Re: 2.0.5 on Solaris with openssl 0.9.8h

2008-08-12 Thread Alan DeKok
Rafiqul Ahsan wrote:
> I am facing some challenges building Freeradius 2.0.5 (Solaris OS)
> with openssl version 0.9.8h. Solaris 10 comes with a prebuilt openssl
> version, found at /usr/sfw/bin/openssl, version 0.9.7d. Prior to
> building freeradius I built a newer openssl version (v.0.9.8h), located
> in /usr/local/ssl. Here are the two openssl versions I now have on my
> Solaris.

  Why not just install the OpenSSL from sunfreeware?  They have a
package pre-built...

> When I built Freeradius 2.0.5 (I simply executed three commands,
> ./configure, make and make install), I was expecting that it would
> build with my desired openssl version.

  Why?  How does it know what you desire?  Did you configure the linker
to prefer one version over the other?  Did you configure the C "include"
references to prefer one over the other?

> this. I sent the openssl community this question; they wanted me to verify
> whether I actually built freeradius with this new openssl version.

  Well... of course.

> I am not able to tell what library it is actually built with,
> because I could not figure it out from the build log, nor from configure. But
> if I use the configure options below, I see a rolling error (which is
> telling me that I must not have built freeradius with openssl
> 0.9.8h?):

  No idea.
...
> Text relocation remains referenced
> against symbol  offset  in file
>0x0
> /usr/local/ssl/lib/libssl.a(ssl_lib.o)

  That's a fairly useless error.  Are you sure that the libssl.a file is
really a library, and not something else?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
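Alan's point ("how does it know what you desire?") comes down, in practice, to checking what the finished binary actually pulled in rather than what configure was told. The following is an added example, not code from this thread or from the FreeRADIUS project: it scans a binary, a shared object or a static archive for the OPENSSL_VERSION_TEXT banner that libcrypto compiles in (the same text `openssl version` prints), so a module that silently picked up the /usr/sfw 0.9.7d reports that, and one really linked against /usr/local/ssl reports 0.9.8h. The file names in the usage comment and the expected version string are assumptions to adjust.

```python
"""Which OpenSSL build did a file really link?  Added example, not code from
the thread or from FreeRADIUS.

libcrypto compiles in the banner that `openssl version` prints, for example
"OpenSSL 0.9.8h 28 May 2008" (OPENSSL_VERSION_TEXT from opensslv.h).  That
string ends up inside whatever the library was linked into: a libcrypto.so,
or a module such as rlm_eap_tls.so when a static libssl.a/libcrypto.a was
pulled in, as the Solaris link in this thread did.  Scanning for it reports
the build that actually answered the link, whatever configure claimed.
"""
import re
import sys
from pathlib import Path

# Banner layout: "OpenSSL <version> <dd Mon yyyy>"; the date part is optional
# so that a bare "OpenSSL 0.9.8h" string is still reported.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?: +(\d{1,2} \w{3} \d{4}))?")


def openssl_banners_in(data: bytes):
    """Distinct (version, build-date) banners found in a byte blob, in file order."""
    found = []
    for m in BANNER_RE.finditer(data):
        version = m.group(1).decode("ascii")
        date = m.group(2).decode("ascii") if m.group(2) else None
        if (version, date) not in found:
            found.append((version, date))
    return found


def built_against_bytes(data: bytes, expected_version: str) -> bool:
    """True only if exactly one OpenSSL version is embedded and it is the expected one.

    Two different versions in one file means two builds were mixed at link
    time; that should fail the check rather than pass on a lucky first hit.
    """
    return {v for v, _ in openssl_banners_in(data)} == {expected_version}


def openssl_banners(path):
    """Scan a binary, .so or .a on disk."""
    return openssl_banners_in(Path(path).read_bytes())


def built_against(path, expected_version: str) -> bool:
    return built_against_bytes(Path(path).read_bytes(), expected_version)


if __name__ == "__main__":
    # Usage (paths are assumptions, adjust to your --prefix):
    #   python check_openssl.py 0.9.8h /usr/local/freeradius/lib/rlm_eap_tls-2.0.5.so \
    #       /usr/local/ssl/lib/libcrypto.so
    expected, *files = sys.argv[1:]
    for f in files:
        banners = openssl_banners(f)
        state = "OK" if built_against(f, expected) else "MISMATCH"
        hint = banners or "no OpenSSL banner (dynamically linked; scan the libcrypto that ldd reports)"
        print(f"{f}: {hint} {state}")
```

A dynamically linked radiusd contains no banner of its own; in that case scan the libcrypto.so that `ldd radiusd` resolves, since that is the build the server will run with regardless of which headers it was compiled against.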


Re: oracle support

2008-08-12 Thread Alexandre Chapellon
Just don't answer that stupid question! :p

Alexandre Chapellon wrote:
> Hello,
>
> I can see that Oracle can be used to store accounting data, IP pools and
> other stuff like this, but nothing about authenticating requests with
> users and passwords stored in an Oracle database. How can I manage to do
> this?


oracle support

2008-08-12 Thread Alexandre Chapellon
Hello,

I can see that Oracle can be used to store accounting data, IP pools and
other stuff like this, but nothing about authenticating requests with
users and passwords stored in an Oracle database. How can I manage to do
this?


Error compiling FreeRadius-2.0.5

2008-08-12 Thread Ums
Hi

I have Red Hat Linux release 8.0, and I am trying to install FreeRADIUS 2.0.5
fresh. I'm getting the following errors while doing a make after the
./configure. Any input will be greatly appreciated.

rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
creating .libs/radiusdS.c
(cd .libs && gcc  -g -O2 -c -fno-builtin -fno-rtti -fno-exceptions "radiusdS.c")
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o
.libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o
.libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o
.libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/radius_snmp.o
.libs/session.o .libs/smux.o .libs/threads.o .libs/util.o
.libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o
.libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o
-Wl,--export-dynamic
/freeradius-server-2.0.5/src/lib/.libs/libfreeradius-radius.so -lnsl
-lresolv -lpthread -lcrypt /usr/lib/libltdl.so -ldl  -Wl,--rpath
-Wl,/usr/local/lib
.libs/threads.o: In function `setup_ssl_mutexes':
/freeradius-server-2.0.5/src/main/threads.c:217: undefined reference to `OpenSSL_add_all_algorithms'
/freeradius-server-2.0.5/src/main/threads.c:220: undefined reference to `CRYPTO_num_locks'
/freeradius-server-2.0.5/src/main/threads.c:226: undefined reference to `CRYPTO_num_locks'
/freeradius-server-2.0.5/src/main/threads.c:230: undefined reference to `CRYPTO_set_id_callback'
/freeradius-server-2.0.5/src/main/threads.c:231: undefined reference to `CRYPTO_set_locking_callback'
.libs/threads.o: In function `request_handler_thread':
/freeradius-server-2.0.5/src/main/threads.c:497: undefined reference to `ERR_remove_state'
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory `/freeradius-server-2.0.5/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/freeradius-server-2.0.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/freeradius-server-2.0.5/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/freeradius-server-2.0.5'
make: *** [all] Error 2

Thanks much,

Ums





Re: Cleartext Password not clear

2008-08-12 Thread Chris

It said to DOUBLECHECK it.

On Aug 12, 2008, at 1:30 PM, Stéven Le Bras wrote:

> I have already checked this and it's OK. If I use the chilli interface
> I can log on without any problem, but I want to know if it's possible to
> force a clear read.
>
> 2008/8/12 Chris <[EMAIL PROTECTED]>
> > Read the debug output.
> >
> > On Aug 12, 2008, at 1:10 PM, Stéven Le Bras wrote:
> >
> > > WARNING: Unprintable characters in the password.   Double-check
> > > the shared secret on the server and the NAS!
>
> --
> Stéven


Multiple Attribute checks with sql module

2008-08-12 Thread Alexander Koeppe
Hello List,

I want to set up freeradius as a proxy for cisco management and dot1x.
The attribute to check is NAS-Port-Type. If it's "Ethernet" it's a dot1x
request and has to be proxied to one realm configured in proxy.conf.
Otherwise it has to be proxied to another realm, also configured in
proxy.conf, for one-time-password authentication.

Furthermore, if a specific NAS sends the request, the request should be
accepted by the proxy itself.

I got this already working with the users file looking like

DEFAULT NAS-Port-Type==Ethernet,NAS-IP-Address==1.1.1.1,Auth-Type:=Accept
DEFAULT NAS-Port-Type==Ethernet,Proxy-To-Realm:=Realm1

DEFAULT NAS-IP-Address==1.1.1.1,Auth-Type:=Accept
DEFAULT Proxy-To-Realm:=Realm2

But I can't get this working using the sql module.

My database structure looks like

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  2 | testuser | Password      | == | test  |
|  4 | DEFAULT  | NAS-Port-Type | =* |       |
+----+----------+---------------+----+-------+
2 rows in set (0.00 sec)

mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName  |
+----+----------+------------+
|  2 | DEFAULT  | ProxyMgt   |
|  3 | DEFAULT  | ProxyDOT1x |
+----+----------+------------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+------------+----------------+----+----------+
| id | GroupName  | Attribute      | op | Value    |
+----+------------+----------------+----+----------+
|  4 | ProxyMgt   | NAS-Port-Type  | == | Virtual  |
|  5 | ProxyMgt   | Proxy-To-Realm | := | Mgt      |
|  6 | ProxyDOT1x | NAS-Port-Type  | == | Ethernet |
|  7 | ProxyDOT1x | Proxy-To-Realm | := | PortSec  |
+----+------------+----------------+----+----------+
4 rows in set (0.00 sec)

mysql> select * from radgroupreply;
Empty set (0.00 sec)

With this sql configuration, the server proxies management requests but
not dot1x requests. In debug it says "No matching entry in the database
for request from user". Despite the acceptance of specific NAS requests.

The reason I want to realize this configuration with the sql module is
that changes are possible without HUPing the process.

I've read the documentation which is available for the sql module, but
the examples described there are not complex enough to help with my
problem.

Can anyone help me to realize the above-mentioned configuration of the
users file with the sql module?

Thanks in advance
Cheers Alex




RE: clients.conf - identifying a "client" - sql/ldap

2008-08-12 Thread Johan Meiring
Hi all,

Received no responses to the post below.

Any ideas would be greatly appreciated!

Thanks,

Johan Meiring
Cape PC Services CC / Amobia Communications
Tel: (021) 883-8271 / (0861) AMOBIA
Fax: (021) 886-7782 / (0861) AMOFAX
 

> -Original Message-
> From: Johan Meiring [mailto:[EMAIL PROTECTED] 
> Sent: 28 July 2008 11:55 AM
> To: 'freeradius-users@lists.freeradius.org'
> Subject: clients.conf - identifying a "client" - sql/ldap
> 
> 
> Hi,
> 
> I have the following setup.
> 
> Various clients (chillispot) behind broadband (read: dynamic 
> IP) connections.
> Basically I am selling AAA services.
> 
> I would like to authorize a NAS to use my services in the 
> first place by using the NAS-Identifier and the radius secret.
> 
> Both the NAS SQL table and the clients.conf file seem to 
> identify the client by IP address.
> 
> As my clients can be from ANY address, it seems that the only 
> way is to create an entry in clients.conf as follows:
> 
> client 0.0.0.0/0 {
>   shortname = myclient
>   secret = abcde
> }
> 
> This now implies again that all clients have to have the same secret.
> 
> I am using the perl modules, but according to another post 
> you cannot use perl as replacement for clients.conf.
> Also the sql nas table simply mimics the clients.  (I.e. 
> still uses IP address to find entry).
> 
> Is there any way to handle clients with dynamic IPs, and use 
> the NAS-Identifier and radius secret to allow/disallow the NAS?
> 
> Thanks!
> 
> Cheers,
> 
> Johan Meiring
> Cape PC Services CC / Amobia Communications
> Tel: (021) 883-8271 / (0861) AMOBIA
> Fax: (021) 886-7782 / (0861) AMOFAX
>  
> 



Re: Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)

2008-08-12 Thread Steve Weaver
I tried this with no change, both with using the hints file and without.

-SW

Ivan Kalik writes:
> 
> You need to add User-Name := Stripped-User-Name to your users file entry
> in order to replace it with stripped value.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 12/8/2008, "Steve Weaver" <[EMAIL PROTECTED]> writes:
> 
> >I'm having a strange problem I hope you can help me figure out.  We're
> >finally moving from an ancient Livingston RADIUS to FreeRADIUS.
> >
> >I compiled and installed version 2.0.5 on a freshly installed CentOS 5
> >box, read all the documentation I could find, installed our old users
> >file and adapted it until it now (mostly) works correctly.
> >
> >System info:
> >
> ># radiusd -v
> >radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
> >built on Aug 5 2008 at 15:40:15
> >
> ># uname -a
> >Linux .***.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
> >2008 i686 i686 i386 GNU/Linux
> >
> >The problem I'm having is that we have a lot of legacy users still
> >logging in with "Pusername" for PPP connections.  I've tried to set it
> >up in both the users file and the hints file (separately) and get the
> >same result.  No matter what I do, it tries to authenticate (System
> >auth type) the username "Pusername" instead of "username".
> >
> >If I add a user named "Pusername" everything works correctly.  It hits
> >the right default entry and authenticates fine, so it's just not
> >stripping off the "P" when authenticating.  I have also tried suffixes
> >(".ppp") to test if it was just the prefix that wasn't working.  Same
> >problem.
> >
> >We're not using any realms, proxying, LDAP, SQL, etc at this time.
> >Just a very simple single RADIUS server reading from a users file and
> >authenticating against the system password file.
> >
> >I first tried to set it up in the users file.  I commented out
> >everything in the hints file.  Here's what the DEFAULT entry looks like
> >in the users file:
> >
> >DEFAULT Auth-Type := System, Prefix == "P"
> >User-Service-Type = Framed-User,
> >Session-Timeout = 36000,
> >Idle-Timeout = 600,
> >Port-Limit = 1,
> >Framed-Protocol = PPP,
> >Framed-Address = 255.255.255.254,
> >Framed-Netmask = 255.255.255.255,
> >Framed-Routing = None,
> >Framed-MTU = 1500,
> >Framed-Compression = Van-Jacobsen-TCP-IP
> >
> >I attempt to authenticate:
> >
> ># radtest Psweaver  localhost 0 testing123
> >Sending Access-Request of id 43 to 127.0.0.1 port 1645
> >User-Name = "Psweaver"
> >User-Password = ""
> >NAS-IP-Address = 127.0.0.1
> >NAS-Port = 0
> >rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
> >length=20
> >
> >Things are working otherwise; without the "P" it works fine:
> >
> ># radtest sweaver  localhost 0 testing123
> >Sending Access-Request of id 223 to 127.0.0.1 port 1645
> >User-Name = "sweaver"
> >User-Password = ""
> >NAS-IP-Address = 127.0.0.1
> >NAS-Port = 0
> >rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
> >length=56
> >Session-Timeout = 36000
> >Idle-Timeout = 600
> >Port-Limit = 1
> >Service-Type = Login-User
> >Login-IP-Host = ***.***.***.***
> >Login-Service = Rlogin
> >
> >With the "P", here's the output of radiusd -X
> >
> >rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
> >length=6
> >0
> >User-Name = "Psweaver"
> >User-Password = ""
> >NAS-IP-Address = 127.0.0.1
> >NAS-Port = 0
> >+- entering group authorize
> >++[preprocess] returns ok
> >expand: 
> > /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> >-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> >rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> >expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> >expand: %t -> Tue Aug 12 10:10:44 2008
> >++[auth_log] returns ok
> >++[chap] returns noop
> >++[mschap] returns noop
>

Re: Cleartext Password not clear

2008-08-12 Thread Stéven Le Bras
I have already checked this and it's OK. If I use the chilli interface I can
log on without any problem, but I want to know if it's possible to force a
clear read.

2008/8/12 Chris <[EMAIL PROTECTED]>

> Read the debug output.
>
> On Aug 12, 2008, at 1:10 PM, Stéven Le Bras wrote:
>
>> WARNING: Unprintable characters in the password.   Double-check the
>> shared secret on the server and the NAS!
>>
>
>



-- 
Stéven

Re: Cleartext Password not clear

2008-08-12 Thread Chris

Read the debug output.

On Aug 12, 2008, at 1:10 PM, Stéven Le Bras wrote:

> WARNING: Unprintable characters in the password.   Double-check
> the shared secret on the server and the NAS!





Cleartext Password not clear

2008-08-12 Thread Stéven Le Bras
Hi there,

I'm attempting to log in to chillispot with freeradius, but when I send the
username / password pair with a cleartext password in User-Password to
freeradius through chillispot, radiusd responds:

rad_recv: Access-Request packet from host 127.0.0.1 port 36710, id=47,
length=263
ChilliSpot-Version = "1.0.12"
User-Name = "testuser"
User-Password = "\177\326=\343\017\021e\247B4ޣ\202<6\001"
NAS-IP-Address = 10.1.0.1
Service-Type = Login-User
Framed-IP-Address = 10.1.0.4
Calling-Station-Id = "00-13-CE-8C-0F-AF"
Called-Station-Id = "00-09-6B-D8-9A-C6"
NAS-Identifier = "nas01"
Acct-Session-Id = "48a18af50001"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
WISPr-Location-ID = "isocc=,cc=,ac=,network=SYS_TECH,"
WISPr-Location-Name = "HotSpot"
WISPr-Logoff-URL = "http://10.1.0.1:3990/logoff";
Message-Authenticator = 0x8bd17fcc4a6acc6cac5026615e4545b5
[...]
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password.   Double-check the
shared secret on the server and the NAS!
  Found Post-Auth-Type Reject

(the password is "plop")
but I want freeradius to be able to read the password without transforming
it. Is it possible, or do you think it could be chillispot that transforms it?

Thanks

-- 
Stéven
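What produces those bytes, as an added example that is not code from this thread, from ChilliSpot or from FreeRADIUS: the RFC 2865 section 5.2 User-Password hiding that every NAS applies before sending, and its reversal on the server. The secret, request authenticator and password used below are constructed. When both sides hold the same secret the server recovers "plop"; when they differ, the server recovers sixteen bytes of noise, which is exactly the unprintable garbage the debug output shows and why the warning points at the shared secret rather than at the password itself.

```python
"""RFC 2865 section 5.2 User-Password hiding, to show what a shared-secret
mismatch looks like on the server.  Added example; not ChilliSpot or
FreeRADIUS code.

The NAS never sends the password in the clear.  It pads the password with
NULs to a multiple of 16 and XORs each block with a pad derived from the
secret: b1 = MD5(S + RequestAuthenticator), b2 = MD5(S + c1), and so on.
The server rebuilds the same pads with *its* copy of the secret.  If the two
secrets differ, the pads differ and the "password" that comes out is noise.
"""
import hashlib
import os

BLOCK = 16


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: pad with NULs and XOR with the chained MD5 keystream."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = b""
    prev = request_authenticator              # b1 = MD5(S + RA)
    for i in range(0, len(padded), BLOCK):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], pad))
        out += block
        prev = block                          # b(n) = MD5(S + c(n-1))
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the same keystream, chained on the *received* ciphertext blocks."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], pad))
        prev = hidden[i:i + BLOCK]
    return out.rstrip(b"\x00")                # strip the NUL padding


def is_printable(value: bytes) -> bool:
    """The kind of check behind the 'Unprintable characters in the password' warning."""
    return all(0x20 <= b < 0x7F for b in value)


def demo():
    """Constructed scenario: secrets agree, then the server holds a different one."""
    request_authenticator = os.urandom(BLOCK)   # fresh and random per Access-Request
    nas_secret = b"testing123"                  # constructed clients.conf secret
    hidden = hide_password(b"plop", nas_secret, request_authenticator)
    agreed = reveal_password(hidden, nas_secret, request_authenticator)
    mismatched = reveal_password(hidden, b"some-other-secret", request_authenticator)
    return agreed, mismatched, is_printable(agreed), is_printable(mismatched)


if __name__ == "__main__":
    agreed, mismatched, ok1, ok2 = demo()
    print("same secret    ->", agreed, "printable:", ok1)
    print("wrong secret   ->", mismatched, "printable:", ok2)
```

The hiding is an MD5-derived XOR stream, not an authenticated cipher: it gives no integrity and its strength is entirely that of the shared secret, so the right response to the warning is to make the secret on the NAS and in clients.conf identical (and long and random), not to look for a way to make the server skip the reversal.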

What is the certificate that I installed on the notebook?

2008-08-12 Thread Martin Silvero
There are many certificates in the /certs/ folder; which one is the one I
install on the notebook, and how is it set up?


thanks!!!


-- 
--

Silvero Martin

2.0.5 on Solaris with openssl 0.9.8h

2008-08-12 Thread Rafiqul Ahsan
Alan, and all ,

I am facing some challenges building Freeradius 2.0.5 (Solaris OS)
with openssl version 0.9.8h. Solaris 10 comes with a prebuilt openssl
version, found at /usr/sfw/bin/openssl, version 0.9.7d. Prior to
building freeradius I built a newer openssl version (v.0.9.8h), located
in /usr/local/ssl. Here are the two openssl versions I now have on my
Solaris.

bash-3.00# openssl version
OpenSSL 0.9.8h 28 May 2008

bash-3.00# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)

When I built Freeradius 2.0.5 (I simply executed three commands,
./configure, make and make install), I was expecting that it would
build with my desired openssl version.

Apparently, I found that a certain hash algorithm (sha256) is not
supported when I work with freeradius (I mean with the SSL version that
it was built with). However, openssl version 0.9.8h should support
this. I sent the openssl community this question; they wanted me to verify
whether I actually built freeradius with this new openssl version.
I am not able to tell what library it is actually built with,
because I could not figure it out from the build log, nor from configure. But
if I use the configure options below, I see a rolling error (which is
telling me that I must not have built freeradius with openssl
0.9.8h?):


... (see a portion of my output when I executed make, after ./configure:
./configure \
--prefix=/usr/local/freeradius \
--with-openssl=yes \
--with-openssl-dir=/usr/local/ssl \
--with-openssl-includes=/usr/local/ssl/include \
--with-openssl-libraries=/usr/local/ssl/lib )


RB5 -c peap.c -o peap.o >/dev/null 2>&1
/export/home/dev/freeradius-server-2.0.5/libtool --mode=link gcc
-release 2.0.5 \
-module -export-dynamic   -o rlm_eap_peap.la \
-rpath /usr/local/lib rlm_eap_peap.lo peap.lo rlm_eap_peap.c peap.c
/export/home/dev/f
radius-server-2.0.5/src/lib/libfreeradius-radius.la
../../libeap/libfreeradius-eap.la
usr/local/ssl/lib -lcrypto -lssl -lcrypto -ldl -lnsl -lresolv -lsocket
-lposix4  -lpth
d
gcc -shared -Wl,-h -Wl,rlm_eap_peap-2.0.5.so -o
.libs/rlm_eap_peap-2.0.5.so  .libs/rlm
p_peap.o .libs/peap.o
-R/export/home/dev/freeradius-server-2.0.5/src/lib/.libs -R/exp
/home/dev/freeradius-server-2.0.5/src/modules/rlm_eap/libeap/.libs
-R/usr/local/lib -L
port/home/dev/freeradius-server-2.0.5/src/lib/.libs
/export/home/dev/freeradius-server
0.5/src/lib/.libs/libfreeradius-radius.so
../../libeap/.libs/libfreeradius-eap.so -L/u
local/ssl/lib -lssl -lcrypto -ldl -lnsl -lresolv -lsocket -lposix4
-lpthread -lc
Text relocation remains referenced
against symbol  offset  in file
   0x0
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x4
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x8
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0xc
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x10
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x14
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x18
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x1c
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x20
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x24
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x28
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x2c
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x30
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x34
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x38
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x3c
/usr/local/ssl/lib/libssl.a(ssl_lib.o)
   0x40
/usr/local/ssl/lib/libssl.a(ssl_lib.o)



On 8/7/08, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:
> I changed the Makefile for random file creation step (as a fix for my
> earlier posted error)...
>
> This is what I found at Makefile  :
>
> random:
>@if [ -e /dev/urandom ] ; then \
>dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
>else \
>date > ./random; \
>fi
>
> I Changed to ...
>
> random:
> 	date > ./random;
>
> That solved my earlier problem, and now my server is listening.
>
> Thanks,
> Rafi
>
>
>
>
>
>
>
> On 8/7/08, Rafiqul Ahsan <[EMAIL PROTECTED]> wrote:
> > I see below error when I execute bootstrap
> >
> > bash-3.00# /usr/local/etc/raddb/certs/bootstrap
> > ...
> > make: Nothing to be done for `ca'.
> > make: Nothing to be done for `server'.
> > make: `dh' is up to date.
> > /bin/sh: test: argument expected
> > make: *** [random] Error 1
> >
> > On 8/7/08, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > Rafiqul Ahsan wrote:
> > > > Thanks, I was able to build freeradius 2.0.5 on Solaris 10. However,
> > > > server is not running, 

Re: Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)

2008-08-12 Thread Ivan Kalik
You need to add User-Name := Stripped-User-Name to your users file entry
in order to replace it with stripped value.

Ivan Kalik
Kalik Informatika ISP


On 12/8/2008, "Steve Weaver" <[EMAIL PROTECTED]> writes:

>I'm having a strange problem I hope you can help me figure out.  We're
>finally moving from an ancient Livingston RADIUS to FreeRADIUS.
>
>I compiled and installed version 2.0.5 on a freshly installed CentOS 5
>box, read all the documentation I could find, installed our old users
>file and adapted it until it now (mostly) works correctly.
>
>System info:
>
># radiusd -v
>radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
>built on Aug 5 2008 at 15:40:15
>
># uname -a
>Linux .***.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
>2008 i686 i686 i386 GNU/Linux
>
>The problem I'm having is that we have a lot of legacy users still
>logging in with "Pusername" for PPP connections.  I've tried to set it
>up in both the users file and the hints file (separately) and get the
>same result.  No matter what I do, it tries to authenticate (System
>auth type) the username "Pusername" instead of "username".
>
>If I add a user named "Pusername" everything works correctly.  It hits
>the right default entry and authenticates fine, so it's just not
>stripping off the "P" when authenticating.  I have also tried suffixes
>(".ppp") to test if it was just the prefix that wasn't working.  Same
>problem.
>
>We're not using any realms, proxying, LDAP, SQL, etc at this time.
>Just a very simple single RADIUS server reading from a users file and
>authenticating against the system password file.
>
>I first tried to set it up in the users file.  I commented out
>everything in the hints file.  Here's what the DEFAULT entry looks like
>in the users file:
>
>DEFAULT Auth-Type := System, Prefix == "P"
>User-Service-Type = Framed-User,
>Session-Timeout = 36000,
>Idle-Timeout = 600,
>Port-Limit = 1,
>Framed-Protocol = PPP,
>Framed-Address = 255.255.255.254,
>Framed-Netmask = 255.255.255.255,
>Framed-Routing = None,
>Framed-MTU = 1500,
>Framed-Compression = Van-Jacobsen-TCP-IP
>
>I attempt to authenticate:
>
># radtest Psweaver  localhost 0 testing123
>Sending Access-Request of id 43 to 127.0.0.1 port 1645
>User-Name = "Psweaver"
>User-Password = ""
>NAS-IP-Address = 127.0.0.1
>NAS-Port = 0
>rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
>length=20
>
>Things are working otherwise; without the "P" it works fine:
>
># radtest sweaver  localhost 0 testing123
>Sending Access-Request of id 223 to 127.0.0.1 port 1645
>User-Name = "sweaver"
>User-Password = ""
>NAS-IP-Address = 127.0.0.1
>NAS-Port = 0
>rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
>length=56
>Session-Timeout = 36000
>Idle-Timeout = 600
>Port-Limit = 1
>Service-Type = Login-User
>Login-IP-Host = ***.***.***.***
>Login-Service = Rlogin
>
>With the "P", here's the output of radiusd -X
>
>rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
>length=6
>0
>User-Name = "Psweaver"
>User-Password = ""
>NAS-IP-Address = 127.0.0.1
>NAS-Port = 0
>+- entering group authorize
>++[preprocess] returns ok
>expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
>rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
>expand: %t -> Tue Aug 12 10:10:44 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
>rlm_realm: No such realm "NULL"
>++[suffix] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
>++[eap] returns noop
>++[unix] returns notfound
>users: Matched entry DEFAULT at line 3526
>++[files] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: WARNING! No "known good" password found for the user.
>Authentication may fail because of this.
>++[pap] returns noop
>  rad_check_password:  Found Auth-Type System
>auth: type "System"
>+- e

Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)

2008-08-12 Thread Steve Weaver
I'm having a strange problem I hope you can help me figure out.  We're
finally moving from an ancient Livingston RADIUS to FreeRADIUS.

I compiled and installed version 2.0.5 on a freshly installed CentOS 5
box, read all the documentation I could find, installed our old users
file and adapted it until it now (mostly) works correctly.

System info:

# radiusd -v
radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
built on Aug 5 2008 at 15:40:15

# uname -a
Linux .***.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
2008 i686 i686 i386 GNU/Linux

The problem I'm having is that we have a lot of legacy users still
logging in with "Pusername" for PPP connections.  I've tried to set it
up in both the users file and the hints file (separately) and get the
same result.  No matter what I do, it tries to authenticate (System
auth type) the username "Pusername" instead of "username".

If I add a user named "Pusername" everything works correctly.  It hits
the right default entry and authenticates fine, so it's just not
stripping off the "P" when authenticating.  I have also tried suffixes
(".ppp") to test if it was just the prefix that wasn't working.  Same
problem.

We're not using any realms, proxying, LDAP, SQL, etc at this time.
Just a very simple single RADIUS server reading from a users file and
authenticating against the system password file.

I first tried to set it up in the users file.  I commented out
everything in the hints file.  Here's what the DEFAULT entry looks like
in the users file:

DEFAULT Auth-Type := System, Prefix == "P"
User-Service-Type = Framed-User,
Session-Timeout = 36000,
Idle-Timeout = 600,
Port-Limit = 1,
Framed-Protocol = PPP,
Framed-Address = 255.255.255.254,
Framed-Netmask = 255.255.255.255,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobsen-TCP-IP

I attempt to authenticate:

# radtest Psweaver  localhost 0 testing123
Sending Access-Request of id 43 to 127.0.0.1 port 1645
User-Name = "Psweaver"
User-Password = ""
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
length=20

Things are working otherwise; without the "P" it works fine:

# radtest sweaver  localhost 0 testing123
Sending Access-Request of id 223 to 127.0.0.1 port 1645
User-Name = "sweaver"
User-Password = ""
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
length=56
Session-Timeout = 36000
Idle-Timeout = 600
Port-Limit = 1
Service-Type = Login-User
Login-IP-Host = ***.***.***.***
Login-Service = Rlogin

With the "P", here's the output of radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
length=6
0
User-Name = "Psweaver"
User-Password = ""
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
expand: %t -> Tue Aug 12 10:10:44 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 3526
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type System
auth: type "System"
+- entering group authenticate
++[unix] returns notfound
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> Psweaver
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 175 to 127.0.0.1 port 35915
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 175 with timestamp +1013
Ready to process requests.

Note that it's matching line 3526, which is indeed the DEFAULT entry I
listed above.

If I move prefix information to the hints file, I end up with this
in the hints file:

DEFA

Re: Help needed for radrelay under 1.1.3

2008-08-12 Thread Alan DeKok
Ryan wrote:
> Need some help on radrelay for 1.1.3 if possible.

  Upgrade to 2.0.5.  The radrelay functionality is integrated into the
server core, and works much better than 1.1.x.

> Have tried running radrelay in debug mode but was not able to find any
> error other than the following
> rad_verify: Received Accounting-Response packet from client
> xxx.xxx.xxx.xxx port 1813 with invalid signature (err=2)!  (Shared
> secret is incorrect.)

  Well... fix that.  Really.  It's making radrelay not work.

> Both radius are running 1.1.3.
> 
> The error is rather strange as I'm sure that the shared secret is correct.

  (a) the shared secret is wrong.
  (b) the MD5 libraries on the system are broken
  (c) the memory on the system is corrupt.

  Pick one.

  Alan DeKok.
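For reference, the check that fails with "invalid signature (err=2)" here, as an added example that is not radrelay or FreeRADIUS code: the RFC 2866 Accounting-Request authenticator and the RFC 2865 response authenticator are both MD5 over the packet plus the shared secret, so a response produced by a server that holds a different secret for the relay can never verify, whatever the NAS and the first server agreed on. The identifiers, attribute values and secrets below are constructed.

```python
"""The authenticator checks behind an "invalid signature ... (Shared secret is
incorrect.)" message.  Added example; not radrelay or FreeRADIUS code.

RFC 2866: an Accounting-Request's Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
RFC 2865 section 3: a response's Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
Both sides of one exchange must use the same secret.  radrelay re-sends
accounting to the second server, so the secret that matters for the error
in this thread is the one the relay and the *second* server share.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
HEADER = struct.Struct("!BBH")       # code, identifier, length


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length incl. header, value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def build_acct_request(ident, attrs, secret):
    """Relay/NAS side: Accounting-Request signed over a zeroed authenticator field."""
    body = encode_attrs(attrs)
    header = HEADER.pack(ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """Server side: the reply is bound to the request through its authenticator."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_acct_request(request, secret):
    """Server side: what the accounting server checks before touching SQL."""
    header, auth, body = request[:4], request[4:20], request[20:]
    if HEADER.unpack(header)[2] != len(request):
        return False
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(expected, auth)


def verify_response(response, request, secret):
    """Client side: what the relay checks on an Accounting-Response."""
    header, auth, body = response[:4], response[4:20], response[20:]
    if HEADER.unpack(header)[2] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    # Constructed Acct-Status-Type = Stop (40), Acct-Session-Id (44).
    attrs = [(40, struct.pack("!I", 2)), (44, b"48a18af50001")]
    req = build_acct_request(47, attrs, b"relay-secret")
    good = build_response(ACCT_RESPONSE, req, [], b"relay-secret")
    bad = build_response(ACCT_RESPONSE, req, [], b"other-secret")
    print("response from server with same secret verifies:", verify_response(good, req, b"relay-secret"))
    print("response from server with other secret verifies:", verify_response(bad, req, b"relay-secret"))
```

Note that neither check involves the User-Password hiding or anything else in the attributes: a mismatch is purely a secret (or, as Alan lists, MD5 or memory) problem on the relay-to-server pair, so the secret to compare is the one in the relay's configuration against the clients entry on the accounting server, not the NAS secret on the first server.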


Re: Why do I need to force Auth-Type?

2008-08-12 Thread Alan DeKok
sphaero wrote:
> Thanks for that Alan, that does work as well. However I still don't know why
> freeradius didn't try pap in the first place.

  It did.  Read the debug output.

> I need to work with the 1.1 series since eventually I need to implement this
> HP procurve agent for freeradius and I haven't found any support for 2.0
> series yet.

  Ask them.  It shouldn't be too hard to port any module from 1.1.x.

  Alan DeKok.


Help needed for radrelay under 1.1.3

2008-08-12 Thread Ryan
Hi All,

Need some help on radrelay for 1.1.3 if possible. I have a radius
setup with two radius servers, one for authorization/authentication and
one for accounting. The one doing authorization/authentication relays
the accounting detail using radrelay to the other radius server, which
updates SQL.

Currently I'm having some problems with the relaying; it does not seem
to be working, as the detail file, which is supposed to be cleared as
entries are relayed, is getting filled up. I noticed that the radrelay
process is not forking the detail.work file at all.

I have tried running radrelay in debug mode but was not able to find any
error other than the following:
rad_verify: Received Accounting-Response packet from client
xxx.xxx.xxx.xxx port 1813 with invalid signature (err=2)!  (Shared
secret is incorrect.)

Both radius servers are running 1.1.3.

The error is rather strange, as I'm sure that the shared secret is correct.

Best Regards,
Ryan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: invalid login attempts user lockout

2008-08-12 Thread Alan DeKok
Evgeniy Kozhuhovskiy wrote:
> And what can you say about rlm_caching?

  Not much.  I've never used it.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Lost entries from reply with multiple instances of the same attribute

2008-08-12 Thread Phil Mayers

Konstantin KABASSANOV wrote:
>> Konstantin KABASSANOV wrote:
>>> Some months ago I mentioned a problem observed while sending Access-Accept
>>> with multiple Cisco-AVPair="ssid=..." entries. Even if fields are correctly
>>> retrieved from the LDAP server, only the first occurrence of the attribute
>>> is sent in the packet. Can you tell me if recent developments have solved
>>> this issue?
>>
>>   This issue has been solved for almost 4 years now.  Read
>> ldap.attrmap.
>
> Alan, I'd be very happy if it was true, but:
>
> Even if my radius server gets the following from the rlm_ldap:
>
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair =
> "ssid=mywifi1"
> rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair =
> "ssid=mywifi2"


Read the comments in "ldap.attrmap". Specifically you're going to want:

replyItem Cisco-AVPair wireless +=

i.e. you need to use the "operator" field
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting

2008-08-12 Thread Phil Mayers

Jonathan Gazeley wrote:
> Phil Mayers wrote:
>> Your NAS needs to support interim accounting.
>>
>> If it does already, it might be as simple as adding:
>>
>> DEFAULT
>> Acct-Interim-Interval = 1800,
>> Fall-Through = yes
>>
>> ...to the "users" file; modify as appropriate of course for your config.
>
> I have added the lines above to my "users" file, replacing 1800 with a
> value of 20. However, the updates do not occur every 20 minutes. Do I
> also need to enable something on my NAS (Cisco WiSMs) to allow it to
> provide accounting on demand?

Not sure. It definitely works; we have it working here.

Are you getting *any* accounting from the WISM? You'll need:

 radius acct add $server_id $server 1813 ascii secret
 wlan radius_server acct add $wlan_id $server_id

I notice we've got:

 wlan session-timeout $wlan_id 1800

...statements in our config, but I'm not an expert on the WISMs so I
don't know if that's required.

> I did also try to edit the config on my WiSMs to push the accounting
> every 20 minutes but was unable to get that to work. The guy who
> primarily looks after the WiSMs is away at the moment.
>
> How is interim accounting normally done? I don't mind if the accounting
> is pushed or pulled, whatever works.

Accounting is always pushed from the NAS to the Radius server.

> Thanks,
> Jonathan
>
> Jonathan Gazeley
> Systems Support Specialist
> ResNet | Wireless & VPN Team
> Information Services
> University of Bristol
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Lost entries from reply with multiple instances of the same attribute

2008-08-12 Thread Konstantin KABASSANOV
> Konstantin KABASSANOV wrote:
> > Some months ago I mentioned a problem observed while sending Access-
> Accept
> > with multiple Cisco-AVPair="ssid=..." entries. Even if fields are
> correctly
> > retrieved from the LDAP server, only the first occurrence of the
> attribute
> > is sent in the packet. Can you tell me if recent developments have
> solved
> > this issue?
> 
>   This issue has been solved for almost 4 years now.  Read
> ldap.attrmap.
> 

Alan, I'd be very happy if it was true, but:

Even if my radius server gets the following from the rlm_ldap:

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair =
"ssid=mywifi1"
rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair =
"ssid=mywifi2"

the outgoing access-accept packet contains only the first entry:

rlm_ldap: LDAP attribute wireless as RADIUS attribute Cisco-AVPair =
"ssid=mywifi1"

FYI the version I use for radius is 2.0.4 so I don't think it is more than 4
years old.

In an email sent in April 2008, I saw somebody with a similar problem with
another attribute and there was information that the bug was corrected
only in unlang.

Am I wrong?

Konstantin 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Why do I need to force Auth-Type?

2008-08-12 Thread sphaero



Alan DeKok-2 wrote:
> 
> 
>   List "pap" *inside* of the Autz-Type blocks, *after* your SQL modules.
> 
>> This is all done on freeradius 1.1.6 (OSS 10.3)
> 
>   Ugh.  2.0 is much better.
> 
>   Alan DeKok.
> 

Thanks for that Alan, that does work as well. However I still don't know why
freeradius didn't try pap in the first place.

I need to work with the 1.1 series since eventually I need to implement this
HP procurve agent for freeradius and I haven't found any support for 2.0
series yet.

Rg,

Arnaud Loonstra

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Trivial patch for rlm_acctlog in 2.0.5

2008-08-12 Thread Kostas Zorbadelos
Hello to everyone.

As we are preparing for migration to 2.X version in some of our production 
systems, I took a closer look at the sources and found the rlm_acctlog module 
that allows for the logging of various types of accounting messages in the 
radius logs. Moreover I saw that syslog support in 2.X is vastly improved 
over 1.X series.

My minor request is, could you include the following patch in later releases 
(so as to not maintain it internally)?

--- rlm_acctlog.c.orig  2007-11-12 00:11:51.0 +0200
+++ rlm_acctlog.c   2008-08-08 13:54:34.0 +0300
@@ -79,7 +79,7 @@
rlm_acctlog_t *inst;
VALUE_PAIR *pair;

-   charlogstr[MAX_STRING_LEN];
+   charlogstr[1024];
int acctstatustype = 0;

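Review bot: the replacement in the `-   charlogstr[MAX_STRING_LEN];` / `+   charlogstr[1024];` pair swaps a named constant for a bare magic number; a named size (a `#define` for the acctlog line length next to the module's other constants) would record the reason given in the mail, that syslog lines may be up to 1024 characters. The larger concern with a buffer-size change is outside the hunk: every write into `logstr` later in this function must take its limit from `sizeof(logstr)` rather than from the old `MAX_STRING_LEN`, otherwise the extra space is never used, and any bound that mismatches the array is a truncation or overflow risk. Please confirm those writes in the full diff before merging.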
The idea is to have a bigger buffer than 253 characters for logging. Some old 
syslog implementations can have a 1024 character limit I think, so I guess 
that would be enough :)

Thanks and keep up the good work.

Kostas Zorbadelos

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl not working as expected on 2.0.5

2008-08-12 Thread Henry
On Tue, August 12, 2008 11:08 am, Ivan Kalik wrote:
> You haven't got
>
> Auth-Type Perl {
> perl
> }
>
> in the authentication section of the inner-tunnel virtual server. You probably
> added it just to the default one. In the default configuration the users file is
> common for all virtual servers.

Excellent!  Thanks, Ivan.  I must have missed that requirement in the docs.

Regards
Henry

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting

2008-08-12 Thread Ivan Kalik
20 would mean 20 seconds not 20 minutes. Does the interim attribute
appear in the Access-Accept packet?

You can set up interim accounting by passing that radius attribute or it
can be fixed in the NAS configuration.

Ivan Kalik
Kalik Informatika ISP


On 12/8/2008, "Jonathan Gazeley" <[EMAIL PROTECTED]>
wrote:

>Phil Mayers wrote:
>> Your NAS needs to support interim accounting.
>>
>> If it does already, it might be as simple as adding:
>>
>> DEFAULT
>> Acct-Interim-Interval = 1800,
>> Fall-Through = yes
>>
>> ...to the "users" file; modify as appropriate of course for your config.
>
>I have added the lines above to my "users" file, replacing 1800 with a
>value of 20. However, the updates do not occur every 20 minutes. Do I
>also need to enable something on my NAS (Cisco WiSMs) to allow it to
>provide accounting on demand?
>
>I did also try to edit the config on my WiSMs to push the accounting
>every 20 minutes but was unable to get that to work. The guy who
>primarily looks after the WiSMs is away at the moment.
>
>How is interim accounting normally done? I don't mind if the accounting
>is pushed or pulled, whatever works.
>
>Thanks,
>Jonathan
>
>
>Jonathan Gazeley
>Systems Support Specialist
>ResNet | Wireless & VPN Team
>Information Services
>University of Bristol
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: invalid login attempts user lockout

2008-08-12 Thread Evgeniy Kozhuhovskiy

Alan DeKok wrote:
>> Does anyone know of RadiusServer denying access for a particular user
>> after a configurable number of invalid login attempts.
>
>   You need to track this information yourself.  It requires a DB, and
> some custom code on the server.  I suggest using rlm_perl.


And what can you say about rlm_caching?

--
With best regards, Evgeniy Kozhuhovskiy,
Leader of Services team,
Minsk State Phony Network, RUE Beltelecom.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting

2008-08-12 Thread Jonathan Gazeley

Phil Mayers wrote:
> Your NAS needs to support interim accounting.
>
> If it does already, it might be as simple as adding:
>
> DEFAULT
> Acct-Interim-Interval = 1800,
> Fall-Through = yes
>
> ...to the "users" file; modify as appropriate of course for your config.


I have added the lines above to my "users" file, replacing 1800 with a 
value of 20. However, the updates do not occur every 20 minutes. Do I 
also need to enable something on my NAS (Cisco WiSMs) to allow it to 
provide accounting on demand?


I did also try to edit the config on my WiSMs to push the accounting 
every 20 minutes but was unable to get that to work. The guy who 
primarily looks after the WiSMs is away at the moment.


How is interim accounting normally done? I don't mind if the accounting 
is pushed or pulled, whatever works.


Thanks,
Jonathan


Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl not working as expected on 2.0.5

2008-08-12 Thread Ivan Kalik
You haven't got

Auth-Type Perl {
perl
}

in the authentication section of the inner-tunnel virtual server. You probably
added it just to the default one. In the default configuration the users file is
common for all virtual servers.

Ivan Kalik
Kalik Informatika ISP


On 11/8/2008, "Henry" <[EMAIL PROTECTED]> wrote:

>Greetings,
>
>I'm busy trying out Freeradius 2.0.5 before upgrading from 1.1.0, and so
>far everything looks good.  I would like to try out rlm_perl since it
>presents some interesting possibilities, but am having a spot of bother.
>
>I followed the howto here: http://wiki.freeradius.org/Rlm_perl
>
>rlm_perl isn't even loaded/instantiated unless I add 'perl' to the
>instantiate section of radiusd.conf.
>
>Even if I do, however, I keep getting this error:
>
>"Parse error (check) for entry DEFAULT: Unknown value Perl for attribute
>Auth-Type"
>
>Any pointers on what I'm missing/doing wrong would be appreciated.
>
>Thanks
>Henry
>
>
>Here's the debug:
>

Re: get problem with freeradius with LDAP authenticate

2008-08-12 Thread Maurizio Cimaschi

chenweiting wrote:
> rlm_ldap: (re)connect to ldap.icpdd.neca.nec.com.au:389, authentication 0
> ld.so.1: radiusd: fatal: relocation error: file
> /usr/local/lib/rlm_ldap-1.1.7.so: symbol ldap_int_tls_config: referenced
> symbol not found
>
> Killed
>
> Any idea for this issue?

A couple.

Do you have more than one installation of freeradius?

How did you build the server?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + OpenLDAP

2008-08-12 Thread Ivan .
thanks

On Tue, Aug 12, 2008 at 5:24 PM, Maurizio Cimaschi <[EMAIL PROTECTED]> wrote:
> Tried to find one, but they are all about the old 1.x version.
>
> Having just done a similar configuration I can suggest you read some of
> them; most of the information still applies. If you're interested in
> authenticating wi-fi users there is some specific information on
> wiki.freeradius.org.
>
> Remember to check the "modules/ldap" configuration file.
>
> I have limited experience, but you can ask if you have any problems.
>
>Bye.
>
> Ivan . wrote:
>>
>> Hi
>>
>> Does anyone have any links to some decent "how tos" for integrating
>> OpenLDAP into freeradius for user management?
>>
>> Thanks
>> Ivan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Possible bug in shipped configuration file.

2008-08-12 Thread Maurizio Cimaschi

Maurizio Cimaschi wrote:
> I'm not an expert in this application and I don't know why that part was
> uncommented, but, may I suggest to uncomment that part in the
> configuration file?


I mean, may I suggest to *comment* that part in the default 
configuration file. (Sorry for the mistype).



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


get problem with freeradius with LDAP authenticate

2008-08-12 Thread chenweiting

Dear all,

I am trying to configure freeradius 1.1.7 on Solaris10
to authenticate with an LDAP server. After I configured it, radiusd -X -A was
running well; once I ran radtest I got the error
below:


Re: Freeradius + OpenLDAP

2008-08-12 Thread Maurizio Cimaschi

Tried to find one, but they are all about the old 1.x version.

Having just done a similar configuration I can suggest you read some
of them; most of the information still applies. If you're interested in
authenticating wi-fi users there is some specific information on
wiki.freeradius.org.


Remember to check the "modules/ldap" configuration file.

I have limited experience, but you can ask if you have any problems.

Bye.

Ivan . wrote:

> Hi
>
> Does anyone have any links to some decent "how tos" for integrating
> OpenLDAP into freeradius for user management?
>
> Thanks
> Ivan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius + OpenLDAP

2008-08-12 Thread Ivan .
Hi

Does anyone have any links to some decent "how tos" for integrating
OpenLDAP into freeradius for user management?

Thanks
Ivan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: invalid login attempts user lockout

2008-08-12 Thread Sudarshan Soma
I am sorry, I think I found a similar reference in the mailing list.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-November/msg00057.html

thanks all.


On Tue, Aug 12, 2008 at 12:34 PM, Sudarshan Soma <[EMAIL PROTECTED]> wrote:
> Hi All,
> Does anyone know of RadiusServer denying access for a particular user
> after a configurable number of invalid login attempts. I know this can
> be done on the client side with pam modules. But I thought since
> radius users are the same across multiple nodes connected to radiusserver,
> it would be a useful option to lockout at radius server level.
>
> Please let me know if anyone is aware of this scenario.
>
> Regards,
> Pavan.
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Possible bug in shipped configuration file.

2008-08-12 Thread Maurizio Cimaschi

Hi,
	I don't know if this has been reported/discussed before, but it
happened to me last week. I was trying to set up a freeradius (2.0.5) to
authenticate requests from my access point (using WPA Enterprise)
against an LDAP server. It was working fine using "radclient", but
the requests from the AP were bounced claiming that no authentication
method was set. I checked the configuration file more than once, googled
a lot but was unable to solve it. After almost a day of trying, I noticed a
line in the debug (radiusd -X) that said something about proxying. So I
remembered having seen a statement in the "inner-server" configuration:


#update control {
#   Proxy-To-Realm := LOCAL
#}

In the configuration file installed by the installation procedure that 
part was uncommented; adding the comments was enough to make the server 
work.


I'm not an expert in this application and I don't know why that part was
uncommented, but, may I suggest to uncomment that part in the
configuration file?


Thank you for your great work. Bye.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: invalid login attempts user lockout

2008-08-12 Thread Alan DeKok
Sudarshan Soma wrote:
> Does anyone know of RadiusServer denying access for a particular user
> after a configurable number of invalid login attempts.

  You need to track this information yourself.  It requires a DB, and
some custom code on the server.  I suggest using rlm_perl.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
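The tracking Alan describes, as an added example that is not rlm_perl or FreeRADIUS code: a stand-alone Python model of a DB-backed failed-login counter with a lockout window, of the kind an rlm_perl module would drive from the server's authorize and post-auth sections. The thresholds, the table layout and the hook points are assumptions; the database is kept outside the server process precisely so the state survives restarts and is shared by every server the NASes talk to.

```python
"""Server-side lockout after N failed logins.

Added example, not rlm_perl or other FreeRADIUS code: a stand-alone Python
model of the DB-backed tracking Alan describes.  The state lives in a
database (SQLite here) so that it survives restarts and can be shared by
every server instance.  Calling authorize() from the server's authorize
section and post_auth() from its post-auth section, and the thresholds,
are assumptions made for this demo.
"""
import sqlite3


class LockoutTracker:
    def __init__(self, max_failures=5, lockout_seconds=900, db_path=":memory:"):
        self.max_failures = max_failures          # assumed policy values
        self.lockout_seconds = lockout_seconds
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS login_failures ("
            "  username TEXT PRIMARY KEY,"
            "  failures INTEGER NOT NULL,"
            "  locked_until REAL NOT NULL)"
        )

    def _state(self, username):
        row = self.db.execute(
            "SELECT failures, locked_until FROM login_failures WHERE username = ?",
            (username,),
        ).fetchone()
        return row if row else (0, 0.0)

    def authorize(self, username, now):
        """authorize section: return 'reject' while a lockout is in force,
        before any password check runs."""
        _failures, locked_until = self._state(username)
        return "reject" if locked_until > now else "ok"

    def post_auth(self, username, accepted, now):
        """post-auth section: a success clears the counter; a failure
        increments it and locks the user once max_failures is reached.
        Returns the remaining lockout in whole seconds (0 = not locked)."""
        if accepted:
            self.db.execute("DELETE FROM login_failures WHERE username = ?",
                            (username,))
            self.db.commit()
            return 0
        failures, locked_until = self._state(username)
        if locked_until > now:
            # Already locked: rejects caused by the lockout itself do not
            # extend it, otherwise repeated attempts could hold the lock
            # on a legitimate user indefinitely.
            return int(locked_until - now)
        if locked_until:
            failures = 0                          # previous lockout has expired
        failures += 1
        locked_until = 0.0
        if failures >= self.max_failures:
            locked_until = now + self.lockout_seconds
        self.db.execute(
            "INSERT OR REPLACE INTO login_failures (username, failures, locked_until)"
            " VALUES (?, ?, ?)",
            (username, failures, locked_until),
        )
        self.db.commit()
        return int(locked_until - now) if locked_until else 0


if __name__ == "__main__":
    # Constructed walk-through: three failures lock "bob" for 60 seconds.
    tracker = LockoutTracker(max_failures=3, lockout_seconds=60)
    for t in (1000, 1001, 1002):
        print(t, tracker.post_auth("bob", False, t))
    print(tracker.authorize("bob", 1030), tracker.authorize("bob", 1062))
```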


Re: Why do I need to force Auth-Type?

2008-08-12 Thread Alan DeKok
sphaero wrote:
> In a previous post "PAP what password encryption is used?" I managed to get
> authentication working with a msssql backend however I need to force
> Auth-Type := PAP. I read it's bad practice to force the Auth-Type so I was
> wondering what I could do to let freeradius figure the authentication
> itself.

  List "pap" *inside* of the Autz-Type blocks, *after* your SQL modules.

> This is all done on freeradius 1.1.6 (OSS 10.3)

  Ugh.  2.0 is much better.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


invalid login attempts user lockout

2008-08-12 Thread Sudarshan Soma
Hi All,
Does anyone know of RadiusServer denying access for a particular user
after a configurable number of invalid login attempts. I know this can
be done on the client side with pam modules. But I thought since
radius users are the same across multiple nodes connected to radiusserver,
it would be a useful option to lockout at radius server level.

Please let me know if anyone is aware of this scenario.

Regards,
Pavan.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html