Re: help

2007-01-24 Thread Alan DeKok
John Wan wrote:
> Does the NAS documentation mean the documentation of my wireless access
> point? 

  Yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Accounting in MySQL

2007-01-24 Thread satish patel
Dear 

 What NAS device are you using? When a user authenticates from RADIUS, 
the NAS sends an Acct-Start packet to RADIUS. If your NAS is not sending the start 
accounting packet to FreeRADIUS then RADIUS does not start accounting.

 I have a Cisco router for the NAS.

aaa accounting start-stop radius  <--- command I am using; please see my document, 
there is some more help regarding the NAS.


Satish Patel

"DESEtech - German P. Santillan" <[EMAIL PROTECTED]> wrote:
   No, I don't have connection problems; I actually have my FreeRADIUS 
users in the "radcheck" and "radreply" tables, and they are working fine, but accounting 
does not.
   
  Germán P. Santillán
  Administrador de Redes
  Jefe del Dpto. Técnico
  DESETech Argentina S.A.
  San Martín 133 - CP: B8000FIC
  Bahía Blanca - Argentina
  Tel/Fax: +54 (291) 456-5642
  [EMAIL PROTECTED]
  http://www.desetech.com.ar
   
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of satish 
patel
 Sent: Tuesday, January 23, 2007 4:56 AM
 To: FreeRadius users mailing list
 Subject: Re: Accounting in MySQL
  
  
   
  Dear 
 
   First check your radiusd -X debug log and look at the MySQL connectivity 
debug output, in case there is any problem regarding the connection. Then check the radiusd.conf 
file: there is an accounting option; put the sql keyword in it. You can also find 
some documents on my website
 
 http://geocities.com/satish_patel_2000_2000/
 
 Satish Patel
 
 "DESEtech - German P. Santillan" <[EMAIL PROTECTED]> wrote:
  I actually have my Users DB in MySQL Server and my FreeRADIUS use the
 "radcheck" and "radreply" tables to read (SELECT) records, in my
 radiusd.conf I have...
 
 authorize {
 sql
 }
 accounting {
 sql
 }
 
 But I don't have records in the radacct table. What is the problem?
 
 Thanks in advance and sorry for my English
 
 Germán P. Santillán
 Administrador de Redes
 Jefe del Dpto. Técnico
 DESETech Argentina S.A.
 San Martín 133 - CP: B8000FIC
 Bahía Blanca - Argentina
 Tel/Fax: +54 (291) 456-5642
 [EMAIL PROTECTED]
 http://www.desetech.com.ar
 
 
 
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
   

-
  Here's a new way to find what you're looking for - Yahoo! Answers
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
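Satish's point is that radacct only fills if the NAS actually sends Accounting-Request packets. The following is an added example, not from this thread or from the FreeRADIUS project, that builds the Acct-Start packet a NAS sends (RFC 2866), performs the Request Authenticator check the server applies with the shared secret, and then builds and verifies the matching Accounting-Response. The secret, user name, session ID and NAS addresses are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2866 packet codes and RFC 2865/2866 attribute types
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 4, 32
ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 40, 44
ACCT_STATUS_START, ACCT_STATUS_STOP = 1, 2
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_acct_request(secret: bytes, identifier: int, attributes: list) -> bytes:
    """Accounting-Request: authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def acct_start(secret: bytes, identifier: int, username: str, session_id: str,
               nas_ip: str, nas_id: str) -> bytes:
    """The Acct-Start a NAS sends when a session begins."""
    return build_acct_request(secret, identifier, [
        attr(ATTR_USER_NAME, username.encode()),
        attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attr(ATTR_NAS_IDENTIFIER, nas_id.encode()),
        attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        attr(ATTR_ACCT_SESSION_ID, session_id.encode()),
    ])


def request_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Server-side check: a request whose authenticator fails is dropped, so it never reaches radacct."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_acct_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], HEADER_LEN)
    return header + hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()


def response_authenticator_ok(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS-side check that the response came from a server holding the secret."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def parse_attributes(packet: bytes) -> list:
    """Decode the TLV list into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


if __name__ == "__main__":
    # Constructed values for the example; use your own NAS secret and addresses.
    SECRET = b"testing123"
    pkt = acct_start(SECRET, 7, "will", "45b7e66b0001", "127.0.0.1", "nas01")
    print(len(pkt), "bytes; authenticator valid:", request_authenticator_ok(pkt, SECRET))
    print("accepted under wrong secret:", request_authenticator_ok(pkt, b"wrong"))
    reply = build_acct_response(pkt, SECRET)
    print("response valid:", response_authenticator_ok(pkt, reply, SECRET))
```

To probe a real server, send the bytes with socket.sendto to UDP port 1813 and pass the reply to response_authenticator_ok. A request whose authenticator does not verify under the secret in clients.conf is discarded by the server, so an empty radacct can also mean a secret mismatch; radiusd -X reports that as an invalid signature.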

rlm_perl DEBUG log with garbage output

2007-01-24 Thread Rohaizam Abu Bakar
Hi,..

Running xlat within rlm_perl gives the correct result, but what concerns me is 
that in the debug log there is garbage output, as below:


radius_xlat:  '.*'
radius_xlat: Running registered xlat function of module y5perl for string 
'%{User-Name}:%{NAS-Identifier}'
radius_xlat:  'bacang:JARINGWiF'
rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
radius_xlat:  'NULL'


calling from :-

attr_rewrite wifi {
##some code
replacewith = %{y5perl:%{User-Name}:%{NAS-Identifier}}

}

preacct
{
y5perl
wifi
files
}

sub xlat {
# some code
# return NULL or "somevalue"
return ($value);
} - 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Small problem with authentication

2007-01-24 Thread Mark Jones
Just a local volume on Debian Linux; at home at the moment so I can't 
log in and check.
- Original Message - 
From: "Dennis Skinner" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Wednesday, January 24, 2007 4:49 PM
Subject: Re: Small problem with authentication



Mark Jones wrote:

 WHY is the detail module failing to acquire the file lock?  Is the
disk full?  Is the CPU busy?


I assume it is to do with radrelay.


Just a thought... What file system are you using on the volume where
the detail records are being stored?  Locking on NFS volumes can cause
problems if not done correctly.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.8/649 - Release Date: 1/23/2007 
8:40 PM





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


2GB problems

2007-01-24 Thread Tas Dionisakos

I have setup a captive portal with mysql,chilli, and freeradius.

My portal allows users access based on data usage (quota); I am using 
rlm_sqlcounter (from FreeRADIUS 1.1.4) to measure the usage on login.


The problem I'm having is that if I assign a quota of more than 2 GB, 
FreeRADIUS sees the bytes as a negative value for some reason. I have 
attached the rad logs.


This is the line I don't understand (rlm_sqlcounter: Rejected user will, 
check_item=-1149239296, counter=0). Yet in MySQL it's fine!


Any help with this will be greatly appreciated!


rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=195
User-Name = "will"
User-Password = "pass"
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.3
Calling-Station-Id = "00-16-CB-BE-3A-41"
Called-Station-Id = "00-14-5E-18-83-D9"
NAS-Identifier = "nas01"
Acct-Session-Id = "45b7e66b0001"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Message-Authenticator = 0x0444eede46ea26a2629277905eb408f7
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "will", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'will'
rlm_sql (sql): sql_set_user escaped user --> 'will'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck 
WHERE Username = 'will' ORDER BY id'

rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'will' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply 
WHERE Username = 'will' ORDER BY id'
radius_xlat: 'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'will' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "noresetcounter" returns noop for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctOutputOctets) FROM radacct where 
UserName='%{User-Name}''
radius_xlat: 'SELECT SUM(AcctOutputOctets) FROM radacct where 
UserName='will''
sqlcounter_expand: '%{sql:SELECT SUM(AcctOutputOctets) FROM radacct 
where UserName='will'}'
radius_xlat: Running registered xlat function of module sql for string 
'SELECT SUM(AcctOutputOctets) FROM radacct where UserName='will''

rlm_sql (sql): - sql_xlat
radius_xlat: 'will'
rlm_sql (sql): sql_set_user escaped user --> 'will'
radius_xlat: 'SELECT SUM(AcctOutputOctets) FROM radacct where 
UserName='will''

rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): row[0] returned NULL
rlm_sql (sql): Released sql socket id: 3
radius_xlat: ''
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user will, check_item=-1149239296, counter=0
modcall[authorize]: module "mb" returns reject for request 0
modcall: leaving group authorize (returns reject) for request 0

--
*
Tas Dionisakos
IT Manager
St Mary’s College and Newman College
The University of Melbourne
T: 03 9342 1708
M: 0439 655 565
E: [EMAIL PROTECTED]
C: (0o ()() o0)
*

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
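The negative check_item in the log above is the signature of a 32-bit signed overflow: -1149239296 is exactly 3145728000 (3000 x 1024 x 1024, a 3000 MiB quota) reduced modulo 2^32 and read as a signed int. Any quota of 2^31 bytes (2 GiB) or more wraps negative, so check_item - counter is negative and the user is rejected no matter what the MySQL column holds; the wrap happens in the comparison, not in the database. The block below is an added example, not from the list or from rlm_sqlcounter's source: it models the decision the module logs above with 32-bit arithmetic beside the full-width version, and the quota value of 3000 MiB is derived from the logged check_item rather than stated in the post.

```python
MIB = 1024 * 1024
GIB = 1024 * MIB


def to_int32(n: int) -> int:
    """Reinterpret an integer as a C 'int' (32-bit two's complement)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def counter_from_sum(row_value) -> int:
    """SUM() over zero accounting rows is NULL; the log shows that as counter=0."""
    return 0 if row_value is None else int(row_value)


def sqlcounter_32bit(check_item: int, counter: int) -> dict:
    """Models the module's decision when the check item and counter are 32-bit ints."""
    check32 = to_int32(check_item)
    remaining = to_int32(check32 - counter)
    return {"check_item": check32, "counter": counter, "remaining": remaining,
            "result": "reject" if remaining < 0 else "ok"}


def sqlcounter_64bit(check_item: int, counter: int) -> dict:
    """Same decision with full-width arithmetic: a 3000 MiB quota no longer rejects everyone."""
    if check_item < 0 or counter < 0:
        raise ValueError("byte counts must be non-negative")
    remaining = check_item - counter
    return {"check_item": check_item, "counter": counter, "remaining": remaining,
            "result": "reject" if remaining < 0 else "ok"}


def largest_safe_quota_32bit() -> int:
    """Largest quota a signed 32-bit check item can hold without wrapping."""
    return (1 << 31) - 1


if __name__ == "__main__":
    quota = 3000 * MIB              # the quota the logged check_item decodes to
    used = counter_from_sum(None)   # SUM(AcctOutputOctets) over an empty radacct
    print("32-bit:", sqlcounter_32bit(quota, used))
    print("64-bit:", sqlcounter_64bit(quota, used))
    print("largest safe 32-bit quota:", largest_safe_quota_32bit(), "bytes")
```

Until the module is fixed to use wider integers, the practical workaround this arithmetic suggests is to keep each check item below 2147483647 bytes, for example by counting in a coarser unit than octets or by splitting the quota across counters.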


Re: Setting a realm in the User-Name based on Client-IP-Address

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 16:59, Jason E. Murray wrote:
> My question is: is there a better way to do this? This seems a bit kludgy.
>
> Using FreeRadius 1.1.4
>
> Thanks in advance,

Use the hints file like below, then configure freeradius as if the realm were 
included in the original request.

== hints ==
DEFAULT User-Name !~ "@", Client-IP-Address == A.B.C.D
User-Name := "[EMAIL PROTECTED]"
== hints ==

Kevin Bonner


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: help

2007-01-24 Thread John Wan
Hi Alan,

Thanks for your help again.

Does the NAS documentation mean the documentation of my wireless access
point? 

Thanks

Regards

John
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: Monday, 22 January 2007 5:57 PM
To: FreeRadius users mailing list
Subject: Re: help

John Wan wrote:
>
> I have followed all the instructions from http://deployingradius.com. 
> I do not know why I have had the CHAP authentication.

  See the NAS documentation.

> I would like to use MS-CHAP authentication instead of CHAP, and do you

> have any tipps for me for this kind of setup (MS-CHAP)?

  See the NAS documentation.

  The choice of CHAP or MS-CHAP is not under control of the RADIUS
server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



--
___

 

Notice from Melbourne Business School Ltd 


The information contained in this e-mail is confidential, and is intended for
the named person's use only.  It may contain proprietary or legally privileged
information. If you have received this email in error, please notify the
sender and delete it immediately.  You must not, directly or indirectly, use,
disclose, distribute, print, or copy any part of this message if you are not
the intended recipient

Internet communications are not secure. You should scan this message and any
attachments for viruses. Melbourne Business School does not accept any
liability for loss or damage which may result from receipt of this message or
any attachments.

__ 



 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Setting a realm in the User-Name based on Client-IP-Address

2007-01-24 Thread Jason E. Murray
I have quite a few people on campus who authenticate to various systems
without using a realm in their username.  With our current radius server
there is a option in the clients file where you specify a Default-Realm
per client.  When an authentication request comes in from this client
the @realm is automatically tacked onto the User-Name attribute then
proxying is done based [EMAIL PROTECTED] combination.

I need to replicate this behavior in FreeRadius.


In the users file I have: 

DEFAULT Client-IP-Address == 127.0.0.1, User-Name !~ "[EMAIL PROTECTED]", 
Proxy-To-Realm := "rts"
Fall-Through = Yes

In the preproxy_users file I have:

DEFAULT Client-IP-Address == 127.0.0.1, User-Name !~ "[EMAIL PROTECTED]"
User-Name := "[EMAIL PROTECTED]"

Both of these lines check to see if the @realm is missing and the
Client-IP-Address is 127.0.0.1, then proxy and rewrite accordingly.

My question is: is there a better way to do this? This seems a bit kludgy.


Using FreeRadius 1.1.4

Thanks in advance,
-- 
Jason E. Murray - [EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
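Both the users/preproxy_users approach in this post and the hints approach in Kevin Bonner's reply rely on the same users-file syntax: a DEFAULT entry whose check items (Client-IP-Address ==, User-Name !~) must all match, followed by indented reply items applied with := or =. The block below is an added example, not from the thread or from FreeRADIUS, that parses that syntax and applies it to a request, so a rule can be exercised before it goes into raddb. The archive has redacted the realm value in both posts; the example assumes the form "%{User-Name}@rts" and a client address of 10.0.0.5, both constructed. It models users-file matching (first matching entry wins unless Fall-Through = Yes) and :=, = and %{Attr} expansion only. It also makes visible that a name already containing '@' is left untouched, so the realm a request is proxied to is chosen by whoever types the User-Name unless proxy.conf defines only realms you trust.

```python
import re

_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")
_ITEM = re.compile(r"^([A-Za-z0-9-]+)\s*(:=|\+=|==|!=|=~|!~|=)\s*(.+)$")


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _split_items(text: str) -> list:
    """Split 'A == x, B !~ "a,b"' on commas that are not inside double quotes."""
    items, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    items.append("".join(current))
    return [i.strip() for i in items if i.strip()]


def _parse_item(text: str) -> tuple:
    m = _ITEM.match(text)
    if not m:
        raise ValueError(f"cannot parse item: {text!r}")
    return m.group(1), m.group(2), _unquote(m.group(3))


def parse_users(text: str) -> list:
    """Entries: an unindented 'NAME check, check' line, then indented reply-item lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1]["reply"].extend(_parse_item(i) for i in _split_items(raw))
        else:
            name, _, rest = raw.strip().partition(" ")
            entries.append({"name": name,
                            "check": [_parse_item(i) for i in _split_items(rest)],
                            "reply": []})
    return entries


def _checks_match(request: dict, checks: list) -> bool:
    for attr_name, op, value in checks:
        actual = request.get(attr_name)
        if actual is None:
            return False
        if op == "==":
            ok = actual == value
        elif op == "!=":
            ok = actual != value
        elif op == "=~":
            ok = re.search(value, actual) is not None
        elif op == "!~":
            ok = re.search(value, actual) is None
        else:
            raise ValueError(f"{op!r} is not a check operator")
        if not ok:
            return False
    return True


def apply_users(request: dict, entries: list) -> dict:
    """Return the request as the entries would leave it; the input is not modified."""
    request = dict(request)
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        if not _checks_match(request, entry["check"]):
            continue
        fall_through = False
        for attr_name, op, value in entry["reply"]:
            if attr_name == "Fall-Through":
                fall_through = value.lower() == "yes"
                continue
            if op == "=" and attr_name in request:   # '=' only sets an absent attribute
                continue
            # ':=' overrides; '+=' is treated as set here (single-valued attributes only)
            request[attr_name] = _XLAT.sub(lambda m: request.get(m.group(1), ""), value)
        if not fall_through:
            break
    return request


# Constructed versions of the two rules in this thread (the archive redacted the realm value).
HINTS = '''
DEFAULT User-Name !~ "@", Client-IP-Address == 10.0.0.5
        User-Name := "%{User-Name}@rts"
'''

USERS = '''
DEFAULT Client-IP-Address == 10.0.0.5, User-Name !~ "@"
        Proxy-To-Realm := "rts",
        Fall-Through = Yes
'''

if __name__ == "__main__":
    for name in ("alice", "bob@home"):
        req = {"User-Name": name, "Client-IP-Address": "10.0.0.5"}
        print(name, "->", apply_users(req, parse_users(HINTS))["User-Name"],
              "| Proxy-To-Realm:", apply_users(req, parse_users(USERS)).get("Proxy-To-Realm"))
```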


Re: Small problem with authentication

2007-01-24 Thread Dennis Skinner
Mark Jones wrote:
>>  WHY is the detail module failing to acquire the file lock?  Is the
>> disk full?  Is the CPU busy?
> 
> I assume it is to do with radrelay.

Just a thought... What file system are you using on the volume where
the detail records are being stored?  Locking on NFS volumes can cause
problems if not done correctly.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Small problem with authentication

2007-01-24 Thread Mark Jones

I am not trying to be unhelpful.
We have two new servers that we installed last fall and both are doing the 
exact same thing. I can give you as much info as you ask for.


The only programs that access the detail file is radius and radrelay. I will 
attempt to catch it doing it while in debug mode to see if anymore info is 
available. Is there something you can suggest that I look at or any 
information that would be helpful to you?
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Wednesday, January 24, 2007 2:44 PM
Subject: Re: Small problem with authentication



Mark Jones wrote:

 Again, what ELSE is going on in the system?

This is a dedicated box to just radius.
Load never exceeds 0.15
disk usage is less then 20 % on all volumes


 OK...


 WHY is the detail module failing to acquire the file lock?  Is the
disk full?  Is the CPU busy?


I assume it is to do with radrelay.


 That's just pointedly unhelpful.  radrelay is the only other program
locking the detail file, so it's not rocket science to come up with that
statement.

 I'll say this:  I've never seen the problem before.  It MUST be
something special on your system.  I don't know what it is.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html









- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSL locking code

2007-01-24 Thread Alan DeKok
King, Michael wrote:
> I built a server from the January 16th snapshot.
> 
> It would seem this problem has NOT resurfaced.   I will be adding more
> load to it later today to see if anything happens, but it's been up for
> about 48 hours now, whereas the 1.1.x release trains would exhibit the
> behavior after about 20 seconds.

  Ok, that says it's the SSL locking code.  

> I've also figured out some more background info.  I use a centrally
> managed AP solution, and when I make a change, such as change a RADIUS
> server, it forces all the clients to re-auth simultaneously.  So the
> load spikes up to 1000-1500 clients authing simultaneously, and then
> goes back to my normal 10-20 a second.

  Yeah, that would make a difference.

> Would this fix show up in the 1.1.x train, or is it slated for 2.0?  And
> not to be too needy, but when could I hope to see this?  (Weeks,
> months?)

  Maybe weeks.  I'll see if a patch is easy, and mail it to the list for
testing.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Small problem with authentication

2007-01-24 Thread Alan DeKok
Mark Jones wrote:
>>  Again, what ELSE is going on in the system?
> This is a dedicated box to just radius.
> Load never exceeds 0.15
> disk usage is less then 20 % on all volumes

  OK...

>>  WHY is the detail module failing to acquire the file lock?  Is the
>> disk full?  Is the CPU busy?
> 
> I assume it is to do with radrelay.

  That's just pointedly unhelpful.  radrelay is the only other program
locking the detail file, so it's not rocket science to come up with that
statement.

  I'll say this:  I've never seen the problem before.  It MUST be
something special on your system.  I don't know what it is.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: SSL locking code

2007-01-24 Thread King, Michael
 
Just want to report back.

I built a server from the January 16th snapshot.

It would seem this problem has NOT resurfaced.   I will be adding more
load to it later today to see if anything happens, but it's been up for
about 48 hours now, whereas the 1.1.x release trains would exhibit the
behavior after about 20 seconds.

I've also figured out some more background info.  I use a centrally
managed AP solution, and when I make a change, such as change a RADIUS
server, it forces all the clients to re-auth simultaneously.  So the
load spikes up to 1000-1500 clients authing simultaneously, and then
goes back to my normal 10-20 a second.

Would this fix show up in the 1.1.x train, or is it slated for 2.0?  And
not to be too needy, but when could I hope to see this?  (Weeks,
months?)

Mike

> -Original Message-
> From: 
> [EMAIL PROTECTED]
> g 
> [mailto:[EMAIL PROTECTED]
> adius.org] On Behalf Of Alan DeKok
> Sent: Tuesday, January 09, 2007 8:56 PM
> To: FreeRadius users mailing list
> Subject: Re: SSL locking code
> 
> King, Michael wrote:
> >> -Original Message-
> >>   OK.  I don't have good net connectivity right now, or 
> access to a 
> >> machine to do real development, so this fix didn't make it into 
> >> 1.1.4.
> > 
> > Would this change be in the CVS head?
> 
>   Yes.
> 
>   Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: The EAP Saga begins.

2007-01-24 Thread Evan Vittitow
rad_recv: Access-Request packet from host 192.168.0.250:1175, id=66,
length=149
User-Name = "kurama"
Cisco-AVPair = "ssid=Pukey"
NAS-IP-Address = 192.168.0.250
Called-Station-Id = "004096285ceb"
Calling-Station-Id = "00095b679ccf"
NAS-Identifier = "AP340-285ceb"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x024e000b016b7572616d61
Message-Authenticator = 0xa9ef47a3079c2a10a405828572e5931a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 28
  modcall[authorize]: module "preprocess" returns ok for request 28
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kurama
radius_xlat:  '(uid=kurama)'
radius_xlat:  'dc=pukey'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=pukey, with filter (uid=kurama)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value supersecret & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value
Enterasys:version=1:policy=Enterprise User & op=11
rlm_ldap: user kurama authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 28
  modcall[authorize]: module "chap" returns noop for request 28
  modcall[authorize]: module "mschap" returns noop for request 28
rlm_realm: No '@' in User-Name = "kurama", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "kurama"
rlm_realm: Proxying request from user kurama to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 28
  rlm_eap: EAP packet type response id 78 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 28
  modcall[authorize]: module "files" returns notfound for request 28
modcall: leaving group authorize (returns updated) for request 28
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 28
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 28
modcall: leaving group authenticate (returns handled) for request 28
Sending Access-Challenge of id 66 to 192.168.0.250 port 1175
Filter-Id = "Enterasys:version=1:policy=Enterprise User"
EAP-Message = 0x014f00061920
Message-Authenticator = 0x
State = 0x6da2542209613e6e277dfd56deb50f0c
Finished request 28
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 28 ID 66 with timestamp 45b79890
Nothing to do.  Sleeping until we see a request.

This uid does exist and has the NT and LM password attributes.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Small problem with authentication

2007-01-24 Thread Mark Jones


- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Wednesday, January 24, 2007 10:08 AM
Subject: Re: Small problem with authentication



Mark Jones wrote:

Here are more entries from yesterday's logs. I don't think it's a
coincidence


 Again, what ELSE is going on in the system?

This is a dedicated box to just radius.
Load never exceeds 0.15
disk usage is less then 20 % on all volumes



 WHY is the detail module failing to acquire the file lock?  Is the
disk full?  Is the CPU busy?


I assume it is to do with radrelay.



 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html









- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Accounting in MySQL

2007-01-24 Thread DESEtech - German P. Santillan
No, I don't have connection problems; I actually have my FreeRADIUS users in
the "radcheck" and "radreply" tables, and they are working fine, but accounting does
not.

 

Germán P. Santillán

Administrador de Redes

Jefe del Dpto. Técnico

DESETech Argentina S.A.

San Martín 133 - CP: B8000FIC

Bahía Blanca - Argentina

Tel/Fax: +54 (291) 456-5642

[EMAIL PROTECTED]

http://www.desetech.com.ar

 

From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On Behalf Of satish patel
Sent: Tuesday, January 23, 2007 4:56 AM
To: FreeRadius users mailing list
Subject: Re: Accounting in MySQL

 

Dear 

  First check your radiusd -X debug log and look at the MySQL connectivity
debug output, in case there is any problem regarding the connection. Then check the radiusd.conf
file: there is an accounting option; put the sql keyword in it. You can also
find some documents on my website

http://geocities.com/satish_patel_2000_2000/

Satish Patel

"DESEtech - German P. Santillan" <[EMAIL PROTECTED]> wrote:

I actually have my Users DB in MySQL Server and my FreeRADIUS use the
"radcheck" and "radreply" tables to read (SELECT) records, in my
radiusd.conf I have...

authorize {
sql
}
accounting {
sql
}

But I don't have records in the radacct table. What is the problem?

Thanks in advance and sorry for my English

Germán P. Santillán
Administrador de Redes
Jefe del Dpto. Técnico
DESETech Argentina S.A.
San Martín 133 - CP: B8000FIC
Bahía Blanca - Argentina
Tel/Fax: +54 (291) 456-5642
[EMAIL PROTECTED]
http://www.desetech.com.ar




- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: RADIUS will no longer start! - SOLVED

2007-01-24 Thread Michelle Gates
Thanks for your help Alan. I figured it out - someone had created a blank
entry into our clients.conf file.

*sigh*

Thanks for your help!!!

-michelle.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: 24-Jan-07 4:22 PM
To: FreeRadius users mailing list
Subject: Re: RADIUS will no longer start!

Michelle Gates wrote:
> Our RADIUS server has been up and running fine for 127 days now. Suddenly
> today it no longer runs. I tried to put it into debug mode and got the
> following output:

> read_config_files:  reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

  Look at line 751 of clients.conf.  It's not formatted correctly.

> Can anyone shed any light on this? Unfortunately for me, one of our
> developers was working on our production server but *claims* not to have
> changed anything of any consequence...

  The error message above would tend to disagree with him.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS will no longer start!

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 10:02, Michelle Gates wrote:
> read_config_files:  reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name
>
> -
>
> Can anyone shed any light on this? Unfortunately for me, one of our
> developers was working on our production server but *claims* not to have
> changed anything of any consequence...
>
> I'm really unsure of where this is coming from! Has anyone seen this error
> before or could anyone at least point me in the right direction?

Since you have multiple people poking around on a production config, you are 
using some sort of revision control... right?  ;-)

I tried to reproduce the error locally and here is what I've done to cause the 
same error message to show up.

== clients.conf ==
client {
secret  = testing
shortname   = testing
nastype = other
}
== clients.conf ==

[EMAIL PROTECTED] raddb.dial]# /usr/sbin/radiusd -X
...
read_config_files:  reading clients
/etc/raddb/radiusd.conf[327]: Missing client name

To fix the issue, find the broken client entry and either comment it out or 
restore it with the correct client IP.

Kevin Bonner


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
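Kevin Bonner's reproduction pins down the failure mode: a client block with no name is accepted by whoever edited the file and only refuses to load when the server restarts, and, as Norbert Wegener notes further down, the line number is reported against radiusd.conf rather than the included file. The block below is an added example, not from the thread or from FreeRADIUS, that checks a clients.conf before a restart: it reports each unnamed client with its line in that file, and also flags a client without a secret, a client defined twice, and, as this script's own policy rather than a FreeRADIUS rule, secrets shorter than 16 characters. The sample file is constructed, with the second block deliberately missing its name.

```python
import re

MIN_SECRET_LEN = 16  # this linter's policy; FreeRADIUS itself does not enforce a length
_CLIENT_OPEN = re.compile(r"^\s*client(?:\s+(\S+))?\s*\{\s*$")
_KEY_VALUE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment unless the '#' is inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            return line[:i]
    return line


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_clients_conf(text: str) -> list:
    """One dict per 'client ... { }' block: name (None if missing), line, attrs."""
    clients, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        if current is None:
            m = _CLIENT_OPEN.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'client <name> {{', got {line.strip()!r}")
            current = {"name": m.group(1), "line": lineno, "attrs": {}}
        elif line.strip() == "}":
            clients.append(current)
            current = None
        else:
            m = _KEY_VALUE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'key = value', got {line.strip()!r}")
            current["attrs"][m.group(1)] = _unquote(m.group(2))
    if current is not None:
        raise ValueError(f"line {current['line']}: client block is never closed")
    return clients


def lint_clients(clients: list) -> list:
    """Findings as 'line N: ...' strings, numbered against the clients file itself."""
    findings, seen = [], {}
    for c in clients:
        where, label = f"line {c['line']}", c["name"] or "<unnamed>"
        if c["name"] is None:
            findings.append(f"{where}: missing client name (IP address or hostname)")
        elif c["name"] in seen:
            findings.append(f"{where}: duplicate client {label} (first defined at line {seen[c['name']]})")
        else:
            seen[c["name"]] = c["line"]
        secret = c["attrs"].get("secret")
        if secret is None:
            findings.append(f"{where}: client {label} has no secret")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{where}: client {label} secret is shorter than {MIN_SECRET_LEN} characters")
    return findings


def lint_clients_conf(text: str) -> list:
    return lint_clients(parse_clients_conf(text))


# Constructed sample: the second block has lost its name, as in the thread.
SAMPLE = """\
client 10.10.10.1 {
    secret    = secret123
    shortname = nas1
}
client {
    secret    = testing
    shortname = testing
    nastype   = other
}
client localhost {
    secret    = "a-long-random-shared-secret#1"   # a '#' inside quotes is kept
    shortname = localhost
}
"""

if __name__ == "__main__":
    for finding in lint_clients_conf(SAMPLE):
        print(finding)
```

Run it against the real file (for example with open("/opt/freeradius/etc/raddb/clients.conf").read()) as a pre-commit or pre-restart check; together with the revision control Kevin suggests, it turns "someone changed something" into a diff and a line number in the right file.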

Re: RADIUS will no longer start!

2007-01-24 Thread Zoltan Ori
On Wednesday 24 January 2007 10:02, Michelle Gates wrote:
> read_config_files:  reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

You should not have anything in the clients file; all clients should be in 
clients.conf.

Zoltan Ori

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS will no longer start!

2007-01-24 Thread Guilherme Franco

Michelle,

Seems like someone took off your NASes either from your naslist or
clients.conf files, in your raddb dir.

In those files you need at least an entry like this (for clients.conf):

client 10.10.10.1 {
   secret  = secret123
}

Where 10.10.10.1 would be your NAS address and secret123 your secret.

By your debug, it seems that you're using the naslist file. As naslist
is deprecated, please use clients.conf instead.

Hope this helps.

Guilherme


On 1/24/07, Michelle Gates <[EMAIL PROTECTED]> wrote:



All,

Our RADIUS server has been up and running fine for 127 days now. Suddenly
today it no longer runs. I tried to put it into debug mode and got the
following output:



[EMAIL PROTECTED] ~]# /opt/freeradius/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/sqlcounter.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
main: prefix = "/opt/freeradius"
main: localstatedir = "/opt/freeradius/var"
main: logdir = "/opt/freeradius/var/log/radius"
main: libdir = "/opt/freeradius/lib"
main: radacctdir = "/opt/freeradius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/opt/freeradius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
main: user = "trustive"
main: group = "trustive"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/opt/freeradius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
/opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

-

Can anyone shed any light on this? Unfortunately for me, one of our
developers was working on our production server but *claims* not to have
changed anything of any consequence...

I'm really unsure of where this is coming from! Has anyone seen this error
before or could anyone at least point me in the right direction?

Best regards,

-michelle.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS will no longer start!

2007-01-24 Thread Norbert Wegener

Michelle Gates wrote:

All,

Our RADIUS server has been up and running fine for 127 days now. Suddenly
today it no longer runs. I tried to put it into debug mode and got the
following output:



[EMAIL PROTECTED] ~]# /opt/freeradius/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/sqlcounter.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
 main: prefix = "/opt/freeradius"
 main: localstatedir = "/opt/freeradius/var"
 main: logdir = "/opt/freeradius/var/log/radius"
 main: libdir = "/opt/freeradius/lib"
 main: radacctdir = "/opt/freeradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/opt/freeradius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "trustive"
 main: group = "trustive"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
/opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name
  
The 751 may be misleading, as you may not necessarily find relevant 
information at line 751 in radiusd.conf.

The server is

reading clients

and doing this, it complains about

Missing client name


You should have a look at clients.conf.

Norbert Wegener


-

Can anyone shed any light on this? Unfortunately for me, one of our
developers was working on our production server but *claims* not to have
changed anything of any consequence...

I'm really unsure of where this is coming from! Has anyone seen this error
before or could anyone at least point me in the right direction?

Best regards,

-michelle.

  




Re: RADIUS will no longer start!

2007-01-24 Thread Stefan Winter
Hi,

> read_config_files:  reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

look at line 751 of the radiusd.conf file, or in clients.conf. Is the entry 
syntactically correct? If it is a DNS hostname, does it resolve to an IP 
address correctly?

Greetings,

Stefan Winter

-- 
Stefan WINTER

RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
R&D Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu               Fax:      +352 422473



Re: RADIUS will no longer start!

2007-01-24 Thread Alan DeKok
Michelle Gates wrote:
> Our RADIUS server has been up and running fine for 127 days now. Suddenly
> today it no longer runs. I tried to put it into debug mode and got the
> following output:

> read_config_files:  reading clients
> /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

  Look at line 751 of clients.conf.  It's not formatted correctly.

> Can anyone shed any light on this? Unfortunately for me, one of our
> developers was working on our production server but *claims* not to have
> changed anything of any consequence...

  The error message above would tend to disagree with him.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
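
What both replies point at is the header line of a client block in clients.conf: `client <address-or-name> {` with nothing between `client` and `{` is what the server reports as "Missing client name". The pre-flight checker below is an added example, not FreeRADIUS code: it parses client blocks with a small regex grammar of its own (an approximation, not the server's parser) and reports an unnamed block, a block with no `secret`, the stock example secret `testing123`, and, as a local policy choice for this example, a secret shorter than 16 characters. The sample configuration is constructed; its third block is the shape that produces the error in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: block 3 is the shape that yields "Missing client name".
SAMPLE_CLIENTS_CONF = """\
client 127.0.0.1 {
    secret      = testing123
    shortname   = localhost
}

client 192.0.2.10 {
    secret      = Vq7!pLm2-xR9sT4wZ
    shortname   = lab-ap
}

client {
    secret      = changeme
    shortname   = new-ap
}

client ap-dns-name.example.net {
    shortname   = no-secret-here
}
"""

STOCK_EXAMPLE_SECRET = 'testing123'   # placeholder secret in the stock clients.conf
MIN_SECRET_LEN = 16                   # policy threshold for this example, not a FreeRADIUS rule

HEAD_RE = re.compile(r'^\s*client(?:\s+(?P<name>[^\s{]+))?\s*\{\s*$')
ITEM_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$')

Problem = Tuple[int, str]   # (line number, message)


def check_clients_conf(text: str) -> List[Problem]:
    """Parse 'client <name> { key = value ... }' blocks and report defects."""
    problems: List[Problem] = []
    in_block = False
    start, name = 0, None
    items: Dict[str, str] = {}

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not in_block:
            m = HEAD_RE.match(line)
            if not m:
                problems.append((lineno, f'unexpected text outside a client block: {line.strip()!r}'))
                continue
            in_block, start, name, items = True, lineno, m.group('name'), {}
            if name is None:
                problems.append((lineno, 'Missing client name'))
            continue
        if line.strip() == '}':
            label = name or '<unnamed>'
            secret = items.get('secret')
            if secret is None:
                problems.append((start, f'client {label}: no "secret" item'))
            elif secret == STOCK_EXAMPLE_SECRET:
                problems.append((start, f'client {label}: secret is the stock example value'))
            elif len(secret) < MIN_SECRET_LEN:
                problems.append((start, f'client {label}: secret shorter than {MIN_SECRET_LEN} characters'))
            in_block = False
            continue
        m = ITEM_RE.match(line)
        if m:
            items[m.group('key')] = m.group('value').strip('"')
        else:
            problems.append((lineno, f'unparsable line inside client {name or "<unnamed>"}: {line.strip()!r}'))

    if in_block:
        problems.append((start, f'client {name or "<unnamed>"}: block never closed'))
    return problems


if __name__ == '__main__':
    for lineno, message in check_clients_conf(SAMPLE_CLIENTS_CONF):
        print(f'clients.conf:{lineno}: {message}')
```

Running it over a real clients.conf before restarting the daemon catches the unnamed block that cost a production outage here, and the secret checks catch the other common way a client block is "fine" syntactically but weak. `radiusd -X` remains the authority on what the server will actually accept.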


Re: Small problem with authentication

2007-01-24 Thread Alan DeKok
Mark Jones wrote:
> Here are more entries from yesterdays logs. i don't think its a
> coincidence

  Again, what ELSE is going on in the system?

  WHY is the detail module failing to acquire the file lock?  Is the
disk full?  Is the CPU busy?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RADIUS will no longer start!

2007-01-24 Thread Michelle Gates


All,

Our RADIUS server has been up and running fine for 127 days now. Suddenly
today it no longer runs. I tried to put it into debug mode and got the
following output:



[EMAIL PROTECTED] ~]# /opt/freeradius/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/sqlcounter.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
 main: prefix = "/opt/freeradius"
 main: localstatedir = "/opt/freeradius/var"
 main: logdir = "/opt/freeradius/var/log/radius"
 main: libdir = "/opt/freeradius/lib"
 main: radacctdir = "/opt/freeradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/opt/freeradius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "trustive"
 main: group = "trustive"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
/opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

-

Can anyone shed any light on this? Unfortunately for me, one of our
developers was working on our production server but *claims* not to have
changed anything of any consequence...

I'm really unsure of where this is coming from! Has anyone seen this error
before or could anyone at least point me in the right direction?

Best regards,

-michelle.



Log notfound users

2007-01-24 Thread Guilherme Franco

Hello,

In authorize section I have the following:

sql {
   notfound = reject
}

In post-auth:

Post-Auth-Type REJECT {
   sql
   attr_filter.access_reject
   }

Both work correctly, but I would like to log notfound users into the radpostauth
table as well, just like in post-auth.

How may I do this, please?

Thank you.

Re: Small problem with authentication

2007-01-24 Thread Mark Jones

Here are more entries from yesterday's logs. I don't think it's a coincidence




Jan 23 08:26:45 radius freeradius[28054]: rlm_unix: [mjones]: invalid 
password
Jan 23 08:26:45 radius freeradius[28054]: Login incorrect: [mjones/mjones] 
(from client 216.8.137.103 port 0)
Jan 23 08:26:46 radius freeradius[28056]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 23 09:49:46 radius freeradius[2289]: Login incorrect: [mjones/mjones] 
(from client 216.8.137.103 port 0)
Jan 23 09:49:48 radius freeradius[2292]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 23 10:32:46 radius freeradius[6262]: rlm_unix: [mjones]: invalid 
password
Jan 23 10:32:46 radius freeradius[6262]: Login incorrect: [mjones/x] 
(from client 216.8.137.103 port 0)
Jan 23 10:32:46 radius freeradius[6260]: Login incorrect: [kjrumble/xx] 
(from client 216.8.136.106 port 0 cli 
ip:64.230.198.9:64.230.196.49:524c:393b:68f7:4f83:108974)
Jan 23 10:32:47 radius freeradius[6261]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 23 14:10:47 radius freeradius[23198]: rlm_unix: [mjones]: invalid 
password
Jan 23 14:10:47 radius freeradius[23198]: Login incorrect: [mjones/x] 
(from client 216.8.137.103 port 0)
Jan 23 14:10:48 radius freeradius[23199]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 23 14:42:47 radius freeradius[29576]: rlm_unix: [mjones]: invalid 
password
Jan 23 14:42:47 radius freeradius[29576]: Login incorrect: [mjones/xx] 
(from client 216.8.137.103 port 0)
Jan 23 14:42:49 radius freeradius[29577]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 23 14:51:47 radius freeradius[29575]: Login incorrect: [mjones/xx] 
(from client 216.8.137.103 port 0)
Jan 23 14:51:47 radius freeradius[29574]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 23 23:09:49 radius freeradius[9667]: rlm_unix: [mjones]: invalid 
password
Jan 23 23:09:49 radius freeradius[9667]: Login incorrect: [mjones/xx] 
(from client 216.8.137.103 port 0)
Jan 23 23:09:49 radius freeradius[9666]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 24 03:05:50 radius freeradius[9664]: rlm_unix: [mjones]: invalid 
password
Jan 24 03:05:50 radius freeradius[9664]: Login incorrect: [mjones/xx] 
(from client 216.8.137.103 port 0)
Jan 24 03:05:52 radius freeradius[9666]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up

--
Jan 24 04:48:51 radius freeradius[9664]: rlm_unix: [mjones]: invalid 
password
Jan 24 04:48:51 radius freeradius[9664]: Login incorrect: [mjones/x] 
(from client 216.8.137.103 port 0)
Jan 24 04:48:53 radius freeradius[9662]: rlm_detail: Failed to aquire 
filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Wednesday, January 24, 2007 2:35 AM
Subject: Re: Small problem with authentication



Mark Jones wrote:

That is an excerpt from our log this morning. Two users were denied
access even though they supplied the correct username and password. This
happens all the time exactly a few seconds prior to the filelock error.
The file lock error is being generated because I use radrelay. I am
running version 1.14.


 The thing I don't understand is that the two messages are unrelated.
The detail module isn't the unix module.  Accounting is not
authentication...

 If the messages appear close together a lot, that is suspicious.  But
I would think it's because of some *other* issue that's affecting both
authentication & accounting, like the CPU load spiking on the machine.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
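
Mark's observation is a timing one: a failed login a second or two before each lock failure. As an added example, not from the post or from FreeRADIUS, here is a small correlator that parses syslog-style freeradius lines and pairs each "Login incorrect" with the first "rlm_detail ... filelock" failure inside a short window, so the "coincidence or not" question becomes a count. The log lines are constructed in the format shown above (one line per event, keeping the module's own "aquire" spelling so the matcher works on real output); host names, PIDs and client addresses are placeholders.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the syslog format of the post.
SAMPLE_LOG = """\
Jan 23 08:26:45 radius freeradius[28054]: rlm_unix: [mjones]: invalid password
Jan 23 08:26:45 radius freeradius[28054]: Login incorrect: [mjones/mjones] (from client 192.0.2.7 port 0)
Jan 23 08:26:46 radius freeradius[28056]: rlm_detail: Failed to aquire filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up
Jan 23 09:15:02 radius freeradius[2200]: Login OK: [kjrumble] (from client 192.0.2.9 port 0)
Jan 23 09:49:46 radius freeradius[2289]: Login incorrect: [mjones/mjones] (from client 192.0.2.7 port 0)
Jan 23 09:49:48 radius freeradius[2292]: rlm_detail: Failed to aquire filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up
Jan 23 11:00:00 radius freeradius[3001]: rlm_detail: Failed to aquire filelock for /usr/local/var/log/radius/radacct/detail-combined, giving up
Jan 23 12:30:10 radius freeradius[4100]: Login incorrect: [alice/xxx] (from client 192.0.2.9 port 0)
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'freeradius\[(?P<pid>\d+)\]: (?P<msg>.*)$')
LOGIN_FAIL = 'Login incorrect:'
LOCK_FAIL = 'rlm_detail: Failed to aquire filelock'   # module's own message text


class Event(NamedTuple):
    lineno: int
    ts: datetime
    pid: int
    kind: str      # 'login_fail', 'lock_fail' or 'other'
    msg: str


def parse_log(text: str) -> List[Event]:
    """Turn syslog lines into Events; lines that do not match the format are skipped."""
    events: List[Event] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
        msg = m['msg']
        if msg.startswith(LOGIN_FAIL):
            kind = 'login_fail'
        elif msg.startswith(LOCK_FAIL):
            kind = 'lock_fail'
        else:
            kind = 'other'
        events.append(Event(lineno, ts, int(m['pid']), kind, msg))
    return events


def correlate(events: List[Event], window_s: float = 5.0) -> List[Tuple[int, int, float]]:
    """Pair each login failure with the first lock failure within window_s seconds after it."""
    locks = [e for e in events if e.kind == 'lock_fail']
    pairs: List[Tuple[int, int, float]] = []
    for e in events:
        if e.kind != 'login_fail':
            continue
        for lock in locks:
            delta = (lock.ts - e.ts).total_seconds()
            if 0 <= delta <= window_s:
                pairs.append((e.lineno, lock.lineno, delta))
                break
    return pairs


def summarize(text: str, window_s: float = 5.0) -> Dict[str, object]:
    """Counts plus the paired (login line, lock line, seconds apart) triples."""
    events = parse_log(text)
    pairs = correlate(events, window_s)
    return {
        'login_failures': sum(e.kind == 'login_fail' for e in events),
        'lock_failures': sum(e.kind == 'lock_fail' for e in events),
        'paired': len(pairs),
        'pairs': pairs,
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On the constructed sample two of three login failures have a lock failure within two seconds and one lock failure stands alone. Pairing only establishes that the events are close in time; as Alan notes, rlm_unix and rlm_detail are independent, so the next step is to line the paired timestamps up against host metrics (disk space, load, and whichever process holds the detail file lock when radrelay is in use).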


Re: Proxying based on SSID

2007-01-24 Thread Alan DeKok
Lai Fu Keung wrote:
> 1. Check the realm, which will set to DEFAULT, as the domain is unknown. The 
> username is NOT stripped in the DEFAULT realm.

  Then add a LOCAL realm of that domain.  If that's impossible, use
the "hints" file to match the [EMAIL PROTECTED] by hand.

> 2. Then check the SSID inside FILE. Set the proxy-to-realm to local realm. 
> The proxy is cancelled. But the username is still NOT stripped.

  You can always add the Stripped-User-Name by hand, using the "hints" file.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
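
Alan's advice in this thread, condensed into a small model of the authorize flow (an added example, not FreeRADIUS code): the realm lookup runs first and strips the suffix only for realms it knows; the DEFAULT realm passes the name through unstripped; a later SSID match on Called-Station-Id can cancel proxying but must set the stripped name itself, which is what the "hints" suggestion does, or the domain must be declared a LOCAL realm. The realm table, the SSID set and the home-server names are constructed; the user name and Called-Station-Id value are the ones from the debug output quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed tables: realm -> home server (None means LOCAL); 'DEFAULT' is the catch-all.
REALMS: Dict[str, Optional[str]] = {
    'hku.hk': None,
    'partner.example': 'radius.partner.example',
    'DEFAULT': 'upstream.example',
}
LOCAL_SSIDS: Set[str] = {'VIP-peap'}

# Called-Station-Id as the thread shows it: AP MAC, optionally ':' and the SSID.
CALLED_STATION_RE = re.compile(
    r'^(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})(?::(?P<ssid>.+))?$')


def split_called_station_id(value: str) -> Tuple[Optional[str], Optional[str]]:
    """'00-16-E0-FD-47-40:VIP-peap' -> ('00-16-E0-FD-47-40', 'VIP-peap'); MAC-only -> (mac, None)."""
    m = CALLED_STATION_RE.match(value or '')
    if not m:
        return None, None
    return m.group('mac').upper(), m.group('ssid')


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Split on the last '@', as the 'suffix' realm instance does."""
    user, sep, realm = user_name.rpartition('@')
    if not sep:
        return user_name, None
    return user, realm


@dataclass(frozen=True)
class Decision:
    lookup_name: str            # User-Name the local modules (ldap, sql) will see
    realm: Optional[str]        # realm entry that matched, 'DEFAULT' for the catch-all
    proxy_to: Optional[str]     # home server, or None when handled locally


def authorize(user_name: str, called_station_id: str,
              realms: Dict[str, Optional[str]], local_ssids: Set[str],
              strip_on_ssid_match: bool = True) -> Decision:
    """Realm check first, SSID check second, in the order the thread describes."""
    user, realm = split_user_name(user_name)
    _mac, ssid = split_called_station_id(called_station_id)

    # Step 1: realm lookup. A listed realm strips the suffix and is LOCAL or proxied.
    # An unlisted realm falls to DEFAULT, which here proxies without stripping.
    key = realm.lower() if realm is not None else None
    if key is not None and key in realms:
        matched, proxy_to, lookup_name = key, realms[key], user
    else:
        matched = 'DEFAULT' if 'DEFAULT' in realms else None
        proxy_to, lookup_name = realms.get('DEFAULT'), user_name

    # Step 2: SSID check (the users/hints entry on Called-Station-Id). A local SSID
    # cancels proxying; the name is only usable locally if this step strips it too.
    if ssid is not None and ssid in local_ssids:
        proxy_to = None
        if strip_on_ssid_match:
            lookup_name = user
    return Decision(lookup_name, matched, proxy_to)


if __name__ == '__main__':
    for strip in (False, True):
        d = authorize('pcw2@asd.com', '00-16-E0-FD-47-40:VIP-peap', REALMS, LOCAL_SSIDS, strip)
        print(f'strip_on_ssid_match={strip}: {d}')
```

With `strip_on_ssid_match=False` the model reproduces the failure in the thread: the request is handled locally but the ldap lookup is handed `pcw2@asd.com`, because neither DEFAULT nor the SSID entry removed the domain. Setting it, or adding `asd.com` to the realm table as LOCAL, is what makes the local lookup see the bare user name.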


Setting check pairs in script when using exec

2007-01-24 Thread Patric

Hi guys,

This is my previous mail phrased differently, as after further 
investigation I found what I'm supposed to be asking.


Up till now I have been using sql to authenticate, and am trying to change 
to my own script and mysql db.


In radiusd.conf I have :

modules {
  exec exec-radauth {
    wait = yes
    program = "/path/to/script.php -- %{User-Name} %{Password}"
    input_pairs = request
    output_pairs = reply
  }
}

authorize {
  exec-radauth
}

This all works perfectly when I include "files" in the authorize section 
and place the following in the users file :


DEFAULT Auth-Type = Accept

But if I exclude "files" from the authorize section I get :

auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.

So now I know that I need to set the Auth-Type check pair in my external 
authentication script, but am not sure how to accomplish this.


Can anyone point me in the right direction with this problem?

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built 
on Sep 20 2006 at 14:13:13


Thanks in advance
Patric

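
One way to get the Auth-Type decision out of an external program, as an added example rather than anything from the post or from FreeRADIUS: a script invoked exactly like the `program` line above (user name and password as its two arguments) that verifies the password against an embedded, constructed user table (standing in for the MySQL lookup) and prints a single check item, `Auth-Type := Accept` or `Auth-Type := Reject`. Two assumptions, both to be checked against the exec module comments in the 1.1.x radiusd.conf: that `output_pairs = config` puts the printed pairs into the check-item list, which is where Auth-Type has to live, and that the module reads one `Attribute op value` pair per stdout line. The user names, passwords and salts are constructed.

```python
#!/usr/bin/env python3
"""External authenticator for rlm_exec (added example, not FreeRADIUS code).

Invocation, as in the post:  script.py <User-Name> <User-Password>
Output: one check item on stdout, read by the module when the instance is
configured with  output_pairs = config  (assumption, see lead-in).
"""
import hashlib
import hmac
import sys
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ROUNDS)


# Constructed user store standing in for the MySQL table: name -> (salt, hash)
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def add_user(name: str, password: str, salt: bytes) -> None:
    USERS[name] = (salt, hash_password(password, salt))


add_user('alice', 'correct horse battery staple', b'constructed-salt-alice')
add_user('bob', 'a-longer-demo-passphrase', b'constructed-salt-bob')

# Used for unknown users so that a lookup miss costs the same time as a mismatch
_DUMMY_SALT = b'constructed-salt-dummy'
_DUMMY_HASH = hash_password('not-a-real-password', _DUMMY_SALT)


def authenticate(username: str, password: str) -> List[str]:
    """Return the check-item pair(s) to print for this login attempt."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    if username not in USERS:
        ok = False
    return ['Auth-Type := Accept'] if ok else ['Auth-Type := Reject']


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        sys.stderr.write('usage: script.py <User-Name> <User-Password>\n')
        return 1                         # non-zero exit: module reports a failure
    for pair in authenticate(argv[1], argv[2]):
        print(pair)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Two practical notes. Passing the password as a command-line argument, as the `program` line does, shows it to anyone who can list processes on the host; to my knowledge rlm_exec also exports the `input_pairs` attributes into the child's environment (`USER_NAME`, `USER_PASSWORD`), which avoids that, so check the module comments for your version. And because the script is now the authenticator, it has to do the slow hashing and constant-time comparison itself; the `Auth-Type := Accept` it emits tells the server to skip any further password check.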


Auth Type when running exec script to authenticate

2007-01-24 Thread Patric

Hi all,

Up till now I have been using sql to authenticate, and am trying to change 
to my own script and mysql db.


In radiusd.conf I have :

modules {
   exec exec-radauth {
      wait = yes
      program = "/path/to/script.php -- %{User-Name} %{Password}"
      input_pairs = request
      output_pairs = reply
   }
}

authorize {
   exec-radauth
}

This all works perfectly when I include "files" in the authorize section 
and place the following in the users file :


DEFAULT Auth-Type = Accept

But if I exclude "files" from the authorize section I get :

auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.

Can anyone point me in the right direction with this problem?

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built 
on Sep 20 2006 at 14:13:13


Thanks in advance
Patric



Re: The EAP Saga begins.

2007-01-24 Thread Evan Vittitow
I keep getting this.
I have been following documentation.
>
> A username and password, and optionally the CA cert so they can
> "trust" the radius server cert.
> rlm_eap: SSL error error:0B080074:x509 certificate
> routines:X509_check_private_key:key values mismatch
> rlm_eap_tls: Error reading private key file
>
http://wiki.freeradius.org/WPA_HOWTO#Script_Listings This is my
documentation.


RE: Proxying based on SSID

2007-01-24 Thread Ana Gallardo Gómez
I think you have to use the attribute "Stripped-User-Name" to authenticate the 
user.

> Date: Wed, 24 Jan 2007 14:21:59 +0800
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Proxying based on SSID
>
> Hi,
>
> Sorry if the questions have been asked. I have done a lot of searches,
> but could not find the answer.
>
> Normally, I proxy a PEAP request whenever the realm is unknown to us
> (i.e. using the DEFAULT realm without stripping user name). However, for
> some SSIDs, I want requests to be handled locally with ldap, independent
> of what the realm is (and with the user name stripped). What I did is to
> find those SSIDs in "Called-Station-ID" and
> set proxy-to-realm to a local realm.
>
> But the problem (I guess) is that when freeradius processes the realm
> file, the user name is not stripped. When later on processed by the
> local realm, the request fails because the user name still contains the
> domain.
>
> Any suggestions to solve it is appreciated. Thanks in advance.
>
> Best Regards,
> Lai
>
> Users
> =
> DEFAULT NAS-Port-Type == "Wireless-802.11", Called-Station-Id =~
> "MY-SSID$", Strip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm :=
> "hku.hk"
>
> DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type := usePlainTextPwd
>
> Radiusd -X
> =
> rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136,
> length=152
> NAS-Port-Id = "2098/1"
> Calling-Station-Id = "00-18-DE-83-3E-1B"
> Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap"
> Service-Type = Framed-User
> EAP-Message = 0x02010012017063637732406173642e636f6d
> User-Name = "[EMAIL PROTECTED]"
> NAS-Port-Type = Wireless-802.11
> NAS-Identifier = "3Com"
> NAS-IP-Address = 17.18.28.26
> Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: Looking up realm "asd.com" for User-Name = "[EMAIL PROTECTED]"
> rlm_realm: Found realm "DEFAULT"
> rlm_realm: Proxying request from user pcw2 to realm DEFAULT
> rlm_realm: Adding Realm = "DEFAULT"
> rlm_realm: Preparing to proxy authentication request to realm
> "DEFAULT"
>   modcall[authorize]: module "suffix" returns updated for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 244
>   modcall[authorize]: module "files" returns ok for request 0
>   rlm_eap: EAP packet type response id 1 length 18
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
> modcall: leaving group authorize (returns updated) for request 0
>   Found Autz-Type usePlainTextPwd
>   Processing the authorize section of radiusd.conf
> modcall: entering group usePlainTextPwd for request 0
> modcall: entering group redundant  for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for [EMAIL PROTECTED]
> radius_xlat:  '(&([EMAIL PROTECTED])))'
> radius_xlat:  'ou=ldap,o=hku,c=hk'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0
> rlm_ldap: starting TLS
> rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter
> (&([EMAIL PROTECTED]))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "withNTPwd" returns notfound for request 0
> modcall: leaving group redundant  (returns notfound) for request 0
> modcall: leaving group usePlainTextPwd (returns notfound) for request 0
>   WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm!
> Cancelling invalid proxy request.
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
>  WARNING: Cancelling proxy to Realm hku.hk, as the realm is local.
> Sending Access-Challenge of id 136 to 17.18.28.26 port 20002
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x
> State

Re: Mac OS X EAP-TLS with wrong username kills freeradius when check_cert_cn is set

2007-01-24 Thread Miika Räisänen

On 1/24/07, Alan DeKok <[EMAIL PROTECTED]> wrote:

Miika Räisänen wrote:
> and gdb after core dump:
> http://cc.oulu.fi/~mraisane/tmp/gdb-radiusd.1st-patch.log

  Please try the following patch.  I believe it will fix the problem.

  If so, I'll commit it to CVS.

  Alan DeKok.


It worked. Thanks.



RE: Proxying based on SSID

2007-01-24 Thread Lai Fu Keung
The "Called-Station-Id" has the SSID included, in addition to the MAC
address.

 

Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap"

 

Lai

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Santiago Balaguer Garcia
Sent: Wednesday, January 24, 2007 4:11 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Proxying based on SSID

 

  I think both are wrong because you must distinguish among the different
SSIDs that an AP broadcasts. It sometimes happens that the wireless MACs are
the same for all SSIDs. Only some devices (such as Mikrotik) let you change
the MAC for each ESSID.

   Another thing is you have to differentiate the ESSID in your user
manager. A solution can be via VLANs and your user manager chooses the
ESSID by the VLAN, adding a possible prefix to the username.

  I use a Mikrotik device which distinguishes the ESSID via MAC and I can
add the prefix because each ESSID has its own login page.





From:  Alan DeKok <[EMAIL PROTECTED]>
Reply-To:  FreeRadius users mailing list

To:  FreeRadius users mailing list

Subject:  Re: Proxying based on SSID
Date:  Wed, 24 Jan 2007 08:18:02 +0100
>Lai Fu Keung wrote:
> > Normally, I proxy a PEAP request whenever the realm is unknown to us
> > (i.e. using the DEFAULT realm without stripping user name). However, for
> > some SSIDs, I want requests to be handled locally with ldap, independent
> > of what the realm is (and with the user name stripped). What I did is to
> > find those SSIDs in "Called-Station-ID" and
> > set proxy-to-realm to a local realm.
>
>   OK...
>
> > But the problem (I guess) is that when freeradius processes the realm
> > file, the user name is not stripped. When later on processed by the
> > local realm, the request fails because the user name still contains the
> > domain.
>
>   The problem is that the realms file *isn't* being processed.  That's
>why the user names aren't stripped.
>
>   You can always put the check for SSID *after* the check for the
>realms.  In that case, the usernames will be stripped, and the SSID
>check can cancel any proxying, just like you do now.
>
>   Alan DeKok.
>--
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog







RE: Proxying based on SSID

2007-01-24 Thread Lai Fu Keung
>You can always put the check for SSID *after* the check for the
>realms.  In that case, the usernames will be stripped, and the SSID
>check can cancel any proxying, just like you do now.

Sorry Alan, I couldn't get you here.
 
Currently, the process (with the problem) is:
 
1. Check the realm, which will set to DEFAULT, as the domain is unknown. The 
username is NOT stripped in the DEFAULT realm.
 
2. Then check the SSID inside FILE. Set the proxy-to-realm to local realm. The 
proxy is cancelled. But the username is still NOT stripped.
 
Where should I put the "check for SSID *after* the check for the realms" as you 
suggest?
 
Lai

 




From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Wed 1/24/2007 3:18 PM
To: FreeRadius users mailing list
Subject: Re: Proxying based on SSID



Lai Fu Keung wrote:
> Normally, I proxy a PEAP request whenever the realm is unknown to us
> (i.e. using the DEFAULT realm without stripping user name). However, for
> some SSIDs, I want requests to be handled locally with ldap, independent
> of what the realm is (and with the user name stripped). What I did is to
> find those SSIDs in "Called-Station-ID" and
> set proxy-to-realm to a local realm.

  OK...

 > But the problem (I guess) is that when freeradius processes the realm
> file, the user name is not stripped. When later on processed by the
> local realm, the request fails because the user name still contains the
> domain.

  The problem is that the realms file *isn't* being processed.  That's
why the user names aren't stripped.

  You can always put the check for SSID *after* the check for the
realms.  In that case, the usernames will be stripped, and the SSID
check can cancel any proxying, just like you do now.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: a freeradious/wireless solution for a school

2007-01-24 Thread A . L . M . Buxey
Hi,
> Please elaborate on how the system can be circumvented?

FakeAP springs to mind instantly, as does any of the other man-in-the-middle
attacks. A quick google will bring up many methods of doing such attacks.

basically, I set up a software AP with the same SSID. I have the same login
page - even the same signed certificate if you've been so good as to
buy a commercial one - and take the users' credentials when they login.
I then pull down my AP and use the credentials to login. Trivial 
stuff.  If you use WEP I can do a similar thing to get the 3rd party
to send me enough WEP traffic (failures of course) to get the key using 
the modern crackers. 5 minutes of fun...and then use that WEP for my gateway.
(The same isn't true - yet - for WPA-PSK - but like WEP those passphrases
need to be disseminated.)  All this falls in the same 'security' bucket
(or bin) as MAC authentication, hiding the SSID etc.

but since most public sites use these systems it's gotta be okay. yes? ;-)

alan


Re: CA Chain

2007-01-24 Thread Reimer Karlsen-Masur, DFN-CERT
Jeffrey Sewell wrote:
> Thank you.
> 
> So if I understand this correctly, radiusd is not looking for a
> directory with checksum'd certificates, just one file with all the
> certificates in it?

Both are possible.

CA_path = ${raddbdir}/certs/trustedCAs/

with c_rehash generated fingerprint symlinks for a directory of trusted CA
certificates for EAP-TLS (with client authentication by client certificates).

Or

CA_file = ${raddbdir}/certs/trustedCAs.pem

a file with possibly multiple PEM formatted CA certificates for EAP-TLS
(with client authentication by client certificates).

My point was that the chain of the radius-server-certificate is actually to
be *added* to the file with the radius-server-certificate itself.

And that if you want to do plain EAP- *T* TLS and only EAP-TTLS, be
careful to leave CA_file and CA_path nulled/empty.

I remember that the inline documentation of the eap.conf file suggests to
put the CA certificate issuing the radius-servers server-certificate into
the CA_file which could open up unwanted EAP-TLS client authentication by
client certificates if this CA issued client certificates.

If you configure radiusd to do EAP-TLS also make sure to use the check_crl =
yes option and have up-to-date CRLs available in the CA_path. Make sure
c_rehash is building the fingerprint symlinks here as well.

To automatically freshen/download CRLs by e.g. cron there is a neat script
with some built-in CRL checking etc. available at
http://dist.eugridpma.info/distribution/util/fetch-crl/

HTH

-- 
Kind Regards

Reimer Karlsen-Masur
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737

14th DFN-CERT Workshop and Tutorials, CCH Hamburg, 7-8 February 2007
Info/registration at: https://www.dfn-cert.de/events/ws/2007/



Re: Mac OS X EAP-TLS with wrong username kills freeradius when check_cert_cn is set

2007-01-24 Thread Alan DeKok
Miika Räisänen wrote:
> and gdb after core dump:
> http://cc.oulu.fi/~mraisane/tmp/gdb-radiusd.1st-patch.log

  Please try the following patch.  I believe it will fix the problem.

  If so, I'll commit it to CVS.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
? eap.patch
? radeapclient
Index: libeap/tls.c
===
RCS file: /source/radiusd/src/modules/rlm_eap/libeap/tls.c,v
retrieving revision 1.1.2.3
diff -u -r1.1.2.3 tls.c
--- libeap/tls.c27 Apr 2006 18:53:23 -  1.1.2.3
+++ libeap/tls.c24 Jan 2007 09:00:27 -
@@ -92,7 +92,7 @@
 /*
  * Print out some text describing the error.
  */
-static void int_ssl_check(SSL *s, int ret, const char *text)
+static int int_ssl_check(SSL *s, int ret, const char *text)
 {
int e;
 
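Review bot: the comment above int_ssl_check still says only that it prints text describing the error, while the function now returns an int that callers are expected to act on; please document the convention there (1: the session may continue, 0: fatal, caller must abort the session), since nothing else in the diff states it.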
@@ -117,7 +117,7 @@
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_ZERO_RETURN:
-   return;
+   break;
 
/*
 *  These seem to be indications of a genuine
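Review bot: changing `return;` to `break;` for SSL_ERROR_WANT_READ/WRITE/X509_LOOKUP and SSL_ERROR_ZERO_RETURN makes them fall through to the trailing `return 1`, which is the intended "not fatal" result, but a short comment at the `break` (e.g. `/* transient or clean shutdown: caller may continue */`) would make it explicit that SSL_ERROR_ZERO_RETURN, the peer's clean TLS close, is deliberately classed as non-fatal here.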
@@ -127,14 +127,12 @@
case SSL_ERROR_SYSCALL:
radlog(L_ERR, "rlm_eap_tls: %s failed in a system call (%d), 
TLS session fails.",
   text, ret);
-   SSL_set_app_data(s, (char *)1);
-   return;
+   return 0;
 
case SSL_ERROR_SSL:
radlog(L_ERR, "rlm_eap_tls: %s failed inside of TLS (%d), TLS 
session fails.",
   text, ret);
-   SSL_set_app_data(s, (char *)1);
-   return;
+   return 0;
 
default:
/*
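Review bot: removing the two `SSL_set_app_data(s, (char *)1)` calls takes away the only in-object marker that a fatal error occurred, so any other caller of int_ssl_check (the diff only updates the SSL_read site) that still discards the return value and relies on SSL_get_app_data() to detect failure will now silently carry on with a broken session; please check every caller of int_ssl_check and every reader of that app-data flag in the module before committing.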
@@ -144,8 +142,10 @@
 *  the code needs updating here.
 */
radlog(L_ERR, "rlm_eap_tls: FATAL SSL error . %d\n", e);
-   break;
+   return 0;
}
+
+   return 1;
 }
 
 /*
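Review bot: the `default:` case now returns 0 where it used to `break` and continue, so an unrecognised SSL error code turns from "log and carry on" into "fail the session"; that is the safer behaviour, but it is a behaviour change worth naming in the commit message, and the radlog there still reports only the numeric code `e`, so consider appending ERR_error_string() output to make the unknown case diagnosable when it does fire.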
@@ -170,8 +170,8 @@
   sizeof(ssn->clean_out.data));
if (err > 0) {
ssn->clean_out.used = err;
-   } else {
-   int_ssl_check(ssn->ssl, err, "SSL_read");
+   } else if (!int_ssl_check(ssn->ssl, err, "SSL_read")) {
+   return 0;
}
 
/* Some Extra STATE information for easy debugging */
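Review bot: on the new `return 0` path nothing in `ssn` records that the session has failed (the old code at least set the SSL app-data flag) and `ssn->clean_out.used` is left as it was, so the enclosing function's callers must now check its return value rather than inspecting the session object; confirm that every caller does, and consider zeroing `clean_out.used` before the `return 0` so stale buffer contents cannot be consumed after a failed read.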

Re: Proxying based on SSID

2007-01-24 Thread Santiago Balaguer García

  I think both are wrong because you must distinguish among the different SSIDs that an AP broadcasts. It sometimes happens that the wireless MACs are the same for all SSIDs. Only some devices (such as Mikrotik) let you change the MAC for each ESSID.
   Another thing is you have to differentiate the ESSID in your user manager. A solution can be via VLANs and your user manager chooses the ESSID by the VLAN, adding a possible prefix to the username.
  I use a Mikrotik device which distinguishes the ESSID via MAC and I can add the prefix because each ESSID has its own login page.




From: Alan DeKok <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: Proxying based on SSID
Date: Wed, 24 Jan 2007 08:18:02 +0100

>Lai Fu Keung wrote:
> > Normally, I proxy a PEAP request whenever the realm is unknown to us
> > (i.e. using the DEFAULT realm without stripping user name). However, for
> > some SSIDs, I want requests to be handled locally with ldap, independent
> > of what the realm is (and with the user name stripped). What I did is to
> > find those SSIDs in "Called-Station-ID" and
> > set proxy-to-realm to a local realm.
>
>   OK...
>
> > But the problem (I guess) is that when freeradius processes the realm
> > file, the user name is not stripped. When later on processed by the
> > local realm, the request fails because the user name still contains the
> > domain.
>
>   The problem is that the realms file *isn't* being processed.  That's
>why the user names aren't stripped.
>
>   You can always put the check for SSID *after* the check for the
>realms.  In that case, the usernames will be stripped, and the SSID
>check can cancel any proxying, just like you do now.
>
>   Alan DeKok.
>--
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
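The ordering point in the quoted reply (realm processing first, so the user name is stripped; SSID check second, so it can cancel the proxying) can be seen in a small simulation. This is an added example, not code from the list or from FreeRADIUS: it models the two steps as plain functions, assumes the RFC 3580 layout "AP-MAC:SSID" for Called-Station-Id with a dash-separated MAC and a "user@realm" User-Name, and assumes (as the reply describes) that the realm step leaves a request alone when Proxy-To-Realm is already set. The SSID set, realm table and request values are constructed.

```python
"""Simulation of realm-then-SSID ordering for a RADIUS authorize pass.

Added example, not FreeRADIUS code. Assumptions: Called-Station-Id is
"AP-MAC:SSID" (RFC 3580, MAC with dashes), User-Name is "user@realm",
and the realm step skips a request whose Proxy-To-Realm is already set.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_SSIDS = {"staff-wifi", "campus-secure"}   # constructed: SSIDs handled locally (LDAP)
KNOWN_REALMS = {"partner.example"}               # constructed: realms proxied explicitly
DEFAULT_REALM = "DEFAULT"                        # catch-all realm for unknown domains
LOCAL = "LOCAL"                                  # marker the SSID step uses to force local handling


@dataclass
class Request:
    user_name: str
    called_station_id: str
    stripped_user_name: Optional[str] = None
    proxy_to_realm: Optional[str] = None


def ssid_of(called_station_id: str) -> Optional[str]:
    """Return the SSID from an 'AP-MAC:SSID' Called-Station-Id, or None if absent."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep and ssid else None


def process_realms(req: Request) -> None:
    """Model of the realms step: split user@realm, pick the proxy target, strip the name.

    Assumption taken from the thread: if Proxy-To-Realm is already set, the
    realm step does nothing, so the user name is never stripped."""
    if req.proxy_to_realm is not None:
        return
    user, sep, realm = req.user_name.rpartition("@")
    if not sep:
        return                       # no realm: local user, nothing to strip
    req.stripped_user_name = user
    req.proxy_to_realm = realm if realm in KNOWN_REALMS else DEFAULT_REALM


def check_ssid(req: Request) -> None:
    """SSID step: a locally served SSID forces local handling whatever the realm is."""
    if ssid_of(req.called_station_id) in LOCAL_SSIDS:
        req.proxy_to_realm = LOCAL


def authorize(user_name: str, called_station_id: str,
              ssid_check_first: bool = False) -> Tuple[str, str]:
    """Run both steps in the chosen order; return (effective user name, target)."""
    req = Request(user_name, called_station_id)
    steps = [check_ssid, process_realms] if ssid_check_first else [process_realms, check_ssid]
    for step in steps:
        step(req)
    effective_user = req.stripped_user_name or req.user_name
    if req.proxy_to_realm in (None, LOCAL):
        return effective_user, "local"
    return effective_user, "proxy:" + req.proxy_to_realm


if __name__ == "__main__":
    # Ordering from the original question: SSID check first, realm step skipped, name not stripped.
    print(authorize("bob@partner.example", "00-11-22-33-44-55:staff-wifi", ssid_check_first=True))
    # Ordering from the reply: realm step strips the name, SSID check cancels the proxy.
    print(authorize("bob@partner.example", "00-11-22-33-44-55:staff-wifi"))
    # Non-local SSID: the proxy decision from the realm step stands.
    print(authorize("bob@partner.example", "00-11-22-33-44-55:guest"))
```

With `ssid_check_first=True` the request reaches the realm step with Proxy-To-Realm already set, so the name stays "bob@partner.example" even though it is handled locally, which is the failure described in the question; with the recommended order the same request arrives locally as "bob".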

Re: Small problem with authentication

2007-01-24 Thread Alan DeKok
Mark Jones wrote:
> That is an excerpt from our log this morning. Two users were denied
> access even though they supplied the correct username and password. This
> happens all the time exactly a few seconds prior to the filelock error.
> The file lock error is being generated because I use radrelay. I am
> running version 1.14.

  The thing I don't understand is that the two messages are unrelated.
The detail module isn't the unix module.  Accounting is not
authentication...

  If the messages appear close together a lot, that is suspicious.  But
I would think it's because of some *other* issue that's affecting both
authentication & accounting, like the CPU load spiking on the machine.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Splitting the password field in freeRADIUS

2007-01-24 Thread Alan DeKok
Drumm, Daniel wrote:

> Is it possible to front end this type of server with FreeRADIUS, so that
> NAS-Clients can send a tokencode prepended to, say, a Kerberos password
> - and have the FreeRADIUS server forward the first 6 digits of the field
> to the RSA server for tokencode validation - and the remaining characters
> to another RADIUS server, one that front-ends a Kerberos system? Only
> when both fields return true is the authentication true.

  Yes, if you write a script to do this.  But it won't be stable.

  FreeRADIUS isn't set up to proxy one request to multiple places.  In
general, it's not a good idea.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: post-proxy section and local proxy

2007-01-24 Thread Alan DeKok
Markus Krause wrote:
>>   Maybe try the postauth section?  That's really for handling replies
>> from the current server to the NAS.
> hmm, that sounds interesting, but I could not find any information
> (which I could understand) on how to do that. would that mean to write a
> module of my own? maybe in Perl?
> 
> Could you please give a small example on how to replace reply attribute?

  The attr_filter module can do this, perhaps.  In the CVS head it can.

  Or, you can use the Perl module.  See the example.pl (I think) file
for what to do.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html