RE: randomly crashing

2007-09-21 Thread Matt Ashfield
Saw this happen again last night. Last log entries I have are:
Thu Sep 20 19:06:24 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu Sep 20 19:06:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Auth: Login OK: [n2i7w] (from client localhost port 16689 cli 00-16-6F-07-3F-71)
Thu Sep 20 19:06:37 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Thu Sep 20 19:06:49 2007 : Error: Discarding duplicate request from client hh2380:20006 - ID: 133 due to unfinished request 922

After the error it crashed. Not sure why I'm seeing this. Any thoughts are
welcome!?

thanks

Matt 
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Ashfield
Sent: Tuesday, September 18, 2007 9:49 AM
To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
Subject: RE: randomly crashing


version of FR? modules or backend auth system used?
Using FR 1.1.5 and using mod_auth_ldap for auth


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: EAP (PEAP) MS-CHAPv2b how to

2007-09-21 Thread riky.none

Alan DeKok wrote:
> riky.none wrote:
>> I configure freeradius on basic authentication mode (using file
>> /etc/freeradius/users)
>>
>> paperino Auth-Type := Local, User-Password == paperino
>>
>> topolino Auth-Type := EAP, User-Password == topolino
>
>   (1) DO NOT SET AUTH-TYPE
>   (2) Use Cleartext-Password := ...
>   NOT User-Password ==
>
>> rlm_eap: No such EAP type peap
>
>   Read eap.conf.
>
>> I want use authentication without certificate
>
>   If you're using PEAP, you need a server certificate.
>
>> HOW TO configuration WIFI (client XP) and freeradius using EAP/PEAP ???
>
>   See the Wiki.  This is covered there.
>
>   Alan DeKok.

not angry Alan

I feel really stupid now...

I inserted this in the users file:

myuser   Cleartext-Password := somepass

run freeradius -X

/etc/freeradius/users[219]: Parse error (check) for entry myuser: Unknown attribute Cleartext-Password

eap config is not easy to read (for a newbie)

Is there a basic howto for configuring freeradius using TTLS???

In the wiki I can't find a basic EAP-TTLS howto


Re: EAP (PEAP) MS-CHAPv2b how to

2007-09-21 Thread A . L . M . Buxey
Hi,

> I feel really stupid now...
>
> I inserted this in the users file:
>
> myuser   Cleartext-Password := somepass
>
> run freeradius -X
>
> /etc/freeradius/users[219]: Parse error (check) for entry myuser: Unknown attribute Cleartext-Password

Sounds like you are running an old version. You will not get full support
from most folk unless you are running a recent release - e.g. 1.1.6/1.1.7 or
2.0pre2

alan


Re: EAP (PEAP) MS-CHAPv2b how to

2007-09-21 Thread Alan DeKok
riky.none wrote:
> run freeradius -X
> /etc/freeradius/users[219]: Parse error (check) for entry myuser:
> Unknown attribute Cleartext-Password

  You aren't using the latest version.  Why not?

> eap config is not easy to read (for a newbie)

  Do you have a question about something?

> Is there a basic howto for configuring freeradius using TTLS???

  1) Configure EAP-TLS
  2) uncomment the ttls section in eap.conf.

> In the wiki I can't find a basic EAP-TTLS howto

  There is very little effort needed to get EAP-TTLS to work.

  In 2.0-pre2, all you have to do is start the server as root.  PEAP
will work, EAP-TLS will work, and EAP-TTLS will work.

  Alan DeKok.


Re: randomly crashing

2007-09-21 Thread Alan DeKok
Matt Ashfield wrote:
> Saw this happen again last night. Last log entries I have are:
> Thu Sep 20 19:06:24 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
> Thu Sep 20 19:06:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)

  This message isn't in 1.1.7.  Please take a serious look at upgrading.

> Thu Sep 20 19:06:49 2007 : Error: Discarding duplicate request from client hh2380:20006 - ID: 133 due to unfinished request 922

  The DB you're using is slow.  That's a problem.

> After the error it crashed. Not sure why I'm seeing this. Any thoughts are
> welcome!?

  doc/bugs.  But first, upgrade.

  Alan DeKok.


Re: PAM authenticacion and groups

2007-09-21 Thread Diego Woitasen
2007/9/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> Groups are a part of authorization so there is no conflict with any
> authentication method. You can use ldap (Ldap-Group), sql(Sql-Group),
> unix (Group) ...
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 19/9/2007, Diego Woitasen [EMAIL PROTECTED] wrote:
>
>> 2007/9/19, Alan DeKok [EMAIL PROTECTED]:
>>> Diego Woitasen wrote:
>>>> That entry/configuration I read the FAQ and I can't see nothing
>>>> interesting. The question is, radius uses nsswitch to check group
>>>> membership using PAM authentication?
>>>
>>> Q: Hi I tried to do stuff, but it didn't work.  Why?
>>> A: WTF?
>>>
>>> It's difficult to help you if you don't say what you expected to
>>> happen, AND what actually happened.
>>>
>>> It's frustrating to have people post configurations and ask why
>>> doesn't this work?  The documentation and FAQ cover how to ask
>>> questions on the list, and what information we need to help you.
>>>
>>> Alan DeKok.
>>
>> I think the question is simple to give more detail. I rewrite the question:
>>
>> Can I use PAM for authentication and LDAP for group checking? or PAM
>> for authentication and group checking with nsswitch?
>>
>> --
>> Diego Woitasen


ok. I have enabled LDAP in authorize and authentication section. If I
set Ldap-Group == xxx in a users file entry radiusd only tries
LDAP authentication, and not PAM (I saw this with radiusd -f -X).

With the following entry, radiusd tries LDAP for authentication and authorization:

DEFAULT Ldap-Group == xnetadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

With this, PAM authentication is working fine, but I haven't got LDAP
authorization, obviously:

DEFAULT Auth-type = PAM
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

And finally, this doesn't work neither:

DEFAULT Auth-type = PAM, Ldap-Group == xnetadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

I don't find where the trick is. The documentation doesn't say
anything about this kind of configuration or I can't find it.

regards,
diegows

-- 
---
Diego Woitasen
---


Re: RFC 3579 and Access-Accepts

2007-09-21 Thread Artur Hecker

Stefan,

the message included seems to me an EAP Success message (Code 0x03)
and in no way an EAP Message/EAP Request/Notification (would be
0x01yy02). I do not see the problem at a first glance - am I
mistaken?

Artur

On 19 Sep 2007, at 13:11, Stefan Winter wrote:

> Hello,
>
> it seems that FreeRADIUS is sending an EAP-Message fragment along with its
> Access-Accepts, as in:
>
> Packet-Type = Access-Accept
> Wed Sep 19 11:59:25 2007 MS-MPPE-Recv-Key = stuff
> MS-MPPE-Send-Key = morestuff
> EAP-Message = 0x03070004
> Message-Authenticator = 0x593773a711f50bd8b4ce98434a7e1590
> User-Name = [EMAIL PROTECTED]
> Proxy-State = 0x323039
>
> Whereas RFC 3579, chapter 2.6.5 says:
> An EAP-Message/EAP-Request/Notification SHOULD NOT be included within an
> Access-Accept or Access-Reject packet.
>
> This is now the second RADIUS implementation I see that behaves like that - is
> there a reason for the EAP-Message and something wrong with 3579, or is that
> SHOULD NOT just ignored by most?
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
> http://www.restena.lu Fax:  +352 422473
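The distinction discussed in this exchange can be checked mechanically by decoding the EAP header (code, identifier, 16-bit length, then a Type byte for Request/Response, per RFC 3748). The following is an added example, not code from the thread or from FreeRADIUS; the function names and the constructed Notification sample are assumptions, and the EAP-Message value is assumed to be already reassembled from its attribute fragments.

```python
import struct

# EAP codes and a few common method types (RFC 3748 and the method specs).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eap(hex_value):
    """Decode the EAP packet carried in a RADIUS EAP-Message attribute.

    hex_value is the attribute as printed in a packet dump, e.g. "0x03070004".
    """
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
           "id": ident, "length": length, "type": None, "type_name": None}
    if code in (1, 2):
        # Only Request and Response carry a one-byte Type after the header.
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        pkt["type"] = raw[4]
        pkt["type_name"] = EAP_TYPES.get(raw[4], "Unknown")
    elif code in (3, 4) and length != 4:
        raise ValueError("EAP Success/Failure must have length 4")
    return pkt


def violates_rfc3579_2_6_5(packet_type, eap_hex):
    """True if an Access-Accept/Access-Reject carries EAP-Request/Notification."""
    if packet_type not in ("Access-Accept", "Access-Reject"):
        return False
    pkt = parse_eap(eap_hex)
    return pkt["code"] == 1 and pkt["type"] == 2


# Value taken from the Access-Accept quoted in the thread.
THREAD_EAP_MESSAGE = "0x03070004"
# Constructed sample: EAP-Request, id 8, length 7, Type 2 (Notification), text "hi".
CONSTRUCTED_NOTIFICATION = "0x01080007026869"

if __name__ == "__main__":
    for label, value in (("thread", THREAD_EAP_MESSAGE),
                         ("constructed", CONSTRUCTED_NOTIFICATION)):
        pkt = parse_eap(value)
        print(label, pkt["code_name"], pkt["type_name"],
              "violation:", violates_rfc3579_2_6_5("Access-Accept", value))
```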


Unresponsive Child Crashing Server 1.1.6

2007-09-21 Thread Reynolds, Walter

I am having a problem where my Freeradius service is crashing several
times a day.  It will follow an alert in the log with Unresponsive Child
which I know is usually due to a slow back end authentication method
(usually SQL).  Well I am using Kerberos as the back end and every time
I debug the Kerberos server responds very quickly.  I have no
programming or database queries to slow things down.  Even stranger is
that this is a beta server and the load on it is really very light.

Last three days however have lots of problems:

Tue Sep 18 00:37:03 2007 : Error: WARNING: Unresponsive child (id 1210108256) for request 487
Tue Sep 18 07:27:18 2007 : Error: WARNING: Unresponsive child (id 1210108256) for request 672
Tue Sep 18 10:46:27 2007 : Error: WARNING: Unresponsive child (id 1189128544) for request 173
Tue Sep 18 12:07:55 2007 : Error: WARNING: Unresponsive child (id 1231087968) for request 127
Tue Sep 18 12:55:55 2007 : Error: WARNING: Unresponsive child (id 1210108256) for request 72
Tue Sep 18 14:59:33 2007 : Error: WARNING: Unresponsive child (id 1220598112) for request 86
Tue Sep 18 15:53:20 2007 : Error: WARNING: Unresponsive child (id 1220598112) for request 102
Tue Sep 18 17:04:41 2007 : Error: WARNING: Unresponsive child (id 1220598112) for request 104
Tue Sep 18 21:06:26 2007 : Error: WARNING: Unresponsive child (id 1189128544) for request 305
Wed Sep 19 07:51:26 2007 : Error: WARNING: Unresponsive child (id 1231087968) for request 502
Wed Sep 19 12:26:59 2007 : Error: WARNING: Unresponsive child (id 1231087968) for request 80
Wed Sep 19 14:24:48 2007 : Error: WARNING: Unresponsive child (id 1101056352) for request 76
Wed Sep 19 16:31:49 2007 : Error: WARNING: Unresponsive child (id 1356966240) for request 282
Thu Sep 20 12:47:59 2007 : Error: WARNING: Unresponsive child (id 1252067680) for request 368
Thu Sep 20 16:35:10 2007 : Error: WARNING: Unresponsive child (id 1252067680) for request 336
Thu Sep 20 20:55:50 2007 : Error: WARNING: Unresponsive child (id 1084229984) for request 256
Fri Sep 21 01:37:58 2007 : Error: WARNING: Unresponsive child (id 1325496672) for request 503
Fri Sep 21 10:13:03 2007 : Error: WARNING: Unresponsive child (id 1398925664) for request 766
 
Running in debug has not really shown anything as it has not shown that
error or crashed, so I am unsure of how to proceed.

Attached is my radiusd.conf:
=
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radius   ## Determined by system administrator
group = radius  ## Determined by system administrator
max_request_time = 3 #changed from default of 30
delete_blocked_requests = no
cleanup_delay = 3
max_requests = 75 # recommends 256 per client
listen {
        ipaddr = *
        port = 1812
        type = auth
}
listen {
        ipaddr = *
        port = 1813
        type = acct
}
listen {
        ipaddr = *
        port = 1645
        type = auth
}
listen {
        ipaddr = *
        port = 1646
        type = acct
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 50 #Default of 200 too high
        reject_delay = 0
        status_server = no
}
proxy_requests = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 32
        max_servers = 64
        min_spare_servers = 8
        max_spare_servers = 32
        max_requests_per_server = 500
}
modules {
        krb5 {
                keytab = /etc/keytab.radius.wallace
                service_principal = host
        }
        pap {
                auto_header = yes
        }
        $INCLUDE ${confdir}/eap.conf
        realm suffix {
                format = suffix
                delimiter = @
                ignore_default = no
                ignore_null = no
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
 

Re: EAP (PEAP) MS-CHAPv2b how to

2007-09-21 Thread riky.none

Alan DeKok wrote:
> riky.none wrote:
>> run freeradius -X
>> /etc/freeradius/users[219]: Parse error (check) for entry myuser:
>> Unknown attribute Cleartext-Password
>
>> eap config is not easy to read (for a newbie)
>
>   Do you have a question about something?
>
>> Is there a basic howto for configuring freeradius using TTLS???
>
>   1) Configure EAP-TLS
>   2) uncomment the ttls section in eap.conf.
>
>> In the wiki I can't find a basic EAP-TTLS howto
>
>   There is very little effort needed to get EAP-TTLS to work.
>
>   In 2.0-pre2, all you have to do is start the server as root.  PEAP
> will work, EAP-TLS will work, and EAP-TTLS will work.
>
>   Alan DeKok.

ubuntu freeradius deb:
FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built on Mar 30 2007 at 22:44:3

I will install the 2.0 pre for testing (I'm playing with freeradius)

thanks
p.s.
you are very patient with newbies


Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-21 Thread Scott Lambert
I just wanted to ping the list just in case my last message had been
caught in a spam filter or otherwise missed.  I'm not trying to be
pushy, just don't want to get into a situation where everyone is waiting
on a response from everyone else.  Just want to make sure I'm the only
one waiting. :-)

I have no expectation that anybody owes me a response.

If I need to look deeper into the problem on my own, I will be happy to
do so.  If I have, once again, picked on a piece of the code that has
no bearing in my issue, please don't be afraid to tell me I am being
stupid.

If I need to switch this to the -devel list, I can subscribe and repost
it there.  This may have gone a bit off charter for the -users list.

On Tue, Sep 18, 2007 at 05:17:27PM -0500, Scott Lambert wrote:
> On Tue, Sep 18, 2007 at 09:54:33AM +0200, Alan DeKok wrote:
>> Scott Lambert wrote:
>>> lrad_packet_list_socket_add() is called with a pointer to the radius
>>> request packet list structure and the socket file descriptor of the
>>> socket which has been created with the call to socket() and bound to an
>>> IP and port by bind() during the prior call to lrad_socket().  Is that
>>> correct?
>>
>>   Yes.  In the jail, it asks to bind to 0.0.0.0, but the socket
>> *actually* binds to the jail IP.  This is why the inaddr_any check
>> doesn't match.
>>
>>> So, should we be looking for != in the above if() from
>>> lrad_packet_list_socket_add()?
>>
>>   ... no.  The issue is that when udpfromto is used, we have:
>>
>>   a) socket binds to 0.0.0.0 (really, outside of the jail)
>>   b) the server doesn't know which IP is used to send a packet
>>   c) the server DOES know which IP the response is sent to
>>
>>   Since the received IP doesn't match the source IP, there's a
>> little bit of tweaking that has to be done to match the response to an
>> outstanding request.  That's what that check is for.
>
> I am sorry for being so dense.  I think I can see that I was wrong
> before.
>
> However, what I see, through experimentation and lots of printfs, is that
> sockfd is bind()ing with a specified IP of 0.0.0.0. bind() takes care
> of fixing that up for processes in the jail and when bind returns, the
> socket is *actually* bound to the jail's IP address.  Without the jail
> the socket would have remained bound to 0.0.0.0.
>
> Then lrad_packet_list_socket_add() determines what IP we bound to
> from the *actual* information in the sockaddr_in structure to which
> sockfd points.  That is the ps->ipaddr.ipaddr.ip4addr.s_addr inside
> lrad_packet_list_socket_add().  In the jail that is actually the jail's
> IP address.
>
> That's all well and good.  However, perhaps the problem comes when
> we get to recv_one_packet() in radclient.c and unconditionally set
> reply->dst_ipaddr = client_ipaddr which is apparently due to udpfromto
> issues.
>
>         /*
>          *  udpfromto issues.  We may have bound to *,
>          *  and we want to find the replies that are sent to
>          *  (say) 127.0.0.1.
>          */
>         reply->dst_ipaddr = client_ipaddr;
>
> Commenting that line out makes my jail work.
>
> On my systems, reply->dst_ipaddr == client_ipaddr except when
> Packet-Src-IP-Address is NOT specified within the jail.
>
> When Packet-Src-IP-Address is NOT specified within the jail:
>
> radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
> radclient: recv_one_packet: reply->dst_ipaddr.ipaddr.ip4addr = 460364101
>
> By leaving reply->dst_ipaddr alone, lrad_packet_list_find_byreply is
> able to match the ps->ipaddr with the reply->dst_ipaddr even though
> ps->inaddr_any = 0.
>
> I don't know the circumstances in which reply->dst_ipaddr !=
> client_ipaddr in such a way that it would be necessary to force them ==.
>
> Are those circumstances mutually exclusive of the jail circumstances?
>
> Could this be the correct location for a fix?

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
[EMAIL PROTECTED]


Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-21 Thread Alan DeKok
Scott Lambert wrote:
> If I need to look deeper into the problem on my own, I will be happy to
> do so.  If I have, once again, picked on a piece of the code that has
> no bearing in my issue, please don't be afraid to tell me I am being
> stupid.

  I don't think I have any issues doing that...

...
> That's all well and good.  However, perhaps the problem comes when
> we get to recv_one_packet() in radclient.c and unconditionally set
> reply->dst_ipaddr = client_ipaddr which is apparently due to udpfromto
> issues.
>
>         /*
>          *  udpfromto issues.  We may have bound to *,
>          *  and we want to find the replies that are sent to
>          *  (say) 127.0.0.1.
>          */
>         reply->dst_ipaddr = client_ipaddr;
>
> Commenting that line out makes my jail work.

  OK, I see why that works for radclient.  I recall, though, that the
original issue you ran into was with proxying.  Do you still have an
issue with that, or does this one-line fix address everything?

  Alan DeKok.


Re: PAM authenticacion and groups

2007-09-21 Thread Alan DeKok
Diego Woitasen wrote:
> And finally, this doesn't work neither:
>
> DEFAULT Auth-type = PAM, Ldap-Group == xnetadmin
>         Service-Type = Login-User,
>         Cisco-AVPair = shell:priv-lvl=15,
>         Fall-Through = 0

  I don't see why that wouldn't work.

  Again, what does the debug log say?  You ARE running the server in
debugging mode, as suggested in the FAQ, README, INSTALL... etc.  Is
there any other documentation we need to update in order to convince
people to run in debugging mode?

  Alan DeKok.


Re: PAM authenticacion and groups

2007-09-21 Thread tnt
> With the following entry, radiusd tries LDAP for authentication and
> authorization:
>
> DEFAULT Ldap-Group == xnetadmin
>         Service-Type = Login-User,
>         Cisco-AVPair = shell:priv-lvl=15,
>         Fall-Through = 0
>
> With this, PAM authentication is working fine, but I haven't got LDAP
> authorization, obviously:
>
> DEFAULT Auth-type = PAM
>         Service-Type = Login-User,
>         Cisco-AVPair = shell:priv-lvl=15,
>         Fall-Through = 0
>
> And finally, this doesn't work neither:
>
> DEFAULT Auth-type = PAM, Ldap-Group == xnetadmin
>         Service-Type = Login-User,
>         Cisco-AVPair = shell:priv-lvl=15,
>         Fall-Through = 0

Post radiusd -X for the request and let's see why this doesn't work
neither. Hard to help without that.

Ivan Kalik
Kalik Informatika ISP


Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-21 Thread Scott Lambert
On Fri, Sep 21, 2007 at 05:02:43PM +0200, Alan DeKok wrote:
> Scott Lambert wrote:
>> If I need to look deeper into the problem on my own, I will be happy to
>> do so.  If I have, once again, picked on a piece of the code that has
>> no bearing in my issue, please don't be afraid to tell me I am being
>> stupid.
>
>   I don't think I have any issues doing that...

:-)

> ...
>> That's all well and good.  However, perhaps the problem comes when
>> we get to recv_one_packet() in radclient.c and unconditionally set
>> reply->dst_ipaddr = client_ipaddr which is apparently due to udpfromto
>> issues.
>>
>>         /*
>>          *  udpfromto issues.  We may have bound to *,
>>          *  and we want to find the replies that are sent to
>>          *  (say) 127.0.0.1.
>>          */
>>         reply->dst_ipaddr = client_ipaddr;
>>
>> Commenting that line out makes my jail work.
>
>   OK, I see why that works for radclient.  I recall, though, that the
> original issue you ran into was with proxying.  Do you still have an
> issue with that, or does this one-line fix address everything?

I've been expecting that there would be a similar chunk of code in the
server that I could go find if you thought I was on the right track.
I have not had sufficient confidence in my code reading to trust my
changes to the now semi-production server.

I would not expect that code in radclient.c could fix radiusd.  I've
been wrong before.

I've been using radclient to debug because you indicated that it
used the same library for matching up packets.  If the above is
legitimately the bug I was looking for, I'll have to solve the proxy
issue separately, but with a better idea of what I am looking for.

I will do my homework, look for a similar line in the daemon code, and
get back to you, hopefully tonight or tomorrow.

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
[EMAIL PROTECTED]


Re: data limit in Mikrotik with Freeradius and Mysql

2007-09-21 Thread ram
Hi

I am trying to achieve the same

any inputs

ram


On 9/20/07, ravi sawant [EMAIL PROTECTED] wrote:

> Hi
>
> Does anyone have solution for limiting users with data traffic. I have
> working setup of Mikrotik with freeradius and mysql.
>
> Have searched on net and found one solution but I can put limit to max 4
> GB data. After 4 GB the counter resets to 0. I know
> the reason of that. It's b'coz of the values stored in protocol are 32
> bits only.
>
> Awaiting your reply.
>
> Thanks & Regards,
> Ravin

Re: data limit in Mikrotik with Freeradius and Mysql

2007-09-21 Thread Guy Fraser
On Fri, 2007-09-21 at 22:18 +0530, ram wrote:
> Hi
>
> I am trying to achieve the same
>
> any inputs
>
> ram

Have you tried using ;
Acct-Input-Gigawords and Acct-Output-Gigawords
instead of ;
Acct-Input-Octets and Acct-Output-Octets
in the counter calculations ?

> On 9/20/07, ravi sawant [EMAIL PROTECTED] wrote:
>> Hi
>>
>> Does anyone have solution for limiting users with data
>> traffic. I have working setup of Mikrotik with freeradius and
>> mysql.
>>
>> Have searched on net and found one solution but I can put
>> limit to max 4 GB data. After 4 GB the counter resets to 0. I
>> know
>> the reason of that. It's b'coz of the values stored in
>> protocol are 32 bits only.
>>
>> Awaiting your reply.
>>
>> Thanks & Regards,
>> Ravin
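The 4 GB reset and the Gigawords attributes discussed in this thread fit together as follows: per RFC 2869, Acct-Input-Gigawords and Acct-Output-Gigawords count how many times the matching 32-bit Octets counter has wrapped, so a quota check has to combine the two. This is an added example, not code from the thread or from FreeRADIUS; the record layout (one final accounting record per session, as a dict), the function names and the sample records are assumptions.

```python
WRAP = 1 << 32  # Acct-*-Octets is a 32-bit counter and wraps at 2^32


def session_octets(record, direction, use_gigawords=True):
    """Octets for one direction ("Input" or "Output") of one session.

    With use_gigawords=False only the 32-bit counter is used, which
    reproduces the "resets to 0 after 4 GB" behaviour from the thread.
    """
    octets = int(record.get("Acct-%s-Octets" % direction, 0))
    # Equipment that never sends the Gigawords attribute is treated as 0 wraps.
    giga = int(record.get("Acct-%s-Gigawords" % direction, 0))
    if not 0 <= octets < WRAP or giga < 0:
        raise ValueError("counter out of range in %r" % (record,))
    return giga * WRAP + octets if use_gigawords else octets


def usage_by_user(records, use_gigawords=True):
    """Sum input and output octets per User-Name over all sessions."""
    totals = {}
    for rec in records:
        used = (session_octets(rec, "Input", use_gigawords) +
                session_octets(rec, "Output", use_gigawords))
        totals[rec["User-Name"]] = totals.get(rec["User-Name"], 0) + used
    return totals


def over_quota(records, limit_octets, use_gigawords=True):
    """User names whose total traffic exceeds limit_octets, sorted."""
    usage = usage_by_user(records, use_gigawords)
    return sorted(user for user, used in usage.items() if used > limit_octets)


# Constructed sample records (not taken from any real accounting table).
SAMPLE_RECORDS = [
    {"User-Name": "alice", "Acct-Input-Octets": 500000000,
     "Acct-Input-Gigawords": 1, "Acct-Output-Octets": 100000000,
     "Acct-Output-Gigawords": 0},
    {"User-Name": "bob", "Acct-Input-Octets": 3000000000,
     "Acct-Output-Octets": 1000000000},
    {"User-Name": "bob", "Acct-Input-Octets": 200000000,
     "Acct-Output-Octets": 50000000},
]

QUOTA = 4500000000  # a limit above 4 GB, which a 32-bit counter cannot express

if __name__ == "__main__":
    print("with gigawords:", usage_by_user(SAMPLE_RECORDS),
          over_quota(SAMPLE_RECORDS, QUOTA))
    print("octets only:   ", usage_by_user(SAMPLE_RECORDS, False),
          over_quota(SAMPLE_RECORDS, QUOTA, False))
```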


Re: Sending Cisco AV Pairs per realm

2007-09-21 Thread Igor Smitran
Look at the acct_users file, you can define what to do when receiving START,
STOP and ALIVE packets.

You can call external script if you like.
All you need to do is echo correctly formatted string and access server will
receive it.

If you want to put something additional to database, you can do that too.

Also, another way is to use post_auth hook and run external script from
there.


If you are going to run external scripts, all needed data is inside ENV
variable, including realm, username etc.

All this is also stated in documentation.

Igor


- Original Message - 
From: Dan Goscomb [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: 18 September, 2007 11:22
Subject: Re: Sending Cisco AV Pairs per realm



Here is a short example that should work for you using the hints file:

#hints
DEFAULT User-Name =~ @dsl.realm
        Hint = DSL
#/hints

#users
DEFAULT Hint == DSL
        Cisco-AVPair += ...
#/users


Thanks Kevin

This looks great, however the caveat is that we're using MySQL and not
the users file; I can't for the life of me work out how to get that data
in to the tables!

Any hints would be appreciated.

Cheers

Dan



Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-21 Thread Alan DeKok
Scott Lambert wrote:
> I've been expecting that there would be a similar chunk of code in the
> server that I could go find if you thought I was on the right track.

  Unfortunately, there isn't.

> I would not expect that code in radclient.c could fix radiusd.  I've
> been wrong before.

  It won't.

> I've been using radclient to debug because you indicated that it
> used the same library for matching up packets.  If the above is
> legitimately the bug I was looking for, I'll have to solve the proxy
> issue separately, but with a better idea of what I am looking for.

  Or, simply tell the server to listen on the jail IP address.  That
will solve the problem, without code changes.

  One patch which *would* help is the ability to set the source IP
address for proxying.  It's likely not difficult to do, but the code
hasn't been written yet.

  Alan DeKok.