Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
> Assertion failed in event.c, line 669
...
> Happens after all the home servers have been marked as dead, and you
> have an incoming request... though could be when it's firing off a ping
> check event.
> Either way it's repeatable, and *only* happens when all home servers are
> dead.

OK. I've gone over the code again, and fixed up a few corner cases of the state machine. That test case now works for me.

> Also little one with access-reject when home server fails to respond.
> Not sent through access reject filter, though that's probably because it
> never passes through post-auth.

That will be fixed on another commit.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: returning VSA from exec-prog-wait
Murray Hooper wrote:
> Can I return VSA(106) from a script called from exec-prog-wait? I am trying
> to "echo H323-redirect-number=" but the NAS does not see this as VSA 106

If you run the server in debugging mode, as suggested in the FAQ, README, and INSTALL, you will see the results of exec-program-wait, and what the server is doing with it.

I never understand why people look at the NAS to see what the server is doing.

Alan DeKok.
Re: Problem with mschap, ntlm_auth and a conditional syntax
Lukasz Lacinski wrote:
> Alan DeKok wrote:
>> I've committed a fix to CVS head. Please re-test.
>
> OK. I'm going to test it as soon as possible.
> It means when SIGSEGV will not be so fast ;-)

Some of the data structures in the server have changed, which means you need to be sure that the server is using the *new* structures. i.e. remove all 2.0-pre0 modules && binaries before installing a new one.

In order to get debugging symbols, see doc/bugs.

Alan DeKok.
Re: Problem with mschap, ntlm_auth and a conditional syntax
Alan DeKok wrote:
> I've committed a fix to CVS head. Please re-test.

OK. I'm going to test it as soon as possible. It means when SIGSEGV will not be so fast ;-)

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.2 port 1645, id=160, length=166
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "0014.1bb6.da30"
        Calling-Station-Id = "0002.b306.4cf1"
        Service-Type = Login-User
        Message-Authenticator = 0x1b86f1e76d4be2fa3bb2c0c5daf968d6
        EAP-Message = 0x0202001d01757a79737a6b6f646e696b406c6174696e2e70637a2e706c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 863
        NAS-Port-Id = "863"
        NAS-IP-Address = 10.0.0.2
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0

Program received signal SIGSEGV, Segmentation fault.
0xb7c13c26 in ?? ()
(gdb) where
#0  0xb7c13c26 in ?? ()
#1  0x801228a0 in ?? ()
#2  0x in ?? ()
(gdb)

Lukasz Lacinski
Re: add realm to user based on NAS-IP
Alexander Papenburg wrote:
>> You should also comment out any rlm_realm instances in the authorize section.
>
> The Problem is, suffix is already commented out in authorize section.
> IMHO the user [EMAIL PROTECTED] (see 1st try) won't work either.

rlm_realm instances do much the same job as the Proxy-To-Realm reply item, just they also handle splitting the username into its component parts. Usually you would use one or the other, but not both.

Erm, I thought your original question was, "how do I proxy a user to a realm based on the NAS-IP-Address and how do I rewrite that username with that realm name". If that's the case ... why are you using [EMAIL PROTECTED] as your test user???

---
Arran
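One concrete way to do what the original question asks, as an added example that is not part of this thread and not taken from the FreeRADIUS documentation: the FreeRADIUS 1.x fragments below pick the realm from a check item in the users file instead of from the user name suffix, so the suffix (rlm_realm) instance stays commented out in authorize, as Arran says. The addresses (10.0.0.1 for the router, 192.168.0.1 for the home server) and the realm name "realm" come from this thread; the shared secret is a placeholder, and the "rewrite the username" half of the question is not covered here.

```conf
# proxy.conf (FreeRADIUS 1.x): the home server, defined as a realm.
# "nostrip" forwards the User-Name unchanged; without it the server would
# strip a matching "@realm" suffix before proxying.
realm realm {
	type      = auth
	authhost  = 192.168.0.1:1812
	secret    = "SHARED_SECRET_PLACEHOLDER"    # placeholder, not a real secret
	nostrip
}

# users: choose the realm by the NAS that sent the request.
# The first line of an entry holds check items; Proxy-To-Realm is a check
# item that marks the request for proxying once authorize has finished.
# The indented line holds reply items; Fall-Through lets later entries
# (for example a DEFAULT with reply attributes) still match.
DEFAULT	NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := "realm"
	Fall-Through = Yes
```

Run the server with radiusd -X and check for the "Sending Access-Request of id ... to 192.168.0.1 port 1812" line that also appears in Alexander's log; if it is missing, the DEFAULT entry did not match. Note what is being trusted here: NAS-IP-Address is a value the NAS writes into the packet, not the address the packet came from, so a NAS that is allowed to talk to the server at all can claim any NAS-IP-Address. Where the server offers an internal attribute for the packet source address (Client-IP-Address in the versions I know), matching on that instead ties the decision to the address that was already checked against clients.conf.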
Re: add realm to user based on NAS-IP
> You should also comment out any rlm_realm instances in the authorize section.

The problem is, suffix is already commented out in the authorize section. IMHO the user [EMAIL PROTECTED] (see 1st try) won't work either.
returning VSA from exec-prog-wait
Can I return VSA(106) from a script called from exec-prog-wait? I am trying to "echo H323-redirect-number=" but the NAS does not see this as VSA 106

Thanks
murray
Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
...
> Assertion failed in event.c, line 669

Hmm... OK.

> Happens after all the home servers have been marked as dead, and you
> have an incoming request... though could be when it's firing off a ping
> check event.
> Either way it's repeatable, and *only* happens when all home servers are
> dead.

It's a good test case.

> Also little one with access-reject when home server fails to respond.
> Not sent through access reject filter, though that's probably because it
> never passes through post-auth.

Yes. It should really run "post-proxy-type = FAIL", or something like that, followed by the access reject filter.

Right now, the goal is to add the new features, make them stable, and then touch it up around the edges.

> and finally, how do you define a binding for the snmp module it's
> on, but I never explicitly bound it to anywhere :|

snmp.conf

FreeRADIUS connects to the SNMP daemon, and there's little else to configure.

> unlike auth/acct that are bound with listen sections. Seems like there
> may be a need for a small extension to listen sections
> to allow type snmp .

No. FreeRADIUS isn't an SNMP server. It *registers* itself with an SNMP server, and the SNMP server calls FreeRADIUS whenever something needs to get done.

Alan DeKok.
Re: double free or corruption errors with 2.0.0-pre0
ChristosH wrote:
> Alan, you said 1.1.6 will be addressing this specific issue, or is it
> something I should continue looking into?

There is a known double free in 1.1.5 that will be fixed in 1.1.6. That should be released this week.

> Do you have a schedule posted for 2.0.0.

Soon. At this point, many of the fixes needed for 2.0 are in, so it should be very, very, soon.

Alan DeKok.
Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
> Kevin Bonner wrote:
>> On Tuesday 10 April 2007 13:51:29 Arran Cudbard-Bell wrote:
>>> and finally, how do you define a binding for the snmp module it's
>>> on, but I never explicitly bound it to anywhere :|
>>> unlike auth/acct that are bound with listen sections. Seems like there
>>> may be a need for a small extension to listen sections
>>> to allow type snmp .
>>
>> Arran,
>>
>> http://wiki.freeradius.org/SNMP_HOWTO
>>
>> That page should give some base info on setting up SNMP support.
>>
>> Kevin Bonner
>
> Yuhu, but doesn't explain how to bind the snmp port to a specific ip
> address on a multi homed server ;-)
>
> ---
> Arran

Oh wait, snmp module connects to another snmp server ... oops. My bad, never played with it before :)

Thanks,
Arran
Re: Version 2.0 is a lot closer to reality...
Kevin Bonner wrote:
> On Tuesday 10 April 2007 13:51:29 Arran Cudbard-Bell wrote:
>> and finally, how do you define a binding for the snmp module it's
>> on, but I never explicitly bound it to anywhere :|
>> unlike auth/acct that are bound with listen sections. Seems like there
>> may be a need for a small extension to listen sections
>> to allow type snmp .
>
> Arran,
>
> http://wiki.freeradius.org/SNMP_HOWTO
>
> That page should give some base info on setting up SNMP support.
>
> Kevin Bonner

Yuhu, but doesn't explain how to bind the snmp port to a specific ip address on a multi homed server ;-)

---
Arran
Re: Version 2.0 is a lot closer to reality...
On Tuesday 10 April 2007 13:51:29 Arran Cudbard-Bell wrote:
> and finally, how do you define a binding for the snmp module it's
> on, but I never explicitly bound it to anywhere :|
> unlike auth/acct that are bound with listen sections. Seems like there
> may be a need for a small extension to listen sections
> to allow type snmp .

Arran,

http://wiki.freeradius.org/SNMP_HOWTO

That page should give some base info on setting up SNMP support.

Kevin Bonner
Re: 1.1.5 double free or corruption
Roberto Greiner wrote:
> MALLOC_CHECK_=0

Now, is that done in the configure (./configure --MALLOC_CHECK_=0), at the make (MALLOC_CHECK_=0) or at runtime?
Re: 1.1.5 double free or corruption
ChristosH wrote:
> I'm getting a similar error, except mine's 0x09fc4f10.
> Apparently this has to do with the Perl library (and means we'll have to
> recompile) but I have no idea how to upgrade that.
> I'm on CentOS 4.4 and have run the auto-updater, am on the CentOS Plus
> repository and have MySQL installed.
>
> Thor Spruyt wrote:
>> *** glibc detected *** double free or corruption (fasttop): 0x098a55d8 ***
>> Aborted

I'm getting the same problem here. I installed the new Debian Etch (released yesterday), and FreeRadius gave me the same message.

As a temporary 'fix', until 1.1.6 (or 2.0) comes out, you can suppress glibc's double check (which is causing that problem) by adding the following to the environment variables:

MALLOC_CHECK_=0

How you do that, of course, changes depending on whether you are using bash, csh, etc.

Note: beware that there is a _ AFTER the CHECK word!

I got the information on this in the following page:
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/RELEASE-NOTES-en.html

Just search for glibc on that page.

Roberto
--
Marcos Roberto Greiner

Optimists think we live in the best of all possible worlds.
Pessimists are afraid that this is true.
Murphy
Re: add realm to user based on NAS-IP
Hi Arran, hi Alexander and hi Freeradius-List,

I ran into problems regarding the Proxy-to-realm thing... :(

My Setup:

10.0.0.1     A cisco Router
10.0.1.20    My Terminal
192.168.0.1  Radius (Home Server)
192.168.0.2  Radius (Proxy)

At first a successful login with username [EMAIL PROTECTED]:

--snip1--
        User-Name = "[EMAIL PROTECTED]"
        Reply-Message = "Password: "
        User-Password = "testtest"
        NAS-Port = 2
        NAS-Port-Id = "tty2"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.0.1.20"
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:41:10 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group authorize for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Looking up realm "realm" for User-Name = "[EMAIL PROTECTED]"
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Found realm "realm"
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Proxying request from user abc to realm realm
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Adding Realm = "realm"
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Preparing to proxy authentication request to realm "realm"
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "suffix" returns updated for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "files" returns notfound for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group authorize (returns updated) for request 0
Tue Apr 10 19:41:10 2007 : Debug: proxy: creating 688187c3:1812
Tue Apr 10 19:41:10 2007 : Debug: proxy: allocating 688187c3:1812 0
Sending Access-Request of id 0 to 192.168.0.1 port 1812
        User-Name = "[EMAIL PROTECTED]"
        Reply-Message = "Password: "
        User-Password = "testtest"
        NAS-Port = 2
        NAS-Port-Id = "tty2"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.0.1.20"
        NAS-IP-Address = 10.0.0.1
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 192.168.0.1:1812, id=0, length=24
Tue Apr 10 19:41:10 2007 : Debug: proxy: de-allocating 688187c3:1812 0
Tue Apr 10 19:41:10 2007 : Debug: rl_next: returning NULL
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 got semaphore
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 handling request 0, (1 handled so far)
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Processing the post-proxy section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group post-proxy for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[post-proxy]: module "eap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group post-proxy (returns noop) for request 0
Tue Apr 10 19:41:10 2007 : Debug: authorize: Skipping authorize in post-proxy stage
Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Found Auth-Type
Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of
Re: freeradius with samba domain and port-access (Christian)
"Thanks for help. I think so too, but I have no idea how or even if it is possible. The WXPSP2 Client with user authentication is not able to authanticate against the freeradius. There is not even a request arriving on the freeradius. If I toggle to "Identify with ComputerInformation if possible" there is at least a request arriving at the radiusserver. It takes some time, but it works. After the Authentication with computer Information, its not possible to authenticate a second time with the user information. How do i have to configure the client correctly to realize userauthentication? Or do I need to reconfigure the server?" I know it sounds stupid, but you have set up the correct radius type for port based authentication ? There's two on the HP procurves, Radius-CHAP Radius-EAP Do show authentication Via the CLI and it should give you something looking like this. * *Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Enabled | Login Login Enable Enable Access Task | PrimarySecondary PrimarySecondary --- + -- -- -- -- Console | Radius Local Radius Local Telnet | Local None Local None Port-Access | EapRadius Webui| Local None Local None SSH | Radius Local Radius Local Web-Auth | ChapRadius MAC-Auth| ChapRadius Need to make sure Port-Access is set to EapRadius, else the switch won't pass the eap messages through correctly. If it's on Chap use config aaa authentication port-access eap-radius write mem --- Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 2.0 is a lot closer to reality...
Alan DeKok wrote:

Got another one for you :P

rlm_detail: /usr/local/freeradius/var/log//%Y%m%d/pre-proxy-detail expands to /usr/local/freeradius/var/log//20070410/pre-proxy-detail
radius_xlat: 'Tue Apr 10 18:34:28 2007'
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 31
modcall: group pre-proxy returns updated for request 31
Sending Access-Request of id 166 to 194.83.56.233 port 1812
        Service-Type := Authenticate-Only
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 139.184.8.1
        Proxy-State = 0x3135
Proxying request 31 to realm jrs, home server 194.83.56.233 port 1812
Sending Access-Request of id 166 to 194.83.56.233 port 1812
        Service-Type := Authenticate-Only
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 139.184.8.1
        Proxy-State = 0x3135
Going to the next request
Cleaning up request 27 ID 11 with timestamp +641
Cleaning up request 28 ID 12 with timestamp +642
Sending Access-Request of id 188 to 194.83.56.249 port 1812
        User-Name := "[EMAIL PROTECTED]"
        User-Password := "just_testing"
        Service-Type := Authenticate-Only
        Message-Authenticator := 0x
        NAS-Identifier := "Ping! Are you alive?"
Sending Access-Request of id 81 to 194.82.174.185 port 1812
        User-Name := "[EMAIL PROTECTED]"
        User-Password := "just_testing"
        Service-Type := Authenticate-Only
        Message-Authenticator := 0x
        NAS-Identifier := "Ping! Are you alive?"
Cleaning up request 29 ID 13 with timestamp +643
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 81.6.252.244 port 3363, id=15, length=72
FAILURE: Home server 194.83.56.233 port 1812 is dead.
Failed to find live home server for request 31
There was no response configured: rejecting request 31
Sending Access-Reject of id 15 to 81.6.252.244 port 3363
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Private-Group-Id = "134"
        Service-Type = Framed-User
Finished request 31 state 5
Waking up in 1 seconds...
Cleaning up request 30 ID 14 with timestamp +644
Waking up in 2 seconds...
No response to ping 32 from home server 194.83.56.249 port 1812
Cleaning up request 32 with timestamp +647
No response to ping 33 from home server 194.82.174.185 port 1812
Cleaning up request 33 with timestamp +648
Waking up in 12 seconds...
Assertion failed in event.c, line 669
Abort

*process death*

Happens after all the home servers have been marked as dead, and you have an incoming request... though could be when it's firing off a ping check event. Either way it's repeatable, and *only* happens when all home servers are dead.

Also little one with access-reject when home server fails to respond. Not sent through access reject filter, though that's probably because it never passes through post-auth.

Sending Access-Request of id 14 to 139.184.14.181 port 1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "poptart1"
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.1
rad_recv: Access-Reject packet from host 139.184.14.181:1812, id=14, length=67
        Reply-Message = "Please use [EMAIL PROTECTED] as your user ID"
Sending Access-Request of id 15 to 139.184.14.181 port 1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "poptart1"
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.1
Re-sending Access-Request of id 15 to 139.184.14.181 port 1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "poptart1"
        Service-Type = Framed-User
        NAS-IP-Address = 139.184.8.1
rad_recv: Access-Reject packet from host 139.184.14.181:1812, id=15, length=43
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "134"
        Service-Type = Framed-User

And finally, how do you define a binding for the snmp module? It's on, but I never explicitly bound it to anywhere :| Unlike auth/acct that are bound with listen sections. Seems like there may be a need for a small extension to listen sections to allow type snmp.

Sorry for breaking it again :(

---
Arran
Re: double free or corruption errors with 2.0.0-pre0
I think you need to step back and relax, Mat. If a developer can't get the situation reproduced or even debug info on it, they'll be helpless. Do also realize this is an open source free utility that doesn't come with any guaranteed support.

Was this a problem for you in 1.1.4? I know for me it wasn't (and because of that I've rolled back), but I also know that it started popping up when I decided to compile on new AMD Opteron based systems (1.1.5 worked on my Intel servers just fine, oddly enough, with the EXACT same OS setup and config of 1.1.5 copied over through VMWare!)

Alan, you said 1.1.6 will be addressing this specific issue, or is it something I should continue looking into? Do you have a schedule posted for 2.0.0?
Re: 1.1.5 double free or corruption
I'm getting a similar error, except mine's 0x09fc4f10. Apparently this has to do with the Perl library (and means we'll have to recompile) but I have no idea how to upgrade that. I'm on CentOS 4.4 and have run the auto-updater, am on the CentOS Plus repository and have MySQL installed.

Thor Spruyt wrote:
> *** glibc detected *** double free or corruption (fasttop): 0x098a55d8 ***
> Aborted
Re: two database
http://wiki.freeradius.org/Rlm_sql

----- Original Message -----
From: Nirmal
To: FreeRadius users mailing list
Sent: Monday, April 09, 2007 1:53 PM
Subject: Re: two database

Can I use two SQL databases in sql.conf for FreeRADIUS version 0.9?

Currently I am using freeradius 0.9 + MySQL 3.23 + PPPoE on linux (NAS). Authentication and accounting is happening in one database. I have a very large user database and I want to assign roaming profiles to my users; in that case users will be authenticated from database1, which holds the authentication information (radcheck, radgroupcheck, radreply) of all users, and accounting will be done in database2 (radacct table).

How do I specify two databases in sql.conf, as there is only one line radius_db? :( I did not find more help in the docs of freeradius-1.1.5 !!

Please help

Nirmal Patel

Alan DeKok <[EMAIL PROTECTED]> wrote:

Nirmal wrote:
> Hi i m using freeradius 0.9

Why?

> is it possible to select two sql databases in sql.conf ?

Yes.

> how ?

See the documentation in the recent versions.

Alan DeKok.
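What Alan's "yes" looks like in configuration, as an added example that is not from this thread or the project's own files: two named instances of rlm_sql in FreeRADIUS 1.1.x syntax (the 0.9 release Nirmal runs is too old to recommend), one pointed at database1 for the check/reply tables and one at database2 for radacct. The database names are from Nirmal's message; the instance names sql_auth and sql_acct, the two database accounts and the passwords are assumptions and placeholders. The query definitions that the stock sql.conf carries are not repeated here; each instance keeps them unchanged.

```conf
# sql.conf (FreeRADIUS 1.1.x): two instances of the same module, each with
# its own connection and table settings. The stock radiusd.conf already
# $INCLUDEs this file inside modules { }.

# Instance used in authorize: reads radcheck/radreply/radgroup* only.
sql sql_auth {
	driver    = "rlm_sql_mysql"
	server    = "localhost"
	login     = "radius_auth"                  # assumed account: SELECT on the auth tables only
	password  = "AUTH_PASSWORD_PLACEHOLDER"    # placeholder
	radius_db = "database1"                    # radcheck, radgroupcheck, radreply live here

	authcheck_table  = "radcheck"
	authreply_table  = "radreply"              # rows here become reply attributes sent to the NAS
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table  = "usergroup"

	# authorize_*_query, group_membership_query etc. as in the stock sql.conf
}

# Instance used in accounting: writes radacct only.
sql sql_acct {
	driver    = "rlm_sql_mysql"
	server    = "localhost"
	login     = "radius_acct"                  # assumed account: INSERT/UPDATE on radacct only
	password  = "ACCT_PASSWORD_PLACEHOLDER"    # placeholder
	radius_db = "database2"                    # radacct lives here

	acct_table1 = "radacct"
	acct_table2 = "radacct"

	# accounting_*_query as in the stock sql.conf
}

# radiusd.conf: call the right instance in the right section.
# Other modules (chap, mschap, eap, ...) are omitted from these sections.
authorize {
	preprocess
	sql_auth
}

accounting {
	detail
	sql_acct
}
```

Giving each instance its own database account is the point of splitting them, not just the separate radius_db value: the account behind sql_acct never needs to read radcheck, so a problem on the accounting path (the busier and more exposed one, since every NAS writes to it) does not hand out the password material stored in database1. In radiusd -X output each instance logs under its own name, which is the quickest way to confirm that authorize is really talking to database1 and accounting to database2.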
Re: freeradius with samba domain and port-access (Christian)
The Windows clients can be configured to log on with machine credentials. For this, they will need accounts in AD. This has been tested to work with FreeRADIUS for a while. I haven't done it myself, but search the net & docs. It does work.

Once that happens, the switch thinks that the machine is authenticated, and may not re-do authentication for the user. There's very little you can do in this case.

Alan DeKok.
Newbie Question
Excuse the greenness of the question. Is there a 'how-to' on authreply_table? I am just starting with freeradius + mysql and want to get freeradius to do a db dip and respond with the required plus a couple of extra fields of data to the NAS.

Appreciated
murray
Re: freeradius with samba domain and port-access (Christian)
Christian Hohmann wrote:
>> Now the Problem: Some workstations are added to a samba managed domain and can only login on the samba service.
>> It seems to me, that the winxpsp2 supplicant first wants to authenticate at
>> the samba server. But the switch doesn't allow the connection, because the
>> port is closed until the eap-authentication is handled.
>
> The machines also need to log in using EAP.
>
> Alan DeKok.

Thanks for help. I think so too, but I have no idea how or even if it is possible. The WXPSP2 Client with user authentication is not able to authenticate against the freeradius. There is not even a request arriving on the freeradius. If I toggle to "Identify with ComputerInformation if possible" there is at least a request arriving at the radiusserver. It takes some time, but it works. After the Authentication with computer Information, it's not possible to authenticate a second time with the user information.

How do I have to configure the client correctly to realize user authentication? Or do I need to reconfigure the server?

Regards
Christian
Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
...
> FAILURE: Home server 194.83.56.249 port 1812 is dead.
> RETRY: Proxying request 13 to different home server 194.82.174.185 port 1812
...
> Didn't do that before :S

Yup.

$ cvs update
$ make

:)

Also, if you have SNMP enabled, it now prints out that it's listening on the SNMP socket...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote: > Alan DeKok wrote: > >> Alan DeKok wrote: >> >> >>> I've just committed massive changes to the server core. The "diff" is >>> about 3k lines, and doesn't include deleted or added files. >>> >>> >> More code changes today: >> >> Multiple requests are proxied to a home server. If the home server is >> marked dead while the NAS is retransmitting the packets, the current >> code (1.x) keeps sending the retransmissions to the dead home server. >> >> In the CVS head, it now discovers that the home server is dead, and >> picks a live one from the appropriate server_pool. When coupled with >> the support for checking if a dead home server has come back to life, >> the server should be MUCH more robust in the event of home server failure. >> >> i.e. With the current code, many proxied requests can get rejected, >> even if there is a home server for the realm that is live. With the new >> code, all possible efforts are made to minimize the number of requests >> that get rejected. >> >> No other server can do better than this. >> >> Alan DeKok. >> -- >> http://deployingradius.com - The web site of the book >> http://deployingradius.com/blog/ - The blog >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> >> > > It seems to be occurring when the freeradius switches from the dead home_server to another in the pool. Repeatable, happens on every transition to new proxy server. Looks like a pretty generic memory allocation error, but I can provide platform / library information if it'll help. When it works it'll be awesome :D --- Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 2.0 is a lot closer to reality...
Alan DeKok wrote:
> Alan DeKok wrote:
>
>> I've just committed massive changes to the server core. The "diff" is
>> about 3k lines, and doesn't include deleted or added files.
>>
>
> More code changes today:
>
> Multiple requests are proxied to a home server. If the home server is
> marked dead while the NAS is retransmitting the packets, the current
> code (1.x) keeps sending the retransmissions to the dead home server.
>
> In the CVS head, it now discovers that the home server is dead, and
> picks a live one from the appropriate server_pool. When coupled with
> the support for checking if a dead home server has come back to life,
> the server should be MUCH more robust in the event of home server failure.
>
> i.e. With the current code, many proxied requests can get rejected,
> even if there is a home server for the realm that is live. With the new
> code, all possible efforts are made to minimize the number of requests
> that get rejected.
>
> No other server can do better than this.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

attr_filter: Matched entry jrs at line 74
modcall[pre-proxy]: module "attr_filter.pre-proxy" returns updated for request 13
radius_xlat: '/usr/local/freeradius/var/log//20070410/pre-proxy-detail'
rlm_detail: /usr/local/freeradius/var/log//%Y%m%d/pre-proxy-detail expands to /usr/local/freeradius/var/log//20070410/pre-proxy-detail
radius_xlat: 'Tue Apr 10 14:06:34 2007'
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 13
modcall: group pre-proxy returns updated for request 13
Sending Access-Request of id 122 to 194.83.56.249 port 1812
	Service-Type := Authenticate-Only
	User-Name = "[EMAIL PROTECTED]"
	NAS-IP-Address = 139.184.8.1
	Proxy-State = 0x313239
Proxying request 13 to realm jrs, home server 194.83.56.249 port 1812
Sending Access-Request of id 122 to 194.83.56.249 port 1812
	Service-Type := Authenticate-Only
	User-Name = "[EMAIL PROTECTED]"
	NAS-IP-Address = 139.184.8.1
	Proxy-State = 0x313239
Going to the next request
Cleaning up request 9 ID 125 with timestamp +60
Cleaning up request 10 ID 126 with timestamp +61
Cleaning up request 11 ID 127 with timestamp +62
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
Sending duplicate proxied request to home server 194.83.56.249 port 1812 - ID: 122
Sending Access-Request of id 122 to 194.83.56.249 port 1812
	Service-Type := Authenticate-Only
	User-Name = "[EMAIL PROTECTED]"
	NAS-IP-Address = 139.184.8.1
	Proxy-State = 0x313239
Waking up in 1 seconds...
Cleaning up request 12 ID 128 with timestamp +63
Waking up in 15 seconds...
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
Sending duplicate proxied request to home server 194.83.56.249 port 1812 - ID: 122
Sending Access-Request of id 122 to 194.83.56.249 port 1812
	Service-Type := Authenticate-Only
	User-Name = "[EMAIL PROTECTED]"
	NAS-IP-Address = 139.184.8.1
	Proxy-State = 0x313239
Waking up in 13 seconds...
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
Sending duplicate proxied request to home server 194.83.56.249 port 1812 - ID: 122
Sending Access-Request of id 122 to 194.83.56.249 port 1812
	Service-Type := Authenticate-Only
	User-Name = "[EMAIL PROTECTED]"
	NAS-IP-Address = 139.184.8.1
	Proxy-State = 0x313239
Waking up in 10 seconds...
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
FAILURE: Home server 194.83.56.249 port 1812 is dead.
RETRY: Proxying request 13 to different home server 194.82.174.185 port 1812
Sending Access-Request of id 8 to 194.82.174.185 port 1812
	Service-Type := Authenticate-Only
	User-Name = "[EMAIL PROTECTED]"
	NAS-IP-Address = 139.184.8.1
	Proxy-State = 0x313239
Waking up in 7 seconds...
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
RETRY: Proxying request 13 to different home server 194.82.174.185 port 1812
Sending Access-Request of id 179 to 194.82.174.185 port 1812
	Service-Type := Authenticate-Only
	User-Name = "[EMAIL PROTECTED]"
	NAS-IP-Address = 139.184.8.1
	Proxy-State = 0x313239
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
radiusd(24731) malloc: *** Deallocation of a pointer not malloced: 0x5d4e80; This could b
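Picking the failover transitions out of debug output like the above by hand is tedious when the NAS is retransmitting every few seconds. The following Python script is an added example, not code from the FreeRADIUS project or from anyone in this thread: it scans radiusd -X output for the "is dead", RETRY and duplicate-proxied-request lines, counts what went to each home server, and flags any Access-Request sent to a server after its death line, which is the 1.x behaviour Alan describes. The log lines embedded in it are constructed after the ones quoted above; addresses and request IDs are illustrative, and the second sample exists only to exercise the check.

```python
"""Summarise home-server failover activity in FreeRADIUS proxy debug output.

Added example for this thread; not part of FreeRADIUS. The sample log text
below is constructed after the radiusd -X output quoted on the list.
"""
import re
from collections import Counter

# Constructed sample: the NAS retransmits id=129 while the proxy keeps
# re-sending proxied ID 122 to a home server that never answers; the server
# is then declared dead and request 13 is moved to a second home server.
SAMPLE_LOG = """\
Proxying request 13 to realm jrs, home server 194.83.56.249 port 1812
Sending Access-Request of id 122 to 194.83.56.249 port 1812
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
Sending duplicate proxied request to home server 194.83.56.249 port 1812 - ID: 122
Sending Access-Request of id 122 to 194.83.56.249 port 1812
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
Sending duplicate proxied request to home server 194.83.56.249 port 1812 - ID: 122
Sending Access-Request of id 122 to 194.83.56.249 port 1812
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
FAILURE: Home server 194.83.56.249 port 1812 is dead.
RETRY: Proxying request 13 to different home server 194.82.174.185 port 1812
Sending Access-Request of id 8 to 194.82.174.185 port 1812
rad_recv: Access-Request packet from host 81.6.252.244 port 3341, id=129, length=72
RETRY: Proxying request 13 to different home server 194.82.174.185 port 1812
Sending Access-Request of id 179 to 194.82.174.185 port 1812
"""

# Constructed purely to exercise the "sent to a dead server" check; it is
# not a claim about what any FreeRADIUS version actually prints.
STUCK_ON_DEAD_LOG = """\
Sending Access-Request of id 122 to 194.83.56.249 port 1812
FAILURE: Home server 194.83.56.249 port 1812 is dead.
Sending Access-Request of id 122 to 194.83.56.249 port 1812
"""

DEAD_RE = re.compile(r"^FAILURE: Home server (\S+) port (\d+) is dead\.")
RETRY_RE = re.compile(r"^RETRY: Proxying request (\d+) to different home server (\S+) port (\d+)")
DUP_RE = re.compile(r"^Sending duplicate proxied request to home server (\S+) port (\d+) - ID: (\d+)")
SEND_RE = re.compile(r"^Sending Access-Request of id (\d+) to (\S+) port (\d+)")


def analyse(log_text):
    """Return a summary dict of failover activity in one stretch of debug output."""
    dead = []                 # (host, port) declared dead, in order of appearance
    retries = []              # (request, host, port) for each RETRY line
    duplicates = Counter()    # duplicate proxied re-sends per home server
    sends = Counter()         # Access-Requests sent per home server
    sends_after_death = 0     # packets sent to a server already declared dead
    for line in log_text.splitlines():
        m = DEAD_RE.match(line)
        if m:
            dead.append((m.group(1), int(m.group(2))))
            continue
        m = RETRY_RE.match(line)
        if m:
            retries.append((int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = DUP_RE.match(line)
        if m:
            duplicates[(m.group(1), int(m.group(2)))] += 1
            continue
        m = SEND_RE.match(line)
        if m:
            server = (m.group(2), int(m.group(3)))
            sends[server] += 1
            if server in dead:
                sends_after_death += 1
    return {"dead": dead, "retries": retries, "duplicates": duplicates,
            "sends": sends, "sends_after_death": sends_after_death}


def report(summary):
    """Render a summary as human-readable lines."""
    lines = []
    for host, port in summary["dead"]:
        lines.append(f"home server {host}:{port} declared dead after "
                     f"{summary['duplicates'][(host, port)]} duplicate re-sends")
    for req, host, port in summary["retries"]:
        lines.append(f"request {req} re-proxied to {host}:{port}")
    if summary["sends_after_death"]:
        lines.append(f"WARNING: {summary['sends_after_death']} packet(s) sent to a dead server")
    return lines


if __name__ == "__main__":
    for text in (SAMPLE_LOG, STUCK_ON_DEAD_LOG):
        for line in report(analyse(text)):
            print(line)
        print("--")
```

Two RETRY lines for the same request, as in the sample, mean the replacement home server has not answered either; a non-zero sends_after_death is the symptom worth alerting on, since it is exactly what the new proxy code is meant to eliminate.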
Re: Alternate proxying methods.
Arran Cudbard-Bell wrote:
> Ah but this would send all the accounting data out to the jrs proxies,
> for which jrs might not look on us too kindly. Only a relatively small
> amount of accounting data would actually need to go off site... for users
> from other institutions using our wireless APs but authenticating back at
> their home institutions.
>
> The advantage of using a 'replicate-to-realm' like feature is that you
> can filter the data being replicated, and direct it to the proper home servers.

You can configure the detail module in an "Acct-Type" section, and control which packets get logged.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 2.0 is a lot closer to reality...
Alan DeKok wrote: > I've just committed massive changes to the server core. The "diff" is > about 3k lines, and doesn't include deleted or added files. More code changes today: Multiple requests are proxied to a home server. If the home server is marked dead while the NAS is retransmitting the packets, the current code (1.x) keeps sending the retransmissions to the dead home server. In the CVS head, it now discovers that the home server is dead, and picks a live one from the appropriate server_pool. When coupled with the support for checking if a dead home server has come back to life, the server should be MUCH more robust in the event of home server failure. i.e. With the current code, many proxied requests can get rejected, even if there is a home server for the realm that is live. With the new code, all possible efforts are made to minimize the number of requests that get rejected. No other server can do better than this. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with mschap, ntlm_auth and a conditional syntax
Lukasz Lacinski wrote: > Below is my previous e-mail, but with output from freeradius in format easier > to read. > > I use ntlm_auth in mschapv2 (freeradius 20070409) by the following line in > radiusd.conf: > ntlm_auth = "/usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key > --username=%{Stripped-User-Name:-%{User-Name:-None}} > --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" I've committed a fix to CVS head. Please re-test. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Alternate proxying methods.
> > There was an implementation of it in 0.1 or 0.2, but it was removed
> > because it caused a great many problems in the server core.
>
I had a feeling it might be that; it seems it would break with the rather linear flow of freeradius.

>> I had assumed that it would copy the incoming packet to the realm specified
>> but also continue processing locally. This would really only be of use
>> for accounting packets.
>>
>
> Yes. The suggestion now is to use "radrelay". It's more work, but it
> does the same thing.
>
*looks at man page* yes, that'd do it!

Ah, but this would send all the accounting data out to the jrs proxies, for which jrs might not look on us too kindly. Only a relatively small amount of accounting data would actually need to go off site... for users from other institutions using our wireless APs but authenticating back at their home institutions.

The advantage of using a 'replicate-to-realm' like feature is that you can filter the data being replicated, and direct it to the proper home servers.

I was considering setting up an exec instance pointing to a shell script which would forward the data via radclient.

> I *think* in 2.0 we can get radrelay to duplicate the functionality of
> Replicate-To-Realm without too much effort, but I'll have to spend some
> more time looking into it.
>
Yeah, that would be cool; then you could synchronize all your accounting data with multiple off/on-site radius servers. Especially good for people relying on flat files as opposed to SQL databases.

>> Yes so the actual function is fine, it's just the terminology. A more
>> accurate name might be 'Assign-To-Realm', and then once it's been
>> 'assigned' the internet logic of the realm
>> will decide where it's actually proxied to.
>>
*internal logic I swear my spell checker hates me.

Thanks,
Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius mssql problem
Dear all,

I have many times posted a question about freeradius with mssql but I didn't get any satisfactory answer, so I am again going to explain my problem. I have freeradius version 1.1.0 running with mssql on windows, and the problem is the acct-stop packet. I have a cisco NAS with vpdn configuration; users log in and the start record is updated, but sometimes, when everything is running and my radius goes down due to power failure (my sql is on UPS), when I restart my radius and run radutmp there is a list of users, but in the cisco router there is no one. Now when users try to login they get the error "max 1 login". I got it: this is the error of radutmp. Now I delete this file and users are again able to login, but for some users the stop accounting record is not updated, so I get this error:

Mon Mar 12 14:55:43 2007 : Error: rlm_sql (sql): Couldn't insert SQL accounting STOP record - 0
Mon Mar 12 14:55:48 2007 : Error: rlm_sql_unixodbc: '22007 [unixODBC][FreeTDS][SQL Server]Syntax error converting datetime from character string.'
Mon Mar 12 14:55:48 2007 : Error: rlm_sql (sql): Couldn't insert SQL accounting STOP record - 0
Mon Mar 12 14:55:53 2007 : Error: rlm_sql_unixodbc: '22007 [unixODBC][FreeTDS][SQL Server]Syntax error converting datetime from character string.'
Mon Mar 12 14:55:53 2007 : Error: rlm_sql (sql): Couldn't insert SQL accounting STOP record - 0

Is there any solution for this type of error?

$ cat ~/satish/url.txt
System administrator ( Data Center ) please visit this site http://linux.tulipit.com
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with samba domain and port-access
Christian Hohmann wrote:
> Now the Problem: Some workstations are added to a samba managed domain and can only login on the samba service.
> It seems to me, that the winxpsp2 supplicant first wants to authenticate at
> the samba server. But the switch doesn't allow the connection, because the
> port is closed until the eap-authentication is handled.

The machines also need to log in using EAP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradiusd segfaulting on HUP (check_crl enabled)
Hi,

I'll describe the problem as it appears from my side: a radiusd server with EAP-TLS and certificate revocation list implemented; the server also logs to a remote mysql server. The CRL is updated at least twice a day, so the requirement is to reload the list with a minimum downtime. As a side note, the large number of mysql connections and max requests you see is there for a stress test, which isn't being performed right now.

Sending a SIGHUP invariably segfaults the radiusd process (using debug_level=2 improves things a little when running in debug mode, otherwise radiusd won't even attempt to reload the clients).

This test has been run as follows (secrets removed):

eap.conf configured as:

	#password not displayed here
	private_key_file = ${raddbdir}/certs/newkey.pem
	certificate_file = ${raddbdir}/certs/newserv.pem
	CA_file = ${raddbdir}/certs/crl/root.pem
	CA_path = ${raddbdir}/certs/crl
	dh_file = ${raddbdir}/certs/dh
	random_file = ${raddbdir}/certs/random
	check_cert_cn = %{User-Name}
	check_crl = yes

latest (today's freeradius-server-snapshot-20070410) freeradius CVS snapshot compiled against the latest openssl shared libraries, as you can see below:

[EMAIL PROTECTED] freeradius-server-snapshot-20070410]# openssl version
OpenSSL 0.9.8e 23 Feb 2007
[EMAIL PROTECTED] freeradius-server-snapshot-20070410]# vi /usr/local/etc/raddb/radiusd.conf
#added the debug_level=2 line...
#let's rock:
#note similar segfaults occur when using other freeradius versions, like those officially available to RHEL4 and 5 distros (RHAS4 and 5 too...)
#Output follows:
[EMAIL PROTECTED] freeradius-server-snapshot-20070410]# radiusd -X &
[1] 17825
[EMAIL PROTECTED] freeradius-server-snapshot-20070410]# Config: including file: /usr/local/etc/raddb/radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
Config: including file: /usr/local/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Apr 10 2007 at 11:00:16
Starting - reading configuration files ...
read_config_files: reading dictionary
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 65536
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: checkrad = "/usr/local/sbin/checkrad"
main: debug_level = 2
main: proxy_requests = no
log: syslog_facility = "daemon"
proxy server: retry_delay = 5
proxy server: retry_count = 3
proxy server: default_fallback = yes
proxy server: dead_time = 120
proxy server: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
realm LOCAL: ldflag = fail_over
realm .**: nostrip
realm .**: ldflag = fail_over
realm ..**: nostrip
realm ..**: ldflag = fail_over
realm ..**: nostrip
realm ..**: ldflag = fail_over
main: port = 1812
listen: type = "auth"
listen: ipaddr = *
listen: port = 0
listen: type = "acct"
listen: ipaddr = *
listen: port = 0
client 127.0.0.1: secret = "testing123"
client 127.0.0.1: shortname = "localhost"
client 127.0.0.1: nastype = "other"
LIST OF OTHER CLIENTS AND SECRETS REMOVED
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
modules: Not loading pre-proxy{} section
modules: Not loading post-proxy{} section
Module: Loaded exec
exec: wait = yes
exec: input_pairs = "request"
exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
expiration: reply-message = "Password Has Expired "
Module: Instantiated expiration (expiration)
Module: Loaded logintime
logintime: reply-message = "You are calling outside your allowed timespan "
logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
pap: encryption_scheme = "auto"
pap: auto_header = no
Modul
RE: Very Newbie question
Something like that. You can check what you are receiving as Calling-Station-Id for the second group in debug mode (radiusd -X). Normally it is a phone number or MAC address. And watch out for the syntax: Calling-Station-Id should be a check item, so it should go on the first line. Syntax is:

Username	check1, check2, ..., checklast   ***no comma at the end of this line
	reply1, reply2, ..., replylast   ***no comma at the end of this line

This should work without setting Auth-Type as well. The server can find the correct one on its own.

Ivan Kalik
Kalik Informatika ISP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antuan Avdioukhine
Sent: 10 April 2007 09:10
To: FreeRadius users mailing list
Subject: Re: Very Newbie question

On Mon, Mar 26, 2007 at 09:23:49PM +0100, [EMAIL PROTECTED] wrote:

Did I understand you correctly? After discovering documentation and reading this mailing list I guess that you mean something like this:

For 2nd category I'm using entries in 'users' file something about:

internal	Auth-type := Local, Calling-Station-Id == 'async/1234', ...

For 3rd category I'm using traditional entries like:

user1	Auth-Type := Local, User-Password == 'blabla', ...

Am I right?

> Best (read: simplest) thing to do is NOT to let second group use any
> username and password. Have them all use the same one (for instance
> username: local; password: local). Then just add Calling-Station-Id as
> a check item for that user. If you need to limit the number of such
> users on-line you can set Simultaneous-Use to 10 or 100 or whatever
> number, and only so many will be able to connect at the same time.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 26/3/2007, "Antuan Avdioukhine" <[EMAIL PROTECTED]> wrote:
>
> >Greetings!
> >
> >I'm very new to FreeRadius software. Now I have to set up a
> >FreeRadius server for dialup users billing. We have three categories
> >of dialup
> >users:
> >
> >1. Traditional users, who authenticate themselves with login and
> >password; some of them must have fixed IP.
> >
> >2. Internal telephony network users, who have no registered login
> >name (may authenticate with any login/password pairs); server must
> >check caller-id of such users (which is substituted to fixed one using
> >our phone station magic) as a part of authorization procedure.
> >Accounting will be performed as a paid telephone call, no radius
> >accounting will be performed.
> >
> >3. Small group of users (about 10 ones) which passes by accounting
> >schemes (administrators).
> >
> >For authentication, authorization and accounting of first category
> >users custom rlm by billing software vendor will be used.
> >
> >For third category users I'm planning to use users.conf.
> >
> >Now -- two questions.
> >
> >1. Which authorization method should I use for second category users?
> >Obviously I should use rlm_perl, but it seems to me quite unpractical
> >to use perl for just compare one attribute with single string
> >constant.
> >
> >2. Second category users call most frequently, while third category
> >users call very rarely (about 2-3 calls per week). Is it significant
> >during FR setup?

--
Antuan Avdioukhine (DEKA-RIPE).
Convey Plus Telecommunications
St.Petersburg, Russia.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
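The layout rules Ivan spells out (check items on the first line after the username, reply items on the following indented lines, no comma after the last item of either part) are easy to get wrong in a hand-edited file, and a misplaced Calling-Station-Id silently becomes a reply attribute instead of a check. The following Python linter is an added example, not part of this thread or of the FreeRADIUS project: it parses a few constructed sample entries and reports trailing commas, a missing continuation comma, and check items that have strayed into the reply lines. The set of check-only attributes it knows is just the ones named in this thread, and it assumes attribute values contain no commas.

```python
"""Lint FreeRADIUS 'users' file entries against the layout rules above.

Added example for this thread; not FreeRADIUS code. The sample entries are
constructed, and CHECK_ONLY lists only the attributes this thread names.
"""
import re

# Attributes the thread treats as check items: they belong on the first
# line of an entry, never in the reply lines.
CHECK_ONLY = {"Auth-Type", "User-Password", "Calling-Station-Id", "Simultaneous-Use"}

# Attribute, operator, value.  '==' and ':=' are listed before '=' so the
# alternation picks the longest operator first.
ITEM_RE = re.compile(r'^([A-Za-z0-9-]+)\s*(==|:=|!=|>=|<=|=~|!~|\+=|=|>|<)\s*(.+)$')

# Constructed sample: one correct entry followed by two broken ones.
SAMPLE_USERS = """\
# constructed example: one correct entry, two broken ones
local\tAuth-Type := Local, User-Password == "local", Calling-Station-Id == "async/1234", Simultaneous-Use := 10
\tService-Type = Framed-User,
\tFramed-Protocol = PPP

admin1\tAuth-Type := Local, User-Password == "blabla",
\tFramed-IP-Address = 192.0.2.10

phone2\tAuth-Type := Local
\tCalling-Station-Id == "async/5678",
\tFramed-Protocol = PPP,
"""


def parse_entries(text):
    """Group lines into (name, check_line, [reply_lines]) tuples.

    An entry starts at a non-indented line; indented lines continue it.
    Blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if entries:
                entries[-1][2].append(raw.strip())
            continue
        name, _, checks = raw.partition("\t") if "\t" in raw else raw.partition(" ")
        entries.append((name, checks.strip(), []))
    return entries


def split_items(line):
    """Split 'a = 1, b = 2,' into items; assumes no commas inside values."""
    return [p.strip() for p in line.rstrip(",").split(",") if p.strip()]


def lint_users(text):
    """Return a list of (entry name, problem) pairs; an empty list means clean."""
    problems = []
    for name, check_line, replies in parse_entries(text):
        if check_line.endswith(","):
            problems.append((name, "check line ends with a comma"))
        for item in split_items(check_line):
            if not ITEM_RE.match(item):
                problems.append((name, "unparseable check item: " + item))
        for i, line in enumerate(replies):
            last = i == len(replies) - 1
            if last and line.endswith(","):
                problems.append((name, "last reply line ends with a comma"))
            if not last and not line.endswith(","):
                problems.append((name, "reply line is missing its trailing comma: " + line))
            for item in split_items(line):
                m = ITEM_RE.match(item)
                if not m:
                    problems.append((name, "unparseable reply item: " + item))
                    continue
                attr, op, _ = m.groups()
                # A check-only attribute, or a comparison operator, has no
                # business in the reply part of an entry.
                if attr in CHECK_ONLY or op == "==":
                    problems.append((name, "check item in reply section: " + item))
    return problems


if __name__ == "__main__":
    for entry, problem in lint_users(SAMPLE_USERS):
        print(f"{entry}: {problem}")
```

Run it against a real users file by reading the file into lint_users(); the three findings on the sample are the trailing comma on admin1's check line, the Calling-Station-Id that phone2 has on a reply line, and the comma after phone2's last reply item.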
freeradius with samba domain and port-access
Dear List-Members,

I'm trying to set up port access control using freeradius, but I can't succeed so far. I'm looking for a solution fitting the following points: port authentication through an hp switch, dynamic vlan assignment by the freeradius server.

I solved the problem for clients that have a local account. The freeradius deals with peap + mschapv2 and the passwords are located in the users file. Later the smbpasswd file should be used. The switch is configured for port-access-authentication and the ports are closed until the supplicant has authenticated correctly. The winxpsp2 clients are configured to use their login names and password for authentication.

Now the problem: some workstations are added to a samba managed domain and can only login on the samba service. It seems to me that the winxpsp2 supplicant first wants to authenticate at the samba server. But the switch doesn't allow the connection, because the port is closed until the eap-authentication is handled.

I really hope that you can give me a hint.

Regards - Christian
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Very Newbie question
On Mon, Mar 26, 2007 at 09:23:49PM +0100, [EMAIL PROTECTED] wrote:

Did I understand you correctly? After discovering documentation and reading this mailing list I guess that you mean something like this:

For 2nd category I'm using entries in 'users' file something about:

internal	Auth-type := Local, Calling-Station-Id == 'async/1234', ...

For 3rd category I'm using traditional entries like:

user1	Auth-Type := Local, User-Password == 'blabla', ...

Am I right?

> Best (read: simplest) thing to do is NOT to let second group use any
> username and password. Have them all use the same one (for instance
> username: local; password: local). Then just add Calling-Station-Id as a
> check item for that user. If you need to limit the number of such users
> on-line you can set Simultaneous-Use to 10 or 100 or whatever number,
> and only so many will be able to connect at the same time.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 26/3/2007, "Antuan Avdioukhine" <[EMAIL PROTECTED]> wrote:
>
> >Greetings!
> >
> >I'm very new to FreeRadius software. Now I have to set up a FreeRadius
> >server for dialup users billing. We have three categories of dialup
> >users:
> >
> >1. Traditional users, who authenticate themselves with login and
> >password; some of them must have fixed IP.
> >
> >2. Internal telephony network users, who have no registered login name
> >(may authenticate with any login/password pairs); server must check
> >caller-id of such users (which is substituted to fixed one using our
> >phone station magic) as a part of authorization procedure. Accounting
> >will be performed as a paid telephone call, no radius accounting will
> >be performed.
> >
> >3. Small group of users (about 10 ones) which passes by accounting
> >schemes (administrators).
> >
> >For authentication, authorization and accounting of first category users
> >custom rlm by billing software vendor will be used.
> >
> >For third category users I'm planning to use users.conf.
> >
> >Now -- two questions.
> >
> >1. Which authorization method should I use for second category users?
> >Obviously I should use rlm_perl, but it seems to me quite unpractical to
> >use perl for just compare one attribute with single string constant.
> >
> >2. Second category users call most frequently, while third category
> >users call very rarely (about 2-3 calls per week). Is it significant
> >during FR setup?

--
Antuan Avdioukhine (DEKA-RIPE).
Convey Plus Telecommunications
St.Petersburg, Russia.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html