Re: Pam radius authentication

2006-10-17 Thread danieldinu
First of all, thank you for your reply. Until now, you are the only one.

Now, let's take it step by step:

This is a part of INSTALL:
**
 Redhat Linux  5.0
**

  make.

  Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

  In the per-application configuration (/etc/pam.d/application) add:

auth   sufficient   /lib/security/pam_radius_auth.so

  AFTER

auth   required /lib/security/pam_securetty.so

  and BEFORE

auth   required /lib/security/pam_unix_auth.so

  i.e.

auth   required /lib/security/pam_securetty.so
auth   sufficient   /lib/security/pam_radius_auth.so
auth   required /lib/security/pam_unix_auth.so

My linux is RedHat 9, so this part pertains to my machine : Redhat Linux  5.0

make.

  Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so - already 
did...

In the per-application configuration (/etc/pam.d/application) add: - I want 
to use pam radius to authenticate ssh logins, so (/etc/pam.d/application) 
becomes /etc/pam.d/sshd

auth   required pam_securetty.so
auth   sufficient   pam_radius_auth.so debug
auth   required /lib/security/pam_unix_auth.so
-this part from INSTALL is identical to my /etc/pam.d/sshd...all of these 
modules deal with authentication (auth). pam_securetty verifies if root can 
login through tty by reading /etc/securetty. required means that this step is 
mandatory and that after this verification, the next authentication method will 
take place.
this is where pam_radius_auth comes. the messages are exchanged as explained in 
my previous e-mail. sufficient means that if this authentication succeeds, 
the following authentication methods will not be checked...in other terms: 
auth   required /lib/security/pam_unix_auth.so will be passed.

I don't understand why you are saying that you are invoking pam_radius_auth in 
the wrong place and for the wrong reason...please, be more specific and if you 
know the right configuration, enlighten me!

Again, any help would be appreciated!





Hi,

 anyone??? pls!!! no suggestions at all ? :(

I'd read the INSTALL doc that comes as part of the pam_radius
tool.

- cat /etc/pam.d/sshd
 #%PAM-1.0
 auth       required     pam_securetty.so
 auth       sufficient   pam_radius_auth.so debug
 auth       required     /lib/security/pam_unix_auth.so
 account    required     pam_radius_auth.so debug
 password   required     pam_stack.so service=system-auth
 session    required     pam_stack.so service=system-auth
 session    required     pam_limits.so
 session    optional     pam_console.so

no. you're invoking pam_radius_auth in the wrong place and for the wrong reason.
again the INSTALL is your friend.


your radius configuration appears to be correct

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


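
To pin down what "required" and "sufficient" do to the sshd stack the two posters are arguing about, here is a small simulator. It is an added example, not code from the thread, from Linux-PAM or from pam_radius_auth: the control-flag rules follow the simple keywords described in pam.conf(5), and each module's verdict is a constructed input (a dictionary) rather than a real PAM call, so it runs anywhere Python does.

```python
# Simulation of Linux-PAM "auth" stack evaluation for the simple control keywords
# (required, requisite, sufficient, optional), following pam.conf(5).
# Added example: module verdicts are supplied as constructed inputs, no real PAM calls.

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # e.g. "pam_radius_auth.so"


# The sshd auth stack from the thread (module arguments such as "debug" omitted)
SSHD_STACK = [
    Entry("required",   "pam_securetty.so"),
    Entry("sufficient", "pam_radius_auth.so"),
    Entry("required",   "pam_unix_auth.so"),
]

# Hypothetical variant for comparison: RADIUS made mandatory instead of sufficient
STRICT_STACK = [
    Entry("required",   "pam_securetty.so"),
    Entry("required",   "pam_radius_auth.so"),
    Entry("required",   "pam_unix_auth.so"),
]


def run_stack(stack: List[Entry], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a stack given each module's outcome (True = PAM_SUCCESS).

    Returns (authenticated, modules_actually_called)."""
    required_failed = False
    called: List[str] = []
    for entry in stack:
        ok = results[entry.module]
        called.append(entry.module)
        if entry.control == "requisite":
            if not ok:
                return False, called          # fail at once, later modules never run
        elif entry.control == "required":
            if not ok:
                required_failed = True        # final answer is failure, but keep going
        elif entry.control == "sufficient":
            if ok and not required_failed:
                return True, called           # short-circuit: nothing below is consulted
            # a failing sufficient module is simply ignored
        elif entry.control == "optional":
            if len(stack) == 1:
                return ok, called             # only decisive when it is the sole entry
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    return not required_failed, called


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed module outcomes for the scenarios the thread argues about."""
    return {
        # RADIUS accepts: pam_unix_auth is never consulted
        "radius_ok": run_stack(SSHD_STACK, {
            "pam_securetty.so": True, "pam_radius_auth.so": True, "pam_unix_auth.so": False}),
        # RADIUS rejects (or is unreachable): the local password is still accepted
        "radius_fail_local_ok": run_stack(SSHD_STACK, {
            "pam_securetty.so": True, "pam_radius_auth.so": False, "pam_unix_auth.so": True}),
        # root on a non-secure tty: the earlier "required" failure survives a RADIUS accept
        "securetty_fail": run_stack(SSHD_STACK, {
            "pam_securetty.so": False, "pam_radius_auth.so": True, "pam_unix_auth.so": True}),
        # the same RADIUS rejection against the strict variant
        "strict_radius_fail": run_stack(STRICT_STACK, {
            "pam_securetty.so": True, "pam_radius_auth.so": False, "pam_unix_auth.so": True}),
    }


if __name__ == "__main__":
    for name, (authenticated, called) in demo().items():
        print(f"{name:22s} -> {'PASS' if authenticated else 'FAIL'}  called={called}")
```

Two things the runs show. With "sufficient", a RADIUS accept ends the stack before pam_unix_auth is consulted, and a RADIUS reject (or an unreachable server) is ignored and authentication falls through to the local password, so the stack means "RADIUS or local", never "RADIUS and local". A "required" failure earlier in the stack (pam_securetty) still wins even when RADIUS accepts, because "sufficient" only short-circuits when nothing required has failed yet.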


Re: sqlippool + MySQL

2006-10-17 Thread Peter Nixon
Hi Jan and Roberto

We ARE doing serious work on sqlippool but it is all with Postgresql. As Jan 
says, someone with a little MySQL knowledge shouldn't have problems making 
those queries work with MySQL. Once you have them working please send them to 
me so I can include them in cvs.

Cheers

Peter


On Tue 17 Oct 2006 00:58, Jan Mulders wrote:
 Someone needs to do some serious work on sqlippool. I'd do so, but
 currently I have no need for SQL-assigned IPs, as I only have one
 RADIUS server - and if it fails over, the least thing I have to worry
 about is current IP assignments.

 I recommend finding someone who is adept at *SQL and buy them a pizza.
 Then ask them to 'translate' those queries for you.

 Jan

 On 16/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote:
 
  Does somebody know how to configure sqlippool with MySQL?
  The sqlippool.conf example is for pgsql. And for MySQL?
 
  Here is my sqlippool.conf, corrected for MySQL:
  
 
  sqlippool sqlippool {

      #
      # SQL connection information
      #
      sql-instance-name = sql

      # lease_duration. fix for lost acc-stop packets
      lease-duration = 3600

      # Attribute which should be considered unique per NAS
      pool-key = %{Acct-Session-Id}
      pool-name = mypool

      # pool-key = %{Calling-Station-Id}


      #
      # This series of queries allocates an IP address
      #
      allocate-clear = UPDATE radippool \
          SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
          expiry_time = NOW() - INTERVAL 1 SECOND \
          WHERE pool_key = '${pool-key}'

      # note the ORDER BY clause of next query, it'll try to allocate IPs
      # like Cisco internal pools do - it _tries_ to allocate the same
      # IP-address which user had last session...
      allocate-find = SELECT FramedIPAddress FROM radippool \
          WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time < NOW() \
          ORDER BY pool_name, (UserName <> '%{User-Name}'), \
                   (CallingStationId <> '%{Calling-Station-Id}'), expiry_time \
          LIMIT 1 \
          FOR UPDATE

      allocate-update = UPDATE radippool \
          SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
          CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \
          expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
          WHERE FramedIPAddress = '%{Framed-IP-Address}'


      #
      # This series of queries frees an IP number when an accounting
      # START record arrives
      #
      start-update = UPDATE radippool \
          SET expiry_time = NOW() + INTERVAL %J SECOND \
          WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name = '%P'

      #
      # This series of queries frees an IP number when an accounting
      # STOP record arrives
      #
      stop-clear = UPDATE radippool \
          SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
          expiry_time = NOW() - INTERVAL 1 SECOND \
          WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}' \
          AND UserName = '%{User-Name}' \
          AND CallingStationId = '%{Calling-Station-Id}' \
          AND FramedIPAddress = '%{Framed-IP-Address}'


      #
      # This series of queries frees an IP number when an accounting
      # ALIVE record arrives
      #
      alive-update = UPDATE radippool \
          SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
          WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
          AND UserName = '%{User-Name}' \
          AND CallingStationId = '%{Calling-Station-Id}' \
          AND FramedIPAddress = '%{Framed-IP-Address}'


      #
      # This series of queries frees the IP numbers allocated to a
      # NAS when an accounting ON record arrives
      #
      on-clear = UPDATE radippool \
          SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
          expiry_time = NOW() - INTERVAL 1 SECOND \
          WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
          AND CallingStationId = '%{Calling-Station-Id}' \
          AND FramedIPAddress = '%{Framed-IP-Address}'

      #
      # This series of queries frees the IP numbers allocated to a
      # NAS when an accounting OFF record arrives
      #
      off-clear = UPDATE radippool \
          SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
          expiry_time = NOW() - INTERVAL 1 SECOND \
          WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
          AND CallingStationId = '%{Calling-Station-Id}' \
          AND FramedIPAddress = '%{Framed-IP-Address}'


  }
  
 
  Here is the radiusd -X:
  
  ...
  Mon Oct 16 17:50:50 2006 : Debug:   Processing the post-auth section of
  radiusd.conf
  Mon Oct 16 17:50:50 2006 : Debug: modcall: entering group post-auth for
  request 0
  Mon Oct 16 17:50:50 2006 : Debug:   modsingle[post-auth]: calling
  sqlippool (rlm_sqlippool) for request 0
  Mon Oct 16 17:50:50 2006 : Debug: rlm_sqlippool: Framed-IP-Address
  already exists
  Mon Oct 16 17:50:50 2006 : Debug:   modsingle[post-auth]: returned from
  sqlippool (rlm_sqlippool) for request 0
  Mon Oct 16 17:50:50 2006 : Debug:   modcall[post-auth]: module
  sqlippool 
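
The lease logic in the queries quoted above (allocate-clear, allocate-find, allocate-update, and the stop and alive accounting updates) is easier to reason about when run against a small table. What follows is an added example, not code from the thread or from rlm_sqlippool: it re-runs the same sequence of statements against an in-memory SQLite table, with expiry_time as integer epoch seconds in place of MySQL's NOW()/INTERVAL arithmetic, a constructed three-address pool and a constructed series of sessions. The FramedIPAddress tie-breaker in ORDER BY is an addition for determinism, and SQLite has no FOR UPDATE row lock.

```python
# Added example: the sqlippool allocate/stop/alive queries from the thread, replayed on
# an in-memory SQLite table. Times are constructed epoch seconds, not MySQL NOW().
import sqlite3

POOL_NAME = "mypool"
ADDRESSES = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed three-address pool
LEASE_DURATION = 3600                              # lease-duration from the thread's config


def make_pool():
    """Create an in-memory radippool table with the columns the thread's queries use."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radippool (
                    FramedIPAddress  TEXT PRIMARY KEY,
                    pool_name        TEXT,
                    NASIPAddress     TEXT,
                    pool_key         TEXT,
                    CallingStationId TEXT,
                    UserName         TEXT,
                    expiry_time      INTEGER)""")    # epoch seconds instead of DATETIME
    db.executemany("INSERT INTO radippool VALUES (?, ?, '', '0', '', '', 0)",
                   [(ip, POOL_NAME) for ip in ADDRESSES])
    db.commit()
    return db


def allocate(db, now, session_id, nas_ip, user, calling_station):
    """allocate-clear + allocate-find + allocate-update, as run from post-auth."""
    # allocate-clear: release anything already held under this pool-key (Acct-Session-Id)
    db.execute("""UPDATE radippool SET NASIPAddress = '', pool_key = '0',
                  CallingStationId = '', expiry_time = ? WHERE pool_key = ?""",
               (now - 1, session_id))
    # allocate-find: among expired leases prefer this user's last address, then this
    # station's, then the longest-expired one. FramedIPAddress is appended only so the
    # result is deterministic when all three keys tie (SQLite does not promise a stable
    # sort); the MySQL query additionally takes a FOR UPDATE row lock.
    row = db.execute("""SELECT FramedIPAddress FROM radippool
                        WHERE pool_name = ? AND expiry_time < ?
                        ORDER BY (UserName <> ?), (CallingStationId <> ?), expiry_time,
                                 FramedIPAddress
                        LIMIT 1""", (POOL_NAME, now, user, calling_station)).fetchone()
    if row is None:
        db.commit()
        return None          # the "IP number could not be allocated" case
    ip = row[0]
    # allocate-update: bind the address to this session for lease-duration seconds
    db.execute("""UPDATE radippool SET NASIPAddress = ?, pool_key = ?, CallingStationId = ?,
                  UserName = ?, expiry_time = ? WHERE FramedIPAddress = ?""",
               (nas_ip, session_id, calling_station, user, now + LEASE_DURATION, ip))
    db.commit()
    return ip


def accounting_stop(db, now, session_id, nas_ip, user, calling_station, ip):
    """stop-clear: expire the lease as soon as the Accounting-Stop arrives.
    The full NAS/session/user/station/address tuple must match, so a Stop for one
    session cannot release another session's address."""
    db.execute("""UPDATE radippool SET NASIPAddress = '', pool_key = '0',
                  CallingStationId = '', expiry_time = ?
                  WHERE NASIPAddress = ? AND pool_key = ? AND UserName = ?
                    AND CallingStationId = ? AND FramedIPAddress = ?""",
               (now - 1, nas_ip, session_id, user, calling_station, ip))
    db.commit()


def accounting_alive(db, now, session_id, nas_ip, user, calling_station, ip):
    """alive-update: an Interim-Update pushes expiry_time forward, so a lost Stop
    only strands the address until the lease runs out."""
    db.execute("""UPDATE radippool SET expiry_time = ?
                  WHERE NASIPAddress = ? AND pool_key = ? AND UserName = ?
                    AND CallingStationId = ? AND FramedIPAddress = ?""",
               (now + LEASE_DURATION, nas_ip, session_id, user, calling_station, ip))
    db.commit()


def demo():
    """Walk a constructed sequence of sessions through the pool and collect the outcomes."""
    nas = "192.0.2.1"
    db = make_pool()
    out = {}
    out["alice1"] = allocate(db, 1000, "s1", nas, "alice", "00-11-22-33-44-01")
    out["bob"]    = allocate(db, 1001, "s2", nas, "bob",   "00-11-22-33-44-02")
    out["carol"]  = allocate(db, 1002, "s3", nas, "carol", "00-11-22-33-44-03")
    accounting_stop(db, 1400, "s2", nas, "bob",   "00-11-22-33-44-02", out["bob"])
    accounting_stop(db, 1500, "s1", nas, "alice", "00-11-22-33-44-01", out["alice1"])
    # alice reconnects: bob's address expired earlier, but the ORDER BY hands alice
    # back the address she held last (the Cisco-like behaviour the comment describes)
    out["alice2"] = allocate(db, 1600, "s4", nas, "alice", "00-11-22-33-44-01")
    # dave gets the longest-expired free address
    out["dave"]   = allocate(db, 1700, "s5", nas, "dave",  "00-11-22-33-44-04")
    # every address is now leased
    out["eve"]    = allocate(db, 1800, "s6", nas, "eve",   "00-11-22-33-44-05")
    # carol's Interim-Update at t=4000 extends her lease to 7600 ...
    accounting_alive(db, 4000, "s3", nas, "carol", "00-11-22-33-44-03", out["carol"])
    # ... so at t=4650 her original 4602 expiry no longer frees 10.0.0.3
    out["frank"]  = allocate(db, 4650, "s7", nas, "frank", "00-11-22-33-44-06")
    # alice never sent a Stop for s4; her lease (1600 + 3600) simply times out
    out["grace"]  = allocate(db, 5250, "s8", nas, "grace", "00-11-22-33-44-07")
    return out


if __name__ == "__main__":
    for who, ip in demo().items():
        print(f"{who:8s} -> {ip}")
```

The run shows the three behaviours the queries encode: an address goes back to the user who last held it even when another address expired earlier, a fresh user gets the longest-expired address, and once everything is leased allocate-find returns no row, which is the point at which rlm_sqlippool reports that no IP could be allocated. The alive update is what keeps a live session from being recycled when a Stop is lost, and the expiry timeout is what eventually reclaims it anyway.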

core dump with freeradius-1.1.3-mysql

2006-10-17 Thread Kostas Kalevras
Hello, I've been encountering core dumps with freeradius-1.1.3 in the 
mysql module.


Information:

OS: SunOS radius 5.8 Generic_108528-29 sun4u sparc SUNW,UltraAX-i2
After core dump: Radius process still exists but won't handle requests
GDB:
#0  0xfdfc89e4 in mysql_errno () from 
/opt/csw/mysql4/lib/mysql/libmysqlclient_r.so.14
#1  0xfe150e38 in sql_query () from 
/usr/local/freeradius-1.1.3/lib/rlm_sql_mysql-1.1.3.so
#2  0xfe176fc0 in rlm_sql_query () from 
/usr/local/freeradius-1.1.3/lib/rlm_sql-1.1.3.so
#3  0xfe174fe8 in rlm_sql_accounting () from 
/usr/local/freeradius-1.1.3/lib/rlm_sql-1.1.3.so

#4  0x22568 in module_post_auth ()
#5  0x23088 in modcall ()
#6  0x2262c in module_post_auth ()
#7  0x227ec in module_post_auth ()
#8  0x22fbc in modcall ()
#9  0x210c8 in find_module_instance ()
#10 0x21fd0 in module_accounting ()
#11 0x139d8 in rad_accounting ()
#12 0x2c008 in session_zap ()
#13 0xfe175ed0 in rlm_sql_checksimul () from 
/usr/local/freeradius-1.1.3/lib/rlm_sql-1.1.3.so

#14 0x22568 in module_post_auth ()
#15 0x23088 in modcall ()
#16 0x2262c in module_post_auth ()
#17 0x227ec in module_post_auth ()
#18 0x22fbc in modcall ()
#19 0x210c8 in find_module_instance ()
#20 0x22078 in module_checksimul ()
#21 0x155f8 in rad_authenticate ()
#22 0x284f4 in rad_respond ()
#23 0x2cf88 in rad_check_ts ()

As can be seen, I'm using the thread safe mysql libraries.
  PKGINST:  CSWmysql4rt
 NAME:  mysql4rt - run-time libraries for mysql4
 CATEGORY:  system
 ARCH:  sparc
  VERSION:  4.1.21,REV=2006.07.29


Lines in source file:

/src/freeradius-1.1.3/src/modules/rlm_sql/drivers/rlm_sql_mysql/sql_mysql.c

static int sql_query(SQLSOCK * sqlsocket, SQL_CONFIG *config, char *querystr)
{
 [..]

   mysql_query(mysql_sock->sock, querystr);
   return sql_check_error(mysql_errno(mysql_sock->sock));
}


Log file:

Tue Oct 17 11:11:51 2006 : Error: Discarding duplicate request from 
client adsl.ira:1645 - ID: 141 due to unfinished request 482895
Tue Oct 17 11:11:51 2006 : Auth: Login OK: [r-165dim-athin] (from client 
cas1.att port 20211 cli )
Tue Oct 17 11:11:52 2006 : Error: Discarding duplicate request from 
client adsl.ira:1645 - ID: 144 due to unfinished request 482980
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:52 2006 : Auth: Login incorrect: [sch.gr] (from client 
adsl.ach port 581 cli atm 2)
Tue Oct 17 11:11:52 2006 : Auth: Login OK: [r-gym-amaliad] (from client 
cas.ilei port 20026 cli XXX)
Tue Oct 17 11:11:52 2006 : Auth: Login OK: [r-gym-saval] (from client 
cas.ilei port 20111 cli XXX)
Tue Oct 17 11:11:52 2006 : Auth: Login OK: [digital] (from client 
cas1.att port 20629 cli XX)
Tue Oct 17 11:11:52 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [EMAIL PROTECTED] (from 
client adsl.ach port 382 cli atm 2)
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [distrat] (from client 
cas.ait port 20006 cli XX)
Tue Oct 17 11:11:53 2006 : Error: Discarding duplicate request from 
client adsl.att:1645 - ID: 182 due to unfinished request 482899
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [digital] (from client 
cas1.att port 20725 cli XX)
Tue Oct 17 11:11:53 2006 : Error: Discarding duplicate request from 
client adsl.ira:1645 - ID: 142 due to unfinished request 482907
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Auth: Login OK: [EMAIL PROTECTED] (from 
client adsl.ira port 1039 cli atm 10)
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no DB 
handles to use! skipped 0, tried to connect 0
Tue Oct 17 11:11:53 2006 : Info: rlm_sql (radacct): There are no 

Unresponsive child problem

2006-10-17 Thread Christophe Saillard

Hi,

We use Freeradius to authenticate users on our Wireless Network with 
EAP-TTLS/PAP. Users credentials are stored in an Openldap directory.


We use a FreeBSD 6.1 for both Openldap (version 2.3.21) and Freeradius 
(version 1.1.3) servers.


Here's the problem :

Sometimes Freeradius seems to freeze, by the way nobody can authenticate.

When the problem happens we always get this kind of logs :

--
Mon Oct 16 14:37:55 2006 : Error: WARNING: Unresponsive child (id 
138254336) for request 193144
Mon Oct 16 14:37:56 2006 : Auth: Login OK: [anonymous] (from client wds1 
port 81519 cli 0012.f085.47b6)
Mon Oct 16 14:37:56 2006 : Auth: Login incorrect (rlm_ldap: User not 
found): [mitschi] (from client localhost port 226570 cli 0016.cbf6.f173)
Mon Oct 16 14:37:56 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:37:56 2006 : Auth: Login incorrect: [anonymous] (from 
client wds3 port 385187 cli 0013.027d.7685)
Mon Oct 16 14:37:57 2006 : Info: rlm_radutmp: Login entry for NAS 
sceco-ap10 port 5125 duplicate
Mon Oct 16 14:37:57 2006 : Error: WARNING: Unresponsive child (id 
142451200) for request 193148
Mon Oct 16 14:37:57 2006 : Auth: Login incorrect: [anonymous] (from 
client wds4 port 226570 cli 0016.cbf6.f173)
Mon Oct 16 14:37:57 2006 : Error: WARNING: Unresponsive child (id 
141391360) for request 193161
Mon Oct 16 14:37:58 2006 : Error: WARNING: Unresponsive child (id 
136836608) for request 193160
Mon Oct 16 14:37:58 2006 : Error: WARNING: Unresponsive child (id 
142492672) for request 193168

Mon Oct 16 14:37:58 2006 : Error: TLS Alert write:fatal:bad record mac
Mon Oct 16 14:37:58 2006 : Error: TLS_accept:error in SSLv3 read 
certificate verify A
Mon Oct 16 14:37:58 2006 : Error: rlm_eap: SSL error error:1408F455:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Mon Oct 16 14:37:58 2006 : Error: rlm_eap_tls: SSL_read failed in a 
system call (-1), TLS session fails.
Mon Oct 16 14:37:58 2006 : Error: WARNING: Unresponsive child (id 
143504384) for request 193170
Mon Oct 16 14:37:58 2006 : Error: WARNING: Unresponsive child (id 
136609280) for request 193169

Mon Oct 16 14:37:58 2006 : Error: TLS Alert write:fatal:bad record mac
Mon Oct 16 14:37:58 2006 : Error: TLS_accept:error in SSLv3 read 
certificate verify A
Mon Oct 16 14:37:58 2006 : Error: rlm_eap: SSL error error:1408F455:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Mon Oct 16 14:37:58 2006 : Error: rlm_eap: SSL error 
error::lib(0):func(0):reason(0)
Mon Oct 16 14:37:58 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:37:58 2006 : Error: rlm_eap_tls: SSL_read failed in a 
system call (-1), TLS session fails.
Mon Oct 16 14:37:58 2006 : Auth: Login incorrect: [anonymous] (from 
client wds1 port 81519 cli 0012.f085.47b6)
Mon Oct 16 14:37:59 2006 : Error: Discarding duplicate request from 
client wds3:1645 - ID: 60 due to unfinished request 193267
Mon Oct 16 14:38:00 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:00 2006 : Auth: Login incorrect: [anonymous] (from 
client wds3 port 385200 cli 0016.6f1d.95ab)
Mon Oct 16 14:38:00 2006 : Error: WARNING: Unresponsive child (id 
138869248) for request 193183
Mon Oct 16 14:38:00 2006 : Error: rlm_radutmp: Logout for NAS eost-ap8 
port 30871, but no Login record
Mon Oct 16 14:38:00 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:00 2006 : Auth: Login incorrect: [anonymous] (from 
client wds4 port 226570 cli 0016.cbf6.f173)
Mon Oct 16 14:38:00 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:00 2006 : Auth: Login incorrect: [anonymous] (from 
client wds4 port 226571 cli 0012.f084.8584)
Mon Oct 16 14:38:01 2006 : Info: rlm_radutmp: Login entry for NAS 
atrium-ap4 port 2330 duplicate
Mon Oct 16 14:38:01 2006 : Error: WARNING: Unresponsive child (id 
143503360) for request 193188
Mon Oct 16 14:38:02 2006 : Error: WARNING: Unresponsive child (id 
141392384) for request 193192
Mon Oct 16 14:38:03 2006 : Error: WARNING: Unresponsive child (id 
138870272) for request 193201
Mon Oct 16 14:38:03 2006 : Error: WARNING: Unresponsive child (id 
138002944) for request 193191
Mon Oct 16 14:38:03 2006 : Error: WARNING: Unresponsive child (id 
141391872) for request 193194
Mon Oct 16 14:38:03 2006 : Error: WARNING: Unresponsive child (id 
138741248) for request 193193
Mon Oct 16 14:38:03 2006 : Error: TLS_accept:error in SSLv3 read 
client certificate A
Mon Oct 16 14:38:03 2006 : Error: rlm_eap: SSL error 
error::lib(0):func(0):reason(0)
Mon Oct 16 14:38:05 2006 : Error: TLS_accept:error in SSLv3 read 
client certificate A
Mon Oct 16 14:38:05 2006 : Error: 

Re: Inserting and/or replacing reply attributes on a proxy request

2006-10-17 Thread Alan DeKok
Jarrod Sayers [EMAIL PROTECTED] wrote:
 Picture Cisco Aironet 1200's with multiple SSID's, all pointing back  
 to a single instance of FreeRADIUS.  The access point is relying on  
 the RADIUS reply to determine if the user should be moved to another  
 SSID and without it, assumes the one they are attempting to connect to  
 is correct.

  See the Calling-Station-Id attribute.  As per the RFC's, it should
contain MAC:SSID.  Rather than accepting the user  then trying to
reject them some time later, just look at the SSID they're using.  If
it isn't correct, reject them.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
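
An added example (not the list's or FreeRADIUS's code) of the check the reply describes: parse the MAC:SSID value, normalise the MAC across the hyphen, colon and Cisco dotted spellings that appear in logs elsewhere on this page, and compare the SSID against the one the user is allowed on, so the decision is made at authentication time rather than by accepting and moving the client later. RFC 3580 specifies this MAC:SSID form for Called-Station-Id; the parsing is the same whichever attribute the access point puts it in. Failing closed when no SSID is present is a policy choice made in this example, not something the reply states.

```python
# Added example: parse a MAC:SSID station-id value and enforce an allowed SSID.
import re

# A MAC in hyphen, colon, Cisco dotted or bare form, optionally followed by ":<ssid>".
STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}"      # 00-12-f0-85-47-b6 / 00:12:f0:85:47:b6
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"               # 0012.f085.47b6 (Cisco style)
    r"|[0-9a-f]{12})"                                 # 0012f08547b6
    r"(?::(?P<ssid>.+))?$",
    re.IGNORECASE,
)


def parse_station_id(value):
    """Split a station-id value into (normalised lower-case colon MAC, SSID or None).

    Returns None when the value does not start with a recognisable MAC."""
    m = STATION_RE.match(value.strip())
    if m is None:
        return None
    hexdigits = re.sub(r"[^0-9a-f]", "", m.group("mac").lower())
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return mac, m.group("ssid")


def ssid_policy(station_id, allowed_ssid):
    """Return (accept, reason) for one request. A missing SSID fails closed here;
    that is this example's policy choice, not something the reply states."""
    parsed = parse_station_id(station_id)
    if parsed is None:
        return False, "unparseable station id"
    mac, ssid = parsed
    if ssid is None:
        return False, f"no SSID appended for {mac}"
    if ssid != allowed_ssid:
        return False, f"{mac} is on SSID {ssid!r}, allowed only on {allowed_ssid!r}"
    return True, f"{mac} on {ssid!r}"


if __name__ == "__main__":
    # constructed sample values; the dotted MAC spelling matches the logs on this page
    for value in ("00-12-F0-85-47-B6:corp-wifi", "0012.f085.47b6:guest",
                  "0012.f085.47b6", "not-a-mac"):
        print(value, "->", ssid_policy(value, "corp-wifi"))
```

The reason string is what you would want in the reject log: it names the MAC and the SSID it was seen on, which is the evidence needed to spot a client that keeps landing on the wrong network.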


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-17 Thread Alan DeKok
Mustafa Şenay [EMAIL PROTECTED] wrote:
 Same password works when binding to LDAP server from different client
 applications, such as GQ. So I'm pretty sure that password is
 correct.

  That doesn't matter.

  Read ALL OF THE DEBUGGING LOG.

  IT WILL TELL YOU WHAT IS GOING ON.

  If you DO NOT read it, you WILL NOT solve the problem.

 I'm not sure that how will RADIUS server know to check password
 against LDAP server while EAP is in place?

  It doesn't.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Inserting attributes into the check table from Perl?

2006-10-17 Thread Alan DeKok
Jan Mulders [EMAIL PROTECTED] wrote:
 How do I write to the Check table from perl? Is it possible?

  It's fixed in the CVS head.

 Is there a way of invoking ip_pools from perl?

  No.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: variable escaping ins sql.conf

2006-10-17 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
 and radius -AX tells me:
 WARNING: Unknown variable '%y': See 'doc/variables.txt'
 
 How would I escape that kind of variable to pass it to the sql query?

  %%

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: [sec: unclas] Huntgroupname checkitem in LDAP

2006-10-17 Thread Jonathan De Graeve
 From: freeradius-users-[EMAIL PROTECTED]
 [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Ranner, Frank MR
 Sent: Tuesday 17 October 2006 4:17
 To: FreeRadius users mailing list
 Subject: RE: [sec: unclas] Huntgroupname checkitem in LDAP
 
 
 DEFAULT Ldap-Group == `%{Huntgroup-Name}`
         Access-Level := RW,
         Service-Type = Administrative-User,
         Cisco-AVPair := shell:priv-lvl=15,
         Passport-Command-Impact = configuration
 

Although this approach works if you just want to add attributes for a
certain huntgroup if a user is a member of it.

My problem is, I have 2 user databases, one being SQL the other being
LDAP/AD

I want to be able to specify to which NASses the LDAP/AD user has access
to.

If it were only LDAP/AD users, everything would work like this:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, every user that is not a member of a specific Group that
matches a Huntgroup name is denied access.

But I still have the SQL users and the above rules break them.

So I changed it to this:

DEFAULT SQL-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, I need to change my SQL users setup from instead having the
Huntgroup-Name in SQL as a checkitem (radgroupcheck) to add every SQL
user to a SQL-group having the same name as the huntgroup.

This behaviour works but is not really desirable.

After searching and experimenting the trick to NOT break EAP/LDAP/SQL
but still having everything working like I wanted it to be was just as
follows:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type = LOCAL
        Fall-Through = Yes

This configuration allows the default SQL behaviour to stay the
same, having EAP AND locking Ldap users to the NASes controlled by their
group membership. Since I spent a long time figuring this out I wanted to
share this with the list.

My current setup has SQL users + Complete Active Directory integration
(having EAP=NTLM) + LDAP(PAP/etc...)

Kind Regards,

J. 




Re: problem with proxy configuration

2006-10-17 Thread Alan DeKok
 Prabhdeep Singh [EMAIL PROTECTED] wrote:
 I am able to authenticate against myPartnerRealm and the default realm,
 but when I submit a request for myCustomRealm, the server seems to go
 in a loop and marks myCustomRealm as dead with the following
 error.
 
 marking authentication server localhost:1812 for realm myCustomRealm dead
 
 I also get the following warning message
 WARNING: Possible DoS attack from host 127.0.0.1: Too many attributes
 in request (received 201, max 200 are allowed).

  It looks like you've configured the server to proxy to itself.  Why?

 I read in one of the posts that proxying to the same server (localhost) is
 not allowed, but I need this feature as I do not want to strip
 certain Realms.

  Proxying requests to the same server is useless.  No, you do not
need this feature.  There are other ways of configuring the server to
do what you want.

  Perhaps you could try explaining what you want to do, rather than
trying to make something work, when you've been told it's impossible.
  

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


SNMP with Freeradius

2006-10-17 Thread Velikanov

Good Day.



I want to use SNMP with Freeradius.

I have:

1. FreeRADIUS Version 1.1.3, for host, configured with option '-with-snmp'

In src/include/autoconf.h I see:

/* Include SNMP subagent */
/* #undef WITH_SNMP */
#define HAVE_UCD_SNMP_ASN1_SNMP_SNMPIMPL_H 1
/* #undef HAVE_ASN1_SNMP_SNMPIMPL_H */
/* #undef HAVE_LIBSNMP */

2. Red Hat Linux v.3.3; 2.6.9-34.EL

3. net-snmp-5.1.2-11.EL4.6 configured with option '--with-mib-modules=host
agentx smux ucd-snmp/lmSensors'

radiusd.conf, snmp.conf, snmpd.conf were configured as in the docs and in
http://wiki.freeradius.org/SNMP_HOWTO

When I run /usr/local/sbin/radiusd -X

there are no strings with smux, as shown in the wiki.



Where is my mistake?



Thanks.





Re: WPA authentication works only with MacOS clients

2006-10-17 Thread Josh Shamir
It works! Thanks.

Josh Shamir

Re: Unresponsive child problem

2006-10-17 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
 Sometimes Freeradius seems to freeze, by the way nobody can authenticate.

  Because the back-end DB is slow, most likely.

 When the problem happens we always get this kind of logs :

  Run it in debugging mode to see what's happening.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: sqlippool + MySQL

2006-10-17 Thread Guilherme Franco

Hi Peter,

Regarding this post, the problem with Oracle and sqlippool still exists.

I've altered the postgresql inet to varchar and it works. But in
oracle, with varchar it does not work (the query returns exactly the
same result in oracle's sqlplus as in postgresql, but freeradius keeps
saying
sqlippool_query1: row[0] returned NULL
rlm_sqlippool: ip=[] len=0
radius_xlat:  'COMMIT'
rlm_sqlippool: IP number could not be allocated.
).

So this proves that it's not an issue with the queries (at least for oracle).

Cheers.

On 10/17/06, Peter Nixon [EMAIL PROTECTED] wrote:


RE: SNMP with Freeradius

2006-10-17 Thread Kshitij Korde


Hi 

When you configure FreeRADIUS with the option

3. net-snmp-5.1.2-11.EL4.6 configured with option
'--with-mib-modules=host agentx smux ucd-snmp/lmSensors'

see the output and verify whether it asks for some snmp files; if it says
something like "snmp.c --- no",

that might be the culprit.

Regards

Ravi



-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
ius.org] On Behalf Of Velikanov
Sent: Tuesday, October 17, 2006 3:43 PM
To: freeradius-users@lists.freeradius.org
Subject: SNMP with Freeradius




Module detach function behavior

2006-10-17 Thread Nicolas Castel

Hi all,

I'd like to know the behavior of the module detach function. That is,
what happens when some threads are running and using an instance of a
module and the server must be stopped or reloaded? Does
FreeRADIUS wait for the threads to finish their job before calling the
module detach function, or are they killed before they have finished?

Thanks


Re: SNMP with Freeradius

2006-10-17 Thread Kevin Bonner
On Tuesday 17 October 2006 06:12, Velikanov wrote:
> /* #undef WITH_SNMP */

This means the snmp libraries weren't found.  For RHEL 3.3, install the 
net-snmp-devel RPM and build FreeRADIUS again, or check your build output for 
errors.

Kevin Bonner



IPPOOL only give me two ip´s. HELP

2006-10-17 Thread Paloma Munoz
Hello to all!

I have a problem with the ippool. My pool only gives me two IPs (more than
one user has the same IP).
I use freeradius version 1.0.1 on Red Hat EL4 with mysql.

I saw this problem in other messages and someone says that the problem
comes from the NAS-Port. My Radius always gives me the same port.
I changed the format of the port in the Cisco:
Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)
and now the port changed from 0 to 538837024 (but it is always the same).

In the Access-Request the NAS sends the NAS-Port, the NAS-IP-Address and
NAS-Identifier

---radiusd -X
---
rad_recv: Access-Request packet from host 212.230.0.207:1645, id=52,
length=132
Framed-Protocol = PPP
User-Name = user1
User-Password = x
NAS-Port-Type = Virtual
Cisco-NAS-Port = 2/0/0/30.32
NAS-Port = 538837024
Service-Type = Framed-User
NAS-IP-Address = 212.230.0.207
Acct-Session-Id = 2/0/0/30.32_020033AD
NAS-Identifier = ATM_sp_mad_C03

Login OK: [user1/xx] (from client ATM_sp_mad_C03 port 538837024)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 7
rlm_ippool: Searching for an entry for nas/port: 212.230.0.207/538837024
rlm_ippool: Searching for an entry for nas/port: 212.230.0.207/538837024
rlm_ippool: Allocating ip to nas/port: 212.230.0.207/538837024
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.1.232 to client on nas 212.230.0.207,port
538837024
  modcall[post-auth]: module dynamic returns ok for request 7
---

How can I make the NAS send a different port for each user?
Is this possible?
Is there some option in the configuration file of the radius?
Now, all the requests have the same NAS-Port.

Also, I read that I can modify the file rlm_ippool with another attribute, but
I don't know a lot of programming and I need another solution.

Please help me, I don't know what else I can do.
Thank you for all
Regards
Paloma
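The NAS-Port in the debug output above is the 32-bit packing of the Cisco-NAS-Port string under the data format quoted in the post (slot(4), module(1), port(3), vpi(8), vci(16)): 538837024 is 0x201E0020, which decodes to 2/0/0/30.32. The Python below, added here as an example and not part of the thread or of rlm_ippool, decodes and re-encodes that layout and groups requests by the nas/port pair that rlm_ippool's debug lines key on, so you can check whether two subscribers would land on the same pool entry before they end up sharing an address. The sample requests and user names are constructed; the NAS address is the one from the debug output.

```python
"""Decode and encode the packed NAS-Port layout quoted in the thread:
slot(4) module(1) port(3) vpi(8) vci(16), most significant field first.
Added example; the request samples below are constructed, not captured."""

from typing import Dict, List, NamedTuple, Tuple

# Field widths in bits, most significant first (the data format from the post).
FIELDS = (("slot", 4), ("module", 1), ("port", 3), ("vpi", 8), ("vci", 16))


class CiscoNasPort(NamedTuple):
    slot: int
    module: int
    port: int
    vpi: int
    vci: int

    def __str__(self) -> str:
        # Same text form as the Cisco-NAS-Port VSA: slot/module/port/vpi.vci
        return f"{self.slot}/{self.module}/{self.port}/{self.vpi}.{self.vci}"


def decode_nas_port(value: int) -> CiscoNasPort:
    """Split a 32-bit NAS-Port integer into its fields."""
    if not 0 <= value < 1 << 32:
        raise ValueError("NAS-Port must be an unsigned 32-bit integer")
    fields: Dict[str, int] = {}
    shift = 32
    for name, width in FIELDS:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return CiscoNasPort(**fields)


def encode_nas_port(p: CiscoNasPort) -> int:
    """Pack the fields back into the 32-bit NAS-Port integer."""
    value = 0
    for name, width in FIELDS:
        field = getattr(p, name)
        if not 0 <= field < 1 << width:
            raise ValueError(f"{name}={field} does not fit in {width} bits")
        value = (value << width) | field
    return value


def parse_cisco_nas_port(text: str) -> CiscoNasPort:
    """Parse the VSA string form, e.g. '2/0/0/30.32'."""
    head, vci = text.rsplit(".", 1)
    slot, module, port, vpi = head.split("/")
    return CiscoNasPort(int(slot), int(module), int(port), int(vpi), int(vci))


def ippool_keys(requests: List[Dict[str, str]]) -> Dict[Tuple[str, int], List[str]]:
    """Group user names by the (NAS-IP-Address, NAS-Port) pair that the
    rlm_ippool debug lines key on ("nas/port: 212.230.0.207/538837024").
    Several users under one key is the situation the thread describes."""
    keys: Dict[Tuple[str, int], List[str]] = {}
    for req in requests:
        nas_port = encode_nas_port(parse_cisco_nas_port(req["Cisco-NAS-Port"]))
        keys.setdefault((req["NAS-IP-Address"], nas_port), []).append(req["User-Name"])
    return keys


# Constructed sample requests (not captured traffic): two users on the same
# VC of the same interface, one on a neighbouring VC.
SAMPLE_REQUESTS = [
    {"User-Name": "user1", "NAS-IP-Address": "212.230.0.207", "Cisco-NAS-Port": "2/0/0/30.32"},
    {"User-Name": "user2", "NAS-IP-Address": "212.230.0.207", "Cisco-NAS-Port": "2/0/0/30.32"},
    {"User-Name": "user3", "NAS-IP-Address": "212.230.0.207", "Cisco-NAS-Port": "2/0/0/30.33"},
]

if __name__ == "__main__":
    print(decode_nas_port(538837024))          # the value from the debug output
    for key, users in ippool_keys(SAMPLE_REQUESTS).items():
        print(key, users)
```

Feeding the Cisco-NAS-Port values from a real capture through ippool_keys is a quick way to confirm whether the NAS really hands every session the same nas/port pair, which is what the post suspects, before changing the NAS configuration or the module.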






Re: Pam radius authentication

2006-10-17 Thread A . L . M . Buxey
Hi,

> I don't understand why you are saying that you are invoking pam_radius_auth 
> in the wrong place and for the wrong reason...please, be more specific and 
> if you know the right configuration, enlighten me!
> 
> > #%PAM-1.0
> > auth   required pam_securetty.so
> > auth   sufficient   pam_radius_auth.so debug
> > auth   required /lib/security/pam_unix_auth.so
> > account required pam_radius_auth.so debug
> 

explain

alan
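What the control flags in the quoted stack do is easy to misjudge, so here is a small simulator of the classic PAM control flags (required, requisite, sufficient, optional), written for this thread as an added example; it is not part of pam_radius_auth or of any post. Module outcomes are supplied by hand, so no real PAM module or RADIUS server is involved, and it follows Linux-PAM's end-of-stack rule that a stack which recorded no positive result denies. It also runs the two one-line account stacks a reader might write, required and sufficient, to show that the flag alone does not change the outcome when the module is the only one in the stack.

```python
"""Simulate the classic PAM control flags so the effect of module order in a
stack can be reasoned about without touching /etc/pam.d.  Added example; the
module outcomes are supplied by hand (no real PAM modules are called)."""

from typing import Dict, List, Optional, Tuple

# A stack is an ordered list of (control flag, module name), one per pam.d line.
Stack = List[Tuple[str, str]]

# The auth stack from the thread, in the order quoted above.
AUTH_STACK: Stack = [
    ("required", "pam_securetty.so"),
    ("sufficient", "pam_radius_auth.so"),
    ("required", "pam_unix_auth.so"),
]

# The two one-line account stacks under discussion.
ACCOUNT_REQUIRED: Stack = [("required", "pam_radius_auth.so")]
ACCOUNT_SUFFICIENT: Stack = [("sufficient", "pam_radius_auth.so")]


def run_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Walk the stack with the classic control-flag semantics and return
    ("success" | "failure", [modules that were actually invoked])."""
    invoked: List[str] = []
    impression: Optional[str] = None  # None, "positive" or "negative"
    for control, module in stack:
        ok = outcomes[module]
        invoked.append(module)
        if control in ("required", "requisite"):
            if ok:
                # a success counts only if no required module failed earlier
                impression = impression or "positive"
            else:
                impression = "negative"
                if control == "requisite":
                    return "failure", invoked     # requisite stops at once
                # required: the failure is remembered but the rest of the
                # stack still runs, so the failing module is not revealed
        elif control == "sufficient":
            if ok and impression != "negative":
                return "success", invoked         # remaining modules are skipped
            # a failed sufficient module is simply ignored
        elif control == "optional":
            if ok:
                impression = impression or "positive"
            # its failure is ignored (it only matters when alone in the stack)
        else:
            raise ValueError(f"unknown control flag {control!r}")
    # No early return: deny unless a positive result was recorded and no
    # required module failed (Linux-PAM's end-of-stack sanity rule).
    return ("success" if impression == "positive" else "failure"), invoked


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Hand-picked outcomes for the stacks above (constructed scenarios)."""
    ok = {"pam_securetty.so": True, "pam_radius_auth.so": True, "pam_unix_auth.so": True}
    radius_down = dict(ok, **{"pam_radius_auth.so": False})
    return {
        "auth: RADIUS accepts": run_stack(AUTH_STACK, ok),
        "auth: RADIUS fails, local password ok": run_stack(AUTH_STACK, radius_down),
        "auth: RADIUS fails, local password wrong":
            run_stack(AUTH_STACK, dict(radius_down, **{"pam_unix_auth.so": False})),
        "auth: root on a tty not in /etc/securetty":
            run_stack(AUTH_STACK, dict(ok, **{"pam_securetty.so": False})),
        "account required, RADIUS fails": run_stack(ACCOUNT_REQUIRED, {"pam_radius_auth.so": False}),
        "account sufficient, RADIUS fails": run_stack(ACCOUNT_SUFFICIENT, {"pam_radius_auth.so": False}),
    }


if __name__ == "__main__":
    for name, (result, modules) in demo().items():
        print(f"{name}: {result} (invoked {', '.join(modules)})")
```

Run it with the order of your own /etc/pam.d/sshd and the outcomes you expect during a RADIUS outage (pam_radius_auth failing) and you can see which local module, if any, still decides the login; the securetty case shows why a required failure keeps the rest of the stack running while the final answer is already a denial.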


RE: Securew2

2006-10-17 Thread Tom Rixom
Hi All,

We had a mess-up with our DNS provider and moved it to our own hosted DNS.
:)

> the DNS has been messed up severely. though the WHOIS still is
> correct.

See above.

> the software has been sold to a new owner Vista needs a good
> supplicant.

Nope, but thanks for the compliment... I think.. ;)

> bought out by a competitor and removed from the market. though this
> would be interesting regarding its licence

Nope...

> new version coming soon and they pulled old version prematurely

In the pipeline.

Regards,

Tom Rixom

> -Original Message-
> From: freeradius-users-bounces+tom.rixom=alfa-
> [EMAIL PROTECTED] [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday 12 October 2006 17:21
> To: FreeRadius users mailing list
> Subject: Re: Securew2
> 
> Hi,
> > Hi to all,
> > anybody know what's happening to the securew2 site?
> > It has been down since a few weeks ago.
> >
> > Did it disappear?
> 
> some of us have noticed and wondered the same thing. I've resorted to
> currently hosting the file for local downloads and will continue to
> do so until I know what's up. (there are many other sites where it can
> be publicly downloaded!)
> 
> speculation:
> 
> the DNS has been messed up severely. though the WHOIS still is
> correct.
> 
> the software has been sold to a new owner Vista needs a good
> supplicant.
> 
> bought out by a competitor and removed from the market. though this
> would be interesting regarding its licence
> 
> new version coming soon and they pulled old version prematurely
> 
> alan


Re: Pam radius authentication

2006-10-17 Thread danieldinu
Hi!
If you are referring to this line:
account required pam_radius_auth.so debug
then here is the explanation:
  The pam configuration can be:
...
auth   sufficient   /lib/security/pam_radius_auth.so [options]
...
account sufficient   /lib/security/pam_radius_auth.so
 (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)

On the other hand, I don't care if I don't use this module for accounting. As a 
matter of fact, I tried many configurations, even without using it for 
accounting.
The main concern is to succeed in authenticating the users!!! If anyone can help 
me accomplish that, I would be happy and I will not mind about accounting...


> Hi,
> 
> > I don't understand why you are saying that you are invoking pam_radius_auth 
> > in the wrong place and for the wrong reason...please, be more specific and 
> > if you know the right configuration, enlighten me!
> > 
> > > #%PAM-1.0
> > > auth   required pam_securetty.so
> > > auth   sufficient   pam_radius_auth.so debug
> > > auth   required /lib/security/pam_unix_auth.so
> > > account required pam_radius_auth.so debug
> 
> explain
> 
> alan


MySQL failover

2006-10-17 Thread Brad McAllister
Sorry for all my questions lately. I think I have my setup almost
complete. I am now stuck on the DB failover. I have read through the
documents located here: http://wiki.freeradius.org/Fail-over but am
still stuck.

I have two mysql servers. If I shut down mysql on sql1, it fails over
to sql2 instantly. However, if I pull the ethernet plug on sql1,
freeradius appears to just be sitting and waiting to connect to sql1.
This is what the console outputs:

rlm_sql (sql1): Reserving sql socket id: 0

If I kill radius and start it up with sql1 disconnected it will
fail over instantly to sql2. Once I connect and then disconnect sql1
it starts hanging again.

Has anyone else experienced this? Below are some snippets from my
radius.conf:


$INCLUDE  ${confdir}/sql1.conf
$INCLUDE  ${confdir}/sql2.conf
sql sql1 {
}
sql sql2 {
}
always handled {
    rcode = handled
}

authorize {
    suffix
    preprocess
    group {
        sql1 {
            fail     = 1
            notfound = 1
            noop     = 2
            ok       = return
            updated  = 3
            reject   = return
            userlock = 4
            invalid  = 5
            handled  = 6
        }
        sql2 {
            fail     = 1
            notfound = return
            noop     = 2
            ok       = return
            updated  = 3
            reject   = return
            userlock = 4
            invalid  = 5
            handled  = 6
        }
    }
}

--
Brad McAllister
[EMAIL PROTECTED]
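The two observations in this post differ at the TCP level: a stopped mysqld answers the connection attempt with a reset, so the client fails immediately and the next server is tried, while an unplugged host answers nothing, so a client without a bounded connect or read timeout sits through the kernel's TCP retransmission cycle before it notices. The probe below, added here as an example and not part of the thread or of rlm_sql, puts a bound on both waits and reports why a backend is unavailable; it is the kind of check to run from a monitoring script before trusting a failover pair. The loopback listeners it is demonstrated against are constructed stand-ins for a SQL server, not a MySQL implementation.

```python
"""Probe a backend's TCP port with bounded connect and read timeouts and say
*why* it is unavailable.  Added example; the listeners below are local
stand-ins for a SQL server (constructed, not a MySQL implementation)."""

import socket
import threading
from contextlib import contextmanager
from typing import Iterator, List, Optional


def probe_tcp(host: str, port: int, connect_timeout: float = 1.0,
              read_timeout: float = 1.0) -> str:
    """Return 'open' (peer sent a greeting), 'silent' (connected but nothing
    arrived within read_timeout), 'closed' (peer hung up), 'refused' (a RST
    came back: daemon down), 'timeout' (no SYN reply at all: the unplugged
    host case) or 'unreachable' (routing error)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(connect_timeout)      # bound the SYN wait
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"
        sock.settimeout(read_timeout)         # bound the wait for a greeting
        try:
            data = sock.recv(64)              # MySQL speaks first (handshake)
        except socket.timeout:
            return "silent"
        except OSError:
            return "closed"
        return "open" if data else "closed"
    finally:
        sock.close()


@contextmanager
def local_listener(greeting: Optional[bytes]) -> Iterator[int]:
    """Accept connections on a loopback port; send `greeting` if given,
    otherwise hold each connection open without ever answering (black hole)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)
    held: List[socket.socket] = []
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            if greeting is not None:
                conn.sendall(greeting)
            held.append(conn)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[1]
    finally:
        stop.set()
        worker.join()
        for conn in held:
            conn.close()
        srv.close()


def closed_loopback_port() -> int:
    """Pick a loopback port with nothing listening on it (stopped daemon)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    print("stopped daemon  :", probe_tcp("127.0.0.1", closed_loopback_port()))
    with local_listener(b"greeting") as port:         # constructed greeting bytes
        print("answering server:", probe_tcp("127.0.0.1", port))
    with local_listener(None) as port:
        print("black hole      :", probe_tcp("127.0.0.1", port, read_timeout=0.5))
```

Pointed at the real sql1, a 'timeout' or 'silent' result is the condition the post describes; both are only detectable quickly because the probe bounds its own waits rather than relying on the kernel defaults.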




Re: problem with proxy configuration

2006-10-17 Thread Prabhdeep Singh
Hi Alan,


Thanks for the response. 

> It looks like you've configured the server to proxy to itself. Why?

I do understand your technical objection to doing what I am doing, but 
I have a valid application reason, which is that I support multiple realms on this particular radius server.
For some realms, I want the UserName to strip the Realm name (nostrip) and for some I don't.

Is there any other way to achieve the same than not using the strip and nostrip flag in proxy.conf?

Thanks again for your comments.

Prabh
--
MyBlog: http://things-on-my-mind.blogspot.com/
Get your news at www.DailyHeadlines.NET

Re: problem with proxy configuration

2006-10-17 Thread Dennis Skinner
Prabhdeep Singh wrote:
> I do understand your technical objection to doing what I am doing, but
> I have a valid application reason, which is that I support multiple
> realms on this particular radius server.
> For some realms, I want the UserName to strip the Realm name (nostrip)
> and for some I don't
> 
> Is there any other way to achieve the same than not using the strip and
> nostrip flag in proxy.conf

Read before you edit.  From my default proxy.conf file:

#
#  This is a local realm.  The requests are NOT proxied,
#  but instead are authenticated by the RADIUS server itself.
#
#  You don't need a secret if BOTH 'authhost' and 'accthost' are
#  set to LOCAL.
#
#realm bla.com {
#   type= radius
#   authhost= LOCAL
#   accthost= LOCAL
#}

LOCAL is a special word and does not equal localhost or your fqdn.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: problem with proxy configuration

2006-10-17 Thread Dennis Skinner
On a side note... if you don't want to use CVS to track config changes
as Alan suggests, you should at least make a backup copy of the original
configs that shipped with the tarball (with all their handy inline
documentation) to refer to when you get stuck.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Rewrite Attribute when proxy the specific realm

2006-10-17 Thread Rio Yang
Hi,

I have tried the attr_rewrite function to rewrite the value of a specific attribute successfully. But now I want to rewrite an attribute on requests that are proxied to a specific realm. For example, when the AUTH is proxied to the realm abc.com, I want to rewrite the NAS-Identifier attribute value into a new one. Does somebody know how to configure it?

Thanks.

Rio