Re: how to disable double connection
Tseveendorj wrote:
> I don't know where the problem is.

Neither do I. You haven't posted the debug output, as suggested in the FAQ, README, INSTALL, man page, and daily on this list.

> I would really appreciate more detailed help on it.

Did you follow the instructions in the file doc/Simultaneous-Use? Do you have any questions about it?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to disable double connection
I use a DB, NAS alive/interim-update packets and rlm_perl scripts.

----- Original Message -----
From: Alan DeKok <al...@deployingradius.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Thursday, April 16, 2009 12:02 PM
Subject: Re: how to disable double connection

> Tseveendorj wrote:
>> I don't know where the problem is.
>
> Neither do I. You haven't posted the debug output, as suggested in the FAQ, README, INSTALL, man page, and daily on this list.
>
>> I would really appreciate more detailed help on it.
>
> Did you follow the instructions in the file doc/Simultaneous-Use? Do you have any questions about it?
>
> Alan DeKok.
Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4
Hello!

I've already asked about the very same problem with tagged attributes and rlm_perl in FreeRADIUS 1.1.7, and Ivan Kalik <t...@kalik.net> told me that he tested it on 2.1.4, so I've upgraded to the new version:

    FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.1, built on Apr 16 2009 at 10:42:09

But the problem persists. And now it has become even worse: it does not authorize even for the first time. Log file attached. If I uncomment the $RAD_REPLY{'ERX-Service-Activate:2'} = "deny" line in the code, radiusd just dies. When it is commented out, radiusd returns the attributes ERX-Service-Activate and ERX-Service-Statistics without a tag.

Thanks in advance for help.

Code snippet of my rlm_perl authorize() function:

    if (($RAD_REQUEST{'User-Name'} eq 'admin') and ($RAD_REQUEST{'User-Password'} eq 'test')) {
        # Start from an empty reply. The posted line was "%RAD_REPLY = undef;",
        # which assigns a one-element list and leaves a bogus '' key in the hash.
        %RAD_REPLY = ();
        # Tagged attributes (":1", ":2") are what this thread is about.
        $RAD_REPLY{'ERX-Service-Activate:1'}      = "telesys";
        $RAD_REPLY{'ERX-Service-Statistics:1'}[0] = "time-volume";
        # Multi-valued attributes are array references in rlm_perl.
        $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
        $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
        #$RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
        $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
        $RAD_REPLY{'Framed-IP-Address'}    = '10.0.112.2';
        $RAD_REPLY{'Framed-IP-Netmask'}    = "255.255.255.255";
        $RAD_REPLY{'ERX-Primary-DNS'}      = "77.91.190.21";
        $RAD_REPLY{'ERX-Secondary-DNS'}    = "77.91.190.24";
        return RLM_MODULE_OK;
    } else {
        return RLM_MODULE_REJECT;
    }

--
Alexandr Kovalenko
http://uafug.org.ua/

(attachment: radiusd.log)
Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4
Another log file, with the $RAD_REPLY{'ERX-Service-Activate:2'} = "deny"; line uncommented, is attached (the crash was not related to freeradius initially).

On Thu, Apr 16, 2009 at 12:31 PM, Alexandr Kovalenko <alexandr.kovale...@gmail.com> wrote:
> Hello!
>
> I've already asked about the very same problem with tagged attributes and rlm_perl in FreeRADIUS 1.1.7, and Ivan Kalik <t...@kalik.net> told me that he tested it on 2.1.4, so I've upgraded to the new version:
>
>     FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.1, built on Apr 16 2009 at 10:42:09
>
> But the problem persists. And now it has become even worse: it does not authorize even for the first time. Log file attached. If I uncomment the $RAD_REPLY{'ERX-Service-Activate:2'} = "deny" line in the code, radiusd just dies. When it is commented out, radiusd returns the attributes ERX-Service-Activate and ERX-Service-Statistics without a tag.
>
> Thanks in advance for help.
>
> Code snippet of my rlm_perl authorize() function:
>
>     if (($RAD_REQUEST{'User-Name'} eq 'admin') and ($RAD_REQUEST{'User-Password'} eq 'test')) {
>         # Start from an empty reply. The posted line was "%RAD_REPLY = undef;",
>         # which assigns a one-element list and leaves a bogus '' key in the hash.
>         %RAD_REPLY = ();
>         $RAD_REPLY{'ERX-Service-Activate:1'}      = "telesys";
>         $RAD_REPLY{'ERX-Service-Statistics:1'}[0] = "time-volume";
>         $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
>         $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
>         # $RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
>         $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
>         $RAD_REPLY{'Framed-IP-Address'}    = '10.0.112.2';
>         $RAD_REPLY{'Framed-IP-Netmask'}    = "255.255.255.255";
>         $RAD_REPLY{'ERX-Primary-DNS'}      = "77.91.190.21";
>         $RAD_REPLY{'ERX-Secondary-DNS'}    = "77.91.190.24";
>         return RLM_MODULE_OK;
>     } else {
>         return RLM_MODULE_REJECT;
>     }
>
> --
> Alexandr Kovalenko
> http://uafug.org.ua/

--
Alexandr Kovalenko
http://uafug.org.ua/

(attachment: radiusd2.log)
Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4
On Thu, Apr 16, 2009 at 1:34 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Alexandr Kovalenko wrote:
>> I've already asked about the very same problem with tagged attributes and rlm_perl in FreeRADIUS 1.1.7, and Ivan Kalik <t...@kalik.net> told me that he tested it on 2.1.4, so I've upgraded to the new version:
>
> It doesn't support tagged attributes, either. The source code for the module will need to be updated to support tagged attributes.

Thanks for the reply. Then I have a few questions:

1. How could it be that it worked in 1.1.7 (but only the 1st auth attempt; all further ones didn't, until restart)?
2. Is there any work-in-progress project on adding support for tagged attributes in rlm_perl?
3. Is there any workaround to make it work?
4. Which of these modules: rlm_python, rlm_exec, rlm_anything other user programmable support tagged attributes?

Thanks in advance.

--
Alexandr Kovalenko
http://uafug.org.ua/
Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4
Alexandr Kovalenko wrote:
> I've already asked about the very same problem with tagged attributes and rlm_perl in FreeRADIUS 1.1.7, and Ivan Kalik <t...@kalik.net> told me that he tested it on 2.1.4, so I've upgraded to the new version:

It doesn't support tagged attributes, either. The source code for the module will need to be updated to support tagged attributes.

Alan DeKok.
Re: rlm_perl behavior
Yes, that would be great. One perl interpreter per freeradius thread, that is. And I suppose the CLONE function would work again as expected (i.e. each freeradius thread would have its own perl interpreter and each script relying on this interpreter would have its own connection to the DB). And the perl clones will not be controlled by the perl.conf (as in 2.0.x) but by the max_servers directive in radiusd.conf, right?

I am ready for testing whenever you have a patch ready.

Alan DeKok wrote:
> Apostolos Pantsiopoulos wrote:
>> I understand that there may be some benefits in the current implementation (2.1.x) such as less threads, smaller memory footprint etc. but why change something that has been tested and working in the first place?
>
> A quest to make it better. If we were satisfied with the functionality of the server in 1.0, we would have had no improvements since then.
>
> In any case, it looks like it may be easy to change it so that there is one Perl thread per server thread. Would you be prepared to test patches?
>
> Alan DeKok.

--
---
Apostolos Pantsiopoulos
Kinetix Tele.com R&D
email: r...@kinetix.gr
---
RE: NAS table
Dear list, all. Don't know how to thank you for replying to my email and answering my questions. And sorry for so many questions. :D

I've run this command: radiusd -X, but it returned this:

    The program 'radiusd' can be found in the following packages:
     * radiusd-livingston
     * yardradius
     * xtradius
    Try: apt-get install <selected package>

I read the freeradius documentation on how to debug in Ubuntu, and I tried the command freeradius -X and it returned this message:

    freeradius -X
    Starting - reading configuration files ...
    reread_config:  reading radiusd.conf
    Config:   including file: /etc/freeradius/proxy.conf
    Config:   including file: /etc/freeradius/clients.conf
    Config:   including file: /etc/freeradius/snmp.conf
    Config:   including file: /etc/freeradius/eap.conf
    Config:   including file: /etc/freeradius/sql.conf
     main: prefix = /usr
     main: localstatedir = /var
     main: logdir = /var/log/freeradius
     main: libdir = /usr/lib/freeradius
     main: radacctdir = /var/log/freeradius/radacct
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /var/log/freeradius/radius.log
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /var/run/freeradius/freeradius.pid
     main: user = freerad
     main: group = freerad
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/sbin/checkrad
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = no
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files:  reading dictionary
    read_config_files:  reading naslist
    Using deprecated naslist file.  Support for this will go away soon.
    read_config_files:  reading clients

This message appears after I comment out this in clients.conf:

    #client 127.0.0.1 {
    #    secret = passwordradius
    #    shortname = localhost
    #    nastype = other    # localhost isn't usually a NAS...
    #}

But if I uncomment that and then run freeradius -X, it returns this message:

     main: debug_level = 0
    read_config_files:  reading dictionary
    read_config_files:  reading naslist
    Using deprecated naslist file.  Support for this will go away soon.
    read_config_files:  reading clients
    read_config_files:  reading realms
    radiusd:  entering modules setup
    Module: Library search path is /usr/lib/freeradius
    Module: Loaded exec
     exec: wait = yes
     exec: program = (null)
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
     pap: encryption_scheme = crypt
     pap: auto_header = yes
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
     mschap: use_mppe = yes
     mschap: require_encryption = no
     mschap: require_strong = no
     mschap: with_ntdomain_hack = no
     mschap: passwd = (null)
     mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
     unix: cache = no
     unix: passwd = (null)
     unix: shadow = /etc/shadow
     unix: group = (null)
     unix: radwtmp = /var/log/freeradius/radwtmp
     unix: usegroup = no
     unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
     eap: default_eap_type = md5
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
     gtc: challenge = Password:
     gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
     mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
     preprocess: huntgroups = /etc/freeradius/huntgroups
     preprocess: hints = /etc/freeradius/hints
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = no
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
     preprocess: with_alvarion_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
     realm: format = suffix
     realm: delimiter = @
     realm: ignore_default = no
     realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded SQL
     sql: driver = rlm_sql_mysql
     sql: server = localhost
     sql: port =
     sql: login = root
     sql: password = jOeLya
     sql: radius_db = radius
     sql: nas_table = nas
     sql: sqltrace = no
     sql: sqltracefile = /var/log/freeradius/sqltrace.sql
     sql: readclients = yes
     sql: deletestalesessions = yes
     sql: num_sql_socks = 5
     sql: sql_user_name = %{User-Name}
     sql: default_user_profile =
     sql: query_on_not_found = no
     sql:
Mikrotik radius-mac-authentication
I'm using Freeradius to control the access to my Mikrotik APs. In the radius database I've put in the radcheck table all the mac-addresses of my clients. When I put "accept" as a value, the clients connect immediately, but when I put "reject" the clients that are already connected do not disconnect. I have to disable radius-mac-authentication in the security profile of the wireless interface and enable it again so that the connected clients that are declared as rejected disconnect from the APs and do not reconnect again. Is there anything I can do to automatically block even the connected clients when I put "reject" as a value?

Thanks in advance
Adi

--
View this message in context: http://www.nabble.com/Mikrotik-radius-mac-authentication-tp23077135p23077135.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: rlm_perl behavior
From my point of view we should have a pool of perl clones per each module instance. This way we could have multiple perl instances (each with its own perl script to run). Limiting to a perl clone or interp per server thread will limit the multiple instances feature of rlm_perl. Again, playing with min and max spare can give us some possibilities to force not unloading the perl interpreter during the lifetime of the server, and this way we can keep some DB handlers from reconnecting each time.

Alan, what is your point?

Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002

On Apr 16, 2009, at 2:38 PM, Apostolos Pantsiopoulos wrote:
> Yes, that would be great. One perl interpreter per freeradius thread, that is. And I suppose the CLONE function would work again as expected (i.e. each freeradius thread would have its own perl interpreter and each script relying on this interpreter would have its own connection to the DB). And the perl clones will not be controlled by the perl.conf (as in 2.0.x) but by the max_servers directive in radiusd.conf, right?
>
> I am ready for testing whenever you have a patch ready.
>
> Alan DeKok wrote:
>> Apostolos Pantsiopoulos wrote:
>>> I understand that there may be some benefits in the current implementation (2.1.x) such as less threads, smaller memory footprint etc. but why change something that has been tested and working in the first place?
>>
>> A quest to make it better. If we were satisfied with the functionality of the server in 1.0, we would have had no improvements since then.
>>
>> In any case, it looks like it may be easy to change it so that there is one Perl thread per server thread. Would you be prepared to test patches?
>>
>> Alan DeKok.
>
> --
> ---
> Apostolos Pantsiopoulos
> Kinetix Tele.com R&D
> email: r...@kinetix.gr
> ---
Help with initial setup Sita--Ext. Radius--Int.Radius--AD
Good morning,

Our organization is trying to set up Wireless Users authentication via AD with Radius in between. The reason for Ext. and Int. Radius is based on our security group's recommendations. I've installed freeradius-1.1.3 from RedHat. It's up on both Ext and Int boxes. I was able to run radtest and radclient locally on both machines, but when I am trying to run them from Ext to Int I am getting these errors:

    radclient: no response from server for ID 174

I've set access for all users in /etc/raddb/users and defined clients in /etc/raddb/clients.conf according to the documentation. I am totally new to Radius and at this point I am lost as to what to try next. Any help greatly appreciated.

Thanks
Lev Podlazov
IMF
202-623-4054
Re: Help with initial setup Sita--Ext. Radius--Int.Radius--AD
On Thu, Apr 16, 2009 at 09:41:21AM -0400, Podlazov, Lev wrote:
> Good morning,
>
> Our organization is trying to set up Wireless Users authentication via AD with Radius in between. The reason for Ext. and Int. Radius is based on our security group's recommendations. I've installed freeradius-1.1.3 from RedHat. It's up on both Ext and Int boxes. I was able to run radtest and radclient locally on both machines, but when I am trying to run them from Ext to Int I am getting these errors:
>
>     radclient: no response from server for ID 174
>
> I've set access for all users in /etc/raddb/users and defined clients in /etc/raddb/clients.conf according to the documentation. I am totally new to Radius and at this point I am lost as to what to try next. Any help greatly appreciated.
>
> Thanks
> Lev Podlazov
> IMF
> 202-623-4054

Wow, I would really recommend using the latest 2.x release, or if you absolutely have to use 1.x, use version 1.1.7. The 2.x is much easier to use.

Cheers,
Ken
RE: Help with initial setup Sita--Ext. Radius--Int.Radius--AD
This is the only one officially offered by Redhat for Redhat 5 i386, which we are using.

-----Original Message-----
From: freeradius-users-bounces+lpodlazov=imf@lists.freeradius.org [mailto:freeradius-users-bounces+lpodlazov=imf@lists.freeradius.org] On Behalf Of Kenneth Marshall
Sent: Thursday, April 16, 2009 10:04 AM
To: FreeRadius users mailing list
Cc: TGSI, Unix Administrator - Shared Mailbox
Subject: Re: Help with initial setup Sita--Ext. Radius--Int.Radius--AD

On Thu, Apr 16, 2009 at 09:41:21AM -0400, Podlazov, Lev wrote:
> Good morning,
>
> Our organization is trying to set up Wireless Users authentication via AD with Radius in between. The reason for Ext. and Int. Radius is based on our security group's recommendations. I've installed freeradius-1.1.3 from RedHat. It's up on both Ext and Int boxes. I was able to run radtest and radclient locally on both machines, but when I am trying to run them from Ext to Int I am getting these errors:
>
>     radclient: no response from server for ID 174
>
> I've set access for all users in /etc/raddb/users and defined clients in /etc/raddb/clients.conf according to the documentation. I am totally new to Radius and at this point I am lost as to what to try next. Any help greatly appreciated.
>
> Thanks
> Lev Podlazov
> IMF
> 202-623-4054

Wow, I would really recommend using the latest 2.x release, or if you absolutely have to use 1.x, use version 1.1.7. The 2.x is much easier to use.

Cheers,
Ken
Re: Help with initial setup Sita--Ext. Radius--Int.Radius--AD
Podlazov, Lev wrote:
> This is the only one officially offered by Redhat for Redhat 5 i386, which we are using.
>
>> I've installed freeradius-1.1.3 from RedHat.
>
>> Wow, I would really recommend using the latest 2.x release, or if you absolutely have to use 1.x, use version 1.1.7. The 2.x is much easier to use.

http://wiki.freeradius.org/Red_Hat_FAQ explains how to build a current 2.x version of FreeRADIUS for RHEL5. I agree you should update to a current version.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Dynamically set password_attribute
Being able to verify the mac against the ldap database is the best scenario; the mysql database we are using for accounting only. I added:

    DEFAULT User-Name =~ ([0-9a-fA-F]{2}:){5}[0-9a-fA-F] Auth-Type := Accept

to the users file, but I am still seeing it set the auth type to ldap after authorization:

    Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: waiting for bind result ...
    Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: Bind was successful
    Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: performing search in dc=gwis, with filter (&(macaddress=00:1f:3a:21:62:f8)(aaaenable=1))
    Thu Apr 16 13:59:32 2009 : Info: [ldap] looking for check items in directory...
    Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: aaasimultaneoususe -> Simultaneous-Use == 1
    Thu Apr 16 13:59:32 2009 : Info: [ldap] looking for reply items in directory...
    Thu Apr 16 13:59:32 2009 : Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    Thu Apr 16 13:59:32 2009 : Info: [ldap] Setting Auth-Type = LDAP

On Wed, Apr 15, 2009 at 5:06 PM, Kenneth Grady <k...@lanl.gov> wrote:
> If you don't want LDAP to authenticate your mac addresses you need to set the Auth-Type before it gets set to ldap. You can do that a number of ways (I use #3):
>
> 1) try macs in the users file
>
>     00:1f:3a:21:62:f8    ClearText-Password := "00:1f:3a:21:62:f8"
>
>    or
>
>     DEFAULT User-Name =~ "^00:1f:3a:[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]$", Auth-Type := Accept
>
> 2) or add mac addresses in your mysql database
>
>     INSERT INTO radcheck VALUES (null,"${MAC-Address}","ClearText-Password",":=","${MAC-Address}");
>
>    or
>
>     INSERT INTO radcheck VALUES (null,"${MAC-Address}","Auth-Type",":=","Accept");
>
> 3) a combination of: put the DEFAULT and all MAC-Addresses in the mysql database and don't have ldap set the Auth-Type
>
>     INSERT INTO radgroupcheck VALUES (null,"DEFAULT","Auth-Type",":=","LDAP");
>     INSERT INTO radusergroup VALUES ("DEFAULT","DEFAULT",1);
>     INSERT INTO radgroupcheck VALUES (null,"MAC","Auth-Type",":=","Accept");
>     # for each MAC you want to accept, replace the 00: with your mac addresses
>     INSERT INTO radusergroup VALUES ("00:00:00:00:00:00","MAC",1);
>     DELETE FROM radusergroup WHERE username = "00:00:00:00:00:00";
>
>    and in modules/ldap
>
>     ldap {
>         ...
>         set_auth_type = no
>     }
Re: other device to store configuration!
I'm OK that the whole point of using a smart card is that we can't extract keys. I learned that OpenSSL, using the PKCS#11 API, must communicate with a middleware called OpenSC that really communicates with the card. The problem is that OpenSC does not understand the structure of the card if it is non-standard (e.g. PKCS#15). SO:

1- I should write an emulation driver that will create a structure (similar to PKCS#15) in host memory to allow the middleware to know the structure (e.g. ID/path of keys).
2- I should write a card driver to make OpenSC do basic commands, such as signing data with that key (if needed). The outputs will be understood by OpenSSL.

I'm thinking about another solution: why not create a new module (in place of eap-tls) that FreeRADIUS will use to do EAP-TLS via the APDU outputs of the card instead of OpenSSL? The client must have the same structure of messages to send!

> Another question to consider is if a smartcard will give you adequate performance for your server load; a different type of hardware based key management might be more appropriate than using a smartcard for a server. Smartcards are typically used for client authentication and signing where the volume of cryptographic operations is relatively low.

If I am able to connect one card, I will use many cards to connect with the server to optimize performance and access to the data. Can you give me an example of other hardware key management usable for that aim?!

Thanks a lot!
Re: Freeradius+Java application api call and authenticate
Team, how to disable nas-port, nas-port-type, nas-identifier, called-station-id, calling-station-id? I would like to use only username, user-password, nas-ip-address.

    2009-04-16 20:55:13,614 ERROR [net.jradius.log.BaseRadiusLog] - Problem: Request Missing: NAS-Port, NAS-Port-Type, NAS-Identifier, Called-Station-Id, Calling-Station-Id

sollunga wrote:
> Sorry to bring it back. I am a bit confused: even though I have the username and password in the simulator, it still gives me this error message:
>
>     ERROR [net.jradius.log.BaseRadiusLog] - Problem: Request Missing: User-Password
>
>     CHAP-Password = [Binary Data (length=10)]
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 0
>     Called-Station-Id = 1
>     Calling-Station-Id = 2
>     NAS-Identifier = logmon
>     NAS-Port-Type = Ethernet
>     CHAP-Challenge = [Binary Data (length=16)]
>     CHAP-Password = [Binary Data (length=17)]
>     Message-Authenticator = [Binary Data (length=16)]
>     --- RADIUS Reply: ---
>     Class: class net.jradius.packet.AccessReject
>     Attributes:
>
> Also I would like to use only username, userpassword and a 10 digit number to be checked. How to achieve this?
>
> sollunga wrote:
>> My apologies, Ivan.
>>
>> tnt-4 wrote:
>>>> http://coova.org/wiki/index.php/JRadius/WithFreeRADIUS
>>>> http://coova.org/wordpress/index.php/2007/04/07/integrating-radius-with-your-java-enterprise/
>>>>
>>>> I can find only these two URLs for documentation? Anywhere else as a reference?
>>>
>>> Ask them, not us.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP

--
View this message in context: http://www.nabble.com/Freeradius%2BJava-application-api-call-and-authenticate-tp22449820p23080283.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Dynamically set password_attribute
James Devine wrote:
> Being able to verify the mac against the ldap database is the best scenario; the mysql database we are using for accounting only. I added:
>
>     DEFAULT User-Name =~ ([0-9a-fA-F]{2}:){5}[0-9a-fA-F] Auth-Type := Accept

If you really put that into the users file, you would see warning messages being printed out when using radiusd -X. Read the messages. They explain what's wrong, and how to fix it.

Alan DeKok.
RE: Help with LDAP groupOfNames?
> I can't seem to find anything concrete online for freeradius1 relating to groupOfNames, so I've just been trying random things that I found online (for raddb/users) hoping one would work.
>
> RELEVANT CONFIGS (only relevant portions, comments removed)
>
> raddb/sites-enabled/default:
>
>     authorize {
>         ldap
>     }
>     authenticate {
>         Auth-Type LDAP {
>             ldap
>         }
>     }

And did you find any part of the documentation suggesting that you should cripple the server and then wonder why it's not working? Or does it say: use the default configuration and make only small changes?

Now, go back to the default configuration, configure *only* the ldap module, and disable ldap authentication (without the password in the request it can't work, as is clearly stated in the ldap module): set_auth_type = no. Add these unlang statements to authorize:

    if (Ldap-Group == "WirelessUsers") {
        update control {
            Auth-Type := Accept
        }
    }
    else {
        reject
    }

Ivan Kalik
Kalik Informatika ISP
RE: strange for me
> Access-Accept returns only the IP address. Why does it give only the IP address?

That user is not in the sql group that gets the avpair.

Ivan Kalik
Kalik Informatika ISP
RE: priority in radcheck and radgroupcheck
> Doesn't it make sense for user attributes to overwrite group attributes? So I can set group specific attributes and some user specific attributes for a certain user too?

It does, but the code doesn't work for the := operator. In the case of that operator the group overrides the user value. In the case of = the user value takes precedence over the group value, and that is the most commonly used operator. Patches are welcome; if you can figure out how to fix the code to work properly with := as well, do send it in.

> So if both user and group attributes are in sql, the only way for me to remove that user from the group is to use user attributes, right?

You can also update that attribute with unlang.

Ivan Kalik
Kalik Informatika ISP

-----Original Message-----
From: freeradius-users-bounces+tnt=kalik@lists.freeradius.org [mailto:freeradius-users-bounces+tnt=kalik@lists.freeradius.org] On Behalf Of Oguzhan Kayhan
Sent: 15 April 2009 12:50
To: freeradius-users@lists.freeradius.org
Subject: priority in radcheck and radgroupcheck

Hi,
I have simultaneous-use information belonging to a user's radgroupcheck. What I want is, if I enter a value in the user's radcheck, it should bypass the radgroupcheck value. How is it possible?? For now, whatever I make the simultaneous-use value for the user, it uses the default settings from the radgroupcheck.
Re: rlm_perl behavior
Boian Jordanov wrote:
> From my point of view we should have a pool of perl clones per each module instance.

Yes.

> This way we could have multiple perl instances (each with its own perl script to run).

Yes.

> Limiting to a perl clone or interp per server thread will limit the multiple instances feature of rlm_perl.

We don't need that limit. The server should not be running more Perl threads than system threads. It also should not be running less Perl threads than system threads. It should be running one Perl thread per system thread. The server core already manages min/max spare threads, idle threads, etc.

> Again, playing with min and max spare can give us some possibilities to force not unloading the perl interpreter during the lifetime of the server, and this way we can keep some DB handlers from reconnecting each time. Alan, what is your point?

The pthread keys in the current rlm_perl should be moved to the perl_inst struct. The keys should be allocated per thread, and not via pthread_once.

Alan DeKok.
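As an added illustration of the layout Alan describes (this is not rlm_perl's code): each module instance owns its own pthread key, created at instantiation rather than once per process through pthread_once(), so every (instance, thread) pair gets its own clone and two instances running different scripts never share an interpreter. The perl_inst_t struct, the function names and the plain struct standing in for a Perl interpreter clone are assumptions made for the example.

```c
/* Added illustration (not rlm_perl's code): one pthread key per module
 * instance, created when the instance is set up, instead of one global
 * key created through pthread_once(). Each (instance, thread) pair then
 * owns its own clone. A plain struct stands in for the Perl interpreter
 * clone; perl_inst_t and the function names are assumed. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a per-thread Perl clone: remembers which script it runs. */
typedef struct {
    char script[64];
    unsigned long calls;      /* requests handled by this clone */
} perl_clone_t;

/* Hypothetical per-instance state: the key lives here, not in a global. */
typedef struct {
    char script[64];
    pthread_key_t key;
} perl_inst_t;

static void clone_free(void *p) { free(p); }   /* key destructor, runs at thread exit */

/* Module instantiation: allocate a key for this instance only. Returns 0 on success. */
int perl_instantiate(perl_inst_t *inst, const char *script) {
    memset(inst, 0, sizeof(*inst));
    snprintf(inst->script, sizeof(inst->script), "%s", script);
    return pthread_key_create(&inst->key, clone_free);
}

/* Per-request path: fetch the calling thread's clone for this instance,
 * creating it on first use. No pthread_once(), no shared global. */
perl_clone_t *perl_get_clone(perl_inst_t *inst) {
    perl_clone_t *c = pthread_getspecific(inst->key);
    if (c == NULL) {
        c = calloc(1, sizeof(*c));
        if (c == NULL) return NULL;
        snprintf(c->script, sizeof(c->script), "%s", inst->script);
        if (pthread_setspecific(inst->key, c) != 0) { free(c); return NULL; }
    }
    c->calls++;
    return c;
}

static void *worker(void *arg) {
    return perl_get_clone((perl_inst_t *)arg);   /* that thread's own clone */
}

/* Run perl_get_clone() on a fresh thread and return that thread's clone
 * pointer. The clone itself is released by clone_free() when the thread
 * exits, so callers may compare the pointer but must not dereference it. */
void *perl_clone_on_new_thread(perl_inst_t *inst) {
    pthread_t t;
    void *res = NULL;
    if (pthread_create(&t, NULL, worker, inst) != 0) return NULL;
    pthread_join(t, &res);
    return res;
}

/* Module teardown: release the calling thread's clone and the instance key. */
void perl_detach(perl_inst_t *inst) {
    perl_clone_t *c = pthread_getspecific(inst->key);
    if (c != NULL) { free(c); pthread_setspecific(inst->key, NULL); }
    pthread_key_delete(inst->key);
}

/* Walks the scenario: two instances with different scripts, one extra thread.
 * Returns 0 when every property holds, else the number of the failed check. */
int per_instance_keys_demo(void) {
    perl_inst_t a, b;
    perl_clone_t *ca, *cb;
    void *other;
    int rc = 0;
    if (perl_instantiate(&a, "authorize.pl") != 0) return 1;
    if (perl_instantiate(&b, "accounting.pl") != 0) return 2;
    ca = perl_get_clone(&a);
    cb = perl_get_clone(&b);
    if (ca == NULL || cb == NULL || ca == cb) rc = 3;            /* distinct per instance */
    else if (strcmp(ca->script, "authorize.pl") != 0) rc = 4;   /* each runs its own script */
    else if (strcmp(cb->script, "accounting.pl") != 0) rc = 5;
    else if (perl_get_clone(&a) != ca || ca->calls != 2) rc = 6; /* reused on the same thread */
    else {
        other = perl_clone_on_new_thread(&a);
        if (other == NULL || other == ca) rc = 7;                /* distinct per thread */
    }
    perl_detach(&a);
    perl_detach(&b);
    return rc;
}

int main(void) {
    int rc = per_instance_keys_demo();
    if (rc == 0) printf("per-instance keys: ok\n");
    else printf("check %d failed\n", rc);
    return rc;
}
```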
Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4
Alexandr Kovalenko wrote:
> Then I have a few questions:
> 1. How could it be that it worked in 1.1.7 (but only the 1st auth attempt; all further ones didn't, until restart)?

<shrug> Look at the code. I don't want to debug it.

> 2. Is there any work-in-progress project on adding support for tagged attributes in rlm_perl?

Nope. As always, patches are welcome.

> 3. Is there any workaround to make it work?

Edit the source code.

> 4. Which of these modules: rlm_python, rlm_exec, rlm_anything other user programmable support tagged attributes?

The python module looks like it should.

Alan DeKok.
Re: rlm_perl behavior
Alan DeKok wrote:
> Boian Jordanov wrote:
>> From my point of view we should have a pool of perl clones per each module instance.
>
> Yes.
>
>> This way we could have multiple perl instances (each with its own perl script to run).
>
> Yes.
>
>> Limiting to a perl clone or interp per server thread will limit the multiple instances feature of rlm_perl.
>
> We don't need that limit. The server should not be running more Perl threads than system threads. It also should not be running less Perl threads than system threads.

My point exactly.

> It should be running one Perl thread per system thread. The server core already manages min/max spare threads, idle threads, etc.

I totally agree. In the old config I used to have the same clone= and max_servers= directives to achieve that.

>> Again, playing with min and max spare can give us some possibilities to force not unloading the perl interpreter during the lifetime of the server, and this way we can keep some DB handlers from reconnecting each time. Alan, what is your point?
>
> The pthread keys in the current rlm_perl should be moved to the perl_inst struct. The keys should be allocated per thread, and not via pthread_once.

I hope this implementation will satisfy Borislav too. Will he be able to instantiate different perl scripts for different needs?

So, when do I start testing :)

> Alan DeKok.

--
---
Apostolos Pantsiopoulos
Kinetix Tele.com R&D
email: r...@kinetix.gr
---
Re: rlm_perl behavior
Apostolos Pantsiopoulos wrote:
> I hope this implementation will satisfy Borislav too. Will he be able to instantiate different perl scripts for different needs?
>
> So, when do I start testing :)

Hi,

Yes, being able to instantiate and use several rlm_perl instances with different scripts to take care of different circumstances is what will make me and many others (I think) happy. Sacrificing the *_clones flexibility for a lower memory footprint, better performance and, more importantly, code is certainly worth doing, if people are still able to have multiple rlm_perl instances.

I imagine that probably the best way will be to have X (the number of rlm_perl instances) per system thread - this is the way it'd be if they were different modules (like sql, preprocess etc.), which custom Perl scripts executing under rlm_perl kind of are...

For now I downgraded to 2.0.5, which works perfectly for me, but I will be happy to help with testing (on some client's production system... don't tell anyone ;-) ).

OFFTOPIC: Btw, do you know of some existing effort to develop rlm_ruby? What's its state etc.? I had the ambition to develop something like that myself but don't have the time anymore :-(.
Re: rlm_perl behavior
Borislav Dimitrov wrote:
> Sacrificing the *_clones flexibility for a lower memory footprint, better performance and, more importantly, code is certainly worth doing, if people are still able to have multiple rlm_perl instances.

If we update the module to have one Perl thread per system thread, it will still have the clone functionality.

> I imagine that probably the best way will be to have X (the number of rlm_perl instances) per system thread - this is the way it'd be if they were different modules (like sql, preprocess etc.), which custom Perl scripts executing under rlm_perl kind of are...
>
> For now I downgraded to 2.0.5, which works perfectly for me, but I will be happy to help with testing (on some client's production system... don't tell anyone ;-) ).

Or, grab the rlm_perl source from 2.1.x, and use it in the latest version. I don't think that there are any incompatibilities.

> OFFTOPIC: Btw, do you know of some existing effort to develop rlm_ruby? What's its state etc.? I had the ambition to develop something like that myself but don't have the time anymore :-(.

http://github.com/Antti/rlm_ruby/tree/master

If he can fork the git tree, and add the rlm_ruby module to it, I can pull the changes into the main server.

Alan DeKok.
radpostauth sql logging of bad passwords
I have installed:

radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1, built on Feb 26 2009 at 15:47:46

I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.

--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787 (780)450-6787
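Added example (not from the list and not the FreeRADIUS project's own configuration): in the 2.1.x sites-available/default layout, Access-Reject replies are processed in the Post-Auth-Type REJECT sub-section of post-auth rather than in its main body, so the sql module has to be listed there as well for rejects to reach radpostauth. The postauth_query below is a replacement for the stock one in raddb/sql/mysql/dialup.conf (mysql is assumed; the other drivers carry the same query). The stock query stores %{User-Password} in the pass column; for a failed attempt that is very often a near-miss of a real password, so the replacement records only the username, the reply type and the timestamp.

```conf
# raddb/sites-available/default (FreeRADIUS 2.1.x layout assumed)
post-auth {
    # Successful authentications: runs postauth_query as before.
    sql

    # Access-Reject replies are routed here instead of the main body, so
    # "sql" has to appear again for rejects to be written to radpostauth.
    # Keep it ahead of attr_filter, which strips attributes from the reply.
    Post-Auth-Type REJECT {
        sql
        attr_filter.access_reject
    }
}

# raddb/sql/mysql/dialup.conf: replacement postauth_query.
# Deliberately omits the "pass" column: bad passwords are credentials too,
# and logging them in clear text turns the radpostauth table into a target.
postauth_query = "INSERT INTO ${postauth_table} \
                  (username, reply, authdate) \
                  VALUES ( \
                  '%{User-Name}', \
                  '%{reply:Packet-Type}', \
                  '%S')"
```

To check it, run radiusd -X, send a request with a wrong password, and confirm in the debug output that sql executes inside the REJECT group; the resulting row carries reply = Access-Reject.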
Re: Help with LDAP groupOfNames?
Ivan,

Thank you so much! Perhaps you misunderstood my intention in saying "relevant portions of the configs" - this isn't *everything* in the config, just everything related to LDAP. Regardless, I just removed all of what I'd added to users and added that construct to authorize{} in my default site, and it seems to be working perfectly. I had to change "update control { Auth-Type := Accept }" to "Fall-Through: yes" to get LDAP authentication to work, but other than that, perfect!

Thanks,
Jason

Ivan Kalik wrote:
>> I can't seem to find anything concrete online for freeradius1 relating to groupOfNames, so I've just been trying random things that I found online (for raddb/users) hoping one would work.
>>
>> RELEVANT CONFIGS (only relevant portions, comments removed)
>>
>> raddb/sites-enabled/default:
>>
>>     authorize {
>>         ldap
>>     }
>>
>>     authenticate {
>>         Auth-Type LDAP {
>>             ldap
>>         }
>>     }
>
> And did you find any part of the documentation suggesting that you should cripple the server and then wonder why it's not working? Or does it say: use the default configuration and make only small changes?
>
> Now, go back to the default configuration, configure *only* the ldap module, disable ldap authentication (without the password in the request it can't work, as is clearly stated in the ldap module): set_auth_type = no. Add these unlang statements to authorize:
>
>     if (Ldap-Group == "WirelessUsers") {
>         update control {
>             Auth-Type := Accept
>         }
>     }
>     else {
>         reject
>     }
>
> Ivan Kalik
> Kalik Informatika ISP
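Added example, not from the list and not the FreeRADIUS project's own configuration: a 2.x sites-enabled/default authorize section that keeps the stock module order and adds the Ldap-Group gate from Ivan's post, with one deliberate difference. The point a practitioner should keep in mind is that update control { Auth-Type := Accept } makes the server send Access-Accept without verifying any credential at all, so a membership check should only ever reject; which module proves the password (pap with a password the ldap module fetched, or eap for 802.1X clients) is left untouched. Assumptions: an ldap module instance with set_auth_type = no, WirelessUsers as the group name (from Ivan's post), and the stock groupmembership_filter, which in the 2.x ldap module already matches groupOfNames through its member attribute. For PEAP/EAP-TTLS the inner identity is only visible in sites-enabled/inner-tunnel, so the same gate belongs in that virtual server's authorize section as well.

```conf
# raddb/sites-enabled/default, authorize section (FreeRADIUS 2.x layout assumed)
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files

    # Look the user up; Ldap-Group is only meaningful after this call.
    ldap

    # Group gate. The "if" branch deliberately sets nothing: no Auth-Type
    # is forced, so the password is still checked by pap or eap. Forcing
    # Auth-Type := Accept here would admit anyone who can name a member.
    if (Ldap-Group == "WirelessUsers") {
        noop
    }
    else {
        reject
    }

    expiration
    logintime
    pap
}
```

Verify with radiusd -X: a member with a wrong password must still be rejected by the authenticating module, and a non-member must be rejected before authenticate runs; if the first case yields Access-Accept, an Auth-Type := Accept override is still in effect somewhere.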