Re: Sending Accounting Response

2008-12-12 Thread Alan DeKok
Padam J Singh wrote:
> According to the RFC 2866, it is possible to send back attributes to an
> accounting update packet sent from a NAS.

  *Please* use the correct terminology.  It makes it easier for us to
understand your question.

  If I read what I *think* you mean, then no, RFC 2866 does not allow
attributes in an Accounting-Response.

> What I have done is this: The authorization and authentication queries
> are basically calls to a stored procedure in postgres that returns a set
> of table type which contains the attribute, operator and value.
> I can write a stored procedure to return a set of attributes to send
> back in an accounting start/update/stop, but all the queries given as
> examples in the default dialup.conf are update queries that do not
> return any attribute.
> 
> How do I configure the postgres module to return the attributes to the NAS?

  You don't.

  Please explain why you think this is necessary.  Also be aware that
any attributes you send in an Accounting-Response will be ignored by
*every* NAS that anyone has ever made.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius not responding on machine specific IPs

2008-12-12 Thread Alan DeKok
kevin wrote:
> I'm using fake data to send to the radius server.  I do not care if it
> passes or fails.  I simply want the server to respond when I send a
> message to x.x.3.199 (the network address of the machine) just as it
> does when I send a request to the localhost address on the machine.

  It's not clear from your messages if you're running the server in
debugging mode for these tests.  If you are, the possible outcomes are:

  1) it doesn't receive the packet.  This usually means firewall issues.

  2) it receives the packet, and doesn't respond.  Debug output explains
why.

  3) it receives the packet and responds, but the client doesn't see the
response.  This usually means firewall issues.

> It does respond to localhost, it does not respond to the network
> address.  That's where the problem lies, that I am trying to figure out.

  As always, READ the debug output.  From your messages it looks like
you are NOT looking at the debug output when you send requests from
outside of localhost.

  Alan DeKok.


Sending Accounting Response

2008-12-12 Thread Padam J Singh




Hello,

According to the RFC 2866, it is possible to send back attributes to an
accounting update packet sent from a NAS.

What I have done is this: The authorization and authentication queries
are basically calls to a stored procedure in postgres that returns a
set of table type which contains the attribute, operator and value.
I can write a stored procedure to return a set of attributes to send
back in an accounting start/update/stop, but all the queries given as
examples in the default dialup.conf are update queries that do not
return any attribute.

How do I configure the postgres module to return the attributes to the
NAS?

Thanks,
Padam



-- 
PGP Id 9EED2E09



RE: freeradius not responding on machine specific IPs

2008-12-12 Thread kevin
Thanks Jason, but I might have been unclear.  Sorry about that.

I'm using fake data to send to the radius server.  I do not care if it
passes or fails.  I simply want the server to respond when I send a
message to x.x.3.199 (the network address of the machine) just as it
does when I send a request to the localhost address on the machine.

It does respond to localhost, it does not respond to the network
address.  That's where the problem lies, that I am trying to figure out.

Thanks again, though.

The network I am trying to authenticate is remote from the radius
server, so I cannot use localhost.  Otherwise, I wouldn't worry about
it...  Eventually, the remote location will be running covachilli or
something similar.  But for security (equipment) reasons, I cannot put a
server at that end, so must do authentication remotely, at this end.

Cheers,

Kevin

On Fri, 2008-12-12 at 16:11 -0500, Jason Wittlin-Cohen wrote:
> Kevin, 
> 
> The relevant line is:
> 
> "> rad_verify: Received Access-Reject packet from client 127.0.0.1
> port 1812 with invalid signature (err=2)!  (Shared secret is
> incorrect.)"
> 
> The shared secret to authenticate a client to the RADIUS server (for
> RADIUS, not EAP traffic) is either not set, or you're using the wrong
> secret. By default there is no shared secret set for localhost. Edit
> clients.conf, search for 127.0.0.1. You'll find a line that looks
> like:
> 
> ipaddr = 127.0.0.1
> 
> Now, add this line beneath:
> 
> secret = secret
> 
> Restart freeradius and try again. The message should go away.
> Remember, you're still going to get an access-reject response unless
> you set up the user account and password you're authenticating with in
> the "users" file.
> 
> Jason
> 
> -- 
> Jason Wittlin-Cohen
> Yale Law School, Class of 2010
> jason.wittlin-co...@yale.edu
> 


Re: FreeRADIUS and LDAP Groups

2008-12-12 Thread Tim Gustafson
> Add: DEFAULT   Auth-Type := Reject

Awesome, that worked.

So, if I wanted to enable multiple LDAP groups, would this be the correct 
syntax:

DEFAULT LDAP-Group == foo, Auth-Type := Accept
DEFAULT LDAP-Group == bar, Auth-Type := Accept
DEFAULT LDAP-Group == baz, Auth-Type := Accept
DEFAULT Auth-Type := Reject

Tim Gustafson
SOE Webmaster
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354


Logging authentication attempts while TLS session resumption (caching) is enabled

2008-12-12 Thread Jason Wittlin-Cohen
When authenticating via PEAP or TTLS with an anonymous identity, the log
shows both the anonymous identity and the real identity tunneled through the
TLS tunnel. However, when TLS session resumption (caching) is enabled, only
the anonymous identity is logged. This is presumably due to the fact that
the user is not actually sending the real ID and password through the
tunnel; rather the saved session is being used. However, being that the
tunneled username is still available, and obtained from the cache, it should
be available to log. Is this the intended behavior? It would seem that
logging authentication attempts would be more useful if the real username
was provided in addition to the anonymous identity.

Caching disabled:

Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Jason Wittlin-Cohen] (from
client Wireless port 0 via TLS tunnel)
Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Anonymous] (from client Wireless
port 55 cli 0013e87d571d)

Caching enabled:

Fri Dec 12 17:35:56 2008 : Auth: Login OK: [Anonymous] (from client Wireless
port 55 cli 0013e87d571d)

However, the tunneled username does seem to be available. It's obtained from
the cache and added to the Access-Accept message:

[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Adding cached attributes to the reply:
User-Name = "Jason Wittlin-Cohen"

Jason

-- 
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-co...@yale.edu
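
An added example, not part of the original post or of FreeRADIUS: a log audit that pairs each outer `Login OK` line with the tunneled login logged just before it and flags outer-only entries, which is how a resumed session appears in the samples above. The pairing rule (same client, inner line at most two seconds before the outer line) is an assumption; the sample lines are the ones from this post with the mail line-wrapping undone.

```python
import re
from datetime import datetime, timedelta

# One "Auth: Login OK" line as written to radius.log in the samples above.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : Auth: Login OK: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^\s)]+))?(?P<tunnel> via TLS tunnel)?\)$"
)

# Log lines quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)
Fri Dec 12 17:35:56 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)
"""


def correlate(log_text, window=timedelta(seconds=2)):
    """Return one record per outer login, with the inner identity if one was logged."""
    sessions = []
    pending = None  # (timestamp, client, user) of the last unmatched tunneled login
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        if m["tunnel"]:
            pending = (ts, m["client"], m["user"])
            continue
        inner = None
        if (pending and pending[1] == m["client"]
                and timedelta(0) <= ts - pending[0] <= window):
            inner = pending[2]
        pending = None
        sessions.append({
            "time": ts,
            "client": m["client"],
            "outer": m["user"],
            "inner": inner,      # None: no tunneled identity was logged
            "cli": m["cli"],     # Calling-Station-Id, the only remaining handle
        })
    return sessions


def unattributed(sessions):
    """Outer logins with no tunneled identity in the log (e.g. resumed sessions)."""
    return [s for s in sessions if s["inner"] is None]


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG):
        print(s["time"], s["outer"], "->", s["inner"] or "NO INNER IDENTITY", s["cli"])
```
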

RE: freeradius not responding on machine specific IPs

2008-12-12 Thread Jason Wittlin-Cohen
Kevin,

The relevant line is:

"> rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)!  (Shared secret is incorrect.)"

The shared secret to authenticate a client to the RADIUS server (for RADIUS,
not EAP traffic) is either not set, or you're using the wrong secret. By
default there is no shared secret set for localhost. Edit clients.conf,
search for 127.0.0.1. You'll find a line that looks like:

ipaddr = 127.0.0.1

Now, add this line beneath:

secret = secret

Restart freeradius and try again. The message should go away. Remember,
you're still going to get an access-reject response unless you set up the
user account and password you're authenticating with in the "users" file.

Jason

-- 
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-co...@yale.edu
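
The check behind the `rad_verify` error quoted above, as an added example (not from the thread or from the FreeRADIUS source): a RADIUS client validates each reply by recomputing the Response Authenticator, which RFC 2865 defines as MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret. The request authenticator and the server-side secret below are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, attributes, request_auth, secret):
    """Server side: sign the reply with the server's copy of the secret."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client side: recompute the authenticator and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False
    attributes = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed values for the demonstration.
REQUEST_AUTH = bytes(range(16))           # random in a real Access-Request
SERVER_SECRET = b"secret-in-clients.conf"  # placeholder for the server's entry
CLIENT_SECRET = b"mysecret"               # the secret passed to radtest in the thread


def demo():
    # Access-Reject, id=1, no attributes: 20 bytes, like the reply in the thread.
    reply = build_response(ACCESS_REJECT, 1, b"", REQUEST_AUTH, SERVER_SECRET)
    return {
        "length": len(reply),
        "client_wrong_secret": verify_response(reply, REQUEST_AUTH, CLIENT_SECRET),
        "client_same_secret": verify_response(reply, REQUEST_AUTH, SERVER_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```
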

RE: Best way of adding custom authentication procedure to Freeradius that works in Windows/Linux platforms?

2008-12-12 Thread Joshua Lim

One silly question.

If I'm using cygwin version of freeradius.net, and I wish to create a custom
module, do I need to recompile Radiusd with cygwin (I would like to avoid that
as far as possible)?  Or can I just simply compile my newly created module with
cygwin?

I read this but still can't figure out - http://wiki.freeradius.org/Modules

Appreciate again.  :)


From: joshua__...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: Best way of adding custom authentication procedure to  
Freeradius  that works in Windows/Linux platforms?
Date: Fri, 12 Dec 2008 16:10:16 +

Joshua Lim wrote:
> A little info on the custom authentication procedure:
> 
> 1. I need to provide a double-factor authentication to my users.
> 2. The first level will be a simple challenge and password (i reckon
> that this can be done using File or MySQL).
 
  Maybe.
 
> 3. Upon successful first authentication, the user is not given
> access-accept, instead, he needs to enter a second password (this is the
> OTP).  The OTP must be generated by the custom script/module by
> accessing some external database - this is done immediately after the
> first authentication has been successfully completed.
 
  You will need a custom module to do this.
 
  Alan DeKok.

>>> Thanks.  :)


Re: freeradius not responding on machine specific IPs

2008-12-12 Thread kevin
Just to be "sure", iptables has been set to accept all.

A netstat shows:


> udp        0      0 *:radius                *:*
> udp        0      0 *:radius-acct           *:*

So radius appears to be "listening" to the ports on "ALL" IPs.  If the
above is correct, then I should be able to do a radtest on any IPs
associated with the box and get a response.  Yet I am only able to get a
response using localhost (127.0.0.1)...

Just to be sure, I also did a localhost radtest on the machine:

> radtest fred wilma localhost 1812 mysecret

And it resolved localhost as 127.0.0.1 (as expected) and responded the
same as when I used 127.0.0.1

In radiusd.conf, bind_address = * and listen { } is all commented out.

Running freeradius -XXX -A provides the following output:

> r...@server3:/home/kevin# freeradius -XXX -A
> Fri Dec 12 13:53:24 2008 : Info: Starting - reading configuration files ...
> Fri Dec 12 13:53:24 2008 : Debug: reread_config:  reading radiusd.conf
> Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
> /etc/freeradius/proxy.conf
> Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
> /etc/freeradius/clients.conf
> Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
> /etc/freeradius/snmp.conf
> Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
> /etc/freeradius/eap.conf
> Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
> /etc/freeradius/sql.conf
> Fri Dec 12 13:53:24 2008 : Debug:  main: prefix = "/usr"
> Fri Dec 12 13:53:24 2008 : Debug:  main: localstatedir = "/var"
> Fri Dec 12 13:53:24 2008 : Debug:  main: logdir = "/var/log/freeradius"
> Fri Dec 12 13:53:24 2008 : Debug:  main: libdir = "/usr/lib/freeradius"
> Fri Dec 12 13:53:24 2008 : Debug:  main: radacctdir = 
> "/var/log/freeradius/radacct"
> Fri Dec 12 13:53:24 2008 : Debug:  main: hostname_lookups = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: max_request_time = 30
> Fri Dec 12 13:53:24 2008 : Debug:  main: cleanup_delay = 5
> Fri Dec 12 13:53:24 2008 : Debug:  main: max_requests = 1024
> Fri Dec 12 13:53:24 2008 : Debug:  main: delete_blocked_requests = 0
> Fri Dec 12 13:53:24 2008 : Debug:  main: port = 0
> Fri Dec 12 13:53:24 2008 : Debug:  main: allow_core_dumps = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: log_stripped_names = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: log_file = 
> "/var/log/freeradius/radius.log"
> Fri Dec 12 13:53:24 2008 : Debug:  main: log_auth = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: log_auth_badpass = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: log_auth_goodpass = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: pidfile = 
> "/var/run/freeradius/freeradius.pid"
> Fri Dec 12 13:53:24 2008 : Debug:  main: user = "freerad"
> Fri Dec 12 13:53:24 2008 : Debug:  main: group = "freerad"
> Fri Dec 12 13:53:24 2008 : Debug:  main: usercollide = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: lower_user = "no"
> Fri Dec 12 13:53:24 2008 : Debug:  main: lower_pass = "no"
> Fri Dec 12 13:53:24 2008 : Debug:  main: nospace_user = "no"
> Fri Dec 12 13:53:24 2008 : Debug:  main: nospace_pass = "no"
> Fri Dec 12 13:53:24 2008 : Debug:  main: checkrad = "/usr/sbin/checkrad"
> Fri Dec 12 13:53:24 2008 : Debug:  main: proxy_requests = yes
> Fri Dec 12 13:53:24 2008 : Debug:  proxy: retry_delay = 5
> Fri Dec 12 13:53:24 2008 : Debug:  proxy: retry_count = 3
> Fri Dec 12 13:53:24 2008 : Debug:  proxy: synchronous = no
> Fri Dec 12 13:53:24 2008 : Debug:  proxy: default_fallback = yes
> Fri Dec 12 13:53:24 2008 : Debug:  proxy: dead_time = 120
> Fri Dec 12 13:53:24 2008 : Debug:  proxy: post_proxy_authorize = no
> Fri Dec 12 13:53:24 2008 : Debug:  proxy: wake_all_if_all_dead = no
> Fri Dec 12 13:53:24 2008 : Debug:  security: max_attributes = 200
> Fri Dec 12 13:53:24 2008 : Debug:  security: reject_delay = 1
> Fri Dec 12 13:53:24 2008 : Debug:  security: status_server = no
> Fri Dec 12 13:53:24 2008 : Debug:  main: debug_level = 0
> Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading dictionary
> Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading naslist
> Fri Dec 12 13:53:24 2008 : Info: Using deprecated naslist file.  Support for 
> this will go away soon.
> Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading clients
> Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading realms
> Fri Dec 12 13:53:24 2008 : Debug: radiusd:  entering modules setup
> Fri Dec 12 13:53:24 2008 : Debug: Module: Library search path is 
> /usr/lib/freeradius
> Fri Dec 12 13:53:24 2008 : Debug: Module: Loaded exec 
> Fri Dec 12 13:53:24 2008 : Debug:  exec: wait = yes
> Fri Dec 12 13:53:24 2008 : Debug:  exec: program = "(null)"
> Fri Dec 12 13:53:24 2008 : Debug:  exec: input_pairs = "request"
> Fri Dec 12 13:53:24 2008 : Debug:  exec: output_pairs = "(null)"
> Fri Dec 12 13:53:24 2008 : Debug:  exec: packet_type = "(null)"
> Fri Dec 12 13:53:24 2008 : Info: rlm_exec: Wait=yes but 

Re: rpmbuild errors 2.1.3-0

2008-12-12 Thread Andrew Long
Please ignore...

tried again a few minutes later and it works perfectly.

- Andrew Long


Re: ownership change

2008-12-12 Thread Alan DeKok
Norbert Wegener wrote:
> Upgrading from 2.1.1 to 2.1.3 on a Suse10.2 system and restarting
> radiusd with the identical configuration showed the following message:
> 
> We do not own /var/run/radiusd/radiusd.sock.

  Ah... a side effect of fixing the "run as unprivileged user", I think.

> Removing radiusd.sock and restarting radiusd solved the problem.
> 
> 2.1.3 obviously changed the ownership:
> ls -l /var/run/radiusd/radiusd.sock
> srw-rw 1 root radiusd 0 12. Dez 16:20 /var/run/radiusd/radiusd.sock
> 
> Shouldn't the ownership still  be radiusd.radiusd ?

  Yes.

  The issue is that the server was changed to:

 - setuid to radiusd/radiusd
 - BUT remember "root"
 - start booting
 - switch back to root
 - open sockets (including ports < 1024) as root
 - when done opening sockets, switch back to radiusd/radiusd

  The issue is that the file "radiusd.sock" is now opened as root, and
therefore some of the previous logic to check ownerships is wrong.

  I'll commit a fix to the "stable" tree tomorrow.

  Alan DeKok.


rpmbuild errors 2.1.3-0

2008-12-12 Thread Andrew Long
I'm back again trying to build the latest into rpm for our CentOS 5.x servers.

I have edited the spec file so
Name: freeradius

and repacked the tgz so it is freeradius-2.1.3.tar.gz

but I get

[al...@host SPECS]$ rpmbuild -ba --nobuild freeradius.spec
Processing files: freeradius-2.1.3-0
error: File not found: /var/tmp/freeradius-root/etc/pam.d/radius
error: File not found: /var/tmp/freeradius-root/etc/logrotate.d/radiusd
error: File not found: /var/tmp/freeradius-root/etc/rc.d/init.d/radiusd
error: File not found by glob: /var/tmp/freeradius-root/etc/raddb/*
error: File not found: /var/tmp/freeradius-root/usr/share/doc/freeradius-2.1.3
error: File not found by glob: /var/tmp/freeradius-root/usr/bin/*
error: File not found: /var/tmp/freeradius-root/usr/share/freeradius
error: File not found by glob: /var/tmp/freeradius-root/usr/lib/*
error: File not found by glob: /var/tmp/freeradius-root/usr/share/man/*/*
error: File not found by glob: /var/tmp/freeradius-root/usr/sbin/*
error: File not found by glob: /var/tmp/freeradius-root/usr/include/freeradius/*
error: File not found: /var/tmp/freeradius-root/var/log/radius
error: File not found: /var/tmp/freeradius-root/var/log/radius/radacct
error: File not found: /var/tmp/freeradius-root/var/run/radiusd
Processing files: freeradius-debuginfo-2.1.3-0
error: Could not open %files file
/home/along/rpmbuild/BUILD/freeradius-2.1.3/debugfiles.list: No such
file or directory


RPM build errors:
File not found: /var/tmp/freeradius-root/etc/pam.d/radius
File not found: /var/tmp/freeradius-root/etc/logrotate.d/radiusd
File not found: /var/tmp/freeradius-root/etc/rc.d/init.d/radiusd
File not found by glob: /var/tmp/freeradius-root/etc/raddb/*
File not found: /var/tmp/freeradius-root/usr/share/doc/freeradius-2.1.3
File not found by glob: /var/tmp/freeradius-root/usr/bin/*
File not found: /var/tmp/freeradius-root/usr/share/freeradius
File not found by glob: /var/tmp/freeradius-root/usr/lib/*
File not found by glob: /var/tmp/freeradius-root/usr/share/man/*/*
File not found by glob: /var/tmp/freeradius-root/usr/sbin/*
File not found by glob: /var/tmp/freeradius-root/usr/include/freeradius/*
File not found: /var/tmp/freeradius-root/var/log/radius
File not found: /var/tmp/freeradius-root/var/log/radius/radacct
File not found: /var/tmp/freeradius-root/var/run/radiusd
Could not open %files file
/home/along/rpmbuild/BUILD/freeradius-2.1.3/debugfiles.list: No such
file or directory

BTW - my last build was via rpmbuild:
$ rpm -qv freeradius
freeradius-2.0.3-0


Thank you. And look forward to a few more questions...
-- 

I never think of the future - it comes soon enough.
- Albert Einstein


Re: freeradius not responding on machine specific IPs

2008-12-12 Thread Andy Billington
Check firewall ports - we had "fun" when FR was listening on the 18s
but our firewall guy did his config using the "traditional" 16s.  Also
have you got your FR client configured so FR server knows to process
requests from that source?


Hth
Andy

On 12/12/2008, kevin  wrote:
> I was loathe to ask a newbie question, but it appears I have one.
>
> How does one configure freeradius to listen on all IPs specific to a
> machine?
>
> I have a remote Ubuntu 7.10 server (32bit) which I want to use for
> authentication via freeradius.  It (freeradius 1.1.6-2) installed all
> nice and is running properly in default config, or it would seem.  I
> cannot get a response when a remote authenticate is made.
>
> When I ssh into the server, it appropriately responds to the following:
>
>> r...@server3:/home/kevin# radtest fred wilma 127.0.0.1 1812 mysecret
>> Sending Access-Request of id 1 to 127.0.0.1 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>> Re-sending Access-Request of id 1 to 127.0.0.1 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=1, length=20
>> rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
>> with invalid signature (err=2)!  (Shared secret is incorrect.)
>
> When I try radtest on the network IP, it fails, as per:
>
>> r...@server3:/home/kevin# radtest fred wilma 192.168.3.199 1812 mysecret
>> Sending Access-Request of id 5 to 192.168.3.199 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>> Re-sending Access-Request of id 5 to 192.168.3.199 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>
> etc...
>
> I have tried setting the listen in Radiusd.conf to be the network IP of the
> machine (x.x.3.199), but that gave the same results.
>
> Any thoughts on what this n00b is doing wrong?
>
> Thanks,
>
> Kevin
>


freeradius not responding on machine specific IPs

2008-12-12 Thread kevin
I was loathe to ask a newbie question, but it appears I have one.

How does one configure freeradius to listen on all IPs specific to a
machine?

I have a remote Ubuntu 7.10 server (32bit) which I want to use for
authentication via freeradius.  It (freeradius 1.1.6-2) installed all
nice and is running properly in default config, or it would seem.  I
cannot get a response when a remote authenticate is made.

When I ssh into the server, it appropriately responds to the following:

> r...@server3:/home/kevin# radtest fred wilma 127.0.0.1 1812 mysecret
> Sending Access-Request of id 1 to 127.0.0.1 port 1812
>   User-Name = "fred"
>   User-Password = "wilma"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> Re-sending Access-Request of id 1 to 127.0.0.1 port 1812
>   User-Name = "fred"
>   User-Password = "wilma"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=1, length=20
> rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 
> with invalid signature (err=2)!  (Shared secret is incorrect.)

When I try radtest on the network IP, it fails, as per:

> r...@server3:/home/kevin# radtest fred wilma 192.168.3.199 1812 mysecret
> Sending Access-Request of id 5 to 192.168.3.199 port 1812
>   User-Name = "fred"
>   User-Password = "wilma"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> Re-sending Access-Request of id 5 to 192.168.3.199 port 1812
>   User-Name = "fred"
>   User-Password = "wilma"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812

etc...

I have tried setting the listen in Radiusd.conf to be the network IP of the
machine (x.x.3.199), but that gave the same results.

Any thoughts on what this n00b is doing wrong?

Thanks,

Kevin



Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread tnt
>My AP is a SMCWBR14T-G and i think the NAS is already well configured.

How sure are you? I would be fairly certain that it isn't.

>I really don't understand the problem. =/

That's because you think that there is something wrong with freeradius.

>I read the FAQ (http://wiki.freeradius.org/FAQ) topic:
>"Simultaneous-Use doesn't work"
>and I did everything and it still doesn't work.

So, tell us how did you do this: "Verify that the NAS is sending
accounting packets. Without accounting packets, Simultaneous-Use will
NOT work. "

Ivan Kalik
Kalik Informatika ISP



Re: R: freeradius and IP pools

2008-12-12 Thread tnt
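>OK. I have in proxy.conf:
>realm with_ip {
>    authhost = LOCAL
>    accthost = LOCAL
>}
>
>realm without_ip {
>    authhost = LOCAL
>    accthost = LOCAL
>}
>
>Next I have mysql tables containing usernames:
>mysql> select * from radcheck;
>+----+----------+---------+--------------------+----+-------+
>| id | username | realm   | attribute          | op | value |
>+----+----------+---------+--------------------+----+-------+
>|  1 | user     | with_ip | Cleartext-Password | := | ip    |
>+----+----------+---------+--------------------+----+-------+
>mysql> select * from radgroupcheck;
>+----+-------------+-----------+----+---------+
>| id | groupname   | attribute | op | value   |
>+----+-------------+-----------+----+---------+
>|  1 | withipgroup | Pool-Name | := | ip_pool |
>+----+-------------+-----------+----+---------+
>mysql> select * from radippool;
>+----+-----------+-----------------+
>| id | pool_name | framedipaddress |
>+----+-----------+-----------------+
>|  1 | ip_pool   | 10.0.0.1        |
>|  2 | ip_pool   | 10.0.0.2        |
>+----+-----------+-----------------+
>mysql> select * from radusergroup;
>+----------+---------+-------------+----------+
>| username | realm   | groupname   | priority |
>+----------+---------+-------------+----------+
>| user     | with_ip | withipgroup |        1 |
>+----------+---------+-------------+----------+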
>That's good for ip-provided users and it works. But I need to understand how
>to configure the second user, the without-ip one.

Make just radcheck entry for that one.

Ivan Kalik
Kalik Informatika ISP



Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread Alan DeKok
Diogo Teixeira wrote:
> My radacct table is always empty ! =/

  You've said this a lot.  The reason WHY it's empty has been explained
to you.

  If you don't understand the explanations, ask *new* questions.

  Posting the same complaint over and over again makes it look like
you're ignoring our responses.

  If you're going to ignore our responses, we're going to STOP responding.

  You also need to do the work yourself.  Posting an email asking where
the FAQ is shows that you're not interested in doing any work yourself.
This is another reason for people to ignore you.

  If you don't think your problem is serious enough to do any work on
it, we won't do any work on it, either.

  Alan DeKok.


Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread Diogo Teixeira
In my case I have SQL as a database to store accounting records.

In this case, is the checkrad script also called?

My radacct table is always empty! =/

My AP is a SMCWBR14T-G and I think the NAS is already well configured.

I really don't understand the problem. =/

I read the FAQ (http://wiki.freeradius.org/FAQ) topic:
"Simultaneous-Use doesn't work"
and I did everything and it still doesn't work.

Sorry for the inconvenience and for my possible role of ignorance.

Regards,

Diogo Teixeira
2008/12/12 

> >What FAQ Alan ?
>
> Option 1: Go to the freeradius site. Click on Wiki link. Type FAQ in the
> search box. Press Enter.
>
> Option 2: Type "freeradius faq" in Google. Click on the first link that
> comes up.
>
> Ivan Kalik
> Kalik Informatika ISP
>

R: freeradius and IP pools

2008-12-12 Thread Arrigo Savio
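OK. I have in proxy.conf:
realm with_ip {
    authhost = LOCAL
    accthost = LOCAL
}

realm without_ip {
    authhost = LOCAL
    accthost = LOCAL
}

Next I have mysql tables containing usernames:
mysql> select * from radcheck;
+----+----------+---------+--------------------+----+-------+
| id | username | realm   | attribute          | op | value |
+----+----------+---------+--------------------+----+-------+
|  1 | user     | with_ip | Cleartext-Password | := | ip    |
+----+----------+---------+--------------------+----+-------+
mysql> select * from radgroupcheck;
+----+-------------+-----------+----+---------+
| id | groupname   | attribute | op | value   |
+----+-------------+-----------+----+---------+
|  1 | withipgroup | Pool-Name | := | ip_pool |
+----+-------------+-----------+----+---------+
mysql> select * from radippool;
+----+-----------+-----------------+
| id | pool_name | framedipaddress |
+----+-----------+-----------------+
|  1 | ip_pool   | 10.0.0.1        |
|  2 | ip_pool   | 10.0.0.2        |
+----+-----------+-----------------+
mysql> select * from radusergroup;
+----------+---------+-------------+----------+
| username | realm   | groupname   | priority |
+----------+---------+-------------+----------+
| user     | with_ip | withipgroup |        1 |
+----------+---------+-------------+----------+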

That's good for ip-provided users and it works. But I need to understand how
to configure the second user, the without-ip one.

Arrigo



-----Original Message-----
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org
[mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On
behalf of t...@kalik.net
Sent: Friday, 12 December 2008 17:02
To: FreeRadius users mailing list
Subject: Re: freeradius and IP pools

>For example:
>
>u...@with_ip
>has to receive an IP from configured RADIPPOOL table
>
>u...@without_ip
>has only to be authenticated (a user who logs in to a portal, for example).
>
>How can I make it possible? Where can I set up this behaviour?

Create those realms as local realms in proxy.conf. Put:

DEFAULT   Realm == with_ip, Pool-Name:= your_pool_name

in users file.

Ivan Kalik
Kalik Informatika ISP





RE: Best way of adding custom authentication procedure to Freeradius that works in Windows/Linux platforms?

2008-12-12 Thread Joshua Lim

Joshua Lim wrote:
> A little info on the custom authentication procedure:
> 
> 1. I need to provide a double-factor authentication to my users.
> 2. The first level will be a simple challenge and password (i reckon
> that this can be done using File or MySQL).
 
  Maybe.
 
> 3. Upon successful first authentication, the user is not given
> access-accept, instead, he needs to enter a second password (this is the
> OTP).  The OTP must be generated by the custom script/module by
> accessing some external database - this is done immediately after the
> first authentication has been successfully completed.
 
  You will need a custom module to do this.
 
  Alan DeKok.

>>> Thanks.  :)


Re: freeradius and IP pools

2008-12-12 Thread tnt
>For example:
>
>u...@with_ip
>has to receive an IP from configured RADIPPOOL table
>
>u...@without_ip
>has only to be authenticated (a user who logs in to a portal, for example).
>
>How can I make it possible? Where can I set up this behaviour?

Create those realms as local realms in proxy.conf. Put:

DEFAULT   Realm == with_ip, Pool-Name:= your_pool_name

in users file.

Ivan Kalik
Kalik Informatika ISP



Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread tnt
>What FAQ Alan ?

Option 1: Go to the freeradius site. Click on Wiki link. Type FAQ in the
search box. Press Enter.

Option 2: Type "freeradius faq" in Google. Click on the first link that
comes up.

Ivan Kalik
Kalik Informatika ISP



ownership change

2008-12-12 Thread Norbert Wegener
Upgrading from 2.1.1 to 2.1.3 on a Suse10.2 system and restarting 
radiusd with the identical configuration showed the following message:


We do not own /var/run/radiusd/radiusd.sock.

ls -l /var/run/radiusd/radiusd.sock
srw-rw 1 radiusd radiusd 0 12. Dez 16:18 /var/run/radiusd/radiusd.sock

That fits to the entries

user = radiusd
group = radiusd

in radiusd.conf.

Removing radiusd.sock and restarting radiusd solved the problem.

2.1.3 obviously changed the ownership:
ls -l /var/run/radiusd/radiusd.sock
srw-rw 1 root radiusd 0 12. Dez 16:20 /var/run/radiusd/radiusd.sock

Shouldn't the ownership still  be radiusd.radiusd ?

Norbert Wegener




Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread Diogo Teixeira
What FAQ Alan ?

2008/12/12 Alan DeKok 

> Diogo Teixeira wrote:
> > My table radacct is empty every time.
>
>   This is in the FAQ.
>
>
> > and simultaneous-use don't work, because radacct table empty, even after
> > user success logged ! =//
>
>   As I already said:
>
> You are likely *not* getting accounting packets.
>
>   If the NAS doesn't send accounting packets, fix it so that it *does*
> send accounting packets.
>
>  Alan DeKok.

Re: Forging a RADIUS request within a module

2008-12-12 Thread Geoffroy ARNOUD
> And you are absolutely sure that you are supposed to send it an
> Accounting-Request and not proxy Access-Request? Considering that
> filtering policies are a part of the access setup that would make much
> more sense.

Yes I am. Actually, the appliance works like this, and is not the same
box as the NAS.
We are already connected to it and we use radclient to send the
accounting-request to it. But as a migration from FreeRADIUS 1.1.3
towards 2.1.x may occur, I take a look whether the behaviour could be
changed or not.

Geoff.


Re: domain security problem

2008-12-12 Thread tnt
>>> I just thought there is a setting which is useful to differentiate the
>>> HOST/username and DOMAIN/username
>>
>> OK. Let's try. What is SOMETHING in SOMETHING\username - HOST or DOMAIN?
>> If you can't tell ...
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
>okay I understand, I just thought we have other information, but I see no.

But you *do* have other information. Just not in the User-Name. You can
do checks on the mac address that comes in Calling-Station-Id.

Ivan Kalik
Kalik Informatika ISP



Re: Forging a RADIUS request within a module

2008-12-12 Thread tnt
>> >During authentication process, I need to send an Accounting-Start to a 
>> >network equipment
>>
>> Just out of interest - what is "network equipment" going to do with the
>> accounting request?
>
>It's a network filtering appliance. The Accounting-Request ships
>attributes that say which filtering policy must be applied to the user
>traffic.

And you are absolutely sure that you are supposed to send it an
Accounting-Request and not proxy Access-Request? Considering that
filtering policies are a part of the access setup that would make much
more sense.

Ivan Kalik
Kalik Informatika ISP



Re: Problem with Freeradius and WiMAX

2008-12-12 Thread Alan DeKok
Kristoffer Milligan wrote:
> This is my first post to the list, so let me open by congratulating on a
> great piece of software. I'm impressed.

  Thanks.

> I have the pleasure of working with WiMAX and a system called 4motion.
> We have chosen to use FreeRadius as our AAA server, but are experiencing
> some problems.
> 
> http://pastebin.com/m269e9250
> 
> As far as I can tell, everything is fine till I get the "[eap] NAK asked
> for unsupported type 21" error?

  That's TTLS.

> Could anyone give me any pointer or ideas about what I am doing wrong,
> and how I can fix it?

  You haven't built the server with OpenSSL support.  You need to
install the OpenSSL development headers && libraries.  This is also in
the debug output...

http://deployingradius.com/documents/configuration/openssl.html

  Alan DeKok.


Problem with Freeradius and WiMAX

2008-12-12 Thread Kristoffer Milligan
Good day list

This is my first post to the list, so let me open by congratulating on a
great piece of software. I'm impressed.

I have the pleasure of working with WiMAX and a system called 4motion.
We have chosen to use FreeRadius as our AAA server, but are experiencing
some problems.

http://pastebin.com/m269e9250

As far as I can tell, everything is fine till I get the "[eap] NAK asked
for unsupported type 21" error?

Could anyone give me any pointer or ideas about what I am doing wrong,
and how I can fix it?

Sincerely,
Kristoffer Milligan



Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread Alan DeKok
Diogo Teixeira wrote:
> My table radacct is empty every time.

  This is in the FAQ.


> and simultaneous-use don't work, because radacct table empty, even after
> user success logged ! =//

  As I already said:

You are likely *not* getting accounting packets.

  If the NAS doesn't send accounting packets, fix it so that it *does*
send accounting packets.

  Alan DeKok.


Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread Diogo Teixeira
My table radacct is empty every time.

in radiusd.conf

I put the sql option everywhere.

accounting{
}

session{
}

authorize{
}

authentication{
}

post-auth{
}

I uncommented the "simul_count_query" in sql.conf

and simultaneous-use don't work, because radacct table empty, even after
user success logged ! =//

please help. =/

Best Regards,

Diogo Teixeira

2008/12/12 Alan DeKok 

> Diogo Teixeira wrote:
> > But two different clients (PCs) with the same pair user/password can do
> > success login. =/
> >
> > What i have done wrong ?
>
>   read doc/Simultaneous-Use.  The requirements for it to work are
> explained there.
>
>  You are likely *not* getting accounting packets.
>
>  Alan DeKok.

Re: Forging a RADIUS request within a module

2008-12-12 Thread Alan DeKok
Geoffroy Arnoud wrote:
> Is it possible to create the Accounting-Request from inside a module and 
> "post it" as an event, to let FreeRADIUS core manage processing/sending?

  Yes.  See src/main/session.c, session_zap() for a function that does this.

  But if you plan on sending a packet to another box, the best approach
is to use radclient.  Posting "internal" packets that get forwarded off
of the box is likely not to work.

  Alan DeKok.


Re: Forging a RADIUS request within a module

2008-12-12 Thread Stephen Bowman
On Fri, Dec 12, 2008 at 7:45 AM, Geoffroy ARNOUD wrote:

> > >During authentication process, I need to send an Accounting-Start to a
> network equipment
> >
> > Just out of interest - what is "network equipment" going to do with the
> > accounting request?
>
> It's a network filtering appliance. The Accounting-Request ships
> attributes that say which filtering policy must be applied to the user
> traffic.
>

And these attributes can't be sent in the access-accept?

freeradius and IP pools

2008-12-12 Thread Arrigo Savio
Hi. I need to use freeradius in multiple ways. I mean: based on realm, I
need to assign or not an IP address.

For example:

u...@with_ip
has to receive an IP from configured RADIPPOOL table

u...@without_ip
has only to be authenticated (a user who logs in to a portal, for example).

How can I make it possible? Where can I set up this behaviour?

Thanks. Arrigo.

Re: Forging a RADIUS request within a module

2008-12-12 Thread Geoffroy ARNOUD
> >During authentication process, I need to send an Accounting-Start to a 
> >network equipment
>
> Just out of interest - what is "network equipment" going to do with the
> accounting request?

It's a network filtering appliance. The Accounting-Request ships
attributes that say which filtering policy must be applied to the user
traffic.

Geoff.


Re: domain security problem

2008-12-12 Thread Hegedus Gabor

t...@kalik.net wrote:
>> I just thought there is a setting which is useful to differentiate the
>> HOST/username and DOMAIN/username
>
> OK. Let's try. What is SOMETHING in SOMETHING\username - HOST or DOMAIN?
> If you can't tell ...
>
> Ivan Kalik
> Kalik Informatika ISP

okay I understand, I just thought we have other information, but I see no.

thank you, and sorry for this foolish question.

bye

Gabor


Re: Forging a RADIUS request within a module

2008-12-12 Thread tnt
>During authentication process, I need to send an Accounting-Start to a network 
>equipment

Just out of interest - what is "network equipment" going to do with the
accounting request?

Ivan Kalik
Kalik Informatika ISP



Re: Configuration sample CDMA-EVDO

2008-12-12 Thread Alexander Serkin

Hi, Aldo.
There's nothing special for freeradius providing AAA services for cdma 
ev-do.
We're running CDMA (1xRTT, 1xEV-DO rev0/revA) network with ~25k peak 
online users on two servers running FR.

Drop me a message if you're interested in details.

--
Alexander

Aldo wrote:
> Hello, could please somebody provide a configuration sample of a CDMA
> network which provides EVDO using RADIUS?
>
> Thanks


Re: SUN_LEN Error

2008-12-12 Thread Anton Borisov

Good day!

Thank you! It is working!
Could I ask about key for Solaris OS in future?
Something like --without-SUN_LEN...


Sorry about duplicate, I thought my first message was rejected by 
mail-filter.



Alan DeKok wrote:
> Anton Borisov wrote:
>> Good day!
>
>   You don't need to post the same message multiple times.
>
>> I try to use new version 2.1.3 in Solaris10.
>> (uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)
> ...
>> Undefined   first referenced
>>  symbol in file
>> SUN_LEN .libs/listen.o
>
>   You need to add:
>
> #define SUN_LEN(su)  (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))
>
>   to src/include/radiusd.h
>
>   Apparently Solaris doesn't have SUN_LEN
>
>   Alan DeKok.

--
Yours faithfully,
Anton Borisov.
Forging a RADIUS request within a module

2008-12-12 Thread Geoffroy Arnoud
Hi all,

During authentication process, I need to send an Accounting-Start to a network 
equipment when the authentication is successful (when processing the 
Access-Request), before sending the Access-Accept back.

Is it possible to create the Accounting-Request from inside a module and "post 
it" as an event, to let FreeRADIUS core manage processing/sending?
If not, I will have to trigger an external radiusclient to do the job.

Thanks for your answers.
Geoff.



  



Re: domain security problem

2008-12-12 Thread tnt
>I just thought there is a setting which is useful to differentiate the
>HOST/username and DOMAIN/username
>

OK. Let's try. What is SOMETHING in SOMETHING\username - HOST or DOMAIN?
If you can't tell ...

Ivan Kalik
Kalik Informatika ISP



Re: domain security problem

2008-12-12 Thread Hegedus Gabor

t...@kalik.net wrote:
>> It is bad news, you say check mac address too
>> no way reject it simple without mac...
>
> How much simpler can you get? You say that it is a problem that a user
> with AD account gets access from an unauthorized machine. The only
> answer is to check machine credentials. mac filtering is the simplest
> thing you could possibly do. People who consider this a real problem
> use machine certificates. Or NAC.
>
> Ivan Kalik
> Kalik Informatika ISP

I just thought there is a setting which is useful to differentiate the
HOST/username and DOMAIN/username

Thank you

Gabor


Re: SUN_LEN Error

2008-12-12 Thread Alan DeKok
Anton Borisov wrote:
> Good day!

  You don't need to post the same message multiple times.

> I try to use new version 2.1.3 in Solaris10.
> (uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)
...
> Undefined   first referenced
>  symbol in file
> SUN_LEN .libs/listen.o

  You need to add:

#define SUN_LEN(su)  (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))

  to src/include/radiusd.h

  Apparently Solaris doesn't have SUN_LEN

  Alan DeKok.


Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !

2008-12-12 Thread Alan DeKok
Diogo Teixeira wrote:
> But two different clients (PCs) with the same pair user/password can do
> success login. =/
> 
> What i have done wrong ?

  read doc/Simultaneous-Use.  The requirements for it to work are
explained there.

  You are likely *not* getting accounting packets.

  Alan DeKok.