Rlm_sqlippool and dialupadmin

2008-06-03 Thread Omer Faruk SEN
Hi,

I am planning to develop a patch for dialupadmin so I can use the radippool table 
for Rlm_sqlippool. I just wanted to be sure what to add to the GUI 
(dialupadmin):

1) There must be a new tab to add IP addresses to the radippool table. At 
http://wiki.freeradius.org/Rlm_sqlippool IP addresses are added like:


INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', '192.168.0.1');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', '192.168.0.2');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', '192.168.0.3');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', '192.168.0.4');


2) The code must edit the radgroupcheck table (not radgroupreply, since it is a 
control attribute, not a reply attribute) to add the group to the related pool 
(for example main_pool), just like in

http://lists.cistron.nl/pipermail/freeradius-users/2006-October/057508.html

Are there any additional steps that need to be implemented?

BTW, am I right that radgroupcheck is used for control attributes but 
radgroupreply is used for reply attributes?


Best Regards.



  

-- 
Best regards,
 Omer  mailto:[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: simple web interface

2008-06-03 Thread Sascha Kiefer
I use daloradius
But it sucks also.
Looks nicer and a little bit easier to use.
I'm working on my own ...

Regards,
Sascha



simple web interface

2008-06-03 Thread Vittore Zen
Hi,

anyone have a simple php web mysql users interface? More more more
simple than dialup admin.

The manager will do:
1. insert/modify a user account
2. give a password
3. setup start-end life (time) of account
4. setup a detail (name)


Any?
v.


Group Expiration Date

2008-06-03 Thread CoMeC
Hi,

I was trying to find an answer to my question, but without success.

I wanted to ask if it is possible to set an expiration date for a group, so
that all users in this group won't get access after the expiration date?

Expiration works for a single user (as a radcheck table attribute), but
when I enter it in radgroupcheck, it doesn't work.

Am I making a mistake somewhere, or is it just impossible?
Are there any other solutions?

Please let me know, or send me any link where I could get that info.

Best regards,

CoMeC



Help with FreeRadius + Switch + Mac Based Auth - question

2008-06-03 Thread Daniel Machado Grilo
Hi,

I'm hoping that you can help me,
because I've been trying this for a long time.

I'm testing an SMC6248M switch to check if RADIUS support
is fine, so I configured a FreeRADIUS server on Fedora 8.

I've made some tests adding clients to clients.conf and making
requests via radtest to ensure that RADIUS is well configured,

ex:

[EMAIL PROTECTED] ~]# radtest 003084-87faf2 * 192.168.1.13 1812 oincoinc
Sending Access-Request of id 116 to 192.168.1.13 port 1812
User-Name = 003084-87faf2
User-Password = *
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Re-sending Access-Request of id 116 to 192.168.1.13 port 1812
User-Name = 003084-87faf2
User-Password = omGtkKyB
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 192.168.1.13:1812, id=116, length=20
rad_verify: Received Access-Reject packet from client 192.168.1.13 port
1812 with invalid signature (err=2)!  (Shared secret is incorrect.)


If I change the switch configuration to Auth by Local,RADIUS
and then try to access the administration interface with a
password that I only have in the RADIUS config, I get:

Username: dmgrilo
Password:

  CLI session with the Tiger Stack 10/100 is opened.
  To end the CLI session, enter [Exit].


logs show:
rad_recv: Access-Request packet from host 192.168.1.251:1815, id=204,
length=55
User-Name = dmgrilo
User-Password = 12345
NAS-IP-Address = 192.168.1.251
NAS-Identifier = 
Sending Access-Accept of id 204 to 192.168.1.251 port 1815


which is ok.

But now I have a computer on ethernet 1/35 that I want to
auth via RADIUS, so I changed the port to dot1x port-control auto
and made the interface re-auth; I lose connection to that machine
and the switch claims that it is not authenticated.

So, my question is: in the users file from FreeRadius I have
the MAC address for the machine and password:
# Green
000244-09a361 Auth-Type := Local, User-Password == 
Tunnel-Medium-Type  = IEEE-802,
Tunnel-Type = VLAN,
Tunnel-Private-Group-ID = 1

So why doesn't the switch ask the RADIUS for access?
(nothing appears in logs)

I don't want to have supplicants installed on the clients, because
I want to connect phones too, but I guess with auth via MAC address
it wouldn't need supplicants, right?

One important thing is that when I check show dot1x on
the switch, it doesn't determine the supplicant MAC address...
I guess it should, right?

802.1X is enabled on port 1/35
 reauth-enabled: Enable
 reauth-period:  3600
 quiet-period:   60
 tx-period:  30
 supplicant-timeout:   30
 server-timeout: 10
 reauth-max: 2
 max-req:        2
Status              Unauthorized
Operation mode      Single-Host
Max count           5
Port-control        Auto
Supplicant          00-00-00-00-00-00
Current Identifier  1

Authenticator State Machine
State               Connecting
Reauth Count        2

Backend State Machine
State               Idle
Request Count       0
Identifier(Server)  0

Reauthentication State Machine
State               Initialize

So my real (resumed) question:
Do I need to have supplicants even though I want to authenticate
with the MAC address, or could it be that this switch doesn't
support this, and the normal behaviour should be that the switch
asks RADIUS for access, showing the machine credentials (MAC address)!?

Tks in Adv.
Daniel
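
The "invalid signature (err=2)! (Shared secret is incorrect.)" line in the radtest output above comes from the client's check of the Response Authenticator defined in RFC 2865. The following added example (not part of the original post and not FreeRADIUS code) builds an Access-Reject with id 116 and length 20, as in that output, and verifies it with a matching and a mismatching secret; both secrets and the Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3


def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_reply(code, ident, request_auth, attributes, secret):
    """Server side: header, Response Authenticator, then the attributes."""
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return header + auth + attributes


def verify_reply(packet, request_auth, secret):
    """Client side: recompute the authenticator with the locally configured
    secret and compare it with the one in the packet. Returns (ok, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False, "bad length field"
    received = packet[4:20]
    expected = response_authenticator(
        code, ident, request_auth, packet[20:length], secret)
    if not hmac.compare_digest(received, expected):
        # The reply cannot be trusted: either the secrets differ or the
        # packet was altered or forged on the way.
        return False, "invalid signature (shared secret is incorrect?)"
    return True, "ok"


def demo():
    # Constructed values: a real client picks 16 random bytes per request.
    request_auth = bytes(range(16))
    server_secret = b"secret-in-clients.conf"
    client_secret = b"secret-typed-into-radtest"
    reply = build_reply(ACCESS_REJECT, 116, request_auth, b"", server_secret)
    return (
        len(reply),
        verify_reply(reply, request_auth, server_secret),
        verify_reply(reply, request_auth, client_secret),
    )


if __name__ == "__main__":
    print(demo())
```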





FreeRadius client with IAS server; Wireshark - Code: Access Reject (3)

2008-06-03 Thread Knarkargott


Hi!
I use FreeRadius as a client to an IAS server. I get a connection, but as soon
as I set the IAS to authenticate on the server, I only get User-Name =
DsH (several times until timeout: No response from client ID...).

When I sniff with Wireshark, I get the error code: Access Reject (3).

My test should be quite basic I think, but somehow I fail. My setup is as
follows:
Computer A: Active Directory
Computer B: Windows IAS server (IP 192.168.0.155)
Computer C: FreeRadius Client (this is actually a virtual machine)

Computer A contains user DsH with pwd RADIUS. 
I have configured the IAS (2003) to allow everything on Computer B and
secret = RADIUS.
I logged in as DSH with pwd RADIUS on Computer C, with secret = RADIUS for
the FreeRadius client (v.1.1.6).


I have tried both radtest and radclient, with -x for debug;

radtest DsH 123456 192.168.0.155 10 RADIUS -x
  = Radclient:: Invalid octet string 123456 for attribute name
User-Password

echo User-Name = DsH | .../radclient 192.168.0.155:1812 auth RADIUS
  = User-Name = DsH (several times until timeout: No response from
client ID...)



Anybody have any idea? I have tried for a while reading the manuals and
browsing the forum, but I just don't get it to work!

Any tips will be greatly appreciated!
Thanks in advance :)

/Knarkargott
-- 
View this message in context: 
http://www.nabble.com/FreeRadius-client-with-IAS-server--Wireshark---Code%3A-Access-Reject-%283%29-tp17622070p17622070.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: FreeRadius client with IAS server; Wireshark - Code: Access Reject (3)

2008-06-03 Thread Ivan Kalik
IAS has logs too.

Ivan Kalik
Kalik Informatika ISP




Re: FreeRadius client with IAS server; Wireshark - Code: Access Reject (3)

2008-06-03 Thread Knarkargott


Ivan Kalik wrote:
> IAS has logs too.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 3/6/2008, Knarkargott [EMAIL PROTECTED] wrote:

Sry, here are the logs from the IAS when I run Radclient. When I try
Radtest, there is no log in the IAS (since it says radclient::Invalid octet
string..., I suppose the fault is before the message comes to the IAS).

Log from IAS:
192.168.0.151,DsH,06/03/2008,15:31:17,IAS,YAMAHA,4108,192.168.0.151,4116,0,4128,DsH,4155,1,4154,Auth DsH,25,311 1 192.168.0.155 05/14/2008 08:48:18 949,4129,ASCOMDEV\DsH,4127,7,4149,Auth 192.168.0.151,4130,AscomDev.local/AscomDev/Users/DsH,4136,1,4142,0
192.168.0.151,DsH,06/03/2008,15:31:17,IAS,YAMAHA,25,311 1 192.168.0.155 05/14/2008 08:48:18 949,4108,192.168.0.151,4116,0,4128,DsH,4155,1,4154,Auth DsH,4129,ASCOMDEV\DsH,4127,7,4149,Auth 192.168.0.151,4130,AscomDev.local/AscomDev/Users/DsH,4136,3,4142,65


Re: FreeRadius client with IAS server; Wireshark - Code: AccessReject (3)

2008-06-03 Thread Ivan Kalik
This is a list to aid users of freeradius server. Not IAS. I have only
one more hint for you: iasparse.exe. No further questions about IAS will
be answered.

Ivan Kalik
Kalik Informatika ISP




Re: Group Expiration Date

2008-06-03 Thread Marinko Tarlac

Is your user inside that group? (usergroup table)



Re: Group Expiration Date

2008-06-03 Thread Oguzhan Kayhan
Hello,
Try adding the WISPr-Session-Terminate-Time parameter to radgroupreply.
It should work; normally it works with radreply, so there is no reason for it
not to work with group reply, I think.




Hints file and Strip-User-Name

2008-06-03 Thread Paul Khavkine
Hi.

I'm trying to match a suffix in the username using the hints file and
strip the suffix.

I have the following configured:

raddb/hints:

DEFAULT Suffix == .d, Strip-User-Name = Yes
        Hint = Dynamic

raddb/users:

DEFAULT Hint == Dynamic
        Framed-IP-Address := 255.255.255.254,
        Fall-Through = Yes

user    Cleartext-Password := password
        Service-Type = Framed-User,
        Framed-IP-Address = XXX.XXX.XXX.XXX,
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Session-Timeout = 604800,
        Idle-Timeout = 86400,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

When I run radiusd -W I can see it enter the preprocess module and match
an entry, but the suffix is not being stripped and the entry in the users file
is not being matched:


Tue Jun  3 12:54:15 2008 : Debug: +- entering group authorize
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Jun  3 12:54:15 2008 : Debug: rlm_realm: No '@' in User-Name = user.d, looking up realm NULL
Tue Jun  3 12:54:15 2008 : Debug: rlm_realm: No such realm NULL
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Jun  3 12:54:15 2008 : Debug: ++[suffix] returns noop
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Jun  3 12:54:15 2008 : Debug:   hints: Matched DEFAULT at 79
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Jun  3 12:54:15 2008 : Debug: ++[preprocess] returns ok
Tue Jun  3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Jun  3 12:54:15 2008 : Debug: auth: Failed to validate the user.
Tue Jun  3 12:54:15 2008 : Auth: Login incorrect: [user.d/password] (from client ERX-LAB port 2152726802 cli #ERX01.OTWODDS#BLC01.OTW23DS atm 3/1:0.35#)
Tue Jun  3 12:54:15 2008 : Debug:   Found Post-Auth-Type Reject
Tue Jun  3 12:54:15 2008 : Debug: +- entering group REJECT
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Tue Jun  3 12:54:15 2008 : Debug:   expand: %{User-Name} - user.d
Tue Jun  3 12:54:15 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Tue Jun  3 12:54:15 2008 : Debug:   modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Tue Jun  3 12:54:15 2008 : Debug: ++[attr_filter.access_reject] returns updated
Tue Jun  3 12:54:15 2008 : Debug: Delaying reject of request 0 for 1 seconds
Tue Jun  3 12:54:15 2008 : Debug: Going to the next request
Tue Jun  3 12:54:15 2008 : Debug: Waking up in 0.9 seconds.
Tue Jun  3 12:54:16 2008 : Debug: Sending delayed reject for request 0
Tue Jun  3 12:54:16 2008 : Debug: Waking up in 4.9 seconds.
Tue Jun  3 12:54:21 2008 : Debug: Cleaning up request 0 ID 5 with timestamp +79
Tue Jun  3 12:54:21 2008 : Debug: Ready to process requests.


Any ideas?

I'm running FreeRADIUS 2.0.3.

Thanx

Paul



Re: Hints file and Strip-User-Name

2008-06-03 Thread Ivan Kalik

> When run radiusd -W I can see it enter the preprocess module and match
> an entry, but the suffix is not being stripped and entry in users file
> not being matched:

Not being stripped? You think that's the problem.

> Tue Jun  3 12:54:15 2008 : Debug: +- entering group authorize
> Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
..
> Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
..
> Tue Jun  3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user


You haven't hacked away at the default configuration by any chance?
Users file entry is not matched because you prevented the server from
looking there. Even if you put files back in it still won't work as
you have broken every single authentication method. Well done! Now put
the configuration back the way it was and watch it work.

Ivan Kalik
Kalik Informatika ISP



RE: Hints file and Strip-User-Name

2008-06-03 Thread Paul Khavkine


files is there in authentication { } section.

authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
        #   digest

        #
        #  Pluggable Authentication Modules.
        #   pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        #   unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means check plain-text password against
        # the ldap database, which means that EAP won't work,
        # as it does not supply a plain-text password.
        #   Auth-Type LDAP {
        #           ldap
        #   }

        #
        #  Allow EAP authentication.
        eap
        files
}


Paul





RE: Hints file and Strip-User-Name

2008-06-03 Thread Ivan Kalik
authenticate{}??? What are they doing there. Files are a part of
authorize{} section.

Ivan Kalik
Kalik Informatika ISP




RE: Hints file and Strip-User-Name

2008-06-03 Thread Paul Khavkine

You are right actually, not having a good day today.

I unbroke my config and found what was originally not working: I had to uncomment 
the key setting in the files {} configuration block to match 
Stripped-User-Name in the users file.


Thanx
Paul
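
A simplified model of the outcome of this thread, added here as an example (it is not FreeRADIUS code): the hints entry adds Stripped-User-Name and Hint to the request, and the files lookup in authorize{} only finds the `user` entry when its key expands to the stripped name. The function names, the data layout and the reduction of pap to "a Cleartext-Password was found" are assumptions of the model; the entries mirror the hints and users lines posted earlier in the thread.

```python
import re

# Constructed data mirroring the raddb/hints and raddb/users entries above.
HINTS = [{"suffix": ".d", "strip": True, "add": {"Hint": "Dynamic"}}]
USERS = [
    # (name, check items compared with ==, control items set with :=, fall-through)
    ("DEFAULT", {"Hint": "Dynamic"}, {}, True),
    ("user", {}, {"Cleartext-Password": "password"}, False),
]

KEY_USER_NAME = "%{User-Name}"
KEY_STRIPPED = "%{Stripped-User-Name:-%{User-Name}}"


def expand_key(template, request):
    """Expand %{Attr} or %{Attr:-%{Fallback}} against the request."""
    m = re.fullmatch(r"%\{([\w-]+)(?::-%\{([\w-]+)\})?\}", template)
    if m is None:
        raise ValueError("unsupported key template: %r" % template)
    primary, fallback = m.groups()
    value = request.get(primary)
    if value is None and fallback is not None:
        value = request.get(fallback)
    return value or ""


def preprocess(request, hints):
    """Hints handling: the first entry whose suffix matches wins. User-Name
    itself is left alone; the stripped form goes into Stripped-User-Name."""
    name = request["User-Name"]
    for entry in hints:
        suffix = entry["suffix"]
        if name.endswith(suffix) and len(name) > len(suffix):
            if entry.get("strip"):
                request["Stripped-User-Name"] = name[:-len(suffix)]
            request.update(entry.get("add", {}))
            return True
    return False


def files(request, users, key_template):
    """Users-file lookup: returns (matched entry names, control items)."""
    key = expand_key(key_template, request)
    matched, control = [], {}
    for name, check, ctrl, fall_through in users:
        if name != "DEFAULT" and name != key:
            continue
        if any(request.get(attr) != value for attr, value in check.items()):
            continue
        matched.append(name)
        control.update(ctrl)
        if not fall_through:
            break
    return matched, control


def authorize(user_name, key_template, call_files=True):
    """Run the authorize{} steps of the model. call_files=False reproduces a
    configuration where files is not listed in authorize{} at all."""
    request = {"User-Name": user_name}
    preprocess(request, HINTS)
    matched, control = ([], {})
    if call_files:
        matched, control = files(request, USERS, key_template)
    # Model assumption: Auth-Type is only set once a known-good password exists.
    auth_type = "PAP" if "Cleartext-Password" in control else None
    return request.get("Stripped-User-Name"), matched, auth_type


if __name__ == "__main__":
    print(authorize("user.d", KEY_STRIPPED, call_files=False))
    print(authorize("user.d", KEY_USER_NAME))
    print(authorize("user.d", KEY_STRIPPED))
```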



Logs in radacct

2008-06-03 Thread Daniel Davidson
For some reason my accounting information isn't being written at all, even
though I cannot find a difference in the config file with another radius
server I am running.  I have included what I believe to be the
appropriate parts of radiusd -x below.  Seems like the
%{Client-IP-Address} directories are not created, but I don't know why.
I am using radius 1.1.5-1.

thanks,

Dan

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib64
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
...(skipping stuff).
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)

Detail Portion:

detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d:%H
        detailperm = 0600
}



Re: Logs in radacct

2008-06-03 Thread Ivan Kalik
radius logs what it receives. If NAS is not sending accounting packets ...

Ivan Kalik
Kalik Informatika ISP

