Re: NAS with dynamic IP

2008-04-20 Thread Jack Murgia
Alex,

Is there a command I can run periodically that would flush the dns cache?

I use the NAS table in MySQL rather than clients.conf to register my NAS
devices. The only problem with NAS devices on PPPoE ADSL links is that a
restart of Freeradius server is required in order to pick up the new IP
address from DYNDNS.org.

Would this problem be solved by a rlm_nsupdate module (scheduled for future
release)? I would be willing to donate to the creation of this module.

Jack Murgia

on 2/26/08 2:31 AM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:

> Date: Tue, 26 Feb 2008 10:30:59 +0100
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: NAS with dynamic IP
> To: FreeRadius users mailing list
> 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Rui Oliveira wrote:
>> If anyone want to do the patch i can help with some donations because i
>> will use it a lot :)
> 
>   Alternatively, you could define the client as a network (e.g.
> 192.168/24).  See clients.conf for details.
> 
>   Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS with dynamic IP

2008-04-20 Thread Jack Murgia
Alex,

Is there a command I can run periodically that would flush the dns cache?

I use the proxy.conf file rather than clients.conf to register my NAS
devices. The only problem with NAS devices on PPPoE ADSL links is that a
restart of Freeradius server is required in order to pick up the new IP
address from DYNDNS.org.

Would this problem be solved by a rlm_nsupdate module (scheduled for future
release)? I would be willing to donate to the creation of this module.

Jack Murgia

on 2/26/08 2:31 AM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:

> Date: Tue, 26 Feb 2008 10:30:59 +0100
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: NAS with dynamic IP
> To: FreeRadius users mailing list
> 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Rui Oliveira wrote:
>> If anyone want to do the patch i can help with some donations because i
>> will use it a lot :)
> 
>   Alternatively, you could define the client as a network (e.g.
> 192.168/24).  See clients.conf for details.
> 
>   Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius/Netscreen help [SEC=UNCLASSIFIED]

2008-04-20 Thread Ranner, Frank MR
UNCLASSIFIED

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On
> Behalf Of Mario Carassale
> Sent: Saturday, 19 April 2008 00:49
> To: freeradius-users@lists.freeradius.org
> Subject: Freeradius/Netscreen help
> 
> Hi All
> 
> i am new to this list, so please understand my funny question :-)
> 
> I have freeradius running fine and i want to authenticate a netscreen 
> firewall against it. My question is, how can i get user privileges 
> from the radius when a user logs into the firewall?
> 
> If I set the firewall to get privileges from the RADIUS server,
> the login fails; I suppose this is due to not having admin privileges.
> 
> Thank you for all your help.
> 
> Mario
> 

There are a couple of things you need for netscreens.

1.  The netscreen dictionary. You should find one in the netscreen doco,
but failing that here is the one I use:
Start
# -*- text -*-
#
#   From:
#
#   http://www.netscreen.com/support/downloads/4.0_configuring_screenOS_for_NTdomain_v11.pdf
#

VENDOR      Netscreen   3224

BEGIN-VENDOR    Netscreen

ATTRIBUTE   NS-Admin-Privilege      1   integer
ATTRIBUTE   NS-VSYS-Name            2   string
ATTRIBUTE   NS-User-Group           3   string
ATTRIBUTE   NS-Primary-DNS          4   ipaddr
ATTRIBUTE   NS-Secondary-DNS        5   ipaddr
ATTRIBUTE   NS-Primary-WINS         6   ipaddr
ATTRIBUTE   NS-Secondary-WINS       7   ipaddr

ATTRIBUTE   NS-NSM-User-Domain-Name     220 string
ATTRIBUTE   NS-NSM-User-Role-Mapping    221 string

#
#  Values VSYS-Admin and Read-Only-VSYS-Admin require a NS-VSYS-Name
#  attribute in the response packet.
#
VALUE   NS-Admin-Privilege  Root-Admin              1
VALUE   NS-Admin-Privilege  All-VSYS-Root-Admin     2
VALUE   NS-Admin-Privilege  VSYS-Admin              3
VALUE   NS-Admin-Privilege  Read-Only-Admin         4
VALUE   NS-Admin-Privilege  Read-Only-VSYS-Admin    5

END-VENDOR  Netscreen
---Finish---
Put the text into dictionary.netscreen and add the line

$INCLUDE dictionary.netscreen

to share/freeradius/dictionary.

2. You need to return some attributes depending on the access level.
In raddb/users:

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RWA`
        NS-Admin-Privilege := Root-Admin,
        NS-NSM-User-Domain-Name = global,
        NS-NSM-User-Role-Mapping = "global:Domain Administrator"

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
        NS-Admin-Privilege := Read-Only-Admin,
        NS-NSM-User-Domain-Name = global,
        NS-NSM-User-Role-Mapping = "global:Read-Only Domain Administrator"

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RDA`
        NS-Admin-Privilege := Root-Admin,
        NS-NSM-User-Domain-Name = global,
        NS-NSM-User-Role-Mapping = "global:Restricted Device Administrator"

Obviously your check criteria will need to be adjusted to your
requirements, but the return attributes should get you started. You can
set up all kinds of domains and classes of users in the netscreen, and
match them to users as above.

3.  Ensure that the password length is sufficient. There is a defined
minimum length in the netscreen Software. I think it may be 9 chars but
check with your doco.

Hope this helps,

Frank Ranner

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
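Added example, not part of Frank's message and not FreeRADIUS code: a small Python parser for the VENDOR/ATTRIBUTE/VALUE dictionary lines posted above, plus an encoder and decoder for the resulting Vendor-Specific attribute (RADIUS attribute type 26 carrying vendor id 3224, as laid out in RFC 2865 section 5.26). It shows the exact bytes that a reply item such as `NS-Admin-Privilege := Root-Admin` produces, and the length checks a receiver should make before trusting an incoming VSA. The dictionary text is the posted one trimmed to the lines the parser needs; the sample values passed in are constructed.

```python
import struct

# Dictionary as posted above, trimmed to the lines needed here.
NETSCREEN_DICT = """\
VENDOR      Netscreen   3224
BEGIN-VENDOR    Netscreen
ATTRIBUTE   NS-Admin-Privilege          1   integer
ATTRIBUTE   NS-VSYS-Name                2   string
ATTRIBUTE   NS-User-Group               3   string
ATTRIBUTE   NS-Primary-DNS              4   ipaddr
ATTRIBUTE   NS-NSM-User-Domain-Name     220 string
ATTRIBUTE   NS-NSM-User-Role-Mapping    221 string
VALUE   NS-Admin-Privilege  Root-Admin              1
VALUE   NS-Admin-Privilege  VSYS-Admin              3
VALUE   NS-Admin-Privilege  Read-Only-Admin         4
END-VENDOR  Netscreen
"""

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries vendor attributes


def parse_dictionary(text):
    """Parse VENDOR / ATTRIBUTE / VALUE lines into lookup tables.

    Returns (vendors, attrs, values):
      vendors[name] -> vendor id
      attrs[name]   -> (vendor name or None, attribute number, type)
      values[attr]  -> {value name: integer}
    """
    vendors, attrs, values = {}, {}, {}
    current_vendor = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0]
        if keyword == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif keyword == "BEGIN-VENDOR":
            current_vendor = parts[1]
        elif keyword == "END-VENDOR":
            current_vendor = None
        elif keyword == "ATTRIBUTE":
            attrs[parts[1]] = (current_vendor, int(parts[2]), parts[3])
        elif keyword == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return vendors, attrs, values


def _encode_value(typ, value, names):
    """Encode one value according to its dictionary type."""
    if typ == "integer":
        number = names[value] if isinstance(value, str) else int(value)
        return struct.pack("!I", number)
    if typ == "string":
        return value.encode("utf-8")
    if typ == "ipaddr":
        return bytes(int(octet) for octet in value.split("."))
    raise ValueError("unsupported attribute type: " + typ)


def encode_vsa(dictionary, name, value):
    """Wire bytes of one Vendor-Specific attribute:
    type 26, length, 4-byte vendor id, vendor type, vendor length, data."""
    vendors, attrs, values = dictionary
    vendor, number, typ = attrs[name]
    if vendor is None:
        raise ValueError(name + " is not a vendor attribute")
    data = _encode_value(typ, value, values.get(name, {}))
    vendor_part = struct.pack("!BB", number, 2 + len(data)) + data
    body = struct.pack("!I", vendors[vendor]) + vendor_part
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(dictionary, attr):
    """Inverse of encode_vsa, with the length checks a receiver must make."""
    vendors, attrs, values = dictionary
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    number, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or vendor_len != len(attr) - 6:
        raise ValueError("vendor length does not match attribute length")
    data = attr[8:]
    vendor_name = {vid: vname for vname, vid in vendors.items()}[vendor_id]
    by_number = {(v, n): (nm, t) for nm, (v, n, t) in attrs.items()}
    name, typ = by_number[(vendor_name, number)]
    if typ == "integer":
        n = struct.unpack("!I", data)[0]
        names = {num: nm for nm, num in values.get(name, {}).items()}
        return name, names.get(n, n)
    if typ == "string":
        return name, data.decode("utf-8")
    return name, ".".join(str(b) for b in data)


if __name__ == "__main__":
    d = parse_dictionary(NETSCREEN_DICT)
    for attr_name, val in [("NS-Admin-Privilege", "Root-Admin"),
                           ("NS-NSM-User-Role-Mapping", "global:Domain Administrator")]:
        raw = encode_vsa(d, attr_name, val)
        print(attr_name, raw.hex(), decode_vsa(d, raw))
```

The decoder deliberately rejects an attribute whose outer length and vendor length disagree rather than trusting either one; that mismatch is the classic way a malformed VSA causes a receiver to read past the end of the attribute.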


Re: FreeBSD, FreeRadius, PPPoE server

2008-04-20 Thread Marinko Tarlac
Thanks... As I can see they use freeNibs. I made my own billing system 
for Mikrotik and now I want to test it on another platform. See ya in a 
couple of days with some results... :)


[EMAIL PROTECTED] wrote:

> Marinko Tarlac schrieb:
>
>> Hi to all. I know that this is FR mailing list but I'm looking for some
>> material about pppoe server on freebsd and freeradius as a radius
>> server.
>>
>> So, please send me some links for reading..
>>
>> Thanks
>
> Have you not already looked it up?
> http://www.google.ru/search?complete=1&hl=ru&lr=&newwindow=1&client=firefox-a&rls=org.mozilla:ru:official&hs=Yxd&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=pppoe+freebsd+freeradius&spell=1
>
> The first link:
> http://www.iplab-nnz.ru/blog/index.php?op=ViewArticle&articleId=22&blogId=1
> It is in Russian, but I think you will understand


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: the newbie on radiustesting strikes again

2008-04-20 Thread David Wood

Hi there,

In message <[EMAIL PROTECTED]>, Si St 
<[EMAIL PROTECTED]> writes

>> - Original Message -
>> From: "David Wood" <[EMAIL PROTECTED]>
>> To: "FreeRadius users mailing list" 
>> Subject: Re: the newbie on radiustesting strikes again
>> Date: Sun, 20 Apr 2008 01:00:42 +0100
>>
>> Hi,
>>
>> Ivan has already given you much good advice. I wanted to add a few comments.
>>
>> In message <[EMAIL PROTECTED]>, Si
>> St <[EMAIL PROTECTED]> writes
>>> The Router supports EAP/WPA-Enterprise(has a box for this choice;)
>>> Automatic (WPA or WPA2), TKIP and AES
>>
>> I would be very surprised if the RADIUS functionality on the router
>> supports anything other than the wireless access point. It sounds
>> like you have a consumer level unit - not an enterprise level
>> router/firewall here.
>
> You are most probably 100% right
> In a previous mail I told this router to be a DLINK DIR-635
> ftp://ftp.dlink.se/Products/dir-products/dir-635/Documentation/DIR-635_manual_ww.pdf

Thanks for that - a quick glance confirms it to be a consumer level unit 
and the RADIUS functionality is limited to the wireless access point, as 
I thought.

>> If so, all you can do with RADIUS is to control access to your
>> wireless network - the Authentication and Authorisation of AAA.
>> Most consumer level units do not support Accounting - though some
>> do. If your router doesn't support accounting, there's no point
>> wasting any time setting up accounting in FreeRADIUS!
>
> Which will practically mean access to the router only
> And the router cannot handle Accounting that will mean giving user 
> names and passwords

Correct - you can use user names and passwords with PEAP, or digital 
certificates with EAP-TLS, to access your wireless network rather than 
the single shared secret (PSK) of WPA-Personal.

>> You will not have the RADIUS functionality of more expensive
>> enterprise level wireless access points, such as the ability to
>> return the VLAN to connect the user to from the RADIUS server.
>> There again, if this is a consumer unit, it probably has no VLAN
>> support anyway.
>
> I find only a box for Virtual Server on the router and on Advanced 
> Network only uPnP; not much to go for here.

This is consumer gear - I would be very surprised to see any VLAN 
support. I doubt you have 802.1Q capable switches anyway (though L2 
managed 10/100 switches are inexpensive these days).

See http://en.wikipedia.org/wiki/VLAN for more on VLANs.

>> If you want better management of DHCP, one possibility is a DHCP
>> server that uses an LDAP backend. You could also use LDAP to store
>> user credentials for FreeRADIUS. However, with the size of your
>> network, the added complexity probably isn't worthwhile.

I should just note that Alan's announcement of the DHCP functionality in 
the CVS HEAD (and presumably 2.0.4 when it is released) will allow you 
to use FreeRADIUS to hand out IP addresses - though I suspect that the 
limitations on this experimental module at present will mean that you're 
better off sticking with your existing DHCP server.

> Right. But my intentions here were to see what I could achieve choosing 
> the WPA-Enterprise option alternatively to the WPA-Personal (as the 
> checkboxes on the router call it), and thereby maybe apply the 
> FreeRadius.

Of course - and that is a valuable aim in itself.

Bearing in mind that port 1812 is the only one mentioned (and not 1813), 
I suspect that your router doesn't support accounting. There's no 
support for handing out IP addresses via RADIUS attributes either.

> My question was: Is it really possible for me to do this networking 
> different, and with EAP, and learn something from it? How complicated 
> is this task, and is it possible to do it fairly simple gaining profit 
> from a resultant more secure network? And thus grow in knowledge and 
> experience?

What you're looking to do is entirely possible, and is worthwhile and 
valuable. It's where I started out with FreeRADIUS.

You can set up FreeRADIUS to authorise your wireless users by user name 
and password, using PEAP (if you want to give it its full name, 
PEAPv0/EAP-MSCHAPv2). This will give you a log of who accessed your 
wireless network and when, and you have better granularity in the access 
control (that is, you can change and revoke passwords for each user 
separately, rather than having a single shared secret).

WPA Enterprise is also stronger, because the PMK is generated from the 
EAP exchange and lasts the lifetime of the session, rather than being a 
cryptographic hash of the PSK (which lasts until you change the PSK).

If you wish, you can also experiment with EAP-TLS, and learn more about 
running your own PKI. This will teach you loads about digital 
certificates, certificate authorities and the like.

> So far I have learned a lot more through this mailing list concerning my 
> aims than I originally expected. The way my questions are answered 
> forces me to think in the right rational way and professionally simpler.

It sounds worthwhile all round, then!

Best wishes,

David
--
David 

Re: gdm and radius accounting

2008-04-20 Thread Alan DeKok
sub wrote:
> what I was expecting (but I'm not an expert, it's possible that it's
> not a radius feature and I misunderstood it) is that the client
> periodically sends accounting-request packets ("I'm alive!") to the
> server and so the server updates the sql db.

  It would have helped to say that.  Instead, you said: "it does
accounting start and stop, but I want it do accounting!"

  And due to the way that PAM works, it's impossible to send "alive"
packets.  The pam_radius module is called *only* for start/stop.  So it
*only* sends start/stop packets.

> I don't want something magic but if the users enters and he has only
> one more minute for his daily session, he we'll be able to be logged
> if he doesn't logoff by hand.

  I don't understand that sentence.

  I *think* you're trying to ask if the PAM module supports
Session-Timeout.  And no, it doesn't, because PAM has no such capability.

> maybe I misunderstood how radius accounting works...

  Explain what you mean using full sentences.  The more explanation the
better.  Leaving words out means that it's difficult to understand you.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: gdm and radius accounting

2008-04-20 Thread sub
On Sun, Apr 20, 2008 at 8:05 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> sub wrote:
>
>  > it's ok but what I really need is accounting because I can't wait for
>  > the user action to save information in the db.
>
>   This sentence makes no sense.
>
>   You want... some kind of accounting which is independent of user login
>  and logout?  What kind of magic accounting is that?
>

Alan,
what I was expecting (but I'm not an expert, it's possible that it's
not a radius feature and I misunderstood it) is that the client
periodically sends accounting-request packets ("I'm alive!") to the
server and so the server updates the sql db.
I don't want something magic but if the users enters and he has only
one more minute for his daily session, he we'll be able to be logged
if he doesn't logoff by hand.

(...)
>
>   Or maybe you're thinking of something else other than accounting?
>   Alan DeKok.
>

maybe I misunderstood how radius accounting works...

thanks for your help,
sub
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: the newbie on radiustesting strikes again

2008-04-20 Thread Si St
> - Original Message -
> From: "David Wood" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list" 
> Subject: Re: the newbie on radiustesting strikes again
> Date: Sun, 20 Apr 2008 01:00:42 +0100
> 
> 
> Hi,
> 
> Ivan has already given you much good advice. I wanted to add a few comments.
> 
> In message <[EMAIL PROTECTED]>, Si 
> St <[EMAIL PROTECTED]> writes
> > The Router supports EAP/WPA-Enterprise(has a box for this choice;)
> > Automatic (WPA or WPA2), TKIP and AES
> 
> I would be very surprised if the RADIUS functionality on the router 
> supports anything other than the wireless access point. It sounds 
> like you have a consumer level unit - not an enterprise level 
> router/firewall here.

You are most probably 100% right
In a previous mail I told this router to be a DLINK DIR-635
ftp://ftp.dlink.se/Products/dir-products/dir-635/Documentation/DIR-635_manual_ww.pdf

> 
> If so, all you can do with RADIUS is to control access to your 
> wireless network - the Authentication and Authorisation of AAA. 
> Most consumer level units do not support Accounting - though some 
> do. If your router doesn't support accounting, there's no point 
> wasting any time setting up accounting in FreeRADIUS!

Which will practically mean access to the router only
And the router cannot handle Accounting that will mean giving user names and 
passwords

> 
> You will not have the RADIUS functionality of more expensive 
> enterprise level wireless access points, such as the ability to 
> return the VLAN to connect the user to from the RADIUS server. 
> There again, if this is a consumer unit, it probably has no VLAN 
> support anyway.

I find only a box for Virtual Server on the router and on Advanced Network only 
uPnP; not much to go for here.

> 
> 
> > There will probably for all practical purposes be only wireless 
> > clients:3 laptops and one workstation,but I have configured 2 IP 
> > addresses for each laptop, one for their wireless card the other 
> > address for the wired/cabled card in case they will be needed.
> > The access of the clients are controlled allowing only the 
> > specific MAC addresses of each machine to connect to the 
> > router.(Routers Netfilter) The machines have also fixed IPs 
> > reserved.
> 
> I very much doubt that your router can make any use of RADIUS for 
> handing out IP addresses, especially if the only mention of RADIUS 
> is in connection with the wireless features.
> 
> Handing out IP addresses via RADIUS is most commonly done with 
> NASes (dial in servers), VPN servers and CMTS (cable modem 
> termination systems).
> 
> DHCP is more typical for bridged scenarios such as wireless 
> networks. Your credentials get you connected to the wireless 
> network, at which point the computer gets an IP address and related 
> information (gateway address, DNS server(s), possibly WINS servers) 
> via DHCP.
> 
> 
> If you want better management of DHCP, one possibility is a DHCP 
> server that uses an LDAP backend. You could also use LDAP to store 
> user credentials for FreeRADIUS. However, with the size of your 
> network, the added complexity probably isn't worthwhile.

Right. But my intentions here were to see what I could achieve choosing the 
WPA-Enterprise option alternatively to the WPA-Personal (as the checkboxes on 
the router call it), and thereby maybe apply the FreeRadius. My question was: 
Is it really possible for me to do this networking different, and with EAP, and 
learn something from it? How complicated is this task, and is it possible to do 
it fairly simple gaining profit from a resultant more secure network? And thus 
grow in knowledge and experience?
So far I have learned a lot more through this mailing list concerning my aims 
than I originally expected. The way my questions are answered forces me to 
think in the right rational way and professionally simpler.

> 
> 
> Start with the simplest possible setup and only add functionality 
> when you've got the basic stuff working. Keeping the configuration 
> in a revision control system helps, too, not least when upgrading 
> the server to a newer version. I use Subversion, but it is probably 
> best to use what you're most familiar with.
Excellent instruction for me, this.
> 
> 
> FreeRADIUS 2.0.3 will make your task much easier as it will build 
> the necessary certificates for EAP automatically. PEAP is pretty 
> easy to get going as there's no need to generate client 
> certificates.

Q: When one of the Win-laptops tries to connect the wireless network it happens 
it pops up a window asking for certificate. But not all the time. It seems as 
if there is a box with an entrance for a server certificate in the EAPconfig of 
that machine. One of the laptops -ASUS- has no entrance whatsoever for EAP 
extension. The others have. Strange.  Any quick comment here?

> 
> Whatever your eventual aims, start by getting your wireless users 
> on WPA2-Enterprise (or WPA2 / WPA mixed mode if you have any 
> clients th

Re: gdm and radius accounting

2008-04-20 Thread Ivan Kalik
>I tried putting the line in the session section and it really works.
>the server received an accounting request of "start" at the user login
>and an accounting-request "stop" at logout.
>it's ok but what I really need is accounting because I can't wait for
>the user action to save information in the db.
>

??? That's how accounting works. You might try returning
Acct-Interim-Interval (normal values are between 10 and 30 minutes) to
see if you will get updates for longer sessions.

If you are thinking of restricting sessions then have a look at the
Session-Timeout and Idle-Timeout attributes. Again, no guarantee that the pam
module supports them.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_sql_mysql: Mysql check_error: 1064 received

2008-04-20 Thread Ivan Kalik
Post the whole radiusd -X debug with the request that caused the error
and the radippool table. It looks like you are trying to update entries
that don't exist.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: gdm and radius accounting

2008-04-20 Thread Alan DeKok
sub wrote:
> I tried putting the line in the session section and it really works.
> the server received an accounting request of "start" at the user login
> and an accounting-request "stop" at logout.

  So it is receiving accounting packets.  That's how accounting works.

> it's ok but what I really need is accounting because I can't wait for
> the user action to save information in the db.

  This sentence makes no sense.

  You want... some kind of accounting which is independent of user login
and logout?  What kind of magic accounting is that?

> In the page of the project (http://www.freeradius.org/pam_radius_auth/) I see
> "This is the PAM to RADIUS authentication module. It allows any
> PAM-capable machine to become a RADIUS client for authentication and
> accounting requests."
> so I think that the pam_radius_auth module should support accounting :-p

  It does.  You verified that it does.  It sends accounting stop/start
messages.  That is what accounting *means*.

> furthermore at this page we've an example of the pam configuration file.
> http://www.freeradius.org/pam_radius_auth/USAGE
> 
> some help?

  Perhaps you could explain what you mean by "what I really need is
accounting"... and why the existing, standards-compliant accounting in
the module isn't sufficient for your needs.

  Or maybe you're thinking of something else other than accounting?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeBSD, FreeRadius, PPPoE server

2008-04-20 Thread snaut
> Marinko Tarlac schrieb:
>> Hi to all. I know that this is FR mailing list but I'm looking for some
>> material about pppoe server on freebsd and freeradius as a radius
>> server.
>>
>> So, please send me some links for reading..
>>
>> Thanks

Have you not already looked it up?
http://www.google.ru/search?complete=1&hl=ru&lr=&newwindow=1&client=firefox-a&rls=org.mozilla:ru:official&hs=Yxd&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=pppoe+freebsd+freeradius&spell=1

The first link:
http://www.iplab-nnz.ru/blog/index.php?op=ViewArticle&articleId=22&blogId=1
It is in Russian, but I think you will understand



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: gdm and radius accounting

2008-04-20 Thread sub
On Sun, Apr 20, 2008 at 6:46 PM, Phil Mayers <[EMAIL PROTECTED]> wrote:
>
>
>  I don't know if the pam_radius_auth module does accounting; try adding it
> to the "session" config
>

I tried putting the line in the session section and it really works.
the server received an accounting request of "start" at the user login
and an accounting-request "stop" at logout.
it's ok but what I really need is accounting because I can't wait for
the user action to save information in the db.

In the page of the project (http://www.freeradius.org/pam_radius_auth/) I see
"This is the PAM to RADIUS authentication module. It allows any
PAM-capable machine to become a RADIUS client for authentication and
accounting requests."
so I think that the pam_radius_auth module should support accounting :-p

furthermore at this page we've an example of the pam configuration file.
http://www.freeradius.org/pam_radius_auth/USAGE

some help?

sub
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeBSD, FreeRadius, PPPoE server

2008-04-20 Thread Michael Schwartzkopff
Marinko Tarlac schrieb:
> Hi to all. I know that this is FR mailing list but I'm looking for some
> material about pppoe server on freebsd and freeradius as a radius server.
> 
> So, please send me some links for reading..
> 
> Thanks
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

see:

http://www.freeantennas.com/PPPoE-Server-HOWTO.html

It is a howto for Linux but you could somehow use the techniques
described there for BSD.

We have a setup like this and it is working quite well.

Michael.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeBSD, FreeRadius, PPPoE server

2008-04-20 Thread Marinko Tarlac
Hi to all. I know that this is FR mailing list but I'm looking for some 
material about pppoe server on freebsd and freeradius as a radius server.


So, please send me some links for reading..

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


New functionality in CVS head.

2008-04-20 Thread Alan DeKok
  After some oblique hints and private tests, I've committed some
interesting new functionality to CVS head.  The latest feature extends
FreeRADIUS past RADIUS, and *way* past VMPS.

  In short, it turns FreeRADIUS into a DHCP server.

  This means that any network needing an *integrated* 802.1x and DHCP
solution can use one piece of software: FreeRADIUS.

  There are some limitations, of course.  The code is experimental, and
is not included in the default build.  (use ./configure --with-dhcp).

  It has few of the features that a normal DHCP server has.  We are
looking for migration scripts from legacy servers and database schemas,
as there are none right now.  The short-term goal is to gain wider
testing, and contributions from the community.

  It has been tested to work with Windows XP, Vista, MAC, Linux, and
*BSD.  This means that the basic DHCP functionality is there for
receiving packets, sending packets, and putting contents into packets.
Any other features normally in a DHCP server don't exist.  e.g.
allocating unused IP's, lease expiry, etc.

  These features should not be too hard to add, as FreeRADIUS already
has multiple "IP allocation" modules for RADIUS packets.  That code can
be re-targeted for DHCP without too much work.

  The current code *should* work when the MAC address of the client is
known, and a fixed IP is assigned to that MAC.  Anything else is at the
"to be implemented" stage.

  Comments, (and patches) are welcome.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: gdm and radius accounting

2008-04-20 Thread Phil Mayers

sub wrote:
> Hello everybody,
> I simply and correctly set up my ubuntu linux box to use freeradius
> authentication; actually the problem is that I'm not able to use
> radius accounting.
> I think that I correctly set up my radius server to use sql as
> accounting mode but the radius server never receives accounting
> packets from the client (I see it starting the server with the -XXX
> option).
> The only "accounting" thing that it's saving in the sql db is the post
> auth section that inserts a line for a correct authentication
> response.
>
> on the client side I only modified the pam - gdm configuration file that is
>
> #%PAM-1.0
> auth    requisite   pam_nologin.so
> auth    sufficient  pam_radius_auth.so
> auth    required    pam_env.so readenv=1
> auth    required    pam_env.so readenv=1 envfile=/etc/default/locale
> @include common-auth
> auth    optional    pam_gnome_keyring.so
> account required    pam_radius_auth.so
> @include common-account
> session required    pam_limits.so
> @include common-session
> session optional    pam_gnome_keyring.so  auto_start
> @include common-password
>
> which step have I forgotten? what's wrong?

I don't know if the pam_radius_auth module does accounting; try adding 
it to the "session" config

> thank you for your help,
> sub


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


gdm and radius accounting

2008-04-20 Thread sub
Hello everybody,
I simply and correctly set up my ubuntu linux box to use freeradius
authentication; actually the problem is that I'm not able to use
radius accounting.
I think that I correctly set up my radius server to use sql as
accounting mode but the radius server never receives accounting
packets from the client (I see it starting the server with the -XXX
option).
The only "accounting" thing that it's saving in the sql db is the post
auth section that inserts a line for a correct authentication
response.

on the client side I only modified the pam - gdm configuration file that is

#%PAM-1.0
auth    requisite   pam_nologin.so
auth    sufficient  pam_radius_auth.so
auth    required    pam_env.so readenv=1
auth    required    pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth    optional    pam_gnome_keyring.so
account required    pam_radius_auth.so
@include common-account
session required    pam_limits.so
@include common-session
session optional    pam_gnome_keyring.so  auto_start
@include common-password

which step have I forgotten? what's wrong?

thank you for your help,
sub
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_sql_mysql: Mysql check_error: 1064 received

2008-04-20 Thread 여친급구
Hello all
freeradius-server-2.0.3.tar.gz
rpmbuild -bb freeradius.spec
    --with-mysql-lib-dir=/usr/lib/mysql \
    --with-mysql-include-dir=/usr/include/mysql \

accounting {
   sqlippool
}
post-auth {
   sqlippool
}
users file:

DEFAULT Pool-Name := dialup_pool1
        Fall-Through = Yes

INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) 
values("dialup_pool1", "Pool-Name", ":=", "dialup_pool1");

INSERT INTO radippool (pool_name, framedipaddress) VALUES ('dialup_pool1', 
'192.168.0.1');

radiusd -X

..
..
rlm_sql_mysql: MYSQL check_error: 1064 received
sqlippool_command: database query error in: 'UPDATE radippool   SET 
nasipaddress = '', pool_key = 0,   callingstationid = '', username = '',   
expiry_time IS NULL   WHERE expiry_time <= NOW() - INTERVAL 1 SECOND'

..
..
rlm_sql_mysql: MYSQL check_error: 1064 received
sqlippool_command: database query error in: 'UPDATE radippool  SET nasipaddress 
= '', pool_key = 0, callingstationid = '', username = '',  expiry_time IS NULL  
WHERE nasipaddress = '127.0.0.1' AND pool_key = '0'  AND username = 'test'  AND 
callingstationid = '123.123.123.138'  AND framedipaddress = '200.200.200.173''
..
..

--
Module: Instantiating sqlippool
  sqlippool {
    sql-instance-name = "sql"
    lease-duration = 3600
    pool-name = ""
    allocate-begin = "START TRANSACTION"
    allocate-clear = "UPDATE radippool   SET nasipaddress = '', pool_key = 
0,   callingstationid = '', username = '',   expiry_time IS NULL   WHERE 
expiry_time < = NOW() - INTERVAL 1 SECOND"
    allocate-find = "SELECT framedipaddress FROM radippool   WHERE 
pool_name = '%{control:Pool-Name}'   AND expiry_time IS NULL   ORDER BY 
RAND()   LIMIT 1   FOR UPDATE"
    allocate-update = "UPDATE radippool  SET nasipaddress = 
'%{NAS-IP-Address}', pool_key = '%{NAS-Port}',  callingstationid = 
'%{Calling-Station-Id}', username = '%{User-Name}',  expiry_time = NOW() + 
INTERVAL 3600 SECOND  WHERE framedipaddress = '%I'"
    allocate-commit = "COMMIT"
    allocate-rollback = "ROLLBACK"
    pool-check = "SELECT id FROM radippool  WHERE 
pool_name='%{control:Pool-Name}' LIMIT 1"
    start-begin = "START TRANSACTION"
    start-update = "UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = '%{NAS-IP-Address}' AND  pool_key = 
'%{NAS-Port}'"
    start-commit = "COMMIT"
    start-rollback = "ROLLBACK"
    alive-begin = "START TRANSACTION"
    alive-update = "UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = 
'%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid = 
'%{Calling-Station-Id}'  AND framedipaddress = '%{Framed-IP-Address}'"
    alive-commit = "COMMIT"
    alive-rollback = "ROLLBACK"
    stop-begin = "START TRANSACTION"
    stop-clear = "UPDATE radippool  SET nasipaddress = '', pool_key = 0, 
callingstationid = '', username = '',  expiry_time IS NULL  WHERE nasipaddress 
= '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}'  AND username = 
'%{User-Name}'  AND callingstationid = '%{Calling-Station-Id}'  AND 
framedipaddress = '%{Framed-IP-Address}'"
    stop-commit = "COMMIT"
    stop-rollback = "ROLLBACK"
    on-begin = "START TRANSACTION"
    on-clear = "UPDATE radippool  SET nasipaddress = '', pool_key = 0, 
callingstationid = '', username = '',  expiry_time IS NULL  WHERE nasipaddress 
= '%{Nas-IP-Address}'"
    on-commit = "COMMIT"
    on-rollback = "ROLLBACK"
    off-begin = "START TRANSACTION"
    off-clear = "UPDATE radippool  SET nasipaddress = '', pool_key = 0, 
callingstationid = '', username = '',  expiry_time IS NULL  WHERE nasipaddress 
= '%{Nas-IP-Address}'"
    off-commit = "COMMIT"
    off-rollback = "ROLLBACK"
    sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address}   (did 
%{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user 
%{User-Name})"
    sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from 
%{control:Pool-Name}   (did %{Called-Station-Id} cli %{Calling-Station-Id} port 
%{NAS-Port} user %{User-Name})"
    sqlippool_log_clear = "Released IP %{Framed-IP-Address} (did 
%{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
    sqlippool_log_failed = "IP Allocation FAILED from 
%{control:Pool-Name}   (did %{Called-Station-Id} cli %{Calling-Station-Id} port 
%{NAS-Port} user %{User-Name})"
    sqlippool_log_nopool = "No Pool-Name defined   (did 
%{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user 
%{User-Name})"
    defaultpool = "main_pool"
  }



   

-
List in
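Added example, not from the original post and not FreeRADIUS code. The `allocate-clear` statement in the debug output above (and the `stop-clear`, `on-clear` and `off-clear` statements, which have the same shape) writes `expiry_time IS NULL` inside the SET clause. `IS NULL` is a comparison, not an assignment, so the statement does not parse at all, which is what MySQL error 1064 means; the assignment has to be `expiry_time = NULL`. The Python below runs the statement as posted and the corrected one against a small constructed `radippool` table in SQLite, with `NOW() - INTERVAL 1 SECOND` replaced by a bound cut-off parameter so it runs offline. The schema is an assumption made for the demo (column names are the ones the posted queries use), not the schema shipped with FreeRADIUS.

```python
import sqlite3
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed schema for the demo: the column names are those the posted
# sqlippool queries refer to; types and defaults are assumptions.
SCHEMA = """
CREATE TABLE radippool (
    id INTEGER PRIMARY KEY,
    pool_name TEXT NOT NULL,
    framedipaddress TEXT NOT NULL,
    nasipaddress TEXT NOT NULL DEFAULT '',
    pool_key TEXT NOT NULL DEFAULT '0',
    callingstationid TEXT NOT NULL DEFAULT '',
    username TEXT NOT NULL DEFAULT '',
    expiry_time TEXT
);
"""

# allocate-clear as posted: "expiry_time IS NULL" is a comparison, not an
# assignment, so the SET clause fails to parse (MySQL: error 1064).
# NOW() - INTERVAL 1 SECOND is replaced by a bound parameter for SQLite.
BROKEN_CLEAR = (
    "UPDATE radippool SET nasipaddress = '', pool_key = 0, "
    "callingstationid = '', username = '', expiry_time IS NULL "
    "WHERE expiry_time <= ?"
)

# Corrected form: NULL is assigned with "=".
FIXED_CLEAR = (
    "UPDATE radippool SET nasipaddress = '', pool_key = 0, "
    "callingstationid = '', username = '', expiry_time = NULL "
    "WHERE expiry_time <= ?"
)


def make_pool(now):
    """Build an in-memory radippool holding constructed sample leases."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        # expired lease: allocate-clear should release it
        ("dialup_pool1", "192.168.0.1", "127.0.0.1", "0", "123.123.123.138",
         "test", (now - timedelta(hours=2)).strftime(TIME_FMT)),
        # live lease: must be left alone
        ("dialup_pool1", "192.168.0.2", "127.0.0.1", "1", "123.123.123.139",
         "alice", (now + timedelta(minutes=30)).strftime(TIME_FMT)),
        # never allocated
        ("dialup_pool1", "192.168.0.3", "", "0", "", "", None),
    ]
    conn.executemany(
        "INSERT INTO radippool (pool_name, framedipaddress, nasipaddress, "
        "pool_key, callingstationid, username, expiry_time) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def run_clear(conn, statement, now):
    """Run an allocate-clear statement; report success and rows released."""
    cutoff = (now - timedelta(seconds=1)).strftime(TIME_FMT)
    try:
        cur = conn.execute(statement, (cutoff,))
        conn.commit()
        return {"ok": True, "released": cur.rowcount}
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return {"ok": False, "error": str(exc)}


def free_addresses(conn, pool):
    """Addresses allocate-find would treat as free (expiry_time IS NULL)."""
    rows = conn.execute(
        "SELECT framedipaddress FROM radippool "
        "WHERE pool_name = ? AND expiry_time IS NULL ORDER BY framedipaddress",
        (pool,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    now = datetime(2008, 4, 20, 12, 0, 0)   # constructed reference time
    conn = make_pool(now)
    print("as posted:", run_clear(conn, BROKEN_CLEAR, now))
    print("corrected:", run_clear(conn, FIXED_CLEAR, now))
    print("free now:", free_addresses(conn, "dialup_pool1"))
```

The same `IS NULL` versus `= NULL` mistake inside a SET clause is rejected by both MySQL and SQLite, which is why the demo can reproduce the failure without a MySQL server; the date arithmetic is the only part that had to be adapted.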