Re: Redundant waits for minutes to failover

2008-08-11 Thread Alan DeKok
Stefan A. wrote:
 I'm using 'redundant' to fail over from SQL to file-based authentication.
 
 When my MySQL server is gone, FR waits for minutes before going on to
 the next step...

  It's likely DNS.

 Accounting went through the redundant block directly into the file, without
 wasting time.

  Maybe because it already did DNS lookups, and those queries were cached.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help on Free Radius.

2008-08-11 Thread Le Sang
Hi Alan,

Although I followed the configuration on your website, FreeRADIUS still
does not work. Besides that, I also edited the users file in /etc/raddb with
Auth-Type ntlm_auth. Then I ran radius in debugging mode and it showed: auth type is
system and the authentication process failed.
Could you please tell me how to configure the users file in /etc/raddb?

Thanks.

--- On Mon, 8/11/08, Alan DeKok [EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Need help on Free Radius.
To: [EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Date: Monday, August 11, 2008, 1:48 AM

no name wrote:
 I have an Active Directory on Windows 2k3 and I want to use FreeRADIUS
 on a Linux machine for authenticating domain users. I tried to
 configure FreeRADIUS with ntlm_auth for authentication but it does not work.
 On the FreeRADIUS host I can authenticate successfully for a domain user with
 the command: ntlm_auth --domain=ABC --username=test (result: auth success
 (...)), but on the auth client, when I checked with a wrong name/pass, it
 still showed the message "auth success"; after that this user/pass
 cannot login to the device on the domain.
 Can anybody help me on this and share how to configure FreeRADIUS for
 authenticating domain users?

  Follow the instructions on my web site:

http://deployingradius.com/documents/configuration/active_directory.html

  And read the FAQ for "it doesn't work".

  Alan DeKok.




Re: Need help on Free Radius.

2008-08-11 Thread Alan DeKok
Le Sang wrote:
 Although I followed the configuration on your website, FreeRADIUS
 still does not work. Besides that, I also edited the users file in /etc/raddb
 with Auth-Type ntlm_auth. Then I ran radius in debugging mode and
 it showed: auth type is system and the authentication process failed.

  If it's doing that, it's because you are NOT following the instructions.

  Go back and read the instructions for editing the users file.

  Alan DeKok.


Re: Need help on Free Radius.

2008-08-11 Thread no name
Hi Alan,

I did what you wrote on your website but this problem
still happened. And I did not see how you work with the users file
(because I found that building FreeRADIUS involves 4 files: eap, radiusd.conf,
users, clients).
Would you tell me how to configure the users file, and anything I missed
in the configuration?

Thanks.

--- On Mon, 8/11/08, Alan DeKok [EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Need help on Free Radius.
To: [EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Date: Monday, August 11, 2008, 1:48 AM

no name wrote:
 I have an Active Directory on Windows 2k3 and I want to use FreeRADIUS
 on a Linux machine for authenticating domain users. I tried to
 configure FreeRADIUS with ntlm_auth for authentication but it does not work.
 On the FreeRADIUS host I can authenticate successfully for a domain user with
 the command: ntlm_auth --domain=ABC --username=test (result: auth success
 (...)), but on the auth client, when I checked with a wrong name/pass, it
 still showed the message "auth success"; after that this user/pass
 cannot login to the device on the domain.
 Can anybody help me on this and share how to configure FreeRADIUS for
 authenticating domain users?

  Follow the instructions on my web site:

http://deployingradius.com/documents/configuration/active_directory.html

  And read the FAQ for "it doesn't work".

  Alan DeKok.




RE: Juniper and Nortel user access [SEC=UNCLASSIFIED]

2008-08-11 Thread Ranner, Frank MR
UNCLASSIFIED

 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Ivan .
 Sent: Monday, 11 August 2008 13:58
 To: FreeRadius users mailing list
 Subject: Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]
 
 Hi Frank
 
 Another question, if that's cool?
 
 How do you manage user access? From what I can see the passwords
 are in clear text in the conf file, and as such the freeradius admin
 who adds the users will also add the passwords, or am I missing
 something?
 
 I am coming from a Cisco ACS background.
 

Having users and passwords in the users file is generally only used for
testing. In production, the users file is mainly used to test group
memberships, both user and client, and assign attributes based on those
memberships.

The actual authentication is done using a password file, LDAP directory
or SQL queries. Which of these you use is up to you. In my deployment, I
use an OpenLDAP server, which holds Unix, Netview, DokuWiki and RADIUS
users. RADIUS users have the radiusprofile objectclass, which allows me to
specify the radiusGroupName attribute, which specifies what devices the
user can access, and at what access level. For example a user may have in
LDAP:

radiusGroupName: passport_service
radiusGroupName: juniper_RO

In the raddb/users file a rule may be:

DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RO
        Service-Type := NAS-Prompt-User

This ties a group of devices to a group of users. In FreeRADIUS, a device
can belong to only one huntgroup, whereas users can be in many groups.

In any case, to address your initial concern, using LDAP or SQL allows you
to use whatever mechanism you like for account maintenance, completely
independent of the RADIUS server and its requirements.

You have a bit of a learning curve ahead of you, but it is worth it. Use
the -X switch on the server to see what it is doing, and make small
changes each time so you know where to look when you break it.

Regards,
Frank Ranner



Re: Need help on Free Radius.

2008-08-11 Thread Alan DeKok
no name wrote:
 I did what you wrote on your website but this problem still happened.

  The problem occurs only if you don't follow the instructions.

 And I did not see how you work with the users file (because I found
 that building FreeRADIUS involves 4 files: eap, radiusd.conf, users, clients).
 Would you tell me how to configure the users file, and anything I
 missed in the configuration?

  The instructions say to put the test entry that forces
Auth-Type := ntlm_auth at the TOP of the users file.  The only way to get the
messages you saw is:

  a) You didn't edit the users file.
  b) You put the entry at the BOTTOM of the users file.

  Alan DeKok.


Re: PPTP forward port per user

2008-08-11 Thread Evgeniy Kozhuhovskiy

Sascha Kiefer wrote:

Hi,

I would like to be able to forward internal ports of users through
the VPN. The idea is that a user picks 2-3 TCP ports (or maybe just one)
out of a given port pool, and when he connects to the VPN, this port
forwarding is established for him.

Any idea how to do this? I'm using pptpd with freeradius + mysql.


Any unused attribute + radattrs.so pppd's plugin + ip-up script with 
corresponding iptables.


--
With best regards, Evgeniy Kozhuhovskiy,
Leader of Services team,
Minsk State Phony Network, RUE Beltelecom.


Re: Need help on Free Radius.

2008-08-11 Thread no name
Hi Alan,

Yes. I edited the users file and checked that local auth was successful. But
now I want to use FreeRADIUS for authenticating users on the domain controller
(AD on Windows Server 2003) and it did not work.
Could you please tell me how to configure FreeRADIUS authentication for domain
users?

Thanks.

--- On Mon, 8/11/08, Alan DeKok [EMAIL PROTECTED] wrote:
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Need help on Free Radius.
To: [EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Date: Monday, August 11, 2008, 3:47 AM

no name wrote:
 I did like you wrote on your website but this problem still happened.

  The problem occurs only if you don't follow the instructions.

 And I did not see how you work with the users file (because I found
 that building FreeRADIUS involves 4 files: eap, radiusd.conf, users, clients).
 Would you tell me how to configure the users file, and anything I
 missed in the configuration?

  The instructions say to put the test entry that forces
Auth-Type := ntlm_auth at the TOP of the users file.  The only way to get the
messages you saw is:

  a) You didn't edit the users file.
  b) You put the entry at the BOTTOM of the users file.

  Alan DeKok.




Best config practices?

2008-08-11 Thread sphaero

I'm setting up a new freeradius setup using many different authorization
modules, mostly ldap and sql modules. For authentication I'm hoping to use
the defaults and as few custom modules as possible, but I have to use some of
the ldap backends for authentication as well (simple bind).

I wonder what the best configuration practices are. I've heard Alan DeKok say
it many times:
http://deployingradius.com/documents/configuration/setup.html. So I want to
change the default config as little as possible.

I was thinking to start adding a few custom files to include in the default
config.

$raddb/custom_mods.conf : the custom ldap and sql module definitions
$raddb/custom_auth.conf : custom authentication entries
$raddb/custom_autz.conf : custom authorization entries

I'm using realms to link the different authorization modules. If I'm correct
I need to add every realm to the proxy.conf file and set it to LOCAL. Is
this really needed?

realm test.com {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

Finally I need to add the realms to users file

DEFAULT Realm == test.com, Autz-Type := test.com

(Auth-Type should be figured out by freeradius)

Is this the best way to setup a decent configuration? I'd like to skip the
proxy.conf configuration since it's saying the same for all realms. Anyone
some suggestions?

Rg,

Arnaud Loonstra
-- 
View this message in context: 
http://www.nabble.com/Best-config-practices--tp18922693p18922693.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Need help on Free Radius.

2008-08-11 Thread Alan DeKok
no name wrote:
 Yes. I edited the users file and checked that local auth was
 successful. But now I want to use FreeRADIUS for authenticating
 users on the domain controller (AD on Windows Server 2003) and it did not work.

  See the FAQ for "it doesn't work".

 Could you please tell me how to configure FreeRADIUS authentication for
 domain users?

  My web page explains how.  The FAQ explains how to ask questions on
this list.

  Saying repeatedly "it doesn't work" is useless.  It wastes your time,
and ours.

  Alan DeKok.


Re: Best config practices?

2008-08-11 Thread Alan DeKok
sphaero wrote:
 I was thinking to start adding a few custom files to include in the default
 config.
 
 $raddb/custom_mods.conf : the custom ldap and sql module definitions
 $raddb/custom_auth.conf : custom authentication entries
 $raddb/custom_autz.conf : custom authorization entries

  In 2.0.5, the raddb/modules directory can hold modules.  The
raddb/sites-enabled/ directory holds custom virtual servers.

 I'm using realms to link the different authorization modules.

  I'm not sure what that means.

 If I'm correct
 I need to add every realm to the proxy.conf file and set it to LOCAL. Is
 this really needed?

  You need to add realms to proxy.conf.  See the default proxy.conf,
realm LOCAL for an example of configuring a local realm.

 Finally I need to add the realms to users file
 
 DEFAULT Realm == test.com, Autz-Type := test.com

  That will work.  But in 2.0.5, I would suggest *not* using Autz-Type.
 The new virtual server functionality is much more powerful.

  Still... if this works for you, there's no harm in using it.

  Alan DeKok.


Re: Best config practices?

2008-08-11 Thread sphaero



Stefan Winter-4 wrote:
 
 
 Well, if you have LOCAL for *every* realm, my suggestion would be to 
 not call any realm module at all. Then the proxy.conf file is ignored 
 and you can leave it untouched.
 
 Then, obviously using Realm == test.com in the users file should be 
 replaced. You can do it by
 
 DEFAULT User-Name =~ [EMAIL PROTECTED], Autz-Type := test.com
 
 HTH,
 
 Stefan Winter
 

That's a handy suggestion. But what if I want to proxy certain realms to other
radius servers? I would still need to use the proxy.conf file. I might set
realm DEFAULT in proxy.conf and
DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := test.com
and I'm back in business :)

Thanks,

Arnaud

-- 
View this message in context: 
http://www.nabble.com/Best-config-practices--tp18922693p18923309.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



[OT] radius, pam and ts

2008-08-11 Thread Vittore Zen
Hi to everyone,

I know this is an OT post but I don't know where else to post.

I have a freeradius server that works fine.
I have an LTSP that works fine (with passwd users) (it's an Ubuntu
8.04 with LTSP correctly installed).

Now I want to use freeradius to authenticate users on the LTSP desktop.

So, I thought to install http://freeradius.org/pam_radius_auth but no
request is sent to the freeradius server.

The questions:
1. where install pam_radius_auth? In /etc or in /opt/ltsp/i386/etc?
2. how to configure for ltsp?

Thanks in advance
v.


Re: Freeradius SNMP support

2008-08-11 Thread David Wood

Hi Maxim, Alan and all,

In message [EMAIL PROTECTED], Alan DeKok 
[EMAIL PROTECTED] writes

Maxim Sirenko wrote:

Why in freebsd ports freeradius with SNMP support uses ucd-snmp but not
net-snmp port?


 Because the code in FreeRADIUS was written before net-snmp existed,
and the code hasn't been updated.


I do read this list. However, when there's a FreeBSD problem, it can be 
worth checking the FreeBSD PRs as well.


http://www.freebsd.org/cgi/query-pr.cgi?pr=115758 contains a full 
explanation of the current situation - though the title is somewhat 
cryptic, even if it was in English. Without UCD SNMP compatibility 
support in FreeBSD's Net SNMP port, the only option for FreeRADIUS built 
with SNMP support has to depend on UCD SNMP.


The now obsolete FreeRADIUS SNMP code isn't that great - it's not 64 bit 
clean and it relies on the obsolete SMUX protocol. The new 
implementation that will appear in 2.0.6 is much better.




 See the latest version from git for new SNMP support.


Hopefully it won't be too long until 2.0.6 is released; when it is 
released I'll update the net/freeradius2 port for the new SNMP support. 
As soon as I get time, I'll retrieve the current version of FreeRADIUS 2 
from git, and get on with the necessary work in anticipation of 2.0.6 
being released.



Best wishes,



David
(FreeBSD net/freeradius and net/freeradius2 ports maintainer)
--
David Wood
[EMAIL PROTECTED]


Re: Best config practices?

2008-08-11 Thread sphaero

Ok,

To finalise for the archive:

In the freeradius config directory I create the following 3 files:
custom-mods.conf, custom-autz.conf, custom-auth.conf

custom-mods.conf:
ldap bla1 {
        server = 10.48.65.1
        port = 636
        basedn = "o=bla1"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        access_attr = cn
        tls_require_cert = never
        set_auth_type = yes
}
ldap bla2 {
        server = 10.60.65.1
        port = 636
        basedn = "o=bla2"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        access_attr = cn
        tls_require_cert = never
        set_auth_type = yes
}
sql bla3 {
        driver = rlm_sql_unixodbc
        # Connect info
        server = mssql
        login = login_User
        password = passs
        radius_db = database

        acct_table1 = radacct
        acct_table2 = radacct

        authcheck_table = table_user
        authreply_table = table_user

        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = usergroup

        deletestalesessions = yes

        # Print all SQL statements when in debug mode (-x)
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql

        # number of sql connections to make to server
        num_sql_socks = 5
        sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
        # Custom query that sets up the attributes!
        authorize_check_query = "SELECT UserID,Username,'SHA-Password' AS \
                Attribute, Password, ':=' AS Op FROM ${authcheck_table} \
                WHERE Username = '%{SQL-User-Name}' ORDER BY UserID"
        authorize_reply_query = "SELECT UserID,Username FROM ${authreply_table} \
                WHERE Username = '%{SQL-User-Name}' ORDER BY UserID"
}

custom-autz.conf:
Autz-Type bla1 {
        bla1
}
Autz-Type bla2 {
        bla2
}
Autz-Type bla3 {
        bla3
}

custom-auth.conf:
Auth-Type bla1 {
        bla1
}
Auth-Type bla2 {
        bla2
}

add in proxy.conf:
realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

and finally in users:
DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := bla1
DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := bla2
DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := bla3

that's it. This is for the 1.1 series. 2.0 could be done differently.
Correct?

Rg,

Arnaud

-- 
View this message in context: 
http://www.nabble.com/Best-config-practices--tp18922693p18924526.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Accounting

2008-08-11 Thread Jonathan Gazeley

Phil Mayers wrote:

Your NAS needs to support interim accounting.
Thanks for your help. After your recommendation I did some reading and 
came across this: 
http://www.netexpertise.eu/en/freeradius/daily-accounting.html


We are using Cisco WiSMs, which don't seem to support the command "aaa 
accounting update periodic 180" (after "aaa" the only available option 
is "auth"). I can't find anything useful on Google.


Can anyone verify whether this type of setup is possible with WiSMs? The 
author of the article refers to a Cisco router, which I took to mean 
WiSMs, as I do not believe our routers here have anything to do with the 
AAA process.


Cheers,
Jonathan


Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless  VPN Team
Information Services
University of Bristol




Why do I need to force Auth-Type?

2008-08-11 Thread sphaero

In a previous post ("PAP what password encryption is used?") I managed to get
authentication working with an mssql backend, however I need to force
Auth-Type := PAP. I read it's bad practice to force the Auth-Type, so I was
wondering what I could do to let freeradius figure out the authentication
itself.

This is all done on freeradius 1.1.6 (OSS 10.3)

I've setup an sql module:

sql mssql {
        driver = rlm_sql_unixodbc
        # Connect info
        server = test
        login = Radius_User
        password = blabla
        radius_db = V2
        # not used, but set anyway!
        acct_table1 = radacct
        acct_table2 = radacct

        authcheck_table = user
        authreply_table = user

        # not used, but set anyway!
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = usergroup
        # Remove stale session if checkrad does not see a double login
        deletestalesessions = yes

        # Print all SQL statements when in debug mode (-x)
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql

        # number of sql connections to make to server
        num_sql_socks = 5
        sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
        # Custom query that sets up the attributes!
        authorize_check_query = "SELECT UserID,Usernaam,'SHA-Password' AS \
                Attribute, Wachtwoord, ':=' AS Op FROM ${authcheck_table} \
                WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID"
        authorize_reply_query = "SELECT UserID,Usernaam from {authreply_table} \
                WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID"
}

You can see I'm using a custom SQL query to get the right attributes. I can
only compare username and password in this database. I actually don't need
any groupcheck's etc.

I've setup its authorize entry:
Autz-Type mssql {
mssql
}

and finally in users file:
DEFAULT Realm == mssql.nl, Autz-Type := mssql

This setup doesn't work:
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm mssql.nl for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = lsa
rlm_realm: Proxying request from user lsa to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 1
users: Matched entry DEFAULT at line 153
  modcall[authorize]: module files returns ok for request 1
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
  Found Autz-Type mssql
  Processing the authorize section of radiusd.conf
modcall: entering group mssql for request 1
radius_xlat:  'lsa'
rlm_sql (mssql): sql_set_user escaped user -- 'lsa'
radius_xlat:  'SELECT UserID,Usernaam,'SHA-Password' AS Attribute,
Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' ORDER BY UserID'
rlm_sql (mssql): Reserving sql socket id: 3
radius_xlat:  ''
radius_xlat:  'SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam
= 'lsa' ORDER BY UserID'
rlm_sql_getvpdata: database query error
radius_xlat:  ''
rlm_sql (mssql): Released sql socket id: 3
  modcall[authorize]: module mssql returns ok for request 1
modcall: leaving group mssql (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 223 to 127.0.0.1 port 32770
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20

If I add Auth-Type in users file it works:
DEFAULT Realm == mssql.nl, Autz-Type := mssql, Auth-Type := PAP

Rg,

Arnaud Loonstra


-- 
View this message in context: 
http://www.nabble.com/Why-do-I-need-to-force-Auth-Type--tp18925418p18925418.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



SOLVED - Re: xp sp3 and freeradius 2.0.5

2008-08-11 Thread Oxiel Contreras
Hello.

Thanks to all for your accurate replies. Lech was right, the problem with the 4500 
is the handshake (dis)function; it works like a charm!!, and so does Cisco gear 
too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, 
Vista, Win2KX.

BUT, the 5500 is not working. The characteristics of this switch are:

5500G-EI - 3CR17254-91
os 3.02.04s168
bootrom v 4.0.3

This firmware version is the latest available as of today, and doesn't have the 
option to disable handshake, so it doesn't work at all. For any soul out 
there trying to make this switch work, help me out to ask 3COM to correct 
their software and allow disabling handshake as the 4500's do..

Best regards, to all of you, this software and this list rocks!!!

Oxiel

On Fri 08 Aug 2008, Lech Karol Pawłaszek wrote:
 Arran Cudbard-Bell wrote:
  I let the client stay on VLAN1, not moving to another vlan, the same
  behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the
  exclamation icon appears, no ping to the client at all.
 
  What can it be? What am I doing wrong? Is the problem XP SP3, or
  is it the 3COM 5500G-EI?
 
  Didn't we have exactly the same problem on the list, like a week ago?
  You have upgraded to the latest firmware for your 3COM switch, right?

 Yup. It's me who had this problem. Actually my switches are from the 4500
 family and Oxiel's are 5500, however those families are kind of similar.

 Oxiel: use the newest available firmware for your switches (the one from
 12th of May) - namely 3.03.1.

 Then disable the handshake (dis)function.

 <5500> system-view
 [5500] undo dot1x handshake enable

 And - because I've found another bug - you'll have to use the port based
 authentication method instead of the default mac based one:

 [5500] dot1x port-method portbased

 If you will have any further questions - feel free to ask.

 Kind regards,





Re: SOLVED - Re: xp sp3 and freeradius 2.0.5

2008-08-11 Thread Krzysztof Olędzki

On 2008-08-11 15:10, Oxiel Contreras wrote:

Hello.

Hello,

Thanks to all for your accurate replies, Lech was right, the problem with 4500 
is the handshake (dis)function, it works like a charm!!, so does cisco gear 
too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, 
Vista, Win2KX.


BUT, 5500 is not working, the characteristics of this switch are:

5500G-EI - 3CR17254-91
os 3.02.04s168
bootrom v 4.0.3

This firmware version is the latest available as of today, 


No, it is not:

http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CR17250-91&order=desc

Filename             Release Date  Version  File Size
s4c03_03_01s168.exe  01 Apr 2008   3.03.01  12.77 MB

3CR17254-91 is only a chassis.

Best regards,

Krzysztof Olędzki



problem with fall-through

2008-08-11 Thread Wayne Lee
Hello All

We are using version 2.0.5 with a mysql backend. 99.9% of the radius
service is working as expected :-)

However I'm trying to also use the users file so I can give some
default answers back to a particular NAS. I have set Fall-Through =
No but it still falls through to the sql server and provides the sql
info back too; if the user is not also in the sql table it only
provides the correct info.

from my users file

DEFAULT  Client-IP-Address =~ 82.1x.x.130\$, Auth-Type := Accept
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Service-Type := Framed-User,
        Tunnel-Password := radadmin,
        Tunnel-Server-Endpoint := 82.x.x.253,
        # Tunnel-Client-Auth-ID := ,
        Fall-Through = No

Should it fall through to the sql module even with Fall-Through set to
No, or have I misunderstood it?


Thanks

Wayne


registered to wrong realm

2008-08-11 Thread Yoho, Cindy
Everything works down to "Configuring FreeRADIUS to use ntlm_auth
for MS-CHAP". I am using the doc at
http://deployingradius.com/documents/configuration/active_directory.html
When I try to connect through the modem bank, I get this:


 rlm_realm:  Looking up realm umpublishing.org for User-Name = 
 [EMAIL PROTECTED]
 rlm_realm:  No such realm umpublishing.org



When I registered my Linux server with AD using the "net join -U
administrator" command, it came back successful but said it was using
the short name UMPH - is there any way to force it to use the
umpublishing.org realm? I don't remember the exact message; is it OK to
run this command again so I can write down exactly what it said? Should
I UNjoin myself first :-)?  I thought at the time that it was fine,
since the Windows login screen has UMPH in the pulldown for network
logins, but our AD admin said the AD domain and the AD realm are both
umpublishing.org, and the UMPH is a holdover from the old days.



Thanks in advance for any help~
Cindy Yoho




Re: problem with fall-through

2008-08-11 Thread Phil Mayers

Wayne Lee wrote:

Hello All

We are using version 2.0.5 with a mysql backend. 99.9% of the radius
service is working as expected :-)

However I'm trying to also use the users file so I can give some
default answers back to a particular NAS. I have set Fall-Through =
No but it still falls through to the sql server and provides the sql
info back too; if the user is not also in the sql table it only
provides the correct info.

from my users file

DEFAULT  Client-IP-Address =~ 82.1x.x.130\$, Auth-Type := Accept
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Service-Type := Framed-User,
        Tunnel-Password := radadmin,
        Tunnel-Server-Endpoint := 82.x.x.253,
        # Tunnel-Client-Auth-ID := ,
        Fall-Through = No

Should it fall through to the sql module even with Fall-Through set to
No, or have I misunderstood it?


Fall-Through is local to the users file.

You can use unlang/module return codes e.g.:

authorize {
  redundant {
    files
    sql
  }
}

...see doc/configurable-failover and man unlang
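A constructed Python model, added here and not FreeRADIUS code nor anything either poster wrote, of the two points raised in this thread and in Arnaud's "Why do I need to force Auth-Type?" post above: Fall-Through ends only the walk of the users file, so a later module such as sql still runs; and rlm_pap sets Auth-Type only if a known-good password is already among the config items when pap runs, which is why an SQL module that runs later in an Autz-Type sub-section leaves the request with no Auth-Type and an Access-Reject. The user rows, the user names and the 192.0.2.130 NAS address are assumptions.

```python
# Constructed toy model of the FreeRADIUS 1.x / 2.0 authorize -> authenticate flow.
import hashlib
import hmac
import re

KNOWN_GOOD = ("User-Password", "Crypt-Password", "MD5-Password", "SHA-Password")

# Constructed rows standing in for the SQL check and reply tables.
SQL_CHECK = {"lsa": {"SHA-Password": hashlib.sha1(b"geheim").hexdigest()},
             "wayne": {"SHA-Password": hashlib.sha1(b"pw").hexdigest()}}
SQL_REPLY = {"wayne": {"Framed-IP-Address": "10.0.0.5"}}

# users-file entries as (check items, reply items).  Wayne's NAS address is masked
# on the list, so 192.0.2.130 is a placeholder; the 2nd entry only shows the skip.
USERS = [
    ([("Client-IP-Address", "=~", r"192\.0\.2\.130$"), ("Auth-Type", ":=", "Accept")],
     [("Tunnel-Type", "=", "L2TP"), ("Service-Type", ":=", "Framed-User"),
      ("Fall-Through", "=", "No")]),
    ([("Client-IP-Address", "=~", r"192\.0\.2\.130$")], [("Reply-Message", "=", "2nd")]),
    ([("Realm", "==", "mssql.nl"), ("Autz-Type", ":=", "mssql")], []),
]

def _check(request, attr, op, value):
    """':=' and '=' assign; '==' and '=~' must match the request."""
    actual = request.get(attr, "")
    return (op in (":=", "=") or (op == "==" and actual == value)
            or (op == "=~" and re.search(value, actual) is not None))

def rlm_files(request, config, reply):
    """Walk USERS; a match without Fall-Through = Yes ends the walk of this file only."""
    matched = False
    for check, reply_items in USERS:
        if not all(_check(request, a, op, v) for a, op, v in check):
            continue
        matched = True
        config.update({a: v for a, op, v in check if op in (":=", "=")})
        reply.update({a: v for a, _, v in reply_items if a != "Fall-Through"})
        if ("Fall-Through", "=", "Yes") not in reply_items:
            break
    return "ok" if matched else "noop"

def rlm_sql(request, config, reply):
    """Merge the user's SQL check and reply rows (a separate module from files)."""
    name = request.get("Stripped-User-Name") or request.get("User-Name")
    if name not in SQL_CHECK:
        return "notfound"
    config.update(SQL_CHECK[name])
    reply.update(SQL_REPLY.get(name, {}))
    return "ok"

def rlm_pap_authorize(request, config, reply):
    """Set Auth-Type := PAP only if a known-good password is already in config;
    otherwise this is the 'No known good password found' warning and a noop."""
    if ("Auth-Type" in config or "User-Password" not in request
            or not any(k in config for k in KNOWN_GOOD)):
        return "noop"
    config["Auth-Type"] = "PAP"
    return "updated"

def authenticate(request, config):
    """No Auth-Type is the log's 'No authenticate method ... Rejecting the user'."""
    auth_type = config.get("Auth-Type")
    if auth_type == "Accept":
        return "ok"
    if auth_type != "PAP":
        return "reject"
    try:  # real rlm_pap also accepts raw and base64 SHA-Password; hex only here
        digest = bytes.fromhex(config.get("SHA-Password", ""))
    except ValueError:
        return "reject"
    given = hashlib.sha1(request["User-Password"].encode()).digest()
    return "ok" if hmac.compare_digest(given, digest) else "reject"

def run(request, main_section, autz_sections=None):
    """Main section, then the Autz-Type sub-section, then authenticate
    (module reject/fail codes are not modelled; every module continues)."""
    config, reply = {}, {}
    for module in main_section:
        module(request, config, reply)
    for module in (autz_sections or {}).get(config.get("Autz-Type"), []):
        module(request, config, reply)
    return authenticate(request, config), config, reply

SPHAERO = {"User-Name": "lsa@mssql.nl", "Stripped-User-Name": "lsa",
           "Realm": "mssql.nl", "User-Password": "geheim"}
WAYNE = {"User-Name": "wayne", "Client-IP-Address": "192.0.2.130",
         "User-Password": "pw"}

def sphaero_as_posted():
    """sql only in the Autz-Type sub-section: pap runs before SHA-Password exists."""
    return run(SPHAERO, [rlm_files, rlm_pap_authorize], {"mssql": [rlm_sql]})

def sphaero_sql_before_pap():
    """sql ahead of pap in the main section: pap sets Auth-Type := PAP itself."""
    return run(SPHAERO, [rlm_files, rlm_sql, rlm_pap_authorize])

def wayne_fall_through():
    """Fall-Through = No stops the users file, but the sql module still runs."""
    return run(WAYNE, [rlm_files, rlm_sql, rlm_pap_authorize])
```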


rlm_perl not working as expected on 2.0.5

2008-08-11 Thread Henry
Greetings,

I'm busy trying out Freeradius 2.0.5 before upgrading from 1.1.0, and so
far everything looks good.  I would like to try out rlm_perl since it
presents some interesting possibilities, but am having a spot of bother.

I followed the howto here: http://wiki.freeradius.org/Rlm_perl

rlm_perl isn't even loaded/instantiated unless I add 'perl' to the
instantiate section of radiusd.conf.

Even if I do, however, I keep getting this error:

Parse error (check) for entry DEFAULT: Unknown value Perl for attribute
Auth-Type

Any pointers on what I'm missing/doing wrong would be appreciated.

Thanks
Henry


Here's the debug:

Mon Aug 11 15:58:53 2008 : Info: FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Aug  8 2008 at 18:56:21
Mon Aug 11 15:58:53 2008 : Info: Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
Mon Aug 11 15:58:53 2008 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Mon Aug 11 15:58:53 2008 : Info: PARTICULAR PURPOSE.
Mon Aug 11 15:58:53 2008 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Mon Aug 11 15:58:53 2008 : Info: GNU General Public License v2.
Mon Aug 11 15:58:53 2008 : Info: Starting - reading configuration files ...
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/radiusd.conf
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/proxy.conf
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/clients.conf
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/snmp.conf
Mon Aug 11 15:58:53 2008 : Debug: including files in directory /usr/local/freeradius-2.0.5/etc/raddb/modules/
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/policy
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/acct_unique
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/unix
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/chap
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/preprocess
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/expiration
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/mac2vlan
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/mschap
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/ippool
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/files
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/krb5
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/passwd
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/radutmp
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/attr_rewrite
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/echo
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/etc_group
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/pap
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/realm
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/pam
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/always
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/exec
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/logintime
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/sql_log
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/smbpasswd
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/sradutmp
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/counter
Mon Aug 11 15:58:53 2008 : Debug: including configuration file /usr/local/freeradius-2.0.5/etc/raddb/modules/ldap
Mon Aug 11 15:58:53 2008 : Debug:
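
The parse error quoted above is raised by the files module while it reads raddb/users: at that moment no Auth-Type value named Perl exists. In FreeRADIUS 2.x a module is loaded only when some section references it (which is why adding it to instantiate makes it appear), and an Auth-Type value is created for each module listed in the authenticate section of the virtual server; the authenticate section is loaded before authorize, so a users entry can then refer to that value. The fragment below is an added illustration, not text from the post or from the wiki page it links; it assumes the stock 2.0.x layout (raddb/modules/perl, raddb/sites-available/default), and example.pl stands for whatever script is actually in use.

```text
# raddb/modules/perl -- shipped with 2.0.x; point it at the script
perl {
        module = ${confdir}/example.pl
}

# raddb/sites-available/default -- the other entries stay as shipped
authorize {
        preprocess
        perl            # runs the script's authorize() sub before files
        files
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        perl            # listing the module here creates the Auth-Type value "Perl"
}

# raddb/users -- parses once the value above exists when this file is read
DEFAULT Auth-Type := Perl
```

The users entry can be dropped if the script's authorize() sub sets $RAD_CHECK{'Auth-Type'} = 'Perl' itself; the perl entry in authenticate is needed either way. Because the script's authenticate() sub decides the outcome and runs inside radiusd with its privileges, keep the file owned by root and writable only by root: whoever can edit it decides who receives an Access-Accept.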

Lost entries from reply with multiple instances of the same attribute

2008-08-11 Thread Konstantin KABASSANOV
Hi,

Some months ago I mentioned a problem observed while sending Access-Accept
with multiple Cisco-AVPair=ssid=... entries. Even if fields are correctly
retrieved from the LDAP server, only the first occurrence of the attribute
is sent in the packet. Can you tell me if recent developments have solved
this issue?

Thanks.

Konstantin   

_

Konstantin KABASSANOV
LIP6/CNRS
104, avenue du Président Kennedy, 75016 Paris, France 
Phone: +33 (0) 1 44 27 71 26   Fax: +33 (0) 1 44 27 74 95
 
E-mail: [EMAIL PROTECTED]  Web: http://www.kabassanov.com
Certificate: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
_




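
The question above is about how many instances of one attribute end up in the Access-Accept. The wire format itself has no such limit: each Cisco-AVPair is its own Vendor-Specific attribute (type 26, vendor 9, vendor-type 1) and a reply may carry as many as fit in 4096 bytes. The Python below is an added example, not FreeRADIUS code, that builds an Access-Accept with three Cisco-AVPair values, signs it with the RFC 2865 Response Authenticator, and parses it back keeping every instance, so the same parser can be pointed at a captured reply to count what a server really sent. The shared secret, request authenticator and attribute values are constructed for the demonstration.

```python
"""Encode/decode a RADIUS Access-Accept carrying several Cisco-AVPair values.

Constructed example, not FreeRADIUS code: secret, request authenticator and
attribute values below are made up.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of Cisco-AVPair inside the VSA


def tlv(attr_type, value):
    """One top-level attribute: Type, Length (covers the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """One Cisco-AVPair as a Vendor-Specific attribute: Vendor-Id, then a vendor TLV."""
    payload = text.encode()
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def build_access_accept(ident, request_auth, secret, attrs):
    """Code | Identifier | Length | Response Authenticator | Attributes.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(pkt, request_auth, secret):
    """Recompute the Response Authenticator; a reply that fails this must be dropped."""
    head, got, attrs = pkt[:4], pkt[4:20], pkt[20:]
    want = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)


def parse_attributes(pkt):
    """(type, value) for plain attributes, (26, vendor_id, vendor_type, value) for VSAs.

    Nothing is de-duplicated, so a caller can count how many copies of one
    attribute the reply really carries.
    """
    out = []
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match the packet")
    pos = 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short at offset %d" % pos)
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):        # one VSA may hold several vendor TLVs
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed vendor TLV at offset %d" % (pos + 2 + vpos))
                out.append((attr_type, vendor_id, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append((attr_type, value))
        pos += attr_len
    return out


def cisco_avpairs(pkt):
    """All Cisco-AVPair strings in a reply, in wire order."""
    return [a[3].decode() for a in parse_attributes(pkt)
            if a[0] == ATTR_VENDOR_SPECIFIC and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR]


# Constructed inputs standing in for a real exchange.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
WANTED = ["ssid=corp", "ssid=guest", "vlan-id=42"]


def demo():
    """Build a reply with three Cisco-AVPair instances and read them all back."""
    attrs = tlv(ATTR_USER_NAME, b"bob") + b"".join(cisco_avpair(v) for v in WANTED)
    pkt = build_access_accept(7, REQUEST_AUTH, SECRET, attrs)
    if not verify_response(pkt, REQUEST_AUTH, SECRET):
        raise RuntimeError("authenticator mismatch")
    return cisco_avpairs(pkt)


if __name__ == "__main__":
    print(demo())
```

To check a live server, feed parse_attributes() the UDP payload of the Access-Accept from a capture (or from radclient -x output) and compare the count against what the LDAP lookup returned; the authenticator check needs the Request Authenticator of the matching Access-Request and the client's shared secret.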


RE: Multiple NAS

2008-08-11 Thread Rana Dhekial

Hi Alan,
 
How do I create conditional statement to uniquely identify different NAS 
vendors to use its sql.conf ?  Is it something like
 
if ( NAS-IP-Address = cisco's IP address )
 
$INCLUDE ${confdir}/sql1.conf
 
 
else ( NAS-IP-Address = Asterisk's IP address )
 
$INCLUDE ${confdir}/sql2.conf 
 
in the radiusd.conf file ?
 
thanks,
 Date: Sat, 9 Aug 2008 10:45:10 +0200
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Multiple NAS
 
 Rana Dhekial wrote:
  So the idea is to create multiple tables in the database where
  Freeradius is writing and store Cisco's accounting info to say
  radacct_1, Asterisk's to radacct_2, OpenSER's to radacct_3 tables.
 
  You can update the table name on the fly. In 2.0.5, set SQL-Table-Name,
 and then edit the SQL queries to replace the references to ${acct_table}
 with %{%{SQL-Table-Name}:-${acct_table}}
 
  Alan DeKok.
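
One way to write what Rana asks for, as an added illustration rather than anything posted in the thread: `$INCLUDE` is resolved when radiusd parses its configuration, so it cannot sit inside an `if` and cannot pick a file per packet. What varies per packet is an attribute, so the per-NAS choice is made with unlang in the virtual server by setting `SQL-Table-Name`, as Alan's reply above says, and the sql queries expand it. The fragment assumes the stock 2.0.x layout (`raddb/sites-available/default`, `raddb/sql/mysql/dialup.conf`, with `acct_table1` and `acct_table2` defined in `sql.conf`); addresses and table names are placeholders. It keys on `Packet-Src-IP-Address`, the address the shared secret in clients.conf was matched against, rather than on the NAS-IP-Address attribute, which is a value the device fills in itself.

```text
# raddb/sites-available/default -- choose the table before sql runs
preacct {
        preprocess
        acct_unique
        suffix
        files

        # Placeholder addresses; unlang compares with "==", not "=".
        if (Packet-Src-IP-Address == 192.0.2.10) {
                update request {
                        SQL-Table-Name := "radacct_cisco"
                }
        }
        elsif (Packet-Src-IP-Address == 192.0.2.20) {
                update request {
                        SQL-Table-Name := "radacct_asterisk"
                }
        }
        # no branch matched: SQL-Table-Name stays unset and the queries
        # fall back to ${acct_table1} / ${acct_table2} from sql.conf
}

accounting {
        detail
        sql
}

# raddb/sql/mysql/dialup.conf -- one query shown with the column list
# shortened; apply the same substitution to every query that names
# ${acct_table1} or ${acct_table2}
accounting_start_query = "INSERT INTO %{%{SQL-Table-Name}:-${acct_table1}} \
        (acctsessionid, acctuniqueid, username, nasipaddress, acctstarttime) \
        VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', '%{NAS-IP-Address}', '%S')"
```

Each radacct_* table needs the same schema as radacct, and the fallback keeps writing to the shipped table for any NAS that matches no branch. The expanded table name is spliced into the SQL text unquoted, so it must only ever come from literals in the server's own configuration as above; deriving it from anything in the packet, such as %{NAS-Identifier}, would hand the NAS control over the query.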

Scour invite from yawar hadi noshahi

2008-08-11 Thread yawar hadi noshahi
Did you hear about Scour? It is the next gen search engine with
Google/Yahoo/MSN results and user comments all on one page. Best of all we
get rewarded for using it by collecting points with every search, comment
and vote. The points are redeemable for Visa gift cards. It's like earning
credit card or airline points just for searching. Hit the link below to join
and we will both get points!

http://scour.com/invite/yawar/

I know you'll like it!

- yawar hadi noshahi





If you would prefer not to receive invitations from ANY Scour members 
please click here - 
http://www.scour.com/unsub/e/ZnJlZXJhZGl1cy11c2Vyc0BsaXN0cy5mcmVlcmFkaXVzLm9yZw==

Scour, Inc., 15303 Ventura Blvd. Suite 860, Sherman Oaks, CA 91403, USA.
