Re: rlm_krb5
Can't use that as an argument: mickeysoft strongly recommends leaving it disabled, and I'm not the Windows admin.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

"Alan DeKok" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/24/2006 05:52 PM
Please respond to FreeRadius users mailing list

To: FreeRadius users mailing list
cc:
Subject: Re: rlm_krb5

[EMAIL PROTECTED] wrote:
> What other setup can you recommend with minimal account administration?

Use ntlm_auth. There are any number of HOWTOs on doing this, including the Wiki and my web site.

> Can you argue why (not) to store passwords with reversible encryption in
> AD?

Because it doesn't do anything useful.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.
B Thompson <[EMAIL PROTECTED]> wrote:
> Looking at the timestamps it would seem that this is the packet which
> caused the error even though tcpdump shows no Tunnel-Password
> attribute was present. So, something is definitely odd here. Is there
> any way to verify this is the offending packet other than matching
> timestamps?

Run the server in debugging mode? Run tcpdump for a long time, and search its output for Tunnel-Password?

The server will get many packets in the same second. Timestamps are useless...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: EAP: client certificates and double authentication messages
Hi again Flo,

remember last TNC in Catania? :-)

> I am using freeradius successfully, but I still have some questions.
>
> Firstly, how can I disable verifying client certificates?
> Mon Sep 5 12:17:12 2005 : Error: TLS_accept:error in SSLv3 read
> client certificate A

This is an "error" reported from openssl. Other than looking ugly, it doesn't do any harm. And since it's not caused by FreeRADIUS, you can't stop it from appearing. It's a case of "never mind". BTW, this question comes up quite frequently on the list; digging in the archives would have done the trick.

> Secondly, how come I always see a successful authentication twice,
> when using eap:
> Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client
> localhost port 0)
> Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client
> airbrush port 0 cli 00-11-09-0B-01-4D)

That's due to the way EAP sessions are handled in FreeRADIUS: there is the RADIUS packet coming from the client, and within it is the content of the TLS tunnel; this inner content is treated as a new packet coming from localhost. So, first the TLS tunnel content gets validated, which results in success (the first line above), then this inner packet gets "proxied" back to the outer packet, which sees a Login OK from the inner, which satisfies itself and reports its own success again. Again a case of "never mind".

Greetings,

Stefan
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Research Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: Problems with freeradius set up
> +------+----------+------------------+-------+----+
> | id   | UserName | Attribute        | Value | op |
> +------+----------+------------------+-------+----+
> | 1118 | mpearson | Password         |       | == |
> | 1119 | mpearson | Simultaneous-Use | 1     | == |
> +------+----------+------------------+-------+----+
> 2 rows in set (0.29 sec)

You want to force the user to only have one login session. Then you have to *set* Simultaneous-Use, by using the operator :=. The way it is in the db right now would only match the user if the incoming packet already contained an attribute Simultaneous-Use and if this attribute's value was 1 (because == is a check item, i.e. it compares things in the packet, it doesn't set anything). So, change the operator (BTW: for both entries, IIRC, Password or User-Password should be _set_ with :=). That should work much better.

> Also I went down through the debug of radiusd and put in the select
> statements from it. I didn't get any results from:

That's okay, it's no problem if they are empty. They could cause trouble if they were non-empty and filled with rubbish, that's why I wanted you to check them too.

Greetings,

Stefan
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Research Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.
On Tue, Oct 24, 2006 at 01:19:29PM -0400, Alan DeKok wrote:
> B Thompson <[EMAIL PROTECTED]> wrote:
> > Tue Oct 24 14:02:59 2006 : Error: ERROR: Tunnel-Password attribute in
> > request: Cannot decrypt it.
> >
> > Could someone explain a bit more about what this means and whether it is
> > likely to be a problem with the NAS?
>
> The NAS is sending an attribute it's not supposed to send. Yes, it
> would appear to be a problem.
>
> > Here is the tcpdump print out of the packet which caused the above message :-
>
> Nope. Look at what you posted: there's no Tunnel-Password in it.

Looking at the timestamps it would seem that this is the packet which caused the error even though tcpdump shows no Tunnel-Password attribute was present. So, something is definitely odd here. Is there any way to verify this is the offending packet other than matching timestamps?

Thanks
--
Ben Thompson
RE: Decreasing connection time (Session-Timeout)
> > However you can instantiate a new sql module in sql.conf:
> > sql my-sql-acct {
> >     ...
> >     accounting_stop_query = "MY Customized SQL query"
> > }
> >
> > Then in your radiusd.conf accounting section:
> > accounting {
> >     sql
> >     my-sql-acct
> > }
>
> I tried this and freeRadius hangs at startup and says "my-sql-acct: Unknown Module".
> I added everything just like you said...

That's weird... It means that your my-sql-acct module definition wasn't read or accepted.

You should try to run radiusd with "radiusd -X" and carefully read the output: this will tell you where the problem is.

If you can't find the issue, post the result of your "radiusd -X" (you could also add your radiusd.conf and sql.conf) and I'll have a look at it.

Regards,
Thibault
Re: Problems with freeradius set up
There is an entry for mpearson in my database, but not for that select statement. What should be in the radgroupreply and the radreply tables? I don't have any data in either of those tables.

Thanks
Mike

Alan DeKok wrote:
Mike Pearson <[EMAIL PROTECTED]> wrote:
> My problem is I can't get the users to authenticate, I pasted the output from radtest and radiusd -X. I can provide any more information that may be needed.

Ok...

> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'mpearson' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): No matching entry in the database for request from user [mpearson]

That's the problem. Is there an entry for mpearson? If so, what does it look like?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.
B Thompson <[EMAIL PROTECTED]> wrote:
> Tue Oct 24 14:02:59 2006 : Error: ERROR: Tunnel-Password attribute in
> request: Cannot decrypt it.
>
> Could someone explain a bit more about what this means and whether it is
> likely to be a problem with the NAS?

The NAS is sending an attribute it's not supposed to send. Yes, it would appear to be a problem.

> Here is the tcpdump print out of the packet which caused the above message :-

Nope. Look at what you posted: there's no Tunnel-Password in it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.
Hi

We are seeing a problem with RADIUS accounting from some of our Colubris APs. We are getting the following errors in /var/log/radius/radius.log :-

Tue Oct 24 14:02:59 2006 : Error: ERROR: Tunnel-Password attribute in request: Cannot decrypt it.

Could someone explain a bit more about what this means and whether it is likely to be a problem with the NAS? We are running FreeRADIUS 1.0.1.

Here is the tcpdump print out of the packet which caused the above message :-

14:02:59.913634 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 323) nasphysap0.york.ac.uk.32770 > nasaaa2.york.ac.uk.radius-acct: [udp sum ok] RADIUS, length: 295
  Accounting Request (4), id: 0xa7, Authenticator: 7f79db43885d7e9745205662885af3bc
    Accounting Session ID Attribute (44), length: 19, Value: 94c34058-0007
    NAS Port Attribute (5), length: 6, Value: 10
    NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
    NAS ID Attribute (32), length: 12, Value: nasphysap0
    NAS IP Address Attribute (4), length: 6, Value: nasphysap0.york.ac.uk
    Framed MTU Attribute (12), length: 6, Value: 1496
    Username Attribute (1), length: 18, Value: [EMAIL PROTECTED]
    Calling Station Attribute (31), length: 19, Value: 00:0c:f1:1b:47:7b
    Called Station Attribute (30), length: 19, Value: 00:03:52:dc:e5:31
    Accounting Status Attribute (40), length: 6, Value: Stop
    Accounting Session Time Attribute (46), length: 6, Value: 18 secs
    Accounting Input Packets Attribute (47), length: 6, Value: 30
    Accounting Output Packets Attribute (48), length: 6, Value: 34
    Accounting Input Octets Attribute (42), length: 6, Value: 2181
    Accounting Output Octets Attribute (43), length: 6, Value: 7541
    Accounting Termination Cause Attribute (49), length: 6, Value: Lost Carrier
    Accounting Delay Attribute (41), length: 6, Value: 289:15:29 hours
    Vendor Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
      Vendor Attribute: 17, Length: 52, Value: .]..D?...D7.?}v.X.xS.)/..7.).Z. .SiG...:
    Vendor Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
[per-attribute hex bytes and the raw hex dump of the whole packet omitted]
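The decryption that fails here is the RFC 2868 salt-encryption scheme used for Tunnel-Password; RFC 2548 uses the identical construction for the Microsoft MS-MPPE-Send-Key and MS-MPPE-Recv-Key vendor attributes (vendor type 17 in the dump above is MS-MPPE-Recv-Key), and any attribute flagged that way is decrypted with the Request Authenticator of the packet it arrives in. The following is an added example, not code from the thread or from FreeRADIUS: it implements the scheme and shows why a value encrypted against one packet's authenticator cannot be decrypted when it turns up in a packet with a different authenticator. The shared secret, authenticators, salt and key are constructed values.

```python
import hashlib

BLOCK = 16  # the scheme works in MD5-sized, 16-octet blocks


def _next_block(secret: bytes, prev: bytes) -> bytes:
    """b_1 = MD5(S + R + A) for the first block, b_i = MD5(S + c_(i-1)) afterwards."""
    return hashlib.md5(secret + prev).digest()


def salt_encrypt(data: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """Encrypt as in RFC 2868 3.5 (Tunnel-Password) / RFC 2548 2.4.2-2.4.3 (MS-MPPE keys).

    S = shared secret, R = Request Authenticator of the packet carrying the attribute,
    A = 2-octet salt whose first octet has the high bit set. Returns salt + ciphertext.
    """
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first octet set")
    if len(data) > 255:
        raise ValueError("data does not fit the one-octet length field")
    # Plaintext = Data-Length (1 octet) + data, zero-padded to a multiple of 16 octets.
    plain = bytes([len(data)]) + data
    plain += b"\x00" * (-len(plain) % BLOCK)
    out = bytearray(salt)
    prev = req_auth + salt
    for i in range(0, len(plain), BLOCK):
        cipher = bytes(p ^ b for p, b in zip(plain[i:i + BLOCK], _next_block(secret, prev)))
        out += cipher
        prev = cipher
    return bytes(out)


def salt_decrypt(value: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of salt_encrypt. Raises ValueError when the value cannot be decrypted,
    which is the situation a server has to report as "Cannot decrypt it"."""
    if len(value) < 2 + BLOCK or (len(value) - 2) % BLOCK != 0:
        raise ValueError("Cannot decrypt it: length %d is not 2 + n*16" % len(value))
    salt, body = value[:2], value[2:]
    if not salt[0] & 0x80:
        raise ValueError("Cannot decrypt it: salt high bit not set")
    plain = bytearray()
    prev = req_auth + salt
    for i in range(0, len(body), BLOCK):
        cipher = body[i:i + BLOCK]
        plain += bytes(c ^ b for c, b in zip(cipher, _next_block(secret, prev)))
        prev = cipher
    data_len = plain[0]
    if data_len > len(plain) - 1:
        # A wrong secret or a wrong Request Authenticator turns the first block into
        # noise, and the recovered length field is then usually out of range.
        raise ValueError("Cannot decrypt it: length field %d exceeds %d octets"
                         % (data_len, len(plain) - 1))
    return bytes(plain[1:1 + data_len])


def try_decrypt(value: bytes, secret: bytes, req_auth: bytes):
    """salt_decrypt that returns None instead of raising."""
    try:
        return salt_decrypt(value, secret, req_auth)
    except ValueError:
        return None


def demo():
    """Round trip with the right authenticator, then the same attribute value seen in
    a packet whose Request Authenticator differs. All values are constructed."""
    secret = b"testing123"
    access_auth = bytes(range(16))                                 # Access-Request authenticator
    acct_auth = hashlib.md5(b"constructed acct auth").digest()     # another packet's authenticator
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # 32-octet MPPE-style key
    salt = b"\x81\x23"
    value = salt_encrypt(key, secret, access_auth, salt)
    good = salt_decrypt(value, secret, access_auth)
    bad = try_decrypt(value, secret, acct_auth)
    return value, good, bad


if __name__ == "__main__":
    value, good, bad = demo()
    print("encrypted attribute value: %d octets" % len(value))
    print("with the right authenticator:", good.hex())
    print("with another authenticator:", "cannot decrypt" if bad is None else "garbage " + bad.hex())
```

A 32-octet key gives a 50-octet value, which with the 2-octet vendor-attribute header is the 52-octet length of the Microsoft attributes in the dump; the same length check and length-field check are all a receiver can do to notice that the wrong authenticator or secret was used.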
Re: Problems with freeradius set up
Thanks for the reply Stefan,

Here is the output from mysql for the statement below:

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username
    -> = 'mpearson' ORDER BY id
    ->
    -> ;
+------+----------+------------------+-------+----+
| id   | UserName | Attribute        | Value | op |
+------+----------+------------------+-------+----+
| 1118 | mpearson | Password         |       | == |
| 1119 | mpearson | Simultaneous-Use | 1     | == |
+------+----------+------------------+-------+----+
2 rows in set (0.29 sec)

Also I went down through the debug of radiusd and put in the select statements from it. I didn't get any results from:

SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mpearson' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

and

SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mpearson' ORDER BY id

Thanks
Mike

Stefan Winter wrote:
Hi,

nicely done problem report! My guess is that your tables contain a check item that is not satisfied by the incoming requests. Could you do a

SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mpearson' ORDER BY id

(this is one of the SQL statements in the debug output. It might also help to execute all other statements that appeared in the debug output for the user and post them too) and post it to the list (obfuscate the password of course)? Because

rlm_sql (sql): No matching entry in the database for request from user [mpearson]

this output looks suspiciously like the user itself was found in the database, but there was more than one line concerning him and not all of those lines containing check items were satisfied.

Greetings,

Stefan Winter
Re: sql.conf problem
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> In a certain context I want to accept all incoming requests.

Ok...

> mysql> select * from radcheck where UserName='0009';
> +---------+----------+--------------+----+----------+---------------------+
> | id      | UserName | Attribute    | op | Value    | validto             |
> +---------+----------+--------------+----+----------+---------------------+
> | 1159463 | 0009     | Hint         | += | assignvl | 2006-10-31 00:00:00 |
> | 2512785 | 0009     | Auth-Type    | := | Accept   | NULL                |
> | 2512786 | 0009     | Idle-Timeout | =  | 123      | NULL                |

What are you trying to do here? You're setting Hint (which won't work the way you want), and you're doing so only if the packet contains Idle-Timeout, with a value of "123".

> radtest 0009 000b5d28f24x4 localhost 1812 testing123
> Sending Access-Request of id 243 to 127.0.0.1 port 1812
...

No Idle-Timeout. So that entry won't match.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
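Both this thread and Stefan's reply in the "Problems with freeradius set up" thread (== versus :=) come down to how the rows of radcheck are evaluated as check items. The following added example, not code from the list or from FreeRADIUS, models that evaluation: rows with := and += are control items that are never compared, while == rows (and = rows, which Alan's description treats as a comparison for protocol attributes) must be matched by the incoming packet or the user counts as "not found". Treating the legacy name "Password" as an alias of User-Password is an assumption of the model, and the request contents are constructed from the radtest output in the two threads.

```python
"""Model of radcheck check-item evaluation (added example; simplified, not the server's code)."""

# Server-internal control attributes: never compared against the incoming packet.
CONFIG_ATTRS = {"Auth-Type", "Autz-Type", "Acct-Type"}

# Assumption for this model: the legacy name "Password" means User-Password.
ALIASES = {"Password": "User-Password"}


def match_check_items(rows, request):
    """rows: (Attribute, op, Value) tuples as stored in radcheck, in id order.
    request: dict attribute -> value of the incoming Access-Request.
    Returns (matched, control): control holds the values the rows *set* for the
    later stages (e.g. the known-good password), matched says whether every
    comparison row was satisfied by the packet."""
    control = {}
    matched = True
    for attr, op, value in rows:
        attr = ALIASES.get(attr, attr)
        if op == ":=":                       # set: replaces any earlier value, never compared
            control[attr] = [value]
            continue
        if op == "+=":                       # add: appends, never compared
            control.setdefault(attr, []).append(value)
            continue
        if attr in CONFIG_ATTRS:
            continue
        present = attr in request
        equal = present and str(request[attr]) == str(value)
        if op in ("==", "="):
            # '=' is not a valid check operator for protocol attributes and is
            # evaluated like '==': the packet must carry attr with this value.
            if not equal:
                matched = False
        elif op == "!=":
            if equal:
                matched = False
        elif op == "=*":                     # attribute must be present
            if not present:
                matched = False
        elif op == "!*":                     # attribute must be absent
            if present:
                matched = False
        else:
            raise ValueError("unsupported check operator %r" % op)
    return matched, control


def mpearson_cases():
    """Rows from the 'Problems with freeradius set up' thread, as posted and as corrected.
    The password value is constructed (the post had it blanked out)."""
    request = {"User-Name": "mpearson", "User-Password": "test", "NAS-Port": 1645}
    as_posted = [("Password", "==", "test"), ("Simultaneous-Use", "==", "1")]
    corrected = [("User-Password", ":=", "test"), ("Simultaneous-Use", ":=", "1")]
    return match_check_items(as_posted, request), match_check_items(corrected, request)


def norbert_cases():
    """radcheck rows for user 0009 from this thread (the Hint row is already filtered
    out by the posted authorize_check_query), then with Idle-Timeout left to radreply."""
    request = {"User-Name": "0009", "User-Password": "000b5d28f24x4",
               "NAS-IP-Address": "255.255.255.255", "NAS-Port": 1812}
    as_posted = [("Auth-Type", ":=", "Accept"), ("Idle-Timeout", "=", "123")]
    check_only = [("Auth-Type", ":=", "Accept")]
    return match_check_items(as_posted, request), match_check_items(check_only, request)


if __name__ == "__main__":
    for name, (before, after) in (("mpearson", mpearson_cases()), ("0009", norbert_cases())):
        print(name, "as posted:", "matched" if before[0] else "No matching entry",
              "| corrected:", "matched" if after[0] else "No matching entry", after[1])
```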
Re: Problems with freeradius set up
Mike Pearson <[EMAIL PROTECTED]> wrote:
> My problem is I can't get the users to authenticate, I
> pasted the output from radtest and radiusd -X. I can provide any more
> information that may be needed.

Ok...

> radius_xlat: 'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>
> FROM radgroupreply,usergroup WHERE usergroup.Username = 'mpearson' AND
> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): No matching entry in the database for request from user
> [mpearson]

That's the problem. Is there an entry for mpearson? If so, what does it look like?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
EAP: client certificates and double authentication messages
Hi,

I am using freeradius successfully, but I still have some questions.

Firstly, how can I disable verifying client certificates?

Mon Sep 5 12:17:12 2005 : Error: TLS_accept:error in SSLv3 read client certificate A

I mean I have disabled the command in the config-file. But still I get the error above.

Secondly, how come I always see a successful authentication twice, when using eap:

Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client localhost port 0)
Mon Sep 5 12:17:16 2005 : Auth: Login OK: [unrzwlan5] (from client airbrush port 0 cli 00-11-09-0B-01-4D)

Thanks
Florian Prester
--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany
Tel.: +499131 8527813
Re: rlm_krb5
[EMAIL PROTECTED] wrote:
> What other setup can you recommend with minimal account administration?

Use ntlm_auth. There are any number of HOWTOs on doing this, including the Wiki and my web site.

> Can you argue why (not) to store passwords with reversible encryption in
> AD?

Because it doesn't do anything useful.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius+hpidm+cisco
[EMAIL PROTECTED] wrote:
> I hoped that other users on the list are also using idm (as it works as a
> plugin for (free)radius).

It's a plugin supplied by HP, and is not part of FreeRADIUS. Please ask HP for support.

The module is not included with FreeRADIUS, therefore discussions about the module do not belong on this list.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
EAP-TTLS success
Hi all,

I found the issue for the error below:

"EAP-request timed out OR EAP-response to an unknown EAP-request"

--- the NAS was not responding with the State attribute received from the radius server. As soon as we fixed this at the NAS, it went through all the steps required to authenticate a user using TTLS-MSCHAPV2.

My platform was Solaris 10, with freeradius version 1.1.3.

Thanks all for your valuable input.

Rafi
cvs issue
Hello,

I'm only seeing cistron on the cvs:

FTP directory /pub/radius/CVS-snapshots/ at ftp.freeradius.org
Up to higher level directory
10/23/2006 09:10    201,051    radiusd-cistron-1.6-snapshot-20061023.tar.gz
Re: Problems with freeradius set up
Hi,

nicely done problem report! My guess is that your tables contain a check item that is not satisfied by the incoming requests. Could you do a

SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mpearson' ORDER BY id

(this is one of the SQL statements in the debug output. It might also help to execute all other statements that appeared in the debug output for the user and post them too) and post it to the list (obfuscate the password of course)? Because

> rlm_sql (sql): No matching entry in the database for request from user
> [mpearson]

this output looks suspiciously like the user itself was found in the database, but there was more than one line concerning him and not all of those lines containing check items were satisfied.

Greetings,

Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Problems with freeradius set up
I'm new to the list and I'm having problems getting freeradius to authenticate users. I migrated from an old server running gnu-radius to a new server running freeradius; both servers are using mysql. I made sure the tables in mysql match what freeradius requires, and I also made sure that the database user for freeradius had the same permissions as gnu-radius. My problem is I can't get the users to authenticate; I pasted the output from radtest and radiusd -X. I can provide any more information that may be needed.

Thanks
Mike

Sending Access-Request of id 16 to 127.0.0.1:1645
        User-Name = "mpearson"
        User-Password = "test"
        NAS-IP-Address = ip-208-109-22-193.ip.secureserver.net
        NAS-Port = 1645
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=16, length=20

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radius"
 sql: password = "dialup"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = no
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{Us
sql.conf problem
In a certain context I want to accept all incoming requests. FreeRADIUS is 1.1.3. I hold the accounts in MySQL. This is what I have stored in the database for one account:

mysql> select * from usergroup where UserName='0009';
+---------+----------+--------------+---------------------+---------------------+---------+
| id      | UserName | GroupName    | loaddate            | validto             | konftyp |
+---------+----------+--------------+---------------------+---------------------+---------+
| 1160351 | 0009     | sondergeraet | 2006-10-24 09:26:59 | 2006-10-31 00:00:00 | NULL    |
+---------+----------+--------------+---------------------+---------------------+---------+
1 row in set (0.00 sec)

mysql> select * from radcheck where UserName='0009';
+---------+----------+--------------+----+----------+---------------------+
| id      | UserName | Attribute    | op | Value    | validto             |
+---------+----------+--------------+----+----------+---------------------+
| 1159463 | 0009     | Hint         | += | assignvl | 2006-10-31 00:00:00 |
| 2512785 | 0009     | Auth-Type    | := | Accept   | NULL                |
| 2512786 | 0009     | Idle-Timeout | =  | 123      | NULL                |
+---------+----------+--------------+----+----------+---------------------+
3 rows in set (0.00 sec)

mysql> select * from radreply where UserName='0009';
+----+----------+--------------+----+-------+------------+--------------+---------+
| id | UserName | Attribute    | op | Value | ra_nasname | ra_GroupName | validto |
+----+----------+--------------+----+-------+------------+--------------+---------+
|  6 | 0009     | Idle-Timeout | =  | 123   | NULL       | NULL         | NULL    |
+----+----------+--------------+----+-------+------------+--------------+---------+
1 row in set (0.00 sec)

authorize_check_query from sql.conf is:

authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
    FROM ${authcheck_table} \
    WHERE Username = '%{SQL-User-Name}' and ( radcheck.Attribute !='Hint' ) \
    ORDER BY id"

radtest 0009 000b5d28f24x4 localhost 1812 testing123
Sending Access-Request of id 243 to 127.0.0.1 port 1812
        User-Name = "0009"
        User-Password = "000b5d28f24x4"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=243, length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

Not the shared secret, the password is incorrect. Nevertheless, I want to ignore this and assign the check-item Auth-Type:=Accept from radcheck.

radiusd -AX shows me:

...
modcall[authorize]: module "files" returns notfound for request 0
radius_xlat: '0009'
rlm_sql (sql): sql_set_user escaped user --> '0009'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '0009' and ( radcheck.Attribute !='Hint' )ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.UserName = '0009' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: ''
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE ( usergroup.Username = '0009' AND usergroup.GroupName = radgroupreply.Value ) or (usergroup.UserName='0009' and (radgroupreply.GroupName in (select type from nas where nasname = '255.255.255.255') and radgroupreply.GroupName='Cisco' and radgroupreply.Attribute!='Tunnel-Private-Group-ID' ) ) ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
rlm_sql: check items
        Auth-Type := Accept
        Idle-Timeout = 123
        Hint == "assignvl"
^^ (enabled debugging in rlm_sql.c around line 850)
rlm_sql: reply items
rlm_sql (sql): No matching entry in the database for request from user [0009]
modcall[authorize]: module "sql" returns notfound for request 0

Why do I get a 'No matching entry in the database for request from user [0009]', although the expanded authorize_check_query, copied from above directly into mysql, gives me the following:

mysql> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '0009' and ( radcheck.Attribute !='Hint' )ORDER BY id;
+---------+----------+--------------+-------+----+
| id      | UserName | Attribute    | Value | op |
+---------+----------+--------------+-------+----+
Re: Decreasing connection time (Session-Timeout)
micobros wrote:
> Using triggers is a good idea too... The problem is that I don't know how to make stored routines. I could learn, but I need this little *demo* station to work for this afternoon :)

What db are you using? If you are using postgresql, you can use this as an example:

http://lists.cistron.nl/pipermail/freeradius-users/2005-January/040297.html

It's not hard. I actually have a stored procedure & trigger in the db which does exactly what you're after (for dialup) which I should be able to post tomorrow.

g

> For now, I'll simply make a little php script executed every 10 minutes to check the radacct table. And subtract the time elapsed from the Session-Timeout attribute...
>
> Cheers,
> mico
>
> "The only way to get rid of a temptation is to yield to it." (Oscar Wilde)
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santiago Balaguer García
> > Sent: Tuesday 24 October 2006 9:54
> > To: freeradius-users@lists.freeradius.org
> > Subject: RE: Decreasing connection time (Session-Timeout)
> >
> > The best way to update your DB with the new session-timeout value is to CREATE A TRIGGER in your database when a STOP request is sent by your NAS. In this STOP request you have all the information you need. I suppose your hotspot has the accounting option activated.
> >
> > The option of executing an external script when the user finishes is not a very good solution. With the solution I presented you have synchronous DB data.
> >
> > > From: "micobros" <[EMAIL PROTECTED]>
> > > Reply-To: FreeRadius users mailing list
> > > To: "'FreeRadius users mailing list'"
> > > Subject: RE: Decreasing connection time (Session-Timeout)
> > > Date: Tue, 24 Oct 2006 09:24:33 +0200
> > >
> > > In SQLCounter documentation they say "This module NEVER does any database INSERTs or UPDATEs."
> > >
> > > I can in fact grab the time elapsed and all kind of other information. But my main problem is to update my database with the new time.
Hints, Attr_rewrite - Add session timeout with Framed IP
Hello all,

Any other suggestions? I've made a small script in rlm_sqlippool to add the session time-out attribute...

--- Forwarded message follows ---
From: Breuer Nicolas <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Subject: Hints, Attr_rewrite - Add session timeout with Framed IP?
Send reply to: [EMAIL PROTECTED]
Date sent: Mon, 23 Oct 2006 12:02:03 +0200

Hello

I'm looking for a solution to add a session timeout value to the accept packets when a framed IP address is assigned in the users file.

I tried to add "hints" rules but it doesn't seem to work. I also tried to rewrite the packet: that doesn't work either.

Can you help me to do this?
--- End of forwarded message ---
RE: Decreasing connection time (Session-Timeout)
Using triggers is a good idea too... The problem is that I don't know how to
make stored routines. I could learn, but I need this little *demo* station to
work for this afternoon :)

For now, I'll simply make a little php script executed every 10 minutes to
check the radacct table. And subtract the time elapsed from the
Session-Timeout attribute...

Cheers,
mico

"The only way to get rid of a temptation is to yield to it." (Oscar Wilde)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Santiago Balaguer García
> Sent: Tuesday 24 October 2006 9:54
> To: freeradius-users@lists.freeradius.org
> Subject: RE: Decreasing connection time (Session-Timeout)
>
> The best way to update your DB with the new session-timeout value is to
> CREATE A TRIGGER in your database when a STOP request is sent by your NAS.
> In this STOP request you have all information you need. I suppose your
> hotspot has the accounting option activated.
>
> The option of executing an external script when the user finishes is not a
> very good solution. With the solution I exposed you have synchronous DB
> data.
>
> > From: "micobros" <[EMAIL PROTECTED]>
> > Reply-To: FreeRadius users mailing list
> > To: "'FreeRadius users mailing list'"
> > Subject: RE: Decreasing connection time (Session-Timeout)
> > Date: Tue, 24 Oct 2006 09:24:33 +0200
> >
> > In SQLCounter documentation they say "This module NEVER does any database
> > INSERTs or UPDATEs."
> >
> > I can in fact grab the time elapsed and all kind of other information.
> > But my main problem is to update my database with the new time.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Decreasing connection time (Session-Timeout)
> However you can instantiate a new sql module in sql.conf:
>
> sql my-sql-acct {
>     ...
>     accounting_stop_query = "MY Customized SQL query"
> }
>
> Then in your radiusd.conf accounting section:
>
> accounting {
>     sql
>     my-sql-acct
> }

I tried this and freeRadius hangs at startup and says "my-sql-acct: Unknown
Module". I added everything just like you said...

(If I can manage to add this previous section) Modifying directly in
chillispot is maybe a good choice. I'll give it a try...

Cheers,
mico

"The only way to get rid of a temptation is to yield to it." (Oscar Wilde)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Thibault Le Meur
> Sent: Tuesday 24 October 2006 9:56
> To: 'FreeRadius users mailing list'
> Subject: RE : Decreasing connection time (Session-Timeout)
>
> > freeRadius then calls accounting_stop_query located in
> > sql.conf and UPDATES the radacct table and its attributes
> > with all these new values.
> >
> > What I'd like to do now is to execute a personalised sql
> > query right after this default accounting_stop_query so that
> > I could save/modify all the info I want.
> >
> > Or maybe is there another way to grab this Acct-Session-Time
> > and User-Name to update the correct user and modify his time left.
> >
> > Any ideas?
>
> I don't know if it's possible to add any number of SQL queries to the sql
> module: I leave it to the freeradius gurus to say...
>
> However you can instantiate a new sql module in sql.conf:
>
> sql my-sql-acct {
>     ...
>     accounting_stop_query = "MY Customized SQL query"
> }
>
> Then in your radiusd.conf accounting section:
>
> accounting {
>     sql
>     my-sql-acct
> }
>
> You may also want to enable the 'my-sql-acct' only for your ChilliSpot
> NAS. You can do so by playing with Acct-Type (see doc/Acct-Type):
> * use acct_users to set Acct-Type := custom-sql for your NAS-IP-Address
> * use an accounting section as below:
>
> accounting {
>     sql
>     Acct-Type custom-sql {
>         my-sql-acct
>     }
> }
>
> HTH,
> Thibault
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SNMP with Freeradius - Again
> SNMP/SMUX support should not affect the rlm_sql module in any way.
>
> See doc/bugs for steps to debug the segfault issue and identify where the
> program is actually failing.

Good Day.

I did all the steps in doc/bugs, and this is the result:

    [EMAIL PROTECTED] freeradius-1.1.3]# gdb /usr/local/sbin/radiusd
    GNU gdb Red Hat Linux (6.3.0.0-1.96rh)
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

    (gdb) set logging file gdb-radiusd.log
    (gdb) set logging on
    Copying output to gdb-radiusd.log.
    (gdb) run
    Starting program: /usr/local/sbin/radiusd
    [Thread debugging using libthread_db enabled]
    [New Thread -1208568128 (LWP 6866)]
    Tue Oct 24 09:25:22 2006 : Info: Starting - reading configuration files ...

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -1208568128 (LWP 6866)]
    0x0804e816 in cf_expand_variables (cf=0x8065a9e "?", lineno=0x9fd2d38,
        outercs=0x9fd2d30, output=0xbff15700 "\001", input=0x8061711 "")
        at conffile.c:233
    233             for (parentcs = outercs;
    (gdb)

Is it useful information? Maybe I must do something else?

Thanks.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Decreasing connection time (Session-Timeout)
> freeRadius then calls accounting_stop_query located in
> sql.conf and UPDATES the radacct table and its attributes
> with all these new values.
>
> What I'd like to do now is to execute a personalised sql
> query right after this default accounting_stop_query so that
> I could save/modify all the info I want.
>
> Or maybe is there another way to grab this Acct-Session-Time
> and User-Name to update the correct user and modify his time left.
>
> Any ideas?

I don't know if it's possible to add any number of SQL queries to the sql
module: I leave it to the freeradius gurus to say...

However you can instantiate a new sql module in sql.conf:

sql my-sql-acct {
    ...
    accounting_stop_query = "MY Customized SQL query"
}

Then in your radiusd.conf accounting section:

accounting {
    sql
    my-sql-acct
}

You may also want to enable the 'my-sql-acct' only for your ChilliSpot NAS.
You can do so by playing with Acct-Type (see doc/Acct-Type):
* use acct_users to set Acct-Type := custom-sql for your NAS-IP-Address
* use an accounting section as below:

accounting {
    sql
    Acct-Type custom-sql {
        my-sql-acct
    }
}

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Decreasing connection time (Session-Timeout)
The best way to update your DB with the new session-timeout value is to
CREATE A TRIGGER in your database when a STOP request is sent by your NAS.
In this STOP request you have all information you need. I suppose your
hotspot has the accounting option activated.

The option of executing an external script when the user finishes is not a
very good solution. With the solution I exposed you have synchronous DB data.

> From: "micobros" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: "'FreeRadius users mailing list'"
> Subject: RE: Decreasing connection time (Session-Timeout)
> Date: Tue, 24 Oct 2006 09:24:33 +0200
>
> In SQLCounter documentation they say "This module NEVER does any database
> INSERTs or UPDATEs."
>
> I can in fact grab the time elapsed and all kind of other information. But
> my main problem is to update my database with the new time.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
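A PostgreSQL trigger of the kind suggested in this thread (and the stored procedure and trigger "g" mentions in his reply), written here as an added example; it is not code from the list posts or from FreeRADIUS. It assumes the 1.x radacct and radreply column names, that the per-user allowance is stored as a Session-Timeout row in radreply, and that accounting_stop_query sets acctstoptime and acctsessiontime on the existing radacct row, as it does in the stock sql.conf.

```sql
-- Constructed minimal schema: the real FreeRADIUS 1.x tables have more
-- columns, but these names match the shipped schema.
CREATE TABLE radacct (
    radacctid       BIGSERIAL PRIMARY KEY,
    acctsessionid   TEXT      NOT NULL,
    username        TEXT      NOT NULL,
    acctstarttime   TIMESTAMP,
    acctstoptime    TIMESTAMP,
    acctsessiontime BIGINT
);
CREATE TABLE radreply (
    id        SERIAL  PRIMARY KEY,
    username  TEXT    NOT NULL,
    attribute TEXT    NOT NULL,
    op        CHAR(2) NOT NULL DEFAULT ':=',
    value     TEXT    NOT NULL
);

-- Subtract the session's duration from the user's remaining Session-Timeout.
-- Fires only when the Stop flips acctstoptime from NULL to a timestamp, so
-- interim updates and a re-sent Stop do not subtract the time twice; GREATEST
-- keeps the allowance from going negative.
CREATE OR REPLACE FUNCTION decrement_session_timeout() RETURNS trigger AS $$
BEGIN
    IF OLD.acctstoptime IS NULL AND NEW.acctstoptime IS NOT NULL THEN
        UPDATE radreply
           SET value = GREATEST(value::BIGINT
                                - COALESCE(NEW.acctsessiontime, 0), 0)::TEXT
         WHERE username  = NEW.username
           AND attribute = 'Session-Timeout';
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER radacct_stop_decrement
    AFTER UPDATE ON radacct
    FOR EACH ROW EXECUTE PROCEDURE decrement_session_timeout();

-- Constructed walk-through using the Stop packet quoted in this thread:
-- user mico starts with 3600 s; the session 453dda28 lasts 121 s.
INSERT INTO radreply (username, attribute, op, value)
    VALUES ('mico', 'Session-Timeout', ':=', '3600');
INSERT INTO radacct (acctsessionid, username, acctstarttime)
    VALUES ('453dda28', 'mico', now());
-- This is what accounting_stop_query does when the Stop arrives:
UPDATE radacct SET acctstoptime = now(), acctsessiontime = 121
 WHERE acctsessionid = '453dda28' AND username = 'mico';
SELECT value FROM radreply
 WHERE username = 'mico' AND attribute = 'Session-Timeout';
```

The final SELECT returns the seconds left after the 121-second session. Pair the trigger with a check in the authorize stage (rlm_sqlcounter, or a reject once the stored value reaches 0), so a user with nothing left is refused rather than handed a Session-Timeout of 0.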
Re: rlm_krb5
[EMAIL PROTECTED] wrote on 10/23/2006 04:51:59 PM:

> [EMAIL PROTECTED] wrote:
> ...
>
> Please don't send HTML to the list.

I know, but it was related to my question and the info I already gathered.

> > I am implementing 802.1x on our network. The
> > easiest solution to do this is by using "reversible passwords" in
> > active directory
>
> That isn't necessary.
>
> > Only other way is by using kerberos.
>
> That's impossible. Kerberos doesn't do MS-CHAP, which is the
> authentication protocol used by Windows clients for 802.1x

What other setup can you recommend with minimal account administration?

Can you argue why (not) to store passwords with reversible encryption in AD?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius+hpidm+cisco
[EMAIL PROTECTED] wrote on 10/23/2006 04:55:32 PM:

> [EMAIL PROTECTED] wrote:
> > Just for your info the contents of both hpidm config files:
> >
> > [EMAIL PROTECTED] raddb]# cat hpidm.post-auth.conf
> > Post-Auth-Type REJECT {
> >     hpidm
> > }
> > hpidm
> > [EMAIL PROTECTED] raddb]# cat hpidm.modules.conf
> > hpidm {
> >     version = 1.0
> > }
>
> This module is not included with the server. Therefore, it's
> something written locally, and you should ask the person who wrote it
> about any bugs it may have.

I know, but the problem only occurs on cisco devices; I doubt that hp will
debug that (I already updated to the latest patchlevel). I hoped that other
users on the list are also using idm (as it works as a plugin for
(free)radius).

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Decreasing connection time (Session-Timeout)
In SQLCounter documentation they say "This module NEVER does any database
INSERTs or UPDATEs."

I can in fact grab the time elapsed and all kind of other information. But my
main problem is to update my database with the new time.

I found that chillispot sends to freeRadius this message when a user
disconnects:

    Accounting-Request packet from host 127.0.0.1:1025, id=3, length=177
        Acct-Status-Type = Stop
        User-Name = "mico"
        Calling-Station-Id = "00-11-00-19-00-00"
        Called-Station-Id = "00-11-00-65-00-00"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Port-Id = ""
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "nas01"
        Framed-IP-Address = 192.168.189.2
        Acct-Session-Id = "453dda28"
        Acct-Input-Octets = 7347
        Acct-Output-Octets = 10553
        Acct-Input-Gigawords = 0
        Acct-Output-Gigawords = 0
        Acct-Input-Packets = 38
        Acct-Output-Packets = 24
        Acct-Session-Time = 121
        Acct-Terminate-Cause = User-Request

freeRadius then calls accounting_stop_query located in sql.conf and UPDATES
the radacct table and its attributes with all these new values.

What I'd like to do now is to execute a personalised sql query right after
this default accounting_stop_query so that I could save/modify all the info I
want.

Or maybe is there another way to grab this Acct-Session-Time and User-Name to
update the correct user and modify his time left.

Any ideas?

Cheers,
mico

"The only way to get rid of a temptation is to yield to it." (Oscar Wilde)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Jonathan De Graeve
> Sent: Sunday 22 October 2006 17:20
> To: FreeRadius users mailing list
> Subject: RE: Decreasing connection time (Session-Timeout)
>
> > Now, how could I subtract the elapsed time from the original Session-
> > Timeout time? So that the user will, at the next login, only have
> > 40minutes left.
>
> SQLcounter is the module you need.
>
> J.
>
> --
> Jonathan De Graeve
> IMELDA vzw
> Informatica Dienst
> Network System Engineer
> [EMAIL PROTECTED]
> +32(0)15/50.52.98
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html