NAS has wrong ID?
Hi, could someone please help me with this: my log file has lots of entries like this one:

Error: rlm_radutmp: Logout entry for NAS Cisco WLC4402 port 29 has wrong ID

What can I do to get this straight?

Thanks
Qrt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NAS has wrong ID?
qrt wrote:
> could someone please help me with this: my log file has lots of entries like this one:
>
> Error: rlm_radutmp: Logout entry for NAS Cisco WLC4402 port 29 has wrong ID
>
> What can I do to get this straight?

Fix the NAS so that it doesn't send different sets of information for login and logout.

Alan DeKok.
Re: accounting only client?
ST Wong (ITSC) wrote:
> Can I set up clients.conf so that some clients are allowed to send accounting packets only? I'm using 2.1.3.

No. You can set up a listen section so that it only accepts accounting packets. You then add clients to that listen section.

This is documented. See radiusd.conf.

Alan DeKok.
accounting only client?
Hi all,

Can I set up clients.conf so that some clients are allowed to send accounting packets only? I'm using 2.1.3.

Thanks a lot.
/ST Wong
Re: Problem with udpfromto in version 2.1.1 - please help
Will D. Spann wrote:
> I see; thanks for the clarification. This is a departure from how FreeRADIUS 1.0 was configured, where the authenticate and authorize sections resided in the radiusd.conf file.

Yes... and the comments in the file you edited document this.

> However, I noticed a new permission denied error, related to SSL in the rlm_eap module. Based on this, I checked the ownership/permissions of the configuration files and keys in the /etc/raddb folder below. It turns out they were all set to root.root r/w for root user only!

That is an issue, and should be fixed.

> But the default configuration has radiusd running as the radiusd user,

Maybe on Suse. That's not the default in the freeradius distribution.

> Unfortunately, I'm getting the same negative results when running the recommended initial radtest test radtest test test localhost 0 testing123. The following is the output I get.
>
> radclient: socket: cannot initialize udpfromto: Function not implemented
>
> I'm not sure where to go from here. I'm still running with the default configuration.

You need to re-build the server without support for udpfromto.

Alan DeKok.
Re: Query on Acct-Status-Type
> what's the difference between Accounting stop and AcctStatusType=stop?

It's the same thing.

> Accounting stop and AcctStatusType=tunnel-stop

Big. One is for accounting user sessions and the other for tunnel (which carries user sessions) sessions.

> If i send accounting stop packets and AcctStatusType=tunnel-stop am receiving it as AcctStatusType=Stop only. why? any reason?

Your NAS dictionaries are broken. Stop is coded as 2, while Tunnel-Stop is coded as 10. Freeradius will decode the attribute correctly. Your NAS is encoding it wrongly. It's not sending Tunnel-Stop, but Stop instead.

Ivan Kalik
Kalik Informatika ISP
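Added example (not part of the original thread): a minimal decoder showing what a server reads from the wire for Acct-Status-Type, so a capture from the NAS can be checked for the value it actually encodes. The two packets are constructed samples with a zeroed authenticator; value names follow RFC 2866 and RFC 2867.

```python
import struct

ACCOUNTING_REQUEST = 4          # RADIUS packet code
ACCT_STATUS_TYPE = 40           # attribute number
# Acct-Status-Type values (RFC 2866, tunnel values from RFC 2867).
STATUS_NAMES = {
    1: "Start", 2: "Stop", 3: "Interim-Update",
    7: "Accounting-On", 8: "Accounting-Off",
    9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
    12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop",
    14: "Tunnel-Link-Reject", 15: "Failed",
}


def build_packet(code, ident, attrs):
    """Build a sample packet from (type, value-bytes) pairs.
    The 16-byte authenticator is zeroed: these samples are for decoding only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def iter_attributes(packet):
    """Yield (type, value) for each attribute, checking every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def acct_status_type(packet):
    """Return (number, name) of Acct-Status-Type exactly as sent, or None."""
    attrs = list(iter_attributes(packet))      # validates the framing first
    if packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    for attr_type, value in attrs:
        if attr_type == ACCT_STATUS_TYPE:
            if len(value) != 4:
                raise ValueError("Acct-Status-Type must be a 4-byte integer")
            number = struct.unpack("!I", value)[0]
            return number, STATUS_NAMES.get(number, "unknown")
    return None


# Constructed samples: attribute 1 = User-Name, 44 = Acct-Session-Id.
CORRECT_NAS = build_packet(ACCOUNTING_REQUEST, 1, [
    (1, b"tunnel-user"), (ACCT_STATUS_TYPE, struct.pack("!I", 10)),
    (44, b"0000A1")])
# A NAS with the faulty encoding described above puts 2 on the wire.
BROKEN_NAS = build_packet(ACCOUNTING_REQUEST, 2, [
    (1, b"tunnel-user"), (ACCT_STATUS_TYPE, struct.pack("!I", 2)),
    (44, b"0000A1")])

if __name__ == "__main__":
    for label, pkt in (("correct", CORRECT_NAS), ("broken", BROKEN_NAS)):
        print(label, acct_status_type(pkt))
```

The server can only report the integer it receives; if the second form shows up in a capture, the fix belongs on the NAS side.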
Re: Query on Acct-Status-Type
> Thanks a lot.
>
> On Tue, Feb 3, 2009 at 9:29 PM, t...@kalik.net wrote:
> > You are aware that this will disable Simultaneous-Use?
>
> could you explain me more.

If you don't record Start packets you won't be able to detect double (or multiple) logins by the same user. Potentially, one user can pay you and reveal his user/pass to everybody and all of them will be able to connect to your network as they please. If Simultaneous-Use is working only one at a time can connect - they can still share user details but they won't be able to connect at the same time.

> My routers will be sending packet types of Acct-Status-Type = Start, Stop, Checkpoint, Accounting-On, Accounting-Off, Tunnel-Start, Tunnel-Stop, Tunnel-Reject, Tunnel-Link-Start, Tunnel-Link-Stop, Tunnel-Link-Reject, Failed.

There should be Interim-Update on that list as well. Freeradius processes Start, Stop, Update, On and Off by default.

> However i need to store only the category of Acct-Status-Type == Stop packets.

You have done that already:

> At present am using Accounting_stop query and Accounting_stop_alt query for storing stop packets.

Ivan Kalik
Kalik Informatika ISP
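Added example (not part of the original thread, and not FreeRADIUS code): a simplified model of the session records a Simultaneous-Use check reads, replaying the same shared-credential logins against a store that keeps Start and Stop and one that keeps only Stop. The class, function names and sample logins are hypothetical and constructed for illustration.

```python
from collections import defaultdict


class SessionStore:
    """Simplified stand-in for the session records (radutmp or an SQL table)
    consulted before a login is accepted. Hypothetical model."""

    def __init__(self, stored_types):
        self.stored_types = set(stored_types)   # Acct-Status-Type values kept
        self.open_sessions = defaultdict(set)   # User-Name -> Acct-Session-Ids

    def accounting(self, packet):
        """Apply one accounting packet; return True if it was recorded."""
        status = packet["Acct-Status-Type"]
        if status not in self.stored_types:
            return False                        # acknowledged, never stored
        sessions = self.open_sessions[packet["User-Name"]]
        if status == "Start":
            sessions.add(packet["Acct-Session-Id"])
        elif status == "Stop":
            sessions.discard(packet["Acct-Session-Id"])
        return True

    def allow_login(self, user, simultaneous_use):
        """Reject once the user has `simultaneous_use` sessions on record."""
        return len(self.open_sessions[user]) < simultaneous_use


def replay(store, attempts, simultaneous_use=1):
    """Each attempt is (user, session id). An accepted login is followed by
    the Start the NAS would send; a rejected login produces no accounting."""
    results = []
    for user, session_id in attempts:
        accepted = store.allow_login(user, simultaneous_use)
        results.append(accepted)
        if accepted:
            store.accounting({"Acct-Status-Type": "Start",
                              "User-Name": user,
                              "Acct-Session-Id": session_id})
    return results


# Constructed sample: one account used from three places at once, with no
# session ending in between.
SHARED_ACCOUNT = [("bob", "a1"), ("bob", "b7"), ("bob", "c3")]


def compare():
    """Return the accept/reject decisions for both recording policies."""
    full = replay(SessionStore({"Start", "Stop"}), SHARED_ACCOUNT)
    stop_only = replay(SessionStore({"Stop"}), SHARED_ACCOUNT)
    return full, stop_only


if __name__ == "__main__":
    full, stop_only = compare()
    print("Start+Stop recorded:", full)
    print("Stop only recorded: ", stop_only)
```

With only Stop records there is never an open session to count, so every login is accepted regardless of the limit.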
RE: mschav2 can't get connected
Hi Ivan,

Thanks for your quick response. I'm using D Link DWA 510 PCI adaptor to connect to SmartBridge sB3210 AP (bridging). Is it the device problem or the Windows XP itself? What is the device in the market that you would recommend would solve such a problem?

> To: freeradius-users@lists.freeradius.org
> Subject: RE: mschav2 can't get connected
> Date: Tue, 3 Feb 2009 15:55:39 +0100
> From: t...@kalik.net
>
> > Hi Alan, Appreciated if you could give me some tips how to solve the problem. I really have no idea why this happens or where I went wrong.. newbie. Thanks in advance.
>
> What are you using to connect to the AP? Whatever you are using is broken. Fix it or get a new one.
>
> Ivan Kalik
> Kalik Informatika ISP
dialup admin config
Hi users,

I have installed dialup admin and I like it! I am trying to configure it, but my problem is that it does not list online connected users, failed logins, etc. I have installed net-snmp. I could create a user and connect, but not the other things I mentioned in the lines above. What is wrong? I read a lot of articles but they do not explain it very well for newbie people. Does someone have a how-to or a webpage?

thx
Affect Static IP by Freeradius/ASA5510
Hi

Sorry to restart the same subject, but actually I am searching .. I am searching but I don't see any solution ...

I use:
FreeRadius with a Perl Script
A Cisco ASA5510 IOS 8.0

In debug I have:

When a user doesn't have an IP, use Pool:

==
rad_recv: Access-Request packet from host 10.218.7.243:1025, id=31, length=166
    User-Name = vpn...@xx.fr
    User-Password = XXX
    NAS-Port = 1658880
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = 62.XX.XX.XX
    Calling-Station-Id = 88.XX.XX.XX
    NAS-Port-Type = Virtual
    Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
    NAS-IP-Address = 10.218.7.243
    Cisco-AVPair = ip:source-ip=88.XX.XX.XXy\223
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm xx.fr for User-Name = vpn...@xx.fr
rlm_realm: No such realm xx.fr
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 154
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module files returns ok for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
modcall[authorize]: module perl returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Perl
auth: type Perl
Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
modcall[authenticate]: module perl returns ok for request 0
modcall: leaving group Perl (returns ok) for request 0
Login OK: [vpn...@xx.fr/XXX] (from client 10.218.7.243 port 1658880 cli 88.XX.XX.XX)
Sending Access-Accept of id 31 to 10.218.7.243 port 1025
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    h323-credit-amount = 100
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 31 with timestamp 4989aa4d
Nothing to do. Sleeping until we see a request.

No problems, the user connects and has an IP from the Pool.

When I use a user with a static IP:

rad_recv: Access-Request packet from host 10.218.7.243:1025, id=32, length=166
    User-Name = vpn...@xx.fr
    User-Password = XXX
    NAS-Port = 1662976
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = 62.23.17.71
    Calling-Station-Id = 88.XX.XX.XX
    NAS-Port-Type = Virtual
    Tunnel-Client-Endpoint:0 = 88.XX.XX.XX
    NAS-IP-Address = 10.218.7.243
    Cisco-AVPair = ip:source-ip=88.XX.XX.XXy\223
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm xx.fr for User-Name = vpn...@xx.fr
rlm_realm: No such realm xx.fr
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 1
users: Matched entry DEFAULT at line 154
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
modcall[authorize]: module files returns ok for request 1
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.218.3.41
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair
Re: Affect Static IP by Freeradius/ASA5510
Phibee Network Operation Center wrote:
> I see Framed-IP-Address = 10.218.3.41 but at the end of the logs it has:
>
> Sending Access-Accept of id 32 to 10.218.7.243 port 1025
>     Framed-IP-Address = 255.255.255.254
>
> Why is it sending 255.255.255.254?

Some part of the configuration *you* added does this. The default configuration as shipped with the server doesn't add a Framed-IP-Address of 255.255.255.254.

Look at the debug output, and look at the users file entries it matches. You could also simply grep the configuration files for 255.255.255.254, and see where it comes from.

Alan DeKok.
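Added example (not part of the original thread): one way to do the "look at the debug output" step mechanically, by comparing what rlm_perl added with what the Access-Accept carried and listing the users file entries the request matched. The sample text is constructed and abridged from the debug lines quoted in this thread; the function name and the result fields are hypothetical.

```python
import re

RECV = re.compile(r"rad_recv: Access-Request")
MATCHED = re.compile(r"users: Matched entry (\S+) at line (\d+)")
ADDED = re.compile(r"rlm_perl: Added pair (\S+) = (.+)")
SENDING = re.compile(r"Sending Access-Accept of id (\d+)")
REPLY_ATTR = re.compile(r"^\s+(\S+) = (.+)")


def audit(debug_text):
    """Return one finding per reply attribute whose sent value differs from
    the last value rlm_perl added for it within the same request."""
    findings = []
    perl, matched, reply_id = {}, [], None
    for line in debug_text.splitlines():
        if RECV.search(line):                      # new request: reset state
            perl, matched, reply_id = {}, [], None
        elif (m := MATCHED.search(line)):
            matched.append((m.group(1), int(m.group(2))))
        elif (m := ADDED.search(line)):
            perl[m.group(1)] = m.group(2).strip()
        elif (m := SENDING.search(line)):
            reply_id = int(m.group(1))
        elif reply_id is not None and (m := REPLY_ATTR.match(line)):
            name, sent = m.group(1), m.group(2).strip()
            if name in perl and perl[name] != sent:
                findings.append({"packet_id": reply_id, "attribute": name,
                                 "perl": perl[name], "sent": sent,
                                 # entries to inspect in the users file
                                 "users_entries": list(matched)})
        else:
            reply_id = None                        # end of the reply block
    return findings


# Constructed sample, abridged from the two requests shown in the thread.
# RFC 2865: Framed-IP-Address 255.255.255.254 tells the NAS to pick the
# address itself (e.g. from its pool), so the first request looks healthy.
DEBUG_SAMPLE = """\
rad_recv: Access-Request packet from host 10.218.7.243:1025, id=31, length=166
\tNAS-IP-Address = 10.218.7.243
users: Matched entry DEFAULT at line 154
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-MTU = 576
Sending Access-Accept of id 31 to 10.218.7.243 port 1025
\tFramed-IP-Address = 255.255.255.254
\tFramed-MTU = 576
Finished request 0
rad_recv: Access-Request packet from host 10.218.7.243:1025, id=32, length=166
\tNAS-IP-Address = 10.218.7.243
users: Matched entry DEFAULT at line 154
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
rlm_perl: Added pair Framed-IP-Address = 10.218.3.41
rlm_perl: Added pair Framed-MTU = 576
Sending Access-Accept of id 32 to 10.218.7.243 port 1025
\tFramed-IP-Address = 255.255.255.254
\tFramed-MTU = 576
Finished request 1
"""

if __name__ == "__main__":
    for finding in audit(DEBUG_SAMPLE):
        print(finding)
```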
Re: Affect Static IP by Freeradius/ASA5510
Alan DeKok wrote:
> Phibee Network Operation Center wrote:
> > I see Framed-IP-Address = 10.218.3.41 but at the end of the logs it has:
> >
> > Sending Access-Accept of id 32 to 10.218.7.243 port 1025
> >     Framed-IP-Address = 255.255.255.254
> >
> > Why is it sending 255.255.255.254?
>
> Some part of the configuration *you* added does this. The default configuration as shipped with the server doesn't add a Framed-IP-Address of 255.255.255.254.
>
> Look at the debug output, and look at the users file entries it matches. You could also simply grep the configuration files for 255.255.255.254, and see where it comes from.
>
> Alan DeKok.

Thank you very much, Alan!

I have added a # into users:

DEFAULT Service-Type == Framed-User
#       Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

And now the user has the right IP address.
Re: Affect Static IP by Freeradius/ASA5510
> Thank you very much, Alan!
>
> I have added a # into users:
>
> DEFAULT Service-Type == Framed-User
> #       Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> And now the user has the right IP address.

Can perl overwrite the value from users file? From debug it did give the new address for $RAD_REPLY but it did not overwrite the previous value (from users file).

Ivan Kalik
Kalik Informatika ISP
Re: Affect Static IP by Freeradius/ASA5510
t...@kalik.net wrote:
> Can perl overwrite the value from users file? From debug it did give the new address for $RAD_REPLY but it did not overwrite the previous value (from users file).

The perl module is supposed to *replace* the reply attributes with whatever it has. So a lingering IP address is strange.

Alan DeKok.
Re: Problem with only some users. Monowall - Freeradius
t...@kalik.net wrote:
> > I executed freeradius on debug mode, then I used the radtest command. The message is almost the same,
>
> Almost is the key word here.
>
> > but the proxy (@dialup,usp.br - another radius server in another city) returns OK. Why using radtest it returns OK and using monowall it returns Reject?
>
> Who knows (actually admin from the home server will know). Most likely it's because NAS request has Called-Station-Id in it. Or it could be NAS-Identifier. Or ...

Mr. Daniel, the reason your connection was rejected is quite clear at the end of the debug you sent:

Sending Access-Reject of id 166 to 123.123.123.123 port 63026
    Reply-Message = \r\nYou are already logged in 2 times - access denied\r\n\n

We are getting this situation of multiple logins when people don't disconnect properly from monowall (monowall opens a popup window with a logout window). For that reason I've installed some clean-up scripts in our freeradius database. Just wait a couple of hours and it will be reset by itself.

I'm responsible for the server that is resolving the accounting requests at the domain dialup.usp.br. Please, next time, ask Rubens there at CIRP. If he doesn't have the answer, he knows our contact phone and e-mail.

Roberto Greiner
CCE-USP

--
Marcos Roberto Greiner
Optimists think that we live in the best of all worlds
Pessimists are afraid that this is true
Murphy
Re: Affect Static IP by Freeradius/ASA5510
> > Can perl overwrite the value from users file? From debug he did give the new address for $RAD_REPLY but it did not overwrite the previous value (from users file).
>
> The perl module is supposed to *replace* the reply attributes with whatever it has. So a lingering IP address is strange.
>
> Alan DeKok.

I have tested it on 2.1.3 and it works that way - value from users file is replaced by the value entered in perl.

The man from Phibee: what freeradius version are you using? That looks like 1.x. You should use latest version for new installations in order to avoid bugs like this.

Ivan Kalik
Kalik Informatika ISP
FreeRADIUS without Universal Password
Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?

Jason Brown - RHCT, Security+, Linux+, Network+
Systems Administrator
Enterprise Technology Services
Ferris State University
(231) 591-2687
RE: FreeRADIUS without Universal Password
In a word no. The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/modified by ldap as userpassword but cannot be returned in an ldap search.

Otherwise you'd have to create an attribute and store the password in it as an nt hash or something and decrypt it to provide it to freeradius.

Mearl

> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Jason C Brown
> Sent: Wednesday, February 04, 2009 4:42 PM
> To: FreeRadius users mailing list
> Subject: FreeRADIUS without Universal Password
>
> Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?
Re: FreeRADIUS without Universal Password
Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?

Thanks

Jason Brown - RHCT, Security+, Linux+, Network+
Systems Administrator
Enterprise Technology Services
Ferris State University
(231) 591-2687

On Feb 4, 2009, at 6:15 PM, Danner, Mearl wrote:
> In a word no. The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/modified by ldap as userpassword but cannot be returned in an ldap search.
>
> Otherwise you'd have to create an attribute and store the password in it as an nt hash or something and decrypt it to provide it to freeradius.
>
> Mearl
RE: FreeRADIUS without Universal Password
I have no idea. You'll need to ask them.

Mearl

> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Jason C Brown
> Sent: Wednesday, February 04, 2009 5:45 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS without Universal Password
>
> Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?
>
> Thanks
Re: FreeRADIUS without Universal Password
You could just use BorderManager or whatever the new iteration of it is called.

On Wed, Feb 4, 2009 at 8:33 PM, Danner, Mearl jmdan...@samford.edu wrote:
> I have no idea. You'll need to ask them.
>
> Mearl
Re: FreeRADIUS without Universal Password
Jason C Brown wrote:
> Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?

Please read this explanation again:

> The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/modified by ldap as userpassword but cannot be returned in an ldap search.

The password can't be seen by *any* RADIUS server until it's stored as a Universal password. This is a limitation of Novell's LDAP server, and applies to all LDAP clients, whether they are RADIUS servers, command-line clients, web servers, or anything else.

Alan DeKok.