RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, Michael
 Sent: 11 April 2006 16:34
 To: FreeRadius users mailing list
 Subject: RE: How do I set up simple AD integration?
 
 
 You would still need with_ntdomain_hack = yes
 
 But that isn't your actual problem.
 
 It never called ntlm_auth
 

I'd seen that. What I was trying to do (unsuccessfully 'cos I'm ignorant) was 
to try to find out what triggers ntlm_auth to run. Is there something in 
another file that sets this up?

Steve.

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


different gateway for different users

2006-04-12 Thread Felice.pizzurro
Hi,

I have freeradius AAA server with mysql.

I have 3 gateways; is it possible to assign (statically at this time) a different
gateway to different users?

thanks,
Felice
-- 
Computers are like air conditioners: they stop work properly when you open
Windows...

 


Accessing REQUEST structure data outside FreeRADIUS module

2006-04-12 Thread Nicolas Castel
Hello and thanks for replies

I'm using FreeRADIUS v1.1.0. I'm developing some modules and I try to
access auth_req structure (REQUEST) data from an external function (out of
my module) and it fails. All works fine when accessing this data from the
module itself but when I call an external function with the address of
REQUEST, it doesn't work.

Code which works

/***/
static int wcp_lt_vms_authorize(void *pt_instance, REQUEST *pt_request) {

  VALUE_PAIR *lpt_value_pair = NULL;
  ...
  /* Look up User-Name in the attribute list of the request packet */
  if ((lpt_value_pair = pairfind(pt_request->packet->vps, PW_USER_NAME)) == NULL) {
    WCP_DEBUG("User-Name not found !");
  } else {
    WCP_DEBUG("RADIUS attribute name %s, value: [%s]",
              lpt_value_pair->name,
              lpt_value_pair->strvalue);
  }
  ...
}
/***/

This works fine when the server receives a request

Tue Apr 11 16:05:03 2006 :  wcp_lt_vms_authorize: RADIUS attribute name User-Name, value:  [330001]

The problem comes when doing the same thing but by calling a function.

/***/
static int wcp_lt_vms_authorize(void *pt_instance, REQUEST *pt_request) {
  ...
  lib_com_filter_traffic(pt_request);
  ...
}
/***/
and in another file, lib_com.c

int lib_com_filter_traffic(REQUEST *pt_request) {

  VALUE_PAIR *lpt_value_pair = NULL;
  ...
  /* Same lookup as above, but reached through the REQUEST pointer passed in */
  if ((lpt_value_pair = pairfind(pt_request->packet->vps, PW_USER_NAME)) == NULL) {
    WCP_DEBUG("User-Name not found !");
  } else {
    WCP_DEBUG("RADIUS attribute name %s, value: [%s]",
              lpt_value_pair->name,
              lpt_value_pair->strvalue);
  }
}
/***/
This doesn't work. When receiving one request, FreeRADIUS takes a lot of
processor time and then the server crashes.

Tue Apr 11 17:00:30 2006 : Error:  WARNING: Unresponsive child (id 3) for request 0

I don't understand why all works when accessing REQUEST data inside the
module and not in the lib function. It's like the lib can't access this
memory.
Any help would be appreciated.



RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: Stephen Walsh [mailto:[EMAIL PROTECTED]
 Sent: 12 April 2006 00:41
 To: Burton, Steven
 Subject: Re: How do I set up simple AD integration?
 
 
 
 
 
 
 Hi Steve
 
 I've just completed an AD implementation of FreeRadius across two AD
 domains, One AD2003 in Native mode, and one AD2000 in mixed mode. If you'd
 like any hints or tips, feel free to email me and I'll do what I can to
 help.
 
 Stephen Walsh
 [EMAIL PROTECTED]


Stephen,

thanks for your kind offer of help. 

What I'm trying to achieve is to get 802.1x authentication working with 
FreeRadius passing off authentication to a Win2003 (Win 2000 mixed mode, soon 
to be 2003 native) DC.
When the user tried to connect to the network I can see his domain\username in 
the output of radiusd -A -X which (I think) suggests that the supplicant and 
client are setup correctly. There seems to be no attempt by the RADIUS server 
to contact a DC. I don't want to take too much of your time but would it be 
possible for you to send me any (suitably sanitized) configuration files you 
have customized ?

If this is unacceptable I'll send you details of what I've done so far.

Steve.



Check DN in rlm_perl

2006-04-12 Thread Michal Prochazka

Hi,

I'm using Freeradius 1.1.0. Is there some possibility to check the DN of
the client certificate within the rlm_perl module when using EAP-TLS? I don't
want to allow access to all users which have the right certificate. I'd like to
check the DN by the perl script towards the file which contains allowed DNs.


Thanks for suggestions.

Regards,

Michal

--
Michal Prochazka // [EMAIL PROTECTED]

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ



Re: Help, Chap problem

2006-04-12 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

Hello:

I have this problem, I get this message in the log:

Tue Apr 11 14:43:18 2006 : Auth: Login incorrect (rlm_chap: Clear text password not available): [adexus/CHAP-Password] (from client 3com port 268443649 cli 0010-a484-6e7a)

I set the users file as follows:

adexus   Auth-Type := CHAP,   User-Password == adexus


Why do so many people do this?

 1. Don't set Auth-Type, the server will set it if you've configured it correctly

 2. Set User-Password with :=

username User-Password := string
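
Why rlm_chap reports "Clear text password not available": a CHAP response is an MD5 over the CHAP identifier, the password and the challenge (RFC 1994, carried in RADIUS as CHAP-Password per RFC 2865), so the server can only recompute it when it holds the password itself. The Python sketch below is an added illustration, not part of the original thread and not FreeRADIUS code; the user store, the function names and the `hashonly` entry are constructed for the example.

```python
import hashlib
import hmac


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: digest of identifier byte + secret + challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def make_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: 1 identifier byte + 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


# Constructed user store (hypothetical layout, not a FreeRADIUS data structure).
# "adexus" has a clear-text password; "hashonly" stands in for any backend
# that keeps only a one-way hash of the password.
USERS = {
    "adexus": {"cleartext": b"adexus"},
    "hashonly": {"hashed": hashlib.sha256(b"adexus").hexdigest()},
}


def verify_chap(user: str, chap_password: bytes, challenge: bytes, users=USERS) -> str:
    """Check a CHAP-Password value the way a CHAP verifier has to."""
    entry = users.get(user)
    if entry is None:
        return "reject: unknown user"
    if len(chap_password) != 17:
        return "reject: malformed CHAP-Password"
    if "cleartext" not in entry:
        # A stored hash cannot be fed into MD5(id + password + challenge):
        # the verifier needs the password bytes themselves.
        return "reject: clear text password not available"
    chap_id, received = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, entry["cleartext"], challenge)
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(expected, received):
        return "accept"
    return "reject: wrong password"


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed 16-byte challenge
    attr = make_chap_password(7, b"adexus", challenge)
    for name in ("adexus", "hashonly"):
        print(name, "->", verify_chap(name, attr, challenge))
```
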




Re: Accessing REQUEST structure data outside FreeRADIUS module

2006-04-12 Thread Joe Maimon



Nicolas Castel wrote:


Hello and thanks for replies

I'm using FreeRADIUS v1.1.0. I'm developing some modules and I try to
access auth_req structure (REQUEST) data from an external function (out of
my module) and it fails. All works fine when accessing this data from the
module itself but when I call an external function with the address of
REQUEST, it doesn't work.

and in another file, lib_com.c


What happens when your external function is in the same file as your 
module function?




RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
 Sent: 11 April 2006 16:28
 To: FreeRadius users mailing list
 Subject: Re: How do I set up simple AD integration? 
 
 
 Burton, Steven [EMAIL PROTECTED] wrote:
  This stanza is a enclosed with the mschap section, still nothing ventured
  I changed the line and unfolded it and ran radiusd -X. The first
  request didn't match anything useful and was rejected by System. I
  tried again but ticked the box 'CHAP' on NTRadPing and got the
  output:
 
   You can't do CHAP to MS AD.  It's impossible.
 
   Alan DeKok.

My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
I still hope to get 802.1x working with FR before I'm told to stop wasting time 
and buy something :-) but after two and a half days (on and off) I'm no closer.

Steve.



Re: How do I set up simple AD integration?

2006-04-12 Thread Josh Howlett

Burton, Steven wrote:



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: 11 April 2006 16:28
To: FreeRadius users mailing list
Subject: Re: How do I set up simple AD integration? 



Burton, Steven [EMAIL PROTECTED] wrote:
This stanza is a enclosed with the mschap section, still nothing ventured
I changed the line and unfolded it and ran radiusd -X. The first
request didn't match anything useful and was rejected by System. I
tried again but ticked the box 'CHAP' on NTRadPing and got the
output:

  You can't do CHAP to MS AD.  It's impossible.

  Alan DeKok.


My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
I still hope to get 802.1x working with FR before I'm told to stop wasting time 
and buy something :-) but after two and a half days (on and off) I'm no closer.


Steve,

I strongly suggest you start off doing PEAP against the 'users' file, 
and once that's working get the domain stuff working.


It sounds to me like you're trying to do too much at once, and too many 
things are broken for you to know where to start!


Once you've got PEAP working against the 'users' file, create a machine 
account in the AD for the RADIUS server (using the Samba tools) and then 
use the ntlm_auth program (that comes with Samba) to test standard 
authentication.


Once you've got that far, it's just a matter of configuring FreeRADIUS 
to use ntlm_auth. But you can worry about that later :-)


This isn't difficult, it's largely a matter of making sure you do the 
right steps in the right order...


best regards, josh.


Re: Accessing REQUEST structure data outside FreeRADIUS module

2006-04-12 Thread Nicolas Castel
2006/4/12, Joe Maimon [EMAIL PROTECTED]:


 Nicolas Castel wrote:

  Hello and thanks for replies
 
  I'm using FreeRADIUS v1.1.0. I'm developing some modules and I try to
  access auth_req structure (REQUEST) data from an external function (out of
  my module) and it fails. All works fine when accessing this data from the
  module itself but when I call an external function with the address of
  REQUEST, it doesn't work.

  and in another file, lib_com.c

 What happens when your external function is in the same file as your
 module function?



Thanks for responding,

When I put the function in the module all works fine too.

I tried to access directly the packet field of the REQUEST structure
in the function in my library and it works in this case.

int lib_com_filter_traffic_bis(RADIUS_PACKET *pt_packet) {

  VALUE_PAIR *lpt_value_pair = NULL;

  /* Same lookup, but the caller passes the RADIUS_PACKET directly */
  if ((lpt_value_pair = pairfind(pt_packet->vps, PW_USER_NAME)) == NULL) {
    WCP_DEBUG("User-Name not found !");
  } else {
    WCP_DEBUG("RADIUS attribute name %s, value: [%s]",
              lpt_value_pair->name,
              lpt_value_pair->strvalue);
  }
}

So, with the RADIUS_PACKET passed in parameter, it works fine, so why
does it not work with the REQUEST parameter ? Have you any idea ? Is
REQUEST address protected or else ??? I think about static function
...

Thanks



Re: Accessing REQUEST structure data outside FreeRADIUS module

2006-04-12 Thread Joe Maimon



Nicolas Castel wrote:


2006/4/12, Joe Maimon [EMAIL PROTECTED]:



Nicolas Castel wrote:



Hello and thanks for replies

I'm using FreeRADIUS v1.1.0. I'm developing some modules and I try to
access auth_req structure (REQUEST) data from an external function (out of
my module) and it fails. All works fine when accessing this data from the
module itself but when I call an external function with the address of
REQUEST, it doesn't work.

and in another file, lib_com.c


What happens when your external function is in the same file as your
module function?





Thanks for responding,

When I put the function in the module all works fine too.


Let me rewrite that:

When you put the function into the same c language file as the rest of
the module functions, all works fine.

If that is correct, then I would suggest you are having an include file
problem and/or a linking problem.

If I am correct, there isn't much I can do without seeing your code other
than suggest you duplicate what you do for the file that works and/or
you examine other successfully built modules with multiple files and
their build process.


Of course, I could be very wide off the mark here.




Re: WiFi Mac address authentication

2006-04-12 Thread brainstorm
Solved the problem a couple of weeks ago... the error was actually in
eap.conf, the following two attributes were required when the MAC
check was active:

peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no

I set them both to yes and it worked !

Thanks for your support.


 Hmm. I still say you need to read and understand the docs, but try this:

  passwd MAC-IP {
 filename = ${raddbdir}/MAC-IP
 format = *Calling-Station-Id:
 delimiter = :
  }

 (...)

 authorize {
  preprocess
  MAC-IP {
  # If the MAC isn't in the file, the modules returns notfound
  # in that case, exit authorize with reject immediately
  notfound = reject
  }
  files
  eap
 }

 That is, have no authtype on the passwd module. If that doesn't work,
 you may try something like:

  passwd MAC-IP {
 filename = ${raddbdir}/MAC-IP
 format = *Calling-Station-Id:~Group
 delimiter = :
  }

 (...)

 authorize {
  preprocess
  MAC-IP
  files
  eap
 }

 /etc/raddb/MAC-IP:

 00-11-22-33-44-55:FAKEGROUP
 aa-bb-cc-dd-ee-ff:FAKEGROUP

 /etc/raddb/users:

The DEFAULT Group is no longer necessary to make it work.

 DEFAULT Group !* ANY, Auth-Type := Reject

 user1 NT-Password := abcdefg...

 user2 NT-Password := abcdefg...


RE: How do I set up simple AD integration?

2006-04-12 Thread Stephen Walsh
n DeKok.

--

Message: 4
Date: Tue, 11 Apr 2006 20:57:53 -0700 (PDT)
From: radhika putty [EMAIL PROTECTED]
Subject: Regarding VLAN
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset="iso-8859-1"

Hi

I tried sending tunneling attributes from Radius server and it shows sending
those tunneling attributes.. But the access point doesn't seem to understand it
anyway. I had configured both the access point and the switch for this.. What
can be the problem

--

Message: 5
Date: Wed, 12 Apr 2006 00:05:52 -0500
From: Josh Restivo [EMAIL PROTECTED]
Subject: pam_radius_auth token user
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset="us-ascii"

This question appears in various forums time and time again though I've yet to
discover a solution for it under linux. It *must* be a common issue

The need exists to map users who are successfully authenticated via
pam_radius_auth and who do not have a local account to a default 'token
user'. FreeBSD's radius/pam module has a simple and obvious 'template_user'
directive that suits this precise purpose well. Linux pam_radius_auth lacks
this feature.

Deploying centralized authentication only to require that all other user info
be manually configured on each and every device anyway doesn't make any
sense. Nor should it involve a full-blown and often unwieldy NIS (or similar)
infrastructure to function.

Surely I'm overlooking something.

RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Josh Howlett
 Sent: 12 April 2006 11:48
 To: FreeRadius users mailing list
 Subject: Re: How do I set up simple AD integration?
 
 
 Burton, Steven wrote:
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
  Sent: 11 April 2006 16:28
  To: FreeRadius users mailing list
  Subject: Re: How do I set up simple AD integration? 
 
 
  Burton, Steven [EMAIL PROTECTED] wrote:
  This stanza is a enclosed with the mschap section, still nothing ventured
  I changed the line and unfolded it and ran radiusd -X. The first
  request didn't match anything useful and was rejected by System. I
  tried again but ticked the box 'CHAP' on NTRadPing and got the
  output:
 
    You can't do CHAP to MS AD.  It's impossible.
 
    Alan DeKok.
  
  My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
  I still hope to get 802.1x working with FR before I'm told to stop wasting
  time and buy something :-) but after two and a half days (on and off) I'm no
  closer.
 
 Steve,
 
 I strongly suggest you start off doing PEAP against the 'users' file, 
 and once that's working get the domain stuff working.
 
 It sounds to me like you're trying to do too much at once, and too many
 things are broken for you to know where to start!
 
 Once you've got PEAP working against the 'users' file, create a machine
 account in the AD for the RADIUS server (using the Samba tools) and then
 use the ntlm_auth program (that comes with Samba) to test standard
 authentication.
 
 Once you've got that far, it's just a matter of configuring FreeRADIUS
 to use ntlm_auth. But you can worry about that later :-)
 
 This isn't difficult, it's largely a matter of making sure you do the 
 right steps in the right order...
 
 best regards, josh.
 
Well, IT'S WORKING!! Thank you all for your help, advice and support.

Alas, I didn't backup the files last night so I'm not sure exactly what I did 
to make it work but I can now see it authenticating and then the connection is 
made. I have set it to put user names in the log and I hope to have it write 
accounting logs soon.

More worryingly, I'm seeing this error message in radiusd.log:

Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)

AFAIK there is no certificate A on the client (or supplicant) so the error 
message is probably correct but is it a problem in security terms?



Re: How do I set up simple AD integration?

2006-04-12 Thread Phil Mayers

Burton, Steven wrote:


AFAIK there is no certificate A on the client (or supplicant) so the
error message is probably correct but is it a problem in security
terms?


No. It's an OpenSSL-ism. Ignore it.


RE: How do I set up simple AD integration?

2006-04-12 Thread King, Michael
 
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)

AFAIK there is no certificate A on the client (or supplicant) so the
error message is probably correct but is it a problem in security terms?



The Semi-Official answer (from Alan) is to just ignore it.




Re: mysql replication vs. radrelay

2006-04-12 Thread Guy Fraser
On Fri, 2006-07-04 at 10:12 +0200, Olaf Schäfer wrote:

 Not yet! That's what I'm looking for. I've already started to do
 something in this direction regarding ip-pools. Where can I find your
 parser?
 
 regards,
 Olaf
The quick site I set up hosting the files is at:

http://sphinx.incentre.net/radius.html

Let me know what you think.



Question

2006-04-12 Thread Chad Stanphill



I have been running Freeradius for a while but it can only use CHAP and
for some reason I can not get PAP to work.
I have the config set to the basic on most things.
Can anyone help me figure out if I am missing something
Thanks

Re: Question

2006-04-12 Thread Josh Howlett

Chad Stanphill wrote:
I have been running Freeradius for a while but It can only use CHAP and 
for some reason I can not get PAP to work.

I have the config set to the basic on most things.
Can anyone help me figure out if I am missing something
Thanks


Please run freeradius in debug mode (radiusd -X) and post the output.

best regards, josh.


Re: Question

2006-04-12 Thread Chad Stanphill
Thanks for the reply

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = clear
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{Stripped-User-Name:-%{User-Name}}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.




This is what I get when I do PAP
rad_recv: Access-Request packet from host 63.137.246.178:3980, id=1,
length=53
User-Name = chadstanphill
User-Password = test
  Processing the authorize section of radiusd.conf
modcall: 

Freeradius, mysql, please help!!!

2006-04-12 Thread YvesDM
Hi,

I'm getting desperate here.
I've been trying for a week now to make freeradius work with mysql.
Can someone please help me out here?
Tnx!

some info:
debian
compiled freeradius 1.1.1 with mysql

Radius is working fine, I get an Access-Accept packet when I radtest a user from the users file

radius:/var/log/radius# radtest yves test localhost 1812 testing123
Sending Access-Request of id 213 to 127.0.0.1 port 1812
User-Name = yves
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=213, length=20
radius:/var/log/radius#

I've created some test users in the mysql database as well (sorry for layout, pasting from the shell)

mysql connect radius
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Connection id:  61
Current database: radius

mysql select * from usergroup;
+--+---+--+
| UserName | GroupName | priority |
+--+---+--+
| | general  |1 |
| steve  | general  |1 |
| maureen | general  |1 |
| john   | general  |1 |
+--+---+--+
4 rows in set (0.00 sec)

mysql select * from radcheck;
++--+---+++
| id | UserName | Attribute   | op | Value   |
++--+---+++
| 1 | steve  | User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
| 2 | maureen | User-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
| 3 | john   | User-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
++--+---+++
3 rows in set (0.00 sec)

Though when I try to authenticate john (or another user from the db),
I get a reject packet and I don't know why!

radius:/var/log/radius# radtest john test localhost 1812 testing123
Sending Access-Request of id 240 to 127.0.0.1 port 1812
User-Name = john
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Re-sending Access-Request of id 240 to 127.0.0.1 port 1812
User-Name = john
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240, length=20
radius:/var/log/radius#

Debug output:

radius:/usr/local/dialup_admin/conf# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config:  including file: /usr/local/etc/raddb/proxy.conf
Config:  including file: /usr/local/etc/raddb/clients.conf
Config:  including file: /usr/local/etc/raddb/snmp.conf
Config:  including file: /usr/local/etc/raddb/eap.conf
Config:  including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: 

Re: Freeradius, mysql, please help!!!

2006-04-12 Thread Alan DeKok
YvesDM [EMAIL PROTECTED] wrote:
 mysql select * from radcheck;
 ++--+---+++
 | id | UserName | Attribute | op | Value  |
 ++--+---+++
 |  1 | steve| User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |

  These are *not* clear-text passwords.  They're encrypted
passwords. Change the attribute name to Crypt-Password, and it should
work.

  Alan DeKok.
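
The mismatch described in the reply above (crypt(3) hashes stored under User-Password) can be checked for mechanically. This is an added example, not part of the original post and not FreeRADIUS code; the function names are assumptions, rows 1 to 3 are the radcheck rows posted in this thread, and the `alice` row is constructed.

```python
import re

# Modular-crypt-format patterns. $1$ (md5-crypt) is the scheme seen in the thread.
CRYPT_SCHEMES = [
    ("md5-crypt", re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("sha256-crypt",
     re.compile(r"^\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43}$")),
    ("sha512-crypt",
     re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}$")),
]

# Traditional DES crypt is 13 characters with no prefix. A 13-character
# clear-text password looks the same, so this pattern is only used to accept
# Crypt-Password values, never to flag User-Password values.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(value):
    """Return the crypt(3) scheme name for a stored value, or None."""
    for name, pattern in CRYPT_SCHEMES:
        if pattern.match(value):
            return name
    return None


def parse_radcheck(text):
    """Parse rows from pasted `select * from radcheck` output."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not cells[0].isdigit():
            continue  # border, header, or "N rows in set" line
        rows.append(dict(zip(("id", "user", "attribute", "op", "value"), cells)))
    return rows


def audit(rows):
    """Return (user, finding) pairs where attribute name and value disagree."""
    findings = []
    for row in rows:
        scheme = classify(row["value"])
        if row["attribute"] == "User-Password" and scheme:
            findings.append(
                (row["user"],
                 f"{scheme} hash stored as User-Password; use Crypt-Password"))
        elif (row["attribute"] == "Crypt-Password" and not scheme
              and not DES_CRYPT.match(row["value"])):
            findings.append(
                (row["user"],
                 "Crypt-Password value is not a recognised crypt(3) hash"))
    return findings


# Rows 1-3 are from the thread; row 4 (alice) is constructed to show the
# opposite mistake (clear text stored under Crypt-Password).
SAMPLE = """\
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  1 | steve    | User-Password  | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
|  2 | maureen  | Crypt-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
|  3 | john     | Crypt-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
|  4 | alice    | Crypt-Password | := | test                               |
+----+----------+----------------+----+------------------------------------+
4 rows in set (0.00 sec)
"""

if __name__ == "__main__":
    for user, finding in audit(parse_radcheck(SAMPLE)):
        print(f"{user}: {finding}")
```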



Re: Question

2006-04-12 Thread A . L . M . Buxey
Hi,

 modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type System
 auth: type System

try removing the default System authentication method from your
users file. 

alan


Re: Freeradius, mysql, please help!!!

2006-04-12 Thread A . L . M . Buxey
Hi,

 I've created some testusers in de mysql database as well (sorry for layout,
 pasting from the shell)
 mysql select * from radcheck;
 ++--+---+++
 | id | UserName | Attribute | op | Value  |
 ++--+---+++
 |  1 | steve| User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
 |  2 | maureen  | User-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
 |  3 | john | User-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
 ++--+---+++
 
 Though when i try to authenticate john (or other from de db),
 i get a reject packet and i don't know why!
 
 radius:/var/log/radius# radtest john test localhost 1812 testing123
 Sending Access-Request of id 240 to 127.0.0.1 port 1812
 User-Name = john
 User-Password = test
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 1812
 Re-sending Access-Request of id 240 to 127.0.0.1 port 1812
 User-Name = john
 User-Password = test
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 1812
 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240, length=20
 radius:/var/log/radius#

ummm. I'm not too certain here but wasn't the password you defined in the
mySQL database for john $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/
if this is a crypted password then surely the attribute is Crypt-Password
rather than User-Password?

alan


Re: Accessing REQUEST structure data outside FreeRADIUS module

2006-04-12 Thread Alan DeKok
Nicolas Castel [EMAIL PROTECTED] wrote:
 I'm using FreeRADIUS v1.1.0. I'm developing some modules and I try to
 access auth_req structure (REQUEST) data from an  external function (out of
 my module) and it fails. All works fine when  accessing this data from the
 module itself but when i call an external  function with the address of
 REQUEST, it doesn't work.

  It's possible.  Lots and lots of modules do it.

  The problem is most likely that you're passing different
compile-time flags to the different C files.  As a result, the magic
entry at the top of the REQUEST structure is used in one C file, but
not in another.  There is no such magic in the RADIUS_PACKET
structure, so that always works.

  The solution is to build your module either as you're building the
server, or pass -DNDEBUG as an option to the compiler.

  Alan DeKok.


Re: Check DN in rlm_perl

2006-04-12 Thread Alan DeKok
Michal Prochazka [EMAIL PROTECTED] wrote:
 I'm using Freeradius 1.1.0. Is there some possibility to check the DN of 
 client certificate within rlm_perl module when using EAP-TLS?

  No.  The certificate is not stored in a place that's accessible by
the Perl module.

  The solution would be to patch the source.

  Alan DeKok.



Re: How do I set up simple AD integration?

2006-04-12 Thread Alan DeKok
Josh Howlett [EMAIL PROTECTED] wrote:
 It sounds to me like you're trying to do too much at once, and too many 
 things are broken for you to know where to start!

  I really can't emphasize that enough.  Many problems are caused by
people trying to do everything at once.

  Alan DeKok.



Re: FreeRADIUS and SNMP

2006-04-12 Thread Alan DeKok
DESETech - German P. Santillan [EMAIL PROTECTED] wrote:
 But... I can't obtain a valid response for OID 1.3.6.1.4.1.3317

  Run the server in debugging mode as suggested in the README, FAQ,
INSTALL, and daily on this list.

  Alan DeKok.



Re: Freeradius, mysql, please help!!!

2006-04-12 Thread YvesDM
On 4/12/06, Alan DeKok [EMAIL PROTECTED] wrote:

 YvesDM [EMAIL PROTECTED] wrote:
  mysql select * from radcheck;
  ++--+---+++
  | id | UserName | Attribute | op | Value|
  ++--+---+++
  |1 | steve| User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |

 These are *not* clear-text passwords. They're encrypted
 passwords. Change the attribute name to Crypt-Password, and it should
 work.

 Alan DeKok.

Tnx for the reply, but it didn't solve my problem.

mysql select * from radcheck;
++--++++
| id | UserName | Attribute | op | Value |
++--++++
| 1 | steve | User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
| 2 | maureen | Crypt-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
| 3 | john | Crypt-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
++--++++
3 rows in set (0.00 sec)

mysql quit
Bye
radius:/usr/local/etc/raddb# radtest john test localhost 1812 testing123
Sending Access-Request of id 213 to 127.0.0.1 port 1812
User-Name = john
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Re-sending Access-Request of id 213 to 127.0.0.1 port 1812
User-Name = john
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=213, length=20
radius:/usr/local/etc/raddb# radtest maureen test localhost 1812 testing123
Sending Access-Request of id 219 to 127.0.0.1 port 1812
User-Name = maureen
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Re-sending Access-Request of id 219 to 127.0.0.1 port 1812
User-Name = maureen
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=219, length=20
radius:/usr/local/etc/raddb#

Any other suggestions?

Yves

Re: Question

2006-04-12 Thread Alan DeKok
Chad Stanphill [EMAIL PROTECTED] wrote:
 users: Matched entry DEFAULT at line 154
 users: Matched entry chadstanphill at line 217
   modcall[authorize]: module files returns ok for request 0

  Is the user's password defined in line 217?

   rad_check_password:  Found Auth-Type System
 auth: type System
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
   modcall[authenticate]: module unix returns notfound for request 0

  OK, what part of that is unclear?

  It looks like line 154 of the users file sets Auth-Type to System,
and you later try to give the user a clear-text password.

  If you don't want to authenticate against /etc/password, don't set
Auth-Type to System.

  Alan DeKok.



Re: Freeradius, mysql, please help!!!

2006-04-12 Thread YvesDM
On 4/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Hi,

 ummm. I'm not too certain here but wasn't the password you defined in the
 mySQL database for john $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/
 if this is a crypted password then surely the attribute is Crypt-Password
 rather than User-Password?

 alan

Correct, alan DeKok told me too. I changed it, but it didn't solve the problem.

tnx
yves


Re: Question

2006-04-12 Thread YvesDM
On 4/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Hi,

  modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
  auth: type System

 try removing the default System authentication method from your
 users file.

 alan

Working now!

I changed system to radius in the users file and now it's working.

# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = Radius
Fall-Through = 1

Many tnx
Yves

Re: Freeradius, mysql, please help!!!

2006-04-12 Thread Laker Netman
--- YvesDM [EMAIL PROTECTED] wrote:

 On 4/12/06, Alan DeKok [EMAIL PROTECTED] wrote:
 
  YvesDM [EMAIL PROTECTED] wrote:
   mysql select * from radcheck;
   ++--+---+++
   | id | UserName | Attribute | op | Value  |
   ++--+---+++
   |  1 | steve| User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
 
  These are *not* clear-text passwords.  They're encrypted
  passwords. Change the attribute name to Crypt-Password, and it should
  work.
 
  Alan DeKok.
 
 Tnx for the reply, but it didn't solve my problem.
 
 mysql select * from radcheck;
 ++--++++
 | id | UserName | Attribute  | op | Value |
 ++--++++
 |  1 | steve| User-Password  | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
 |  2 | maureen  | Crypt-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
 |  3 | john | Crypt-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
 ++--++++
 3 rows in set (0.00 sec)
 
 mysql quit
 Bye
 radius:/usr/local/etc/raddb# radtest john test localhost 1812 testing123
 Sending Access-Request of id 213 to 127.0.0.1 port 1812
 User-Name = john
 User-Password = test
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 1812
 Re-sending Access-Request of id 213 to 127.0.0.1 port 1812
 User-Name = john
 User-Password = test
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 1812
 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=213, length=20
 radius:/usr/local/etc/raddb# radtest maureen test localhost 1812 testing123
 Sending Access-Request of id 219 to 127.0.0.1 port 1812
 User-Name = maureen
 User-Password = test
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 1812
 Re-sending Access-Request of id 219 to 127.0.0.1 port 1812
 User-Name = maureen
 User-Password = test
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 1812
 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=219, length=20
 radius:/usr/local/etc/raddb#
 
 Any other suggestions?
 
 Yves

Try switching everything back to clear text, with
User-Password attribute and *clear text passwords* and
see if anybody can auth that way.

Laker




Multiple Locations and configuring 2 different methods of Access

2006-04-12 Thread James

Hello,

I am running freeradius 1.0.5 on FC4 i386

My end-users right now are getting authenticated by the login-based
mysql radcheck table from freeradius and they are coming from multiple
locations through a web-based portal redirected by their gateway.

My question is, if there is a way to setup freeradius for example: to
allow for 3 locations to login through the login based authentication
(the way it is setup right now) and at the same time grant 2 other
locations access without the need of using login based authentication, I
know there is an option to allow access without authentication, but to my
understanding this is global for all locations, I am looking for a way
to allow access without authentication for a specific location and at the
same time not interfere with the locations that are using login-based
authentication.

Is this possible? If so, where can I get more documentation on this
topic and where can I see an actual configuration example of this type
of setup?

If this is not possible out of the box, where can I get documentation
on a work around or similar solutions?


Thank you in advance for all your help,


James




Re: FreeRADIUS and SNMP

2006-04-12 Thread Kevin Bonner
On Wednesday 12 April 2006 10:48, DESETech - German P. Santillan wrote:
 But... I can't obtain a valid response for OID 1.3.6.1.4.1.3317

The OIDs you want to query are:

radiusAuthServ 1.3.6.1.2.1.67.1.1.1.1.*  (or mib-2.67.1.1.1.1.*)
radiusAccServ 1.3.6.1.2.1.67.2.1.1.1.* (or mib-2.67.2.1.1.1.*)

Loading the MIBS from the mibs/ directory in the FR source will allow you to 
query the actual names instead of OIDs.

Kevin Bonner



FreeRADIUS 1.1.1 Segmentation fault on Fedora 4

2006-04-12 Thread Nikolas Thoman
I am running FreeRADIUS 1.1.1 on a Fedora Core 4 server (kernel 2.6.11-1.1369_FC4smp) to authenticate using EAP-SIM.

After ~400 successful auths at 20 requests/second the radiusd service encounters a segmentation fault. The output of the gdb dump is as follows:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208572224 (LWP 9805)]
0x0072ec33 in _int_malloc () from /lib/libc.so.6
(gdb) bt
#0 0x0072ec33 in _int_malloc () from /lib/libc.so.6
#1 0x00730792 in malloc () from /lib/libc.so.6
#2 0x005007e4 in eap_compose (handler=0x8fb8220) at eap.c:395
#3 0x004ffa94 in eap_authenticate (instance=0x8f8e4b8, request=0x8fbe648) at rlm_eap.c:341
#4 0x08053009 in modcall ()
#5 0x0805351d in modcall ()
#6 0x0805312d in modcall ()
#7 0x080525ba in find_module_instance ()
#8 0x0804c532 in rad_check_password ()
#9 0x0804cb03 in rad_authenticate ()
#10 0x08054c0a in rad_respond ()
#11 0x08056287 in main ()
(gdb)

I have another FreeRADIUS 1.0.3 server running on a Red Hat 9 server (kernel 2.4.20-8) that has had no problems running this kind of traffic.

Any help in diagnosing the reason why I'm encountering a fault in malloc would be much appreciated.

Thanks,
Nik

Question Regarding FreeRADIUS debug ----please help!

2006-04-12 Thread Silpa Akkina
Hi

I am new to this group and joined just a few minutes back. I had a question regarding how to view the milliseconds resolution in the RADIUS debug

I am trying to collect the output from the proxy radius server

I think all I can get is debug with seconds resolution...but for my project I have to take milliseconds readings

please help!

Thanks,
Silpa
http://akkinasilpa.blogspot.com

Re: Question Regarding FreeRADIUS debug ----please help!

2006-04-12 Thread Alan DeKok
Silpa Akkina [EMAIL PROTECTED] wrote:
 server i think all i can get is debug with seconds resolution...but for my
 project i have to take milli seconds readings please help!

  Edit the source code.

  Alan DeKok.


Re: FreeRADIUS 1.1.1 Segmentation fault on Fedora 4

2006-04-12 Thread Alan DeKok
Nikolas Thoman [EMAIL PROTECTED] wrote:
 Any help in diagnosing the reason why I'm encountering a fault in
 malloc would be much appreciated.

  It usually happens because something else in the code is
over-writing a buffer, or writing to free'd memory.

  Run the server under valgrind to see what's going on.  You'll have
to pass special options to work around the infinite SSL warnings, but
those warnings can be ignored.

  Alan DeKok.


Re: Freeradius-Users Digest, Vol 12, Issue 56 (Out Of Office)

2006-04-12 Thread BRETT WEEAST
I will be out of the office Thu, April 13 through Fri, April 21.  

If you require assistance prior to April 24, email the Network Services Unit 
at: [EMAIL PROTECTED] 



freeradius 1.0.5 - Max-All-Session, Max-Daily-Session and Max-Monthly-Session maximum value limit

2006-04-12 Thread James
Hello I am using freeradius 1.0.5, what is the maximum value of seconds 
allowed in the attributes: Max-All-Session, Max-Daily-Session and 
Max-Monthly-Session ?


I cannot find this information in my research.

Thank you,

James


Re: freeradius 1.0.5 - Max-All-Session, Max-Daily-Session and Max-Monthly-Session maximum value limit

2006-04-12 Thread Alan DeKok
James [EMAIL PROTECTED] wrote:
 Hello I am using freeradius 1.0.5, what is the maximum value of seconds 
 allowed in the attributes: Max-All-Session, Max-Daily-Session and 
 Max-Monthly-Session ?

  They're integers, so 32-bits, or 4 billion.

  Alan DeKok.


Simultaneous-Use Issue

2006-04-12 Thread James

I have freeradius 1.0.5 installed

my end-users are able to login simultaneously using the same username 
and password, the radacct table is recording the aggregating session 
time that the multiple simultaneous users use.


in my radcheck table I have all my users login attributes set to:

User-Password = somepassword
Max-All-Session = 123456
Simultaneous-Use := 1

Are there extra attributes that I need to set or configuration that I 
need to add in order to not let the same user login simultaneously 
through different machines?


Thank you,

James