can the modules cause 'Exiting normally'?
I wrote a module like rlm_sql. I test radius with the shell script below; the auth_test file contains 8000 users.
---
    #!/bin/bash
    # Loop forever: each iteration runs radclient once against the local server,
    # 16 requests in parallel (-p 16), quietly (-q), printing a summary (-s),
    # reading the 8000 test users from auth_test (-f auth_test).
    i=0
    while true
    do
        date
        time ../radclient -p 16 -q -s -f auth_test 127.0.0.1:1812 auth xx
        i=`expr $i \+ 1`
        echo $i
    done

After xk or 1xk test cycles, radius can 'Exiting normally' without any detailed log. What is wrong?

The test shell's output:

    3872
    Fri Mar 20 09:01:09 CST 2009
    Total approved auths:  8000
    Total denied auths:    0
    Total lost auths:      0
    real    0m3.344s
    user    0m0.793s
    sys     0m1.245s
    3873
    Fri Mar 20 09:01:12 CST 2009
    Total approved auths:  8000
    Total denied auths:    0
    Total lost auths:      0
    real    0m3.352s
    user    0m0.778s
    sys     0m1.266s
    3874
    Fri Mar 20 09:01:16 CST 2009
    Total approved auths:  8000
    Total denied auths:    0
    Total lost auths:      0
    real    0m3.359s
    user    0m0.764s
    sys     0m1.277s
    3875
    Fri Mar 20 09:01:19 CST 2009
    radclient: no response from server for ID 195 socket 3
    Total approved auths:  7999
    Total denied auths:    0
    Total lost auths:      1
    real    0m20.599s
    user    0m0.836s
    sys     0m1.477s
    3876
    Fri Mar 20 09:01:40 CST 2009
    radclient: no response from server for ID 46 socket 3
    radclient: no response from server for ID 162 socket 3
    radclient: no response from server for ID 132 socket 3
    radclient: no response from server for ID 81 socket 3
    ...
---

The radius log shows:

    Fri Mar 20 08:58:03 2009 : Error: Discarding conflicting packet from client localhost port 55746 - ID: 32 due to recent request 30648083.
    Fri Mar 20 08:58:57 2009 : Error: Discarding conflicting packet from client localhost port 54935 - ID: 39 due to recent request 30759434.
    Fri Mar 20 08:59:09 2009 : Error: Discarding conflicting packet from client localhost port 60967 - ID: 103 due to recent request 30770305.
    Fri Mar 20 08:59:43 2009 : Error: Discarding conflicting packet from client localhost port 58098 - ID: 131 due to recent request 30839295.
    Fri Mar 20 09:00:00 2009 : Error: Discarding conflicting packet from client localhost port 55258 - ID: 182 due to recent request 30862096.
    Fri Mar 20 09:00:14 2009 : Error: Discarding conflicting packet from client localhost port 42660 - ID: 47 due to recent request 30880046.
    Fri Mar 20 09:00:44 2009 : Error: Discarding conflicting packet from client localhost port 53858 - ID: 222 due to recent request 30932873.
    Fri Mar 20 09:01:22 2009 : Error: Discarding conflicting packet from client localhost port 44717 - ID: 195 due to recent request 31006705.
    Fri Mar 20 09:01:24 2009 : Info: Exiting normally.

radiusd.conf:

    thread pool {
        start_servers = 8
        max_servers = 64
        min_spare_servers = 4
        max_spare_servers = 12
        max_requests_per_server = 0
    }

--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
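The server log above shows the server discarding packets whose (client, source port, ID) collides with a request still being processed, and the radclient output reports "no response from server for ID 195" at the same moment the log discards ID 195. The following is an added example, not code from this thread or from FreeRADIUS: a small Python parser for those log lines, which also measures how close the last discard was to the "Exiting normally" marker, plus a simplified model of the duplicate-versus-conflict decision. The regular expressions, SAMPLE_RADIUS_LOG (constructed from lines quoted above) and RequestTracker are this example's own; the tracker's rule (same Request Authenticator means a retransmit, a different one means a conflicting reuse of the ID) is an assumption made for the example, not taken from the server's source.

```python
import re
from datetime import datetime

# Constructed sample: radius.log lines copied from the post above (three of the
# eight discards, plus the shutdown marker).
SAMPLE_RADIUS_LOG = """\
Fri Mar 20 08:58:03 2009 : Error: Discarding conflicting packet from client localhost port 55746 - ID: 32 due to recent request 30648083.
Fri Mar 20 08:58:57 2009 : Error: Discarding conflicting packet from client localhost port 54935 - ID: 39 due to recent request 30759434.
Fri Mar 20 09:01:22 2009 : Error: Discarding conflicting packet from client localhost port 44717 - ID: 195 due to recent request 31006705.
Fri Mar 20 09:01:24 2009 : Info: Exiting normally.
"""

TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})"
CONFLICT_RE = re.compile(
    TS + r" : Error: Discarding conflicting packet from client (?P<client>\S+) "
    r"port (?P<port>\d+) - ID: (?P<id>\d+) due to recent request (?P<req>\d+)\."
)
EXIT_RE = re.compile(TS + r" : Info: Exiting normally\.")


def parse_ts(ts):
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")


def summarize_log(text):
    """Collect the conflict discards and the shutdown marker from radius.log."""
    conflicts, exit_ts = [], None
    for line in text.splitlines():
        m = CONFLICT_RE.match(line)
        if m:
            conflicts.append({"ts": parse_ts(m["ts"]), "client": m["client"],
                              "port": int(m["port"]), "id": int(m["id"])})
            continue
        m = EXIT_RE.match(line)
        if m:
            exit_ts = parse_ts(m["ts"])
    gap = None
    if exit_ts is not None and conflicts:
        gap = (exit_ts - conflicts[-1]["ts"]).total_seconds()
    return {"conflicts": conflicts, "exit_ts": exit_ts,
            "seconds_from_last_conflict_to_exit": gap}


class RequestTracker:
    """Simplified model (an assumption for this example, not the server's own
    code) of how a RADIUS server tells a harmless retransmit from a conflicting
    reuse of a packet ID: the key is (client, source port, ID) and the Request
    Authenticator decides whether the second packet is the same request."""

    def __init__(self):
        self.in_flight = {}

    def classify(self, client, port, pkt_id, authenticator):
        key = (client, port, pkt_id)
        seen = self.in_flight.get(key)
        if seen is None:
            self.in_flight[key] = authenticator
            return "new"
        if seen == authenticator:
            return "duplicate"   # same request again: answer from cache, do not re-run modules
        return "conflict"        # ID reused for a different request: discard, as the log shows

    def finish(self, client, port, pkt_id):
        """Drop the entry once the reply has been sent and the cache entry aged out."""
        self.in_flight.pop((client, port, pkt_id), None)


if __name__ == "__main__":
    report = summarize_log(SAMPLE_RADIUS_LOG)
    for c in report["conflicts"]:
        print("%s  %s:%d  ID %d discarded" % (c["ts"], c["client"], c["port"], c["id"]))
    print("exit at", report["exit_ts"], "-",
          report["seconds_from_last_conflict_to_exit"], "s after the last conflict")
```

Run against a full radius.log, summarize_log gives the discard rate and the client/port/ID that was reused, which is the first thing to check before blaming the module: a load generator that recycles IDs on a new source port while the previous request is still in flight will produce exactly these discards whether or not the server later exits.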
Re: LDAP ntPassword and lmPassword help
Padam J Singh wrote:
> I have a LDAP server which contains ntPassword and lmPassword attributes
> like following:
...
> lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
> ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67

Ugh.

> FR 2.1.1 is configured for doing 802.1x authentication. While doing the
> authentication, I obviously get Invalid NT-Password and Invalid
> LM-Password error. The error stems from the fact that the length is
> incorrect because of the additional {ENC} prefix.
>
> Is there some configuration where I can set something so it ignores the
> initial {ENC} while doing the password comparison?

Edit raddb/dictionary. Add a new "string" attribute:

    ATTRIBUTE ENC-NT-Password string 3000

Edit raddb/ldap.attrmap. Delete the entries containing LM-Password.

Edit raddb/ldap.attrmap. Find the entries containing NT-Password, and change them to ENC-NT-Password.

Edit raddb/sites-available/default (I presume you're running a recent version of the server...). Look for the "authorize" section. In it, look for the "ldap" module. Change it to:

    authorize {
        ...
        ldap    # leave this here

        # all of this goes on one line
        if (control:ENC-NT-Password && (control:ENC-NT-Password =~ /{ENC}(.*)/)) {
            update control {
                NT-Password := "%{1}"
            }
        }
        ...
    }

That should work.

Alan DeKok.
Re: Login to Cisco devices through freeradius
Bruno Noronha wrote:
> I issued "chmod 777 *" in every directory related to freeradius.

Don't do that. Ever.

The server comes with a default configuration that WORKS. The only reason that it doesn't have permission to read those files is because YOU changed the configuration so that the server doesn't have permission.

Why are so many people insistent on breaking the working configuration? Where else do we need to document "DON'T BREAK IT"?

Alan DeKok.
Re: Login to Cisco devices through freeradius
I issued "chmod 777 *" in every directory related to freeradius. There is no freeradius user in users command output! No success until now... tks!

Bruno

2009/3/19

> > After installing freeradius, I couldn't start it. Checking
> > radius.log I saw the following errors:
> >
> > Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system
> > library:fopen:Permission denied
> > Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root CA
> > list /etc/raddb/certs/ca.pem
>
> There is nothing mysterious about these messages. The user freeradius runs
> under doesn't have permission to open certificate files.
>
> Check permissions on the file directory mentioned in the debug.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Login to Cisco devices through freeradius
> After installing freeradius, I couldn't start it. Checking
> radius.log I saw the following errors:
>
> Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system
> library:fopen:Permission denied
> Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root CA
> list /etc/raddb/certs/ca.pem

There is nothing mysterious about these messages. The user freeradius runs under doesn't have permission to open certificate files.

Check permissions on the file directory mentioned in the debug.

Ivan Kalik
Kalik Informatika ISP
RE: Perl/Peap-MSChapV2 Issues
> Ok, I've made a little progress. The perl script is now being called
> correctly and returning the correct data. There seems to be something
> else now.

Yes, there is something else.

> I added DEFAULT Auth-Type = Perl Fall-Through = 1 to users, I think
> that's what you were wanting.

Fine. Only you haven't listed files in inner-tunnel, so this is never used.

> Inner-tunnel authorize
> --
> authorize {
>     mschap
>     suffix
>     update control {
>         Proxy-To-Realm := LOCAL
>     }

Remove that.

>     eap {
>         ok = return
>     }
>     perl
>     expiration
>     logintime
>     pap
> }
> ..
> perl_pool: item 0x8192020 asigned new request. Handled so far: 1
> found interpetator at address 0x8192020
> rlm_perl: Added pair User-Name = testUser
> rlm_perl: Added pair EAP-Message = 0x0207000d016c6a61636b736f6e
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student
> rlm_perl: Added pair Cleartext-Password = password09
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
> perl_pool total/active/spare [64/0/64]
> Unreserve perl at address 0x8192020
> ++[perl] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: No clear-text password in the request. Not performing PAP.
> ++[pap] returns noop
> auth: type Local

This is breaking EAP. Remove forcing Auth-Type Local.

Ivan Kalik
Kalik Informatika ISP
Login to Cisco devices through freeradius
Buddies,

I don't know if I can issue this question here, but I need your help to implement a RADIUS solution... I think that my objective is quite simple in comparison with most of RADIUS's varied purposes. I must log in to my network devices through a RADIUS server, centralizing this management process.

After installing freeradius, I couldn't start it. Checking radius.log I saw the following errors:

    Wed Mar 18 15:31:28 2009 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
    Wed Mar 18 15:31:28 2009 : Error: rlm_eap_tls: Error reading Trusted root CA list /etc/raddb/certs/ca.pem
    Wed Mar 18 15:31:28 2009 : Error: rlm_eap: Failed to initialize type tls
    Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
    Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
    Wed Mar 18 15:31:28 2009 : Error: /etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
    Wed Mar 18 15:31:28 2009 : Error: Errors initializing modules

I'm completely lost about the solution and I wasn't able to find any "how to" on the web.

I appreciate any help, thanks in advance.

Bruno
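The errors above mean that the account radiusd runs as cannot open /etc/raddb/certs/ca.pem. The fix is to give that account read access (group ownership plus a group-readable mode), not "chmod 777", which would let any local user replace the CA list the server trusts for EAP-TLS. This added example is not code from the thread or from FreeRADIUS: it audits a configuration tree from the service user's point of view using the mode bits alone, listing what that user cannot read (or traverse, for directories) and what anyone on the host may write. build_sample_raddb() constructs a throwaway stand-in for /etc/raddb in a temporary directory; the file names and modes in it are made up for the example.

```python
import os
import stat
import tempfile


def effective_bits(st, uid, gid):
    """rwx bits that apply to a non-root user uid/gid for this stat result."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid == gid:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def audit_tree(root, uid, gid):
    """Return (unreadable, world_writable): paths under root that the service
    user cannot read (directories also need x to be traversed), and paths that
    any user may modify. Symlinks are skipped; only the target matters."""
    unreadable, world_writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            needed = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4
            if effective_bits(st, uid, gid) & needed != needed:
                unreadable.append(path)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(path)
    return sorted(unreadable), sorted(world_writable)


def build_sample_raddb():
    """Constructed stand-in for /etc/raddb: a certs directory holding a private
    key readable only by its owner, a CA file that someone 'fixed' with
    chmod 777, and a server certificate that is group-readable."""
    root = tempfile.mkdtemp(prefix="raddb-")
    certs = os.path.join(root, "certs")
    os.mkdir(certs)
    os.chmod(certs, 0o750)
    for name, mode in (("server.key", 0o600), ("ca.pem", 0o777), ("server.pem", 0o640)):
        path = os.path.join(certs, name)
        with open(path, "w") as fh:
            fh.write("-- constructed placeholder, not a real PEM --\n")
        os.chmod(path, mode)
    return root


def sample_report():
    """Audit the sample tree as its owner, as a member of its group (the
    posture a service account should have), and as an unrelated user."""
    root = build_sample_raddb()
    st = os.stat(os.path.join(root, "certs", "server.key"))
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return {
        "owner": tuple(rel(x) for x in audit_tree(root, st.st_uid, st.st_gid)),
        "group": tuple(rel(x) for x in audit_tree(root, -1, st.st_gid)),
        "other": tuple(rel(x) for x in audit_tree(root, -1, -1)),
    }


if __name__ == "__main__":
    for view, (unreadable, writable) in sample_report().items():
        print("%-6s unreadable=%s world-writable=%s" % (view, unreadable, writable))
```

Read as a service user, the output says exactly which files need a chgrp or a group-read bit, while the world-writable list is the thing "chmod 777" creates and a production check should fail on. To audit a real tree, call audit_tree("/etc/raddb", uid, gid) with the numeric ids of the account in radiusd.conf.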
Re: packet freeradius-mysql for RH
Martin Silvero wrote:
> Hi list! I need the packets freeradius-mysql... I have this:
> freeradius-mysql-1.1.3-1.2.el5.i386.rpm
>
> but my freeradius is 2.1.3 and this rpm doesn't work.
> I have Red Hat 5.1
>
> Somebody have any idea where I get this packet? My problem is this:
>
> Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
> Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
> /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
> Errors initializing modules
>
> I read the RedHat FAQ. I have "freeradius-mysql-2.1.3-1.fc9.i386.rpm", but it is Fedora. I can't find the solution. Any idea?

If you're running on RHEL5 or CentOS5 then pre-built versions of freeradius > 1.1.3 are not available. You'll have to build the set of packages yourself. The RedHat FAQ explains how to do this.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: packet freeradius-mysql for RH
Hi,

> I need the packets freeradius-mysql... I have this:
> freeradius-mysql-1.1.3-1.2.el5.i386.rpm
>
> but my freeradius is 2.1.3 and this rpm doesn't work.
> I have Red Hat 5.1

you've built this yourself? if so, you need to install the mysql-devel package FIRST, then build freeradius (do make clean, ./configure etc etc, make, make install)

> I have "freeradius-mysql-2.1.3-1.fc9.i386.rpm", but it is Fedora.

there are several resources where CentOS, Fedora, Redhat etc RPMs can be downloaded for the latest release of the server

alan
RE: Perl/Peap-MSChapV2 Issues
Ok, I've made a little progress. The perl script is now being called correctly and returning the correct data. There seems to be something else now. Thanks for the help!

I added

    DEFAULT Auth-Type = Perl
        Fall-Through = 1

to users, I think that's what you were wanting.

Inner-tunnel authorize
--
    authorize {
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        perl
        expiration
        logintime
        pap
    }

Log:
-
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=2, length=152
        Message-Authenticator = 0xcea30489b92c26ffdaa8fdb6da8efae0
        User-Name = "testUser"
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        EAP-Message = 0x0201000d016c6a61636b736f6e
        Framed-MTU = 1000
        Called-Station-Id = "0001F4-B6-1B-80\0004"
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.240.78 port 2676
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xe12d310ae12f28a1800156155aa34531
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=3, length=249
        Message-Authenticator = 0x467724da1090475e0f600ab2cb4381ad
        User-Name = "testUser"
        State = 0xe12d310ae12f28a1800156155aa34531
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x0202005c19001603010051014d030149c2aa62e5b90d83cec04128bd232e5827f8
                      075bed072a76f61960ee34f465cb2600390038003500160013000a00330032002f00
                      050004001500120009001400110008000600030100
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 2 length 92
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.240.78 port 2676
        EAP-Message = 0x010303e419c00acd160301004a0246030149c2956da03287d649f047c44cec
                      a603858ff8c65ebdfa6e815377215d9e4fb7201cc450e78d0b149401ea7fda15a2461da3
                      49131ba90f408400edf975dde9ce60003900160301085e0b00085a0008570003a6308203
                      a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906
                      0355040613024652310f300d060355040813065261646975733112301006035504071309
                      536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e
                      06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603
                      5504
        EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17
                      0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906
                      0355040613024652310f300d0603550408130652616469757331153013060355040a130c
                      4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665
                      722043657274696669636174653120301e06092a864886f70d010901161161646d696e40
packet freeradius-mysql for RH
Hi list!

I need the packets freeradius-mysql... I have this:

    freeradius-mysql-1.1.3-1.2.el5.i386.rpm

but my freeradius is 2.1.3 and this rpm doesn't work. I have Red Hat 5.1

Somebody have any idea where I get this packet? My problem is this:

    Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
    Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
    /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
    Errors initializing modules

I read the RedHat FAQ. I have "freeradius-mysql-2.1.3-1.fc9.i386.rpm", but it is Fedora. I can't find the solution.

Any idea?
Re: Reply-Name/Message with own values (FR 2.0.5)
> I would like to change the reply-Messages of sqlcounter. Looked in the list
> and the www, but there was not really a useful info. And like always I can not solve the
> problem.
>
> Tried :
>
> sqlcounter Duration {
>     counter-name = Duration
>     check-name = Card-Duration
>     sqlmod-inst = sql
>     key = User-Name
>     reset = never
>     reply-message = "Hail Satan"

Adding that config line would require source code changes. Patches are welcome.

> Is there a list somewhere, where I can see the reply-names with corresponding
> reply-messages ?

Reply-Message has the reset configuration item, not reply-name, hardcoded in it.

> Is there a way to change these messages ? most of our customers are germans
> and their english is worse than mine.
> It would be nice to give them german messages and spanish for the spanish.

Use unlang in Post-Auth-Type REJECT:

    if (reply:Reply-Message == "Your maximum never usage time has been reached") {
        update reply {
            Reply-Message = "Something else"
        }
    }

Ivan Kalik
Kalik Informatika ISP
Re: LDAP ntPassword and lmPassword help
> I have a LDAP server which contains ntPassword and lmPassword attributes
> like following:
>
> dn: uid=subs, ou=accounts, dc=test, dc=com
> uid: subs
> userPassword:: e01ENX03MmIwMTViNDhlOTU5ZTlkYWQ3MTAxNjNiYjJhZDkyMQ==
> mac: ""
> lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
> ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
> objectClass: objDevices
> objectClass: top
>
> FR 2.1.1 is configured for doing 802.1x authentication. While doing the
> authentication, I obviously get Invalid NT-Password and Invalid
> LM-Password error. The error stems from the fact that the length is
> incorrect because of the additional {ENC} prefix.
>
> Is there some configuration where I can set something so it ignores the
> initial {ENC} while doing the password comparison?
>
> I cannot get rid of the {ENC} prefix.

Rewrite NT-Password and LM-Password using unlang (or perl) after ldap in authorize.

Ivan Kalik
Kalik Informatika ISP
LDAP ntPassword and lmPassword help
Hello,

I have a LDAP server which contains ntPassword and lmPassword attributes like following:

    dn: uid=subs, ou=accounts, dc=test, dc=com
    uid: subs
    userPassword:: e01ENX03MmIwMTViNDhlOTU5ZTlkYWQ3MTAxNjNiYjJhZDkyMQ==
    mac: ""
    lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
    ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
    objectClass: objDevices
    objectClass: top

FR 2.1.1 is configured for doing 802.1x authentication. While doing the authentication, I obviously get Invalid NT-Password and Invalid LM-Password error. The error stems from the fact that the length is incorrect because of the additional {ENC} prefix.

Is there some configuration where I can set something so it ignores the initial {ENC} while doing the password comparison?

I cannot get rid of the {ENC} prefix.

Thanks,
Padam
--
PGP Id 9EED2E09
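Alan DeKok's reply earlier in this digest strips the {ENC} prefix in unlang with /{ENC}(.*)/ and drops the LM hash altogether. The following added example (not code from the thread or from FreeRADIUS) does the same normalization in Python so that the length problem is visible: it reads the LDIF entry quoted above, strips an accepted {scheme} prefix, checks that what remains is the 32 hex digits rlm_mschap expects, and splits the LM hash into its two halves to show why LM is worth dropping (a second half equal to AAD3B435B51404EE, the LM hash of an empty 7-byte half, means the password is at most seven characters, which is the case for the entry above). The function names, PREFIX_RE and the accepted-scheme list are this example's own; SAMPLE_LDIF is the entry from the post, reproduced here as constructed test input.

```python
import base64
import re

PREFIX_RE = re.compile(r"^\{(?P<scheme>[A-Za-z0-9_-]+)\}(?P<rest>.*)$")
HEX_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
LM_EMPTY_HALF = "AAD3B435B51404EE"   # LM hash of seven NUL bytes: an empty half

# Constructed sample: the LDIF entry quoted in the post above.
SAMPLE_LDIF = """\
dn: uid=subs, ou=accounts, dc=test, dc=com
uid: subs
userPassword:: e01ENX03MmIwMTViNDhlOTU5ZTlkYWQ3MTAxNjNiYjJhZDkyMQ==
mac: ""
lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
objectClass: objDevices
objectClass: top
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines and base64
    'attr:: value' lines; multi-valued attributes become lists."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                       # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def split_prefix(raw):
    """('ENC', 'hex...') for '{ENC}hex...', (None, raw) when there is no prefix."""
    m = PREFIX_RE.match(raw)
    return (m["scheme"], m["rest"]) if m else (None, raw)


def normalize_hash(raw, accepted=("ENC",)):
    """Strip an accepted {scheme} prefix and return the 32-hex-digit hash in
    upper case. Mirrors the unlang /{ENC}(.*)/ rewrite from the reply, plus the
    length check that otherwise fails inside rlm_mschap."""
    scheme, value = split_prefix(raw)
    if scheme is not None and scheme not in accepted:
        raise ValueError("unexpected password scheme {%s}" % scheme)
    if not HEX_HASH_RE.match(value):
        raise ValueError("hash must be 32 hex digits, got %d characters" % len(value))
    return value.upper()


def lm_halves(lm_hex):
    """Split an LM hash into the hashes of the two 7-character password halves;
    a second half equal to LM_EMPTY_HALF shows the password has at most 7 chars."""
    first, second = lm_hex[:16].upper(), lm_hex[16:].upper()
    return {"first": first, "second": second, "short_password": second == LM_EMPTY_HALF}


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    raw_nt = entry["ntPassword"][0]
    print("raw ntPassword has %d chars, hash is %s" % (len(raw_nt), normalize_hash(raw_nt)))
    print("LM halves:", lm_halves(normalize_hash(entry["lmPassword"][0])))
```

The 37-character raw value versus the 32-character hash is exactly the length mismatch the error message complains about. Rejecting unknown schemes rather than blindly stripping "{...}" avoids silently treating an SSHA or crypt value as an NT hash.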
RE: Perl/Peap-MSChapV2 Issues
> I've taken out all perl references from the sites-enabled/default and
> moved them to sites-enabled/inner-tunnel
>
> I don't see perl being called:
>
>   rlm_eap_peap: Session established. Decoding tunneled attributes.
>   rlm_eap_peap: Identity - 192.168.
>   PEAP: Got tunneled identity of 192.168.
>   PEAP: Setting default EAP type for tunneled EAP session.
>   PEAP: Setting User-Name to 192.168.
> +- entering group authorize
> ++[mschap] returns noop
>   rlm_realm: No '@' in User-Name = "192.168.", looking up realm NULL
>   rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
>   rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP.
> ++[eap] returns noop
> ++? if (EAP-Message)
> ? Evaluating (EAP-Message) -> TRUE
> ++? if (EAP-Message) -> TRUE
> ++- entering if (EAP-Message)
> +++[noop] returns noop
> ++- if (EAP-Message) returns noop
> ++ ... skipping elsif for request 6: Preceding "if" was taken
> ++ ... skipping elsif for request 6: Preceding "if" was taken
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
>   Cancelling invalid proxy request.
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

Post the inner-tunnel authorize section.

> > I assume you hardcoded that in perl sub authorize. That's a good place
> > for it. Put it back.
>
> I'm not sure what you mean.

You need to set Auth-Type perl somewhere: users file or perl sub authorize.

Ivan Kalik
Kalik Informatika ISP
RE: Perl/Peap-MSChapV2 Issues
Thanks for the reply.

I've left the Local {} alone in the proxy.conf file.
I've taken out the "DEFAULT EAP-TYPE.." from the users file.
I've taken out all perl references from the sites-enabled/default and moved them to sites-enabled/inner-tunnel

> I assume you hardcoded that in perl sub authorize. That's a good place
> for it. Put it back.

I'm not sure what you mean.

Here is the new log:
-
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=118, length=152
        Message-Authenticator = 0xc4502f1e386b9fdcd2d095862915551d
        User-Name = "192.168."
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        EAP-Message = 0x02f1000d016c6a61636b736f6e
        Framed-MTU = 1000
        Called-Station-Id = "0001F4-B6-1B-80\0004"
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 241 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 118 to 192.168.240.78 port 2565
        EAP-Message = 0x01f200061920
        Message-Authenticator = 0x
        State = 0x2eb069552e427044fa9b3b9c6df5c6ff
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=119, length=249
        Message-Authenticator = 0x069b37b2ecf7a36edb9c581f848d9ce9
        User-Name = "192.168."
        State = 0x2eb069552e427044fa9b3b9c6df5c6ff
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x02f2005c19001603010051014d030149c281bb53687b34071ca2e5b38c3b0b6fff
                      5d19ebbc4ca51b11a45f82eb1da62600390038003500160013000a00330032002f00
                      050004001500120009001400110008000600030100
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 242 length 92
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 119 to 192.168.240.78 port 2565
        EAP-Message = 0x01f303e419c00acd160301004a0246030149c26cc54f36624e97984c353fd6
                      febf8ac11f718be7a317523cb2ec51d441db20007643dca31a0dc8721df5ecd3af888cee
                      91d082de6b97048be35489cc70e8dc003900160301085e0b00085a0008570003a6308203
                      a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906
                      0355040613024652310f300d060355040813065261646975733112301006035504071309
                      536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e
                      06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603
                      5504
        EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17
                      0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906
                      0355040613024652310f300d0603550408130652616469757331153013060355040a130c
                      4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665
                      722043657274696669636174653120301e06092a864886f70d010901161161646d696e40
                      6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030
                      82010a0282010100af91ce4cc96ce447a1b9ce6a3c8d5cee0655
Reply-Name/Message with own values (FR 2.0.5)
Hello world !!!

First : I used the search, but it did not help me.

I would like to change the reply-Messages of sqlcounter. Looked in the list and the www, but there was not really a useful info. And like always I can not solve the problem.

Tried :

    sqlcounter Duration {
        counter-name = Duration
        check-name = Card-Duration
        sqlmod-inst = sql
        key = User-Name
        reset = never
        reply-message = "Hail Satan"
        query = "SELECT unix_timestamp(now())-min(unix_timestamp(acctstarttime)) FROM radacct WHERE UserName='%{%k}'"
    }

and got :

    rlm_sqlcounter: (Check item - counter) is less than zero
    rlm_sqlcounter: Rejected user test, check_item=1000, counter=20098
    ++[Duration] returns reject
    Found Post-Auth-Type Reject
    Sending Access-Reject of id 103 to 127.0.0.1 port 38075
        Reply-Message = "Your maximum never usage time has been reached"

the same with reply-name = Mikrotik-Xmit-Limit or reply-name = some other values

Is there a list somewhere, where I can see the reply-names with corresponding reply-messages ?

Is there a way to change these messages ? most of our customers are germans and their english is worse than mine. It would be nice to give them german messages and spanish for the spanish.

Thanks
Jan
Re: Mysql database on non standard port
> I'm trying to configure the mysql module to use a port different than
> 3306 to connect to the db server. I've tried setting the server string
> as "mysql-server.domain.com:12345" on sql.conf, but that's
> unfortunately not correct. Can anyone point me to the correct syntax?

And the line below server in sql.conf is ... port. Use that to configure the port number.

Ivan Kalik
Kalik Informatika ISP
Mysql database on non standard port
Hello all!

I'm trying to configure the mysql module to use a port different than 3306 to connect to the db server. I've tried setting the server string as "mysql-server.domain.com:12345" on sql.conf, but that's unfortunately not correct. Can anyone point me to the correct syntax?

thanks all.

---
Augusto G. Andreollo
CCUEC/DCNET/SREDE
Universidade Estadual de Campinas - UNICAMP
+55 19 3521-2276
--
"Wit beyond measure is men's greatest treasure."
RE: Perl/Peap-MSChapV2 Issues
> In my proxy.conf file, I have
>
> Realm LOCAL {
> }
>
> I noticed right above that, that it suggest to add "DEFAULT EAP-TYPE ==
> PEAP, Proxy-To-Realm := LOCAL" to the users file. So I added that to the
> users file. Is realm Local {} not correct? If not, what should it be?

Nothing. You can delete that DEFAULT entry.

> In the sites-enabled/default I had eap { ok = return } before I had the
> statement calling perl, so I moved the eap {} to after the perl
> statement. This is in the authorize function.

Put it back as it was. You don't need perl in TLS exchange. Don't list it in default virtual server.

> I did hardcode the Auth-Type perl because the wiki said to in the users
> file. I've taken that out now.

I assume you hardcoded that in perl sub authorize. That's a good place for it. Put it back.

> I know that perl is being initiated because this is in the log file,
>
> Module: Instantiating perl
>   perl {
>     module = "/etc/raddb/perl/authorize.pl"
>     func_authorize = "authorize"
>     func_authenticate = "authenticate"
>
> and I do call perl in the authorize section of the sites-enabled/default
> file.

No, don't call perl in default virtual server. Call it in authorize and authenticate in inner-tunnel virtual server. That's where (if you haven't made changes to eap.conf) mschap authentication takes place.

Ivan Kalik
Kalik Informatika ISP
RE: Perl/Peap-MSChapV2 Issues
In my proxy.conf file, I have

    Realm LOCAL {
    }

I noticed right above that, that it suggest to add "DEFAULT EAP-TYPE == PEAP, Proxy-To-Realm := LOCAL" to the users file. So I added that to the users file. Is realm Local {} not correct? If not, what should it be?

In the sites-enabled/default I had eap { ok = return } before I had the statement calling perl, so I moved the eap {} to after the perl statement. This is in the authorize function.

I did hardcode the Auth-Type perl because the wiki said to in the users file. I've taken that out now.

I know that perl is being initiated because this is in the log file,

    Module: Instantiating perl
      perl {
        module = "/etc/raddb/perl/authorize.pl"
        func_authorize = "authorize"
        func_authenticate = "authenticate"

and I do call perl in the authorize section of the sites-enabled/default file.

Thanks for your help.

-Adam

New Log:
-
Listening on authentication address 192.168.214.119 port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=224, length=152
        Message-Authenticator = 0xb681fb7cb43023dfa88fdf7c84c72173
        User-Name = "testUser"
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        EAP-Message = 0x0201000d016c6a61636b736f6e
        Framed-MTU = 1000
        Called-Station-Id = "0001F4-B6-1B-80\0004"
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 0: Preceding "if" was taken
++ ... skipping elsif for request 0: Preceding "if" was taken
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 224 to 192.168.240.78 port 2435
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x4729b2a0472bab8876dd9daf2a9b0548
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=225, length=249
        Message-Authenticator = 0xcb9007ad59f00da438e5b5f58606ae9d
        User-Name = "testUser"
        State = 0x4729b2a0472bab8876dd9daf2a9b0548
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x0202005c19001603010051014d030149c261cf4866425b9fb5f855a3b6cf3e448f
                      a79400bdae2cd5c064fe096c57a12600390038003500160013000a00330032002f00
                      050004001500120009001400110008000600030100
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 1: Preceding "if" was taken
++ ... skipping elsif for request 1: Preceding "if" was taken
  rlm_eap: EAP packet type response id 2 length 92
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type E
AP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept
Re: Perl/Peap-MSChapV2 Issues
Hi,

you don't have a LOCAL defined in proxy.conf - set that.

you are allowing EAP to come before perl, it seems, in your auth or post-auth sections.

also, are you hardcoding Auth-Type? it appears that you are. that is bad in general.

if the PERL isn't being called, check that you have enabled PERL functionality - ie in 2.x check that the perl module is configured correctly in modules/perl and that the function you want to call (auth, or post-auth) is enabled in that module. check that you call 'perl' in the Authorise section, for example, in your sites-enabled/$VIRTUAL-HOST-YOU-USE

alan
Perl/Peap-MSChapV2 Issues
I'm trying to get Perl authentication set up along with Peap/MSChapV2. I have a perl script that I wish to use to authenticate the user but for some reason, it does not look like the perl script is even being called at the point where it needs to. See below for the log. I could be wrong, but the issue seems to be here:

WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
--

If I need to provide any config files, please just say so. I'm not sure which ones to include here.

Version is 2.0.5

Thanks.
-Adam Sewell

Log:
--
rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=131, length=152
        Message-Authenticator = 0xede4cc6e1f95787b1f2f1eb7172fdf44
        User-Name = "testUser"
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        EAP-Message = 0x0207000d016c6a61636b736f6e
        Framed-MTU = 1000
        Called-Station-Id = "0001F4-B6-1B-80\0004"
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
users: Matched entry DEFAULT at line 189
++[files] returns ok
rlm_eap: EAP packet type response id 7 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++? if (EAP-Message)
? Evaluating (EAP-Message) -> TRUE
++? if (EAP-Message) -> TRUE
++- entering if (EAP-Message)
+++[noop] returns noop
++- if (EAP-Message) returns noop
++ ... skipping elsif for request 0: Preceding "if" was taken
++ ... skipping elsif for request 0: Preceding "if" was taken
rad_check_password: Found Auth-Type Perl
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'testUser'
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 131 to 192.168.240.78 port 2372
        EAP-Message = 0x010800061920
        Message-Authenticator = 0x
        State = 0xbd856426bd8d7d24113b1577a1fc0b35
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=132, length=249
        Message-Authenticator = 0xff045bcad52434215028c1d31990ae00
        User-Name = "testUser"
        State = 0xbd856426bd8d7d24113b1577a1fc0b35
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x0208005c19001603010051014d030149c2516a7d86eed958cf9dbcc1b3a313d5271a03db4f39f3ce88760640dfaabc2600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
users: Matched entry DEFAULT at line 189
++[files] returns ok
rlm_eap: EAP packet type response id 8 length 92
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type Perl
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'testUser'
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [
Re: A couple of NAS servers with same Port ID problem.
Thx for the answers Alan.

p

> Piero Giobbi wrote:
>> This is probably a silly question but i can't solve it by myself. I have a couple of WLANS (Proxim AP4000), works great with FR but I'm having some accounting trouble (guessing), i get a lot of these in my log:
>
> The AP's don't do accounting "well".
>
>> I triple-checked the shared secret.
>
> That's not the problem.
>
>> The authentication works, clients can connect. What does rlm_radutmp do? Could i turn it off in my config (what would happen)?
>
> It shows who is currently logged in. If you don't need to know that, delete the references to radutmp from the configuration files.
>
>> Should i specify different NAS-PORTS for each NAS-server?
>
> No.
>
>> OR - could it just be that Proxim AP4000 is not handling these logouts correctly, a hardware problem?
>
> The AP is giving different information for the accounting start && stop. Not surprisingly... this is allowed by the RADIUS RFC's.
>
> Alan DeKok.
Re: radclient: problem with exit code 0 and 1
t...@kalik.net wrote:
>> from that release. It was successfully built, yeay, but has another bug with masking the password when it is used in the radtest-script :-/
>>
>> Sending Access-Request of id 110 to 192.168.X.X:1812
>>         User-Name = "testuser"
>>         User-Password = "\360\213[p\224\212I\314\217\343\361\214\370\326\351$"
>
> Not a bug. Shared secret is wrong.

It looks like a wrong shared secret, ...

usr/local/src/freeradius-0.9.2/src/main# ./radclient -d /usr/local/src/freeradius-0.9.2/share -f /home/me/radpacket -x 192.168.111.18:1812 auth test123
Sending Access-Request of id 20 to 192.168.111.18:1812
        User-Name = "testuser"
        Password = "testpassword"
        NAS-IP-Address = pluto
        NAS-Port = 10
rad_recv: Access-Reject packet from host 192.168.111.18:1812, id=20, length=20
rad_decode: Received Access-Reject packet from 192.168.111.18 with invalid signature (err=2)! (Shared secret is incorrect.)

... but it is not wrong, I used the same secret as on 2.1.4, where it works. I compiled both versions on an AMD64 arch and found some hints on the internet that this might be the problem. Version 0.9.2 is from October 2003, so it is probably too old. As Alan said, I have to wait for a new release of freeradius.

Thanks for your help,
oz
Re: freeradius and mikrotik auth problem pppoe error 691
2009/3/19 Lazar Cherveniakov :
> Everything looks fine in IP addresses, but the problem is still the same.

Looks like you got exactly the problem I described. See here:

> Mikrotik debug log
> 01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812

Mikrotik thinks radius IP is 192.168.200.2

> radius server ip`s
> # ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
>           inet addr:192.168.200.3  Bcast:192.168.200.255  Mask:255.255.255.0
> eth0:1    Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
>           inet addr:192.168.200.2  Bcast:192.168.200.255  Mask:255.255.255.0

... while that IP is a secondary IP on the radius server. Do a tcpdump on radius and you should see that radius replies come from 192.168.200.3 (which mikrotik discards, because it's not the IP it sent the request to).

There are several ways to fix this (one of them involves recompiling freeradius with --with-udpfromto, see http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F ), but the easiest way is simply to change mikrotik's config to use 192.168.200.3 as radius IP address.

Regards,

Fajar
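Fajar's diagnosis, that a multi-homed server answering from its primary address gets its replies discarded by the NAS, can be reproduced on a Linux loopback. This is an added example, not FreeRADIUS code: it contrasts a plain sendto() reply from a wildcard-bound socket with the udpfromto technique (IP_PKTINFO) that answers from the address the request was sent to; the addresses 127.0.0.1/127.0.0.2, the ephemeral port and the fallback IP_PKTINFO value 8 are constructed assumptions.

```python
"""Why a NAS ignores RADIUS replies from a multi-homed server, and the udpfromto fix.

Added example, not FreeRADIUS code. Constructed: client 127.0.0.1, "secondary"
server address 127.0.0.2 (both on Linux lo), an ephemeral port, and IP_PKTINFO=8
as a fallback when the socket module lacks the constant.
"""
import socket
import struct
import threading
from typing import List, Optional, Tuple

# Linux-only: lets recvmsg report the packet's local address and sendmsg set it.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "i4s4s"      # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)   # 12 bytes


def build_pktinfo(source_ip: str) -> bytes:
    """Pack an in_pktinfo whose ipi_spec_dst forces the source address of a send."""
    return struct.pack(PKTINFO_FMT, 0, socket.inet_aton(source_ip), b"\x00" * 4)


def parse_pktinfo(ancdata: List[Tuple[int, int, bytes]]) -> Optional[str]:
    """Return the IP-header destination (ipi_addr) from recvmsg ancillary data, or None."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO and len(data) >= PKTINFO_LEN:
            _ifindex, _spec_dst, header_dst = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return socket.inet_ntoa(header_dst)
    return None


def kernel_style_ancdata(local_ip: str, header_dst_ip: str, ifindex: int = 1):
    """Constructed ancillary data shaped like what recvmsg delivers (offline checks only)."""
    data = struct.pack(PKTINFO_FMT, ifindex,
                       socket.inet_aton(local_ip), socket.inet_aton(header_dst_ip))
    return [(socket.IPPROTO_IP, IP_PKTINFO, data)]


def serve_one(sock: socket.socket, use_pktinfo: bool) -> Optional[str]:
    """Answer a single datagram; return the address the request was actually sent to."""
    payload, ancdata, _flags, peer = sock.recvmsg(4096, socket.CMSG_SPACE(PKTINFO_LEN))
    requested_ip = parse_pktinfo(ancdata)
    reply = b"Access-Accept:" + payload
    if use_pktinfo and requested_ip:
        # udpfromto behaviour: reply from the very address the NAS addressed.
        sock.sendmsg([reply],
                     [(socket.IPPROTO_IP, IP_PKTINFO, build_pktinfo(requested_ip))],
                     0, peer)
    else:
        # Default behaviour on a wildcard socket: the routing table picks the source,
        # which on a multi-homed host is the primary address, not the one the NAS used.
        sock.sendto(reply, peer)
    return requested_ip


def demo(use_pktinfo: bool, server_ip: str = "127.0.0.2",
         client_ip: str = "127.0.0.1") -> Tuple[str, str]:
    """Send one request from client_ip to server_ip; return (sent_to, reply_came_from)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    server.bind(("0.0.0.0", 0))            # wildcard bind, like radiusd listening on *
    port = server.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(server, use_pktinfo))
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind((client_ip, 0))
    client.settimeout(3)
    try:
        client.sendto(b"Access-Request", (server_ip, port))
        _data, (reply_ip, _port) = client.recvfrom(4096)
    finally:
        worker.join(3)
        server.close()
        client.close()
    return server_ip, reply_ip


if __name__ == "__main__":
    for mode in (False, True):
        sent_to, came_from = demo(mode)
        verdict = "NAS accepts" if sent_to == came_from else "NAS discards (source mismatch)"
        print(f"pktinfo={mode}: sent to {sent_to}, reply from {came_from} -> {verdict}")
```

Run as a script on Linux: the first line shows the reply arriving from 127.0.0.1 although the request went to 127.0.0.2 (the Mikrotik symptom), the second shows the source matching once IP_PKTINFO is used.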
Re: radclient: problem with exit code 0 and 1
Alan DeKok wrote:
> Uh... you *can* run just radclient from the new version of the server. You don't have to upgrade the server to run radclient.

Yes, thanks, I built the latest 2.1.4 but it still has the bug:

/usr/local/src/freeradius-server-2.1.4/src/main# ./radclient -d /usr/local/src/freeradius-server-2.1.4/share -f /home/me/radpacket -x 192.168.X.X:1812 auth secret123
Sending Access-Request of id 41 to 192.168.X.X port 1812
        User-Name = "testuser"
        Password = "testpassword"
        NAS-IP-Address = 192.168.x.x
        NAS-Port = 10
...
radclient: no response from server for ID 41 socket 3
yoda:/usr/local/src/freeradius-server-2.1.4/src/main# echo $?
0

I just hope to find a workaround for my alarm-monitoring in using an old version, until a fixed version of freeradius is released. - Ok, now that I know you will fix it, I can wait.

Thanks for your help,
oz
Re: how to prevent account to do multiple login
> i've configure freeradius and chillispot and running well, i jut have one user
> in radcheck table, the problem i use that account to login to the server from
> two client in same time both of computer got the access. how to prevent
> this..?? anyone help me. hope u understand.

Simultaneous-Use attribute. Accounting needs to be enabled for it to work.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
> The machines are connected to cable and on 2 meters,
> in this case where to find the problem?
> What and how to get to see where the real problem?

Wireshark. If you see packets on the wire - Mikrotik is stopping them. If you don't see them on the wire - the radius machine is stopping them.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRadius with Postgresql
Hi,

> I install the freeradius from the Ubuntu repo.

yep - and as explained in my message, you didn't install all the required freeradius packages that ubuntu give you, for example

http://packages.ubuntu.com/hardy/freeradius-postgresql

apt-get install freeradius-postgresql

..and for other functions you may need to install any of the several other split-off parts of freeradius

alan
Re: Bandwidth limit
> Thanks Ivan,
>
> Actually I've installed Mikrotik Router OS in single pc and Freeradius +
> Mysql server in other. I want to shape the client bandwidth with mysql
> database. If you have any idea then please send me.
>

Vendor attributes are just like any other - you put them in radreply or radgroupreply.

Ivan Kalik
Kalik Informatika ISP
how to prevent account to do multiple login
i've configured freeradius and chillispot and it's running well. i just have one user in the radcheck table; the problem is that i use that account to login to the server from two clients at the same time and both computers got access. how to prevent this..?? anyone help me. hope u understand.

sorry for my very bad english, really appreciate your feedback
Re: Bandwidth limit
Thanks Ivan,

Actually I've installed Mikrotik Router OS in a single pc and Freeradius + Mysql server in another. I want to shape the client bandwidth with the mysql database. If you have any idea then please send me.

Thanks,
Gunza

tnt-4 wrote:
>
>> What to check? I didn't get the point for the bandwidth shaping. Can you send
>> me more detail information about it.
>
> This is freeradius list. Ask Mikrotik how their attributes work.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
The machines are connected to cable and on 2 meters, in this case where to find the problem?
What and how to get to see where the real problem is?

--
Lazar Cherveniakov
Micro computers system - Lazkom
Re: filter-id help
> I am running freeradius 1.0. My server has been running for several years
> and has worked great authenticating users with a PIX and dialup servers. We
> are adding a watchguard firewall. Freeradius needs to send the watchguard
> the following filter-id on successful authentication: IPSEC_RADIUS. It
> appears to just send RADIUS and causes the authentication to fail. I know
> this is simple but I am having trouble getting this to work.
>

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP
Re: Bandwidth limit
> What to check? I didn't get the point for the bandwidth shaping. Can you send
> me more detail information about it.

This is freeradius list. Ask Mikrotik how their attributes work.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
> Everything looks fine in IP addresses, but the problem is still the same.

No, it's not looking fine.

> Mikrotik debug log

. has no trace of Access-Accept packet - it didn't arrive.

> Here again the log of Mikrotik and freeradius:
>

Stop looking at the logs and start looking at the network.

Ivan Kalik
Kalik Informatika ISP
Re: Bandwidth limit
What to check? I didn't get the point for the bandwidth shaping. Can you send me more detail information about it.

Thanks,
Gunza

Marinko Tarlac wrote:
>
> Check Mikrotik Radius attributes.
>
> Gunza wrote:
>> Dear All,
>>
>> I have installed Mikrotik Router OS server for PPPoE and I have
>> installed Ubuntu Server 8.10 with Freeradius+My Sql server. I want to
>> create user with bandwith limit in mysql database. Anybody please help
>> me.
Re: FreeRadius with Postgresql
> I install the freeradius from the Ubuntu repo.

With mysql support (freeradius-mysql)?

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
Everything looks fine in IP addresses, but the problem is still the same.
Here again the log of Mikrotik and freeradius:

Mikrotik debug log

01:33:40 pppoe,info PPPoE connection established from 00:15:AF:1F:23:1A
01:33:40 pppoe,ppp,info : waiting for call...
01:33:40 radius,debug new request 53:02 code=Access-Request service=ppp called-id=pppoe-in
01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812
01:33:40 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:40 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:40 radius,debug,packet Service-Type = 2
01:33:40 radius,debug,packet Framed-Protocol = 1
01:33:40 radius,debug,packet NAS-Port = 10
01:33:40 radius,debug,packet NAS-Port-Type = 15
01:33:40 radius,debug,packet User-Name = "lacho"
01:33:40 radius,debug,packet Calling-Station-Id = "00:15:AF:1F:23:1A"
01:33:40 radius,debug,packet Called-Station-Id = "pppoe-in"
01:33:40 radius,debug,packet NAS-Port-Id = "ether1"
01:33:40 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:40 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:40 radius,debug,packet 18
01:33:40 radius,debug,packet NAS-Identifier = "TEST-RADIUS"
01:33:40 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug resending 53:02
01:33:41 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:41 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:41 radius,debug,packet Service-Type = 2
01:33:41 radius,debug,packet Framed-Protocol = 1
01:33:41 radius,debug,packet NAS-Port = 10
01:33:41 radius,debug,packet NAS-Port-Type = 15
01:33:41 radius,debug,packet User-Name = "lacho"
01:33:41 radius,debug,packet Calling-Station-Id = "00:15:AF:1F:23:1A"
01:33:41 radius,debug,packet Called-Station-Id = "pppoe-in"
01:33:41 radius,debug,packet NAS-Port-Id = "ether1"
01:33:41 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:41 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:41 radius,debug,packet 18
01:33:41 radius,debug,packet NAS-Identifier = "TEST-RADIUS"
01:33:41 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug resending 53:02
01:33:41 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:41 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:41 radius,debug,packet Service-Type = 2
01:33:41 radius,debug,packet Framed-Protocol = 1
01:33:41 radius,debug,packet NAS-Port = 10
01:33:41 radius,debug,packet NAS-Port-Type = 15
01:33:41 radius,debug,packet User-Name = "lacho"
01:33:41 radius,debug,packet Calling-Station-Id = "00:15:AF:1F:23:1A"
01:33:41 radius,debug,packet Called-Station-Id = "pppoe-in"
01:33:41 radius,debug,packet NAS-Port-Id = "ether1"
01:33:41 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:41 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:41 radius,debug,packet 18
01:33:41 radius,debug,packet NAS-Identifier = "TEST-RADIUS"
01:33:41 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug timeout for 53:02
01:33:41 pppoe,ppp,info : terminating... - user lacho authentication failed - radius timeout (6)
01:33:41 pppoe,ppp,info : disconnected

Freeradius debug log:

Sending Access-Accept of id 7 to 192.168.200.4 port 32768
        Acct-Interim-Interval = 300
        Session-Timeout = 31
        Mikrotik-Xmit-Limit = 1073217536
        Framed-IP-Address = 10.8.15.44
        Mikrotik-Recv-Limit = 1073217536
        Framed-IP-Netmask = 255.255.255.255
Thu Mar 19 12:37:16 2009 : Debug: Finished request 3
Thu Mar 19 12:37:16 2009 : Debug: Going to the next request
Thu Mar 19 12:37:16 2009 : Debug: Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.200.4:32768, id=8, length=144
Thu Mar 19 12:37:31 2009 : Debug: --- Walking the entire request list ---
Thu Mar 19 12:37:31 2009 : Debug: Cleaning up request 3 ID 7 with timestamp 49c2205c
Thu Mar 19 12:37:31 2009 : Debug: Waking up in 31 seconds...
Thu Mar 19 12:37:31 2009 : Debug: Threads: total/active/spare threads = 5/0/5
Thu Mar 19 12:37:31 2009 : Debug: Thread 5 got semaphore
Thu Mar 19 12:37:31 2009 : Debug: Thread 5 handling request 4, (1 handled so far)
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 10
        NAS-Port-Type = Ethernet
        User-Name = "lacho"
        Calling-Station-Id = "00:15:AF:1F:23:1A"
        Called-Station-Id = "pppoe-in"
        NAS-Port-Id = "ether1"
        CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
        CHAP-Password = 0x01dad26d1d56167a1899b
filter-id help
I am running freeradius 1.0. My server has been running for several years and has worked great authenticating users with a PIX and dialup servers. We are adding a watchguard firewall. Freeradius needs to send the watchguard the following filter-id on successful authentication: IPSEC_RADIUS. It appears to just send RADIUS and causes the authentication to fail. I know this is simple but I am having trouble getting this to work.

Please help

Dan
Re: dear everyone..
Hi,

> still can't get it. can u show me please which script to do benchmarking the
> RADIUS server, and how to running the script,.

freeradius-server-$version/doc/performance-testing

read, follow, run.

alan
Re: radclient: problem with exit code 0 and 1
oz wrote:
> Thanks, but for some reasons I cannot do updates to the upcoming release
> on that server.

Uh... you *can* run just radclient from the new version of the server. You don't have to upgrade the server to run radclient. Just make sure that the new version is installed in an independent directory, and isn't in the PATH.

> So I compiled 0.7 this morning, just to get the
> radclient tool from that release. It was successfully built, yeay, but
> has another bug with masking the password when it is used in the
> radtest-script :-/

Stop wasting your time with old versions of the server. We can't help you fix, or understand, code that is many years old. It's not worth *our* time to re-debug problems that were found and fixed years ago.

Alan DeKok.
Re: dear everyone..
> still can't get it. can u show me please which script to do benchmarking the
> RADIUS server, and how to running the script,.
>

http://wiki.freeradius.org/Radclient

Ivan Kalik
Kalik Informatika ISP
Re: dear everyone..
thanks, so nice... I'll try it..

--- On Thu, 3/19/09, Alan DeKok wrote:

From: Alan DeKok
Subject: Re: dear everyone..
To: "FreeRadius users mailing list"
Date: Thursday, March 19, 2009, 5:51 PM

Nizar Zulmi wrote:
> still can't get it. can u show me please which script to do benchmarking
> the RADIUS server, and how to running the script,.

$ man radclient

Alan DeKok.
Re: dear everyone..
Nizar Zulmi wrote:
> still can't get it. can u show me please which script to do benchmarking
> the RADIUS server, and how to running the script,.

$ man radclient

Alan DeKok.
Re: dear everyone..
still can't get it. can u show me please which script to do benchmarking the RADIUS server, and how to running the script,.

--- On Thu, 3/19/09, a.l.m.bu...@lboro.ac.uk wrote:

From: a.l.m.bu...@lboro.ac.uk
Subject: Re: dear everyone..
To: "FreeRadius users mailing list"
Date: Thursday, March 19, 2009, 4:20 PM

Hi,

> iam a newbie freeradius user, i have a duty from my lecturer to build a
> hotspot captive portal using chillispot and freeradius. now i make it,
> chilispot and freeradius working well on ubuntu machine, but the problem is
> my lecturer want me to do stress test on the radius server to make sure that
> the system is still working well in any condition..
>
> i still confused how to perform the stress test...anyone help me
> please..thank you for your attention, sorry for bad english :D

there are a couple of scripts supplied with the server to allow benchmarking which hit the server fast and hard. run a couple of those whilst eg flood pinging the system.

but 'any condition' is hardly any kind of scientific or useful phrase. for example, is the system working well if half the packets get lost? does the system work well if packets are routed in different directions? does the system work well when an idiot logs into the box and runs other random processes that take up CPU time (nice bit of SETI or D2OL etc)?

quantify the scenarios before you can demonstrate behaviour. useful exercise as you might uncover some weird corner case to help improve the server (I've found several Linux kernel issues over the years on very stressed servers)

alan
Re: radclient: problem with exit code 0 and 1
> from that release. It was successfully built, yeay, but has another bug with
> masking the password when it is used in the radtest-script :-/
>
> Sending Access-Request of id 110 to 192.168.X.X:1812
>         User-Name = "testuser"
>         User-Password = "\360\213[p\224\212I\314\217\343\361\214\370\326\351$"
>

Not a bug. Shared secret is wrong.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRadius with Postgresql
> rlm_sql (sql): Could not link driver rlm_sql_postgresql:
> rlm_sql_postgresql.so: cannot open shared object file: No such file or
> directory
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
> search path of your system's ld.
> radiusd.conf[11]: sql: Module instantiation failed.
> radiusd.conf[1860] Unknown module "sql".
> radiusd.conf[1789] Failed to parse authorize section.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_says_.22Could_not_link_..._file_not_found.22.2C_what_do_I_do.3F

Ivan Kalik
Kalik Informatika ISP
Re: radclient: problem with exit code 0 and 1
Alan DeKok wrote:
> oz wrote:
>> the normal behavior of radclient seems to get lost somewhere in the
>> versions later than freeradius-0.7, where it worked:
>
> That's nice... but 1.1.x will NOT be fixed.
>
> I've committed a fix that will be in the next release of the server.
> If you need this functionality, upgrade.

Thanks, but for some reasons I cannot do updates to the upcoming release on that server. So I compiled 0.7 this morning, just to get the radclient tool from that release. It was successfully built, yeay, but has another bug with masking the password when it is used in the radtest-script :-/

Sending Access-Request of id 110 to 192.168.X.X:1812
        User-Name = "testuser"
        User-Password = "\360\213[p\224\212I\314\217\343\361\214\370\326\351$"

Do you have an idea which freeradius version after 0.7 has a working exit code 1, but is free from that other problem with the password-masking? Then I'd like to try that. Else I would have to test-compile the 19 releases between 0.7 and 1.1.7 for a possible workaround.

oz
Re: Adding users in the database from a client computer
> Again, I'm a relatively new freeradius user so I am not really an expert
> with it.
>
> In our project, we need to "add" and "delete" users from the server database
> from an authorized client computer.

See:
- dialup admin (included with the server)
- daloRadius (same thing but under active development)
- phpMyAdmin (works directly with the database; requires you to know what you are doing - if you don't, use the admin tools above)

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
> I don't have a firewall
> How do I solve the problem?

Yes, you do. Things like iptables are also firewalls. Use wireshark to find where the packets are stopped. And then fix it.

Ivan Kalik
Kalik Informatika ISP
Re: MacOS X Leopard version of FR crashing with segmentation fault
Randall Newman wrote:
> I looked at the permissions but everything looks ok, so still not sure
> why the -x and -xx options are not working, but that's not my main
> problem. I did notice one strange thing in the log shortly before one of
> the segmentation faults. Not sure if it's related but perhaps someone
> here can shed some light:
>
> radiusd(32122,0xa0479720) malloc: *** error for object 0x1d3610:
> incorrect checksum for freed object - object was probably modified after
> being freed.
> *** set a breakpoint in malloc_error_break to debug

Yes, that would be related. It's a bug. The simple suggestion is to upgrade to a recent version, which won't have this bug.

Alan DeKok.
Re: FreeRadius with Postgresql
Hi,

> On following the messages; this is what I get from running freeradius -X
> but before pointing it to PostgreSQL it runs fine.
> rlm_sql (sql): Could not link driver rlm_sql_postgresql:
> rlm_sql_postgresql.so: cannot open shared object file: No such file or
> directory
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the
> search path of your system's ld.

Fairly straightforward - did you build this server yourself? If so, did you check the output of the ./configure stage? It looks like it hasn't built the postgres modules, probably because the required postgres devel package wasn't installed at the time.

If this is from a package, check that there isn't some additional part-package that provides the postgres functionality; I note that several distros split FR into multiple parts.

alan
Re: FreeRadius with Postgresql
On following the messages; this is what I get from running freeradius -X, but before pointing it to PostgreSQL it runs fine.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/postgresql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "rlm_sql_postgresql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "postgres"
 sql: password = "hello"
 sql: radius_db = "radius"
 sql: nas_table = "nas"
 sql: sqltrace = yes
 sql: sqltracefile = "/var/log/freeradius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, Op  FROM radcheck  WHERE Username = '%{SQL-User-Name}'  ORDER BY id"
 sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op  FROM radreply  WHERE Username = '%{SQL-User-Name}'  ORDER BY id"
 sql: authorize_group_check_query = "SELECT radgroupcheck.id, radgroupcheck.Gro
Re: radclient: problem with exit code 0 and 1
oz wrote:
> the normal behavior of radclient seems to get lost somewhere in the
> versions later than freeradius-0.7, where it worked:

That's nice... but 1.1.x will NOT be fixed. I've committed a fix that will be in the next release of the server. If you need this functionality, upgrade.

Alan DeKok.
Re: dear everyone..
Hi,

> I am a newbie freeradius user. I have a duty from my lecturer to build a
> hotspot captive portal using chillispot and freeradius. Now I made it;
> chillispot and freeradius are working well on an ubuntu machine, but the problem is
> my lecturer wants me to do a stress test on the radius server to make sure that
> the system is still working well in any condition..
>
> I am still confused how to perform the stress test... anyone help me
> please.. Thank you for your attention. Sorry for bad English :D

There are a couple of scripts supplied with the server to allow benchmarking which hit the server fast and hard. Run a couple of those whilst e.g. flood pinging the system.

But 'any condition' is hardly any kind of scientific or useful phrase. For example, is the system working well if half the packets get lost? Does the system work well if packets are routed in different directions? Does the system work well when an idiot logs into the box and runs other random processes that take up CPU time (nice bit of SETI or D2OL etc)? Quantify the scenarios before you can demonstrate behaviour.

Useful exercise, as you might uncover some weird corner case to help improve the server (I've found several Linux kernel issues over the years on very stressed servers).

alan
Re: radclient: problem with exit code 0 and 1
> Hello,
>
> Alan DeKok wrote:
>> oz wrote:
>>> for monitoring our radius-servers, I have used radclient for a long time in a
>>> script. After migration to another platform, radclient seems to work
>>> differently than before. If a monitored radiusd is down or the Auth of my
>>> monitoring-user fails, radclient gets an expected answer, but exits with
>>> status 0 in these cases.
>>
>> Hmm... good point. I'll take a look at that.
>>
>>> the normal behavior of radclient seems to get lost somewhere in the
>>> versions later than freeradius-0.7, where it worked:
>>> ...
>>> radclient: no response from server
>>> host1:/usr/local/src/freeradius-0.7/src/main# echo $?
>>> 1
>>> ...
>>> with ./radclient -v
>>> radclient: $Id: radclient.c,v 1.46 2002/06/21 19:57:26 cparker Exp $ built on Nov 5 2002 at 09:31:53
>>>
>>> And it fails with later versions like
>>> # radclient -v
>>> radclient: $Id: radclient.c,v 1.72.2.1.2.7 2007/04/07 22:22:51 aland Exp $ built on Nov 16 2007 at 14:04:12
>>> ... from freeradius-1.1.7 and
>>> ...
>>> radclient -v
>>> radclient: $Id: radclient.c,v 1.120 2008/04/03 13:43:12 aland Exp $ built on Jul 7 2008 at 16:01:22
>>> ... from freeradius-2.0.5:
>>> radclient -v
>>> radclient: $Id: radclient.c,v 1.120 2008/04/03 13:43:12 aland Exp $ built on Jul 7 2008 at 16:01:22
>>>
>>> Kind regards,
>>> oz
>
> I am running radclient from freeradius 1.1.3-3, Debian/etch amd64:
> # radclient -v
> radclient: $Id: radclient.c,v 1.72.2.1.2.5 2006/05/16 18:26:08 aland Exp $ built on Dec 17 2006 at 01:07:36

Err... that won't be fixed. The fix will be in a recent version of the server. Not one that is three years old.

Alan DeKok.
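Two threads above lean on radclient in the same way: alan's stress-test advice (hit the server fast and hard, and quantify what "working" means) and oz's monitoring script, which cannot rely on radclient's exit status in 1.1.x. What follows is an added example, not code from the thread or from the FreeRADIUS project: a Python wrapper that builds a radclient -f attribute file, runs radclient -q -s -p, and derives its own pass/fail from the "Total approved/denied/lost auths" summary and "no response from server" lines that radclient prints, so the verdict is the same on any radclient version. The server address, shared secret and user list are made up, and SAMPLE_OUTPUT is constructed in the shape radclient -s prints.

```python
"""Drive radclient for stress runs and monitoring without trusting its exit code."""
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Tuple

# Constructed sample of what `radclient -s` prints when one of 8000 requests
# gets no answer; the lines follow radclient's summary and timeout format.
SAMPLE_OUTPUT = """radclient: no response from server for ID 195 socket 3
Total approved auths: 7999
Total denied auths: 0
Total lost auths: 1
"""

_SUMMARY_RE = re.compile(r"^Total (approved|denied|lost) auths:[ \t]*(\d+)[ \t]*$", re.M)
_NO_RESPONSE_RE = re.compile(r"^radclient: no response from server", re.M)


def parse_summary(output: str) -> Dict[str, int]:
    """Pull the -s counters out of radclient's output.  A counter that never
    appears (radclient died before printing the summary) is reported as 0,
    and 'no_response' counts the per-request timeout lines separately."""
    counts = {"approved": 0, "denied": 0, "lost": 0}
    for kind, n in _SUMMARY_RE.findall(output):
        counts[kind] = int(n)
    counts["no_response"] = len(_NO_RESPONSE_RE.findall(output))
    return counts


def verdict(output: str) -> int:
    """Monitoring exit status derived from the output alone: 0 only if at
    least one request was approved and nothing was denied, lost or unanswered."""
    c = parse_summary(output)
    ok = (c["approved"] > 0 and c["denied"] == 0
          and c["lost"] == 0 and c["no_response"] == 0)
    return 0 if ok else 1


def _quote(value: str) -> str:
    """Quote a value for a radclient attribute file."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def make_auth_file(users: List[Tuple[str, str]]) -> str:
    """Build the contents of a file for radclient -f: one Access-Request per
    block of 'Attribute = value' lines, blocks separated by a blank line."""
    blocks = [
        f"User-Name = {_quote(name)}\nUser-Password = {_quote(pw)}\n"
        for name, pw in users
    ]
    return "\n".join(blocks)


def run_probe(server: str, secret: str, auth_file: str, parallel: int = 16,
              radclient: str = "radclient") -> int:
    """One radclient run; the status comes from verdict(), not from
    radclient's own return code, which 1.1.x leaves at 0 on failure."""
    proc = subprocess.run(
        [radclient, "-q", "-s", "-p", str(parallel), "-f", auth_file,
         server, "auth", secret],
        capture_output=True, text=True, check=False)
    return verdict(proc.stdout + proc.stderr)


def stress(server: str, secret: str, auth_file: str, rounds: int,
           parallel: int = 16) -> int:
    """Repeat the run; return the 1-based round that first lost or was denied
    a request (so the server log at that moment can be examined), or 0 if
    every round was clean."""
    for i in range(1, rounds + 1):
        if run_probe(server, secret, auth_file, parallel) != 0:
            return i
    return 0


if __name__ == "__main__":
    # Hypothetical server, secret and user list, constructed for the example.
    users = [(f"user{i:04d}", f"pw{i:04d}") for i in range(8000)]
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(make_auth_file(users))
    try:
        first_bad = stress("127.0.0.1:1812", "testing123", fh.name, rounds=10)
        print("first failing round:", first_bad or "none")
    finally:
        os.unlink(fh.name)
```

For monitoring, call run_probe() with a one-user file and use its return value as the check's exit status; for a stress run, stress() stops at the first round that loses or is denied a packet, which is the timestamp to line up against the server log (the "Discarding conflicting packet" and "Exiting normally" lines at the top of this page are exactly what such a run is trying to catch).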
Re: freeradius and mikrotik auth problem pppoe error 691
ping NAS from radius server
ping radius server from NAS

Also, check mtik logs... you can turn on radius debugging in mtik and you will see what the problem is...

On Thu, Mar 19, 2009 at 9:42 AM, Fajar A. Nugraha wrote:
> 2009/3/19 Lazar Cherveniakov :
>> I don't have a firewall
>> How do I solve the problem?
>
> Does your radius server have more than one IP address?
> If yes, then probably you tell mikrotik that radius IP is the
> secondary address while freeradius sends replies from primary IP
> address. There are some ways to fix this, but the easiest way is to
> set your NAS (mikrotik) to use the radius server's primary IP address.
Re: Adding users in the database from a client computer
2009/3/19 Joeven Rex Dizon :
> When the client makes a request to add a user in the database, does it simply ask
> access in the mysql backend of the server

Assuming your users are stored in MySQL, short answer is yes.

> How exactly do we request an addition or deletion of a user? Do we use the
> simple sql queries in the radcheck table?

Again, short answer, yes :)

> By the way, we've already configured the server to allow access from this
> client computer in the clients.conf file.

If you don't plan to use this client as a NAS (i.e. to use the radtest command or similar), it's not necessary. You simply need to allow access to the MySQL database.

Regards,
Fajar
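Fajar's answer says the admin client can simply run SQL against the radcheck table. As an added example (not code from the thread or from FreeRADIUS), here is how such a client might do that safely: the username and password travel as bound parameters instead of being spliced into the query text, a second check item for the same user is refused, and check_items() runs the same SELECT that the server's authorize_check_query uses (as shown in the freeradius -X output earlier on this page), so the admin sees exactly what radiusd will see. sqlite3 stands in for MySQL so the example runs offline; the table definition is an assumption modelled on the FreeRADIUS schema, and the Cleartext-Password := item is the 2.x convention (1.1.x expects User-Password with op ==).

```python
"""Add and remove RADIUS users in the radcheck table from an admin host."""
import sqlite3
from typing import List, Optional, Tuple

# Minimal radcheck table using the column names from the thread's
# authorize_check_query (UserName, Attribute, Value, Op).  The DDL is an
# assumption modelled on the FreeRADIUS schema; sqlite3 stands in for MySQL.
RADCHECK_DDL = """
CREATE TABLE radcheck (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  UserName  VARCHAR(64)  NOT NULL DEFAULT '',
  Attribute VARCHAR(64)  NOT NULL DEFAULT '',
  Op        CHAR(2)      NOT NULL DEFAULT '==',
  Value     VARCHAR(253) NOT NULL DEFAULT ''
)
"""

# The server's own lookup, with the %{SQL-User-Name} expansion replaced by a
# bound parameter, so the admin client sees what radiusd will see.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id, UserName, Attribute, Value, Op FROM radcheck "
    "WHERE UserName = ? ORDER BY id"
)


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the radius database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(RADCHECK_DDL)
    return conn


def check_items(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str, str]]:
    """Return (Attribute, Op, Value) rows exactly as authorize_check_query
    would fetch them for this user."""
    rows = conn.execute(AUTHORIZE_CHECK_QUERY, (username,)).fetchall()
    return [(attr, op, value) for _id, _name, attr, value, op in rows]


def validate_username(username: str) -> Optional[str]:
    """Reject names the RADIUS side cannot use; returns a reason or None."""
    if not username or len(username) > 64:
        return "username must be 1-64 characters"
    if any(ord(ch) < 0x20 for ch in username):
        return "username must not contain control characters"
    return None


def add_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Insert a Cleartext-Password check item (FreeRADIUS 2.x convention).
    Returns False rather than creating a second row: authorize_check_query
    returns every row for the name, and two password items make the check
    ambiguous.  Values are bound, never formatted into the SQL string."""
    if validate_username(username) or check_items(conn, username):
        return False
    conn.execute(
        "INSERT INTO radcheck (UserName, Attribute, Op, Value) "
        "VALUES (?, 'Cleartext-Password', ':=', ?)",
        (username, password),
    )
    conn.commit()
    return True


def delete_user(conn: sqlite3.Connection, username: str) -> int:
    """Remove every check item for the user; returns the number of rows removed."""
    cur = conn.execute("DELETE FROM radcheck WHERE UserName = ?", (username,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_demo_db()
    print(add_user(db, "test1", "s3cret"))       # True
    # A crafted name is stored literally, not interpreted as SQL, because it
    # travels as a bound parameter rather than being pasted into the query.
    print(add_user(db, "x' OR '1'='1", "pw"))     # True, one harmless row
    print(check_items(db, "test1"))               # [('Cleartext-Password', ':=', 's3cret')]
    print(delete_user(db, "test1"))               # 1
```

With a real MySQL backend the same statements work with %s placeholders. Give the admin host its own database account with only SELECT, INSERT and DELETE on radius.radcheck (a MySQL GRANT limited to that one table), separate from the account radiusd uses, so a compromised admin client cannot rewrite radreply or the nas table.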
Re: freeradius and mikrotik auth problem pppoe error 691
2009/3/19 Lazar Cherveniakov :
> I don't have a firewall
> How do I solve the problem?

Does your radius server have more than one IP address? If yes, then probably you tell mikrotik that the radius IP is the secondary address while freeradius sends replies from the primary IP address. There are some ways to fix this, but the easiest way is to set your NAS (mikrotik) to use the radius server's primary IP address.
dear everyone..
I am a newbie freeradius user. I have a duty from my lecturer to build a hotspot captive portal using chillispot and freeradius. Now I made it; chillispot and freeradius are working well on an ubuntu machine, but the problem is my lecturer wants me to do a stress test on the radius server to make sure that the system is still working well in any condition..

I am still confused how to perform the stress test... anyone help me please.. Thank you for your attention. Sorry for bad English :D
PAM-Radius authentication issue on Ubuntu 7.4: can not authenticate SSH users not present in /etc/passwd
Hi,

I was trying to find a PAM-Radius mailing list and it seems that this is the best one.

A Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to "UsePAM yes". I downloaded PAM_Radius 1.3.17. Below is the procedure I used to have Radius authenticate a user in /etc/passwd (/etc/shadow doesn't have the password for that user).

1. FreeRadius server configures its clients.conf and user file to include a new user called "test1".
2. On my Ubuntu 7.4 box, add a user with command "useradd" to add a user "test1" but don't set a password. So the user "test1" on the Ubuntu box will be inactive.
3. Configure /etc/pam.d/ssh on the Ubuntu box to use "auth sufficient pam_radius_auth.so"
4. Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.
5. Try ssh te...@ubuntu box and it worked. Also monitored the FreeRadius logging and it did show that the Access-Request packets went to the Radius server.

So steps 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.

The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with an INCORRECT password were even sent to the Radius server. Further troubleshooting showed that the PAM_Radius module got a bad password from PAM. I did some research on the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in the /etc/passwd file. Is that right?

Many thanks in advance,
Feng
Re: RADIUS challenge response using the PAM module
Yes. I'm talking about the PAM module. I've tried the debug option but it isn't verbose enough. I need to recompile the module with some extra debug messages regarding the access challenge. I'll figure it out one way or another.

----- Original message -----
From: freeradius-users-bounces+robert.svensson=mideye@lists.freeradius.org [mailto:freeradius-users-bounces+robert.svensson=mideye@lists.freeradius.org] On behalf of t...@kalik.net
Sent: 18 March 2009 23:49
To: FreeRadius users mailing list
Subject: RE: RADIUS challenge response using the PAM module

> The problem is that the access challenge sent by the radius server, to the pam
> module, is returned by the pam module without being displayed to the user.
> What I expect is for the access challenge to be displayed to the user: Enter
> your OTP (or something). After the user has responded to the access challenge,
> the response should be sent back to the radius server for authentication.

Is this PAM module you are talking about pam_radius_auth from freeradius? Did you try the debug option?

Ivan Kalik
Kalik Informatika ISP