Re: wholesale issue
Dear, I have added this to huntgroups but nothing happened; if I want to use mysql database as a backend is there any way to do that?

[EMAIL PROTECTED] wrote:

You can use huntgroups:

    isp1 Realm == isp1realm Calling-Station-Id = number1, Calling-Station-Id = number2

Ivan Kalik
Kalik Informatika ISP

On 13/9/2007, Ashraf Al-Basti [EMAIL PROTECTED] wrote:

Dear All, I want to set up a freeradius as a proxy radius for a wholesale, and want to limit the access by using the calling-station-id; so [EMAIL PROTECTED] can connect only from any calling-station-id that belongs to isp1 (e.g. 555111, 333222) and [EMAIL PROTECTED] can connect only from any calling-station-id that belongs to isp2.

I have all the calling station IDs which belong to the ISPs, but I didn't have the username for every ISP, and want to use the realm instead of the username to do that. Can I use the checkval to check for the calling-station-id and realm, or is there any way to do that?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log

I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?

    modcall[authorize]: module sql returns ok for request 0
    users: Matched entry DEFAULT at line 155
    modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns updated) for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No User-Password or CHAP-Password attribute in the request]

Remove whatever is on line 155 of the users file; it is setting Auth-Type (almost always a bad idea) to Local so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.

I had the following on line 155, which when commented out, seems to make no difference.

    DEFAULT Auth-Type = System
            Fall-Through = 1

Andrew
Re: Configuring FreeRADIUS to use ntlm_auth
[EMAIL PROTECTED] wrote:

radtest doesn't do MS-CHAP. The page tries to make this clear.

== Sorry ... but I hadn't understood it (I thought that just radclient doesn't work). Now I know that radtest too ...

radtest is just a shell script wrapper around radclient.

You've done rather a lot more than just add ntlm_auth to the authenticate section. This means that the config that previously worked... now doesn't work.

== I think this configuration is original (FreeRadius installation's). Because, in the previous test this configuration was already there. And the previous test works (Configuring FreeRADIUS to use ntlm_auth)!

It's either the original FreeRADIUS config, or the one you modified to get the previous test to work. Which one is it?

== I tried to use the working configuration with a real login, but the behavior is the same, it appears the message that you mentioned: rad_check_password: Found Auth-Type System

Yes... because your configuration for THIS test is not the same as for the LAST test.

Can you help me ?

Believe me, I'm trying.

Alan DeKok.
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Andrew Rowson wrote:

Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log

The output is a LOT shorter than your tests with the previous version.

I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?

No, but something is forcing Auth-Type := Local. It's either in the SQL DB, or line 155 of the users file. Fix that.

Alan DeKok.
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Andrew Rowson wrote:

I had the following on line 155, which when commented out, seems to make no difference.

    DEFAULT Auth-Type = System
            Fall-Through = 1

(1) Start off with the default radiusd.conf in 1.1.7.
(2) Change just enough to enable tls and peap
(3) run the tests

There is NOTHING in the default config that forces Auth-Type := Local. If you see it happening, it's because of some configuration on your system that is NOT normal.

Alan DeKok.
Re: wholesale issue
Try User-Name =~ '@isp1realm$' instead of Realm. Realm attribute might not work in preprocess as it's not set yet. You can use unlang to check for multiple values in 2.0 but I don't know how to implement this function in SQL in 1.1.x.

Ivan Kalik
Kalik Informatika ISP

On 16/9/2007, Ashraf Al-Basti [EMAIL PROTECTED] wrote:

Dear, I have added this to huntgroups but nothing happened; if I want to use mysql database as a backend is there any way to do that?

[EMAIL PROTECTED] wrote:

You can use huntgroups:

    isp1 Realm == isp1realm Calling-Station-Id = number1, Calling-Station-Id = number2

Ivan Kalik
Kalik Informatika ISP

On 13/9/2007, Ashraf Al-Basti [EMAIL PROTECTED] wrote:

Dear All, I want to set up a freeradius as a proxy radius for a wholesale, and want to limit the access by using the calling-station-id; so [EMAIL PROTECTED] can connect only from any calling-station-id that belongs to isp1 (e.g. 555111, 333222) and [EMAIL PROTECTED] can connect only from any calling-station-id that belongs to isp2.

I have all the calling station IDs which belong to the ISPs, but I didn't have the username for every ISP, and want to use the realm instead of the username to do that. Can I use the checkval to check for the calling-station-id and realm, or is there any way to do that?
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck.

Ivan Kalik
Kalik Informatika ISP

On 16/9/2007, Andrew Rowson [EMAIL PROTECTED] wrote:

Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log

I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?

    modcall[authorize]: module sql returns ok for request 0
    users: Matched entry DEFAULT at line 155
    modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns updated) for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No User-Password or CHAP-Password attribute in the request]

Remove whatever is on line 155 of the users file; it is setting Auth-Type (almost always a bad idea) to Local so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.

I had the following on line 155, which when commented out, seems to make no difference.

    DEFAULT Auth-Type = System
            Fall-Through = 1

Andrew
Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2
Scott Lambert wrote:

I've added some debug prints to lrad_packet_list_socket_add and changed up the printfs in lrad_packet_list_find_byreply. I don't know that they will help. But, just in case

The problem is this:

In jailed client:

    radclient: main: radclient_head-request-src_ipaddr.af = 0
    radclient: main: client_ipaddr.ipaddr.ip4addr = 0, client_port = 0
    lrad_socket: sa-sin_addr = 0
    lrad_packet_list_socket_add: src.ss_family == AF_INET
    lrad_packet_list_socket_add: ps-port = 64551
    lrad_packet_list_socket_add: ps-inaddr_any = 0

That should be 1, not 0. Fix that, and everything else will be OK.

Don't bother with printing anything in the packet comparison functions, or the hash functions. They're just innocent bystanders.

Figure out WHY lrad_packet_list_socket_add() isn't setting ps-inaddr_any to 1. That's the only relevant issue. Everything else is noise.

Alan DeKok.
Re: FreeRADIUS 2.0.0-pre2 has been released
Jakob Hirsch wrote:

Quoting Alan DeKok: Hmm... hadn't thought of doing it that way. It could be possible.

Meaning try it and get back to list when you have the results? :)

No, as in it's not currently enabled.

Allow me to elaborate on that: a global listen section: ... two virtual servers: server foo { client 10.1.0.1 { secret = secret1

The way it's set up right now, the easiest way to do that is to list the clients globally, not inside of a server.

So 10.1.0.1 and 10.2.0.1 will both send their requests to the server's address 10.0.0.1, and freeradius will determine by itself (with little performance penalty) the proper virtual server for the requests?

That can be done with little amounts of work. It's probably a good idea, too. See updates in CVS in a few days. raddb/sites-available/README.

But what happens with requests that could be processed by more than one virtual server? Like, in the example above, if they had both the same client definition (same ip-address, same secret). Random, sequentially selected (e.g. first match wins), config error, doomsday?

Right now, your configuration won't work. The listen section is global, and therefore looks for global clients. The clients are buried inside of a server section, so there are *no* known clients.

The solution is to put the clients globally, and add a server=foo entry in each of them. That way the listen section can find the clients, and the clients point to the virtual server.

Alan DeKok.
Working MAC-auth. in 1.1.7, not working in 2.0pre2 (noob-quiz).
Hi all.

I'm getting my hands dirty with radius and I'm really enjoying it too : ). I'm totally new at this and I'm basically trying my way through, lots of trying and log reading as you can imagine. I got some things rolling, my firewall's pptp-auths and now my Proxim AP4000 with MAC-addr auth - just too hot.

Now I just have to try the 2.0pre-release, to get prepared for the future. I have manually written in my clients and users in the version 2's configs. Everything works except for one small thing; now I can't login. These are the errors;

    rad_recv: Access-Request packet from host 10.0.5.200 port 6001, id=5, length=151
    User-Name = 00-17-f2-ea-b1-3e
    User-Password = 00-17-f2-ea-b1-3e
    NAS-IP-Address = 10.0.5.200
    Called-Station-Id = 00-20-a6-6f-93-bf:My Wireless Network B
    Calling-Station-Id = 00-17-f2-ea-b1-3e
    NAS-Port = 9
    NAS-Port-Type = Wireless-802.11
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[unix] returns notfound
    rlm_realm: No '@' in User-Name = 00-17-f2-ea-b1-3e, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [00-17-f2-ea-b1-3e/00-17-f2-ea-b1-3e] (from client ap4000-intern port 9 cli 00-17-f2-ea-b1-3e)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} - 00-17-f2-ea-b1-3e
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request

So, something is wrong with the default PAP-attributes. I look in the attr.access_reject-file and it guides me to the man-page. Unfortunately it doesn't help me much, I tried PAP-Message=* ANY but it was a lame try. I haven't found any info about this either on the net (sorry if I missed something too easy).

Now I'm stuck, all help is appreciated.

Startup-info:

    debian:~# /usr/local/sbin/radiusd -v
    radiusd: FreeRADIUS Version 2.0.0-pre2, for host powerpc-unknown-linux-gnu, built on Sep 15 2007 at 06:11:44
    Copyright (C) 2000-2007 The FreeRADIUS server project.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
    For more information about these matters, see the file named COPYRIGHT.
    debian:~# /usr/local/sbin/radiusd -X -f -d /usr/local/etc/raddb
    FreeRADIUS Version 2.0.0-pre2, for host powerpc-unknown-linux-gnu, built on Sep 15 2007 at 06:11:44
    Copyright (C) 2000-2007 The FreeRADIUS server project.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
    Config: including file: /usr/local/etc/raddb/radiusd.conf
    Config: including file: //usr/local/etc/raddb/proxy.conf
    Config: including file: //usr/local/etc/raddb/clients.conf
    Config: including file: //usr/local/etc/raddb/snmp.conf
    Config: including file: //usr/local/etc/raddb/eap.conf
    Config: including file: //usr/local/etc/raddb/sql.conf
    Config: including file: //usr/local/etc/raddb/sql/mysql/dialup.conf
    Config: including file: //usr/local/etc/raddb/sql/mysql/counter.conf
    Config: including files in directory: //usr/local/etc/raddb/sites-enabled/
    Config: including file: //usr/local/etc/raddb/sites-enabled/default
    Starting - reading configuration files ...
read_config_files: reading dictionary main { prefix = /usr/local localstatedir = /var logdir = /var/log/radius libdir = /usr/local/lib radacctdir = /var/log/radius/radacct hostname_lookups = yes max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no log_stripped_names = no log_file = /var/log/radius/radius.log log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes pidfile = /var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes log { syslog_facility = daemon } proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } home_server localhost { ipaddr = 127.0.0.1 IP address [127.0.0.1] port = 1812 type = auth secret =
Re: Working MAC-auth. in 1.1.7, not working in 2.0pre2 (noob-quiz).
Check what you have written in users file. Nothing matched.

Ivan Kalik
Kalik Informatika ISP

On 16/9/2007, Piero Giobbi [EMAIL PROTECTED] wrote:

Hi all.

I'm getting my hands dirty with radius and I'm really enjoying it too : ). I'm totally new at this and I'm basically trying my way through, lots of trying and log reading as you can imagine. I got some things rolling, my firewall's pptp-auths and now my Proxim AP4000 with MAC-addr auth - just too hot.

Now I just have to try the 2.0pre-release, to get prepared for the future. I have manually written in my clients and users in the version 2's configs. Everything works except for one small thing; now I can't login. These are the errors;

    rad_recv: Access-Request packet from host 10.0.5.200 port 6001, id=5, length=151
    User-Name = 00-17-f2-ea-b1-3e
    User-Password = 00-17-f2-ea-b1-3e
    NAS-IP-Address = 10.0.5.200
    Called-Station-Id = 00-20-a6-6f-93-bf:My Wireless Network B
    Calling-Station-Id = 00-17-f2-ea-b1-3e
    NAS-Port = 9
    NAS-Port-Type = Wireless-802.11
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[unix] returns notfound
    rlm_realm: No '@' in User-Name = 00-17-f2-ea-b1-3e, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [00-17-f2-ea-b1-3e/00-17-f2-ea-b1-3e] (from client ap4000-intern port 9 cli 00-17-f2-ea-b1-3e)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} - 00-17-f2-ea-b1-3e
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request

So, something is wrong with the default PAP-attributes. I look in the attr.access_reject-file and it guides me to the man-page. Unfortunately it doesn't help me much, I tried PAP-Message=* ANY but it was a lame try. I haven't found any info about this either on the net (sorry if I missed something too easy).

Now I'm stuck, all help is appreciated.
Re: EAP and realm question.
Realm - since you are not using realms it is as expected. You can forget about that one.

EAP - yes, your AP doesn't have EAP (802.1x) enabled.

Ivan Kalik
Kalik Informatika ISP

On 16/9/2007, Piero Giobbi [EMAIL PROTECTED] wrote:

Hi again all, sorry for spamming the list.

I have two questions regarding EAP and REALM, realm first. In every request I get:

    rlm_realm: No '@' in User-Name = 00-17-f2-ea-b1-3e, looking up realm NULL
    rlm_realm: No such realm NULL

I wonder what that means, if/how to turn that off? Or should I even care?

EAP: I'm trying to get EAP working with my Proxim AP4000. When I auth. I get (Everything works great though, but I want the secure line between NAS and server (If I got it right? I don't like clear text.)):

    rad_recv: Access-Request packet from host 10.0.5.200:6001, id=4, length=151
    User-Name = 00-17-f2-ea-b1-3e
    User-Password = 00-17-f2-ea-b1-3e
    NAS-IP-Address = 10.0.5.200
    Called-Station-Id = 00-20-a6-6f-93-bf:My Wireless Network B
    Calling-Station-Id = 00-17-f2-ea-b1-3e
    NAS-Port = 9
    NAS-Port-Type = Wireless-802.11
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = 00-17-f2-ea-b1-3e, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry 00-17-f2-ea-b1-3e at line 96
    modcall[authorize]: module files returns ok for request 0
    modcall[authorize]: module pap returns updated for request 0
    modcall: leaving group authorize (returns updated) for request 0
    rad_check_password: Found Auth-Type pap
    auth: type PAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group PAP for request 0
    rlm_pap: login attempt with password 00-17-f2-ea-b1-3e
    rlm_pap: Using clear text password 00-17-f2-ea-b1-3e.
    rlm_pap: User authenticated successfully
    modcall[authenticate]: module pap returns ok for request 0
    modcall: leaving group PAP (returns ok) for request 0
    Sending Access-Accept of id 4 to 10.0.5.200 port 6001
    Calling-Station-Id == 00-17-f2-ea-b1-3e
    NAS-IP-Address = 82.182.120.201
    Called-Station-Id = 00-20-a6-6f-93-bf:My Wireless Network B
    NAS-Port = 9
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Framed-Routing = Broadcast-Listen
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds..

Does that mean that AP4000 doesn't send an EAP-request or is my config somehow broken? Is there any way to tell?

I tried to make my own certificates with CA.all in the script folder, but I got stuck in one place: error while loading serial number

I read somewhere that I could put a file in demoCA-folder with numbers in but that doesn't work, the file serial disappears and the same error comes up. Anyone solved this?

Error-message:

    + openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
    Using configuration from /usr/local/ssl/openssl.cnf
    ../demoCA/serial: No such file or directory
    error while loading serial number
    31237:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./demoCA/serial','r')
    31237:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    + openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
    No certificate matches private key
    + openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
    31239:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
    + openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
    unable to load certificate
    31240:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
    + echo -e '\n\t\t##\n'

Again; Many thx for all help!

p

Startup info (Yes, I know the EAP WARNINGS but I can't even get an eap-message/error):

    debian:~# /usr/sbin/radiusd -v
    radiusd: FreeRADIUS Version 1.1.7, for host powerpc-unknown-linux-gnu, built on Sep 15 2007 at 09:59:30
    Copyright (C) 2000-2007 The FreeRADIUS server project.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
    For more information about these matters, see the file named COPYRIGHT.
    debian:~# /usr/sbin/radiusd -X -f -d /etc/raddb/
    Starting - reading configuration
Re: Working MAC-auth. in 1.1.7, not working in 2.0pre2 (noob-quiz).
Piero Giobbi wrote:

Now I just have to try the 2.0pre-release, to get prepared for the future. I have manually written in my clients and users in the version 2's configs. Everything works except for one small thing; now I can't login. These are the errors;

The users file format hasn't changed. Perhaps thinking it changed is causing the problem:

2.0:

    ++[files] returns noop

So nothing matched.

So, something is wrong with the default PAP-attributes.

Please don't say that. There is no such thing as default PAP attributes.

When it all works under 1.1.7:

    users: Matched entry 00-17-f2-ea-b1-3e at line 96
    modcall[authorize]: module files returns ok for request 0

See? The entry matches in 1.1.7, and not in 2.0.

You can use the *exact* same users file from 1.1.7 in 2.0. Whatever changes you made to port it to 2.0 are breaking it.

Alan DeKok.
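
The comparison made in the reply above, and the Auth-Type Local diagnosis from the "Freeradius doesn't detect EAP" thread, can be automated. The following is an added example, not part of the original posts or of FreeRADIUS: a small Python parser that reads `radiusd -X` output in both the 1.1.7 and 2.0 formats and reports which authorize modules matched and which of the two failure modes applies. The name `analyze` and the finding labels are illustrative; the sample lines are assembled from the debug output quoted in this thread.

```python
import re

# Debug lines assembled from the radiusd -X output quoted in this thread
# (1.1.7 "modcall" format and 2.0 "++[module]" format).
LOG_1_1_7 = """\
modcall: entering group authorize for request 0
modcall[authorize]: module sql returns ok for request 0
users: Matched entry DEFAULT at line 155
modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
"""

LOG_2_0 = """\
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[files] returns noop
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
+- entering group REJECT
++[attr_filter.access_reject] returns updated
"""

GROUP = re.compile(r"entering group (\S+)")
MOD_1X = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+)")
MOD_2X = re.compile(r"\+\+\[([^\]]+)\] returns (\w+)")
USERS = re.compile(r"users: Matched entry (\S+) at line (\d+)")
FOUND = re.compile(r"Found Auth-Type (\S+)")


def analyze(log_text):
    """Summarise the authorize phase of one request from radiusd -X output."""
    group = None          # section currently running (needed for 2.0 format)
    modules = []          # (module, return code) from authorize, in order
    users_entry = None    # (entry, line number) matched in the users file
    auth_type = None      # Auth-Type the server reports it found, if any
    no_password = no_auth_type = False

    for line in log_text.splitlines():
        line = line.strip()
        m = MOD_1X.search(line)
        if m:
            # 1.1.x names the section on every module line.
            if m.group(1) == "authorize":
                modules.append((m.group(2), m.group(3)))
            continue
        m = MOD_2X.search(line)
        if m:
            # 2.0 does not, so skip modules run in REJECT and other groups.
            if group == "authorize":
                modules.append((m.group(1), m.group(2)))
            continue
        m = GROUP.search(line)
        if m:
            group = m.group(1)
            continue
        m = USERS.search(line)
        if m:
            users_entry = (m.group(1), int(m.group(2)))
            continue
        m = FOUND.search(line)
        if m:
            auth_type = m.group(1)
        if "No User-Password or CHAP-Password attribute" in line:
            no_password = True
        if "No authenticate method (Auth-Type)" in line:
            no_auth_type = True

    findings = []
    # Failure 1: Auth-Type forced to a password check on a request that has
    # no password (EAP). Look in the users file, radcheck and radgroupcheck.
    if auth_type in ("Local", "System") and no_password:
        findings.append("forced-auth-type")
    # Failure 2: files returned noop, so no users entry matched and no
    # Auth-Type was ever set.
    if no_auth_type and dict(modules).get("files") == "noop":
        findings.append("no-users-match")

    return {"modules": modules, "users_entry": users_entry,
            "auth_type": auth_type, "findings": findings}


if __name__ == "__main__":
    for name, log in (("1.1.7", LOG_1_1_7), ("2.0", LOG_2_0)):
        print(name, analyze(log))
```
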
Re: Freeradius doesn't detect EAP when authenticating against MySQL
[EMAIL PROTECTED] wrote:

Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck.

Ivan Kalik
Kalik Informatika ISP

I feel really stupid now. It was sitting there in radgroupcheck setting the auth-type to local. ARGH.

Ok, regroup. The new output is in the same place as before (http://public.growse.com/radiusd.log) - it sets the auth-type to EAP and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP.

Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue?

Thanks for everyone's help so far.

Andrew

On 16/9/2007, Andrew Rowson [EMAIL PROTECTED] wrote:

Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log

I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?

    modcall[authorize]: module sql returns ok for request 0
    users: Matched entry DEFAULT at line 155
    modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns updated) for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No User-Password or CHAP-Password attribute in the request]

Remove whatever is on line 155 of the users file; it is setting Auth-Type (almost always a bad idea) to Local so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.

I had the following on line 155, which when commented out, seems to make no difference.

    DEFAULT Auth-Type = System
            Fall-Through = 1

Andrew
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Well, AP is not responding. Request is for wireless access and attributes in the reply are for shell access. It might not like that.

Ivan Kalik
Kalik Informatika ISP

On 16/9/2007, Andrew Rowson [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote:

Comment it out anyway. You are setting Auth-Type Local in SQL database then. If not in radcheck then in radgroupcheck.

Ivan Kalik
Kalik Informatika ISP

I feel really stupid now. It was sitting there in radgroupcheck setting the auth-type to local. ARGH.

Ok, regroup. The new output is in the same place as before (http://public.growse.com/radiusd.log) - it sets the auth-type to EAP and seems to issue the attributes (my cisco priv ones are there) ok. My laptop still doesn't get an IP address, but this may now be an issue with the AP.

Can I safely now say that freeradius is behaving correctly and the issue is now with the AP, or does the above output still point to a freeradius issue?

Thanks for everyone's help so far.

Andrew

On 16/9/2007, Andrew Rowson [EMAIL PROTECTED] wrote:

Ok, I've upgraded to 1.1.7, and I get the auth-type local issue again. The log is up at the same place as before, http://public.growse.com/radiusd.log

I'm at a bit of a loss. I can't be the only person who wants to put user credentials for a PEAP setup into a mysql db?

    modcall[authorize]: module sql returns ok for request 0
    users: Matched entry DEFAULT at line 155
    modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns updated) for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No User-Password or CHAP-Password attribute in the request]

Remove whatever is on line 155 of the users file; it is setting Auth-Type (almost always a bad idea) to Local so FreeRadius thinks it should check the password; which it shouldn't, since this is an EAP conversation.

I had the following on line 155, which when commented out, seems to make no difference.

    DEFAULT Auth-Type = System
            Fall-Through = 1

Andrew
radius using 95 % of CPU
Hi,

I am new to freeradius and I just had to upgrade one of our servers to RHEL5. As part of this deployment, I have installed freeradius-1.1.3-1.2 and openldap-2.3.27-5. I have looked on the web and talked to some colleagues and this is probably an openldap issue. I am sure it has popped up on this discussion list before.

radius is taking up 95% of the CPU. I seem to be getting errors that say that all ldap connections are in use (rlm_ldap)

    Fri Sep 14 15:39:48 2007 : Error: WARNING: Unresponsive child (id 299209) for request 46
    Fri Sep 14 15:39:48 2007 : Error: WARNING: Unresponsive child (id 2981600144) for request 47
    Fri Sep 14 15:39:48 2007 : Error: WARNING: Unresponsive child (id 2971110288) for request 48
    Fri Sep 14 15:39:48 2007 : Error: rlm_ldap: All ldap connections are in use

We did not have any issue with version 2.29 of OpenLdap. Has something major changed? We are gonna downgrade for the time being but if you know of a solution please let me know.

cheers