Re: Access-Reject in a php script
Patric wrote:
> But when you exit(2) in PHP, freeradius thinks that the script failed
> and does not respond to the access-request...

It delays the Access-Reject. See the debug output.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Number of requests for Free radius
Anoop wrote:
...

Please edit your posts to the list. It's useless to include an entire digest message.

> I am using free radius 1.1.7 and eap tls authentication. I would like to
> know the maximum number of users/ authentication requests that it can
> handle?

It depends on CPU, memory, etc. Since we don't know that (and don't have access to your systems), we can't say.

Test it and see. That's the only possible answer.

Alan DeKok.
A question about rlm modules
Hello all

I have written an rlm_module. It works fine. Here, we have clients which should be authenticated using CHAP passwords. In the radiusd.conf, I have mentioned my module before the CHAP module in the authentication section. Also, I have found that my module should populate the request->config_items field of the request with the clear text password so that the CHAP module can process the request. I have added the required code to do so, but the CHAP module complains about the size of the password. I want to know, is there something that I have missed? By the way, is the concept right at all?

Thanks in advance.

Regards
Ali Majdzadeh
Re: Access-Reject in a php script
Alan DeKok wrote:
> Patric wrote:
>> But when you exit(2) in PHP, freeradius thinks that the script failed
>> and does not respond to the access-request...
>
> It delays the Access-Reject. See the debug output.
>
> Alan DeKok.

Ah is that what happens! That delay was causing the access requests to time out, and it appeared from the NAS point of view that it was getting no response...

Thanks Alan

--
Q: I want to be a sysadmin. What should I do?
A: Seek professional help.
Re: A question about rlm modules
Ali Majdzadeh wrote:
> I have written an rlm_module. It works fine. Here, we have clients which
> should be authenticated using CHAP passwords. In the radiusd.conf, I
> have mentioned my module before the CHAP module in the authentication
> section. Also, I have found that my module should populate the
> request->config_items field of the request with the clear text password
> so that the CHAP module can process the request. I have added the
> required code to do so, but the CHAP module complains about the size of
> the password.

Would it be possible to post the error message? Are you sure that your code correctly creates the clear-text password?

Alan DeKok.
Re: FR-2.0.0-pre2 - doubled sql accounting
Tomasz Zieleniewski wrote:
> I have the home_server configuration which points to my localhost.

Why?

> So the scenario is the following that when I receive the Accounting-Request
> with the user name of the form [EMAIL PROTECTED] I check the realm for
> particular domain
> and strip the user name and proxy it again to my home_server localhost -
> particular realm have the pool which points to the localhost home_server
> Problem is that there each accounting request is accounted twice.

With virtual servers, you can configure different policies for packets received from a real client, and for packets received from localhost. This makes it trivial to avoid any double accounting issue.

The only reason you're running into double accounting issues is that you're running packets from both sources through the same policy. Don't do that.

Alan DeKok.
Stripping Username (EAP-TLS)
Hi everyone,

I am using Freeradius 1.1.7 on Suse Linux Enterprise 10. I try to authenticate users with EAP-TLS. Everything worked fine, until I activated the check of cert_cn.

eap.conf:
---
        # This check is done only if the previous
        # "check_cert_issuer" is not set, or if
        # the check succeeds.
        #
        check_cert_cn = %{User-Name}
---

The problem is, that the username looks like "host/cl6" but the cn is "cl6". How can I strip the username?

Thanks for your help.

Kind regards
Sebastian
Sqlippool & debian - sql_get_socket unresolved symbol
Hi all,

I know the topic has been discussed about a year ago, but I'd like to know if it's going to be solved. I know that Alan said it's not a FR issue (http://lists.cistron.nl/pipermail/freeradius-users/2006-October/057588.html), but many people say that turning on RTLD_GLOBAL is a security weakness, so perhaps it's overall good to fix the code to make it work even with RTLD_GLOBAL turned off.

What do you think?

Regards,
Francesco.
Re: A question about rlm modules
Hello Alan

Yes, I am sure that the code works correctly, because the CHAP module accepts the clear text password which I have provided in the request->config_items. Below is my code for the authorize section of the module:

static int netbill_authorize (void *instance, REQUEST *request)
{
	VALUE_PAIR *password;              /* currently unused */
	VALUE_PAIR *clear_text_password;

	/* quiet "unused parameter" warnings */
	instance = instance;
	request = request;

	/* add a clear-text User-Password to the request's config items
	   so that rlm_chap can recompute the CHAP response against it */
	clear_text_password = pairmake ("User-Password", "123456", T_OP_EQ);
	pairadd (&request->config_items, clear_text_password);

	return RLM_MODULE_OK;
}

And this is the server's log:

Thu Oct 25 13:18:42 2007 : Debug: modcall: entering group CHAP for request 1
Thu Oct 25 13:18:42 2007 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 1
Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: login attempt by "ali" with CHAP password
Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Using clear text password "123456" for user ali authentication.
Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Password check failed
Thu Oct 25 13:18:42 2007 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 1
Thu Oct 25 13:18:42 2007 : Debug: modcall[authenticate]: module "chap" returns reject for request 1
Thu Oct 25 13:18:42 2007 : Debug: modcall: leaving group CHAP (returns reject) for request 1
Thu Oct 25 13:18:42 2007 : Debug: auth: Failed to validate the user.

Thanks in advance.

2007/10/25, Alan DeKok <[EMAIL PROTECTED]>:
> Ali Majdzadeh wrote:
>> I have written an rlm_module. It works fine. Here, we have clients which
>> should be authenticated using CHAP passwords. In the radiusd.conf, I
>> have mentioned my module before the CHAP module in the authentication
>> section. Also, I have found that my module should populate the
>> request->config_items field of the request with the clear text password
>> so that the CHAP module can process the request. I have added the
>> required code to do so, but the CHAP module complains about the size of
>> the password.
>
> Would it be possible to post the error message? Are you sure that
> your code correctly creates the clear-text password?
>
> Alan DeKok.
Re: Are SHA-256 certificates supported?
Hi,

>> I can live with this hack in my test server, but would appreciate it if
>> FreeRADIUS added official support for SHA-256 digests.
>
> I've added the appropriate OpenSSL initialization call to the source.
>
> Alan DeKok.

Thank you. The CVS version seems to work with my certificates, and also when using a SHA-256 certificate on the server side.

regards,
- hannu
Re: A question about rlm modules
Ali Majdzadeh wrote:
> Hello Alan
> Yes, I am sure that the code works correctly, because the CHAP module
> accepts the clear text password which I have provided in the
> request->config_items. Below is my code for the authorize section of the
> module:

That looks OK.

> Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Using clear text password
> "123456" for user ali authentication.
> Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Password check failed

The password doesn't match what the user entered. There isn't much that can go wrong here.

Alan DeKok.
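Added example for this CHAP thread; it is not code from the thread or from rlm_chap. It writes out, in Python, the check a RADIUS server performs on a CHAP-Password attribute (RFC 2865 section 5.3), so the "Password check failed" line in the log can be reproduced and the reason the module has to supply a clear-text User-Password becomes visible: the server recomputes MD5(ident + password + challenge) and can only do so with the clear-text password, never with a stored hash. The identifier, password and challenge values are constructed for the example.

```python
"""Server-side CHAP verification as performed by a RADIUS server.

CHAP-Password = 1 identifier byte + MD5(identifier + cleartext_password + challenge)
The challenge is the CHAP-Challenge attribute, or the 16-byte Request
Authenticator when that attribute is absent. All sample values in this
file are constructed for the example.
"""
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """Compute the 16-byte CHAP response a client sends for this challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def make_chap_password_attr(ident, password, challenge):
    """Build the 17-byte CHAP-Password value a NAS places in an Access-Request."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def chap_check(cleartext_password, chap_password_attr, chap_challenge=None,
               request_authenticator=None):
    """Return True when CHAP-Password matches the server's cleartext password.

    Mirrors what rlm_chap does: recompute the hash with the server's own copy
    of the password and compare. Malformed input raises ValueError so that a
    length problem is distinguishable from a plain password mismatch.
    """
    if len(chap_password_attr) != 17:
        raise ValueError("CHAP-Password must be 17 bytes (ident + 16-byte MD5)")
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    if challenge is None:
        raise ValueError("need CHAP-Challenge or the Request Authenticator")
    ident = chap_password_attr[0]
    expected = chap_response(ident, cleartext_password, challenge)
    # Constant-time comparison of the two 16-byte digests.
    return hmac.compare_digest(expected, chap_password_attr[1:])


def demo():
    """Reproduce both outcomes: the matching check and the failing one from the log."""
    challenge = os.urandom(16)  # stands in for CHAP-Challenge / Request Authenticator
    attr = make_chap_password_attr(0x2A, b"123456", challenge)
    ok = chap_check(b"123456", attr, chap_challenge=challenge)
    # The user typed a different password than the one the server holds:
    failed = chap_check(b"s3cret", attr, chap_challenge=challenge)
    return ok, failed


if __name__ == "__main__":
    print("matching password:", demo()[0], "/ wrong password:", demo()[1])
```

The failing branch in demo() is exactly the situation Alan describes: the server's clear-text password is present and well-formed, the CHAP response was simply computed from a different password on the client.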
Re: Sqlippool & debian - sql_get_socket unresolved symbol
Francesco Cristofori wrote:
> I know that Alan said it's not a FR issue
> (http://lists.cistron.nl/pipermail/freeradius-users/2006-October/057588.html),
> but many people says that turning on RTLD_GLOBAL is a security
> weakness, so perhaps it's overall good to fix the code to make it work
> even with RTLD_GLOBAL turned off.

Try editing the Makefiles so that rlm_sqlippool links to rlm_sql. Maybe that will solve the problem.

Or, statically link the application.

Alan DeKok.
Re: Access-Reject in a php script
Hi,

I have put exit(2) but as Patric said, freeradius thinks that the script failed and does not respond to the access-request. In the client side, there is a server time out... I don't know if that server time out is assumed as an Access-Reject?

Maybe the problem comes from PHP and I could use the UNIX system() function to send back the code 2.

Please, if you have a better solution, I would be very grateful!

Cheers.
Khalid

Alan DeKok wrote:
>> Patric wrote:
>>> But when you exit(2) in PHP, freeradius thinks that the script failed
>>> and does not respond to the access-request...
>>
>> It delays the Access-Reject. See the debug output.
>>
>> Alan DeKok.
>
> Ah is that what happens! That delay was causing the access requests to time
> out, and it appeared from the NAS point of view that it was getting no
> response...
>
> Thanks Alan
>
> --
> Q: I want to be a sysadmin. What should I do?
> A: Seek professional help.
Re: Access-Reject in a php script
manIP wrote:
> Hi,
> I have put exit(2) but as Patric said, freeradius thinks that the script
> failed and does not respond to the access-request. In the client side,
> there is a server time out... I don't know if that server time out is
> assumed as an Access-Reject?

No it does not assume an access-reject - it registers it as no response, which is undesirable. As Alan said: "It delays the Access-Reject. See the debug output." I tried setting "reject_delay = 0" in the radius.conf but that did not help.

> Maybe the problem comes from PHP and I could use the UNIX system()
> function to send back the code 2.

I believe that this specific scenario only occurs with PHP as I said before, because of the way it sends its status codes (in the exit call). I don't know how else to do it, which is why I changed the code for my use...

--
Q: I want to be a sysadmin. What should I do?
A: Seek professional help.
Re: Access-Reject in a php script
manIP wrote:
> I have put exit(2) but as Patric said, freeradius thinks that the script
> failed and does not respond to the access-request. In the client side,
> there is a server time out... I don't know if that server time out is
> assumed as an Access-Reject?

Set "reject_delay = 0" in radiusd.conf.

Alan DeKok.
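Added example for this thread; it is not the PHP script under discussion nor code from FreeRADIUS. It shows an rlm_exec authentication script, written in Python, that maps its decision onto the exit codes rlm_exec understands: exit status 1 is "reject", exit status 2 is "fail", which is why a script that always exits 2 on a bad login is logged as a module failure and the Access-Reject arrives only after reject_delay. It assumes rlm_exec is run with input_pairs = request, so request attributes reach the script as environment variables with dashes replaced by underscores and upper-cased (USER_NAME, NAS_IP_ADDRESS); the allow-list is constructed for the example.

```python
"""rlm_exec authentication script (constructed example).

rlm_exec exit-code mapping, as documented in the module's sample config:
  0 = ok, 1 = reject, 2 = fail, 3 = ok, 4 = handled, 5 = invalid,
  6 = userlock, 7 = notfound, 8 = noop, 9 = updated; anything else = fail.
Assumption: rlm_exec is configured with input_pairs = request, so the
request attributes arrive as environment variables (USER_NAME, ...).
"""
import os
import sys

EXIT_OK = 0
EXIT_REJECT = 1
EXIT_FAIL = 2
EXIT_NOTFOUND = 7

# Constructed sample policy: which users may log in from which NAS.
ALLOWED = {
    "alice": {"192.0.2.10"},
    "bob": {"192.0.2.10", "192.0.2.11"},
}


def decide(env):
    """Return the rlm_exec exit code for one request.

    `env` is the mapping of environment variables rlm_exec exported.
    A policy outcome is reported as reject or notfound; only a malformed
    request (missing attribute) is reported as fail, the code a script
    should reserve for "I could not evaluate this at all".
    """
    user = env.get("USER_NAME")
    nas = env.get("NAS_IP_ADDRESS")
    if not user or not nas:
        # The request itself is unusable: let the server treat this as a
        # module failure rather than as a decision about the user.
        return EXIT_FAIL
    if user not in ALLOWED:
        return EXIT_NOTFOUND
    if nas not in ALLOWED[user]:
        return EXIT_REJECT
    return EXIT_OK


def main():
    code = decide(os.environ)
    # rlm_exec parses stdout for attribute pairs when output_pairs is set,
    # so keep diagnostics on stderr.
    print("exec policy result: %d" % code, file=sys.stderr)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

With this mapping a refused login is an immediate, explicit reject in the debug output, and exit status 2 only ever appears when the script genuinely could not evaluate the request.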
RE: no DB handles
Hello,

I have a clean install of FreeRadius 1.1.7 with MySQL support. I have a database on a separate machine that is used for almost nothing (no traffic). I would think sockets are not an issue.

I set the radius database up based on the instructions on this page: http://wiki.freeradius.org/SQL_HOWTO

mysql -uroot -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO [EMAIL PROTECTED] IDENTIFIED BY "radpass";
exit

I then used the freeRadius supplied script "mysql.sql" to create the schema for the database. Next I created a test user as instructed and configured freeRadius to access the remote SQL server database.

When I try an authentication test, I receive the "no DB handles" error.

As for the indexing suggestion, would I need to look at that on a brand new database with only one user in it?

Go easy on me, as I've had to learn all of this from scratch in the last couple days. :-)

Thank you.

-Doc.
Re: no DB handles
Doc. Caliban wrote:
> When I try an authentication test, I receive the "no DB handles" error.

What does the full debug log say?

Odds are that the DB connection parameters are wrong, and the server cannot open the DB.

Alan DeKok.
Re: no DB handles
Alan DeKok wrote:
> What does the full debug log say?

Sadly, I've joined this mailing list to ask this question, and ultimately show what an amateur I am. I just found out that mysql is only listening to localhost. That's all it's ever been used for. D'oh! (I did not know that was a default setting)

Trying to change that now. Hopefully it will all work after that.

Thanks,
-Doc
limited hours per user
Hi,

I'm using freeRadius with poptop and it's logging all accounting issues well, but how can I add some rules to restrict people, e.g. how to restrict a group of users to only connect 2 hours per day?

tnx
Adding users to the mySQL database
The db admin here is telling me that there has to be some standardized way of adding users to the database. I don't know anything about SQL. He is talking about the "ID" field or something like that. What is the standard way of doing this?

We have an existing db of all of the user names and passwords, plus a lot of other stuff, that we can pull the user info from to populate the radius database, but he needs to know exactly how it has to be added.

Googling in the mean time...

-Doc
rlm_sqlcounter and user realms
Hello,

I'm trying to set rlm_sqlcounter up so that I can check for a monthly use quota. Everything works, except the checks.

The NAS present the user names with a realm, which I'm processing (thus, [EMAIL PROTECTED] becomes user.) Using SQL for accounting and such is working marvelously. Now, when I configured/activated rlm_sqlcounter as per the instructions at http://wiki.freeradius.org/Rlm_sqlcounter it will not work because the SQL checks are using the pre-processed user name:

SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'

will use '[EMAIL PROTECTED]' instead of just 'user'.

My question is, how can I modify this query definition (and the others from sqlcounter.conf) so that they really check against the stripped user name.

Thanks a lot,
Carlos.

--
grah windows just crashed again, unstable crap.
Windows isn't unstable, it's just spontaneous.
Cisco NAS Password problem
Hello:

I am new to using Freeradius, and I am using Freeradius 1.1.6 that comes with Ubuntu Server 7.10. I have set up Freeradius with MySQL as the backend database.

I set up one of my Cisco 3550 switches to use Radius as the login method. This worked fine, authentication was running through freeradius. All of my Cisco switches are running the same IOS version, and all configured similarly (only port information is different).

I then added a second switch to the freeradius client configuration (nas table), and encountered a problem. The password was being rejected. So I ran Freeradius -X so I could see what was going on.

On the good password attempt (first switch added) I see something like this:

rad_recv: Access-Request packet from host 192.168.x.x:1645, id=9, length=80
        NAS-IP-Address = 192.168.x.x
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "username"
        Calling-Station-Id = "192.168.x.y"
        User-Password = "decodedpassword"

On the failed password attempt (second and now third switch in the list) I see something like this:

rad_recv: Access-Request packet from host 192.168.x.z:1645, id=1, length=80
        NAS-IP-Address = 192.168.x.z
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "username"
        Calling-Station-Id = "192.168.x.y"
        User-Password = "r\306\324\333M\014\247\022\363\216K\257`\315#]"

The password doesn't appear to get decoded before processing of the auth packet occurs. All of the entries in the nas table include the same NAS type. I've gone through my configs several times, and I'm not sure what I am missing.

Does anyone out there have any ideas?

Regards
John
Re: Cisco NAS Password problem
On Thursday 25 October 2007 17:26:10 John Morris wrote:
> I then added a second switch to the freeradius client configuration (nas
> table), and encountered a problem. The password was being rejected. So I
> ran Freeradius -X so I could see what was going on.
>
> On the failed password attempt (second and now third switch in the list) I
> see something like this:
>
> rad_recv: Access-Request packet from host 192.168.x.z:1645, id=1, length=80
>         NAS-IP-Address = 192.168.x.z
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         User-Name = "username"
>         Calling-Station-Id = "192.168.x.y"
>         User-Password = "r\306\324\333M\014\247\022\363\216K\257`\315#]"

Debug output like this usually points to non-matching RADIUS secrets. Check the radius secret in your switch config as well as the secret configured in your nas SQL table. Freeradius only reads the nas table on startup, so if you make changes to that table, you must restart the daemon for those changes to take effect.

Kevin Bonner
RE: Cisco NAS Password problem
> Debug output like this usually points to non-matching RADIUS secrets. Check
> the radius secret in your switch config as well as the secret configured in
> your nas SQL table. Freeradius only reads the nas table on startup, so if
> you make changes to that table, you must restart the daemon for those changes
> to take effect.
>
> Kevin Bonner

Kevin,

Thanks for the prompt reply. I went ahead and went to failing switches, cleared the radius-server entries and started from scratch. I had done this before, and it didn't fix the problem. But this time everything is working.

It surprises me that the debug output doesn't appear to mention the failure of the NAS secret. I would have thought I would have gotten that message and that the auth would have stopped there.

Regards,

John
Re: Cisco NAS Password problem
Is there a way to define NAS info / secrets in a SQL database and have it as part of the standard queries? Am guessing the perl / python options would let you do it from that (pls correct me tho if not right!) but can it just be done without writing code?

Tia
Andy

On 25/10/2007, John Morris <[EMAIL PROTECTED]> wrote:
>> Debug output like this usually points to non-matching RADIUS secrets. Check
>> the radius secret in your switch config as well as the secret configured in
>> your nas SQL table. Freeradius only reads the nas table on startup, so if
>> you make changes to that table, you must restart the daemon for those changes
>> to take effect.
>>
>> Kevin Bonner
>
> Kevin,
>
> Thanks for the prompt reply. I went ahead and went to failing switches,
> cleared the radius-server entries and started from scratch. I had done this
> before, and it didn't fix the problem. But this time everything is working.
>
> It surprises me that the debug output doesn't appear to mention the failure
> of the NAS secret. I would have thought I would have gotten then that message
> and that the auth would have stopped there.
>
> Regards,
>
> John
NAS in SQL
Andy Billington wrote:
> Is there a way to define NAS info / secrets in a SQL database

Yes. See the sql.conf file.

Alan DeKok.
Re: rlm_sqlcounter and user realms
Carlos A. Carnero Delgado wrote:
> My question is, how can I modify this query definition (and the others
> from sqlcounter.conf) so that they really check against the stripped
> user name.

Use the Stripped-User-Name attribute.

Alan DeKok.
Re: Cisco NAS Password problem
John Morris wrote:
> It surprises me that the debug output doesn't appear to mention the
> failure of the NAS secret.

It does. There's a big WARNING during the authentication portion.

> I would have thought I would have gotten
> then that message and that the auth would have stopped there.

It can't. A binary password *is* technically valid.

Alan DeKok.
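Added example for this thread; it is not code from the thread or from FreeRADIUS. It implements the RFC 2865 section 5.2 User-Password hiding scheme in Python, so the binary junk in John's debug output can be reproduced by decoding with a secret that differs from the one the switch used, and Alan's point becomes concrete: the decoded bytes are a valid password as far as the protocol is concerned, and nothing in the packet tells the server the secret was wrong. The secret, Request Authenticator and password values are constructed for the example.

```python
"""RFC 2865 User-Password hiding and the effect of a shared-secret mismatch.

Sample secret, authenticator and password are constructed for this example.
"""
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(secret, authenticator, password):
    """Encode a cleartext password the way a NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes. Each block is
    XORed with MD5(secret + previous ciphertext block); for the first block
    the 16-byte Request Authenticator takes the place of the previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_user_password(secret, authenticator, hidden):
    """Recover the cleartext as the server does; trailing NUL padding is removed.

    With the wrong secret the MD5 key stream is wrong and the result is
    effectively random bytes, which is exactly what the failing switches
    produced in the debug output. The server cannot detect this: it simply
    compares the decoded bytes against the stored password and they differ.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(decoded):
    """Heuristic for reading debug output: a real password is printable ASCII,
    so control bytes or high-bit bytes after decoding almost always mean the
    NAS and the server disagree on the shared secret."""
    return any(b < 0x20 or b > 0x7E for b in decoded)


if __name__ == "__main__":
    auth = bytes(range(16))                     # constructed Request Authenticator
    hidden = hide_user_password(b"example-secret", auth, b"decodedpassword")
    print("right secret :", decode_user_password(b"example-secret", auth, hidden))
    print("wrong secret :", decode_user_password(b"other-secret", auth, hidden))
```

Running it prints the readable password for the matching secret and a string of escaped binary for the mismatched one, the same two shapes seen in the good and failed switch attempts above; the heuristic is what Kevin applied by eye.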
How to trigger an application after an authentication is done
Hi

I am trying to make some iptables rules trigger after authentication is done with the Radius Server. Here is my setup:

user--BRAS--Freeradius---Gateway Router(Linux+iptables)--Internet

When the user initiates PPPoE with the BRAS, the BRAS sends the request to Radius. Radius checks the authentication and sends the authorisation to the user. When the user is authenticated and authorised, at the same time I want to trigger the script to open iptables rules and set his bandwidth with TC.

Can someone give me a suggestion how I can achieve this?

ram