Re: Rule for don't log specific user session.

2008-03-11 Thread Vincent Magnin

Hello Rafael,

It should be possible in Freeradius 2 and using unlang language:


if (User-Name != "test-user") {
   sql_log
}

Regards,

Vincent M.

Rafael Medici <[EMAIL PROTECTED]> wrote:

> Hello,
>
> Is there a way to not log anything for a specific user, creating a
> rule in sql_log?
>
> You will probably ask me why!
>
> Because I have a plugin running on nagios that checks for
> authentication with a specific user, e.g. "testuser", every 5 minutes,
> and at the end of the day my database grows with useless
> information. We are a global hotspot provider, so this check running
> on nagios is performed in 10.000 hotspots, to test for
> authentication, so you could imagine that this "testuser" generates
> infinite registers.
>
> I think putting in some kind of trigger to do that will probably slow down
> my server performance, because we have a huge users database.
>
> I'm running freeradius(1.1.7) + postgre.
>
> Regards,
>
> Rafael Medici


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[no subject]

2008-03-11 Thread Santiago Balaguer García

Hi,
 
  I have had two RADIUS servers for three years. They are my two production
AAA servers and can authenticate up to 300.000 accounts. So my RADIUS database
(PostgreSQL) has grown considerably and I have noticed that my SQL queries are
slowing down. I know that I have four tables with almost 500.000 registers each.

 Any suggestions for improving the throughput and accelerating the queries?
 
  Thanks,
 
 Santiago

Database performance (was Re: )

2008-03-11 Thread Alan DeKok
Santiago Balaguer García wrote:
>   I have had two RADIUS servers for three years. They are my two
> production AAA servers and can authenticate up to 300.000 accounts. So
> my RADIUS database (PostgreSQL) has grown considerably and I have noticed
> that my SQL queries are slowing down. I know that I have four tables with
> almost 500.000 registers each.
>
>  Any suggestions for improving the throughput and accelerating the queries?

  Index the tables.

  Increasing database performance is usually documented on the database
web site.

  Alan DeKok.


Re: virtual server configuration

2008-03-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I was stuck for a long while. I created two modules, eap_main and
> eap_gtc. My server1 and server2 virtual servers referred to each one
> respectively. The server would start, but authentication would fail:
> 
> auth: type "EAP"
> WARNING: Unknown value specified for Auth-Type.

  Ah.  That's arguably a bug.

> The problem was solved when I changed my authenticate sections, adding:
> Auth-Type EAP {
>   eap_main
> }
>
> the default authenticate just had an unqualified 'eap' line. I'm not
> sure why it's required after I virtualize.

  Bug.  I've fixed it in CVS head, and it will be fixed in 2.0.3.

> I'm still having trouble with the eap_gtc section, because when I remove
> TLS or empty it or try to return reject, the server won't start. Is
> removing the section the right way to not support an eap type on one
> virtual server?

  Yes.  Could you post the error?

> Thanks for the reply. It was helpful.

  I'm not *always* blunt with people.

  Alan DeKok.


RADIUS database growing up

2008-03-11 Thread Santiago Balaguer García

Hi,

I have had two RADIUS servers for three years. They are my two
production AAA servers and can authenticate up to 300.000 accounts. So my
RADIUS database (PostgreSQL) has grown considerably and I have noticed that
my SQL queries are slowing down. I know that I have four tables with almost
500.000 registers each.

Any suggestions for improving the throughput and accelerating the queries?

Thanks,

Santiago


I will be giving a talk at Networkshop36 in April

2008-03-11 Thread Alan DeKok
  I will be giving a talk in Glasgow in April.

http://www.ja.net/services/events/2008/networkshop-36.html

  On Wednesday:

15.00   The evolution of Free RADIUS and future developments
Alan DeKok, FreeRADIUS

  If anyone on this list is planning on attending, look for me, or send
me email.  I'll also be showing up early (likely Monday), so I may have
some time in advance to meet people.

  Alan DeKok.


Re: Database performance (was Re: )

2008-03-11 Thread A . L . M . Buxey
Hi,

> >  Any suggestion for improving the throughput and accelerating the queries?
> 
>   Index the tables.
> 
>   Increasing database performance is usually documented on the database
> web site.

Depending on the version of PostgreSQL you may also need to 'vacuum' the database
to clean up nodes etc - once again, check the database documentation site.

alan


Re: Rule for don't log specific user session.

2008-03-11 Thread Phil Mayers

Vincent Magnin wrote:
> Hello Rafael,
>
> It should be possible in Freeradius 2 and using unlang language:
>
> if (User-Name != "test-user") {
>    sql_log
> }

In previous versions, you can use Acct-Type:

preacct {
  files
}
accounting {
  Acct-Type SQL-LOG {
    sqllog
  }
}

...then in "acct_users":

nagios
        Fall-Through = No

DEFAULT Acct-Type := SQL-LOG

> Regards,
>
> Vincent M.
>
> Rafael Medici <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>>
>> Is there a way to not log anything for a specific user, creating a
>> rule in sql_log?
>>
>> You will probably ask me why!
>>
>> Because I have a plugin running on nagios that checks for
>> authentication with a specific user, e.g. "testuser", every 5 minutes,
>> and at the end of the day my database grows with useless information.
>> We are a global hotspot provider, so this check running on nagios is
>> performed in 10.000 hotspots, to test for authentication, so you could
>> imagine that this "testuser" generates infinite registers.
>>
>> I think putting in some kind of trigger to do that will probably slow down
>> my server performance, because we have a huge users database.
>>
>> I'm running freeradius(1.1.7) + postgre.
>>
>> Regards,
>>
>> Rafael Medici


Re: Viewing all Radius acct attributes

2008-03-11 Thread Phil Mayers

Rashmi Bajaj wrote:
> Hi,
> I am using the freeradius to receive radius acct logs from another
> remote radius server. The purpose is to use the radwho output.
> How do I make the radwho output to show all the attributes that it
> receives?
> Currently the output shows: Login, Name, What, TTY, When, From (NAS IP
> address), location (Framed IP address).
>
> But my input radius account parameters include many more.

radwho reads the radutmp file, which only stores those fields.

> What needs to be changed in the conf files, so I see all the attributes
> as a result of radwho?

Nothing - it can't be done.

If you want all the attributes, use a "detail" module and look at the
text files.

Or, use SQL and modify the queries & SQL schema to include any extra
(the default schema doesn't include everything)


Help with complex redundant LDAP setup

2008-03-11 Thread Capelle, Mark (PCMC-GB)
I have an LDAP setup with multiple module statements pointing to the
same LDAP server, but at different OUs (referred to as sites) to get
around issues due to the large tree size present.  This is currently
working with the following setup

radiusd.conf:

modules {
    ldap srv1-sitea {
        ..
        set_auth_type = yes
    }
    ldap srv1-siteb {
        ..
        set_auth_type = yes
    }
}

sites-available/default:

authorize {
    srv1-sitea
    srv1-siteb
}

authenticate {
    Auth-Type srv1-sitea {
        srv1-sitea
    }
    Auth-Type srv1-siteb {
        srv1-siteb
    }
}

Now my goal is to make this a redundant configuration.  I have
duplicated my modules config, changing "srv1" to "srv2" and changing the
IP address of the LDAP server.  The rest of the configuration is what is
fuzzy for me.  I assume that my authorize section would be:

authorize {
    redundant {
        srv1-sitea
        srv2-sitea
    }
    redundant {
        srv1-siteb
        srv2-siteb
    }
}

Now the authentication part is where it becomes complicated.  I don't
even know where to begin with this.  I tried this based on some old
configs I had used in the past, but this failed miserably:

authenticate {
    Auth-Type ldap {
        group {
            srv1-sitea {
                reject = 1
                ok = return
            }
            srv2-siteb {
                reject = return
                ok = return
            }
        }
    }
}

I read the "configurable failover" docs, but it is still not clear to me
what I would need to do in this situation.

I am sure there is probably an easy way to accomplish this so that for
each OU ("site") it uses both LDAP servers ("srv1","srv2") in a
redundant fashion, but how to do it is something I am having a heck of a
time figuring out.

Can freeRadius do that?

2008-03-11 Thread Guillaume Chartrand
Hi,

I just want to know if the freeradius server can do what I want to deploy in my
environment. I want to deploy freeradius to take care of security and
authorization for my wireless network. What I want to do is like many hotels in
my country. The user opens his laptop with wireless capability and is
automatically connected to the wireless network, but if he wants to use the
internet connection, when he first runs his browser, he's automatically
redirected to an authentication page that asks him for a username and a
password. So is it freeradius that handles this, or another software or
combination of software, like a freeradius server and a proxy, or freeradius
with third-party software?

Can someone help me with my question?

Thanks a lot

Guillaume Chartrand
IT Technician
Cégep régional de Lanaudière
Centre administratif, Repentigny
(450) 470-0911 ext. 7218

RE: Database performance (was Re: )

2008-03-11 Thread Santiago Balaguer García

I usually execute VACUUM. But the time of the queries does not decrease.

PostgreSQL 7.4

> Date: Tue, 11 Mar 2008 10:39:47 +
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Database performance (was Re: )
>
> Hi,
>
> > > Any suggestion for improving the throughput and accelerating the queries?
> >
> > Index the tables.
> >
> > Increasing database performance is usually documented on the database
> > web site.
>
> Depending on the version of PostgreSQL you may also need to 'vacuum' the database
> to clean up nodes etc - once again, check the database documentation site.
>
> alan

Re: Can freeRadius do that?

2008-03-11 Thread Alan DeKok
Guillaume Chartrand wrote:
> ... What I want to do is like
> many hotels in my country. The user opens his laptop with wireless
> capability and is automatically connected to the wireless network, but if he
> wants to use the internet connection, when he first runs his browser, he's
> automatically redirected to an authentication page that asks him for a username
> and a password. So is it freeradius that handles this, or another
> software or combination of software, like a freeradius server and a
> proxy, or freeradius with third-party software?

  See Chillispot or CoovaChilli.  What you want is a "captive portal".

  Alan DeKok.


Re: Help with complex redundant LDAP setup

2008-03-11 Thread Alan DeKok
Capelle, Mark (PCMC-GB) wrote:
> Now the authentication part is where it becomes complicated.

  Nope.  Just list "srv1-sitea" and "srv1-siteb" in the authenticate
section.  If the server is up (and was used) for the authorize query, it
had better be up for the authentication portion.

> I am sure there is probably an easy way to accomplish this so that for
> each OU ("site") it uses both LDAP servers ("srv1","srv2") in a
> redundant fashion, but how to do it is something I am having a heck of a
> time figuring out.

  You do not want to do redundancy AND redundancy.  That's redundant.

  Just do one level of redundancy, in the "authorize" section.  The
correct module will then be picked for the "authenticate" section.
There's no need to set up another level of redundancy.

  Alan DeKok.


Re: Can freeRadius do that?

2008-03-11 Thread Tim White
I'm using freeradius, with CoovaChilli, and a Squid Proxy (to reduce 
internet traffic).


Works a charm

Tim

Alan DeKok wrote:
> Guillaume Chartrand wrote:
> ... What I want to do is like
>> many hotels in my country. The user opens his laptop with wireless
>> capability and is automatically connected to the wireless network, but if he
>> wants to use the internet connection, when he first runs his browser, he's
>> automatically redirected to an authentication page that asks him for a username
>> and a password. So is it freeradius that handles this, or another
>> software or combination of software, like a freeradius server and a
>> proxy, or freeradius with third-party software?
>
>   See Chillispot or CoovaChilli.  What you want is a "captive portal".
>
>   Alan DeKok.


RE: Can freeRadius do that?

2008-03-11 Thread Guillaume Chartrand
>>>-----Original Message-----
>>>From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Tim White
>>>Sent: 11 March 2008 15:09
>>>To: FreeRadius users mailing list
>>>Subject: Re: Can freeRadius do that?
>>>
>>>I'm using freeradius, with CoovaChilli, and a Squid Proxy (to reduce
>>>internet traffic).

Which AP do you use? Do you know if Cisco APs or D-Link APs are supported by
CoovaChilli without modifying the APs' firmware?

Guillaume
Thanks

>>>Works a charm
>>>
>>>Tim

Alan DeKok wrote:
> Guillaume Chartrand wrote:
> ... What I want to do is like
>> many hotels in my country. The user opens his laptop with wireless
>> capability and is automatically connected to the wireless network, but if he
>> wants to use the internet connection, when he first runs his browser, he's
>> automatically redirected to an authentication page that asks him for a username
>> and a password. So is it freeradius that handles this, or another
>> software or combination of software, like a freeradius server and a
>> proxy, or freeradius with third-party software?
>
>   See Chillispot or CoovaChilli.  What you want is a "captive portal".
>
>   Alan DeKok.


Re: Can freeRadius do that?

2008-03-11 Thread Alexandre Chapellon



Guillaume Chartrand wrote:

> Hi,
>
> I just want to know if the freeradius server can do what I want to deploy
> in my environment. I want to deploy freeradius to take care of
> security and authorization for my wireless network. What I want to do
> is like many hotels in my country. The user opens his laptop with
> wireless capability and is automatically connected to the wireless network,
> but if he wants to use the internet connection, when he first runs his
> browser, he's automatically redirected to an authentication page that
> asks him for a username and a password. So is it freeradius that handles
> this, or another software or combination of software, like a freeradius
> server and a proxy, or freeradius with third-party software?
>
> Can someone help me with my question?
>
> Thanks a lot

For me what you describe is an open wireless network with a transparent
proxy that authenticates users on its default redirection page. This
authentication could and should be made with freeradius in order to have
fine-grained accounting.

Solution could be something like squid + radius_authenticator + freeradius.
I think you can use apache-mod-proxy and PAM, so that you can avoid the
use of squid but I'm not sure about it.

> Guillaume Chartrand
> IT Technician
> Cégep régional de Lanaudière
> Centre administratif, Repentigny
> (450) 470-0911 ext. 7218

RE: Rule for don't log specific user session.

2008-03-11 Thread Ben Wiechman
With this it wouldn't be that hard to separate the information for a
specific subscriber or group into a separate log file, would it?

Assuming that the two log options are appropriately configured:

FR 2.x

if (User-Name != "test-user") {
    # will (Group-Name != "test-group") { work?
    User_log
}
else {
    Test_log
}

Or FR 1.x

preacct {
    files
}
accounting {
    Acct-Type SQL-LOG {
        User_log
    }
    Acct-Type TEST-LOG {
        Test_log
    }
}

...then in "acct_users":

Test-user   Acct-Type := TEST-LOG
            Fall-Through = No

DEFAULT     Acct-Type := SQL-LOG

Is there an equivalent way to do this using sql? I.e. radreply/radgroupreply?
Also, will this take care of both accounting log info and authentication log
info?


Ben Wiechman
Network Admin
Wisper High Speed Internet
[EMAIL PROTECTED]
 

> -----Original Message-----
> From: freeradius-users-bounces+ben=wisper-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Phil Mayers
> Sent: Tuesday, March 11, 2008 6:13 AM
> To: FreeRadius users mailing list
> Subject: Re: Rule for don't log specific user session.
>
> Vincent Magnin wrote:
> > Hello Rafael,
> >
> > It should be possible in Freeradius 2 and using unlang language:
> >
> > if (User-Name != "test-user") {
> >    sql_log
> > }
>
> In previous versions, you can use Acct-Type:
>
> preacct {
>   files
> }
> accounting {
>   Acct-Type SQL-LOG {
>     sqllog
>   }
> }
>
> ...then in "acct_users":
>
> nagios
>         Fall-Through = No
>
> DEFAULT Acct-Type := SQL-LOG
>
> > Regards,
> >
> > Vincent M.
> >
> > Rafael Medici <[EMAIL PROTECTED]> wrote:
> >
> >> Hello,
> >>
> >> Is there a way to not log anything for a specific user, creating a
> >> rule in sql_log?
> >>
> >> You will probably ask me why!
> >>
> >> Because I have a plugin running on nagios that checks for
> >> authentication with a specific user, e.g. "testuser", every 5 minutes,
> >> and at the end of the day my database grows with useless information.
> >> We are a global hotspot provider, so this check running on nagios is
> >> performed in 10.000 hotspots, to test for authentication, so you could
> >> imagine that this "testuser" generates infinite registers.
> >>
> >> I think putting in some kind of trigger to do that will probably slow down
> >> my server performance, because we have a huge users database.
> >>
> >> I'm running freeradius(1.1.7) + postgre.
> >>
> >> Regards,
> >>
> >> Rafael Medici


FreeRadius2.0.2+ mysql +dailupadmin help!

2008-03-11 Thread Lance Buttars
Hi, I have successfully compiled and can run radiusd -X, but the problem is
I want to use dialup_admin to configure freeradius.

I have mysql installed and running, the database is running, and dialupadmin is
working, but I don't think radiusd is reading the database and I am not
seeing it load the mysql drivers. How do I know that it's loading the
drivers or if it detected mysql when I compiled it?

Thank you for your support


radius:/etc/raddb# radiusd -X > /root/radius

radius:/etc/raddb# cat /root/radius
FreeRADIUS Version 2.0.2, for host i686-pc-linux-gnu, built on Mar  7 
2008 at 20:59:43

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
  prefix = "/usr/local"
  localstatedir = "/usr/local/var"
  logdir = "/usr/local/var/log/radius"
  libdir = "/usr/local/lib"
  radacctdir = "/usr/local/var/log/radius/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  allow_core_dumps = no
  pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
  checkrad = "/usr/local/sbin/checkrad"
  debug_level = 0
  proxy_requests = yes
security {
  max_attributes = 200
  reject_delay = 1
  status_server = yes
}
}
client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = "testing123"
  nastype = "other"
}
radiusd:  Loading Realms and Home Servers 
proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
}
home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = "testing123"
  response_window = 20
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_check = "none"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
}
home_server_pool my_auth_failover {
  type = fail-over
  home_server = localhost
}
realm example.com {
  auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd:  Instantiating modules 
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
  wait = yes
  input_pairs = "request"
  shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
  reply-message = "Password Has Expired  "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
  reply-message = "You are calling outside your allowed timespan  "
  minimum-timeout = 60
}
}
radiusd:  Loading Virtual Servers 
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
  encryption_scheme = "auto"
  auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
  radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
  default_eap_type = "md5"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
 gtc {
  challenge = "Password: "
  auth_type = "PAP"
 }
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring 

Re: FreeRadius2.0.2+ mysql +dailupadmin help!

2008-03-11 Thread Ivan Kalik
Did you configure sql.conf? Did you uncomment sql entries in
radiusd.conf? Did you read:

http://wiki.freeradius.org/SQL_HOWTO

Ivan Kalik
Kalik Informatika ISP


On 11/3/2008, "Lance Buttars" <[EMAIL PROTECTED]> wrote:

>Hi, I have successfully compiled and can run radiusd -X, but the problem is
>I want to use dialup_admin to configure freeradius.
>
>I have mysql installed and running, the database is running, and dialupadmin is
>working, but I don't think radiusd is reading the database and I am not
>seeing it load the mysql drivers. How do I know that it's loading the
>drivers or if it detected mysql when I compiled it?
>
>Thank you for your support
>
>
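
One way to answer the "is it loading the driver?" question from the `radiusd -X` output posted in this thread, as an added example (not part of any post and not FreeRADIUS project code): it lists which config files were read, which rlm_* modules were linked, and which features were skipped at build time. It assumes, as in FreeRADIUS 2.x, that a module is only linked when a server section names it; the second sample log is constructed, and the posted log is cut off, so the verdict covers only the lines shown.

```python
import re

# Line formats are the ones visible in the `radiusd -X` output posted above.
INCLUDED = re.compile(r"^including configuration file (\S+)")
LINKED = re.compile(r"^Module: Linked to (?:sub-)?module (rlm_\w+)")
SKIPPED = re.compile(r"^(rlm_\w+): Ignoring (\S+) because we do not have (\w+) support")
QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")  # tolerate mail-quoted copies of the log


def summarise(debug_text):
    """Collect config files read, modules linked and features skipped."""
    summary = {"included": [], "linked": [], "skipped": []}
    for raw in debug_text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if (m := INCLUDED.match(line)):
            summary["included"].append(m.group(1))
        elif (m := LINKED.match(line)):
            if m.group(1) not in summary["linked"]:
                summary["linked"].append(m.group(1))
        elif (m := SKIPPED.match(line)):
            # (module, feature, missing library), e.g. EAP-TLS without OpenSSL
            summary["skipped"].append(m.groups())
    return summary


def module_status(summary, module="rlm_sql", conf_name="sql.conf"):
    """Classify a module from the summary.

    "config read, module not linked" means the module's config file was
    parsed but no "Linked to module" line appeared: under the assumption
    stated above, no authorize/accounting/... section lists the module.
    """
    conf_read = any(p.rsplit("/", 1)[-1] == conf_name for p in summary["included"])
    if module in summary["linked"]:
        return "linked"
    if conf_read:
        return "config read, module not linked"
    return "config not read"


# Excerpt of the output posted in this thread: sql.conf is read, but no
# rlm_sql line appears in the portion that was posted.
POSTED_EXCERPT = """\
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
Module: Linked to module rlm_exec
Module: Instantiating exec
Module: Linked to module rlm_pap
Module: Linked to module rlm_eap
Module: Linked to sub-module rlm_eap_md5
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
"""

# Constructed sample: the same excerpt plus an rlm_sql line in the same
# format, as it would look once a server section lists "sql".
CONSTRUCTED_WITH_SQL = POSTED_EXCERPT + "Module: Linked to module rlm_sql\n"


def report(debug_text):
    """Human-readable report for one captured start-up log."""
    s = summarise(debug_text)
    lines = [f"rlm_sql: {module_status(s)}",
             "linked modules: " + ", ".join(s["linked"])]
    for module, feature, library in s["skipped"]:
        lines.append(f"{module} skipped {feature} (built without {library})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(POSTED_EXCERPT))
    print("---")
    print(report(CONSTRUCTED_WITH_SQL))
```

To use it on a real capture, pass the contents of the file written by `radiusd -X > /root/radius` to `report()`.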

RE: I will be giving a talk at Networkshop36 in April

2008-03-11 Thread Dead Line

Alan,

Hi! Maybe I'm not in your area to attend, and maybe I'm far away from you by days...
But in the end, I want to thank you from the deepest of my heart for your
efforts and everyone's efforts in FreeRadius.
It's making administrators' lives easier. You deserve the best.

I've been on FreeRadius for 1 year and 7 months... It's great... and feeding my family :)

Thank you and thanks to all the people who support it.

Sultan.

> Date: Tue, 11 Mar 2008 11:31:25 +0100
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: I will be giving a talk at Networkshop36 in April
>
> I will be giving a talk in Glasgow in April.
>
> http://www.ja.net/services/events/2008/networkshop-36.html
>
> On Wednesday:
>
> 15.00 The evolution of Free RADIUS and future developments
> Alan DeKok, FreeRADIUS
>
> If anyone on this list is planning on attending, look for me, or send
> me email. I'll also be showing up early (likely Monday), so I may have
> some time in advance to meet people.
>
> Alan DeKok.

virtual server configuration

2008-03-11 Thread usawebbox
Pardon the non-threaded replies. I'll have to find a client that works
with the list.

>> I'm still having trouble with the eap_gtc section, because when I remove
>> TLS or empty it or try to return reject, the server won't start. Is
>> removing the section the right way to not support an eap type on one
>> virtual server?
>
>  Yes.  Could you post the error?

I should have done that.

When TLS is empty (i.e. TLS {}):

rlm_eap: SSL error error:0200100E:system library:fopen:Bad address
rlm_eap_tls: Error reading certificate file (null)
rlm_eap: Failed to initialize type tls

When TLS is removed:

rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required
first.

Or, if TTLS is also removed:

rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required
first.

This makes sense, as I'll need my server cert for PEAP. If those certs
have to be defined in the TLS block, what is the right way to disable
TLS in this case, but still have PEAP working? I tried deleting the
CA_file, so I wouldn't be able to verify user certs, but it's required.
Anyway, I don't want to offer TLS and fail it, I want to NAK it on
server2.
-- 
  
  [EMAIL PROTECTED]



Re: virtual server configuration

2008-03-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> When TLS is empty (i.e. TLS {}):

  Huh?  Why would you leave it empty?

  If you're not going to use TLS, delete the whole section.  It's just
like any other module.

> When TLS is removed:
> 
> rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required
> first.

  If you're not going to use TTLS, delete that section, too.

> Or, if TTLS is also removed:
> 
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required
> first.
> 
> This makes sense, as I'll need my server cert for PEAP. If those certs
> have to be defined in the TLS block, what is the right way to disable
> TLS in this case, but still have PEAP working? 

  Don't issue client certificates.  EAP-TLS won't work.

> I tried deleting the
> CA_file, so I wouldn't be able to verify user certs, but it's required.
> Anyway, I don't want to offer TLS and fail it, I want to NAK it on
> server2.

  This is explained in the comments in eap.conf, above the "ttls" and
"peap" sections.

  Alan DeKok.