Re: windowsXP+LDAP+freeradius

2006-09-06 Thread Stefan Winter
Hi,

>   I have Link sys wireless router, windows XP clients, freeradius
> and LDAP server (Linux). I want to make the user authentication for the
> windows XP clients against freeradius to connect to Link sys router. I
> have all the users in LDAP. The LDAP server is set as user database for
> freeradius server. Is this possible? If possible, can you please give me
> the idea how to do this.

Perfectly fine. Take a look at the ldap { } section in radiusd.conf (it's 
pretty much self explanatory), and enable ldap in authorize { } and 
authenticate { }. For wireless, you'll also need at least a server 
certificate, a script for generating one is in the scripts/ subdirectory of 
freeradius. Use that certificate for the eap.conf configuration, where you 
will have to enable at least the tls { } part, and either peap or ttls, 
depending on what supplicant you use on the Win XP side. The built-in 
supplicant (not recommended, but working) is using peap.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
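
The steps in the reply above, written out as an added configuration sketch (not part of Stefan Winter's message and not the project's shipped files). Option names follow the FreeRADIUS 1.x sample radiusd.conf and eap.conf; the host name, DNs, password and certificate paths are placeholders chosen for illustration.

```conf
# ---- radiusd.conf (FreeRADIUS 1.x layout) ----
modules {
	ldap {
		# Placeholder directory host and search base.
		server = "ldap.example.org"
		basedn = "ou=people,dc=example,dc=org"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# Bind as a dedicated read-only service account (placeholder DN),
		# not as the directory administrator.
		identity = "cn=radius,ou=services,dc=example,dc=org"
		password = "CHANGE-ME"

		# Protect the bind password and returned attributes in transit.
		start_tls = yes
		tls_cacertfile = /etc/raddb/certs/ldap-ca.pem
	}
}

authorize {
	preprocess
	mschap
	eap
	ldap
}

authenticate {
	# An LDAP bind needs the user's password in clear, so this path is
	# only reached with PAP inside an EAP-TTLS tunnel.
	Auth-Type LDAP {
		ldap
	}
	# PEAP as used by the built-in XP supplicant carries MS-CHAPv2.
	# A bind cannot answer that challenge: the mschap module needs the
	# clear-text password or NT hash supplied from the directory.
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

# ---- eap.conf ----
eap {
	default_eap_type = peap

	tls {
		# Server key and certificate generated for this RADIUS server
		# (placeholder file names). Keep the key readable only by the
		# radiusd user.
		private_key_file = ${raddbdir}/certs/server-key.pem
		certificate_file = ${raddbdir}/certs/server-cert.pem
		CA_file = ${raddbdir}/certs/ca.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
	}

	# Enable whichever tunnel the supplicant speaks.
	peap {
		default_eap_type = mschapv2
	}
	ttls {
		default_eap_type = md5
	}
	mschapv2 {
	}
}
```

Clients should be configured to validate the server certificate against the CA that issued it; otherwise the tunnel gives no protection against a rogue access point.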

windowsXP+LDAP+freeradius

2006-09-06 Thread Muthu

Dear all,

  I have Link sys wireless router, windows XP clients, freeradius
and LDAP server (Linux). I want to make the user authentication for the
windows XP clients against freeradius to connect to Link sys router. I
have all the users in LDAP. The LDAP server is set as user database for
freeradius server. Is this possible? If possible, can you please give me
the idea how to do this.

Thanks and Regards,
Muthu.


RE: The maximum number of threads (32) are active, cannot spawn new thread to handle request

2006-09-06 Thread King, Michael
 

> -Original Message-
>   See "thread pool" in radiusd.conf.
> 
>   It looks like your DB is slow...
> 

Entirely possible.  It is Active Directory (Via the ntlm_auth program)
so I have no control over it.  :-(


> > So, I've rolled back to my freeRADIUS 1.0.4 server, cause it hasn't 
> > crashed like my 1.1.3 has been doing.
> 
>   Very weird, and very annoying.  Maybe running it under 
> valgrind will help?
> 

Got a good howto out on the Interweb.?



Possible Rlm_sql issues

2006-09-06 Thread Lawrence Dudley
Hi there,

Really new to Radius, only managed to start playing with it tonight. Had a lot of issues with it, but have managed to sort the vast majority of them.

If I run sudo radiusd -X from a terminal, I am presented with a load of output followed by:

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

And then the server sits there and waits. So far, so good. However, when an authentication request is received, the following occurs:

rad_recv: Access-Request packet from host 192.168.4.36:2051, id=0, length=228
    User-Name = "[EMAIL PROTECTED]"
    CHAP-Challenge = 0x02b726656ced1242cf5923c5481f0e4b
    CHAP-Password = 0x00aab0ad1434ef8bccb0c3632e1d2a1526
    NAS-IP-Address = 0.0.0.0
    Service-Type = Login-User
    Framed-IP-Address = 192.168.182.3
    Calling-Station-Id = "00-30-65-0F-87-C2"
    Called-Station-Id = "00-16-01-10-1D-B6"
    NAS-Identifier = "hotspot"
    Acct-Session-Id = "44ff9ab8"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 0
    Message-Authenticator = 0x2fbec7ec4ff9392a17b6d894850925a6
    WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
Segmentation fault

At which point the server is (obviously) pretty dead. I am using Rlm_sql with MySql 5.0.2 on Ubuntu 6.0.6. I tried downgrading to MySql 4 but you can't do a downgrade from 5->4 it seems :-( But that may be part of the issue, so if anyone knows how to do that it could be a good way of starting to troubleshoot the issue.

Full output from sudo radiusd -X is posted below:

[EMAIL PROTECTED]:/usr/src/src/modules/rlm_sql$ sudo radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = yes
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
Bad value "1" for boolean variable log_auth_badpass
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded SQL Counter
 sqlcounter: counter-name = "Max-All-Session-Time"
 sqlcounter: check-name = "Max-All-Session"
 sqlcounter: key = "User-Name"
 sqlcounter: sqlmod-inst = "sql"
 sqlcounter: query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
 sqlcounter: reset = "never"
 sqlcounter: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 1830
rlm_sqlcounter: Check attribute Max-All-Session is number 1831
rlm_sqlcounter: Current Time: 1157594692 [2006-09-07 03:04:52], Next reset 0 [2006-09-07 03:00:00]
rlm_sqlcounter: Current Time: 1157594692 [2006-09-07 03:04:52], Prev reset 0 [2006-09-07 03:00:00]
Module: Instantiated sqlcounter (noresetcounter)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "127.0.0.1"
 sql: port = ""
 sql: login = "root"
 sql: password = "x

Re: rlm_perl and accounting -- radrelay?

2006-09-06 Thread Alan DeKok
Justin Church <[EMAIL PROTECTED]> wrote:
> OK.  The patch worked, since I can now run radiusd -n radrelay w/o the 
> Abort, but I still am not seeing a way to replicate to multiple 
> accounting servers with radiusd -n radrelay.

  Unfortunately, it doesn't yet do that.  The issue is that the server
core is really designed to forward packets, not to clone them.

  I think it's possible to clone the packets, it just requires
additional work in the server core.

> I need to take accounting requests that arrive at "main-radius" in
> "radrelay-detail" and replicate them to "remote-radius1",
> "remote-radius2", "remote-radius3" in parallel.  It appears as if my
> only two options in radrelay.conf are to store accounting data in
> sql or proxy to other servers.

  You can do more than that.  Pretty much anything the server can do
is valid in radrelay, it's just that the example config is simpler.

> With the old radrelay, I believe I could have just run #radrelay -r
> remote-radius1 radrelay-detail; radrelay -r remote-radius2
> radrelay-detail; radrelay -r remote-radius3 radrelay-detail.

  i.e. one radrelay per detail file.

  You can still do this with the new code, you just have to create
"radrelay1.conf", "radrelay2.conf", etc.  It's a big pain, and
something that should be fixed before 2.0.

>  Am I missing something, and is this still possible with radiusd -n
> radrelay?

  Yes, it is.  But it's more work.

  And looking at the conf files, I think the main "libdir",
"raddbdir", etc. stuff at the top should be moved into a separate
"directories.conf" file.  That way all of the other "radiusd.conf" and
"radrelay.conf" files can just $INCLUDE it, which gives a central
point for storing all changes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: 1.1.3 on Solaris 10 (sparc)

2006-09-06 Thread Alan DeKok
"Rafiqul Ahsan" <[EMAIL PROTECTED]> wrote:
> I am planning to add EAP-AKA on the Free radius, as I understand this does
> not support currently. Any idea where to start ?

  There's a patch on bugzilla.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: one attribute with more values

2006-09-06 Thread Alan DeKok
Fonci <[EMAIL PROTECTED]> wrote:
> I have to make a dictionary file, but I have a little problem:
> There is an attribute in the vsa attributes, which has more
> than one value. Is it possible to separate it in the
> dictionary file? Is there a class attribute, or something? 

  "man 5 users".  Use the "+=" operator.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: The maximum number of threads (32) are active, cannot spawn new thread to handle request

2006-09-06 Thread Alan DeKok
"King, Michael" <[EMAIL PROTECTED]> wrote:
> I got this today in its debug logs.  Is there a config option to
> increase the number of threads?  Is there a better way to fix that?

  See "thread pool" in radiusd.conf.

  It looks like your DB is slow...

> So, I've rolled back to my freeRADIUS 1.0.4 server, cause it hasn't
> crashed like my 1.1.3 has been doing.

  Very weird, and very annoying.  Maybe running it under valgrind will
help?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: WPA/RADIUS Problems

2006-09-06 Thread Peter Nixon
On Wed 06 Sep 2006 23:05, Lewis Bergman wrote:
> - Original Message -
> From: "Alan DeKok" <[EMAIL PROTECTED]>
>
> >  I plan on addressing at least some of that with my book.
> >
> >> P.S: I look for a good book, covering all about radius and especially
> >> FR. As an overview and as a reference.
> >
> >  I'm writing one.  I've got about 60 pages of good content, and 50
> > pages of rough notes.
>
> I would be glad to send you some of my configs for examples. Many of them
> you instructed me on how to accomplish the goal on the list. I posted a
> bunch on the wiki but that thing keeps getting spammed =(
> I would think at least ISP's would gain some insight from some of them.

The wiki should be mostly spam free these days as I have implemented some 
countermeasures. If you notice any spam, please remove it AND notify me.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: rlm_perl and accounting -- radrelay?

2006-09-06 Thread Justin Church
OK.  The patch worked, since I can now run radiusd -n radrelay w/o the 
Abort, but I still am not seeing a way to replicate to multiple 
accounting servers with radiusd -n radrelay.  I need to take accounting 
requests that arrive at "main-radius" in "radrelay-detail" and replicate 
them to "remote-radius1", "remote-radius2", "remote-radius3" in 
parallel.  It appears as if my only two options in radrelay.conf are to 
store accounting data in sql or proxy to other servers.  Proxy is closer 
to what I want, but from looking at proxy.conf, it seems I can only 
proxy each accounting request received to a single remote-radius server 
either in failover or round-robin mode.  With the old radrelay, I 
believe I could have just run #radrelay -r remote-radius1 
radrelay-detail; radrelay -r remote-radius2 radrelay-detail; radrelay -r 
remote-radius3 radrelay-detail.  Am I missing something, and is this 
still possible with radiusd -n radrelay?


Thanks.

-jc

Alan DeKok wrote:

> Justin Church <[EMAIL PROTECTED]> wrote:
>> However, I notice that radrelay has been deprecated and the 
>> functionality moved into radiusd.  How am I to run simultaneous 
>> instances of radiusd on the same host - 1 to listen to type 'acct' and 1 
>> to listen to type 'detail'?  I apologize if I'm missing something simple.
>
>   Yes.  See raddb/radrelay.conf
>
>> Wed Sep  6 11:31:19 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host 
>> i686-pc-linux-gnu, built on Sep  6 2006 at 10:15:27
>> Wed Sep  6 11:31:19 2006 : Info: Starting - reading configuration files ...
>> Wed Sep  6 11:31:19 2006 : Error: Assertion failed in listen.c, line 1996
>
>   That's a bug.  I've just committed a fix.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: 1.1.3 on Solaris 10 (sparc)

2006-09-06 Thread Rafiqul Ahsan
Hi Lin, and others
 
It worked with the path. I am able to build, and install the free radius on Solaris 10. Thanks for your help.
I am planning to add EAP-AKA on the Free radius, as I understand this does not support currently. Any idea where to start ?
 
Thanks for your help.
 
Rafi 
On 9/6/06, Lin Richardson <[EMAIL PROTECTED]> wrote:

So to confirm the observations and comments above:

My environment worked without any errors.  The following give some detail as to why.

bash-3.00# which ar
/usr/ccs/bin/ar
bash-3.00# echo $PATH
/usr/local/bin:/usr/bin:/usr/ccs/bin:/usr/sbin

ar is a command line tool that is not in your path, so I guess ./configure sets it to false... and then tries to run it with the command "false".

Fix your path to include the location of ar and you will probably have better results.  Thanks to the others on the list for catching this detail.
It may be a good idea to add to the wiki as well.

Lin

On 9/6/06, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:

Thanks to Lin, Mercel, and Rob for your input. I am not sure about Mercel's comment on value of AR, this has been set to false in the Makefile at libltdl/ directory (where it actually fails). The question is what value should it be ?

Also, Rob - when I put the /usr/ccs/bin/ on top of my PATH, it picks a make that gives me error as "make: Fatal error in reader: Makefile, line 41: Unexpected end of line seen". Whereas my earlier picks on make file from /usr/local/bin - did not give me this error. Following is the various command output FYI. Also - could you please explain a little more on where to put this get -R/path/to/dep alongside the -L linker flags (an example would be appreciated). Is it needed to add on the Makefile on ./libltdl/ directory ?

Thanks for your help.

Rafi

# /usr/local/bin/make -v
GNU Make 3.80
Copyright (C) 2002  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
# /usr/ccs/bin/make -v
make: Warning: Ignoring DistributedMake -v option
make: Fatal error in reader: Makefile, line 41: Unexpected end of line seen

Here is my PATH (after I added /usr/ccs/bin - as suggested by Rob)
# echo $PATH
/usr/ccs/bin:/usr/sbin:/usr/bin:/usr/sfw/bin/:/usr/local/bin

On 9/6/06, Rob Shepherd <[EMAIL PROTECTED]> wrote:

[EMAIL PROTECTED] wrote:
> Lin Richardson wrote:
>> You should post this to the userlist (I am cc'ing them on this
>> reply).  Perhaps someone there has seen the "false cru" error before...
>> I'm no compiler guru, but google tells me that libtool may be to
>> blame. I don't actually show libtool installed on my box and don't
>> know much about it.
> I'm no compiler guru either, but the system appears to be missing 'ar'
> (I thought I remembered 'ar' being called with options 'cru' before, and
> the config.log confirms this:)

For solaris...

Add /usr/ccs/bin to the top of your path.

In addition, as mentioned in this thread. The preferable way of
satisfying run time lib dependencies on solaris is by get -R/path/to/dep
alongside the -L linker flags.

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 07776 210516

--
Rafiqul Ahsan          630-717-1698(h)
2120 Periwinkle Ln     630-689-1457(h)
Naperville, IL 60540   847-812-6176(c)


Re: Link MAC adress to user after 1st login

2006-09-06 Thread A . L . M . Buxey
Hi,

> Of course we are aware of how easy a MAC can be spoofed, but it's better than
> nothing.


I wonder if anyone else has read the recent research into 'fingerprinting' of
the wireless signal...and how future AP and NAS kit might be able to identify
machines

I'm wondering when we'll be looking at having a FingerprintID column in
our SQL tables with an eg  := NetgearWAG511 next to the known MAC entry ;-)

alan


RE: Freeradius + Cisco VoIP

2006-09-06 Thread Geoffrey Cauchi
Not much mention there unfortunately.  A practical example would help me
most.

Thanks
Gef

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Alan DeKok
Sent: 06 September 2006 18:00
To: FreeRadius users mailing list
Subject: Re: Freeradius + Cisco VoIP

"Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> gateway to accept a user?

  See the NAS documentation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


one attribute with more values

2006-09-06 Thread Fonci
Hi!
I have to make a dictionary file, but I have a little problem:
There is an attribute in the vsa attributes, which has more
than one value. Is it possible to separate it in the
dictionary file? Is there a class attribute, or something? 
How can I separate the items of the attribute?
Thank you for your advice!
F!







Re: Wiki problems

2006-09-06 Thread Peter Nixon
On Wed 06 Sep 2006 14:38, Luca Corti wrote:
> The wiki main page is empty and it seems there is no content at all in
> the Wiki.

There has been no maintenance work on the wiki in the last few days. It should 
be working fine.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: WPA/RADIUS Problems

2006-09-06 Thread Lewis Bergman
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>



>  I plan on addressing at least some of that with my book.
>
>> P.S: I look for a good book, covering all about radius and especially
>> FR. As an overview and as a reference.
>
>  I'm writing one.  I've got about 60 pages of good content, and 50
> pages of rough notes.

I would be glad to send you some of my configs for examples. Many of them 
you instructed me on how to accomplish the goal on the list. I posted a 
bunch on the wiki but that thing keeps getting spammed =(
I would think at least ISP's would gain some insight from some of them. 



Re: HOW-TO for Linux radius client

2006-09-06 Thread Alan DeKok
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> My tests indicate that you need to implement only 2 functions to get login,
> xdm, ssh, etc. working on the client machines.
> 
> enum nss_status _nss_radius_getpwnam_r(const char *name, struct passwd 
> *result, char *buffer, size_t buflen);
> enum nss_status _nss_radius_getpwuid_r(uid_t uid, struct passwd *result, char 
> *buffer, size_t buflen);

  I took a look at doing this a few years ago, and got lost in the
morass of glibc internals.

  Apparently PAM can do UID/GID/etc mappings, too, but it's not
documented.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


The maximum number of threads (32) are active, cannot spawn new thread to handle request

2006-09-06 Thread King, Michael
So, I've rolled back to my freeRADIUS 1.0.4 server, cause it hasn't
crashed like my 1.1.3 has been doing.

I got this today in its debug logs.  Is there a config option to
increase the number of threads?  Is there a better way to fix that?

Wed Sep  6 13:08:22 2006 : Auth: Login OK: [BSC\\j2kelley] (from client
localhost port 0)
Wed Sep  6 13:08:22 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK
message
Wed Sep  6 13:08:22 2006 : Info: The maximum number of threads (32) are
active, cannot spawn new thread to handle request
Wed Sep  6 13:08:22 2006 : Info: The maximum number of threads (32) are
active, cannot spawn new thread to handle request
Wed Sep  6 13:08:22 2006 : Info: The maximum number of threads (32) are
active, cannot spawn new thread to handle request
Wed Sep  6 13:08:22 2006 : Info: The maximum number of threads (32) are
active, cannot spawn new thread to handle request
Wed Sep  6 13:08:22 2006 : Auth: Login OK: [BSC\\j2kelley] (from client
New-Network port 29 cli 00-12-F0-88-A6-94)
Wed Sep  6 13:08:22 2006 : Auth: Login OK: [BSC\\emulhern] (from client
localhost port 0)



Re: 1.1.3 on Solaris 10 (sparc)

2006-09-06 Thread Lin Richardson
So to confirm the observations and comments above:

My environment worked without any errors.  The following give some detail as to why.

bash-3.00# which ar
/usr/ccs/bin/ar
bash-3.00# echo $PATH
/usr/local/bin:/usr/bin:/usr/ccs/bin:/usr/sbin

ar is a command line tool that is not in your path, so I guess ./configure sets it to false... and then tries to run it with the command "false".

Fix your path to include the location of ar and you will probably have better results.  Thanks to the others on the list for catching this detail.
It may be a good idea to add to the wiki as well.

Lin

On 9/6/06, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:

Thanks to Lin, Mercel, and Rob for your input. I am not sure about Mercel's comment on value of AR, this has been set to false in the Makefile at libltdl/ directory (where it actually fails). The question is what value should it be ?

Also, Rob - when I put the /usr/ccs/bin/ on top of my PATH, it picks a make that gives me error as "make: Fatal error in reader: Makefile, line 41: Unexpected end of line seen". Whereas my earlier picks on make file from /usr/local/bin - did not give me this error. Following is the various command output FYI. Also - could you please explain a little more on where to put this get -R/path/to/dep alongside the -L linker flags (an example would be appreciated). Is it needed to add on the Makefile on ./libltdl/ directory ?

Thanks for your help.

Rafi

# /usr/local/bin/make -v
GNU Make 3.80
Copyright (C) 2002  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
# /usr/ccs/bin/make -v
make: Warning: Ignoring DistributedMake -v option
make: Fatal error in reader: Makefile, line 41: Unexpected end of line seen

Here is my PATH (after I added /usr/ccs/bin - as suggested by Rob)
# echo $PATH
/usr/ccs/bin:/usr/sbin:/usr/bin:/usr/sfw/bin/:/usr/local/bin

On 9/6/06, Rob Shepherd <[EMAIL PROTECTED]> wrote:

[EMAIL PROTECTED] wrote:
> Lin Richardson wrote:
>> You should post this to the userlist (I am cc'ing them on this
>> reply).  Perhaps someone there has seen the "false cru" error before...
>> I'm no compiler guru, but google tells me that libtool may be to
>> blame. I don't actually show libtool installed on my box and don't
>> know much about it.
> I'm no compiler guru either, but the system appears to be missing 'ar'
> (I thought I remembered 'ar' being called with options 'cru' before, and
> the config.log confirms this:)

For solaris...

Add /usr/ccs/bin to the top of your path.

In addition, as mentioned in this thread. The preferable way of
satisfying run time lib dependencies on solaris is by get -R/path/to/dep
alongside the -L linker flags.

Rob

--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 07776 210516

--
Rafiqul Ahsan          630-717-1698(h)
2120 Periwinkle Ln     630-689-1457(h)
Naperville, IL 60540   847-812-6176(c)


Re: rlm_perl and accounting -- radrelay?

2006-09-06 Thread Alan DeKok
Justin Church <[EMAIL PROTECTED]> wrote:
> However, I notice that radrelay has been deprecated and the 
> functionality moved into radiusd.  How am I to run simultaneous 
> instances of radiusd on the same host - 1 to listen to type 'acct' and 1 
> to listen to type 'detail'?  I apologize if I'm missing something simple.

  Yes.  See raddb/radrelay.conf

> Wed Sep  6 11:31:19 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host 
> i686-pc-linux-gnu, built on Sep  6 2006 at 10:15:27
> Wed Sep  6 11:31:19 2006 : Info: Starting - reading configuration files ...
> Wed Sep  6 11:31:19 2006 : Error: Assertion failed in listen.c, line 1996

  That's a bug.  I've just committed a fix.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: WPA with Chillispot in proxy mode, problem

2006-09-06 Thread Alan DeKok
  Sorry... fixed in 1.1.3.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: WPA with Chillispot in proxy mode, problem

2006-09-06 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> I'm trying to use FreeRADIUS with WPA and Chillispot in proxy mode.
> When I try to login, chillispot give me this error:
> 
> radius.c: 1602: Received unknown radius packet 11!
> chilli.c:3751: radius_proxy_ind() failed!

  It's a bug in 1.1.2 that was fixed in 1.1.2.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: 1.1.3 on Solaris 10 (sparc)

2006-09-06 Thread Alan DeKok
"Rafiqul Ahsan" <[EMAIL PROTECTED]> wrote:
> Thanks to Lin, Mercel, and Rob for your input. I am not sure about Mercel's
> comment on value of AR, this has been set to false in the Makefile at
> libltdl/ directory (where it actually fails). The question is what value
> should it be ?

  It should be the path to the working "ar" on your system.  It should
be automatically set up by "configure".

> Also, Rob - when I put the /usr/ccs/bin/ on top of my PATH, it picks a make
> that gives me error as "make: Fatal error in reader: Makefile, line 41:

  Don't use Solaris "make".  Use "gmake".

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Link MAC adress to user after 1st login

2006-09-06 Thread Jurgen van Vliet
Hi Yves,

It is for a customer having a wireless ISP setup.
In the web interface (dialupadmin based) the administrator can reset the
recorded MAC if needed. 
They want this to avoid prepaid card swapping between people who bought a
ticket for like 5 hours, so it's not for regular subscribed users :)
Of course we are aware of how easy a MAC can be spoofed, but it's better than
nothing.

Thanks for thinking with me!

Jurgen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Yves ruff
Sent: Wednesday 6 September 2006 14:25
To: FreeRadius users mailing list
Subject: Re: Link MAC adress to user after 1st login

Jurgen van Vliet wrote:
> Hi people,

hi,

> At the 1st login of a client, the MAC address is put into the database 
> At all next logins, if the MAC address of that client does not match 
> the already recorded MAC address the login gets rejected.
> 
<>

Imho, linking user and hardware is not a good idea: what if a user get an
new network card, a new pc ?

--
yves


Re: Failed Logins

2006-09-06 Thread Alan DeKok
"King, Michael" <[EMAIL PROTECTED]> wrote:
> How can I get you more information?

  No idea.  I'd ask on an OpenSSL list.

> Should all the machines be named the same, and have the same cert?

  No, that's not what I read from the email.  The email said if you
have two different certs with the same name, you'll run into problems.

  Maybe you have a server cert that you generated a few months ago,
but the clients have a server cert with the same name that was
generated a year ago.

  If the errors happen for the same clients, that would appear to be
the problem.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Wiki problems

2006-09-06 Thread Luca Corti
On Wed, 2006-09-06 at 11:47 -0400, Alan DeKok wrote:
>   Looks fine from here.  Maybe a transient issue?

Yes, it seems to work now.

thanks

Luca



Re: EAP + SQL

2006-09-06 Thread Alan DeKok
"Velikanov" <[EMAIL PROTECTED]> wrote:
> Say, please, is it possible to use EAP-MD5(or other type of EAP) with SQL
> backend database.

  Yes.  Just put a user & clear-text password into SQL, and configure SQL.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: radclient not able to send salted encrypted VSA's?

2006-09-06 Thread Alan DeKok
Birchmeier Raphael <[EMAIL PROTECTED]> wrote:
> Juniper states it's possible in CoA messages.

  Ok... HOW?

  As I said, the algorithm for the encryption is documented as working
only for reply packets.  It's nice that Juniper has extended this to
work elsewhere, but if we don't know how they've extended it, we can't
implement the algorithm.

> Can somehow the same SW parts as for radius-reply
> being used for radclient?

  Huh?  What does that mean?

  All of the RADIUS code is in libradius, which is used both by the
server, and by radclient.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
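
Why the salted encryption is tied to reply packets shows up in the algorithm itself. The following is an added example, not code from the thread or from FreeRADIUS: it implements the salted encryption of RFC 2868 section 3.5 (Tunnel-Password), on the assumption that this is the scheme meant by "salted" here; the function names, shared secret and sample values are constructed.

```python
import hashlib
import os


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def salt_encrypt(plaintext, secret, request_authenticator, salt=None):
    """Encrypt an attribute value with the RFC 2868 section 3.5 method.

    request_authenticator is the 16-octet authenticator of the Access-Request
    being answered: both sides must already share it before the reply is sent.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(plaintext) > 255:
        raise ValueError("value too long for the one-octet length field")
    if salt is None:
        # Two random octets; the top bit of the first octet must be set.
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")

    # Plaintext = length octet + data, zero-padded to a multiple of 16.
    padded = bytes([len(plaintext)]) + plaintext
    padded += b"\x00" * (-len(padded) % 16)

    out = b""
    chain = request_authenticator + salt      # b(1) = MD5(S + R + A)
    for i in range(0, len(padded), 16):
        keystream = _md5(secret, chain)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        chain = block                         # b(i) = MD5(S + c(i-1))
    return salt + out


def salt_decrypt(blob, secret, request_authenticator):
    """Inverse of salt_encrypt; raises ValueError on malformed results."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("malformed salted value")
    plain = b""
    chain = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        keystream = _md5(secret, chain)
        block = cipher[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        chain = block
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length octet exceeds data (wrong secret or authenticator)")
    return plain[1:1 + length]


def try_decrypt(blob, secret, request_authenticator):
    """Return the decrypted value, or None if the result is malformed."""
    try:
        return salt_decrypt(blob, secret, request_authenticator)
    except ValueError:
        return None


def demo():
    secret = b"testing123"                    # constructed shared secret
    request_auth = os.urandom(16)             # chosen by the NAS in its Access-Request
    blob = salt_encrypt(b"enable", secret, request_auth)
    # The NAS remembers the authenticator it sent, so it can decrypt the reply.
    same = try_decrypt(blob, secret, request_auth)
    # A receiver that never sent that request has no matching authenticator.
    other = try_decrypt(blob, secret, os.urandom(16))
    return same, other
```

The first keystream block is MD5(secret + Request Authenticator + salt), so the receiver can only decrypt if it already knows the authenticator of a request it sent earlier; a server-initiated packet has no such earlier request in the scheme as documented.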


Re: Link MAC adress to user after 1st login

2006-09-06 Thread Alan DeKok
"Jurgen van Vliet" <[EMAIL PROTECTED]> wrote:
> At the 1st login of a client, the MAC address is put into the database
> At all next logins, if the MAC address of that client does not match the
> already recorded MAC address the login gets rejected.

  Run a script at first login to put the MAC address into the DB.

> I presume the MAC address of the client requesting authentication is a
> variable in freeradius ? 

  Usually Calling-Station-Id.

> My question is how/where do I put the check if the MAC already is registered
> and if the current MAC matches the registered one ?

  See the documentation for rlm_sql.  It includes examples.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
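
One way to implement the record-at-first-login, compare-afterwards check discussed in this thread, as an added example that is not code from any poster or from FreeRADIUS. It assumes a hypothetical `mac_binding` table and a script that the server calls with the user name and Calling-Station-Id; SQLite stands in for the MySQL database mentioned in the thread, and the sample requests are constructed.

```python
import re
import sqlite3

# Hypothetical table: one row per account, written at the first login.
SCHEMA = """
CREATE TABLE IF NOT EXISTS mac_binding (
    username TEXT PRIMARY KEY,
    mac      TEXT NOT NULL
)
"""


def open_db(path=":memory:"):
    """Open the binding store and make sure the table exists."""
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def normalize_mac(calling_station_id):
    """Map the spellings a NAS may send to 12 lowercase hex digits.

    00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc and 0011.22aa.bbcc are the same
    card; anything that is not a MAC returns None.
    """
    digits = re.sub(r"[-:.\s]", "", calling_station_id or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def check_and_bind(db, username, calling_station_id):
    """Return 'bound' (first login), 'accept' (match) or 'reject'.

    Call this only after the password check has succeeded, otherwise a
    failed guess from another machine would claim the binding.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "reject"          # no usable MAC: nothing to bind or compare
    with db:                     # one transaction: commit on success
        # The primary key makes the first writer win even when two first
        # logins for the same account arrive at the same moment.
        cur = db.execute(
            "INSERT OR IGNORE INTO mac_binding (username, mac) VALUES (?, ?)",
            (username, mac),
        )
        if cur.rowcount == 1:
            return "bound"
        stored = db.execute(
            "SELECT mac FROM mac_binding WHERE username = ?", (username,)
        ).fetchone()[0]
    return "accept" if stored == mac else "reject"


def reset_binding(db, username):
    """Administrator action: forget the recorded MAC for one account."""
    with db:
        cur = db.execute(
            "DELETE FROM mac_binding WHERE username = ?", (username,)
        )
    return cur.rowcount == 1


def demo():
    """Replay constructed logins for one prepaid card and list the decisions."""
    db = open_db()
    requests = [
        ("card1", "00-11-22-AA-BB-CC"),   # first login: recorded
        ("card1", "0011.22aa.bbcc"),      # same card, other notation
        ("card1", "00:11:22:aa:bb:cd"),   # different machine
        ("card1", ""),                    # NAS sent no Calling-Station-Id
    ]
    return [check_and_bind(db, user, csid) for user, csid in requests]


if __name__ == "__main__":
    print(demo())
```

The same pattern covers the NAS-Port-Id case raised elsewhere in the thread by storing that attribute's value instead of the normalized MAC.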


Re: XT Radius to Free Radius

2006-09-06 Thread Alan DeKok
relists <[EMAIL PROTECTED]> wrote:
> The external script in XT Radius checks the username and password 
> against a postgres database and if username and password match it 
> returns the details for that user e.g. IP address, Framed-Address etc etc.
> 
> We are using the default xradiusd.conf  file with the port number 
> changed to 1645. We have changed the users file to the following:
> 
> DEFAULT Auth-Type := External
> Exec-Program = "/etc/raddb/checkpassword.pl %u 
> %{User-Password}"

  You should use "Auth-Type := Accept" here.  That should work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: WPA/RADIUS Problems

2006-09-06 Thread Alan DeKok
Alexandros Gougousoudis <[EMAIL PROTECTED]> wrote:
> That's true, but as a beginner it is not clear what is important to set 
> up. Most people simply want to connect their notebook over WLAN to their 
> network, other go more into detail with LDAP, SQL whatever.

  That really is the fundamental problem, and one I've seen a lot.

  Everyone wants documentation for how to configure the server for
their system.  They'd rather not read through documentation for how to
configure *other* people's systems.  And they'd rather not read through
general documentation saying how the server works, and what each module does.

  I plan on addressing at least some of that with my book.

> As you and others reply on questions of people on the list is very
> often like "tell us in detail what you want to do..." is not what
> many people seek, I think most expect to be told what is important
> and what they should do.

  Yes, and many questions are "How do I configure the server to do stuff?"

  That's a useless question, and guaranteed to not solve the problem.

> P.S: I look for a good book, covering all about radius and especially 
> FR. As an overview and as a reference.

  I'm writing one.  I've got about 60 pages of good content, and 50
pages of rough notes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius + Cisco VoIP

2006-09-06 Thread Alan DeKok
"Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> gateway to accept a user?

  See the NAS documentation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Enable Syslog

2006-09-06 Thread Alan DeKok
fvt3 <[EMAIL PROTECTED]> wrote:
> Can we send radius log to a syslog? If so, how can I
> accomplish this.  I am using the latest freeradius
> version.. 

  It doesn't really work in 1.1.3.  It will work in 2.0

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Mysql connection with SSL

2006-09-06 Thread Alan DeKok
Fabio Pedretti <[EMAIL PROTECTED]> wrote:
> Have things progressed since then?

  No.

  As always, patches are welcome.  Or, you can try hiring a consultant
to get it done.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Link MAC adress to user after 1st login

2006-09-06 Thread Roberto Greiner
Yves ruff wrote:
> Jurgen van Vliet wrote:
>> Hi people, 
>
> hi,
>
>> At the 1st login of a client, the MAC address is put into the database
>> At all next logins, if the MAC address of that client does not match the
>> already recorded MAC address the login gets rejected.
>>
> <>
>
> Imho, linking user and hardware is not a good idea: what if a user gets
> a new network card, a new pc ?
>
Actually, that's something I would also like to know how to do best. We
have a similar situation here, but instead of MAC addresses we would
need to record the NAS-Port-Id sent by the NAS. The NAS is the access
controller for ADSL from a large telecom here in São Paulo.

Does somebody have a good suggestion on how to record such an info (MAC
in Jurgen's case, NAS-Port-Id in my case) at the first access, and
verify it in the following times?

Thank you,

Marcos Roberto Greiner

-- 
Marcos Roberto Greiner

The optimists think we are in the best of all worlds
The pessimists are afraid that this is true
    Murphy

[EMAIL PROTECTED]



Re: Wiki problems

2006-09-06 Thread Alan DeKok
Luca Corti <[EMAIL PROTECTED]> wrote:
> The wiki main page is empty and it seems there is no content at all in
> the Wiki.

  Looks fine from here.  Maybe a transient issue?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_perl and accounting -- radrelay?

2006-09-06 Thread Justin Church
Thanks for the great work, Alan.  I've built the latest CVS head and am 
able to manipulate the attributes in %RAD_REQUEST with rlm_perl. 
However, I notice that radrelay has been deprecated and the 
functionality moved into radiusd.  How am I to run simultaneous 
instances of radiusd on the same host - 1 to listen to type 'acct' and 1 
to listen to type 'detail'?  I apologize if I'm missing something simple.


Also, when I try to run 'radiusd -n radrelay', I get an Abort with the 
following radius.log entries:


Wed Sep  6 11:31:19 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host 
i686-pc-linux-gnu, built on Sep  6 2006 at 10:15:27

Wed Sep  6 11:31:19 2006 : Info: Starting - reading configuration files ...
Wed Sep  6 11:31:19 2006 : Error: Assertion failed in listen.c, line 1996

[EMAIL PROTECTED]:/usr/local/var/log/radius# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, 
built on Sep  6 2006 at 10:15:27


Thanks.

-jc




Alan DeKok wrote:
> Justin Church <[EMAIL PROTECTED]> wrote:
>> Is this in the CVS head, yet?
>
>   Yes.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


WPA with Chillispot in proxy mode, problem

2006-09-06 Thread Giuseppina Venezia

Hi all,
I'm trying to use FreeRADIUS with WPA and Chillispot in proxy mode.
When I try to login, chillispot gives me this error:

radius.c: 1602: Received unknown radius packet 11!
chilli.c:3751: radius_proxy_ind() failed!

This is the log of freeradius:

---
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=Manager,dc=mydomain,dc=it"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "aPassword"
ldap: basedn = "ou=myDepartment,dc=mydomain,dc=it"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "userPassword"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "radiusGroupName"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags

Re: 1.1.3 on Solaris 10 (sparc)

2006-09-06 Thread Rafiqul Ahsan
Thanks to Lin, Mercel, and Rob for your input. I am not sure about Mercel's comment on value of AR, this has been set to false in the Makefile at libltdl/ directory (where it actually fails). The question is what value should it be ?

 
Also, Rob - when I put the /usr/ccs/bin/ on top of my PATH, it picks a make that gives me error as "make: Fatal error in reader: Makefile, line 41: Unexpected end of line seen". Whereas my earlier pick of make from /usr/local/bin did not give me this error. Following is the various command output FYI. Also, could you please explain a little more on where to put this get -R/path/to/dep alongside the -L linker flags (an example would be appreciated). Is it needed to add on the Makefile on ./libltdl/ directory ?

 
Thanks for your help.
 
Rafi
 
 
# /usr/local/bin/make -v
GNU Make 3.80
Copyright (C) 2002  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
# /usr/ccs/bin/make -v
make: Warning: Ignoring DistributedMake -v option
make: Fatal error in reader: Makefile, line 41: Unexpected end of line seen

Here is my PATH (after I added /usr/ccs/bin - as suggested by Rob)
# echo $PATH
/usr/ccs/bin:/usr/sbin:/usr/bin:/usr/sfw/bin/:/usr/local/bin

On 9/6/06, Rob Shepherd <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > Lin Richardson wrote:
> >> You should post this to the userlist (I am cc'ing them on this
> >> reply).  Perhaps someone there has seen the "false cru" error before...
> >> I'm no compiler guru, but google tells me that libtool may be to
> >> blame. I don't actually show libtool installed on my box and don't
> >> know much about it.
> > I'm no compiler guru either, but the system appears to be missing 'ar'
> > (I thought I remembered 'ar' being called with options 'cru' before, and
> > the config.log confirms this:)
>
> For solaris...
>
> Add /usr/ccs/bin to the top of your path.
>
> In addition, as mentioned in this thread. The preferable way of
> satisfying run time lib dependencies on solaris is by get -R/path/to/dep
> alongside the -L linker flags.
>
> Rob
>
> --
> Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
> [EMAIL PROTECTED] | 01248 675024 | 07776 210516

-- 
Rafiqul Ahsan 630-717-1698(h)
2120 Periwinkle Ln 630-689-1457(h)
Naperville, IL 60540 847-812-6176(c)

Wiki problems

2006-09-06 Thread Luca Corti
The wiki main page is empty and it seems there is no content at all in
the Wiki.





RE: Failed Logins

2006-09-06 Thread King, Michael
How can I get you more information?

It seems to take about 12 hours to happen.

I did have this in the message log about 1 hour before hand, but I think
it's unrelated

Sep  6 09:09:19 radius1 kernel: audit(1157548159.246:31): avc:  denied { search } for  pid=2699 comm="winbindd" name="lib" dev=dm-0 ino=589826 scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Sep  6 09:09:19 radius1 kernel: audit(1157548159.246:32): avc:  denied { getattr } for  pid=2699 comm="winbindd" name="samba" dev=dm-0 ino=589961 scontext=user_u:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir


I've had this happen on two different boxes, on two different
distributions.  The Certs I'm using are from two different Paid CA's.
(One is Geotrust, the other is IPSCA)  
Neither server has had a cert before.

So...

Should all the machines be named the same, and have the same cert?
(This is what the last email has led me to, but I wouldn't think this is
the way you would setup Radius)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Tuesday, September 05, 2006 3:52 PM
> To: FreeRadius users mailing list
> Subject: Re: Failed Logins
> 
> "King, Michael" <[EMAIL PROTECTED]> wrote:
> > 24 hrs later, Different radius server. (on a different box, this one is
> > RedHat)  FreeRadius 1.1.3
> > Same problem, throwing the same Error.
> 
>   This may be related:
> 
> https://www.aet.tu-cottbus.de/pipermail/postfix_tls/2002/000353.html
> 
> ...
> It ends up that my IMAP server and postfix were using two 
> different self-signed certs that had identical common names.  
> As soon as I began to use the same cert for both servers, the 
> mozilla/netscape problem went away.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


RE: WPA/RADIUS Problems

2006-09-06 Thread King, Michael
 

> -Original Message-
> 3. debian source package builds on unstable without problem 
> here. And it provides a minimal intrusive way of enabling ssl 
> and postgres related stuff.


Just to follow up.

It appears that in FreeRadius 1.1.3, if you follow the directions in the
WIKI
http://wiki.freeradius.org/index.php/Build#Building_Debian_packages
That you will get a working PEAP/TTLS EAP

It has the necessary sections included.

You can view what is done in the Debian/rules file



EAP + SQL

2006-09-06 Thread Velikanov

 Good day.

Say, please, is it possible to use EAP-MD5(or other type of EAP) with SQL
backend database.

Thanks.



Re: Link MAC adress to user after 1st login

2006-09-06 Thread Yves ruff

Jurgen van Vliet wrote:
> Hi people,

hi,

> At the 1st login of a client, the MAC address is put into the database
> At all next logins, if the MAC address of that client does not match the
> already recorded MAC address the login gets rejected.
>
<>

Imho, linking user and hardware is not a good idea: what if a user gets
a new network card, a new pc ?


--
yves


Re: radclient not able to send salted encrypted VSA's?

2006-09-06 Thread Birchmeier Raphael
Hi Alan,
thanks a lot for your response!

Juniper states it's possible in CoA messages. However
with hidden commands the requirement for encrypted
VSA's can be disabled on the BRAS. But of course this
is not what I want outside a lab environment.

Can somehow the same SW parts as for radius-reply
being used for radclient?

Thanks,
Raphael

--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> Birchmeier Raphael <[EMAIL PROTECTED]> wrote:
> > I'm using freeradius version 1.3. I need to send CoA
> > requests to a Juniper-ERX containing salted VSA
> > "ERX-LI-Action=enable".
> 
>   Does Juniper document that as being possible?
> 
> > If someone could help extending radclient or tell me
> > another way how to send salted CoA requests I'd
> > appreciate.
> 
>   The algorithm used for encrypting the salted attributes requires
> that they only be sent in reply packets.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: 1.1.3 on Solaris 10 (sparc)

2006-09-06 Thread Rob Shepherd

[EMAIL PROTECTED] wrote:
> Lin Richardson wrote:
>> You should post this to the userlist (I am cc'ing them on this
>> reply).  Perhaps someone there has seen the "false cru" error before...
>>
>> I'm no compiler guru, but google tells me that libtool may be to
>> blame. I don't actually show libtool installed on my box and don't
>> know much about it.
> I'm no compiler guru either, but the system appears to be missing 'ar'
> (I thought I remembered 'ar' being called with options 'cru' before, and
> the config.log confirms this:)


For solaris...

Add /usr/ccs/bin to the top of your path.

In addition, as mentioned in this thread. The preferable way of 
satisfying run time lib dependencies on solaris is by get -R/path/to/dep 
alongside the -L linker flags.


Rob




--
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
[EMAIL PROTECTED] | 01248 675024 | 07776 210516


Link MAC adress to user after 1st login

2006-09-06 Thread Jurgen van Vliet
Hi people, 

I'm wondering if the following is possible with freeradius:

At the 1st login of a client, the MAC address is put into the database
At all next logins, if the MAC address of that client does not match the
already recorded MAC address the login gets rejected.

I presume the MAC address of the client requesting authentication is a
variable in freeradius ? 
If so, I already use a stored procedure in mysql as post_auth, I can easily
write the mac into the DB.

My question is how/where do I put the check if the MAC already is registered
and if the current MAC matches the registered one ?

Thank you in advance for thinking with me.

Jurgen



RE: Help about this error

2006-09-06 Thread Elie Hani
Thanks James, it is working now.

Elie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of James Wakefield
Sent: Wednesday, September 06, 2006 11:31 AM
To: FreeRadius users mailing list
Subject: Re: Help about this error

Elie Hani wrote:

> 
> Radgroupreply:
> idgroupname   attribute   op  value
> 1 Dialin  Framed-Protocol ==  PPP
> 6 Dialin  Service-Type:=  Framed-User
> 8 Dialin  Auth-Type   :=  Local
> 9 Dialin  Pool-Name   :=  main_pool
> 10Dialin  Reply-Message   =   Access
> 

Hi Elie,

Try putting rows with ids 1, 6, 8, and 9 in radgroupcheck rather than 
radgroupreply.

Cheers,

-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: WPA/RADIUS Problems

2006-09-06 Thread K. Hoercher

Hi,

I won't comment on the relative merits of "I don't know how, but it
works for me in my little universe" vs "Lots of reading, complex,
perhaps trial-and-error-prone configuration but immensely versatile"
styles different people obviously think differently about.

On 9/6/06, Alexandros Gougousoudis <[EMAIL PROTECTED]> wrote:
> >  The server includes a "debian" directory, which is used to build
> > debian packages.
>
> I tried that with source-install of the deb, but compilation fails on
> sarge and unstable, bug list is full on debian.org, so I'm not the only
> one who had this problem. I think at least the eap module relies on some
> lib which is not GPL and not included into Debian and they try to move
> around it. But FR without EAP is at least for me useless.
>
> I did not try the debian dir of the official tar of freeradius.org, I


But that is going just too far, let me set the record straight:

1. Building packages with eap on pre-sarge and later on for released
sarge used to be a bit awkward but doable and has improved much over
time.

2. debian maintainers of freeradius imho do a great job in providing
working and policy conformant packages.

3. debian source package builds on unstable without problem here. And
it provides a minimal intrusive way of enabling ssl and postgres
related stuff.

4. Although not the way intended by debian in general, the upstream
tarball contains a debian dir (as noted), which, at least, leads to
compiling, package building with the proper tools (just tested).
Sorry, I didn't check functionality, but I suppose there won't be any
problems until shown otherwise. And you suggested compilation errors,
which doesn't hold true.

5. http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=freeradius does
only list 1 minor bug (which might be considered wishlist) and 4
wishlist bugs, ancient or left there for reference purposes.

6. Technically, the needed libssl-dev is part of debian, but because
of alleged license problems (which this list and many other searchable
places contain lots of information about) freeradius in debian is not
linked against it.

Ok, enough  for now. :)

regards
K. Hoercher


XT Radius to Free Radius

2006-09-06 Thread relists

Hi

I am currently trying to migrate XT Radius to Freeradius and running 
into a few problems when trying to run an External Script.


The external script in XT Radius checks the username and password 
against a postgres database and if username and password match it 
returns the details for that user e.g. IP address, Framed-Address etc etc.


We are using the default xradiusd.conf  file with the port number 
changed to 1645. We have changed the users file to the following:


DEFAULT Auth-Type := External
   Exec-Program = "/etc/raddb/checkpassword.pl %u 
%{User-Password}"


If we run the script manually it works as expected with IP address etc 
etc returned. These details are stored in our postgres database.


We are using the Ntradping tool as suggested by the radius book.

When we startup radius using radiusd -X we get the following errors. 
Does anyone have any ideas what we are doing wrong? Thanks in advance.



Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1645
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"

Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = 
"/var/log/radius/radacct/%{Client-IP-Address}/

Re: Help about this error

2006-09-06 Thread James Wakefield

Elie Hani wrote:

> Radgroupreply:
> id  groupname  attribute        op  value
> 1   Dialin     Framed-Protocol  ==  PPP
> 6   Dialin     Service-Type     :=  Framed-User
> 8   Dialin     Auth-Type        :=  Local
> 9   Dialin     Pool-Name        :=  main_pool
> 10  Dialin     Reply-Message    =   Access


Hi Elie,

Try putting rows with ids 1, 6, 8, and 9 in radgroupcheck rather than 
radgroupreply.


Cheers,

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
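
The suggestion above, written out as PostgreSQL statements (an added example, not part of the original message). It assumes the table and column names shown in the posted table output, in lowercase, and that radgroupcheck.id is assigned by a default or sequence.

```sql
-- Added example. Table and column names come from the output posted in
-- this thread; lowercase because PostgreSQL folds unquoted identifiers.
-- Assumption: radgroupcheck.id is filled in by a sequence/default.
BEGIN;

-- Copy the four rows into radgroupcheck. The id column is deliberately
-- omitted: radgroupcheck already holds a row with id 9, so carrying the
-- radgroupreply ids across would collide.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
SELECT groupname, attribute, op, value
  FROM radgroupreply
 WHERE groupname = 'Dialin'
   AND id IN (1, 6, 8, 9);

-- Remove the same rows from radgroupreply; row 10 (Reply-Message) stays.
DELETE FROM radgroupreply
 WHERE groupname = 'Dialin'
   AND id IN (1, 6, 8, 9);

-- Review both tables side by side before committing.
SELECT 'check' AS src, id, groupname, attribute, op, value
  FROM radgroupcheck
 WHERE groupname = 'Dialin'
UNION ALL
SELECT 'reply' AS src, id, groupname, attribute, op, value
  FROM radgroupreply
 WHERE groupname = 'Dialin'
 ORDER BY src, id;

COMMIT;
```

Running it inside one transaction means a ROLLBACK instead of the COMMIT leaves both tables as they were.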


Re: WPA/RADIUS Problems

2006-09-06 Thread Alexandros Gougousoudis

Hi Alan,

Alan DeKok wrote:

> They (and the main web page) point to EAP howto's on the main web
> site, which include screenshots for configuring Windows for wireless,

That's true, but as a beginner it is not clear what is important to set 
up. Most people simply want to connect their notebook over WLAN to their 
network, others go more into detail with LDAP, SQL whatever. Knowledge 
about EAP-PEAP, EAP-TLS, MSCHAPv2 is still not developed. As you and 
others reply on questions of people on the list is very often like "tell 
us in detail what you want to do..." is not what many people seek, I 
think most expect to be told what is important and what they should do. 
As always in IT-Business, the customer doesn't know what he needs, but 
it must be nice and fancy when it is ready. :-))


FR is a great program, thanks a lot to all who work on this!


> The server includes a "debian" directory, which is used to build
> debian packages.

I tried that with source-install of the deb, but compilation fails on 
sarge and unstable, bug list is full on debian.org, so I'm not the only 
one who had this problem. I think at least the eap module relies on some 
lib which is not GPL and not included into Debian and they try to move 
around it. But FR without EAP is at least for me useless.


I did not try the debian dir of the official tar of freeradius.org, I 
will do that soon, because Suse 10.1 sucks.


cu
Alex

P.S: I look for a good book, covering all about radius and especially 
FR. As an overview and as a reference.





RE: Help about this error

2006-09-06 Thread Elie Hani
Hi;

This is the output for the tables.

radcheck:
id  username  attribute      op  value  enabled
26  tonyb     User-Password  ==  tonyb  T
27  guest     User-Password  ==  guest  T

Radgroupcheck:
id  groupname  attribute       op  value
9   Dialin     NAS-IP-Address  ==  x.x.x.x

Radgroupreply:
id  groupname  attribute        op  value
1   Dialin     Framed-Protocol  ==  PPP
6   Dialin     Service-Type     :=  Framed-User
8   Dialin     Auth-Type        :=  Local
9   Dialin     Pool-Name        :=  main_pool
10  Dialin     Reply-Message    =   Access


Radreply:
id  username  attribute    op  value
9   tonyb     Fall-Throuh  =   Yes


Usergroup:
id  username  groupname
24  guest     Dialin

I'm using postgresql, and I need the SQL authentication.
Thanks in advance.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of James Wakefield
Sent: Wednesday, September 06, 2006 9:33 AM
To: FreeRadius users mailing list
Subject: Re: Help about this error

Hi Elie,

Are you using SQL auth.?  If so, is your radgroupcheck table small
enough that you could paste us a select * from it?

On Wed, 2006-09-06 at 10:16 +0200, Elie Hani wrote:
> Hi;
> 
> Can anyone help me about this error? How can I solve it.
> I think I've missed something in the tables in the database.
> 
> rlm_ippool: Could not find Pool-Name attribute.
>   modcall[post-auth]: module "main_pool" returns noop for request 2
> rlm_ippool: Could not find Pool-Name attribute.
>   modcall[post-auth]: module "real" returns noop for request 2
> radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20060906'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20060906
>   modcall[post-auth]: module "auth_log" returns ok for request 2
> 
> 
> Thanks
> Elie
> 
-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au



Freeradius + Cisco VoIP

2006-09-06 Thread Geoffrey Cauchi
Hi

I'm using free radius 1.1.3, with postgres on fedora core 5. I am trying to
authenticate a user's request coming in from a Cisco VoIP gateway.  The
radius server accepts the request, and sends an accept to the gateway, but
since it is VoIP, it is expecting h323 AV Pairs.

Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
gateway to accept a user?

Thanks
Gef





Re: Help about this error

2006-09-06 Thread James Wakefield
Hi Elie,

Are you using SQL auth.?  If so, is your radgroupcheck table small
enough that you could paste us a select * from it?

On Wed, 2006-09-06 at 10:16 +0200, Elie Hani wrote:
> Hi;
> 
> Can anyone help me about this error? How can I solve it.
> I think I've missed something in the tables in the database.
> 
> rlm_ippool: Could not find Pool-Name attribute.
>   modcall[post-auth]: module "main_pool" returns noop for request 2
> rlm_ippool: Could not find Pool-Name attribute.
>   modcall[post-auth]: module "real" returns noop for request 2
> radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20060906'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20060906
>   modcall[post-auth]: module "auth_log" returns ok for request 2
> 
> 
> Thanks
> Elie
> 
-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au



RE: How to restrict pppoe users on nas-port-id

2006-09-06 Thread Geoffrey Cauchi
Use the check-item variable to restrict port id's

Gef

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of [EMAIL PROTECTED]
Sent: 05 September 2006 21:04
To: freeradius-users@lists.freeradius.org
Subject: How to restrict pppoe users on nas-port-id

 
 I'm using FreeRADIUS Version 1.0.4 with Dialup_admin and mysql and I
would like to know if anyone can direct me in the right place to find
out how to restrict pppoe users from logging in from multiple NAS port
IDs. I would like to restrict them to logging on to only a specific set
of port IDs that comes from a database. Any help will be appreciated.

-Eugenevdm



Help about this error

2006-09-06 Thread Elie Hani
Hi;

Can anyone help me about this error? How can I solve it.
I think I've missed something in the tables in the database.

rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "main_pool" returns noop for request 2
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "real" returns noop for request 2
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20060906'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20060906
  modcall[post-auth]: module "auth_log" returns ok for request 2


Thanks
Elie
