Re: rlm_ldap: could not start TLS
Hi,

Please make sure that you have entered the DNS name of your LDAP server (eDirectory) in the ldap section of radiusd.conf.

-Sayantan.

On Sat, Apr 1, 2006 at 6:58 pm, in message [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:

> Hi,
>
> I'm trying to make freeradius 1.1.0 contact a LDAP server. I configured freeradius --with-edir.
>
> The error I get is
>
> rlm_ldap: could not start TLS
> Can't contact LDAP server
>
> I followed this document http://www.novell.com/coolsolutions/tip/15922.html except that in my case, the LDAP server is on Netware 6.5 SP5. On this Netware server, LDAP responds correctly over SSL, as tested with Novell's ldapsearch on port 636.
>
> In radiusd.conf, in the ldap section, I use
>
> tls_cacertfile = /usr/local/freeradius/etc/raddb/certs/rootder.b64
>
> which is the self-signed certificate exported from the Netware's CA object.
>
> I can provide other details about my LDAP server object in Netware upon request.
>
> Thanks in advance,
> Marc Delisle

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: VLAN and SSID
Anyone can help me please?

Thanks,
Antonio

on 30/03/2006 17.39 Antonio Matera said the following:

> hi,
>
> ok, now the authentication request works (the problem was that if I restart the AP I lose this configuration. How can I save it using the web configuration?)
>
> Now the log is the following:
>
> rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
>         User-Name = TEST4
>         Framed-MTU = 1400
>         Called-Station-Id = 0012.dacb.8420
>         Calling-Station-Id = 000c.f135.f1ba
>         Cisco-AVPair = ssid=VLAN3
>         Service-Type = Login-User
>         Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
>         EAP-Message = 0x020600060d00
>         NAS-Port-Type = Wireless-802.11
>         Cisco-NAS-Port = 260
>         NAS-Port = 260
>         State = 0x0491685cf8ece3184d685dedfedbb3d4
>         NAS-IP-Address = 192.168.9.104
>         NAS-Identifier = ap
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 18
> modcall[authorize]: module preprocess returns ok for request 18
> modcall[authorize]: module mschap returns noop for request 18
> rlm_realm: No '@' in User-Name = TEST4, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 18
> rlm_eap: EAP packet type response id 6 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 18
> users: Matched entry TEST4 at line 11
> modcall[authorize]: module files returns ok for request 18
> modcall: leaving group authorize (returns updated) for request 18
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 18
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake is finished
> eaptls_verify returned 3
> eaptls_process returned 3
> rlm_eap: Freeing handler
> modcall[authenticate]: module eap returns ok for request 18
> modcall: leaving group authenticate (returns ok) for request 18
> Login OK: [TEST4/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
> Sending Access-Accept of id 19 to 192.168.9.104 port 1645
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = 2
>         Tunnel-Type:0 = VLAN
>         MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
>         MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
>         EAP-Message = 0x03060004
>         Message-Authenticator = 0x
>         User-Name = TEST4
> Finished request 18
>
> and I have this users:
>
> TEST4   Auth-Type := EAP, Cisco-AVPair := ssid=SSID1
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2,
>         Tunnel-Type = VLAN
>
> user2   Auth-Type := EAP, Cisco-AVPair := ssid=VLAN3
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 3,
>         Tunnel-Type = VLAN
>
> Now in the log there is Cisco-AVPair = ssid=VLAN3 but user TEST4 is authenticated on the incorrect SSID (VLAN3). I suppose that the Cisco-AVPair check doesn't work in my configuration.
>
> Are there other mistakes?
>
> Thanks for your answers...
>
> Bye
> Antonio
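The `users` file semantics behind the wrong-SSID result above, as an added example that is not code from the thread or from FreeRADIUS: on the first line of a `users` entry the items are check items, and there `:=` always matches and sets the attribute, while `==` compares the attribute in the request with the value. So `Cisco-AVPair := ssid=SSID1` never filters on the SSID, whereas `Cisco-AVPair == "ssid=SSID1"` does. The script models just those two operators against the request from the debug output; the Entry structure, the request dictionary and the function names are simplifications assumed for the example, not the server's internals.

```python
"""Model of how a FreeRADIUS `users` entry is selected for a request.

Added example, not code from the thread or from FreeRADIUS itself. It
models only the two check-item operators that matter here:
  ==   entry matches only if the request attribute equals the value
  :=   always matches; it sets the attribute rather than testing it
The matching below is a simplified illustration of that documented
behaviour, not the server's real code.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    name: str
    checks: list                      # (attribute, operator, value) triples
    reply: dict = field(default_factory=dict)


def entry_matches(entry: Entry, request: dict) -> bool:
    """True if every check item on the entry's first line is satisfied."""
    if request.get("User-Name") != entry.name:
        return False
    for attr, op, value in entry.checks:
        if op == ":=":
            continue                  # assignment: never rejects the entry
        if op == "==":
            if request.get(attr) != value:
                return False
        else:
            raise ValueError(f"operator {op!r} not modelled here")
    return True


def select_entry(entries: list, request: dict):
    """First matching entry wins, as in the `users` file."""
    for e in entries:
        if entry_matches(e, request):
            return e
    return None


def vlan_for(entries: list, request: dict):
    """Tunnel-Private-Group-Id the matched entry would send back, or None."""
    e = select_entry(entries, request)
    return e.reply.get("Tunnel-Private-Group-Id") if e else None


# The request from the debug output: TEST4 associating to ssid=VLAN3.
REQUEST = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=VLAN3"}

# As posted: ':=' on Cisco-AVPair, so the SSID is never actually compared.
AS_POSTED = [
    Entry("TEST4", [("Auth-Type", ":=", "EAP"), ("Cisco-AVPair", ":=", "ssid=SSID1")],
          {"Tunnel-Private-Group-Id": "2"}),
    Entry("user2", [("Auth-Type", ":=", "EAP"), ("Cisco-AVPair", ":=", "ssid=VLAN3")],
          {"Tunnel-Private-Group-Id": "3"}),
]

# With '==' the SSID is a real check item: TEST4 on VLAN3 matches no entry.
WITH_COMPARE = [
    Entry("TEST4", [("Auth-Type", ":=", "EAP"), ("Cisco-AVPair", "==", "ssid=SSID1")],
          {"Tunnel-Private-Group-Id": "2"}),
    Entry("user2", [("Auth-Type", ":=", "EAP"), ("Cisco-AVPair", "==", "ssid=VLAN3")],
          {"Tunnel-Private-Group-Id": "3"}),
]

if __name__ == "__main__":
    print("as posted  ->", vlan_for(AS_POSTED, REQUEST))     # 2: VLAN handed out anyway
    print("with '==' ->", vlan_for(WITH_COMPARE, REQUEST))   # None: no entry matches
```

With the comparison operator the TEST4 entry no longer matches a request from the wrong SSID, so the files module returns notfound for it and the server does not hand out VLAN 2; a separate entry (or a DEFAULT entry) is then needed for whatever should happen to that user on VLAN3.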
RE: pppoe-server
Hi,

1. try sending the interval in the Acct-Interim-Interval attribute to your pppoe-server
2. try to send the questions to the mailing list

Regards,
Edvin

From: Wassim abbas [mailto:[EMAIL PROTECTED]]
Sent: Monday, 03 April 2006 00:18
To: [EMAIL PROTECTED]
Subject: Re: (no subject)

> Hello
>
>> 1. modify your pppoe-server to send accounting updates every hour or less
>
> How?
Problem with LDAP against Active Directory
Hi folks,

I want to authenticate users from a WLAN with freeradius. The users are stored in the Active Directory of a Windows 2003 Server. With some tutorials from the Internet I have configured freeradius to do that. Unfortunately the authentication is not successful.

That's the output from FreeRADIUS during the authentication:

rad_recv: Access-Request packet from host 192.168.210.15:4596, id=13, length=100
        NAS-Port-Type = Ethernet
        Service-Type = Login-User
        User-Name = ldap
        User-Password = ldap
        Called-Station-Id = 00:01:02:ad:64:f7
        Calling-Station-Id = 00:c0:49:54:b5:43
        NAS-Port = 1
Mon Apr 3 11:12:08 2006 : Debug: Processing the authorize section of radiusd.conf
Mon Apr 3 11:12:08 2006 : Debug: modcall: entering group authorize for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module preprocess returns ok for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module chap returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module mschap returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No '@' in User-Name = ldap, looking up realm NULL
Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No such realm NULL
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module suffix returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module eap returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module files returns notfound for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: - authorize
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: performing user authorization for ldap
Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: '(uid=ldap)'
Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: 'ou=Sion, o=ad.ch'
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: closing existing LDAP connection
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: (re)connect to ad.ch:389, authentication 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: bind as / to ad.ch:389
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: waiting for bind result ...
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: Bind was successful
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: performing search in ou=Sion, o=ad.ch, with filter (uid=ldap)
Mon Apr 3 11:12:18 2006 : Error: rlm_ldap: ldap_search() failed: Operations error
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: search failed
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Apr 3 11:12:18 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 2
Mon Apr 3 11:12:18 2006 : Debug: modcall[authorize]: module ldap returns fail for request 2
Mon Apr 3 11:12:18 2006 : Debug: modcall: group authorize returns fail for request 2
Mon Apr 3 11:12:18 2006 : Debug: Finished request 2
Mon Apr 3 11:12:18 2006 : Debug: Going to the next request
Mon Apr 3 11:12:18 2006 : Debug: --- Walking the entire request list ---
Mon Apr 3 11:12:18 2006 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.210.15:4596, id=13, length=100
Mon Apr 3 11:12:18 2006 : Debug: Discarding duplicate request from client testnet:4596 - ID: 13
Mon Apr 3 11:12:18 2006 : Debug: --- Walking the entire request list ---
Mon Apr 3 11:12:18 2006 : Debug: Cleaning up request 2 ID 13 with
Re: rlm_ldap: could not start TLS
Hi.

I had the same problem with the same version of freeradius to authenticate to an OpenLDAP. Check this (it worked for me):

- verify your TLS configuration: you must have the same name as the certificate. For instance, don't use the IP address when it is expecting the DNS name.
- verify that your ldap library has TLS support: I used OpenLDAP's library without TLS and had the same problem.
- configure and compile freeradius with the OpenSSL flags: point to the openssl that you want/need.

Marc Delisle wrote:
> George C. Kaplan wrote:
>> On Apr 1, 2006, at 5:28 AM, Marc Delisle wrote:
>>> Hi,
>>>
>>> I'm trying to make freeradius 1.1.0 contact a LDAP server. I configured freeradius --with-edir.
>>>
>>> The error I get is
>>>
>>> rlm_ldap: could not start TLS
>>> Can't contact LDAP server
>>>
>>> I followed this document http://www.novell.com/coolsolutions/tip/15922.html except that in my case, the LDAP server is on Netware 6.5 SP5. On this Netware server, LDAP responds correctly over SSL, as tested with Novell's ldapsearch on port 636.
>>
>> I had a problem similar to this: 'ldapsearch' worked, but Freeradius couldn't make an LDAP connection with TLS. It turns out that my system had two versions of the openssl library, and radiusd was linking to the wrong version. It was kind of confusing, since the rlm_ldap module was linked to the correct library (in /usr/local/lib), but radiusd was linked to the one in /usr/lib, and that's the one that got loaded at run time. I ended up setting --with-openssl-includes and --with-openssl-libraries in the Makefile for the port (I'm using FreeBSD 5.4), and that solved the problem.
>>
>> --
>> George C. Kaplan    [EMAIL PROTECTED]
>> Communication Network Services    510-643-0496
>> University of California at Berkeley
>
> Thanks George for your answer. I checked: both radiusd and rlm_ldap-1.1.0.so are linked to /usr/lib/libssl.so.0.9.7. I am on Linux. Should this version (openssl 0.9.7e) work?
>
> Marc Delisle

--
Sincerely,
Paulo Cabrita, MSc
Director of the Computing Centre of the Universidade Autónoma de Lisboa
Tel: +351-213177635
Fax: +351-213533702
E-mail: [EMAIL PROTECTED]
Re: Separate query for authentication and authorization
Thanks a lot Alan. I was very much confused between the two, Authentication and Authorization.
Implimenting Capping with FreeRadius
Hi,

OS: Fedora C4
FR: 1.0.2-2
DB: MySQL 4.1.11-2

I was wondering if anybody has a more elegant solution to implementing capping with FreeRadius than writing a script that totals the bytes in/out in the radacct table every couple of minutes and updates the radcheck table to deny further logins?

Shawn
RE: Problem with LDAP against Active Directory
Hi Dominique

There appears to be something wrong with the search base definition for your LDAP search. It looks like you are using the traditional LDAP basename which goes ou=mydepartment, o=mycompany, c=ch. Active Directory uses basenames that look like dc=ad, dc=ch. Your LDAP server is returning operations error, so I should look in its log file for more details.

By the way, bear in mind that unless you use Microsoft IAS, you can only do RADIUS authentication against AD using PAP (i.e. users send passwords in cleartext), which isn't too secure.

Max Caines

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 03 April 2006 10:27
To: freeradius-users@lists.freeradius.org
Subject: Problem with LDAP against Active Directory

> Hi folks,
>
> I want to authenticate users from a WLAN with freeradius. The users are stored in the Active Directory of a Windows 2003 Server. With some tutorials from the Internet I have configured freeradius to do that. Unfortunately the authentication is not successful.
>
> That's the output from FreeRADIUS during the authentication:
>
> [...]
MACs
Hello

I'm trying to log the users' MAC address using pppoe and FR + mysql. I added an AV pair (calling-station-id) to the users file but checkval could not find it:

rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
modcall[authorize]: module checkval returns notfound for request 21
Re: Implimenting Capping with FreeRadius
Shawn Hamman [EMAIL PROTECTED] wrote:
> I was wondering if anybody has a more elegant solution to implementing capping with FreeRadius than writing a script that totals the bytes in/out in the radacct table every couple of minutes and updates the radcheck table to deny further logins?

  Have a script that runs when the server receives accounting packets, and do the work there.

  Alan DeKok.
JRadius module for post-auth
Hi,

This is related to my previous mail on setting up Freeradius for 2-factor authentication with challenge-response. I looked at what the JRadius module can do and am going to attempt the following approach:

1. insert a JRadius module into the post-auth section, such that the module will process an Access-Accept packet into an Access-Challenge packet

   Question: is this allowed by FreeRadius? i.e. would FreeRadius allow a module in post-auth to change the packet type (Code)?

2. insert a JRadius module into either the authorize or authenticate section, such that it will recognize an access-request packet which answers the challenge, and process it using its own logic

   Question: Would freeradius allow a module called in the authorize part to directly accept or reject a request, without making it go through to the authenticate section?

Thank you and best regards
Kaden

--- Alan DeKok [EMAIL PROTECTED] wrote:
> Yizhi Lao [EMAIL PROTECTED] wrote:
>> What I am worried about is not the second authentication method, but to chain two authentications together. Is there any convenient way to do it?
>
>   As I said, you have to write your own module to do this. The example module that is included with the server shows how to chain two authentications together. Take a look at it.
>
>   Alan DeKok.
Re: Two times authorization and/or both proxying and serving
I know I'm a little bit tedious, but I need your help, please...

I need to find the cheapest way to reject a request in the proxy radius in the case that a domain doesn't have quota. If the domain has quota, the proxy must forward the request to the corresponding authserv and finish the cycle in its natural purpose.

Sorry for my bad English, I'm trying to write it as clearly as I can!

From: Mark Supersonik [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: Two times authorization and/or both proxying and serving
Date: Fri, 31 Mar 2006 12:00:54 +0200

> First of all, thanks for your help!!! We appreciate it so much!!
>
> Let me explain that the misunderstanding of the sentence is probably much a problem of my poor academic English semantics. Well, I will explain the scenario I told again, trying to do it in the finest way possible:
>
> We have a proxy Radius that must proxy or reject the request depending on whether the authserver's WISP has quota on our system. Inside the proxy, we must forward the incoming request from a roaming user to a domain authserv ONLY AND ONLY IF we can verify the WISP-domain has a prepaid quota in the proxy's database. We want so to programme the pre-proxy block in order to determine if the request must be proxied to the final authserv or must be rejected by the proxy.
>
> How can we implement this functionality from a technical point of view? Can we use a module in the pre-proxy state? Or do we only have the solution of programming JRadius handling the incoming request to the proxy? Or maybe the logical solution is to use the exec module?
>
> We need a little more help... sorry and thanks a lot from all the staff here!!!
>
> Nets Research Group (Pompeu Fabra University of Barcelona)
>
> From: Alan DeKok [EMAIL PROTECTED]
> Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: Two times authorization and/or both proxying and serving
> Date: Thu, 30 Mar 2006 13:19:30 -0500
>
>> Mark Supersonik [EMAIL PROTECTED] wrote:
>>> My doubt is: can a freeradius server do first an authorization of a request through a DB (i.e. MySQL) and then proxy if so, or reject it (if all isn't in rule)?
>>
>>   Yes.
>>
>>> We want only to accept access if each one of the two servers processes the authentication successfully.
>>
>>   MySQL doesn't do authentication. Your statement is incorrect.
>>
>>   Alan DeKok.
Re: Implimenting Capping with FreeRadius
On Mon 03 Apr 2006 16:22, Shawn Hamman wrote:
> Hi,
>
> OS: Fedora C4
> FR: 1.0.2-2
> DB: MySQL 4.1.11-2
>
> I was wondering if anybody has a more elegant solution to implementing capping with FreeRadius than writing a script that totals the bytes in/out in the radacct table every couple of minutes and updates the radcheck table to deny further logins?

Sure. The elegant solution is to simply check the sum of the user's minutes/bytes from the radacct table in the same query that queries the radcheck table. You can either do this as a (quite complex) join or preferably inside a stored procedure. (You may wish to put appropriate indexes on the radacct table to speed things up)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
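A worked version of what Alan and Peter both describe in this thread (decide at authorization time, from the running total in radacct, instead of a cron job rewriting radcheck), as an added example that is not part of the thread or of FreeRADIUS. It builds an in-memory SQLite database with the column names of the stock radacct and radcheck tables the thread refers to; the cap attribute name Max-Octets, the sample rows and the function names are assumptions for the example. The SELECT is the part that carries over: it is the join Peter mentions, and it is what a stored procedure or the SQL module's authorization query would run, with an index on radacct(username) so the SUM stays cheap.

```python
"""Usage cap evaluated in the same query that reads radcheck.

Added example, not FreeRADIUS' own code or schema. In-memory SQLite with
the stock column names (radcheck: username, attribute, op, value;
radacct: username, acctinputoctets, acctoutputoctets). The attribute
name "Max-Octets" and the rows below are assumptions for the example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,
                       attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radacct  (radacctid INTEGER PRIMARY KEY, username TEXT,
                       acctinputoctets INTEGER, acctoutputoctets INTEGER);
CREATE INDEX radacct_username ON radacct(username);
"""

# Constructed sample data: alice and bob have a 1 GiB cap; bob has used ~1.3 GB.
SAMPLE = [
    ("INSERT INTO radcheck(username, attribute, op, value) VALUES (?,?,?,?)",
     [("alice", "Max-Octets", ":=", str(1 << 30)),
      ("bob",   "Max-Octets", ":=", str(1 << 30)),
      ("carol", "Cleartext-Password", ":=", "x")]),        # carol has no cap
    ("INSERT INTO radacct(username, acctinputoctets, acctoutputoctets) VALUES (?,?,?)",
     [("alice",   100_000_000,   200_000_000),
      ("bob",     600_000_000,   700_000_000),
      ("bob",      10_000_000,     1_000_000),
      ("carol", 5_000_000_000, 5_000_000_000)]),
]

# One query: the user's cap joined against the running total in radacct.
# LEFT JOIN keeps a capped user with no accounting rows yet; COALESCE makes
# that total 0 instead of NULL.
CAP_QUERY = """
SELECT c.value AS cap,
       COALESCE(SUM(a.acctinputoctets + a.acctoutputoctets), 0) AS used
FROM radcheck AS c
LEFT JOIN radacct AS a ON a.username = c.username
WHERE c.username = ? AND c.attribute = 'Max-Octets'
GROUP BY c.value
"""


def open_db() -> sqlite3.Connection:
    """Create the schema and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn


def over_cap(conn: sqlite3.Connection, username: str) -> bool:
    """True if the user has a Max-Octets check item and has consumed it."""
    row = conn.execute(CAP_QUERY, (username,)).fetchone()
    if row is None:
        return False                      # no cap configured: do not block
    cap, used = int(row[0]), int(row[1])
    return used >= cap


if __name__ == "__main__":
    db = open_db()
    for user in ("alice", "bob", "carol", "nobody"):
        print(user, "over cap" if over_cap(db, user) else "ok")
```

The decision is made from live accounting data at the moment of the Access-Request, so there is no window between the cron run and the next login in which an exhausted user still gets in, and nothing ever has to write to radcheck.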
Other attributes
Hi all

Does freeradius integrate specific attributes from boxes such as Redback? If yes, how can we use it?

Thanks
Jacques
RE: Problem with LDAP against Active Directory
Hello,

Can you tell me which log file I must check? I already use the other basename and I also use PAP.

Greets
Dominique

PS: Sorry for my bad English!

Which log file?

On Monday, 03.04.2006, 14:42 +0100, Caines, Max wrote:
> Hi Dominique
>
> There appears to be something wrong with the search base definition for your LDAP search. It looks like you are using the traditional LDAP basename which goes ou=mydepartment, o=mycompany, c=ch. Active Directory uses basenames that look like dc=ad, dc=ch. Your LDAP server is returning operations error, so I should look in its log file for more details.
>
> By the way, bear in mind that unless you use Microsoft IAS, you can only do RADIUS authentication against AD using PAP (i.e. users send passwords in cleartext), which isn't too secure.
>
> Max Caines
>
> [...]
conflicts/duplicates need
List:

I've been using free radius for about a month and learning as I go. But I've noticed that I get a period every few hours when freeradius doesn't authenticate. I'm not sure what the problem is, but here is the log as captured in /var/log/radiusd

Any idea what could be causing this?

Thanks
Duane Cox

Mon Apr 3 15:02:36 2006 : Auth: Login OK: [intermapper] (from client intermapper port 0)
Mon Apr 3 15:03:06 2006 : Auth: Login OK: [intermapper] (from client intermapper port 0)
Mon Apr 3 15:03:09 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 81 due to unfinished request 1345
Mon Apr 3 15:03:12 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 81 due to unfinished request 1345
Mon Apr 3 15:03:34 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:38 2006 : Error: WARNING: Unresponsive child (id 32771) for request 1345
Mon Apr 3 15:03:39 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 83 due to unfinished request 1347
Mon Apr 3 15:03:40 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:42 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 83 due to unfinished request 1347
Mon Apr 3 15:03:44 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:03:45 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:49 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:03:50 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:53 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:03:54 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:03:59 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:03:59 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:04:03 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:04:03 2006 : Error: WARNING: Unresponsive child (id 49156) for request 1346
Mon Apr 3 15:04:06 2006 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Apr 3 15:04:09 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:04:09 2006 : Error: WARNING: Unresponsive child (id 16386) for request 1347
Mon Apr 3 15:04:09 2006 : Error: WARNING: Unresponsive child (id 65541) for request 1348
Re: conflicts/duplicates need
Duane Cox [EMAIL PROTECTED] wrote:
> But I've noticed that I get a period every few hours when freeradius
> doesn't authenticate. I'm not sure what the problem is, but here is the
> log as captured in /var/log/radiusd. Any idea what could be causing this?

  Usually it's because your database is slow or not responding.

  Alan DeKok.
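As an added example for this thread (not code from the posters or from FreeRADIUS), here is a small Python triage script for radiusd 1.x log lines of the kind Duane posted. It groups the "Dropping conflicting packet" and "Discarding duplicate request" lines with the "Unresponsive child" warning for the same request number, so each stall's client, retransmit count and duration can be read off, and it flags the rlm_sql "no DB handles" line that points at the slow or absent database Alan mentions. The embedded SAMPLE_LOG is constructed in the same format as the post; the message patterns matched are only those visible in it.

```python
"""Triage FreeRADIUS 1.x radius.log lines for stalled requests.

Added example for this thread, not FreeRADIUS code. SAMPLE_LOG is
constructed in the format of Duane's post; the message patterns matched
below are the ones visible in that post.
"""
import re
from collections import defaultdict
from datetime import datetime

# radiusd 1.x log line: "<ctime-style timestamp> : <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)
# Both messages mean the NAS retransmitted while the first copy was still being worked on.
RETRANS_RE = re.compile(
    r"(?:Dropping conflicting packet|Discarding duplicate request) from client "
    r"(?P<client>[^:]+):(?P<port>\d+) - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)"
)
UNRESP_RE = re.compile(r"WARNING: Unresponsive child \(id (?P<child>\d+)\) for request (?P<req>\d+)")
NO_DB_RE = re.compile(r"rlm_sql \([^)]*\): There are no DB handles to use!")

# Constructed sample, same format as the lines in Duane's post.
SAMPLE_LOG = """\
Mon Apr 3 15:03:09 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 81 due to unfinished request 1345
Mon Apr 3 15:03:12 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 81 due to unfinished request 1345
Mon Apr 3 15:03:34 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:38 2006 : Error: WARNING: Unresponsive child (id 32771) for request 1345
Mon Apr 3 15:03:40 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:44 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:04:03 2006 : Error: WARNING: Unresponsive child (id 49156) for request 1346
Mon Apr 3 15:04:06 2006 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Apr 3 15:04:09 2006 : Error: WARNING: Unresponsive child (id 65541) for request 1348
"""


def parse_ts(ts):
    """'Mon Apr 3 15:03:09 2006' -> datetime (the day may be space-padded)."""
    return datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")


def triage(lines):
    """Return (stalls, db_starved).

    stalls:     {request_number: {client, first_retransmit, retransmits,
                                  unresponsive_at, stall_seconds}}
    db_starved: timestamps at which rlm_sql reported an empty handle pool.
    """
    stalls = defaultdict(lambda: {"client": None, "first_retransmit": None,
                                  "retransmits": 0, "unresponsive_at": None,
                                  "stall_seconds": None})
    db_starved = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines, debug output, anything else
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        r = RETRANS_RE.search(msg)
        if r:
            s = stalls[int(r.group("req"))]
            s["client"] = r.group("client")
            s["retransmits"] += 1
            if s["first_retransmit"] is None or ts < s["first_retransmit"]:
                s["first_retransmit"] = ts
            continue
        u = UNRESP_RE.search(msg)
        if u:
            s = stalls[int(u.group("req"))]
            s["unresponsive_at"] = ts
            if s["first_retransmit"] is not None:
                # how long the child sat on the request after the NAS first gave up waiting
                s["stall_seconds"] = (ts - s["first_retransmit"]).total_seconds()
            continue
        if NO_DB_RE.search(msg):
            db_starved.append(ts)
    return dict(stalls), db_starved


def main():
    stalls, starved = triage(SAMPLE_LOG.splitlines())
    for req, s in sorted(stalls.items()):
        print(f"request {req}: client={s['client']} retransmits={s['retransmits']} "
              f"stall={s['stall_seconds']}s")
    for ts in starved:
        print(f"{ts:%H:%M:%S}: rlm_sql handle pool empty (backend slow or down)")


if __name__ == "__main__":
    main()
```

Feed it the real file with `triage(open(path_to_radius_log))`. A run of requests that each end in an "Unresponsive child" warning roughly the same number of seconds after their first retransmit, bracketed by an rlm_sql "no DB handles" line, is the database-side stall Alan describes; the stall length is worth comparing against max_request_time in radiusd.conf.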
Segmentation fault due to bind_address = 0.0.0.0
Hi,

I got a segmentation fault when I tried to run freeradius (versions 1.0.4, 1.0.5, 1.1.0 and 1.1.1) on Debian (Sarge) or Suse (10.0) with options enabled in the attached config-file.

Meanwhile I found out that the segmentation fault happened because of the following setting:

bind_address = 0.0.0.0

Now I replaced it with the default value

bind_address = *

and everything is fine :)

Thanks for reading, best regards,
Rainer

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.161 2003/11/17 18:10:27 kkalev Exp $
##

# PATHS #
prefix = /usr/local/freeradius
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/freeradius
raddbdir = ${sysconfdir}/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

# GLOBAL SETTINGS #
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 0.0.0.0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_pass = no
nospace_user = no
nospace_pass = no
Checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/clients.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

# MODULE SETTINGS #
modules {
	pap {
		encryption_scheme = crypt
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	mschap {
		authtype = MS-CHAP
	}
	realm realmslash {
		format = prefix
		delimiter = /
	}
	realm suffix {
		format = suffix
		delimiter = @
	}
	realm realmpercent {
		format = suffix
		delimiter = %
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
	}
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = yes
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = no
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	digest {
	}
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
		wait = yes
		program = /bin/echo %{User-Name}
		input_pairs = request
		output_pairs = reply
	}
}
authorize {
	preprocess
	realmslash
	suffix
	files
}
preacct {
	preprocess
	suffix
	files
}
accounting {
	acct_unique
	detail
	radutmp
}
session {
	radutmp
}
post-auth {
}
pre-proxy {
}

pumba:/etc/freeradius# gdb /usr/local/freeradius/sbin/radiusd
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public
(no subject)
Hi all,

I want to use FreeRADIUS (1.0.5) as a RADIUS proxy, and must change the NAS-IP-Address and the User-Realm before sending it to another RADIUS server. I tried it within the preproxy_users file with

DEFAULT User-Name := `%{Stripped-User-Name:[EMAIL PROTECTED], NAS-IP-Address := x.x.x.x

The change of the User-Realm works, but not the NAS-IP-Address. The server sends the authentication requests with its hostname (in detail, with the output of the /etc/hostname command).

Any ideas or helpful information are welcome.

Regards
Oliver Stutzke
change NAS-IP-Address before relaying
Sorry all, the first mail had no subject.

Hi all,

I want to use FreeRADIUS (1.0.5) as a RADIUS proxy, and must change the NAS-IP-Address and the User-Realm before sending it to another RADIUS server. I tried it within the preproxy_users file with

DEFAULT User-Name := `%{Stripped-User-Name:[EMAIL PROTECTED], NAS-IP-Address := x.x.x.x

The change of the User-Realm works, but not the NAS-IP-Address. The server sends the authentication requests with its hostname (in detail, with the output of the /etc/hostname command).

Any ideas or helpful information are welcome.

Regards
Oliver Stutzke
Re: Segmentation fault due to bind_address = 0.0.0.0
Rainer Poisel [EMAIL PROTECTED] wrote:
> I got a segmentation fault when I tried to run freeradius (versions 1.0.4,
> 1.0.5, 1.1.0 and 1.1.1) on Debian (Sarge) or Suse (10.0) with options
> enabled in the attached config-file.

  Please see doc/bugs

> Meanwhile I found out that the segmentation fault happened because of the
> following setting:
>
> bind_address = 0.0.0.0

  I don't see why that would affect anything. It's always worked in my tests.

  Alan DeKok.
Why must clients exist when radius starts?
Is there a configuration option that will allow me to put a client IP in the clients file without the client actually existing yet? It seems when radius starts, if a client doesn't exist the daemon dies. I looked in the archives but I don't quite know what to query for.

Also, is it the case that when the log is rolled, the daemon re-reads the config files and would die if it can't contact a client at this time?

Regards
Doug P
Re: Why must clients exist when radius starts?
Douglas Phillipson [EMAIL PROTECTED] wrote:
> Is there a configuration option that will allow me to put a client IP in
> the clients file without the client actually existing yet? It seems when
> radius starts, if a client doesn't exist the daemon dies.

  Huh? It does that only if you put a hostname in, and the hostname isn't resolvable to an IP address.

  The answer is to use IP addresses in the clients.conf file. Since IP addresses always exist, the server will always start.

> Also, is it the case that when the log is rolled, the daemon re-reads the
> config files and would die if it can't contact a client at this time?

  The server never contacts the clients. The clients always start off the RADIUS conversation by contacting the server.

  You can list 10,000 IP's in the clients.conf file, none of which are real machines, and the server will *always* start.

  Alan DeKok.
Re: Two times authorization and/or both proxying and serving
Mark Supersonik [EMAIL PROTECTED] wrote:
> I need to find the cheapest way to reject a request in proxy radius in the
> case that a domain doesn't have quota. If the domain has quota, the proxy
> must forward the request to the corresponding authserv and finish the
> cycle in its natural purpose.

  Write a shell script to do this.

  Without a more detailed description of *how* you check if a domain has enough quota, it's impossible to give a better answer.

  Alan DeKok.
Re: Why must clients exist when radius starts?
Alan DeKok wrote:
> Douglas Phillipson [EMAIL PROTECTED] wrote:
>> Is there a configuration option that will allow me to put a client IP in
>> the clients file without the client actually existing yet? It seems when
>> radius starts, if a client doesn't exist the daemon dies.
>
>   Huh? It does that only if you put a hostname in, and the hostname isn't
> resolvable to an IP address.
>
>   The answer is to use IP addresses in the clients.conf file. Since IP
> addresses always exist, the server will always start.

Or if you really feel you must have a domain name in there, add it to your local /etc/hosts file until it is added to DNS.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
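As an added example for this thread (not code from the posters or from FreeRADIUS), here is a pre-flight check one can run before starting or HUPing radiusd: it pulls every `client <name> {` header out of clients.conf, passes IP literals (including the netmask form), and for hostnames tries an /etc/hosts-style table first (Dennis's workaround) and then a resolver, reporting any name that resolves nowhere, which is the case Alan says stops the server from starting. The clients.conf text, the hosts table and the fake resolver below are all constructed for the demonstration so it runs offline; in real use pass `socket.gethostbyname` as the resolver.

```python
"""Pre-flight check for FreeRADIUS clients.conf hostnames.

Added example for this thread, not FreeRADIUS code. A client whose name is
a hostname that does not resolve stops radiusd from starting (per Alan's
reply); this finds such entries before a restart. SAMPLE_CLIENTS_CONF,
SAMPLE_HOSTS and FAKE_DNS are constructed for the demonstration.
"""
import ipaddress
import re
import socket

# "client <name> {" at the start of a line; commented-out entries do not match
CLIENT_RE = re.compile(r"^\s*client\s+(?P<name>\S+)\s*\{", re.MULTILINE)

# Constructed clients.conf in 1.x syntax; secrets are placeholders.
SAMPLE_CLIENTS_CONF = """\
client 127.0.0.1 {
        secret      = testing123
        shortname   = localhost
}
client 192.168.9.0/24 {
        secret      = example-secret
        shortname   = wireless-aps
}
client radius-proxy.example.net {
        secret      = example-secret
        shortname   = upstream-proxy
}
client nas-future.example.net {
        secret      = example-secret
        shortname   = not-yet-deployed
}
client nas-staged.example.net {
        secret      = example-secret
        shortname   = staged-via-hosts
}
"""

# Constructed stand-ins for /etc/hosts and DNS (use socket.gethostbyname for real).
SAMPLE_HOSTS = {"nas-staged.example.net": "192.168.9.50"}
FAKE_DNS = {"radius-proxy.example.net": "192.0.2.10"}


def fake_resolve(name):
    """Resolver with the same contract as socket.gethostbyname: OSError on failure."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"{name}: Name or service not known")


def is_ip_literal(name):
    """True for an IPv4/IPv6 address, with or without a /prefix (assumed netmask form)."""
    try:
        ipaddress.ip_network(name, strict=False)
        return True
    except ValueError:
        return False


def check_clients(conf_text, resolve=None, hosts=None):
    """Classify each client entry.

    Returns [(name, status)] with status one of:
      'ip'           address literal, always fine
      'hosts-file'   hostname present in the hosts table
      'resolves'     hostname the resolver answered
      'UNRESOLVABLE' hostname nobody can resolve; radiusd will refuse to start
    resolve: callable(name) -> address, raising OSError on failure.
    hosts:   dict name -> address mirroring /etc/hosts (checked before DNS).
    """
    hosts = hosts or {}
    results = []
    for m in CLIENT_RE.finditer(conf_text):
        name = m.group("name")
        if is_ip_literal(name):
            results.append((name, "ip"))
        elif name in hosts:
            results.append((name, "hosts-file"))
        else:
            try:
                if resolve is None:
                    raise OSError("no resolver configured")
                resolve(name)
                results.append((name, "resolves"))
            except OSError:
                results.append((name, "UNRESOLVABLE"))
    return results


def unresolvable(results):
    """Names that would stop radiusd from starting."""
    return [name for name, status in results if status == "UNRESOLVABLE"]


if __name__ == "__main__":
    res = check_clients(SAMPLE_CLIENTS_CONF, resolve=fake_resolve, hosts=SAMPLE_HOSTS)
    for name, status in res:
        print(f"{status:12s} {name}")
    bad = unresolvable(res)
    print("OK to start" if not bad else f"fix before (re)start: {', '.join(bad)}")
```

Run against the real file with `check_clients(open("/path/to/clients.conf").read(), resolve=socket.gethostbyname)`; anything reported UNRESOLVABLE should be replaced with its IP address, or, as Dennis suggests, pinned in /etc/hosts until DNS carries it.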