Re: yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

2008-03-28 Thread Sylvain Robitaille


On Fri, 28 Mar 2008, Ivan Kalik wrote:


> You have obviously ignored the warnings about storing User-Password
> attribute:


No, I don't believe that I can be said to have ignored it at all.
In fact, I'm under the impression that I made very clear in my earlier
message that I'm not ignoring this warning.  I may not be doing the right
thing to deal correctly with what causes it, but that's another matter
entirely, and why I am putting myself at the mercy of experts for help.

I wrote:


The text "User-Password" appears in exactly the following places in my
raddb directory (not counting comment lines):

./attrs.pre-proxy:  User-Password =* ANY,
./sql/mysql/dialup.conf:  '%{%{User-Password}:-%{Chap-Password}}', \
./sql/postgresql/dialup.conf:  VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

These files are as shipped with FreeRADIUS-2.0.3.  I'm trying to get
this done with minimal change to the default configuration, since it
appears that's what is expected.  Which of the above needs to change?
(attrs.pre-proxy?)



> ... So server translates User-Password to Cleartext-Password and the
> check fails since the password is encrypted.


Understood, yes.


> Configure ldap section to use SSHA-Password as password attribute instead.


That's what I believed I HAD done with the following, from the diff of
my radiusd.conf file against the default radiusd.conf that ships with
2.0.3, originally included after the signature in my first message:


@@ -820,7 +825,8 @@
#  Novell may require TLS encrypted sessions before returning
#  the user's password.
#
-   # password_attribute = userPassword
+   password_attribute = userPassword
+password_radius_attribute = "SSHA-Password"
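
Review bot: the added `password_radius_attribute = "SSHA-Password"` line does not appear to change what rlm_ldap inserts. The radiusd debug output in this same message still shows `rlm_ldap: Added User-Password = {SSHA}...` in check items, which is the attribute the Cleartext-Password warning complains about. Confirm that this directive is one the 2.0.3 ldap module actually reads and that the edited block is the ldap instance in use. The new line is also flush-left while `password_attribute` above it is indented, so align it with the rest of the block.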


If the above is not the correct way to accomplish what I am trying to
do, I would be very grateful if someone would point me in the right
direction to find what is the correct way.

The radtest test against a user in the LDAP data succeeds.  How do I get
from here to having successful authentication through TTLS against the
same LDAP data, without the above warning?


   radtest j_doe '*SANITIZED*' localhost:1814 1 testing123
   User-Name = "j_doe"
   User-Password = "*SANITIZED*"
   NAS-IP-Address = 192.168.7.47
   NAS-Port = 1

Older versions of radtest would report receiving "Access-Accept", while
this one silently exits.  However, radiusd in this case says:

Ready to process requests.
User-Name = "j_doe"
User-Password = "*SANITIZED*"
NAS-IP-Address = 192.168.7.47
NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "j_doe", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for j_doe
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> j_doe
expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(search filter
trimmed for brevity)) -> (&(cn=j_doe)(search filter trimmed for brevity))
expand: ou=people,dc=concordia,dc=ca -> ou=people,dc=concordia,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost boris:389, authentication 0
rlm_ldap: bind as cn=iits_neg,ou=AdminRoles,dc=concordia,dc=ca/*SANITIZED* to
localhost boris:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=concordia,dc=ca, with filter
(&(cn=j_doe)(search filter trimmed for brevity))
rlm_ldap: Added User-Password = {SSHA}*SANITIZED*QDmffXBQkU42Wt9x*SANITIZED*==
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user j_doe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "*SANITIZED*"
rlm_pap: Using SSHA encryption.
rlm_pap: Normalizing SSHA1-Password from base64 encoding
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [j_doe/*SANITIZED*] (from client localhost port 1)
Finished request 0.
Going to the next request


Thanks for following up, and for any additional help ...

--
Sylvain Robitaille  [EMAIL PROTECTED]

Systems and Network analyst               Concordia University
Instructional & Information Technology    Montreal, Quebec, Canada

Re: Freeradius and poprelayd - any ideas please (fwd)

2008-03-28 Thread Bill Brunton





That worked perfectly...


I have added both the setting of the address when someone logs in, and 
again removing the address when someone logs out.




--
Bill
[EMAIL PROTECTED]
http://www.brunton.net
http://www.video-records.com
http://www.icu.net
KA0SEP NNN0HQA/OK
ATP CFII BE200 BE300 BE300F BE1900 BE2000 BE2000S CE500 SIC CE525 HS125 LR45 
LRJET

The Internet... The place to be!


-- Forwarded message --
Date: Fri, 28 Mar 2008 10:40:46 -0500 (CDT)
From: Bill Brunton <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list 
To: FreeRadius users mailing list 
Subject: Re: Freeradius and poprelayd - any ideas please





Thank you... I will look into that.





On Fri, 28 Mar 2008, Richard Siddall wrote:


 Date: Fri, 28 Mar 2008 08:33:36 -0400
 From: Richard Siddall <[EMAIL PROTECTED]>
 Reply-To: FreeRadius users mailing list
 
 To: FreeRadius users mailing list 
 Subject: Re: Freeradius and poprelayd - any ideas please

 Bill Brunton wrote:
>   So - if I could have freeradius add the IP to the popip database when
>   they log in, it would make everyone much happier, especially me.
> 
>   I think it should be an easy thing to do...
> 


 I think we did something like that in the lab about 6 years ago and never
 deployed it.  IIRC, we ran a command line script out of acct_users (see
 /etc/raddb/acct_users; look for Exec-Program).  I believe the
 pop-before-relay server we were using had a command line interface to let us
 update the database, and I think we set the expiration time to about 15
 minutes.

 Regards,

Richard Siddall
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html





RE: Prepaid Cards Setup

2008-03-28 Thread Alex M
Ok thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Friday, March 28, 2008 5:50 PM
To: FreeRadius users mailing list
Subject: Re: Prepaid Cards Setup

expiration date - Expiration attribute

time limiting - counter or sqlcounter; examples in radiusd.conf and Wiki

Ivan Kalik
Kalik Informatika ISP


On 28/3/2008, "Alex M" <[EMAIL PROTECTED]> wrote:

>Hey all, I think it was asked once but I can't find anything in archives.
>
>How can I set up a prepaid cards scenario? Basically I want to allow my users
>to get access, let's say for 30 min in total, and then I also want to have an
>expiration date on the account. Can someone help me with setting this thing up?
>Is there any module that I have to install? Tnx for help!
>
>
>



1.1.x branch versus the 2.x branch

2008-03-28 Thread Info
Greetings, just a simple question for the developers: Why is the  
1.1.x version still around? I ask because I'm working on porting  
submissions for MacPorts and the maintainers are asking--


1) why the change in name to freeradius-server and,
2) should the 2.x replace the 1.1.x version altogether, or is there
reason to keep a port of 1.1.x around?


Thanks for your insights!


___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com


Re: Prepaid Cards Setup

2008-03-28 Thread Ivan Kalik
expiration date - Expiration attribute

time limiting - counter or sqlcounter; examples in radiusd.conf and Wiki

Ivan Kalik
Kalik Informatika ISP


On 28/3/2008, "Alex M" <[EMAIL PROTECTED]> wrote:

>Hey all, I think it was asked once but I can't find anything in archives.
>
>How can I set up a prepaid cards scenario? Basically I want to allow my users
>to get access, let's say for 30 min in total, and then I also want to have an
>expiration date on the account. Can someone help me with setting this thing up?
>Is there any module that I have to install? Tnx for help!
>
>
>



Re: yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

2008-03-28 Thread Ivan Kalik
>rlm_ldap: Added User-Password = {SSHA}*SANITIZED*e2E52K+sO/SC+wvE*SANITIZED*== 
>in check items

You have obviously ignored the warnings about storing User-Password
attribute:

!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!

Should they be more obvious? So server translates User-Password to
Cleartext-Password and the check fails since the password is encrypted.

Configure ldap section to use SSHA-Password as password attribute instead.

Ivan Kalik
Kalik Informatika ISP
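
The failure described in this message, as an added example that is not part of the original post and is not FreeRADIUS code: an {SSHA} value is base64(SHA-1(password + salt) + salt), so comparing it as if it were the clear text password can never match, while a salted-hash check on the same value succeeds. The `authenticate` dispatcher, its attribute handling and the sample password are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is the salt


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (constructed sample data)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, supplied: bytes) -> bool:
    """Verify a supplied password against an {SSHA} value."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        return False
    try:
        raw = base64.b64decode(stored[len(prefix):], validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed base64: reject rather than guess
    if len(raw) <= SHA1_LEN:
        return False  # no salt after the digest, so not a valid SSHA value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(supplied + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_cleartext(stored: str, supplied: bytes) -> bool:
    """Byte-for-byte comparison, which is only right for a real clear text value."""
    return hmac.compare_digest(stored.encode("utf-8"), supplied)


def authenticate(check_items: Dict[str, str], supplied: bytes) -> bool:
    """Hypothetical, simplified model: the attribute name selects the comparison."""
    if "SSHA-Password" in check_items:
        return check_ssha(check_items["SSHA-Password"], supplied)
    # A value filed under User-Password is treated as the "known good" clear text,
    # mirroring the User-Password -> Cleartext-Password replacement in the warning.
    stored = check_items.get("Cleartext-Password") or check_items.get("User-Password")
    if stored is None:
        return False
    return check_cleartext(stored, supplied)


if __name__ == "__main__":
    password = b"constructed-secret"          # constructed sample, not from the thread
    stored = make_ssha(password, b"\x01\x02\x03\x04")
    # Hash filed as User-Password: compared as clear text, so the login is rejected.
    print("as User-Password:", authenticate({"User-Password": stored}, password))
    # Same value filed as SSHA-Password: salted-hash check, so the login is accepted.
    print("as SSHA-Password:", authenticate({"SSHA-Password": stored}, password))
```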



Prepaid Cards Setup

2008-03-28 Thread Alex M
Hey all, I think it was asked once but I can't find anything in archives. 

How can I set up a prepaid cards scenario? Basically I want to allow my users
to get access, let's say for 30 min in total, and then I also want to have an
expiration date on the account. Can someone help me with setting this thing up?
Is there any module that I have to install? Tnx for help!


compile error

2008-03-28 Thread Kevin Zhang
I tried to compile freeradius-1.1.7 and freeradius-server-2.0.3,
but encountered the following error. Could someone help?

Kevin SZ


[EMAIL PROTECTED] ~]$ more /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
[EMAIL PROTECTED] ~]$

ient.lo libeap/libeap.la -lnsl -lresolv  -lpthread  -lcrypto -lssl
-lcrypto
gcc -o .libs/radeapclient .libs/radeapclient.o  libeap/.libs/libeap.so
/home/szhang/freeradius-1.1.7/src/lib/.libs/libradius.so -lcrypt -lnsl
-lresolv -lpthread -lssl -lcrypto
libeap/.libs/libeap.so: undefined reference to `EVP_MD_size'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory
`/home/szhang/freeradius-1.1.7/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/home/szhang/freeradius-1.1.7/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/szhang/freeradius-1.1.7/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/szhang/freeradius-1.1.7/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/szhang/freeradius-1.1.7/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/szhang/freeradius-1.1.7'
make: *** [all] Error 2



yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

2008-03-28 Thread Sylvain Robitaille


I've been working on this for a while, and have yet to find a way to
configure this correctly, despite lots of reading through the mailing
list archives, documentation included with FreeRADIUS, and third-party
documentation.  In fact, I've been trying to get this working for
years with older versions of FreeRADIUS, and have succeeded only with
FreeRADIUS<=1.1.6, using configurations that readers of this list are
repeatedly told not to use (such as setting Auth-Type in the users file).

[ASIDE]
   With the older versions of FreeRADIUS we're having performance problems
   with the authentication.  Research on this list has uncovered no end
   of responses that such problems are normally caused by the back-end,
   not radiusd, but our backend (OpenLDAP) responds to an identical query
   as that sent by radius in approximately 6ms (7ms when it's slow), yet
   radiusd is still not responding after 30 seconds.  We have thousands
   of users trying to use our service simultaneously, through hundreds
   of wireless access points.

   I would be willing to accept that the configuration I'm using (setting
   Auth-Type in users) causes radiusd to perform poorly, but that this
   isn't radiusd's "fault", since it's an un-advised configuration,
   but I just don't see that the problem we're seeing there is because
   the backend is slow to respond.

   Regardless of the cause here, I decided to upgrade to FreeRADIUS-2.0.3,
   hoping that a) I could get that configured according in a recommended
   way to accomplish what I want, and b) that this would result in better
   performance than we're seeing now.  Getting TTLS/PAP/OpenLDAP working
   correctly with FreeRADIUS-2.0.3 is the problem I'd like to solve from
   this message.
[/ASIDE]

Converting from a working, though technically incorrect configuration to a
"correct" configuration hasn't been particularly easy, but I believe I've
accomplished that, with very little change to the default configurations
(unified context diffs of my configurations against the defaults are
appended below my signature for completeness).

What I have seems to pass tests that have been recommended as "get these
working before moving on", but I can't seem to figure out how to get
from here to being able to unleash my access points on this and have
successful authentications.  I see (from -X output) that the TTLS tunnel
is successfully built (that seems to be several steps), a query against
LDAP for authorization (and to retrieve the user's encrypted password)
succeeds, but when the request finally gets to the authentication,
radiusd reports:

...
rlm_ldap: performing user authorization for j_doe
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> j_doe
expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(search filter trimmed 
for brevity)) -> (&(cn=j_doe)(search filter trimmed for brevity))
expand: ou=people,dc=concordia,dc=ca -> ou=people,dc=concordia,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: performing search in ou=people,dc=concordia,dc=ca, with filter 
(&(cn=j_doe)(search filter trimmed for brevity))
rlm_ldap: Added User-Password = {SSHA}*SANITIZED*e2E52K+sO/SC+wvE*SANITIZED*== 
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user j_doe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!  Cancelling 
invalid proxy request.
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [j_doe/*SANITIZED*] (from client wireless-mcconnell port 0)
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: RT Modif EAP-Type = 0 EAP-LENGTH = 0
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [j_doe/] (from client wireless-mcconnell 
port 5800234 cli 0019.d290.6e22)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> j_doe
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
...

Now, of the above, beside the fact that the authentication failed when
I b

Re: Freeradius and poprelayd - any ideas please

2008-03-28 Thread Bill Brunton





Thank you... I will look into that.





On Fri, 28 Mar 2008, Richard Siddall wrote:


Date: Fri, 28 Mar 2008 08:33:36 -0400
From: Richard Siddall <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list

To: FreeRadius users mailing list 
Subject: Re: Freeradius and poprelayd - any ideas please

Bill Brunton wrote:

 So - if I could have freeradius add the IP to the popip database when they
 log in, it would make everyone much happier, especially me.

 I think it should be an easy thing to do...



I think we did something like that in the lab about 6 years ago and never 
deployed it.  IIRC, we ran a command line script out of acct_users (see 
/etc/raddb/acct_users; look for Exec-Program).  I believe the 
pop-before-relay server we were using had a command line interface to let us 
update the database, and I think we set the expiration time to about 15 
minutes.


Regards,

Richard Siddall


Re: Freeradius and poprelayd - any ideas please

2008-03-28 Thread Bill Brunton



Yes - I am already using poprelayd and I can set the IP timeout to any 
value I want.



Thank you for telling me that it is not the best way, but that does not
answer my question. How can I do it?





On Fri, 28 Mar 2008, Ivan Kalik wrote:


Date: Fri, 28 Mar 2008 10:44:14 +0100
From: Ivan Kalik <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list

To: FreeRadius users mailing list 
Subject: Re: Freeradius and poprelayd - any ideas please

pop-before-smtp is a module that you install on your mail server so it
*always* connects to pop server before connecting to the smtp server.
Put it in Google and have a look.

AFAIK logged IPs have a timeout of a few minutes. Putting IPs in the
database when users connect is not the best solution. If they go surfing
before checking e-mail, IP entry will expire - and you are back where
you started from.

Ivan Kalik
Kalik Informatika ISP


On 28/3/2008, "Bill Brunton" <[EMAIL PROTECTED]> wrote:






Well - it seems that many customers have trouble with Outlook and Outlook
Express.. If they have an email in the outbox, say they compose offline
and connect to send it, it tries to send it before checking email... In
other words no POP before SMTP. If Outlook does not send successfully -
then it does not check for new email either. So I get a lot of "I can't
send or receive email" complaints.

I have SMTP AUTH set up too but you know how users are - when it does not
work they go in and try to fix it before asking for help and SMTP AUTH is
found to be disabled or has the wrong info set up.

So - if I could have freeradius add the IP to the popip database when they
log in, it would make everyone much happier, especially me.

I think it should be an easy thing to do...


On Fri, 28 Mar 2008, Ivan Kalik wrote:


Date: Fri, 28 Mar 2008 01:08:12 +0100
From: Ivan Kalik <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list

To: FreeRadius users mailing list 
Subject: Re: Freeradius and poprelayd - any ideas please

Do you need freeradius at all? This is normally done with pop before
smtp. You contact the pop server, it logs the IP and then you can send.

Ivan Kalik
Kalik Informatika ISP


On 27/3/2008, "Bill Brunton" <[EMAIL PROTECTED]> wrote:




I am using Freeradius 1.1.3 on Centos 5.

I have been trying to figure out how to add the IP address of each
authenticated user to the popip database maintained by poprelayd. It is
easy to add an ip address to the popip database with the command:

/usr/sbin/poprelayd -a 

How do I incorporate that as post processing step, module etc in
freeradius?

Any ideas or suggestions?

Thank you



Re: how-to freeradius + aes

2008-03-28 Thread Arran Cudbard-Bell

[EMAIL PROTECTED] wrote:

> Hi,
>
>> I'm trying to configure a freeradius with wpa2, and I would like to make all
>> the client configuration in the AP, without making configuration in the
>> machine.
>> What configuration do I have to use?
>
> FreeRADIUS doesn't care or know about WPA vs WPA2  - this is a client
> to access point issue. the only way to get WPA2 instead of WPA is
> to configure the client to use that method of talking across the
> wifi medium.  certainly this WILL involve installing a KB patch or
> 2 if this is WinXP client

Yep you'll need KB917021

That's the WPA2 patch with the security fixes... The original one had
parking issues.

> alan
  



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: how-to freeradius + aes

2008-03-28 Thread A . L . M . Buxey
Hi,
> I'm trying to configure a freeradius with wpa2, and I would like to make all
> the client configuration in the AP, without making configuration in the
> machine.
> What configuration do I have to use?

FreeRADIUS doesn't care or know about WPA vs WPA2  - this is a client
to access point issue. the only way to get WPA2 instead of WPA is
to configure the client to use that method of talking across the
wifi medium.  certainly this WILL involve installing a KB patch or
2 if this is WinXP client

alan


Re: how-to freeradius + aes

2008-03-28 Thread Mateus Luvison
I'm trying to configure a freeradius with wpa2, and I would like to make all
the client configuration in the AP, without making configuration in the
machine.
What configuration do I have to use?

thanks for the patience.

mateus




Alan DeKok wrote:
> Mateus Lpi wrote:
>> I'm looking for a how-to to configure a freeradius+aes
>
>   What is that?
>
>> under linux (debian).
>> At moment I just found a ttls guide, that's not my
>> intention.
>
>   TTLS is an EAP authentication protocol.  AES is a cryptographic stream
> cipher.  They are two very different things.
>
>   Perhaps you could explain what you mean.
>
>   Alan DeKok.

Re: how-to freeradius + aes

2008-03-28 Thread Alan DeKok
Mateus Lpi wrote:
> I'm looking for a how-to to configure a freeradius+aes

  What is that?

> under linux (debian).
> At moment I just found a ttls guide, that's not my
> intention.

  TTLS is an EAP authentication protocol.  AES is a cryptographic stream
cipher.  They are two very different things.

  Perhaps you could explain what you mean.

  Alan DeKok.


Re: Freeradius and poprelayd - any ideas please

2008-03-28 Thread Richard Siddall

Bill Brunton wrote:
> So - if I could have freeradius add the IP to the popip database when
> they log in, it would make everyone much happier, especially me.
>
> I think it should be an easy thing to do...



I think we did something like that in the lab about 6 years ago and 
never deployed it.  IIRC, we ran a command line script out of acct_users 
(see /etc/raddb/acct_users; look for Exec-Program).  I believe the 
pop-before-relay server we were using had a command line interface to 
let us update the database, and I think we set the expiration time to 
about 15 minutes.


Regards,

Richard Siddall
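
One way to write the command line script mentioned above, as an added example that is not code from the thread. It assumes the acct_users Exec-Program entry passes Acct-Status-Type and Framed-IP-Address as the two arguments and that `poprelayd -a` takes the address as its argument; the function names are hypothetical.

```python
import ipaddress
import subprocess
import sys
from typing import List, Optional

POPRELAYD = "/usr/sbin/poprelayd"  # path as given in the thread


def relay_argv(status: str, framed_ip: str) -> Optional[List[str]]:
    """Return the argv for adding a relay entry, or None if nothing should run.

    Values expanded from a RADIUS packet are untrusted input, so the address is
    parsed strictly and only the canonical form is handed to the command.
    """
    if status != "Start":
        return None  # only add the address when a session begins
    try:
        addr = ipaddress.IPv4Address(framed_ip)
    except ValueError:
        return None  # not a bare dotted-quad: refuse, never pass it on
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_reserved:
        return None  # addresses that should never be allowed to relay
    return [POPRELAYD, "-a", str(addr)]


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        return 2  # wrong number of arguments from the caller
    cmd = relay_argv(argv[1], argv[2])
    if cmd is None:
        return 0  # nothing to do; do not fail the accounting request
    # An argument list (no shell) means the address cannot be reinterpreted
    # as shell syntax even if validation were ever loosened.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```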


how-to freeradius + aes

2008-03-28 Thread Mateus Lpi
hi,
I'm looking for a how-to to configure a freeradius+aes
under linux (debian).
At moment I just found a ttls guide, that's not my
intention.

thanks.

Mateus




Re: 2.0.2 Radius stop work with Error...

2008-03-28 Thread Alan DeKok
banga wrote:
> Looks that this setting is better for server, but server again fails after 5
> hour of work with the same error :
> “Error: ]event.c:1946] Failed to insert event” 

  Try 2.0.3.  It looks like the timer on your system doesn't have
adequate resolution.  (i.e. it's returning the same time for multiple
calls).  I've committed a fix in 2.0.3 that will avoid this issue.

> 2) I use –X like solution, it’s work just fine. 
> Then I start radius without –X I see only one process. Is it ok?

  Yes.

> How I
> understand it should be at least 30 process because of “start_servers = 30”.

  The "-X" means "don't start multiple servers".  So... it doesn't start
multiple servers.

> 3)  
> What do you mean then you write “OR the time on your system stays the
> same...”
> How the time can stays the same ?

  Because of the way the OS implements the "get current time" function.

> 4) What is incorrect ??
> root@:/etc/raddb# check-radiusd-config 

  Don't run that program.  It has been replaced with the "-C"
command-line option.  See "man radiusd".

  Alan DeKok.

Re: safe_characters in freeradius 2.0.3

2008-03-28 Thread Alan DeKok
Dmitry A. Sysoev wrote:
> Please, help. In what file it is necessary to make
> changes that variable Event-Timestamp was transferred
> without double quote - "? While the unique reason on which
> I do not pass it to version 2.0.3

  It looks like an issue in src/lib/print.c.  I've committed a fix to
CVS head.  You can grab that, and the problem should be fixed.

  Alan DeKok.


Re: 2.0.2 Radius stop work with Error...

2008-03-28 Thread banga


Alan DeKok-4 wrote:
> 
>> Wed Mar 12 18:08:34 2008 : Error: ]event.c:1946] Failed to insert event 
> 
>   That message should only come if the server runs out of memory, OR the 
> time on your system stays the same... 
> 
> 
>> Did anybody now how I can fix that? 
>> 
>> The only one way to make radius working is start radius with -X (???). 
> 
>   Hmm... I don't see why that would help. 
> 
> 
>> I use next settings:
> ...
>> Wed Mar 12 05:45:14 2008 : Debug:   max_requests_per_server = 8192
> 
>   Set this to zero.
> 
> 
Hello.
1)
max_requests_per_server = 0 
Looks that this setting is better for server, but server again fails after 5
hour of work with the same error :
“Error: ]event.c:1946] Failed to insert event” 

]event.c:1946] means [event.c:1946] ? :) .

Server has 2 Gb RAM and I’m sure that it’s not “out of memory”. 
May be there some sysctl setting can help server allocate memory a bit
better, but 2 Gb looks quite enough.
2) I use –X like solution, it’s work just fine. 
Then I start radius without –X I see only one process. Is it ok? How I
understand it should be at least 30 process because of “start_servers = 30”.
Am I wrong?
3)  
What do you mean then you write “OR the time on your system stays the
same...”
How the time can stays the same ?
4) What is incorrect ??
root@:/etc/raddb# check-radiusd-config 
radiusd: The options -i and -p cannot be used individually.
root@:/etc/raddb#
#
listen {
ipaddr = *
port = 1813
type = acct
}
Looks like this should be ok for radius (I use it only for accounting).

With Regards, 
Banga


RE: safe_characters in freeradius 2.0.3

2008-03-28 Thread Ivan Kalik
Have you tried using %S instead of Event-Timestamp? That's used in mysql
schema.

Ivan Kalik
Kalik Informatika ISP


On 28/3/2008, "Dmitry A. Sysoev" <[EMAIL PROTECTED]> wrote:

>Please, help. In what file it is necessary to make
>changes that variable Event-Timestamp was transferred
>without double quote - "? While the unique reason on which
>I do not pass it to version 2.0.3
>
>-Original Message-
>From: Dmitry A. Sysoev [mailto:[EMAIL PROTECTED]
>Sent: Friday, March 28, 2008 8:10 AM
>To: 'FreeRadius users mailing list'
>Subject: RE: safe_characters in freeradius 2.0.3
>
>As I should act, that all worked for me, as well as in 1.1.7?
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On
>Behalf Of Ivan Kalik
>Sent: Thursday, March 27, 2008 11:52 PM
>To: FreeRadius users mailing list
>Subject: Re: safe_characters in freeradius 2.0.3
>
>>And what is the =22??
>
>ASCII for double quote - ".
>
>Ivan Kalik
>Kalik Informatika ISP


Re: Freeradius and poprelayd - any ideas please

2008-03-28 Thread Ivan Kalik
pop-before-smtp is a module that you install on your mail server so it
*always* connects to pop server before connecting to the smtp server.
Put it in Google and have a look.

AFAIK logged IPs have a timeout of a few minutes. Putting IPs in the
database when users connect is not the best solution. If they go surfing
before checking e-mail, IP entry will expire - and you are back where
you started from.

Ivan Kalik
Kalik Informatika ISP


On 28/3/2008, "Bill Brunton" <[EMAIL PROTECTED]> wrote:

>
>
>
>
>Well - it seems that many customers have trouble with Outlook and Outlook
>Express.. If they have an email in the outbox, say they compose offline
>and connect to send it, it tries to send it before checking email... In
>other words no POP before SMTP. If Outlook does not send successfully -
>then it does not check for new email either. So I get a lot of "I can't
>send or receive email" complaints.
>
>I have SMTP AUTH set up too but you know how users are - when it does not
>work they go in and try to fix it before asking for help and SMTP AUTH is
>found to be disabled or has the wrong info set up.
>
>So - if I could have freeradius add the IP to the popip database when they
>log in, it would make everyone much happier, especially me.
>
>I think it should be an easy thing to do...
>
>
>On Fri, 28 Mar 2008, Ivan Kalik wrote:
>
>> Date: Fri, 28 Mar 2008 01:08:12 +0100
>> From: Ivan Kalik <[EMAIL PROTECTED]>
>> Reply-To: FreeRadius users mailing list
>> 
>> To: FreeRadius users mailing list 
>> Subject: Re: Freeradius and poprelayd - any ideas please
>>
>> Do you need freeradius at all? This is normally done with pop before
>> smtp. You contact the pop server, it logs the IP and then you can send.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 27/3/2008, "Bill Brunton" <[EMAIL PROTECTED]> wrote:
>>
>>>
>>>
>>> I am using Freeradius 1.1.3 on Centos 5.
>>>
>>> I have been trying to figure out how to add the IP address of each
>>> authenticated user to the popip database maintained by poprelayd. It is
>>> easy to add an ip address to the popip database with the command:
>>>
>>> /usr/sbin/poprelayd -a 
>>>
>>> How do I incorporate that as post processing step, module etc in
>>> freeradius?
>>>
>>> Any ideas or suggestions?
>>>
>>> Thank you


RE: safe_characters in freeradius 2.0.3

2008-03-28 Thread Dmitry A. Sysoev
Please, help. In what file it is necessary to make
changes that variable Event-Timestamp was transferred
without double quote - "? While the unique reason on which
I do not pass it to version 2.0.3

-Original Message-
From: Dmitry A. Sysoev [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 28, 2008 8:10 AM
To: 'FreeRadius users mailing list'
Subject: RE: safe_characters in freeradius 2.0.3

As I should act, that all worked for me, as well as in 1.1.7?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Thursday, March 27, 2008 11:52 PM
To: FreeRadius users mailing list
Subject: Re: safe_characters in freeradius 2.0.3

>And what is the =22?? 

ASCII for double quote - ".

Ivan Kalik
Kalik Informatika ISP
