dynamic ip address allocation problem for wifi system
I have implemented a wifi authentication system wherein users authenticate themselves using their username and password. I am using EAP-PEAP for this purpose. Further, I want to assign ip addresses to the users dynamically. From whatever documentation I have read, I gather that using rlm_ippool module does not work for EAP authentication. Also, FreeRADIUS does not support DHCP fully. I am using OpenLDAP as a database which stores entries of all the users authorised to use the wireless system. FreeRADIUS version is 2.1.1.

So, first of all, am I correct in saying that rlm_ippool cannot be used with EAP authentication for assigning ip addresses to clients (not access points but end users of wifi system)? Also, is there any patch or sample code available for allocating ip addresses dynamically using DHCP? And if both the above methods are not possible, then is there any other way to assign ip addresses to clients dynamically?

--
View this message in context: http://www.nabble.com/dynamic-ip-address-allocation-problem-for-wifi-system-tp23018683p23018683.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: billing using radius
Thanks Parham, I'm new to freeradius. Could you please send me the configs needed in the freeradius files? I want to disconnect some users after receiving 8G and for others I want to calculate based on KB that they have used rather than 8G. In which file should I make the changes?

> Message: 1
> Date: Sun, 12 Apr 2009 14:45:21 +0430
> From: "Parham Beheshti"
> Subject: RE: billing using radius
> To: "FreeRadius users mailing list"
>
> Hello,
> Well, this can be very simple ... or very complicated ...
> I'm doing traffic based accounting with freeradius and have been more than
> happy.
> Our scenario is pretty complicated, it involves different pricing KB for
> day of week/time of day, users are able to purchase additional credit, etc.
> To get you started:
>
> 1. You can get user's traffic (acctinputoctets+acctoutputoctets) for a
> given time period and don't let the user login next time he/she wants to
> access the service. This will take care of not letting users over the quota
> to login...
>
> 2. You can check your online users periodically and send COA (Disconnect
> packet) if user's traffic is above your limit...
>
> 3. You may have very long sessions (days, weeks or months) that cross
> boundaries, for example: 10GB/week and have sessions longer than a week. To
> solve this issue you need to have interim-update packets from your NAS, the
> NAS will send you packets regularly... use this against your old data to
> calculate how much traffic was used. Create a daily traffic table and update
> it with calculated amount. Use counters based on the dailytraffic.
>
> Depending on number of users you have you may need to partition your daily
> traffic table.
>
> This solution scales pretty good:
> we have about 50,000 broadband users, 5 minute interim-update and we have
> hourly and daily traffic information tables. We are nowhere near our limits
> and freeradius/mysql is scaling very well. (10% load)
>
> You will be better off to do all this calculation in stored procedures
> instead of queries ...
> Let me know if you need more info
>
> Cheers,
> Parham
>
> --
>
> Hi,
> I use freeradius server for accounting of vpn users. I use monthly counter
> to limit users but now I want if user's traffic is rather than specific
> amount, I will be able to have billing for them and to disconnect some of
> them. Is it possible to have billing with config in freeradius or a new
> software is needed?
> Could radius disconnect users based on amount of traffic not counters?
>
> End of Freeradius-Users Digest, Vol 48, Issue 48
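Point 3 of the quoted advice (cumulative interim-update counters turned into a daily traffic table, then checked against a quota), as an added Perl example that is not code from the thread or from FreeRADIUS. The record field names, the sample records and the 8 GiB weekly limit are assumptions; the example also folds in the Acct-*-Gigawords attributes, which the thread does not mention but which any quota above 4 GiB depends on.

```perl
#!/usr/bin/perl
# Added example (not from the thread): daily traffic roll-up from cumulative
# RADIUS accounting counters, followed by a weekly quota check.
use strict;
use warnings;
use POSIX qw(strftime);
use Time::Local qw(timegm);

use constant GIGAWORD => 4294967296;                # 2**32 octets
use constant QUOTA    => 8 * 1024 * 1024 * 1024;    # assumed limit: 8 GiB per week

# Cumulative octets reported by one accounting record. Acct-Input-Octets and
# Acct-Output-Octets are 32-bit and wrap at 4 GiB; Acct-Input-Gigawords and
# Acct-Output-Gigawords count the wraps.
sub record_total {
    my ($r) = @_;
    my $in  = ($r->{in_gw}  // 0) * GIGAWORD + ($r->{in}  // 0);
    my $out = ($r->{out_gw} // 0) * GIGAWORD + ($r->{out} // 0);
    return $in + $out;
}

# Turn cumulative per-session counters into per-user, per-day deltas.
# Returns (\%daily, \@anomalies); %daily is { user => { 'YYYY-MM-DD' => octets } }.
sub roll_up {
    my @records = sort { $a->{ts} <=> $b->{ts} } @_;
    my (%seen, %daily, @anomalies);
    for my $r (@records) {
        my $key   = join '|', @{$r}{qw(nas session user)};
        my $total = record_total($r);
        my $prev  = $seen{$key} // 0;
        if ($total < $prev) {
            # Counters went backwards: a duplicate, a late packet or a reused
            # session id. Do not bill it; keep it for review.
            push @anomalies, $r;
            next;
        }
        my $day = strftime('%Y-%m-%d', gmtime($r->{ts}));
        $daily{ $r->{user} }{$day} += $total - $prev;
        $seen{$key} = $total;
    }
    return (\%daily, \@anomalies);
}

# Sum a user's daily rows between two inclusive YYYY-MM-DD dates.
sub usage_in_window {
    my ($daily, $user, $from, $to) = @_;
    my $days = $daily->{$user} // {};
    my $sum  = 0;
    for my $day (keys %$days) {
        $sum += $days->{$day} if $day ge $from && $day le $to;
    }
    return $sum;
}

# Constructed sample records (not real data): one session that crosses
# midnight UTC and wraps the 32-bit output counter, one record whose counters
# are lower than an earlier report for the same session, and a second user.
my @sample = (
    { user => 'alice', nas => '192.0.2.10', session => 'a1',
      ts => timegm(0, 50, 23, 12, 3, 2009), in => 1_000_000_000, out => 2_000_000_000 },
    { user => 'alice', nas => '192.0.2.10', session => 'a1',
      ts => timegm(0, 5, 0, 13, 3, 2009), in => 1_500_000_000, out_gw => 1, out => 100_000_000 },
    { user => 'alice', nas => '192.0.2.10', session => 'a1',
      ts => timegm(0, 10, 0, 13, 3, 2009), in => 10, out => 10 },
    { user => 'alice', nas => '192.0.2.10', session => 'a1',
      ts => timegm(0, 0, 12, 13, 3, 2009), in_gw => 1, in => 0, out_gw => 1, out => 500_000_000 },
    { user => 'bob', nas => '192.0.2.10', session => 'b1',
      ts => timegm(0, 0, 9, 13, 3, 2009), in => 1000, out => 2000 },
);

my ($daily, $anomalies) = roll_up(@sample);

for my $user (sort keys %$daily) {
    for my $day (sort keys %{ $daily->{$user} }) {
        printf "%-6s %s %.0f octets\n", $user, $day, $daily->{$user}{$day};
    }
    my $used = usage_in_window($daily, $user, '2009-04-07', '2009-04-13');
    my $flag = ($used > QUOTA) ? 'OVER QUOTA' : 'ok';
    printf "%-6s week total %.0f octets: %s\n", $user, $used, $flag;
}

for my $r (@$anomalies) {
    printf "skipped record for %s session %s at %s: counters went backwards\n",
        $r->{user}, $r->{session},
        strftime('%Y-%m-%d %H:%M:%S', gmtime($r->{ts}));
}
```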
Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.
Similar problem here...

$INCLUDE sql.conf

was commented in modules section. Removing # was the solution. By default, this was ok in older versions.

On Mon, Apr 13, 2009 at 7:42 AM, piston wrote:
>
> IBM x3550 server install Debian lenny.
>
> Download freeradius from
> ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.4.tar.gz,
> compile and install.
>
> Question:
>
> 1. freeradius -v showing freeradius 2.1.5, was this correct?
>
> 2. trying to use mysql as database, uncomment sql in
> site-available/default, running debug mode got such error
> /etc/freeradius/sites-enabled/default[152]: Failed to find module "sql".
> /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize
> section.
>
> 3. On the same server download, compile & install freeradius 2.1.3 with
> mysql, no problem. What could be the problem on the version 2.1.4/2.1.5?
>
> Thank you
Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.
Thanks. Got it resolved. By the way, is this version of freeradius 2.1.4 or 2.1.5? A bit confused here.

From: Marinko Tarlac
To: FreeRadius users mailing list
Sent: Monday, April 13, 2009 3:20:08 PM
Subject: Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.

> Similar problem here...
>
> $INCLUDE sql.conf
>
> was commented in modules section. Removing # was the solution. By default, this was ok in older versions.
>
> On Mon, Apr 13, 2009 at 7:42 AM, piston wrote:
> > IBM x3550 server install Debian lenny.
> >
> > Download freeradius from
> > ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.4.tar.gz,
> > compile and install.
> >
> > Question:
> >
> > 1. freeradius -v showing freeradius 2.1.5, was this correct?
> >
> > 2. trying to use mysql as database, uncomment sql in
> > site-available/default, running debug mode got such error
> > /etc/freeradius/sites-enabled/default[152]: Failed to find module "sql".
> > /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
> >
> > 3. On the same server download, compile & install freeradius 2.1.3 with
> > mysql, no problem. What could be the problem on the version 2.1.4/2.1.5?
> >
> > Thank you
Log and datatime
Is it possible to log the date and time of connection and disconnection of each user?

--
Giuseppe Moscato aka peppeska - Linux User - no html messages
ggipp...@yahoo.it - http://peppeska.altervista.org
Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D
Re: Log and datatime
Yes, it's stored in table radacct.

----- Original Message -----
From: "peppeska"
To: "FreeRadius users mailing list"
Sent: Monday, April 13, 2009 3:58 PM
Subject: Log and datatime

> Is it possible to log the date and time of connection and disconnection of each user?
>
> --
> Giuseppe Moscato aka peppeska - Linux User - no html messages
> ggipp...@yahoo.it - http://peppeska.altervista.org
> Fingerprint = 90DC 05A8 2D65 BC04 BD1B 4C07 C389 434B 3201 319D
no entries in radacct
Complete Newb to FreeRadius here.

I have:

radiusd -v
radiusd: FreeRADIUS Version 2.1.5, for host x86_64-unknown-linux-gnu, built on Apr 1 2009 at 15:51:57

built from freeradius-server-2.1.4.tar.gz on an OpenSuSE 10.X server using postgresql 8.3.3

Authorize works well, all my NAS info is in the NAS table, and I have dial up clients using now on a very limited basis. My problem is that I can not get the accounting to work in postgres, my radacct table is empty. Everything I have read has said to put sql in the accounting section and I have done this. I also uncommented the section:

$INCLUDE sql/${database}/dialup.conf

At the end of the log file I have this:

radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
/usr/local/etc/raddb/modules/counter[71]: Failed to link to module 'rlm_counter': rlm_counter.so: cannot open shared object file: No such file or directory
Errors initializing modules

I "assume" this is my problem? I did a find for rlm_counter.so and, guess what, it was not found. I then looked for just rlm_counter and it was found in freeradius-server-2.1.4/src/modules/rlm_counter from the tarball. I did read a list post from back in October of 2002 that talked about libtool not working well on SuSE, not sure if this is still the case.

Any pointers? Am I going down the wrong road? Is there anything else that is glaringly missing? Any other relevant info I need to add here to aid in getting help?

Thanks for any help.
--
JohnM
Offloading password verification
Hi All,

I'm running version 1.18 currently on Ubuntu 2.6.24-19-server; configured to use MYSQL for all auth and accounting requests. I have been asked to move the password verification away from MySQL and use an external username/password DB (managed by another company), for which my only method of access is an http API (given a username and password the API returns either 1 or 0). All attributes will still be held in the current MySQL freeradius DB; and all the users that exist in the API DB will also exist in the same current MySQL DB. The password is passed as PAP through to freeradius currently from the NAS devices, and the API also expects a plaintext password.

I was thinking I could use the perl module to achieve this; but am a little lost with where to start (writing the perl script is fine). I guess the point of my post is how to keep all the attributes in MySQL and only offload the password to the API; and where this change would fit in to the radiusd.conf file?

Any advice would be gratefully received.

Many Thanks,
Phil
rlm_perl don't support tagged attributes
Hello Freeradius-users,

FreeRADIUS Version 2.1.5 (it was downloaded as 2.1.4, but it writes about itself as 2.1.5)

Portion from "radiusd -X" output:

 Module: Linked to module rlm_perl
 Module: Instantiating erxlogontime
  perl erxlogontime {
	module = "/usr/local/freeradius-2.1.4/etc/raddb/servicelogintime.pl"
	func_authorize = "authorize"
	func_authenticate = "authenticate"
	func_accounting = "accounting"
	func_preacct = "preacct"
	func_checksimul = "checksimul"
	func_detach = "detach"
	func_xlat = "xlat"
	func_pre_proxy = "pre_proxy"
	func_post_proxy = "post_proxy"
	func_post_auth = "post_auth_erx"
  }

File servicelogintime.pl:

use strict;
# use ...
# This is very important! Without this the script will not get the filled hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
# This is for check items
#my %RAD_CHECK;

#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

# Function to handle post_auth
sub post_auth_erx {
	&radiusd::radlog(1, "* custom post_auth procedure *");

	# For debugging purposes only
	#&log_request_attributes;
	#for (keys %RAD_REPLY)
	#{
	#	&radiusd::radlog(1, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
	#}

	return RLM_MODULE_NOOP;
}

Procedure post_auth_erx executed as expected. Portion from debug output:

+- entering group post-auth {...}
GOT CLONE -1212740928 0x82bbaf0
rlm_perl: * custom post_auth procedure *

but after returning from post_auth_erx all tags from attributes are reset to zero:

Sending Access-Accept of id 186 to 192.168.100.73 port 60654
	ERX-Service-Login-Time:0 = "Al1800-2359,Al-0859"
	ERX-Qos-Profile-Name = "SP_WCL"
	ERX-Qos-Parameters += "world_value 100"
	ERX-Qos-Parameters += "assure_world_value 10"
	ERX-Qos-Parameters += "city_value 1000"
	ERX-Service-Statistics:0 += time-volume
	ERX-Service-Statistics:0 += time-volume
	ERX-Service-Activate:0 += "world(100)"
	ERX-Service-Activate:0 += "city(1000)"
	ERX-Service-Activate:0 += "deny"
	ERX-Service-Interim-Acct-Interval:0 += 600
	ERX-Service-Interim-Acct-Interval:0 += 600

If we comment out module servicelogintime.pl, we receive correct tagged attributes:

Sending Access-Accept of id 154 to 192.168.100.73 port 65168
	ERX-Service-Login-Time:1 = "Al1800-2359,Al-0859"
	ERX-Service-Activate:1 += "world(100)"
	ERX-Service-Statistics:1 += time-volume
	ERX-Service-Interim-Acct-Interval:1 += 600
	ERX-Qos-Parameters += "world_value 100"
	ERX-Qos-Parameters += "assure_world_value 10"
	ERX-Service-Activate:2 += "city(1000)"
	ERX-Service-Statistics:2 += time-volume
	ERX-Service-Interim-Acct-Interval:2 += 600
	ERX-Qos-Parameters += "city_value 1000"
	ERX-Service-Activate:3 += "deny"
	ERX-Qos-Profile-Name = "SP_WCL"

--
Best regards,
Igor
mailto:i...@is.ua
RE: no entries in radacct
>'rlm_counter': rlm_counter.so: cannot open shared object file: No such file or directory

This is in the FAQ. Fix your linker PATH.

Ivan Kalik
Kalik Informatika ISP
RE: Offloading password verification
>I was thinking I could use the perl module to achieve this; but am a little lost with where to start (writing the perl script is fine).

Just pass $RAD_REQUEST User-Name and User-Password to the API and set Auth-Type to Accept or Reject according to the reply from it.

>I guess the point of my post is how to keep all the attributes in MySQL and only offload the password to the API

Just remove the password from the database and leave the rest as it is. You can list perl in authorize or make Auth-Type perl and then force it. Listing in authorize gives you more options if something goes wrong with remote authentication.

Ivan Kalik
Kalik Informatika ISP
RE: dynamic ip address allocation problem for wifi system
>So, first of all, am I correct in saying that rlm_ippool cannot be used with EAP authentication for assigning ip addresses to clients

Yes.

>Also, is there any patch or sample code available for allocating ip addresses dynamically using DHCP?

Erm, no. DHCP server *will* assign dynamic IPs by default.

Ivan Kalik
Kalik Informatika ISP
Re: Detail file polling issues
Alan DeKok wrote:
> Some people have seen the detail file listener go "crazy", and use
> lots of CPU. I've managed to reproduce the problem, and have committed a
> fix to the "stable" tree.
>
> Please see http://git.freeradius.org/pre/ for tar files && debian
> files containing the fix. Or, see http://git.freeradius.org/ for
> instructions on grabbing the latest "stable" code from git.
>
> Alan DeKok.

Alan,

I just tried the 2.1.5 pre-release and the issue with the detail file listener going crazy seems to have been corrected. Thank you.

However, the issue of the spooled detail files being deleted remains. Doing my best to analyze the debug file and some copies of the listener detail files before they are deleted, it appears that FR starts to read the detail file (i.e. detail.work) and then starts a loop where it keeps adding the data that is read back into the main listener file (i.e. detail-20090413). It appears to do this a number of times and then stops and deletes all of the files in the listener directory.

If you need any additional information from me, please let me know. I could send you examples of the listener detail files off list if it will be of assistance.

Thanks,

Jim L.
Re: no entries in radacct
Ivan Kalik wrote:
>> 'rlm_counter': rlm_counter.so: cannot open shared object file: No such file or directory
>
> This is in the FAQ. Fix your linker PATH.
>
> Ivan Kalik
> Kalik Informatika ISP

OK I read the section that says:

"Could not link ... file not found", what do I do?

and I have in ld.so.conf the paths to the SQL libs in /usr/local/pgsql. I also have the normal /usr/local/lib and /usr/local/lib64.

Also the sql module is loading as evidenced by the fact that the users are authorizing against the postgresql DB. I know I must be missing something simple but I do not know what. What libs am I looking for for the rlm_counter to build if not the postgresql libs?

I even did an export of the postgresql libs, reran configure and make, and found this in the make output:

Making all in rlm_sqlcounter...
gmake[6]: Entering directory `/home/jmillican/installs/freeradius-server-2.1.4/src/modules/rlm_sqlcounter'
for x in .libs/* rlm_sqlcounter.la; do \
	rm -rf /home/jmillican/installs/freeradius-server-2.1.4/src/modules/lib/$x; \
	ln -s /home/jmillican/installs/freeradius-server-2.1.4/src/modules/rlm_sqlcounter/$x /home/jmillican/installs/freeradius-server-2.1.4/src/modules/lib/$x; \
done
gmake[6]: Leaving directory `/home/jmillican/installs/freeradius-server-2.1.4/src/modules/rlm_sqlcounter'

then from make install:

gmake[6]: Entering directory `/home/jmillican/installs/freeradius-server-2.1.4/src/modules/rlm_sqlcounter'
if [ "xrlm_sqlcounter" != "x" ]; then \
	/home/jmillican/installs/freeradius-server-2.1.4/libtool --mode=install /home/jmillican/installs/freeradius-server-2.1.4/install-sh -c -c \
		rlm_sqlcounter.la /usr/local/lib/rlm_sqlcounter.la || exit $?; \
	rm -f /usr/local/lib/rlm_sqlcounter-2.1.5.la; \
	ln -s rlm_sqlcounter.la /usr/local/lib/rlm_sqlcounter-2.1.5.la || exit $?; \
fi
libtool: install: warning: relinking `rlm_sqlcounter.la'
(cd /home/jmillican/installs/freeradius-server-2.1.4/src/modules/rlm_sqlcounter; /bin/sh /home/jmillican/installs/freeradius-server-2.1.4/libtool --mode=relink gcc -release 2.1.5 -module -export-dynamic -o rlm_sqlcounter.la -rpath /usr/local/lib rlm_sqlcounter.lo rlm_sqlcounter.c /home/jmillican/installs/freeradius-server-2.1.4/src/lib/libfreeradius-radius.la -lnsl -lresolv -lpthread )
gcc -shared .libs/rlm_sqlcounter.o -L/usr/local/lib -lfreeradius-radius -lnsl -lresolv -lpthread -Wl,-soname -Wl,rlm_sqlcounter-2.1.5.so -o .libs/rlm_sqlcounter-2.1.5.so
/home/jmillican/installs/freeradius-server-2.1.4/install-sh -c -c .libs/rlm_sqlcounter-2.1.5.soT /usr/local/lib/rlm_sqlcounter-2.1.5.so
(cd /usr/local/lib && { ln -s -f rlm_sqlcounter-2.1.5.so rlm_sqlcounter.so || { rm -f rlm_sqlcounter.so && ln -s rlm_sqlcounter-2.1.5.so rlm_sqlcounter.so; }; })
/home/jmillican/installs/freeradius-server-2.1.4/install-sh -c -c .libs/rlm_sqlcounter.lai /usr/local/lib/rlm_sqlcounter.la
/home/jmillican/installs/freeradius-server-2.1.4/install-sh -c -c .libs/rlm_sqlcounter.a /usr/local/lib/rlm_sqlcounter.a
chmod 644 /usr/local/lib/rlm_sqlcounter.a
ranlib /usr/local/lib/rlm_sqlcounter.a
PATH="$PATH:/sbin" ldconfig -n /usr/local/lib
--
Libraries have been installed in:
   /usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
--
gmake[6]: Leaving directory `/home/jmillican/installs/freeradius-server-2.1.4/src/modules/rlm_sqlcounter'

Could it be that radiusd is looking for rlm_counter.so while what I actually have is rlm_sqlcounter.so? If this is the case is it due to a config error on my part?

--
JohnM
Re: Offloading password verification
Phil Meech wrote:
> I'm running version 1.18 currently on Ubuntu 2.6.24-19-server;

There is no version 1.18, and no version 1.1.8, either.

> configured to use MYSQL for all auth and accounting requests. I have
> been asked to move the password verification away from MySQL and use
> an external username/password DB (managed by another company), for
> which my only method of access is an http API (given a username and
> password the API returns either 1 or 0).

That's horrible. And it won't work for most EAP types.

> All attributes will still be
> held in the current MySQL freeradius DB; and all the users that exist
> in the API DB will also exist in the same current MySQL DB. The
> password is passed as PAP through to freeradius currently from the NAS
> devices, and the API also expects a plaintext password.

If all you're doing is PAP, it's ugly, but perhaps functional.

> I was thinking I could use the perl module to achieve this; but am a
> little lost with where to start (writing the perl script is fine). I
> guess the point of my post is how to keep all the attributes in MySQL
> and only offload the password to the API; and where this change would
> fit in to the radiusd.conf file?

Write a Perl script to do the authentication from the command line. Hard-code the username/password in the script to start.

Once it works, change the username && password to use $RAD_REQUEST{'User-Name'}, and $RAD_REQUEST{'User-Password'}.

Then, configure the Perl module to use your script, and have the "check http" function be called from the authenticate hook.

Alan DeKok.
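The procedure in the reply above (a script that first works from the command line, then reads %RAD_REQUEST, then runs from the authenticate hook), as an added Perl example that is not code from the thread or from FreeRADIUS. The endpoint URL, the form field names and the CHECK_HTTP_CLI environment variable are hypothetical; the example prompts for test credentials instead of hard-coding them and treats every API failure as "not authenticated".

```perl
#!/usr/bin/perl
# Added example (not from the thread): rlm_perl authenticate hook that hands
# PAP credentials to an external HTTP API answering "1" or "0".
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use LWP::UserAgent;    # HTTPS additionally needs LWP::Protocol::https

# Return codes, same values as in the rlm_perl script quoted on this page.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_FAIL    => 1;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_INVALID => 4;

# Hypothetical endpoint and field names; substitute the provider's real ones.
my $API_URL = 'https://auth-api.example.invalid/verify';

my $ua = LWP::UserAgent->new(
    timeout      => 5,                          # do not stall a RADIUS worker
    max_redirect => 0,                          # never resend credentials elsewhere
    ssl_opts     => { verify_hostname => 1 },   # refuse unverified TLS peers
);

# Log through radiusd when running inside rlm_perl, to STDERR otherwise.
# The password is never written to any log line.
sub note {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { radiusd::radlog(1, $msg) }
    else                          { print STDERR "$msg\n" }
}

# The "check http" function: 1 = accepted, 0 = refused, undef = API failure.
sub check_http {
    my ($user, $pass) = @_;
    my $res = $ua->post($API_URL, { username => $user, password => $pass });
    unless ($res->is_success) {
        note("password API unavailable: " . $res->status_line);
        return;
    }
    my $body = $res->decoded_content();
    $body = '' unless defined $body;
    $body =~ s/^\s+|\s+$//g;
    return 1 if $body eq '1';
    return 0 if $body eq '0';
    note("password API returned an unexpected body");
    return;
}

# Name this function in func_authenticate of the perl module configuration.
sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};

    # Only PAP carries a plaintext User-Password; EAP, CHAP and MS-CHAP
    # requests contain nothing this API can check.
    unless (defined $user && length $user && defined $pass && length $pass) {
        note("no PAP credentials in request");
        return RLM_MODULE_INVALID;
    }

    my $ok = check_http($user, $pass);
    return RLM_MODULE_FAIL unless defined $ok;    # fail closed on API errors
    note("password API " . ($ok ? "accepted" : "refused") . " user $user");
    return $ok ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}

# Command-line check, the first step of the procedure. It runs only when
# the (hypothetical) CHECK_HTTP_CLI variable is set, so nothing here
# executes when radiusd loads the file.
if ($ENV{CHECK_HTTP_CLI}) {
    print STDERR "username: ";
    chomp(my $u = <STDIN> // '');
    print STDERR "password: ";
    chomp(my $p = <STDIN> // '');
    %RAD_REQUEST = ('User-Name' => $u, 'User-Password' => $p);
    print "authenticate() returned ", authenticate(), "\n";
}

1;
```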
Re: Detail file polling issues
JDL wrote:
> I just tried the 2.1.5 pre-release and the issue with the detail file
> listener going crazy seems to have been corrected. Thank you.

That's good.

> However, the issue of the spooled detail files being deleted remains.
> Doing my best to analyze the debug file and some copies of the listener
> detail files before they are deleted, it appears that FR starts to read
> the detail file (i.e. detail.work) and then starts a loop where it keeps
> adding the data that is read back into the main listener file (i.e.
> detail-20090413).

The detail module does NOT write to the detail file if the request was read from a detail file. However, it checks this only for accounting.

On top of that, your configuration clearly logs to the detail file *twice*. Once when the packet is read from the network, and then again when it's read from the detail file.

The solution is simple:

1) Don't write to the detail file twice. See raddb/sites-available/robust-proxy-accounting. Note that the listen section that reads from the detail file is in a virtual server. AND the "accounting" section for that virtual server does NOT log to the detail file.

2) Ensure that only the "accounting" section is logging to the detail file, and not any others.

> It appears to do this a number of times and then stops
> and deletes all of the files in the listener directory.

Because it has processed all of the packets in all of the files. The fact that it's logged them *again* to a detail file is little more than a misconfiguration on your local system.

Alan DeKok.
Re: no entries in radacct
John Millican wrote:
> "Could not link ... file not found", what do I do?
> and I have in ld.so.conf the paths to the SQL libs in /usr/local/pgsql I
> also have the normal /usr/local/lib and /usr/local/lib64

No. The entry in the FAQ is an *EXAMPLE*. If it can't find a module... ANY module, not JUST the SQL module... it's because the libraries for that module can't be found.

This usually happens when:

1) you build on one server, and copy the rlm_* to another server, but *don't* install the libraries needed by the rlm_* modules.

2) you ignored the output of "configure" and "make", and try to configure a module that needs a library... when that library isn't on your system.

This looks like case (2). The rlm_counter module needs some things (these are printed out at the "configure" stage). They haven't been found, so the rlm_counter module wasn't built.

Even though the module doesn't exist, you're trying to make the server use it.

Install the dependencies needed by rlm_counter, and it will be created during the "make" process.

Alan DeKok.
Looking to pay someone for a customization
Hi, if anyone is interested in customizing the source code for me, please check out either site:

http://www.getacoder.com/projects/c_developer_radius_expe_102912.html
http://www.odesk.com/jobs/Developer-with-RADIUS-Experience_~~f48a82c177d7e1b3?tot=129&pos=7

I would like FreeRADIUS to check incoming requests based upon the domain (derived from the username), instead of the NAS IP addresses.

Thanks!
Eric
Re: Detail file polling issues
Alan DeKok wrote:
> On top of that, your configuration clearly logs to the detail file
> *twice*. Once when the packet is read from the network, and then again
> when it's read from the detail file.

I assume you are referring to this:

server acct_detail.imaginenet {
	accounting {
		detail
		detail.imaginenet
	}
}

I was logging the accounting packets twice to try to locate the missing information. The listener should only see the second one which writes to the listener directory, correct?

> The solution is simple:
>
> 1) Don't write to the detail file twice.

I have commented out ALL detail lines from all active configuration files (including sites-enabled/default) except for the one that corresponds to the robust-proxy-accounting example.

> See raddb/sites-available/robust-proxy-accounting.

My configuration matches robust-proxy-accounting as much as it can and still work in my site (see attached).

> Note that the listen section that reads from the detail file is in a
> virtual server. AND the "accounting" section for that virtual server
> does NOT log to the detail file.

The accounting section for that virtual server matches robust-proxy-accounting.

> 2) Ensure that only the "accounting" section is logging to the detail
> file, and not any others.

Done.

The files are still being deleted when the home accounting server is down. I have attached my site configuration.

Jim L.

# -*- text -*-
##
#
#	This is a sample configuration for robust proxy accounting.
#	accounting packets are proxied, OR logged locally if all
#	home servers are down. When the home servers come back up,
#	the accounting packets are forwarded.
#
#	This method enables the server to proxy all packets to the
#	home servers when they're up, AND to avoid writing to the
#	detail file in most situations.
#
#	In most situations, proxying of accounting messages is done
#	in a "pass-through" fashion. If the home server does not
#	respond, then the proxy server does not respond to the NAS.
#	That means that the NAS must retransmit packets, sometimes
#	forever. This example shows how the proxy server can still
#	respond to the NAS, even if all home servers are down.
#
#	This configuration could be done MUCH more simply if ALL
#	packets were written to the detail file. But that would
#	involve a lot more disk writes, which may not be a good idea.
#
#	This file is NOT meant to be used as-is. It needs to be
#	edited to match your local configuration.
#
#	$Id$
#
##

# Authentication Servers
##

home_server auth_home1.imaginenet.net {
	type = auth
	ipaddr = 192.168.78.115
	port = 1812
	secret =

	# Mark this home server alive ONLY when it starts being responsive
	status_check = status-server

	# Set the response timeout aggressively low.
	# You MAY have to increase this, depending on tests with
	# your local installation.
	response_window = 6
#	response_window = 20
#	zombie_period = 40
#	revive_interval = 120
#	check_interval = 30
#	num_answers_to_alive = 3
}

home_server auth_home2.imaginenet.net {
	type = auth
	ipaddr = 192.168.78.6
	port = 1812
	secret =

	# Mark this home server alive ONLY when it starts being responsive
	status_check = status-server

	# Set the response timeout aggressively low.
	# You MAY have to increase this, depending on tests with
	# your local installation.
	response_window = 6
#	response_window = 20
#	zombie_period = 40
#	revive_interval = 120
#	check_interval = 30
#	num_answers_to_alive = 3
}

home_server_pool auth_pool.imaginenet {
	type = load-balance
#	type = fail-over
	home_server = auth_home1.imaginenet.net
	home_server = auth_home2.imaginenet.net
}

# Accounting Servers
##

home_server acct_home1.imaginenet.net {
	type = acct
	ipaddr = 192.168.78.115
	port = 1813
	secret =

	# Mark this home server alive ONLY when it starts being responsive
	status_check = status-server

	# Set the response timeout aggressively low.
	# You MAY have to increase this, depending on tests with
	# your local installation.
	response_window = 6
#	response_window = 20
#	zombie_period = 40
#	revive_interval = 120
#	check_interval = 30
#	num_answers_to_alive = 3
}

home_server acct_detail.imaginenet {
	virtual_server = acct_detail.imaginenet
}

home_serve
Help for radius configuration
Hello,

I want to install freeradius server for the authentic wifi users, whose database is stored in ldap server. Users who will use the wifi are mostly windows xp/vista users.

What I have tried:

(1) Installed openssl by apt-get install command (also by the source code, by the commands ./configure, make, make install).

(2) Installed freeradius-1.1.7: ./configure, make, make install.

(3) Used default configuration and added one entry in the users file. (Also tried installing with apt-get install freeradius freeradius-ldap freeradius-eappeap.) It worked well with radtest from localhost, but when I try from a laptop it does not work. After that I tried to configure eap type peap, since I came to know that windows xp/vista support EAP/PEAP for wifi authentication. With this configuration also radtest works well, but from the laptop it does not work.

(4) I receive the following request from the AP:

	Message-Authenticator = 0x3f459af06e42a2a0b7cf9c1d80092e31
	Service-Type = Framed-User
	User-Name = "testap"
	Framed-MTU = 1488
	Called-Station-Id = "00-15-E9-C9-F3-80:MNIT-DC-AP"
	Calling-Station-Id = "00-16-6F-7C-DB-2D"
	NAS-Identifier = "D-link Corp. Access Point"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x020b01746573746170
	NAS-IP-Address = 172.16.1.80
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"

I want to ask you: how will the radius server authenticate the user, since it is not getting the user password or hashed password?

(4) I have tried all the above process for freeradius-2.1.4 also. (When I try to install freeradius-2.1.4 it does not include eap/peap even though I have installed openssl previously. No problem with freeradius-1.1.7.)

I have tried all installations on debian/ubuntu/deepofix.

I want to ask: is it compulsory to configure EAP/PEAP since our end users would have windows xp/vista? What will be the basic configuration?

I am sorry I am not posting any debug output here. The reason is that I have posted those already and got solutions for that, but still I am not getting things working. Probably I got things wrong, hence I am posting all the things which I need. Please give your views on what I have understood wrong and what I should do. Please provide me the steps for this scenario.
NAS table
Can anyone help? I want to set my RADIUS server to read the NAS from table NAS in the radius database. My radius is still reading NAS from clients.conf. Appreciate your help.
eap issues
module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating auth_log detail auth_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m% d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: Opening IP addresses and Ports listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * 
port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.251 port 2054, id=2, length=143 User-Name = "spare" NAS-IP-Address = 192.168.10.251 NAS-Port = 0 Called-Station-Id = "00-21-29-E3-D1-8A" Calling-Station-Id = "00-1F-5B-CB-1C-DB" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02e5000a017370617265 Message-Authenticator = 0xd54f005ed1a17b4b96c8f2875e2a4e95 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.10.251/auth-detail-20090413 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m %d expands to /var/log/radius/radacct/192.168.10.251/auth-detail-20090413 [auth_log] expand: %t -> Mon Apr 13 11:39:49 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "spare", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 229 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for spare [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=spare) [ldap] expand: ou=People,ou=Accounts,o=Company,c=US -> ou=People,ou=Accounts,o=Company,c=US rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=admin,o=Company,c=US/$OBSCURED to localhost:389 rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,ou=Accounts,o=Company,c=US, with filter (uid=spare) [ldap] checking if remote access for spare is allowed by uid [ldap] Added User-Password = {crypt}$OBSCURED in check items [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x$OBSCURED rlm_ldap: sambaLmPassword -> LM-Password == 0x$OBSCURED [ldap] looking for reply items in directory... [ldap] user spare autho
RE: no entries in radacct
> Could it be that radiusd is looking for rlm_counter.so while what I actually have is rlm_sqlcounter.so? If this is the case is it due to a config error on my part?

rlm_counter and rlm_sqlcounter are different modules. If you are not using the counter module, remove it from the configuration (I think daily is enabled in the default configuration). Check instantiate (radiusd.conf) and the authorize and accounting sections in virtual servers.

Ivan Kalik
Kalik Informatika ISP
RE: Help for radius configuration
> I want to ask you that how radius server with get authentic the user since it is not getting user password or hashed password ..??

It is. It's in EAP-Message. So, stop forcing Auth-Type Ldap. Don't do that. Just don't. Delete that line and EAP will work.

Ivan Kalik
Kalik Informatika ISP
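Decoding the EAP-Message values from the debug output quoted on this page, as an added example (not code from the thread or from FreeRADIUS; the function and dictionary names are this example's own). It parses the EAP header defined in RFC 3748 and shows that these first Access-Requests carry an EAP Identity response, so the password proof travels in later EAP-Message rounds of the same conversation.

```python
"""Decode RADIUS EAP-Message attribute values (added example, RFC 3748 header layout)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types from the IANA EAP registry that come up in this thread.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap_message(value: str) -> dict:
    """Parse one EAP-Message value as printed by radiusd -X (0x-prefixed hex)."""
    text = value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("an EAP packet has at least a 4-byte header")

    # Header: Code (1 byte), Identifier (1 byte), Length (2 bytes, big-endian).
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    info = {
        "code": EAP_CODES.get(code, f"unknown({code})"),
        "id": identifier,
        "declared_length": length,
        "bytes_present": len(raw),
        "complete": length == len(raw),
    }
    if not info["complete"]:
        # Either the value was damaged in transcription, or it is one piece of
        # a packet split over several EAP-Message attributes (a RADIUS
        # attribute holds at most 253 octets). Do not interpret the body.
        return info

    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:
            # Identity: the body is the user name, no credential material.
            info["identity"] = raw[5:length].decode("utf-8", errors="replace")
    return info


# Values copied from the two debug dumps on this page.
SAMPLES = {
    "eap issues": "0x02e5000a017370617265",
    "Help for radius configuration": "0x020b01746573746170",
}

if __name__ == "__main__":
    for thread, value in SAMPLES.items():
        print(thread, parse_eap_message(value))
```

The value from the "eap issues" log decodes to a Response with id 229 and length 10, matching the "[eap] EAP packet type response id 229 length 10" line in that log. The value in the "Help for radius configuration" post, as it appears on this page, declares 372 bytes but holds 9, so the parser reports it as incomplete instead of guessing at its body.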
RE: NAS table
Have you enabled read_clients in sql.conf? Doing that doesn't disable reading clients.conf. Just remove duplicate clients from the file.

Ivan Kalik
Kalik Informatika ISP

-Original Message-
From: freeradius-users-bounces+tnt=kalik@lists.freeradius.org [mailto:freeradius-users-bounces+tnt=kalik@lists.freeradius.org] On Behalf Of Nizar Zulmi
Sent: 13 April 2009 19:40
To: freeradius-users@lists.freeradius.org
Subject: NAS table

i want to set my radius server reading the NAS from table NAS on radius database. my radius are still reading NAS from clients.conf.
RE: eap issues
> using the ca.der and caclient.p12 (using Ivan's newer script for generating) for TLS

That was for 2.0.5. 2.1.x has updated Makefile by default.

> Below is radiusd -X log with one failed attempt and it just seems as if the eap challenges go out but responses never come back.

[ldap] checking if remote access for spare is allowed by uid
[ldap] Added User-Password = {crypt}$OBSCURED in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x$OBSCURED
rlm_ldap: sambaLmPassword -> LM-Password == 0x$OBSCURED
...
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
...

No wonder. You are using crypt and NT hashed passwords for EAP-MD5. That can't work.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP
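Why a server holding only a {crypt} or NT hash cannot check an EAP-MD5 response while PAP can use the same hash, as an added example (not code from the thread or from FreeRADIUS). The password, challenge and salt are constructed values, and salted SHA-256 is an assumption standing in for the stored one-way hash so the script runs on any Python.

```python
"""EAP-MD5 versus stored password hashes (added example, constructed values)."""
import hashlib
import hmac


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 3748 section 5.4 reuses the CHAP calculation from RFC 1994:
    # MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def stored_hash(password: bytes) -> bytes:
    # Assumption: salted SHA-256 stands in for {crypt} or an NT hash.
    # Any one-way function gives the same outcome below.
    return hashlib.sha256(b"constructed-salt" + password).digest()


def server_checks_eap_md5(identifier: int, challenge: bytes,
                          response: bytes, stored: bytes) -> bool:
    # The server must feed MD5 the same secret the supplicant used.
    expected = eap_md5_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def server_checks_pap(submitted_password: bytes, stored: bytes) -> bool:
    # With PAP the server recovers the password itself from the request,
    # so it can hash it the way the directory did and compare.
    return hmac.compare_digest(stored_hash(submitted_password), stored)


def run_demo() -> dict:
    password = b"constructed-password"
    identifier, challenge = 0x2A, bytes(range(16))  # constructed
    # Supplicant side: it knows the clear-text password.
    response = eap_md5_response(identifier, password, challenge)
    # Directory side: only the one-way hash is stored.
    directory_hash = stored_hash(password)
    return {
        "eap_md5_with_cleartext": server_checks_eap_md5(
            identifier, challenge, response, password),
        "eap_md5_with_hash": server_checks_eap_md5(
            identifier, challenge, response, directory_hash),
        "pap_with_hash": server_checks_pap(password, directory_hash),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```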
RE: eap issues
On Mon, 2009-04-13 at 22:20 +0100, Ivan Kalik wrote:
> > using the ca.der and caclient.p12 (using Ivan's newer script for
> > generating) for TLS
>
> That was for 2.0.5. 2.1.x has updated Makefile by default.

it didn't have the various caclient generation stuff -

> > Below is radiusd -X log with one failed attempt and it just seems as if the
> > eap challenges go out but responses never come back.
>
> [ldap] checking if remote access for spare is allowed by uid
> [ldap] Added User-Password = {crypt}$OBSCURED in check items
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password == 0x$OBSCURED
> rlm_ldap: sambaLmPassword -> LM-Password == 0x$OBSCURED
> ...
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ...
>
> No wonder. You are using crypt and NT hashed passwords for EAP-MD5. That
> can't work.
>
> http://deployingradius.com/documents/protocols/compatibility.html

OK, that sort of makes sense to me.

So I have two sections in eap.conf, ttls and peap, which both ask for 'default_eap_type = *', and I have set them both to mschapv2, and in the eap section at the top I changed default_eap_type to tls.

Does this make sense?

Craig
3Com 3226 .1X to freeradius fails
Hello all,

I am trying to connect a Windows XP/sp2 machine to my network using a 3com 3226 superstack switch as a NAS. This Windows client can successfully authenticate via a wireless access point when using WPA2/AES via PEAP/mschap2. However, when I plug the same client into my 3com 3226 switch configured for .1X I am unable to authenticate. The supplicant interface is the only wired interface on this laptop and is configured for PEAP. I am not trying to use a certificate at this point, Auth type is EAP-MSCHAPV2, and automatically use Windows logon is ticked.

Running wireshark on the XP box shows no radius traffic but a series of EAP messages that go like this:

EAP failure from NAS
EAP Request message from NAS
EAP Response from supplicant
EAP Request from NAS
EAP Response from Supplicant
EAP failure from NAS
EAP Request from NAS
EAP Response from supplicant
EAP request, PEAP [Palekar] from NAS
Client hello, SSL from supplicant

Then nothing else...

I hope someone can help me figure this out.

Thanks!
John

Output from the Freeradius server is below:

FreeRADIUS Version 2.1.5, for host i486-pc-linux-gnu, built on Apr 1 2009 at 10:01:13
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/mschap.back.secondtry including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/mschap.back including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_filter including configuration file 
/etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/control-socket including configuration file /etc/freeradius/sites-enabled/inner-tunnel group = freerad user = freerad including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/fr
Re: other device to store configuration!
Hello,

I realize that my smart card has a non-standard structure (private keys are stored in a table), not structured with PKCS#12 or 15. So I have to request it to get those keys. I have the commands to do that.

My question is: is it possible to convert the outputs of the smartcard (APDUs in hexadecimal format) to a ".pem" file that my server can request? Please, do you have an idea or a suggestion?

Thank you,
W.
Re: LDAP with fallback on local authentication?
On Mon, Apr 13, 2009 at 4:48 AM, Ivan Kalik wrote:
> > You've mentioned a few times that LDAP is not meant for
> > authentication, however the default config that ships with FreeRADIUS has
> > LDAP in the authentication section. Could you clear that up a little for me
> > please? (or point me to somewhere it's been cleared up before?)
>
> Don't force Auth-Type Ldap.
>
> But you will have to use two sql instances - one to store reply info and
> one to store backup passwords. You can't store passwords in sql (used for
> reply attributes) and ldap as well.
>
> authorize {
>     ...
>     sql_reply
>     ldap
>     if (notfound | fail) {
>         sql_bkp_pass
>     }
>     ...
> }

Works perfectly. Exactly what I was after. Thanks Ivan.

Regards,
Justin
RE: eap issues
On Mon, 2009-04-13 at 22:20 +0100, Ivan Kalik wrote:
> > using the ca.der and caclient.p12 (using Ivan's newer script for
> > generating) for TLS
>
> That was for 2.0.5. 2.1.x has updated Makefile by default.
>
> > Below is radiusd -X log with one failed attempt and it just seems as if the
> > eap challenges go out but responses never come back.
>
> [ldap] checking if remote access for spare is allowed by uid
> [ldap] Added User-Password = {crypt}$OBSCURED in check items
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password == 0x$OBSCURED
> rlm_ldap: sambaLmPassword -> LM-Password == 0x$OBSCURED
> ...
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ...
>
> No wonder. You are using crypt and NT hashed passwords for EAP-MD5. That
> can't work.
>
> http://deployingradius.com/documents/protocols/compatibility.html

I'm working...at least on Macintosh. I'll drag in my Windows laptop tomorrow to see if I can make either the standard WinXP SP3 supplicant work now and I've also got the S2ecure TTLS software.

Thanks, that was a helpful clue.

Craig
Re: NAS table
I enabled this in sql.conf:

readclients = yes

Do I have to remove this:

client 127.0.0.1 { # # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the # default, otherwise it's not a secret any more! # # The secret can be any string, up to 31 characters in length. # secret = passwordradius # # # The shared secret use to "encrypt" and "sign" packets between # the NAS and FreeRADIUS. You MUST change this secret from the # default, otherwise it's not a secret any more! # # The secret can be any string, up to 31 characters in length. # secret = passwordradius # # The short name is used as an alias for the fully qualified # domain name, or the IP address. # shortname = localhost # # the following three fields are optional, but may be used by # checkrad.pl for simultaneous use checks # # # The nastype tells 'checkrad.pl' which NAS-specific method to # use to query the NAS for simultaneous use. # # Permitted NAS types are: # # cisco # computone # livingston # max40xx # multitech # netserver # pathras # patton # portslave # tc # usrhiper # other # for all other types # nastype = other # localhost isn't usually a NAS...

From: Ivan Kalik
To: FreeRadius users mailing list
Sent: Tuesday, April 14, 2009 5:11:55 AM
Subject: RE: NAS table

Have you enabled read_clients in sql.conf? Doing that doesn't disable reading clients.conf. Just remove duplicate clients from the file.

Ivan Kalik
Kalik Informatika ISP

-Original Message-
From: freeradius-users-bounces+tnt=kalik@lists.freeradius.org [mailto:freeradius-users-bounces+tnt=kalik@lists.freeradius.org] On Behalf Of Nizar Zulmi
Sent: 13 April 2009 19:40
To: freeradius-users@lists.freeradius.org
Subject: NAS table

i want to set my radius server reading the NAS from table NAS on radius database. my radius are still reading NAS from clients.conf.
help for radius
Hello,

Please let me know: is it compulsory to configure EAP/PEAP, since our end users have Windows XP/Vista? Or will it also work with EAP-MD5 (that is the default configuration, without any change after installation)?

Thanks.
Re: NAS table
Nizar Zulmi wrote:
> i enable this on sql.conf readclients = yes do i have to remove this : client 127.0.0.1 {

Do you have a "127.0.0.1" client in your nas table? If so, then yes, you will need to remove it or else you will end up with a duplicate. If this client is not in your nas table, then you can just leave the 127.0.0.1 client in the clients.conf file.

BTW, I think the 127.0.0.1 client is just there for testing purposes. I do not believe it will break anything if it is completely removed (unless, of course, you are also running some sort of radius client on the same server as FreeRADIUS).

Jim L.