Re: Unresponsive Child in component authorize
@kesm0724 FreeRadius version is?

On Wed, Oct 8, 2008 at 4:22 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> kesm0724 wrote:
> > Does the "Unresponsive Child in module files component authorize" allude to something I have misconfigured in the virtual server or a process that is hung?
>
> The server is blocked somewhere.
>
> > Tue Oct 7 12:14:43 2008 : Error: WARNING: Unresponsive child (id 3054615440) for request 8, in module files component authorize
>
> Hm... that's a little surprising. The files module doesn't take much CPU time. It doesn't use locks. So there's no reason for it to block for long periods of time.
>
> That may be a side-effect of something else taking long amounts of time. Usually, this is SQL. Or, if you're putting hostnames in the users file, instead of numerical IP addresses... and your DNS server is down. The server won't be able to create the reply because it needs the IP address. It won't be able to create the IP address because DNS is down.
>
> Don't use hostnames. Or, fix DNS so that it works.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mschap No Cleartext-Password configured
> > ablasbichler Cleartext-Password == ablasbichler
> > With no success
>
> Should be := not ==.

Hello,

Thank you for the answers. I changed it how you suggested, but without success.

Another thing: we use md5 encrypted passwords in our LDAP DB for userPassword. Is it right that the line above in users overwrites this?

Here my log (tested with user test, password alois). Why does pap use CRYPT encryption? Shouldn't it be cleartext?

by luis

server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
request done: ld 0x81a0ba8 msgid 7
++[unix] returns updated
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password alois
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [test] (from client ciscosw port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [test] (from client ciscosw port 29 cli 00-40-96-B4-5B-0F)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 6 to 10.53.240.10 port 32769
        EAP-Message = 0x0414
        Message-Authenticator = 0x
Waking up in 3.4 seconds.
Re: CA.all and CA.certs in Freeradius 2.x
* Vegard Svanberg [EMAIL PROTECTED] [2008-10-07 12:16]:
> > Perhaps you should bother reading the mysteriously named file README in /certs directory before asking questions.
>
> Seems the file got lost during the transition from 1.x. Thanks!

Hm, something is not working right, but I'm not sure where.

Created (ca, server, client) certificates per the instructions in the README file. Enabled EAP-TLS in eap.conf and verified that paths etc are correct. Then created the client certificate and imported it on the client.

-X gives me this before it fails:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 1497
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0393], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> testuser2

Also, openssl can't verify the generated client certificate:

$ openssl verify -CAfile ca.pem client.pem
client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Oh BTW, there is a small error in the README; on line 132 it reads: "The user's certificate will be in commonName.pem, i.e. [EMAIL PROTECTED]." This is wrong; the Makefile is using emailAddress.
--
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]
Re: mschap No Cleartext-Password configured
On 08.10.2008 at 09:49, alois blasbichler wrote:
> > > ablasbichler Cleartext-Password == ablasbichler
> > > With no success
> >
> > Should be := not ==.
>
> Hello,
> Thank you for the answers. I changed it how you suggested, but without success.
> Another thing: we use md5 encrypted passwords in our LDAP DB for userPassword. Is it right that the line above in users overwrites this?

I am not sure, so I won't answer this one.

> Here my log (tested with user test, password alois). Why does pap use CRYPT encryption? Shouldn't it be cleartext?

If you define a Cleartext-Password for a user, it does not mean that you force the use of cleartext for the authentication of the user. If the authentication needs the password in another form, it will transform the cleartext password into the needed form. (For example for MS-CHAP, it would encode the password into UTF32-LE and then make the MD4 hash of it.)

> by luis

Have a nice day!

[...]

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
config mysql with Linux PAM for SSH
Hi all,

I've installed an authentication solution using freeradius, with a mysql database on RedHat 4.7. I would like users logging into other Linux machines to have their login/password authenticated using mysql on the freeradius server (SSH).

I've seen that, to authenticate successfully, the login id has to be defined locally on the client Linux machines.

In summary, is it mandatory to have the login id defined on the client Linux machine? Other solutions?

thanks,
Nasr-Eddine BADAOUI
Re: mschap No Cleartext-Password configured
On 08.10.2008 at 10:12, Nicolas Goutte wrote:
> On 08.10.2008 at 09:49, alois blasbichler wrote:
> [...]
> > Here my log (tested with user test, password alois). Why does pap use CRYPT encryption? Shouldn't it be cleartext?
>
> If you define a Cleartext-Password for a user, it does not mean that you force the use of cleartext for the authentication of the user. If the authentication needs the password in another form, it will transform the cleartext password into the needed form. (For example for MS-CHAP, it would encode the password into UTF32-LE and then make the MD4 hash of it.)

Sorry, I meant UTF16-LE (16 bit Unicode, little endian) instead of UTF32-LE.

> > by luis
>
> Have a nice day!
>
> [...]
Re: Primary key in radacct table
I use an index on acctuniqueid along with

acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}

It works fine for me.

Thanks,
Alex

2008/10/7 Marinko Tarlac [EMAIL PROTECTED]:
> acctuniqueid is not unique in default configuration.
>
> According to my experience, the problem with duplicated sessions is very strange. My NAS (Mtik 2.9.x and Mtik 3.x) sends duplicated session ids, but almost at the same time. For example one session is started now and the second one is transferred 1 second later.
>
> On Tue, Oct 7, 2008 at 8:54 AM, Santiago Balaguer García [EMAIL PROTECTED] wrote:
> > I have a script to delete duplicate entries and stale sessions. But the duplicate accounting records were created in real time; I have to create a trigger in the database to detect these entries or activate an exec in the accounting module.
> >
> > Is the 'acctuniqueid' attribute unique in the whole database in a default freeradius configuration?
> >
> > Date: Mon, 6 Oct 2008 17:53:32 +0200
> > From: [EMAIL PROTECTED]
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: Primary key in radacct table
> >
> > > You can do it and it will solve your problem, but it can create small overhead because radius tries to write into the database and it will be rejected. You will see this in your log files.
> > >
> > > Another idea is to change NAS, or you can create a cron script to delete duplicated entries.
> > >
> > > MT
> > >
> > > On Mon, Oct 6, 2008 at 5:35 PM, Santiago Balaguer García [EMAIL PROTECTED] wrote:
> > > > Hi,
> > > >
> > > > I am using freeradius 1.1.7 + postgres since 3 years ago. The AAA service works fine, however my radacct table sometimes has duplicate registers. I realize that it happens when a NAS does not have a reliable Internet connection, so the NAS sends the accounting packets several times.
> > > >
> > > > My radacct table has 'radacctid' as primary key. I realize that two (or more) duplicate registers share the 'acctsessionid' and 'acctuniqueid' fields among others. I know the 'acctsessionid' field can be the same in different NASes.
> > > >
> > > > Would it be a good idea to change the primary key to 'acctuniqueid'?
> > > >
> > > > Santiago
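The two halves of the advice in this thread (clean up the duplicates, then put a unique index on acctuniqueid so the database rejects the retransmitted record) as an added, runnable example. This is not code from the thread or from FreeRADIUS; it uses an in-memory SQLite copy of a cut-down radacct table and constructed rows that mirror the situation described: the same Start record arriving twice from one NAS, and a second NAS reusing the same Acct-Session-Id. The acctuniqueid values are made up; in a real deployment they come from the acct_unique module with a key like the one Alex posted, which is what makes them unique across NASes.

```python
import sqlite3

# Constructed sample rows (not real accounting data). Row 2 is a retransmit of
# row 1 from a NAS on a flaky link; row 3 is another NAS that happens to use
# the same Acct-Session-Id, which is why acctsessionid alone cannot be the key.
SAMPLE_ROWS = [
    ("d41d8cd98f00b204", "8100001a", "10.0.0.1", "alice", "2008-10-06 17:35:00"),
    ("d41d8cd98f00b204", "8100001a", "10.0.0.1", "alice", "2008-10-06 17:35:01"),
    ("e2a5c1f0b7d39c44", "8100001a", "10.0.0.2", "bob",   "2008-10-06 17:35:02"),
]

# Cut-down radacct: only the columns the thread talks about.
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY AUTOINCREMENT,
    acctuniqueid  TEXT NOT NULL,
    acctsessionid TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    username      TEXT,
    acctstarttime TEXT
)
"""

INSERT = ("INSERT INTO radacct (acctuniqueid, acctsessionid, nasipaddress, "
          "username, acctstarttime) VALUES (?, ?, ?, ?, ?)")


def build_radacct(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """Create the table and load the sample rows, duplicates included."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(INSERT, rows)
    conn.commit()
    return conn


def find_duplicates(conn):
    """acctuniqueid values stored more than once: what a cleanup cron job looks for."""
    return conn.execute(
        "SELECT acctuniqueid, COUNT(*) FROM radacct "
        "GROUP BY acctuniqueid HAVING COUNT(*) > 1"
    ).fetchall()


def delete_duplicates(conn) -> int:
    """Keep the earliest row (lowest radacctid) per acctuniqueid.
    Plain SQL, so the same statement works on PostgreSQL."""
    cur = conn.execute(
        "DELETE FROM radacct WHERE radacctid NOT IN "
        "(SELECT MIN(radacctid) FROM radacct GROUP BY acctuniqueid)"
    )
    conn.commit()
    return cur.rowcount


def enforce_unique(conn) -> None:
    """After the cleanup, make the database refuse duplicates instead of storing them."""
    conn.execute("CREATE UNIQUE INDEX radacct_acctuniqueid_idx ON radacct (acctuniqueid)")
    conn.commit()


def insert_start(conn, row) -> bool:
    """Stand-in for the sql module's accounting_start query. False is the
    'rejected write' MT mentions: once the index exists, a retransmitted
    Start shows up as a failed query in the radius log and nothing else."""
    try:
        conn.execute(INSERT, row)
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]


if __name__ == "__main__":
    db = build_radacct()
    print("duplicates before cleanup:", find_duplicates(db))
    print("rows deleted:", delete_duplicates(db))
    enforce_unique(db)
    print("retransmit accepted after index?", insert_start(db, SAMPLE_ROWS[1]))
```

Running the same DELETE and CREATE UNIQUE INDEX against the real PostgreSQL radacct is the order that matters: the index creation fails while duplicates are still present. Making acctuniqueid unique only helps if every NAS's records are keyed with NAS-IP-Address (or Client-IP-Address) in acct_unique, as in Alex's key; with the default key two NASes can collide.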
Re: mschap No Cleartext-Password configured
> Enable ldap in inner-tunnel virtual server. Radtest works because this is enabled in default virtual server.
>
> It looks like auto headers are not enabled in pap module. It defaults to crypt instead of detecting md5 header.

Yes, so it works, also with eap-mschap.

Great, and many many thanks to you. Finally it works ...

By luis
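The two changes Ivan recommended, written out as FreeRADIUS 2.x configuration. This is an added example, not configuration taken from the thread or shipped by FreeRADIUS: the module and section names match the debug output above (chap, mschap, unix, suffix, control, eap, files, expiration, logintime, pap), and the only assumptions are that the ldap module is already configured for the default virtual server, as the radtest run shows, and that the site files live in the standard raddb layout.

```text
# raddb/modules/pap  -- the default (weak for this directory) setting and the fix.
pap {
        # auto_header = no     # default: "{md5}..." in User-Password is not recognised,
                               # rlm_pap falls back to crypt and the check fails
        auto_header = yes      # strip {md5}/{crypt}/{sha}/{ssha}/... headers into the
                               # matching *-Password attribute before comparing
}

# raddb/sites-available/inner-tunnel -- where the EAP-TTLS/PEAP inner request is
# authorized. "default" already lists ldap, which is why radtest worked while
# the tunnelled request never got userPassword / sambaNtPassword from LDAP.
authorize {
        chap
        mschap
        unix
        suffix
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        ldap                   # added: same module instance as in "default"
        expiration
        logintime
        pap
}
```

auto_header only helps PAP. MS-CHAP (PEAP or TTLS with MSCHAPv2) cannot be checked against an {md5} hash at all; it needs NT-Password or Cleartext-Password, which is why the sambaNtPassword mapping in ldap.attrmap (visible in the log as NT-Password) is what makes the eap-mschap case work. Treat sambaNtPassword as a password-equivalent secret: anyone who reads it can authenticate with MS-CHAP without knowing the password.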
Re: How do I tell if accounting module fails?
2008/10/8 [EMAIL PROTECTED]:
> Your program should return this. See raddb/modules/echo for instructions.

Ivan,

Sorry, I was not sufficiently clear in my explanation. My program wants to know if the sql module that ran *before* it failed or succeeded.

(And I'm running 1.1.7, not 2.x, but the theory is the same I presume).

Thanks,
Alex
Different configuration upon realm
Hello all!

I have a quick question. I have an SQL based setup, a little bit modified to suit our needs. Everything works well! We have a username scheme like [EMAIL PROTECTED] which goes through our SQL based authentication.

Now, I would like to configure radius to return different attributes for different domains (without SQL). So if a user comes in with:

Service-Type: Framed-User
User-Name: [EMAIL PROTECTED]
...

I would like to reply with some AVPairs, without any password checks ...

So, OURDOMAIN.com should go through the normal process, but other domains should go through this process. How is that possible to implement?! I was looking for examples, but didn't find any - or maybe I don't know what I'm looking for.

Thanks for your help!

Kind regards,
Dejan Markic
Searching for an up to date tutorial for freeRADIUS + Active Directory
I want to set up a freeRADIUS server to work together with Active Directory. The best tutorial I've found is http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it seems to be outdated, because the part with the configuration of radius.conf is based on an older version of freeRADIUS. I have installed 2.1.1 and there the radius.conf links to other modules / VHosts. What must I change to make it work with version 2.1.1?

Thanks in advance.

Best regards,
F. Niedernolte
Re: Searching for an up to date tutorial for freeRADIUS + Active Directory
mschap module is now in raddb/modules/mschap. Updated instructions:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I want to set up a freeRADIUS server to work together with Active Directory. The best tutorial I've found is http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it seems to be outdated, because the part with the configuration of radius.conf is based on an older version of freeRADIUS. I have installed 2.1.1 and there the radius.conf links to other modules / VHosts. What must I change to make it work with version 2.1.1?
> [...]
EAP-TLS computer account(not user)
I use eap-tls for the registration of the computer. It is necessary to open access to the network before the user presses Ctrl+Alt+Del. I don't understand what the problem is:

rad_recv: Access-Request packet from host 10.0.1.2:5007, id=154, length=216
        User-Name = host/cit44
        EAP-Message = 0x0202000f01686f73742f6369743434
        Message-Authenticator = 0xda5f6a382f76e341ecd76c7fe2eda837
        NAS-IP-Address = 10.0.1.2
        NAS-Identifier = 001ac1d4ee42
        NAS-Port = 117604353
        NAS-Port-Id = unit=7;subslot=0;port=40;vlanid=1
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = 0013-7737-714e
        Vendor-25506-Attr-26 = 0x001e
        Vendor-25506-Attr-255 = 0x353530302d4549
        Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465
        Vendor-25506-Attr-59 = 0x38e68c68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '\' in User-Name = host/cit44, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry host/cit44 at line 235
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 154 to 10.0.1.2 port 5007
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 2
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x
        State = 0x85f944d1ab810baf397561351f4da39d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.2:5007, id=155, length=335
        User-Name = host/cit44
        EAP-Message = 0x020300740d80006a16030100650161030148eca4801a94d16d54f4d65aa34134bcbd1fb96c22cd0e25ccbbcb4298d76bee18002f00350005000ac009c00ac013c0140032003800130004012a0008056369743434000a00080006001700180019000b00020100
        Message-Authenticator = 0x2e81df002f583a191f6f4845ac7caac4
        NAS-IP-Address = 10.0.1.2
        NAS-Identifier = 001ac1d4ee42
        NAS-Port = 117604353
        NAS-Port-Id = unit=7;subslot=0;port=40;vlanid=1
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = 0013-7737-714e
        State = 0x85f944d1ab810baf397561351f4da39d
        Vendor-25506-Attr-26 = 0x001e
        Vendor-25506-Attr-255 = 0x353530302d4549
        Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465
        Vendor-25506-Attr-59 = 0x38e68c68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '\' in User-Name = host/cit44, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 116
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
    users: Matched entry DEFAULT at line 152
    users: Matched entry host/cit44 at line 235
  modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0065], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 056e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake
Re: CA.all and CA.certs in Freeradius 2.x
Try with a ca-server bundle:

cat ca.pem server.pem > cabundle.pem

Use that as CAfile and export (appropriate version) to the clients.

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Vegard Svanberg [EMAIL PROTECTED] wrote:
> Hm, something is not working right, but I'm not sure where.
>
> Created (ca, server, client) certificates per the instructions in the README file. Enabled EAP-TLS in eap.conf and verified that paths etc are correct. Then created the client certificate and imported it on the client.
>
> -X gives me this before it fails:
>
> [...]
> [tls] <<< TLS 1.0 Handshake [length 0393], Certificate
> --> verify error:num=20:unable to get local issuer certificate
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> [...]
>
> Also, openssl can't verify the generated client certificate:
>
> $ openssl verify -CAfile ca.pem client.pem
> client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/[EMAIL PROTECTED]
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> Oh BTW, there is a small error in the README; on line 132 it reads: "The user's certificate will be in commonName.pem, i.e. [EMAIL PROTECTED]." This is wrong; the Makefile is using emailAddress.
>
> --
> Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]
FreeRADIUS and EDUROAM timeout issues
How have other EDUROAM sites configured their EDUROAM servers with regard to timeout issues? The default setting seems to be less than optimal, since if a remote site has problems with their home RADIUS servers then we risk having our local servers mark the upstream servers as dead since it's not receiving answers for a specific 'realm'...

I've been using the default values so far:

        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3

But I wonder if these can be tuned a bit to better work in the EDUROAM environment. Perhaps increase the 'response_window', and lower the 'zombie_period', 'revive_interval' and 'check_interval' values...

Best would probably be if FreeRadius kept a separate timeout for each 'server/realm' tuple...

What have other sites done?

- Peter
Re: How do I tell if accounting module fails?
You will need to log that into a file or a database.

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Alex French [EMAIL PROTECTED] wrote:
> 2008/10/8 [EMAIL PROTECTED]:
> > Your program should return this. See raddb/modules/echo for instructions.
>
> Ivan,
>
> Sorry, I was not sufficiently clear in my explanation. My program wants to know if the sql module that ran *before* it failed or succeeded.
>
> (And I'm running 1.1.7, not 2.x, but the theory is the same I presume).
>
> Thanks,
> Alex
Re: Different configuration upon realm
Users file:

DEFAULT Realm == "otherdomain"
        reply item,
        reply item,
        ...

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Dejan Markic [EMAIL PROTECTED] wrote:
> Hello all!
>
> I have a quick question. I have an SQL based setup, a little bit modified to suit our needs. Everything works well! We have a username scheme like [EMAIL PROTECTED] which goes through our SQL based authentication.
>
> Now, I would like to configure radius to return different attributes for different domains (without SQL). So if a user comes in with:
>
> Service-Type: Framed-User
> User-Name: [EMAIL PROTECTED]
>
> I would like to reply with some AVPairs, without any password checks ...
>
> So, OURDOMAIN.com should go through the normal process, but other domains should go through this process. How is that possible to implement?!
> [...]
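Ivan's users-file entry, filled in as a complete FreeRADIUS 2.x fragment. This is an added example, not the thread's or FreeRADIUS's own configuration. The realm name otherdomain.com, the reply attributes and the users/proxy.conf paths are placeholders; the one detail the users entry depends on, which the one-liner above leaves implicit, is that the suffix module only sets the Realm attribute for realms it knows, so the foreign domain has to be declared as a local realm first.

```text
# raddb/proxy.conf -- an empty realm block means "handle locally, do not proxy".
# Without it the suffix module logs "No such realm" for the domain and never sets
# the Realm attribute that the users entry below matches on.
realm otherdomain.com {
}

# raddb/users -- processed by "files" before sql in authorize. Auth-Type := Accept
# makes the server send Access-Accept without running any password check, which
# is what was asked for. Reply attributes are placeholders.
DEFAULT	Realm == "otherdomain.com", Auth-Type := Accept
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Netmask = 255.255.255.0,
	Fall-Through = No

# Requests for OURDOMAIN.com do not match the entry above (different Realm), so
# they continue through the existing sql-based authentication unchanged.
```

Auth-Type := Accept turns the user-name suffix into the whole credential: any client listed in clients.conf can obtain an Access-Accept for the placeholder reply by sending a name ending in @otherdomain.com. If only one NAS is supposed to get this treatment, add a check item that pins the entry to it (for example NAS-IP-Address == the address of that NAS, or a Huntgroup-Name) on the DEFAULT line, so the unauthenticated path is not reachable from every client.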
Re: How do I tell if accounting module fails?
Alex French wrote:
> Sorry, I was not sufficiently clear in my explanation. My program wants to know if the sql module that ran *before* it failed or succeeded.
>
> (And I'm running 1.1.7, not 2.x, but the theory is the same I presume).

Each module returns a code: noop/ok/fail/etc. It's a little difficult to access this from another module in 1.1.7.

In 2.x, see "man unlang" for how to access the return codes.

Alan DeKok.
AW: Searching for an up to date tutorial for freeRADIUS + ActiveDirectory
I know, but how can I use/activate it? And must I do more than an "aptitude install samba" for ntlm_auth on Debian Etch?

Where should I add ntlm_auth in the authenticate { section of the default sites-enabled? Under Auth-Type MS-CHAP { chap?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 14:57
To: FreeRadius users mailing list
Subject: Re: Searching for an up to date tutorial for freeRADIUS + ActiveDirectory

> mschap module is now in raddb/modules/mschap. Updated instructions:
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 8/10/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > I want to set up a freeRADIUS server to work together with Active Directory. The best tutorial I've found is http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO but it seems to be outdated, because the part with the configuration of radius.conf is based on an older version of freeRADIUS. I have installed 2.1.1 and there the radius.conf links to other modules / VHosts. What must I change to make it work with version 2.1.1?
> > [...]
Re: EAP-TLS computer account(not user)
> I use eap-tls for the registration of the computer. It is necessary to open access to the network before the user presses Ctrl+Alt+Del. I don't understand what the problem is:
>
> [...]
>   radius_xlat: 'host/cit44'
>   rlm_eap_tls: checking certificate CN (cit44) with xlat'ed value (host/cit44)
>   rlm_eap_tls: Certificate CN (cit44) does not match specified value (host/cit44)!
> --> chain-depth=0,
> --> error=0
> --> User-Name = host/cit44
> --> BUF-Name = cit44
> --> subject = /C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=cit44
> --> issuer = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator
> --> verify return:0
> [...]

User-Name and CN are not the same. Create a proper certificate.

Ivan Kalik
Kalik Informatika ISP
Re: AW: Searching for an up to date tutorial for freeRADIUS +ActiveDirectory
> I know, but how can I use/activate it?

It just works.

> And must I do more than an "aptitude install samba" for ntlm_auth on Debian Etch?

Someone with Debian might be able to answer this. Probably not.

> Where should I add ntlm_auth in the authenticate { section of the default sites-enabled? Under Auth-Type MS-CHAP { chap?

No. On a new line.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRADIUS and EDUROAM timeout issues
Peter Eriksson wrote:
> The default setting seems to be less than optimal, since if a remote site has problems with their home RADIUS servers then we risk having our local servers mark the upstream servers as dead since it's not receiving answers for a specific 'realm'...

That's been a bit of a problem in RADIUS proxying. The specification says that servers MUST answer Access-Requests. But some implementations don't do that when they're proxying. This causes all sorts of problems.

> Perhaps increase the 'response_window', and lower the 'zombie_period', 'revive_interval' and 'check_interval' values...

If you're using status-server, then revive_interval isn't used.

> Best would probably be if FreeRadius kept a separate timeout for each 'server/realm' tuple...

Ugh. That's adding complexity to work around bugs in other RADIUS servers, IMHO. Rather than keeping track of N realms and M home servers, it now has to keep track of (N x M) combinations. That's expensive.

Still, if someone sends a patch, I'll look at it.

Alan DeKok.
Re: config mysql with Linux PAM for SSH
BADAOUI Nasr-Eddine (P) wrote:
> I've seen that, to authenticate successfully, the login id has to be defined locally on the client Linux machines.
>
> In summary, is it mandatory to have the login id defined on the client Linux machine? Other solutions?

That's the way PAM works. There is apparently a way to define uids and gids via PAM, but the documentation for that didn't exist the last time I looked.

Alan DeKok.
Re: mschap No Cleartext-Password configured
Enable ldap in inner-tunnel virtual server. Radtest works because this is enabled in default virtual server.

It looks like auto headers are not enabled in pap module. It defaults to crypt instead of detecting md5 header.

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, alois blasbichler [EMAIL PROTECTED] wrote:
> Hello
>
> Thank you for the reply.
>
> I made another test with user test and password test with radtest and then from a windowsxp-client (should be pap).
>
> With radtest test test 127.0.0.1 12 password all works fine. I see in the log:
>
> rlm_ldap: userPassword -> User-Password == {md5}CY9rzUYh03PK3k6DJie09g==
> rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
> rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = LDAP
> +- entering group LDAP {...}
> [ldap] login attempt by test with password test
> [ldap] user DN: uid=test,ou=users,dc=sb-brixen,dc=it
> rlm_ldap: (re)connect to mir:389, authentication 1
> rlm_ldap: bind as uid=test,ou=users,dc=sb-brixen,dc=it/test to mir:389
> rlm_ldap: Bind was successful
> [ldap] user test authenticated succesfully
> ++[ldap] returns ok
> Login OK: [test] (from client localhost port 12)
>
> and here the full log for my windows-client accessing via a cisco wireless switch (maybe it gives me the problems):
>
> Maybe somebody sees where I have the problems
>
> By luis
>
> -
> rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=77, length=170
>         User-Name = test
>         Calling-Station-Id = 00-40-96-B4-5B-0F
>         Called-Station-Id = 00-0B-85-95-70-80:prova
>         NAS-Port = 29
>         NAS-IP-Address = 10.53.240.10
>         NAS-Identifier = WS4404_Pri
>         Airespace-Wlan-Id = 4
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-802.11
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = 156
>         EAP-Message = 0x020f00090174657374
>         Message-Authenticator = 0xf69a987d74a723bbc2981decb8c871a0
> +- entering group authorize {...}
> ++[preprocess] returns ok
>         expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
> [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
>         expand: %t -> Wed Oct 8 10:33:11 2008
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = test, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] EAP packet type response id 15 length 9
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns updated
> [files] users: Matched entry test at line 7
> ++[files] returns ok
> [ldap] performing user authorization for test
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test)
>         expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to mir:389, authentication 0
> rlm_ldap: bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to mir:389
> rlm_ldap: waiting for bind result ...
> request done: ld 0x81a9290 msgid 1
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test)
> request done: ld 0x81a9290 msgid 2
> [ldap] looking for check items in directory...
> rlm_ldap: userPassword -> User-Password == {md5}CY9rzUYh03PK3k6DJie09g==
> rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
> rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing LM-Password from hex encoding
> [pap] Normalizing MD5-Password from base64 encoding
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 77 to 10.53.240.10 port 32769
>         EAP-Message = 0x011000160410741fcd7da1e640ba9f4390917645a3ad
>         Message-Authenticator
AW: AW: Searching for an up to date tutorial for freeRADIUS+ActiveDirectory
OK. I cannot find "password server =" or "realm =" entries in the smb.conf. Should I add them myself?

"Start the Samba and Kerberos servers,..." - you mean on the freeRADIUS system? I have only installed Samba and it is running. Should I restart it?

Thanks a lot!
F. Niedernolte

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 15:18
To: FreeRadius users mailing list
Subject: Re: AW: Searching for an up to date tutorial for freeRADIUS+ActiveDirectory

I know but how can I use/activate it?

It just works.

And must I do more than an aptitude install samba for ntlm_auth on Debian Etch?

Someone with Debian might be able to answer this. Probably not.

Where should I add ntlm_auth in the authenticate { section of the default sites-enabled? Under Auth-Type MS-CHAP { chap?

No. On a new line.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How do I tell if accounting module fails?
Thanks all for the responses. I will use a DB table for now, and look at other alternatives once we migrate to 2.x

Alex

2008/10/8 Alan DeKok [EMAIL PROTECTED]:
Alex French wrote:
Sorry, I was not sufficiently clear in my explanation. My program wants to know if the sql module that ran *before* it failed or succeeded. (And I'm running 1.1.7 not 2.x but the theory is the same I presume).

Each module returns a code: noop/ok/fail/etc. It's a little difficult to access this from another module in 1.1.7. In 2.x, see "man unlang" for how to access the return codes.

Alan DeKok.
Re: CA.all and CA.certs in Freeradius 2.x
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-10-08 15:03]:
Try with ca-server bundle:
cat ca.pem server.pem > cabundle.pem
Use that as CAfile and export (appropriate version) to the clients.

Worked great, thanks! Perhaps the Makefile should be updated?

--
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]
RE: Primary key in radacct table
I work with Mtik too, and I have the same problem with duplicate sessions. I am going to try Alex's solution. Thanks!!!

Date: Wed, 8 Oct 2008 10:46:43 +0100
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Re: Primary key in radacct table

I use an index on acctuniqueid along with
acct_unique {
    key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
}
It works fine for me.

Thanks,
Alex

2008/10/7 Marinko Tarlac [EMAIL PROTECTED]:
acctuniqueid is not unique in the default configuration. In my experience the problem with duplicated sessions is very strange. My NAS (Mtik 2.9.x and Mtik 3.x) sends duplicated session ids but almost at the same time. For example one session is started now and the second one is transferred 1 second later.

On Tue, Oct 7, 2008 at 8:54 AM, Santiago Balaguer García [EMAIL PROTECTED] wrote:
I have a script to delete duplicate entries and stale sessions. But the duplicate accounting records were created in real time; I have to create a trigger in the database to detect these entries or activate an exec in the accounting module. Is the 'acctuniqueid' attribute unique in all databases in a default freeradius configuration?

Date: Mon, 6 Oct 2008 17:53:32 +0200
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Re: Primary key in radacct table

You can do it and it will solve your problem but it can create a small overhead because radius tries to write into the database and it will be rejected. You will see this in your log files. Another idea is to change NAS or you can create a cron script to delete duplicated entries.

MT

On Mon, Oct 6, 2008 at 5:35 PM, Santiago Balaguer García [EMAIL PROTECTED] wrote:
Hi,
I have been using freeradius 1.1.7 + postgres for 3 years. The AAA service works fine, however my radacct table sometimes has duplicate registers. I realize that it happens when a NAS does not have a reliable Internet connection, so the NAS sends the accounting packets several times.
My radacct table has 'radacctid' as primary key. I realize that two (or more) duplicate registers share the 'acctsessionid' and 'acctuniqueid' fields among others. I know the 'acctsessionid' field can be the same in different NASes. Would it be a good idea to change the primary key to 'acctuniqueid'?

Santiago
Re: mschap No Cleartext-Password configured
Hello,
Thank you for the reply. I made another test with user test and password test with radtest and then from a windowsxp-client (should be pap) with
radtest test test 127.0.0.1 12 password
- all works fine - I see in the log:

rlm_ldap: userPassword - User-Password == {md5}CY9rzUYh03PK3k6DJie09g==
rlm_ldap: sambaNtPassword - NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
rlm_ldap: sambaLmPassword - LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by test with password test
[ldap] user DN: uid=test,ou=users,dc=sb-brixen,dc=it
rlm_ldap: (re)connect to mir:389, authentication 1
rlm_ldap: bind as uid=test,ou=users,dc=sb-brixen,dc=it/test to mir:389
rlm_ldap: Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client localhost port 12)

and here the full log for my windows-client accessing via a cisco wireless switch (maybe he gives me the problems):
Maybe somebody sees where I have the problems.
By luis

rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=77, length=170
    User-Name = test
    Calling-Station-Id = 00-40-96-B4-5B-0F
    Called-Station-Id = 00-0B-85-95-70-80:prova
    NAS-Port = 29
    NAS-IP-Address = 10.53.240.10
    NAS-Identifier = WS4404_Pri
    Airespace-Wlan-Id = 4
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 156
    EAP-Message = 0x020f00090174657374
    Message-Authenticator = 0xf69a987d74a723bbc2981decb8c871a0
+- entering group authorize {...}
++[preprocess] returns ok
    expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
    expand: %t -> Wed Oct 8 10:33:11 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 15 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry test at line 7
++[files] returns ok
[ldap] performing user authorization for test
    WARNING: Deprecated conditional expansion :-. See man unlang for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test)
    expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mir:389, authentication 0
rlm_ldap: bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to mir:389
rlm_ldap: waiting for bind result ...
request done: ld 0x81a9290 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test)
request done: ld 0x81a9290 msgid 2
[ldap] looking for check items in directory...
rlm_ldap: userPassword - User-Password == {md5}CY9rzUYh03PK3k6DJie09g==
rlm_ldap: sambaNtPassword - NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
rlm_ldap: sambaLmPassword - LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing MD5-Password from base64 encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.53.240.10 port 32769
    EAP-Message = 0x011000160410741fcd7da1e640ba9f4390917645a3ad
    Message-Authenticator = 0x
    State = 0x8d60a8298d70aca02ffd6ac34c7adfdb
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=78, length=185
    User-Name = test
    Calling-Station-Id = 00-40-96
Re: How do I tell if accounting module fails?
2008/10/8 Marinko Tarlac [EMAIL PROTECTED]:
Create a log file on disk and check whether it exists, or add one column to your table and write something inside?

Yes, my fallback solution is to add a column to my radacct table (or possibly to another, more transient table) that I can do a SELECT FOR UPDATE on. However, I hoped there was a more elegant solution that did not involve an additional database connection. Perhaps not...

Alex
Re: How do I tell if accounting module fails?
Your program should return this. See raddb/modules/echo for instructions.

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Alex French [EMAIL PROTECTED] wrote:
Hi all,
I'm using an Exec-Program to do some user-specific stuff when a user logs out of our network (i.e. it is invoked with DEFAULT Acct-Status-Type == Stop). I'm trying to find a way for it to detect whether the database accounting module has succeeded in updating the user's accounting record or not (it will fail if the STOP packet is a duplicate). I can't find an attribute that I can test to check the status of the request at that stage. Any suggestions?

Alex
Re: How do I tell if accounting module fails?
Create a log file on disk and check whether it exists, or add one column to your table and write something inside?

On Wed, Oct 8, 2008 at 11:46 AM, Alex French [EMAIL PROTECTED] wrote:
[...]
RE: Unresponsive Child in component authorize
FreeRadius version is?

Version of Freeradius is 2.0.5

That may be a side-effect of something else taking long amounts of time. Usually, this is SQL.

I believe this may have been a side effect of perhaps all my ldap threads being utilized. I have increased the number of ldap threads and have adjusted the timeout values somewhat. I'll keep an eye on it. Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marinko Tarlac
Sent: Wednesday, October 08, 2008 3:36 AM
To: FreeRadius users mailing list
Subject: Re: Unresponsive Child in component authorize

@kesm0724 FreeRadius version is?

On Wed, Oct 8, 2008 at 4:22 AM, Alan DeKok [EMAIL PROTECTED] wrote:
kesm0724 wrote:
Does the "Unresponsive Child in module files component authorize" allude to something I have misconfigured in the virtual server or a process that is hung?

The server is blocked somewhere.

Tue Oct 7 12:14:43 2008 : Error: WARNING: Unresponsive child (id 3054615440) for request 8, in module files component authorize

Hm... that's a little surprising. The files module doesn't take much CPU time. It doesn't use locks. So there's no reason for it to block for long periods of time.

That may be a side-effect of something else taking long amounts of time. Usually, this is SQL. Or, if you're putting hostnames in the users file, instead of numerical IP addresses... and your DNS server is down. The server won't be able to create the reply because it needs the IP address. It won't be able to create the IP address because DNS is down.

Don't use hostnames. Or, fix DNS so that it works.

Alan DeKok.
How do I tell if accounting module fails?
Hi all,
I'm using an Exec-Program to do some user-specific stuff when a user logs out of our network (i.e. it is invoked with DEFAULT Acct-Status-Type == Stop). I'm trying to find a way for it to detect whether the database accounting module has succeeded in updating the user's accounting record or not (it will fail if the STOP packet is a duplicate). I can't find an attribute that I can test to check the status of the request at that stage. Any suggestions?

Alex
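The duplicate-Stop problem that this thread and the "Primary key in radacct table" thread both circle around, as an added example (not code from the list or from FreeRADIUS): a unique index on acctuniqueid makes the database refuse the retransmitted record, and the failed insert is exactly the signal Alex's Exec-Program wants. The comma-joined-then-MD5 approximation of Acct-Unique-Session-Id, the sqlite3 stand-in for the PostgreSQL radacct table and the packet values are all assumptions.

```python
"""Added example: reject a retransmitted Accounting-Stop with a UNIQUE index
on radacct.acctuniqueid, the approach Alex describes in the radacct thread.

Assumptions (not from the list):
 - acct_unique_id() approximates Acct-Unique-Session-Id as the first 8 bytes
   of the MD5 of the acct_unique key values joined with commas; the exact
   formatting used by rlm_acct_unique may differ.
 - An in-memory sqlite3 table stands in for the PostgreSQL radacct table.
"""
import hashlib
import sqlite3

# The acct_unique key exactly as given in Alex's reply.
ACCT_UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
                   "Client-IP-Address", "NAS-Port-Id")


def acct_unique_id(packet, key=ACCT_UNIQUE_KEY):
    """Return a 16-hex-char session id derived from the key attributes.

    Two packets with the same key values (a Stop and its retransmission)
    map to the same id; a different NAS port gives a different id.
    """
    material = ",".join(str(packet.get(attr, "")) for attr in key)
    return hashlib.md5(material.encode()).hexdigest()[:16]


def open_radacct():
    """Create an in-memory radacct table with the unique index Alex uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE radacct (
            radacctid      INTEGER PRIMARY KEY AUTOINCREMENT,
            acctsessionid  TEXT NOT NULL,
            acctuniqueid   TEXT NOT NULL,
            username       TEXT NOT NULL,
            nasipaddress   TEXT NOT NULL,
            acctstatustype TEXT NOT NULL
        )""")
    # The unique index is what makes the database reject the duplicate.
    conn.execute("CREATE UNIQUE INDEX radacct_unique ON radacct (acctuniqueid)")
    return conn


def record_stop(conn, packet):
    """Insert an Accounting-Stop row.

    Returns True when the row was stored and False when the database rejected
    it as a duplicate, which is the outcome the Exec-Program needs to know.
    """
    try:
        conn.execute(
            "INSERT INTO radacct (acctsessionid, acctuniqueid, username,"
            " nasipaddress, acctstatustype) VALUES (?, ?, ?, ?, ?)",
            (packet["Acct-Session-Id"], acct_unique_id(packet),
             packet["User-Name"], packet["NAS-IP-Address"],
             packet["Acct-Status-Type"]))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        # Same acctuniqueid already stored: the NAS retransmitted this Stop.
        conn.rollback()
        return False


# Constructed sample packets: a Stop, its retransmission from a NAS with a
# flaky uplink, and a genuinely different session on another port.
STOP = {"User-Name": "santiago", "Acct-Session-Id": "8100003a",
        "NAS-IP-Address": "10.0.0.5", "Client-IP-Address": "10.0.0.5",
        "NAS-Port-Id": "5", "Acct-Status-Type": "Stop"}
STOP_RETRANSMIT = dict(STOP)
OTHER_PORT = dict(STOP, **{"NAS-Port-Id": "6"})


def demo():
    """Run the three inserts; returns ([stored?, ...], rows_in_table)."""
    conn = open_radacct()
    results = [record_stop(conn, p) for p in (STOP, STOP_RETRANSMIT, OTHER_PORT)]
    rows = conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return results, rows


if __name__ == "__main__":
    print(demo())  # ([True, False, True], 2)
```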
Re: CA.all and CA.certs in Freeradius 2.x
That's just the ad-hoc solution for the error you reported (error 20 - incomplete chain). It might not be the best way of doing things. I don't use certificates that much. Others might know a better way of sorting this out.

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Vegard Svanberg [EMAIL PROTECTED] wrote:
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-10-08 15:03]:
Try with ca-server bundle:
cat ca.pem server.pem > cabundle.pem
Use that as CAfile and export (appropriate version) to the clients.

Worked great, thanks! Perhaps the Makefile should be updated?

--
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]
FreeNIBS
Hi,
Is FreeNIBS supported by FreeRADIUS 2.X? Has anyone deployed this in conjunction with SQLIPPOOL for prepaid data charging? Thanks for sharing your experiences.

Regards,
rg
Re: FreeNIBS
rsg wrote:
Is FreeNIBS supported by FreeRADIUS 2.X?

Try it. As far as I know, nobody has tested it with 2.x.

Has anyone deployed this in conjunction with SQLIPPOOL for prepaid data charging?

It should work.

--
With best regards,
Evgeniy Kozhuhovskiy
Leader, Services team
Minsk State Phone Network, RUE Beltelecom.
Programming freeradius to react in different way for accepts and rejects
Hello all,
I'm looking for some tutorial that explains how I can program freeradius to work as described below. In my lab environment I have two situations: access-accept (the password is correct) and access-reject (the password is wrong). I would like to program freeradius so that after the fifth try of a user to authenticate (all five tries were rejected), freeradius authenticates the user with a specific policy for this case. I know how to send different policies to a user, but I don't know how to make freeradius answer accept after the fifth try of authentication.

Example:
user test passwd test123
time: 00:00:00
1st try: test passwd test456 - radius answers reject
2nd try: test passwd test456 - radius answers reject
3rd try: test passwd test456 - radius answers reject
4th try: test passwd test456 - radius answers reject
5th try: test passwd test456 - radius answers reject
time: 00:05:00
6th try: test passwd test456 - radius answers accept but authenticates the user in a specific policy to block its access but keep it authenticated.

If in five minutes the user has received more than 5 access-rejects then I would like to authenticate and block its access with a specific policy.

Thanks in advance!

./diogo -montagner
Re: FreeNIBS
rsg wrote:
Is FreeNIBS supported by FreeRADIUS 2.X?

It won't work. The source code has to be updated to work with the new API. In addition, it has its own SQL module subsystem. This is inefficient, and could use the existing rlm_sql.

Alan DeKok.
Re: Programming freeradius to react in different way for accepts and rejects
Create a (perl, exec) program that handles authentication that way.

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Diogo Montagner [EMAIL PROTECTED] wrote:
[...]
Re: Programming freeradius to react in different way for accepts and rejects
Diogo Montagner wrote:
I would like to program freeradius so that after the fifth try of a user to authenticate (all five tries were rejected), freeradius authenticates the user with a specific policy for this case. I know how to send different policies to a user, but I don't know how to make freeradius answer accept after the fifth try of authentication.

Write a Perl script to implement this logic. It is a *very* unusual request, and cannot be implemented in the normal configuration files. You will need to keep track of the number of rejects in a DB.

Alan DeKok.
Re: Programming freeradius to react in different way for accepts and rejects
And how can I tell freeradius to always ask this script before it authenticates a user?

Thanks
./diogo -montagner

On Wed, Oct 8, 2008 at 12:06 PM, Alan DeKok [EMAIL PROTECTED] wrote:
[...]
Write a Perl script to implement this logic. It is a *very* unusual request, and cannot be implemented in the normal configuration files. You will need to keep track of the number of rejects in a DB.

Alan DeKok.
Re: Programming freeradius to react in different way for accepts and rejects
Diogo Montagner wrote:
And how can I tell freeradius to always ask this script before it authenticates a user?

See the example configuration files for how to configure the perl module.

Alan DeKok.
Re: Programming freeradius to react in different way for accepts and rejects
http://wiki.freeradius.org/Rlm_perl

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Diogo Montagner [EMAIL PROTECTED] wrote:
And how can I tell freeradius to always ask this script before it authenticates a user?
[...]
Re: Programming freeradius to react in different way for accepts and rejects
Thank you for all replies!!

./diogo -montagner

2008/10/8 [EMAIL PROTECTED]:
http://wiki.freeradius.org/Rlm_perl
[...]
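The reject-counting logic Alan and Ivan point Diogo towards, as an added example (in Python rather than the rlm_perl script they suggest; not code from the thread or from FreeRADIUS): failed attempts are recorded in a DB, and once five have accumulated inside a five-minute window the user is accepted into a restricted policy instead of being rejected again. The sqlite3 table, the Filter-Id value used for the quarantine policy, and the plain-function model of the authorize hook are assumptions.

```python
"""Added example: count rejects per user in a sliding window and, once the
threshold from Diogo's example is reached, accept the user into a blocking
policy instead of rejecting again.

Assumptions (not from the thread):
 - The authorize hook is modelled as a plain function; in a deployment it
   would live in the rlm_perl script Alan and Ivan refer to.
 - Rejects are stored in an in-memory sqlite3 table.
 - The restricted policy is expressed as a constructed Filter-Id value.
"""
import sqlite3

WINDOW_SECONDS = 5 * 60   # "in five minutes" from Diogo's description
MAX_REJECTS = 5           # five rejects, then the sixth try is accepted
# Constructed reply for the quarantine state: the NAS keeps the session
# but applies a policy that blocks access.  Attribute value is an assumption.
BLOCKED_POLICY = {"Filter-Id": "quarantine"}


def open_db():
    """Create the reject log; one row per Access-Reject sent."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rejects (username TEXT, at INTEGER)")
    conn.execute("CREATE INDEX rejects_user ON rejects (username, at)")
    return conn


def recent_rejects(conn, username, now):
    """Number of rejects for username in the window ending at now (epoch s)."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM rejects WHERE username = ? AND at >= ?",
        (username, now - WINDOW_SECONDS)).fetchone()
    return n


def authorize(conn, username, password, now, check_password):
    """Return ("accept", reply_attrs) or ("reject", None).

    check_password(username, password) -> bool is the real credential check
    (LDAP, users file, ...) the script would defer to; it is a parameter so
    the policy logic stays independent of the backend.
    """
    if recent_rejects(conn, username, now) >= MAX_REJECTS:
        # Threshold reached inside the window: accept into the blocked
        # policy, whether or not this attempt's password is right, so the
        # user stays authenticated but cannot get further.
        return "accept", dict(BLOCKED_POLICY)
    if check_password(username, password):
        return "accept", {}
    # Wrong password below the threshold: reject and remember it.
    conn.execute("INSERT INTO rejects (username, at) VALUES (?, ?)",
                 (username, now))
    conn.commit()
    return "reject", None


# Constructed credential store for the demo (user/password from Diogo's mail).
USERS = {"test": "test123"}


def demo_check(username, password):
    return USERS.get(username) == password


def run_sequence(conn):
    """Replay Diogo's example: five wrong tries, then a sixth at 00:05:00."""
    results = []
    for i in range(5):                       # t = 0..4 seconds
        results.append(authorize(conn, "test", "test456", i, demo_check))
    results.append(authorize(conn, "test", "test456", 300, demo_check))
    return results


if __name__ == "__main__":
    for outcome in run_sequence(open_db()):
        print(outcome)
```

Once the window has passed (here, any time after t=304 the rejects at t=0..4 no longer count), the same user with the right password is accepted normally again.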
Radius reply multivalue VSA question.
Hi,
We are defining custom VSAs for our company. We have ldap configured in freeradius which returns the VSAs. I defined a custom VSA in $freeradius/share/freeradius/dictionary.abc:
ATTRIBUTE rEntitlements 113 string
entitlements is a multivalue attribute (vARRAY) in LDAP. In the ldap.attrmap it is defined as
replyItem rEntitlements entitlements ==
So after the successful authentication, I am getting the rEntitlements back as
Sending Access-Accept of id 50 to 69.74.69.31 port 1814
    Session-Timeout = 7200
    rEntitlements == ADMALL
    rEntitlements == STORE
    rEntitlements == WEPG
    rEntitlements == WADM
    rEntitlements == SDNLD
    rEntitlements == WIFILOC1
BUT I am looking for ONLY WIFILOC1 for the NAS. The NAS will redirect if WIFILOC1 exists. Can I do a regex on the rEntitlements so freeradius ONLY returns rEntitlements = WIFILOC1 and ignores the rest? Please let me know. Thanks in advance.
Install error
Installing v.2.1.1 I got errors. Any clues? Thanks, Duan

./configure
...
...
gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)
configure:3000: $? = 0
configure:3007: g++ -V >&5
g++: '-V' option must have argument
configure:3010: $? = 1
configure:3013: checking whether we are using the GNU C++ compiler
configure:3042: g++ -c conftest.cpp >&5
configure:3048: $? = 0
configure:3065: result: yes
configure:3070: checking whether g++ accepts -g
configure:3100: g++ -c -g conftest.cpp >&5
configure:3106: $? = 0
- Ignored:
configure:3205: result: yes
configure:3235: checking how to run the C preprocessor
configure:3275: gcc -E conftest.c
configure:3281: $? = 0
configure:3312: gcc -E conftest.c
conftest.c:8:28: error: ac_nonexistent.h: No such file or directory
configure:3318: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME
| #define PACKAGE_TARNAME
| #define PACKAGE_VERSION
| #define PACKAGE_STRING
| #define PACKAGE_BUGREPORT
| /* end confdefs.h. */
| #include <ac_nonexistent.h>
configure:3351: result: gcc -E
configure:3380: gcc -E conftest.c
configure:3386: $? = 0
configure:3417: gcc -E conftest.c
conftest.c:8:28: error: ac_nonexistent.h: No such file or directory
configure:3423: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME
| #define PACKAGE_TARNAME
| #define PACKAGE_VERSION
| #define PACKAGE_STRING
| #define PACKAGE_BUGREPORT
| /* end confdefs.h. */
| #include <ac_nonexistent.h>
...
..
...
configure:4417: checking whether byte ordering is bigendian
configure:4450: gcc -c -g -O2 conftest.c >&5
configure:4456: $? = 0
configure:4488: gcc -c -g -O2 conftest.c >&5
conftest.c: In function 'main':
conftest.c:25: error: 'not' undeclared (first use in this function)
conftest.c:25: error: (Each undeclared identifier is reported only once
conftest.c:25: error: for each function it appears in.)
conftest.c:25: error: expected ';' before 'big'
configure:4494: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME
| #define PACKAGE_TARNAME
| #define PACKAGE_VERSION
| #define PACKAGE_STRING
| #define PACKAGE_BUGREPORT
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| /* end confdefs.h. */
| #include <sys/types.h>
| #include <sys/param.h>
|
| int
| main ()
| {
| #if BYTE_ORDER != BIG_ENDIAN
| not big endian
| #endif
|
| ;
| return 0;
| }
...
...
blocking anonymous outer identity
Hello,
I have some anonymous outer identities in the authentication log of freeradius. I use freeradius version 2.0 with EAP-TTLS and 802.1x on the supplicant side. How can I forbid users to use an anonymous identity or to use an outer identity different from the real identity used for authentication/authorization? I want to force users to use their own real identity based on their real credentials [EMAIL PROTECTED] without using an outer identity. I want to forbid this because if users use an anonymous outer identity, in the freeradius log I cannot see who is the user actually authenticating. Any hints about this problem of mine?

Thank you
Rick
Re: blocking anonymous outer identity
Riccardo Veraldi wrote:
Hello,
I have some anonymous outer identities in the authentication log of freeradius. I use freeradius version 2.0 with EAP-TTLS and 802.1x on the supplicant side. How can I forbid users to use an anonymous identity or to use an outer identity different from the real identity used for authentication/authorization? I want to force users to use their own real identity based on their real credentials [EMAIL PROTECTED] without using an outer identity. I want to forbid this because if users use an anonymous outer identity, in the freeradius log I cannot see who is the user actually authenticating.

Sure you can. Just log the inner auth request.
Re: Install error
On 08.10.2008 at 18:22, Olavo Dietrich wrote:
Installing v.2.1.1 I got errors.

Can you be more specific? Can't you configure? Compile? Install? That tests of configure fail is fully expected, so unfortunately you have not given much information (except that your computer is little endian).

Any clues? Thanks, Duan
[...]

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Link problem in v2.1.1
Hi,
I think I found a problem when compiling v2.1.1:
gmake[4]: *** No rule to make target `-lreadline', needed by `radmin'. Stop.

In src/main/Makefile:
radmin: radmin.lo $(LIBREADLINE) $(LIBRADIUS) util.lo log.lo conffile.lo
	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LINK_MODE) -o $@ $^ $(LIBS)

I think it should be:
radmin: radmin.lo $(LIBRADIUS) util.lo log.lo conffile.lo
	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LINK_MODE) -o $@ $^ $(LIBS)

-lreadline -ltermcap are already in LIBS in Make.inc, so I don't think LIBREADLINE is needed here.

-John

--
John Center
Villanova University
RE: Install error
Thanks Nicolas I have these fail alll over the place in my configure. Attached. Thanks Duan ./configure error configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer. config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting configure: WARNING: the TNCS library isn't found! configure: WARNING: silently not building rlm_eap_tnc. configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS. configure: WARNING: silently not building rlm_eap_ikev2. configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h. configure: WARNING: silently not building rlm_sql_iodbc. configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h. configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path. configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=path. configure: WARNING: silently not building rlm_sql_mysql. configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h. configure: WARNING: silently not building rlm_sql_postgresql. configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq. configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=path. configure: WARNING: silently not building rlm_sql_oracle. configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h. configure: WARNING: silently not building rlm_sql_unixodbc. configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h. 
> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Nicolas Goutte
> Sent: Wednesday, October 08, 2008 9:48 AM
> To: FreeRadius users mailing list
> Subject: Re: Install error
>
> On 08.10.2008 at 18:22, Olavo Dietrich wrote:
>> installing v.2.1.1 I got errors.
>
> Can you be more specific? Can't you configure? Compile? Install?
>
> That tests of configure fail is fully expected, so unfortunately you have not given much information (except that your computer is little endian).
>
>> Any clues ?
>> thanks
>> Duan
>
> [...]
>
> Nicolas Goutte
> extragroup GmbH - Karlsruhe
> Waldstr. 49
> 76133 Karlsruhe
> Germany
> Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> Registry court: Amtsgericht Münster / HRB: 5624
> Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: Install error
Olavo Dietrich wrote:
> Thanks Nicolas
> I have these failures all over the place in my configure. Attached.

Do you have these dependencies installed? If not then there is nothing wrong other than not preparing your system to perform the build. You need to go back and install the missing dependencies.

One advantage of RPM based builds is they declare dependencies and won't run until the dependencies are satisfied. Because the dependencies are specified at the package level it's easy to know which packages to install to satisfy the dependencies.

--
John Dennis [EMAIL PROTECTED]
RE: Install error
All right,

Yes, I have tried the rpm and got failed dependencies. Then I tried to install the dependencies and got other failed dependencies. So, I was in a loop, and decided to go with the source. It looks like it won't be as simple as I thought.

rpm -ivh freeradius-2.1.1-2.fc10.x86_64.rpm
error: Failed dependencies:
	libcrypto.so.7()(64bit) is needed by freeradius-2.1.1-2.fc10.x86_64
	libssl.so.7()(64bit) is needed by freeradius-2.1.1-2.fc10.x86_64

Thank you for your help. I'll try the rpms again.

Duan
On/Off packets
Hi All,

Please, does anyone have an idea about this? I am using a Cisco 1721 to terminate PPPoE sessions with authentication by freeradius. When I reload the router there are no *On/Off* packets sent from the Cisco, so the users are still online in the database. How do I make my Cisco router send *On/Off* packets to RADIUS?

Regards
Re: On/Off packets
On Oct 8, 2008, at 11:05 AM, AHMED KHIDR wrote:
> Hi All,
> Please, does anyone have an idea about this? I am using a Cisco 1721 to terminate PPPoE sessions with authentication by freeradius. When I reload the router there are no On/Off packets sent from the Cisco, so the users are still online in the database. How do I make my Cisco router send On/Off packets to RADIUS?

Ask Cisco.
Re: Install error
Hi,

> I have these failures all over the place in my configure. Attached.

Read the WARNINGS - they are only WARNINGS and not failures. Do you need any of the following?

> ./configure error
> configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
> configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work

Do you want Simultaneous-Use etc.? If so, install snmp-utils.

> configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.

Do you want to use radsniff? If so, install libpcap and libpcap-devel.

> configure: WARNING: the TNCS library isn't found!
> configure: WARNING: silently not building rlm_eap_tnc.
> configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.

Are you planning on using TNC? If not, then don't worry. If so, then install the latest beta TNC package.

> configure: WARNING: silently not building rlm_eap_ikev2.
> configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.

Likewise. Are you planning to use IKEv2?

> configure: WARNING: silently not building rlm_sql_iodbc.
> configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.

Wanting to use iODBC? If not, don't worry.

> configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path.
> configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=path.
> configure: WARNING: silently not building rlm_sql_mysql.
> configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.
> configure: WARNING: silently not building rlm_sql_postgresql.
> configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.

Were you planning on using a MySQL or Postgres DB? If so, then install the required mysql-devel or postgres-devel + the relevant server RPM.

> configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=path.
> configure: WARNING: silently not building rlm_sql_oracle.
> configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.

Likewise for Oracle.

> configure: WARNING: silently not building rlm_sql_unixodbc.
> configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h.

And for unixODBC (install unixodbc + devel package if you want it).

Aside from the database support (which most people use), very few people want or need TNC or IKEv2 - and likewise, I'd say less than 10% need the SNMP stuff... and very, very few people spend time with radsniff (you can tell from some of the debug/error reports we get on this list! ;-) )

alan
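Added example for this thread (not code from the list or from the FreeRADIUS project): a small script that turns the "configure: WARNING: FAILURE: <module> requires: ..." lines above into a module/dependency table, so you can see at a glance which optional modules are missing what and decide whether you need them at all. The sample log is a constructed subset of the warnings quoted above; the script assumes a POSIX shell and awk, and the "yum provides '<glob>'" query it prints is the RHEL/Fedora way to find the owning -devel package (other distributions have their own equivalent).

```shell
#!/bin/sh
# Added example, not from the list thread: parse the "configure: WARNING:
# FAILURE: <module> requires: ..." lines into a module/dependency table, then
# map each dependency to the file glob to ask the package manager about.
# Assumes a POSIX shell and awk; "yum provides '<glob>'" is the RHEL/Fedora
# query, other distributions have their own equivalent.

# Constructed sample: a subset of the warnings quoted in the thread.
SAMPLE_CONFIGURE_LOG='configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.'

# missing_deps: read configure output on stdin; for every FAILURE line print
# "<module><TAB><dependency>", one dependency per output line. Plain
# "not found" warnings carry no module name and are skipped.
missing_deps() {
    awk '
    /^configure: WARNING: FAILURE: [A-Za-z0-9_]+ requires:/ {
        module = $4
        sub(/^configure: WARNING: FAILURE: [A-Za-z0-9_]+ requires:[ \t]*/, "")
        sub(/\.[ \t]*$/, "")                      # drop the trailing full stop
        n = split($0, deps, /[ \t]+/)
        for (i = 1; i <= n; i++) print module "\t" deps[i]
    }'
}

# dep_to_query: map one dependency token to a file glob for the package
# manager. Headers are looked up by name, "-lfoo" as libfoo.so, and bare
# library names as <name>.so.
dep_to_query() {
    case "$1" in
        *.h) echo "*/$1" ;;
        -l*) echo "*/lib${1#-l}.so*" ;;
        *)   echo "*/$1.so*" ;;
    esac
}

# report: one line per missing dependency with the query to run next.
report() {
    missing_deps | while IFS="$(printf '\t')" read -r module dep; do
        printf '%-20s needs %-18s -> yum provides "%s"\n' \
            "$module" "$dep" "$(dep_to_query "$dep")"
    done
}

printf '%s\n' "$SAMPLE_CONFIGURE_LOG" | report
```

On a real build tree, `./configure 2>&1 | report` gives the same table for the modules configure actually skipped; anything you do not need can simply be ignored, as Alan says.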
Re: Install error
Olavo Dietrich wrote:
> All right,
> Yes, I have tried the rpm and got failed dependencies. Then I tried to install the dependencies and got other failed dependencies. So, I was in a loop, and decided to go with the source. It looks like it won't be as simple as I thought.
>
> rpm -ivh freeradius-2.1.1-2.fc10.x86_64.rpm
> error: Failed dependencies:
> 	libcrypto.so.7()(64bit) is needed by freeradius-2.1.1-2.fc10.x86_64
> 	libssl.so.7()(64bit) is needed by freeradius-2.1.1-2.fc10.x86_64
>
> Thank you for your help. I'll try the rpms again.

The problem is you're not using an rpm installer, but trying to install an rpm directly. yum is the rpm installer for Fedora and RHEL.

% yum --enablerepo fedora-development install freeradius

Just be careful, this is rawhide (the latest bits); to solve dependencies yum might pull in a lot of stuff.

You can also do a local build and avoid the issues with pulling in dependencies from rawhide. If rpmbuild is not installed, then install it:

% yum install rpm-build

Get the latest srpm from http://koji.fedoraproject.org/koji/packageinfo?packageID=298

Click on the latest build, download the srpm and install the srpm via 'rpm -ihv <path to downloaded srpm>'.

% rpmbuild -ba freeradius.spec

rpmbuild might complain about missing dependencies; for each missing dependency do a yum install for the missing dependency. This will pull in dependencies for your current OS version, probably what you want (instead of rawhide).

--
John Dennis [EMAIL PROTECTED]
RE: Install error
Thanks John,

Do I need a RH subscription for this, or is the repo name not right?

# yum --enablerepo fedora-development install freeradius
Loading rhnplugin plugin
Loading security plugin
This system is not registered with RHN. RHN support will be disabled.
Error getting repository data for fedora-development, repository not found

Duan
Re: How to forward MAC-authentiation-requests over a FreeRADIUS-proxy to a FreeRADIUS-server?
Hello again,

here is the info I collected concerning the "It still doesn't work" section:

* FreeRADIUS-proxy

* users: Standard entry of localhost and

DEFAULT Proxy-To-Realm := RADIUS_REALM

* clients.conf:

client 192.168.1.58 {
    secret = testing123
}

* debug:

main {
    prefix = /usr
    localstatedir = /var
    logdir = /var/log/freeradius
    libdir = /usr/lib/freeradius
    radacctdir = /var/log/freeradius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = /var/run/freeradius/freeradius.pid
    user = freerad
    group = freerad
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = testing123
    nastype = other
}
client 192.168.1.58 {
    require_message_authenticator = no
    secret = testing123
}
radiusd: Loading Realms and Home Servers
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server RADIUS_SERVER {
    ipaddr = 192.168.1.61
    port = 1812
    type = auth
    secret = testing123
    response_window = 20
    max_outstanding = 65536
    zombie_period = 40
    status_check = request
    ping_check = none
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
}
home_server_pool RADIUS_SERVER_POOL {
    type = fail-over
    home_server = RADIUS_SERVER
}
realm RADIUS_REALM {
    auth_pool = RADIUS_SERVER_POOL
}
radiusd: Instantiating modules
instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating exec
    exec {
        wait = yes
        input_pairs = request
        shell_escape = yes
    }
    Module: Linked to module rlm_expr
    Module: Instantiating expr
    Module: Linked to module rlm_expiration
    Module: Instantiating expiration
    expiration {
        reply-message = Password Has Expired
    }
    Module: Linked to module rlm_logintime
    Module: Instantiating logintime
    logintime {
        reply-message = You are calling outside your allowed timespan
        minimum-timeout = 60
    }
}
radiusd: Loading Virtual Servers
server inner-tunnel {
    modules {
        Module: Checking authenticate {...} for more modules to load
        Module: Linked to module rlm_pap
        Module: Instantiating pap
        pap {
            encryption_scheme = auto
            auto_header = no
        }
        Module: Linked to module rlm_chap
        Module: Instantiating chap
        Module: Linked to module rlm_mschap
        Module: Instantiating mschap
        mschap {
            use_mppe = yes
            require_encryption = no
            require_strong = no
            with_ntdomain_hack = no
        }
        Module: Linked to module rlm_unix
        Module: Instantiating unix
        unix {
            radwtmp = /var/log/freeradius/radwtmp
        }
        Module: Linked to module rlm_eap
        Module: Instantiating eap
        eap {
            default_eap_type = md5
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = no
        }
        Module: Linked to sub-module rlm_eap_md5
        Module: Instantiating eap-md5
        Module: Linked to sub-module rlm_eap_leap
        Module: Instantiating eap-leap
        Module: Linked to sub-module rlm_eap_gtc
        Module: Instantiating eap-gtc
        gtc {
            challenge = Password:
            auth_type = PAP
        }
        rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
        rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
        rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
        Module: Linked to sub-module rlm_eap_mschapv2
        Module: Instantiating eap-mschapv2
        mschapv2 {
            with_ntdomain_hack = no
        }
        Module: Checking authorize {...} for more modules to load
        Module: Linked to module rlm_realm
        Module: Instantiating suffix
        realm suffix {
            format = suffix
            delimiter = @
            ignore_default = no
            ignore_null = no
        }
        Module: Linked to module rlm_files
        Module: Instantiating files
        files {
            usersfile = /etc/freeradius/users
            acctusersfile = /etc/freeradius/acct_users
            preproxy_usersfile = /etc/freeradius/preproxy_users
            compat = no
        }
        Module: Checking session {...} for more modules to load
        Module: Linked to module rlm_radutmp
        Module: Instantiating radutmp
        radutmp {
            filename = /var/log/freeradius/radutmp
            username = %{User-Name}
            case_sensitive = yes
            check_with_nas = yes
            perm = 384
            callerid = yes
        }
        Module: Checking post-proxy {...} for more modules to load
        Module: Checking post-auth {...} for more modules to load
        Module: Linked to module rlm_attr_filter
        Module: Instantiating attr_filter.access_reject
        attr_filter attr_filter.access_reject {
            attrsfile = /etc/freeradius/attrs.access_reject
            key = %{User-Name}
        }
    }
}
server {
    modules {
        Module: Checking authenticate {...} for more modules to load
        Module: Checking authorize {...} for more modules to load
        Module: Linked to module rlm_preprocess
        Module: Instantiating preprocess
        preprocess {
            huntgroups = /etc/freeradius/huntgroups
            hints = /etc/freeradius/hints
Re: Install error
Olavo Dietrich wrote:
> Thanks John,
> Do I need a RH subscription for this, or is the repo name not right?
>
> # yum --enablerepo fedora-development install freeradius
> Loading rhnplugin plugin
> Loading security plugin
> This system is not registered with RHN. RHN support will be disabled.
> Error getting repository data for fedora-development, repository not found

You didn't say this was RHEL. Fedora != RHEL; there is no fedora-development repository for RHEL. I suggest you follow the instructions for building from an srpm then.

--
John Dennis [EMAIL PROTECTED]
Re: Install error
Won't it be easier for you to just download the source, compile and install? You will be chasing lots of rpm dependencies if you don't have all your packages installed under RHEL. Just a thought.

Else, you can check this site for your missing rpm package: http://rpmfine.net

If you are lucky, you will find some RHEL package.
Re: Install error
Oops!! Wrong URL: http://rpmfind.net

Sorry about that.
Re: Install error
On Wed, 2008-10-08 at 15:25 -0400, Madwifi Wireless wrote:
> Won't it be easier for you to just download the source, compile and install? You will be chasing lots of rpm dependencies if you don't have all your packages installed under RHEL.

Compiling from source will end up chasing an equivalent list of dependencies, as we've already seen. There is no way to avoid installing an SQL package if you compile freeradius with SQL support, for example.

I personally find installing from packages to be a lot easier, but you can't always do that. For instance, I am using a freeradius compiled from source, and it was a pain to chase down all the -devel packages I needed because all I get from the configure/compile is that some include file wasn't found or some library file is missing. It's not always obvious which -devel package I need. Whereas installing freeradius from yum would automatically bring in all the dependencies.

The reason I compiled from source is that the RPM packages do not include the latest version, and I needed the support for clients with dynamic addresses which is only available in freeradius 2.1.1 and beyond.

--Greg
Re: Install error
Madwifi Wireless wrote:
> Won't it be easier for you to just download the source, compile and install?

He did, he was missing (optional) dependencies. The advantage of an rpm spec file is that it tells you exactly what you're missing rather than having to guess.

> You will be chasing lots of rpm dependencies if you don't have all your packages installed under RHEL.

One way or another, there are dependencies, pick your poison. Ain't no such thing as a free lunch either :-)

--
John Dennis [EMAIL PROTECTED]
Re: Install error
Greg Woods wrote:
> On Wed, 2008-10-08 at 15:25 -0400, Madwifi Wireless wrote:
>> Won't it be easier for you to just download the source, compile and install? You will be chasing lots of rpm dependencies if you don't have all your packages installed under RHEL.
>
> Compiling from source will end up chasing an equivalent list of dependencies, as we've already seen. There is no way to avoid installing an SQL package if you compile freeradius with SQL support, for example.
>
> I personally find installing from packages to be a lot easier, but you can't always do that. For instance, I am using a freeradius compiled from source, and it was a pain to chase down all the -devel packages I needed because all I get from the configure/compile is that some include file wasn't found or some library file is missing. It's not always obvious which -devel package I need.

That is why using a srpm with a spec file specific to your distribution is your friend, because it explicitly lists the *exact* set of dependencies needed to build from the srpm. You can either let rpm-build tell you what is missing or you can open the spec file in an editor and search for BuildRequires, which is where the rpm's needed to build are listed.

--
John Dennis [EMAIL PROTECTED]
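Added example for this thread (not code from the list or from the FreeRADIUS project): the "open the spec file and search for BuildRequires" step above done by script. It lists the build dependencies a spec declares and prints the ones that a checker command does not find installed. The spec excerpt is constructed for the example and is not the real freeradius.spec; the script assumes a POSIX shell and awk, and the installed_stub function is a stand-in for "rpm -q" so it also runs on a machine without rpm.

```shell
#!/bin/sh
# Added example, not from the list thread: list the BuildRequires of an rpm
# spec file and print the ones a checker command does not find installed.
# The spec excerpt is constructed and is not the real freeradius.spec.
# Assumes a POSIX shell and awk.

# Constructed spec excerpt: comma- and space-separated lists, one with a
# version constraint, all of which the spec format allows.
SAMPLE_SPEC='Name: freeradius
Version: 2.1.1
BuildRequires: openssl-devel, pam-devel
BuildRequires: libtool >= 1.5
BuildRequires: mysql-devel postgresql-devel
BuildRequires: gdbm-devel
Requires: openssl'

# spec_buildrequires: read a spec file on stdin, print one package name per
# line, dropping version constraints such as ">= 1.5".
spec_buildrequires() {
    awk '
    /^BuildRequires:/ {
        sub(/^BuildRequires:[ \t]*/, "")
        gsub(/,/, " ")
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^[<>=]+$/) { i++; continue }   # skip "<op> <version>"
            if (tok[i] != "") print tok[i]
        }
    }'
}

# missing_packages CHECKER: read package names on stdin and print those for
# which "CHECKER <name>" fails. On an rpm system use: missing_packages "rpm -q"
missing_packages() {
    chk="$1"
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        $chk "$pkg" >/dev/null 2>&1 || echo "$pkg"
    done
}

# installed_stub: constructed stand-in for "rpm -q" so the example also runs
# where rpm is absent; it pretends only these two packages are installed.
installed_stub() {
    case "$1" in
        openssl-devel|libtool) return 0 ;;
        *) return 1 ;;
    esac
}

if command -v rpm >/dev/null 2>&1; then checker="rpm -q"; else checker=installed_stub; fi
printf '%s\n' "$SAMPLE_SPEC" | spec_buildrequires | missing_packages "$checker"
```

With the real srpm installed, `spec_buildrequires < ~/rpmbuild/SPECS/freeradius.spec | missing_packages "rpm -q"` prints exactly the packages you still have to `yum install` before `rpmbuild -ba` will run; that is the same list rpmbuild would complain about, obtained without starting the build.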
Re: Link problem in v2.1.1
John Center wrote:
> I think I found a problem when compiling v2.1.1:
>
> gmake[4]: *** No rule to make target `-lreadline', needed by `radmin'. Stop.

Hmm... good point.

> In src/main/Makefile:
>
> radmin: radmin.lo $(LIBREADLINE) $(LIBRADIUS) util.lo log.lo conffile.lo
> 	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LINK_MODE) -o $@ $^ $(LIBS)
>
> I think it should be:
>
> radmin: radmin.lo $(LIBRADIUS) util.lo log.lo conffile.lo
> 	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LINK_MODE) -o $@ $^ $(LIBS)

Pretty much, yes.

> -lreadline -ltermcap are already in LIBS in Make.inc, so I don't think LIBREADLINE is needed here.

I'll re-arrange the dependencies. One of the issues with adding -lreadline to LIBS is that ALL of the modules end up depending on libreadline (via libtool...) which is crazy.

Alan DeKok.
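Added example for this thread (not code from the list or from the FreeRADIUS tree): a check for the mistake John found, a linker flag such as -lreadline that ends up in a rule's prerequisite list, either directly or through a variable like $(LIBREADLINE). make treats every prerequisite as a file it must build, which is exactly what produces "No rule to make target `-lreadline'". The sample Makefile is constructed (the broken radmin rule quoted above plus a clean rule); the script assumes one-line "NAME = value" assignments and one-line rules with no include directives.

```shell
#!/bin/sh
# Added example, not from the list thread: flag "-lfoo" linker flags found in a
# make rule's prerequisite list after expanding $(VAR) references. make treats
# every prerequisite as a file to build, hence "No rule to make target".
# Assumes one-line "NAME = value" assignments and one-line rules, no includes.

# Constructed sample: the broken radmin rule from the thread plus a clean one.
SAMPLE_MAKEFILE='LIBREADLINE = -lreadline
LIBRADIUS = ../lib/libfreeradius-radius.la
LIBS = -lreadline -ltermcap
radmin: radmin.lo $(LIBREADLINE) $(LIBRADIUS) util.lo log.lo conffile.lo
	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
radwho: radwho.lo $(LIBRADIUS) util.lo
	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $^ $(LIBS)'

# lint_makefile_prereqs: read a Makefile on stdin, print "<target><TAB><flag>"
# for each -l flag found among a rule's prerequisites.
lint_makefile_prereqs() {
    awk '
    # simple assignment: remember it for expansion
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*:?=/ {
        name = $0; sub(/[ \t]*:?=.*$/, "", name)
        val = $0;  sub(/^[^=]*=[ \t]*/, "", val)
        vars[name] = val
        next
    }
    # rule line: not indented, not a comment, has a colon before any "="
    /^[^ \t#][^=]*:/ {
        target = $0;  sub(/[ \t]*:.*$/, "", target)
        prereqs = $0; sub(/^[^:]*:[ \t]*/, "", prereqs)
        # expand $(VAR) one reference at a time; bounded so a cycle cannot hang
        for (r = 0; r < 50 && match(prereqs, /[$]\([A-Za-z_][A-Za-z0-9_]*\)/); r++) {
            v = substr(prereqs, RSTART + 2, RLENGTH - 3)
            prereqs = substr(prereqs, 1, RSTART - 1) vars[v] substr(prereqs, RSTART + RLENGTH)
        }
        n = split(prereqs, p, /[ \t]+/)
        for (i = 1; i <= n; i++) if (p[i] ~ /^-l/) print target "\t" p[i]
    }'
}

printf '%s\n' "$SAMPLE_MAKEFILE" | lint_makefile_prereqs
```

Run as `lint_makefile_prereqs < src/main/Makefile` on a checkout; the fix is the one John gives, keep -l flags in LIBS (or another variable used only on the link line) and out of the prerequisite list, so $^ never expands to a flag make tries to build.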
RE: [Suspected Spam]Re: Install error
Guys, let me make sure I understood your thoughts. I cannot use this http://koji.fedoraproject.org/koji/buildinfo?buildID=64378 freeradius-2.1.1-2.fc10 from http://koji.fedoraproject.org/koji/packageinfo?packageID=298 because my OS is not Fedora, is that right? So my only option is to use freeradius-server-2.1.1.tar.gz and manually try to satisfy the dependencies from those warnings?

thanks
Duan
Re: Install error
Greetings,

I am installing freeradius-dialupadmin and I need to configure it to be able to work with freeradius via the web.

Roldanis
RE: [Suspected Spam]Re: Install error
On Wed, 2008-10-08 at 13:28 -0700, Olavo Dietrich wrote:
> Guys, let me make sure I understood your thoughts. I cannot use this freeradius-2.1.1-2.fc10 from http://koji.fedoraproject.org/koji/packageinfo?packageID=298 because my OS is not Fedora, is that right?

Correct. This one probably wouldn't even work on Fedora 8 or Fedora 9, it's specific to Fedora 10. The distribution-specific RPMs will have dependencies on versions of packages that come with that distribution. Try to use it on a different distro and you will get unsatisfied dependencies.

> So my only option is to use freeradius-server-2.1.1.tar.gz and manually try to satisfy the dependencies from those warnings?

Or find an RPM that is for your distribution. But if you do compile from source, it will be up to you to find out what -devel packages you need. The configure/compile/link process will probably turn up errors that are due to missing header files (.h) or missing library files (undefined symbols and so forth). Installing the proper -devel package will normally provide the missing files, but it's not always obvious which -devel package you need to fix a given error. Google searches can help here.

--Greg
Startdate for sessions in FreeRadius with MySql?
Hello!

We're using FreeRadius 1.1.7 along with MySql on an Ubuntu server. We have a web application to create users for FreeRadius, and administrators can set the expire date for when a session should expire. This is achieved with the Expiration attribute in the table called RadCheck in the MySql database.

However, a customer would like to be able to also set a start date for when the session should become valid, i.e. if I set 2008-10-06 it won't be possible to log in before that date. I haven't found a way to do this in FreeRadius. Does anyone have a solution for this? I thought there might be an attribute for Start as well, since there is one for Expire, but I haven't found any. The only solution I can come up with is some kind of customized queue handling for this, although I would prefer a simple attribute.

Any thoughts?

Johan
Re: How to forward MAC-authentiation-requests over a FreeRADIUS-proxyto a FreeRADIUS-server?
> radiusd: Opening IP addresses and Ports
> listen {
>     type = proxy
>     ipaddr = 192.168.1.80
>     port = 1812
> }

Why did you do that? Put the listen section back as it was.

Ivan Kalik
Kalik Informatika ISP
Re: Radius reply multivalue VSA question.
+=

http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, Eric Martell [EMAIL PROTECTED] wrote:
> Hi,
> We are defining custom VSA's for our company. We have ldap configured in freeradius which returns back the VSA's. I defined a custom VSA in $freeradius/share/freeradius/dictionary.abc
>
> ATTRIBUTE rEntitlements 113 string
>
> entitlements is a multivalue attribute (vARRAY) in LDAP. In the ldap.attrmap it is defined as
>
> replyItem rEntitlements entitlements ==
>
> So after the successful authentication, I am getting the rEntitlements back as
>
> Sending Access-Accept of id 50 to 69.74.69.31 port 1814
> 	Session-Timeout = 7200
> 	rEntitlements == ADMALL
> 	rEntitlements == STORE
> 	rEntitlements == WEPG
> 	rEntitlements == WADM
> 	rEntitlements == SDNLD
> 	rEntitlements == WIFILOC1
>
> BUT I am looking for ONLY WIFILOC1 for the NAS. NAS will redirect if WIFILOC1 exists. Can I do regex in the rEntitlements so freeradius ONLY returns rEntitlements = WIFILOC1 and ignores the rest?
>
> Please let me know. Thanks in advance.
Re: On/Off packets
http://wiki.freeradius.org/index.php/Cisco#IOS_12.x

Ivan Kalik
Kalik Informatika ISP

On 8/10/2008, AHMED KHIDR [EMAIL PROTECTED] wrote:
> Hi All,
> Please, does anyone have an idea about this? I am using a Cisco 1721 to terminate PPPoE sessions with authentication by freeradius. When I reload the router there are no *On/Off* packets sent from the Cisco, so the users are still online in the database. How do I make my Cisco router send *On/Off* packets to RADIUS?
> Regards
Re: Startdate for sessions in FreeRadius with MySql?
> Any thoughts?

Don't create the username before the startdate. There is absolutely no reason for it to be in the database before it. Make a script that creates the user entry when startdate is reached.

Ivan Kalik
Kalik Informatika ISP
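Added example for this thread (not code from the list or from the FreeRADIUS project): the approach Ivan suggests, as a script you would run daily from cron. Pending accounts live in a file outside the database, and each run emits the radcheck INSERT only for accounts whose start date has arrived, so the user does not exist in radcheck before that day. Everything here is an assumption to check against your own setup: the "|"-separated pending-file layout, the radcheck column names UserName, Attribute, op, Value of the 1.x schema, and the "Mmm dd yyyy" form used for the Expiration value. The pending list is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the list thread: create the radcheck entry only once
# the start date has been reached, so the account does not exist before then.
# Assumptions: pending accounts are kept in a "|"-separated file outside the
# database, and radcheck has the columns UserName, Attribute, op, Value of the
# 1.x schema; check both against your own setup.

# Constructed pending list: username|start date (YYYY-MM-DD)|expiry in the
# "Mmm dd yyyy" form the Expiration attribute takes.
PENDING_USERS='alice|2008-10-06|Dec 31 2008
bob|2008-10-20|Jan 31 2009
carol|2008-09-01|Oct 31 2008'

# due_users TODAY: lines whose start date is on or before TODAY. ISO dates
# order correctly as plain strings, so no date arithmetic is needed.
due_users() {
    awk -F'|' -v today="$1" '$2 <= today'
}

# not_yet_due TODAY: the complement; write this back as the new pending file
# so the next run does not insert the same users twice.
not_yet_due() {
    awk -F'|' -v today="$1" '$2 > today'
}

# radcheck_sql: one INSERT per due user for the Expiration check item. Single
# quotes in values are doubled so a username cannot break out of the literal.
# The password check item is deliberately not generated here: which attribute
# to use depends on the server version and on how passwords are stored.
radcheck_sql() {
    awk -F'|' '{
        gsub("\047", "\047\047", $1)
        gsub("\047", "\047\047", $3)
        printf "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (\047%s\047, \047Expiration\047, \047:=\047, \047%s\047);\n", $1, $3
    }'
}

today=$(date +%Y-%m-%d)
printf '%s\n' "$PENDING_USERS" | due_users "$today" | radcheck_sql
```

In a cron job you would feed the SQL to the mysql client, then replace the pending file with the output of not_yet_due for the same date, so each account is created exactly once; the expire date stays in radcheck as before, the start date never has to be.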