Re: Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Fails on Fedora 6 + debug info
Might buy that book, thanks for the reply Alan.

I have also posted the same q to the openldap mailing list so I hope to get some info from those people.

It's just quite frustrating, the govt has said we can only do it this 1 way (but they themselves have never done it) and I can't find any good docs/howtos that cover what I need in detail. All the howtos assume ldap communication works flawlessly 1st go but unfortunately it's definitely not the situation.

Thanks again Alan, going to make a call about the ldap book.

On 4/18/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jacob Jarick wrote:
> > "ldapadd -d9 -x -D "cn=Manager,dc=tfxschool,dc=internal" -W -f
> > /etc/openldap/tfxschool.internal.ldif" -> http://pastebin.ca/445899
> >...
> > It seems to be similar if not the same problem I am having with FR
> > refusing to auth via ldap to our ADS server. I am stuck though I have
> > no idea how to resolve this error and unfortunately the howto assumes
> > it just works.
> >
> > Google suggests that it may be the result of my domain string
> > dc=tfxschool,dc=interternal, which looks correct to me. Our test
> > domain is tfxschool.internal . any help / suggestions/ insight would
> > be greatly appreciated.
>
> This is really an LDAP question. If you can't use LDAP tools to login
> to the LDAP server, you won't be able to use the same configuration in
> FreeRADIUS.
>
> Unfortunately, I don't use LDAP, so I can't help you here. The few
> times I have used it, I follow the O'Reilly LDAP book, and it works for me.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Fails on Fedora 6 + debug info
Jacob Jarick wrote:
> "ldapadd -d9 -x -D "cn=Manager,dc=tfxschool,dc=internal" -W -f
> /etc/openldap/tfxschool.internal.ldif" -> http://pastebin.ca/445899
>...
> It seems to be similar if not the same problem I am having with FR
> refusing to auth via ldap to our ADS server. I am stuck though I have
> no idea how to resolve this error and unfortunately the howto assumes
> it just works.
>
> Google suggests that it may be the result of my domain string
> dc=tfxschool,dc=interternal, which looks correct to me. Our test
> domain is tfxschool.internal . any help / suggestions/ insight would
> be greatly appreciated.

This is really an LDAP question. If you can't use LDAP tools to login to the LDAP server, you won't be able to use the same configuration in FreeRADIUS.

Unfortunately, I don't use LDAP, so I can't help you here. The few times I have used it, I follow the O'Reilly LDAP book, and it works for me.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Fails on Fedora 6 + debug info
Just added debug output to help.

Fedora 6, openldap rpms installed via smart package manager.

slapd.conf: http://pastebin.ca/445851
tfxschool.internal.lidf: http://pastebin.ca/445852
root.ldif: http://pastebin.ca/445854
ldapusers.ldif: http://pastebin.ca/445855
"ldapadd -d9 -x -D "cn=Manager,dc=tfxschool,dc=internal" -W -f /etc/openldap/tfxschool.internal.ldif" -> http://pastebin.ca/445899

I decided to try setting up openldap in hopes of learning more about my error. I followed this howto http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS step by step and rechecked all configs etc when I got the following error.

[EMAIL PROTECTED] ~]# ldapadd -x -D "cn=Manager,dc=tfxschool,dc=internal" -W -f /etc/openldap/tfxschool.internal.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

It seems to be similar if not the same problem I am having with FR refusing to auth via ldap to our ADS server. I am stuck though I have no idea how to resolve this error and unfortunately the howto assumes it just works.

Google suggests that it may be the result of my domain string dc=tfxschool,dc=interternal, which looks correct to me. Our test domain is tfxschool.internal . any help / suggestions/ insight would be greatly appreciated.

Thanks.
Re: Technical support
step 1 for me is to get radius to auth against ADS via ldap (I got ntlm working fine).

Unfortunately because this job is contracted by the govt it has to be done their specific way every step which means freeradius HAS TO auth against a 2003 ADS via LDAP.

Unfortunately I cannot give out access to my work test pc's due to security restrictions out of my control (I could but then I'd be in trouble).

What would your asking price be for a working FR 1.1.6 config that can auth against 2003 ADS using LDAP?

Regarding VLANS, I need users with a GID of students to be put onto vlan2 and users with GID staff to be put onto vlan3

On 4/18/07, Alex M <[EMAIL PROTECTED]> wrote:
> Well we are in New York. So the only way we can help you is to do SSH.
> Technically LDAP should work straight forward, unless your DC does not want
> to accept connections from remote PC and especially Linux. We don't use
> Windows in our company any more, but I can set up DC and see if my radius can
> access it and then just send you config file. As to VLANS, I'm not sure what
> u looking for, if you wanna do something like separation of Ethernet channels
> for Ethernet service provider then it should be done by your NAS if that is
> supported. I would assume your NAS should be listening for some custom
> attribute to assign vlan tag to specific user group.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Tuesday, April 17, 2007 10:52 PM
> To: FreeRadius users mailing list
> Subject: Re: Technical support
>
> I am In Western Australia Perth.
>
> Currently having major issues with ldap authentication (done correctly
> as far as I can tell but I don't get replies from forums / mailing
> groups) and once that is sorted I need to figure out vlan assignment
> based on ou or group.
>
> On 4/18/07, Alex M <[EMAIL PROTECTED]> wrote:
> > What's your location?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> > Sent: Tuesday, April 17, 2007 10:25 PM
> > To: FreeRadius users mailing list
> > Subject: Technical support
> >
> > Hello, I'm looking for a company that can provide professional level of
> > technical support.
> >
> > If any one here can recommend one I would appreciate it.
> >
> > I am after technical support, due to lack of good documentation on the
> > freeradius project. Most the stuff I need done has only incomplete
> > docs.
RE: Technical support
Well we are in New York. So the only way we can help you is to do SSH. Technically LDAP should work straight forward, unless your DC does not want to accept connections from remote PC and especially Linux. We don't use Windows in our company any more, but I can set up DC and see if my radius can access it and then just send you config file.

As to VLANS, I'm not sure what u looking for, if you wanna do something like separation of Ethernet channels for Ethernet service provider then it should be done by your NAS if that is supported. I would assume your NAS should be listening for some custom attribute to assign vlan tag to specific user group.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:52 PM
To: FreeRadius users mailing list
Subject: Re: Technical support

I am In Western Australia Perth.

Currently having major issues with ldap authentication (done correctly as far as I can tell but I don't get replies from forums / mailing groups) and once that is sorted I need to figure out vlan assignment based on ou or group.

On 4/18/07, Alex M <[EMAIL PROTECTED]> wrote:
> What's your location?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Tuesday, April 17, 2007 10:25 PM
> To: FreeRadius users mailing list
> Subject: Technical support
>
> Hello, I'm looking for a company that can provide professional level of
> technical support.
>
> If any one here can recommend one I would appreciate it.
>
> I am after technical support, due to lack of good documentation on the
> freeradius project. Most the stuff I need done has only incomplete
> docs.
Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Fails on Fedora 6
Fedora 6, openldap rpms installed via smart package manager.

slapd.conf: http://pastebin.ca/445851
tfxschool.internal.lidf: http://pastebin.ca/445852
root.ldif: http://pastebin.ca/445854
ldapusers.ldif: http://pastebin.ca/445855

I decided to try setting up openldap in hopes of learning more about my error. I followed this howto http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS step by step and rechecked all configs etc when I got the following error.

[EMAIL PROTECTED] ~]# ldapadd -x -D "cn=Manager,dc=tfxschool,dc=internal" -W -f /etc/openldap/tfxschool.internal.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

It seems to be similar if not the same problem I am having with FR refusing to auth via ldap to our ADS server. I am stuck though I have no idea how to resolve this error and unfortunately the howto assumes it just works.

Google suggests that it may be the result of my domain string dc=tfxschool,dc=interternal, which looks correct to me. Our test domain is tfxschool.internal . any help / suggestions/ insight would be greatly appreciated.

Thanks.
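The "additional info" string in the ldap_bind error above uses Active Directory's bind-failure diagnostic format, in which the "data" field is a hexadecimal Win32 logon error. The Python below is an added example, not part of the original thread and not FreeRADIUS or OpenLDAP code; the function names, the identity/password/account categories and the constructed sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Hex Win32 logon errors that Active Directory places in the "data" field of
# a failed LDAP bind (LDAP result code 49, invalidCredentials).
AD_BIND_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", "bind identity not found in the directory"),
    0x52E: ("ERROR_LOGON_FAILURE", "identity exists, password is wrong"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "logon not permitted from this host"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "password must change at next logon"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}


class ADBindError(NamedTuple):
    dsid: str      # AD-internal source location, e.g. DSID-0C090334
    comment: str   # e.g. "AcceptSecurityContext error"
    subcode: int   # the "data" field, parsed as hexadecimal
    name: str      # Win32 constant name, or "UNKNOWN"
    meaning: str


_DIAG = re.compile(
    r"LdapErr:\s*(?P<dsid>DSID-[0-9A-Fa-f]+),\s*comment:\s*(?P<comment>.*?),"
    r"\s*data\s+(?P<data>[0-9A-Fa-f]+)\b"
)


def parse_ad_bind_error(text: str) -> Optional[ADBindError]:
    """Return the decoded AD diagnostic found in text, or None if absent."""
    m = _DIAG.search(text)
    if m is None:
        return None
    subcode = int(m.group("data"), 16)
    name, meaning = AD_BIND_SUBCODES.get(
        subcode, ("UNKNOWN", "sub-code not in table"))
    return ADBindError(m.group("dsid"), m.group("comment"),
                       subcode, name, meaning)


def setting_to_check(err: ADBindError) -> str:
    """Map a sub-code to the side of the bind to look at (hypothetical labels)."""
    if err.subcode == 0x525:
        return "identity"  # the bind DN or user name matches no account
    if err.subcode == 0x52E:
        return "password"  # account found, secret rejected
    if err.name == "UNKNOWN":
        return "unknown"
    return "account"       # account state (expired, disabled, locked) blocks logon


def summarise(lines: Iterable[str]) -> Counter:
    """Count bind failures per category; lines without a diagnostic are skipped."""
    counts: Counter = Counter()
    for line in lines:
        err = parse_ad_bind_error(line)
        if err is not None:
            counts[setting_to_check(err)] += 1
    return counts


# The first line is the diagnostic quoted in the thread. The next two are
# constructed variants of it, and the last is a bind error with no diagnostic.
SAMPLE_LINES = [
    "additional info: 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 525, vece",
    "additional info: 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 52e, vece",
    "additional info: 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 775, vece",
    "ldap_bind: Invalid credentials (49)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        err = parse_ad_bind_error(line)
        if err is not None:
            print(f"data {err.subcode:x}: {err.name} ({err.meaning}) "
                  f"-> check {setting_to_check(err)}")
    print(dict(summarise(SAMPLE_LINES)))
```

Run over directory or RADIUS debug logs, the per-category counts separate binds that fail on an unknown identity from binds that fail on a wrong password or a locked account.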
Re: Technical support
I am In Western Australia Perth.

Currently having major issues with ldap authentication (done correctly as far as I can tell but I don't get replies from forums / mailing groups) and once that is sorted I need to figure out vlan assignment based on ou or group.

On 4/18/07, Alex M <[EMAIL PROTECTED]> wrote:
> What's your location?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Tuesday, April 17, 2007 10:25 PM
> To: FreeRadius users mailing list
> Subject: Technical support
>
> Hello, I'm looking for a company that can provide professional level of
> technical support.
>
> If any one here can recommend one I would appreciate it.
>
> I am after technical support, due to lack of good documentation on the
> freeradius project. Most the stuff I need done has only incomplete
> docs.
RE: Technical support
What's your location?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:25 PM
To: FreeRadius users mailing list
Subject: Technical support

Hello, I'm looking for a company that can provide professional level of technical support.

If any one here can recommend one I would appreciate it.

I am after technical support, due to lack of good documentation on the freeradius project. Most the stuff I need done has only incomplete docs.
Technical support
Hello, I'm looking for a company that can provide professional level of technical support.

If any one here can recommend one I would appreciate it.

I am after technical support, due to lack of good documentation on the freeradius project. Most the stuff I need done has only incomplete docs.
Fwd: Help stuck on error: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
I am still stuck on this problem, HELP PLEASE.

I have 4 questions atm,

1 Does the password need to be encrypted before being pasted to the config file.
2 Is it necessary to configure the ldap client files.
3 Can you auth against ADS using LDAP without a password ?
4 If radiusd runs a command when auth'ing against ADS what is the command so I might test it.

I'd really appreciate any info at all, Thanks guys.

-- Forwarded message --
From: Jacob Jarick <[EMAIL PROTECTED]>
Date: Apr 17, 2007 4:55 PM
Subject: Help stuck on error: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
To: FreeRadius users mailing list

radiusd -X -A output: http://pastebin.ca/444201
radiusd.conf: http://pastebin.ca/444205

I am slowly setting up FR to work with ADS, I had ntlm_auth working fine but have been requested to swap to ldap

my current freeradius user is \admins\radius\freeradius

admins being an organisational unit, radius being an ou inside admins.

I get this error when freeradius tries to confirm the user/passwd against the ADS.

"rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf"
Re: FR + openldap + WPA, auth fails
> Can you post the errors?
>
> I haven't used 1.0.1 in *years*, so I have no idea what may or may not
> work when upgrading from 1.0.1 to 1.1.6.

Should have mentioned that that's what RHEL4 ships.

--
matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
Re: FR + openldap + WPA, auth fails
Alan DeKok wrote:
> matthew zeier wrote:
>> I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is
>> that enough debug ?
>
> Yes.
>
>>> In 1.0.1, where are the passwords obtained from? LDAP? "users" file?
>> LDAP.
>
> The debug output doesn't reference LDAP. i.e. you moved only part of
> your configuration from 1.0.1 to 1.1.6. You missed configuring the
> "ldap" module, and missed uncommenting it in the "authorize" section of
> radiusd.conf.

Indeed - I uncommented it from the authorize section and it works now.

- mz

--
matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
Re: FR + openldap + WPA, auth fails
matthew zeier wrote:
> I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is
> that enough debug ?

Yes.

>> In 1.0.1, where are the passwords obtained from? LDAP? "users" file?
>
> LDAP.

The debug output doesn't reference LDAP. i.e. you moved only part of your configuration from 1.0.1 to 1.1.6. You missed configuring the "ldap" module, and missed uncommenting it in the "authorize" section of radiusd.conf.

> I said nearly the same config files because 1.1.6 choked on the
> 1.0.1 radiusd.conf

Can you post the errors?

I haven't used 1.0.1 in *years*, so I have no idea what may or may not work when upgrading from 1.0.1 to 1.1.6.

> and the only changes I made to the RHEL
> stock 1.0.1 radiusd.conf was for the LDAP settings. So for 1.1.6, I
> just added those in there.

It looks like you didn't uncomment "ldap", as noted above.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR + openldap + WPA, auth fails
Alan DeKok wrote:
> matthew zeier wrote:
>> With nearly the same config files as I had working on 1.0.1, I'm having
>> problems with 1.1.6 authenticating WPA users.
>
> See "man rlm_pap" in 1.1.6. That might help.
>
>> If there are other relevant files, let me know. Box is more or less a
>> stock RHEL4.
>
> Debug output?

I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is that enough debug ?

> In 1.0.1, where are the passwords obtained from? LDAP? "users" file?

LDAP.

I said nearly the same config files because 1.1.6 choked on the 1.0.1 radiusd.conf file and the only changes I made to the RHEL stock 1.0.1 radiusd.conf was for the LDAP settings. So for 1.1.6, I just added those in there.

If I revert to 1.0.1 (and move back my 1.0.1 radiusd.conf), WPA auth works fine.

--
matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
Re: FR + openldap + WPA, auth fails
matthew zeier wrote:
> With nearly the same config files as I had working on 1.0.1, I'm having
> problems with 1.1.6 authenticating WPA users.

See "man rlm_pap" in 1.1.6. That might help.

> If there are other relevant files, let me know. Box is more or less a
> stock RHEL4.

Debug output?

In 1.0.1, where are the passwords obtained from? LDAP? "users" file?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: compiling 1.1.6 on solaris problem
Norbert Wegener wrote:
> This leads to a related problem in another context:
> /root/freeradius-1.1.6/src/lib/.libs/libradius.so: undefined reference
> to [EMAIL PROTECTED]'

It looks like libradius is looking for "crypt", for reasons I don't understand.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Freeradius + 3Com switch 4500
> Has anyone a sample configuration of 3Com 4500 switch to work with
> Freeradius?

I :) I conf. that 3Com few days ago :) with pdf from 3com cd.
Any question for that configuration?

Br
Kamyk
Re: compiling 1.1.6 on solaris problem
Alan DeKok wrote:
> ...
>
>> In file included from /root/freeradius-1.1.6/src/include/radiusd.h:31,
>> from rlm_dbm_parser.c:52:
>> /usr/include/netinet/in.h:302: warning: `INADDR_ANY' redefined
>> /root/freeradius-1.1.6/src/include/missing.h:73: warning: this is the
>> location of the previous definition
>> /usr/include/netinet/in.h:303: warning: `INADDR_LOOPBACK' redefined
>> /root/freeradius-1.1.6/src/include/missing.h:77: warning: this is the
>> location of the previous definition
>
> The include file order is wrong. I've fixed this in the CVS head, but
> in 1.1.6, the best thing to do is:
>
> $ ./configure --without-rlm_dbm

This leads to a related problem in another context:

/root/freeradius-1.1.6/libtool --mode=link gcc -o radeapclient radeapclient.lo libeap/libeap.la -lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypto -lssl -lcrypto
gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libeap.so /root/freeradius-1.1.6/src/lib/.libs/libradius.so -lcrypt -lnsl -lresolv -lsocket -lposix4 -lpthread -lssl -lcrypto -Wl,--rpath -Wl,/usr/local/lib
/root/freeradius-1.1.6/src/lib/.libs/libradius.so: undefined reference to [EMAIL PROTECTED]'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory `/root/freeradius-1.1.6/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/root/freeradius-1.1.6/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/freeradius-1.1.6/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/freeradius-1.1.6/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-1.1.6/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/freeradius-1.1.6'
make: *** [all] Error 2

Again, the whole output is at http://www.wegener-net.de/fr

Norbert Wegener

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: compiling 1.1.6 on solaris problem
[EMAIL PROTECTED] wrote:
> hi,
>
> do you have OpenSSL installed or using a Solaris derivation?

I am not really familiar with Solaris.

[EMAIL PROTECTED]:/# openssl version
OpenSSL 0.9.7b 10 Apr 2003

Is this information sufficient?

Norbert Wegener

> alan
FR + openldap + WPA, auth fails
With nearly the same config files as I had working on 1.0.1, I'm having problems with 1.1.6 authenticating WPA users.

Probably something to do with this:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: leaving group MS-CHAP (returns reject) for request 7

eap.conf - http://pastebin.mozilla.org/10218
radiusd.conf - http://pastebin.mozilla.org/10223

If there are other relevant files, let me know. Box is more or less a stock RHEL4.

--
matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
Re: Segmentation fault for SNMP query
Kevin Bonner wrote:
...
> Tested with the CVS head as of this morning and everything looks good to me,
> even the per-client data. I'm hitting a segfault when testing the cases I
> listed in bug#150, but I don't think it is related to the SNMP portion of the
> code. Segfault info is below.

Weird. It's a little odd for select() to core dump. All I can say is re-build cleanly, and try again...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_sql: readclients segmentation fault
Milan Holub wrote:
> 1) snmpwalk (read-query) - when reading the NAS entries
...
> I get "Segmentation fault":-(
>
> ==> full -X debug output + valgrind:
> http://pastebin.ca/444684

It looks like a NULL de-reference. i.e. a NULL isn't checked before it's de-referenced to look into a structure.

It would help to have more symbols,

> 2) when receiving HUP signal
> ==> full -X debug output + valgrind:
> http://pastebin.ca/444717

Similar comments about debugging symbols appear here.

If you're doing CVS updates regularly from CVS head, you MUST delete all of the previous rlm_* libraries before installing! The internal server structures are changing hourly, and without a re-compile, the modules will be looking in the wrong place.

> PS: I like this http://pastebin.ca - it keeps the mailing lists clean...

It does appear extremely useful.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: compiling 1.1.6 on solaris problem
Norbert Wegener wrote:
> Setting up 1.1.6 on a Sun with `uname -a` giving
>
> SunOS sunfire 5.10 Generic_118822-26 sun4u sparc SUNW,Ultra-30
>
> configure does not show errors, only warnings. Unfortunately make dies
> with:
...
> creating rlm_dbm.la
...
> In file included from /root/freeradius-1.1.6/src/include/radiusd.h:31,
> from rlm_dbm_parser.c:52:
> /usr/include/netinet/in.h:302: warning: `INADDR_ANY' redefined
> /root/freeradius-1.1.6/src/include/missing.h:73: warning: this is the
> location of the previous definition
> /usr/include/netinet/in.h:303: warning: `INADDR_LOOPBACK' redefined
> /root/freeradius-1.1.6/src/include/missing.h:77: warning: this is the
> location of the previous definition

The include file order is wrong. I've fixed this in the CVS head, but in 1.1.6, the best thing to do is:

$ ./configure --without-rlm_dbm

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: compiling 1.1.6 on solaris problem
hi,

do you have OpenSSL installed or using a Solaris derivation?

alan
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
On Tue 17 Apr 2007, Rick Macdougall wrote:
> On 4/17/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > Rick Macdougall wrote:
> > > Hi,
> > >
> > > We seem to be having the "The maximum number of threads (32) are
> > > active" with Freeradius 1.0.3. Version 1.0.1 works just fine.
> >
> > Upgrade to 1.1.6. It has a whole host of fixes.
>
> Yah, I've already downloaded it in preparation of doing just that. I kind
> of wanted to stick to an RPM release but it looks like that isn't going to
> happen.

You mean rpms like the ones maintained by a member of the FreeRADIUS core team (me) available for Fedora and SUSE at: http://software.opensuse.org/download/network:/aaa/

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: FW: Login for any user
inverse wrote:
>> Anybody got an idea on how the entry in the users-file has to look like
>
> something like
> DEFAULT Auth-Type := Eap, User-Password == "blah"
>
> with default eap type set to md5.
>
> I've yet to try it tho, may you report back if it works?

This suggestion is wrong on a number of levels:

1. Don't set Auth-Type
2. Don't use == for User-Password; use := and in recent server versions use Cleartext-Password
3. You cannot just "permit" EAP. The client will want the server to complete the challenge-response.

The ONLY authentication algorithm that you can "just accept" is PAP.
Re: FW: Login for any user
[EMAIL PROTECTED] wrote:
> Auth-Type:= Accept will let everyone in.

No. Every EAP method I am aware of will require the successful completion of the challenge-response. Just setting Auth-Type to Accept will break things completely.

You *might* possibly be able to use EAP TTLS+PAP and set Auth-Type to Accept on the *inner* PAP method. But that's about it.
compiling 1.1.6 on solaris problem
Setting up 1.1.6 on a Sun with `uname -a` giving

SunOS sunfire 5.10 Generic_118822-26 sun4u sparc SUNW,Ultra-30

configure does not show errors, only warnings. Unfortunately make dies with:

creating rlm_dbm.la
(cd .libs && rm -f rlm_dbm.la && ln -s ../rlm_dbm.la rlm_dbm.la)
/root/freeradius-1.1.6/libtool --mode=compile gcc -g -O2 -I/root/freeradius-1.1.6/src/include -DHAVE_NDBM_H -c rlm_dbm_parser.c
gcc -g -O2 -I/root/freeradius-1.1.6/src/include -DHAVE_NDBM_H -c rlm_dbm_parser.c -fPIC -DPIC -o .libs/rlm_dbm_parser.o
In file included from /root/freeradius-1.1.6/src/include/radiusd.h:31,
from rlm_dbm_parser.c:52:
/usr/include/netinet/in.h:302: warning: `INADDR_ANY' redefined
/root/freeradius-1.1.6/src/include/missing.h:73: warning: this is the location of the previous definition
/usr/include/netinet/in.h:303: warning: `INADDR_LOOPBACK' redefined
/root/freeradius-1.1.6/src/include/missing.h:77: warning: this is the location of the previous definition
rlm_dbm_parser.c: In function `storecontent':
rlm_dbm_parser.c:165: warning: assignment discards qualifiers from pointer target type
gcc -g -O2 -I/root/freeradius-1.1.6/src/include -DHAVE_NDBM_H -c rlm_dbm_parser.c -o rlm_dbm_parser.o >/dev/null 2>&1
/root/freeradius-1.1.6/libtool --mode=link gcc \
-o rlm_dbm_parser rlm_dbm_parser.lo ../../lib/libradius.la -lnsl -lresolv -lsocket -lposix4 -lpthread
gcc -o .libs/rlm_dbm_parser .libs/rlm_dbm_parser.o ../../lib/.libs/libradius.so -lcrypt -lnsl -lresolv -lsocket -lposix4 -lpthread -Wl,--rpath -Wl,/usr/local/lib
../../lib/.libs/libradius.so: undefined reference to [EMAIL PROTECTED]'
collect2: ld returned 1 exit status
gmake[6]: *** [rlm_dbm_parser] Error 1
gmake[6]: Leaving directory `/root/freeradius-1.1.6/src/modules/rlm_dbm'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/root/freeradius-1.1.6/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/freeradius-1.1.6/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/freeradius-1.1.6/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-1.1.6/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/freeradius-1.1.6'
make: *** [all] Error 2
sh-3.00# exit

autoconf --version
autoconf (GNU Autoconf) 2.61
[EMAIL PROTECTED]:/root/freeradius-1.1.6# automake --version
automake (GNU automake) 1.8

The complete output of configure / make can be found at: http://www.wegener-net.de/fr/

Any idea?

Norbert Wegener
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
On 4/17/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Rick Macdougall wrote:
> > Hi,
> >
> > We seem to be having the "The maximum number of threads (32) are active"
> > with Freeradius 1.0.3. Version 1.0.1 works just fine.
>
> Upgrade to 1.1.6. It has a whole host of fixes.

Yah, I've already downloaded it in preparation of doing just that. I kind of wanted to stick to an RPM release but it looks like that isn't going to happen.

Thanks,

Rick
Re: some issues in sqlippool, branch_1_1
On Tue 17 Apr 2007, Alexander V. Klepikov wrote:
> Hello!
>
> 1. During setup of rlm_sqlippool module, I found some compatibility issues
> with PostgreSQL server. I remind that rlm_sqlippool uses transactions. In
> that case all of queries and commands including "BEGIN", "COMMIT" and
> "ROLLBACK" in PostgreSQL must ends with ";" or query will fail. I have
> this issue (is it an issue?) on PostgreSQL 7.3.15 but it should be true
> for 8.x versions too. I think it should be documented.

Hi Alexander

I will check out your patch tomorrow. I do recommend that you consider running CVS head (which will soon be FreeRADIUS 2.0) as I have done a fair amount of new development rlm_sqlippool which is not backported to branch_1_1

I run multiple instances of rlm_sqlippool with cvs head in production on postgresql-8.1.4

Thanks for your input

Regards

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Hi,

We seem to be having the "The maximum number of threads (32) are active" with Freeradius 1.0.3. Version 1.0.1 works just fine.

I tried to do a valgrind with - but when radiusd displays that message, you can no longer kill it. I have the debug output from the - and it shows the accounting processes running, adding info and completing but the thread doesn't seem to release.

Example

Tue Apr 17 09:49:57 2007 : Debug: rlm_sql (sql1): Reserving sql socket id: 6
Tue Apr 17 09:49:57 2007 : Debug: rlm_sql (sql1): Released sql socket id: 6
Tue Apr 17 09:49:57 2007 : Debug: modsingle[accounting]: returned from sql1 (rlm_sql) for request 48
Tue Apr 17 09:49:57 2007 : Debug: modcall[accounting]: module "sql1" returns ok for request 48

So it appears to be a problem with the mysql driver rather than a problem with a slow database query.

Anything else I can provide ?

Centos 4.3
Linux version 2.6.9-42.0.10.ELsmp
512 meg of ram
Connecting to a remote DB server over a dedicated gig network running MySQL 5.x
Intel(R) Pentium(R) 4 CPU 3.20GHz with hyperthreading enabled.

Regards,

Rick
Re: Segmentation fault for SNMP query
On Monday 16 April 2007 07:52:43 Alan DeKok wrote:
> Kevin Bonner wrote:
> > Try http://bugs.freeradius.org/show_bug.cgi?id=150
> >
> > I doubt that patch will still apply cleanly due to the many recent
> > changes. I'll see if I can test the CVS head later today and submit a
> > newer patch.
>
> Please try the latest CVS. I've added a patch based on yours.
>
> Alan DeKok.

Tested with the CVS head as of this morning and everything looks good to me, even the per-client data. I'm hitting a segfault when testing the cases I listed in bug#150, but I don't think it is related to the SNMP portion of the code. Segfault info is below.

Kevin Bonner

== cut ==
(gdb) bt
#0  0x00fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
(gdb) up
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
(gdb) up
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
575             status = select(max_fd + 1, &readfds, NULL, NULL, ptv);
(gdb) list
570     #else
571                     DEBUG2("Waking up in %d seconds...",
572                                     (int) tv.tv_sec);
573     #endif
574             }
575             status = select(max_fd + 1, &readfds, NULL, NULL, ptv);
576             if (status == -1) {
577                     /*
578                      *      On interrupts, we clean up the request
579                      *      list.  We then continue with the loop,
(gdb) print ptv
$1 = (struct timeval *) 0x0
(gdb) print &readfds
$2 = (fd_set *) 0xbfe05ea0
(gdb) print max_fd
$3 = 10
== cut ==
Re: FW: Login for any user
Auth-Type := Accept will let everyone in.

Ivan Kalik
Kalik Informatika ISP

On 17/4/2007, "inverse" <[EMAIL PROTECTED]> wrote:

>> Anybody got an idea on how the entry in the users-file has to look like
>
>something like
>DEFAULT Auth-Type := Eap, User-Password == "blah"
>
>with default eap type set to md5.
>
>I've yet to try it tho, may you report back if it works?
AW: FW: Login for any user
I've managed to reach my goal with the following entry in the users-file:

>>
DEFAULT Auth-Type := Local, User-Password == "something"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Cisco-AVPair = 'ip:addr-pool=somepool'
>>

regards
Christoph
---
Ing. Christoph Galuschka
TIWAG-Tiroler Wasserkraft AG
ITT LAN/WAN - VPN-/Firewallsysteme
Eduard-Wallnöfer-Platz 2
6010 Innsbruck
T: +43 (0)50607 21832
F: +43 (0)50607 41832
www.tiroler-wasserkraft.at
Ti.econet: Hotline: +43 (0)50607 21405
eMail: [EMAIL PROTECTED]
www.tieconet.at
---

-----Original Message-----
From: [EMAIL PROTECTED] rg [mailto:[EMAIL PROTECTED] radius.org] On Behalf Of inverse
Sent: Tuesday, 17 April 2007 15:49
To: FreeRadius users mailing list
Subject: Re: FW: Login for any user

> Anybody got an idea on how the entry in the users-file has to look like

something like
DEFAULT Auth-Type := Eap, User-Password == "blah"

with default eap type set to md5.

I've yet to try it tho, may you report back if it works?
some issues in sqlippool, branch_1_1
Hello! 1. During setup of rlm_sqlippool module, I found some compatibility issues with PostgreSQL server. I remind that rlm_sqlippool uses transactions. In that case all of queries and commands including "BEGIN", "COMMIT" and "ROLLBACK" in PostgreSQL must ends with ";" or query will fail. I have this issue (is it an issue?) on PostgreSQL 7.3.15 but it should be true for 8.x versions too. I think it should be documented. 2. In sqlippool.conf %{reply:Pool-Name} is used, but in documentation said that Pool-Name is check attribute. In my tests reply:Pool-Name was empty string, so I replaced it with Pool-Name. 3. In doc/examples/postgresql.sql in radippool table definition some fields are defined as NOT NULL (and vice versa), which should not be - it causes problems when one add IP-addresses to radippool. 4. In src/include/modpriv.h , src/modules/rlm_eap/rlm_eap.h , src/modules/rlm_sql/rlm_sql.h I replaced #include "ltdl.h" with #include "../../libltdl/ltdl.h" to compile FreeRadius. My OS is FreeBSD 6.2-RELEASE, GNU Make 3.81 Patch for items 2 and 3 attached. With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED] --- doc/examples/postgresql.sql 5 Jan 2007 15:27:05 - 1.1.2.8 +++ doc/examples/postgresql.sql 17 Apr 2007 13:37:56 - @@ -199,13 +199,13 @@ CREATE TABLE radippool ( id BIGSERIAL PRIMARY KEY, pool_name text NOT NULL, - FramedIPAddress INET, - NASIPAddresstext NOT NULL, + FramedIPAddress INET NOT NULL, + NASIPAddresstext, CalledStationId VARCHAR(64), - CallingStationIdtext NOT NULL DEFAULT ''::text, - expiry_time TIMESTAMP(0) without time zone NOT NULL, + CallingStationIdtext DEFAULT ''::text, + expiry_time TIMESTAMP(0) without time zone NOT NULL DEFAULT now(), usernametext DEFAULT ''::text, - pool_keyVARCHAR(30) NOT NULL + pool_keyVARCHAR(30) ); -- --- raddb/sqlippool.conf17 Aug 2006 14:20:52 - 1.1.2.3 +++ raddb/sqlippool.conf17 Apr 2007 13:27:08 - 
@@ -26,7 +26,7 @@ # like Cisco internal pools do - it _trys_ to allocate the same IP-address # which user had last session... allocate-find = "SELECT framedipaddress FROM radippool \ - WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \ + WHERE pool_name = '%{Pool-Name}' AND expiry_time < 'now'::timestamp(0) \ ORDER BY pool_name, (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time \ LIMIT 1 \ FOR UPDATE" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
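Review bot: In the radippool hunk of doc/examples/postgresql.sql, CallingStationId loses NOT NULL but keeps DEFAULT ''::text, so the default already lets an INSERT omit the column and the only new behaviour is that explicit NULLs are accepted. The allocate-find query orders by (callingstationid <> '%{Calling-Station-Id}'), and that comparison yields NULL rather than true or false for such rows, so the preference for the address a caller had last session no longer applies to them. Suggest keeping NOT NULL DEFAULT '' on CallingStationId, and saying in the message which INSERT failed for NASIPAddress and pool_key, since item 3 only states that the constraints cause problems.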
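Review bot: In allocate-find in raddb/sqlippool.conf, '%{Pool-Name}' drops the list qualifier entirely, so the lookup now depends on which list an unqualified reference resolves to. Item 2 of the message says the documentation describes Pool-Name as a check attribute; if that is the list meant, spell it %{check:Pool-Name} so the pool is always selected from server-side configuration and not from an attribute of the same name arriving in the packet. The hunk touches only allocate-find, so any other query in this file that still expands %{reply:Pool-Name} needs the same change, otherwise allocation and the remaining queries will disagree about the pool.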
AW: FW: Login for any user
Hello,

well so far it seems to work partly as I get the following error:

>>
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
>>

Currently working on that.

regards
Christoph
---
Ing. Christoph Galuschka
TIWAG-Tiroler Wasserkraft AG
ITT LAN/WAN - VPN-/Firewallsysteme
Eduard-Wallnöfer-Platz 2
6010 Innsbruck
T: +43 (0)50607 21832
F: +43 (0)50607 41832
www.tiroler-wasserkraft.at
Ti.econet: Hotline: +43 (0)50607 21405
eMail: [EMAIL PROTECTED]
www.tieconet.at
---

-----Original Message-----
From: [EMAIL PROTECTED] rg [mailto:[EMAIL PROTECTED] radius.org] On Behalf Of inverse
Sent: Tuesday, 17 April 2007 15:49
To: FreeRadius users mailing list
Subject: Re: FW: Login for any user

> Anybody got an idea on how the entry in the users-file has to look like

something like
DEFAULT Auth-Type := Eap, User-Password == "blah"

with default eap type set to md5.

I've yet to try it tho, may you report back if it works?
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Rick Macdougall wrote:
> Hi,
>
> We seem to be having the "The maximum number of threads (32) are active"
> with Freeradius 1.0.3. Version 1.0.1 works just fine.

Upgrade to 1.1.6. It has a whole host of fixes.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_sql: readclients segmentation fault
Hi Alan,

On Tue, Apr 17, 2007 at 11:45:28AM +0200, Alan DeKok wrote:
> *Please* run the server under valgrind to find the source of these
> problems.

==> finally I managed to compile valgrind and can give you thus its output...

I did fresh cvs checkout and then created a debian package on woody (export LDFLAGS='-lz'; dpkg-buildpackage -b -uc -d). Point 2) I've also compiled & tested on debian testing with the same result.

After cvs commits from this morning I'm getting segmentation faults in following cases:

1) snmpwalk (read-query) - when reading the NAS entries
`/usr/local/bin/valgrind --tool=memcheck --leak-check=full freeradius -X &> /devel/freeradius/debug/fr_snmp_walk_1.txt`
when running
`snmpwalk -Cc -v 1 -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuth`
I get "Segmentation fault" :-(
==> full -X debug output + valgrind: http://pastebin.ca/444684

2) when receiving HUP signal
==> full -X debug output + valgrind: http://pastebin.ca/444717

3) snmpset (write-query) - similar to 2)
==> similar output as in 2)

4) on any incoming radius request (when the corresponding NAS is stored in mysql nas table)
==> full -X debug output + valgrind: http://pastebin.ca/444719

Am I doing something wrong? Nobody else experience similar behaviour? Please advise.

PS: I like this http://pastebin.ca - it keeps the mailing lists clean...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
Re: FW: Login for any user
> Anybody got an idea on how the entry in the users-file has to look like

something like
DEFAULT Auth-Type := Eap, User-Password == "blah"

with default eap type set to md5.

I've yet to try it tho, may you report back if it works?
FW: Login for any user
Hello,

well I guess I can't do that with MySQL-Queries. Anybody got an idea on how the entry in the users-file has to look like.

thanks and regards
Chris

-----Original Message-----
From: Galuschka Christoph
Sent: Tuesday, 17 April 2007 14:04
To: 'freeradius-users@lists.freeradius.org'
Subject: Login for any user

Hello,

I would like to create a login user on my database backend which allows everybody - regardless of username - to login as long as the password is correct. Is there a way to create such a user?

thanks and regards
Christoph
---
Ing. Christoph Galuschka
TIWAG-Tiroler Wasserkraft AG
ITT LAN/WAN - VPN-/Firewallsysteme
Eduard-Wallnöfer-Platz 2
6010 Innsbruck
T: +43 (0)50607 21832
F: +43 (0)50607 41832
www.tiroler-wasserkraft.at
Ti.econet: Hotline: +43 (0)50607 21405
eMail: [EMAIL PROTECTED]
www.tieconet.at
---
Re: AW: FW: Login for any user
Galuschka Christoph wrote:
> I've managed to reach my goal with the following entry in the users-file:
> DEFAULT Auth-Type := Local, User-Password == "something"

Don't set Auth-Type = Local. PLEASE.

Instead:

DEFAULT Cleartext-Password := "something"
        ...

And make sure you have "pap" listed last in the "authorize" section. This is the default in 1.1.6.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
daniel wrote:
> Has anyone had any luck compiling pam_radius_auth on ubuntu?

$ apt-get install libpam0g-dev
$ cd pam_radius
$ make

> Does the pam module support accounting packets (ie. send accounting packet to
> radius when user logs on?)

Yes.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Radius accounting
[EMAIL PROTECTED] wrote:
> So i put this to acct_users:
>
> DEFAULT Acct-Session-Id =~ "^.*(NC|JSAM|WSAM).*"
>         My-ST == `%{1}`

Please read "man users". You are putting the attribute in the reply list. You are using "==", which is a comparison operator, rather than "=".

> i see that rad_xlat gives the correct value to My-ST but i cant use it
> in the sql statement.
> Its empty.
>
> acct_users: Matched entry DEFAULT at line 23
> radius_xlat: 'WSAM'
>
> How can i define new Attributes? And use them in sql.conf

Read doc/variables.txt

If you fix the operator to '=', you can probably reference it in the SQL statement as %{reply:My-ST}.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Login for any user
Hello,

I would like to create a login user on my database backend which allows everybody - regardless of username - to login as long as the password is correct. Is there a way to create such a user?

thanks and regards
Christoph
---
Ing. Christoph Galuschka
TIWAG-Tiroler Wasserkraft AG
ITT LAN/WAN - VPN-/Firewallsysteme
Eduard-Wallnöfer-Platz 2
6010 Innsbruck
T: +43 (0)50607 21832
F: +43 (0)50607 41832
www.tiroler-wasserkraft.at
Ti.econet: Hotline: +43 (0)50607 21405
eMail: [EMAIL PROTECTED]
www.tieconet.at
---
Radius accounting
Hi all,

I use freeradius 1.1.3. Here is my problem: I use radius accounting into a mysql database. I want to extract information out of the accounting packet and insert it into the sql database.

My Acct-Session-Id looks like this:

Acct-Session-Id = "domain\\user"Thu Mar 1 14:29:58 2007"NC"

The last field, here NC, is one of these: NC|WSAM|JSAM

So I put this to acct_users:

DEFAULT Acct-Session-Id =~ "^.*(NC|JSAM|WSAM).*"
        My-ST == `%{1}`

My-ST is defined in dictionary:

ATTRIBUTE My-ST 3004 string

I see that rad_xlat gives the correct value to My-ST but I can't use it in the sql statement. It's empty.

acct_users: Matched entry DEFAULT at line 23
radius_xlat: 'WSAM'

How can I define new Attributes? And use them in sql.conf

Thanks a lot
Re: PAM Radius Authentication
Has anyone had any luck compiling pam_radius_auth on ubuntu?

On Mon, 16 Apr 2007 15:13:49 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> daniel wrote:
>> I am trying to set up unix authentication using radius.
>> Does the pam module support the maximum session times.
>
> No, because PAM has no provisions for enforcing maximum session times.

This is ok, I can write a script that runs every minute that just logs the user off based on the results of an sql query of the radius database. Does the pam module support accounting packets (ie. send accounting packet to radius when user logs on?)

>
> The setrlimit function call can enforce CPU time restrictions, but
> that is *not* clock time.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Using Client-Ip-Address attribute in preprocess files
Alan DeKok wrote:
>> the issue is that now Packet-Src-Ip-Address Always matches ! Everywhere.
>
> Should be fixed.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

Thanks :)

BTW I can't seem to reproduce Milan's client issues running cvs head on Darwin.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
Re: Using Client-Ip-Address attribute in preprocess files
> the issue is that now Packet-Src-Ip-Address Always matches ! Everywhere.

Should be fixed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_sql: readclients segmentation fault
Milan Holub wrote:
> Oh and I forgot: when I move definition of localhost from clients.conf
> to nas table I'm getting segmentation fault also when sending test
> requests from localhost as well.

*Please* run the server under valgrind to find the source of these problems.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE : FreeRadius + Freetds + unixodbc
Hello,

I want to test my Freeradius with mssql. When starting radiusd -X I have this error:

rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Server is unavailable or does not exist.
rlm_sql_unixodbc: Connection failed
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.

Tips or help please?

regards.
Help stuck on error: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
radiusd -X -A output: http://pastebin.ca/444201
radiusd.conf: http://pastebin.ca/444205

I am slowly setting up FR to work with ADS. I had ntlm_auth working fine but have been requested to swap to ldap.

My current freeradius user is \admins\radius\freeradius, admins being an organisational unit, radius being an ou inside admins.

I get this error when freeradius tries to confirm the user/passwd against the ADS:

"rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf"
Re: Segmentation fault for SNMP query
Milan Holub wrote:
> ==> well, I've done the tests with 32 reHUPs and I'm getting
> segmentation fault during the promised cleanup:
> ...when 32nd HUP received:

Ok... after some work with valgrind, the problem should be fixed. The server shouldn't use more memory after a HUP, and it shouldn't crash, either.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_sql: readclients segmentation fault
Hi all,

On Mon, Apr 16, 2007 at 04:40:18PM +0200, Alan DeKok wrote:
> You're using SNMP. You ran into an assertion. Try "cvs update".

==> I did cvs update this morning. I don't think it's an assertion (no clean exit on assertion but segmentation fault). I synchronized the radclient binary + dictionaries on remote NAS with the freeradius built. Unfortunately problem persists.

Oh and I forgot: when I move definition of localhost from clients.conf to nas table I'm getting segmentation fault also when sending test requests from localhost as well.

Anyone else experience similar behaviour?

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
Re: FR + AD + Vlans + LDAP help
radiusd -X -A output: http://pastebin.ca/444201
radiusd.conf: http://pastebin.ca/444205

After re-reading http://wiki.freeradius.org/index.php/Rlm_ldap I enabled ldap debug and re-arranged the ldap config like so:

before:
identity = cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=internal
password = frpass

after:
identity = "cn=freeradius,ou=admins,ou=radius,dc=tfxschool"
password = frpass

It didn't seem to make any difference unfortunately.

On 4/17/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jacob Jarick wrote:
> > I'm currently trying to configure freeradius to authenticate via a
> > win2k3 server, check the users group and then return a confirmation/
> > denial + vlan id for the cisco WAP to process.
> >
> > Questions:
> >
> > 1: Is ldap the only way of retrieving the users group/s
>
> If the users and groups are in LDAP, yes.
>
> > 2 - Can I talk directly to the ADS using the ldap client (or however
> > its done) instead of setting up a linux openldap server.
>
> Yes. Just point the ldap module to active directory.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: FR + AD + Vlans + LDAP help
radiusd -X -A output: http://pastebin.ca/444162
radiusd.conf: http://pastebin.ca/444163

I just figured out that ou != groups.

So my current freeradius user is \admins\radius\freeradius, admins being an organisational unit, radius being an ou inside admins.

I get this error when freeradius tries to confirm the user/passwd against the ADS:

"rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf"

On 4/17/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jacob Jarick wrote:
> > I'm currently trying to configure freeradius to authenticate via a
> > win2k3 server, check the users group and then return a confirmation/
> > denial + vlan id for the cisco WAP to process.
> >
> > Questions:
> >
> > 1: Is ldap the only way of retrieving the users group/s
>
> If the users and groups are in LDAP, yes.
>
> > 2 - Can I talk directly to the ADS using the ldap client (or however
> > its done) instead of setting up a linux openldap server.
>
> Yes. Just point the ldap module to active directory.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
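A DN lists its components from the object outward, so an OU path described top-down (admins, then radius inside it) appears in the opposite order in an rlm_ldap `identity`. The following is an added example, not code from this thread or from FreeRADIUS: an offline checker that derives the DN from such a path and compares it with the `identity` strings quoted in these posts. The function names are hypothetical, and it assumes the account object is `cn=freeradius` and that both containers are OUs, as the posts describe.

```python
import re


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific RDN first.

    Simplified parser: honours backslash-escaped commas, ignores
    multi-valued RDNs (a+b) and hex-encoded values.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn.strip().strip('"')):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_from_path(cn, containers, domain):
    """Build a DN from an OU path given top-down, e.g. ["admins", "radius"]."""
    rdns = [("cn", cn)]
    rdns += [("ou", ou) for ou in reversed(containers)]  # innermost OU first
    rdns += [("dc", label) for label in domain.split(".")]
    return ",".join("%s=%s" % rdn for rdn in rdns)


def identity_problems(identity, cn, containers, domain):
    """Return a list of "code: detail" strings; empty means the DN matches."""
    expected = split_dn(dn_from_path(cn, containers, domain))
    actual = split_dn(identity)
    problems = []

    def values(rdns, attr):
        return [v for a, v in rdns if a == attr]

    if actual[0] != expected[0]:
        problems.append("leaf: expected %s=%s first" % expected[0])
    if values(actual, "ou") != values(expected, "ou"):
        if sorted(values(actual, "ou")) == sorted(values(expected, "ou")):
            problems.append("ou-order: write the innermost OU first: "
                            + ",".join("ou=" + v for v in values(expected, "ou")))
        else:
            problems.append("ou-set: expected OUs %s" % values(expected, "ou"))
    if values(actual, "dc") != values(expected, "dc"):
        problems.append("base-dn: expected suffix "
                        + ",".join("dc=" + v for v in values(expected, "dc")))
    return problems


def codes(problems):
    """Reduce problem strings to their short codes."""
    return [p.split(":", 1)[0] for p in problems]


if __name__ == "__main__":
    # OU path and domain as described in the posts; treated here as assumptions.
    path, domain = ["admins", "radius"], "tfxschool.internal"
    for identity in (
        "cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=internal",  # "before"
        '"cn=freeradius,ou=admins,ou=radius,dc=tfxschool"',            # "after"
        dn_from_path("freeradius", path, domain),                      # derived
    ):
        found = identity_problems(identity, "freeradius", path, domain)
        print(identity, "->", found or "ok")
```

A clean result only shows that the string is consistent with the described tree; the same DN and password still have to be confirmed with a direct bind against the directory.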
Re: Segmentation fault for SNMP query
Hi Alan,

On Mon, Apr 16, 2007 at 04:39:16PM +0200, Alan DeKok wrote:
> Try 32 HUPs. The memory will increase, but won't grow after that.
>
> At some point in the future, it can be fixed to do more cleanups after
> HUP.

==> well, I've done the tests with 32 reHUPs and I'm getting segmentation fault during the promised cleanup:

...when 32nd HUP received:

>>>BEGIN DEBUG
Program received signal SIGSEGV, Segmentation fault.
0x4029ca3b in free () from /lib/libc.so.6
(gdb) bt
#0  0x4029ca3b in free () from /lib/libc.so.6
#1  0x0804f05e in cf_pair_free ()
#2  0x0804f0c5 in cf_section_free ()
#3  0x0804f1f7 in cf_section_free ()
#4  0x08055b34 in read_mainconfig ()
#5  0x08058f5e in main ()
#6  0x4024714f in __libc_start_main () from /lib/libc.so.6
>>>END DEBUG

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
Re: Segmentation fault for SNMP query
Hi Alan,

On Mon, Apr 16, 2007 at 04:49:37PM +0200, Alan DeKok wrote:
> Ok, try now. After some fighting with getting SNMPD to work, I can
> now see the counters incrementing when I query it via snmpwalk.

==> I can confirm with latest cvs head snmp is working after reload (either via HUP or snmp-write)
==> that's great! Thanks a lot, Alan.

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch