howto get/send the fullname of a user
Hello the list,

I'm starting with freeradius. Authentication works fine! But the information I get is only the username (the login name in /etc/passwd). How do I get the Fullname? Or other information (like mail, home directory, ...)? Is it possible? Is it a configuration of the server or a request from the client?

Thanks for your help

--
Ariel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Server logs say users authenticate, but they don't (Now with more details!)
G'day Ernie,

What value are you sending for Service-Type? Best way to check is radiusd -X, and watch for the Access-Accept that freeradius sends, in case your authorization config isn't quite right.

Cheers,
James.

Ernie Dunbar wrote:
> Okay, after doing these tests, we can see that the Cisco is now accepting the packets. However, the AS5300 is now telling us "no appropriate authorization type for user".
>
> Here's the logs from the AS5300 (XX.XX.XX.X is the new server, XX.XX.XX.Y is the backup that was offline for the duration of the test):
>
> *Jan 3 16:30:43: RADIUS: Trying next server (XX.XX.XX.X) for id 20
> *Jan 3 16:30:43: RADIUS: Retransmit id 20
> *Jan 3 16:30:43: RADIUS: Received from id 20 XX.XX.XX.X:1812, Access-Accept, len 20
> *Jan 3 16:30:43: RADIUS: saved authorization data for user 616D09DC at 614184A4
> *Jan 3 16:30:43: RADIUS: no appropriate authorization type for user.
> *Jan 3 16:30:43: RADIUS: ustruct sharecount=1
> *Jan 3 16:30:43: RADIUS: Initial Transmit Async56 id 21 XX.XX.XX.Y:1645, Access-Request, len 88
> *Jan 3 16:30:43: Attribute 4 6 CCF4E9FE
> *Jan 3 16:30:43: Attribute 5 6 0038
> *Jan 3 16:30:43: Attribute 61 6
> *Jan 3 16:30:43: Attribute 1 11 72737461
> *Jan 3 16:30:43: Attribute 30 9 36383131
> *Jan 3 16:30:43: Attribute 2 18 A3B5B2A0
> *Jan 3 16:30:43: Attribute 6 6 0002
> *Jan 3 16:30:43: Attribute 7 6 0001
> *Jan 3 16:30:44: %ISDN-6-DISCONNECT: Interface Serial2:5 disconnected from unknown , call lasted 53 seconds
> *Jan 3 16:30:44: isdn_Call_disconnect()
>
>> Hi Ernie,
>>
>> * Run radiusd -X and check that Access-Accept is being sent, and how long after the Access-Request this is.
>>
>> * Verify with tcpdump that the packet is actually getting onto the wire.
>>
>> * Check for iptables rules/access-lists that might be dropping/rejecting the packets.
>>
>> * Make sure your AS5300 and freeradius are configured to use the same port numbers. freeradius shouldn't be seeing the Access-Request if not, but it might be worth a look.
>>
>> Ernie Dunbar wrote:
>>>> G'day Ernie,
>>>>
>>>> Can you sniff on the AS5300 and ensure the Access-Accept packets are arriving before the 3 second (default) timeout?
>>>
>>> Yes, we tried that. The access-accept packets aren't arriving at all!
>>>
>>>> Does it work if you temporarily disable the Simultaneous-Use check?
>>>
>>> No, that doesn't work either.

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED]
Website: http://www.deakin.edu.au
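The AS5300 debug output in this thread reports the server's Access-Accept as "len 20", which is exactly the size of a bare RADIUS header (RFC 2865), so that reply carried no attributes at all, Service-Type included. The sketch below is an added example, not code from any poster or from FreeRADIUS; the function names and the constructed packets (zeroed authenticators) are assumptions made for illustration.

```python
import re
import struct

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16), RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Attribute types that appear in the AS5300 debug output, named per RFC 2865.
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 7: "Framed-Protocol", 30: "Called-Station-Id",
         61: "NAS-Port-Type"}

def parse_radius(packet: bytes):
    """Return (code name, identifier, [(attribute name, value bytes), ...])."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((ATTRS.get(a_type, str(a_type)), packet[pos + 2:pos + a_len]))
        pos += a_len
    return CODES.get(code, str(code)), ident, attrs

def build(code, ident, attrs=()):
    """Build a packet with a zeroed authenticator (constructed test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body

def empty_accepts(debug_lines):
    """Ids of Access-Accepts that a 'Received from id' debug line reports at header size."""
    pat = re.compile(r"Received from id (\d+) \S+, Access-Accept, len (\d+)")
    return [int(m.group(1)) for m in map(pat.search, debug_lines)
            if m and int(m.group(2)) == HEADER_LEN]

# Constructed packets: the bare accept the log describes, and one that authorizes PPP.
BARE = build(2, 20)
FRAMED = build(2, 20, [(6, struct.pack("!I", 2)), (7, struct.pack("!I", 1))])
LOG = ["*Jan 3 16:30:43: RADIUS: Received from id 20 XX.XX.XX.X:1812, Access-Accept, len 20"]

if __name__ == "__main__":
    print(parse_radius(BARE))    # no attributes, so no Service-Type
    print(parse_radius(FRAMED))  # Service-Type=2 (Framed), Framed-Protocol=1 (PPP)
    print(empty_accepts(LOG))    # the accept with id 20 is header-only
```

The same check can be made on the server side by reading the reply attributes that radiusd -X prints under the Access-Accept.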
Re: Server logs say users authenticate, but they don't (Now with more details!)
Okay, after doing these tests, we can see that the Cisco is now accepting the packets. However, the AS5300 is now telling us "no appropriate authorization type for user".

Here's the logs from the AS5300 (XX.XX.XX.X is the new server, XX.XX.XX.Y is the backup that was offline for the duration of the test):

*Jan 3 16:30:43: RADIUS: Trying next server (XX.XX.XX.X) for id 20
*Jan 3 16:30:43: RADIUS: Retransmit id 20
*Jan 3 16:30:43: RADIUS: Received from id 20 XX.XX.XX.X:1812, Access-Accept, len 20
*Jan 3 16:30:43: RADIUS: saved authorization data for user 616D09DC at 614184A4
*Jan 3 16:30:43: RADIUS: no appropriate authorization type for user.
*Jan 3 16:30:43: RADIUS: ustruct sharecount=1
*Jan 3 16:30:43: RADIUS: Initial Transmit Async56 id 21 XX.XX.XX.Y:1645, Access-Request, len 88
*Jan 3 16:30:43: Attribute 4 6 CCF4E9FE
*Jan 3 16:30:43: Attribute 5 6 0038
*Jan 3 16:30:43: Attribute 61 6
*Jan 3 16:30:43: Attribute 1 11 72737461
*Jan 3 16:30:43: Attribute 30 9 36383131
*Jan 3 16:30:43: Attribute 2 18 A3B5B2A0
*Jan 3 16:30:43: Attribute 6 6 0002
*Jan 3 16:30:43: Attribute 7 6 0001
*Jan 3 16:30:44: %ISDN-6-DISCONNECT: Interface Serial2:5 disconnected from unknown , call lasted 53 seconds
*Jan 3 16:30:44: isdn_Call_disconnect()

> Hi Ernie,
>
> * Run radiusd -X and check that Access-Accept is being sent, and how
> long after the Access-Request this is.
>
> * Verify with tcpdump that the packet is actually getting onto the wire.
>
> * Check for iptables rules/access-lists that might be dropping/rejecting
> the packets.
>
> * Make sure your AS5300 and freeradius are configured to use the same
> port numbers. freeradius shouldn't be seeing the Access-Request if not,
> but it might be worth a look.
>
> Ernie Dunbar wrote:
>>> G'day Ernie,
>>>
>>> Can you sniff on the AS5300 and ensure the Access-Accept packets are
>>> arriving before the 3 second (default) timeout?
>>
>> Yes, we tried that. The access-accept packets aren't arriving at all!
>>
>>> Does it work if you temporarily disable the Simultaneous-Use check?
>>
>> No, that doesn't work either.
>
> --
> James Wakefield,
> Unix Administrator, Information Technology Services Division
> Deakin University, Geelong, Victoria 3217 Australia.
>
> Phone: 03 5227 8690 International: +61 3 5227 8690
> Fax: 03 5227 8866 International: +61 3 5227 8866
> E-mail: [EMAIL PROTECTED]
> Website: http://www.deakin.edu.au
Re: Re[3]: limiting sessions
Andrew Long <[EMAIL PROTECTED]> wrote:
> I tried Session-Timeout but it doesn't seem to do the job.

So... is it being sent back to the NAS?

If it is, then the NAS is ignoring it. Go ask your NAS manufacturer for a refund, or for a firmware upgrade that implements RADIUS.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re[3]: limiting sessions
> Andrew Long <[EMAIL PROTECTED]> wrote:
>> I need to boot users at one property after a specified time period.
>> We have adjusted the "max-daily-session" to "1800" (30 minutes),
>> but users still seem to be staying on. Can someone point me in the
>> right direction. The NAS is a Colubris cn3000.
>
> Why use Max-Daily-Session? What's wrong with Session-Timeout?
>
> Alan DeKok.

I tried Session-Timeout but it doesn't seem to do the job. A query of radacct yields several users at that property with sessions exceeding the 1800 mark specified for the attribute. Any additional thoughts on how best to limit these sessions?

Andrew
Re: FR-1.1.3 on solaris10 strange things
Alexander Serkin <[EMAIL PROTECTED]> wrote:
> Maybe someone could give advice on how to debug the problem while the
> server will not be in production?

Attach to it with gdb, and see what it's doing.

Alan DeKok.
Re: freeradius mac authentication with Tsunami MP.11 5054-R v2.3.0(169)
Cameron Cowie <[EMAIL PROTECTED]> wrote:
> But as soon as I ask my tsunami 5054 to authenticate it locks and
> refuses to talk to the radius server.

Do you have more details than "it doesn't work"?

Alan DeKok.
how to NOT expand variables in a sql-query
Hello,

I need to pass the string '%d %b %Y %T' inside a query to mysql (as a date format). Unfortunately this gets expanded to '07 0 2006 2006-11-07-00.06.18.00', which leads to an SQL error and crashes freeradius with a segmentation fault.

I found a post from Nicolas Baradakis who advises to double the percentage signs. I tried this too, but this creates a string like this: '%0d %0b %0Y %0T', which again leads to an SQL error (but without a crash).

How can I pass this string literally without any variable substitution?

I'm running "FreeRADIUS Version 1.0.0".

Thanks in advance for your help...

Yours
Olaf Kolling

--
W³Welt Web-Entwicklung
Olaf Kolling        eMail: info#w3welt.de
Mörikestraße 67     Tel.: +49 711 9-200
70199 Stuttgart     Fax: +49 711 9-201
RE: Windows-Domain login without local users
> -Original Message-
>
> machine authentication was the keyword I've searched ... thanks a lot
>
> somebody knows a good howto for this?
>
> thanks mIke

To be honest, if you enable use computer account when available in the Windows Zero Config Client, it should just work.

If it doesn't work:

What Version of FreeRADIUS?
What Version of Samba?
What Supplicant are you using (XP SP2, Meetinghouse, Funk)?
You have configured ntlm_auth, and it works?
The computer is joined to the domain?
Re: FR-1.1.3 on solaris10 strange things
Alan DeKok wrote:
> Alexander Serkin <[EMAIL PROTECTED]> wrote:
>> We have strange behaviour on sparc solaris 10 server with fr-1.1.3 installed:
>> without any visible reason the radiusd process goes to almost 100% CPU usage for 3-5 minutes.
>> Then it comes back to normal state again (less than 1% CPU).
>
> Yuck. I don't run Solaris, so I can't comment more than that...
>
> It looks like a busy loop somewhere, probably in the main socket handling code.

We'll run a second instance on another netra soon. Maybe someone could give advice on how to debug the problem while the server will not be in production?

--
Sincerely Yours,
Alexander
freeradius mac authentication with Tsunami MP.11 5054-R v2.3.0(169)
Hi:

I have configured my freeradius server to run on ubuntu and it is stable (or so I think). I have run tests from my workstation to ask for authentication and it serves out brilliantly. But as soon as I ask my tsunami 5054 to authenticate it locks and refuses to talk to the radius server. The users file is just the mac address. I am not sure where the problem lies, on the radius server or on the tsunami? Again, any and all help is greatly appreciated.

The entry for clients.conf is simple:

}
client xx.xx.xx.x {
        secret = xxxpasswordxxx
        shortname = xxshortbusxx
}

(mac address) Auth-Type :Local, User-Password := "x"

As I said, simple, but even the simplest things come with complications. Is there something I am missing?
Assign IP based on CallingStationID.
I use the default table layout. As I understand it, you just change username authentication to callingstationid authentication inside sql.conf. Thx, it's a really good idea. I think that I could do the same by myself, but it will take time. Therefore any examples will be very useful. Can you post it here? If it's too big you can send it to me - "nebula-at-inbox-lv".

From the other side, I need username/password authentication also (for other users), therefore it will be difficult to implement this (maybe I'll install another freeradius specially for that).

In my situation radius checks username/password for some users; for other users it should do the following:

- check username/password/callingstationid (in fact username and password are always the same)
- if callingstationid has a specific value (there can be a dozen specific callingstationid_s) then reply accept and some specific IP for each specific callingstationid, or just assign an ip from the radius pool.
- if callingstationid is not in the list of "specific callingstationid" then just reply accept and the NAS will assign an ip from the equipment's IP pool

Main idea: for now most users have the same username and password and it is not possible to change anything in that. Some callingstationid are not friendly for my network (they should have only http traffic). That's why I want to assign them an IP from a specific pool - I am going to set up firewall rules for such IPs.

Any idea?

John Longland wrote:
>
> Yes, I have just done it.
>
> You need to change the sql-statement in /etc/raddb/sql.conf
>
> That is the authorize_check_query. Depending on how you use your tables, the query
> that I am using may or may not work. If you want I can give you the
> one that works for me if you supply your table-layout.
>
> JOhn
> P.S. The statement I use does NOT check username/password !!!
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org]On Behalf Of banga
> Sent: 08 November 2006 11:37
> To: freeradius-users@lists.freeradius.org
> Subject: Assign IP based on CallingStationID.
>
> Hello all.
> I use freeradius ver. 1.1.1 + mysql.
> I use same login/password for couple of users but they have different
> callingstationid.
> Is it possible to check callingstationid and assign IP based on it?
> Do I need to create some additional tables in mysql for that?
>
> Thx.

--
View this message in context: http://www.nabble.com/Assign-IP-based-on-CallingStationID.-tf2594146.html#a7238235
Sent from the FreeRadius - User mailing list archive at Nabble.com.
RE: Assign IP based on CallingStationID.
Yes, I have just done it.

You need to change the sql-statement in /etc/raddb/sql.conf

That is the authorize_check_query. Depending on how you use your tables, the query that I am using may or may not work. If you want I can give you the one that works for me if you supply your table-layout.

JOhn
P.S. The statement I use does NOT check username/password !!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]. org]On Behalf Of banga
Sent: 08 November 2006 11:37
To: freeradius-users@lists.freeradius.org
Subject: Assign IP based on CallingStationID.

> Hello all.
> I use freeradius ver. 1.1.1 + mysql.
> I use same login/password for couple of users but they have different callingstationid.
> Is it possible to check callingstationid and assign IP based on it?
> Do I need to create some additional tables in mysql for that?
>
> Thx.
Assign IP based on CallingStationID.
Hello all.

I use freeradius ver. 1.1.1 + mysql. I use same login/password for couple of users but they have different callingstationid. Is it possible to check callingstationid and assign IP based on it? Do I need to create some additional tables in mysql for that?

Thx.

--
View this message in context: http://www.nabble.com/Assign-IP-based-on-CallingStationID.-tf2594146.html#a7235317
Sent from the FreeRadius - User mailing list archive at Nabble.com.