Re: Problems using EAP-TLS with freeradius version 2
@Arran Cudbard-Bell

/ is the prefix and suffix to the regular expression string. Any characters after the / suffix are used as modifiers. FreeRADIUS only supports the i modifier to make matches case insensitive. resolves to a literal back-slash. Regular expressions use the \ char as an escape char so it needs to be escaped with itself. FR also uses \ as an escape char so it has to be escaped with itself too. Hence the \ - \\ - \

This regular expression was written to stop *stupid* *stupid* *stupid* students from breaking authentication by entering something in the domain field. They kept entering sussex.ac.uk and [EMAIL PROTECTED] in the User Box in the windows supplicant, which resulted in. ...

The regexp parses these as:
%{1} = user %{2} = domain
or
%{1} = user %{2} =

Thanks again for the detailed comment, it saved me a lot of time and I will try to get more familiar with that kind of regular expression. I will take your first solution; the domain was only excluded to see that the test certificates work, which could be generated with the Makefile provided in the FreeRADIUS source.

Now that the test certificates are working (on Win XP AND Windows Mobile) I will have to investigate my old certificates again, because mine are only working with the Windows XP supplicant and wpa_supplicant on Linux. The Windows Mobile supplicant cannot use them correctly although the certificates are the same ones. Very strange!

Yesterday evening I found the solution why my certificates don't work with the Windows Mobile supplicant although the Windows XP supplicant does: I'm using TinyCA to create and manage my certificates. By default the certificates are generated with a key length of 4096 using RSA encryption and SHA-1 as signature algorithm. When I took a look into the Makefile which generates the test certificates in the freeradius source, a key length of only 2048 is used and MD5 as signature algorithm, so the devil must be in there somewhere.

And indeed, it doesn't matter which algorithm you are using for signing (MD5 or SHA-1), but the key length seems to be very important for Windows Mobile devices. All certificates I generated with a key length of 2048 are working fine; all certificates with a key length of 4096 don't work on the mobile device (although they work fine on a Windows XP system).

In short: the built-in supplicant of the Windows Mobile devices (I tested one with Windows Mobile 2003SE and one with Windows Mobile 6 Professional) doesn't like certificates with a key length of 4096!!!

Thanks again for all the help I got here on the mailing list; in the next days/weeks I'm going to write some HOWTO for mobile devices in order to give something back to you :-)

@Alan DeKok

Wouldn't it be better to change the signing process in the provided Makefile so that a client certificate is signed by the CA certificate instead of by the server certificate? When using TinyCA every certificate is signed by the CA certificate, too. I know both will work if you specify the correct ca-cert in eap.conf, but changing that point would make the process (in my opinion) more consistent: you have to install the CA certificate and the client certificate on the client computer, so why should the client cert be signed by the server cert? When I looked around the web previously to find some good HOWTOs about setting up FreeRADIUS using EAP-TLS I always found it that way, that the CA cert signs all other certs, and by the way, the HOWTO in the freeradius Wiki (EAPTLS.pdf) explains it that way, too ;-)

Best regards
Stefan Puch

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
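The realm-splitting regex discussed above, as an added example that is not part of the original post or of the FreeRADIUS source: the thread only describes what the expression captures (%{1} the user, %{2} the domain), so the pattern below is my own reconstruction, and the sample names are constructed. It handles the three shapes the post mentions (a bare user, user@domain, and DOMAIN\user) and rejects a name that carries both a prefix and a suffix realm, which is the case a supplicant's "domain" box tends to produce.

```python
import re

# Added example (mine, not from the FreeRADIUS source or from the post above).
# Escaping note: a literal backslash is '\\' for the regex engine. Python raw
# strings pass that through untouched; in a FreeRADIUS config file the same
# backslash must be escaped once more for the config parser, so the regex's
# '\\' is written '\\\\' in radiusd.conf or the users file.
USER_NAME_RE = re.compile(
    r'^(?:(?P<prefix>[^\\@]+)\\)?'   # optional 'DOMAIN\' in front
    r'(?P<user>[^\\@]+)'             # the bare user name
    r'(?:@(?P<suffix>[^\\@]+))?$',   # optional '@domain' behind
    re.IGNORECASE,                   # the only modifier FreeRADIUS accepts is /i
)


def split_user_name(user_name):
    """Return (user, domain); domain is '' when none was given.

    Raises ValueError for names the pattern does not accept, e.g. a name that
    carries both a 'DOMAIN\\' prefix and an '@domain' suffix, or an empty user.
    """
    m = USER_NAME_RE.match(user_name)
    if m is None:
        raise ValueError('unparseable User-Name: %r' % user_name)
    prefix, suffix = m.group('prefix'), m.group('suffix')
    if prefix and suffix:
        raise ValueError('both prefix and suffix realm in %r' % user_name)
    return m.group('user'), (prefix or suffix or '')


def strip_realm(user_name):
    """What %{1} is used for: the identity to look up, with the realm removed."""
    return split_user_name(user_name)[0]


if __name__ == '__main__':
    # Constructed samples matching the cases described in the post.
    for name in ('user', 'user@sussex.ac.uk', 'sussex.ac.uk\\user', 'sussex.ac.uk'):
        print('%-22s -> user=%r domain=%r' % ((name,) + split_user_name(name)))
```

Note the last sample: a student who types only the realm into the user box still parses, as a user called sussex.ac.uk with no domain, so the lookup that follows has to be the thing that fails closed.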
EAP session matching the State variable.
With 2.0.0 sometimes I get this error message, that I have not seen before:

rlm_eap: No EAP session matching the State variable.
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
++[eap] returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT

This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configuration changes. If necessary, I can provide the long log.

Norbert Wegener
RE: Problem when removing Auth-Type := Ldap in users file
I have not found my way out yet. How does the ldap module in the authorize section set the Auth-Type attribute to ldap?

Read the comments in the ldap section. You *will* find answers in there. There is a setting that controls whether Auth-Type ldap will be set if the password is found in the directory. Read the section and you will find it. I am not going to post that information here as well.

Ivan Kalik
Kalik Informatika ISP
Re: Problems using EAP-TLS with freeradius version 2
You have to install the ca certificate and the client certificate on the client-computer, why should the client cert be signed by the server cert?

Because the idea is to authenticate those users to *that* server, not to *every* server that got its certificate from that CA. With your approach the user would be admitted to some other network if its server was issued a certificate by the same CA. If you are using commercial certificates there might be thousands of servers with certificates issued by the same CA. And the user will be able to get onto all of them (if they use EAP-TLS).

Ivan Kalik
Kalik Informatika ISP
RE: Newslists
Alan,

Thanks once again for your realistic comments (sarcastic none the less). I will find alternative support as this user list is totally none the less..

Regards
Keith Dovale

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 11:52 AM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:

No not at all, and I don’t expect it.

It sounds like you did... hence the complaint about no answer.

But at least someone like yourself, who seems to be the guru on freeradius, could at least reply

So you did expect a reply...

with a constructive answer rather than replying with sarcastic comments.

Reality isn't sarcasm.

My question is where did I announce I don’t read the documentation? That is the first thing I went to. I have gone through the READMEs, FAQs etc and have followed their directions regarding this; it’s the debug that is giving the error. And responding with weird checks, that is exactly why I posted here, as there are no google results / FAQs, etc that answer my question.

You posted an edited piece of the debug log. If you knew how to configure it and read the debug log, it would be appropriate to edit the debug log. Since you don't know how to configure it, your edits very likely removed all information that could be used to help you. Hence the comments about reality.

If you want people to help you, make it easy for them to help you. Making it hard to help you, and then complaining about the lack of free support is ... unproductive.

Alan DeKok.
Re: radsqlrelay - and default config
Hi,

Or, delete the sql_log queries, and use the ones from rlm_sql that are known to work.

Yes. I was thinking about why we have the stuff defined twice.

alan
PEAP MSCHAP Problem
Hello,

we have a strange problem with the PEAP MSCHAP authentication through WLAN. We use freeradius 1.1.7 on debian etch.

1. If we auth an ActiveDirectory user with automatic sending of username and password to our wlan, everything is OK. No LAN cable is connected. In my case the username is DOMAIN\\GroozMarc.
2. If we auth the same user with a LAN cable connected, the auth fails. In this case the username is DOMAIN\\groozmarc.
3. If we auth the user without automatic sending of username and password, enter DOMAIN\\groozmarc and have the LAN connected, everything is fine.

Here is an output from case 2:

rad_recv: Access-Request packet from host x , id=11, length=303
User-Name = DOMAIN\\groozmarc
Calling-Station-Id = x
Called-Station-Id = x
NAS-Port = 2
NAS-IP-Address = x
NAS-Identifier = x
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 27
EAP-Message = 0x020a006a1900170301005fca5e86c4de36db061ffe1fc7f358599fa78cd53e221d289973525b8ed1328424653bad8e457757c9ae67d167a60b60585b1c37d22ed1377e9ed39b37901e7cf213d6a306ef154326ca0f6c2aad68111681c244b1523668e9effcfd97e1a216
State = 0xc1c18b62ee37419ada28a725693523d4
Message-Authenticator = 0x8dd2ca9d8fc2a09f7dcaef11b100f2c6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
modcall[authorize]: module preprocess returns ok for request 39
modcall[authorize]: module chap returns noop for request 39
modcall[authorize]: module mschap returns noop for request 39
rlm_realm: No '@' in User-Name = DOMAIN\groozmarc, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 39
rlm_eap: EAP packet type response id 10 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 39
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module files returns ok for request 39
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 39
modcall: leaving group authorize (returns updated) for request 39
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 39
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020a00531a020a004e310d11f40d775fc5fcb45ad88a7c443583b828c2bcb15e3c9ddaba50c2e6933328d1849c510dc9251000524547494f49542d41414348454e5c47726f6f7a4d617263
PEAP: Setting User-Name to DOMAIN\groozmarc
PEAP: Adding old state with 6a 6f
PEAP: Sending tunneled request
EAP-Message = 0x020a00531a020a004e310d11f40d775fc5fcb45ad88a7c443583b828c2bcb15e3c9ddaba50c2e6933328d1849c510dc9251000524547494f49542d41414348454e5c47726f6f7a4d617263
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = DOMAIN\\groozmarc
State = 0x6a6f2590246560c8fdcd054d188cbb3f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
modcall[authorize]: module preprocess returns ok for request 39
modcall[authorize]: module chap returns noop for request 39
modcall[authorize]: module mschap returns noop for request 39
rlm_realm: No '@' in User-Name = DOMAIN\groozmarc, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 39
rlm_eap: EAP packet type response id 10 length 83
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 39
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 39
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 39
modcall: leaving group authorize (returns updated) for request 39
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 39
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the
Re: no start of radiusd after reboot : mysql connection error
I'm sorry to bother you with debug log files, but I really don't see what to do... Before the log, I summarize my problem:

After reboot, freeradius doesn't start, and says this is because it couldn't reach the mysql database. But it doesn't even try to contact it (network-wise: tcpdump sees nothing).

Just after reboot, if root runs /etc/init.d/radiusd start, freeradius starts OK, and contacts the database correctly.

If I add a ping database.domain.com in /etc/init.d/radiusd just before starting radiusd, it works, even at boot time!! (But it's really a dirty and ugly solution, so I can't bring myself to accept such a fix!!!)

I've tried waiting 5 minutes to see if there is some retry time, but nothing happens, since radiusd is just not running.

So here is my debug file (only the mysql part). If someone can help me, it would be nice (or I'll have to go back to my dirty-ugly fix. I don't want to!)

Module: Loaded SQL
sql: driver = rlm_sql_mysql
sql: server = 192.168.1.1
sql: port =
sql: login = radius
sql: password = radius
sql: radius_db = radius
sql: nas_table = nas
sql: sqltrace = yes    -- I don't see anything
sql: sqltracefile = /var/log/radius/sqltrace.sql
sql: readclients = yes
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = %{User-Name}
sql: default_user_profile =
sql: query_on_not_found = no
sql: authorize_check_query = SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
sql: authorize_reply_query = SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
sql: authorize_group_check_query = SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
sql: authorize_group_reply_query = SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
sql: accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
sql: accounting_update_query = UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'
sql: accounting_update_query_alt = INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')
sql: accounting_start_query = INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')
sql: accounting_start_query_alt = UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'
sql: accounting_stop_query = UPDATE radacct SET AcctStopTime =
How to change the key on ippool
Hi!

I have a problem with my dialup users with a dynamic pool of IP addresses. My RAS provider doesn't send me the right Port-id nor Cisco-NAS-Port (it always sends me a 0 value for all users). I use the ippool module to assign dynamic IP addresses. So I have to change the key in my pool configuration. By default it is:

key = %{NAS-IP-Address} %{NAS-Port}

I have changed it to that:

key = %{NAS-IP-Address} %{Acct-Session-Id}

Question: Is it the right choice? Or should I use key = %{NAS-IP-Address} %{Acct-Unique-Session-Id}? Do I have to change something else?

After that (I am not sure if this is working well), rlm_ippool_tool doesn't show me how the pool is (how many IP addresses are assigned). Could I do something about it to show me the IP addresses assigned?

Thanks.
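What the pool key actually does, as an added example that is not rlm_ippool's code: a small in-memory pool that hands out one address per distinct key, exactly as the key setting above implies. The NAS address, the range, the user names and the session IDs are constructed. It shows why a NAS that sends NAS-Port = 0 for everyone makes every user share one lease under the default key, and also the caveat the question glosses over: the key attributes have to be present in the packet, because an attribute that is absent expands to nothing and collapses the key just as badly.

```python
import ipaddress

# Added example, not rlm_ippool's code: a pool keyed the way
# 'key = %{NAS-IP-Address} %{NAS-Port}' keys its entries.


class IpPool(object):
    def __init__(self, first, last, key_attrs):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.key_attrs = key_attrs   # attributes that form the lease key
        self.leases = {}             # key -> address

    def key_for(self, req):
        # An attribute missing from the packet expands to '' exactly like an
        # unset %{...} does, which silently collapses the key.
        return ' '.join(str(req.get(a, '')) for a in self.key_attrs)

    def allocate(self, req):
        key = self.key_for(req)
        if key in self.leases:        # same key: treated as the same session
            return self.leases[key]
        if not self.free:
            return None               # pool exhausted
        addr = self.free.pop(0)
        self.leases[key] = addr
        return addr

    def release(self, req):
        # Accounting-Stop must carry the same key attributes with the same
        # values, or the lease is never freed.
        addr = self.leases.pop(self.key_for(req), None)
        if addr is not None:
            self.free.append(addr)
        return addr


def allocate_two_users(key_attrs, with_session_id=True):
    """Allocate for two different users on a RAS that sends NAS-Port = 0 for
    everyone; returns the pair of addresses handed out."""
    pool = IpPool('10.0.0.1', '10.0.0.4', key_attrs)
    # Constructed requests.
    alice = {'User-Name': 'alice', 'NAS-IP-Address': '192.0.2.1', 'NAS-Port': 0}
    bob = {'User-Name': 'bob', 'NAS-IP-Address': '192.0.2.1', 'NAS-Port': 0}
    if with_session_id:               # only if the NAS puts it in Access-Request
        alice['Acct-Session-Id'] = 'A0000001'
        bob['Acct-Session-Id'] = 'A0000002'
    return pool.allocate(alice), pool.allocate(bob)


if __name__ == '__main__':
    print('NAS-Port key:         ', allocate_two_users(['NAS-IP-Address', 'NAS-Port']))
    print('Acct-Session-Id key:  ', allocate_two_users(['NAS-IP-Address', 'Acct-Session-Id']))
    print('...attr not in packet:', allocate_two_users(['NAS-IP-Address', 'Acct-Session-Id'], False))
```

Before switching the key, confirm with the debug output that the Access-Request from this RAS really carries Acct-Session-Id (it is mandatory in accounting packets, optional in Access-Request), and that the Accounting-Stop carries the same value, since allocation happens on the Access-Request and release on the stop. Acct-Unique-Session-Id does not escape this: rlm_acct_unique derives it from a configured set of attributes that includes Acct-Session-Id, NAS-IP-Address and NAS-Port, so it inherits whatever is missing or constant in those.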
Re: Reject user from SQL-DB
JB wrote:

Return: attr = 'Auth-Type' op = ':=' value = 'Reject'

Of course! How embarrassing. ;-) I actually tried that before but during the reply-items-query which has no effect. Returning Auth-Type := Reject from the check-items-query does the trick. Makes sense, doesn't it?

Ok, now I'm returning Auth-Type := Reject from my check-items-query and I hoped to be able to send a little more in-depth information along the way in the Reply-Message attribute, but unfortunately this info gets lost. It seems that I have to fill this attribute in the reply-items-query. Does this mean the reply-items-query has to trigger the same functions as the check-items-query again to find out what the reason for the reject was? Or do I have to fill a temporary table with the reply message in the check-items-query which then gets returned in the reply-items-query?

Hmm. I guess you're doing something like:

authorize_check_query = select myproc('%{SQL-User-Name}','...etc...')

...and are trying to avoid re-calling the same (or another) function in the reply query.

What you could do is place a local attribute in the check items, then copy it to the reply items in an unlang section: i.e. return 2 rows from the stored proc:

attr      | op | value
----------+----+--------------
My-Reply  | := | some message
Auth-Type | := | Reject

in /etc/raddb/dictionary:

ATTRIBUTE My-Reply 3000 string

and have:

authorize {
    sql
}

post-auth {
    Post-Auth-Type Reject {
        if (control:My-Reply) {
            update reply {
                Reply-Message = "%{control:My-Reply}"
            }
        }
    }
}

...be aware however that almost *nothing* pays any attention to Reply-Message :o(
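The check-item versus reply-item distinction that the answer above turns on, as an added example that is neither rlm_sql nor the server's own code: a simplified model in which check rows are evaluated against the request and ':=' check rows land in the control list, reply rows land in the reply list, and a Post-Auth-Type Reject step copies the local attribute across. The operator handling is deliberately reduced to the few operators used here, and the user name and row sets are constructed. It reproduces all three situations in the thread: Auth-Type in the reply query doing nothing, Reply-Message returned as a check item being lost, and the copy in post-auth recovering it.

```python
# Added example, not rlm_sql or the server itself: a simplified model of how
# check items and reply items returned by SQL end up in the control and reply
# lists. Rows are (attribute, op, value) tuples like the radcheck/radreply
# columns; lists are dicts of attribute -> list of values.


def apply_check_items(request, rows):
    """Return (matched, control). '==' rows must all match the request for the
    entry to apply; ':=' rows go into the control list and always match."""
    control = {}
    for attr, op, value in rows:
        if op == '==':
            if str(request.get(attr, '')) != value:
                return False, {}
        elif op == ':=':
            control[attr] = value
        else:
            raise ValueError('unsupported check operator %r' % op)
    return True, control


def apply_reply_items(rows, reply=None):
    """Return the reply list with the rows merged in."""
    reply = {} if reply is None else reply
    for attr, op, value in rows:
        if op == '=':                 # add only if not already present
            reply.setdefault(attr, [value])
        elif op == ':=':              # set, replacing anything there
            reply[attr] = [value]
        elif op == '+=':              # append another value
            reply.setdefault(attr, []).append(value)
        else:
            raise ValueError('unsupported reply operator %r' % op)
    return reply


def run_request(request, check_rows, reply_rows, copy_my_reply=True):
    """authorize -> authenticate -> post-auth for one request.
    Returns (packet type, reply list)."""
    matched, control = apply_check_items(request, check_rows)
    if not matched:
        # No usable entry. This model rejects; the real server would still
        # consult its other modules before deciding.
        return 'Access-Reject', {}

    # Only the control list drives authentication. An Auth-Type row returned
    # by the *reply* query is just another reply attribute and decides nothing.
    if control.get('Auth-Type') == 'Reject':
        reply = {}                    # nothing from the reply query survives a reject here
        if copy_my_reply and 'My-Reply' in control:
            # the Post-Auth-Type Reject block from the answer above
            reply['Reply-Message'] = [control['My-Reply']]
        return 'Access-Reject', reply

    return 'Access-Accept', apply_reply_items(reply_rows)


if __name__ == '__main__':
    req = {'User-Name': 'jb'}         # constructed request
    rows = [('My-Reply', ':=', 'account expired'), ('Auth-Type', ':=', 'Reject')]
    print(run_request(req, rows, [], copy_my_reply=False))   # message lost
    print(run_request(req, rows, []))                        # message copied
    print(run_request(req, [], [('Auth-Type', ':=', 'Reject')]))   # no effect
```

A Reply-Message returned directly as a check item goes the same way as My-Reply: into the control list, where it never reaches the wire unless something copies it.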
Re: radsqlrelay - and default config
[EMAIL PROTECTED] wrote:

now - whilst radsqlrelay is recommended for those whose accounting DB systems cannot keep up with the real flow of packets - and we recommend it - it's not productive to have imho a broken default config. the issues which i can see from this are the following

(1) the queries are configured in two places.

This is bad. It's much better to update rlm_sql to have a query_filename configuration. If it exists, then queries are logged to the file, and the databases are *not* used. That's probably less than 100 lines of code.

so what I'd propose is we get a few folk who are successfully using this function, get their radiusd.conf entries, and have 2 sections for uncommenting - one for postgres and one for mysql.

Or, delete the sql_log queries, and use the ones from rlm_sql that are known to work.

Alan DeKok.
Re: EAP session matching the State variable.
Norbert Wegener wrote:

With 2.0.0 sometimes I get this error message, that I have not seen before:

Much of the EAP code was edited in 2.0. It was extensively tested, but apparently there are still issues. That's what happens when changing working code, I guess...

rlm_eap: No EAP session matching the State variable.

Is this happening inside of a PEAP tunnel?

rlm_eap: Either EAP-request timed out OR EAP-response to an unknown ...

This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configuration changes. If necessary, I can provide the long log.

That would help...

Alan DeKok.
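The two situations named in that error, as an added example that is not rlm_eap's code: a table of in-progress EAP conversations keyed by the State attribute the server mints for each EAP-Request. The timeout value, the fake clock and the identities are my own choices. The point it makes is the one the log message hedges on: once an unanswered request has expired, its entry is gone, so a late response and a response carrying a State this server never issued look identical to the server.

```python
import os
import time

# Added example, not rlm_eap's code: a State -> conversation table with expiry.


class EapSessionTable(object):
    def __init__(self, timeout=30.0, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock
        self.sessions = {}           # State bytes -> (identity, created at)

    def start_request(self, identity):
        """Server sends an EAP-Request: mint a fresh State and remember it."""
        state = os.urandom(16)       # unpredictable, so it cannot be guessed
        self.sessions[state] = (identity, self.clock())
        return state

    def expire(self):
        """Drop conversations whose EAP-Request went unanswered too long."""
        now = self.clock()
        dead = [s for s, (_, t) in self.sessions.items() if now - t > self.timeout]
        for s in dead:
            del self.sessions[s]
        return len(dead)

    def match_response(self, state):
        """EAP-Response arrives carrying State. Returns (status, identity)."""
        self.expire()
        if state not in self.sessions:
            # Indistinguishable cases: the EAP-Request timed out (entry removed
            # above) or the State was never issued here (another server, a
            # replayed or retransmitted packet, a misbehaving NAS).
            return 'no session matching State', None
        identity, _ = self.sessions.pop(state)   # one response per request
        return 'ok', identity


class FakeClock(object):
    """Lets the scenario move time forward without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def scenario():
    """Three responses: in time, after the timeout, and with an unknown State."""
    clock = FakeClock()
    table = EapSessionTable(timeout=30.0, clock=clock)

    s1 = table.start_request('alice')     # constructed identities
    clock.now += 5
    r1 = table.match_response(s1)

    s2 = table.start_request('bob')
    clock.now += 31                       # supplicant answered too late
    r2 = table.match_response(s2)

    r3 = table.match_response(os.urandom(16))   # a State nobody issued
    return r1, r2, r3


if __name__ == '__main__':
    for r in scenario():
        print(r)
```

When this shows up without load, the things to rule out are the ones that produce the second case: more than one RADIUS server behind the NAS with no guarantee that every packet of one EAP conversation reaches the same server (State is local to the server that minted it), and a NAS that retransmits an EAP-Response the server has already consumed.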
Re: Newslists
Keith Dovale - HostworX.co.za wrote:

No not at all, and I don’t expect it.

It sounds like you did... hence the complaint about no answer.

But at least someone like yourself, who seems to be the guru on freeradius, could at least reply

So you did expect a reply...

with a constructive answer rather than replying with sarcastic comments.

Reality isn't sarcasm.

My question is where did I announce I don’t read the documentation? That is the first thing I went to. I have gone through the READMEs, FAQs etc and have followed their directions regarding this; it’s the debug that is giving the error. And responding with weird checks, that is exactly why I posted here, as there are no google results / FAQs, etc that answer my question.

You posted an edited piece of the debug log. If you knew how to configure it and read the debug log, it would be appropriate to edit the debug log. Since you don't know how to configure it, your edits very likely removed all information that could be used to help you. Hence the comments about reality.

If you want people to help you, make it easy for them to help you. Making it hard to help you, and then complaining about the lack of free support is ... unproductive.

Alan DeKok.
RE: Newslists
No not at all, and I don’t expect it. But at least someone like yourself, who seems to be the guru on freeradius, could at least reply with a constructive answer rather than replying with sarcastic comments.

My question is where did I announce I don’t read the documentation? That is the first thing I went to. I have gone through the READMEs, FAQs etc and have followed their directions regarding this; it’s the debug that is giving the error. And responding with weird checks, that is exactly why I posted here, as there are no google results / FAQs, etc that answer my question.

Regards
Keith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 9:44 AM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:

My honest opinion of this news list / user group is that it is not helpful at all. It seems if you are not in the clique, no one helps. Does anyone moderate this or not? I have posted twice now and no one replies…

Is there a contractual obligation requiring people to support you?

In any case, you haven't followed the instructions in the FAQ, README, INSTALL, etc. You've already announced that you don't read the documentation people write, so why would anyone write more on this list?

Regards
Keith

*From:* Keith Dovale - HostworX.co.za [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, February 07, 2008 9:08 PM
*To:* '
*Subject:* attr rewrite issue

Hi Guys, some help please.

I am trying to do an attr rewrite to change an attribute value, then do a check based on the attribute that is changed; if the check fails, do another attrib rewrite to the next value and do another check, until either the check fails or passes.

There are basically only 4 checks in the group statement in the authorise section, which do:

Attrib rewrite
Do check (If it fails do)
Attrib rewrite
Do check (If it fails do)
Attrib check
Do rewrite (If it fails do)
Attrib check
Do rewrite
Reject
Pass

When it runs it checks the reply packet for an attribute Configuration-Token which is defined in the radgroupreply for the users, but it seems it cannot find it and gives an error, as below:

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user keith, check_item=0, counter=0
modcall[authorize]: module MonthlyUnShaped returns reject for request 2
radius_xlat: 'UNSHAPED_NORMAL'
rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
radius_xlat: 'UNSHAPED_NORMAL'
radius_xlat: 'SHAPED_NORMAL'
rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token
modcall[authorize]: module AttrRewrite_MonthlyBlendedShaped returns ok for request 2

can anyone help
Re: Problems using EAP-TLS with freeradius version 2
You have to install the ca certificate and the client certificate on the client-computer, why should the client cert be signed by the server cert?

Because the idea is to authenticate those users to *that* server, not to *every* server that got its certificate from that CA. With your approach the user would be admitted to some other network if its server was issued a certificate by the same CA. If you are using commercial certificates there might be thousands of servers with certificates issued by the same CA. And the user will be able to get onto all of them (if they use EAP-TLS).

Thanks for the clarification, this is a good argument! In my case there is (and will be) only one server which uses the CA, so it makes no difference, but in many other cases you are right, signing with the CA is not what you really want.

Thanks again and best wishes
Stefan Puch
Re: no start of radiusd after reboot : mysql connection error
Jeffrey Hutzelman wrote:

Wed Feb 6 16:17:49 2008 : Error: rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on '192.168.1.1' (113)'

Errno 113 is EHOSTUNREACH. Either there is no route to the MySQL server, or it is locally connected and not answering ARPs, or something is filtering the traffic. Check your routing table and the filters on both machines and any network devices you might have between them.

-- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED]
Carnegie Mellon University - Pittsburgh, PA

The thing is that just after boot, when launched as root with /etc/init.d/radiusd start, it works!

But I tested something interesting: I added a ping test in the /etc/init.d/radiusd script:

case $1 in
  start)
    echo "test : ping BDD to see if connection is available"
    ping -c 2 bdd.domain.com
    echo "test result : $?"
    echo -n $"Starting RADIUS server: "
    daemon $RADIUSD -y
    ...

And it worked! (So the network is OK, since the DNS resolution works...) But without a ping, nothing comes in tcpdump on the BDD server. So it's like I had to wake up the network functions for freeradius before it was able to talk to the database host.

I should add that a lot of other network services are launched - and work fine - on the freeradius host before freeradius (dhcp, sendmail, etc).

So any new idea?

Thank you very much for your precious help!

Laetitia
Re: Unlang in auth-type sections
Arran Cudbard-Bell wrote:

But it appears the eap module releases the tunneled reply into the current reply list, then everything skips to post-auth.

Hmm... yes. The intent of the authenticate section was to run *one* module, not to do more than that. The comments in raddb/sites-enabled/default explain that unlang rules *should* be run in the post-auth section, not the authenticate section.

#
# Allow EAP authentication.
Auth-Type EAP {
    eap
}

I suppose that the rule of "call one thing in the authenticate section" could be extended to allow unlang inside of an Auth-Type section.

Is this intentional?

Yes.

Alan DeKok.
RE: Newslists
Constructive answer like always is to analyze what you want to achieve with freeradius. Rethink the configuration, read the documentation for you setup needs and ask straight-forward question. You cannot just post the debug output and hope that someone can understand what you actually need. Try to elaborate your setup, the steps you have already done and of course the debugging output. Alan will probably give you simple answer like yes/no and point to the right direction. But again - you cannot expect someone to do the installation and setup for you ! People are usually paid for that ! Although Alan might be sarcastic, he has never let anyone down who was willing to learn and accept the mistakes ( including myself ). Regards, E:S -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Dovale - HostworX.co.za Sent: Freitag, 08. Februar 2008 10:46 To: 'FreeRadius users mailing list' Subject: RE: Newslists No not at all, and I don’t expect it. But at least someone like yourself, who seems to be the guru on freeradius, could at least reply with a constructive answer rather than replying with sarcastic comments. My question is where did I announce I don’t read the documentation that is the first thing I went to. I have gone through the read me's, faq's etc and have followed their directions regarding this, it’s the debug that is giving the error. And responding with weird checks, that is exactly why I posted here as there is no google results / faqs, etc that answer my question. Regards Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Friday, February 08, 2008 9:44 AM To: FreeRadius users mailing list Subject: Re: Newslists Keith Dovale - HostworX.co.za wrote: My Honest opinion of this news list / user group is that it is not helpful at all, it seems if you are not in the click, no one helps, does anyone moderate this or not ? 
I have posted twice now and no one replies… Is there a contractual obligation requiring people to support you? In any case, you haven't followed the instructions in the FAQ, README, INSTALL, etc. You've already announced that you don't read the documentation people write, so why would anyone write more on this list? Regards Keith *From:* Keith Dovale - HostworX.co.za [mailto:[EMAIL PROTECTED] *Sent:* Thursday, February 07, 2008 9:08 PM *To:* ' *Subject:* attr rewrite issue Hi Guys, some help please . I am trying to do a attr rewrite to change an Attribute value then do a check based on the attribute that is changed, if the check fails do another attrib rewrite to the next value and do another check, until either the check fails or passes. There is basically only 4 checks in the group statement in the authorise section which do Attrib rewrite Do check (If it fails do) Attrib rewrite Do check (If it fails do) Attrib check Do rewrite (If it fails do) Attrib check Do rewrite Reject Pass When it runs it checks the reply packet for an attribute Configuration-Token which is defined in the radgroupreply for the users but it seems it cannot find it and gives an error. As below rlm_sqlcounter: (Check item - counter) is less than zero rlm_sqlcounter: Rejected user keith, check_item=0, counter=0 modcall[authorize]: module MonthlyUnShaped returns reject for request 2 radius_xlat: 'UNSHAPED_NORMAL' rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL' radius_xlat: 'UNSHAPED_NORMAL' radius_xlat: 'SHAPED_NORMAL' rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL' rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token modcall[authorize]: module AttrRewrite_MonthlyBlendedShaped returns ok for request 2 can anyone help - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? 
radsqlrelay - and default config
hi, I've been looking at the current state of the default (commented out, ready for use) radsqlrelay commands in radiusd.conf. For a quick reminder, they look like this:

# sql_log {
#     path = ${radacctdir}/sql-relay
#     acct_table = radacct
#     postauth_table = radpostauth
#     sql_user_name = %{%{User-Name}:-DEFAULT}
#
#     Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#         AcctSessionTime, AcctTerminateCause) VALUES \
#         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#         '%{Framed-IP-Address}', '%S', '0', '0', '');
#     Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#         AcctSessionTime, AcctTerminateCause) VALUES \
#         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#         '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
#         '%{Acct-Terminate-Cause}');
#     Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#         AcctSessionTime, AcctTerminateCause) VALUES \
#         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#         '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}', '');
#
#     Post-Auth = INSERT INTO ${postauth_table} \
#         (username, pass, reply, authdate) VALUES \
#         ('%{User-Name}', '%{User-Password:-Chap-Password}', \
#         '%{reply:Packet-Type}', '%S');
# }

Now, whilst radsqlrelay is recommended for those whose accounting DB systems cannot keep up with the real flow of packets (and we recommend it), it's not productive, IMHO, to have a broken default config. The issues which I can see from this are the following:

1) With a default postgres install, those '0' dates are not going to work with the supplied schema for PGSQL; in fact it takes a bit of breaking postgres for such values to work. The simple change is to have a null entry.

2) Likewise for MySQL - '-00-00 00:00:00' is, IIRC, the correct way of doing it.

3) BOTH mysql and postgres (I haven't done any looking into oracle) will have issues with the radacct entries, for each of them has another index in the radacct table which cannot be null and must be unique:

mysql:    acctuniqueid varchar(32) NOT NULL default ''   KEY acctuniqueid (acctuniqueid)
postgres: AcctUniqueId VARCHAR(32) NOT NULL

Such a value is not being provided in the field, which means when the user finally runs radsqlrelay they will be faced with issues. As far as I can see, radpostauth will work fine.

So what I'd propose is we get a few folk who are successfully using this function, get their radiusd.conf entries, and have 2 sections for uncommenting: one for postgres and one for mysql.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
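Alan's third point (a NOT NULL, UNIQUE AcctUniqueId column that the shipped Start/Stop/Alive templates never fill) is easy to reproduce without a real MySQL or PostgreSQL server. The following is an added example, not FreeRADIUS code and not Alan's proposed fix: it builds the row the default Start template produces, a corrected row that supplies AcctUniqueId and uses NULL instead of '0' for the unknown stop time, and inserts both into an in-memory SQLite table carrying the same constraints. The schema is a constructed subset of radacct, the sample Accounting-Start attributes are constructed, and the way AcctUniqueId is derived (MD5 over the attributes rlm_acct_unique reports hashing elsewhere in this digest, first 8 bytes as hex) is an assumption about that module, not taken from its source.

```python
"""Added example: why the default sql_log Start row is rejected by a radacct
table whose AcctUniqueId column is NOT NULL / UNIQUE, and what a corrected
row looks like.  SQLite stands in for MySQL/PostgreSQL; it does not reject
'0' as a timestamp, so only the AcctUniqueId problem is visible here."""
import hashlib
import sqlite3

# Constructed subset of radacct: the columns the sql_log templates write,
# plus the AcctUniqueId column both shipped schemas require.
RADACCT_SCHEMA = """
CREATE TABLE radacct (
    RadAcctId          INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId      TEXT NOT NULL,
    AcctUniqueId       TEXT NOT NULL UNIQUE,
    UserName           TEXT,
    NASIPAddress       TEXT,
    FramedIPAddress    TEXT,
    AcctStartTime      TEXT,
    AcctStopTime       TEXT,
    AcctSessionTime    INTEGER,
    AcctTerminateCause TEXT
)
"""

# Attributes rlm_acct_unique prints in its "Hashing '...'" debug line, in
# that order.  The exact byte layout FreeRADIUS hashes is an assumption.
UNIQUE_KEY = ("NAS-Port", "Client-IP-Address", "NAS-IP-Address",
              "Acct-Session-Id", "User-Name")

# Constructed Accounting-Start, values modelled on the logs in this digest.
# "timestamp" plays the role of the %S expansion in the templates.
SAMPLE_ATTRS = {
    "NAS-Port": "1", "Client-IP-Address": "208.64.35.3",
    "NAS-IP-Address": "208.64.35.3", "Acct-Session-Id": "000E79BC",
    "User-Name": "keith", "Framed-IP-Address": "208.64.35.241",
    "timestamp": "2008-02-08 10:46:00",
}

def acct_unique_id(attrs):
    """Per-session id in the spirit of rlm_acct_unique: MD5 over the key
    attributes, first 8 bytes as 16 hex chars.  MD5 is acceptable here
    because this is an index key, not anything an attacker can forge to
    gain access."""
    key = ",".join(f"{name} = {attrs[name]}" for name in UNIQUE_KEY)
    return hashlib.md5(key.encode()).hexdigest()[:16]

def default_start_row(attrs):
    """Row the shipped Start template produces: no AcctUniqueId, and the
    literal '0' standing in for the not-yet-known stop time."""
    return {
        "AcctSessionId": attrs["Acct-Session-Id"],
        "UserName": attrs["User-Name"],
        "NASIPAddress": attrs["NAS-IP-Address"],
        "FramedIPAddress": attrs["Framed-IP-Address"],
        "AcctStartTime": attrs["timestamp"],
        "AcctStopTime": "0",
        "AcctSessionTime": 0,
        "AcctTerminateCause": "",
    }

def fixed_start_row(attrs):
    """Corrected Start row: AcctUniqueId supplied, unknown time as NULL."""
    row = default_start_row(attrs)
    row["AcctUniqueId"] = acct_unique_id(attrs)
    row["AcctStopTime"] = None
    return row

def insert_row(conn, row):
    """Insert one row.  Column names come from the dicts above, never from
    packet data; values are bound as parameters.  Returns None on success
    or the constraint error text."""
    cols = ", ".join(row)
    marks = ", ".join("?" for _ in row)
    try:
        conn.execute(f"INSERT INTO radacct ({cols}) VALUES ({marks})",
                     tuple(row.values()))
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)

def demo(attrs=SAMPLE_ATTRS):
    """Return (default_error, fixed_error, duplicate_error) for one Start:
    the default row fails NOT NULL, the fixed row inserts, and replaying
    the same session trips the UNIQUE index instead of duplicating it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(RADACCT_SCHEMA)
    default_err = insert_row(conn, default_start_row(attrs))
    fixed_err = insert_row(conn, fixed_start_row(attrs))
    dup_err = insert_row(conn, fixed_start_row(attrs))
    return default_err, fixed_err, dup_err

if __name__ == "__main__":
    for label, err in zip(("default", "fixed", "duplicate"), demo()):
        print(f"{label:9s}: {'ok' if err is None else err}")
```

The duplicate-insert case is the one radsqlrelay users care about: if the relay file is replayed after a partial run, a UNIQUE AcctUniqueId turns the second copy into a rejected row rather than a double-billed session.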
Re: EAP session matching the State variable.
The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed). In line 116518 a client gets a reject, in 119715 the same client an accept.

Norbert Wegener

Alan DeKok wrote: Norbert Wegener wrote: With 2.0.0 sometimes I get this error message, that I have not seen before:

Much of the EAP code was edited in 2.0. It was extensively tested, but apparently there are still issues. That's what happens when changing working code, I guess...

rlm_eap: No EAP session matching the State variable.

Is this happening inside of a PEAP tunnel?

rlm_eap: Either EAP-request timed out OR EAP-response to an unknown ... This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configurational changes. If necessary, I can provide the long log.

That would help... Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: no start of radiusd after reboot : mysql connection error
mailinglists wrote: After reboot, freeradius doesn't start, and says this is because it couldn't reach the mysql database. But it doesn't even try to contact it (network-wise: tcpdump sees nothing). Just after reboot, if root runs /etc/init.d/radiusd start, freeradius starts OK, and contacts the database correctly. If I add a ping database.domain.com in the /etc/init.d/radiusd just before starting radiusd, it works, even at boot time!! (but it's really a dirty and ugly solution, so I can't bring myself to accept such a thing!!!)

It looks to me like it's a networking issue on that machine. The ping shouldn't affect anything... but it does. FreeRADIUS is at the mercy of the networking stack and the MySQL libraries. I don't think there's anything that can be done in FreeRADIUS to fix that. Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
help in basic configuration in connection mysql with freeradius
hi, I am trying to use a mysql database with FreeRADIUS 2.0.0 for the first time. I am using CentOS 4.5 and mysql 4.1.2. The authentication works fine if I am using the unix username and password. I modified some configurations in radiusd.conf and sql.conf but it doesn't work. Please tell me the most basic steps to configure freeradius with mysql. Here is the log file while running in debugging mode:

[EMAIL PROTECTED] ~]# radiusd -X FreeRADIUS Version 2.0.0, for host i686-pc-linux-gnu, built on Jan 29 2008 at 12:25:11 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid user = root checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = no log { 
syslog_facility = daemon stripped_names = no file = /usr/local/var/log/radius/radius.log auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = johnson123 nastype = other } radiusd: Loading Realms and Home Servers proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = auth secret = johnson123 response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = status-server ping_check = none ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = auto auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp 
= NULL } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to
Re: radius stops authenticating users
Those are accounting requests. They have nothing to do with logins.

Ivan Kalik
Kalik Informatika ISP

On 8/2/2008, Andrew D Kirch [EMAIL PROTECTED] wrote: The top login attempt doesn't work, and the bottom one does. Restarting radius doesn't fix the problem, but rebooting the server it's running on does. This is the 1.1.7 package for Debian Linux, the NAS is a Cisco AS5300. Below is the output from freeradius -X for a working and a failed login session for the same user. Further debug logs available upon request. Thanks in advance for your help.

modcall: entering group preacct for request 14 modcall[preacct]: module preprocess returns noop for request 14 rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 208.64.35.3,NAS-IP-Address = 208.64.35.3,Acct-Session-Id = 000E79BC,User-Name = [EMAIL PROTECTED]' rlm_acct_unique: Acct-Unique-Session-ID = c27a6dc7ba7ef40a. modcall[preacct]: module acct_unique returns ok for request 14 rlm_realm: Looking up realm k-inc.com for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm k-inc.com modcall[preacct]: module suffix returns noop for request 14 modcall[preacct]: module files returns noop for request 14 modcall: leaving group preacct (returns ok) for request 14 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 14 radius_xlat: '/var/log/freeradius/radacct/208.64.35.3/detail-20080208' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/208.64.35.3/detail-20080208 modcall[accounting]: module detail returns ok for request 14 modcall[accounting]: module unix returns ok for request 14 radius_xlat: '/var/log/freeradius/radutmp' radius_xlat: '[EMAIL PROTECTED]' modcall[accounting]: module radutmp returns ok for request 14 rlm_ippool: Searching for an entry for nas/port: 208.64.35.3/1 rlm_ippool: Deallocated entry for ip/port: 208.64.35.241/1 rlm_ippool: num: 0 modcall[accounting]: module main_pool returns ok for request 14 modcall: leaving group accounting (returns ok) for request 14 Sending Accounting-Response of id 47 to 208.64.35.3 port 1646 Finished request 14

Processing the preacct section of radiusd.conf modcall: entering group preacct for request 4 modcall[preacct]: module preprocess returns noop for request 4 rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 208.64.35.3,NAS-IP-Address = 208.64.35.3,Acct-Session-Id = 000E79BC,User-Name = [EMAIL PROTECTED]' rlm_acct_unique: Acct-Unique-Session-ID = c27a6dc7ba7ef40a. modcall[preacct]: module acct_unique returns ok for request 4 rlm_realm: Looking up realm k-inc.com for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm k-inc.com modcall[preacct]: module suffix returns noop for request 4 modcall[preacct]: module files returns noop for request 4 modcall: leaving group preacct (returns ok) for request 4 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 4 radius_xlat: '/var/log/freeradius/radacct/208.64.35.3/detail-20080208' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/208.64.35.3/detail-20080208 modcall[accounting]: module detail returns ok for request 4 modcall[accounting]: module unix returns ok for request 4 radius_xlat: '/var/log/freeradius/radutmp' radius_xlat: '[EMAIL PROTECTED]' modcall[accounting]: module radutmp returns ok for request 4 rlm_ippool: This is not an Accounting-Stop. Return NOOP. modcall[accounting]: module main_pool returns noop for request 4 modcall: leaving group accounting (returns ok) for request 4 Sending Accounting-Response of id 41 to 208.64.35.3 port 1646 Finished request 4
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help in basic configuration in connection mysql with freeradius
On Friday 08 February 2008 16:18:25 johnson elangbam wrote: hi, I am trying to use a mysql database with FreeRADIUS 2.0.0 for the first time. I am using CentOS 4.5 and mysql 4.1.2. The authentication works fine if I am using the unix username and password. I modified some configurations in radiusd.conf and sql.conf but it doesn't work. Please tell me the most basic steps to configure freeradius with mysql.

http://wiki.freeradius.org/SQL_HOWTO

-- Iñaki Baz Castillo [EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Newslists
hi, spending more time posting pseudo-insults and complaints about people's posting behaviour RATHER than the config/file-debug etc. as requested ain't going to help anyone. Sure, some sarcastic comments aren't necessary, but the basic method of using this list doesn't change. As previously mentioned, this list is occupied by folk doing lots of other PAID work. None of us are paid for getting people's configs working (and trust me, various commercial enterprises have come online solely through free help from this list). Thus, we request some bare minimum details to help. The other possibility is you are a trailblazer, in which case no one can help you with your requirements. At least then, if you do figure it out, you too can post to other people in the future to make snide remarks at their ineptitude (which you feel is happening now).

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Newslists
/radacct//auth-detail-20080208.log'
Fri Feb 8 17:27:26 2008 : Debug: rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct//auth-detail-20080208.log
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 3
Fri Feb 8 17:27:26 2008 : Debug: modcall[authorize]: module auth_log returns ok for request 3
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: calling hxdsl (rlm_realm) for request 3
Fri Feb 8 17:27:26 2008 : Debug: rlm_realm: Looking up realm hxdsl for User-Name = [EMAIL PROTECTED]
Fri Feb 8 17:27:26 2008 : Debug: rlm_realm: Found realm HXdsl
Fri Feb 8 17:27:26 2008 : Debug: rlm_realm: Adding Stripped-User-Name = test
Fri Feb 8 17:27:26 2008 : Debug: rlm_realm: Proxying request from user test to realm HXdsl
Fri Feb 8 17:27:26 2008 : Debug: rlm_realm: Adding Realm = HXdsl
Fri Feb 8 17:27:26 2008 : Debug: rlm_realm: Authentication realm is LOCAL.
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: returned from hxdsl (rlm_realm) for request 3
Fri Feb 8 17:27:26 2008 : Debug: modcall[authorize]: module hxdsl returns noop for request 3
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 3
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: '[EMAIL PROTECTED]'
Fri Feb 8 17:27:26 2008 : Debug: rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
Fri Feb 8 17:27:26 2008 : Debug: rlm_sql (sql): Reserving sql socket id: 5
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Fri Feb 8 17:27:26 2008 : Debug: rlm_sql (sql): Released sql socket id: 5
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 3
Fri Feb 8 17:27:26 2008 : Debug: modcall[authorize]: module sql returns ok for request 3
Fri Feb 8 17:27:26 2008 : Debug: modcall: entering group for request 3
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: calling AttrRewrite_MonthlyBlendedUnshaped (rlm_attr_rewrite) for request 3
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'UNSHAPED_NORMAL'
Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: Added attribute Configuration-Token with value 'UNSHAPED_NORMAL'
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: returned from AttrRewrite_MonthlyBlendedUnshaped (rlm_attr_rewrite) for request 3
Fri Feb 8 17:27:26 2008 : Debug: modcall[authorize]: module AttrRewrite_MonthlyBlendedUnshaped returns ok for request 3
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: calling MonthlyUnShaped (rlm_sqlcounter) for request 3
Fri Feb 8 17:27:26 2008 : Debug: rlm_sqlcounter: Entering module authorize code
Fri Feb 8 17:27:26 2008 : Debug: sqlcounter_expand: 'SELECT IF((SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='%{User-Name}' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1201816800'),(SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='%{User-Name}' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1201816800'),0)'
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'SELECT IF((SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='[EMAIL PROTECTED]' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1201816800'),(SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='[EMAIL PROTECTED]' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1201816800'),0)'
Fri Feb 8 17:27:26 2008 : Debug: sqlcounter_expand: '%{sql:SELECT IF((SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='[EMAIL PROTECTED]' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1201816800'),(SELECT (sum(AcctInputOctets) + SUM(AcctOutputOctets))/1024 from radacct WHERE UserName='[EMAIL PROTECTED]' AND Class REGEXP '^NU' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '1201816800'),0)}'
Fri Feb 8 17:27
Re: EAP session matching the State variable.
Norbert Wegener wrote: That is, what I got as information about the processor: cat /proc/cpuinfo ... model name : Intel(R) Celeron(R) CPU 2.40GHz Doesn't sound like a 64-bit machine. Dang... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP session matching the State variable.
Alan DeKok wrote: Norbert Wegener wrote: The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed). In line 116518 a client gets a reject, in 119715 the same client an accept.

... State = 0x00030d00 ... It's a 64-bit machine... I'll be damned if I can figure out why the State attribute is (almost) all zeros.

I have no access to that machine and didn't expect processor information to be relevant. That is what I got as information about the processor:

cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 2
model name      : Intel(R) Celeron(R) CPU 2.40GHz
stepping        : 9
cpu MHz         : 2405.622
cache size      : 128 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe up cid xtpr
bogomips        : 4815.15

I updated the code in rlm_eap to fix one problem, and apparently created another... All I can guess is that the code generating 32-bit random numbers somehow has them promoted to 64-bit numbers, and then the lower 32 bits get ignored... I think I have access to a 64-bit machine where I can take a look at this. Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Acct-Status-Type FAILED for SQL backend, are SQL actions customizable now?
Hi, as a user of OpenSer I do radius accounting using the MySQL backend. For non-established calls (busy, not found, cancelled...) OpenSer generates: Acct-Status-Type 15. RFC2866 says: 15 Reserved for Failed. But FreeRadius doesn't support a FAILED action using SQL accounting (that would be accounting_failed_query, but it requires source patching). I read a thread [1] about this exact issue in which Alan DeKok says: "On the good side, we plan on making some changes to the SQL module that make the patch unnecessary, but will still have the functionality you want." So the actions would be customizable via editing the sql.conf file, with no need of patching code. This thread is from November 2006; is it already implemented? In that case, which versions include it? What about Debian packages? Thanks a lot for any response.

[1] http://www.openser.org/pipermail/devel/2006-November/004375.html

-- Iñaki Baz Castillo [EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: weird error
Joe Vieira wrote: I am consistently getting a segfault (~every 45minutes or so) from line 1319 of rlm_ldap.c , gdb debugging shows me that vals[0] is not a valid memory location. (always 0xb00020e0) Try running it without the LDAP module. If it works, then the ldap module, or the LDAP libraries it uses aren't 64-bit clean. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Newslists
Keith Dovale - HostworX.co.za wrote: All I can say is, if you spent as much time helping people as you did coming up with crap comments the world would be a better place. I have been subscribed to this news list for a short while now, and you of all people continually give people sarcastic comments.. Get a Life... Hmm... I've spent nearly 10 years on this list helping people. I've told you multiple times what you need to do for anyone to help you. Yet... you haven't done anything. You have spent more time giving me crap comments, than one decent one saying exactly what you would expect or need to look at this issue to resolve it. You constantly have some crap comment to make, Like I said before I will find out from another source. You have been told multiple times that we need the entire debug log. Yet you still refuse to post it. Instead of coming out with what you require you make these little noises about how pathetic the poster is and shirk them off. You obviously have SDS... Er... no. You've been told multiple times. Apparently you haven't read the instructions, or you haven't understood them, or you don't intend to follow them. If you can't be bothered to follow the simplest of instructions, there's little anyone can do to help you. Alan Dekok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: no start of radiusd after reboot : mysql connection error
Hi, I added the following lines to /etc/init.d/radiusd:

start)
    # Workaround for radiusd not starting after reboot
    # cf. freeradius-users@lists.freeradius.org thread "no start of radiusd after reboot : mysql connection error"
    ping -c 1 ntp.domain.com
    echo -n $"Starting RADIUS server: "
    ...

hmmm, such a weird setting requirement hints at the actual network interface needing a little more time until it is alive. This may point the finger away from the server and onto the network switch/router that it is connected to instead. So, do you have e.g. 'spanning-tree portfast' configured on the port that the server is connected to? If not, you will have to wait up to 30 seconds after the network interface comes up before you are able to send/receive network packets.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
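A single unconditional `ping` in the init script papers over the delay Alan describes (the switch port only starts forwarding once spanning-tree converges, up to 30 seconds) without saying how long radiusd should wait or what it is waiting for. The following is an added example, not the distribution's init script and not code from this thread: it makes the dependency explicit by probing the accounting database's TCP port and bounding the total wait, so a dead database fails the start visibly instead of hanging the boot. The host `db.example.com`, the port 3306 and the 45-second budget are assumptions; the probe and sleep functions are injectable so the retry logic runs offline.

```python
"""Added example: bounded wait for the accounting database before
starting radiusd, in place of a bare `ping` in /etc/init.d/radiusd."""
import socket
import time

def tcp_probe(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds within timeout.
    Reaching the DB port proves more than ICMP does: the link forwards,
    name resolution works, and the server is actually accepting."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def wait_for(probe, max_seconds, interval, sleep=time.sleep):
    """Call probe() until it returns True or max_seconds have been spent
    sleeping.  Returns (ok, attempts).  Bounded on purpose: an init
    script that waits forever turns a flapping port into a hung boot."""
    attempts = 0
    waited = 0.0
    while True:
        attempts += 1
        if probe():
            return True, attempts
        if waited >= max_seconds:
            return False, attempts
        sleep(interval)
        waited += interval

def succeed_after(n):
    """Constructed probe that fails n-1 times, then succeeds: stands in
    for a port that comes up once spanning-tree has finished."""
    calls = {"n": 0}
    def probe():
        calls["n"] += 1
        return calls["n"] >= n
    return probe

if __name__ == "__main__":
    # Hypothetical DB host/port: replace with the real accounting server.
    ok, tries = wait_for(lambda: tcp_probe("db.example.com", 3306), 45, 3)
    print("database reachable" if ok else "gave up", "after", tries, "attempts")
    raise SystemExit(0 if ok else 1)
```

Run from the init script as `python3 wait_db.py || exit 1` before the `radiusd` start line; the exit status tells the boot log why the server did not come up, which a silent `ping` never does.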
Re: How to change the key on ippool
Luis Galan wrote: I have changed to that: key = %{NAS-IP-Address} %{Acct-Session-Id} Question: Is it the right choice? or Should I use key = %{NAS-IP-Address} %{Acct-Unique-Session-Id}? Do I have to change something else? No. You want something that is unique to each client. The Acct-Session-Id attribute is unique to each *session*, which is completely different. Try Calling-Station-Id, if that's available. It's usually the MAC address... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: weird error
Is anyone else running freeradius 2.0.1 on rhel5 x86-64? I am consistently getting a segfault (~every 45 minutes or so) from line 1319 of rlm_ldap.c; gdb debugging shows me that vals[0] is not a valid memory location (always 0xb00020e0). This occurs on two physically different servers (different make and model as well). This only seems to occur when the server is run THREADED: when I run in `radiusd -X` it DOES NOT segfault, however in `radiusd -f` (threaded debug) it DOES segfault. Attached seems to be the request that is causing a segfault (threaded debug mode) as well as a backtrace and some other gdb info.

rad_recv: Access-Request packet from host 10.5.5.3 port 32770, id=198, length=192
Fri Feb 8 08:55:09 2008 : Debug: Waking up in 0.9 seconds.
Fri Feb 8 08:55:09 2008 : Debug: Thread 8 got semaphore
Fri Feb 8 08:55:09 2008 : Debug: Thread 8 handling request 1112, (139 handled so far)
        User-Name = STUDENTS\\kcook
        Calling-Station-Id = 00-90-96-C7-15-7C
        Called-Station-Id = 00-19-07-06-68-40:ClarkWiFi
        NAS-Port = 29
        NAS-IP-Address = 10.5.5.3
        NAS-Identifier = WISM1-8B
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 177
        EAP-Message = 0x023e00130153545544454e54535c6b636f6f6b
        Message-Authenticator = 0xa49c3013a1518db03e9dd79520678670
Fri Feb 8 08:55:09 2008 : Debug: +- entering group authorize
Fri Feb 8 08:55:09 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1112
Fri Feb 8 08:55:09 2008 : Debug: hints: Matched DEFAULT at 65
Fri Feb 8 08:55:09 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1112
Fri Feb 8 08:55:09 2008 : Debug: ++[preprocess] returns ok
Fri Feb 8 08:55:09 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1112
Fri Feb 8 08:55:09 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1112
Fri Feb 8 08:55:09 2008 : Debug: ++[mschap] returns noop
Fri Feb 8 08:55:09 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1112
Fri Feb 8 08:55:09 2008 : Debug: rlm_eap: EAP packet type response id 62 length 19
Fri Feb 8 08:55:09 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Fri Feb 8 08:55:09 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1112
Fri Feb 8 08:55:09 2008 : Debug: ++[eap] returns updated
Fri Feb 8 08:55:09 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1112
Fri Feb 8 08:55:09 2008 : Debug: users: Matched entry DEFAULT at line 17
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: Entering ldap_groupcmp()
Fri Feb 8 08:55:09 2008 : Debug: expand: ou=Users, dc=clarku, dc=edu -> ou=Users, dc=clarku, dc=edu
Fri Feb 8 08:55:09 2008 : Debug: radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
Fri Feb 8 08:55:09 2008 : Debug: expand: (uid=%{mschap:User-Name}) -> (uid=kcook)
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: performing search in ou=Users, dc=clarku, dc=edu , with filter (uid=kcook)
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Feb 8 08:55:09 2008 : Debug: radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
Fri Feb 8 08:55:09 2008 : Debug: expand: (&(objectClass=posixGroup)(memberUid=%{mschap:User-Name})) -> (&(objectClass=posixGroup)(memberUid=kcook))
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: performing search in cn=Administrators,ou=Groups,dc=clarku,dc=edu, with filter (&(objectClass=posixGroup)(memberUid=kcook))
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: object not found or got ambiguous search result
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap::ldap_groupcmp: Group cn=Administrators,ou=Groups,dc=clarku,dc=edu not found or user is not a member.
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap: Entering ldap_groupcmp()
Fri Feb 8 08:55:09 2008 : Debug: expand: ou=Users, dc=clarku, dc=edu -> ou=Users, dc=clarku, dc=edu
Fri Feb 8 08:55:09 2008 : Debug: radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
Fri Feb 8 08:55:09 2008 : Debug: expand: (&(objectClass=posixGroup)(memberUid=%{mschap:User-Name})) -> (&(objectClass=posixGroup)(memberUid=kcook))
Fri Feb 8 08:55:09 2008 : Debug: rlm_ldap:
Re: weird error
if that's the case, why do you think it seems to work fine single threaded?

shrug, I dunno... =( I am adding a ton of debugging stuff to the function, so hopefully it might give some more insight...

joe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: weird error
1319 of rlm_ldap.c , gdb debugging shows me that vals[0] is not a valid memory location. (always 0xb00020e0) Try running it without the LDAP module. If it works, then the ldap module, or the LDAP libraries it uses aren't 64-bit clean. if that's the case, why do you think it seems to work fine single threaded? Joe - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: weird error
I am consistently getting a segfault (~every 45 minutes or so) from line 1319 of rlm_ldap.c; gdb debugging shows me that vals[0] is not a valid memory location (always 0xb00020e0).

Try running it without the LDAP module. If it works, then the ldap module, or the LDAP libraries it uses, aren't 64-bit clean.

I'm linked against redhat's 64-bit ldap libraries, which function well in every test I can think to throw at them.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radius stops authenticating users
The top login attempt doesn't work, and the bottom one does. Restarting radius doesn't fix the problem, but rebooting the server it's running on does. This is the 1.1.7 package for Debian Linux, the NAS is a Cisco AS5300. Below is the output from freeradius -X for a working and a failed login session for the same user. Further debug logs available upon request. Thanks in advance for your help.

modcall: entering group preacct for request 14 modcall[preacct]: module preprocess returns noop for request 14 rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 208.64.35.3,NAS-IP-Address = 208.64.35.3,Acct-Session-Id = 000E79BC,User-Name = [EMAIL PROTECTED]' rlm_acct_unique: Acct-Unique-Session-ID = c27a6dc7ba7ef40a. modcall[preacct]: module acct_unique returns ok for request 14 rlm_realm: Looking up realm k-inc.com for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm k-inc.com modcall[preacct]: module suffix returns noop for request 14 modcall[preacct]: module files returns noop for request 14 modcall: leaving group preacct (returns ok) for request 14 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 14 radius_xlat: '/var/log/freeradius/radacct/208.64.35.3/detail-20080208' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/208.64.35.3/detail-20080208 modcall[accounting]: module detail returns ok for request 14 modcall[accounting]: module unix returns ok for request 14 radius_xlat: '/var/log/freeradius/radutmp' radius_xlat: '[EMAIL PROTECTED]' modcall[accounting]: module radutmp returns ok for request 14 rlm_ippool: Searching for an entry for nas/port: 208.64.35.3/1 rlm_ippool: Deallocated entry for ip/port: 208.64.35.241/1 rlm_ippool: num: 0 modcall[accounting]: module main_pool returns ok for request 14 modcall: leaving group accounting (returns ok) for request 14 Sending Accounting-Response of id 47 to 208.64.35.3 port 1646 Finished request 14 
Processing the preacct section of radiusd.conf modcall: entering group preacct for request 4 modcall[preacct]: module preprocess returns noop for request 4 rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 208.64.35.3,NAS-IP-Address = 208.64.35.3,Acct-Session-Id = 000E79BC,User-Name = [EMAIL PROTECTED]' rlm_acct_unique: Acct-Unique-Session-ID = c27a6dc7ba7ef40a. modcall[preacct]: module acct_unique returns ok for request 4 rlm_realm: Looking up realm k-inc.com for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm k-inc.com modcall[preacct]: module suffix returns noop for request 4 modcall[preacct]: module files returns noop for request 4 modcall: leaving group preacct (returns ok) for request 4 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 4 radius_xlat: '/var/log/freeradius/radacct/208.64.35.3/detail-20080208' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/208.64.35.3/detail-20080208 modcall[accounting]: module detail returns ok for request 4 modcall[accounting]: module unix returns ok for request 4 radius_xlat: '/var/log/freeradius/radutmp' radius_xlat: '[EMAIL PROTECTED]' modcall[accounting]: module radutmp returns ok for request 4 rlm_ippool: This is not an Accounting-Stop. Return NOOP. modcall[accounting]: module main_pool returns noop for request 4 modcall: leaving group accounting (returns ok) for request 4 Sending Accounting-Response of id 41 to 208.64.35.3 port 1646 Finished request 4 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Freeradius2 and proxing
I do not receive any comment about my supplied patch. I will try to explain my issue better:

Freeradius 2.0.1 (or latest CVS): src/modules/rlm_realm/rlm_realm.c:

    /*
     * Allow DEFAULT realms unless told not to.
     */
    realm = realm_find(realmname);
    if (!realm) {
        DEBUG2("rlm_realm: No such realm \"%s\"",
               (realmname == NULL) ? "NULL" : realmname);
        return 0;
    }

    if (inst->ignore_default && (strcmp(realm->name, "DEFAULT")) == 0) {
        DEBUG2("rlm_realm: Found DEFAULT, but skipping due to config.");
        return 0;
    }

realmname contains the realm (suffix/ntdomain authorize). If the 'realmname' is not defined in proxy.conf and a DEFAULT realm is defined in proxy.conf, realm_find returns NULL. Thus, the correct debug message is shown:

    rlm_realm: No such realm "example.com"

But the DEFAULT realm is not handled (-> return 0). From my point of view, something is missing here to handle the DEFAULT realm.

Regards,
Vincent Magnin
Re: EAP session matching the State variable.
model name : Intel(R) Celeron(R) CPU 2.40GHz

Doesn't sound like a 64-bit machine.

Dang... they did make the Celeron D line that had a 2.4 that was 64-bit-like around 2006 or so I think... so it could be still..
MLPPP - Maybe off topic
Hi

Apologies if this isn't really a Freeradius question, although maybe someone on the list has encountered the issue we have and may have a solution.

We are trying to bond 2 DSL lines for a customer who has 2 phone lines and 2 DSL circuits in his office. For some reason it is not working as we would expect. My understanding is that both DSL circuits have to connect using the same username/password and we have to add:

    Cisco-Avpair = preauth:ppp-multilink=1

to the user's Radius profile. Although both DSL routers connect it gives some very strange routing issues, and things like web pages can't be viewed. We are terminating DSL on a Cisco 7304 over L2TP. We know the Cisco does MLPPP and we can see it does bond some connections for some reason, no idea why, but we see them.

Am I doing something wrong?

Thanks in advance.

Tony

No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.19.21/1265 - Release Date: 07/02/2008 11:17
Re: help in basic configuration in connection mysql with freeradius
johnson elangbam wrote:

hi, I am trying to use mysql database with free radius 2.0.0 for the first time. I am using centOS 4.5 and mysql 4.1.2. The authentication works fine if I am using the unix username and password. I modified some configurations in radiusd.conf and sql.conf but it doesn't work. Please tell me the most basic steps to configure freeradius with mysql. Here is the log file while running in debugging mode:

Which contains nothing about SQL. You need to un-comment the uses of SQL in the configuration files. See radiusd.conf, sites-enabled/default, etc.

Alan DeKok.
Re: help in basic configuration in connection mysql with freeradius
Hi,

hi, I am trying to use mysql database with free radius 2.0.0 for the first time. I am using centOS 4.5 and mysql 4.1.2. The authentication works fine if I am using the unix username and password. I modified some configurations in radiusd.conf and sql.conf but it doesn't work. Please tell me the most basic steps to configure freeradius with mysql. Here is the log file while running in debugging mode:

home-built with no sign of SQL activity in the log file. so, did the server build with mysql support? what errors were thrown during the ./configure stage? eg

    ./configure --with-whatever-arguments | grep WARNING

you will need the mysql-devel package installed to build mysql support into the system

alan
Re: weird error
Joe Vieira wrote:

if that's the case, why do you think it seems to work fine single threaded?

shrug I dunno...

Alan DeKok.
Re: MLPPP - Maybe off topic
No, this is a Cisco question. Debug ppp negotiation and multilink events on the receiving router. And don't bother posting the debug here.

Ivan Kalik
Kalik Informatika ISP

On 8/2/2008, Tony Spencer [EMAIL PROTECTED] wrote:

Hi, apologies if this isn't really a Freeradius question, although maybe someone on the list has encountered the issue we have and may have a solution.
Re: Using freeradius integrated with Active Directory to autenticatecisco passwords
Hi Ivan!

How do I get router to send mschap request instead of PAP?

Best Regards,
Fernando

2008/2/1, Ivan Kalik [EMAIL PROTECTED]:

    rad_recv: Access-Request packet from host 10.131.23.252:1645, id=84, length=79
        NAS-IP-Address = 10.131.23.252
        NAS-Port = 11
        NAS-Port-Type = Virtual
        User-Name = jonny
        Calling-Station-Id = 10.131.23.253
        User-Password = xx

This is a PAP request. ntlm_auth will work on mschap requests. Get router to send mschap requests.

Ivan Kalik
Kalik Informatika ISP
Re: Using freeradius integrated with Active Directory toautenticatecisco passwords
Depends on the router. You will have to read router documentation. For Cisco it's ppp authentication mschap on the interface. User's machine trying to connect will also need to support mschap.

Ivan Kalik
Kalik Informatika ISP

On 8/2/2008, Fernando Coelho [EMAIL PROTECTED] wrote:

Hi Ivan! How do I get router to send mschap request instead of PAP?
Re: Re: Freeradius2 and proxing
Hi,

I do not receive any comment about my supplied patch. I will try to explain my issue better:

I understood what you stated - and the patch does appear to handle the 'old style' 1.1.x DEFAULT handling properly. ..the old system could just be given a DEFAULT and stuff would go to it. I'm not sure if there's another quirky thing somewhere else..but your patch does seem to do what it claims :-)

alan
Re: Using freeradius integrated with Active Directory toautenticatecisco passwords
Hi,

Thank you all. But how do I do this? Does anyone have a tutorial about it?

add the required parts to the radius config files to enable krb5 (direct password check) against the AD - you will also need to ensure your kerberos environment is sane and works, eg run the command

    kinit your_user_id

on the command line to validate that your machine can get a kerberos ticket. the bits you need to add to the radius config are:

    krb5 {
    }

to the module stanza (radiusd.conf) and

    Auth-Type krb5 {
        krb5
    }

to the authenticate stanza (radiusd.conf in 1.1.x and sites-enabled/default in radiusd 2.x). you MAY need to set Auth-Type = krb5 for the required user or NAS setting depending on your config!

alan
Re: Acct-Status-Type FAILED for SQL backend, are SQL actions customizable now?
Iñaki Baz Castillo wrote:

RFC2866 says: 15 Reserved for Failed. But FreeRadius doesn't support FAILED action using SQL accounting (that would be accounting_failed_query, but requires source patching).

Yup. No one in the world except OpenSER uses failed.

This thread is from November 2006, is it already implemented? in that case, which versions do include it? what about Debian packages?

It's not included. As always, patches are welcome...

Alan DeKok.
Re: EAP session matching the State variable.
Norbert Wegener wrote:

The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept. ... State = 0x00030d00 ...

...

All I can guess is that the code generating 32-bit random numbers somehow has them promoted to 64-bit numbers, and then the lower 32-bits get ignored...

the ISAAC (random number generator) libraries do use registers to hold the numbers while it is generating them. registers on 64-bit machines are 64 bit, right?

Joe
Re: weird error
Joe Vieira wrote:

Joe Vieira wrote:

if that's the case, why do you think it seems to work fine single threaded?

shrug I dunno...

so, even tho LDAP_DEPRECATED was set as a cflag in rlm_ldap/configure.in, it never shows up as a gcc option during compilation for some reason... so i defined it in rlm_ldap.c because it is ABSOLUTELY required on 64bit systems, because of missing prototypes for ldap libraries .. which basically will ruin your day.. else you can get into a situation where the compiler assumed the function (in this case ldap_get_values) returns an int (32bit), but it actually returns a pointer (64bit on 64 bit systems) which can then get truncated (which is likely why it always looked the same, because the part that stayed after the truncation was the same...)

good debian wiki article about implicit pointer conversion http://wiki.debian.org/ImplicitPointerConversions

    #define LDAP_DEPRECATED 1

added as the first line in rlm_ldap.c ...
Re: Using freeradius integrated with Active Directory toautenticatecisco passwords
Thank you all. But how do I do this? Does anyone have a tutorial about it?

Best regards,

2008/2/4, Jeffrey Hutzelman [EMAIL PROTECTED]:

--On Saturday, February 02, 2008 06:50:32 PM + Markus Moeller [EMAIL PROTECTED] wrote:

You can use pam with a pam_krb5 module to authenticate users to AD.

Alternately, there is a perfectly good rlm_krb5 in FreeRADIUS.
Re: weird error
Joe Vieira wrote:

if that's the case, why do you think it seems to work fine single threaded?

shrug I dunno...

So, more or less at this point threading seems to ruin this somehow. which is really weird. this same server was running freeradius 1.1.6, then i installed the new version, which basically goes to shit on the machine...i assume there was a lot of rewriting that occurred between these two versions, was threading re-written? or the rlm_ldap threading functions??

thanks
joe
Re: EAP session matching the State variable.
Norbert Wegener wrote:

The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept. ... State = 0x00030d00 ...

It's a 64-bit machine... I'll be damned if I can figure out why the State attribute is (almost) all zeros. I updated the code in rlm_eap to fix one problem, and apparently created another...

All I can guess is that the code generating 32-bit random numbers somehow has them promoted to 64-bit numbers, and then the lower 32-bits get ignored...

I think I have access to a 64-bit machine where I can take a look at this.

Alan DeKok.
Re: EAP session matching the State variable.
Joe Vieira wrote:

the ISAAC (random number generator) libraries do use registers to hold the numbers while it is generating them. registers on 64-bit machines are 64 bit, right?

That may be it. If you can delete the register references in src/lib/isaac.c and re-test, it would help. A simple check is that the State attribute looks like random garbage, rather than being mostly zeros.

Alan DeKok.
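The "mostly zeros" sanity check Alan describes, as an added example (not code from the thread or from FreeRADIUS): it scans radiusd -X output for State = 0x... lines and flags values that are empty, constant or at least half zero bytes, which is what a predictable EAP session State looks like in the debug log. The sample log lines are constructed apart from the 0x00030d00 value quoted above, and the zero-byte threshold is my own assumption.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATE_MAX 64  /* longest State value we bother to decode */

/* Decode the hex digits after "State = 0x" on one radiusd -X debug line
 * into out[]. Returns the number of bytes decoded, or -1 when the line
 * carries no State attribute at all. */
int parse_state_line(const char *line, uint8_t *out, size_t cap)
{
    const char *p = strstr(line, "State = 0x");
    if (p == NULL) return -1;
    p += strlen("State = 0x");

    size_t n = 0;
    while (n < cap && isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
        unsigned v;
        if (sscanf(p, "%2x", &v) != 1) break;
        out[n++] = (uint8_t)v;
        p += 2;
    }
    return (int)n;
}

/* The check suggested in the thread, made concrete (threshold is an
 * assumption of this example): a State is accepted as "random garbage"
 * only if fewer than half of its bytes are zero and the bytes are not
 * all identical. Returns 1 for healthy, 0 for suspect. */
int state_looks_random(const uint8_t *state, size_t len)
{
    if (len == 0) return 0;
    size_t zeros = 0;
    int all_same = 1;
    for (size_t i = 0; i < len; i++) {
        if (state[i] == 0) zeros++;
        if (state[i] != state[0]) all_same = 0;
    }
    if (all_same) return 0;
    return (zeros * 2 < len) ? 1 : 0;
}

/* Classify one debug line: -1 = no State attribute on this line,
 * 0 = State present but suspect, 1 = State looks healthy. */
int classify_state_line(const char *line)
{
    uint8_t st[STATE_MAX];
    int n = parse_state_line(line, st, sizeof st);
    if (n < 0) return -1;
    return state_looks_random(st, (size_t)n);
}

/* Walk a multi-line debug capture and count the State values that fail
 * the check; lines without a State attribute are ignored. */
int count_suspect_states(const char *log)
{
    int suspect = 0;
    const char *line = log;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (classify_state_line(buf) == 0) suspect++;
        if (nl == NULL) break;
        line = nl + 1;
    }
    return suspect;
}

/* Constructed sample of radiusd -X output. The 0x00030d00 value is the one
 * quoted in the thread; the other two State values are made up here. */
static const char SAMPLE_LOG[] =
    "rad_recv: Access-Request packet from host 192.0.2.10:1645, id=12, length=150\n"
    "\tUser-Name = \"testuser\"\n"
    "\tState = 0x00030d00\n"
    "rad_recv: Access-Request packet from host 192.0.2.10:1645, id=13, length=162\n"
    "\tState = 0x8f3a1c5be2d7409a6b1ef0c3a5d28e71\n"
    "\tState = 0x00000000000000000000000000000000\n"
    "Sending Access-Challenge of id 13 to 192.0.2.10 port 1645\n";

int main(void)
{
    printf("suspect State values in sample log: %d\n", count_suspect_states(SAMPLE_LOG));
    return 0;
}
```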
RE: Newslists
I posted this all before, I just trimmed the debug file down to where the error was...

The attrib rewrite section

    attr_rewrite AttrRewrite_MonthlyBlendedUnshaped {
        attribute = Configuration-Token
        searchin = reply
        searchfor = LOCAL_LIMITED
        replacewith = UNSHAPED_NORMAL
        ignore_case = yes
        new_attribute = yes
        max_matches = 1
        append = no
    }

    attr_rewrite AttrRewrite_MonthlyBlendedShaped {
        attribute = Configuration-Token
        searchin = reply
        searchfor = UNSHAPED_NORMAL
        replacewith = SHAPED_NORMAL
        ignore_case = yes
        new_attribute = no
        max_matches = 1
        append = no
    }

    attr_rewrite AttrRewrite_MonthlyLocal {
        attribute = Configuration-Token
        searchin = reply
        searchfor = SHAPED_NORMAL
        replacewith = LOCAL_NORMAL
        ignore_case = yes
        new_attribute = no
        max_matches = 1
        append = no
    }

    attr_rewrite AttrRewrite_Limited {
        attribute = Configuration-Token
        searchin = reply
        searchfor = LOCAL_NORMAL
        replacewith = LOCAL_LIMITED
        ignore_case = yes
        new_attribute = no
        max_matches = 1
        append = no
    }

The authorize section

    authorize {
        auth_log
        # digest
        hxdsl
        sql
        group {
            AttrRewrite_MonthlyBlendedUnshaped
            MonthlyUnShaped {
                reject = 1
                ok = return
            }
            AttrRewrite_MonthlyBlendedShaped
            MonthlyShaped {
                reject = 1
                ok = return
            }
            AttrRewrite_MonthlyLocal
            MonthlyLocal {
                reject = 1
                ok = return
            }
            AttrRewrite_Limited
        }
        pap
    }

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 08, 2008 4:39 PM
To: FreeRadius users mailing list
Subject: Re: Newslists

Hi,

But when it checks for the attribute in the reply packet, it says it can't find it, but it still does the attrib-rewrite, changes the values and then moans it couldn't find the value pair. This is obviously not normal in my opinion, and thus I asked about a specific problem. I only attached the debug portion as it is specific to the problem.

post the relevant part of your config file? We aren't seeing the whole picture. when you take a car to the garage, the mechanic hears your story AND sees the car.

alan
Re: no start of radiusd after reboot : mysql connection error
Alan DeKok wrote:

mailinglists wrote:

After reboot, freeradius doesn't start, and says this is because it couldn't reach the mysql database. But it doesn't even try to contact it (networkingly-speaking: tcpdump sees nothing). Just after reboot, if root runs /etc/init.d/radiusd start, freeradius starts OK, and contacts the database correctly. If I add a ping database.domain.com in the /etc/init.d/radiusd just before starting radiusd, it works, even at boot time!! (but it's really a dirty and ugly solution, so I can't resolve myself to such an issue!!!)

It looks to me like it's a networking issue on that machine. The ping shouldn't affect anything... but it does. FreeRADIUS is at the mercy of the networking stack and the MySQL libraries. I don't think there's anything that can be done in FreeRADIUS to fix that

OK, I'm not expert enough in networking to debug that. So I come back to my dirty solution. I add the following lines to the /etc/init.d/radiusd:

    start)
        # Workaround for radiusd not starting after reboot
        # cf freeradius-users@lists.freeradius.org thread "no start of radiusd after reboot : mysql connection error"
        ping -c 1 ntp.domain.com
        echo -n "Starting RADIUS server: "
        ...

And it works...

Thank you for your help, bye

Laetitia
RE: Newslists
I did explain what I was trying to do with the failover and the attr_rewrite function, what more can a person say about the attrib rewrite, other than the attribute rewrite is supposed to check for an attribute in a packet, in this case the reply packet, if it finds the attribute, change it and basically carry on.

But when it checks for the attribute in the reply packet, it says it can't find it, but it still does the attrib-rewrite, changes the values and then moans it couldn't find the value pair. This is obviously not normal in my opinion, and thus I asked about a specific problem. I only attached the debug portion as it is specific to the problem.

When you take your car to the garage for a brake problem, you don't explain how the engine, fan, wheels, boot opener works, you say the car does not stop when I push the brakes. If the mechanic asks for more info then you tell him.

    rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
    radius_xlat: 'UNSHAPED_NORMAL'
    radius_xlat: 'SHAPED_NORMAL'
    rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
    rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token

Regards
Keith Dovale

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edvin Seferovic
Sent: Friday, February 08, 2008 12:14 PM
To: 'FreeRadius users mailing list'
Subject: RE: Newslists

Constructive answer like always is to analyze what you want to achieve with freeradius. Rethink the configuration, read the documentation for your setup needs and ask a straight-forward question. You cannot just post the debug output and hope that someone can understand what you actually need. Try to elaborate your setup, the steps you have already done and of course the debugging output. Alan will probably give you a simple answer like yes/no and point to the right direction.

But again - you cannot expect someone to do the installation and setup for you! People are usually paid for that! Although Alan might be sarcastic, he has never let anyone down who was willing to learn and accept the mistakes (including myself).

Regards,
E:S

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Dovale - HostworX.co.za
Sent: Friday, 08 February 2008 10:46
To: 'FreeRadius users mailing list'
Subject: RE: Newslists

No not at all, and I don't expect it. But at least someone like yourself, who seems to be the guru on freeradius, could at least reply with a constructive answer rather than replying with sarcastic comments. My question is where did I announce I don't read the documentation, that is the first thing I went to. I have gone through the read me's, faq's etc and have followed their directions regarding this, it's the debug that is giving the error. And responding with weird checks, that is exactly why I posted here as there is no google results / faqs, etc that answer my question.

Regards
Keith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 9:44 AM
To: FreeRadius users mailing list
Subject: Re: Newslists

Keith Dovale - HostworX.co.za wrote:

My Honest opinion of this news list / user group is that it is not helpful at all, it seems if you are not in the click, no one helps, does anyone moderate this or not? I have posted twice now and no one replies…

Is there a contractual obligation requiring people to support you? In any case, you haven't followed the instructions in the FAQ, README, INSTALL, etc. You've already announced that you don't read the documentation people write, so why would anyone write more on this list?

Regards
Keith

From: Keith Dovale - HostworX.co.za [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 07, 2008 9:08 PM
To: '
Subject: attr rewrite issue

Hi Guys, some help please.

I am trying to do an attr rewrite to change an Attribute value then do a check based on the attribute that is changed, if the check fails do another attrib rewrite to the next value and do another check, until either the check fails or passes. There are basically only 4 checks in the group statement in the authorise section which do:

    Attrib rewrite
    Do check (If it fails do)
    Attrib rewrite
    Do check (If it fails do)
    Attrib check
    Do rewrite (If it fails do)
    Attrib check
    Do rewrite
    Reject
    Pass

When it runs it checks the reply packet for an attribute Configuration-Token which is defined in the radgroupreply for the users but it seems it cannot find it and gives an error. As below

    rlm_sqlcounter: (Check item - counter) is less than zero
    rlm_sqlcounter: Rejected user keith, check_item=0, counter=0
    modcall[authorize]: module
Re: Using freeradius integrated with Active Directory toautenticatecisco passwords
--On Friday, February 08, 2008 08:19:32 PM + [EMAIL PROTECTED] wrote:

you MAY need to set Auth-Type = krb5 for the required user or NAS setting depending on your config!

You will almost certainly have to do something -- there is no way for the rlm_krb5 module to know that you want to use it for verifying passwords; that's not something that can be inferred from the request.

If all of your clients will be using plain passwords which you want to verify against Kerberos, and you won't be supporting EAP clients, then you can probably get away with something simple like adding the following to the users file:

    DEFAULT Auth-Type := krb5
            Fall-Through = No

Note that this violates the general advice of never setting Auth-Type explicitly; this is necessary because rlm_krb5 does not provide any authorize handling and will not set Auth-Type automatically like many other modules do.

If you are trying to support EAP or do something else complicated, then setting Auth-Type explicitly like this will probably break it, unless you are very careful to do so only under circumstances where it is the right thing to do. I'm afraid I can't provide help with that; it's rather complex and really the right thing to do is update rlm_krb5 so it works automatically like everything else. Perhaps someday I'll do that; I doubt the original author of that module cares any longer.

-- Jeffrey T. Hutzelman (N3NHS) [EMAIL PROTECTED]
Carnegie Mellon University - Pittsburgh, PA
Re: Reject user from SQL-DB
Phil Mayers (08.02.2008 12:03):

Ok, now I'm returning Auth-Type := Reject from my check-items-query and I hoped to be able to send a little more in-depth information along the way in the Reply-Message attribute, but unfortunately this info gets lost. It seems that I have to fill this attribute in the reply-items-query. Does this mean the reply-items-query has to trigger the same functions as the check-items-query again to find out what the reason for the reject was? Or do I have to fill a temporary table with the reply message in the check-items-query which then gets returned in the reply-items-query?

Hmm. I guess you're doing something like:

    authorize_check_query = select myproc('%{SQL-User-Name}','...etc...')

...and are trying to avoid re-calling the same (or another) function in the reply query.

That's the problem. How will the reply query be aware that the user has already been rejected without using additional queries? I tried calling the check query with %{control:My-Reply} or %{control:Auth-Type} as attributes but those are empty though set in the check query.

What you could do is place a local attribute in the check items, then copy it to the reply items in an unlang section: i.e. return 2 rows from the stored proc:

    attr      | op | value
    ----------+----+-------------
    My-Reply  | := | some message
    Auth-Type | := | Reject

in /etc/raddb/dictionary:

    ATTRIBUTE My-Reply 3000 string

and have:

    authorize {
        sql
    }

    post-auth {
        Post-Auth-Type Reject {
            if (control:My-Reply) {
                update reply {
                    Reply-Message = %{control:My-Reply}
                }
            }
        }
    }

Thanks Phil, that was it! Now I'm getting the right Reply-Message. Actually, if (control:My-Reply) must be if (%{control:My-Reply}) to check if it's empty.

JB
Check for LDAP source in users?
I have an LDAP server with sets of users. The only thing that separates the different groups of users is the DN itself: group1 of users are located under ou=group1,o=bla,c=no, group2 of users are located under ou=group2,o=bla,c=no and so forth. I want to send different attributes for the different groups. There are no groupMemberShip or groupName attributes available that I can trust, I just want to check if the DN contains the string ou=group1,o=bla,c=no or ou=group2,o=bla,c=no etc.

I have tried setting up two LDAP entries (ldap1 and ldap2), each with the above DNs as basedn, but is there a way to create a DEFAULT entry in the users file that will check which one the user matches?

Suggestions? Thanks a lot.

-- Kolbjørn Barmen
UNINETT Driftsenter
FreeRadius origin country
Hi,

Greetings, I wish to post the below question: What is the origin country name of FreeRadius?

Thank you.

Kind Regards,
Kishore
Re: Newslists
Keith Dovale - HostworX.co.za wrote:

what more can a person say about the attrib rewrite, other than the attribute rewrite is supposed to check for an attribute in a packet, in this case the reply packet, if it finds the attribute, change it and basically carry on

While that is possible, it's not evident from the debug log you posted.

But when it checks for the attribute in the reply packet, it says it can't find it, but it still does the attrib-rewrite, changes the values and then moans it couldn't find the value pair. This is obviously not normal in my opinion, and thus I asked about a specific problem. I only attached the debug portion as it is specific to the problem.

See my previous response.

When you take your car to the garage for a brake problem, you don't explain how the engine, fan, wheels, boot opener works, you say the car does not stop when I push the brakes. If the mechanic asks for more info then you tell him.

Mechanics are used to people claiming all sorts of interesting problems with their cars that are unrelated to what is *really* broken.

    C: My car won't start! The starter motor is broken!
    M: Is there gas in the car?
    C: Err... no.
    M: Right then... here's the bill.

Alan DeKok.
Re: Newslists
Hi,

But when it checks for the attribute in the reply packet, it says it can't find it, but it still does the attrib-rewrite, changes the values and then moans it couldn't find the value pair. This is obviously not normal in my opinion, and thus I asked about a specific problem. I only attached the debug portion as it is specific to the problem.

post the relevant part of your config file? We aren't seeing the whole picture. when you take a car to the garage, the mechanic hears your story AND sees the car.

alan
RE: Newslists
Dear GOD,

I am quite prepared to pay someone to resolve my problems if necessary, however the point of this news list is supposed to be people helping people, learn from others who have been there etc, and not being a bill gates society. All I can say is, if you spent as much time helping people as you did coming up with crap comments the world would be a better place. I have been subscribed to this news list for a short while now, and you of all people continually give people sarcastic comments.. Get a Life... You have spent more time giving me crap comments than one decent one saying exactly what you would expect or need to look at this issue to resolve it. You constantly have some crap comment to make. Like I said before I will find out from another source. Instead of coming out with what you require you make these little noises about how pathetic the poster is and shirk them off. You obviously have SDS...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, February 08, 2008 4:07 PM
To: FreeRadius users mailing list
Subject: Re: Newslists
Re: weird error
seemingly thus far...

Joe Vieira
UNIX Systems Administrator
Clark University - ITS

[EMAIL PROTECTED] wrote:
Hi,
else you can get into a situation where the compiler assumed the function (in this case ldap_get_values) returns an int (32bit), but it actually returns a pointer (64bit on 64 bit systems) which can then get truncated (which is likely why it always looked the same, because the part that stayed after the truncation was the same...)

good debian wiki article about implicit pointer conversion
http://wiki.debian.org/ImplicitPointerConversions

#define LDAP_DEPRECATED 1

added as the first line in rlm_ldap.c ... fixed the issue?

alan
Re: weird error
Hi,
else you can get into a situation where the compiler assumed the function (in this case ldap_get_values) returns an int (32bit), but it actually returns a pointer (64bit on 64 bit systems) which can then get truncated (which is likely why it always looked the same, because the part that stayed after the truncation was the same...)

good debian wiki article about implicit pointer conversion
http://wiki.debian.org/ImplicitPointerConversions

#define LDAP_DEPRECATED 1

added as the first line in rlm_ldap.c ... fixed the issue?

alan
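A constructed C illustration of the truncation described in the two messages above (added here; it is not code from the thread or from rlm_ldap). It assumes an LP64 target and GCC's modular unsigned-to-int conversion; truncate_through_int and pointer_survives are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not rlm_ldap code. Assumes an LP64 target
 * (64-bit pointers, 32-bit int) and GCC's modular unsigned-to-int
 * conversion. When ldap_get_values() is called with no prototype in
 * scope (the LDAP_DEPRECATED define missing), the compiler assumes it
 * returns int: the caller keeps only the low 32 bits of the returned
 * pointer and sign-extends them when the value is used as a pointer. */
uintptr_t truncate_through_int(uintptr_t p)
{
    uint32_t low = (uint32_t)p;          /* the half that survives the call */
    int as_int = (int)low;               /* what the caller believes it got */
    return (uintptr_t)(intptr_t)as_int;  /* widened back, sign-extended */
}

/* 1 when the pointer comes back intact, 0 when the truncation broke it.
 * Only pointers whose upper 32 bits are all zero (or all one) survive,
 * and two pointers sharing their low 32 bits look identical afterwards,
 * which is why the corrupted value "always looked the same". */
int pointer_survives(const void *p)
{
    return truncate_through_int((uintptr_t)p) == (uintptr_t)p;
}

int main(void)
{
    static int in_data;
    int on_stack = 0;
    const void *samples[] = { &in_data, &on_stack };

    for (int i = 0; i < 2; i++) {
        uintptr_t p = (uintptr_t)samples[i];
        printf("%#lx -> %#lx (%s)\n", (unsigned long)p,
               (unsigned long)truncate_through_int(p),
               pointer_survives(samples[i]) ? "intact" : "corrupted");
    }
    /* The durable fix is a visible prototype (LDAP_DEPRECATED before
     * <ldap.h>); -Werror=implicit-function-declaration turns a missing
     * declaration into a build error instead of a silent runtime bug. */
    return 0;
}
```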
Re: weird error
Joe Vieira wrote:
so, even tho LDAP_DEPRECATED was set as a cflag in rlm_ldap/configure.in, it never shows up as a gcc option during compilation for some reason...

Ah. The configure script hadn't been re-generated. Oops... I've committed the updated configure script. Hopefully the problem has been solved.

Alan DeKok.
Re: Newslists
Keith Dovale - HostworX.co.za wrote:
Ok you asked for the debug log here it is.

The extra '-x' (which prints the time) is unnecessary, and makes it harder to read the output. Still..

Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: attribute = Configuration-Token
Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: searchfor = UNSHAPED_NORMAL
Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: searchin = reply
Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: replacewith = SHAPED_NORMAL
Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: append = no
Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: ignore_case = yes
Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: new_attribute = no
Fri Feb 8 17:24:47 2008 : Debug: attr_rewrite: max_matches = 1
Fri Feb 8 17:24:47 2008 : Debug: Module: Instantiated attr_rewrite (AttrRewrite_MonthlyBlendedShaped)

One instance of attr_rewrite...

Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: calling AttrRewrite_MonthlyBlendedShaped (rlm_attr_rewrite) for request 3
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'UNSHAPED_NORMAL'
Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: No match found for attribute Configuration-Token with value 'SHAPED_NORMAL'
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'UNSHAPED_NORMAL'
Fri Feb 8 17:27:26 2008 : Debug: radius_xlat: 'SHAPED_NORMAL'
Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: Changed value for attribute Configuration-Token from 'UNSHAPED_NORMAL' to 'SHAPED_NORMAL'
Fri Feb 8 17:27:26 2008 : Debug: rlm_attr_rewrite: Could not find value pair for attribute Configuration-Token
Fri Feb 8 17:27:26 2008 : Debug: modsingle[authorize]: returned from AttrRewrite_MonthlyBlendedShaped (rlm_attr_rewrite) for request 3

The thing about the attr_rewrite module is that it looks at ALL attributes in the list. In this case, you have two Configuration-Tokens. One has value SHAPED_NORMAL, and the other UNSHAPED_NORMAL. It doesn't match the first, but it does match the second. After that, it says it couldn't find any more.

There is a bug. The first no match found line prints the value of the attribute that didn't match, NOT the value it was looking for. Carefully reading the debug output makes this clear:
- it says no match
- it says changed value from UNSHAPED_NORMAL
- returns from module AttrRewrite_MonthlyBlendedShaped

i.e. the FIRST line is wrong.

You were getting confused because you have *other* attr_rewrite modules which re-write SHAPED_NORMAL. So reading the debug log here, it looked like it was trying to re-write SHAPED_NORMAL. But it wasn't, because it was NOT running the AttrRewrite_MonthlyLocal module.

The only issue I see is that one debug line is wrong, and therefore confusing. Is there anything else?

Alan DeKok.
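A constructed C model of the walk Alan describes above (added here; it is not rlm_attr_rewrite's own code): every pair named Configuration-Token in the reply list is tested against the searchfor regex, the first pair fails, the second is rewritten, and max_matches ends the loop. The model's "no match" line also names the searched-for value, which is the correction the message calls for; attr_rewrite and vp_t are hypothetical names and the reply list is constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the attr_rewrite walk, not rlm_attr_rewrite code.
 * Every pair named `attr` is tested against the `searchfor` regex; in a
 * matching value the matched span is replaced with `replacewith`, for at
 * most `max_matches` pairs. Returns pairs changed, or -1 on a bad regex. */
typedef struct { const char *name; char value[64]; } vp_t;

int attr_rewrite(vp_t *list, int n, const char *attr, const char *searchfor,
                 const char *replacewith, int ignore_case, int max_matches)
{
    regex_t re; regmatch_t m;
    char buf[64]; int changed = 0;

    if (regcomp(&re, searchfor, REG_EXTENDED | (ignore_case ? REG_ICASE : 0)))
        return -1;
    for (int i = 0; i < n && changed < max_matches; i++) {
        if (strcmp(list[i].name, attr) != 0) continue;
        if (regexec(&re, list[i].value, 1, &m, 0) != 0) {
            /* Show the regex that failed, not only the pair's own value:
             * the original line omitted it, which made the log misleading. */
            fprintf(stderr, "No match for attribute %s with value '%s' "
                    "(searchfor = '%s')\n", attr, list[i].value, searchfor);
            continue;
        }
        snprintf(buf, sizeof buf, "%.*s%s%s", (int)m.rm_so, list[i].value,
                 replacewith, list[i].value + m.rm_eo);
        fprintf(stderr, "Changed value for attribute %s from '%s' to '%s'\n",
                attr, list[i].value, buf);
        memcpy(list[i].value, buf, sizeof buf);
        changed++;
    }
    regfree(&re);
    return changed;
}

int main(void)
{
    /* Constructed reply list mirroring the two Configuration-Tokens in the log. */
    vp_t reply[] = { {"Configuration-Token", "SHAPED_NORMAL"},
                     {"Configuration-Token", "UNSHAPED_NORMAL"} };
    int n = attr_rewrite(reply, 2, "Configuration-Token", "UNSHAPED_NORMAL",
                         "SHAPED_NORMAL", 1, 1);
    printf("%d changed: %s, %s\n", n, reply[0].value, reply[1].value);
    return 0;
}
```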
Re: MLPPP - Maybe off topic
Tony Spencer wrote:
We are trying to bond 2 DSL lines for a customer who has 2 phone lines and 2 DSL circuits in his office.

You may also need to set the standard RADIUS attributes for doing multilink. See the Cisco docs for more information.

Alan DeKok.