Re: Rule for don't log specific user session.
Hello Rafael,
It should be possible in Freeradius 2 and using unlang language:
if (User-Name != "test-user") {
sql_log
}
Regards,
Vincent M.
Rafael Medici <[EMAIL PROTECTED]> a écrit :
Hello,
Is there a way to don't log nothing for a specific user, creating a
rule in sql_log?
You will probably ask me why!
Because i have a plugin running on nagios, that checks for
authentication with a specific user ex: "testuser" every 5 minutes,
and at the end of the day my database grows with useless
information. We are a global hotspot provider, so this check running
on nagios is performed in 10.000 hotspots, to test for
authentication, so you could imagine that this "testuser" generates
infinite registers.
I think put some kind of trigger to do that, will probably slow down
my server performance, because we have a huge users database.
I'm running freeradius(1.1.7) + postgre.
Regards,
Rafael Medici
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[no subject]
Hi, I have two radius server since three years ago. They are my two production AAA servers and can authenticate until 300.000 accounts. So my RADIUS database (PostgreSQL) grew up enough and I realize that my SQL queries slow down. I know that I have four table with almost 500.000 registers each one. Any suggestion for improving the throughput and accelerating the queries? Thanks, Santiago _ La vida de los famosos al desnudo en MSN Entretenimiento http://entretenimiento.es.msn.com/- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Database performance (was Re: )
Santiago Balaguer García wrote: > I have two radius server since three years ago. They are my two > production AAA servers and can authenticate until 300.000 accounts. So > my RADIUS database (PostgreSQL) grew up enough and I realize that my SQL > queries slow down. I know that I have four table with almost 500.000 > registers each one. > > Any suggestion for improving the throughput and accelerating the queries? Index the tables. Increasing database performance is usually documented on the database web site. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server configuration
[EMAIL PROTECTED] wrote:
> I was stuck for a long while. I created two modules, eap_main and
> eap_gtc. My server1 and server2 virtual servers referred to each one
> respectively. The server would start, but authentication would fail:
>
> auth: type "EAP"
> WARNING: Unknown value specified for Auth-Type.
Ah. That's arguably a bug.
> The problem was solved when I changed my authenticate sections, adding:
> Auth-Type EAP {
> eap_main
> }
>
> the default authenticate just had an unqualified 'eap' line. I'm not
> sure why it's required after I virtualize.
Bug. I've fixed it in CVS head, and it will be fixed in 2.0.3.
> I'm still having trouble with the eap_gtc section, because when I remove
> TLS or empty it or try to return reject, the server won't start. Is
> removing the section the right way to not support an eap type on one
> virtual server?
Yes. Could you post the error?
> Thanks for the reply. It was helpful.
I' not *always* blunt with people.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RADIUS database growing up
Hi, I have two radius server since three years ago. They are my two production AAA servers and can authenticate until 300.000 accounts. So my RADIUS database (PostgreSQL) grew up enough and I realize that my SQL queries slow down. I know that I have four table with almost 500.000 registers each one.Any suggestion for improving the throughput and accelerating the queries? Thanks, Santiago Sigue los principales acontecimientos deportivos en directo. MSN Motor _ Tecnología, moda, motor, viajes,…suscríbete a nuestros boletines para estar siempre a la última http://newsletters.msn.com/hm/maintenanceeses.asp?L=ES&C=ES&P=WCMaintenance&Brand=WL&RU=http%3a%2f%2fmail.live.com- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I will be giving a talk at Networkshop36 in April
I will be giving a talk in Glasgow in April. http://www.ja.net/services/events/2008/networkshop-36.html On Wednesday: 15.00 The evolution of Free RADIUS and future developments Alan DeKok, FreeRADIUS If anyone on this list is planning on attending, look for me, or send me email. I'll also be showing up early (likely Monday), so I may have some time in advance to meet people. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Database performance (was Re: )
Hi, > > Any suggestion for improving the throughput and accelerating the queries? > > Index the tables. > > Increasing database performance is usually documented on the database > web site. depending on version of PostGreSQL you may also need to 'vacuum' the database to clean up nodes etc - once again, check the database documentation site. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Rule for don't log specific user session.
Vincent Magnin wrote:
Hello Rafael,
It should be possible in Freeradius 2 and using unlang language:
if (User-Name != "test-user") {
sql_log
}
In previous versions, you can use Acct-Type:
preacct {
files
}
accounting {
Acct-Type SQL-LOG {
sqllog
}
}
...then in "acct_users":
nagios
Fall-Through = Np
DEFAULT Acct-Type := SQL-LOG
Regards,
Vincent M.
Rafael Medici <[EMAIL PROTECTED]> a écrit :
Hello,
Is there a way to don't log nothing for a specific user, creating a
rule in sql_log?
You will probably ask me why!
Because i have a plugin running on nagios, that checks for
authentication with a specific user ex: "testuser" every 5 minutes,
and at the end of the day my database grows with useless information.
We are a global hotspot provider, so this check running on nagios is
performed in 10.000 hotspots, to test for authentication, so you could
imagine that this "testuser" generates infinite registers.
I think put some kind of trigger to do that, will probably slow down
my server performance, because we have a huge users database.
I'm running freeradius(1.1.7) + postgre.
Regards,
Rafael Medici
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Viewing all Radius acct attributes
Rashmi Bajaj wrote: Hi, I am using the freeradius to receive radius acct logs from another remote radius server. The purpose is to use the radwho output. How do I make the radwho output to show all the attributes that it receives? Currently the output shows: Login, Name, What, TTY, When, From (NAS IP address), location (Framed IP address). But my input radius account parameters include many more. radwho reads the radutmp file, which only stores those fields. What needs to be changed in the conf files, so I see all the attributes as a result of radwho? Nothing - it can't be done. If you want all the attributes, use a "detail" module and look at the text files. Or, use SQL and modify the queries & SQL schema to include any extra (the default schema doesn't include everything) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Help with complex redundant LDAP setup
I have an LDAP setup with multiple module statements pointing to the
same LDAP server, but at different OU's (referred to as sites) to get
around issues due to the large tree size present. This is currently
working with the following setup
radiusd.conf:
modules {
ldap srv1-sitea {
..
set_auth_type = yes
}
ldap srv1-siteb {
..
set_auth_type = yes
}
}
sites-available/default:
authorize {
srv1-sitea
srv1-siteb
}
authenticate {
Auth-Type srv1-sitea {
srv1-sitea
}
Auth-Type srv1-siteb {
srv1-siteb
}
}
Now my goal is to make this a redundant configuration. I have
duplicated my modules config, changing "srv1" to "srv2" and changing the
IP address of the LDAP server. The rest of the configuration is what is
fuzzy for me. I assume that my authorize section would be:
authorize {
redundant {
srv1-sitea
srv2-sitea
}
redundant {
srv1-siteb
srv2-siteb
}
Now the authentication part is where is becomes complicated. I don't
even know where to begin with this. I tried this based on some old
configs I had used in the past, but this failed miserably:
authenticate {
Auth-Type ldap {
group {
srv1-sitea {
reject = 1
ok = return
}
srv2-siteb {
reject = return
ok = return
}
}
}
I read the "configurable failover" docs, but it is still not clear to me
what I would need to do in this situation.
I am sure there is probably an easy way to accomplish this so that for
each OU ("site") it uses both LDAP servers ("srv1","srv2") in a
redundant fashion, but how to do it is something I am having a heck of a
time figuring out.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can freeRadius do that?
Hi, I just want to know if freeradius server can do what I want to deploy in my environnement. I want to deploy freeradius to taking care of security and authorization for my wireless network. What I want to do is like many hotel in my country. The user open is laptop with wireless capability, is automaticly connected to the wireless network but if he want to use the internet connection, when he first run is browser, he's automaticly redirect to an authentification page that ask him a username and a password. So is it freeradius who's handle this or another software or combination of software. Like a freeradius server and a proxy or freeradius with third party software. Can someone help me with my interrogation. Thanks a lot Guillaume Chartrand Technicien informatique Cégep régional de Lanaudière Centre administratif, Repentigny (450) 470-0911 poste 7218 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Database performance (was Re: )
I usually execute VACUMM. But the time of the queries does not decrease. PostgreSQL 7.4> Date: Tue, 11 Mar 2008 10:39:47 +> From: [EMAIL PROTECTED]> To: freeradius-users@lists.freeradius.org> Subject: Re: Database performance (was Re: )> > Hi,> > > > Any suggestion for improving the throughput and accelerating the queries?> > > > Index the tables.> > > > Increasing database performance is usually documented on the database> > web site.> > depending on version of PostGreSQL you may also need to 'vacuum' the database> to clean up nodes etc - once again, check the database documentation site.> > alan> -> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Tecnología, moda, motor, viajes,…suscríbete a nuestros boletines para estar siempre a la última Guapos y guapas, clips musicales y estrenos de cine. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can freeRadius do that?
Guillaume Chartrand wrote: ... What I want to do is like > many hotel in my country. The user open is laptop with wireless > capability, is automaticly connected to the wireless network but if he > want to use the internet connection, when he first run is browser, he’s > automaticly redirect to an authentification page that ask him a username > and a password. So is it freeradius who’s handle this or another > software or combination of software. Like a freeradius server and a > proxy or freeradius with third party software. See Chillispot or CoovaChilli. What you want is a "captive portal". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help with complex redundant LDAP setup
Capelle, Mark (PCMC-GB) wrote:
> Now the authentication part is where is becomes complicated.
Nope. Just list "srv1-sitea" and "srv1-siteb" in the authenticate
section. If the server is up (and was used) for the authorize query, it
had better be up for the authentication portion.
> I am sure there is probably an easy way to accomplish this so that for
> each OU ("site") it uses both LDAP servers ("srv1","srv2") in a
> redundant fashion, but how to do it is something I am having a heck of a
> time figuring out.
You do not want to do redundancy AND redundancy. That's redundant.
Just do one level of redundancy, in the "authorize" section. The
correct module will then be picked for the "authenticate" section.
There's no need to set up another level of redundancy.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can freeRadius do that?
I'm using freeradius, with CoovaChilli, and a Squid Proxy (to reduce internet traffic). Works a charm Tim Alan DeKok wrote: Guillaume Chartrand wrote: ... What I want to do is like many hotel in my country. The user open is laptop with wireless capability, is automaticly connected to the wireless network but if he want to use the internet connection, when he first run is browser, he’s automaticly redirect to an authentification page that ask him a username and a password. So is it freeradius who’s handle this or another software or combination of software. Like a freeradius server and a proxy or freeradius with third party software. See Chillispot or CoovaChilli. What you want is a "captive portal". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Can freeRadius do that?
>>>-Message d'origine- >>>De : [EMAIL PROTECTED] [mailto:freeradius-users->>>[EMAIL PROTECTED] De la >>>part de Tim White >>>Envoyé : 11 mars 2008 15:09 >>>À : FreeRadius users mailing list >>>Objet : Re: Can freeRadius do that? >>> >>>I'm using freeradius, with CoovaChilli, and a Squid Proxy (to reduce >>>internet traffic). Wich AP do you use. Do you know if Cisco AP or D-Link AP is supported by CoovaChilli without modifying firmware APs. Guillaume Thank >>>Works a charm >>> >>>Tim Alan DeKok wrote: > Guillaume Chartrand wrote: > ... What I want to do is like > >> many hotel in my country. The user open is laptop with wireless >> capability, is automaticly connected to the wireless network but if he >> want to use the internet connection, when he first run is browser, he's >> automaticly redirect to an authentification page that ask him a username >> and a password. So is it freeradius who's handle this or another >> software or combination of software. Like a freeradius server and a >> proxy or freeradius with third party software. >> > > See Chillispot or CoovaChilli. What you want is a "captive portal". > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can freeRadius do that?
Guillaume Chartrand a écrit : Hi, I just want to know if freeradius server can do what I want to deploy in my environnement. I want to deploy freeradius to taking care of security and authorization for my wireless network. What I want to do is like many hotel in my country. The user open is laptop with wireless capability, is automaticly connected to the wireless network but if he want to use the internet connection, when he first run is browser, he's automaticly redirect to an authentification page that ask him a username and a password. So is it freeradius who's handle this or another software or combination of software. Like a freeradius server and a proxy or freeradius with third party software. Can someone help me with my interrogation. Thanks a lot For me what you describe is an open wireless network with a transparent proxy that aythenticate users on its default redirection page. This authentication could and should be made with freeradius in order to have fine grained accouting. Solution could be something like squid + radius_authenticator + freeradius. I think you can use apache-mod-proxy and PAM, so that you can avoid the use of squid but I'm not sure about it. Guillaume Chartrand Technicien informatique Cégep régional de Lanaudière Centre administratif, Repentigny (450) 470-0911 poste 7218 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Rule for don't log specific user session.
With this it wouldn't be that hard to separate the information for a
specific subscriber or group into a separate log file would it.
Assuming that the two log options are appropriately configured:
Fr 2.x
if( User-Name != "test-user" {
# will (Group-Name != 'test-group" ) { work?
User_log
}
else {
Test_log
}
Or FR 1.x
preacct {
files
}
accounting {
Acct-Type SQL-LOG {
User_log
}
Acct-Type TEST-LOG {
Test_log
}
}
...then in "acct_users":
Test-user Acct-Type := TEST-LOG
Fall-Through = No
DEFAULT Acct-Type := SQL-LOG
Is there an equivalent way to do this using sql? Ie radreply/radgroupreply?
Also, will this take care of both accounting log info and authentication log
info?
Ben Wiechman
Network Admin
Wisper High Speed Internet
[EMAIL PROTECTED]
> -Original Message-
> From: freeradius-users-bounces+ben=wisper-
> [EMAIL PROTECTED] [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Phil
> Mayers
> Sent: Tuesday, March 11, 2008 6:13 AM
> To: FreeRadius users mailing list
> Subject: Re: Rule for don't log specific user session.
>
> Vincent Magnin wrote:
> > Hello Rafael,
> >
> > It should be possible in Freeradius 2 and using unlang language:
> >
> >
> > if (User-Name != "test-user") {
> >sql_log
> > }
>
> In previous versions, you can use Acct-Type:
>
> preacct {
>files
> }
> accounting {
>Acct-Type SQL-LOG {
> sqllog
>}
> }
>
> ...then in "acct_users":
>
> nagios
> Fall-Through = Np
>
> DEFAULT Acct-Type := SQL-LOG
>
> >
> > Regards,
> >
> > Vincent M.
> >
> > Rafael Medici <[EMAIL PROTECTED]> a écrit :
> >
> >> Hello,
> >>
> >> Is there a way to don't log nothing for a specific user, creating a
> >> rule in sql_log?
> >>
> >> You will probably ask me why!
> >>
> >> Because i have a plugin running on nagios, that checks for
> >> authentication with a specific user ex: "testuser" every 5 minutes,
> >> and at the end of the day my database grows with useless information.
> >> We are a global hotspot provider, so this check running on nagios is
> >> performed in 10.000 hotspots, to test for authentication, so you could
> >> imagine that this "testuser" generates infinite registers.
> >>
> >>
> >> I think put some kind of trigger to do that, will probably slow down
> >> my server performance, because we have a huge users database.
> >>
> >> I'm running freeradius(1.1.7) + postgre.
> >>
> >>
> >> Regards,
> >>
> >> Rafael Medici
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius2.0.2+ mysql +dailupadmin help!
hi I have successful compiled and can run radiusd -X but the problem is
I want to use dailup_admin to configure freeradius.
I have mysql install and running the database is running, dialupadmin is
working but I don't think radiusd is reading the database and i am not
seeing it load the mysql drivers how do I know that its loading the
drivers or if it detected mysql when I compiled it?
thank you for your support
radius:/etc/raddb# radiusd -X > /root/radius
radius:/etc/raddb# cat /root/radius
FreeRADIUS Version 2.0.2, for host i686-pc-linux-gnu, built on Mar 7
2008 at 20:59:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: Loading Realms and Home Servers
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Instantiating modules
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: Loading Virtual Servers
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring
Re: FreeRadius2.0.2+ mysql +dailupadmin help!
Did you configure sql.conf? Did you uncomment sql entries in
radiusd.conf? Did you read:
http://wiki.freeradius.org/SQL_HOWTO
Ivan Kalik
Kalik Informatika ISP
Dana 11/3/2008, "Lance Buttars" <[EMAIL PROTECTED]> piše:
>hi I have successful compiled and can run radiusd -X but the problem is
>I want to use dailup_admin to configure freeradius.
>
>I have mysql install and running the database is running, dialupadmin is
>working but I don't think radiusd is reading the database and i am not
>seeing it load the mysql drivers how do I know that its loading the
>drivers or if it detected mysql when I compiled it?
>
>thank you for your support
>
>
>radius:/etc/raddb# radiusd -X > /root/radius
>
>radius:/etc/raddb# cat /root/radius
>FreeRADIUS Version 2.0.2, for host i686-pc-linux-gnu, built on Mar 7
>2008 at 20:59:43
>Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE.
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License.
>Starting - reading configuration files ...
>including configuration file /usr/local/etc/raddb/radiusd.conf
>including configuration file /usr/local/etc/raddb/proxy.conf
>including configuration file /usr/local/etc/raddb/clients.conf
>including configuration file /usr/local/etc/raddb/snmp.conf
>including configuration file /usr/local/etc/raddb/eap.conf
>including configuration file /usr/local/etc/raddb/sql.conf
>including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
>including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
>including configuration file /usr/local/etc/raddb/policy.conf
>including files in directory /usr/local/etc/raddb/sites-enabled/
>including configuration file /usr/local/etc/raddb/sites-enabled/default
>including dictionary file /usr/local/etc/raddb/dictionary
>main {
> prefix = "/usr/local"
> localstatedir = "/usr/local/var"
> logdir = "/usr/local/var/log/radius"
> libdir = "/usr/local/lib"
> radacctdir = "/usr/local/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> allow_core_dumps = no
> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/local/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
>security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
>}
>}
>client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = "testing123"
> nastype = "other"
>}
>radiusd: Loading Realms and Home Servers
>proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
>}
>home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = "testing123"
> response_window = 20
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_check = "none"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> num_pings_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
>}
>home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
>}
>realm example.com {
> auth_pool = my_auth_failover
>}
>realm LOCAL {
>}
>radiusd: Instantiating modules
>instantiate {
>Module: Linked to module rlm_exec
>Module: Instantiating exec
> exec {
> wait = yes
> input_pairs = "request"
> shell_escape = yes
> }
>Module: Linked to module rlm_expr
>Module: Instantiating expr
>Module: Linked to module rlm_expiration
>Module: Instantiating expiration
> expiration {
> reply-message = "Password Has Expired "
> }
>Module: Linked to module rlm_logintime
>Module: Instantiating logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
>}
>radiusd: Loading Virtual Servers
>server {
>modules {
>Module: Checking authenticate {...} for more modules to load
>Module: Linked to module rlm_pap
>Module: Instantiating pap
> pap {
> encryption_scheme = "auto"
> auto_header = no
> }
>Module: Linked to module rlm_chap
>Module: Instantiating chap
>Module: Linked to module rlm_mschap
>Module: Instantiating mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = no
> }
>Module: Linked to module rlm_unix
>Module: Instantiating unix
> unix {
> radwtmp = "/usr/local/var/log/radius/radwtmp"
> }
>Module: Linked to module rlm_eap
>Module: Instantiating eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> }
>
RE: I will be giving a talk at Networkshop36 in April
Alan, Hi! Maybe im not in ur area to attend..and maybe Im far away from you by days... But at the end..I want to thank you from deep of deepest of my heart for your efforts and everyone efforts in FreeRadius. Its making administrators life easier. You deserve the best. Im on FreeRadius since 1 year and 7 months...Its great...and feeding my family :) Thank you and thanks for all the poeple who support it. Sultan.> Date: Tue, 11 Mar 2008 11:31:25 +0100> From: [EMAIL PROTECTED]> To: freeradius-users@lists.freeradius.org> Subject: I will be giving a talk at Networkshop36 in April> > I will be giving a talk in Glasgow in April.> > http://www.ja.net/services/events/2008/networkshop-36.html> > On Wednesday:> > 15.00 The evolution of Free RADIUS and future developments> Alan DeKok, FreeRADIUS> > If anyone on this list is planning on attending, look for me, or send> me email. I'll also be showing up early (likely Monday), so I may have> some time in advance to meet people.> > Alan DeKok.> - _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
virtual server configuration
Pardon the non-threaded replies. I'll have to find a client that works
with the list.
>> I'm still having trouble with the eap_gtc section, because when I remove
>> TLS or empty it or try to return reject, the server won't start. Is
>> removing the section the right way to not support an eap type on one
>> virtual server?
>
> Yes. Could you post the error?
I should have done that.
When TLS is empty (i.e. TLS {}):
rlm_eap: SSL error error:0200100E:system library:fopen:Bad address
rlm_eap_tls: Error reading certificate file (null)
rlm_eap: Failed to initialize type tls
When TLS is removed:
rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required
first.
Or, if TTLS is also removed:
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required
first.
This makes sense, as I'll need my server cert for PEAP. If those certs
have to be defined in the TLS block, what is the right way to disable
TLS in this case, but still have PEAP working? I tried deleting the
CA_file, so I wouldn't be able to verify user certs, but it's required.
Anyway, I don't want to offer TLS and fail it, I want to NAK it on
server2.
--
[EMAIL PROTECTED]
--
http://www.fastmail.fm - Does exactly what it says on the tin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server configuration
[EMAIL PROTECTED] wrote:
> When TLS is empty (i.e. TLS {}):
Huh? Why would you leave it empty?
If you're not going to use TLS, delete the whole section. It's just
like any other module.
> When TLS is removed:
>
> rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required
> first.
If you're not going to use TTLS, delete that section, too.
> Or, if TTLS is also removed:
>
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required
> first.
>
> This makes sense, as I'll need my server cert for PEAP. If those certs
> have to be defined in the TLS block, what is the right way to disable
> TLS in this case, but still have PEAP working?
Don't issue client certificates. EAP-TLS won't work.
> I tried deleting the
> CA_file, so I wouldn't be able to verify user certs, but it's required.
> Anyway, I don't want to offer TLS and fail it, I want to NAK it on
> server2.
This is explained in the comments in eap.conf, above the "ttls" and
"peap" sections.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
