Re: Freeradius-Users Digest, Vol 25, Issue 106

2007-05-23 Thread anoop_c
Hi all
   I am doing EAP-TLS with FR 1.1.6.
I am not getting anything in the log file. I am able to authenticate and connect.

 What is the config to be done for getting logs?

Regards
Anoop


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP access configuration

2007-05-23 Thread Manuel Sánchez Cuenca
Hello all,

I have a scenario where a first RADIUS server (R1) proxies the
authentication request to another RADIUS server (R2). Later, when the
user is authenticated, R1 must access an LDAP server to recover some
network parameters, such as session-timeout or framed-ip-address, and
enforce them in the Access Point (AP). Currently, R1 is configured to
access the LDAP server using the user name as filter (filter =
(uid=%{Stripped-User-Name:-%{User-Name}}) in radiusd.conf). My
question is: is it possible to configure this filter to use a RADIUS
attribute received in the response from R2? I mean, R2 returns in the
response an attribute called attr1=val1, and then R1 must use this
attribute to search in the LDAP server (filter=(uid=%{attr1}) or
something similar?)


                        Internet
                           /
User --- AP --- R1 ------ R2
                 \
                  LDAP


User          AP            R1           LDAP           R2
  |            |             |             |             |
  |--(authn req.)-->|--------->|-------------------------->|
  |            |             |<---(authn response + attr1=val1)---|
  |            |             |--(search uid=attr1)-->|      |
  |            |             |<--(network params)----|      |
  |            |<--(params)--|             |             |
  |<-(Success)-|             |             |             |


Thanks in advance.

--
-
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644Fax: +34-968-364151
email: [EMAIL PROTECTED]  |  [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo





Accounting-Response with invalid signature

2007-05-23 Thread Rio Yang

Hi All,

I got the following message from my radius.log.

Wed May 23 16:39:11 2007 : Error: Received Accounting-Response packet from
172.16.1.1:1813 with invalid signature (err=2)!  (Shared secret is
incorrect.)
Wed May 23 16:39:11 2007 : Error: Reply from home server 172.16.1.1:1813  -
ID: 180 arrived too late for request 2515449. Try increasing 'retry_delay'
or 'max_request_time'

It caused some problems with accounting records.

The secret between the NAS and RADIUS is the same.
But the log tells me the secret is incorrect at Accounting-Response.

Does anybody know what the main cause is and how to fix it?

PS. NAS and Radius are in the same subnet without any firewall.

[EMAIL PROTECTED]

Different behavior when run with -X and not

2007-05-23 Thread hwang
)
Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = /usr/local/freeradius-1.1.6/etc/raddb/users
  files: acctusersfile = /usr/local/freeradius-1.1.6/etc/raddb/acct_users
  files: preproxy_usersfile = 
/usr/local/freeradius-1.1.6/etc/raddb/preproxy_users
  files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
  detail: detailfile = 
/usr/local/freeradius-1.1.6/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
  radutmp: filename = /usr/local/freeradius-1.1.6/var/log/radius/radutmp
  radutmp: username = %{User-Name}
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.1.2.182:1813, id=91, 
length=198
 NAS-IP-Address = 10.1.2.182
 NAS-Port-Type = Async
 User-Name = 111
 Called-Station-Id = 0227130985
 Calling-Station-Id = 886227130985
 Acct-Status-Type = Start
 Service-Type = Dialout-Framed-User
 h323-gw-id = 111
 h323-conf-id = 3023024-20070523144854
 h323-call-origin = answer
 h323-call-type = VOIP
 h323-setup-time = 06:48:54.912 UTC Wed May 23 2007
 Acct-Session-Id = 0024
 Acct-Delay-Time = 0
   Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
   modcall[preacct]: module preprocess returns noop for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, 
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 10.1.2.182,NAS-IP-Address 
= 10.1.2.182,Acct-Session-Id = 0024,User-Name = 111'
rlm_acct_unique: Acct-Unique-Session-ID = f5de261a872f9626.
   modcall[preacct]: module acct_unique returns ok for request 0
 rlm_realm: No '@' in User-Name = 111, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[preacct]: module suffix returns noop for request 0
 acct_users: Matched entry DEFAULT at line 19
   modcall[preacct]: module files returns ok for request 0
modcall: leaving group preacct (returns ok) for request 0
   Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat: 
'/usr/local/freeradius-1.1.6/var/log/radius/radacct/10.1.2.182/detail-20070523'
rlm_detail: 
/usr/local/freeradius-1.1.6/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 
expands to 
/usr/local/freeradius-1.1.6/var/log/radius/radacct/10.1.2.182/detail-20070523
   modcall[accounting]: module detail returns ok for request 0
   modcall[accounting]: module unix returns noop for request 0
radius_xlat:  '/usr/local/freeradius-1.1.6/var/log/radius/radutmp'
radius_xlat:  '111'
   rlm_radutmp: No NAS-Port seen.  Cannot do anything.
   rlm_radumtp: WARNING: checkrad will probably not work!
   modcall[accounting]: module radutmp returns noop for request 0
modcall: leaving group accounting (returns ok) for request 0
Exec-Program output:
Exec-Program: returned: 0
Sending Accounting-Response of id 91 to 10.1.2.182 port 1813
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.2.182:1816, id=92, length=106
 NAS-IP-Address = 10.1.2.182
 NAS-Port-Type = Async
 Service-Type = Authenticate-Only
 User-Name = A001
 h323-conf-id = 3023024-20070523144854
 Calling-Station-Id = 886227130985
 User-Password = 111
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module preprocess returns ok for request 1
   modcall[authorize]: module chap returns noop for request 1
   modcall[authorize]: module mschap returns noop for request 1
 rlm_realm: No '@' in User-Name = A001, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 1
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 1
 users: Matched entry DEFAULT at line 53
   modcall[authorize]: module files returns ok for request 1
rlm_pap: Found existing Auth-Type, not changing it.
   modcall[authorize]: module pap returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
   rad_check_password:  Found Auth-Type Accept

Re: Accounting-Response with invalid signature

2007-05-23 Thread Milan Holub
Hi Rio,

what type of NAS are you using?
I've experienced similar behaviour with nocat software.

The problem was that the NAS did not generate a correct packet signature
according to the RFC.

I have a simple patch to FreeRADIUS to bypass checking of the signature of
accounting packets, although the correct way is to fix your NAS to create the
signature according to the RFC.

Anyway I can send you the patch for testing if needed.

Regards

Milan Holub
holub (at) thenet (dot) ch

--
 TheNet-Internet Services AG,
 im Bernertechnopark, Morgenstr. 129
 CH-3018, Bern, Switzerland
 031 998 4333, Fax 031 998 4330
 http://www.thenet.ch
 http://wlan.thenet.ch
--



FreeRadius on openSuse Error

2007-05-23 Thread Siqhamo Sifo
I am currently running FreeRADIUS on openSuse 10.2 and when I do a tail -f
on my log file I see the following error message:  Error: Exec-Program: FAILED to
execute /usr/local/bin/mtacnt: No such file or directory
What I find strange is that it seems like mtacnt is not installed on my
system, which I find strange because when I took a look at my other RADIUS
box which is running FC5 the cmd mtacnt is available.

Can anyone help?

Regards
Sq



Problem with logging detail-log to syslog

2007-05-23 Thread Mark van Herpen
Hello,

I want to log all the FreeRADIUS (v 1.1.3) logs to syslog (syslog-ng).
I've already added this to my syslog-ng.conf:

  filter f_radiusd { match (radiusd); };
  destination radiuslogs { file(var/log/radiusd.log); };
  log { source (src); filter(f_daemon); filter(f_radiusd); 
destination(radiuslogs);};

And I changed/added this in my radiusd.conf :

  logdir = syslog
  log_destination = syslog

So far so good: when I restart syslog-ng and radiusd, radiusd is logging
to /var/log/radiusd.log via syslog. But I also want to have the
detail-logs, which are normally in the radacct directory, working in
syslog... Now I see this error in /var/log/radiusd.log:

  rlm_detail: Failed to create directory syslog/radacct: No such file or
directory

So the rlm_detail part doesn't understand the 'logdir = syslog' option
in radiusd.conf, I guess? How can I fix this?

Thanks in advance

Mark van Herpen




Re: Accounting-Response with invalid signature

2007-05-23 Thread Rio Yang

Hi Milan,

Sorry, I didn't describe my architecture in more detail.

NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)

(FreeRADIUS proxies to JuniperSBR)

The error message occurred between FreeRADIUS and JuniperSBR.

In my thinking, there is no secret error in the Accounting-Request, so why did I get the
secret error in the Accounting-Response?

Rio

2007/5/23, Milan Holub [EMAIL PROTECTED]:


Hi Rio,

what type of NAS are you using?
I've experienced similar behaviour with nocat software.

The problem was that the NAS did not generate correct packet signature
according to rfc.

I have a simple patch to freeradius to bypass checking of signature of
accounting
packets. Although the correct way is to fix your NAS to create the
signature according to rfc.

Anyway I can send you the patch for testing if needed.

Regards

Milan Holub
holub (at) thenet (dot) ch

--
TheNet-Internet Services AG,
im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch
http://wlan.thenet.ch
--


Problem connecting to a router via RADIUS Server authentication

2007-05-23 Thread prajakta choudhari
Hi all:
I have configured the RADIUS server. I have a
Linksys router with wireless security as RADIUS
enabled and a laptop that connects to the Linksys
router.

Whenever I try connecting to the router I get the
following message on the machine with the RADIUS
server.
The clients.conf has the secret key as testing123. In
which other file do I have to put the same key?


Cleaning up request 4 ID 0 with timestamp 46543306
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.6.15:2050, id=0, length=129
Received packet from 192.168.6.15 with invalid Message-Authenticator!  (Shared secret is incorrect.)
Dropping packet without response.


Could someone throw light on this issue?
Thank you
Prajakta Choudhari




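The "invalid Message-Authenticator" line in this post and the "invalid signature (err=2)" line in the "Accounting-Response with invalid signature" thread above come from the same kind of integrity check, so here is one added Python example, not FreeRADIUS code and not from any poster, that reproduces both: the Response Authenticator check of RFC 2866 section 3 that a proxy runs on a home server's reply, and the Message-Authenticator check of RFC 2869 section 5.14 that a server runs on an Access-Request. The packet contents, the secret testing123 from the post and the wrong secret testing124 are constructed for the demonstration. One point the code makes explicit: the reply check also depends on the Request Authenticator of the request the reply is matched to, so a reply matched against the wrong outstanding request fails exactly as a wrong shared secret does.

```python
"""Added example: the two RADIUS integrity checks behind the FreeRADIUS
messages 'invalid signature' (Response Authenticator, RFC 2866) and
'invalid Message-Authenticator' (RFC 2869).  All packet data is constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCT_REQUEST, ACCT_RESPONSE = 1, 4, 5
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_MESSAGE_AUTHENTICATOR = 1, 40, 80


def encode_attrs(attrs):
    """Serialise a list of (type, value-bytes) pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_packet(code, pkt_id, authenticator, attrs):
    """Code | ID | Length | 16-octet Authenticator | Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, pkt_id, 20 + len(body)) + authenticator + body


def acct_request_authenticator(code, pkt_id, attrs, secret):
    """RFC 2866 section 3: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    return hashlib.md5(build_packet(code, pkt_id, bytes(16), attrs) + secret).digest()


def response_authenticator(response, request_auth, secret):
    """MD5 over the reply with the matched request's authenticator in the
    authenticator slot, followed by the shared secret (RFC 2865/2866)."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()


def verify_response(response, request_auth, secret):
    """What a proxy does when a home server's reply arrives.  Fails both when
    the secret differs and when the reply is matched to the wrong request."""
    expected = response_authenticator(response, request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


def _find_attr(packet, attr_type):
    """Return (offset, value) of the first attribute of that type, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if t == attr_type:
            return pos, packet[pos + 2:pos + length]
        pos += length
    return None


def message_authenticator(packet, secret):
    """RFC 2869 section 5.14: HMAC-MD5(secret, whole packet) computed with the
    16-octet Message-Authenticator value replaced by zeros."""
    zeroed = bytearray(packet)
    found = _find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is not None:
        offset, _ = found
        zeroed[offset + 2:offset + 18] = bytes(16)
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """A missing or malformed Message-Authenticator is not verifiable."""
    found = _find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    return hmac.compare_digest(found[1], message_authenticator(packet, secret))


def demo():
    secret, wrong_secret = b"testing123", b"testing124"   # constructed values
    # Accounting exchange between a proxy and a home server (ID 180 as in the log).
    attrs = [(ATTR_USER_NAME, b"111"), (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))]
    req_auth = acct_request_authenticator(ACCT_REQUEST, 180, attrs, secret)
    reply = build_packet(ACCT_RESPONSE, 180, bytes(16), [])
    reply = reply[:4] + response_authenticator(reply, req_auth, secret) + reply[20:]
    other_req_auth = acct_request_authenticator(ACCT_REQUEST, 181, attrs, secret)
    # Access-Request carrying a Message-Authenticator (computed over a zeroed slot).
    request_auth = bytes(range(16))   # constructed; a real client uses random bytes
    placeholder = [(ATTR_USER_NAME, b"alice"), (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = message_authenticator(build_packet(ACCESS_REQUEST, 0, request_auth, placeholder), secret)
    access = build_packet(ACCESS_REQUEST, 0, request_auth,
                          [(ATTR_USER_NAME, b"alice"), (ATTR_MESSAGE_AUTHENTICATOR, mac)])
    return {
        "acct_ok": verify_response(reply, req_auth, secret),
        "acct_wrong_secret": verify_response(reply, req_auth, wrong_secret),
        "acct_wrong_request": verify_response(reply, other_req_auth, secret),
        "access_ok": verify_message_authenticator(access, secret),
        "access_wrong_secret": verify_message_authenticator(access, wrong_secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-20s %s" % (name, "verified" if ok else "INVALID (secret or matched request differs)"))
```

Running the file prints one line per case; only `acct_ok` and `access_ok` verify. The `acct_wrong_request` case is the one to keep in mind when a reply is also reported as arriving late: the reply is checked against whichever outstanding request it was matched to.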


Re: FreeRadius on openSuse Error

2007-05-23 Thread Peter Nixon
On Wed 23 May 2007, Siqhamo Sifo wrote:
 I am currently running FreeRADIUS on openSuse 10.2 and when I do a tail -f
 on my log file I see the following error message:  Error: Exec-Program: FAILED
 to execute /usr/local/bin/mtacnt: No such file or directory
 What I find strange is that it seems like mtacnt is not installed on my
 system, which I find strange because when I took a look at my other RADIUS
 box which is running FC5 the cmd mtacnt is available.

What is /usr/local/bin/mtacnt ? It does not ship with SUSE or FC. (If it did 
it would not live under /usr/local)

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Very critical: Memory leak in freeradius-1.1.6

2007-05-23 Thread nikitha george

On 5/23/07, nikitha george [EMAIL PROTECTED] wrote:


Please find the valgrind output below. It shows that so much memory is still
reachable.
I guess we are not cleaning up all the expired cached sessions at
regular intervals.


==21844== 7,456 bytes in 29 blocks are still reachable in loss record 33
of 44
==21844==at 0x48054FB: realloc (vg_replace_malloc.c:306)
==21844==by 0x351D54: (within /lib/libcrypto.so.0.9.8b)
==21844==by 0x352486: CRYPTO_realloc (in /lib/libcrypto.so.0.9.8b)
==21844==by 0x3A4776: lh_insert (in /lib/libcrypto.so.0.9.8b)
==21844==by 0x355527: OBJ_NAME_add (in /lib/libcrypto.so.0.9.8b)
==21844==by 0x3AC41C: EVP_add_digest (in /lib/libcrypto.so.0.9.8b)
==21844==by 0x486EF91: SSL_library_init (in /lib/libssl.so.0.9.8b)
==21844==by 0x4BAAE03: eaptls_attach (rlm_eap_tls.c:287)
==21844==by 0x4B95230: eaptype_load (eap.c:122)
==21844==by 0x4B93D1B: eap_instantiate (rlm_eap.c:145)
==21844==by 0xCCBE: find_module_instance (modules.c:358)
==21844==by 0xDCBD: do_compile_modsingle (modcall.c:1005)
==21844==
==21844==
==21844== 10,692 bytes in 33 blocks are still reachable in loss record 34
of 44
==21844==at 0x4805400: malloc (vg_replace_malloc.c:149)
==21844==by 0x4830106: pairmake (valuepair.c:1049)
==21844==by 0x4830A58: pairread (valuepair.c:1244)
==21844==by 0x4830C15: userparse (valuepair.c:1296)
==21844==by 0x9BAB: pairlist_read (files.c:200)
==21844==by 0x4BBB5FF: preprocess_instantiate (rlm_preprocess.c:493)
==21844==by 0xCCBE: find_module_instance (modules.c:358)
==21844==by 0xDCBD: do_compile_modsingle (modcall.c:1005)
==21844==by 0xD34C: setup_modules (modules.c:580)
==21844==by 0x10A35: main (radiusd.c:965)
==21844==
==21844==
==21844== 13,325 bytes in 21 blocks are still reachable in loss record 35
of 44
==21844==at 0x480473F: calloc (vg_replace_malloc.c:279)
==21844==by 0x4FE8F57A: _dl_new_object (in /lib/ld-2.5.so)
==21844==by 0x4FE8B0E0: _dl_map_object_from_fd (in /lib/ld-2.5.so)
==21844==by 0x4FE8D403: _dl_map_object (in /lib/ld-2.5.so)
==21844==by 0x4FE96668: dl_open_worker (in /lib/ld-2.5.so)
==21844==by 0x4FE92C05: _dl_catch_error (in /lib/ld-2.5.so)
==21844==by 0x4FE96191: _dl_open (in /lib/ld-2.5.so)
==21844==by 0x419BCD0C: dlopen_doit (in /lib/libdl-2.5.so)
==21844==by 0x4FE92C05: _dl_catch_error (in /lib/ld-2.5.so)
==21844==by 0x419BD38B: _dlerror_run (in /lib/libdl-2.5.so)
==21844==by 0x419BCC43: dlopen@@GLIBC_2.1 (in /lib/libdl-2.5.so)
==21844==by 0x48392A9: sys_dl_open (ltdl.c:958)
==21844==
==21844==
==21844== 15,808 bytes in 670 blocks are still reachable in loss record 36
of 44
==21844==at 0x4805400: malloc (vg_replace_malloc.c:149)
==21844==by 0x418C001F: strdup (in /lib/libc-2.5.so)
==21844==by 0x79D7: cf_section_read (conffile.c:207)
==21844==by 0x8094: conf_read (conffile.c:917)
==21844==by 0xB55D: read_radius_conf_file (mainconfig.c:1264)
==21844==by 0xB6A5: read_mainconfig (mainconfig.c:1309)
==21844==by 0x109F2: main (radiusd.c:941)
==21844==
==21844==
==21844== 26,768 bytes in 336 blocks are still reachable in loss record 37
of 44
==21844==at 0x4805400: malloc (vg_replace_malloc.c:149)
==21844==by 0x4B944E1: eap_compose (eap.c:395)
==21844==by 0x4B93AC8: eap_authenticate (rlm_eap.c:341)
==21844==by 0xE3C7: modcall (modcall.c:236)
==21844==by 0xEA6B: call_one (modcall.c:269)
==21844==by 0xE5B9: modcall (modcall.c:324)
==21844==by 0xC63D: indexed_modcall (modules.c:469)
==21844==by 0x5213: rad_check_password (auth.c:380)
==21844==by 0x579A: rad_authenticate (auth.c:675)
==21844==by 0xFC66: rad_respond (radiusd.c:1675)
==21844==by 0x116B1: main (radiusd.c:1440)
==21844==
==21844==
==21844== 49,152 bytes in 4 blocks are still reachable in loss record 38
of 44
==21844==at 0x4805400: malloc (vg_replace_malloc.c:149)
==21844==by 0x4825B3F: lrad_hash_table_insert (hash.c:375)
==21844==by 0x4822AAF: dict_addattr (dict.c:478)
==21844==by 0x482316B: my_dict_init (dict.c:744)
==21844==by 0x4822F71: my_dict_init (dict.c:1050)
==21844==by 0x4822F71: my_dict_init (dict.c:1050)
==21844==by 0x4823DC5: dict_init (dict.c:1258)
==21844==by 0xB5AF: read_radius_conf_file (mainconfig.c:1276)
==21844==by 0xB6A5: read_mainconfig (mainconfig.c:1309)
==21844==by 0x109F2: main (radiusd.c:941)
==21844==
==21844==
==21844== 64,892 bytes in 1,704 blocks are still reachable in loss record
39 of 44
==21844==at 0x4805400: malloc (vg_replace_malloc.c:149)
==21844==by 0x153DC: rad_malloc (util.c:308)
==21844==by 0x79AE: cf_section_read (conffile.c:203)
==21844==by 0x8094: conf_read (conffile.c:917)
==21844==by 0xB55D: read_radius_conf_file (mainconfig.c:1264)
==21844==by 0xB6A5: read_mainconfig (mainconfig.c:1309)
==21844==by 0x109F2: main (radiusd.c:941)
==21844==
==21844==
==21844== 136,877 bytes in 5,331 blocks are still 

Re: Problem with logging detail-log to syslog

2007-05-23 Thread Claudiu Filip
Hi Mark,
Wednesday, May 23, 2007, 2:47:10 PM, you wrote:



   logdir = syslog
[...]
   rlm_detail: Failed to create directory syslog/radacct: No such file or 
 directory


LOGDIR means... log dir :



regards,
Claudiu Filip




Re: Problem connecting to a router via RADIUS Server authentication

2007-05-23 Thread Claudiu Filip
Hi prajakta,



Be sure you have in clients.conf something like:
client 192.168.6.15 {
secret  = working789
shortname   = mylinksys
nastype = other
}
Restart radiusd if you changed something here.


Then go to http://192.168.6.15 to configure your Linksys and in the RADIUS
section set the RADIUS password/shared secret to working789.

Use your own password instead of working789.



Regards,

Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113




Re: Problem connecting to a router via RADIUS Server authentication

2007-05-23 Thread Stadler Karel
Make sure you have the same shared secret configured on your Linksys
router and in your clients.conf, which looks like this:

# Linksys
client 192.168.6.15 {
secret  = whatever
shortname   = myRouter
nastype = other
} 

replace whatever with the secret key.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of prajakta
choudhari
Sent: Wednesday, 23 May 2007 14:34
To: freeradius-users@lists.freeradius.org
Subject: Problem connecting to a router via RADIUS Server authentication

Hi all:
I have configured the RADIUS server. I have a
Linksys router with wireless security as RADIUS
enabled and a laptop that connects to the Linksys
router.

Whenever I try connecting to the router I get the
following message on the machine with the RADIUS
server.
The clients.conf has the secret key as testing123. In
which other file do I have to put the same key?


Cleaning up request 4 ID 0 with timestamp 46543306
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.6.15:2050, id=0, length=129
Received packet from 192.168.6.15 with invalid Message-Authenticator!  (Shared secret is incorrect.)
Dropping packet without response.


Could someone throw light on this issue?
Thank you
Prajakta Choudhari






Re: Problem with logging detail-log to syslog

2007-05-23 Thread Mark van Herpen
Claudiu,

I know what logdir means :)

But according to the Syslog_Howto from the wiki, 
http://wiki.freeradius.org/Syslog_HOWTO :

 
Modify /etc/raddb/radiusd.conf:

logdir = syslog
log_destination = syslog

Because of the logdir entry above, you must locate all references to
${logdir}, comment the line out and replace it with an absolute path.
There must be better ways to do this, but it isn't immediately obvious.


So, I didn't find out that logdir part myself. The wiki also mentions
that I have to replace all ${logdir} values with an absolute path. But I
don't want that, because syslog has to take care of that part.

Grtz,

Mark van Herpen

Claudiu Filip wrote:
 Hi Mark,
 Wednesday, May 23, 2007, 2:47:10 PM, you wrote:
 
 
 
 
  logdir = syslog
 
 [...]
 
  rlm_detail: Failed to create directory syslog/radacct: No such file or 
 directory
 
 
 
 LOGDIR means... log dir :
 
 
 
 regards,
 Claudiu Filip
 
 


Re[2]: Problem with logging detail-log to syslog

2007-05-23 Thread Claudiu Filip
Hi Mark,



it seems that you forgot a line with
   radacctdir = ${logdir}/radacct

if you have no line with radacctdir, then add one with the correct
path.



best regards,


Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113





Re: Problem with logging detail-log to syslog

2007-05-23 Thread Mark van Herpen
Claudiu,

I've got that line in my config, with the exact same path.

Grtz,

Mark


Re: Accounting-Response with invalid signature

2007-05-23 Thread Alex French
On 23/05/07, Rio Yang [EMAIL PROTECTED] wrote:

 NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)

 (FreeRadius proxy to JuniperSBR)

 The error message occurred between FreeRADIUS and JuniperSBR.

But then you need to set the same shared secret on the FreeRadius
server and the JuniperSBR, nothing to do with the NAS.

Alex


freeradius as a middleware between multiple ldap/ADS-s ervers and CMS

2007-05-23 Thread baeus
Hello,
I have got a very general question.

I have got a Moodle CMS on the internet. For single sign-on I made an
LDAP authentication between our ADS in school and Moodle. So every teacher
and student can log into Moodle with his Windows domain password.

Now other schools are also interested in single sign-on to our Moodle.
Unfortunately only one LDAP connection is accepted by Moodle at one time.

So I'm looking for a middleware. On one side the middleware has to handle
multiple LDAP/ADS servers and on the other side the middleware has to talk to
Moodle with one host address, one port and one shared key.

Will RADIUS be my friend? The RADIUS connector does exist in Moodle.

Stefan




strange thing happening with rlm_perl

2007-05-23 Thread Pedro Figueiredo
hi,

I'm using FR 1.1.2 and Perl 5.8.4, and wrote a simple Perl script to
return 2 random LNSs for a given huntgroup.

$ uname -a
Linux radius1_staging 2.6.8-x4100-1 #1 SMP Wed Jun 7 08:58:42 BST  
2006 x86_64 GNU/Linux

this is what i have in users, right at the top:
#
[EMAIL PROTECTED] Huntgroup-Name == testhuntgroup
 Framed-Protocol = PPP,
 Service-Type = Dialout-Framed-User

DEFAULT Auth-Type = Perl
 Fall-Through = 1

DEFAULT Huntgroup-Name == othergroup, Suffix == @foo
...
#

i have radiusd.conf setup as per http://wiki.freeradius.org/Rlm_perl  
and the following group in authorize:

 group {
 ldap {
 fail = return
 notfound = return
 }
 files {
 ok = 1
 }
 perl {
 ok =1
 }
 auth_log
 ok = return
 }

my Perl script simply slurps a file with the several LNS parameters and
returns 2 randomly chosen ones through %RAD_REPLY:

# %RAD_REPLY is filled in by rlm_perl; the return code constant is the one
# the rlm_perl example script defines (RLM_MODULE_UPDATED => 8).
use constant RLM_MODULE_UPDATED => 8;

sub authorize {

    # boring file reading and random op...
    # (fills @lns with [ip, password, preference] entries and picks $lns1, $lns2)

    # First tunnel: every attribute carries the :1 tag.
    my ( $ip1, $password1, $pref1 ) = @{ $lns[$lns1] };
    $RAD_REPLY{'Tunnel-Server-Endpoint:1'}  = $ip1;
    $RAD_REPLY{'Tunnel-Type:1'}             = 'L2TP';
    $RAD_REPLY{'Tunnel-Medium-Type:1'}      = 'IP';
    $RAD_REPLY{'Tunnel-Password:1'}         = $password1;
    $RAD_REPLY{'Tunnel-Assignment-Id:1'}    = 1;
    $RAD_REPLY{'Tunnel-Preference:1'}       = $pref1;

    # Second tunnel: every attribute carries the :2 tag.
    my ( $ip2, $password2, $pref2 ) = @{ $lns[$lns2] };
    $RAD_REPLY{'Tunnel-Server-Endpoint:2'}  = $ip2;
    $RAD_REPLY{'Tunnel-Type:2'}             = 'L2TP';
    $RAD_REPLY{'Tunnel-Medium-Type:2'}      = 'IP';
    $RAD_REPLY{'Tunnel-Password:2'}         = $password2;
    $RAD_REPLY{'Tunnel-Assignment-Id:2'}    = 2;
    $RAD_REPLY{'Tunnel-Preference:2'}       = $pref2;

    return RLM_MODULE_UPDATED;
}

what I'm seeing in the response are mixed AV pairs, and the connection
fails (I assume because the data for each tunnel is incomplete). Here
is what I see in the logs and the response sent:

rlm_perl: Added pair Tunnel-Assignment-Id = 2
rlm_perl: Added pair Tunnel-Medium-Type = IP
rlm_perl: Added pair Tunnel-Type = L2TP
rlm_perl: Added pair Tunnel-Server-Endpoint = x.x.x.x
rlm_perl: Added pair Tunnel-Password = foo
rlm_perl: Added pair Tunnel-Assignment-Id = 1
rlm_perl: Added pair Service-Type = Dialout-Framed-User
rlm_perl: Added pair Tunnel-Medium-Type = IP
rlm_perl: Added pair Tunnel-Server-Endpoint = y.y.y.y
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Tunnel-Type = L2TP
rlm_perl: Added pair Tunnel-Preference = 1
rlm_perl: Added pair Tunnel-Password = bar
rlm_perl: Added pair Tunnel-Preference = 50

here it seems to be ignoring the :1 and :2 for each tunnel. This then
results in the following reply, with values from both tunnels mixed:

Sending Access-Accept of id 234 to t.t.t.t port 9208
 Framed-Protocol = PPP
 Service-Type = Dialout-Framed-User
 Tunnel-Assignment-Id:2 = 2
 Tunnel-Medium-Type:1 = IP
 Tunnel-Type:1 = L2TP
 Tunnel-Server-Endpoint:2 = x.x.x.x
 Tunnel-Password:2 = foo
 Tunnel-Preference:2 = 1

am I doing something wrong, and if so, what? Any help much appreciated.

thanks in advance,

pedro
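To show what the :1 and :2 suffixes mean on the wire, here is an added Python example that is not from the post and not from rlm_perl: it encodes tunnel attributes with the RFC 2868 tag octet, decodes them back, groups them by tag and reports which tunnel is missing a required attribute, using the same attribute mix as the mixed reply above. Attribute numbers and enum values (Tunnel-Type L2TP = 3, Tunnel-Medium-Type IPv4 = 1) are from RFC 2868; the endpoint addresses are constructed, and Tunnel-Password is left out because it additionally carries a salt and an obfuscated value (RFC 2868 section 3.5).

```python
"""Added example: RFC 2868 tagged tunnel attributes.  The tag octet is what
ties Tunnel-Server-Endpoint, Tunnel-Type and Tunnel-Medium-Type of one
tunnel together; sample values are constructed."""
import struct
from collections import defaultdict

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_ASSIGNMENT_ID, TUNNEL_PREFERENCE = 82, 83
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_SERVER_ENDPOINT: "Tunnel-Server-Endpoint",
         TUNNEL_ASSIGNMENT_ID: "Tunnel-Assignment-Id", TUNNEL_PREFERENCE: "Tunnel-Preference"}
INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE}
REQUIRED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT)
L2TP, MEDIUM_IPV4 = 3, 1   # enum values from RFC 2868


def encode_tagged(attr_type, tag, value):
    """Tag (0 = untagged, 1..31) is the first octet of the value.  Tagged
    integers keep only 24 bits; tagged strings follow the tag octet."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if attr_type in INTEGER_ATTRS:
        if not 0 <= value < 1 << 24:
            raise ValueError("tagged integer is only 24 bits wide")
        body = bytes([tag]) + struct.pack("!I", value)[1:]
    else:
        body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def decode_tagged(attrs_bytes):
    """Yield (tag, attr_type, value) for each tunnel attribute in a TLV blob.
    A first octet above 0x1F is not a tag but part of the value (RFC 2868)."""
    pos = 0
    while pos + 2 <= len(attrs_bytes):
        t, length = attrs_bytes[pos], attrs_bytes[pos + 1]
        if length < 2 or pos + length > len(attrs_bytes):
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = attrs_bytes[pos + 2:pos + length]
        pos += length
        if t not in NAMES:
            continue
        if raw and raw[0] <= 0x1F:
            tag, payload = raw[0], raw[1:]
        else:
            tag, payload = 0, raw
        value = int.from_bytes(payload, "big") if t in INTEGER_ATTRS else payload
        yield tag, t, value


def group_by_tag(attrs_bytes):
    """tag -> {attribute name: value}, i.e. one dict per tunnel."""
    groups = defaultdict(dict)
    for tag, t, value in decode_tagged(attrs_bytes):
        groups[tag][NAMES[t]] = value
    return dict(groups)


def incomplete_tunnels(groups):
    """tag -> names of required attributes that tunnel lacks (empty if all usable)."""
    missing = {}
    for tag, attrs in groups.items():
        absent = [NAMES[t] for t in REQUIRED if NAMES[t] not in attrs]
        if absent:
            missing[tag] = absent
    return missing


def demo():
    # Two complete LNS definitions, as the %RAD_REPLY{'...:1'} / ':2' keys intend.
    good = b"".join([
        encode_tagged(TUNNEL_SERVER_ENDPOINT, 1, b"192.0.2.10"),
        encode_tagged(TUNNEL_TYPE, 1, L2TP),
        encode_tagged(TUNNEL_MEDIUM_TYPE, 1, MEDIUM_IPV4),
        encode_tagged(TUNNEL_ASSIGNMENT_ID, 1, b"1"),
        encode_tagged(TUNNEL_PREFERENCE, 1, 1),
        encode_tagged(TUNNEL_SERVER_ENDPOINT, 2, b"192.0.2.20"),
        encode_tagged(TUNNEL_TYPE, 2, L2TP),
        encode_tagged(TUNNEL_MEDIUM_TYPE, 2, MEDIUM_IPV4),
        encode_tagged(TUNNEL_ASSIGNMENT_ID, 2, b"2"),
        encode_tagged(TUNNEL_PREFERENCE, 2, 50),
    ])
    # The tag mix from the Access-Accept in the post: neither tunnel is complete.
    mixed = b"".join([
        encode_tagged(TUNNEL_ASSIGNMENT_ID, 2, b"2"),
        encode_tagged(TUNNEL_MEDIUM_TYPE, 1, MEDIUM_IPV4),
        encode_tagged(TUNNEL_TYPE, 1, L2TP),
        encode_tagged(TUNNEL_SERVER_ENDPOINT, 2, b"192.0.2.10"),
        encode_tagged(TUNNEL_PREFERENCE, 2, 1),
    ])
    return incomplete_tunnels(group_by_tag(good)), incomplete_tunnels(group_by_tag(mixed))


if __name__ == "__main__":
    good_missing, mixed_missing = demo()
    print("complete reply, missing per tag:", good_missing)
    print("mixed reply, missing per tag:   ", mixed_missing)
```

The `incomplete_tunnels` check is the kind of sanity test worth running on a reply before it leaves the server: for the mixed reply it reports tag 1 without an endpoint and tag 2 without type and medium, which is the "data for each tunnel is incomplete" situation described above.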


Grouping users and clients

2007-05-23 Thread Giovanni Lovato

Hi all.
We have a set of Cisco routers and a pool of users in an LDAP directory.
At this time routers are configured to request authentication from
FreeRadius, which binds to LDAP and grants access to the user on
successful binding.
We need to create groups of routers and groups of users, granting
access to certain groups of routers only to certain groups of users.

Can we do that using FreeRadius?

Thank you,
G.L.
--
www.aldu.net/~heruan
[EMAIL PROTECTED]



dictionary handling

2007-05-23 Thread Wolfgang Rosenauer
Hi,

Since I just began to use FreeRADIUS in production I found some strangeness.
The default configuration is to include all dictionaries, but I wonder
how they are evaluated?

I have a Cisco NAS which sends (at least I think) VSA records and so I
configured the Cisco VSA hack.

For accounting reasons I'm interested in Cisco-PreSession-Time which is 198.
In the detail log I found X-Ascend-PreSession-Time instead of
Cisco-PreSession-Time though.
If I grep through the dictionaries I found:

dictionary.alvarion:ATTRIBUTE   Alvariaon-VSA-198           198 string
dictionary.aptis:ATTRIBUTE      CVX-PreSession-Time         198 integer
dictionary.ascend:ATTRIBUTE     Ascend-PreSession-Time      198 integer
dictionary.ascend:ATTRIBUTE     X-Ascend-PreSession-Time    198 integer
dictionary.cisco:ATTRIBUTE      Cisco-PreSession-Time       198 integer
dictionary.epygi:ATTRIBUTE      Epygi-OutRTP_PacketSize     198 integer
dictionary.lucent:ATTRIBUTE     Lucent-PreSession-Time      198 integer


So I find it strange that freeradius logs X-Ascend-PreSession-Time at
all since it's not the first match and not the last one.
In addition I wonder if it makes sense that dictionary.ascend has two
definitions for 198.

I was under the impression that the correct dictionary would be chosen
by the vendor ID (9 in case of Cisco).

So any idea why freeradius logs Ascend attributes then?

Thanks,
 Wolfgang
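As an added example (not FreeRADIUS's own dictionary code), the Python below shows the distinction that decides which name a decoder prints: a vendor-specific attribute is nested inside attribute 26 with a 4-octet Vendor-Id (9 for Cisco, as noted in the post) and has to be looked up by (vendor, type), whereas a bare top-level attribute 198 carries no vendor at all and can only be matched against dictionary entries that have none. The two names used are the ones from the grep output; the packet bytes are constructed, and the example does not claim which form this particular NAS sends, which is something the raw attribute in the debug output would show.

```python
"""Added example: naming RADIUS attributes by (vendor, type).  A VSA is
carried inside attribute 26 (RFC 2865 section 5.26); a bare attribute 198
has no Vendor-Id.  Dictionary names are the two from the post; the packet
bytes are constructed."""
import struct

VENDOR_SPECIFIC = 26
CISCO = 9   # Vendor-Id from the post

# Entries with no vendor column apply only to top-level attributes ...
TOP_LEVEL = {198: "X-Ascend-PreSession-Time"}
# ... while vendor entries apply only to sub-attributes inside attribute 26.
VENDOR = {(CISCO, 198): "Cisco-PreSession-Time"}


def encode_vsa(vendor_id, vendor_type, value):
    """26 | length | Vendor-Id (4 octets) | vendor-type | vendor-length | value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def encode_plain(attr_type, value):
    """Ordinary top-level attribute: type | length | value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode(attrs_bytes):
    """Return [(name, value-bytes)] with names resolved by (vendor, type) for
    VSAs and by bare type for everything else."""
    out, pos = [], 0
    while pos + 2 <= len(attrs_bytes):
        t, length = attrs_bytes[pos], attrs_bytes[pos + 1]
        if length < 2 or pos + length > len(attrs_bytes):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = attrs_bytes[pos + 2:pos + length]
        pos += length
        if t != VENDOR_SPECIFIC:
            out.append((TOP_LEVEL.get(t, "Attr-%d" % t), value))
            continue
        if len(value) < 6:
            raise ValueError("Vendor-Specific attribute too short")
        vendor = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos + 2 <= len(value):   # one 26 may hold several sub-attributes
            vt, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            name = VENDOR.get((vendor, vt), "Vendor-%d-Attr-%d" % (vendor, vt))
            out.append((name, value[vpos + 2:vpos + vlen]))
            vpos += vlen
    return out


def demo():
    """Same number 198, same integer value, two different names."""
    seconds = struct.pack("!I", 12)   # constructed pre-session time
    packet = encode_vsa(CISCO, 198, seconds) + encode_plain(198, seconds)
    return [name for name, _ in decode(packet)]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

The point for the detail log: if a line says X-Ascend-PreSession-Time, the decoder matched a top-level attribute 198, not a Cisco sub-attribute; a true Cisco VSA can only ever resolve through the (9, 198) entry.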


Re: Grouping users and clients

2007-05-23 Thread Kostas Kalevras
Giovanni Lovato wrote:
 Hi all.
 We have a set of Cisco routers and a pool of users in an LDAP
 directory. At this time routers are configured to request
 authentication from FreeRadius, which binds to LDAP and grants access to
 the user on successful binding.
 We need to create groups of routers and groups of users, granting
 access to certain groups of routers only to certain groups of users.
 Can we do that using FreeRadius?

groups of routers = huntgroups
ldap module provides functionality for group handling.


 Thank you,
 G.L.
 



-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com


Re: Accounting-Response with invalid signature

2007-05-23 Thread Rio Yang

I have checked all secrets and they are the same.

Not all Accounting-Responses have an invalid signature.
This error message occurs only sometimes.
It's very strange.

Rio

2007/5/23, Alex French [EMAIL PROTECTED]:


On 23/05/07, Rio Yang [EMAIL PROTECTED] wrote:

 NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)

 (FreeRadius proxy to JuniperSBR)

 The error message occurred between FreeRADIUS and JuniperSBR.

But then you need to set the same shared secret on the FreeRadius
server and the JuniperSBR, nothing to do with the NAS.

Alex

log file for free radius 1.1.6 eap-tls authentication

2007-05-23 Thread Anoop
Hi
I am using FreeRADIUS 1.1.6 with EAP-TLS authentication. The whole set
up is working fine.
But I am not getting any logs, like user login ok, login failed etc.

Please guide me:
How will I get logs and what configuration do I need to do in the
configuration files?

Regards
Anoop




