Re: How to use Autz-Type?
On Tue, Mar 31, 2009 at 7:10 AM, Alan DeKok al...@deployingradius.com wrote:
> Fajar A. Nugraha wrote:
>> Hi, I'm using freeradius 2.1.3 (self-compiled as RPM), and trying to use Autz-Type.
>
> Don't. In 2.1.3, unlang is better. Read man unlang, and create your policy that way.

Thanks Ivan and Alan. So is this syntax correct in the Authorize section?

    if (control:Realm == "domain1.com") {
        sql1
    }

Regards,
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[fixed version] rlm_perl and tagged attributes problem
Hello

[Update: fixed script so that it won't set incorrect attributes, but the problem persists]

I'm trying to set up FreeRADIUS with the rlm_perl module to be able to interoperate with our billing/provisioning system.

FreeRADIUS version:

    # radiusd -v
    radiusd: FreeRADIUS Version 1.1.7, for host amd64-portbld-freebsd6.3, built on Jan 15 2009 at 18:36:52

Perl version:

    # perl -V
    Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
      Platform:
        osname=freebsd, osvers=6.3-rc2, archname=amd64-freebsd

We are using a Juniper ERX-310 BRAS to terminate our customers, and to configure policies and so on it needs a few attributes to be tagged. Here is what a normal session should look like:

    [ne...@nemo ~]$ radtest admin test 127.0.0.1 2 testing123
    Sending Access-Request of id 229 to 127.0.0.1 port 1812
            User-Name = admin
            User-Password = test
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 2
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=127, length=126
            ERX-Qos-Profile-Name = SP_Tele_Internet
            ERX-Qos-Parameters = internet_tr_value 2097152
            Framed-IP-Address = 10.0.112.2
            Framed-IP-Netmask = 255.255.255.255
            ERX-Service-Statistics:1 = time-volume
            ERX-Service-Activate:1 = telesys(1048576)

Please note the ERX-Service-Statistics:1 and ERX-Service-Activate:1 attributes. I have minimized the code in the Perl module to achieve this, to exclude any possibility of our system's influence:

    sub authorize {
        # Minimal test policy: only the hard-coded admin/test user is accepted.
        if (($RAD_REQUEST{'User-Name'} eq 'admin') and ($RAD_REQUEST{'User-Password'} eq 'test')) {
            # The :1 suffix asks for the tagged form of these ERX attributes.
            $RAD_REPLY{'ERX-Service-Activate:1'}   = 'telesys(1048576)';
            $RAD_REPLY{'ERX-Service-Statistics:1'} = 'time-volume';
            $RAD_REPLY{'ERX-Qos-Parameters'}       = "internet_tr_value 2097152";
            $RAD_REPLY{'ERX-Qos-Profile-Name'}     = "SP_Tele_Internet";
            $RAD_REPLY{'Framed-IP-Address'}        = '10.0.112.2';
            $RAD_REPLY{'Framed-IP-Netmask'}        = "255.255.255.255";
            return RLM_MODULE_OK;
        }
    }

Now let me describe what happens. When I restart radiusd and issue the 1st RADIUS Access-Request packet, it returns the attributes as expected. But the next one returns this:

    $ radtest admin test 127.0.0.1 2 testing123
    Sending Access-Request of id 32 to 127.0.0.1 port 1812
            User-Name = admin
            User-Password = test
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 2
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=37, length=125
            ERX-Qos-Profile-Name = SP_Tele_Internet
            ERX-Qos-Parameters = internet_tr_value 2097152
            Framed-IP-Address = 10.0.112.2
            Framed-IP-Netmask = 255.255.255.255
            ERX-Service-Statistics:0 = time-volume
            ERX-Service-Activate:0 = telesys(1048576)

Please note the :0 after the 2 last ERX-* attributes, which is a) incorrect, b) in the Perl code it is clearly written as :1.

Please help me to resolve this issue. Thanks in advance.

Here is the log of the correct behavior:

    rad_recv: Access-Request packet from host 127.0.0.1:64032, id=52, length=57
            User-Name = admin
            User-Password = test
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 2
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module preprocess returns ok for request 0
      modcall[authorize]: module chap returns noop for request 0
      modcall[authorize]: module mschap returns noop for request 0
        rlm_realm: No '@' in User-Name = admin, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 0
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module eap returns noop for request 0
        users: Matched entry DEFAULT at line 171
      modcall[authorize]: module files returns ok for request 0
    Using perl at 0x592370
    rlm_perl: $VAR1 = {};
    rlm_perl: defined
    rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
    rlm_perl: Added pair ERX-Service-Activate = telesys(1048576)
    rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
    rlm_perl: Added pair ERX-Service-Statistics = time-volume
    rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
    rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
    rlm_perl: Added pair Auth-Type = Perl
      modcall[authorize]: module perl returns ok for request 0
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
      modcall[authorize]: module pap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
      rad_check_password: Found Auth-Type Perl
    auth: type Perl
      Processing the authenticate section of radiusd.conf
    modcall: entering group Perl for request 0
    Using perl at 0x592370
    rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
    rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
    rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
    rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
    rlm_perl: Added pair Auth-Type = Perl
PEAP test fails using eapol_test
I have spent more than a week trying every hint I could extract from Google, but I am still unable to get a working PEAP setup. Could someone please point out my glaringly obvious mistake.

Versions:

    freeradius built from 2.1.4 source (but it reports 2.1.5 on start!)
    eapol_test from wpa_supplicant-0.6.9

I am trying to perform PEAP with MSCHAPV2.

eapol_test (wpa_supplicant-0.6.9) configuration:

    network={
        eap=PEAP
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="testuser"
        password="password"
        ca_cert="ca.pem"
        phase2="auth=MSCHAPV2"
        anonymous_identity="anonymous"
    }

    ./eapol_test -c eapol_test.conf.peap -a130.225.51.102 -p1812 -stesting123 -r1

eapol_test.log: http://kom.aau.dk/%7Ebai/wpa/eapol_test.log

    radiusd -X

radiusd.log: http://kom.aau.dk/%7Ebai/wpa/radiusd.log

Trouble spots seem to be:

    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.

Do I have to create an entry in users for the anonymous user?

    [peap] FAIL: Forcibly stopping session resumption as it is not allowed.

This seems to happen after successful mschapv2 through the tunnel.

Any help will be appreciated!

/Bo Bai
Re: autostart script for FreeRADIUS
On 31/3/09 02:46, Tseveendorj tseveend...@gmail.com wrote:
> John Hawkes-Reed wrote:
> [ ... ]
>
> Hi John
>
> Thank you for trying to help me. It has but I didn't know this is exactly right. Something looks like following
>
> inside /usr/local/etc/rc.d/mysql-server
>
>     # PROVIDE: mysql
>     # REQUIRE: LOGIN
>     # KEYWORD: shutdown
>
> inside /usr/local/etc/rc.d/radiusd
>
>     # PROVIDE: radiusd
>     # REQUIRE: NETWORKING SERVERS mysql
>     # KEYWORD: shutdown
>
> In my opinion the MySQL starts after LOGIN process then radiusd is starting when the mysql started. But it doesn't.

Hm. Bother.

From 'man 8 rc':

    Certain scripts may want to provide enhanced functionality. The user may access this functionality through additional commands. The script may list and define as many commands as it needs.

    #!/bin/sh
    #
    # PROVIDE: foo
    # REQUIRE: bar_service_required_to_precede_foo
    # BEFORE: baz_service_requiring_foo_to_precede_it

So I guess try a 'BEFORE: radiusd' in the mysql rc file. After that, I'd be debugging the script start order by hand.

[ ... ]

--
John Hawkes-Reed
Systems Administrator. Future Publishing. x 2526
Duplicate Acct-Status packets
I'm running freeradius-1.1.7: the NAS server sends an Acct-Status-Start packet, then freeradius processes it and confirms with an Acct-Status-Reply. But if the reply packet is lost due to its UDP nature, the NAS sends a second Acct-Status-Start. In this situation I have two duplicate records in the radacct table. How can I avoid this? Unique db indexes, or better something else?
Re: PEAP test fails using eapol_test
> I have spent more than a week trying every hint I could extract from Google, but I am still unable to get a working PEAP setup. Could someone please point out my glaringly obvious mistake.

The main mistake is that authentication - works:

    Sending Access-Accept of id 9 to 130.225.51.87 port 49707
            MS-MPPE-Recv-Key = 0xabfe75a439bfffee14fbe7b08175c562a6ca31ee35da0da4b529c7e245aedbb0
            MS-MPPE-Send-Key = 0xb2b712c4df5ba5cdfbc893e6fdc6cbb710d3a52c5d868f8cfcbf7635184cb9aa
            EAP-Message = 0x03090004
            Message-Authenticator = 0x
            User-Name = anonymous
    Finished request 9.

and eapol:

    CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
    WPA: EAPOL processing complete
    EAPOL: SUPP_PAE entering state AUTHENTICATED
    EAPOL: SUPP_BE entering state RECEIVE
    EAPOL: SUPP_BE entering state SUCCESS
    EAPOL: SUPP_BE entering state IDLE

Reauthentication failed. Read cache section of eap.conf.

Ivan Kalik
Kalik Informatika ISP
Re: How to use Autz-Type?
On Tue, Mar 31, 2009 at 1:50 PM, Fajar A. Nugraha fa...@fajar.net wrote:
> Thanks Ivan and Alan. So is this syntax correct in the Authorize section?
>
>     if (control:Realm == "domain1.com") {
>         sql1
>     }

After some testing, apparently it should be request:Realm or simply Realm

Regards,
Fajar
Re: [fixed version] rlm_perl and tagged attributes problem
> [Update: fixed script so that it won't set incorrect attributes, but the problem persists]
>
> I'm trying to set up FreeRADIUS with the rlm_perl module to be able to interoperate with our billing/provisioning system.
>
> FreeRADIUS version:
>
>     # radiusd -v
>     radiusd: FreeRADIUS Version 1.1.7, for host amd64-portbld-freebsd6.3, built on Jan 15 2009 at 18:36:52
>
> [ ... ]
>
> Now let me describe what happens. When I restart radiusd and issue the 1st RADIUS Access-Request packet, it returns the attributes as expected. But the next one returns this:
>
>     $ radtest admin test 127.0.0.1 2 testing123
>     Sending Access-Request of id 32 to 127.0.0.1 port 1812
>             User-Name = admin
>             User-Password = test
>             NAS-IP-Address = 255.255.255.255
>             NAS-Port = 2
>     rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=37, length=125
>             ERX-Qos-Profile-Name = SP_Tele_Internet
>             ERX-Qos-Parameters = internet_tr_value 2097152
>             Framed-IP-Address = 10.0.112.2
>             Framed-IP-Netmask = 255.255.255.255
>             ERX-Service-Statistics:0 = time-volume
>             ERX-Service-Activate:0 = telesys(1048576)
>
> Please note the :0 after the 2 last ERX-* attributes, which is a) incorrect, b) in the Perl code it is clearly written as :1.

I can't replicate this in 2.1.3. Upgrade - it has been fixed.

Ivan Kalik
Kalik Informatika ISP
Re: Duplicate Acct-Status packets
Unique will solve your problem but keep in mind that this will consume more resources.

On Tue, Mar 31, 2009 at 11:50 AM, Bogomolov Andrei d...@clink.ru wrote:
> I'm running freeradius-1.1.7: the NAS server sends an Acct-Status-Start packet, then freeradius processes it and confirms with an Acct-Status-Reply. But if the reply packet is lost due to its UDP nature, the NAS sends a second Acct-Status-Start. In this situation I have two duplicate records in the radacct table. How can I avoid this? Unique db indexes, or better something else?
rlm_python example?
I am trying to figure out how to properly set up freeradius with rlm_python. The module loads and scripts execute, but I seem to be missing something when I try to return value pairs to be used in the reply packet (Access-Accept).

I have tried with the following script:

    def authorize (params):
        print params
        return (0, ('Reply-Message', 'banned1'), ('Reply-Message', 'banned2'))

and received (when I run with the -X option):

    -snip-
    +- entering group authorize {...}
    rlm_python:authorize: tuple element 0 is not a tuple
    rlm_python:authorize: tuple element 1 is not a tuple
    rlm_python:authorize: tuple element 0 is not a tuple
    rlm_python:authorize: tuple element 1 is not a tuple
    ++[python] returns reject
    -snip-

I have also tried changing it to:

    def authorize (params):
        print params
        return (0, ('Reply-Message', 'banned'))

but then I get:

    -snip-
    +- entering group authorize {...}
    rlm_python:authorize: tuple must be (return, replyTuple, configTuple)
    ++[python] returns ??
    -snip-

Can someone point me in the right direction? What is supposed to be passed in configTuple? How do I return multiple value pairs? I was able to make it work with rlm_exec, but I'd like to use the python module instead.

I am using freeradius on ubuntu 8.04, installed via apt-get from hardy-backports (2.1.0+dfsg-0ubuntu2~hardy1)

BR,
Hristo
Need help to identify source of problem
Hi.

I managed to get FreeRADIUS to work with PEAP and WPA2 authentication using a Linksys WRT54GL wireless router. The weird problem I'm now having is as follows:

If the client logging onto the Wi-Fi network tries to log in with incorrect credentials (incorrect user or pass) then he gets an access-reject as expected. However, any subsequent login requests from the same client machine (even with correct credentials) seem to be ignored completely. Other client machines CAN login however. Restarting FreeRADIUS or the wi-fi network interface card of the client does not help at all. The only way I can get the client machine to log in again is by rebooting the wireless router.

Now when I say ignored completely, I mean having FreeRADIUS running in debug mode (freeradius -X) shows absolutely nothing for any of the failed logins. The output just stays on "Ready to process requests." However, logins from other client machines that have not been access-rejected yet cause output on the freeradius debug.

So I am trying to identify the source of the problem. My question is, are there any cases where freeradius will silently (without debug output) reject login requests? If not, then I guess the problem lies with the router itself. And if it is the router causing the problem, can you please help me with what I should search for on message boards and forums to fix the problem, as I have limited experience with RADIUS.

Kind Regards,
Doron
Re: Need help to identify source of problem
> I managed to get FreeRADIUS to work with PEAP and WPA2 authentication using a Linksys WRT54GL wireless router. The weird problem I'm now having is as follows:
>
> If the client logging onto the Wi-Fi network tries to log in with incorrect credentials (incorrect user or pass) then he gets an access-reject as expected. However, any subsequent login requests from the same client machine (even with correct credentials) seem to be ignored completely. Other client machines CAN login however. Restarting FreeRADIUS or the wi-fi network interface card of the client does not help at all. The only way I can get the client machine to log in again is by rebooting the wireless router.

There you go. The source of the problem is the wireless router. It looks like it's caching failed authentications. Read the router documentation to see how to fix that.

Ivan Kalik
Kalik Informatika ISP
Re: Duplicate Acct-Status packets
> Unique will solve your problem but keep in mind that this will consume more resources.

That is not a very good solution. True, there will be only one insert in the table, but if you make sql fail the insert, the sql module will fail, as will accounting, so no response will go back to the NAS. And it will send that accounting packet again and again and again ...

Under normal circumstances one dropped response is not a problem. A NAS tends to repeat unanswered accounting packets every 2 seconds, while freeradius keeps the request on the list for 5 seconds. So you would need three consecutive dropped responses for a duplicate to end up in the radacct table. If your network has such packet loss, fiddling with accounting is the least of your worries. But if your NAS is retransmitting in intervals longer than 5 seconds you should fix that.

Ivan Kalik
Kalik Informatika ISP

> On Tue, Mar 31, 2009 at 11:50 AM, Bogomolov Andrei d...@clink.ru wrote:
>> I'm running freeradius-1.1.7: the NAS server sends an Acct-Status-Start packet, then freeradius processes it and confirms with an Acct-Status-Reply. But if the reply packet is lost due to its UDP nature, the NAS sends a second Acct-Status-Start. In this situation I have two duplicate records in the radacct table. How can I avoid this? Unique db indexes, or better something else?
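A small simulation of the timing Ivan describes, added here as an example and not part of the thread or of FreeRADIUS: a NAS retransmitting an unanswered Accounting-Request every 2 seconds against a server that keeps each request cached for cleanup_delay = 5 seconds, with and without a unique index on radacct. The cache key (client, packet ID, Request Authenticator), the in-memory radacct stand-in and the packet values are simplifying assumptions of mine.

```python
"""Simulation of how a RADIUS server's duplicate-request cache interacts with a
NAS that retransmits an unanswered Accounting-Request.  Added example, not
FreeRADIUS code.  Timings follow the thread: the NAS retransmits every 2 s and
the server keeps a finished request for cleanup_delay = 5 s.  Assumptions: the
cache key is (client, packet ID, Request Authenticator) and radacct is a list."""

from collections import namedtuple

# One Accounting-Request Start as the NAS would send it (constructed values).
Packet = namedtuple("Packet", "client pkt_id authenticator session_id")


class RadacctTable:
    """Stand-in for the radacct table, optionally with a unique index on the session."""

    def __init__(self, unique_index=False):
        self.rows = []
        self.unique_index = unique_index

    def insert_start(self, session_id):
        if self.unique_index and session_id in self.rows:
            raise ValueError("duplicate key")  # the SQL INSERT fails
        self.rows.append(session_id)


class Server:
    """Accounting handler with FreeRADIUS-style duplicate detection."""

    def __init__(self, table, cleanup_delay=5.0):
        self.table = table
        self.cleanup_delay = cleanup_delay
        self.cache = {}  # key -> (time first seen, reply or None)

    def handle(self, pkt, now):
        # Drop cached requests older than cleanup_delay.
        self.cache = {k: v for k, v in self.cache.items()
                      if now - v[0] < self.cleanup_delay}
        key = (pkt.client, pkt.pkt_id, pkt.authenticator)
        if key in self.cache:
            # Retransmit of a request still on the list: no re-processing,
            # the previous reply (if there was one) is sent again.
            return self.cache[key][1]
        try:
            self.table.insert_start(pkt.session_id)
            reply = "Accounting-Response"
        except ValueError:
            # sql fails -> accounting section fails -> no response to the NAS.
            reply = None
        self.cache[key] = (now, reply)
        return reply


def simulate(dropped_responses, unique_index=False, retransmit_interval=2.0,
             cleanup_delay=5.0, max_attempts=10):
    """Send one Start and retransmit it until the NAS receives a response.

    The first `dropped_responses` responses are lost on the network.
    Returns (rows in radacct, attempt number on which the NAS got a response,
    or None if it never did within max_attempts)."""
    table = RadacctTable(unique_index)
    server = Server(table, cleanup_delay)
    pkt = Packet("10.0.0.1", 17, b"constructed-authenticator", "sess-0001")
    for attempt in range(max_attempts):
        reply = server.handle(pkt, now=attempt * retransmit_interval)
        if reply is not None and attempt >= dropped_responses:
            return len(table.rows), attempt + 1
    return len(table.rows), None


if __name__ == "__main__":
    print("2 drops:", simulate(2))                      # (1, 3): one row
    print("3 drops:", simulate(3))                      # (2, 4): duplicate row
    print("unique index, 3 drops:", simulate(3, True))  # (1, None): NAS never answered
```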
Re: rlm_python example?
The examples in src/modules/rlm_python gave me some hints and I figured it out. Thanks anyway.

On Tue, Mar 31, 2009 at 3:43 PM, Hristo Trendev dist.li...@gmail.com wrote:
> I am trying to figure out how to properly set up freeradius with rlm_python. The module loads and scripts execute, but I seem to be missing something when I try to return value pairs to be used in the reply packet (Access-Accept).
>
> [ ... ]
>
> Can someone point me in the right direction? What is supposed to be passed in configTuple? How do I return multiple value pairs? I was able to make it work with rlm_exec, but I'd like to use the python module instead.
>
> I am using freeradius on ubuntu 8.04, installed via apt-get from hardy-backports (2.1.0+dfsg-0ubuntu2~hardy1)
>
> BR,
> Hristo
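The return shape rlm_python asks for in the diagnostics quoted above, as an added example of mine (not from src/modules/rlm_python): a 3-tuple (rcode, replyTuple, configTuple) whose two inner tuples are tuples of (attribute, value) pairs. check_return() is my validator that reproduces the two messages from the thread; the fallback numeric codes are the FreeRADIUS 2.x rlm_module_t values as I know them and the Auth-Type control item is an illustrative choice.

```python
"""What an rlm_python authorize() may return (FreeRADIUS 2.x): a bare return
code, or (rcode, replyTuple, configTuple) where replyTuple and configTuple are
tuples OF (attribute, value) tuples.  Added example, not from the rlm_python
sources; check_return() is mine and mirrors the diagnostics quoted in the thread."""

try:
    import radiusd  # provided by the server when the script runs inside FreeRADIUS
except ImportError:
    class radiusd:  # stand-alone fallback; assumed values of the 2.x rlm_module_t enum
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        RLM_MODULE_HANDLED, RLM_MODULE_INVALID = 3, 4
        RLM_MODULE_USERLOCK, RLM_MODULE_NOTFOUND = 5, 6
        RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 7, 8


def authorize(params):
    """params is a tuple of (attribute, value) pairs taken from the request."""
    request = dict(params)
    if request.get("User-Name") == "banned":
        # Two Reply-Message pairs: each pair is its own tuple inside replyTuple.
        reply = (("Reply-Message", "banned1"), ("Reply-Message", "banned2"))
        return (radiusd.RLM_MODULE_REJECT, reply, ())   # REJECT is 0
    reply = (("Reply-Message", "welcome"),)   # trailing comma: a 1-tuple of pairs
    config = (("Auth-Type", "Accept"),)       # control items go in configTuple (illustrative)
    return (radiusd.RLM_MODULE_OK, reply, config)


def check_return(value):
    """Return the list of problems with a value about to be handed to rlm_python.

    An empty list means the shape is acceptable.  The messages reproduce the
    module's own wording from the thread so they are easy to recognise."""
    if isinstance(value, int):
        return []
    if not (isinstance(value, tuple) and len(value) == 3):
        return ["tuple must be (return, replyTuple, configTuple)"]
    rcode, reply, config = value
    problems = []
    if not isinstance(rcode, int):
        problems.append("return code is not an integer")
    for name, group in (("replyTuple", reply), ("configTuple", config)):
        if not isinstance(group, tuple):
            problems.append("%s is not a tuple" % name)
            continue
        for i, pair in enumerate(group):
            # Every element must itself be an (attribute, value) tuple.
            if not (isinstance(pair, tuple) and len(pair) == 2):
                problems.append("%s element %d is not a tuple" % (name, i))
    return problems


if __name__ == "__main__":
    # First attempt from the thread: the pairs are not wrapped in an outer tuple.
    print(check_return((0, ("Reply-Message", "banned1"), ("Reply-Message", "banned2"))))
    # Second attempt: only two elements.
    print(check_return((0, ("Reply-Message", "banned"))))
    print(check_return(authorize((("User-Name", "alice"),))))  # []
```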
Re: ldap+freeradius
Please, now I have a new problem; I use an Active Directory database and when I do a radtest, it is always access-reject like this:

    rad_recv: Access-Request packet from host 172.41.10.71 port 42678, id=153, length=61
            User-Name = azerty5
            User-Password = x
            NAS-IP-Address = 172.30.10.71
            NAS-Port = 1812
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    [suffix] No '@' in User-Name = azerty5, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Login incorrect: [azerty5/] (from client SRV-RADIUS port 1812)
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> lndakpaze
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 153 to 172.30.10.71 port 42678
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 153 with timestamp +7

thank you for your help

2009/3/30 John Dennis jden...@redhat.com
> David N'DAKPAZE wrote:
>> I am re-installing freeradius and when I run make after ./configure --disable-shared I have this:
>
> Don't make matters worse by trying to defeat loadable modules. Go back and figure out why the loader can't find the modules. A good place to start is looking to see what libdir was defined as when you ran configure and/or look to see where the modules were installed when you ran make install (should be the same place and by default is /usr/lib/freeradius). Are the modules there? Was rpath set when the modules were linked? Was ldconfig run so the loader knows where to find them?
>
>>     radiusd: Instantiating modules
>>      instantiate {
>>     /usr/local/etc/raddb/modules/exec[24]: Failed to link to module 'rlm_exec': rlm_exec.a: cannot open shared object file: No such file or directory
>>     Errors initializing modules
>
> Same applies to *any* missing library. If your linker doesn't have the correct path it doesn't matter what the library is called.
>
> --
> John Dennis jden...@redhat.com
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: autostart script for FreeRADIUS
On 31/3/09 02:46, Tseveendorj tseveend...@gmail.com wrote:
> Hi John
>
> Thank you for trying to help me. It has but I didn't know this is exactly right. Something looks like following
>
> inside /usr/local/etc/rc.d/mysql-server
>
>     # PROVIDE: mysql
>     # REQUIRE: LOGIN
>     # KEYWORD: shutdown
>
> inside /usr/local/etc/rc.d/radiusd
>
>     # PROVIDE: radiusd
>     # REQUIRE: NETWORKING SERVERS mysql
>     # KEYWORD: shutdown
>
> In my opinion the MySQL starts after LOGIN process then radiusd is starting when the mysql started. But it doesn't.

I would wonder if MySQL is fully up and running by the time radius gets to trying to log in. If MySQL is being launched before FreeRADIUS when you boot, you might try putting a sleep into the radiusd startup script.

If you can watch the console during bootup, that would be an easy way to determine which script is starting first, and perhaps how much time is passing between launches.

--
Scott Lambert KC5MLE Unix SysAdmin
lamb...@lambertfam.org
RE: User Authorization question
Config now reads

    #DEFAULT    Auth-Type = System

Still not working though.

Gonna run through a couple of iterations here as I do not think I am expressing the problem properly. First I would like to lay the ground rules.

1: Compare attribute User-Name to a list of usernames in a text file. Format of the text file:

    GROUP-NAME:Usernamea,Usernameb,usernamec

ex:

    TEST:Noc1,Noc2

Here we have two usernames Noc1 and Noc2; they are in group TEST.

2: Assign Group-Name attributes to the Auth request. In this ex Noc1 and Noc2 usernames would have the Group-Name field set to TEST.

3: Use Group-Name as a flag to assign privileges. ex. When you log onto our Foundry switch gear it places you in a non-admin role. To become an admin the RADIUS server must send a flag back to the switch as part of the authentication process. We have devices other than the Foundry gear that behave the same way. We will have multiple groups with different members; all accounts will be members of more than one group, so I will need to perform some logic using the authenticating device as well as group membership, so based on which device is asking for Auth and what the user's account is a member of will dictate what flags are sent back.

Right now I am on step 2. I have one account on the machine (it's my Linux dev box so I only need my account on it..) and have Kerberos up and running to auth campus accounts. Let's call my account usernamea, which resides locally AND remotely in Kerberos with different passwords; however the accounts from a string compare standpoint are identical (ie on the linux box my username is usernamea, my campus kerberos principal is also usernamea). The second username usernameb is not local to my machine and thus only resides in remote kerberos.

Let's look at some debug output, see attached file Initialization.txt. Let's look at some auth attempts. See attached files.

I think the way I am trying to implement this is way off base. If I could have my way I would rock it from clients.conf, ie place the logic in the clients configuration, that way when a client auths against radius all the group logic and radius reply attribute logic is performed on a client by client basis (ie have a client group for the foundry gear, if your username is in the foundry group you get access. Another group for the packshaper group, they log into the shaper, they are in the packeteer group, bam they get access to said device (with appropriate reply flags). Hope this is possible.

Thank you

    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/eap.conf
     main: prefix = /usr
     main: localstatedir = /var
     main: logdir = /var/log/radius
     main: libdir = /usr/lib
     main: radacctdir = /var/log/radius/radacct
     main: hostname_lookups = no
     main: snmp = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /var/log/radius/radius.log
     main: log_auth = yes
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /var/run/radiusd/radiusd.pid
     main: user = radiusd
     main: group = radiusd
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/sbin/checkrad
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = no
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib
    Module: Loaded exec
     exec: wait = yes
     exec: program = (null)
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
     pap: encryption_scheme = md5
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
     mschap: use_mppe = yes
     mschap: require_encryption = yes
     mschap: require_strong = yes
     mschap: with_ntdomain_hack = no
     mschap: passwd = (null)
     mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
     unix: cache = no
     unix: passwd = (null)
     unix: shadow = (null)
     unix: group = (null)
     unix: radwtmp = /var/log/radius/radwtmp
     unix: usegroup = no
     unix:
RE: What can cause the Exiting normally without prompting
sorry, it includes the prepaid module that i write. you can not reproduce.

test shell:

    #!/bin/bash
    i=0
    while true
    do
        date
        time ../radclient -p 16 -q -s -t 3 -r 3 -f auth_test 127.0.0.1:1812 auth xx
        i=`expr $i \+ 1`
        echo $i
    done

auth_test:

    User-Name=test1, User-Password=11, Calling-Station-Id=192.168.10.1 ,NAS-IP-Address=192.168.0.1, NAS-Port=1, Service-Type=Framed, Framed-Protocol=PPP
    User-Name=test2, User-Password=11, Calling-Station-Id=192.168.10.1 ,NAS-IP-Address=192.168.0.1, NAS-Port=2, Service-Type=Framed, Framed-Protocol=PPP
    User-Name=test3, User-Password=11, Calling-Station-Id=192.168.10.1 ,NAS-IP-Address=192.168.0.1, NAS-Port=3, Service-Type=Framed, Framed-Protocol=PPP
    User-Name=test4, User-Password=11, Calling-Station-Id=192.168.10.1 ,NAS-IP-Address=192.168.0.1, NAS-Port=4, Service-Type=Framed, Framed-Protocol=PPP
    User-Name=test5, User-Password=11, Calling-Station-Id=192.168.10.1 ,NAS-IP-Address=192.168.0.1, NAS-Port=5, Service-Type=Framed, Framed-Protocol=PPP
    ...

---

i am testing; possibly the same code does not have the problem on Centos 5.2 X86. CENTOS 5.2 X86_64 has the problem.

> Date: Mon, 30 Mar 2009 16:17:02 -0300
> Subject: Re: What can cause the Exiting normally without prompting
> From: listas.luaf...@gmail.com
> To: freeradius-users@lists.freeradius.org
>
> 2009/3/29 韩枫 switchp...@hotmail.com:
>> hi, os is centos 5.2 x64, pgsql is 8.3.7. i have not set the cpu quotas. Even, I do not know how to set up cpu quotas.
>>
>>     --
>>     # ulimit -a
>>     core file size          (blocks, -c) unlimited
>>     data seg size           (kbytes, -d) unlimited
>>     scheduling priority             (-e) 0
>>     file size               (blocks, -f) unlimited
>>     pending signals                 (-i) 139264
>>     max locked memory       (kbytes, -l) 32
>>     max memory size         (kbytes, -m) unlimited
>>     open files                      (-n) 8192
>>     pipe size            (512 bytes, -p) 8
>>     POSIX message queues     (bytes, -q) 819200
>>     real-time priority              (-r) 0
>>     stack size              (kbytes, -s) 10240
>>     cpu time               (seconds, -t) unlimited
>>     max user processes              (-u) 139264
>>     virtual memory          (kbytes, -v) unlimited
>>     file locks                      (-x) unlimited
>>     --
>>
>> Whether or not the changed module will cause this to happen?
>>
>> Date: Sat, 28 Mar 2009 08:25:48 -0700
>> From: al...@deployingradius.com
>> To: freeradius-users@lists.freeradius.org
>> Subject: Re: What can cause the Exiting normally without prompting
>>
>> switchp...@hotmail.com wrote:
>>> i am testing freeradius 2.1.X by radclient , when the number of requests arrive 6million+, freeradius will Exiting normally without prompting.
>>
>> The only time it exits is when something tells it to exit. e.g. via SIGTERM. I've never seen it exit like that in any of my performance tests. Maybe you have CPU quotas for the server?
>
> Could you give more details about how to reproduce the situation?
>
> Thanks
> Luciano
Re: What can cause the Exiting normally without prompting
Just in case this can help you, take a look at http://linux-mm.org/OOM_Killer

Basically the Linux kernel has a mechanism to kill processes when it runs out of memory. In this case the kill signal should not be SIGTERM, but from googling I found it may be possible in some cases that the kernel uses this signal. Search your kernel logs (/var/log/dmesg) to see if you have something like "invoked oom-killer".

Regards
Luciano

2009/3/31 韩枫 switchp...@hotmail.com:
> Sorry, it includes the prepaid module that I wrote, so you cannot reproduce it.
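An added check for the kernel-log search Luciano suggests (example code written for this page, not from the thread or the FreeRADIUS project). It scans syslog or dmesg lines for the two things the OOM killer logs, the process that invoked it and the process it actually killed, and reports whether a process called radiusd was among the victims. The invoker is merely whoever asked for memory when it ran out, so the victim list is the one to look at. The log lines are constructed, and the message formats are assumed from common kernel wording; compare them with your own kernel's output.

```python
import re
from typing import Dict, List, Tuple

# Kernel message shapes seen in syslog/dmesg (CentOS 5 era and later kernels).
# The exact wording varies between kernel versions; these patterns are an
# assumption, not taken from the thread.
INVOKED_RE = re.compile(r"(\S+) invoked oom-killer")
KILLED_RE = re.compile(r"Kill(?:ed)? process (\d+)(?:, UID \d+,)? \(([^)]+)\)")

# Constructed sample log lines (not from the thread).
SAMPLE_LOG = """\
Mar 31 12:00:01 radius1 kernel: postmaster invoked oom-killer: gfp_mask=0x201d2, order=0, oomkilladj=0
Mar 31 12:00:01 radius1 kernel: Out of memory: Killed process 4231 (radiusd).
Mar 31 12:05:13 radius1 kernel: eth0: link up
Mar 31 13:30:44 radius1 kernel: Out of memory: Kill process 5120 (radiusd) score 540 or sacrifice child
Mar 31 13:30:44 radius1 kernel: Killed process 5120, UID 99, (radiusd) total-vm:1843212kB
""".splitlines()


def scan_oom(lines: List[str]) -> Dict[str, list]:
    """Return which processes triggered the OOM killer and which it killed.

    'invokers' is the process that happened to allocate when memory ran out;
    'victims' is what the kernel actually chose to kill. They are often not
    the same process, so use the victim list to answer "was radiusd killed?".
    Victims are de-duplicated by pid because newer kernels log both a
    "Kill process" and a "Killed process" line for one event.
    """
    invokers: List[str] = []
    victims: List[Tuple[int, str]] = []
    seen_pids = set()
    for line in lines:
        m = INVOKED_RE.search(line)
        if m:
            invokers.append(m.group(1))
        m = KILLED_RE.search(line)
        if m:
            pid, comm = int(m.group(1)), m.group(2)
            if pid not in seen_pids:
                seen_pids.add(pid)
                victims.append((pid, comm))
    return {"invokers": invokers, "victims": victims}


def oom_killed_pids(lines: List[str], comm: str) -> List[int]:
    """PIDs of processes named `comm` that the OOM killer terminated."""
    return [pid for pid, name in scan_oom(lines)["victims"] if name == comm]


if __name__ == "__main__":
    import sys
    # Usage: python oom_check.py radiusd /var/log/messages /var/log/dmesg
    # With no file arguments the constructed sample above is scanned.
    name = sys.argv[1] if len(sys.argv) > 1 else "radiusd"
    lines = SAMPLE_LOG
    if len(sys.argv) > 2:
        lines = []
        for path in sys.argv[2:]:
            with open(path, errors="replace") as fh:
                lines.extend(fh.read().splitlines())
    print("OOM victims:", scan_oom(lines)["victims"])
    print(f"{name} killed by the OOM killer as pid(s):", oom_killed_pids(lines, name))
```

On a box where the daemon "exits normally" the absence of any victim line for radiusd is itself useful: it rules the OOM killer out and points back at something sending the process a signal, which is what Alan's reply suggests.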
RE: What can cause the Exiting normally without prompting
Thanks, the logs (dmesg, messages, radius.log) do not have any special tips.

> Date: Tue, 31 Mar 2009 16:02:01 -0300
> Subject: Re: What can cause the Exiting normally without prompting
> From: listas.luaf...@gmail.com
> To: freeradius-users@lists.freeradius.org
>
> Just in case this can help you, take a look at http://linux-mm.org/OOM_Killer
Re: ldap+freeradius
> Please, now I have a new problem; I use an Active Directory database and when I do a radtest, it is always Access-Reject like this:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP
MAC auth won't work with SQL
Hi, I've set up two different Linux machines with FR and still can't get MAC authentication working with Calling-Station-Id in the radchk table. I've checked the FAQ and have googled for hours. I've tried a hosted and a local MySQL server. Right now I'm using FR 2.1.1 on openSUSE. I didn't install freeradius-mysql on this new Linux machine, because I can't find it. However, I can still do 802.1X/PEAP authentication against my MySQL DB if I don't have the Calling-Station-Id entry in the radchk table. I can't get SQL xlat to work in the Clients file either. I appreciate your help! Thanks!

Associated entries in the radchk table:

DEFAULT Fall-Through = yes
ege...@skynets Cleartext-Password := ege...@skynets
Calling-Station-Id == 00-1C-B3-B1-3E-07 (if I remove this entry, I can get authenticated)

Here's most of the debug:

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql] 	expand: %{User-Name} -> ege...@skynets
[sql] sql_set_user escaped user --> 'ege...@skynets'
rlm_sql (sql): Reserving sql socket id: 4
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ege...@skynets' ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ege...@skynets' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'ege...@skynets' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 190 to 192.168.0.1 port 41576
	EAP-Message = 0x016600061920
	Message-Authenticator = 0x
	State = 0x887600b0881019123d77eed9ad3cef65
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=191, length=230
	User-Name = ege...@skynets
	NAS-IP-Address = 192.168.0.1
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = 00-1C-B3-B1-3E-07
	State = 0x887600b0881019123d77eed9ad3cef65
	EAP-Message = 0x0266007d19800073160301006e016a030149d245f8cc2cbd4fe33cdb07dc35b6c87acfcc21da980a70fa466c6e819bf49118002f00350005000ac009c00ac013c014003200380013000401290013001101000e65676569657240736b796e657473000a00080006001700180019000b00020100
	Message-Authenticator = 0x15b99d469f497dd1de41e19b04d463d9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "skynets" for User-Name = "ege...@skynets"
[suffix] No such realm "skynets"
++[suffix] returns noop
[eap] EAP packet type response id 102 length 125
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 115
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006e], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 192.168.0.1 port 41576
	EAP-Message = 0x0167040019c0089b160301002a0226030149d245fcb6267b990aa260afc7ea5b3669e5ee697512f85665761dad0e9b07762f00160301085e0b00085a0008570003a6308203
RE: User Authorization question
> Config now reads #DEFAULT Auth-Type = System
> Still not working though

Erm, what is not working?

> Gonna run through a couple of iterations here as I do not think I am expressing the problem properly. First I would like to lay the ground rules.
>
> 1: Compare attribute User-Name to a list of usernames in a text file.
> Format of text file: GROUP-NAME:Usernamea,Usernameb,usernamec
> ex: TEST:Noc1,Noc2
> Here we have two usernames, Noc1 and Noc2; they are in group TEST.
>
> 2: Assign Group-Name attributes to the Auth request. In this ex the Noc1 and Noc2 usernames would have the Group-Name field set to TEST.

You have done that.

> 3: Use Group-Name as a flag to assign privileges. ex. When you log onto our Foundry switch gear it places you in a non-admin role. To become an admin the RADIUS server must send a flag back to the switch as part of the authentication process. We have devices other than the Foundry gear that behave the same way. We will have multiple groups with different members; all accounts will be members of more than one group, so I will need to perform some logic using the authenticating device as well as group membership. So which device is asking for auth and what the user's account is a member of will dictate what flags are sent back.

That is going to be very complicated on this ancient server version. Any reason you are not doing this with the current version? 3. would be so much easier using unlang.

Also this:

> I think the way I am trying to implement this is way off base. If I could have my way I would rock it from clients.conf, i.e. place the logic in the clients configuration, so that when a client auths against radius all the group logic and radius reply attribute logic is performed on a client-by-client basis (i.e. have a client group for the Foundry gear; if your username is in the Foundry group you get access. Another group for the packshaper group: they log into the shaper, they are in the packeteer group, bam, they get access to said device (with appropriate reply flags)).

Ivan Kalik
Kalik Informatika ISP
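A reference model of the three steps laid out above, as an added example (written for this page; it is not the poster's code, and in a real deployment the policy would be written in unlang, as Ivan says). It parses the GROUP-NAME:usera,userb file format the poster describes, maps each user to the set of groups it belongs to, and decides per device class which reply attribute to return. The device classes, the group names FOUNDRY and PACKETEER, and the reply attributes Foundry-Privilege-Level and Packeteer-AVPair are assumptions for illustration; the sample group file is constructed. A user who is not in the group a device class requires is rejected outright rather than accepted into the non-admin role, which is a design choice of this example, not something the thread states.

```python
from typing import Dict, Set, Tuple

# Constructed group file in the poster's format (GROUP-NAME:usera,userb).
SAMPLE_GROUP_FILE = """\
# comments and blank lines are ignored
TEST:Noc1,Noc2
FOUNDRY:Noc1, neteng
PACKETEER:Noc2,neteng
"""

# Hypothetical per-device policy: which user group a device class requires and
# which reply attribute turns on the admin role. Attribute names and values are
# assumed for illustration; check your NAS documentation and dictionaries.
DEVICE_POLICY = {
    "foundry": {"group": "FOUNDRY",
                "admin_reply": {"Foundry-Privilege-Level": "0"}},
    "packeteer": {"group": "PACKETEER",
                  "admin_reply": {"Packeteer-AVPair": "access=touch"}},
}


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Map each username (lower-cased) to the set of groups it belongs to.

    Group names are upper-cased and surrounding whitespace is stripped so that
    "FOUNDRY:Noc1, neteng" and "foundry:noc1,neteng" mean the same thing.
    A line without the GROUP:users separator is a hard error rather than
    silently ignored: a malformed line could otherwise drop a whole group.
    """
    members: Dict[str, Set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected GROUP-NAME:user,user,...")
        group, users = line.split(":", 1)
        group = group.strip().upper()
        if not group:
            raise ValueError(f"line {lineno}: empty group name")
        for user in users.split(","):
            user = user.strip().lower()
            if user:
                members.setdefault(user, set()).add(group)
    return members


def authorize(user: str, client_group: str,
              members: Dict[str, Set[str]],
              policy=DEVICE_POLICY) -> Tuple[str, Dict[str, str]]:
    """Decide the reply for `user` logging in to a device of class `client_group`.

    Returns ("accept", reply attributes) or ("reject", {}). A device class
    with no policy entry fails closed, as does a user outside the required
    group, so being in PACKETEER never grants anything on a Foundry switch.
    """
    rule = policy.get(client_group)
    if rule is None:
        return "reject", {}
    if rule["group"] not in members.get(user.lower(), set()):
        return "reject", {}
    return "accept", dict(rule["admin_reply"])


if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    for user, device in (("Noc1", "foundry"), ("Noc1", "packeteer"), ("neteng", "packeteer")):
        print(user, "on", device, "->", authorize(user, device, groups))
```

In FreeRADIUS the device class would come from the client definition that matched the request (the clients.conf idea in the quoted text), so the decision keys on the NAS that sent the Access-Request, not on anything the user supplies.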
Re: MAC auth won't work with SQL
> Hi, I've set up two different Linux machines with FR and still can't get MAC authentication working with Calling-Station-Id in the radchk table. I've checked the FAQ and have googled for hours. I've tried a hosted and a local MySQL server.

If you only bothered looking at the debug and configuration files for the authentication method you are using. Outer request:

rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=191, length=230
..
	Calling-Station-Id = 00-1C-B3-B1-3E-07
..

has that attribute in it, and the inner request (the user is authenticated in the inner tunnel):

Sending tunneled request
	EAP-Message = 0x026c00491a026c00443177f318d460fc36f9cc77a41c0a4b365610538d55c2badfcc4a85b41f875a5521f978d255be29a7d20065676569657240736b796e657473
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = ege...@skynets
	State = 0x8433f2b7845fe8463016d60fe5b8c67e
..

doesn't! You have a setting copy_request_to_tunnel in the peap section of eap.conf. Enable it.

Ivan Kalik
Kalik Informatika ISP
RE: User Authorization question
D'oh. It's what Cent 5 installed (being a touch lazy... Sorry, will rectify and touch base when on current code).

-----Original Message-----
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Tuesday, March 31, 2009 1:58 PM
To: FreeRadius users mailing list
Subject: RE: User Authorization question

> That is going to be very complicated on this ancient server version. Any reason you are not doing this with the current version? 3. would be so much easier using unlang.
RE: MAC auth won't work with SQL
Great, works now. Thanks!

Is there a way to load the database Value field with multiple MAC addresses, and have freeradius check against them, so I can specify multiple devices the user can use?

- Eric

-----Original Message-----
From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Tuesday, March 31, 2009 5:11 PM
To: FreeRadius users mailing list
Subject: Re: MAC auth won't work with SQL

> You have a setting copy_request_to_tunnel in the peap section of eap.conf. Enable it.
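Why the Calling-Station-Id check failed, and what copy_request_to_tunnel changes, as a small model written for this page (it is not FreeRADIUS code): an outer PEAP request that carries Calling-Station-Id, an inner tunnel request that does not, and radcheck rows evaluated against whichever request the inner-tunnel server sees. Without copy_request_to_tunnel the == row has nothing to compare against and fails; with it the attribute is copied in and matches. The block also goes one step beyond the thread for Eric's follow-up question: a single radcheck row using the =~ operator with a regular expression can admit several MAC addresses. The user name alice@skynets, the attribute values, and the set of attributes the model refuses to copy (EAP-Message, Message-Authenticator, State) are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Attributes this model never copies from the outer request into the tunnel
# (an assumption about what copy_request_to_tunnel skips; not from the thread).
NOT_COPIED = {"EAP-Message", "Message-Authenticator", "State"}

# Constructed outer (PEAP) request: it carries the MAC the access point reported.
OUTER: Dict[str, str] = {
    "User-Name": "alice@skynets",
    "NAS-IP-Address": "192.168.0.1",
    "NAS-Port-Type": "Wireless-802.11",
    "Calling-Station-Id": "00-1C-B3-B1-3E-07",
    "State": "0x887600b0881019123d77eed9ad3cef65",
    "EAP-Message": "0x0266000619800000",
}

# Constructed inner request as the inner-tunnel server receives it: only what
# the tunnelled EAP payload itself carried, plus the proxy marker.
INNER: Dict[str, str] = {
    "User-Name": "alice@skynets",
    "EAP-Message": "0x026c00061a020000",
    "FreeRADIUS-Proxied-To": "127.0.0.1",
}

# radcheck rows as (attribute, op, value). The second list is the regex form
# that allows more than one device per user in a single row.
RADCHECK_ONE_MAC: List[Tuple[str, str, str]] = [
    ("Cleartext-Password", ":=", "s3cret"),
    ("Calling-Station-Id", "==", "00-1C-B3-B1-3E-07"),
]
RADCHECK_MANY_MACS: List[Tuple[str, str, str]] = [
    ("Cleartext-Password", ":=", "s3cret"),
    ("Calling-Station-Id", "=~", r"^(00-1C-B3-B1-3E-07|00-1C-B3-AA-BB-CC)$"),
]


def build_inner_request(outer: Dict[str, str], inner: Dict[str, str],
                        copy_request_to_tunnel: bool) -> Dict[str, str]:
    """Return the request the inner-tunnel virtual server evaluates."""
    request = dict(inner)
    if copy_request_to_tunnel:
        for attr, value in outer.items():
            if attr in NOT_COPIED or attr in request:
                continue  # never overwrite what the inner request already has
            request[attr] = value
    return request


def check_items_match(check_items: List[Tuple[str, str, str]],
                      request: Dict[str, str]) -> bool:
    """Model of radcheck evaluation: every row must hold for the user to match.

    '==' is an exact, case-sensitive string compare and '=~' a regex search.
    Cleartext-Password is consumed by the authentication module rather than
    compared with the request, so it is skipped. A missing attribute fails
    both operators, which is exactly what happens to the tunnelled request.
    """
    for attr, op, value in check_items:
        if attr == "Cleartext-Password":
            continue
        actual = request.get(attr)
        if op == "==":
            if actual != value:
                return False
        elif op == "=~":
            if actual is None or re.search(value, actual) is None:
                return False
        else:
            raise ValueError(f"operator {op!r} not modelled")
    return True


def mac_check_passes(copy_request_to_tunnel: bool,
                     check_items: List[Tuple[str, str, str]] = RADCHECK_ONE_MAC) -> bool:
    """True if the user's radcheck rows match what the inner tunnel sees."""
    request = build_inner_request(OUTER, INNER, copy_request_to_tunnel)
    return check_items_match(check_items, request)


if __name__ == "__main__":
    for copy in (False, True):
        print(f"copy_request_to_tunnel = {'yes' if copy else 'no'}: "
              f"single MAC {mac_check_passes(copy)}, "
              f"MAC list {mac_check_passes(copy, RADCHECK_MANY_MACS)}")
```

Two caveats a practitioner will hit: the == compare is byte-exact, and access points disagree on MAC formatting (00-1C-B3-B1-3E-07, 00:1c:b3:b1:3e:07, 001cb3b13e07), so either normalise Calling-Station-Id before the check or write the regex to accept the variants your NAS sends; and a MAC is a weak credential on its own, since anything on the air can see and copy it, so it belongs as an extra constraint next to the password, never as a replacement.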
SQL xlat not working
I can't get SQL xlat to work in the Clients file. I'm trying to do a DB query for the Shared Secret. I'm getting "invalid Message-Authenticator (Shared secret is incorrect)" errors. The select statement works fine when run on my DB server.

Have any suggestions?

Thanks,
Eric
Re: autostart script for FreeRADIUS
Scott Lambert wrote:
> On 31/3/09 02:46, Tseveendorj tseveend...@gmail.com wrote:
>> Hi John
>> Thank you for trying to help me. It has, but I didn't know this is exactly right. Something looks like the following inside /usr/local/etc/rc.d/mysql-server
>>
>> # PROVIDE: mysql
>> # REQUIRE: LOGIN
>> # KEYWORD: shutdown
>>
>> inside /usr/local/etc/rc.d/radiusd
>>
>> # PROVIDE: radiusd
>> # REQUIRE: NETWORKING SERVERS mysql
>> # KEYWORD: shutdown
>>
>> In my opinion MySQL starts after the LOGIN process, then radiusd starts when mysql has started. But it doesn't.
>
> I would wonder if MySQL is fully up and running by the time radius gets to trying to log in. If MySQL is being launched before FreeRADIUS when you boot, you might try putting a sleep into the radiusd startup script. If you can watch the console during bootup, that would be an easy way to determine which script is starting first, and perhaps how much time is passing between launches.

Thank you very much.
Seg Fault in 2.0.3
I have a FR 2.0.3 server running under FreeBSD 6.3 which intermittently exits with a segmentation fault. I tried searching the list for known seg fault issues with 2.0.3 and only found one, which sounded like it only happens when running under gdb.

Do you think upgrading to 2.1.3 (it's the latest port for FR under FreeBSD) could potentially resolve this issue? (I'm not looking for a guarantee, just an opinion based upon whether there were known seg faults in 2.0.3 that were fixed in later releases.) Should I run FR under gdb to get more information about the seg fault?

This morning it happened while I was running radiusd -Xx, and the error occurred a few minutes after a request was successfully processed, as a new request was received and before it was able to output any information about it. The server had been running for less than a week (most times it runs longer than this before crashing). So, the last two lines of output were:

Tue Mar 31 07:52:08 2009 : Debug: Ready to process requests.
Segmentation Fault: 11

I realize this isn't enough to diagnose the problem (but it's all the information I currently have). Please let me know how you think it's best to proceed (e.g., upgrade, get more info about the problem, other...).

Thanks in advance for any assistance/advice you can provide.
Re: Duplicate Acct-Status packets
Ivan, it's interesting. Our NAS is a Linux pppoe-server with the latest pppd. pppd retransmits Acct-Status in 10 seconds. Is it possible to increase the freeradius tracking time you are talking about from 5 to 15 seconds? Where is this place in the configs/sources?

t...@kalik.net wrote:
>> Unique will solve your problem but keep in mind that this will consume more resources.
>
> That is not a very good solution. True, there will be only one insert in the table, but if you make sql fail the insert, the sql module will fail, as will accounting, so no response will go back to the NAS. And it will send that accounting packet again and again and again ...
>
> Under normal circumstances one dropped response is not a problem. A NAS tends to repeat unanswered accounting packets every 2 seconds, while freeradius keeps the request on the list for 5 seconds. So you would need three consecutive dropped responses for a duplicate to end up in the radacct table. If your network has such packet loss, fiddling with accounting is the least of your worries. But if your NAS is retransmitting at intervals longer than 5 seconds you should fix that.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>> On Tue, Mar 31, 2009 at 11:50 AM, Bogomolov Andrei d...@clink.ru wrote:
>>> I'm running freeradius-1.1.7: the NAS server sends an Acct-Status-Start packet, then freeradius processes it and confirms with Acct-Status-Reply. But if the reply packet is lost due to its UDP nature, the NAS sends a second Acct-Status-Start. In this situation I have two duplicate records in the radacct table. How can I avoid this? Unique db-indexes, or better something else?
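The retransmit-versus-cleanup arithmetic Ivan gives, as an added model (written for this page, not FreeRADIUS code). It models the server remembering an answered accounting packet for cleanup_delay seconds and the NAS re-sending the identical packet every retransmit_interval seconds while responses are lost, and counts how many times the packet reaches the accounting section, i.e. how many rows an unconditional INSERT would add to radacct. Assumptions: the duplicate is recognised by client and RADIUS Identifier with the Request Authenticator compared, a duplicate re-sends the cached reply without restarting the cleanup timer, and the NAS keeps retransmitting until it gets a response.

```python
from typing import Optional


def radacct_rows(cleanup_delay: float, retransmit_interval: float,
                 lost_responses: int, max_attempts: int = 50) -> int:
    """Rows an unconditional INSERT adds to radacct for one accounting packet.

    cleanup_delay: seconds the server keeps an answered request on its list.
    retransmit_interval: seconds between identical re-sends by the NAS.
    lost_responses: how many consecutive responses are dropped on the way
    back to the NAS before one gets through.
    """
    if retransmit_interval <= 0:
        raise ValueError("retransmit_interval must be positive")
    if lost_responses < 0 or lost_responses >= max_attempts:
        raise ValueError("lost_responses must be in [0, max_attempts)")
    answered_at: Optional[float] = None  # when the first reply was sent
    rows = 0
    now = 0.0
    for attempt in range(max_attempts):
        if answered_at is not None and now - answered_at < cleanup_delay:
            pass  # still on the list: duplicate detected, cached reply re-sent
        else:
            rows += 1  # looks like a new request: accounting runs, INSERT happens
            answered_at = now
        if attempt >= lost_responses:
            return rows  # this response reached the NAS, which stops re-sending
        now += retransmit_interval
    raise AssertionError("unreachable: the range check above guarantees a return")


def losses_before_duplicate(cleanup_delay: float, retransmit_interval: float) -> int:
    """Smallest number of consecutive lost responses that yields a second row."""
    k = 1
    while radacct_rows(cleanup_delay, retransmit_interval, k) == 1:
        k += 1
    return k


if __name__ == "__main__":
    # Ivan's numbers, Andrei's numbers, and the 15-second window Andrei asks about.
    for cleanup, retransmit in ((5, 2), (5, 10), (15, 10)):
        print(f"cleanup_delay={cleanup}s retransmit={retransmit}s: "
              f"{losses_before_duplicate(cleanup, retransmit)} consecutive lost "
              "response(s) before a duplicate radacct row")
```

With a 2-second retransmit and a 5-second list, three responses in a row must vanish before a duplicate row appears, which is Ivan's figure; with a 10-second retransmit a single lost response is enough, which is Andrei's problem. Widening the server window to 15 seconds only raises the bar to two losses, so it papers over, rather than removes, the dependence on the NAS timer. Note too why a unique index is not a dedupe: the second packet still reaches accounting, the INSERT fails, the module and the section fail, and no Accounting-Response goes back, so the NAS keeps re-sending.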