RE: MAC auth won't work with SQL

2009-04-01 Thread tnt
> Great, works now. Thanks!
>
> Is there a way to load the Database Value field with multiple MAC addresses,
> and freeradius check against them so I can specify multiple devices the
> user can use?

http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


vlan priority query

2009-04-01 Thread Mitul Modi
hi,

How can we configure the radius server to send vlan priority in the access
accept message?

Thanks,
Mitul Modi

Re: SQL xlat not working

2009-04-01 Thread tnt
> I can't get SQL xlat to work in the Clients file. I'm trying to do a DB
> query for the Shared Secret.

And where did you find that it should work?

> I'm getting invalid Message-Authenticator (Shared secret is incorrect)
> errors.

You should fix the client secret to match the server, not the other way round.

> The select statement works fine when run on my DB server.
>
> Have any suggestions?

You can load clients from the nas table. See the read_clients setting near the
end of the sql.conf file.

Ivan Kalik
Kalik Informatika ISP



Re: Duplicate Acct-Status packets

2009-04-01 Thread tnt
> Ivan, it's interesting. Our NAS is a Linux pppoe-server with the latest
> pppd version. Pppd retransmits Acct-Status in 10 seconds. Is it possible to
> increase the FreeRADIUS tracking time you are talking about from 5 to
> 15 seconds? Where is this place in configs/sources?

See cleanup_delay in radiusd.conf.

Ivan Kalik
Kalik Informatika ISP



Re: vlan priority query

2009-04-01 Thread tnt
> How can we configure the radius server to send vlan priority in the access
> accept message?

http://tools.ietf.org/html/rfc4675

Ivan Kalik
Kalik Informatika ISP



Re: vlan priority query

2009-04-01 Thread Mitul Modi
Hi Ivan,

Sorry for the confusion. My question was: how to configure it in the freeradius
server?

Thanks,
Mitul Modi


On Wed, Apr 1, 2009 at 2:32 PM, t...@kalik.net wrote:

> > How can we configure the radius server to send vlan priority in the access
> > accept message?
>
> http://tools.ietf.org/html/rfc4675
>
> Ivan Kalik
> Kalik Informatika ISP

Re: vlan priority query

2009-04-01 Thread tnt
> Sorry for the confusion. My question was: how to configure it in the freeradius
> server?

Just like any other attribute. You have plenty of examples of how to send
attributes in the reply in the users file, SQL howto, etc.

Ivan Kalik
Kalik Informatika ISP



Re: vlan priority query

2009-04-01 Thread Mitul Modi
Hi,

Following is my configuration:

Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 32,
Reply-Message = Hello, %u

Here the VLAN id tag is Tunnel-Private-Group-Id.

But I don't know the standard attribute for VLAN priority.

Thanks,
Mitul Modi

On Wed, Apr 1, 2009 at 3:25 PM, t...@kalik.net wrote:

> > Sorry for the confusion. My question was: how to configure it in the freeradius
> > server?
>
> Just like any other attribute. You have plenty of examples of how to send
> attributes in the reply in the users file, SQL howto, etc.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: vlan priority query

2009-04-01 Thread Michael Schwartzkopff
On Wednesday, 1 April 2009 12:25:13, Mitul Modi wrote:
> Hi,
>
> Following is my configuration:
>
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 32,
> Reply-Message = Hello, %u
>
> Here the VLAN id tag is Tunnel-Private-Group-Id.
>
> But I don't know the standard attribute for VLAN priority.
>
> Thanks,
> Mitul Modi
>
> On Wed, Apr 1, 2009 at 3:25 PM, t...@kalik.net wrote:
> > > Sorry for the confusion. My question was: how to configure it in the
> > > freeradius server?
> >
> > Just like any other attribute. You have plenty of examples of how to send
> > attributes in the reply in the users file, SQL howto, etc.
> >
> > Ivan Kalik
> > Kalik Informatika ISP

See dictionary.rfc2868. Perhaps it's Tunnel-Preference?

Best regards,
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Registry court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

Re: vlan priority query

2009-04-01 Thread tnt
> Following is my configuration:
>
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 32,
> Reply-Message = Hello, %u
>
> Here the VLAN id tag is Tunnel-Private-Group-Id.
>
> But I don't know the standard attribute for VLAN priority.

Did you read that RFC document I have posted? There are only 4 attributes
in there - not that hard to find which one it is.

Ivan Kalik
Kalik Informatika ISP

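Ivan points at RFC 4675 rather than naming the attribute. The Python below is an added example, not code from the thread or from FreeRADIUS: it encodes and parses the four attributes that RFC defines, so a reply the server builds from a users-file entry can be checked byte for byte against the RFC. The VLAN id 32 comes from Mitul's configuration; the priority table values are constructed.

```python
"""RFC 4675 egress VLAN / user priority attributes as they appear on the wire."""
import struct

# Attribute type numbers assigned by RFC 4675.
EGRESS_VLANID = 56
INGRESS_FILTERS = 57
EGRESS_VLAN_NAME = 58
USER_PRIORITY_TABLE = 59

TAGGED = 0x31    # tag indicator "1": frames leave the port 802.1Q-tagged
UNTAGGED = 0x32  # tag indicator "2": frames leave untagged


def egress_vlanid(vlan_id, tagged):
    """Egress-VLANID: 4-octet value = tag indicator (8 bits) | pad (12) | VLANID (12)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    value = ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id
    return struct.pack("!BBI", EGRESS_VLANID, 6, value)


def ingress_filters(enabled):
    """Ingress-Filters: 4-octet integer, 1 = Enabled, 2 = Disabled."""
    return struct.pack("!BBI", INGRESS_FILTERS, 6, 1 if enabled else 2)


def egress_vlan_name(name, tagged):
    """Egress-VLAN-Name: one tag character ('1' tagged, '2' untagged) then the name."""
    data = bytes([TAGGED if tagged else UNTAGGED]) + name.encode("utf-8")
    if len(data) > 253:
        raise ValueError("VLAN name too long for one attribute")
    return struct.pack("!BB", EGRESS_VLAN_NAME, 2 + len(data)) + data


def user_priority_table(table):
    """User-Priority-Table: 8 octets; octet i is the regenerated priority for
    an incoming frame carrying user priority i. Every entry must be 0..7."""
    if len(table) != 8 or any(not 0 <= p <= 7 for p in table):
        raise ValueError("table needs exactly 8 priorities in 0..7")
    return struct.pack("!BB", USER_PRIORITY_TABLE, 10) + bytes(table)


def parse_attributes(blob):
    """Walk a run of RADIUS attributes and decode the RFC 4675 ones.

    Returns a list of (name, decoded-value) tuples; types this function does
    not know come back as ('Unknown-<type>', raw bytes). A bad length raises
    ValueError rather than being skipped silently.
    """
    out = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        val = blob[i + 2:i + alen]
        if atype == EGRESS_VLANID and alen == 6:
            (v,) = struct.unpack("!I", val)
            out.append(("Egress-VLANID", {"tagged": (v >> 24) == TAGGED, "vlan": v & 0xFFF}))
        elif atype == INGRESS_FILTERS and alen == 6:
            (v,) = struct.unpack("!I", val)
            out.append(("Ingress-Filters", v == 1))
        elif atype == EGRESS_VLAN_NAME and alen >= 4:
            out.append(("Egress-VLAN-Name",
                        {"tagged": val[0] == TAGGED, "name": val[1:].decode("utf-8")}))
        elif atype == USER_PRIORITY_TABLE and alen == 10:
            out.append(("User-Priority-Table", list(val)))
        else:
            out.append(("Unknown-%d" % atype, val))
        i += alen
    return out


def example_reply():
    """Reply pieces for Mitul's case: VLAN 32 untagged plus a priority table
    that regenerates every incoming user priority to 5 (constructed values)."""
    return egress_vlanid(32, tagged=False) + user_priority_table([5] * 8)


if __name__ == "__main__":
    for name, value in parse_attributes(example_reply()):
        print(name, value)
```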


Authenticating Restricted Users through LDAP

2009-04-01 Thread sankalpk

Hi All,

I have a setup of Freeradius 1.1.4 running with openldap 2.2.13. The 
radius server authenticates clients based on Username and Password that 
clients provide through a web page. This is working fine. Now I want 
that restricted users in LDAP can be authenticated, but I cannot make a 
separate OU for those users, since there are other applications being 
served by this LDAP.


Is there a way that I can set an attribute like radiusAccess in LDAP, 
and Radius Server will check from LDAP that if radiusAccess attribute is 
set to 1 AND Username and Passwords match, then it should give the 
access. For users whose radiusAccess attribute is not set, access should 
not be given even if Username and Password are correct.


In the current scenario, I am not using any radius Schema or any other 
attribute specific to Radius.


Thanks and Regards,
Sankalp


Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?

2009-04-01 Thread Ulf Leichsenring
Hi FreeRADIUS user community

I'm in search of some ideas for the following situation:

Given are several WLANs controlled by a Siemens Hipath C2400 WLAN
Controller with Siemens APs. The controller provides different WLANs
identified by different ESSIDs. All WLAN clients use IEEE802.1x
authentication with EAP-TLS and client certificates.
The authentication is done by FreeRADIUS 1.0.1 on Redhat EL AS4.

At the moment, all clients use certificates and inside the FreeRADIUS
eap-tls section the CA certificates are trusted.
All Windows clients use a MS CA and have certificates with the Windows
system name as the certificate's common name. Other devices like mobile
scanners or WLAN mobile phones (VoIP) have manually generated
certificates with the device type as the certificate's common name, like
phone, mobile scanner or else.
So far, it works.

But now I was asked if it is possible to restrict the association of
several device types to defined ESSIDs. There should be a WLAN office
where all devices are allowed to connect if they have a valid certificate.
Other ESSIDs should only accept special devices, e.g. only devices with
the certificate's common name phone should be allowed to connect to the
ESSID voice.

I know the Siemens controller is able to send the ESSID the device is
trying to connect to inside the RADIUS request as a vendor specific attribute.

Is it possible with FreeRADIUS to match these requirements? To select
based on the ESSID the device is connecting to?
If the connecting ESSID is office, all devices with a valid
certificate are allowed to connect.
If the ESSID is voice, only devices with a valid certificate and with
a certificate's common name that contains *phone* are allowed to connect.
If the ESSID is production-1, only devices with a valid certificate
and with a certificate's common name that contains *mobile scanner* are
allowed to connect.

I've googled a lot, without success. All FreeRADIUS documentation I've
found about eap-tls only describes how to accept all devices with a valid
certificate.
I've seen this scenario running with commercial RADIUS servers but I
guess it might also be possible using FreeRADIUS.

Any tip or idea is welcome.

-- 
Ulf Leichsenring
u...@leichsenring.net



Re: Authenticating Restricted Users through LDAP

2009-04-01 Thread tnt
> I have a setup of Freeradius 1.1.4 running with openldap 2.2.13. The
> radius server authenticates clients based on Username and Password that
> clients provide through a web page. This is working fine. Now I want
> that restricted users in LDAP can be authenticated, but I cannot make a
> separate OU for those users, since there are other applications being
> served by this LDAP.
>
> Is there a way that I can set an attribute like radiusAccess in LDAP,
> and Radius Server will check from LDAP that if radiusAccess attribute is
> set to 1 AND Username and Passwords match, then it should give the
> access. For users whose radiusAccess attribute is not set, access should
> not be given even if Username and Password are correct.

Yes, the attribute is called dialupAccess in ldap. Read ldap.conf to see how
to set this up.

Ivan Kalik
Kalik Informatika ISP



Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?

2009-04-01 Thread Michael Schwartzkopff
On Wednesday, 1 April 2009 13:43:30, Ulf Leichsenring wrote:
> Hi FreeRADIUS user community
>
> I'm in search of some ideas for the following situation:
>
> Given are several WLANs controlled by a Siemens Hipath C2400 WLAN
> Controller with Siemens APs. The controller provides different WLANs
> identified by different ESSIDs. All WLAN clients use IEEE802.1x
> authentication with EAP-TLS and client certificates.
> The authentication is done by FreeRADIUS 1.0.1 on Redhat EL AS4.
>
> At the moment, all clients use certificates and inside the FreeRADIUS
> eap-tls section the CA certificates are trusted.
> All Windows clients use a MS CA and have certificates with the Windows
> system name as the certificate's common name. Other devices like mobile
> scanners or WLAN mobile phones (VoIP) have manually generated
> certificates with the device type as the certificate's common name, like
> phone, mobile scanner or else.
> So far, it works.
>
> But now I was asked if it is possible to restrict the association of
> several device types to defined ESSIDs. There should be a WLAN office
> where all devices are allowed to connect if they have a valid certificate.
> Other ESSIDs should only accept special devices, e.g. only devices with
> the certificate's common name phone should be allowed to connect to the
> ESSID voice.
>
> I know the Siemens controller is able to send the ESSID the device is
> trying to connect to inside the RADIUS request as a vendor specific attribute.
>
> Is it possible with FreeRADIUS to match these requirements? To select
> based on the ESSID the device is connecting to?
> If the connecting ESSID is office, all devices with a valid
> certificate are allowed to connect.
> If the ESSID is voice, only devices with a valid certificate and with
> a certificate's common name that contains *phone* are allowed to connect.
> If the ESSID is production-1, only devices with a valid certificate
> and with a certificate's common name that contains *mobile scanner* are
> allowed to connect.
>
> I've googled a lot, without success. All FreeRADIUS documentation I've
> found about eap-tls only describes how to accept all devices with a valid
> certificate.
> I've seen this scenario running with commercial RADIUS servers but I
> guess it might also be possible using FreeRADIUS.
>
> Any tip or idea is welcome.

Hi,

1) Upgrade to a current version of FR. 2.1.4 should do.

2) Edit your dictionary so that your FR understands the Siemens vendor spec
attributes.

3) Create an unlang (only FR version 2!) config that also checks for the new
ESSID attribute and the corresponding group membership; that should do the job.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Registry court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selectionpossible?

2009-04-01 Thread tnt
> I know the Siemens controller is able to send the ESSID the device is
> trying to connect to inside the RADIUS request as a vendor specific attribute.

And what VSA would it be? If you can find that attribute in the
dictionaries - it is possible. If you can't - you can add it yourself
to raddb/dictionary. It would be better to get the dictionary from
Siemens and post it to this list so it can be included in the freeradius
distribution (I don't see dictionary.siemens in the current server
dictionaries).

Ivan Kalik
Kalik Informatika ISP



Re: rlm_python example?

2009-04-01 Thread Mike O'Connor
Hi Hristo

Could you supply a quick example?

It's always good to get a working example after a problem is resolved (even
if the problem is resolved by the questioner).

Mike


Hristo Trendev wrote:
> The examples in src/modules/rlm_python gave me some hints and I
> figured it out. Thanks anyway.
>
> On Tue, Mar 31, 2009 at 3:43 PM, Hristo Trendev dist.li...@gmail.com wrote:
> > I am trying to figure out how to properly set up freeradius with
> > rlm_python. The module loads and scripts execute, but I seem to miss
> > something when I try to return value pairs to be used in the reply
> > packet (Access-Accept). I have tried with the following script:
> >
> > def authorize (params):
> >         print params
> >         return (0, ('Reply-Message', 'banned1'), ('Reply-Message', 'banned2'))
> >
> > and received (when I run with -X option):
> > -snip-
> > +- entering group authorize {...}
> > rlm_python:authorize: tuple element 0 is not a tuple
> > rlm_python:authorize: tuple element 1 is not a tuple
> > rlm_python:authorize: tuple element 0 is not a tuple
> > rlm_python:authorize: tuple element 1 is not a tuple
> > ++[python] returns reject
> > -snip-
> >
> > I have also tried changing it to:
> > def authorize (params):
> >         print params
> >         return (0, ('Reply-Message', 'banned'))
> >
> > but then I get:
> > -snip-
> > +- entering group authorize {...}
> > rlm_python:authorize: tuple must be (return, replyTuple, configTuple)
> > ++[python] returns ??
> > -snip-
> >
> > Can someone point me in the right direction? What is supposed to be
> > passed in configTuple? How do I return multiple value pairs at? I was
> > able to make it work with rlm_exec, but I'd like to use the python
> > module instead.
> >
> > I am using freeradius on ubuntu 8.04, installed via apt-get from
> > hardy-backports (2.1.0+dfsg-0ubuntu2~hardy1)
> >
> > BR,
> > Hristo

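Mike asks for a working example. The module below is an added example, not Hristo's script and not FreeRADIUS's own code: authorize() returns the (rcode, replyTuple, configTuple) triple rlm_python expects, where each of the last two is a tuple of (name, value) string pairs, and check_return() re-implements the module's shape checks so the two broken return values from the thread can be tried outside the server. The radiusd import, the fallback rcode numbers and the BANNED set are assumptions for stand-alone use.

```python
"""Minimal rlm_python module in the return shape the thread is asking about."""
try:
    import radiusd  # only importable when rlm_python loads this inside FreeRADIUS
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_OK = radiusd.RLM_MODULE_OK
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
except ImportError:
    # Fallback for stand-alone runs; numbering follows the server's rcode enum (assumed).
    RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_NOOP = 0, 2, 7

# Constructed block list; a real module would consult a database or file here.
BANNED = {"mallory"}


def _first(params, name):
    """params is the tuple of (attribute, value) string pairs rlm_python passes in."""
    for attr, value in params:
        if attr == name:
            return value
    return None


def authorize(params):
    """Called from the authorize section for every Access-Request."""
    user = _first(params, "User-Name")
    if user is None:
        return RLM_MODULE_NOOP  # a bare rcode is also acceptable to rlm_python
    if user in BANNED:
        # Two reply items: a tuple OF pairs, which is what the first attempt in
        # the thread got wrong (it returned the pairs as separate elements).
        reply = (("Reply-Message", "banned1"), ("Reply-Message", "banned2"))
        return (RLM_MODULE_REJECT, reply, ())  # third element must exist, may be empty
    # Add a reply item and leave authentication to the rest of the section.
    return (RLM_MODULE_OK, (("Reply-Message", "welcome " + user),), ())


def _check_pairs(vptuple):
    """Complaints rlm_python would log for one replyTuple / configTuple."""
    if vptuple is None:
        return []
    if not isinstance(vptuple, tuple):
        return ["non-tuple passed"]
    errors = []
    for idx, pair in enumerate(vptuple):
        if not isinstance(pair, tuple):
            errors.append("tuple element %d is not a tuple" % idx)
        elif len(pair) != 2:
            errors.append("tuple element %d is a tuple of size %d. must be 2" % (idx, len(pair)))
        elif not all(isinstance(s, str) for s in pair):
            errors.append("tuple element %d must be as (str, str)" % idx)
    return errors


def check_return(ret):
    """Validate a value authorize() returned; [] means rlm_python would accept it."""
    if isinstance(ret, int) or ret is None:
        return []
    if not isinstance(ret, tuple) or len(ret) != 3:
        return ["tuple must be (return, replyTuple, configTuple)"]
    if not isinstance(ret[0], int):
        return ["first tuple element not an integer"]
    return _check_pairs(ret[1]) + _check_pairs(ret[2])
```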

problem matching realms - for local auth not proxy

2009-04-01 Thread Seamus Bridgeman
Hi

Using freeradius 2.1.3 for separate Auth and Acct servers in a DSL/PPPoE n/w.
Using CHAP auth only and lookup via dbm file with users.txt fallback.
Can successfully authenticate/authorise against specific user profiles in
users dbm/txt but have problems when trying to match realms.
Have users dbm/txt file with a list of DEFAULT realm=xxx followed by user
profiles. A realm match simply returns L2TP tunnel profiles
for these realms (no fallthru). No realm match (null or other domains not in
proxy.conf) will do a lookup and return specific user profiles (i.e. matching
userxx Cleartext-Password := ).
Debug shows the rlm_realm module logging an error:  [suffix] Looking up realm
dslip for User-Name = j...@dslip [suffix] No such realm dslip

We are not proxying to remote servers but do local auth on matching realms.
Am I missing some step/module which imports the proxy.conf
file - or the order of modules in authorise{}? This issue occurs regardless of
dbm or files based lookup and in the realms module. If I remove proxy.conf
radius does not complain.

I've looked in the maillist for similar problems. Some reference to including
suffix in the preacct module but ours is an Auth server only. I have spent some
time testing and read man pages, searching related etc before resorting to
my first query to this maillist.

Any help appreciated

SeamusB

Setup
--

[1] Test users file with single record - a default realm :
DEFAULT Realm == dslip, Auth-Type := Accept
        Tunnel-Type:1 = L2TP,
        Tunnel-Medium-Type:1 = IP,
        Tunnel-Server-Endpoint:1 = xxx.xxx.xxx.xxx,
        Tunnel-Client-Auth-Id:1 = yyy,
        Tunnel-Password:1 = yyy,
        Tunnel-Assignment-Id:1 = dslip,
        Tunnel_Algorithm = 2,
        Tunnel_Domain = 1

Added to dbm file:
/usr/local/freeradius/bin/rlm_dbm_cat -f
/usr/local/freeradius/etc/raddb/users
DEFAULT Realm == dslip, Auth-Type := Accept
Tunnel-Type:1 = L2TP, Tunnel-Medium-Type:1 = IPv4,
Tunnel-Server-Endpoint:1 = 159.134.191.145, Tunnel-Client-Auth-Id:1 =
dslip, Tunnel-Password:1 = unlock, Tunnel-Assignment-Id:1 = dslip,
Tunnel_Algorithm = 2, Tunnel_Domain = 1

freeradiusdsldev00#


[2] proxy.conf has realm added as below and permissions 644 for
radius/radadmin
realm dslip {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
        nostrip
}

[3] radiusd.conf includes reference to realm module and includes in
authorise {} section. Also not including policy.conf which denies realms by
default.

modules {
        ..
        realm suffix {
                format = suffix
                delimiter = @
                ignore_default = no
                ignore_null = no
        }
}

authorize {
        preprocess
        suffix
        chap
        group {
                dbm {
                        ok = return
                        reject = return
                        notfound = return
                        fail = 1
                }
                files {
                        ok = return
                        reject = return
                        notfound = return
                        fail = return
                }
        }
}

[4] Radiusd -X output
client freeradiusdsldev00 {
require_message_authenticator = no
secret = testing123
shortname = freeradiusdsldev00
 }
radiusd:  Loading Realms and Home Servers 
radiusd:  Instantiating modules 
radiusd:  Loading Virtual Servers 
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/freeradius/etc/raddb/huntgroups
hints = /usr/local/freeradius/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_dbm
 Module: Instantiating dbm
  dbm {
usersfile = /usr/local/freeradius/etc/raddb/users
byclid_length = 4
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = /usr/local/freeradius/etc/raddb/users.txt
compat = no
byclid_length = 4
  }
 }
radiusd:  Opening IP addresses and Ports 
bind_address = *
WARNING: The directive 'bind_adress' is deprecated, and will be removed in
future versions of FreeRADIUS. Please edit the configuration files to use
 the directive 'listen'.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.




[5] Test when using radclient with test username j...@dslip which should
match the realm in proxy.conf and default profile in users.db. Server 

RE: SQL xlat not working

2009-04-01 Thread Eric Geier
> > I can't get SQL xlat to work in the Clients file. I'm trying to do a
> > DB query for the Shared Secret.
>
> And where did you find that it should work?

I've googled for it. Plus someone here had mentioned rlm_raw and using it
with a SQL xlat rule. I think I'm doing that, but it's not working. Please
let me know what might be holding it up.

> > I'm getting invalid Message-Authenticator (Shared secret is incorrect)
> > errors.
>
> You should fix the client secret to match the server, not the other way round.
>
> > The select statement works fine when run on my DB server.
> >
> > Have any suggestions?
>
> You can load clients from the nas table. See the read_clients setting near the
> end of the sql.conf file.

That may work, but could I have the Name field represent something besides
the IP, like the NAS-Identifier?

Thanks!
Eric



Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?

2009-04-01 Thread Ulf Leichsenring
Michael Schwartzkopff wrote:
> 1) Upgrade to a current version of FR. 2.1.4 should do.
>
> 2) Edit your dictionary so that your FR understands the Siemens vendor spec
> attributes.
>
> 3) Create an unlang (only FR version 2!) config that also checks for the new
> ESSID attribute and the corresponding group membership; that should do the job.

Thanks. I will update and study how to create an unlang config.


-- 
Ulf Leichsenring
u...@leichsenring.net



Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selectionpossible?

2009-04-01 Thread Ulf Leichsenring
t...@kalik.net wrote:
> And what VSA would it be? If you can find that attribute in the
> dictionaries - it is possible. If you can't - you can add it yourself
> to raddb/dictionary. It would be better to get the dictionary from
> Siemens and post it to this list so it can be included in the freeradius
> distribution (I don't see dictionary.siemens in the current server
> dictionaries).

I will ask Siemens for their VSA dictionary and post it to the list
if Siemens doesn't mind.


-- 
Ulf Leichsenring
u...@leichsenring.net



freeradius help

2009-04-01 Thread Basant Agarwal
Hello,
I am using Freeradius-1.1.7 with LDAP. I am able to authenticate users who
are in my LDAP directory when I run radtest, but I am unable to authenticate
the same users when I try from the laptop (wifi).
What should I do?

Here is the debug output when I try from radtest:

rad_recv: Access-Request packet from host 127.0.0.1:2050, id=203, length=58
User-Name = basant
User-Password = basant
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = basant, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for basant
radius_xlat:  '(cn=basant)'
radius_xlat:  'ou=radius,dc=basant,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=basant,dc=com/basant to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=radius,dc=basant,dc=com, with filter
(cn=basant)
rlm_ldap: checking if remote access for basant is allowed by cn
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user basant authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by basant with password basant
rlm_ldap: user DN: cn=basant,ou=admins,ou=radius,dc=basant,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as cn=basant,ou=admins,ou=radius,dc=basant,dc=com/basant to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user basant authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module ldap returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 203 to 127.0.0.1 port 2050
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 203 with timestamp 49d36e19
Nothing to do.  Sleeping until we see a request.





(The above output is from running the same FR server on a virtual machine;
the results are the same as when I do the same radtest on the server used
below, but the names of users, password and LDAP server are different.)

Here is the debug output when I try to test from the laptop:

rad_recv: Access-Request packet from host 172.16.1.205:3072, id=0,
length=129
User-Name = easypush
NAS-IP-Address = 172.16.1.205
Called-Station-Id = 001a70aa5bee
Calling-Station-Id = 0021002ca72e
NAS-Identifier = 001a70aa5bee
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020d016561737970757368
Message-Authenticator = 0x19517eaaaf0d384f55a94c110166d9a7
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = easypush, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for easypush
radius_xlat:  '(uid=easypush)'
radius_xlat:  'ou=people,dc=mnit,dc=ac,dc=in'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.1.150:389, authentication 0
rlm_ldap: bind as 

RE: SQL xlat not working

2009-04-01 Thread tnt
> I've googled for it. Plus someone here had mentioned rlm_raw and using it
> with a SQL xlat rule. I think I'm doing that, but it's not working. Please
> let me know what might be holding it up.

Lack of rlm_raw? That doesn't come with the server.

> > You can load clients from the nas table. See the read_clients setting near the
> > end of the sql.conf file.
>
> That may work, but could I have the Name field represent something besides
> the IP, like the NAS-Identifier?

No. Unless you alter the source code. Patches are welcome.

Ivan Kalik
Kalik informatika ISP



Re: freeradius help

2009-04-01 Thread tnt
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP NAK
>  rlm_eap: EAP-NAK asked for EAP-Type/peap
>  rlm_eap: No such EAP type peap
>   rlm_eap: Failed in EAP select

You have done something to eap.conf and disabled peap.

Ivan Kalik
Kalik Informatika ISP



RE: SQL xlat not working

2009-04-01 Thread Eric Geier
> > I've googled for it. Plus someone here had mentioned rlm_raw and using
> > it with a SQL xlat rule. I think I'm doing that, but it's not working.
> > Please let me know what might be holding it up.
>
> Lack of rlm_raw? That doesn't come with the server.

But even without using a raw attribute, the SQL xlat rule doesn't work, such
as:

client 192.168.0.1/32 {
        secret      = %{sql:SELECT secret FROM APs WHERE NAS-Identifier='blah'
        shortname   = testnet
}

When googling, I think I found that when using LDAP, I would have to change
a setting to get this working... I didn't find a similar setting for SQL.

> > > You can load clients from the nas table. See the read_clients setting near
> > > the end of the sql.conf file.
> >
> > That may work, but could I have the Name field represent something
> > besides the IP, like the NAS-Identifier?
>
> No. Unless you alter the source code. Patches are welcome.

Is there a how-to I can read to learn about this?



Re: problem matching realms - for local auth not proxy

2009-04-01 Thread Alan DeKok
Seamus Bridgeman wrote:
> Using freeradius 2.1.3 for separate Auth and Acct servers in DSL/PPPoE
> n/w. Using CHAP auth only and lookup via dbm file with users.txt fallback.
> Can successfully authenticate/authorise against specific user profiles
> in users dbm/txt but problems when trying to match realms.

  Why are you using the DBM files?

> We are not proxying to remote servers but do local auth on matching
> realms. Am I missing some step/module which imports the proxy.conf
> file - or the order of modules in authorise{} This issue occurs
> regardless dbm or files based lookup and in realms module.

  No.  The default configuration loads the proxy.conf file.

> If I remove proxy.conf radius does not complain.

  Because it's not required in all configurations.

> Added to dbm file:
> /usr/local/freeradius/bin/rlm_dbm_cat -f

  Don't use rlm_dbm.  Just use the normal users file.  It works, and
it's fast.

> [3] radiusd.conf includes reference to realm module and includes in
> authorise {} section. Also not including policy.conf which denies realms
> by default.

  No, it doesn't.  As the comments in that file should make clear, those
are SAMPLE policies.  They aren't used until you tell the server to use
them.

> authorize {
> ...
> }

  Great.  You've completely butchered the authorize section, and
removed all references to the realms module.

  Can you explain WHY you did this?  What documentation led you to
conclude that deleting the majority of that section was a good idea?

  The recommendation here is simple:

DO NOT BUTCHER THE DEFAULT INSTALL

  The default installation WORKS.  If you had simply added a realm, and
added entries in the users file... it would have WORKED.

  Instead, you spent a great deal of effort editing the configuration,
breaking it, and then trying to debug it.  Almost all of that work was
wasted.

  The default installation works.  Don't butcher it.  Read man
radiusd for instructions on how to edit the configuration without
breaking it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL xlat not working

2009-04-01 Thread Alan DeKok
Eric Geier wrote:
 But even without using a raw attribute, the SQL xlat rule doesn't work, such
 as:
 
 client 192.168.0.1/32 {
   secret  = %{sql:SELECT secret FROM APs WHERE NAS-Identifier='blah'

  That doesn't work.  Not only that, nothing in the documentation leads
you to believe that it COULD work.

   shortname   = testnet
 }
 
 When googling, I think I found that when using LDAP, I would have to change
 a setting to get this working... I didn't find a similar setting for SQL.

  There isn't one.

 Is there a how to I can read to learn about this?

  The source code is freely available, and well commented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Seg Fault in 2.0.3

2009-04-01 Thread Alan DeKok
Garber, Neal wrote:
 I have a FR 2.0.3 server running under FreeBSD 6.3 which intermittently
 exits with a segmentation fault.

  Upgrade.

  I tried searching the list for known
 seg fault issues with 2.0.3 and only found one which sounded like it
 only happens when running under gdb.  Do you think upgrading to 2.1.3
 (it’s the latest port for FR under FreeBSD) could potentially resolve
 this issue?  (I’m not looking for a guarantee, just an opinion based
 upon whether there were known seg faults in 2.0.3 that were fixed in
 later releases.) 

  Yes.

 Should I run FR under gdb to get more information
 about the seg fault?

  You could, but unless you're going to debug the source code yourself,
I wouldn't suggest it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

if we add a smartcard!

2009-04-01 Thread new conf
Hi everybody and experts in freeradius; :)

I'm a new user of the server. I succeeded in connecting a client (supplicant)
over wifi to the radius server using an EAP method.
Now I have to secure the server private key on a smart card. Do you have an
idea what I can add in eap.conf and in this attribute:

certificate_file =  ??

I'll be grateful for your help!

thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: if we add a smartcard!

2009-04-01 Thread new conf
or private_key_file=...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Radclient PHP

2009-04-01 Thread AHMED KHIDR
Hi All,

Please, does anyone have an idea how to write PHP code to run Radclient in
order to disconnect users?

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radclient PHP

2009-04-01 Thread Paul Bartell
try
exec() or shell_exec()

2009/4/1 AHMED KHIDR a.kh...@gmail.com:
 Hi All,

 Please, does anyone have an idea how to write PHP code to run Radclient in
 order to disconnect users?

 Thanks
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Random quote of the week/month/whenever i get to updating it:
Opportunity knocked. My doorman threw him out. - Adrienne Gusoff

At school you don't get parole, good behavior only brings a longer
sentence. - The History Boys

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radclient PHP

2009-04-01 Thread AHMED KHIDR
Thanks,
I tried it but it didn't work,
I found another method.

Here is the code:


<?php
// Values the NAS expects: the session's User-Name, the NAS address and
// the shared secret configured for Disconnect/CoA requests on the NAS.
$user   = 'ahmedkhidr';
$nas    = '1.1.1.2';
$secret = 'password';

// Pipe "User-Name=..." into radclient and send a Disconnect-Request to
// the NAS on port 1700. escapeshellarg() keeps user-supplied values from
// being interpreted by the shell; 2>&1 captures radclient's -x debug output.
$handle = popen('/bin/echo User-Name=' . escapeshellarg($user)
              . ' | /usr/local/bin/radclient -x ' . escapeshellarg($nas . ':1700')
              . ' disconnect ' . escapeshellarg($secret) . ' 2>&1', 'r');
$read = fread($handle, 2096);
echo $read;
pclose($handle);
?>

Don't forget to chmod the /usr/local/etc/raddb/dictionary to 644


Regards
On Thu, Apr 2, 2009 at 3:14 AM, Paul Bartell paul.bart...@gmail.com wrote:

 try
 exec() or shell_exec()

 2009/4/1 AHMED KHIDR a.kh...@gmail.com:
   Hi All,
 
  Please, does anyone have an idea how to write PHP code to run Radclient in
  order to disconnect users?
 
  Thanks
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 



 --
 Random quote of the week/month/whenever i get to updating it:
 Opportunity knocked. My doorman threw him out. - Adrienne Gusoff

 At school you don't get parole, good behavior only brings a longer
 sentence. - The History Boys

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
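To show what radclient is actually doing for that disconnect, here is an added Python example (not from the thread or from the FreeRADIUS project) that builds an RFC 5176 Disconnect-Request carrying a User-Name, computes the Request Authenticator from the shared secret, and only accepts a Disconnect-ACK/NAK whose Response Authenticator proves the NAS holds the same secret. The host 1.1.1.2, port 1700, user and secret are the thread's sample values; build_response is a hypothetical NAS-side helper used as a test double.

```python
import hashlib
import socket
import struct

# RFC 5176 (Dynamic Authorization Extensions) packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME = 1  # RFC 2865 attribute type for User-Name


def build_disconnect_request(identifier, user_name, secret):
    """Disconnect-Request carrying one User-Name attribute. The Request
    Authenticator is MD5(Code+ID+Length+16 zero bytes+Attributes+Secret),
    so a NAS that does not know the secret will silently drop it."""
    name = user_name.encode()
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(request, code, secret, attrs=b""):
    """What the NAS sends back (hypothetical helper, used as a test double):
    Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(request, response, secret):
    """Return the response code (41 = ACK, 42 = NAK) only if the Response
    Authenticator proves the sender holds the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        raise ValueError("short packet or identifier mismatch")
    code, _, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("length field disagrees with packet size")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        raise ValueError("bad Response Authenticator (wrong shared secret?)")
    return code


def send_disconnect(nas, port, user_name, secret, timeout=3.0):
    """Send one request over UDP and return the verified response code.
    Port 1700 mirrors the thread's radclient call; RFC 5176 assigns 3799."""
    request = build_disconnect_request(1, user_name, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas, port))
        response, _ = sock.recvfrom(4096)
    return verify_response(request, response, secret)
```

Calling send_disconnect("1.1.1.2", 1700, "ahmedkhidr", b"password") reproduces the thread's radclient invocation against a real NAS; a NAS replies with NAK (42) when it cannot match the session, and with nothing at all when the secret is wrong.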

RE: Seg Fault in 2.0.3

2009-04-01 Thread Garber, Neal
   Upgrade.
 

That's what I was hoping you would say.  Thanks Alan.

  Should I run FR under gdb to get more information
  about the seg fault?
 
   You could, but unless you're going to debug the source code
yourself,
 I wouldn't suggest it.

I would, but there's no need if upgrading to 2.1.3 will correct the
problem.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html