: modcall: entering group post-proxy for request 0
Mon Mar 20 13:32:45 2006 : Debug:   modsingle[post-proxy]: calling exec (rlm_exec) for request 0
Mon Mar 20 13:32:45 2006 : Error: rlm_exec (exec): We require a program to execute
Mon Mar 20 13:32:45 2006 : Debug:   modsingle[post-proxy]: returned from exec (rlm_exec) for request 0
Mon Mar 20 13:32:45 2006 : Debug:   modcall[post-proxy]: module exec returns fail for request 0
Mon Mar 20 13:32:45 2006 : Debug: modcall: group post-proxy returns fail for request 0
Mon Mar 20 13:32:45 2006 : Debug: Going to the next request
Mon Mar 20 13:32:45 2006 : Debug: rl_next:  returning NULL
Mon Mar 20 13:32:45 2006 : Debug: Waking up in 6 seconds...


I am assuming I just have the configuration for this set up wrong or
something. Obviously, the Access-Accept packet is not yet coming back
because the first Access-Challenge hasn't even been passed on to the AP
yet. So, I'm not sure why the post-proxy section even wants to fire the
program at this point in the authentication process. Does anyone know
what I did wrong?

Thanks.


 
Eliot Gable
Certified Wireless 

Re: Exec program debugging.

2006-03-20 Thread Alan DeKok
Eliot, Wireless and Server Administrator,
Great Lakes Internet [EMAIL PROTECTED] wrote:
> I am trying to execute a program in the post-proxy section on
> Access-Accept packets to bring up bandwidth management for a user when
> they log in:
>
> (radiusd.conf)
>
>   exec bwup {
> ...
> post-proxy {
> ...
>   exec

  List bwup, not exec.

  Alan DeKok.
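
The mismatch pointed out in this reply, turned into a check that can be run over a configuration (an added example, not code from the thread or from the FreeRADIUS project). It resolves each name listed in a processing section to its module instance and reports an exec instance that has no program, which is the condition behind "rlm_exec (exec): We require a program to execute". The parser covers only a simplified subset of radiusd.conf syntax; the sample configuration, the shortened program line and all function names are constructed for illustration.

```python
# Added example: lint a simplified radiusd.conf for exec hooks that cannot run.
SECTIONS = {"authorize", "authenticate", "preacct", "accounting",
            "session", "post-auth", "pre-proxy", "post-proxy"}

# Constructed sample modelled on the thread; @HOOK@ is the name listed in post-proxy.
SAMPLE = """
modules {
    exec {                      # default instance: no program configured
        wait = yes
        input_pairs = request
    }
    exec bwup {                 # named instance carrying the hook
        wait = no
        program = "/etc/raddb/bwlimit start %{User-Name} %{Calling-Station-Id}"
        input_pairs = reply
        packet_type = Access-Accept
        output = none
    }
    eap {
    }
}
post-proxy {
    @HOOK@
    eap
}
"""


def sample(hook):
    """Return the constructed configuration with `hook` listed in post-proxy."""
    return SAMPLE.replace("@HOOK@", hook)


def parse(text):
    """Parse 'name [instance] {', 'key = value', bare words and '}' into a tree."""
    root = {"head": [], "pairs": {}, "words": [], "blocks": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # simplified: '#' always starts a comment
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{") and "=" not in line:
            node = {"head": line[:-1].split(), "pairs": {}, "words": [], "blocks": []}
            stack[-1]["blocks"].append(node)
            stack.append(node)
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1]["pairs"][key.strip()] = value.strip().strip('"')
        else:
            stack[-1]["words"].append(line)      # a module instance listed in a section
    return root


def instances(root):
    """Map instance name -> (module, settings). 'exec bwup {' defines instance
    'bwup' of module 'exec'; a bare 'exec {' defines instance 'exec'."""
    found = {}
    for block in root["blocks"]:
        if block["head"] == ["modules"]:
            for mod in block["blocks"]:
                module = mod["head"][0]
                name = mod["head"][1] if len(mod["head"]) > 1 else module
                found[name] = (module, mod["pairs"])
    return found


def references(node):
    """Names listed in a section, including nested groups such as Auth-Type."""
    names = list(node["words"])
    for child in node["blocks"]:
        names += references(child)
    return names


def lint(text):
    """Return (section, instance, problem) tuples for exec hooks that cannot run."""
    root = parse(text)
    inst = instances(root)
    findings, used = [], set()
    for block in root["blocks"]:
        section = block["head"][0]
        if section not in SECTIONS:
            continue
        for name in references(block):
            used.add(name)
            # Names not defined in this text (e.g. included files) are skipped.
            module, pairs = inst.get(name, (None, {}))
            if module == "exec" and not pairs.get("program"):
                findings.append((section, name, "exec instance has no program"))
    for name, (module, pairs) in inst.items():
        if module == "exec" and pairs.get("program") and name not in used:
            findings.append((None, name, "exec instance with a program is never listed"))
    return findings


if __name__ == "__main__":
    for hook in ("exec", "bwup"):
        print(hook, "->", lint(sample(hook)))
```
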


Re: Module not loading

2006-03-20 Thread Tomás A. Rossi

Alan DeKok wrote:

> "Tomás A. Rossi" [EMAIL PROTECTED] wrote:
>> Why should I submit changes if all my suggestions has been shot down and 
>> you never admitted neither of my concerns?
>
>   I'm sorry that you feel your suggestions were shot down when I
> gave reasons for not doing what you want.
>
>   This may be news, but not everyone's contributions to the project
> are accepted.

  


Do not be sorry. You're a bipolar guy, submit instead of complain!!, no 
no, wait, not everyone's contributions to the project are accepted 
(specially from guys that we hate) so keep complaining, either way we'll 
do nothing because we make it for free, so better, please don't complain 
either!.


Tomás A. Rossi


Re: Module not loading

2006-03-20 Thread A . L . M . Buxey
hi,

I don't want debug output that lists every module not loaded. That
sort of thing should be left to a tool such as 'radiuscheck' or
somesuch. THAT tool is ideal for printing out 'module blahblah
instantiated but never used!' types of messages.  There's my 0.01 euros

alan


Freeradius Failed messages to MySQL -Unsupported Acct-Status-Type

2006-03-20 Thread Alan
I just can't get failed messages with Acct Status Type of 15 placed in a
MySQL database. The rlm_sql driver outputs an error message referring to an
unsupported status type, but I would like to know if it is possible to write
this information into the database. FreeRadius currently writes to a flat
file. Please help.

~Alan



--

Error message from FreeRadius debug: 

rlm_sql (sql): Unsupported Acct-Status-Type = 15


The account type is specified in the RFC and dictionary.ser as failed:

## Acct-Status-Type Values ###
VALUE Acct-Status-Type Start 1 # RFC2866, acc
VALUE Acct-Status-Type Stop  2 # RFC2866, acc
VALUE Acct-Status-Type Failed   15 # RFC2866, acc


Missed call log from debug output for response code 603 (Decline) and 486
(Busy) which I would like this information written to the database.


Acct-Status-Type = Failed
Service-Type = Sip-Session
Sip-Response-Code = 603
Sip-Method = 1
User-Name = [EMAIL PROTECTED]
Calling-Station-Id = sip:[EMAIL PROTECTED]
Called-Station-Id = sip:[EMAIL PROTECTED]
Sip-Translated-Request-URI = sip:[EMAIL PROTECTED]:5060
Acct-Session-Id = [EMAIL PROTECTED]
Sip-To-Tag = 4c4efb52
Sip-From-Tag = ae6a1764
Sip-Cseq = 1
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 127.0.0.1

Acct-Status-Type = Failed
Service-Type = Sip-Session
Sip-Response-Code = 486
Sip-Method = 1
User-Name = [EMAIL PROTECTED]
Calling-Station-Id = sip:[EMAIL PROTECTED]
Called-Station-Id = sip:[EMAIL PROTECTED]
Sip-Translated-Request-URI = sip:[EMAIL PROTECTED]:5060
Acct-Session-Id = [EMAIL PROTECTED]
Sip-To-Tag = 1e237c68
Sip-From-Tag = 0678bd37
Sip-Cseq = 1
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 127.0.0.1


Accounting query in sql.conf:


accounting_failed_query = \
  INSERT INTO ${acct_table1} \
(RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, AcctStartTime, AcctStopTime, AcctSessionTime, \
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, \
FramedIPAddress, AcctStartDelay, AcctStopDelay, SipResponseCode, SipMethod, SipTranslatedRequestURI, SipToTag, SipFromTag, \
SipRPIDHeader, SourceIP, SourcePort, CanonicalURI) \
  VALUES \
(NULL, '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', SUBSTRING_INDEX('%{SQL-User-Name}', '@',-1), \
'%{NAS-IP-Address}', '%{NAS-Port}', '%S', '%S', '0', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
'%{Sip-Response-Code}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', \
'%{Sip-Response-Code}', '%{Sip-Method}', '%{Sip-Translated-Request-URI}', MD5(RAND()), '%{Sip-From-Tag}', '%{Sip-RPId}', \
'%{Source-IP}', '%{Source-Port}', '%{Canonical-URI}')







Re: Proxy Question (default_fallback)

2006-03-20 Thread christian . meutes
I figured out what it was. The situation only arises if the nas-ip address
value is set to localhost (tested with radtest) in the auth-request. In
every other request with real nas-ip values the problem doesn't appear.
Maybe it's interesting to know why and somebody got an idea?

> Hello list,
>
> I got a proxy configuration in which all auth requests for a specific
> realm are proxied to another radius server. The problem is that if this
> radius server isn't reachable the server is marked as dead and every
> further auth request is successfully authenticated locally because of a
> user default accept configuration. In proxy.conf I have set for the proxy
> realm a default_fallback=no, but this doesn't help. Anybody with an idea why
> this is happening? I don't want that the auth requests are tried locally if
> the real radius server isn't answering.
>
> best regards,
>
> Christian Meutes
> systems engineer --
> claranet gmbh   internet service provider tel   +49 (0) 69  - 40 80 18 - 300
> email: [EMAIL PROTECTED]  http://www.claranet.de/




Re: Module not loading

2006-03-20 Thread Dennis Skinner
Tomás A. Rossi wrote:
> Do not be sorry. You're a bipolar guy, submit instead of complain!!, no
> no, wait, not everyone's contributions to the project are accepted
> (specially from guys that we hate) so keep complaining, either way we'll
> do nothing because we make it for free, so better, please don't complain
> either!.

Your comments surely shattered Alan's fragile ego and catapulted your
side into the lead.  We all agree with you now

Ad hominem.  The last refuge of a weak argument.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Freeradius Failed messages to MySQL -Unsupported Acct-Status-Type

2006-03-20 Thread Alan DeKok
Alan [EMAIL PROTECTED] wrote:
> I just can't get failed messages with Acct Status Type of 15 placed in a
> MySQL database. The rlm_sql driver outputs an error message referring to an
> unsupported status type, but I would like to know if it is possible to write
> this information into the database. FreeRadius currently writes to a flat
> file. Please help.

  The rlm_sql module currently supports only a few status types for
queries.  Adding more queries to the configuration file won't help,
because the source code won't look for them.

  You'll have to edit the source code to support new queries.

  Alan DeKok.



Re: Freeradius Failed messages to MySQL -Unsupported Acct-Status-Type

2006-03-20 Thread Laker Netman
Are there any fundamental problems with modifying
rlm_sql to allow an arbitrary number (and potentially
source) of additional queries in relation to how it
interacts with the core FR server?  What I'm saying
is, are there any known issues or caveats preventing
this functionality from being added or is it just
resources and project priorities?

Thanks,

Laker



Re: Freeradius Failed messages to MySQL -Unsupported Acct-Status-Type

2006-03-20 Thread Alan DeKok
Laker Netman [EMAIL PROTECTED] wrote:
> Are there any fundamental problems with modifying
> rlm_sql to allow an arbitrary number (and potentially
> source) of additional queries in relation to how it
> interacts with the core FR server?

  No, because those queries don't interact with the server core.

> What I'm saying
> is, are there any known issues or caveats preventing
> this functionality from being added or is it just
> resources and project priorities?

  Just time.

  See rlm_sql_log in the CVS snapshots.  The method it uses for
picking queries is simpler and more extensible than what's in rlm_sql.
It was also written years after rlm_sql, and we've learned a bit
since then.

  Alan DeKok.
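
Until the module itself handles the extra status type, the Failed records that already land in the flat file can be loaded into SQL out of band. This is an added example, not FreeRADIUS or rlm_sql code: the record layout is assumed to match the debug output in the first post, the table `failed_calls` and every sample value are constructed, and SQLite stands in for MySQL. Values are bound as parameters, so SIP fields chosen by the remote party cannot alter the statement.

```python
import sqlite3

# Constructed records in the "Attribute = value" layout shown in the post.
# Every address is a placeholder; the apostrophe is there on purpose.
SAMPLE_RECORDS = """\
Acct-Status-Type = Failed
Service-Type = Sip-Session
Sip-Response-Code = 603
User-Name = alice@example.test
Calling-Station-Id = sip:alice@example.test
Called-Station-Id = sip:o'brien@example.test
Acct-Session-Id = call-0001@example.test
NAS-IP-Address = 127.0.0.1

Acct-Status-Type = Start
Service-Type = Sip-Session
User-Name = bob@example.test
Acct-Session-Id = call-0002@example.test

Acct-Status-Type = Failed
Service-Type = Sip-Session
Sip-Response-Code = 486
User-Name = carol@example.test
Calling-Station-Id = sip:carol@example.test
Called-Station-Id = sip:dave@example.test
Acct-Session-Id = call-0003@example.test
NAS-IP-Address = 127.0.0.1
"""

# Table column -> RADIUS attribute (a subset of the columns in the posted query).
COLUMNS = (
    ("AcctSessionId", "Acct-Session-Id"),
    ("UserName", "User-Name"),
    ("NASIPAddress", "NAS-IP-Address"),
    ("CallingStationId", "Calling-Station-Id"),
    ("CalledStationId", "Called-Station-Id"),
    ("SipResponseCode", "Sip-Response-Code"),
)


def parse_records(text):
    """Split blank-line separated blocks into {attribute: value} dicts."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(" = ")
        if sep:  # ignore anything that is not an attribute line
            current[name] = value.strip('"')
    if current:
        records.append(current)
    return records


def open_db():
    """In-memory stand-in for the MySQL accounting database."""
    con = sqlite3.connect(":memory:")
    cols = ", ".join("%s TEXT" % column for column, _ in COLUMNS)
    con.execute(
        "CREATE TABLE failed_calls (%s, UNIQUE (AcctSessionId, SipResponseCode))" % cols
    )
    return con


def load_failed(con, records):
    """Insert only Acct-Status-Type = Failed records; return rows added."""
    names = ", ".join(column for column, _ in COLUMNS)
    marks = ", ".join("?" for _ in COLUMNS)
    # Column names come from the fixed COLUMNS table; values are bound.
    sql = "INSERT OR IGNORE INTO failed_calls (%s) VALUES (%s)" % (names, marks)
    before = con.total_changes
    for record in records:
        if record.get("Acct-Status-Type") != "Failed":
            continue
        if "Acct-Session-Id" not in record:
            continue  # nothing to key the row on
        con.execute(sql, tuple(record.get(attr) for _, attr in COLUMNS))
    return con.total_changes - before


if __name__ == "__main__":
    db = open_db()
    print("rows added:", load_failed(db, parse_records(SAMPLE_RECORDS)))
```

Running the loader twice over the same file adds nothing the second time, because the UNIQUE key makes the insert idempotent.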


Version 1.1.1 has been released

2006-03-20 Thread Alan DeKok
  Version 1.1.1 has just been released.

  http://www.freeradius.org/security.html

  Upgrade now, or disable EAP-MSCHAPv2.  That's a bad bug.


  ChangeLog:
Security fixes
* Additional state checking in the EAP-MSCHAPv2 module.
  Bug found by Steffen Schuster.

Feature improvements
* More dictionary updates
* Additional tests and fixes for Digest module from Phillipe Sultan.
* Add new phone response mode to rlm_otp/cryptocard.
* Put the eap sessions into a tree, so that looking them up is very
  fast, and no longer O(n) in the number of sessions.
* Install the schema examples for a set of backends with the rest
  of the documentation.
* Add support for xlat expansion of attributes from LDAP.

Bug fixes
* Fix rlm_perl crash. (closes: #348)
* Fix handling of CoA-Request packets (close #344).  Also correct
  name of CoA packets.
* Fix an error on x86_64 machines when reading dictionaries.
  (closes: #312)
* Fix compilation errors on FreeBSD and NetBSD because of rlm_otp
  module. (closes: #314 #328)
* Workaround Cisco bug in State attribute handling in rlm_otp.
* Support LP64 for async mode in rlm_otp.
* Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls
  modules. (closes: #75)
* Make use_tunneled_reply work properly for PEAP.
* Copy the whole string when getting a one-to-one-mapped attribute
  from LDAP (closes: #261)
* Fix net-snmp's ucd-snmp compatibility mode.


sql.conf

2006-03-20 Thread Atkins, Dwane P

Why is it that when I run a radiusd -X, I always come back with
errors on saying that it cannot connect to the mysql server:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'localhost' (using password: YES)'
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.

I have put this in my sql.conf like so:

# Connect info
server = localhost
login = radius
password = x

# Database table configuration
radius_db = radius

What am I doing wrong? I have followed a number of whitepapers to
install this and most of them say the same thing.

I downloaded freeradius and mysql-server using the 'yum install'
option. Now, when I do a ./configure on freeradius, do I need to do it with a
-with-mysql option?

Should I try this on something other than FC4? I am opened to options.

Thanks

Dwane

RE: Authentication problem if CHAP is not used

2006-03-20 Thread Alex M
Hi,
I found the solution for my problem, but... I want to know what and why
that's going on?

When I add Auth-Type := Local to the usernames then they are working OK
without CHAP. Why do I need to have that for non Chap methods? And is there
anything else I should know about this?


Thanks!











-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, March 16, 2006 1:58 AM
To: FreeRadius users mailing list
Subject: Re: Authentication problem if CHAP is not used 

Alex M [EMAIL PROTECTED] wrote:
> Ok, I here is full debug info...
...
> [EMAIL PROTECTED] root]# radiusd -x

  Uh, no.  Try reading the FAQ, README, INSTALL, and half of the
messages to this list.

  Alan DeKok.



Re: sql.conf

2006-03-20 Thread Laker Netman
There is definitely a password problem.  But it may be
due to *where* you're logging in from, rather than the
password.  Are FR and MySQL on the same box?

Have you double checked with the mysql client that you
can log in to the database (on the machine where mysql
is installed)?  From a command prompt just type mysql
-p, enter the password.  If there is no error,
something else more serious is amiss or you do not
have [EMAIL PROTECTED] configured in the DB where zz is
the host where mysql is installed.

Laker




Re: sql.conf

2006-03-20 Thread Joel Eddy

If it's a new install check that your iptables aren't blocking your access also




MySQL and Gigawords help

2006-03-20 Thread Daniel
Hi

I have been trying to get an accounting_update_query / accounting_stop_query
that will work with MySQL and record over the 4gig for data transfers. Can
anyone help?

We are needing to record AcctInputOctets and AcctOutputOctets over the 4
gig amount, therefore we need to take the Acct-Input-Gigawords and
Acct-Output-Gigawords into account. We are receiving them from our
suppliers. We need this because these days we are seeing very long session
times for ADSL links and high speed. We can record up to the 4gig mark.

I have tried:

AcctInputOctets = '%{Acct-Input-Octets}+(%{Acct-Input-Gigawords}*4294967296)'

Doesn't seem to work. Any pointing in the right direction would be greatly
appreciated.

Freeradius 1.1.0
MySQL 4.0.26

Regards
Daniel
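
The assignment quoted above wraps the whole sum in one string literal, so the database is handed text rather than arithmetic. This is an added example, not from the post or from FreeRADIUS: SQLite's CAST is used as a stand-in for MySQL's non-strict string-to-number conversion, and the rewritten template, the `:-0` defaults and the helper names are assumptions. It also covers a NAS that sends no Gigawords attribute at all.

```python
import re
import sqlite3

# Constructed accounting values: the 32-bit octet counter has wrapped twice.
WRAPPED = {"Acct-Input-Octets": "123", "Acct-Input-Gigawords": "2"}
# Constructed packet from a NAS that sends no Gigawords attribute.
NO_GIGAWORDS = {"Acct-Input-Octets": "123"}

# The value as written in the post: one string literal around everything.
QUOTED = "'%{Acct-Input-Octets}+(%{Acct-Input-Gigawords}*4294967296)'"
# Simply dropping the quotes is not enough when an attribute is missing.
UNQUOTED = "%{Acct-Input-Octets}+(%{Acct-Input-Gigawords}*4294967296)"
# Assumed rewrite: each expansion quoted on its own, the arithmetic outside the
# quotes, and a :-0 default so a missing attribute cannot leave "(*4294967296)".
# The target column is assumed to be wide enough (BIGINT) for the result.
ARITHMETIC = "'%{Acct-Input-Octets:-0}' + ('%{Acct-Input-Gigawords:-0}' * 4294967296)"

_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}")


def expand(template, attrs):
    """Tiny model of %{Attr} and %{Attr:-default} expansion, counters only."""
    def substitute(match):
        value = attrs.get(match.group(1)) or match.group(2) or ""
        if value and not value.isdigit():
            raise ValueError("counter attributes must be decimal digits")
        return value
    return _XLAT.sub(substitute, template)


def column_value(sql_expression):
    """What an integer column keeps when it is assigned the expression.

    CAST(text AS INTEGER) keeps the leading digits and drops the rest, which
    models how a non-strict MySQL stores a string in a numeric column.
    """
    con = sqlite3.connect(":memory:")
    try:
        query = "SELECT CAST((" + sql_expression + ") AS INTEGER)"
        return con.execute(query).fetchone()[0]
    finally:
        con.close()


def true_octets(attrs):
    """64-bit total: Gigawords counts wraps of the 32-bit Octets counter."""
    gigawords = int(attrs.get("Acct-Input-Gigawords", "0"))
    return (gigawords << 32) + int(attrs["Acct-Input-Octets"])


if __name__ == "__main__":
    for label, template in (("quoted", QUOTED), ("arithmetic", ARITHMETIC)):
        sql = expand(template, WRAPPED)
        print("%-10s %-45s -> %d" % (label, sql, column_value(sql)))
    print("expected   %d" % true_octets(WRAPPED))
```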








Associating username to a specific NAS only

2006-03-20 Thread Alex M








Is it possible to set directives for some users so that they
only can login to the specific NAS (by the NAS Called Station Id [NAS MAC Address])?

Thanks!







Duplicate Accounting Start Packets

2006-03-20 Thread Gunther
Due to some network problems today, my FreeRadius 1.1.0 server and NAS
(wrt54g+Chilli) had 
problems with duplicate accounting packets. The NAS sent a Start packet, the
reply from the radius server did not reach and the NAS sent it again.
I got up to 3 identical rows in the radacct table.

To avoid this I changed the 'AcctUniqueId' column to UNIQUE and it seems to
work fine.

I just get an error message in my debug log and instead of an INSERT an
UPDATE is done.

Tue Mar 21 04:36:46 2006 : Debug: rlm_sql_mysql: query:  INSERT into
Tue Mar 21 04:36:46 2006 : Debug: rlm_sql_mysql: MYSQL check_error: 1062 received
Tue Mar 21 04:36:46 2006 : Error: rlm_sql (sql): Couldn't insert SQL accounting START record - Duplicate entry 'af40ee210a7c0400' for key 2
Tue Mar 21 04:36:46 2006 : Debug: radius_xlat:  'UPDATE ...

That is exactly what I need.

If the Start packet is able to write 3 identical rows, all Interim-Updates
are written
to the 3 rows. That means my prepaid cards are running off the time three
times faster.

I also tried ... INSERT (.) ON DUPLICATE KEY UPDATE , but it seems
not to be necessary.

Are there any implications setting the 'AcctUniqueId' column to UNIQUE?


Gunther
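
The effect described above, replayed as an added example (not from the post or from FreeRADIUS): three retransmitted Start packets followed by one Interim-Update, with and without the UNIQUE index on AcctUniqueId. SQLite stands in for MySQL, the table is cut down to the columns that matter, and the user name and timestamps are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    RadAcctId       INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctUniqueId    TEXT NOT NULL,
    UserName        TEXT NOT NULL,
    AcctStartTime   TEXT NOT NULL,
    AcctSessionTime INTEGER NOT NULL DEFAULT 0
)
"""

UNIQUE_ID = "af40ee210a7c0400"   # the value that appears in the post's log
USER = "card-0001"               # constructed prepaid account name


def open_radacct(unique_index):
    """Create the cut-down table, optionally with the UNIQUE index."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    if unique_index:
        con.execute("CREATE UNIQUE INDEX radacct_uniqueid ON radacct (AcctUniqueId)")
    return con


def handle_start(con, unique_id, user, start_time):
    """Try the INSERT first; on a duplicate key fall back to an UPDATE."""
    try:
        con.execute(
            "INSERT INTO radacct (AcctUniqueId, UserName, AcctStartTime) VALUES (?, ?, ?)",
            (unique_id, user, start_time),
        )
        return "INSERT"
    except sqlite3.IntegrityError:
        # Same role as the UPDATE seen in the debug log after error 1062.
        con.execute(
            "UPDATE radacct SET AcctStartTime = ? WHERE AcctUniqueId = ?",
            (start_time, unique_id),
        )
        return "UPDATE"


def handle_interim(con, unique_id, session_time):
    """Apply an Interim-Update; return how many rows it touched."""
    cur = con.execute(
        "UPDATE radacct SET AcctSessionTime = ? WHERE AcctUniqueId = ?",
        (session_time, unique_id),
    )
    return cur.rowcount


def billed_seconds(con, user):
    """Time charged to the account: the sum over all of its rows."""
    row = con.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
        (user,),
    ).fetchone()
    return row[0]


def replay(unique_index):
    """Three identical Start packets, then one Interim-Update at 600 seconds."""
    con = open_radacct(unique_index)
    try:
        actions = [
            handle_start(con, UNIQUE_ID, USER, "2006-03-21 04:36:46")
            for _ in range(3)
        ]
        touched = handle_interim(con, UNIQUE_ID, 600)
        return actions, touched, billed_seconds(con, USER)
    finally:
        con.close()


if __name__ == "__main__":
    print("no index:    ", replay(False))
    print("UNIQUE index:", replay(True))
```

The constraint also means that two distinct sessions which ever produce the same AcctUniqueId are folded into one row, so the key is only as good as the attributes the ID is derived from.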






Avoiding ldapsearch on LDAP authentication

2006-03-20 Thread MAEDA
Hello,

I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4
box and try to configure radiusd so that ldap_search is not performed
on authentication (i.e.  just use ldap_bind for authentication).  But
so far, I've got no success.  Radiusd seems to perform search anyway.

I've read the document doc/rlm_ldap and followed the instruction, but
I couldn't get it working (I must be missing something).

I configured radiusd as follows:

In users:

 DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`,
  Auth-Type = LDAP

In radiusd.conf:
 modules {
     ldap {
         server = localhost
         ldap_debug = 0x
         # identity = cn=admin,o=My Org,c=UA
         # password = mypass
         basedn = ou=people,dc=atusi,dc=org
         # filter = (uid=%{Stripped-User-Name:-%{User-Name}})
         # base_filter = (objectclass=radiusprofile)

         start_tls = no

         access_attr = dialupAccess

         ldap_connections_number = 5
         timeout = 4
         timelimit = 3
         net_timeout = 1
     }
     ...
 }

 authorize {
     preprocess
     chap
     mschap
     suffix
     eap
     files
 }

 authenticate {
     Auth-Type PAP {
         pap
     }
     Auth-Type CHAP {
         chap
     }
     Auth-Type MS-CHAP {
         mschap
     }
     Auth-Type LDAP {
         ldap
     }
     eap
 }

 # All other parts are left as default.

When I test my setup with:
 (echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') |
  radclient -c 1 127.0.0.1 auth  testing123
radiusd (run with -X option) says:

 rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183,
 length=43
 User-Name = mytestuser
 User-Password = mypassword
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = mytestuser, looking up realm
 NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 0
 users: Matched entry DEFAULT at line 214
   modcall[authorize]: module files returns ok for request 0
 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 0
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by mytestuser with password mypassword
 radius_xlat:  '(uid=mytestuser)'
 radius_xlat:  'ou=people,dc=atusi,dc=org'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to localhost:389, authentication 0
 rlm_ldap: bind as / to localhost:389
 ldap_bind
 ldap_simple_bind
 ldap_sasl_bind
 ldap_send_initial_request
 ldap_new_connection
 ldap_int_open_connection
 ldap_connect_to_host: TCP localhost:389
 ldap_new_socket: 6
 ldap_prepare_socket: 6
 ldap_connect_to_host: Trying 127.0.0.1:389
 ldap_connect_timeout: fd: 6 tm: 1 async: 0
 ldap_ndelay_on: 6
 ldap_is_sock_ready: 6
 ldap_ndelay_off: 6
 ldap_open_defconn: successful
 ldap_send_server_request
 rlm_ldap: waiting for bind result ...
 ldap_result msgid 1
 ldap_chkResponseList for msgid=1, all=1
 ldap_chkResponseList returns NULL
 wait4msg (timeout 4 sec, 0 usec), msgid 1
 wait4msg continue, msgid 1, all 1
 ** Connections:
 * host: localhost  port: 389  (default)
   refcnt: 2  status: Connected
   last used: Tue Mar 21 13:31:12 2006

 ** Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
 ** Response Queue:
Empty
 ldap_chkResponseList for msgid=1, all=1
 ldap_chkResponseList returns NULL
 ldap_int_select
 read1msg: msgid 1, all 1
 ldap_read: message type bind msgid 1, original id 1
 new result:  res_errno: 0, res_error: , res_matched: 
 read1msg:  0 new referrals
 read1msg:  mark request completed, id = 1
 request 1 done
 res_errno: 0, res_error: , res_matched: 
 ldap_free_request (origid 1, msgid 1)
 ldap_free_connection
 ldap_free_connection: refcnt 1
 ldap_parse_result
 ldap_msgfree
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter
(uid=mytestuser)
 ldap_search
 put_filter: (uid=mytestuser)
 put_filter: simple
 put_simple_filter: uid=mytestuser
 ldap_send_initial_request
 ldap_send_server_request
 ldap_result msgid 2
 ldap_chkResponseList for msgid=2, all=1
 ldap_chkResponseList returns NULL
 wait4msg (timeout 4 sec, 0 

Re: Avoiding ldapsearch on LDAP authentication

2006-03-20 Thread Natalia Escalera
Hello,

It is my understanding that Freeradius uses Ldap search in order to
authenticate users and that the Ldap bind is used to point to the
location where the search will be done at the Ldap server.

I am using FR 1.1.0 but I think it is similar configuration in your FR version.

#users file
   DEFAULT Auth-Type := LDAP
   Fall-Through = 1


  rlm_ldap: object not found or got ambiguous search result
Check your basedn in radiusd.conf

For debugging I recommend you to use Ethereal. It is very useful.

Natalia.


Error building version 1.1.1

2006-03-20 Thread Sandworm

Hi

While attempting to build the RPMs for FreeRadius version 1.1.1, I
get an error during the build of libradius. Extract of the output
is shown below. Build being done with 'rpmbuild -ba
/usr/src/redhat/SPECS/freeradius.spec', where the spec file is
taken from the 'redhat' directory in the tarball. The build is
being done on Redhat Enterprise Server 3 (ES) Update 6. Looks like
the Makefile in the tarball's src/lib directory is removing the
'/var/tmp/freeradius-root/usr/lib/' directory and the symbolic link
creation then does not find it.

Making install in lib...
gmake[4]: Entering directory `/usr/src/redhat/BUILD/freeradius-1.1.1/src/lib'
/usr/bin/libtool --mode=install /usr/src/redhat/BUILD/freeradius-1.1.1/install-sh -c -c libradius.la /var/tmp/freeradius-root/usr/lib
/usr/src/redhat/BUILD/freeradius-1.1.1/install-sh -c -c .libs/libradius-1.1.1.so /var/tmp/freeradius-root/usr/libradius-1.1.1.so
(cd /var/tmp/freeradius-root/usr && rm -f libradius.so && ln -s libradius-1.1.1.so libradius.so)
/usr/src/redhat/BUILD/freeradius-1.1.1/install-sh -c -c .libs/libradius.lai /var/tmp/freeradius-root/usr/libradius.la
/usr/src/redhat/BUILD/freeradius-1.1.1/install-sh -c -c .libs/libradius.a /var/tmp/freeradius-root/usr/libradius.a
ranlib /var/tmp/freeradius-root/usr/libradius.a
chmod 644 /var/tmp/freeradius-root/usr/libradius.a
libtool: install: warning: remember to run `libtool --finish /usr/lib'
rm -f /var/tmp/freeradius-root/usr/lib/libradius-1.1.1.la;
ln -s libradius.la /var/tmp/freeradius-root/usr/lib/libradius-1.1.1.la
ln: creating symbolic link `/var/tmp/freeradius-root/usr/lib/libradius-1.1.1.la' to `libradius.la': No such file or directory
gmake[4]: *** [install] Error 1
gmake[4]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.1.1/src/lib'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.1.1/src'
gmake[2]: *** [install] Error 2
gmake[2]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.1.1/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/usr/src/redhat/BUILD/freeradius-1.1.1'
make: *** [install] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.72933 (%install)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.72933 (%install)


Re: Version 1.1.1 has been released

2006-03-20 Thread Stefan Winter
Hi,

as I see, #335 didn't make it. Any particular reason or did it just get lost? 
IIRC, adding it was considered okay?

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
