Dialupadmin Problems

2006-10-10 Thread Andy Dixon

Hello,

I am having problems getting dialupadmin to work on FreeBSD 6.1.

If I go to any of the pages (e.g. add user) I just get a blank screen.

Also, if anyone could point me in the direction of where I can find some information on what needs to go into the tables in a postgres database for RADIUS users, I would be grateful.


Thanks

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Dialupadmin Problems

2006-10-10 Thread Ali Jawad

All the detailed info about setting up dialup admin is found in the howto file; it even explains how to import the sql files for your chosen database.

--
With Regards Ali Jawad


disable FreeRadius checking of client certs

2006-10-10 Thread devel



Is it possible to disable FreeRadius's checking of client certificates using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance overhead. Thanks.

FreeRadius 1.1.3



Travis J. Weaver
Software Engineer
Oberon, Inc.
1315 S. Allen St., Suite 405
State College, PA 16801
phone: (814)867-2312 ext. 210
fax: (814)867-2314
http://www.oberonwireless.com
[EMAIL PROTECTED]

RHEL4 and Oracle Instant Client

2006-10-10 Thread Dourty, Brian R. (IATS)
Has anyone gotten the source RPMs from RHEL4 to build with the oracle module using the Oracle instant client? It keeps giving me the following error no matter what I try:

checking for oci.h... yes
checking for oracle_init in -loracleclient... no
configure: warning: oracle libraries not found.  Use
--with-oracle-lib-dir=path.
configure: warning: sql submodule 'oracle' disabled

Thanks,

Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035



Re: disable FreeRadius checking of client certs

2006-10-10 Thread Alan DeKok
devel [EMAIL PROTECTED] wrote:
 Is it possible to disable FreeRadius's checking of client certificates
 using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance
 overhead. Thanks.

  Huh?  Client certs are used for PEAP only when you deploy client
certs to the end-user machines.  Once they're deployed, they should
really be checked.

  Perhaps you can explain why you've deployed client certs, but now
don't want to use them.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: disable FreeRadius checking of client certs

2006-10-10 Thread devel
   Well, I have not issued certs to clients. Some of my clients have the option to log in with a username OR a cert. However, there are a few random Linksys cards (I guess I should have mentioned this was for Wifi/WPA) for which I MUST provide a username and a cert.


If there are no certs on the client machine, Linksys fills the cert in with Trust Any, so I assume it may be attempting with a blank? cert or another cert on the machine, such as VeriSign or the like. So this client is attempting to authenticate, I believe, with other certs on its machine because the radius log looks like below:



   Tue Oct 10 11:16:16 2006 : Error: TLS_accept:error in SSLv3 read 
client certificate A
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error 
error::lib(0):func(0):reason(0)

   Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
   Tue Oct 10 11:16:16 2006 : Error: TLS_accept:failed in SSLv3 read 
client certificate A
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL 
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed inside of 
TLS (-1), TLS session fails.
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:140940E5:SSL 
routines:SSL3_READ_BYTES:ssl handshake failure
   Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: BIO_read failed in a 
system call (-1), TLS session fails.


   I am not a FreeRadius expert so I may be misinterpreting the logs. 
Thanks.



Travis


SQL Accounting oddness

2006-10-10 Thread John Williams

I've just set up a new freeradius server using the exact same config files from our other radius server.

We are using a different MySQL database for the second freeradius server so we have changed the database name in sql.conf to reflect this.

Authentication is working fine and it's authenticating from the database.

However accounting information is not being entered into the radacct table; it's currently empty but we are getting accounting packets back.



I ran freeradius in debug mode and found the following sql accounting queries that don't look right:



sql: accounting_update_query_alt =
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm,
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime,
AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL
(%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}',
'%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')



sql: accounting_start_query =
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm,
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime,
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop,
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '',
'0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Delay-Time}', '0')



Surely the values should be replaced by the actual information it should be entering into the table?

If that's the case, that's why the radacct table is empty: MySQL won't insert the data shown there and must be erroring.



Anyone got any ideas?



Thanks

John
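The `%{...}` tokens in that debug output are the query templates as read from sql.conf; the server expands them from each accounting packet's attributes at the moment the query runs. As an added illustration (not FreeRADIUS code), the expander below applies the same template syntax, including the `%{Attr:-0}` default form inside the DATE_SUB expression and the `%S` request timestamp, to a constructed Accounting-Request; the request values, the fixed timestamp and the simple quote-doubling escape are this example's own assumptions.

```python
import re
from datetime import datetime

# %{Attr}, %{Attr:-default} and the %S timestamp, as used in the page's queries.
XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}|%S")


def sql_escape(value):
    """Example escaping only (double any single quote). rlm_sql applies its own
    escape function; the point is that NAS-supplied values land inside the
    quotes of the query and must be escaped before they get there."""
    return str(value).replace("'", "''")


def expand(template, request, now):
    """Expand the template for one packet, as a per-request run would:
    a present attribute substitutes its value, a missing one its :-default
    (or nothing), and %S the request timestamp in SQL format."""
    def sub(m):
        if m.group(0) == "%S":
            return now.strftime("%Y-%m-%d %H:%M:%S")
        attr, default = m.group(1), m.group(2)
        if attr in request:
            return sql_escape(request[attr])
        return default if default is not None else ""
    return XLAT_RE.sub(sub, template)


# A shortened form of accounting_update_query_alt from the message, keeping the
# DATE_SUB expression that relies on the :-0 defaults.
TEMPLATE = (
    "INSERT into radacct (AcctSessionId, UserName, Realm, NASIPAddress, "
    "AcctStartTime, AcctSessionTime, AcctInputOctets) values("
    "'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', "
    "DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), "
    "'%{Acct-Session-Time}', '%{Acct-Input-Octets}')"
)

# Constructed interim-update request: no Realm and no Acct-Delay-Time present,
# and a user name containing a quote to show why escaping matters.
REQUEST = {
    "Acct-Session-Id": "8A001F3C",
    "SQL-User-Name": "o'brien",
    "NAS-IP-Address": "192.0.2.10",
    "Acct-Session-Time": 600,
    "Acct-Input-Octets": 123456,
}
NOW = datetime(2006, 10, 10, 12, 0, 0)  # stands in for the request timestamp


def query_for(request=REQUEST, now=NOW, template=TEMPLATE):
    """The statement the server would hand to MySQL for this packet."""
    return expand(template, request, now)


if __name__ == "__main__":
    print(query_for())
```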









Re: disable FreeRadius checking of client certs

2006-10-10 Thread Alan DeKok
devel [EMAIL PROTECTED] wrote:
 Well, I have not issued certs to clients. Some of my clients have the 
 option to log in with a username OR a cert. However, there are a few 
 random Linksys cards (I guess I should have mentioned this was for Wifi/WPA) 
 that I MUST provide a username and a cert.

  Ok...
  If there are no certs on the client machine, Linksys fills the cert in with 
 Trust Any, so I assume it may be attempting with a blank? cert or another 
 cert on the machine, such as VeriSign or the like.So this client is 
 attempting to authenticate, I believe, with other certs on its machine 
 because the radius log looks like below:

  Then your solution would be to actually install a client cert on
those machines.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


cisco-accounting do not work. what i miss?

2006-10-10 Thread Paloma Munoz
Hello to all!
I have a problem with the accounting.
I have FreeRADIUS Version 1.0.1
I think I have all I need to make the accounting work, but it does not work. When I use the Radius Test Client, all is OK; I can see the log in the mysql table (radacct) and in the detail log file, but from the NAS it doesn't work.
The authentication and authorization work ok. The IP is assigned from the Radius. Also the postauth logs in mysql work ok.

-My cisco configuration
aaa group server radius pal
 server A.B.C.D auth-port 1645 acct-port 1646
!
aaa authentication ppp default group pal
aaa authorization network default group pal 
aaa accounting delay-start 
aaa accounting update newinfo
aaa accounting network default start-stop group pal

interface Virtual-Template2
 ip unnumbered ATM2/0
 ppp authentication pap

radius-server configure-nas
radius-server host A.B.C.D auth-port 1645 acct-port 1646
radius-server retransmit 2
radius-server timeout 20
radius-server key 

My RADIUS configuration, radiusd.conf:
accounting {
	detail
	radutmp
	pool
	sql
}
---

Any idea where the problem is?
I do not know what is happening.
Thanks for all



Re: disable FreeRadius checking of client certs

2006-10-10 Thread devel
   Thanks guys for your posts. First off, I have tried using the WinXP supplicant and I have no problems authenticating with the Linksys wifi cards. I just wish the Linksys utility was like Cisco's, where I can tell it to provide either/or username/cert. The Cisco cards have no problem with this, whereas using the Linksys with its utility does not provide me with what I want. No big deal.


   Using the Linksys client utility, a username, password, and certificate must be provided (the certificate is a combo box so I can't even leave it blank). I have always preferred to use the utility that came with wifi cards for configuration. They typically provide more information and are more user friendly than the Windows supplicant.


   This problem does pertain to the Linksys software more than FreeRadius. I was just hoping there was a way in the FreeRadius config files to help solve the problem.



Travis


- Original Message - 
From: Artur Hecker [EMAIL PROTECTED]
To: devel [EMAIL PROTECTED]; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

Sent: Tuesday, October 10, 2006 12:42 PM
Subject: Re: disable FreeRadius checking of client certs



Hi Travis


Excuse me for top-posting, but just as Alan I'm a bit surprised by your post.

If your authentication system is based on certificates, you need certificates and you really should not say anything like certificates bother me, since that is the only expression of your trust, so without that verification no authentication will ever be reasonable or complete.

If it is not, you do not have certificates. Allowing both for the same client (same machine) is discouraged. Personally I am not familiar with a supplicant which tries one and then another for the same username.

Thus, per user, if you are using EAP-PEAP-MSCHAPv2 (passwords), then you are not using EAP-TLS. And vice versa.

The good news is: the authentication method has strictly nothing to do with the WiFi card; it is completely virtualized, in software. EAP is only a transporter protocol, it does not say how to authenticate, it only says how to transport data. Thus, if EAP is supported by the card, then *every* EAP method is supported. That's the magic about 802.1X and that's why it's supported in the operating system rather than being supported by a network card.

Now if you are saying that you use a special Linksys 802.1X client, then I would first suggest that you use the standard WinXP client. Sorry, but the Linksys client is fairly unknown.

Practically, it's difficult to guess from what you provided, but I think that you do use the WinXP supplicant (i.e. 802.1X client - I do not know of any linksys supplicant) and that you probably want to use EAP-PEAP-MSCHAPv2. That involves one server certificate (obviously one common trust anchor - a self signed CA certificate) and some username/passwords on clients. What probably happened is that in the two cases where the Linksys card is used, you did not correctly configure EAP-PEAP (called Protected EAP in WinXP or similar), but you let it be Smartcard or Certificate. Thus, the card tries to do TLS with some available pub/priv key combination, but Freeradius rejects it.

Reconfigure the WinXP supplicant to do EAP-PEAP and it will ask you for passwords. Do not forget to deploy the server certificate on user machines...



   Well, I have not issued certs to clients. Some of my clients  have the 
option to log in with a username OR a cert. However,  there are a few 
random Linksys cards (I guess I should have  mentioned this was for 
Wifi/WPA) that I MUST provide a username  and a cert.


Strictly speaking, every EAP session will take a Username and the AAA server will derive from it the authentication method to use. When used in EAP-TLS, Windows XP typically fills it out with the CN from the certificate (if available) but that is of course insufficient and it would be more correct to give an identifier and then to start a TLS authentication session for that id. (How exactly the username compares to the certified information is an open question, since the username can be altered by different means).

If there are no certs on the client machine, Linksys fills the cert in with Trust Any, so I assume it may be attempting with a blank? cert or another cert on the machine, such as VeriSign or the like. So this client is attempting to authenticate, I believe, with other certs on its machine because the radius log looks like below:

hmmm??? you can't just use any certificate for authentication. What you need is a pair: certificate/private key. Nobody except Verisign has their private key.

The only option for your Linksys 802.1X client would be to spontaneously create a CA and to issue one user certificate for EAP authentication signed by the latter. That can be done by XP, but there is no interest in doing so.


I would suggest you deploy passwords on 

Re: RHEL4 and Oracle Instant Client

2006-10-10 Thread Guilherme Franco

Hi,

You have to download it from oracle and then set all the needed paths, like LD_LIBRARY_PATH and ORA_HOME, pointing to the place where you decompressed oraclient. After that you need to recompile the rlm_oracle module under freeradiusxxx/src/modules/.

Cheers

--
Guilherme de Oliveira Franco
Damovo - Brasil


RE: Windows Vista doing PEAP

2006-10-10 Thread King, Michael
Ok...

It segfaulted again.

I'm trying to follow the directions in the doc/bugs folder.

It says to compile with --enable-developer.

In the debian rules file, it has

stamp-build: stamp-patch
dh_testdir
# dh_testroot
./configure \
$(confflags) \
--config-cache \
--prefix=/usr \
--exec-prefix=/usr \
--mandir=$(mandir) \
--sysconfdir=/etc \
--libdir=$(libdir) \
--datadir=/usr/share \
--localstatedir=/var \
--with-raddbdir=$(raddbdir) \
--with-logdir=/var/log/$(package) \
--with-system-libtool --disable-ltdl-install \
--with-large-files --with-udpfromto --with-edir \
--enable-strict-dependencies \
--enable-developer \
${buildssl}


I'm assuming it built it that way.

Anyway, here's what I got following those directions (which is what leads me to think the symbols got stripped)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1077729984 (LWP 14568)]
0x4018675b in strlen () from /lib/tls/libc.so.6
* 1 Thread 1077729984 (LWP 14568)  0x4018675b in strlen () from
/lib/tls/libc.so.6

Thread 1 (Thread 1077729984 (LWP 14568)):
#0  0x4018675b in strlen () from /lib/tls/libc.so.6
No symbol table info available.
#1  0x4015a064 in vfprintf () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x40178161 in vsnprintf () from /lib/tls/libc.so.6
No symbol table info available.
#3  0x08051805 in vradlog ()
No symbol table info available.
#4  0x08051a4f in log_debug ()
No symbol table info available.
#5  0x40403a08 in eap_compose () from
/usr/lib/freeradius/rlm_eap-1.1.3.so
No symbol table info available.
#6  0x40402cbc in ?? () from /usr/lib/freeradius/rlm_eap-1.1.3.so
No symbol table info available.
#7  0x08165ec0 in ?? ()
No symbol table info available.
#8  0x404053b5 in ?? () from /usr/lib/freeradius/rlm_eap-1.1.3.so
No symbol table info available.
#9  0x0155 in ?? ()
No symbol table info available.
#10 0x40059714 in ?? () from /usr/lib/freeradius/libradius-1.1.3.so
No symbol table info available.
#11 0x4005a424 in ?? () from /usr/lib/freeradius/libradius-1.1.3.so
No symbol table info available.
#12 0x4005addc in ?? () from /usr/lib/freeradius/libradius-1.1.3.so
No symbol table info available.
#13 0x in ?? ()
No symbol table info available.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Friday, October 06, 2006 4:37 PM
To: FreeRadius users mailing list
Subject: Re: Windows Vista doing PEAP 

King, Michael [EMAIL PROTECTED] wrote:
 Not to rude, have you had a chance to poke that Patch again? 

  Reload it from the same URL as last time.

  If it still crashes, see doc/bugs.  I don't see how it can crash at
all, so the crash looks like a symptom of another issue.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


AD Group based ldap auth

2006-10-10 Thread Dourty, Brian R. (IATS)
I'm trying to get group based authentication working using LDAP against
AD. Right now I'm getting a failure related to the group search filter.
What filter should I be using?

groupmembership_filter = (|((objectClass=group)(member=%{Ldap-UserDn}))((objectClass=top)(uniquemember=%{Ldap-UserDn})))

Looking at the howto here
http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048536.html
got me part of the way. Anyone out there doing group based auth against AD mind sharing their config?

Thanks,

Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035




Support for Sub-TLVs within VSA TLVs

2006-10-10 Thread Santhosh Thodupunoori

Hi All,



I am trying to make a dictionary for Wimax attributes (defined by the Wimax forum/NWG). A few of the attributes they defined have sub-attributes. The format for one such attribute is given below:



RadiusType = 26
Length
Value
  Wimax Type = 10
  Length
  Sub-type = 1 or 2 or 3
  --Length
  --Value



Does Freeradius have support for Sub-TLVs inside VSA TLVs today?

If yes, can someone please give me an example of one such entry in the dictionary.



If Freeradius does
not currently support sub-attributes, is there a plan to support this in
future?



Thanks in advance

Santosh
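Dictionary support aside, the on-the-wire layout described above is a Vendor-Specific attribute (type 26) whose value carries the vendor's own TLV, which in turn carries sub-TLVs. As an added example (not FreeRADIUS code), the Python below encodes and decodes that nesting for the layout exactly as the message describes it, with the 4-byte Vendor-Id that RFC 2865 places in front of the vendor data; the Vendor-Id constant and the sample sub-attribute values are assumptions, and every length field is validated on decode so a malformed inner length cannot run past the buffer.

```python
import struct

RADIUS_VSA_TYPE = 26     # Vendor-Specific attribute type (RFC 2865)
WIMAX_VENDOR_ID = 24757  # assumed Vendor-Id for the WiMAX Forum; a placeholder here
WIMAX_TYPE = 10          # the vendor attribute from the message


def encode_tlv(tlv_type, value):
    """One TLV: Type(1) Length(1) Value; Length counts the two header bytes."""
    if not 0 <= tlv_type <= 255:
        raise ValueError("type out of range")
    if len(value) > 253:
        raise ValueError("TLV value too long for a one-byte length")
    return bytes([tlv_type, 2 + len(value)]) + value


def encode_wimax_vsa(sub_tlvs):
    """Build attribute 26 -> Vendor-Id -> Wimax Type 10 -> sub-TLVs.

    sub_tlvs: list of (sub_type, value_bytes), sub_type being 1, 2 or 3."""
    inner = b"".join(encode_tlv(st, v) for st, v in sub_tlvs)
    vendor_attr = encode_tlv(WIMAX_TYPE, inner)
    return encode_tlv(RADIUS_VSA_TYPE,
                      struct.pack("!I", WIMAX_VENDOR_ID) + vendor_attr)


def decode_tlvs(buf):
    """Split a buffer of concatenated TLVs, checking every length field."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError(f"truncated TLV header at offset {i}")
        tlv_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad TLV length {length} at offset {i}")
        out.append((tlv_type, bytes(buf[i + 2:i + length])))
        i += length
    return out


def decode_wimax_vsa(attr):
    """Return {vendor_type: {sub_type: value}} for one attribute 26."""
    tlvs = decode_tlvs(attr)
    if len(tlvs) != 1 or tlvs[0][0] != RADIUS_VSA_TYPE:
        raise ValueError("expected exactly one Vendor-Specific attribute")
    value = tlvs[0][1]
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than a Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id != WIMAX_VENDOR_ID:
        raise ValueError(f"unexpected Vendor-Id {vendor_id}")
    return {vtype: dict(decode_tlvs(vval))
            for vtype, vval in decode_tlvs(value[4:])}


def is_malformed(attr):
    """True when the attribute fails structural/length validation."""
    try:
        decode_wimax_vsa(attr)
    except ValueError:
        return True
    return False


# Constructed sample: two sub-attributes under Wimax Type 10.
SAMPLE_SUB_TLVS = [(1, b"\x00\x00\x01\x00"), (2, b"\x01")]


def roundtrip(sub_tlvs=SAMPLE_SUB_TLVS):
    """Encode, then decode, returning (wire_bytes, decoded)."""
    wire = encode_wimax_vsa(sub_tlvs)
    return wire, decode_wimax_vsa(wire)


if __name__ == "__main__":
    wire, decoded = roundtrip()
    print(wire.hex(" "))
    print(decoded)
```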











RE: EAP-TLS Certificate problems.

2006-10-10 Thread Brian vb
Got it up and running. Partially your help, and partially me going and
forcefully breaking something to see what errors cropped up. Renamed the
original PEM directory in OpenSSL and all sorts of errors popped up that led
me to the discovery it was still using the DemoCA's CA to make the client
and server certs, and not the CA created by the script. I've since got that
fixed and it all works perfect now.

Best way to fix a noncritical is to break it and see what goes really wrong!
;)

Thanks,
Brian.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED] On Behalf Of Jason-
 Wittlin-Cohen
 Sent: Monday, October 09, 2006 1:45 PM
 To: freeradius-users@lists.freeradius.org
 Subject: RE: EAP-TLS Certificate problems.
 
  Date: Mon, 9 Oct 2006 11:26:51 -0400
  From: Brian vb [EMAIL PROTECTED]
  Subject: RE: EAP-TLS Certificate problems.
  To: 'FreeRadius users mailing list'
  freeradius-users@lists.freeradius.org
  Message-ID: [EMAIL PROTECTED]
  Content-Type: text/plain;   charset=us-ascii
 
  Recreated certs, same issue came with the Issuer field. XPExtensions are
  used. Password is the same in this file an what Freeradius has just
 changed
  to protect it.
 
 
  Here is the batch file I'm using to create the certs. I don't see
 anything
  amiss between it and the page you sent.. any ideas?
 
 
  PATH=C:\openssl\bin;C:\ssl1;%path%
  export LD_LIBRARY_PATH=C:\openssl\lib
 
 
  CD\SSL1
 
  REM CA Creation
  C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
  -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -
 cacerts
  -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
  pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
  root.der
 
 I'm not sure what you're doing here. First,  C:\openssl\bin\openssl
 req -new -x509 -keyout newreq.pem -out newreq.pem
  -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
 You're outputting the private key and public key to the same file. I'm
 not sure if this will include both in the same file, or only create
 one. Regardless, it's not what you want to do. Give the files unique
 names. The clients and server need the public key and only the
 certificate signing machine needs the private key. You don't want to
 combine the keys.
 
 To create a CA:
 
 openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
 365 -config openssl.cnf
 
 Also, why are you creating a p12 file for the CA? You certainly don't
 want to hand out the private key to clients, and for certificate
 signing, you only need the private key which can be stored in
 cakey.pem for example. Clients should be given cacert.pem or
 cacert.der depending on the format you use. The p12 format should only
 be used for client certs because those need to combine private key +
 certificate (at least for the MS supplicant).
 
 
  REM Client cert Create
  C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days
 730
  -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
 Again, -keyout is used to create the private key, and -out to create
 the certificate signing request which is then passed on to the CA
 later. You're using the same filename, so I have no idea what's
 happening. Either you have a certificate signing request and no key,
 or a key without a signing request. Either way, it won't work.
 
 
 You need to do something like this:
 
 openssl req -new -keyout client_key.pem \
 -out client_req.pem -days 730 -config ./openssl.cnf
 
 Notice that the key and the signing request are given different names.
 
 
  C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -
 passin
  pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -
 extfile
  xpexts -infiles newreq.pem
 
  C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem
 -out
  cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
  pass:PassCodeRemoved
 
  C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
  pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
  C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -
 out
  cert-clt.der
 
 So, you convert from a PEM certificate and PEM key, to a P12 cert+key,
 to a PEM cert+key to  DER cert+key. Why? The P12 cert+key will work
 fine.
 
 
  REM Server Cert Create
  C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days
 730
  -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
 
 Again, the key and certificate signing request must be given different
 names or else your setup will fail.
 
 
  C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -
 passin
  pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -
 extfile

Re: Adding proxying to our EAP setup

2006-10-10 Thread Phil Mayers

Dave Mussulman wrote:

The catch I ran into involved the mschap section not authenticating off
the User-Password in the users file if I had ntlm_auth line configured.
This is my test system, and I don't have samba/winbindd configured so
those attempts always failed, but it never seemed to fall back to
figuring out itself.  That made troubleshooting difficult when I
couldn't get the simple users file entry to work.  Commenting out the
ntlm_auth line did the trick.  I haven't changed anything on our
production servers, but it must do things differently as we have
ntlm_auth configured and authenticating from the AD or a sql database
with local passwords.  Maybe FreeRADIUS handles different ntlm_auth
failures differently (cannot bind versus bad user password?)


You need something like this:

alocaluser  User-Password := astring, MS-CHAP-Use-NTLM-Auth := 0

...which lets you use ntlm_auth for some users, but override it on a 
case-by-case basis.



Until the upstream server gets the functionality I'm looking for, there
were a few possible future issues I wanted to document before I lost
them.  If I set copy_request_to_tunnel in peap to yes, my NAS-IP-Address
== 127.0.0.1 trick doesn't work.  I was also concerned that proxying


Hmm. Yes, that would occur, and in many cases copy_request_to_tunnel is 
highly desirable. Not sure how to handle that.



seems to keep the NAS-IP-Address set to 127.0.0.1, and I didn't know if
the upstream provider would be concerned about that.  I put a setting in
the preproxy_users file to set that to an allowed NAS IP, but didn't get
to fully test/confirm that worked.


Yes again. Hmm. Not really optimal - the ideal situation would be 
copy_request_to_tunnel to give the original NAS IPs/ports/etc. to the 
upstream server, but as you say that breaks the match for the inner eap. 
I guess inner/outer should really be a FreeRadius internal attribute.


From the look of the code however, fake requests will have 
Client-IP-Address set to 127.0.0.1 by the preprocess module, and 
that's a FreeRadius internal/not-on-the-wire attribute - you should be 
able to replace matching on NAS-IP-Address with Client-IP-Address and 
set copy_request_to_tunnel and all would be well.




Thanks again for the help, and great product!

Dave


mac auth help please

2006-10-10 Thread Marwan Sultan

Hello guys,

  I'm on FreeBSD6.1-R, freeradius, mysql4.1, and using chillispot to authenticate users.

 It's a wired network, not a wireless one.

  The problem is some users are using phone adapters such as Motorola or Cisco on my network,
  so instead of plugging the cat5 (ethernet) cable into their laptop they are plugging the cable into the phone adapter.
  The adapter is not working of course because it's expecting an internet connection,
  while chillispot will expect the adapter to authenticate, which the adapter will not.

 So I have been advised to add the MAC address to some allow list.

 Is there any way that I can make 1 MAC address only not authenticate,
 and keep the rest of the network authenticating using chillispot?

Thank you.
 Marwan Sultan



Decisionmaking in FreeRADIUS Check/Reply Items

2006-10-10 Thread Jan Mulders

Hello list,

I am trying to use the 'files' module of Freeradius to do
decisionmaking, based on information pulled in from the sql module,
and the sqlcounter thing.

First off, is this the right way of doing this? I want to assign users
a different Pool-Name for  each assigned speed, and send
Max-Download-Speed and Max-Upload-Speed vendor-specific variables to
the client on each request.

My actual problem relates to the following errors, pulled from radiusd -X:


Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
[/etc/raddb/users]:214 WARNING! Check item Pool-Name found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:214 WARNING! Check item Max-Download-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:214 WARNING! Check item Max-Upload-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:220 WARNING! Check item Pool-Name found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:220 WARNING! Check item Max-Download-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:220 WARNING! Check item Max-Upload-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:226 WARNING! Check item Pool-Name found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:226 WARNING! Check item Max-Download-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:226 WARNING! Check item Max-Upload-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:232 WARNING! Check item Pool-Name found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:232 WARNING! Check item Max-Download-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
[/etc/raddb/users]:232 WARNING! Check item Max-Upload-Rate found in reply item list for user DEFAULT. This attribute MUST go on the first line with the other check items
Module: Instantiated files (files)
radiusd.conf: files modules aren't allowed in 'post-auth' sections
-- they have no such method.
radiusd.conf[327] Failed to parse post-auth section.
[EMAIL PROTECTED] [/etc/raddb]#

The offending rules are in users:


DEFAULT User-Bytes-Used  21474836480 , Group == 512k
# user gets high speed service if under 20gb
   Pool-Name := 512k_high,
   Max-Download-Rate := 524288,
   Max-Upload-Rate := 262144

DEFAULT User-Bytes-Used  21474836480 , Group == 512k
# user gets low speed service if under 20gb
   Pool-Name := 512k_low,
   Max-Download-Rate := 262144,
   Max-Upload-Rate := 131072

DEFAULT User-Bytes-Used  53687091200 , Group == 10m
# user gets high speed service if under 50gb
   Pool-Name := 10m_high,
   Max-Download-Rate := 10485760,
   Max-Upload-Rate := 10485760

DEFAULT User-Bytes-Used  53687091200 , Group == 10m
# user gets low speed service if over 50gb
   Pool-Name := 10m_low,
   Max-Download-Rate := 1048576,
   Max-Upload-Rate := 1048576

But... but... the bottom 3 attributes *aren't* check attributes! I
want to *set* them! Or am I getting entirely the wrong end of the
stick here?

Can somebody point out how these rules are meant to be arranged, and
perhaps how I could do this in sql? It's all quite confusing.




# radiusd.conf - important bits ##

sqlcounter monthlybytecounter {
   counter-name = User-Bytes-Used
   check-name = Max-User-Bytes
   sqlmod-inst = sql
   key = User-Name
   reset = monthly

   # this query is awesome in every way.
   # it selects the traffic used by the user since they
last paid for their subscription
   # and adds up the input and output bytes together to
get a composite usage figure.
   query = SELECT SUM(AcctInputOcte..
   }

instantiate {
   monthlybytecounter

}

authorize {
   preprocess
   sql
}

authenticate {
   pap
}

preacct {
   preprocess
#   acct_unique
}

accounting {
   #acct_unique
   #detail
   radutmp # ?
   512k_high
   512k_low
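The warnings quoted in this message say the server treats Pool-Name, Max-Download-Rate and Max-Upload-Rate as check items, and the users-file layout they refer to is: an unindented first line with the entry name and its check items, then indented lines of reply items with a trailing comma continuing the list. The following is an added example (not FreeRADIUS code) that parses entries with that layout, reports the same misplacement the warnings report, and moves the flagged attributes onto the first line; the sample entries are constructed, with `<` assumed for the comparison operator that is missing from the quoted rule and Session-Timeout standing in as an ordinary reply item.

```python
import re

# Attributes the server treats as check items, per the warnings in the message.
CHECK_ONLY = {"Pool-Name", "Max-Download-Rate", "Max-Upload-Rate"}

# attribute, operator, value (longer operators listed before their prefixes)
ITEM_RE = re.compile(
    r'^\s*([\w-]+)\s*(:=|==|!=|<=|>=|=~|!~|=\*|!\*|<|>|=)\s*(.+?)\s*$')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' (values containing commas are not
    handled; this example assumes none)."""
    items = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ITEM_RE.match(chunk)
        if not m:
            raise ValueError(f"cannot parse item: {chunk!r}")
        items.append((m.group(1), m.group(2), m.group(3)))
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items)] using the users-file layout:
    an unindented line carries the entry name and its check items; indented
    lines that follow carry reply items. Comments and blank lines are skipped."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            if cur:
                entries.append(cur)
            m = re.match(r'^(\S+)\s*(.*)$', raw)
            cur = (m.group(1), parse_items(m.group(2)), [])
        else:
            if cur is None:
                raise ValueError("reply item before any entry")
            cur[2].extend(parse_items(raw))
    if cur:
        entries.append(cur)
    return entries


def misplaced_check_items(entries, check_only=CHECK_ONLY):
    """What the server warns about: check-only attributes in a reply list."""
    return [(name, attr)
            for name, _, reply in entries
            for attr, _, _ in reply if attr in check_only]


def fix_entry(name, check, reply, check_only=CHECK_ONLY):
    """Move check-only attributes onto the first line; keep true reply items."""
    moved = [i for i in reply if i[0] in check_only]
    kept = [i for i in reply if i[0] not in check_only]
    return (name, check + moved, kept)


def render(entries):
    """Write entries back out in users-file layout."""
    lines = []
    for name, check, reply in entries:
        lines.append(f"{name}\t" + ", ".join(f"{a} {o} {v}" for a, o, v in check))
        for n, (a, o, v) in enumerate(reply):
            lines.append(f"\t{a} {o} {v}" + ("," if n < len(reply) - 1 else ""))
    return "\n".join(lines) + "\n"


# Constructed sample: the first entry mirrors the message's DEFAULT rule
# ('<' assumed for the missing operator); the second is a well-formed entry.
SAMPLE_USERS = """\
DEFAULT\tUser-Bytes-Used < 21474836480, Group == 512k
# user gets high speed service if under 20gb
\tPool-Name := 512k_high,
\tMax-Download-Rate := 524288,
\tMax-Upload-Rate := 262144

alocaluser\tUser-Password := astring, MS-CHAP-Use-NTLM-Auth := 0
\tSession-Timeout := 3600
"""


def check_and_fix(text=SAMPLE_USERS):
    """Return (warnings, corrected users-file text)."""
    entries = parse_users(text)
    warnings = misplaced_check_items(entries)
    fixed = [fix_entry(*e) for e in entries]
    return warnings, render(fixed)


if __name__ == "__main__":
    warnings, fixed_text = check_and_fix()
    for name, attr in warnings:
        print(f"WARNING! Check item {attr} found in reply item list for user {name}")
    print(fixed_text)
```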
  

Accounting-Response Log ??

2006-10-10 Thread Rio Yang
Hi, I have two radius servers (Freeradius and Juniper SBR). The Freeradius server is a radius proxy that proxies all auth/acct requests to the Juniper SBR. Then I sometimes found there are some accounting-stop requests that don't arrive at the Juniper SBR.
Because the Freeradius server and the Juniper SBR are in different subnets and go through a firewall, I think this problem may be caused by the firewall. In the radius accounting communication model there should be a request and a response.
Does freeradius log the accounting-response result? How do I enable it? I want this log to identify the problem. Thanks. Rio Yang