Re: cisco freeradius problems

2007-11-08 Thread Alan DeKok
Edgars Makņa wrote:
 a) not possible
 b) with client you mean cisco or end user?

  RADIUS client.

 c) not possible

  shrug

  Then I guess the problem isn't happening.

  When you said that it doesn't work with one IP, but does work with the
other, that means that the shared secrets are wrong.  They're wrong on
the Cisco end, or in FreeRADIUS.  There isn't much else that can cause
those problems.

  This isn't magic.  There are always a very small number of causes for
such problems.

  a) it's magic (transient memory fault, etc.)
  b) someone mis-typed a shared secret

  Which one is more likely?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: cisco freeradius problems

2007-11-08 Thread Alan DeKok
Edgars Makņa wrote:
 No, shared secret was not wrong, for this case i used special secret,
 on both hosts in configuration - 1
 From one works, from other no.
 Nothing more was changed.

  (a) the shared secret is wrong
  (b) the client is buggy
  (c) the client really is sending a garbage password

  Alan DeKok.

Re: radius going to sleep?

2007-11-08 Thread Norbert Wegener

Now it works again with num_sql_socks=30.
To make it work, I increased the number of connections on the mysql 
server via

set global max_connections =200;
(I have more than one sql-module and each one starts its own connections)

It seems freeradius gets into trouble when the number of connections 
allowed by mysql is exceeded.

I did not notice that in former versions of freeradius.
Hope this information helps to find the real cause for freeradius going 
to sleep.


Norbert Wegener



Norbert Wegener schrieb:

Alan DeKok wrote:

..
 

Any other suggestions?



  Not right now.  If you're willing to do a binary search in CVS to see
*when* it started breaking... but that's a lot of work.
  
Without changing versions of mysql or freeradius I think I already 
found out that num_sql_socks seems to have a significant influence on 
the behaviour.

With a value of 5, freeradius now is already running for some hours.
A value of 20 stops it from working normally within two hours.
Maybe I can find out more.

Norbert Wegener





  Alan DeKok.
  





--


Norbert Wegener
Siemens AG Siemens IT Solutions and Services



Re: NAS is not available

2007-11-08 Thread hadi golestani
Where do I find the rpm or source, and how do I configure pptpd and freeradius
to work with a NAS?

On Nov 8, 2007 1:48 AM, [EMAIL PROTECTED] wrote:

 NAS - Network Access Server

 It's a client (router, switch, AP, ...) sending radius requests to the
 server. You can pretty safely say that NAS is important for freeradius
 to find out disconnected people?:-) Connected ones too.

 Ivan Kalik
 Kalik Informatika ISP


 Dana 7/11/2007, hadi golestani [EMAIL PROTECTED] piše:

 Hi,
 I've a freeRadius that is configured to work with pptpd and it's working
 great, but when I installed daloradius to generate some reports, dalo
 told me that there's no NAS configured!
 So what's this NAS, and is the NAS important for freeradius to find out
 disconnected people?
 
 tnx
 
 



Re: cisco freeradius problems

2007-11-08 Thread Edgars Makņa

Nobody changed that secret. It's the same for both hosts.
Cisco IOS is almost the freshest version. OK, will try to dig in the 
cisco-nas mailing list


Alan DeKok wrote:

Edgars Makņa wrote:
  

a) not possible
b) with client you mean cisco or end user?



  RADIUS client.

  

c) not possible



  shrug

  Then I guess the problem isn't happening.

  When you said that it doesn't work with one IP, but does work with the
other, that means that the shared secrets are wrong.  They're wrong on
the Cisco end, or in FreeRADIUS.  There isn't much else that can cause
those problems.

  This isn't magic.  There are always a very small number of causes for
such problems.

  a) it's magic (transient memory fault, etc.)
  b) someone mis-typed a shared secret

  Which one is more likely?

  Alan DeKok.


ldap instead of /users file

2007-11-08 Thread stefek143
Hello.

I read that LDAP can't be used with the EAP-TLS method for authentication, but 
what I want to do is use LDAP instead of the /raddb/users file, for example for 
attributes like VLAN ID etc.

Is it possible? If yes, where can I find some information about it? Because 
everywhere there are howtos for authentication and authorization using LDAP, but 
I think the radius configuration is quite different when I want to use LDAP only 
instead of the users file.

THX for any information.

Re: ldap instead of /users file

2007-11-08 Thread Kostas Kalevras

O/H stefek143 έγραψε:

Hello.
I read that LDAP can't be used with the EAP-TLS method for authentication, 
but what I want to do is use LDAP instead of the /raddb/users file, for 
example for attributes like VLAN ID etc.
Is it possible? If yes, where can I find some information about it? 
Because everywhere there are howtos for authentication and authorization 
using LDAP, but I think the radius configuration is quite different when 
I want to use LDAP only instead of the users file.
You just perform only authorization from ldap and not authentication 
(authentication is done with eap_tls and client certificate authentication).



THX for any information.





--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com


Re: NAS is not available

2007-11-08 Thread tnt
pptpd (VPN server) *is* a network access server (NAS) - a server that
users use to access the network. Are you sure you don't need to learn
some basic things before you start fiddling with this?

Ivan Kalik
Kalik Informatika ISP


Dana 8/11/2007, hadi golestani [EMAIL PROTECTED] piše:

Where do I find the rpm or source, and how do I configure pptpd and freeradius
to work with a NAS?

On Nov 8, 2007 1:48 AM, [EMAIL PROTECTED] wrote:

 NAS - Network Access Server

 It's a client (router, switch, AP, ...) sending radius requests to the
 server. You can pretty safely say that NAS is important for freeradius
 to find out disconnected people?:-) Connected ones too.

 Ivan Kalik
 Kalik Informatika ISP


 Dana 7/11/2007, hadi golestani [EMAIL PROTECTED] piše:

 Hi,
 I've a freeRadius that is configured to work with pptpd and it's working
 great, but when I installed daloradius to generate some reports, dalo
 told me that there's no NAS configured!
 So what's this NAS, and is the NAS important for freeradius to find out
 disconnected people?
 
 tnx
 
 







Re: cisco freeradius problems

2007-11-08 Thread Edgars Makņa

a) not possible
b) with client you mean cisco or end user?
c) not possible

Alan DeKok wrote:

Edgars Makņa wrote:
  

No, shared secret was not wrong, for this case i used special secret,
on both hosts in configuration - 1
From one works, from other no.
Nothing more was changed.



  (a) the shared secret is wrong
  (b) the client is buggy
  (c) the client really is sending a garbage password

  Alan DeKok.


Re: cisco freeradius problems

2007-11-08 Thread Edgars Makņa
No, shared secret was not wrong, for this case i used special secret, 
on both hosts in configuration - 1

From one works, from other no.
Nothing more was changed.

Alan DeKok wrote:

Edgars Makņa wrote:
  

Hello
I have interesting problems with freeradius authentication.
NAS - cisco 2801
radius - freeradius running on freebsd with mysql db.
I had a lot of such errors in radius.log:
Auth: Login incorrect (rlm_pap: CRYPT password check failed): [1-102/D\014\003\222\374\267z\013y\005\200\354S\373\344] (from client plaza port 0)
In debug output I get unprintable characters.



  Then the shared secret is wrong.

  

In the same time
authentication was working fine from other hosts, for example smtp server.



  The shared secret is different for each host.

  

Problem was solved in interesting way, on cisco i specified radius
source interface.



  Which changes the IP address seen by the server, meaning it uses a
different shared secret.

  

It was working fine until mysql server crashed and i got
same garbage in authentication. I removed source radius interface from
cisco configuration and everything started to work fine again.
Any ideas?



  You mistyped something in MySQL, started RADIUS, noticed a problem,
and then re-started both MySQL and RADIUS.

  Alan DeKok.

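The garbage-password symptom Alan explains above, as an added example (not code from FreeRADIUS or from anyone in the thread): the RFC 2865 section 5.2 User-Password hiding, with the shared secret chosen by the packet's source address the way the server's client table does it. The addresses, secrets, password and Request Authenticator are constructed.

```python
import hashlib

# Constructed clients table, playing the role of clients.conf/naslist: the secret is
# looked up by the source address of the packet and nothing else.
CLIENTS = {
    "192.0.2.10": b"plaza-secret",   # the Cisco's address before the source-interface change
    "192.0.2.11": b"other-secret",   # what the server holds for the address it sees afterwards
    "192.0.2.20": b"smtp-secret",    # the SMTP host that keeps working
}


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, chain_on_input: bool) -> bytes:
    """RFC 2865 5.2: b1 = MD5(S + RA), c1 = p1 xor b1, b2 = MD5(S + c1), c2 = p2 xor b2, ...
    Hiding chains on the ciphertext it produces; revealing chains on the ciphertext it reads."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        x = bytes(p ^ k for p, k in zip(block, b))
        out += x
        prev = block if chain_on_input else x
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad with NULs to a multiple of 16 octets (at least 16) and encrypt."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) if password else b"\x00" * 16
    return _keystream_xor(padded, secret, authenticator, chain_on_input=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same key stream, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    return _keystream_xor(hidden, secret, authenticator, chain_on_input=True).rstrip(b"\x00")


def server_reveal(src_ip: str, hidden: bytes, authenticator: bytes) -> bytes:
    """What rlm_pap ends up comparing: the password revealed with the secret the server
    has for the source address. A plain Access-Request carries no integrity check
    (no Message-Authenticator here), so a wrong secret is not detected at this point;
    it simply yields garbage, which is what the radius.log line then shows."""
    return reveal_password(hidden, CLIENTS[src_ip], authenticator)


def log_quote(b: bytes) -> str:
    """Render bytes like the radius.log entry in the thread: printable ASCII as-is,
    everything else as \\ooo octal escapes."""
    return "".join(chr(x) if 32 <= x < 127 and x != 0x5C else "\\%03o" % x for x in b)


def is_printable(b: bytes) -> bool:
    return all(32 <= x < 127 for x in b)


if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator; random per request in practice
    hidden = hide_password(b"correct horse", b"plaza-secret", ra)
    # Before the source-interface change: packet from 192.0.2.10 decodes cleanly.
    print(log_quote(server_reveal("192.0.2.10", hidden, ra)))
    # After it: same packet, different source address, different secret, garbage password.
    print(log_quote(server_reveal("192.0.2.11", hidden, ra)))
```

The only server-side signal of a mismatched secret on PAP is therefore a password that fails every check; the NAS itself would notice the bad Response Authenticator on the reply and discard it, which is why such a NAS usually reports a timeout rather than a reject.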

Re: radius going to sleep?

2007-11-08 Thread Alan DeKok
Norbert Wegener wrote:
 Now it works again with num_sql_socks=30.
 To make it work, I increased the number of connections on the mysql
 server via
 set global max_connections =200;
 (I have  more than one sql-module and each one starts its own connections)

  The only other change I see in the SQL module is rlm_sql.c:


@@ -555,7 +556,7 @@
/*
 *  Get the list of groups this user is a member of
 */
-   if (sql_get_grouplist(inst, sqlsocket, req, group_list)) {
+   if (sql_get_grouplist(inst, sqlsocket, req, group_list)  0) {
radlog(L_ERR, rlm_sql (%s): Error getting group membership,
   inst-config-xlat_name);
/* Remove the username we (maybe) added above */
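Review bot: the comparison operator on the changed `if` line has been lost in transit (it reads `sql_get_grouplist(inst, sqlsocket, req, group_list)  0)`), so the hunk as quoted cannot be compiled or reviewed as is; please repost it unmangled (the `inst-config-xlat_name` argument is mangled the same way). What is visible is that the test changes from "any non-zero return" to a comparison against 0 whose direction is not shown, which means one sign of return value from sql_get_grouplist no longer reaches the "Error getting group membership" path; confirm the function's return convention and that a failure from the SQL library, such as the exhausted MySQL connection limit in this thread, still lands on the side that takes the error path.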
@@ -605,7 +606,7 @@
/*
 *  Get the list of groups this user is a member of
 */
-   if (sql_get_grouplist(inst, sqlsocket, request, group_list)) {
+   if (sql_get_grouplist(inst, sqlsocket, request, group_list)  0) {
radlog(L_ERR, rlm_sql (%s): Error retrieving group list,
   inst-config-xlat_name);
return -1;
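Review bot: same lost operator on the changed line here (`group_list)  0)`), so the same request to repost applies. Beyond that, the two call sites react differently to the same failure: this copy returns -1 immediately, while the visible context of the first hunk continues by removing the username it added, and the two log messages differ ("Error getting group membership" versus "Error retrieving group list") for what looks like the same condition, which makes the failure harder to grep for in radius.log. Consider one shared helper, or at least identical wording and identical handling, at both sites.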


 It seems freeradius gets into trouble when the number of connections
 allowed by mysql is exceeded.

  That sounds like it's not properly handling errors returned from the
SQL libraries.

 I did not notice that in former versions of freeradius.
 Hope this information helps to find the real cause for freeradius going
 to sleep.

  I don't see much in rlm_sql that could cause this problem.  I don't
see how changes to the server core can affect the SQL module.

  Alan DeKok.


[no subject]

2007-11-08 Thread Terry Pelley
I want to be able to specify which Wireless Access Points certain users
can gain access from.

Is there an attribute that I can set so that a user can only be
authenticated if the request comes from a predetermined NAS or group of
NASs?

thnx.



Re: Can FAQ 6.10 please be fixed?

2007-11-08 Thread A . L . M . Buxey
Hi,

  
 http://wiki.freeradius.org/index.php/FAQ#How_do_I_check_the_configuration_before_sending_a_HUP_to_the_server.3F

well, any talking of HUP'ing right now is bad joojoo.


I've just checked and you can do something like

radiusd -X -p 1890 -i 127.0.0.1


which will work fine - perhaps we should cook up another method of
checking the config is sane - using this sort of method for now.


several people have requested a 'check the config' option - a
new version of the -C option - I'm not sure what exact state
the parser is in...or if it would be easier to use another
utility - eg radiusd-chkconfig - which is solely primed for
running through the config files and checking it all works
but then not firing up - it just gives an exit code.

alan


limiting Authentication based on the NAS

2007-11-08 Thread Terry Pelley
Sorry, First posting contained no subject header.
This is a repost.

I want to be able to specify which Wireless Access Points certain users
can gain access from.

Is there an attribute that I can set so that a user can only be
authenticated if the request comes from a predetermined NAS or group of
NASs?

thnx.


Re: limiting Authentication based on the NAS

2007-11-08 Thread Phil Mayers
On Thu, 2007-11-08 at 07:40 -0500, Terry Pelley wrote:
 Sorry, First posting contained no subject header.
 This is a repost.
 
 I want to be able to specify which Wireless Access Points certain
 users can gain access from.
 
 Is there an attribute that I can set so that a user can only be
 authenticated if the request comes from a predetermined NAS or group
 of NASs?

Not a specific attribute, but there are lots of variations on techniques
that can do this. Most basic:

 1. Put WAPs into huntgroups
 2. In the users file, do:

# let user1 in group1
user1   Huntgroup-Name == group1
	Fall-Through = No

# user2 in group2
user2   Huntgroup-Name == group2
	Fall-Through = No

# default deny
DEFAULT Auth-Type := Reject

Slightly more complex:

 1. Put the WAPs into huntgroups
 2. Put the users into groups (see rlm_passwd for file-based, or use
SQL/LDAP)
 3. In the users file:

# users in ug1 can access WAPs in wapg1
DEFAULT Huntgroup-Name == wapg1, {My,SQL,LDAP}-Group == ug1
	Fall-Through = No

There are many more variations using SQL and LDAP.





Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)

2007-11-08 Thread schilling
This is the catch. I swear we tried at some point; apparently we were
missing something else at that time.

Now everything has worked out.

Thanks all for reply.

Have a nice day.

Regards,

shiling

On Nov 7, 2007 4:49 PM,  [EMAIL PROTECTED] wrote:
 Hi,

  userx   Cleartext-Password := hello
  Service-Type = Framed-User,
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = 802,
  Tunnel-Private-Group-ID = 552

 Tunnel-Medium-Type = IEEE-802,

 where did you get just '802' from?

 alan




Some users can't login after upgrade!

2007-11-08 Thread Dean, Barry
The configuration I had was FreeRADIUS 1.1.4 running on NetBSD_3.0 (STABLE) 
authenticating to Novell eDirectory using LDAP.

All was fine...

I upgraded to FreeRADIUS 1.1.7 and all seemed OK, until two of my users found 
they can no longer login to the Cisco VPN3000 which uses this RADIUS. The log 
files simply show:

Tue Nov  6 15:06:40 2007 : Auth: Login incorrect: [user] (from client vpn3000 port 13712 cli X.X.X.X)

We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the 
user to login using that, failed with 1.1.7 RADIUS, changed it to use a spare 
1.1.4 server and they could login!

User names are alphabetic only and less than 8 characters, passwords are 
alpha-numeric only and 8 characters.

I am reasonably new to RADIUS and cannot figure out why these two users are 
being singled out!

I thought at first it might be because we have edir_account_policy_check=yes 
and that given the ChangeLog for 1.1.7 says Added more eDirectory support., 
and the two users possibly have extra attributes as they are sysadmins, that 
something was being checked that was not with 1.1.4 and that was preventing 
login.

However, later in radiusd.conf in the post-auth section the LDAP server entries 
are commented out, and it says:

  #  Un-comment the following if you have set
#  'edir_account_policy_check = yes' in the ldap module sub-section of
#  the 'modules' section. 

So does this mean this feature is not in operation?

Has anyone any ideas where I should start looking?

Thanks.

---
Barry Dean
Networks Team
University of Liverpool





Re: Can FAQ 6.10 please be fixed?

2007-11-08 Thread Alan DeKok
Jens Dreger wrote:
 Ok, maybe i should rephrase my question: I'm not so much interested in
 the HUP part, but the check-config part. I'm perfectly happy with
 stopping and starting the radius-server IF I can make sure it will
 succeed with the new config.

  It is easy to do a bad job of that.  It is very difficult to do a
*good* job.

 I'm only changing the users file and
 have no database connections at all so this should be doable. A tool
 like radiusd-chkconfig (like bind offers) would probably be the right
 thing.

  Yes.

 ...or hit a used port by accident. This script is just not an elegant
 solution. I guess I'll just have to keep two servers running on
 different IPs and check if the test-server crashes with the new users
 file before restarting the main server.

  I'll see what I can do.  But it will be in CVS head (i.e. 2.0), and
not in 1.1.x.

 I tried to change the Wiki entry but apparently I don't have permission
 to do so.
   Sign up for an account.  It's not open because of the massive volume
 of spammers who were attacking it.
 
 I tried. 'Create Account' just gives me a login screen with no way
 to create an account. Am I missing something?

  No idea.  Peter Nixon runs that server, so email him.

  Alan DeKok.


Restricting user by realm

2007-11-08 Thread Lisa Casey
Hi,

I have Freeradius 1.1.6 running on FreeBSD. I authenticate users from a users 
file, not from a database. I have three default realms setup in the realms file 
and at the top of the users file like so:


DEFAULT Realm == jellico.net
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-Compression = None,
	Framed-MTU = 1500,
	Fall-Through = 1

DEFAULT Realm == jellico.com
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-Compression = None,
	Framed-MTU = 1500,
	Fall-Through = 1

Then a list of users follows. Here's one example:

lisa Auth-Type = Local, Password == xxx
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-Compression = None,
	Framed-MTU = 1500,
	Slipstream-Auth = true

The way things are set up now, any user can log in with any of the realms I have 
defined. For example, I (username lisa) could login as [EMAIL PROTECTED] and 
then turn around and login as [EMAIL PROTECTED]. My boss would like me to 
restrict this so that (for example) lisa could log in as [EMAIL PROTECTED] but 
not [EMAIL PROTECTED].

With my setup, can I do this easily (or at all)? If this is possible, please 
give me some idea of how to go about doing this.

Thanks,

Lisa Casey
 


Re: Some users can't login after upgrade!

2007-11-08 Thread Alan DeKok
Dean, Barry wrote:
 We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked 
 the user to login using that, failed with 1.1.7 RADIUS, changed it to use a 
 spare 1.1.4 server and they could login!

  Can you post the output of debugging mode for 1.1.4 where it works,
and 1.1.7 where it doesn't, all for the same user?

  Alan DeKok.


cant connect with ntradping

2007-11-08 Thread Murilo Bernardes
Hi, I'm trying to ntradping my radius server but this is what radius log
shows

Thu Nov  8 14:10:39 2007 : Auth: rlm_unix: [root]: invalid password
Thu Nov  8 14:10:39 2007 : Auth: Login incorrect: [root/ \...(:;] (from client testesomente port 0)

I understand that this root password is the linux root password from my
server, but it keeps saying that this is incorrect. And in radius.conf I
set the port to 1812 and it's saying port 0.

this is what freeradius -X shows:

 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = root
 sql: password = #s3nh4$r00t%
 sql: radius_db = radius
 sql: nas_table = nas
 sql: sqltrace = no
 sql: sqltracefile = /var/log/freeradius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id, UserName, Attribute, Value,
op   FROM radcheck   WHERE Username =
'%{SQL-User-Name}'   ORDER BY id
 sql: authorize_reply_query = SELECT id, UserName, Attribute, Value,
op   FROM radreply   WHERE Username =
'%{SQL-User-Name}'   ORDER BY id
 sql: authorize_group_check_query = SELECT radgroupcheck.id,
radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,
radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER
BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT radgroupreply.id,
radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,
radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER
BY radgroupreply.id
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
 sql: accounting_update_query = UPDATE radacct   SET
FramedIPAddress = 

Re: Restricting user by realm

2007-11-08 Thread Lisa Casey


Hi Alan,


use the realms as check items for example

lisa Realm == jellico.com Auth-Type := Local, Cleartext-Password := 
xxx

   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 255.255.255.254,
   Framed-IP-Netmask = 255.255.255.255,
   Framed-Routing = None,
   Framed-Compression = None,
   Framed-MTU = 1500,
   Slipstream-Auth = true

lisa Realm == jellico.net Auth-Type := Reject, Cleartext-Password := 
xxx


alan


Very good. I wondered if that could be done that way, but wasn't sure. 
Thanks.


Lisa



Re: Restricting user by realm

2007-11-08 Thread A . L . M . Buxey
Hi,

 
 DEFAULT Realm == jellico.net
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 255.255.255.254,
 Framed-IP-Netmask = 255.255.255.255,
 Framed-Routing = None,
 Framed-Compression = None,
 Framed-MTU = 1500,
 Fall-Through = 1
 
 DEFAULT Realm == jellico.com
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 255.255.255.254,
 Framed-IP-Netmask = 255.255.255.255,
 Framed-Routing = None,
 Framed-Compression = None,
 Framed-MTU = 1500,
 Fall-Through = 1
 
 Then a list of users follows. Here's one example:
 
 lisa Auth-Type = Local, Password == xxx
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 255.255.255.254,
 Framed-IP-Netmask = 255.255.255.255,
 Framed-Routing = None,
 Framed-Compression = None,
 Framed-MTU = 1500,
 Slipstream-Auth = true
 
 The way things are set up now, any user can log in with any of the realms I 
 have defined. For example, I (username lisa) could login as [EMAIL PROTECTED] 
 and then turn around and login as [EMAIL PROTECTED]. My boss would like me 
 to restrict this so that (for example) lisa could log in as [EMAIL PROTECTED] 
 but not [EMAIL PROTECTED].
 
 With my setup, can I do this easily (or at all)? If this is possible, please 
 give me some idea of how to go about doing this.

use the realms as check items for example

lisa Realm == jellico.com Auth-Type := Local, Cleartext-Password := xxx
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Routing = None,
	Framed-Compression = None,
	Framed-MTU = 1500,
	Slipstream-Auth = true

lisa Realm == jellico.net Auth-Type := Reject, Cleartext-Password := xxx

alan


Re: Restricting user by realm

2007-11-08 Thread Kevin Bonner
On Thursday 08 November 2007 11:19:48 Lisa Casey wrote:
 The way things are set up now, any user can log in with any of the realms I
 have defined. For example, I (username lisa) could login as
 [EMAIL PROTECTED] and then turn around and login as [EMAIL PROTECTED]. My
 boss would like me to restrict this so that (for example) lisa could log in
 as [EMAIL PROTECTED] but not [EMAIL PROTECTED].

Just add a check item to the user entry and it will only allow them from that 
realm.  Since you are using 1.1.6, don't use Auth-Type and start using 
Cleartext-Password with the := operator.

  lisa Cleartext-Password := xxx, Realm == jellico.com
...

Or if you want to reject from a specific realm, just use this before your real 
user entry:
  lisa Realm == realmY, Auth-Type := Reject

Kevin Bonner



Re: acct_users config

2007-11-08 Thread tnt
And what would you like to configure there?

Ivan Kalik
Kalik Informatika ISP


Dana 8/11/2007, Lin Bin-ABL045 [EMAIL PROTECTED] piše:

Hi there, can anybody share experience in how to config the acct_users
file? Thanks.





acct_users config

2007-11-08 Thread Lin Bin-ABL045
Hi there, can anybody share experience in how to config the acct_users
file? Thanks.

Re: Received conflicting packet

2007-11-08 Thread Alan DeKok
Norbert Wegener wrote:
 With my current freeradius cvs I have some messages like these:
 | 2007-11-08 11:37:07 | radiusd[17266]: Received conflicting packet from client 119.25.50.234 port 33496 - ID: 37 due to unfinished request 140423.  Giving up on old request.  |

  The server didn't respond to a request, so the client timed out, and
re-used the src ip, port, and RADIUS Id.

  This usually means that the server is very slow, and stuck somewhere.

 What causes those messages?
 I suppose, it might be serious?

  It likely indicates an underlying problem.

  Alan DeKok.


Re: Restricting user by realm

2007-11-08 Thread tnt
To add on this, also have all the common attributes in a single default
entry:

DEFAULT   Service-Type = Framed-User
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-IP-Address = 255.255.255.254,
  Framed-IP-Netmask = 255.255.255.255,
  Framed-Routing = None,
  Framed-Compression = None,
  Framed-MTU = 1500,
  Fall-Through = 1

User entries can then become one-liners, like in Kevin's example, and
you don't even need those DEFAULT entries for realms.

Ivan Kalik
Kalik Informatika ISP

Dana 8/11/2007, Kevin Bonner [EMAIL PROTECTED] piše:

On Thursday 08 November 2007 11:19:48 Lisa Casey wrote:
 The way things are set up now, any user can log in with any of the realms I
 have defined. For example, I (username lisa) could login as
 [EMAIL PROTECTED] and then turn around and login as [EMAIL PROTECTED]. My
 boss would like me to restrict this so that (for example) lisa could log in
 as [EMAIL PROTECTED] but not [EMAIL PROTECTED].

Just add a check item to the user entry and it will only allow them from that 
realm.  Since you are using 1.1.6, don't use Auth-Type and start using 
Cleartext-Password with the := operator.

  lisa Cleartext-Password := xxx, Realm == jellico.com
...

Or if you want to reject from a specific realm, just use this before your real 
user entry:
  lisa Realm == realmY, Auth-Type := Reject

Kevin Bonner



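As an added example, not code from Kevin's or Ivan's posts, a small Python model of how the entries in this thread are evaluated by the 1.x users file: entries are tried top to bottom, an entry whose name (or DEFAULT) and check items match contributes its items, and processing stops unless it sets Fall-Through. The requests are assumed to have passed the realm module already, so User-Name is stripped and Realm is set.

```python
# Constructed model of users-file evaluation (added example, not FreeRADIUS code).
REJECT = "Reject"

# (name, check items compared with the request, control items set with :=, reply items)
USERS = [
    # Ivan's shared DEFAULT: common reply items, then fall through.
    ("DEFAULT", {"Service-Type": "Framed-User"}, {},
     {"Framed-Protocol": "PPP", "Framed-IP-Address": "255.255.255.254",
      "Framed-MTU": "1500", "Fall-Through": "1"}),
    # Kevin's reject entry for realmY, placed before the real entry.
    ("lisa", {"Realm": "realmY"}, {"Auth-Type": REJECT}, {}),
    # Kevin's real entry: password known, and only valid from jellico.com.
    ("lisa", {"Realm": "jellico.com"}, {"Cleartext-Password": "xxx"}, {}),
]

def authorize(request, entries=USERS):
    """Return (outcome, reply items, control items) for one request dict."""
    reply, control = {}, {}
    for name, check, ctrl, rep in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(request.get(attr) != val for attr, val in check.items()):
            continue
        control.update(ctrl)
        reply.update((k, v) for k, v in rep.items() if k != "Fall-Through")
        # Auth-Type := Reject makes the server refuse without authenticating.
        if control.get("Auth-Type") == REJECT:
            return "reject", {}, control
        if rep.get("Fall-Through") != "1":
            break
    # No matching user entry means no known password, so PAP cannot succeed.
    if "Cleartext-Password" not in control:
        return "reject", {}, control
    return "ok", reply, control
```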


Received conflicting packet

2007-11-08 Thread Norbert Wegener

With my actual freeradius cvs I have some messages like these:
| 2007-11-08 11:37:07 | radiusd[17266]: Received conflicting packet from 
client 119.25.50.234 port 33496 - ID: 37 due to unfinished request 
140423.  Giving up on old request.  |
| 2007-11-08 11:37:07 | radiusd[17266]: Received conflicting packet from 
client 119.25.50.234 port 33512 - ID: 205 due to unfinished request 
140435.  Giving up on old request. |
| 2007-11-08 19:04:11 | radiusd[22818]: Received conflicting packet from 
client 119.25.50.234 port 36363 - ID: 181 due to unfinished request 
50778.  Giving up on old request.  |
| 2007-11-08 19:04:17 | radiusd[22818]: Received conflicting packet from 
client 119.25.50.234 port 36363 - ID: 181 due to unfinished request 
50779.  Giving up on old request.  |
| 2007-11-08 19:04:28 | radiusd[22818]: Received conflicting packet from 
client 119.25.50.234 port 36363 - ID: 64 due to unfinished request 
50783.  Giving up on old request.   |


What causes those messages?
I suppose, it might be serious?

Norbert Wegener



Re: cant connect with ntradping

2007-11-08 Thread tnt
This is (only) the server startup debug. You need to send also the debug
when request from ntradping is processed (you can skip the server
startup bit for that).

Port 0 is NAS-Port that ntradping is sending in the request.

Ivan Kalik
Kalik Informatika ISP


Dana 8/11/2007, Murilo Bernardes [EMAIL PROTECTED] piše:

Hi, I'm trying to ntradping my radius server but this is what the radius log
shows:

Thu Nov  8 14:10:39 2007 : Auth: rlm_unix: [root]: invalid password
Thu Nov  8 14:10:39 2007 : Auth: Login incorrect: [root/ \...(:;] (from
client testesomente port 0)

I understand that this root password is the Linux root password of my
server, but it keeps saying that this is incorrect. And in radius.conf I
set the port to be 1812 and it's saying port 0.

this is what freeradius -X shows:

 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = root
 sql: password = #s3nh4$r00t%
 sql: radius_db = radius
 sql: nas_table = nas
 sql: sqltrace = no
 sql: sqltracefile = /var/log/freeradius/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id, UserName, Attribute, Value,
op   FROM radcheck   WHERE Username =
'%{SQL-User-Name}'   ORDER BY id
 sql: authorize_reply_query = SELECT id, UserName, Attribute, Value,
op   FROM radreply   WHERE Username =
'%{SQL-User-Name}'   ORDER BY id
 sql: authorize_group_check_query = SELECT radgroupcheck.id,
radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,
radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER
BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT radgroupreply.id,
radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,
radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER
BY radgroupreply.id
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S',

using ldap for general attributes

2007-11-08 Thread Joe Vieira


Hi,

   So I have a plan to use ldap to generally set attributes and use 
those attributes to set multiple specific attributes in radius. 


example:
ldap server - radius - VPN
vpngroup - vpn filter and vpn tunnel and dhcp scope -  vpn

does that make sense to do in the users file?  could someone give me a 
general example of how they would try to do it?
I was thinking of adding a check item vpngroup (or whatever) in the ldap 
mapping file and then using the users file to match on that to set 
the reply I am looking for.


Joe Vieira
UNIX Systems Administrator
Clark University - ITS



Re: Startup problem with ldap

2007-11-08 Thread Massimo Meregalli
Hi Phil, Alan

I've tried to start nscd and that seems to resolve the problem.

I would like to thank you for all your answers.

Regards,

Massimo Meregalli

 Are you running nscd? If not, I suggest trying it. That way, the NSS
 ldap lookups will happen in the nscd process, and libc should detect
 that nscd is running and connect to the unix socket before even
 *thinking* about loading the libraries from nsswitch.conf
 

 It is possible that using the LDAP APIs in a certain way is the trigger,
 which is why other applications seem fine.
 



How to return Reply-Message when user submitted wrong password

2007-11-08 Thread Lee Sing Chyun
Hi,

Is there a way to reply with an intuitive Reply-Message (e.g., 'Wrong
Password') when the user tries to authenticate with a wrong password?

My current configuration is using rlm_pap and rlm_sql for authorization and
authentication. FreeRADIUS version is 1.1.7.

Thanks in advance!

-- 
Best Regards,
SC

Re: How to return Reply-Message when user submitted wrong password

2007-11-08 Thread Patric

Lee Sing Chyun wrote:

Hi,

Is there a way to reply with an intuitive Reply-Message (e.g., 'Wrong 
Password') when the user tries to authenticate with a wrong password?


My current configuration is using rlm_pap and rlm_sql for authorization 
and authentication. FreeRADIUS version is 1.1.7.


Thanks in advance!

--
Best Regards,
SC


Be careful with this, do you REALLY want to tell a possible attacker 
what they are doing wrong? Also many clients will completely ignore the 
reply message anyway...


HTH
Patric

--

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.




Re: How to return Reply-Message when user submitted wrong password

2007-11-08 Thread Lee Sing Chyun
On Nov 9, 2007 2:11 PM, Patric [EMAIL PROTECTED] wrote:

 Lee Sing Chyun wrote:
  Hi,
 
  Is there a way to reply with an intuitive Reply-Message (e.g., 'Wrong
  Password') when the user tries to authenticate with a wrong password?
 
  My current configuration is using rlm_pap and rlm_sql for authorization
  and authentication. FreeRADIUS version is 1.1.7.
 
  Thanks in advance!
 
  --
  Best Regards,
  SC

 Be careful with this, do you REALLY want to tell a possible attacker
 what they are doing wrong? Also many clients will completely ignore the
 reply message anyway...

 HTH
 Patric


Hi Patric,

Thanks for your timely warning! :-)

The reason I wanted to set the Reply-Message with intuitive messages is
because I have modified sql.conf to log the Reply-Message into radpostauth
table:

postauth_query = INSERT into ${postauth_table} (user, pass, reply, date,
reason) values ('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW(), '%{reply:Reply-Message}')

The above worked fine for these scenarios:
- Failed Simultaneous-Use checks : Reply-Message was You are already logged
in - access denied.
- Failed Login-Time checks: Reply-Message was You are calling outside your
allowed timespan
- Failed Expiration checks: Reply-Message was Password Has Expired

But in the scenario of wrong passwords, I notice the Reply-Message was
empty. Hence, I'm looking for ways to log the wrong-password reason
into the radpostauth table.

-- 
Best Regards,
SC

Freeradius 1.1.7 no DB handles

2007-11-08 Thread steven meyer

I have searched now for several weeks, but do not find a solution:
Installed freeradius 1.1.7 on suse
configured mysql on the same server

I can start radiusd fine, I can log in on the NAS, but I want accounting put
into mysql and that just does not work.
My DB tables are empty; only accounting should be put into them. I do not need
anything in usergroup for accounting etc., or do I?

radiusd -X | grep sql :

Config:   including file: /usr/local/etc/raddb/sql.conf
 sql: driver = rlm_sql_mysql
 sql: server = localhost
 sql: port = 
 sql: login = root
 sql: password = 
 sql: radius_db = radiusLOG
 sql: nas_table = nas
 sql: sqltrace = no
 sql: sqltracefile = /rzf/protokolle/radiusd/sqltrace.sql
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = %{User-Name}
 sql: default_user_profile = 
 sql: query_on_not_found = no
 sql: authorize_check_query = SELECT id, UserName, Attribute, Value, op
  
FROM radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER
BY id
 sql: authorize_reply_query = SELECT id, UserName, Attribute, Value, op
  
FROM radreply   WHERE Username = '%{SQL-User-Name}'   ORDER
BY id
 sql: authorize_group_check_query = SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
 sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
 sql: accounting_update_query =UPDATE radacct   SET
 
FramedIPAddress = '%{Framed-IP-Address}',  AcctSessionTime =
'%{Acct-Session-Time}',  AcctInputOctets =
'%{Acct-Input-Gigawords:-0}' << 32 |
'%{Acct-Input-Octets:-0}',  AcctOutputOctets=
'%{Acct-Output-Gigawords:-0}' << 32 |
'%{Acct-Output-Octets:-0}'   WHERE AcctSessionId =
'%{Acct-Session-Id}'   AND UserName= '%{SQL-User-Name}' 
 
AND NASIPAddress= '%{NAS-IP-Address}'
 sql: accounting_update_query_alt =INSERT INTO radacct
(AcctSessionId,AcctUniqueId,  UserName,  Realm,   
NASIPAddress,  NASPortId,  NASPortType,  AcctStartTime,
AcctSessionTime,  AcctAuthentic,ConnectInfo_start,
AcctInputOctets,  AcctOutputOctets, CalledStationId,  
CallingStationId,  ServiceType,  FramedProtocol,   
FramedIPAddress,  AcctStartDelay,   XAscendSessionSvrKey)  
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',  
   
'%{SQL-User-Name}',  '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',  '%{NAS-Port-Type}',  DATE_SUB('%S', 
 
INTERVAL (%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}) SECOND),  
'%{Acct-Session-Time}',  '%{Acct-Authentic}', '', 
'%{Acct-Input-Gigawords:-0}' << 32 |  '%{Acct-Input-Octets:-0}', 
'%{Acct-Output-Gigawords:-0}' << 32 | 
'%{Acct-Output-Octets:-0}',  '%{Called-Station-Id}',
'%{Calling-Station-Id}',  '%{Service-Type}',
'%{Framed-Protocol}',  '%{Framed-IP-Address}',  '0',
'%{X-Ascend-Session-Svr-Key}')
 sql: accounting_start_query =INSERT INTO radacct
(AcctSessionId,AcctUniqueId, UserName,  Realm,   
NASIPAddress, NASPortId,  NASPortType,  AcctStartTime,   
AcctStopTime,  AcctSessionTime,  AcctAuthentic,   
ConnectInfo_start,  ConnectInfo_stop, AcctInputOctets, 
AcctOutputOctets,  CalledStationId,  CallingStationId,
AcctTerminateCause,  ServiceType,  FramedProtocol,  
FramedIPAddress,  AcctStartDelay,   AcctStopDelay,   
XAscendSessionSvrKey)   VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',  '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', '%S', '0',  '0', '%{Acct-Authentic}',
'%{Connect-Info}',  '', '0', '0', 
'%{Called-Station-Id}',