Re: help

2008-01-14 Thread Alan DeKok
adnan deura wrote:
> i am getting help from the website :
> www.aerospacesoftware.com/radius.html

  Why?  It's *years* out of date.

> i add the user in this way,
>
> johndoe Auth-Type := Local, User-Password == johndoepassword
> Reply-Message = Hello, %u

  Don't do that.  It's wrong.  Do this:

johndoe Cleartext-Password := "johndoepassword"
        Reply-Message = "Hello, %u"

  See the documentation in 1.1.7 for why.

> AND AFTER THAT
>
> # radiusd -X

  And you haven't included the output.

> BUT THE RESPONSE FROM THE SERVER
> ...
> rad_recv: Access-Rejected packet

  You're trying to debug the server by looking at the output from the
client.  I fail to understand why anyone thinks this is useful.

> please tell me what to do

  READ the debug output from the server.  It is telling you what is
going wrong, and why.

> should i install an older version ?

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Python and return attributes in `postproxy`

2008-01-14 Thread Alan DeKok
Mike O'Connor wrote:
> It would seem as if the rlm_python does not provide the returned
> attributes from the proxy, this happens in both a patched version of
> 1.1.7 and 2.0.0.

  Yes.  It appears to convert only the request attributes to a python tuple.

  Fixing it shouldn't be hard.  As always, patches are welcome.

  Alan DeKok.


Re: Problem with accounting

2008-01-14 Thread liran tal
Hey Marinko,

On Jan 14, 2008 9:15 AM, Marinko Tarlac [EMAIL PROTECTED] wrote:

> Hi
>
> We have FreeRadius 1.1.4 and Mikrotik (as a NAS) with MySql as a database.
>
> Accounting works fine for all users except for one user. Authentication
> works fine and NAS sends updates as I specify for all users and I can't find
> any reason why it doesn't work for specific username.
>
> In debugging mode (radiusd -X and radiusd -x) I can see updates but MySql
> is empty...



Maybe you should post some debug output when those accounting
updates occur, you might be overlooking something.

It would also be wise to turn on mysql logging and monitor the
queries running (if at all) as they might be badly processed.


Regards,
Liran Tal.

Re: SQLippool problems (duplicate IPs handed out).

2008-01-14 Thread Dave
Peter Nixon wrote:

I downloaded and installed ver 2.0.0 and have been fighting with it for
hours.  I was going to move to the rlm_ippool module to fix this, but
using this module or the sqlippool module regardless of what is set in
radgroupreply or radreply I always get the error
rlm_ippool: Could not find Pool-Name attribute.
rlm_sqlippool: Could not find Pool-Name attrubute

I have it set in radgroupreply or radreply as Pool-Name := pool2 for example

I haven't really changed much except make the config mods to make 2.0
work with mysql

 Dave

 This is quite possible, as I don't think the MySQL queries currently do the 
 correct locking. If you can fix the problem, please send us a patch.

 -Peter

 On Mon 14 Jan 2008, Dave wrote:
   
 I use the sql IP pool setup with mysql, and been using it fine for a
 while, but I have a problem where if I have an influx of connections at
 one time (30++)  That freeradius will hand out an IP to my NAS, but it
 doesn't get written to the database fast enough and another thread of
 freeradius hands out the same IP to another user, and logs that entry to
 the radippool table.  So I get users with duplicate IP addresses.. this
 never happens if the connections are coming in slow enough, (1 or 2 at a
 time).

 freeradius 1.1.6 with mysql 5.0.26.

 Here is my sqlippool.conf.
 --
 -- sqlippool {

 ## SQL instance to use (from sql.conf)
 sql-instance-name = sql

 ## Table to keep ippool info
 ippool_table = radippool

 ## lease_duration. fix for lost acc-stop packets
 lease-duration = 3600

 ## Attribute which should be considered unique per NAS
 ## Using NAS-Port gives behaviour similar to rlm_ippool.
 Calling-Station-Id is for NAS that send fixed NAS-Port
  pool-key = %{NAS-Port}
 # pool-key = %{Calling-Station-Id}

 ## Logging configuration.
 sqlippool_log_exists = Existing IP: %{reply:Framed-IP-Address} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
 user %{User-Name})

 sqlippool_log_success = Allocated IP: %{reply:Framed-IP-Address} from
 %{check:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
 user %{User-Name})

 sqlippool_log_clear = Released IP %{Framed-IP-Address}\
 (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})

 sqlippool_log_failed = IP Allocation FAILED from %{check:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
 user %{User-Name})

 sqlippool_log_nopool = No Pool-Name defined \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
 user %{User-Name})

 # ## This series of queries allocates an IP address
 # allocate-clear = UPDATE ${ippool_table} \
 #  SET nasipaddress = '', pool_key = 0, callingstationid = '', username
 = '', \
 #  expiry_time = '-00-00 00:00:00' \
 #  WHERE pool_key = '${pool-key}'

 ## This will clear all expired leases for lost acc-stop packets
 allocate-clear = UPDATE radippool \
  SET nasipaddress = '', pool_key = 0, callingstationid = '', username =
 '', \
  expiry_time = '-00-00 00:00:00' \
  WHERE expiry_time = NOW() - INTERVAL 1 SECOND


 # ## The ORDER BY clause of this query tries to allocate the same
 # ## IP-address which user had last session...
  allocate-find = SELECT framedipaddress FROM ${ippool_table} \
   WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < NOW() \
   ORDER BY (username <> '%{User-Name}'), \
   (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
   LIMIT 1 \
   FOR UPDATE

 ## If you prefer to allocate a random IP address every time, use this
 query instead
 #allocate-find = SELECT framedipaddress FROM ${ippool_table} \
 # WHERE pool_name = '%{check:Pool-Name}' AND expiry_time = '-00-00
 00:00:00' \
 # ORDER BY RAND() \
 # LIMIT 1 \
 # FOR UPDATE


 ## If an IP could not be allocated, check to see if the pool exists or not
 ## This allows the module to differentiate between a full pool and no pool
 ## Note: If you are not running redundant pool modules this query may be
 commented
 ## out to save running this query every time an ip is not allocated.
 pool-check = SELECT id FROM ${ippool_table} WHERE
 pool_name='%{check:Pool-Name}' LIMIT 1


 allocate-update = UPDATE ${ippool_table} \
  SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
  callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \
  expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
  WHERE framedipaddress = '%I'


 ## This series of queries frees an IP number when an accounting
 ## START record arrives
 start-update = UPDATE ${ippool_table} \
  SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
  WHERE nasipaddress = '%{NAS-IP-Address}' AND  pool_key = '${pool-key}'

 ## This series of queries frees an IP number when an accounting
 ## STOP record arrives
 stop-clear = UPDATE ${ippool_table} \
  SET nasipaddress = '', 

Re: Verifying framed-ip-address using unlang

2008-01-14 Thread Alan DeKok
Pshem Kowalczyk wrote:
> Is it possible to use unlang to verify whether framed-ip-address is in
> the right range or not?

  Yes and no.  The comparisons are not typed, so everything is a string.

> We would like to use it on our wholesale proxies. Wholesale customers
> of ours are allowed to allocate IPs to their customers, but only from
> certain ranges. Will a normal comparison ( ) work with IP addresses?

  They will work, but they won't do IP-address comparison.

  You can either do string comparisons, which will often do the right
thing, OR regular expressions, which will do the right thing if you
write them carefully.

  Alan DeKok.


Problem with accounting

2008-01-14 Thread Marinko Tarlac
Hi

We have FreeRadius 1.1.4 and Mikrotik (as a NAS) with MySql as a database.
Accounting works fine for all users except for one user. Authentication
works fine and NAS sends updates as I specify for all users and I can't find
any reason why it doesn't work for specific username.

In debugging mode (radiusd -X and radiusd -x) I can see updates but MySql is
empty...

Re: Problem with accounting

2008-01-14 Thread inverse
On Jan 14, 2008 9:15 AM, Marinko Tarlac [EMAIL PROTECTED] wrote:
> Hi
>
> We have FreeRadius 1.1.4 and Mikrotik (as a NAS) with MySql as a database.
> Accounting works fine for all users except for one user. Authentication
> works fine and NAS sends updates as I specify for all users and I can't find
> any reason why it doesn't work for specific username.
>
> In debugging mode (radiusd -X and radiusd -x) I can see updates but MySql is
> empty...


Hi,
I suggest you try first with the latest freeradius version available.
1.1.4 is not recent and there have been many bugfixes since that.


-- 
In a sea of glass shards, I hear you screaming
--icchan


Re: radsqlrelay v1.7 on freebsd 6.3

2008-01-14 Thread David Wood

Hi Roy and everyone,

In message [EMAIL PROTECTED], roy 
[EMAIL PROTECTED] writes

> Application versions that are being used:
> FreeBSD 6.3-PRERELEASE
> p5-DBD-Pg-1.49
> p5-DBI-1.60.1
> postgresql-client-8.1.11
> freeradius-devel-2.0.0.p2
> radsqlrelay v1.7


FreeRADIUS 2.0.0-pre2 is some way behind the released FreeRADIUS 2.0.0. 
By the time 2.0.0-pre2 got committed to the FreeBSD ports tree, we were 
very close to the 2.0.0 release.


FreeBSD PR ports/119582 contains what should become the net/freeradius2 
port for the 2.0.0 release version.


http://www.freebsd.org/cgi/query-pr.cgi?pr=119582



However, radsqlrelay is version 1.7 in the released 2.0.0 as well.



> I'm no real coder myself, hence, the need to seek direction. Any
> necessary change on the script that I need to make?


struct flock has different parameters in FreeBSD's C library - or, more 
accurately, the same parameters in a different order - see man 2 fcntl



In /usr/local/bin/radsqlrelay read down a few lines further than you 
were looking into sub setlock. Back up the file, then change the my 
$packed line to:


my $packed = pack($FLOCK_STRUCT, $start, $len, 0, F_WRLCK, SEEK_SET);

That should be all on one line; it's the same parameters in a different 
order.



Then go up to the my $FLOCK_STRUCT line and make the corresponding 
change:


my $FLOCK_STRUCT = 'l2is2';



This is *completely* untested - but looks to be more in line with the 
FreeBSD man page. If it works, I'll add a rather tidier patch to the 
port in due course - one that updates the comments as well.


If this doesn't work, it needs further investigation.



Best wishes,




David
--
David Wood
[EMAIL PROTECTED]


Re: Verifying framed-ip-address using unlang

2008-01-14 Thread Arran Cudbard-Bell

Alan DeKok wrote:
> Pshem Kowalczyk wrote:
>> Is it possible to use unlang to verify whether framed-ip-address is in
>> the right range or not?
>
>   Yes and no.  The comparisons are not typed, so everything is a string.
>
>> We would like to use it on our wholesale proxies. Wholesale customers
>> of ours are allowed to allocate IPs to their customers, but only from
>> certain ranges. Will a normal comparison ( ) work with IP addresses?
>
>   They will work, but they won't do IP-address comparison.
>
>   You can either do string comparisons, which will often do the right
> thing, OR regular expressions, which will do the right thing if you
> write them carefully.

Sub Captures of regular expressions map onto variables %{1}-%{8}, so you
can extract the individual octets of the IP address. So if you wanted to
check multiple ranges, best thing is to extract the octets of the IP
address and then do the comparison with normal  =  operators.

>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
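
An added illustration of the two replies above, not code from the thread or from FreeRADIUS: it is written in Python rather than unlang, and the range, the careless pattern and the sample addresses are constructed. It shows where a string comparison and a loosely written regular expression disagree with a comparison of the extracted octets.

```python
import re

# Constructed policy for this example: the single range a wholesale
# customer may allocate from.
LOW, HIGH = "10.20.0.0", "10.20.3.255"

# Careless pattern: dots not escaped, no anchors, third octet unbounded.
CARELESS = re.compile(r"10.20.[0-3]")

# Careful pattern: dots escaped, one capture group per octet. The groups
# play the role of %{1}..%{4} after a regex match in unlang.
OCTETS = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})")


def string_in_range(addr, low=LOW, high=HIGH):
    """Untyped check: the operands are compared character by character."""
    return low <= addr <= high


def careless_regex_in_range(addr):
    """Regex check written without anchors or escaping."""
    return CARELESS.search(addr) is not None


def parse_octets(addr):
    """Return the four octets as integers, or None if addr is not IPv4."""
    m = OCTETS.fullmatch(addr)          # fullmatch: nothing before or after
    if m is None:
        return None
    parts = tuple(int(g) for g in m.groups())
    return parts if all(p <= 255 for p in parts) else None


def octets_in_range(addr, low=LOW, high=HIGH):
    """Typed check: extract the octets, then compare them as numbers."""
    parts = parse_octets(addr)
    if parts is None:
        return False                    # fail closed on malformed input
    return parse_octets(low) <= parts <= parse_octets(high)


def compare_checks(candidates):
    """Map each address to (string check, careless regex, octet check)."""
    return {a: (string_in_range(a),
                careless_regex_in_range(a),
                octets_in_range(a))
            for a in candidates}


# Constructed sample values for Framed-IP-Address.
SAMPLES = [
    "10.20.1.7",      # inside the range
    "10.20.25.1",     # outside, but sorts between LOW and HIGH as a string
    "10.20.3.9",      # inside, but sorts after HIGH as a string
    "110.20.3.1",     # outside, but contains text the careless regex accepts
    "10.20.2.999",    # not an address at all
    "10.21.0.1",      # outside
]

if __name__ == "__main__":
    print(f"{'address':<14}{'string':<8}{'regex':<8}octets")
    for addr, (s, r, o) in compare_checks(SAMPLES).items():
        print(f"{addr:<14}{s!s:<8}{r!s:<8}{o}")
```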




Re: Freeradius + portuguese characters in Active Directory

2008-01-14 Thread nikitha george
Alan,
I tried with 2.0 release, still i am not able  to get the user
authenticated. I am seeing the freeradius which logs the user name as some
different character instead of cató.

Any other idea? Or did u guys ever tried with this kind of characters in
user name?

Thanks,
Sumithra


On 1/12/08, nikitha george [EMAIL PROTECTED] wrote:

> Okay. Currently I am running with 1.1.6, will upgrade to 2.0 and try it.
>
> Thanks for your information.
> Regards,
> Nikitha
>
> On 1/11/08, Alan DeKok [EMAIL PROTECTED] wrote:
>> nikitha george wrote:
>>> I am creating a user account in AD with portuguese character and have
>>> the freeradius configured properly.
>>
>> 1.1.x does not support UTF-8 that well.  Version 2.0.0 should be much
>> better.  Please try that.
>>
>> Alan DeKok.
 



Re: radsqlrelay v1.7 on freebsd 6.3

2008-01-14 Thread roy
Hi David,

On Mon, 2008-01-14 at 09:28 +, David Wood wrote:
> FreeRADIUS 2.0.0-pre2 is some way behind the released FreeRADIUS 2.0.0.
> By the time 2.0.0-pre2 got committed to the FreeBSD ports tree, we were
> very close to the 2.0.0 release.
>
> FreeBSD PR ports/119582 contains what should become the net/freeradius2
> port for the 2.0.0 release version.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=119582
>
> However, radsqlrelay is version 1.7 in the released 2.0.0 as well.
>
>> I'm no real coder myself, hence, the need to seek direction. Any
>> necessary change on the script that I need to make?
>
> struct flock has different parameters in FreeBSD's C library - or, more
> accurately, the same parameters in a different order - see man 2 fcntl
>
> In /usr/local/bin/radsqlrelay read down a few lines further than you
> were looking into sub setlock. Back up the file, then change the my
> $packed line to:
>
> my $packed = pack($FLOCK_STRUCT, $start, $len, 0, F_WRLCK, SEEK_SET);
>
> That should be all on one line; it's the same parameters in a different
> order.
>
> Then go up to the my $FLOCK_STRUCT line and make the corresponding
> change:
>
> my $FLOCK_STRUCT = 'l2is2';
>
> This is *completely* untested - but looks to be more in line with the
> FreeBSD man page. If it works, I'll add a rather tidier patch to the
> port in due course - one that updates the comments as well.
>
> If this doesn't work, it needs further investigation.

Thanks for the quick reply.

Made these changes:
line 53  my $FLOCK_STRUCT = 'l2is2';
line 62  my $packed = pack($FLOCK_STRUCT, $start, $len, 0, F_WRLCK,
SEEK_SET);

Still returns:
error: Couldn't lock /home/radius/sql-relay.work: Invalid argument

BR,

roy



help again

2008-01-14 Thread adnan deura
if the website is old where should i go buddy
 
http://www.aerospacesoftware.com/radius.html
 
?

Re: help again

2008-01-14 Thread tnt
Read the instructions in users file.

Ivan Kalik
Kalik Informatika ISP


On 14/1/2008, adnan deura [EMAIL PROTECTED] wrote:

if the website is old where should i go buddy
 
http://www.aerospacesoftware.com/radius.html
 
?


help help help

2008-01-14 Thread adnan deura
 
hello everybody
 
i am given the task of installing freeradius 1.1.7 on fedora core 7 for my 
computer networking course's final project.
 
my sir has a very little idea of freeRADIUS ., what should i do to get a good 
grade .
 
i have installed ,configured( i think so ),and added a user in the 'user' file 
and it all works well . i do not know what to do next please tell me that what 
i can i do next or at least tell me what to do on google.
 
how is a user going to access the radius server on my machine ,
and what are the things i can do with this tool to show to my lecturer,
and what things are that i can do to avail the full features of freeRADIUS 1.1.7
 
 
waiting for your reply
 
thanks in advance.
 

Re: help help help

2008-01-14 Thread David Wood

Hi there,

In message [EMAIL PROTECTED], adnan deura 
[EMAIL PROTECTED] writes

> i am given the task of installing freeradius 1.1.7 on fedora core 7 for my
> computer networking course's final project.


The documentation is out there - but we're not here to do your project 
for you.


There's plenty of documentation in the files shipped with the server, 
there's more in the wiki, and, of course, there's the archives of this 
mailing list - which are all available on the web.


Read the RADIUS RFCs. See if you can find a wireless access point that 
will do WPA Enterprise (many fairly cheap units will), and set up 
FreeRADIUS in that setup using different EAP types.



There's much, much more that you can do - but that should get you 
started!




Best wishes,




David
--
David Wood
[EMAIL PROTECTED]


Re: help help help

2008-01-14 Thread liran tal
Hey Adnan,

On Jan 14, 2008 12:25 PM, adnan deura [EMAIL PROTECTED] wrote:


> hello everybody
>
> i am given the task of installing freeradius 1.1.7 on fedora core 7 for my
> computer networking course's final project.

Well that's nice to hear.

> my sir has a very little idea of freeRADIUS ., what should i do to get a
> good grade .

Being a good student is a start but there are other ways which
we won't cover here.

> i have installed ,configured( i think so ),and added a user in the 'user'
> file and it all works well . i do not know what to do next please tell me
> that what i can i do next or at least tell me what to do on google.

Don't you have a project outline?
In any case the wiki is a good place to start: http://wiki.freeradius.org

> how is a user going to access the radius server on my machine ,
> and what are the things i can do with this tool to show to my lecturer,
> and what things are that i can do to avail the full features of freeRADIUS
> 1.1.7

It is probably better if you read up on some documentation explaining
what a RADIUS server does, what is its role in the network and how it
operates.

Basically, you should also consider adding a NAS to your network
configuration so that you can actually do some authentication and possibly
accounting.
Otherwise you can just use the radclient as a proof-of-concept show-case.


Regards,
Liran Tal.

R: help help help

2008-01-14 Thread Francesco Cristofori
I think you're asking us to do the homework for you ;-)
 
Take a look on google for radius architecture and read radius rfcs .
After reading it should be clear what radius can and cannot do.
 
Regards,
Francesco. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of adnan deura
Sent: Monday 14 January 2008 12.26
To: freeradius-users@lists.freeradius.org
Subject: help help help


 
hello everybody
 
i am given the task of installing freeradius 1.1.7 on fedora core 7 for 
my computer networking course's final project.
 
my sir has a very little idea of freeRADIUS ., what should i do to get 
a good grade .
 
i have installed ,configured( i think so ),and added a user in the 
'user' file and it all works well . i do not know what to do next please tell 
me that what i can i do next or at least tell me what to do on google.
 
how is a user going to access the radius server on my machine ,
and what are the things i can do with this tool to show to my lecturer,
and what things are that i can do to avail the full features of 
freeRADIUS 1.1.7
 
 
waiting for your reply
 
thanks in advance.
 





Re: help

2008-01-14 Thread A . L . M . Buxey
Hi,

> i have to install freeRADIUS 1.1.7 on fedora core 7 ,but i am unable to add
> users to the 'users' file .

why? 2.0.0 is out now

> i am getting help from the website :  www.aerospacesoftware.com/radius.html

way way way out of date and it doesn't follow current best practice either.

> johndoe Auth-Type := Local, User-Password == johndoepassword
> Reply-Message = Hello, %u
> AND AFTER THAT

johndoe Cleartext-Password := "passwordhere"
        Reply-Message = "hello, %u"

> please tell me what to do

basically ignore the output from the client - it can't tell you THAT much.
instead, look at the output from the server - which is plenty if you
use 'radiusd -X'

> should i install an older version ?

no. the opposite. install a newer version

alan


Re: Problem with accounting

2008-01-14 Thread tnt
Can you post the debug for Accounting Start packets for that user and one
that is being recorded.

Ivan Kalik
Kalik Informatika ISP


On 14/1/2008, Marinko Tarlac [EMAIL PROTECTED] wrote:

Hi

We have FreeRadius 1.1.4 and Mikrotik (as a NAS) with MySql as a database.
Accounting works fine for all users except for one user. Authentication
works fine and NAS sends updates as I specify for all users and I can't find
any reason why it doesn't work for specific username.

In debugging mode (radiusd -X and radiusd -x) I can see updates but MySql is
empty...





Re: help again

2008-01-14 Thread A . L . M . Buxey
Hi,
> if the website is old where should i go buddy
>
> http://www.aerospacesoftware.com/radius.html

there's a bunch of docs that come in the freeradius tar archive
(they'll end up in /usr/local/share/doc/freeradius or wherever
your chosen path is during configure ; make ; make install)

there's also

http://deployingradius.com/

and

wiki.freeradius.org

both are top google hits

alan


Re: Freeradius + portuguese characters in Active Directory

2008-01-14 Thread Alan DeKok
nikitha george wrote:
> Alan,
> I tried with 2.0 release, still i am not able  to get the user
> authenticated. I am seeing the freeradius which logs the user name as
> some different character instead of cató.
>
> Any other idea? Or did u guys ever tried with this kind of characters in
> user name?

  I don't try it that often, but I have tried it in the past.

  Perhaps you could say *where* this is happening.  i.e. include a debug
log, as suggested in the FAQ, README, INSTALL, etc.  There may be places
in the server which haven't been updated to handle UTF-8.

  Alan DeKok.


RE: seg fault

2008-01-14 Thread Joe Vieira

>   Since we have no idea what the problem is, the answer is likely no.

totally fair =)

>   If malloc() is core dumping, then something else is going wrong.  i.e.
> some other part of the server is over-writing memory.

when you say the server i assume you mean freeradius not another app.??

>   I would try 2.0.  Large amounts of code have been re-written or
> updated.  It may not be perfect, but there are good odds that this
> problem won't re-appear.

that's what i'll do then.

thanks for the help,
Joe



Re: SQLippool problems (duplicate IPs handed out).

2008-01-14 Thread Alan DeKok
Dave wrote:
> I use the sql IP pool setup with mysql, and been using it fine for a
> while, but I have a problem where if I have an influx of connections at
> one time (30++)  That freeradius will hand out an IP to my NAS, but it
> doesn't get written to the database fast enough and another thread of
> freeradius hands out the same IP to another user, and logs that entry to
> the radippool table.  So I get users with duplicate IP addresses..

  From my reading of the code, it's because the SQL IPPool module does
multiple queries *outside* of a transaction.  The SQL code in rlm_sql
does one transaction per query, but that's not what you want.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
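
An added sketch of the race described above, not code from rlm_sqlippool: the find and update steps run first as separate transactions, then inside a single one. It uses Python's sqlite3 as a stand-in for MySQL (BEGIN IMMEDIATE takes the place of a transaction wrapped around SELECT ... FOR UPDATE), with a simplified radippool table and constructed users and addresses.

```python
import os
import sqlite3
import tempfile

# Simplified stand-in for the radippool table; integer timestamps keep the
# example deterministic. All names and addresses here are constructed.
SCHEMA = """CREATE TABLE radippool (
    framedipaddress TEXT PRIMARY KEY,
    username        TEXT NOT NULL DEFAULT '',
    expiry_time     INTEGER NOT NULL DEFAULT 0)"""
FIND = ("SELECT framedipaddress FROM radippool "
        "WHERE expiry_time < ? ORDER BY framedipaddress LIMIT 1")
UPDATE = ("UPDATE radippool SET username = ?, expiry_time = ? "
          "WHERE framedipaddress = ?")
NOW, LEASE = 1000, 3600


def connect(path):
    # isolation_level=None: every statement commits on its own unless we BEGIN.
    # timeout=0: a busy lock raises at once instead of waiting.
    return sqlite3.connect(path, isolation_level=None, timeout=0)


def make_pool(path, addresses):
    db = connect(path)
    db.execute(SCHEMA)
    db.executemany("INSERT INTO radippool (framedipaddress) VALUES (?)",
                   [(a,) for a in addresses])
    db.close()


def find_free(conn):
    rows = conn.execute(FIND, (NOW,)).fetchall()   # fetchall ends the read
    return rows[0][0] if rows else None


def racy_allocate(path, users):
    """find and update as separate transactions, interleaved as under load."""
    conns = [connect(path) for _ in users]
    found = [find_free(c) for c in conns]          # every worker reads first
    for conn, user, ip in zip(conns, users, found):
        conn.execute(UPDATE, (user, NOW + LEASE, ip))   # then each one writes
        conn.close()
    return dict(zip(users, found))


def allocate_in_transaction(conn, user):
    """find and update inside one write transaction."""
    conn.execute("BEGIN IMMEDIATE")                # take the write lock first
    try:
        ip = find_free(conn)
        if ip is not None:
            conn.execute(UPDATE, (user, NOW + LEASE, ip))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return ip


def serialized_allocate(path, users):
    """Same arrival order as racy_allocate, but each allocation is atomic."""
    first, second = users
    a, b = connect(path), connect(path)
    a.execute("BEGIN IMMEDIATE")                   # worker A starts allocating
    try:
        b.execute("BEGIN IMMEDIATE")               # worker B arrives meanwhile
        second_had_to_wait = False
    except sqlite3.OperationalError:               # "database is locked"
        second_had_to_wait = True
    ip_a = find_free(a)
    a.execute(UPDATE, (first, NOW + LEASE, ip_a))
    a.execute("COMMIT")
    ip_b = allocate_in_transaction(b, second)      # B retries after A commits
    a.close()
    b.close()
    return {first: ip_a, second: ip_b}, second_had_to_wait


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, fn in (("racy", racy_allocate),
                         ("serialized", serialized_allocate)):
            path = os.path.join(workdir, name + ".db")
            make_pool(path, ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
            results[name] = fn(path, ["alice", "bob"])
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In MySQL, the row lock taken by SELECT ... FOR UPDATE is released when its transaction ends, so with one transaction per query nothing is still held when the update runs.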


seg fault

2008-01-14 Thread Joe Vieira
I've been trying to pin down a rather elusive segfault for over 2 months now.  
and i finally got it to happen inside of gdb.

this is freeradius 1.1.6, on rhel5 x86-64

if this problem is fixed in 2.0 or 1.1.7 please let me know.

Starting program: /usr/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread 46912543318400 (LWP 8450)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912543318400 (LWP 8450)]
0x2c1666d5 in _int_malloc () from /lib64/libc.so.6
* 1 Thread 46912543318400 (LWP 8450)  0x2c1666d5 in _int_malloc ()
   from /lib64/libc.so.6

Thread 1 (Thread 46912543318400 (LWP 8450)):
#0  0x2c1666d5 in _int_malloc () from /lib64/libc.so.6
No symbol table info available.
#1  0x2c167d4d in malloc () from /lib64/libc.so.6
No symbol table info available.
#2  0x2be05102 in CRYPTO_malloc () from /lib64/libcrypto.so.6
No symbol table info available.
#3  0x2be2a6b7 in BN_free () from /lib64/libcrypto.so.6
No symbol table info available.
#4  0x2be2a808 in bn_expand2 () from /lib64/libcrypto.so.6
No symbol table info available.
#5  0x2be2abd5 in BN_bin2bn () from /lib64/libcrypto.so.6
No symbol table info available.
#6  0x2be36ea0 in RSA_PKCS1_SSLeay () from /lib64/libcrypto.so.6
No symbol table info available.
#7  0x2bb7cc62 in ssl3_get_client_key_exchange ()
   from /lib64/libssl.so.6
No symbol table info available.
#8  0x2bb7ecaf in ssl3_accept () from /lib64/libssl.so.6
No symbol table info available.
#9  0x2bb854c3 in ssl3_read_bytes () from /lib64/libssl.so.6
No symbol table info available.
#10 0x2bb82431 in ssl3_renegotiate_check () from /lib64/libssl.so.6
No symbol table info available.
#11 0x2e1d77da in tls_handshake_recv (ssn=0x58718240) at tls.c:173
err = value optimized out
#12 0x2e1d6ad5 in eaptls_process (handler=0x59e07860)
at eap_tls.c:638
tls_session = (tls_session_t *) 0x58718240
tlspacket = (EAPTLS_PACKET *) 0x5860bc80
status = EAPTLS_LENGTH_INCLUDED
#13 0x2ebe642b in eappeap_authenticate (arg=0x584e9ac0,
handler=0x59e07860) at rlm_eap_peap.c:169
rcode = value optimized out
status = value optimized out
tls_session = (tls_session_t *) 0x58718240
#14 0x2dfcf1c6 in eaptype_call (atype=0x584e7d50,
handler=0x59e07860) at eap.c:167
rcode = value optimized out
#15 0x2dfcf30a in eaptype_select (inst=0x584d23d0,
handler=0x59e07860) at eap.c:361
default_eap_type = value optimized out
eaptype = (eaptype_t *) 0x59d5feb8
vp = value optimized out
namebuf = [EMAIL PROTECTED]
eaptype_name = 0x2e1d7d26 peap
#16 0x2dfcdffb in eap_authenticate (instance=0x584d23d0,
request=0x58609f90) at rlm_eap.c:261
inst = (rlm_eap_t *) 0x2c442960
handler = (EAP_HANDLER *) 0x59e07860
eap_packet = (eap_packet_t *) 0x0
rcode = value optimized out
#17 0x55563682 in modcall (component=0, c=0x584cfe30,
request=0x58609f90) at modcall.c:236
myresult = 0
#18 0x55563c71 in call_one (component=-1404819104, p=0x80,
request=0x5860b0e0, priority=0x2c442ad0, result=0x40)
at modcall.c:269
r = value optimized out
#19 0x5556384c in modcall (component=0, c=0x584cfe80,
request=0x58609f90) at modcall.c:324
g = (modgroup *) 0x584cfe80
myresult = 0
#20 0xb763 in rad_check_password (request=0x58609f90)
at auth.c:380
dval = (DICT_VALUE *) 0x0
auth_type_pair = value optimized out
cur_config_item = value optimized out
password_pair = (VALUE_PAIR *) 0x0
auth_item = value optimized out
auth_type = 6
result = value optimized out
auth_type_count = 1
#21 0xbc8a in rad_authenticate (request=0x58609f90)
at auth.c:675
check_item = value optimized out
vp = (VALUE_PAIR *) 0x5860b0e0
namepair = (VALUE_PAIR *) 0x586c89d0
check_item = value optimized out
reply_item = value optimized out
auth_item = (VALUE_PAIR *) 0x0
module_msg = value optimized out
tmp = (VALUE_PAIR *) 0x0
result = 3
r = value optimized out
umsg = 

Problem with rlm_perl module

2008-01-14 Thread serelk
  Hello All
I have spent few days trying to build freeradius  with rlm_perl module on
Solaris 10.
Using both last version 2.0.0 and 1.1.7 I'm getting very similar problem.
Does anybody get it running ?

recvfrom0x4814
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
socketpair  0x4a10
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(util.o)
socketpair  0x6be4
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
getservent  0xdfbc
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
connect 0x7108
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
setservent  0xe2e4
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
getnetbyaddr0xd9b8
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
getprotoent 0xdc90
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
getnetbyname0xd93c
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
setnetent   0xe214
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
getservbyport   0xdfac
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
getprotobynumber0xdc80
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
endservent  0xe460
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
getprotobyname  0xdc38
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
setprotoent 0xe27c
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
endprotoent 0xe3f4
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
__muldi30x5bbc
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(perlio.o)
__divdi30x5bb0
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(perlio.o)
__floatdidf 0x597c
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
__floatdidf 0x5bbc
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
__floatdidf 0x5cd8
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
__floatdidf 0x8320
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
__floatdidf 0x8eec
/usr/local/lib/perl5/5.8.8/sun4-solaris/CORE/libperl.a(pp_sys.o)
ld: fatal: relocations remain against allocatable but non-writable sections
collect2: ld returned 1 exit status
gmake[6]: *** [rlm_perl.la] Error 1
gmake[6]: Leaving directory `/opt/OPEN-Ldap/freeradius-server-2.0.0/src/modules/rlm_perl'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/opt/OPEN-Ldap/freeradius-server-2.0.0/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/opt/OPEN-Ldap/freeradius-server-2.0.0/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/opt/OPEN-Ldap/freeradius-server-2.0.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/opt/OPEN-Ldap/freeradius-server-2.0.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/opt/OPEN-Ldap/freeradius-server-2.0.0'
make: *** [all] Error 2

Br
Serelk

help

2008-01-14 Thread adnan deura
 
 
please send me db_mysql.sql file

Re: help

2008-01-14 Thread tnt
1. it's included with the server

2. Google freeradius mysql ddl script

Ivan Kalik
Kalik Informatika ISP


On 14/1/2008, adnan deura [EMAIL PROTECTED] wrote:

please send me db_mysql.sql file


Sample configurations file for Windows XP -PEAP(FreeRadius 2.0)

2008-01-14 Thread nicknie
Hi All,

   I'm new to FreeRadius and want to test Windows PEAP with FreeRadius 2.0. The 
network diagram is:
   Windows XP -- AP (with 802.1x proxy) 192.168.1.10 -- FreeRadius 2.0 (192.168.1.100)
   I want to have Windows XP station username/password in a file in Linux 
server. 
  Anybody has a sample configuration file?


Thanks
Nick Nie

Re: Sample configurations file for Windows XP -PEAP(FreeRadius 2.0)

2008-01-14 Thread Alan DeKok
nicknie wrote:
 I'm new to FreeRadius and want to test Windows PEAP with FreeRadius
 2.0. The network diagram is:
 Windows XP -- AP (with 802.1x proxy) 192.168.1.10 -- FreeRadius
 2.0 (192.168.1.100)
I want to have Windows XP station username/password in a file in
 Linux server.
   Anybody has a sample configuration file?

  The server comes with configuration files that *work*.

  In 2.0, add a user & password to the users file (see the FAQ).
Un-check the validate server certificate on the Windows workstation.
  Start the server in debugging mode, as root.  If FreeRADIUS was
installed correctly, PEAP should JUST WORK.

  Alan DeKok.


Hello, and a question.

2008-01-14 Thread David W Bell

Hi there.

Have used freeRADIUS in the past to authenticate dial-up/ADSL users, but 
now have a different implementation problem that requires some input 
from this list.


I am working on a Single Sign-On solution to try and give users in the 
organisation that I work for, a single username and password.


I am planning on using LDAP for the backend store, as a lot of our 
equipment can be configured to use LDAP natively.


However we also have a lot of routers and other network kit that either 
talks RADIUS or TACACS+ (or both)


I would like to keep things as simple as possible, so my question is.

Can freeRADIUS provide everything that TACACS+ can so that I need only 
install/configure freeRADIUS.


Thanks in advance

David W Bell


help

2008-01-14 Thread adnan deura
after all the installations and configurations what can i do with freeRadius as 
a student , i mean what to show to my teacher

Re: Hello, and a question.

2008-01-14 Thread Arran Cudbard-Bell

David W Bell wrote:

Hi there.

Have used freeRADIUS in the past to authenticate dial-up/ADSL users, 
but now have a different implementation problem that requires some 
input from this list.


I am working on a Single Sign-On solution to try and give users in the 
organisation that I work for, a single username and password.


I am planning on using LDAP for the backend store, as a lot of our 
equipment can be configured to use LDAP natively.


However we also have a lot of routers and other network kit that 
either talks RADIUS or TACACS+ (or both)


I would like to keep things as simple as possible, so my question is.

Can freeRADIUS provide everything that TACACS+ can so that I need only 
install/configure freeRADIUS.

This really depends on the network kit and the Vendor that produced it. 
Cisco claim that many of the features of TACACS+ can be replicated using 
Cisco VSA strings. The wiki has bits and pieces for Cisco 
http://wiki.freeradius.org/Cisco#Cisco_VSAs.


HP  Have limited support for RADIUS; You can be an operator or manager 
 But you can't really have fine grained control over what commands 
those users can issue.


Bottom line is TACACS+ generally has better support in terms of fine 
grained access control, but TACACS+ server implementations do not have 
the flexibility and range of features FreeRADIUS does.


Thanks in advance

David W Bell



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: Hello, and a question.

2008-01-14 Thread David W Bell





Can freeRADIUS provide everything that TACACS+ can so that I need 
only install/configure freeRADIUS.
This really depends on the network kit and the Vendor that produced 
it. Cisco claim that many of the features of TACACS+ can be replicated 
using Cisco VSA strings. The wiki has bits and pieces for Cisco 
http://wiki.freeradius.org/Cisco#Cisco_VSAs.


HP  Have limited support for RADIUS; You can be an operator or manager 
 But you can't really have fine grained control over what commands 
those users can issue.


Bottom line is TACACS+ generally has better support in terms of fine 
grained access control, but TACACS+ server implementations do not have 
the flexibility and range of features FreeRADIUS does.




Much of the kit we are using IS Cisco.

So I am guessing I would be best to allow RADIUS & TAC+ to interface 
with LDAP.


Thanks for that :)

David


Re: help

2008-01-14 Thread tnt
Output from radiusd -X. It will show server configuration and processing
of the access and accounting requests. If you are using MySQL you can
also show the content of radacct table that will contain accounting data.

Ivan Kalik
Kalik Informatika ISP


On 14/1/2008, adnan deura [EMAIL PROTECTED] wrote:

after all the installations and configurations what can i do with freeRadius 
as a student , i mean what to show to my teacher


me for help

2008-01-14 Thread adnan deura
 
i get the following output
 
after configuring mysql 
 
the file is attached please help

error file of radiusd -X after mysql configuration.odt
Description: Zip compressed data

Re: Hello, and a question.

2008-01-14 Thread Alan DeKok
David W Bell wrote:
 Can freeRADIUS provide everything that TACACS+ can so that I need only
 install/configure freeRADIUS.

  No, but patches are always welcome. :)

  It's probably not that much work to turn FreeRADIUS into a TACACS+
server, too.

  Alan DeKok.


Re: me for help

2008-01-14 Thread tnt
rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld

Instructions in the debug are quite clear.

Ivan Kalik
Kalik Informatika ISP



RE: seg fault

2008-01-14 Thread Joe Vieira

no - i'd read that as some other part of your 64bit x86 box is trashing
the memory.

hmm, the box itself is totally stable, nothing else has been an issue...

hyperthreading on?

no they are true dualcore Xeon's w/ no hyperthreading.

Joe



Re: seg fault

2008-01-14 Thread A . L . M . Buxey
Hi,

   If malloc() is core dumping, then something else is going wrong.  i.e.
 some other part of the server is over-writing memory.
 
 when you say the server i assume you mean freeradius not another app.??

no - i'd read that as some other part of your 64bit x86 box is trashing
the memory.

hyperthreading on?

alan


Attribute Called-Station-Id not working

2008-01-14 Thread PD
Hi there,

Currently we are running FR for our hotspot with multiple Chillispot NAS.

We also create demo accounts for each nas, means demo1 should only work
for nas1 and demo2 should only work for nas2.

For the above purpose, we put attribute Called-Station-Id for each demo
account within radcheck table.

The problem found, the account demo1 still be able to use at nas2 vice
versa.

Here is our radcheck table:
mysql> select * from radcheck where username='demo';
+----+----------+-------------------+----+-------------------+
| id | UserName | Attribute         | op | Value             |
+----+----------+-------------------+----+-------------------+
| 40 | demo     | Auth-Type         | := | Local             |
| 41 | demo     | Password          | == | password          |
| 42 | demo     | Called-Station-Id | := | 00-1A-70-XX-XX-XX |
+----+----------+-------------------+----+-------------------+
3 rows in set (0.00 sec)

We put NAS mac address for Called-Station-Id since radacct also record
the above mac address at column Called-Station-Id.

Perhaps, we miss something at somewhere...

Any suggestion are welcome.

Regards

Paul



Group Membership query??

2008-01-14 Thread Marc LEURENT

Good evening,
I'm sending a group membership query from openser to freeradius...
I would like to send a group membership query, but it's a group
authorize query that is received...

Any idea?
Thanks!!!

See output below:

Going to the next request
Sending Access-Reject of id 62 to 172.24.4.1 port 35340
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.24.4.1:35344, id=62, length=75
User-Name = [EMAIL PROTECTED]
Sip-Group = suspended
Service-Type = Voice
NAS-Port = 0
NAS-IP-Address = 172.24.4.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
radius_xlat:  '/var/log/freeradius/radacct/172.24.4.1/auth-detail-20080114'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.4.1/auth-detail-20080114
  modcall[authorize]: module auth_log returns ok for request 5
  modcall[authorize]: module chap returns noop for request 5
  modcall[authorize]: module mschap returns noop for request 5
  modcall[authorize]: module digest returns noop for request 5
rlm_realm: Looking up realm sip.bob.net for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm sip.bob.net
  modcall[authorize]: module suffix returns noop for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 5
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM radcheck   WHERE Username = '[EMAIL PROTECTED]'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM radreply   WHERE Username = '[EMAIL PROTECTED]'   ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok for request 5
rlm_python [freeradius-cdrtool]: entering the authorization phase ...
rlm_python [freeradius-cdrtool]: ignoring unsupported method.
  modcall[authorize]: module python returns ok for request 5
modcall: leaving group authorize (returns ok) for request 5
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client private port 0)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---

 sql: group_membership_query = SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'
 sql: authorize_check_query = SELECT id, UserName, Attribute, Value, op   FROM radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id
 sql: authorize_reply_query = SELECT id, UserName, Attribute, Value, op   FROM radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id
 sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
 sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

Re: LDAP Groups and EAP

2008-01-14 Thread Brian Wilson
I tried updating to version 2.0.  I like the debug interface much better, it 
makes it a lot easier to read.  Nice job!

Unfortunately, this upgrade introduced a new issue for me.  When doing group 
ldap searches, it looks like the Ldap-UserDN variable doesn't get populated.  
The server successfully binds and finds the user, but in the expand section:

rlm_ldap: ldap_release_conn: Release Id: 0
expand: 
(|(objectClass=GroupOfNames)(member=%{Ldap-UserDN}))(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDN})))-(|(objectClass=GroupOfNames)(member=))((objectClass=GrouOfUniqueNames)(uniquemember=)))

It then fails to find the ldap group, because of the member= and uniquemember= 
are blank.  A few lines below that, though, it comes up with the correct full 
DN search:

rlm_ldap: performing search in cn=somegroup,ou=something,ou=something with 
filter 
(|(objectClass=GroupOfNames)(member=))((objectClass=GrouOfUniqueNames)(uniquemember=)))
rlm_ldap: object not found or got ambigous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing serach in cn=xxx,ou=something,ou=something with filter 
(objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values failed

I tried using my old config from 1.1, as well as re-writing it, as well as 
using the new and old ldap.attrmap.  This is verified to work in version 1.1 
for me.

This is against eDirectory, configured with the --with-edir option




- Original Message 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, January 12, 2008 3:40:39 AM
Subject: Re: LDAP Groups and EAP

Brian Wilson wrote:
  I am running Freeradius 1.1.0

  Please upgrade to at least 1.1.7.  It solves a lot of security issues,
*and* helps with the problem you're seeing, too.

When I try to authenticate, the radius server receives about 7
 Access-requests.

  That's the way EAP works.

Notice that there is no additional call to ldap_group between the
 authorize and the resulting failure in the files module.

  The *inner* tunnel session doesn't match a huntgroup.

  Is there something i'm missing in the configuration file?

  I would suggest trying 2.0.  The new virtual server feature should
make this configuration much simpler.  The new unlang feature should
also simplify the writing of policies.

  Alan DeKok.

Mysql error

2008-01-14 Thread Pablo Lucchetti

Hi,

I'm working with Freeradius in production environment (start up), at this 
time is working with only two users, they can connect without problems 
and all seems to work fine but looking into radius.log i found these 
messages:


radius:/usr/local/var/log/radius# tail radius.log -f
Mon Jan 14 16:01:37 2008 : Error: rlm_sql (sql): Couldn't insert SQL accounting ALIVE record - Unknown column 'XAscendSessionSvrKey' in 'field list'
Mon Jan 14 16:01:37 2008 : Error: rlm_sql_mysql: Cannot store result
Mon Jan 14 16:01:37 2008 : Error: rlm_sql_mysql: MySQL error 'Unknown column 'XAscendSessionSvrKey' in 'field list''
Mon Jan 14 16:01:37 2008 : Error: rlm_sql_mysql: Cannot store result
Mon Jan 14 16:01:37 2008 : Error: rlm_sql_mysql: MySQL error 'Unknown column 'XAscendSessionSvrKey' in 'field list''
Mon Jan 14 16:01:38 2008 : Error: rlm_sql (sql): Couldn't insert SQL accounting ALIVE record - Unknown column 'XAscendSessionSvrKey' in 'field list'
Mon Jan 14 16:01:38 2008 : Error: rlm_sql_mysql: Cannot store result
Mon Jan 14 16:01:38 2008 : Error: rlm_sql_mysql: MySQL error 'Unknown column 'XAscendSessionSvrKey' in 'field list''
Mon Jan 14 16:01:38 2008 : Error: rlm_sql_mysql: Cannot store result
Mon Jan 14 16:01:38 2008 : Error: rlm_sql_mysql: MySQL error 'Unknown column 'XAscendSessionSvrKey' in 'field list''


Any help please?

Thanks in advance,
Pablo


Re: Mysql error

2008-01-14 Thread A . L . M . Buxey
Hi,
 Hi,

 I'm working with Freeradius in production environment (start up), at this 
 time is working with only two users, they can connect without problems and 
 all seems to work fine but looking into radius.log i found these messages:

you don't state what platform you are using or what version of freeradius

however, your mysql SHOULD have such a column in that table (it's in the
supplied schema) - the error you are getting is the accounting packets
which cannot be stored as you are asking for that column...check
the sql/mysql/dialup.conf

sql/mysql/schema.sql:  xascendsessionsvrkey varchar(10) default NULL,


the stuff is in the supplied schema!

sql/mysql/dialup.conf: acctstartdelay,   xascendsessionsvrkey) \
                                         ^
here is the call as part of an UPDATE

check case sensitivity

alan


Re: Mysql error

2008-01-14 Thread Pablo Lucchetti
I'm using freeradius 2.0.0 on Debian Etch, I think the problem is case 
sensitivity as you mentioned because in schema.sql is in lower case and 
in dialup.conf also.





Re: Verifying framed-ip-address using unlang

2008-01-14 Thread Pshem Kowalczyk
Thx for your input. I guess I'll have to experiment a bit :-)

kind regards
Pshem

On 14/01/2008, Arran Cudbard-Bell [EMAIL PROTECTED] wrote:
 Alan DeKok wrote:
  Pshem Kowalczyk wrote:
  Is it possible to use unlang to verify whether framed-ip-address is in
  the right range or not?
 
Yes and no.  The comparisons are not typed, so everything is a string.
 
  We would like to use it on our wholesale proxies. Wholesale customers
  of ours are allowed to allocate IPs to their customers, but only from
  certain ranges. Will a normal comparison (< >) work with IP addresses?
 
They will work, but they won't do IP-address comparison.
 
You can either do string comparisons, which will often do the right
  thing, OR regular expressions, which will do the right thing if you
  write them carefully.

 Sub Captures of regular expressions map onto variables %{1}-%{8}, so you
 can extract the individual octets of the IP address. So if you wanted to
 check multiple ranges, best thing is to extract the octets of the IP
 address and then do the comparison with normal < = > operators.
 
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
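
The point made in the quoted replies above (comparisons are untyped strings, so extract the octets with a regular expression and compare them as numbers) can be shown with a short Python model. This is an added example, not code from the thread and not unlang; the address range, sample addresses and function names are constructed for illustration.

```python
import re

# Constructed range for one wholesale customer: 10.20.16.0 - 10.20.31.255.
LOW, HIGH = "10.20.16.0", "10.20.31.255"

# Four dotted groups of ASCII digits; the captures play the role of %{1}..%{4}.
DOTTED_QUAD = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})")


def string_in_range(addr, low=LOW, high=HIGH):
    """Untyped check: the addresses are compared character by character."""
    return low <= addr <= high


def octets(addr):
    """Return the address as a tuple of four ints, or None if it is malformed."""
    match = DOTTED_QUAD.fullmatch(addr)
    if match is None:
        return None
    parts = tuple(int(group) for group in match.groups())
    return parts if all(part <= 255 for part in parts) else None


def octet_in_range(addr, low=LOW, high=HIGH):
    """Typed check: compare octet by octet as integers; malformed input fails."""
    value, lo, hi = octets(addr), octets(low), octets(high)
    if value is None or lo is None or hi is None:
        return False
    return lo <= value <= hi


def disagreements(addresses):
    """List (address, string_result, octet_result) where the two checks differ."""
    rows = []
    for addr in addresses:
        as_string, as_octets = string_in_range(addr), octet_in_range(addr)
        if as_string != as_octets:
            rows.append((addr, as_string, as_octets))
    return rows


# Constructed Framed-IP-Address values, including two malformed ones.
SAMPLES = [
    "10.20.17.5",    # inside the range, both checks agree
    "10.20.2.1",     # outside, but sorts between the bounds as a string
    "10.20.200.1",   # outside, same problem
    "10.20.31.9",    # inside, but "9" sorts after "255" as a string
    "10.20.16",      # malformed: only three octets
    "10.20.16.300",  # malformed: octet above 255
]

if __name__ == "__main__":
    for addr, as_string, as_octets in disagreements(SAMPLES):
        print(f"{addr:14} string={as_string!s:5} octets={as_octets}")
```

The string check both accepts addresses outside the range and rejects one inside it, which is why the octets have to be compared as numbers.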


Re: Mysql error

2008-01-14 Thread Marinko Tarlac
Add that column in your radacct table. I had the same problem and it is 
solved (upgrade to 1.1.7 from  1.1.4 )... Check mysql sample file in sql 
dir.  




Re: Mysql error

2008-01-14 Thread Pablo Lucchetti

in lower case really?

Marinko Tarlac wrote:
Add that column in your radacct table. I had the same problem and it is 
solved (upgrade to 1.1.7 from  1.1.4 )... Check mysql sample file in sql 
dir. 


Re: Mysql error

2008-01-14 Thread Marinko Tarlac

I didn't try lowercase but XAscendSessionSvrKey - varchar(10) works fine :)

Pablo Lucchetti wrote:

in lower case really?



authentication winxp over LAN throw switch cisco3560 not working

2008-01-14 Thread hamid benane
 
hello everybody, 
i tried many times to resolve this problem but i didn't find the solution.
my configuration is:
freeradius-1.1.1 on fedora6+ nas switch cisco3560+ and wind xp client.
On wireless, my configuration works, when i use NAS AP of cisco1200.
But when i use my configuration to authenticate xp on lan network only: it does 
not work. 
 
i saw on debug -X -A, that freeradius receives ACCES_REQUEST but when it sends 
ACCES_CHALLENGE it cannot.
on frame analysis on freeradius, i saw that it cannot send on the port that the 
switch tells it to send on.
 
i'm blocked on this step, and i cannot find the solution.
 
on my configuration, i use users:  users  password only
i haven't active directory. on my switch, i don't make vlan.
 
can some one help me.
 
thanks for all

Re: Attribute Called-Station-Id not working

2008-01-14 Thread PD
Dear Alan,

Thx for yr quick reply...

We are still using an old attributes with reasons... we need to deactivate
and activate user account without touch his/her password. We did it
within just play around at Auth-Type value = Local/Reject

Thx for your advice for my case regarding the above subject, I will try
it at my office this morning; of course with still using an old
attributes.

Regards

Paul
On 1/14/2008, Alan DeKok [EMAIL PROTECTED] wrote:

PD wrote:
 For the above purpose, we put attribute Called-Station-Id for each demo
 account within radcheck table.

 The problem found, the account demo1 still be able to use at nas2 vice
 versa.

  Please read doc/rlm_sql.

 Here is our radcheck table:
 mysql select * from radcheck where username='demo';
 ++---+---++---+
 | id | UserName  | Attribute | op | Value |
 ++---+---++---+
 | 40 | demo  | Auth-Type | := | Local |

  Don't use Auth-Type.  i.e. DELETE that row.

 | 41 | demo  | Password  | == | password  |

  Change these fields to Cleartext-Password := password

 | 42 | demo  | Called-Station-Id | := | 00-1A-70-XX-XX-XX |

  Read doc/rlm_sql.  This operator *sets* the value.  It doesn't
*compare* the value.  You want ==

 Perhaps, we miss something at somewhere...

  The operators are documented in doc/rlm_sql.

  Alan DeKok.


Re: Attribute Called-Station-Id not working (SOLVED)

2008-01-14 Thread PD
Dear All,

Just as an acknowledgement that Alan's suggestion is working fine.
we just changed the OP from := to ==

For the old attributes.. we still used them but we also changes the OP.
An Auth-Type using == and Password using :=

The other attributes we uses...
Expiration with OP ==
Login Time with OP ==
Max-All-Session with OP :=

Please let me know if we use an incorrect OP.

Also... since Alan advice us not to use the old attributes, is there any
other replacement attribute for our needs ?

Paul

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
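
The operator difference discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a simplified Python model of how check items with `:=` and `==` are evaluated, run against a constructed radcheck table. The MAC addresses, the helper names and the restriction to these two operators are assumptions; password verification is not modelled.

```python
import sqlite3

NAS1 = "00-1A-70-00-00-01"   # constructed placeholder for nas1
NAS2 = "00-1A-70-00-00-02"   # constructed placeholder for nas2

def check_items_match(rows, request):
    """Simplified model of check-item matching (assumption, not server code).

    ':=' always matches and sets the attribute in the configuration items.
    '==' matches only if the request carries that attribute with that value.
    Other operators are out of scope for this sketch.
    """
    control = {}
    for attribute, op, value in rows:
        if op == ":=":
            control[attribute] = value          # set, never compared
        elif op == "==":
            if request.get(attribute) != value:
                return False, control           # comparison failed
        else:
            raise ValueError(f"operator {op!r} not modelled")
    return True, control

def load_radcheck(station_op):
    """Constructed radcheck rows for demo1; station_op is the operator under test."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,"
               " Attribute TEXT, op TEXT, Value TEXT)")
    db.executemany(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?,?,?,?)",
        [("demo1", "Cleartext-Password", ":=", "password"),
         ("demo1", "Called-Station-Id", station_op, NAS1)])
    return db.execute("SELECT Attribute, op, Value FROM radcheck"
                      " WHERE UserName = ? ORDER BY id", ("demo1",)).fetchall()

def allowed(station_op, called_station_id):
    """True if demo1's check items match a request arriving via this NAS."""
    request = {"User-Name": "demo1", "Called-Station-Id": called_station_id}
    matched, _control = check_items_match(load_radcheck(station_op), request)
    return matched

if __name__ == "__main__":
    for op in (":=", "=="):
        for nas in (NAS1, NAS2):
            result = "match" if allowed(op, nas) else "no match"
            print(f"Called-Station-Id {op} NAS1, request via {nas}: {result}")
```

With `:=` the row never restricts anything, which is why demo1 could still log in through nas2; only `==` ties the account to one Called-Station-Id.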


Re: radgroupreply do not read (read_grous directive)

2008-01-14 Thread tnt
Did you put something in usergroup table to link users and groups?

Ivan Kalik
Kalik Informatika ISP


On 14/1/2008, Arlinelson Fernandes dos Santos [EMAIL PROTECTED]
wrote:

Hi, I am using freeradius 2.0 and need to load the radcheck, radreply,
radgroupcheck and radgroupreply tables. But radcheck and radreply work. To load
radgroupcheck I need to set Fall-Through = Yes, but radgroupreply doesn't work.
The read_groups directive is 'Yes' but does not appear in the radius debug mode.
How can I make freeradius load radgroupreply? I have the Simultaneous-Use
attribute in this table, and I need to use this attribute for all users.
Someone please?






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Python and return attributes in `postproxy`

2008-01-14 Thread Mike O'Connor

Alan DeKok wrote:

Mike O'Connor wrote:
  

It would seem as if the rlm_python does not provide the returned
attributes from the proxy, this happens in both a patched version of
1.1.7 and 2.0.0.



  Yes.  It appears to convert only the request attributes to a python tuple.

  Fixing it shouldn't be hard.  As always, patches are welcome.

  Alan DeKok.
  

Hi Alan

Is there an example of how this is done in another rlm_ module which
works in a similar way to the rlm_python code?



Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radgroupreply do not read (read_grous directive)

2008-01-14 Thread Arlinelson Fernandes dos Santos
Yes! I did. And I put attributes into all tables, check and reply.

 Did you put something in usergroup table to link users and groups?

 Ivan Kalik
 Kalik Informatika ISP

 On 14/1/2008, Arlinelson Fernandes dos Santos wrote:

 Hi, I am using freeradius 2.0 and need to load the radcheck, radreply,
 radgroupcheck and radgroupreply tables. But radcheck and radreply work. To load
 radgroupcheck I need to set Fall-Through = Yes, but radgroupreply doesn't work.
 The read_groups directive is 'Yes' but does not appear in the radius debug mode.
 How can I make freeradius load radgroupreply? I have the Simultaneous-Use
 attribute in this table, and I need to use this attribute for all users.
 Someone please?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html