SQLCounter configuration

2009-01-09 Thread Hanno Schupp
Dear All,

I have a few questions regarding the rlm_sqlcounter module and its
configuration. I have a freeradius 2.1.0 communicating with a router running
chillispot 1.1. I set up counters for time and data volume, with different
reset periods. All works fine and as expected.

Here are my questions:

1)  After the time or data volume for a period (say a month) is reached,
the user is automatically disconnected - as expected. Rather than not
allowing them to log in, I would like freeradius to return some other attributes
(WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down work fine with
ChilliSpot) to be sent to the router for the user, so that a connection is
still possible, but at a much lower maximum speed. Can that be done, and if
so, can someone give me a pointer? I was thinking maybe of using unlang, but I
may be barking up the wrong tree.

2)  The reset = monthly method seems to reset on the first of the current
month. That is one way of doing it, but I would like the reset to occur at
the same date in the month every month. So if someone signs up, say on the
12th of a month, the reset will occur every month on the 12th. Can that be
done with freeradius?

3)  Currently I receive something like Reply-Message = "Your maximum
never usage time has been reached" when the counter reaches its limit -
even when what was counted was not time but data volume. Can the Reply-Message
for sqlcounter be configured as in the expiration module?

4)  One surprise I have had: I don't quite understand how the system
calculates the day for the beginning of the reset = weekly period. I appreciate
that calculating the day of the week is not as easy as, for example, the first
of the current month or the beginning of the day, so I was not surprised not to
have a Monday, but I was surprised to see the SQL query run with 'Fri Jan 09 2009
00:00:00 GMT+1300 (New Zealand Daylight Time)' as the beginning of the week
when running the query on a Saturday. BTW, SQL time is configured correctly,
and UNIX_TIMESTAMP is giving a correct timestamp for local time. What am
I missing?
(Note: When setting reset = 7d, I get something more explainable like 'Sat
Jan 10 2009 00:00:00 GMT+1300 (New Zealand Daylight Time)', which is the
beginning of today. Should reset = weekly and reset = 7d yield the
same result? If not, what is weekly vs 7d, and why does the week not start
on a Monday?)

Any hints welcome

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error in SQL statement expansion? And how to correct it?

2009-01-09 Thread tnt
>Sat Jan 10 10:21:47 2009 : Debug:   expand: SELECT COUNT(*)
>FROM radacct  WHERE username =
>'%{SQL-User-Name}'  AND acctstoptime IS NULL
>AND callingstationid <> '{%Calling-Station-Id}' 

'%{SQL-User-Name}'
'{%Calling-Station-Id}'

Can you see the typing error now?

Ivan Kalik
Kalik Informatika ISP



Re: Error in SQL statement expansion? And how to correct it?

2009-01-09 Thread Alan DeKok
Hanno Schupp wrote:
> I found the following in my freeradius 2.1.0 debug on Ubuntu 8.10 for my
> simultaneous use check:

  You have edited the default configuration and broken it.

> Sat Jan 10 10:21:47 2009 : Debug:   expand: SELECT
> COUNT(*)  FROM
> radacct  WHERE username =
> '%{SQL-User-Name}'  AND acctstoptime IS
> NULL  AND callingstationid <>
> '{%Calling-Station-Id}' -> SELECT COUNT(*) 

  This is not the correct syntax for expanding a variable.  See "man
unlang".

  You want %{Calling-Station-Id}, not {%Calling-Station-Id}.

  Alan DeKok.
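Added here to make Alan's point checkable before the server ever runs the query (example code, not from the thread and not part of FreeRADIUS): a small Python linter that reads sql.conf-style query assignments and reports the swapped `{%Attr}` form, plus any other bare `%` that the server would parse as a one-character expansion rather than the start of an attribute reference. The sql.conf excerpt inside it is a constructed sample, not the shipped default.

```python
"""Lint rlm_sql query templates for misplaced xlat references.

Added illustration for this thread, not part of FreeRADIUS: it scans
sql.conf-style query strings for the '{%Attr}' typo discussed above and
for any other bare '%' that would be parsed as a one-character expansion
instead of an attribute reference. Nested forms such as
%{%{Stripped-User-Name}:-%{User-Name}} are out of scope for this checker.
"""
import re

# A well-formed attribute expansion: %{Attr} or %{list:Attr}.
GOOD_XLAT = re.compile(r"%\{[A-Za-z0-9:_.\-]+\}")
# The typo from the thread: the brace comes before the percent sign.
SWAPPED_XLAT = re.compile(r"\{%([A-Za-z0-9:_.\-]+)\}")
# One 'name = "value"' assignment, after continuation lines have been joined.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"(.*)"\s*$')


def find_xlat_problems(query):
    """Return (problem, offending fragment, suggestion) tuples for one query."""
    problems = []
    for m in SWAPPED_XLAT.finditer(query):
        problems.append(("swapped-braces", m.group(0), "%{" + m.group(1) + "}"))
    # Strip every well-formed reference and the swapped ones already reported;
    # whatever '%' survives is not an attribute reference at all.
    leftover = SWAPPED_XLAT.sub("", GOOD_XLAT.sub("", query))
    for m in re.finditer(r"%.", leftover):
        problems.append(("bare-percent", m.group(0), "use %{Attr} for attributes"))
    return problems


def parse_queries(conf_text):
    """Minimal reader for sql.conf-style assignments, joining backslash-newline
    continuations the way the server's config parser does."""
    queries = {}
    for line in conf_text.replace("\\\n", "").splitlines():
        m = ASSIGNMENT.match(line)
        if m:
            queries[m.group(1)] = m.group(2)
    return queries


def check_config(conf_text):
    """Map each query name to its problems; queries without problems are omitted."""
    report = {}
    for name, query in parse_queries(conf_text).items():
        problems = find_xlat_problems(query)
        if problems:
            report[name] = problems
    return report


# Constructed sample; the second query carries the typo from the debug output.
SAMPLE_SQL_CONF = '''
        simul_count_query = "SELECT COUNT(*) FROM radacct \\
            WHERE username = '%{SQL-User-Name}' \\
            AND acctstoptime IS NULL"
        simul_verify_query = "SELECT COUNT(*) FROM radacct \\
            WHERE username = '%{SQL-User-Name}' \\
            AND acctstoptime IS NULL \\
            AND callingstationid <> '{%Calling-Station-Id}'"
'''

if __name__ == "__main__":
    for name, problems in check_config(SAMPLE_SQL_CONF).items():
        for kind, fragment, fix in problems:
            print(f"{name}: {kind}: {fragment} -> {fix}")
```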


RE: Authentication Problem with PEAP and openldap

2009-01-09 Thread tnt
>it was a bit ambiguous. The term "md4 encoded utf-16e password hash" should
>express, that it is an NTLM Hash. Sorry for the confusion.
>

smbencrypt is distributed with the server. Use it to check the password
hash.

Ivan Kalik
Kalik Informatika ISP



Error in SQL statement expansion? And how to correct it?

2009-01-09 Thread Hanno Schupp
Dear All,

I found the following in my freeradius 2.1.0 debug on Ubuntu 8.10 for my
simultaneous use check:

...

Sat Jan 10 10:21:47 2009 : Debug:   expand: SELECT COUNT(*)
FROM radacct  WHERE username =
'%{SQL-User-Name}'  AND acctstoptime IS NULL
AND callingstationid <> '{%Calling-Station-Id}' -> SELECT COUNT(*)
FROM radacct  WHERE username = 'yubvef23'
AND acctstoptime IS NULL  AND callingstationid
<> '{anyonealling-Station-Id}'

...

It appears that after expansion of {%Calling-Station-Id} the looked-for
value is {anyonealling-Station-Id}. The {} suggest this is a value that
should have been expanded/replaced further. The spelling -
{anyonealling-Station-Id} as opposed to {anyonecalling-Station-Id} as one
might expect - suggests the expansion/replacement fails due to a syntax
error. I have looked in sql.conf and its includes, where the SQL statements
are defined. The SQL statement looks OK, but I cannot find any definition of
or reference to {anyonealling-Station-Id}.

I would like to confirm firstly that this is indeed a syntax error and
secondly, where the value of {anyonealling-Station-Id} may be defined, so I
can fix this.

Thanks


RE: Authentication Problem with PEAP and openldap

2009-01-09 Thread Michael Poser
Hello Thibault,

>> native wired xp 802.1X client with PEAP (mschapv2) tries to authenticate
>> via freeradius against openldap with an md4 encoded utf-16e password
>> hash.

> This is just not possible.
> PEAP (mschapv2) requires you can read the user password either as a 
> cleartext password or as a NTLM-hashed password in your DB. 

It was a bit ambiguous. The term "md4 encoded utf-16e password hash" should
express that it is an NTLM hash. Sorry for the confusion.

Best Regards, Michael



Re: Problem whith upgrade

2009-01-09 Thread tnt
>These attributes in reply come from attrs file, the missing is
>ERX-Egress-Police-Name.
>
>In radreply it entry is:
>
>ID   Username                     Attribute               op  value
>521  testesd...@sercomtel.com.br  ERX-Egress-Police-Name  =   silver
>

Try adding sql.authorize in post-auth section.

Ivan Kalik
Kalik Informatika ISP



RE: eap/tls freeradius openssl

2009-01-09 Thread Craig White
No - you download the Fedora source RPM and build from the spec file, and it
compiles using openssl-devel (and other development libraries as
required).

Craig

On Fri, 2009-01-09 at 14:54 -0500, Brian Ertel wrote:
> Hi Craig,
> 
> So if I install freeradius as an rpm is there also a freeradius-openssl and 
> freeradius-openssl-dev rpm?
> 
> Thanks,
> 
> Brian


RE: eap/tls freeradius openssl

2009-01-09 Thread Brian Ertel

Hi Craig,

So if I install freeradius as an rpm is there also a freeradius-openssl and 
freeradius-openssl-dev rpm?

Thanks,

Brian


RE: eap/tls freeradius openssl

2009-01-09 Thread Craig White
http://wiki.freeradius.org/Red_Hat_FAQ

nice wiki

On Fri, 2009-01-09 at 14:21 -0500, Brian Ertel wrote:
> Alan,
> 
> I am running CentOS 5.  
> 
> Thanks,
> 
> Brian
> 


Re: Problem whith upgrade

2009-01-09 Thread Marcelo Henique Cabral Ariza
These attributes in the reply come from the attrs file; the missing one is
ERX-Egress-Police-Name.

In radreply its entry is:

ID   Username                     Attribute               op  value
521  testesd...@sercomtel.com.br  ERX-Egress-Police-Name  =   silver


t...@kalik.net wrote:
> OK. So you have some attributes in the reply. Where did they come from
> and what is missing?


RE: eap/tls freeradius openssl

2009-01-09 Thread Brian Ertel
Alan,

I am running CentOS 5.  

Thanks,

Brian



Re: Problem whith upgrade

2009-01-09 Thread tnt
>[suffix] Proxying request from user testesdx520 to realm sercomtel.com.br
>[suffix] Preparing to proxy authentication request to realm
>"sercomtel.com.br"

It would help if you mentioned that this is a proxy reply.

..
>rad_recv: Access-Accept packet from host 2x port 1812, id=217,
>length=25
>Proxy-State = 0x313133
>+- entering group post-proxy {...}
>[attr_filter.post-proxy]expand: %{Realm} -> sercomtel.com.br
> attr_filter: Matched entry sercomtel.com.br at line 84
>++[attr_filter.post-proxy] returns updated

Hm, are you sure this filter has nothing to do with it?

.
>Sending Access-Accept of id 113 to 127.0.0.1 port 40409
>X-Ascend-Client-Primary-DNS := 2x
>X-Ascend-Client-Secondary-DNS := 2xxx
>X-Ascend-Client-Assign-DNS := DNS-Assign-Yes
>ERX-Virtual-Router-Name := "default"
>Framed-IP-Address = xxx

OK. So you have some attributes in the reply. Where did they come from
and what is missing?

Ivan Kalik
Kalik Informatika ISP



Re: eap/tls freeradius openssl

2009-01-09 Thread Alan DeKok
Brian Ertel wrote:
> I am ready to get flamed.  I reinstalled the newest ver. of Freeradius
> and did not change anything.  It started up in debug mode.  I am trying
> to put together a system that will do eap/tls.  Wireless client -> WAP
> -> Radius...  I also just installed the newest version of openssl. 
> Freeradius starts up, but I get the:
> 
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.

  You need to install the OpenSSL *development* headers.

> output.
> 
> I read on another thread about freeradius not being able to find the
> proper Openssl libs.  I do not understand the process of making FR aware
> of OpenSSL and getting FR to "not Ignore" EAP-Type/tls...

  Which OS are you running?  The name of the OpenSSL development package
is OS dependent.

  Alan DeKok.


eap/tls freeradius openssl

2009-01-09 Thread Brian Ertel

Ok,

I am ready to get flamed.  I reinstalled the newest version of FreeRADIUS and did
not change anything.  It started up in debug mode.  I am trying to put together
a system that will do EAP/TLS.  Wireless client -> WAP -> RADIUS...  I also
just installed the newest version of OpenSSL.  FreeRADIUS starts up, but I get
the:

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
 
output.

I read on another thread about freeradius not being able to find the proper
OpenSSL libs.  I do not understand the process of making FR aware of OpenSSL
and getting FR to "not Ignore" EAP-Type/tls...

Thanks,

Brian

Re: Problem whith upgrade

2009-01-09 Thread Marcelo Henique Cabral Ariza
ect rlm_sql_oracle #34
rlm_sql (sql): Connected new DB handle, #34
rlm_sql (sql): starting 35
rlm_sql (sql): Attempting to connect rlm_sql_oracle #35
rlm_sql (sql): Connected new DB handle, #35
rlm_sql (sql): starting 36
rlm_sql (sql): Attempting to connect rlm_sql_oracle #36
rlm_sql (sql): Connected new DB handle, #36
rlm_sql (sql): starting 37
rlm_sql (sql): Attempting to connect rlm_sql_oracle #37
rlm_sql (sql): Connected new DB handle, #37
rlm_sql (sql): starting 38
rlm_sql (sql): Attempting to connect rlm_sql_oracle #38
rlm_sql (sql): Connected new DB handle, #38
rlm_sql (sql): starting 39
rlm_sql (sql): Attempting to connect rlm_sql_oracle #39
rlm_sql (sql): Connected new DB handle, #39
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Framed-IP-Address, ERX-Pppoe-Description, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_sqlippool
 Module: Instantiating SERCOMTEL
  sqlippool SERCOMTEL {
sql-instance-name = "sql"
lease-duration = 7320
pool-name = ""
allocate-begin = "savepoint allocate_begin"
allocate-clear = "UPDATE radippool   SET nasipaddress = '',
pool_key = 0, callingstationid = '',   expiry_time = current_timestamp -
INTERVAL '1' second(1)   WHERE pool_key = '%{ERX-Pppoe-Description}'"
allocate-find = "select
sercomtel('%{SQL-User-Name}','%{control:Pool-Name}','%{Calling-Station-Id}')
from dual"
allocate-update = "UPDATE radippool   SET nasipaddress =
'%{NAS-IP-Address}', pool_key = '%{ERX-Pppoe-Description}',  
callingstationid = '%{Calling-Station-Id}', username =
'%{SQL-User-Name}',   expiry_time = current_timestamp + INTERVAL '7320'
second(1)   WHERE framedipaddress = '%I'"
allocate-commit = "COMMIT"
allocate-rollback = "ROLLBACK"
pool-check = "SELECT id FROM (SELECT id FROM radippool   WHERE
pool_name='%{control:Pool-Name}') WHERE ROWNUM = 1"
start-begin = "savepoint start_begin"
start-update = "UPDATE radippool   SET expiry_time =
current_timestamp + INTERVAL '7320' second(1)   WHERE nasipaddress =
'%{NAS-IP-Address}'   AND pool_key = '%{ERX-Pppoe-Description}'"
start-commit = "COMMIT"
start-rollback = "ROLLBACK"
alive-begin = "savepoint alive_begin"
alive-update = "UPDATE radippool   SET expiry_time =
current_timestamp + INTERVAL '7320' second(1)   WHERE framedipaddress =
'%{Framed-IP-Address}'"
alive-commit = "COMMIT"
alive-rollback = "ROLLBACK"
stop-begin = "savepoint stop_begin"
stop-clear = "UPDATE radippool   SET nasipaddress = '', pool_key
= 0, callingstationid = '',   expiry_time = current_timestamp - INTERVAL
'1' second(1)   WHERE nasipaddress = '%{Nas-IP-Address}'   AND pool_key
= '%{ERX-Pppoe-Description}'   AND username = '%{SQL-User-Name}'   AND
callingstationid = '%{Calling-Station-Id}'   AND framedipaddress =
'%{Framed-IP-Address}'"
stop-commit = "COMMIT"
stop-rollback = "ROLLBACK"
on-begin = "savepoint on_begin"
on-clear = "UPDATE radippool   SET nasipaddress = '', pool_key =
0, callingstationid = '',   expiry_time = current_timestamp - INTERVAL
'1' second(1)   WHERE nasipaddress = '%{Nas-IP-Address}'"
on-commit = "COMMIT"
on-rollback = "ROLLBACK"
off-begin = "savepoint off_begin"
off-clear = "UPDATE radippool   SET nasipaddress = '', pool_key
= 0, callingstationid = '',   expiry_time = current_timestamp - INTERVAL
'1' second(1)   WHERE nasipaddress = '%{Nas-IP-Address}'"
off-commit = "COMMIT"
off-rollback = "ROLLBACK"
sqlippool_log_exists = "Existing IP:
%{reply:Framed-IP-Address}   (did %{Called-Station-Id} cli
%{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_success = "Allocated IP:
%{reply:Framed-IP-Address} from %{control:Pool-Name}   (did
%{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
sqlippool_log_clear = "Released IP %{Framed-IP-Address} (did
%{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "IP Allocatio

Re: Problem whith upgrade

2009-01-09 Thread tnt
>Yesterday i upgrade my freeradius from version 2.0.4 to 2.1.3 and
>still using the same configuration files but when i start the server
>with the new version it dont reply the attributes there are in radreply.
>In debug mode i saw that freeradius search in sql for these attributes
>but don`t put it in the response.
>

Do we get to see the debug?

Ivan Kalik
Kalik Informatika ISP



Re: server selection

2009-01-09 Thread Alan DeKok
Norbert Wegener wrote:
>>  update control {
>>  Proxy-To-Realm := "%{sql:SELECT ... from.. where 
>> %{NAS-IP-Addres}"
>>  }
>>   
> OK, but I did not yet hear about that before and it seems no topic for
> the mass media: googling for Proxy-To-Realm gives 94 results.

  It's not well documented...

> In a greater installation there are numerous different rules for vlan
> assignments. Before applying even the slightest configuration change to
> a production system, I want to make sure that as many different
> configurations as possible have been checked to deliver those attributes
> that they are expected to.
> Obviously a part of those checks can be done using radtest. Running
> radtest with nasip as an argument should therefore bring freeradius to
> use the server the nasip belongs to, and not the server the machine
> running radtest belongs to.

  Hmm... OK.  That's reasonable, and can be done.  But it may take some
minor effort.

  My $0.02:

- set up one fake realm for each virtual server
- point the realm to a home server pool
- point the home server pool to a home server
- point the home server to the virtual_server

  Then:

- create a "listen" section ONLY for testing
- point it to a "testing" virtual server
- configure a policy to switch over NAS-IP-Address:

switch "%{NAS-IP-Address}" {
    case 1.2.3.4 {
        update control {
            Proxy-To-Realm = "home_server_foo"
        }
    }

    ...
}

  It's a fair bit of typing, unfortunately.  I can take a look at
poking the code to simplify it a little bit, i.e. create the listen
section for testing, and then in it, do:

update control {
    Proxy-To-Virtual-Server := "%{config:client[%{NAS-IP-Address}].virtual_server}"
}

  i.e. proxy to a virtual server rather than a realm (this isn't
implemented yet).

  Then... look for a "client" section in the configuration, that has a
name matching the NAS-IP-Address of the current packet... and grab the
"virtual_server" configuration from that client section.

> Btw: Is eapol_test *the* tool to do such checks in an automated way for
> eap/tls authentications or is there a better one available?

  It's the best tool by far.  I'm thinking of deleting radeapclient from
the FreeRADIUS source, because it does a lot less.

  Alan DeKok.


Re: Authentication Problem with PEAP and openldap

2009-01-09 Thread Thibault Le Meur

Michael Poser wrote:

Hello,

native wired xp 802.1X client with PEAP (mschapv2) tries to authenticate via
freeradius against openldap with an md4 encoded utf-16e password hash.


This is just not possible.
PEAP (mschapv2) requires that you can read the user password either as a
cleartext password or as an NTLM-hashed password in your DB.


Thibault

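To make Thibault's requirement and tnt's smbencrypt suggestion concrete (added example, not from the thread and not FreeRADIUS code): the NT hash is MD4 over the UTF-16LE encoding of the password, computed here in pure Python so that a value stored in the directory can be checked against a known password before the EAP exchange itself is suspected. The stored values in the test are constructed, and accepting an optional `0x` prefix on the stored value is an assumption about how the hash may be written.

```python
"""Compute an NT hash the way smbencrypt does: MD4 over the UTF-16LE password.

Added illustration for this thread, not FreeRADIUS code. MD4 is implemented
here in pure Python because hashlib's md4 is often disabled in current
OpenSSL builds.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """RFC 1320 MD4 digest of a byte string, returned as 16 raw bytes."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, message-word order, rotation amounts)
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Each step updates one register, then the registers rotate so
                # the next step works on the next one (a, d, c, b order).
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """NT hash: MD4 of the UTF-16LE encoding, as uppercase hex (smbencrypt style)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def verify_stored_nt_hash(password, stored):
    """True if the hash stored in the directory matches the supplied password.

    Accepts the bare 32-hex-digit form and (assumption) a "0x"-prefixed form;
    the comparison is case-insensitive.
    """
    value = stored.strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    if len(value) != 32:
        return False
    return value.upper() == nt_hash(password)


if __name__ == "__main__":
    # Constructed sample: the well-known NT hash of the password "password".
    stored = "8846F7EAEE8FB117AD06BDD830B7586C"
    print("stored hash matches:", verify_stored_nt_hash("password", stored))
    # Hashing the UTF-8 bytes instead of UTF-16LE gives a different value,
    # which is the kind of mismatch that makes MSCHAPv2 fail.
    print("utf-8 md4 matches:", verify_stored_nt_hash("password", md4(b"password").hex()))
```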


Authentication Problem with PEAP and openldap

2009-01-09 Thread Michael Poser
Hello,

A native wired XP 802.1X client with PEAP (mschapv2) tries to authenticate via
freeradius against openldap with an md4 encoded utf-16e password hash. The
authentication fails. If we use the hash instead of the clear-text password
with the XP client, the authentication works fine. There must be some
problem with the encryption of the password. How do we fix the problem? Any
help is appreciated.

Here are the radiusd.conf file and the debug output of radiusd -X:

Best Regards, Michael


prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = /usr/lib

pidfile = ${run_dir}/radiusd.pid

user = radiusd
group = radiusd

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = no

regular_expressions= yes
extended_expressions= yes

log_stripped_names = yes

log_auth = yes

log_auth_badpass = no
log_auth_goodpass = no

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
max_attributes = 200

reject_delay = 1

status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

snmp= no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
start_servers = 5

max_servers = 32

min_spare_servers = 3
max_spare_servers = 10

max_requests_per_server = 0
}

modules {

pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP

}

pam {
pam_auth = radiusd
}

unix {
cache = no

cache_reload = 600

radwtmp = ${logdir}/radwtmp
}

$INCLUDE ${confdir}/eap.conf

mschap {

authtype = MS-CHAP

use_mppe = yes

require_encryption = yes

}

ldap {
server = "ldaps://XX.XX"
identity = "uid=XXX,o=XXX,dc=XXX,dc=de"
password = XXX
basedn = "ou=XXX,ou=XXX,o=XXX,dc=XXX,dc=de"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

start_tls = no

tls_cacertfile= /etc/openldap/cacerts/ca-bundle.crt

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

password_attribute = userPassword

timeout = 4
timelimit = 3
net_timeout = 1

}

realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}

realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}

realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}

realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}

checkval {
item-name = Calling-Station-Id

check-name = Calling-Station-Id

data-type = string

}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

with_ascend_hack = no
ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users

compat = no
}

detail {
detailfile = ${radacctdir}/sammeldir/detail

detailperm = 0600
}

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}

$INCLUDE  ${confdir}/sql.conf

radutmp {
filename = ${logdir}/radutmp

username = %{User-Name}

case_sensitive = yes

check_with_nas = yes

perm = 0600

callerid = "yes"
}

radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

attr_filter {
attrsfile = ${confdir}/attrs
}

counter daily 

Problem whith upgrade

2009-01-09 Thread Marcelo Henique Cabral Ariza
Hi!

Yesterday I upgraded my freeradius from version 2.0.4 to 2.1.3 and am
still using the same configuration files, but when I start the server
with the new version it doesn't reply with the attributes that are in radreply.
In debug mode I saw that freeradius searches in sql for these attributes
but doesn't put them in the response.

Any help is welcome..

Tks.


Re: Creation of User Accounts and Certificates

2009-01-09 Thread Alan DeKok
mihir patankar wrote:
> We want to know how to create EAP-TTLS User Accounts and Accounts specific
> Certificates in Free-Radius. As of now we have only created PAP Accounts.

  TTLS doesn't use account-specific certificates.

  For user accounts, TTLS will use the same methods as for PAP accounts.

  i.e. there's almost nothing you need to do.

  Alan DeKok.


Re: Creation of User Accounts and Certificates

2009-01-09 Thread tnt
raddb/certs/README

Ivan Kalik
Kalik Informatika ISP

On 9/1/2009, "mihir patankar" wrote:

>Hi,
>
>We want to know how to create EAP-TTLS User Accounts and Accounts specific
>Certificates in Free-Radius. As of now we have only created PAP Accounts.
>
>Mihir V Patankar



Re: Tunnel attributes

2009-01-09 Thread tnt
>How to support these attributes ...Disc-Cause-Ext, PPP-Disconnect-Cause. Are
>they supported in freeradius version 1.1.6?
>
>Do I need to import any dictionary files if this version doesn't support them?
>

They look vendor-specific. Look in the vendor dictionary. Are those
Cisco avpairs?

Ivan Kalik
Kalik Informatika ISP



Creation of User Accounts and Certificates

2009-01-09 Thread mihir patankar
Hi,

We want to know how to create EAP-TTLS user accounts and account-specific
certificates in Free-Radius. As of now we have only created PAP accounts.

Mihir V Patankar



Re: freeradius not start after upgrade from 1.1.7 to 2.1.0

2009-01-09 Thread A . L . M . Buxey
Hi,
> Hi all, i'm new on this ML.
> I've problem after upgrading from v1 to v2

the log section for freeradius v2 has changed a lot since
version 1, so if you're using the same config file
then it won't work. And using the same config file is VERY BAD.

what you need to do is back up your v1 config, then install a clean
vanilla v2 config and then edit that config to match your v1
requirements.

alan


freeradius not start after upgrade from 1.1.7 to 2.1.0

2009-01-09 Thread Fabio
Hi all, I'm new on this ML.
I've a problem after upgrading from v1 to v2.

--
# /etc/init.d/freeradius start

 * Starting FreeRADIUS daemon
freeradius
radiusd: Error: No log destination specified.
--

In radiusd.conf the log parameters are right, with all permissions:

--
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log
--

I've searched the ML archive and I've found another thread with this
problem, but it seems different.
In my case freeradius does not start with the -X option and exits with an error:

--
# freeradius -X

...
...
...
 Module: Instantiating suffix
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
  }
/etc/freeradius/radiusd.conf[1860]: Entry is not a reference to a module
/etc/freeradius/radiusd.conf[1789]: Errors parsing authorize section.
--

The two lines in radiusd.conf:

--
...
1787 #  Make *sure* that 'preprocess' comes before any realm if you
1788 #  need to setup hints for the remote radius server
1789 authorize {
...
1856#  Look in an SQL database.  The schema of the database
1857#  is meant to mirror the "users" file.
1858#
1859#  See "Authorization Queries" in sql.conf
1860sql # Edited
...
--

Any ideas?
Thanks