sole remaining configure error [utmpx]
Well, I'm on the way to building my first freeradius server and have one remaining configure error. Can anyone tell me about this one, how to fix it and will it break anything? Test build is being done on Ubuntu 6.06 dapper. Below is the config.log

--Andrew

configure:750: checking for gcc
configure:863: checking whether the C compiler (gcc ) works
configure:879: gcc -o conftest conftest.c 1>&5
configure:905: checking whether the C compiler (gcc ) is a cross-compiler
configure:910: checking whether we are using GNU C
configure:938: checking whether gcc accepts -g
configure:971: checking how to run the C preprocessor
configure:1051: checking for AIX
configure:1077: checking whether gcc needs -traditional
configure:1123: checking whether we are using SUNPro C
configure:1143: checking for ranlib
configure:1178: checking whether byte ordering is bigendian
configure:1271: checking for gmake
configure:1302: checking for make
configure:1422: checking for lt_dlinit in -lltdl
configure:1546: checking for Cygwin environment
configure:1579: checking for mingw32 environment
configure:1683: checking host system type
configure:1704: checking build system type
configure:1733: checking for ld used by GCC
configure:1801: checking if the linker (/usr/bin/ld) is GNU ld
configure:1818: checking for /usr/bin/ld option to reload object files
configure:1830: checking for BSD-compatible nm
configure:1868: checking whether ln -s works
configure:1889: checking how to recognise dependant libraries
configure:2072: checking for object suffix
configure:2098: checking for executable suffix
configure:2139: checking command to parse /usr/bin/nm -B output
configure:2322: checking for dlfcn.h
configure:2500: checking for ranlib
configure:2567: checking for strip
configure:2812: checking for objdir
configure:2843: checking for gcc option to produce PIC
configure:2995: checking if gcc PIC flag -fPIC works
configure:3065: checking if gcc static flag -static works
configure:3111: checking if gcc supports -c -o file.o
configure:3159: checking if gcc supports -c -o file.lo
configure:3235: checking if gcc supports -fno-rtti -fno-exceptions
configure:3248: gcc -c -g -O2 -fno-rtti -fno-exceptions -c conftest.c conftest.c 1>&5
cc1: warning: command line option "-fno-rtti" is valid for C++/ObjC++ but not for C
cc1: warning: command line option "-fno-rtti" is valid for C++/ObjC++ but not for C
configure:3279: checking whether the linker (/usr/bin/ld) supports shared libraries
configure:3967: checking how to hardcode library paths into programs
configure:3999: checking whether stripping libraries is possible
configure:4017: checking dynamic linker characteristics
configure:4418: checking if libtool supports shared libraries
configure:4426: checking whether to build shared libraries
configure:4453: checking whether to build static libraries
configure:4496: checking for shl_load
configure:4542: checking for shl_load in -ldld
configure:4580: checking for dlopen
configure:4626: checking for dlopen in -ldl
configure:4777: checking whether a program can dlopen itself
configure:4871: checking whether a statically linked program can dlopen itself
configure:4993: checking whether -lc should be explicitly linked in
configure:5656: checking logdir
configure:5678: checking radacctdir
configure:5700: checking raddbdir
configure:5923: checking for perl
configure:5962: checking for snmpget
configure:6001: checking for snmpwalk
configure:6040: checking for rusers
configure:6076: checking for working aclocal
configure:6089: checking for working autoconf
configure:6102: checking for working autoheader
configure:6118: checking for locate
configure:6153: checking for dirname
configure:6188: checking for grep
configure:6232: checking for pthread.h
configure:6271: checking for pthread_create in -lpthread
configure:6364: checking for library containing sem_init
configure:6428: checking for getsockname in -lsocket
configure:6476: checking for inet_aton in -lresolv
configure:6524: checking for inet_ntoa in -lnsl
configure:6577: checking for DH_new in -lcrypto
configure:6687: checking for dirent.h that defines DIR
configure:6725: checking for opendir in -ldir
configure:6808: checking for ANSI C header files
configure:6912: checking whether time.h and sys/time.h may both be included
configure:6947: checking for sys/wait.h that is POSIX.1 compatible
configure:7024: checking for unistd.h
configure:7024: checking for crypt.h
configure:7024: checking for errno.h
configure:7024: checking for resource.h
configure:7024: checking for getopt.h
configure:7024: checking for malloc.h
configure:7024: checking for utmp.h
configure:7024: checking for utmpx.h
configure:7024: checking for signal.h
configure:7024: checking for sys/select.h
configure:7024: checking for syslog.h
configure:7024: checking for inttypes.h
configure:7024: checking for stdint.h
configure:7024: checking for stdio.h
configure:7024: checking for netdb.h
configure:7024: checking for semaphore.h
configure
configure options
Hello, wouldn't it be useful to publish all configure options ( like modules options ) in WIKI ? I am trying to build debian packages for my machines with only those modules I need. And at the moment I don't have a clue how to deactivate the modules I don't need. Regards, E:S - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SQLcounter patch - Addition of reply-attribute
I just made a patch against 1.1.3 for the SQLcounter module. This patch allows to set the reply-name variable in the sqlcounter.conf file per instance. In this way the default behaviour of Session-Timeout can be overridden by your own reply-attribute. The system will set the session-timeout attribute if you omit the reply-name var in your config for backwards compatibility. I'm planning the following additions: The ability to override the reject behaviour with an accept but adding attributes. For example: if the user has reached his volume limit, accept the user but add speed-limitation attributes. --- rlm_sqlcounter.c.orig 2006-10-21 23:18:04.147404980 +0200 +++ rlm_sqlcounter.c2006-10-21 23:01:30.190552948 +0200 @@ -65,17 +65,19 @@ * be used as the instance handle. */ typedef struct rlm_sqlcounter_t { - char *counter_name; /* Daily-Session-Time */ - char *check_name; /* Max-Daily-Session */ - char *key_name; /* User-Name */ + char *counter_name; /* Daily-Session-Time */ + char *check_name; /* Max-Daily-Session */ + char *key_name; /* User-Name */ + char *reply_name; /* Authorized Reply, defaults to Session-Timeout */ char *sqlmod_inst; /* instance of SQL module to use, usually just 'sql' */ char *query;/* SQL query to retrieve current session time */ - char *reset;/* daily, weekly, monthly, never or user defined */ + char *reset;/* daily, weekly, monthly, never or user defined */ char *allowed_chars;/* safe characters list for SQL queries */ time_t reset_time; time_t last_reset; int key_attr; /* attribute number for key field */ int dict_attr; /* attribute number for the counter. */ + int reply_attr;/* attribute number for the authorized OK reply, defaults to Session-Timeout */ } rlm_sqlcounter_t; /* 
@@ -91,6 +93,7 @@ { "counter-name", PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,counter_name), NULL, NULL }, { "check-name", PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,check_name), NULL, NULL }, { "key", PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,key_name), NULL, NULL }, + { "reply-name", PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,reply_name), NULL, NULL }, { "sqlmod-inst", PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,sqlmod_inst), NULL, NULL }, { "query", PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,query), NULL, NULL }, { "reset", PW_TYPE_STRING_PTR, offsetof(rlm_sqlcounter_t,reset), NULL, NULL }, @@ -480,6 +483,27 @@ data->key_attr = dattr->attr; /* +* Discover the attribute number of the reply. +* If not set, set it to Session-Timeout +* for backward compatibility +*/ + if (data->reply_name == NULL) { + DEBUG2("rlm_sqlcounter: 'reply' set to Session-Timeout for counter name %s",data->counter_name); + data->reply_attr = PW_SESSION_TIMEOUT; + } + else { + dattr = dict_attrbyname(data->reply_name); + if (dattr == NULL) { + radlog(L_ERR, "rlm_sqlcounter: No such attribute %s", + data->reply_name); + return -1; + } + data->reply_attr = dattr->attr; +DEBUG2("rlm_sqlcounter: Reply attribute %s is number %d", +data->reply_name, dattr->attr); + } + + /* * Check the "sqlmod-inst" option. */ if (data->sqlmod_inst == NULL) { @@ -666,11 +690,12 @@ res += check_vp->lvalue; } - if ((reply_item = pairfind(request->reply->vps, PW_SESSION_TIMEOUT)) != NULL) { + /* if ((reply_item = pairfind(request->reply->vps, PW_SESSION_TIMEOUT)) != NULL) { */ + if ((reply_item = pairfind(request->reply->vps, data->reply_attr)) != NULL) { if (reply_item->lvalue > res) reply_item->lvalue = res; } else { - if ((reply_item = paircreate(PW_SESSION_TIMEOUT, PW_TYPE_INTEGER)) == NULL) { + if ((reply_item = paircreate(data->reply_attr, PW_TYPE_INTEGER)) == NULL) { radlog(L_ERR|L_CONS, "no memory"); return RLM_MODULE_NOOP; } 
@@ -682,8 +707,8 @@ DEBUG2("rlm_sqlcounter: Authorized user %s, check_item=%d, counter=%d", key_vp->strvalue,check_vp->lvalue,counter); - DEBUG2("rlm_sqlcounter: Sent Reply-Item for user %s, Type=Session-Timeout, value=%d", - key_vp->strvalue,reply_item->lvalue); + DEBUG2("rlm_sqlcounter: Sent Reply-Item for user %s, Type=%d, value=%d", + key_vp->strvalue,data->reply_attr,rep
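Review bot: in the rlm_sqlcounter_t hunk (@@ -65,17) the counter_name, check_name, key_name and reset lines are removed and re-added with no visible change other than whitespace. Drop those whitespace-only edits so the hunk shows only the two new members, reply_name and reply_attr.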
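Review bot: the instantiate hunk (@@ -480,6) only checks that dict_attrbyname(data->reply_name) finds an attribute, not that the attribute is an integer, yet the authorize hunk later calls paircreate(data->reply_attr, PW_TYPE_INTEGER) and compares reply_item->lvalue against res. Check the type of the dictionary entry returned by dict_attrbyname() next to the existing "No such attribute" error and return -1 when it is not an integer, so a string or address attribute cannot be configured as reply-name. The first DEBUG2 in this hunk also calls the option 'reply' while the config table names it "reply-name".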
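Review bot: the old pairfind(request->reply->vps, PW_SESSION_TIMEOUT) line in the authorize hunk (@@ -666,11) is left behind inside a /* */ comment. Delete it instead of commenting it out; the diff already records the previous code.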
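Review bot: the final DEBUG2 (@@ -682,8) now logs Type=%d with data->reply_attr, so the debug output shows a bare attribute number where it used to show the name Session-Timeout. Log the attribute name with %s instead; data->reply_name is left NULL when the default is taken in the instantiate hunk, so that path needs to store a name for the default case before the name can be printed here.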
Re: EAP-TTLS problem at phase 1
Hello Hoercher,

Please see below answers/questions (in red):

> ok, i played around a bit and found EAP-TTLS working with no
> particular problems.
>
> On 10/21/06, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:
> > "testuser" User-Password := "testuser"
>
> looks ok, but I'm not absolutely sure about the quotation marks for
> the username, they are not needed in any case.

testuser User-Password :="testuser"
I will try with only above entry in users file

> > the error was about no matching "anonymous_identity", and that's why I had to
> > have a DEFAULT entry after this with Auth-Type :=EAP.
>
> As you didn't show that error one cannot check for its real cause.
> Everything else correctly configured you don't need that setting (and
> it might be actually wrong depending on circumstances).

OK, I found some postings about username_identity_check disabling for user "anonymous"... here it is

Quote
I guess since somebody implemented this check, there must be some broken NASes out there... and the attached patch fixes this situation. If user sets "username_identity_check = no" in eap section it will disable this check. The default for this setting is "yes".
Unquote

So, now I have added this patch to files eap.c, rlm_eap.h, and rlm_eap.c, compiled. I will test this on Monday. I am expecting this patch will lead to pass this anonymous user check phase in radius server. I will post you the result on that. Please let me know if you are aware of this.

> > Do you suggest any particular format of my users file ? Please note, the
> > phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is
> > "testuser/testuser".
>
> I did take note. So, take an unaltered users file and just add your
> line as mentioned above.
> Something I found in your previous post led to a failure here. Use
> phase2="autheap=MSCHAPV2" instead of
> phase2="auth=MSCHAPV2"

Not sure where we configure this phase2="autheap=MSCHAPV2" ? Are we at phase 2 yet ? I thought we have not passed the phase 1..can you pls clarify ?

> > modcall: entering group authenticate for request 1
> > rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
> > EAP-request
>
> That does look strange (and might indicate your real problem), if it
> still persists with the suggested changes it might be useful to dig
> further into that. Perhaps you could add another -x to the freeradius
> invocation to get timestamps on the logfile.

I will test with the above patch - and see if we can pass the anonymous identity check problem. If persists - I will recompile with original files mentioned above, and test again to give you the full debug logs.

Thanks
Rafi

> regards
> K. Hoercher
Re: EAP-TTLS problem at phase 1
Hi,

ok, i played around a bit and found EAP-TTLS working with no particular problems.

On 10/21/06, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:
> "testuser" User-Password := "testuser"

looks ok, but I'm not absolutely sure about the quotation marks for the username, they are not needed in any case.

> the error was about no matching "anonymous_identity", and that's why I had to
> have a DEFAULT entry after this with Auth-Type :=EAP.

As you didn't show that error one cannot check for its real cause. Everything else correctly configured you don't need that setting (and it might be actually wrong depending on circumstances).

> Do you suggest any particular format of my users file ? Please note, the
> phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is
> "testuser/testuser".

I did take note. So, take an unaltered users file and just add your line as mentioned above. Something I found in your previous post led to a failure here. Use
phase2="autheap=MSCHAPV2" instead of
phase2="auth=MSCHAPV2"

> modcall: entering group authenticate for request 1
> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

That does look strange (and might indicate your real problem), if it still persists with the suggested changes it might be useful to dig further into that. Perhaps you could add another -x to the freeradius invocation to get timestamps on the logfile.

regards
K. Hoercher
Re: EAP-TTLS problem at phase 1
Dear Hoercher,

Thank you for your email. I noticed that too, however it didn't seem working and it stopped with error even before that with the following users entry :

"testuser" User-Password := "testuser"

the error was about no matching "anonymous_identity", and that's why I had to have a DEFAULT entry after this with Auth-Type :=EAP.

Do you suggest any particular format of my users file ? Please note, the phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is "testuser/testuser".

Below is my full debug output. Please advise further ...

Rafi

# ./radiusd -X -A -f -s
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 4
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 20
 security: reject_delay = 2
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded DIGEST
Module: Instantiated digest (digest)
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = yes
 tls: dh_key_exchange = no
 tls: rsa_key_length = 1024
 tls: dh_key_length = 1024
 tls: verify_depth = 2
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/etc/certs/key2.pem"
 tls: certificate_file = "/etc/freeradius/etc/certs/cert2.pem"
 tls: CA_file = "/etc/freeradius/etc/certs/cacert.pem"
 tls: private_key_password = "wimax i2 test certs"
 tls: dh_file = "/etc/freeradius/etc/certs/dh"
 tls: random_file = "/etc/freeradius/etc/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "%{User-Name}"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "mschapv2"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated
Re: how to force "Accept" and override default and null proxy realms?
Mike wrote:
> I would like to always send an Accept unconditionally if the User-Name is test[0-9], but proxy request to default or null realm for all other user names. I tried a configuration with
>
> authorize { files suffix }
>
> the "suffix" will match on default and null realms. I currently have a line in users file that looks like this:
>
> DEFAULT User-Name =~ "test[0-9]", Auth-Type: Accept
>
> however regardless of which user makes the request, even the "test" user (which does match), the request is still proxied. If I change "Auth-Type: Reject", then the test user is always rejected, but I am looking for the opposite behavior.

see doc/configurable_failover which describes a way to control how modules fall through.

Note that simply returning Accept does not work for most Auth-Types e.g. CHAP, MS-CHAP, EAP. It only really works for PAP
Re: radutmp and/or SQL Accounting
Actually, is anyone able to confirm if the accounting is actually dependent on my hardware? Because I'm thinking the RADIUS on my Access Point doesn't support the accounting functions.

On 21/10/2006, at 8:01 PM, Matt Harlum wrote:
> Hey guys, I've got my radiusd setup to work from an SQL Database for WPA Enterprise encryption, However I cannot get radutmp or SQL accounting to work, I'm running it on OSX 10.4.8
> My Radiusd.conf is attached
Re: EAP-TTLS problem at phase 1
Hi,

as mentioned in various places in the documentation and countless times on this list:

On 10/21/06, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:
> Here is my users file :
>
> "testuser" Auth-Type := EAP, User-Password := "testuser"
> DEFAULT Auth-Type := EAP

Don't set Auth-Type

> Here is the radius log (only shown the failed part)
>
> rlm_fastusers: checking defaults
> fastusers: Matched DEFAULT at 6
> modcall[authorize]: module "fastusers" returns updated for request 1
> modcall: leaving group authorize (returns updated) for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
> rlm_eap: Failed in handler
> modcall[authenticate]: module "eap" returns invalid for request 1
> modcall: leaving group authenticate (returns invalid) for request 1

That's pretty much non-informative. In case, the above fix does not yet yield the desired results, provide the full debug output.

regards
K. Hoercher
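The two changes K. Hoercher recommends in the EAP-TTLS messages above (no Auth-Type in the users entry, and phase2="autheap=MSCHAPV2" on the client), put side by side as an added example that is not from any of the posters. It assumes the client is wpa_supplicant, whose configuration syntax the quoted phase2= setting matches; the ssid and ca_cert values are placeholders.

```conf
# --- raddb/users (server side) ---
# Only the password is listed. Auth-Type is left unset, so the eap module
# selects EAP for the request itself instead of a forced value doing it.
testuser        User-Password := "testuser"

# Entries the thread advises against:
#   "testuser"  Auth-Type := EAP, User-Password := "testuser"
#   DEFAULT     Auth-Type := EAP

# --- wpa_supplicant.conf (client side; wpa_supplicant is an assumption) ---
network={
    # Placeholder network name.
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Phase 1: outer identity, sent in the clear before the TLS tunnel exists.
    anonymous_identity="anonymous_identity"
    # Phase 2: real credentials, sent only inside the tunnel.
    identity="testuser"
    password="testuser"
    # CA certificate used to validate the RADIUS server (placeholder path).
    ca_cert="/path/to/cacert.pem"
    # autheap= selects an EAP method inside the tunnel (EAP-MSCHAPv2), which
    # lines up with 'ttls: default_eap_type = "mschapv2"' in the server's
    # debug output quoted in this thread.
    phase2="autheap=MSCHAPV2"
    # auth= selects the non-EAP variant; this is the setting K. Hoercher
    # reports as failing in his test:
    # phase2="auth=MSCHAPV2"
}
```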