Re: RADIUS stops responding after a while
Hi,

> I've got strange behavior on my FR, need to find the way to prevent it, and
> find out what caused it.

That is something several people are experiencing and it is being looked into. Any help in debugging would be appreciated, I guess, since the problem is indeed hard to spot. Check the mailing list archives for the topic "Version 1.1.1 stops responding".

> I've just gone to my radius server and found out that it doesn't want to
> handle requests.. I restarted it in debug and it told me that SQL module is
> unknown. (was working fine for 1 month) I restarted again in debug and now
> it went OK and works fine, but this thing is not acceptable in the field.

Interesting.

> So does anyone know what could cause such a behavior (not accepting
> requests, due to module malfunction) and more importantly is there any way
> to monitor the server functionality? Let's say something like send testing
> request each 30min or something and if server doesn't reply send email
> notification?

You could use Nagios and its RADIUS module. That's what we do and it works like a charm. You can even say something like: if the probe failed twice, do a stop/start of the service and see if it helps; if not, send a notification.

Greetings,

Stefan Winter

--
Stefan WINTER
RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de la Recherche
R&D Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Redundant ldap's bug?
Paulo Cabrita <[EMAIL PROTECTED]> wrote: > I saw the code a little closer and I think it's not worthy to try to > have one CA and two certificate for each server. The LDAP client only > support the data for one connection... > > static char *tls_opt_certfile = NULL; Yes, that's exactly what I said. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS stops responding after a while
"Alex M" <[EMAIL PROTECTED]> wrote:
> I've just gone to my radius server and found out that it doesn't want to
> handle requests.. I restarted it in debug and it told me that SQL module is
> unknown.

Who edited the config file since the last time the server started?

> So does anyone know what could cause such a behavior (not accepting
> requests, due to module malfunction) and more importantly is there any way
> to monitor the server functionality? Let's say something like send testing
> request each 30min or something and if server doesn't reply send email
> notification?

It should be trivial to write a shell script to do that.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
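What the Nagios RADIUS check Stefan describes and the "trivial shell script" Alan mentions actually have to do, written out as an added Python example (editor's code, not from the thread, from Nagios or from FreeRADIUS). It builds a PAP Access-Request per RFC 2865, sends it with a timeout, and, before counting the reply as "server alive", verifies the Response Authenticator against the shared secret, so a reply spoofed by something that does not hold the secret is counted as a failure rather than a success. `next_action` is the escalation rule from Stefan's reply (two failed probes: restart; still failing: notify). The host, port, secret and the `probe` account in the `__main__` block are placeholders.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(attr_type, value):
    """One attribute as Type, Length, Value (RFC 2865 s.5); Length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encode_user_password(secret, password, request_auth):
    """Hide a PAP password (RFC 2865 s.5.2): NUL-pad to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous ciphertext block); the first block is keyed
    by the Request Authenticator, which is why that value must be fresh per request."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(secret, username, password, identifier, nas_id=b"radius-probe"):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(secret, password, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(secret, request_auth, code, identifier, attrs=b""):
    """The server side of the exchange: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s.3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(secret, request_auth, identifier, data):
    """Return the reply Code, or None if the packet is malformed, answers a different
    identifier, or its Response Authenticator was not computed with our secret."""
    if len(data) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", data[:4])
    if ident != identifier or length != len(data):
        return None
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    if expected != data[4:20]:
        return None
    return code


def probe(host, port, secret, username, password, timeout=3.0):
    """Send one Access-Request; 'accept' and 'reject' both prove the server answered."""
    identifier = os.urandom(1)[0]
    packet, request_auth = build_access_request(secret, username, password, identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code = verify_response(secret, request_auth, identifier, data)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad")


def next_action(history, restart_after=2):
    """Escalation from the thread: count consecutive failed probes (newest last);
    at `restart_after` failures restart the service, beyond that notify."""
    failures = 0
    for result in reversed(history):
        if result in ("accept", "reject"):
            break
        failures += 1
    if failures == 0:
        return "ok"
    if failures < restart_after:
        return "wait"
    return "restart" if failures == restart_after else "notify"


if __name__ == "__main__":
    # Placeholder host, port, secret and probe account (assumed, not from the thread).
    print(probe("127.0.0.1", 1812, b"testing123", b"probe", b"probe-pw"))
```

Run it from cron at whatever interval you want and act on `next_action`. An Access-Reject still counts as "alive" here because the question in the thread is whether the server answers at all; if you also want to catch the "SQL module unknown" failure mode, give the probe account a password the SQL module must look up and treat anything but `accept` as a failure.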
Re: mysql replication vs. radrelay
Olaf Schäfer <[EMAIL PROTECTED]> wrote:
> I have a redundant radius server setup with two radius servers. On each
> of the servers freeradius 1.1.1 and mysql is running. If the primary
> server goes down the AC falls back to the secondary server. To keep the
> databases (except the radacct table) synchronised I use MySQL
> replication. But I'm not sure which is the best way to replicate the
> accounting information: using radrelay or mysql-replication, too?

I would suggest radrelay. The reason is that (in DB terms) it uses a journal of what has to be replicated: RADIUS packets.

> Besides the man page for radrelay says "The functions of radrelay
> have been added to radiusd". I couldn't find any documentation about
> this feature. Any hints?

It shouldn't say that in the 1.1.1 release. radrelay should still be there.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pre-proxy programme
"Mark Supersonik" <[EMAIL PROTECTED]> wrote:
> Please, look at the fact that we speak about DOMAINS quota, but not users
> quota.

That doesn't really matter. You made it clear you're trying to cancel the proxy decision AFTER you made it. That's what's causing the problem. My comments were trying to get you to NOT make the proxy decision in the first place.

> The roaming users are authenticated by the authserv of his domain (WISP).
> So, apart from the users quota (which doesn't affect us because the remote
> authserv does this work for us), there is a WISP quota, WISPs prepay to
> proxy a volume of resources, and we, the settlement part (proxy), must
> determine, before all, if we want to permit this authorization

That changes nothing of what I said. My solution still applies. My solution was based on general design principles, not on knowing the detail of who has what quota. As a result, my solution works in many situations, whereas other solutions may not.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql replication vs. radrelay
On Fri 07 Apr 2006 00:01, Olaf Schäfer wrote:
> hello,
>
> I have a redundant radius server setup with two radius servers. On each
> of the servers freeradius 1.1.1 and mysql is running. If the primary
> server goes down the AC falls back to the secondary server. To keep the
> databases (except the radacct table) synchronised I use MySQL
> replication. But I'm not sure which is the best way to replicate the
> accounting information: using radrelay or mysql-replication, too?

My last experience with MySQL master-master replication and FreeRADIUS was that mysql corrupted my radacct table within 24 hours. This was 4-5 years ago, however you have to understand the constraints of databases and the fact that sql replication is a "hard" problem. radrelay on the other hand is easy and works perfectly!

> Besides the man page for radrelay says "The functions of radrelay
> have been added to radiusd". I couldn't find any documentation about
> this feature. Any hints?
>
> regards,
> olaf

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RADIUS stops responding after a while
I've got strange behavior on my FR, need to find the way to prevent it, and find out what caused it.

I've just gone to my radius server and found out that it doesn't want to handle requests.... I restarted it in debug and it told me that SQL module is unknown... (was working fine for 1 month) I restarted again in debug and now it went OK and works fine, but this thing is not acceptable in the field...

So does anyone know what could cause such a behavior (not accepting requests, due to module malfunction) and more importantly is there any way to monitor the server functionality? Let's say something like send testing request each 30min or something and if server doesn't reply send email notification?

Thanks!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User in Multiple Groups
Someone posted that many readers of this list don't have HTML mail readers, so I cleaned up the spacing on the tables and am reposting this in text so all can read it.

Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

-- Original Message ---
From: "Scott Reed" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Thu, 6 Apr 2006 07:54:08 -0500
Subject: Re: User in Multiple Groups

> I did not usurp a thread, I reposted my own.
>
> I changed radcheck to have := instead of ==. No change.
>
> First query returns:
>
>   id | GroupName    | Attribute    | Value       | op
>   ---+--------------+--------------+-------------+----
>   28 | MS1-AP1      | Service-Type | Framed-User | ==
>   31 | Router-Admin | Service-Type | Login-User  | ==
>
> Second query returns:
>
>   id | GroupName    | Attribute      | Value | op
>   ---+--------------+----------------+-------+----
>   34 | Router-Admin | Mikrotik-Group | full  | =
>   39 | Router-Admin | Fall-Through   | Yes   | =
>   37 | MS1-AP1      | Fall-Through   | Yes   | =
>   33 | MS1-AP1      | Port-Limit     | 128k  | =
>
> I have a document from the FreeRadius WIKI (rlm_sql) that says, "Processing
> continues to the next group IF:
>   There was not a match for the last group's check items OR
>   Fall-Through was set in the last group's reply items."
>
> If the user logs into a router, the request is for Login-User and they should
> get the Router-Admin replies. If they log in to an AP, the request is
> Framed-User and they should get the AP replies.
>
> Scott Reed
> Owner
> NewWays
> Wireless Networking
> Network Design, Installation and Administration
> www.nwwnet.net
>
> -- Original Message ---
> From: Phil Mayers <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list
> Sent: Thu, 06 Apr 2006 13:22:39 +0100
> Subject: Re: User in Multiple Groups
>
> > Scott Reed wrote:
> > > I have searched the archive and came close to figuring this out, but I have not
> >
> > Don't start your query as part of another thread please.
> >
> > > Configuration tables:
> > >
> > > USERGROUP
> > >   80 sreed MS1-AP1
> > >   76 treed MS1-AP1
> > >   78 sreed Router-Admin
> > >   79 treed Router-Admin
> > >   81 dreed Router-Admin
> > >
> > > RADCHECK
> > >   331 dreed User-Password == password
> > >   269 treed User-Password == password
> > >   267 sreed User-Password == password
> >
> > This should be ":=" for User-Password. If the match is failing, that may
> > be the issue.
> >
> > > RADGROUPCHECK
> > >   31 Router-Admin Service-Type == Login-User
> > >   28 MS1-AP1 Service-Type == Framed-User
> > >
> > > RADREPLY
> > >   33 sreed Fall-Through = yes
> > >   43 treed Fall-Through = yes
> > >
> > > RADGROUPREPLY
> > >   33 MS1-AP1 Port-Limit = 128k 15
> > >   34 Router-Admin Mikrotik-Group = full 10
> > >   39 Router-Admin Fall-Through = Yes 10
> > >   37 MS1-AP1 Fall-Through = Yes 15
> >
> > I don't think Fall-Through does anything in rlm_sql. What are you
> > expecting it to do?
> >
> > > rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
> > >   Service-Type = Login-User
> > >   User-Name = "treed"
> > >   User-Password = "password"
> > >   Calling-Station-Id = "192.168.100.240"
> > >   NAS-Identifier = "HotSpot"
> > >   NAS-IP-Address = 192.168.100.13
> > > Processing the authorize section of radiusd.conf
> > > modcall: entering group authorize for request 1
> > >   modcall[authorize]: module "preprocess" returns ok for request 1
> > >   modcall[authorize]: module "chap" returns noop for request 1
> > >   modcall[authorize]: module "mschap" returns noop for request 1
> > >   rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
> > >   rlm_realm: No such realm "NULL"
> > >   modcall[authorize]: module "suffix" returns noop for request 1
> > > radius_xlat: 'treed'
> > > rlm_sql (sql): sql_set_user escaped user --> 'treed'
> > > rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> > > Username = 'treed' ORDER BY id
> > > rlm_sql_mysql: query: SELECT
> > > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> > > FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND
> > > usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
> >
> > What is the result of this query if you execute it directly against the
> > database?
> >
> > > rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> > > Username = 'treed' ORDER BY id
> > >
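The group walk described by the wiki text Scott quotes, run over the tables he posted, as an added Python example (editor's code; it models the rule as quoted, it is not rlm_sql's source). An in-memory SQLite database stands in for MySQL and the group-check query is the one from the debug output. Check-item semantics follow the two operators in the thread: `==` requires the request to carry that exact value, `:=` is an assignment (the "known good" User-Password Phil asks for) and never filters.

```python
import sqlite3

# Constructed from the tables posted in the thread (ids and values as posted).
USERGROUP = [(80, "sreed", "MS1-AP1"), (76, "treed", "MS1-AP1"),
             (78, "sreed", "Router-Admin"), (79, "treed", "Router-Admin"),
             (81, "dreed", "Router-Admin")]
RADGROUPCHECK = [(31, "Router-Admin", "Service-Type", "==", "Login-User"),
                 (28, "MS1-AP1", "Service-Type", "==", "Framed-User")]
RADGROUPREPLY = [(33, "MS1-AP1", "Port-Limit", "=", "128k"),
                 (34, "Router-Admin", "Mikrotik-Group", "=", "full"),
                 (39, "Router-Admin", "Fall-Through", "=", "Yes"),
                 (37, "MS1-AP1", "Fall-Through", "=", "Yes")]

# The group-check query as it appears in the posted debug output, parameterised.
GROUPCHECK_SQL = """SELECT radgroupcheck.id, radgroupcheck.GroupName,
  radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.op
  FROM radgroupcheck, usergroup
  WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
  ORDER BY radgroupcheck.id"""
GROUPREPLY_SQL = """SELECT id, GroupName, Attribute, Value, op FROM radgroupreply
  WHERE GroupName = ? ORDER BY id"""


def load_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE usergroup (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
      CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                  Attribute TEXT, op TEXT, Value TEXT);
      CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
                                  Attribute TEXT, op TEXT, Value TEXT);
    """)
    db.executemany("INSERT INTO usergroup VALUES (?,?,?)", USERGROUP)
    db.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?,?)", RADGROUPCHECK)
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?,?)", RADGROUPREPLY)
    return db


def check_matches(request, attribute, op, value):
    """'==' compares against the request; ':=' sets a control value and always matches."""
    if op == ":=":
        return True
    if op == "==":
        return request.get(attribute) == value
    raise ValueError("operator %r not modelled here" % op)


def process_groups(db, username, request):
    """Walk the user's groups in the order the radgroupcheck query returns them.
    Rule quoted from the wiki: go on to the next group if this group's check items
    did not match, or if they matched and its reply items set Fall-Through."""
    groups, order = {}, []
    for _id, group, attr, value, op in db.execute(GROUPCHECK_SQL, (username,)):
        if group not in groups:
            groups[group] = []
            order.append(group)
        groups[group].append((attr, op, value))
    reply = {}
    for group in order:
        if not all(check_matches(request, a, o, v) for a, o, v in groups[group]):
            continue                      # no match: next group
        fall_through = False
        for _id, _g, attr, value, op in db.execute(GROUPREPLY_SQL, (group,)):
            if attr == "Fall-Through":    # control item, not sent to the NAS
                fall_through = value.lower() == "yes"
                continue
            reply[attr] = value
        if not fall_through:
            break
    return reply


if __name__ == "__main__":
    db = load_db()
    for service in ("Login-User", "Framed-User"):
        print(service, process_groups(db, "treed", {"User-Name": "treed",
                                                    "Service-Type": service}))
```

Under the quoted rule a Login-User request from treed yields only the Router-Admin reply and a Framed-User request only the AP reply, which is what Scott expects. One thing the posted query itself shows, independent of the rule: it joins usergroup to radgroupcheck, so a group with no check items never comes back from the query and is never visited at all.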
Re: How to make FR reset the logs
Hello

Thank you all for your replies, I fixed my issue using some scripts that come with dialup_admin, /bin/ dir, it is working for now, thank you Guy Fraser.

My question now is, is it possible to send any attribute using dialup_admin to disconnect a user? I have some handmade bash scripts to do that but it would be great if it can be done with dialup_admin -> radius -> pppd/pppoe-servers

Thanks again

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql replication vs. radrelay
On Thu, 2006-06-04 at 23:01 +0200, Olaf Schäfer wrote:
> hello,
>
> I have a redundant radius server setup with two radius servers. On each
> of the servers freeradius 1.1.1 and mysql is running. If the primary
> server goes down the AC falls back to the secondary server. To keep the
> databases (except the radacct table) synchronised I use MySQL
> replication. But I'm not sure which is the best way to replicate the
> accounting information: using radrelay or mysql-replication, too?
>
> Besides the man page for radrelay says "The functions of radrelay
> have been added to radiusd". I couldn't find any documentation about
> this feature. Any hints?
>
> regards,
> olaf

There are many schools of thought on that. Some prefer SQL replication, others suggest it is better to build it into the management system. If you have lots of people managing the accounts you may need a different method than someone with only a few people maintaining accounts, since table locking and connection load balancing could become an issue. In some cases batch processing is acceptable, in other cases it can be detrimental.

Can you give us an idea about how many people will be changing user info and at what rate you would be expecting additions, modifications and removals? It would be helpful for those of us designing management systems, so we can test for possible conflicts and performance issues. I am not yet working on the SQL maintenance portion of my project but it would be helpful for me to have that information in order to do some preliminary planning. Some replication methods scale better than others, but have their own drawbacks and difficulties.

PS Have you had a chance to try my PHP radiusd.conf configuration parser?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to make FR reset the logs
On Thu, 2006-06-04 at 14:12 -0400, Dennis Skinner wrote:
> Guy Fraser wrote:
> > vacuum;
>
> This is not a MySQL command.
>
> You probably want to look at CHECK TABLE, REPAIR TABLE, and OPTIMIZE
> TABLE. But we are getting off topic here
>
> I will note that FreeRADIUS performance had significant improvements
> once the tables were changed to InnoDB from MyISAM, especially the
> radacct table as that fills up quick if you don't archive regularly.

I said:

"I don't use MySQL very often so do not know for sure if this would work, but here goes a simple example:

select * into radacct_old from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
delete from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
vacuum;

If you intend on using MySQL you will need to learn how to use it. There are many functions and some may help you do what you want."

I prefer PostgreSQL, which is SQL92 compliant and does support the SQL VACUUM command. MySQL database maintenance is of little interest to me, because I do not think it is good for anything but text and blob storage, and I don't need that very often. Since nobody else had attempted to answer the poster's question I suggested a possible method he could try, and suggested he learn how to maintain MySQL if he intends on using it.

I REALLY do NOT want to get into a flame war over the differences between MySQL and PostgreSQL. I based my sample on SQL standard commands hoping that MySQL would support them, but having suggested that they may not work without specifying why, may have left it open for interpretation. I am sure that for those who know MySQL well it works very well for them, but I don't care to spend the time learning how to do things the MySQL way. I have provided some assistance ensuring that the MySQL and PostgreSQL drivers had the same functionality, and have a MySQL db on the R&D machine for that purpose, but do not have any intention on using it for production.

The PostgreSQL db I use for my custom Cistron server has operated flawlessly and at high efficiency since it was installed over 5 years ago. Since the Software and Hardware are long in the tooth, I will be upgrading them in the near future. I have been helping with the development of FreeRadius for a couple years, in preparation for this long anticipated upgrade. Once I have a good Management interface I will upgrade. I have spent a few days building some functions and others have been spending considerable time on similar projects, and some of us have agreed to share our work in order to move this along, so I am hoping to have a new server in place by year's end.

Good luck, and have a great day.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Cisco-AVPair
On Thursday 06 April 2006 08:24, Antonio Matera wrote:
>

Please stop using HTML when posting your messages. You just might get a few more useful responses from people who don't bother to read html-only messages.

Kevin Bonner

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mysql replication vs. radrelay
hello, I have a redundant radius server setup with two radius servers. On each of the servers freeradius 1.1.1 and mysql is running. If the primary server goes down the AC falls back to the secondary server. To keep the databases (except the radacct table) synchronised I use MySQL replication. But I'm not sure which is the best way to replicate the accounting information: using radrelay or mysql-replication, too? Besides the man page for radrelay says "The functions of radrelay have been added to radiusd". I couldn't find any documentation about this feature. Any hints? regards, olaf -- Olaf Schäfer <[EMAIL PROTECTED]> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pre-proxy programme
Please, look at the fact that we speak about DOMAINS quota, but not users quota.

The roaming users are authenticated by the authserv of his domain (WISP). So, apart from the users quota (which doesn't affect us because the remote authserv does this work for us), there is a WISP quota, WISPs prepay to proxy a volume of resources, and we, the settlement part (proxy), must determine, before all, if we want to permit this authorization

[access WISP]--[PROXY]--[Home WISP] | (user from Home WISP)

From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: pre-proxy programme
Date: Thu, 06 Apr 2006 12:02:36 -0400

"Mark Supersonik" <[EMAIL PROTECTED]> wrote:
> How can we programme the pre-proxy stage of a freeRADIUS proxy PC in order
> to reject the request if the domain of the user doesn't have quota (in a
> proxy's MySQL database table) ?

Why are you doing this in the preproxy stage? Why not make the server avoid proxying completely if the user is over quota?

Look at the place in your configuration where it tells the server to proxy the request, and then add "AND the quota is OK".

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql-devel??
> In Debian etch the MySQL client headers are in package libmysqlclient15-dev.
>
> However as Peter said you should just install a binary version from
> Debian with apt-get.
> # apt-get install freeradius-mysql freeradius-dialupadmin
>
> If you really want to recompile FreeRADIUS yourself, search in the FAQ
> how to build a Debian package from sources.
>
> > and, by the way, how may I uninstall freeradius??
>
> Like any other Debian package:
> # apt-get remove freeradius
>
> --
> Nicolas Baradakis

Thanks so much Nicolas, but now I have a problem. I installed freeradius from sources, compiling it, and now I need to use mysql. I tested it in another PC, installing mysql first and then compiling freeradius, and it works great. But now, is there any way to uninstall freeradius (compiled from sources) to rebuild it to use mysql??

Thanks for your help

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ldap: object not found
Thanks Sayantan, it works!

Marc Delisle

Sayantan Bhowmick wrote:
> Hi,
>
> Change the filter configuration in the ldap section of radiusd.conf to the following:
>
> filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
>
> -Sayantan
>
> On Wed, Apr 5, 2006 at 1:53 am, in message <[EMAIL PROTECTED]>, Marc Delisle <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > thanks to those who answered me for my previous post. It turned out to be a certificate problem.
> >
> > Now, freeradius binds to LDAP on Netware, but does not find any object:
> >
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in o=college, with filter (uid=delislma)
> > rlm_ldap: object not found or got ambiguous search result
> > rlm_ldap: search failed
> >
> > Thanks,
> > Marc Delisle

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
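How the filter Sayantan gives gets expanded, as an added Python example (editor's code, not FreeRADIUS's xlat implementation). It handles the nested `%{Stripped-User-Name:-%{User-Name}}` form, i.e. use Stripped-User-Name if the realm module set it, otherwise fall back to the raw User-Name, and it escapes every substituted value per RFC 4515 before it lands inside the filter. That escaping is the part that matters for security: without it a User-Name such as `*)(uid=*` turns the lookup into a wildcard search instead of a search for one object. The `xlat` and `ldap_escape` names are this example's own.

```python
def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _find_close(template, start):
    """Index of the '}' closing a %{ that opened just before `start`, honouring nesting."""
    depth, i = 1, start
    while i < len(template):
        if template.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if template[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in xlat string")


def xlat(template, attrs, escape=ldap_escape):
    """Expand %{Attr} and %{Attr:-default} against a dict of request attributes.
    A present attribute is substituted (escaped); a missing one yields its default,
    itself expanded recursively, or the empty string if there is no default."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _find_close(template, i + 2)
            name, sep, default = template[i + 2:j].partition(":-")
            if name in attrs:
                out.append(escape(attrs[name]))
            elif sep:
                out.append(xlat(default, attrs, escape))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


FILTER = "(cn=%{Stripped-User-Name:-%{User-Name}})"   # the filter from the thread

if __name__ == "__main__":
    # Constructed requests: the one from Marc's debug output, then a hostile User-Name.
    print(xlat(FILTER, {"User-Name": "delislma"}))
    print(xlat(FILTER, {"User-Name": "*)(uid=*"}))
```

The second print shows `(cn=\2a\29\28uid=\2a)`: a literal search for that odd name, which finds nothing, rather than a filter the client never wrote. Note that the fallback only exists because `realm`/`suffix` run before `ldap` in authorize; when they find no `@` (as in Marc's log) Stripped-User-Name is never set and the raw User-Name is what reaches the filter.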
Re: mysql-devel??
> If you plan to use freeradius+mysql on debian I suggest you just install the
> packages that come with it. It's not really necessary to compile it
> yourself..

Thanks Peter, now my question is, I want to use it to add security to a wlan and use hostapd and the madwifi driver, so, is it not necessary to compile freeradius?? I use openssl to create certificates (use eap-peap). Second, do you know any way to uninstall freeradius in debian??

Thanks again.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to make FR reset the logs
Guy Fraser wrote: > vacuum; This is not a MySQL command. You probably want to look at CHECK TABLE, REPAIR TABLE, and OPTIMIZE TABLE. But we are getting off topic here I will note that FreeRADIUS performance had significant improvements once the tables were changed to InnoDB from MyISAM, especially the radacct table as that fills up quick if you don't archive regularly. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to make FR reset the logs
On Wed, 2006-05-04 at 22:06 +0300, Mordor Networks wrote:
> > Date: Wed, 05 Apr 2006 11:09:58 -0600
> > From: Guy Fraser <[EMAIL PROTECTED]>
> > Subject: Re: How to make FR reset the logs
> > To: freeradius-users@lists.freeradius.org
> >
> > On Wed, 2006-05-04 at 06:15 +0300, Mordor Networks wrote:
> > > hi
> > > Is it possible to make FR remove all monthly accounting logs from the
> > > database "mysql"?
> >
> > Yikes, why would you want to do that?
>
> Thanks for your reply. I have pppoe-server with FR and mysql and
> dialup_admin, and 600 users, so I have a lot of traffic and logs
> daily/monthly

I don't use MySQL very often so do not know for sure if this would work, but here goes a simple example:

select * into radacct_old from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
delete from radacct where AcctStopTime < '2006-04-01 00:00:00' ;
vacuum;

If you intend on using MySQL you will need to learn how to use it. There are many functions and some may help you do what you want.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
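The copy-then-delete Guy sketches, done so that it cannot lose accounting rows, as an added Python example (editor's code, not from the thread). An in-memory SQLite table stands in for the MySQL radacct; the two statements run in one transaction, the delete uses the very same predicate as the copy, and the transaction is rolled back unless the number of rows deleted equals the number copied. The predicate also skips sessions that have not stopped yet: those carry either a NULL AcctStopTime or, in schemas that use a zero-date sentinel instead, '0000-00-00 00:00:00', and a plain `AcctStopTime < cutoff` would sweep the sentinel rows into the archive while they are still live. Column names follow the radacct schema; the sample rows are constructed.

```python
import sqlite3

CREATE_SQL = """
CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT,
                      AcctStartTime TEXT, AcctStopTime TEXT, AcctSessionTime INTEGER);
CREATE TABLE radacct_old AS SELECT * FROM radacct WHERE 0;
"""
# Constructed rows: two old closed sessions, one recent one, two still open.
SAMPLE_ROWS = [
    (1, "alice", "2006-03-01 10:00:00", "2006-03-01 11:00:00", 3600),
    (2, "bob",   "2006-03-15 08:00:00", "2006-03-15 08:30:00", 1800),
    (3, "carol", "2006-04-02 09:00:00", "2006-04-02 09:45:00", 2700),
    (4, "dave",  "2006-03-20 12:00:00", None, None),                    # open, NULL stop
    (5, "erin",  "2006-03-21 12:00:00", "0000-00-00 00:00:00", None),   # open, zero sentinel
]

# One predicate shared by the copy and the delete so they cannot disagree.
CLOSED_BEFORE = ("AcctStopTime IS NOT NULL AND AcctStopTime <> '0000-00-00 00:00:00' "
                 "AND AcctStopTime < ?")


def load_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    db.executescript(CREATE_SQL)
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return db


def archive_radacct(db, cutoff):
    """Move closed sessions that stopped before `cutoff` into radacct_old.
    Returns the number of rows moved; on any mismatch nothing is committed."""
    db.execute("BEGIN IMMEDIATE")
    try:
        before = db.execute("SELECT COUNT(*) FROM radacct_old").fetchone()[0]
        db.execute("INSERT INTO radacct_old SELECT * FROM radacct WHERE " + CLOSED_BEFORE,
                   (cutoff,))
        copied = db.execute("SELECT COUNT(*) FROM radacct_old").fetchone()[0] - before
        deleted = db.execute("DELETE FROM radacct WHERE " + CLOSED_BEFORE, (cutoff,)).rowcount
        if copied != deleted:
            raise RuntimeError("copied %d rows but deleted %d" % (copied, deleted))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return copied


def session_counts(db):
    """(rows still in radacct, rows in radacct_old)."""
    live = db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    old = db.execute("SELECT COUNT(*) FROM radacct_old").fetchone()[0]
    return live, old


if __name__ == "__main__":
    db = load_db()
    print("moved", archive_radacct(db, "2006-04-01 00:00:00"), "rows;", session_counts(db))
```

On MySQL the same shape works with `INSERT INTO radacct_old SELECT ...` and `DELETE ...` between `START TRANSACTION` and `COMMIT` on an InnoDB table (Dennis's point about MyISAM applies here too: MyISAM has no transactions, so the rollback path does not exist), and `radacct_old` has to exist beforehand with matching columns.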
Re: pre-proxy programme
"Mark Supersonik" <[EMAIL PROTECTED]> wrote:
> How can we programme the pre-proxy stage of a freeRADIUS proxy PC in order
> to reject the request if the domain of the user doesn't have quota (in a
> proxy's MySQL database table) ?

Why are you doing this in the preproxy stage? Why not make the server avoid proxying completely if the user is over quota?

Look at the place in your configuration where it tells the server to proxy the request, and then add "AND the quota is OK".

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Termination when there is no traffic
Johnny <[EMAIL PROTECTED]> wrote:
> I've got a little problem with my radius server. I use it for
> dial-in accounts via ISDN. I've the problem that connections are
> terminated automatically when no traffic is on the line. The
> authentication works without problems, but I do not know which
> parameter I have to change so that connections won't be terminated
> automatically anymore. Could anyone help me with this? Thank you!

http://www.freeradius.org/rfc/attributes.html

See Idle-Timeout

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql-devel??
Pelusa Vali wrote: > i use debian etch and cann't find such package, may be it's not > necessary for debian or new mysql versions don't use it any more?? In Debian etch the MySQL client headers are in package libmysqlclient15-dev. However as Peter said you should just install a binary version from Debian with apt-get. # apt-get install freeradius-mysql freeradius-dialupadmin If you really want to recompile FreeRADIUS yourself, search in the FAQ how to build a Debian package from sources. > and, by the way, how may i uninstall freeradius?? Like any other Debian package: # apt-get remove freeradius -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius cannot find rlm_sql_postgresql driver!
Peter Nixon wrote: > > The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore > > Debian doesn't distribute a binary version of the PostgreSQL module. > > Since when is the BSD license incompatible with the GPL?? The old / original BSD license is not compatible. http://www.gnu.org/licenses/license-list.html#GPLIncompatibleLicenses -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can Juniper router or firewall configured on Free radius
On Thursday 06 April 2006 09:37, Venu Gopal wrote: > Thanks a lot for the reply, > i got this link for configuring radius, but wonder is > there any modification to be done apart from cisco > devices. I'm not sure what you mean. You have Cisco authenticating and want to have the same for Juniper? You probably need to define exactly what you are trying to accomplish and what you are working with. On the assumption that you have Cisco working and want Juniper, too: Decide what reply attributes you need and how you will differentiate the sources of the access request. Read about huntgroups. Or, you might include both Juniper and Cisco replies in the same users entry since the devices should ignore attributes they don't understand. I won't guarantee that will work as I've not done it myself. Zoltan Ori - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Compiling freeradius 1.1.1 in FreeBSD 6.0 with mysql support
On Wed, 2006-05-04 at 13:08 -0400, Alan DeKok wrote:
> "Mark Hennessy" <[EMAIL PROTECTED]> wrote:
> > I'm trying to build freeradius 1.1.1 on a FreeBSD 6.0 system with MySQL
> > 4.1.15
>
> Doesn't the ports system work?

That's exactly what I was thinking. The port was updated on Mar. 28

> > checking for mysql_init in -lmysqlclient_r (using mysql_config)... no
>
> See the config.log for details. Maybe libmysqlclient_r needs
> additional libraries for it to work.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius cannot find rlm_sql_postgresql driver!
--- Nicolas Baradakis <[EMAIL PROTECTED]> wrote: > lmyho wrote: > > > I am trying to test the freeradius to work with postgresql database. > > Just installed freeradius 1.1.0 on debian system via 'aptitude > > install' command of debian. > > > > [...] > > > > Error: rlm_sql (sql): Could not link driver rlm_sql_postgresql: > > rlm_sql_postgresql.so: cannot open shared object file: No such file or > > directory > > The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore > Debian doesn't distribute a binary version of the PostgreSQL module. > > You could build a Debian package from source with the tarball of > FreeRADIUS 1.1.1 from www.freeradius.org. The FAQ explains how > to do this: > > http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ Hi Nicolas, Thanks very much for telling me this! I built the pkgs from tarball-1.1.1... But I got tons of warnings in the building process, tons of them! Just list a few below. Just want to know: with so many warnings, do the pkgs I built still usable? Thanks a lot for advising!! 
Please see the list (only picked a few) below:

radius.c: In function 'make_secret':
radius.c:167: warning: pointer targets in passing argument 2 of 'librad_MD5Update' differ in signedness
radius.c: In function 'make_passwd':
radius.c:205: warning: pointer targets in passing argument 2 of 'librad_MD5Update' differ in signedness
radius.c: In function 'make_tunnel_passwd':
radius.c:294: warning: pointer targets in passing argument 2 of 'librad_MD5Update' differ in signedness
rlm_passwd.c: In function 'build_hash_table':
rlm_passwd.c:218: warning: pointer targets in passing argument 1 of 'hash' differ in signedness
rlm_passwd.c:232: warning: pointer targets in passing argument 1 of 'hash' differ in signedness
rlm_passwd.c: In function 'get_pw_nam':
rlm_passwd.c:299: warning: pointer targets in passing argument 1 of 'hash' differ in signedness
rlm_passwd.c: In function 'passwd_authorize':
rlm_passwd.c:536: warning: pointer targets in assignment differ in signedness
rlm_preprocess.c: In function 'cisco_vsa_hack':
rlm_preprocess.c:126: warning: pointer targets in passing argument 1 of '__builtin_strchr' differ in signedness
rlm_preprocess.c:144: warning: pointer targets in assignment differ in signedness
rlm_preprocess.c: In function 'rad_mangle':
rlm_preprocess.c:203: warning: pointer targets in passing argument 1 of '__builtin_strchr' differ in signedness
rlm_preprocess.c:206: warning: pointer targets in passing argument 1 of 'strcpy' differ in signedness
rlm_preprocess.c: In function 'huntgroup_access':
rlm_preprocess.c:375: warning: pointer targets in passing argument 1 of 'strNcpy' differ in signedness
rlm_preprocess.c:376: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
rlm_preprocess.c: In function 'add_nas_attr':
rlm_preprocess.c:404: warning: pointer targets in passing argument 1 of 'ip_hostname' differ in signedness
rlm_preprocess.c:425: warning: pointer targets in passing argument 1 of 'ip_hostname' differ in signedness
rlm_radutmp.c: In function 'radutmp_checksimul':
rlm_radutmp.c:658: warning: pointer targets in assignment differ in signedness
rlm_realm.c: In function 'check_for_realm':
rlm_realm.c:209: warning: pointer targets in passing argument 1 of 'strcpy' differ in signedness
rlm_sql.c: In function 'sql_groupcmp':
rlm_sql.c:564: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c:564: warning: pointer targets in passing argument 2 of '__builtin_strcmp' differ in signedness
rlm_sql.c: In function 'rlm_sql_authorize':
rlm_sql.c:824: warning: pointer targets in assignment differ in signedness
rlm_sql.c: In function 'rlm_sql_checksimul':
rlm_sql.c:1227: warning: pointer targets in assignment differ in signedness

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql-devel??
On Thu 06 Apr 2006 06:43, Pelusa Vali wrote:
> hi list, now i'd like to compile freeradius and later use dialup-admin, it
> needs mysql and in book RADIUS Jonathan Hassell says it's necessary have at
> least mysql-devel, but i use debian etch and can't find such package, may
> be it's not necessary for debian or new mysql versions don't use it any
> more?? and, by the way, how may i uninstall freeradius??
> thanks for your help.

If you plan to use freeradius+mysql on debian I suggest you just install the packages that come with it. It's not really necessary to compile it yourself..

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Freeradius cannot find rlm_sql_postgresql driver!
On Thu 06 Apr 2006 11:58, Nicolas Baradakis wrote:
> lmyho wrote:
> > I am trying to test the freeradius to work with postgresql database.
> > Just installed freeradius 1.1.0 on debian system via 'aptitude
> > install' command of debian.
> >
> > [...]
> >
> > Error: rlm_sql (sql): Could not link driver rlm_sql_postgresql:
> > rlm_sql_postgresql.so: cannot open shared object file: No such file or
> > directory
>
> The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore
> Debian doesn't distribute a binary version of the PostgreSQL module.

Since when is the BSD license incompatible with the GPL??

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Redundant ldap's bug?
Hi Alan,

I saw the code a little closer and I think it's not worthy to try to have one CA and two certificates for each server. The LDAP client only supports the data for one connection...

    static char *tls_opt_certfile = NULL;
    static char *tls_opt_keyfile = NULL;
    static char *tls_opt_dhfile = NULL;
    static char *tls_opt_cacertfile = NULL;
    static char *tls_opt_cacertdir = NULL;

What do you think?

Alan DeKok wrote:
> Paulo Cabrita <[EMAIL PROTECTED]> wrote:
> ...
> > See:
> > http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?rev=1.133&hideattic=1&sortbydate=0
> ...
> > static char *tls_opt_cacertfile = NULL;
> ...
>
> Yup. It's a bug in the OpenLDAP client library. They don't support
> multiple users of LDAP connections in the same program.
>
> I'll file a bug with the OpenLDAP project.
>
> Alan DeKok.

--
Sincerely,
|Paulo Cabrita, Msc|
|Director of the Computing Centre|
|of the Universidade Autónoma de Lisboa|
|Tel: +351-213177635|
|Fax: +351-213533702|
|E-mail: [EMAIL PROTECTED]|
Re: dialup admin & ippool administraton
We have developed a new sqlippool module which exclusively uses SQL (tested with PostgreSQL) and doesn't require configuration in radiusd.conf (at least no more than the existing sql module). We are currently load testing this for stability and will be rolling it into production tomorrow if all goes well. At that point we will also commit it to FR cvs.

I suggest you wait a few days before you do too much more coding :-)

Cheers
Peter

On Wed 29 Mar 2006 12:28, Olaf Schäfer wrote:
> > the sqlippool module in cvs does this..
>
> This module sounds interesting - something I haven't taken into my
> considerations: keeping the dynamic ippool data in the sql-db, too. And
> it's obvious to do it this way using a primary and a backup server.
>
> But the configuration information like "range-start" etc. is still
> stored in the radiusd.conf. My idea was to put this configuration
> information for each ippool into the mysql-db.
>
> Some background information for better understanding :) My task is to
> migrate from MS-IAS to freeradius. Thus people are used to doing
> administration tasks with a GUI. :) At least normal production
> administration tasks should be integrated within a GUI. Putting
> configuration information into a db would save the parsing and editing
> of the radius.conf by dialup-admin scripts.
>
> best regards,
> Olaf

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Problem with Cisco-AVPair
Hallo,
I tried with EAP-TLS and PEAP/MS-CHAPv2. With the last, I have this user:

    vlan3   Cisco-AVPair == "ssid=VLAN3", User-Password == "test"
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 3,
            Tunnel-Type = VLAN

If I insert the check == in the Cisco-AVPair attribute, I have this log:

    rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=240
            User-Name = "vlan3"
            Framed-MTU = 1400
            Called-Station-Id = "0012.dacb.8420"
            Calling-Station-Id = "000c.f135.f1ba"
            Cisco-AVPair = "ssid=VLAN3"
            Service-Type = Login-User
            Message-Authenticator = 0x57cbe83313e35c36a3878a5151361c44
            EAP-Message = 0x020900501900170301002029a86e41268c925e584b0924c058e045487523e0b2181541f520fe517e5fa67c1703010020ebe4e512af90e916f41fc666e138157bd279a6ed7f1ab44243f67e72d18ce012
            NAS-Port-Type = Wireless-802.11
            Cisco-NAS-Port = "260"
            NAS-Port = 260
            State = 0xbb09e1038e24af4dc9f4002adb7d6b0a
            NAS-IP-Address = 192.168.9.104
            NAS-Identifier = "ap"
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 8
    modcall[authorize]: module "preprocess" returns ok for request 8
    modcall[authorize]: module "mschap" returns noop for request 8
    rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 8
    rlm_eap: EAP packet type response id 9 length 80
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module "eap" returns updated for request 8
    users: Matched entry vlan3 at line 24
    modcall[authorize]: module "files" returns ok for request 8
    modcall: leaving group authorize (returns updated) for request 8
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 8
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/peap
    rlm_eap: processing type peap
    rlm_eap_peap: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
    rlm_eap_peap: EAPTLS_OK
    rlm_eap_peap: Session established. Decoding tunneled attributes.
    rlm_eap_peap: Received EAP-TLV response.
    rlm_eap_peap: Tunneled data is valid.
    rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
    rlm_eap: Handler failed in EAP/peap
    rlm_eap: Failed in EAP select
    modcall[authenticate]: module "eap" returns invalid for request 8
    modcall: leaving group authenticate (returns invalid) for request 8
    auth: Failed to validate the user.
    Login incorrect: [vlan3/] (from client ap-test port 260 cli 000c.f135.f1ba)
    Delaying request 8 for 1 seconds
    Finished request 8

The radius doesn't authenticate my user, but the SSID is correct!
I don't understand what is wrong.
Thanks a lot for your support...

Antonio

on 06/04/2006 14.59 Guy Davies said the following:
> I don't think you should be setting the Auth-Type. Just let FreeRADIUS
> work that out.
>
> What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If
> so, then you must have a User-Password == "foo" in your user database and
> you *must not* set Auth-Type := EAP.
>
> You should do as Sergio says and use == in your Cisco-AVPair check item.
> This is a comparison.
>
> Rgds,
> Guy
>
> On 06/04/06, Antonio Matera <[EMAIL PROTECTED]> wrote:
> > Hallo,
> > If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the
> > authentication fails with any ssid and user.
> > If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated.
> >
> > Is there any other configuration to set in the radius or in the access
> > point?
> >
> > In my access request there is the AVPair attribute:
> >
> > rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
> >         User-Name = "TEST4"
> >         Framed-MTU = 1400
> >         Called-Station-Id = "0012.dacb.8420"
> >         Calling-Station-Id = "000c.f135.f1ba"
> >         Cisco-AVPair = "ssid=VLAN3"
> >         Service-Type = Login-User
> >         Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
> >         EAP-Message = 0x020600060d00
> >         NAS-Port-Type = Wireless-802.11
> >         Cisco-NAS-Port = "260"
> >         NAS-Port = 260
> >         State = 0x0491685cf8ece3184d685dedfedbb3d4
> >         NAS-IP-Address = 192.168.9.104
> >         NAS-Identifier = "ap"
> >
> > but I don't understand if it works...
> >
> > Any idea?
> >
> > Thanks
> >
> > on 06/04/2006 11.39 Sergio Sagliocco said the following:
> > > Hi
> > > I think you have to try in this way (for example):
> > >
> > > TEST4   Cisco-AVPair == "ssid=SSID1" , Auth-Type := EAP
> > >         Tunnel-Medium-Type = IEEE-802,
> > >         Tunnel-Private-Group-Id = 2,
> > >         Tunnel-Type = VLAN
> > > DEFAULT Auth-Type := Reject
> > >
> > > if you want a password:
> > >
> > > TEST4   Cisco-AVPair == "ssid=SSID1" ,User-Password="", Auth-Type := EAP
> > >         Tunnel-Medium-Type = IEEE-802,
> > >         Tunnel-Private-Group-Id = 2,
> > >         Tunn
Re: Can Juniper router or firewall configured on Free radius
Thanks a lot for the reply, i got this link for configuring radius, but wonder is there any modification to be done apart from cisco devices.

Regards
Venu

--- "Zoltan A. Ori" <[EMAIL PROTECTED]> wrote:
> On Thursday 06 April 2006 06:56, Venu Gopal wrote:
> > Hi All,
> >
> > Can anyone help me, are juniper equipments configured
> > on free radius? If so please help me out with the server
> > side configuration of users on Redhat. If there are
> > any referral web links please do let me know.
> > A quick response in this regard would be highly
> > appreciated.
>
> Google 'Juniper radius configuration' or read the 'help topic system
> radius-server' from the router cli. Juniper specific attributes are listed
> there.
>
> On Juniper router:
>
>     [edit system]
>     radius-server server-address {
>         port number;
>         secret password;
>         retry number;
>         timeout seconds;
>     }
>
> On freeRADIUS make entries for the router as you would for any NAS in
> clients.conf and user using any of the applicable attributes.
>
> Zoltan Ori
Re: Problem with Cisco-AVPair
I don't think you should be setting the Auth-Type. Just let FreeRADIUS work that out.

What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password == "foo" in your user database and you *must not* set Auth-Type := EAP.

You should do as Sergio says and use == in your Cisco-AVPair check item. This is a comparison.

Rgds,
Guy

On 06/04/06, Antonio Matera <[EMAIL PROTECTED]> wrote:
> Hallo,
> If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the
> authentication fails with any ssid and user.
> If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated.
>
> Is there any other configuration to set in the radius or in the access
> point?
>
> In my access request there is the AVPair attribute:
>
> rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
>         User-Name = "TEST4"
>         Framed-MTU = 1400
>         Called-Station-Id = "0012.dacb.8420"
>         Calling-Station-Id = "000c.f135.f1ba"
>         Cisco-AVPair = "ssid=VLAN3"
>         Service-Type = Login-User
>         Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
>         EAP-Message = 0x020600060d00
>         NAS-Port-Type = Wireless-802.11
>         Cisco-NAS-Port = "260"
>         NAS-Port = 260
>         State = 0x0491685cf8ece3184d685dedfedbb3d4
>         NAS-IP-Address = 192.168.9.104
>         NAS-Identifier = "ap"
>
> but I don't understand if it works...
>
> Any idea?
>
> Thanks
>
> on 06/04/2006 11.39 Sergio Sagliocco said the following:
> > Hi
> > I think you have to try in this way (for example):
> >
> > TEST4   Cisco-AVPair == "ssid=SSID1" , Auth-Type := EAP
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = 2,
> >         Tunnel-Type = VLAN
> > DEFAULT Auth-Type := Reject
> >
> > if you want a password:
> >
> > TEST4   Cisco-AVPair == "ssid=SSID1" ,User-Password="", Auth-Type := EAP
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = 2,
> >         Tunnel-Type = VLAN
> > DEFAULT Auth-Type := Reject
> >
> > Regards
> > sergio
> >
> > Antonio Matera wrote:
> > > My goal is to authenticate users only if the SSID is right!
> > > You know how can I do it?
> > >
> > > Thanks
> > > Antonio
> > >
> > > on 05/04/2006 17.33 Sergio Sagliocco said the following:
> > > > Hello
> > > > your goal is to authenticate users only if the SSID is right or to have
> > > > different EAP Authentication method based on SSID?
> > > >
> > > > regards
> > > > sergio
> > > >
> > > > Antonio Matera wrote:
> > > > > Hallo,
> > > > > thanks for the answer.
> > > > >
> > > > > With your solution my radius doesn't authenticate my users
> > > > > Is my configuration correct or I need other change in my radius files?
> > > > >
> > > > > Thanks bye
> > > > >
> > > > > on 05/04/2006 15.27 Sergio Sagliocco said the following:
> > > > > > Hi
> > > > > > I think you have to use == instead of :=
> > > > > > For example:
> > > > > >
> > > > > > DEFAULT Cisco-AVPair == "ssid=testLEAP" , EAP-Type := Cisco-LEAP
> > > > > >
> > > > > > Regards
>
> --
> Antonio Matera
> CREATE-NET
> Via Solteri, 38 - 38100 Trento
> e-mail: [EMAIL PROTECTED]
> phone: +39 0461 408400 ext. 305
> fax: +39 0461 421157
> www.create-net.org
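Guy's point about the operators is the crux of this thread, so here is an added example (mine, not code from the thread or from FreeRADIUS) that models how the check-item operators of the users file behave: == compares the check value with the attribute in the Access-Request, while := installs a value without comparing anything, so an entry whose only check item is "Cisco-AVPair := ..." matches every request, which is the "always authenticated" behaviour Antonio reported. The entries and request dictionaries are constructed from the attributes posted in the thread; the model covers only ordinary attributes and deliberately leaves out the server's special handling of User-Password, Auth-Type and Fall-Through.

```python
"""Model of FreeRADIUS 'users' file check-item operator semantics.

Added example: a simplified re-implementation written for this thread,
not FreeRADIUS source. It ignores the User-Password / Auth-Type special
cases and Fall-Through. Entries and requests are constructed from the
attributes posted in the thread.
"""
import re
from dataclasses import dataclass, field

# attribute, operator (':=' is tried before '==' before '=' so the match is
# unambiguous), then a "quoted" value or a bare token up to comma/whitespace
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')


@dataclass
class Entry:
    name: str                                   # user name or DEFAULT
    check: list = field(default_factory=list)   # (attr, op, value) from the first line
    reply: list = field(default_factory=list)   # (attr, op, value) from indented lines


def parse_pairs(text):
    """Split 'A == "x", B := y' into (attr, op, value) tuples."""
    return [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
            for m in PAIR_RE.finditer(text)]


def parse_users(text):
    """users-file syntax: a non-indented line starts an entry and carries its
    check items; indented continuation lines carry the reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1].reply.extend(parse_pairs(line))
        else:
            name, _, rest = line.strip().partition(" ")
            entries.append(Entry(name, parse_pairs(rest)))
    return entries


def entry_matches(entry, request):
    """Only '==' is a comparison. ':=' (and '=') in a check item install a
    control value and can never reject the request, which is why a
    'Cisco-AVPair :=' check lets every SSID through."""
    for attr, op, value in entry.check:
        if op == "==" and request.get(attr) != value:
            return False
    return True


def authorize(entries, request):
    """Return (entry name, reply items) of the first entry whose name is the
    user's name or DEFAULT and whose check items match."""
    for entry in entries:
        if entry.name in (request.get("User-Name"), "DEFAULT") and entry_matches(entry, request):
            return entry.name, {attr: value for attr, _, value in entry.reply}
    return None, {}


# Constructed users file: 'vlan3' uses a real comparison, 'lax' shows the := mistake.
USERS = '''
vlan3   Cisco-AVPair == "ssid=VLAN3"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN
lax     Cisco-AVPair := "ssid=VLAN3"
        Tunnel-Private-Group-Id = 3
DEFAULT Auth-Type := Reject
'''

# Constructed requests modelled on the Access-Request posted in the thread.
REQ_GOOD_SSID = {"User-Name": "vlan3", "Cisco-AVPair": "ssid=VLAN3", "NAS-Identifier": "ap"}
REQ_WRONG_SSID = {"User-Name": "vlan3", "Cisco-AVPair": "ssid=OTHER", "NAS-Identifier": "ap"}
REQ_LAX = {"User-Name": "lax", "Cisco-AVPair": "ssid=OTHER", "NAS-Identifier": "ap"}

if __name__ == "__main__":
    entries = parse_users(USERS)
    for req in (REQ_GOOD_SSID, REQ_WRONG_SSID, REQ_LAX):
        print(req["User-Name"], req["Cisco-AVPair"], "->", authorize(entries, req))
```

Running it shows the vlan3 entry accepted only when the request carries ssid=VLAN3 (a wrong SSID falls through to the DEFAULT entry with Auth-Type := Reject), while the lax entry hands out its VLAN reply for any SSID at all.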
Re: User in Multiple Groups
I did not usurp a thread, I reposted my own.

I changed radcheck to have := instead of ==. No change.

First query returns:

    +----+--------------+--------------+-------------+----+
    | id | GroupName    | Attribute    | Value       | op |
    +----+--------------+--------------+-------------+----+
    | 28 | MS1-AP1      | Service-Type | Framed-User | == |
    | 31 | Router-Admin | Service-Type | Login-User  | == |
    +----+--------------+--------------+-------------+----+

Second query returns:

    +----+--------------+----------------+-------+----+
    | id | GroupName    | Attribute      | Value | op |
    +----+--------------+----------------+-------+----+
    | 34 | Router-Admin | Mikrotik-Group | full  | =  |
    | 39 | Router-Admin | Fall-Through   | Yes   | =  |
    | 37 | MS1-AP1      | Fall-Through   | Yes   | =  |
    | 33 | MS1-AP1      | Port-Limit     | 128k  | =  |
    +----+--------------+----------------+-------+----+

I have a document from the FreeRadius WIKI (rlm_sql) that says, "Processing continues to the next group IF: There was not a match for the last group's check items OR Fall-Through was set in the last group's reply items."

If the user logs into a router, the request is for Login-User and they should get the Router-Admin replies. If they log in to an AP, the request is Framed-User and they should get the AP replies.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

-- Original Message ---
From: Phil Mayers <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Thu, 06 Apr 2006 13:22:39 +0100
Subject: Re: User in Multiple Groups

> Scott Reed wrote:
> > I have searched the archive and came close to figuring this out, but I have not
>
> Don't start your query as part of another thread please.
>
> > Configuration tables:
> > 1 USERGROUP
> > 2 80 sreed MS1-AP1
> > 3 76 treed MS1-AP1
> > 4 78 sreed Router-Admin
> > 5 79 treed Router-Admin
> > 6 81 dreed Router-Admin
> > 7
> > 8 RADCHECK
> > 9 331 dreed User-Password == password
> > 10 269 treed User-Password == password
> > 11 267 sreed User-Password == password
>
> This should be ":=" for User-Password. If the match is failing, that may
> be the issue.
>
> > 12
> > 13 RADGROUPCHECK
> > 14 31 Router-Admin Service-Type == Login-User
> > 15 28 MS1-AP1 Service-Type == Framed-User
> > 16
> > 17 RADREPLY
> > 18 33 sreed Fall-Through = yes
> > 19 43 treed Fall-Through = yes
> > 20
> > 21 RADGROUPREPLY
> > 22 33 MS1-AP1 Port-Limit = 128k 15
> > 23 34 Router-Admin Mikrotik-Group = full 10
> > 24 39 Router-Admin Fall-Through = Yes 10
> > 25 37 MS1-AP1 Fall-Through = Yes 15
>
> I don't think Fall-Through does anything in rlm_sql. What are you
> expecting it to do?
>
> > rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
> >         Service-Type = Login-User
> >         User-Name = "treed"
> >         User-Password = "password"
> >         Calling-Station-Id = "192.168.100.240"
> >         NAS-Identifier = "HotSpot"
> >         NAS-IP-Address = 192.168.100.13
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 1
> > modcall[authorize]: module "preprocess" returns ok for request 1
> > modcall[authorize]: module "chap" returns noop for request 1
> > modcall[authorize]: module "mschap" returns noop for request 1
> > rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 1
> > radius_xlat: 'treed'
> > rlm_sql (sql): sql_set_user escaped user --> 'treed'
> > rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> > Username = 'treed' ORDER BY id
> > rlm_sql_mysql: query: SELECT
> > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> > FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND
> > usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>
> What is the result of this query if you execute it directly against the
> database?
>
> > rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> > Username = 'treed' ORDER BY id
> > rlm_sql_mysql: query: SELECT
> > radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribu
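To make the wiki rule Scott quotes concrete, here is an added example (written for this reply, not rlm_sql's own code) that walks the groups in the order the group-check query returns them and applies exactly that rule: move on to the next group when its check items did not match, or when a matched group's reply items carried Fall-Through, and stop otherwise. The rows are copied from the two query results above, the request is built from the treed Access-Request in the trace, and the extra "Everyone" group is invented here only to show where Fall-Through changes the outcome.

```python
"""Model of rlm_sql group processing as described by the quoted wiki text.

Added example, not rlm_sql source. It implements only the quoted rule:
continue to the next group if the check items did not match OR
Fall-Through was set in the matched group's reply items. Rows are copied
from the query output in the thread; the 'Everyone' group is invented.
"""
from collections import defaultdict

# radgroupcheck rows as the first query returned them (ORDER BY id)
RADGROUPCHECK = [
    {"id": 28, "GroupName": "MS1-AP1",      "Attribute": "Service-Type", "Value": "Framed-User", "op": "=="},
    {"id": 31, "GroupName": "Router-Admin", "Attribute": "Service-Type", "Value": "Login-User",  "op": "=="},
]

# radgroupreply rows as the second query returned them (ORDER BY prio)
RADGROUPREPLY = [
    {"id": 34, "GroupName": "Router-Admin", "Attribute": "Mikrotik-Group", "Value": "full", "op": "="},
    {"id": 39, "GroupName": "Router-Admin", "Attribute": "Fall-Through",   "Value": "Yes",  "op": "="},
    {"id": 37, "GroupName": "MS1-AP1",      "Attribute": "Fall-Through",   "Value": "Yes",  "op": "="},
    {"id": 33, "GroupName": "MS1-AP1",      "Attribute": "Port-Limit",     "Value": "128k", "op": "="},
]

# Invented third group (not in Scott's tables): matches on NAS-Identifier only.
EXTRA_CHECK = [{"id": 99, "GroupName": "Everyone", "Attribute": "NAS-Identifier", "Value": "HotSpot", "op": "=="}]
EXTRA_REPLY = [{"id": 98, "GroupName": "Everyone", "Attribute": "Session-Timeout", "Value": "3600", "op": "="}]

# Request attributes taken from the treed Access-Request in the trace,
# plus a constructed Framed-User variant for the AP case.
REQ_LOGIN = {"User-Name": "treed", "Service-Type": "Login-User",
             "NAS-Identifier": "HotSpot", "NAS-IP-Address": "192.168.100.13"}
REQ_FRAMED = {**REQ_LOGIN, "Service-Type": "Framed-User"}


def check_matches(request, row):
    """'==' is a comparison against the request; other check operators
    install control values and are not compared in this model."""
    if row["op"] == "==":
        return request.get(row["Attribute"]) == row["Value"]
    return True


def group_authorize(request, groupcheck_rows, groupreply_rows):
    """Return (matched group names, merged reply items)."""
    order, checks, replies = [], defaultdict(list), defaultdict(list)
    for row in groupcheck_rows:               # group order = order of the check query
        if row["GroupName"] not in order:
            order.append(row["GroupName"])
        checks[row["GroupName"]].append(row)
    for row in groupreply_rows:               # reply rows keep the query's prio order
        replies[row["GroupName"]].append(row)

    matched, reply = [], {}
    for group in order:
        if not all(check_matches(request, row) for row in checks[group]):
            continue                          # rule part 1: no match -> next group
        matched.append(group)
        fall_through = False
        for row in replies[group]:
            if row["Attribute"] == "Fall-Through":
                fall_through = row["Value"].lower() == "yes"
            else:
                reply.setdefault(row["Attribute"], row["Value"])   # '=' adds only if absent
        if not fall_through:
            break                             # rule part 2: matched, no Fall-Through -> stop
    return matched, reply


def demo():
    """Four scenarios, returned so they can be checked rather than only printed."""
    without_ft = [r for r in RADGROUPREPLY
                  if not (r["GroupName"] == "Router-Admin" and r["Attribute"] == "Fall-Through")]
    return {
        "login":  group_authorize(REQ_LOGIN,  RADGROUPCHECK, RADGROUPREPLY),
        "framed": group_authorize(REQ_FRAMED, RADGROUPCHECK, RADGROUPREPLY),
        "login_with_everyone":  group_authorize(REQ_LOGIN, RADGROUPCHECK + EXTRA_CHECK, RADGROUPREPLY + EXTRA_REPLY),
        "login_no_fallthrough": group_authorize(REQ_LOGIN, RADGROUPCHECK + EXTRA_CHECK, without_ft + EXTRA_REPLY),
    }


if __name__ == "__main__":
    for name, (groups, reply) in demo().items():
        print(f"{name:22} groups={groups} reply={reply}")
```

Under the quoted rule the Login-User request skips MS1-AP1 (its check fails) and collects the Router-Admin replies, and the Framed-User request does the mirror image; Fall-Through only matters once a matched group is followed by another group that would also match, which the invented Everyone group makes visible.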
Re: Can Juniper router or firewall configured on Free radius
On Thursday 06 April 2006 06:56, Venu Gopal wrote:
> Hi All,
>
> Can anyone help me, are juniper equipments configured
> on free radius? If so please help me out with the server
> side configuration of users on Redhat. If there are
> any referral web links please do let me know.
> A quick response in this regard would be highly
> appreciated.

Google 'Juniper radius configuration' or read the 'help topic system radius-server' from the router cli. Juniper specific attributes are listed there.

On Juniper router:

    [edit system]
    radius-server server-address {
        port number;
        secret password;
        retry number;
        timeout seconds;
    }

On freeRADIUS make entries for the router as you would for any NAS in clients.conf and user using any of the applicable attributes.

Zoltan Ori
Re: Problem with Cisco-AVPair
Hallo,
If I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any ssid and user.
If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated.

Is there any other configuration to set in the radius or in the access point?

In my access request there is the AVPair attribute:

    rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
            User-Name = "TEST4"
            Framed-MTU = 1400
            Called-Station-Id = "0012.dacb.8420"
            Calling-Station-Id = "000c.f135.f1ba"
            Cisco-AVPair = "ssid=VLAN3"
            Service-Type = Login-User
            Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
            EAP-Message = 0x020600060d00
            NAS-Port-Type = Wireless-802.11
            Cisco-NAS-Port = "260"
            NAS-Port = 260
            State = 0x0491685cf8ece3184d685dedfedbb3d4
            NAS-IP-Address = 192.168.9.104
            NAS-Identifier = "ap"

but I don't understand if it works...

Any idea?

Thanks

on 06/04/2006 11.39 Sergio Sagliocco said the following:
> Hi
> I think you have to try in this way (for example):
>
> TEST4   Cisco-AVPair == "ssid=SSID1" , Auth-Type := EAP
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2,
>         Tunnel-Type = VLAN
> DEFAULT Auth-Type := Reject
>
> if you want a password:
>
> TEST4   Cisco-AVPair == "ssid=SSID1" ,User-Password="", Auth-Type := EAP
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2,
>         Tunnel-Type = VLAN
> DEFAULT Auth-Type := Reject
>
> Regards
> sergio
>
> Antonio Matera wrote:
> > My goal is to authenticate users only if the SSID is right!
> > You know how can I do it?
> >
> > Thanks
> > Antonio
> >
> > on 05/04/2006 17.33 Sergio Sagliocco said the following:
> > > Hello
> > > your goal is to authenticate users only if the SSID is right or to have
> > > different EAP Authentication method based on SSID?
> > >
> > > regards
> > > sergio
> > >
> > > Antonio Matera wrote:
> > > > Hallo,
> > > > thanks for the answer.
> > > >
> > > > With your solution my radius doesn't authenticate my users
> > > > Is my configuration correct or I need other change in my radius files?
> > > >
> > > > Thanks bye
> > > >
> > > > on 05/04/2006 15.27 Sergio Sagliocco said the following:
> > > > > Hi
> > > > > I think you have to use == instead of :=
> > > > > For example:
> > > > >
> > > > > DEFAULT Cisco-AVPair == "ssid=testLEAP" , EAP-Type := Cisco-LEAP
> > > > >
> > > > > Regards

--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
e-mail: [EMAIL PROTECTED]
phone: +39 0461 408400 ext. 305
fax: +39 0461 421157
www.create-net.org
Re: User in Multiple Groups
Scott Reed wrote:
> I have searched the archive and came close to figuring this out, but I have not

Don't start your query as part of another thread please.

> Configuration tables:
> 1 USERGROUP
> 2 80 sreed MS1-AP1
> 3 76 treed MS1-AP1
> 4 78 sreed Router-Admin
> 5 79 treed Router-Admin
> 6 81 dreed Router-Admin
> 7
> 8 RADCHECK
> 9 331 dreed User-Password == password
> 10 269 treed User-Password == password
> 11 267 sreed User-Password == password

This should be ":=" for User-Password. If the match is failing, that may be the issue.

> 12
> 13 RADGROUPCHECK
> 14 31 Router-Admin Service-Type == Login-User
> 15 28 MS1-AP1 Service-Type == Framed-User
> 16
> 17 RADREPLY
> 18 33 sreed Fall-Through = yes
> 19 43 treed Fall-Through = yes
> 20
> 21 RADGROUPREPLY
> 22 33 MS1-AP1 Port-Limit = 128k 15
> 23 34 Router-Admin Mikrotik-Group = full 10
> 24 39 Router-Admin Fall-Through = Yes 10
> 25 37 MS1-AP1 Fall-Through = Yes 15

I don't think Fall-Through does anything in rlm_sql. What are you expecting it to do?

> rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
>         Service-Type = Login-User
>         User-Name = "treed"
>         User-Password = "password"
>         Calling-Station-Id = "192.168.100.240"
>         NAS-Identifier = "HotSpot"
>         NAS-IP-Address = 192.168.100.13
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 1
> radius_xlat: 'treed'
> rlm_sql (sql): sql_set_user escaped user --> 'treed'
> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
> rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

What is the result of this query if you execute it directly against the database?

> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
> rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio

Again, what does this query give against the database?

> rlm_sql (sql): No matching entry in the database for request from user [treed]

This error code is returned if the check items don't match the request.

Possibly take a look in:

    src/modules/rlm_sql/rlm_sql.c

...around line 860 (depending on the version you're running) and uncomment these lines:

    /*
     * Uncomment these lines for debugging
     * Recompile, and run 'radiusd -X'
     */
    /*
    DEBUG2("rlm_sql: check items");
    vp_listdebug(check_tmp);
    DEBUG2("rlm_sql: reply items");
    vp_listdebug(reply_tmp);
    */

...then recompile and run again.
Re: Termination when there is no traffic
On Thursday 06 April 2006 04:29, Johnny wrote:
> I do not know which parameter I have to change so
> that connections won't be terminated automatically anymore.

That's a function of the NAS and/or the user's PC. Read NAS docs on session timeout value.

Zoltan Ori
Can Juniper router or firewall configured on Free radius
Hi All,

Can anyone help me, are juniper equipments configured on free radius? If so please help me out with the server side configuration of users on Redhat. If there are any referral web links please do let me know. A quick response in this regard would be highly appreciated.

Regards
Venugopal
Re: User in Multiple Groups
Surely someone has users in multiple groups and can tell me how to make that work.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

-- Original Message ---
From: "Scott Reed" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Wed, 5 Apr 2006 07:25:29 -0500
Subject: User in Multiple Groups

> I have searched the archive and came close to figuring this out, but I have not been able to get a user to exist in 2 groups and have each authenticate. I have one set of systems that need Login-User and then reply with one set of responses and another set that need Framed-User and reply with a different set of responses.
> I have both groups working if I have the user in just one group. If the user is in 2 groups, one group works and the other Rejects. What is wrong with my configuration?
>
> There is an accounting request packet in the trace below that shows that sreed is logged into one of the Framed-User devices. Then there is the packet from treed trying to log into a Login-User device.
>
> Configuration tables:
> 1 USERGROUP
> 2 80 sreed MS1-AP1
> 3 76 treed MS1-AP1
> 4 78 sreed Router-Admin
> 5 79 treed Router-Admin
> 6 81 dreed Router-Admin
> 7
> 8 RADCHECK
> 9 331 dreed User-Password == password
> 10 269 treed User-Password == password
> 11 267 sreed User-Password == password
> 12
> 13 RADGROUPCHECK
> 14 31 Router-Admin Service-Type == Login-User
> 15 28 MS1-AP1 Service-Type == Framed-User
> 16
> 17 RADREPLY
> 18 33 sreed Fall-Through = yes
> 19 43 treed Fall-Through = yes
> 20
> 21 RADGROUPREPLY
> 22 33 MS1-AP1 Port-Limit = 128k 15
> 23 34 Router-Admin Mikrotik-Group = full 10
> 24 39 Router-Admin Fall-Through = Yes 10
> 25 37 MS1-AP1 Fall-Through = Yes 15
>
> Debug trace:
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> rlm_sql (sql): - generate_sql_clients
> rlm_sql (sql): Query: SELECT * FROM nas
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql_mysql: query: SELECT * FROM nas
> rlm_sql (sql): Read entry nasname=nwnr0004.nwadmin.net,shortname=nwnr0004,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.2.49.5 (nwnr0004) to clients list
> rlm_sql (sql): Read entry nasname=nwnr0003.nwadmin.net,shortname=nwnr0003,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.2.49.4 (nwnr0003) to clients list
> rlm_sql (sql): Read entry nasname=nwnr0002.nwadmin.net,shortname=nwnr0002,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.0.1.4 (nwnr0002) to clients list
> rlm_sql (sql): Read entry nasname=hotspot.nwwhome.net,shortname=hotspot,secret=testing123
> rlm_sql (sql): Adding client 192.168.100.13 (hotspot) to clients list
> rlm_sql (sql): Read entry nasname=nwnr0001.nwadmin.net,shortname=nwnr0001,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.0.0.1 (nwnr0001) to clients list
> rlm_sql (sql): Released sql socket id: 4
> Module: Instantiated sql (sql)
> Module: Loaded Acct-Unique-Session-Id
>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded System
>  unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow = "/etc/shadow"
>  unix: group = "(null)"
>  unix: radwtmp = "/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded radutmp
>  radutmp: filename = "/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: case_sensitive = yes
>  radutmp: check_with_nas = yes
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Mo
pre-proxy programme
I know, I know, I'm very tedious.

How can we programme the pre-proxy stage of a freeRADIUS proxy PC in order to reject the request if the domain of the user doesn't have quota (in a proxy's MySQL database table)?

I've been looking for the answer for two days:

a) rlm_exec module in a pre-proxy stage returning "exit 1" if a local MySQL query doesn't return positive quota.
   --> PROBLEM: No way of returning a REPLY-Message with the termination cause

b) our own module rlm_X from rlm_example
   -->> PROBLEM: return to my C acknowledgements and back to compiling, buff ...

c) Trying to do in some way a mapping between a realm and 2 authservs (1 is local mysql) and get the authentication from an AND function of both answers.

Isn't there a better solution?

Please help us, we can't find much clear information about freeradius, neither in the Wiki!
Re: Problem with Cisco-AVPair
Hi
I think you have to try in this way (for example):

    TEST4   Cisco-AVPair == "ssid=SSID1" , Auth-Type := EAP
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN
    DEFAULT Auth-Type := Reject

if you want a password:

    TEST4   Cisco-AVPair == "ssid=SSID1" ,User-Password="", Auth-Type := EAP
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN
    DEFAULT Auth-Type := Reject

Regards
sergio

Antonio Matera wrote:
> My goal is to authenticate users only if the SSID is right!
> You know how can I do it?
>
> Thanks
> Antonio
>
> on 05/04/2006 17.33 Sergio Sagliocco said the following:
>> Hello
>> your goal is to authenticate users only if the SSID is right or to have
>> different EAP Authentication method based on SSID?
>>
>> regards
>> sergio
>>
>>
>> Antonio Matera wrote:
>>
>>> Hallo,
>>> thanks for the answer.
>>>
>>> With your solution my radius doesn't authenticate my users
>>> Is my configuration correct or I need other change in my radius files?
>>>
>>> Thanks bye
>>>
>>> on 05/04/2006 15.27 Sergio Sagliocco said the following:
>>>> Hi
>>>> I think you have to use == instead of :=
>>>> For example:
>>>>
>>>> DEFAULT Cisco-AVPair == "ssid=testLEAP" , EAP-Type := Cisco-LEAP
>>>>
>>>> Regards

--
Sergio SAGLIOCCO
SecureLAB - http://www.securelab.it
CSP s.c. a r.l. - http://www.csp.it
__
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078
fax +39 011 481 5001
__
Re: Compiling freeradius 1.1.1 in FreeBSD 6.0 with mysql support
Mark Hennessy wrote:
> checking for mysql_init in -lmysqlclient_r (using mysql_config)... no
> checking for mysql_init in -lmysqlclient_r... no

FreeRADIUS requires the thread-safe version of the MySQL client library, unless you configure it with the option --without-threads.

> It's not seeing mysql libraries, but they do indeed exist:
> # ls -al /usr/local/mysql/lib/mysql
> total 1974
> drwxr-xr-x  2 root  wheel     512 Apr  5 10:39 .
> drwxr-xr-x  3 root  wheel     512 Apr  5 10:39 ..
> -rw-r--r--  1 root  wheel   14446 Apr  5 10:39 libdbug.a
> -rw-r--r--  1 root  wheel   41928 Apr  5 10:39 libheap.a
> -rw-r--r--  1 root  wheel   13640 Apr  5 10:39 libmerge.a
> -rw-r--r--  1 root  wheel  331488 Apr  5 10:39 libmyisam.a
> -rw-r--r--  1 root  wheel   24934 Apr  5 10:39 libmyisammrg.a
> -rw-r--r--  1 root  wheel  472466 Apr  5 10:39 libmysqlclient.a
> -rwxr-xr-x  1 root  wheel     871 Apr  5 10:39 libmysqlclient.la
> lrwxr-xr-x  1 root  wheel      20 Apr  5 10:39 libmysqlclient.so -> libmysqlclient.so.14
> -rwxr-xr-x  1 root  wheel  387482 Apr  5 10:39 libmysqlclient.so.14
> -rw-r--r--  1 root  wheel  237570 Apr  5 10:39 libmystrings.a
> -rw-r--r--  1 root  wheel  253852 Apr  5 10:39 libmysys.a
> -rw-r--r--  1 root  wheel  105640 Apr  5 10:39 libnisam.a
> -rw-r--r--  1 root  wheel    5472 Apr  5 10:39 libvio.a

I don't see the file "libmysqlclient_r.so" in your setup. Re-install MySQL with thread support, or configure FreeRADIUS without thread support.

--
Nicolas Baradakis
Re: Freeradius cannot find rlm_sql_postgresql driver!
lmyho wrote:
> I am trying to get freeradius to work with a postgresql database.
> Just installed freeradius 1.1.0 on a debian system via the 'aptitude
> install' command of debian.
>
> [...]
>
> Error: rlm_sql (sql): Could not link driver rlm_sql_postgresql:
> rlm_sql_postgresql.so: cannot open shared object file: No such file or
> directory

The licenses of PostgreSQL and FreeRADIUS are incompatible, therefore Debian doesn't distribute a binary version of the PostgreSQL module.

You could build a Debian package from source with the tarball of FreeRADIUS 1.1.1 from www.freeradius.org. The FAQ explains how to do this:
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ

--
Nicolas Baradakis
Re: Redundant ldap's bug?
Thanks Alan. Nevertheless, I will try the solution of one CA for the two servers; if it's the same, it will probably work. I will post the result later.

Cheers.

Alan DeKok wrote:
> Paulo Cabrita <[EMAIL PROTECTED]> wrote:
> ...
> See:
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?rev=1.133&hideattic=1&sortbydate=0
> ...
> static char *tls_opt_cacertfile = NULL;
> ...
>
> Yup. It's a bug in the OpenLDAP client library. They don't support multiple users of LDAP connections in the same program.
>
> I'll file a bug with the OpenLDAP project.
>
> Alan DeKok.

--
Sincerely,
Paulo Cabrita, MSc
Director of the Centro de Informática
of the Universidade Autónoma de Lisboa
Tel: +351-213177635
Fax: +351-213533702
E-mail: [EMAIL PROTECTED]
Termination when there is no traffic
Hi there,

I've got a little problem with my radius server. I use it for dial-in accounts via ISDN. I have the problem that connections are terminated automatically when there is no traffic on the line. The authentication works without problems, but I do not know which parameter I have to change so that connections won't be terminated automatically anymore. Could anyone help me with this?

Thank you!

Regards,
John