Re: How to use Autz-Type?

2009-03-31 Thread Fajar A. Nugraha
On Tue, Mar 31, 2009 at 7:10 AM, Alan DeKok al...@deployingradius.com wrote:
 Fajar A. Nugraha wrote:
 Hi,

 I'm using freeradius 2.1.3 (self-compiled as RPM), and trying to use
 Autz-Type.

  Don't.  In 2.1.3, unlang is better.  Read man unlang, and create
 your policy that way.


Thanks Ivan and Alan. So is this syntax correct in Authorize section?

if (control:Realm == "domain1.com") {
        sql1
}

Regards,

Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[fixed version] rlm_perl and tagged attributes problem

2009-03-31 Thread Alexandr Kovalenko
Hello

[Update: fixed script so that it won't set incorrect attributes, but
problem persist]

I'm trying to set up FreeRADIUS with the rlm_perl module to have the ability
to interoperate with our billing/provisioning system.

FreeRADIUS version:

# radiusd -v
radiusd: FreeRADIUS Version 1.1.7, for host amd64-portbld-freebsd6.3,
built on Jan 15 2009 at 18:36:52

Perl version:

# perl -V
Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
 Platform:
   osname=freebsd, osvers=6.3-rc2, archname=amd64-freebsd


We are using a Juniper ERX-310 BRAS to terminate our customers and to
configure policies and so on; it needs a few attributes to be tagged.

Here is what a normal session should look like:

[ne...@nemo ~]$ radtest admin test 127.0.0.1 2 testing123
Sending Access-Request of id 229 to 127.0.0.1 port 1812
       User-Name = admin
       User-Password = test
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=127, length=126
       ERX-Qos-Profile-Name = SP_Tele_Internet
       ERX-Qos-Parameters = internet_tr_value 2097152
       Framed-IP-Address = 10.0.112.2
       Framed-IP-Netmask = 255.255.255.255
       ERX-Service-Statistics:1 = time-volume
       ERX-Service-Activate:1 = telesys(1048576)

Please note ERX-Service-Statistics:1 and ERX-Service-Activate:1 attributes.

I have minimized the code in the Perl module to achieve this, to exclude any
possibility of influence from our system:

sub authorize {
    if (($RAD_REQUEST{'User-Name'} eq 'admin') and
        ($RAD_REQUEST{'User-Password'} eq 'test')) {
        # The ":1" suffix is the attribute tag the ERX expects on these two
        $RAD_REPLY{'ERX-Service-Activate:1'}   = 'telesys(1048576)';
        $RAD_REPLY{'ERX-Service-Statistics:1'} = 'time-volume';
        $RAD_REPLY{'ERX-Qos-Parameters'}       = 'internet_tr_value 2097152';
        $RAD_REPLY{'ERX-Qos-Profile-Name'}     = 'SP_Tele_Internet';
        $RAD_REPLY{'Framed-IP-Address'}        = '10.0.112.2';
        $RAD_REPLY{'Framed-IP-Netmask'}        = '255.255.255.255';
        return RLM_MODULE_OK;
    }
    # Anyone else: say nothing and let the other modules decide
    return RLM_MODULE_NOOP;
}

Now let me describe what happens.
When I restart radiusd and issue the 1st RADIUS Access-Request packet, it
returns the attributes as expected. But the next one returns this:

$ radtest admin test 127.0.0.1 2 testing123
Sending Access-Request of id 32 to 127.0.0.1 port 1812
       User-Name = admin
       User-Password = test
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=37, length=125
       ERX-Qos-Profile-Name = SP_Tele_Internet
       ERX-Qos-Parameters = internet_tr_value 2097152
       Framed-IP-Address = 10.0.112.2
       Framed-IP-Netmask = 255.255.255.255
       ERX-Service-Statistics:0 = time-volume
       ERX-Service-Activate:0 = telesys(1048576)

Please note the :0 after the last 2 ERX-* attributes, which is a) incorrect,
and b) in the Perl code it is clearly written as :1.

Please help me resolve this issue. Thanks in advance.

Here is the log of the correct behavior:


rad_recv: Access-Request packet from host 127.0.0.1:64032, id=52, length=57
       User-Name = admin
       User-Password = test
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 2
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = admin, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 171
 modcall[authorize]: module files returns ok for request 0
Using perl at 0x592370
rlm_perl: $VAR1 = {};
rlm_perl: defined
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Service-Activate = telesys(1048576)
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Service-Statistics = time-volume
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
 modcall[authorize]: module perl returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
 modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type Perl
auth: type Perl
 Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
Using perl at 0x592370
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl

PEAP test fails using eapol_test

2009-03-31 Thread Bo Nygaard Bai
I have spent more than a week trying every hint I could extract from
Google. But I am still unable to get a working PEAP setup. Could someone
please point out my glaringly obvious mistake.


Versions:
freeradius built from 2.1.4 source (but it reports 2.1.5 on start!)
eapol_test from wpa_supplicant-0.6.9

I am trying to perform PEAP with MSCHAPV2.

eapol_test (wpa_supplicant-0.6.9) configuration:

network={
        eap=PEAP
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity=testuser
        password=password
        ca_cert=ca.pem
        phase2=auth=MSCHAPV2
        anonymous_identity=anonymous
}

./eapol_test -c eapol_test.conf.peap -a130.225.51.102 -p1812 
-stesting123 -r1


eapol_test.log http://kom.aau.dk/%7Ebai/wpa/eapol_test.log


radiusd -X

radiusd.log http://kom.aau.dk/%7Ebai/wpa/radiusd.log


Trouble spots seem to be:

[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.

Do I have to create an entry in users for the anonymous user?

[peap] FAIL: Forcibly stopping session resumption as it is not allowed.
This seems to happen after a successful MSCHAPv2 through the tunnel.

Any help will be appreciated!

/Bo Bai


Re: autostart script for FreeRADIUS

2009-03-31 Thread John Hawkes-Reed
On 31/3/09 02:46, Tseveendorj tseveend...@gmail.com wrote:

 John Hawkes-Reed wrote:

[ ... ]

 Hi John

 Thank you for trying to help me.

 It has, but I didn't know this is exactly right. It looks something like the
 following


 inside /usr/local/etc/rc.d/mysql-server

 # PROVIDE: mysql
 # REQUIRE: LOGIN
 # KEYWORD: shutdown


 inside /usr/local/etc/rc.d/radiusd

 # PROVIDE: radiusd
 # REQUIRE: NETWORKING SERVERS mysql
 # KEYWORD: shutdown

 In my opinion MySQL starts after the LOGIN process, then radiusd is
 started once MySQL has started.

 But it doesn't.

Hm. Bother.

From 'man 8 rc':

Certain scripts may want to provide enhanced functionality.  The user may
access this functionality through additional commands.  The script may
list and define as many commands as it needs.

#!/bin/sh
#

# PROVIDE: foo
# REQUIRE: bar_service_required_to_precede_foo
# BEFORE:  baz_service_requiring_foo_to_precede_it

So I guess try a 'BEFORE: radiusd' in the mysql rc file.

After that, I'd be debugging the script start order by hand.

[ ... ]

--
John Hawkes-Reed
Systems Administrator. Future Publishing. x 2526



Duplicate Acct-Status packets

2009-03-31 Thread Bogomolov Andrei

   I'm running freeradius-1.1.7: the NAS server sends an Acct-Status-Start
packet, then freeradius processes it and confirms with an
Acct-Status-Reply. But if the reply packet is lost due to the UDP nature of
the protocol, the NAS sends a second Acct-Status-Start. In this situation I
have two duplicate records in the radacct table. How can I avoid this?
Unique DB indexes, or better something else?



Re: PEAP test fails using eapol_test

2009-03-31 Thread tnt
I have spent more than a week trying every hint I could extract from
Google. But I am still unable to get a working PEAP setup. Could someone
please point out my glaringly obvious mistake.


The main mistake is that authentication - works:

Sending Access-Accept of id 9 to 130.225.51.87 port 49707
MS-MPPE-Recv-Key =
0xabfe75a439bfffee14fbe7b08175c562a6ca31ee35da0da4b529c7e245aedbb0
MS-MPPE-Send-Key =
0xb2b712c4df5ba5cdfbc893e6fdc6cbb710d3a52c5d868f8cfcbf7635184cb9aa
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = anonymous
Finished request 9.

and eapol:

CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE

Reauthentication failed. Read cache section of eap.conf.

Ivan Kalik
Kalik Informatika ISP

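As an added illustration (not part of Ivan's reply, and not the stock file itself), this is the part of eap.conf in 2.1.x that the "Forcibly stopping session resumption as it is not allowed" line points at. The cache section sits inside tls; with enable = no, a supplicant that reauthenticates and offers its previous TLS session ID is refused, and eapol_test's -r1 on the command line above asks for exactly one such reauthentication after the first success. The values other than enable are the shipped defaults; the "..." marks unrelated settings left out here.

```conf
eap {
        default_eap_type = peap
        ...
        tls {
                ...
                # TLS session resumption.  With enable = no a client that
                # reauthenticates and tries to resume its session is failed with
                # "Forcibly stopping session resumption as it is not allowed".
                cache {
                        enable = yes
                        lifetime = 24   # hours a cached session stays usable
                        max_entries = 255
                }
        }
        peap {
                default_eap_type = mschapv2
                ...
        }
}
```

A resumed session does not rerun the inner MSCHAPv2 exchange, so lifetime bounds how long a client can reconnect without presenting its password again. If that is not what you want, leave the cache off and drop -r1 from the eapol_test command line instead: the first authentication in the log already succeeded.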


Re: How to use Autz-Type?

2009-03-31 Thread Fajar A. Nugraha
On Tue, Mar 31, 2009 at 1:50 PM, Fajar A. Nugraha fa...@fajar.net wrote:
 Thanks Ivan and Alan. So is this syntax correct in Authorize section?

         if (control:Realm == "domain1.com") {
                 sql1
         }


After some testing, apparently it should be request:Realm or simply Realm

Regards,

Fajar



Re: [fixed version] rlm_perl and tagged attributes problem

2009-03-31 Thread tnt

I can't replicate this in 2.1.3. Upgrade - it has been fixed.

Ivan Kalik
Kalik Informatika ISP



Re: Duplicate Acct-Status packets

2009-03-31 Thread Marinko Tarlac
Unique will solve your problem but keep in mind that this will consume more
resources.


rlm_python example?

2009-03-31 Thread Hristo Trendev
I am trying to figure out how to properly set up freeradius with
rlm_python. The module loads and scripts execute, but I seem to be missing
something when I try to return value pairs to be used in the reply
packet (Access-Accept). I have tried with the following script:

def authorize (params):
    print params
    return (0, ('Reply-Message', 'banned1'), ('Reply-Message', 'banned2'))

and received (when I run with -X option):
-snip-
+- entering group authorize {...}
rlm_python:authorize: tuple element 0 is not a tuple
rlm_python:authorize: tuple element 1 is not a tuple
rlm_python:authorize: tuple element 0 is not a tuple
rlm_python:authorize: tuple element 1 is not a tuple
++[python] returns reject
-snip-


I have also tried changing it to:
def authorize (params):
    print params
    return (0, ('Reply-Message', 'banned'))

but then I get:
-snip-
+- entering group authorize {...}
rlm_python:authorize: tuple must be (return, replyTuple, configTuple)
++[python] returns ??
-snip-

Can someone point me in the right direction? What is supposed to be
passed in configTuple? How do I return multiple value pairs? I was
able to make it work with rlm_exec, but I'd like to use the python
module instead.

I am using freeradius on Ubuntu 8.04, installed via apt-get from
hardy-backports (2.1.0+dfsg-0ubuntu2~hardy1).

BR,
Hristo
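An added example (not Hristo's script and not part of FreeRADIUS) of the shape rlm_python in 2.x expects back from authorize(): either a bare return code, or a 3-tuple (rcode, replyTuple, configTuple) where each of the two inner tuples is a tuple of (attribute, value) pairs, even when there is only one pair. The script in the post puts single pairs where those two tuples belong, so the module reports that element 0 of each (the string 'Reply-Message') "is not a tuple", and the leading 0 is RLM_MODULE_REJECT, hence "returns reject". The user table, the banned list and the Cleartext-Password store are constructed for the example; the constants in the fallback class are the ones the radiusd module exposes inside the server.

```python
# Added example: correct rlm_python return shapes plus an offline shape check.
try:
    import radiusd                      # only exists when loaded by rlm_python
except ImportError:
    class radiusd(object):              # stand-in so the module runs outside radiusd
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        RLM_MODULE_HANDLED, RLM_MODULE_INVALID, RLM_MODULE_USERLOCK = 3, 4, 5
        RLM_MODULE_NOTFOUND, RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 6, 7, 8

# Constructed sample data; a real module would consult a database.
BANNED = {'mallory': 'account suspended'}
PASSWORDS = {'alice': 'wonderland'}          # assumption: a cleartext store


def authorize(p):
    """p is a tuple of (attribute, value) pairs, e.g. (('User-Name', 'alice'),)."""
    req = dict(p)
    user = req.get('User-Name', '')
    if user in BANNED:
        # Two Reply-Message pairs: the reply tuple is a tuple OF pairs,
        # one pair per attribute that should appear in the Access-Reject.
        reply = (('Reply-Message', 'banned1'),
                 ('Reply-Message', 'banned2'))
        return (radiusd.RLM_MODULE_REJECT, reply, ())
    if user in PASSWORDS:
        # configTuple holds control items.  Cleartext-Password lets rlm_pap
        # (or chap/mschap) verify the password in the authenticate section;
        # this module never compares the password itself.
        config = (('Cleartext-Password', PASSWORDS[user]),)
        reply = (('Reply-Message', 'hello %s' % user),)
        return (radiusd.RLM_MODULE_UPDATED, reply, config)
    return (radiusd.RLM_MODULE_NOOP, (), ())   # unknown here: let other modules try


def validate_return(ret):
    """Offline check that mirrors the errors rlm_python logs for a bad shape."""
    if isinstance(ret, int):
        return ret
    if not isinstance(ret, tuple) or len(ret) != 3:
        raise ValueError('tuple must be (return, replyTuple, configTuple)')
    rcode, reply, config = ret
    for name, pairs in (('replyTuple', reply), ('configTuple', config)):
        if pairs is None:
            continue                            # None is accepted as "no pairs"
        if not isinstance(pairs, tuple):
            raise ValueError('%s is not a tuple' % name)
        for i, pair in enumerate(pairs):
            if not (isinstance(pair, tuple) and len(pair) == 2):
                raise ValueError('tuple element %d is not a tuple' % i)
    return rcode
```

Running validate_return() over a module's results from a plain python interpreter catches the shape problems before the server does, which is cheaper than reading radiusd -X output for each attempt.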


Need help to identify source of problem

2009-03-31 Thread Doe Hoe
Hi.

I managed to get FreeRADIUS to work with PEAP and WPA2 authentication
using a Linksys WRT54GL wireless router.

The weird problem I'm now having is as follows:
If the client logging onto the Wi-Fi network tries to login with
incorrect credentials (incorrect user or pass) then he gets an
access-reject as expected.
However, any subsequent login requests from the same client machine
(even with correct credentials) seem to be ignored completely. Other
client machines CAN login however.
Restarting FreeRADIUS or the Wi-Fi network interface card of the
client does not help at all. The only way I can get the client machine
to login again is by rebooting the wireless router.

Now when I say ignored completely, I mean that having FreeRADIUS running in
debug mode (freeradius -X) shows absolutely nothing for any of the failed
logins. The output just stays on "Ready to process requests". However,
logins from other client machines that have not been access-rejected
yet cause output in the freeradius debug.

So I am trying to identify the source of the problem. My question is,
are there any cases where freeradius will silently (without debug
output) reject login requests? If not, then I guess the problem lies
with the router itself. And if it is the router causing the problem,
can you please help me with what I should search for on message boards
and forums to fix the problem as I have limited experience with
RADIUS.

Kind Regards,
Doron


Re: Need help to identify source of problem

2009-03-31 Thread tnt
I managed to get FreeRADIUS to work with PEAP and WPA2 authentication
using a Linksys WRT54GL wireless router.

The weird problem I'm now having is as follows:
If the client logging onto the Wi-Fi network tries to login with
incorrect credentials (incorrect user or pass) then he gets an
access-reject as expected.
However, any subsequent login requests from the same client machine
(even with correct credentials) seem to be ignored completely. Other
client machines CAN login however.
Restarting FreeRADIUS or the Wi-Fi network interface card of the
client does not help at all. The only way I can get the client machine
to login again is by rebooting the wireless router.


There you go. The source of the problem is the wireless router. Looks like it's
caching failed authentications. Read the router documentation to see how to
fix that.

Ivan Kalik
Kalik Informatika ISP



Re: Duplicate Acct-Status packets

2009-03-31 Thread tnt
Unique will solve your problem but keep in mind that this will consume more
resources.


That is not a very good solution. True, there will be only one insert in
the table, but if you make sql fail the insert, the sql module will fail, as
will accounting, so no response will go back to the NAS. And it will
send that accounting packet again and again and again ...

Under normal circumstances one dropped response is not a problem. A NAS
tends to repeat unanswered accounting packets every 2 seconds, while
freeradius keeps the request on the list for 5 seconds. So you would need
three consecutive dropped responses for a duplicate to end up in the
radacct table. If your network has such packet loss, fiddling with
accounting is the least of your worries.

But if your NAS is retransmitting at intervals longer than 5 seconds
you should fix that.

Ivan Kalik
Kalik Informatika ISP

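To make the two halves of Ivan's argument concrete, here is an added example that is not from the thread or from FreeRADIUS: a small model of the NAS/server exchange with the radacct table replaced by an in-memory sqlite3 table (cut-down columns, an assumption), the lost responses simulated, and radiusd's duplicate-request window (cleanup_delay, 5 seconds in the stock config) modelled as a cache of already-sent replies. It shows that a plain UNIQUE index turns a retransmitted Start into an endless retry loop, and that an idempotent insert on the same index keeps one row while still answering the NAS. INSERT OR IGNORE is SQLite syntax; MySQL spells it INSERT IGNORE or ON DUPLICATE KEY UPDATE.

```python
# Added example: retransmitted Accounting-Start vs. unique index vs. idempotent insert.
import sqlite3

# Constructed Accounting-Start.  A NAS retransmits it unchanged (same RADIUS
# ID and authenticator) until an Accounting-Response arrives.
START = {'id': 17, 'Acct-Status-Type': 'Start', 'Acct-Session-Id': 'A1B2C3',
         'NAS-IP-Address': '10.0.0.1', 'User-Name': 'alice'}


class Server(object):
    """radiusd + rlm_sql, reduced to what matters for duplicate Starts."""

    def __init__(self, unique_index, on_duplicate='fail', cleanup_delay=5):
        self.db = sqlite3.connect(':memory:')
        self.db.execute('CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, '
                        'acctsessionid TEXT, nasipaddress TEXT, username TEXT)')
        if unique_index:
            self.db.execute('CREATE UNIQUE INDEX radacct_session '
                            'ON radacct (acctsessionid, nasipaddress)')
        # 'fail':   plain INSERT, so a duplicate key makes the query (and rlm_sql) fail
        # 'ignore': INSERT OR IGNORE, so a duplicate key is a silent no-op
        self.verb = 'INSERT OR IGNORE' if on_duplicate == 'ignore' else 'INSERT'
        self.cleanup_delay = cleanup_delay   # radiusd.conf cleanup_delay, seconds
        self.replied = {}                    # (nas, id) -> time the reply was sent

    def receive(self, pkt, now):
        """Process one packet; True means an Accounting-Response went out."""
        key = (pkt['NAS-IP-Address'], pkt['id'])
        sent_at = self.replied.get(key)
        if sent_at is not None and now - sent_at < self.cleanup_delay:
            return True      # request still on the list: cached reply resent, no SQL
        try:
            self.db.execute(self.verb + ' INTO radacct (acctsessionid, nasipaddress, '
                            'username) VALUES (?, ?, ?)',
                            (pkt['Acct-Session-Id'], pkt['NAS-IP-Address'],
                             pkt['User-Name']))
            self.db.commit()
        except sqlite3.IntegrityError:
            return False     # rlm_sql fails -> accounting fails -> no response
        self.replied[key] = now
        return True

    def rows(self):
        return self.db.execute('SELECT COUNT(*) FROM radacct').fetchone()[0]


def run_nas(server, drops, interval=2, max_sends=8):
    """NAS sends START every `interval` s; the first `drops` responses are lost."""
    now = 0
    for sends in range(1, max_sends + 1):
        responded = server.receive(START, now)
        if responded and sends > drops:
            return {'rows': server.rows(), 'sends': sends, 'answered': True}
        now += interval
    return {'rows': server.rows(), 'sends': max_sends, 'answered': False}


if __name__ == '__main__':
    for label, srv in (('no index', Server(False)),
                       ('unique, plain INSERT', Server(True, 'fail')),
                       ('unique, INSERT OR IGNORE', Server(True, 'ignore'))):
        print('%-26s %s' % (label, run_nas(srv, drops=3)))
```

With the stock 2 s retransmit and 5 s window, one or two lost responses never reach SQL at all; the fourth copy does, and that is where the three strategies diverge. The stock radacct schema already carries an acctuniqueid column that rlm_acct_unique fills from the session identifiers, so in practice the unique index goes on that column and the accounting_start_query is made idempotent, rather than adding an index and leaving the plain INSERT in place.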


Re: rlm_python example?

2009-03-31 Thread Hristo Trendev
The examples in src/modules/rlm_python gave me some hints and I
figured it out. Thanks anyway.



Re: ldap+freeradius

2009-03-31 Thread David N'DAKPAZE
Please, now I have a new problem: I use an Active Directory database and when
I do a radtest it is always access-reject, like this:

rad_recv: Access-Request packet from host 172.41.10.71 port 42678, id=153,
length=61
User-Name = azerty5
User-Password = x
NAS-IP-Address = 172.30.10.71
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = azerty5, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect: [azerty5/] (from client SRV-RADIUS port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - lndakpaze
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 153 to 172.30.10.71 port 42678
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +7

Thank you for your help.
2009/3/30 John Dennis jden...@redhat.com

  David N'DAKPAZE wrote:

 I am re-intalling freeradius and when I run make after ./configure
 --disable-shared I have this:

 Don't make matters worse by trying to defeat loadable modules. Go back and
 figure out why the loader can't find the modules. A good place to start is
 looking to see what libdir was defined as when you ran configure and/or look
 to see where the modules were installed when you ran make install (should
 be the same place and by default is /usr/lib/freeradius). Are the modules
 there? Was rpath set when the modules were linked? Was ldconfig run so the
 loader knows where to find them?

  radiusd:  Instantiating modules 
  instantiate {
 /usr/local/etc/raddb/modules/exec[24]: Failed to link to module
 'rlm_exec': rlm_exec.a: cannot open shared object file: No such file
 or directory
 Errors initializing modules
 

 Same applies to *any* missing library. If your linker doesn't have the
 correct path it doesn't matter what the library is called.


 --
 John Dennis jden...@redhat.com jden...@redhat.com

 Looking to carve out IT costs?www.redhat.com/carveoutcosts/



Re: autostart script for FreeRADIUS

2009-03-31 Thread Scott Lambert
On 31/3/09 02:46, Tseveendorj tseveend...@gmail.com wrote:
 Hi John

 Thank you for trying to help me.

 It has, but I didn't know this is exactly right. It looks something like the
 following


 inside /usr/local/etc/rc.d/mysql-server

 # PROVIDE: mysql
 # REQUIRE: LOGIN
 # KEYWORD: shutdown


 inside /usr/local/etc/rc.d/radiusd

 # PROVIDE: radiusd
 # REQUIRE: NETWORKING SERVERS mysql
 # KEYWORD: shutdown

 In my opinion MySQL starts after the LOGIN process, then radiusd is
 started once MySQL has started.

 But it doesn't.

I would wonder if MySQL is fully up and running by the time radius gets
to trying to login.  If MySQL is being launched before FreeRADIUS when
you boot, you might try putting a sleep into the radiusd startup script.
If you can watch the console during bootup, that would be an easy way to
determine which script is starting first, and perhaps, how much time is
passing between launches.

-- 
Scott LambertKC5MLE   Unix SysAdmin
lamb...@lambertfam.org



RE: User Authorization question

2009-03-31 Thread Larry Ross
Config now reads
#DEFAULT	Auth-Type = System
Still not working though.

I'm going to run through a couple of iterations here as I do not think I am expressing 
the problem properly.  First I would like to lay the ground rules.

1: Compare the attribute User-Name to a list of usernames in a text file.  Format 
of the text file: GROUP-NAME:Usernamea,Usernameb,usernamec, e.g. TEST:Noc1,Noc2.  
Here we have two usernames, Noc1 and Noc2; they are in group TEST.
2: Assign Group-Name attributes to the Auth request.  In this example the Noc1 and 
Noc2 usernames would have the Group-Name field set to TEST.
3: Use Group-Name as a flag to assign privileges.  E.g. when you log onto our 
Foundry switch gear it places you in a non-admin role.  To become an admin the 
RADIUS server must send a flag back to the switch as part of the authentication 
process.  We have devices other than the Foundry gear that behave the same 
way. We will have multiple groups with different members; all accounts will be 
members of more than one group, so I will need to perform some logic using the 
authenticating device as well as group membership.  So which device is 
asking for auth and which groups the user's account is a member of will dictate what 
flags are sent back.

Right now I am on step 2.  I have one account on the machine (it's my Linux dev 
box so I only need my account on it) and have Kerberos up and running to auth 
campus accounts.  
 
Let's call my account usernamea, which resides locally AND remotely in Kerberos 
with different passwords; however, from a string-compare standpoint the accounts 
are identical (i.e. on the Linux box my username is usernamea and my campus 
Kerberos principal is also usernamea).
The second username, usernameb, is not local to my machine and thus only 
resides in remote Kerberos.


Let's look at some debug output; see the attached file Initialization.txt.


Let's look at some auth attempts. See the attached files.


I think the way I am trying to implement this is way off base.  If I could have 
my way I would do it from clients.conf, i.e. place the logic in the client 
configuration, so that when a client auths against RADIUS all the group logic 
and RADIUS reply attribute logic is performed on a client-by-client basis (i.e. 
have a client group for the Foundry gear: if your username is in the Foundry 
group you get access.  Another group for the PacketShaper gear: they log into 
the shaper, they are in the Packeteer group, bam, they get access to said device 
with appropriate reply flags).

Hope this is possible.

Thank you


reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = md5
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: 
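The three steps laid out in the post, written as an added, stand-alone example (this is not Larry's code, nor any FreeRADIUS module) so the decision logic can be unit-tested before it is wired into rlm_python, rlm_perl or rlm_exec. The group file format is the one described (GROUP-NAME:usera,userb). The client names, the group names other than TEST, and the per-device policy table are constructed assumptions; Service-Type = Administrative-User is a standard RADIUS attribute, while the vendor-specific "admin flag" a particular device wants has to come from that device's dictionary. Group-Name is returned as a control item, since in FreeRADIUS it is a check attribute rather than something the NAS understands.

```python
# Added example: group file parser plus per-device authorisation policy.

# Constructed sample group file: GROUP:comma,separated,users; '#' starts a comment.
GROUP_FILE = """\
# constructed sample
TEST:Noc1,Noc2
NETENG:Noc2,usernamea
SHAPER:usernamea,usernameb
"""

# Step 3: per-client policy keyed by the client shortname from clients.conf
# (assumption).  Each entry: the groups that unlock the device, and the reply
# pairs to send when one of them matches.
POLICY = {
    'foundry-core': ({'NETENG'},
                     (('Service-Type', 'Administrative-User'),)),
    'packetshaper': ({'SHAPER', 'NETENG'},
                     (('Service-Type', 'Administrative-User'),)),
}


def parse_groups(text):
    """Step 1: return {username: set(groups)}; malformed lines raise, not silently skip."""
    members = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if ':' not in line:
            raise ValueError('line %d: expected GROUP:users, got %r' % (lineno, line))
        group, users = (s.strip() for s in line.split(':', 1))
        for user in users.split(','):
            user = user.strip()
            if user:
                members.setdefault(user, set()).add(group)
    return members


def decide(members, user, client):
    """Steps 2 and 3: (accept, control_pairs, reply_pairs) for user on client.

    Unknown client or no qualifying group rejects, so membership of SOME
    group gives nothing on a device that group does not cover.  The matched
    group names go back as Group-Name control items; the device flag goes in
    the reply.
    """
    groups = members.get(user, set())
    if client not in POLICY:
        return (False, (), ())
    allowed, reply = POLICY[client]
    hit = sorted(groups & allowed)
    if not hit:
        return (False, (), ())
    control = tuple(('Group-Name', g) for g in hit)
    return (True, control, reply)


if __name__ == '__main__':
    table = parse_groups(GROUP_FILE)
    for who, where in (('Noc2', 'foundry-core'), ('Noc1', 'foundry-core'),
                       ('usernamea', 'packetshaper'), ('usernameb', 'foundry-core')):
        print(who, where, decide(table, who, where))
```

Keeping the decision in one function with the client name as an input is what makes "which device is asking" part of the policy without putting logic into clients.conf, which only identifies clients and cannot express it.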

RE: What can cause the Exiting normally without prompting

2009-03-31 Thread 韩枫

Sorry, it includes the prepaid module that I wrote; you cannot reproduce it.

 

test shell



#!/bin/bash
i=0
while true
do 
date
time ../radclient -p 16 -q -s -t 3 -r 3 -f auth_test 127.0.0.1:1812 auth xx

i=`expr $i \+ 1`
echo $i
done



auth_test

User-Name=test1, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=1, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test2, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=2, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test3, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=3, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test4, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=4, Service-Type=Framed, 
Framed-Protocol=PPP

User-Name=test5, User-Password=11, Calling-Station-Id=192.168.10.1 
,NAS-IP-Address=192.168.0.1, NAS-Port=5, Service-Type=Framed, 
Framed-Protocol=PPP

...

---

I am testing; possibly the same code does not have the problem on CentOS 5.2 x86.

CentOS 5.2 x86_64 has the problem.
 
 Date: Mon, 30 Mar 2009 16:17:02 -0300
 Subject: Re: What can cause the Exiting normally without prompting
 From: listas.luaf...@gmail.com
 To: freeradius-users@lists.freeradius.org
 
 2009/3/29 韩枫 switchp...@hotmail.com:
  hi,
  os is centos 5.2 x64,pgsql is 8.3.7. i have not set the cpu quotas.
  Even, I do not know how to set up cpu quotas.
  --
  # ulimit -a
  core file size (blocks, -c) unlimited
  data seg size (kbytes, -d) unlimited
  scheduling priority (-e) 0
  file size (blocks, -f) unlimited
  pending signals (-i) 139264
  max locked memory (kbytes, -l) 32
  max memory size (kbytes, -m) unlimited
  open files (-n) 8192
  pipe size (512 bytes, -p) 8
  POSIX message queues (bytes, -q) 819200
  real-time priority (-r) 0
  stack size (kbytes, -s) 10240
  cpu time (seconds, -t) unlimited
  max user processes (-u) 139264
  virtual memory (kbytes, -v) unlimited
  file locks (-x) unlimited
 
  --
  Whether or not the changed module will cause this to happen?
 
  Date: Sat, 28 Mar 2009 08:25:48 -0700
  From: al...@deployingradius.com
  To: freeradius-users@lists.freeradius.org
  Subject: Re: What can cause the Exiting normally without prompting
 
  switchp...@hotmail.com wrote:
   i am testing freeradius 2.1.X by radclient , when the number of
   requests arrive 6million+, freeradius will Exiting normally without
   prompting.
 
  The only time it exits is when something tells it to exit. e.g. via
  SIGTERM.
 
  I've never seen it exit like that in any of my performance tests.
  Maybe you have CPU quotas for the server?
 
 
 Could you give more details about how to reproduce the situation?
 
 Thanks
 Luciano
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: What can cause the Exiting normally without prompting

2009-03-31 Thread Luciano Afranllie
Just in case this can help you, take a look at
http://linux-mm.org/OOM_Killer

Basically the Linux kernel has a mechanism to kill processes when it
runs out of memory. In this case the kill signal should not be SIGTERM, but
googling I found it may be possible in some cases that the kernel uses this
signal.

Search in your kernel logs (/var/log/dmesg) to see if you have
something like invoked oom-killer

Regards
Luciano

2009/3/31 韩枫 switchp...@hotmail.com:
 Sorry, it includes the prepaid module that I wrote; you cannot reproduce it.

 test shell
 
 #!/bin/bash
 i=0
 while true
 do
 date
 time ../radclient -p 16 -q -s -t 3 -r 3 -f auth_test 127.0.0.1:1812 auth
 xx
 i=`expr $i \+ 1`
 echo $i
 done
 
 auth_test
 User-Name=test1, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=1, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test2, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=2, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test3, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=3, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test4, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=4, Service-Type=Framed,
 Framed-Protocol=PPP
 User-Name=test5, User-Password=11, Calling-Station-Id=192.168.10.1
 ,NAS-IP-Address=192.168.0.1, NAS-Port=5, Service-Type=Framed,
 Framed-Protocol=PPP
 ...
 ---

 I am testing; possibly the same code does not have the problem on CentOS 5.2 x86.
 CentOS 5.2 x86_64 has the problem.

 Date: Mon, 30 Mar 2009 16:17:02 -0300
 Subject: Re: What can cause the Exiting normally without prompting
 From: listas.luaf...@gmail.com
 To: freeradius-users@lists.freeradius.org

 2009/3/29 韩枫 switchp...@hotmail.com:
  hi,
  os is centos 5.2 x64,pgsql is 8.3.7. i have not set the cpu quotas.
  Even, I do not know how to set up cpu quotas.
  --
  # ulimit -a
  core file size (blocks, -c) unlimited
  data seg size (kbytes, -d) unlimited
  scheduling priority (-e) 0
  file size (blocks, -f) unlimited
  pending signals (-i) 139264
  max locked memory (kbytes, -l) 32
  max memory size (kbytes, -m) unlimited
  open files (-n) 8192
  pipe size (512 bytes, -p) 8
  POSIX message queues (bytes, -q) 819200
  real-time priority (-r) 0
  stack size (kbytes, -s) 10240
  cpu time (seconds, -t) unlimited
  max user processes (-u) 139264
  virtual memory (kbytes, -v) unlimited
  file locks (-x) unlimited
 
  --
  Whether or not the changed module will cause this to happen?
 
  Date: Sat, 28 Mar 2009 08:25:48 -0700
  From: al...@deployingradius.com
  To: freeradius-users@lists.freeradius.org
  Subject: Re: What can cause the Exiting normally without prompting
 
  switchp...@hotmail.com wrote:
   i am testing freeradius 2.1.X by radclient , when the number of
   requests arrive 6million+, freeradius will Exiting normally
   without   prompting.
 
  The only time it exits is when something tells it to exit. e.g. via
  SIGTERM.
 
  I've never seen it exit like that in any of my performance tests.
  Maybe you have CPU quotas for the server?
 

 Could you give more details about how to reproduce the situation?

 Thanks
 Luciano

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
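Luciano's suggestion to look for "invoked oom-killer" in the kernel log is easy to script. The following is an added example, not code from the thread: it pairs each "invoked oom-killer" line with the "Killed process" line that follows it, so you can tell whether radiusd was the process the kernel actually killed or merely the one whose allocation triggered the OOM killer. The log lines are constructed for the example; the message formats are those of 2.6-era kernels such as the one in CentOS 5, and the expression does not anchor on the line start so that syslog-prefixed lines in /var/log/messages are handled too.

```python
import re

# Constructed sample kernel log lines (not from the thread). The formats follow
# the 2.6-era kernel messages "<comm> invoked oom-killer" and
# "Out of memory: Killed process <pid> (<comm>)"; PIDs and the trace are made up.
SAMPLE_DMESG = """\
radiusd invoked oom-killer: gfp_mask=0x201d2, order=0, oomkilladj=0
Call Trace:
 [<ffffffff8001a1ff>] __alloc_pages+0x2ef/0x308
Out of memory: Killed process 4821 (postgres).
radiusd invoked oom-killer: gfp_mask=0x201d2, order=0, oomkilladj=0
Out of memory: Killed process 4790 (radiusd).
"""

# Not anchored at the line start, so "Mar 31 16:02:01 host kernel: radiusd
# invoked oom-killer" from /var/log/messages matches as well.
INVOKED_RE = re.compile(r"(?P<invoker>\S+) invoked oom-killer")
KILLED_RE = re.compile(r"Killed process (?P<pid>\d+) \((?P<name>[^)]+)\)")


def find_oom_events(text):
    """Pair each 'invoked oom-killer' line with the 'Killed process' line that
    follows it. The invoker is the process that asked for memory; the victim
    is whatever the kernel chose to kill, which need not be the same process."""
    events = []
    invoker = None
    for line in text.splitlines():
        m = INVOKED_RE.search(line)
        if m:
            invoker = m.group("invoker")
            continue
        m = KILLED_RE.search(line)
        if m:
            events.append({
                "invoked_by": invoker,
                "pid": int(m.group("pid")),
                "victim": m.group("name"),
            })
            invoker = None
    return events


def oom_kills_of(text, process_name):
    """Return only the events in which `process_name` was the victim."""
    return [e for e in find_oom_events(text) if e["victim"] == process_name]


def scan_log_file(path, process_name="radiusd"):
    """Scan a real log such as /var/log/dmesg or /var/log/messages."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return oom_kills_of(fh.read(), process_name)


if __name__ == "__main__":
    for event in find_oom_events(SAMPLE_DMESG):
        print(event)
```

If the scan comes back empty, as it did for the original poster, an OOM kill is ruled out and the remaining explanations are the ones Alan named: something sending the daemon a signal, or resource limits.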

RE: What can cause the Exiting normally without prompting

2009-03-31 Thread 韩枫

thanks,

The logs (dmesg, messages, radius.log) do not have any special hints.
 
 Date: Tue, 31 Mar 2009 16:02:01 -0300
 Subject: Re: What can cause the Exiting normally without prompting
 From: listas.luaf...@gmail.com
 To: freeradius-users@lists.freeradius.org
 
 Just in case this can help you, take a look at
 http://linux-mm.org/OOM_Killer
 
 Basically the Linux kernel has a mechanism to kill processes when it
 runs out of memory. In this case the kill signal should not be SIGTERM, but
 googling I found it may be possible in some cases that the kernel uses this
 signal.
 
 Search in your kernel logs (/var/log/dmesg) to see if you have
 something like invoked oom-killer
 
 Regards
 Luciano
 
 2009/3/31 韩枫 switchp...@hotmail.com:
  Sorry, it includes the prepaid module that I wrote; you cannot reproduce it.
 
  test shell
  
  #!/bin/bash
  i=0
  while true
  do
  date
  time ../radclient -p 16 -q -s -t 3 -r 3 -f auth_test 127.0.0.1:1812 auth
  xx
  i=`expr $i \+ 1`
  echo $i
  done
  
  auth_test
  User-Name=test1, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=1, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test2, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=2, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test3, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=3, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test4, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=4, Service-Type=Framed,
  Framed-Protocol=PPP
  User-Name=test5, User-Password=11, Calling-Station-Id=192.168.10.1
  ,NAS-IP-Address=192.168.0.1, NAS-Port=5, Service-Type=Framed,
  Framed-Protocol=PPP
  ...
  ---
 
  I am testing; possibly the same code does not have the problem on CentOS 5.2 x86.
  CentOS 5.2 x86_64 has the problem.
 
  Date: Mon, 30 Mar 2009 16:17:02 -0300
  Subject: Re: What can cause the Exiting normally without prompting
  From: listas.luaf...@gmail.com
  To: freeradius-users@lists.freeradius.org
 
  2009/3/29 韩枫 switchp...@hotmail.com:
   hi,
   os is centos 5.2 x64,pgsql is 8.3.7. i have not set the cpu quotas.
   Even, I do not know how to set up cpu quotas.
   --
   # ulimit -a
   core file size (blocks, -c) unlimited
   data seg size (kbytes, -d) unlimited
   scheduling priority (-e) 0
   file size (blocks, -f) unlimited
   pending signals (-i) 139264
   max locked memory (kbytes, -l) 32
   max memory size (kbytes, -m) unlimited
   open files (-n) 8192
   pipe size (512 bytes, -p) 8
   POSIX message queues (bytes, -q) 819200
   real-time priority (-r) 0
   stack size (kbytes, -s) 10240
   cpu time (seconds, -t) unlimited
   max user processes (-u) 139264
   virtual memory (kbytes, -v) unlimited
   file locks (-x) unlimited
  
   --
   Whether or not the changed module will cause this to happen?
  
   Date: Sat, 28 Mar 2009 08:25:48 -0700
   From: al...@deployingradius.com
   To: freeradius-users@lists.freeradius.org
   Subject: Re: What can cause the Exiting normally without prompting
  
   switchp...@hotmail.com wrote:
i am testing freeradius 2.1.X by radclient , when the number of
requests arrive 6million+, freeradius will Exiting normally
without   prompting.
  
   The only time it exits is when something tells it to exit. e.g. via
   SIGTERM.
  
   I've never seen it exit like that in any of my performance tests.
   Maybe you have CPU quotas for the server?
  
 
  Could you give more details about how to reproduce the situation?
 
  Thanks
  Luciano
 
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
  
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ldap+freeradius

2009-03-31 Thread tnt
Please, now I have a new problem; I use an Active Directory database and when
I do a radtest, it is always access-reject like this:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MAC auth won't work with SQL

2009-03-31 Thread Eric Geier
Hi, I've set up two different Linux machines with FR and still can't get MAC
authentication working with Calling-Station-Id in the radchk table. I've
checked FAQ and have googled for hours. I've tried a hosted and local mySQL
server.

Right now I'm using FR 2.1.1 on openSUSE. I didn't install freeradius-mysql
on this new Linux machine, because I can't find it. However, I can still do
802.1X/PEAP authentication against my MySQL DB if I don't have the
Calling-Station-Id entry in the radchk table.

I can't get SQL xlat to work in the Clients file either.

I appreciate your help! Thanks!

Associated entries in the radchk table:

DEFAULT  Fall-Through   = yes  
ege...@skynets   Cleartext-Password:=
ege...@skynets   Calling-Station-Id ==
00-1C-B3-B1-3E-07 (if I remove this entry, I can get authenticated)

Here's most of the debug:

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} - ege...@skynets
[sql] sql_set_user escaped user -- 'ege...@skynets'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'ege...@skynets'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'ege...@skynets'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   FROM radusergroup   WHERE username = 'ege...@skynets'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 190 to 192.168.0.1 port 41576
EAP-Message = 0x016600061920
Message-Authenticator = 0x
State = 0x887600b0881019123d77eed9ad3cef65
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=191, length=230
User-Name = ege...@skynets
NAS-IP-Address = 192.168.0.1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 00-1C-B3-B1-3E-07
State = 0x887600b0881019123d77eed9ad3cef65
EAP-Message = 0x0266007d19800073160301006e016a030149d245f8cc2cbd4fe33cdb07dc35b6c87acfcc21da980a70fa466c6e819bf49118002f00350005000ac009c00ac013c014003200380013000401290013001101000e65676569657240736b796e657473000a00080006001700180019000b00020100
Message-Authenticator = 0x15b99d469f497dd1de41e19b04d463d9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm skynets for User-Name = ege...@skynets
[suffix] No such realm skynets
++[suffix] returns noop
[eap] EAP packet type response id 102 length 125
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 115
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 006e], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 192.168.0.1 port 41576
EAP-Message = 0x0167040019c0089b160301002a0226030149d245fcb6267b990aa260afc7ea5b3669e5ee697512f85665761dad0e9b07762f00160301085e0b00085a0008570003a6308203

RE: User Authorization question

2009-03-31 Thread tnt
Config now reads
#DEFAULT   Auth-Type = System
Still not working though


Erm, what is not working?

Gonna run through a couple iterations here as I do not think I am expressing 
the problem properly.  First I would like to lay the ground rules.

1: Compare Attribute User-Name to a list of usernames in a text file.  
Format of text file GROUP-NAME:Usernamea,Usernameb,usernamec ex 
TEST:Noc1,Noc2  Here we have two usernames Noc1 and Noc2 they are in group 
TEST
2: Assign Group-Name attributes to the Auth request.  IN this ex Noc1 and 
Noc2 usernames would have Group-Name field set to TEST

You have done that.

3: Use Group-Name as a flag to assign privileges.  ex.  When you log onto 
our Foundry switch gear it places you in a non admin role.  To become an admin 
the Radius server must send a flag back to the switch as part of the 
authentication process.  We have devices other than the Foundry gear that 
behaves the same way. We will have multiple groups with different members all 
accounts will be members of more than one group so I will need to perform some 
logic using the Authenticating device as well as group membership, so based on 
which device is asking for Auth and what the users accounts is a member of 
will dictate what flags are sent back.


That is going to be very complicated on this ancient server version. Any
reason you are not doing this with current version? 3. would be so much
easier using unlang. Also this:

I think the way I am trying to implement this is way off base.  If I could 
have my way I would rock it from clients.conf.  ie Place the logic in the 
clients configuration, that way when a client auths against radius all the 
group logic and radius reply attribute logic is performed on a client by 
client basis (ie have a client group for the foundry gear, if your username is 
in the foundry group you get access.  Another group for the packshaper group, 
they log into the shaper, they are in the packeteer group, bam they get access 
to said device (with appropriate reply flags).


Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
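To make the three steps Larry lists concrete, here is an added example (not from the thread, and not FreeRADIUS configuration) that implements the policy decision in plain Python: parse the GROUP-NAME:user,user file, compute the groups a user belongs to, and grant access to a device only when the device's client group is among them. The client-group table, the user names beyond Noc1/Noc2 and the Service-Type reply attribute are assumptions made for the example; a real deployment would return whatever privilege attribute each device expects.

```python
# Constructed group file in the GROUP-NAME:user,user format described in the
# thread (the extra groups and users are made up for the example).
GROUP_FILE = """\
# group-name:member,member,...
TEST:Noc1,Noc2
FOUNDRY:Noc1,alice
PACKETEER:Noc2,alice
"""

# Which group each RADIUS client (NAS) belongs to, keyed by NAS-IP-Address.
# Documentation-range placeholder addresses, not real devices.
CLIENT_GROUPS = {
    "192.0.2.10": "FOUNDRY",    # the Foundry switches
    "192.0.2.20": "PACKETEER",  # the PacketShaper
}

# Reply attributes returned when a user is allowed onto a device.
# Service-Type = Administrative-User is a standard RADIUS value; a
# vendor-specific privilege attribute would be added here for real gear
# (assumed, the thread does not name one).
ADMIN_REPLY = {"Service-Type": "Administrative-User"}


def parse_group_file(text):
    """Return {group: set(members)}; blank lines and '#' comments are ignored.
    A malformed line raises rather than silently granting nothing."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d: expected GROUP-NAME:user,user" % lineno)
        name, members = line.split(":", 1)
        groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def groups_for_user(groups, username):
    """Step 2 from the thread: the Group-Name values this user would be given."""
    return {g for g, members in groups.items() if username in members}


def authorize(groups, nas_ip, username):
    """Step 3: grant admin access only when the requesting NAS's group is one
    of the user's groups. Unknown clients and non-members get a plain reject."""
    device_group = CLIENT_GROUPS.get(nas_ip)
    if device_group is None:
        return ("reject", {})
    if device_group in groups_for_user(groups, username):
        return ("accept", dict(ADMIN_REPLY))
    return ("reject", {})


if __name__ == "__main__":
    table = parse_group_file(GROUP_FILE)
    for nas, user in (("192.0.2.10", "Noc1"), ("192.0.2.20", "Noc1")):
        print(nas, user, authorize(table, nas, user))
```

The decision depends on two inputs, the client and the user's memberships, which is why it belongs in the authorize policy rather than in clients.conf: clients.conf identifies the NAS, while the per-request logic has to see both.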


Re: MAC auth won't work with SQL

2009-03-31 Thread tnt
Hi, I've set up two different Linux machines with FR and still can't get MAC
authentication working with Calling-Station-Id in the radchk table. I've
checked FAQ and have googled for hours. I've tried a hosted and local mySQL
server.


If you only bothered looking at debug and configuration files for the
authentication method you are using. Outer request:

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=191,
length=230
..
Calling-Station-Id = 00-1C-B3-B1-3E-07
..

has that attribute in it, and inner request (user is authenticated in
inner tunnel):

Sending tunneled request
EAP-Message = 0x026c00491a026c00443177f318d460fc36f9cc77a41c0a4b365610538d55c2badfcc4a85b41f875a5521f978d255be29a7d20065676569657240736b796e657473
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = ege...@skynets
State = 0x8433f2b7845fe8463016d60fe5b8c67e

.. doesn't! You have a setting copy_request_to_tunnel in peap section
of eap.conf. Enable it.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: User Authorization question

2009-03-31 Thread Larry Ross
D'Oh.  Its what Cent 5 installed (being a touch lazy... Sorry will rectify and 
touch base when on current code)

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org 
[mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On 
Behalf Of t...@kalik.net
Sent: Tuesday, March 31, 2009 1:58 PM
To: FreeRadius users mailing list
Subject: RE: User Authorization question

Config now reads
#DEFAULT   Auth-Type = System
Still not working though


Erm, what is not working?

Gonna run through a couple iterations here as I do not think I am expressing 
the problem properly.  First I would like to lay the ground rules.

1: Compare Attribute User-Name to a list of usernames in a text file.  
Format of text file GROUP-NAME:Usernamea,Usernameb,usernamec ex 
TEST:Noc1,Noc2  Here we have two usernames Noc1 and Noc2 they are in group 
TEST
2: Assign Group-Name attributes to the Auth request.  IN this ex Noc1 and 
Noc2 usernames would have Group-Name field set to TEST

You have done that.

3: Use Group-Name as a flag to assign privileges.  ex.  When you log onto 
our Foundry switch gear it places you in a non admin role.  To become an admin 
the Radius server must send a flag back to the switch as part of the 
authentication process.  We have devices other than the Foundry gear that 
behaves the same way. We will have multiple groups with different members all 
accounts will be members of more than one group so I will need to perform some 
logic using the Authenticating device as well as group membership, so based on 
which device is asking for Auth and what the users accounts is a member of 
will dictate what flags are sent back.


That is going to be very complicated on this ancient server version. Any
reason you are not doing this with current version? 3. would be so much
easier using unlang. Also this:

I think the way I am trying to implement this is way off base.  If I could 
have my way I would rock it from clients.conf.  ie Place the logic in the 
clients configuration, that way when a client auths against radius all the 
group logic and radius reply attribute logic is performed on a client by 
client basis (ie have a client group for the foundry gear, if your username is 
in the foundry group you get access.  Another group for the packshaper group, 
they log into the shaper, they are in the packeteer group, bam they get access 
to said device (with appropriate reply flags).


Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MAC auth won't work with SQL

2009-03-31 Thread Eric Geier
Great, works now. Thanks!

Is there a way to load the Database Value field with multiple MAC addresses,
and have freeradius check against them so I can specify multiple devices the
user can use?

- Eric

 -Original Message-
 From: freeradius-users-bounces+me=egeier@lists.freeradius.org
 [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
 Behalf Of t...@kalik.net
 Sent: Tuesday, March 31, 2009 5:11 PM
 To: FreeRadius users mailing list
 Subject: Re: MAC auth won't work with SQL
 
 Hi, I've set up two different Linux machines with FR and still can't get MAC
 authentication working with Calling-Station-Id in the radchk table. I've
 checked FAQ and have googled for hours. I've tried a hosted and local mySQL
 server.
 
 
 If you only bothered looking at debug and configuration files for the
 authentication method you are using. Outer request:
 
 rad_recv: Access-Request packet from host 192.168.0.1 port 41576,
 id=191,
 length=230
 ..
 Calling-Station-Id = 00-1C-B3-B1-3E-07
 ..
 
 has that attribute in it, and inner request (user is authenticated in
 inner tunnel):
 
 Sending tunneled request
 
 EAP-Message =
 0x026c00491a026c00443177f318d460fc36f9cc77a41c0a4b3656
 10538d
 55c2badfcc4a85b41f875a5521f978d255be29a7d20065676569657240736b796e6574
 73
 
 FreeRADIUS-Proxied-To = 127.0.0.1
 
 User-Name = ege...@skynets
 
 State = 0x8433f2b7845fe8463016d60fe5b8c67e
 
 .. doesn't! You have a setting copy_request_to_tunnel in peap section
 of eap.conf. Enable it.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
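Ivan's diagnosis (the inner tunnel request carries no Calling-Station-Id until copy_request_to_tunnel is enabled) and Eric's follow-up question about several MACs per user can both be seen in a small simulation of how check items are evaluated. This is an added example, not FreeRADIUS code or the thread's own configuration: the radcheck rows, the requests and the bob@skynets user are constructed, and the =~ row assumes the regular-expression check operator that FreeRADIUS supports for check items, which is one way to list several permitted addresses in a single row.

```python
import re

# Constructed radcheck rows (username, attribute, op, value) in the shape of
# the table from the thread; the passwords and the second MAC are placeholders.
# The "=~" row is this example's assumption for allowing several MACs per user.
RADCHECK = [
    ("egeier@skynets", "Cleartext-Password", ":=", "placeholder-password"),
    ("egeier@skynets", "Calling-Station-Id", "==", "00-1C-B3-B1-3E-07"),
    ("bob@skynets", "Cleartext-Password", ":=", "placeholder-password"),
    ("bob@skynets", "Calling-Station-Id", "=~",
     "^(00-1C-B3-B1-3E-07|00-1C-B3-AA-BB-CC)$"),
]


def check_items_match(rows, request):
    """Evaluate the comparison check items against one request.

    ':=' rows set control items (the password the authentication method will
    verify) rather than compare anything, so they are skipped. A '==' or '=~'
    item whose attribute is absent from the request cannot match, which is
    what happens to Calling-Station-Id inside the PEAP tunnel when
    copy_request_to_tunnel is off."""
    for _, attr, op, value in rows:
        if op == ":=":
            continue
        actual = request.get(attr)
        if actual is None:
            return False
        if op == "==" and actual != value:
            return False
        if op == "=~" and re.search(value, actual) is None:
            return False
    return True


def authorize_inner(username, inner_request, outer_request, copy_request_to_tunnel):
    """Simulate the inner-tunnel authorize step. The inner request carries only
    what the supplicant sent inside TLS unless copy_request_to_tunnel adds the
    outer attributes (NAS-IP-Address, Calling-Station-Id, ...). 'reject' stands
    for the end result when the user's check items do not match."""
    request = dict(inner_request)
    if copy_request_to_tunnel:
        for attr, value in outer_request.items():
            request.setdefault(attr, value)
    rows = [row for row in RADCHECK if row[0] == username]
    if not rows:
        return "notfound"
    return "ok" if check_items_match(rows, request) else "reject"


# Constructed requests: the outer Access-Request carries the MAC, the inner
# (tunneled) one does not, matching the debug output quoted in the thread.
OUTER = {"User-Name": "egeier@skynets", "NAS-IP-Address": "192.168.0.1",
         "NAS-Port-Type": "Wireless-802.11",
         "Calling-Station-Id": "00-1C-B3-B1-3E-07"}
INNER = {"User-Name": "egeier@skynets", "FreeRADIUS-Proxied-To": "127.0.0.1"}


if __name__ == "__main__":
    for flag in (False, True):
        print("copy_request_to_tunnel =", flag,
              "->", authorize_inner("egeier@skynets", INNER, OUTER, flag))
```

Whether the op column of your particular SQL schema accepts "=~" is something to confirm against your schema; the alternative is one "==" row per MAC, which cannot work because every check item for the user must match at once.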


SQL xlat not working

2009-03-31 Thread Eric Geier
I can't get SQL xlat to work in the Clients file. I'm trying to do a DB
query for the Shared Secret.

I'm getting invalid Message-Authenticator (Shared secret is incorrect)
errors.
The select statement works fine when run on my DB server.

Have any suggestions?

Thanks, Eric

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: autostart script for FreeRADIUS

2009-03-31 Thread Tseveendorj

Scott Lambert wrote:

On 31/3/09 02:46, Tseveendorj tseveend...@gmail.com wrote:

Hi John

Thank you for trying to help me.

It has, but I didn't know whether this is exactly right. It looks something
like the following


inside /usr/local/etc/rc.d/mysql-server

# PROVIDE: mysql
# REQUIRE: LOGIN
# KEYWORD: shutdown


inside /usr/local/etc/rc.d/radiusd

# PROVIDE: radiusd
# REQUIRE: NETWORKING SERVERS mysql
# KEYWORD: shutdown

In my opinion MySQL starts after the LOGIN process, and then radiusd
starts once MySQL has started.

But it doesn't.



I would wonder if MySQL is fully up and running by the time radius gets
to trying to login.  If MySQL is being launched before FreeRADIUS when
you boot, you might try putting a sleep into the radiusd startup script.
If you can watch the console during bootup, that would be an easy way to
determine which script is starting first, and perhaps, how much time is
passing between launches.

  

Thank you very much.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Seg Fault in 2.0.3

2009-03-31 Thread Garber, Neal
I have a FR 2.0.3 server running under FreeBSD 6.3 which intermittently
exits with a segmentation fault.  I tried searching the list for known
seg fault issues with 2.0.3 and only found one which sounded like it
only happens when running under gdb.  Do you think upgrading to 2.1.3
(it's the latest port for FR under FreeBSD) could potentially resolve
this issue?  (I'm not looking for a guarantee, just an opinion based
upon whether there were known seg faults in 2.0.3 that were fixed in
later releases.)  Should I run FR under gdb to get more information
about the seg fault?  This morning it happened while I was running
radiusd -Xx and the error occurred a few minutes after a request was
successfully processed as a new request was received and before it was
able to output any information about it.  The server had been running
for less than a week (most times it runs longer than this before
crashing).  So, the last two lines of output were:

Tue Mar 31 07:52:08 2009 : Debug: Ready to process requests.
Segmentation Fault: 11

 

I realize this isn't enough to diagnose the problem (but, it's all the
information I currently have).  Please let me know how you think it's
best to proceed (e.g., upgrade, get more info about the problem,
other..)  

 

Thanks in advance for any assistance/advice you can provide.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Duplicate Acct-Status packets

2009-03-31 Thread Bogomolov Andrei


Ivan, it's interesting. Our NAS is a Linux pppoe-server with the latest pppd 
version. Pppd retransmits Acct-Status in 10 seconds. Is it possible to 
increase the freeradius request tracking time you are talking about from 5 to 
15 seconds? Where is this place in the configs/sources?


t...@kalik.net wrote:

Unique will solve your problem but keep in mind that this will consume more
resources.




That is not a very good solution. True, there will be only one insert in
the table, but if you make sql fail the insert, the sql module will fail, as
will accounting, so no response will go back to the NAS. And it will
send that accounting packet again and again and again ...

Under normal circumstances one dropped response is not a problem. A NAS
tends to repeat unanswered accounting packets every 2 seconds, while
freeradius keeps the request on the list for 5 seconds. So you would need
three consecutive dropped responses for a duplicate to end up in the
radacct table. If your network has such packet loss, fiddling with
accounting is the least of your worries.

But if your NAS is retransmitting in intervals longer than 5 seconds
you should fix that.

Ivan Kalik
Kalik Informatika ISP

  

On Tue, Mar 31, 2009 at 11:50 AM, Bogomolov Andrei d...@clink.ru wrote:



  I'm running freeradius-1.1.7: the NAS server sends an Acct-Status-Start
packet, then freeradius processes it and confirms with
Acct-Status-Reply. But if the reply packet is lost due to its UDP nature, the NAS
sends a second Acct-Status-Start. In this situation I have two duplicate
records in the radacct table. How can I avoid this? Unique db-indexes, or
better something else?

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

  



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
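Ivan's arithmetic (a NAS retransmitting every 2 seconds, the server keeping requests for 5 seconds, so three lost responses in a row are needed before a duplicate row reaches radacct) and Andrei's 10-second pppd retransmit can both be reproduced with a small model of the server's duplicate-detection list. This is an added example, not FreeRADIUS source: the packet fields and timings are constructed, and the dedup key (source address, packet id, Request-Authenticator) is the example's own simplification of how the server recognises a retransmission.

```python
class AcctDedup:
    """Remember recently handled accounting requests for `window` seconds.

    A retransmission from the NAS arrives from the same UDP source with the
    same RADIUS packet id and the same Request-Authenticator, so that triple
    is the key. While the original is still on the list the duplicate is
    answered again without touching radacct; once the entry has expired the
    retransmission looks like a new packet and is inserted a second time."""

    def __init__(self, window, clock):
        self.window = window   # seconds to keep a finished request around
        self.clock = clock     # callable returning the current time
        self.seen = {}         # key -> time the request was first handled

    def _expire(self, now):
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}

    def handle(self, packet, insert_row):
        now = self.clock()
        self._expire(now)
        key = (packet["src"], packet["id"], packet["authenticator"])
        if key in self.seen:
            return "duplicate"
        insert_row(packet)
        self.seen[key] = now
        return "inserted"


def simulate(window, retransmit_after, lost_responses=1):
    """Send one accounting Start, lose the response `lost_responses` times,
    retransmit every `retransmit_after` seconds, and count the rows that
    reach radacct. Returns the number of rows inserted."""
    now = [0.0]                      # fake clock, advanced by the simulation
    rows = []
    dedup = AcctDedup(window, clock=lambda: now[0])
    # Constructed packet; a real NAS keeps id and authenticator on retransmit.
    packet = {"src": ("192.0.2.50", 1813), "id": 42,
              "authenticator": bytes.fromhex("00112233445566778899aabbccddeeff"),
              "Acct-Status-Type": "Start", "Acct-Session-Id": "0000001A"}
    dedup.handle(packet, rows.append)          # first copy; response is lost
    for _ in range(lost_responses):
        now[0] += retransmit_after
        dedup.handle(packet, rows.append)      # NAS retransmits the same packet
    return len(rows)


if __name__ == "__main__":
    print("window 5 s, retransmit 10 s  :", simulate(5, 10), "row(s)")
    print("window 15 s, retransmit 10 s :", simulate(15, 10), "row(s)")
    print("window 5 s, retransmit 2 s x3:", simulate(5, 2, lost_responses=3), "row(s)")
```

The setting Andrei asks about is cleanup_delay in radiusd.conf, which is how long the server keeps a finished request on its list to answer retransmissions; its default is 5 seconds. Raising it to cover a 10-second retransmit interval makes the model above return one row, which is the behaviour the thread is after, though Ivan's advice to shorten the NAS retransmit interval removes the problem at its source.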