R: Sql Counter reads only the first 4 digits
Uh... no. If it works for Ivan, then the problem is most likely in the unixodbc drivers. Alan DeKok. But when I run the same query in both isql and tsql the result is correct. So I think that unixodbc and freetds are ok. I'll try to recompile them anyway... Other ideas? Mauro Iorio. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
question about session resumption and reply attributes
Hi

We are using dynamic VLAN assignment with freeradius 2.1.6 and tried to test session resumption. It looks like freeradius doesn't cache all reply attributes, and upon session resumption the VLAN assignment attributes don't get sent. Is there any way to cache these attributes? The attributes are generated by rlm_perl in the post-auth section of the inner-tunnel virtual server.
Re: question about session resumption and reply attributes
Anatoli Logvinski wrote:

> Hi
>
> We are using dynamic VLAN assignment with freeradius 2.1.6 and tried to test session resumption. It looks like freeradius doesn't cache all reply attributes, and upon session resumption the VLAN assignment attributes don't get sent. Is there any way to cache these attributes? The attributes are generated by rlm_perl in the post-auth section of the inner-tunnel virtual server.

No. You should be running through your authorisation policies on session resumption. All policies should be moved to the post-auth section of the outer server.

Arran
Re: question about session resumption and reply attributes
Hi,

> No. You should be running through your authorisation policies on session resumption. All policies should be moved to the post-auth section of the outer server.

but only the inner server knows the real id etc ?

alan
Re: question about session resumption and reply attributes
Hi,

>> No. You should be running through your authorisation policies on session resumption. All policies should be moved to the post-auth section of the outer server.
>
> but only the inner server knows the real id etc ?

Yes, so have it tell the outer server... Insert the (attached) snippet into the authorize section of the inner server.

There's an issue where outer.reply items aren't merged with the reply when doing EAP-TTLS-MSCHAPv2. So you still have to have 'use_tunneled_reply' set to yes.

I believe the User-Name attribute in outer.reply is cached, and available for use on session resumption. So just:

    Auth-Type EAP {
        eap
        if (ok && "%{reply:User-Name}") {
            update request {
                User-Name := "%{reply:User-Name}"
            }
        }
    }

Once you've got the policies moved to post-auth, then any scripts or lookups used for authorisation will only be run once, so far greater efficiency with complex policies. Rejects are still handled properly even within the Post-Auth section (jumps to Post-Auth-Type reject).

Arran

    #
    # Workaround for EAP-TTLS MsCHAPv2, not adding outer.reply attributes
    # If we use both methods we get duplicate User-Name attributes.
    #
    if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
        update reply {
            User-Name := "%{Stripped-User-Name}"
        }
    }
    else {
        update outer.reply {
            User-Name := "%{Stripped-User-Name}"
        }
    }
insert something into reply message
Version 2.0.4

We use digest authentication. It works properly. (with a little problem I will ask in another thread)

The essential part of the debug:

    Thu May 21 09:41:17 2009 : Debug: ++[digest] returns ok
    Thu May 21 09:41:17 2009 : Auth: Login OK: [...@10.14.2.10/via Auth-Type = DIGEST] (from client 10.14.1.5 port 0 cli 5...@10.14.2.10)

The reply message gets to client 10.14.1.5, but our system expects the Session-Timeout in the reply. How to insert Session-Timeout into the reply message? I've read thoughtfully all parts of the configs where that parameter is mentioned. I've tried many - syntactically good and bad - config lines without any success. Do I have a problem with reading?

Ludwig M.
Re: Interim Accounting
> May I know the common practise of radius accounting, it is common to expect the radius client to provide interim accounting, ie it sends accounting info every so many seconds interval before the session is closed ?

Every so many minutes, not seconds. It doesn't make much sense to have this interval at less than 5 minutes.

> I just checked Coova chilli, it does it for the clients session based on a configurable interval. But for the administrative account of the NAS itself, it does not do any interim accounting.

Why on Earth would it? Are you going to charge administrators for using your equipment? Or do you actually pay them to do that?

Ivan Kalik
Kalik Informatika ISP
Re: Interim Accounting
--- On Thu, 5/21/09, Ivan Kalik t...@kalik.net wrote:

>> I just checked Coova chilli, it does it for the clients session based on a configurable interval. But for the administrative account of the NAS itself, it does not do any interim accounting.
>
> Why on Earth would it? Are you going to charge administrators for using your equipment? Or do you actually pay them to do that?

I did not say it does not make sense, did I ? I just put forward my observations. :)

However, now that you are talking about it, I think it's not totally unreasonable to want to get an accounting update on the 'administrator' account. There may be cases where the accounting needs to be done on an ensemble basis of the traffic coming in/out of the whole box.

Any agreement or objection ? :)
Re: Realms issues
> I have an issue where i'm trying to use realms to determine what LDAP server to authenticate a user against. What seems to happen is that the realm in my users file is never matched and hence the authentication fails. Any help would be greatly appreciated.
>
> ...
> authorize {
>     chap
>     mschap
>     eap
>     files
>     ### Added
>     Autz-Type test.com {
>         test.com
>     }
>     Autz-Type ldap-default {
>         ldap-default
>     }
>     ### //
> }
> ...

You removed suffix. If you added things to default configuration - it would have worked. Butchering the configuration like this is an easy way to get in trouble. Start with the default configuration; add things you need to add; when it works, remove things you think you don't need one by one, checking that everything still works - if you remove something vital you will know straight away.

Ivan Kalik
Kalik Informatika ISP
Re: R: Sql Counter reads only the first 4 digits
Mauro Iorio - Smart Soft s.r.l. wrote:

> But when I run the same query in both isql and tsql the result is correct. So I think that unixodbc and freetds are ok. I'll try to recompile them anyway... Other ideas?

Instrument the FreeRADIUS source code. Follow the data from SQL, through the rlm_sql_FOO module, to rlm_sql, etc. See where it's being truncated.

To put it another way, no one else has access to a system that can reproduce this. Only you do.

Alan DeKok.
Re: insert something into reply message
> Version 2.0.4
>
> We use digest authentication. It works properly. (with a little problem I will ask in another thread)
>
> The essential part of the debug:
>
>     Thu May 21 09:41:17 2009 : Debug: ++[digest] returns ok
>     Thu May 21 09:41:17 2009 : Auth: Login OK: [...@10.14.2.10/via Auth-Type = DIGEST] (from client 10.14.1.5 port 0 cli 5...@10.14.2.10)
>
> The reply message gets to client 10.14.1.5, but our system expects the Session-Timeout in the reply. How to insert Session-Timeout into the reply message?

That's radius.log file. You won't see any reply attributes there. Post the output of radiusd -X and your user entry.

Ivan Kalik
Kalik Informatika ISP
Re: question about session resumption and reply attributes
Arran Cudbard-Bell wrote:

> Hi,
>
>>> No. You should be running through your authorisation policies on session resumption. All policies should be moved to the post-auth section of the outer server.
>>
>> but only the inner server knows the real id etc ?
>
> Yes, so have it tell the outer server... Insert the (attached) snippet into the authorize section of the inner server.

* at the bottom of the authorize section of the inner server.
Re: insert something into reply message
> Post the output of radiusd -X and your user entry.

The relevant part of the freeradius output is:

    rlm_pap: Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    rad_check_password: Found Auth-Type DIGEST
    auth: type digest
    +- entering group authenticate
    rlm_digest: Converting Digest-Attributes to something sane...
    Digest-Realm = tequet
    Digest-Nonce = 4a1527742cb58a911390a13daeab535c71b92a74
    Digest-URI = sip:
    Digest-Method = INVITE
    Digest-CNonce = 1242900340
    Digest-Nonce-Count = 0001
    Digest-QOP = auth
    Digest-User-Name = user8
    A1 = user8:tequet:pass8
    A2 = INVITE:sip:
    H(A1) = 1a2bb1fd4713741dbc8dcd841b2754c5
    H(A2) = 4c2df2005737eb44dbf0c9993285dc46
    KD = 1a2bb1fd4713741dbc8dcd841b2754c5:4a1527742cb58a911390a13daeab535c71b92a74:0001:1242900340:auth:4c2df2005737eb44dbf0c9993285dc46
    EXPECTED 10c0611670df125d841de06019a0ecd7
    RECEIVED 10c0611670df125d841de06019a0ecd7
    ++[digest] returns ok
    Login OK: [...@10.14.2.10/via Auth-Type = DIGEST] (from client 10.14.1.5 port 0 cli 5...@10.14.2.10 )
    +- entering group post-auth
    ++[exec] returns noop
    Sending Access-Accept of id 199 to 10.14.1.5 port 40646
    Finished request 0.
    Going to the next request

The end of the users file (its other part is unchanged):

    user0 Cleartext-Password := pass0
    user8 Cleartext-Password := pass8
    5...@10.14.2.10 Cleartext-Password := pass8

Ludwig M.
Re: Interim Accounting
Ming-Ching Tiew wrote:

> I just checked Coova chilli, it does it for the clients session based on a configurable interval. But for the administrative account of the NAS itself, it does not do any interim accounting.

My coova-chilli DOES send interim accounting

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: insert something into reply message
Hi,

> How to insert Session-Timeout into the reply message?

use what ever method you want to insert it PERL, unlang etc. a simple 'fix' that would be global in this example: for 2.1.x in section of sites-enabled/default

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
        update reply {
            Session-Timeout = 3600
        }
    }

that should slap a 3600 second (1 hour) session-timeout to any reply

alan
Re: Freeradius-Users Digest, Vol 49, Issue 95
Marco De Magistris wrote:

> In my opinion the packet (received from Radius Client) is sent towards the default gateway.

Yes. That's how networking works.

> The following link describes the same scenario: http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/82575.html They introduce *proxyip = 10.10.10.10* in proxy.conf.

In 2.x, you can define the addresses that the server opens for proxying. See the listen section of radiusd.conf. That may help.

Alan DeKok.
RE: Freeradius-Users Digest, Vol 49, Issue 95
> 3. RE: Freeradius-Users Digest, Vol 49, Issue 93 (Ivan Kalik)
>
>     Radius Client -- Radius Proxy
>     192.168.1.2      192.168.1.3
>                      192.168.14.3 -- IPS1(192.168.14.4)
>                      192.168.24.3 -- IPS2(192.168.24.4)
>
> You say: Yes. Proxy server will change NAS-IP-Address from the original NAS address into its own. That is OK.
>
> It does not work. In my scenario I have two different NAS-IP-Addresses (a NAS-IP-Address for ISP1 and a NAS-IP-Address for ISP2).

That's because that can't work:

    # Note: type = proxy lets you control the source IP used for
    # proxying packets, with some limitations:
    #
    # * Only ONE proxy listener can be defined.
    # * A proxy listener CANNOT be used in a virtual server section.
    # * You should probably set port = 0.
    # * Any clients configuration will be ignored.

You can't define two IPs on which to proxy. You need two proxy servers for that:

    proxy1 gets requests from NAS
      - if it's for isp1, proxy to 192.168.14.4 from 192.168.14.3
      - if it's for isp2, proxy to proxy2 (also from 192.168.14.3)
    proxy2 will have 192.168.24.3 configured as proxy port and proxy to 192.168.24.4 (isp2)

You can even have proxy1 and proxy2 on the same machine, one listening on 1812+ ports and the other on 1645+ ports. They just can't be the same radiusd process.

Ivan Kalik
Kalik Informatika ISP
Re: question about session resumption and reply attributes
Arran Cudbard-Bell wrote:

> Yes, so have it tell the outer server... Insert the (attached) snippet into the authorize section of the inner server.

$ git format-patch ?

> I believe the User-Name attribute in outer.reply is cached, and available for use on session resumption.

Yes.

> Once you've got the policies moved to post-auth, then any scripts or lookups used for authorisation will only be run once, so far greater efficiency with complex policies. Rejects are still handled properly even within the Post-Auth section (jumps to Post-Auth-Type reject).

Documentation suggestions are always welcome.

Alan DeKok.
Proxying packets from a fixed source IP address
Ivan Kalik wrote:

> That's because that can't work:
>
>     # Note: type = proxy lets you control the source IP used for
>     # proxying packets, with some limitations:
>     #
>     # * Only ONE proxy listener can be defined.

That's actually wrong. It was true a while ago, but it's not true in 2.1.6.

However... defining two proxy listeners won't do what he wants in 2.1.6. I've committed a patch to git head. See http://git.freeradius.org/pre/ for a snapshot of 2.1.7-pre that includes the fixes.

See raddb/proxy.conf, and look for src_ipaddr.

Alan DeKok.
Re: Rewriting User-Name in pre-proxy
On May 18, 2009, at 11:16 AM, William Taylor wrote:

> I'm currently using freeradius 2.1.4
>
> I need to look up a username in a dbm and rewrite it before sending off the proxy request. I have achieved this by using the below method. But I was wondering if there was a better way. It would seem that invoking perl with every auth request might be bad.
>
> Thanks in advance!
> -William
>
> In: /etc/raddb/dictionary
>
>     ATTRIBUTE My-Local-String 3000 string
>
> In: sites-available/default
>
>     pre-proxy {
>         rewrite
>         update proxy-request {
>             User-Name := "%{proxy-request:My-Local-String}"
>         }
>     }
>
> In: /etc/raddb/modules/rewrite
>
>     exec rewrite {
>         wait = yes
>         program = "/etc/raddb/rewriteusername.pl %{User-Name} %{Stripped-User-Name} %{Realm}"
>         input_pairs = proxy-request
>         output_pairs = proxy-request
>         shell_escape = yes
>     }
>
> In: /etc/raddb/rewriteusername.pl
>
>     #!/usr/bin/perl
>     use strict;
>     use DB_File;
>
>     # Open the rewrite map read-only
>     my %h;
>     tie %h, "DB_File", "/etc/raddb/rewritemap.db", O_RDONLY, 0444, $DB_HASH
>         or die "Cannot open file rewritemap.db: $!\n";
>
>     my $fuser = $ARGV[0];
>     my $suser = $ARGV[1];
>     my $realm = $ARGV[2];
>
>     # Only users in this realm are looked up in the map
>     if ($realm eq "foobee.net") {
>         if ($h{$suser}) {
>             print "My-Local-String=" . $h{$suser};
>         } else {
>             print "My-Local-String=$suser";
>         }
>     } else {
>         print "My-Local-String=$suser";
>     }
>     exit 0;

Anyone doing something similar ?
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
John Dennis wrote:

> Just E. Mail wrote:
>
>> I am trying to install freeRADIUS on a CentOS 5.3 machine with PostgreSQL-8.3.7. My plan is to first install freeRADIUS and test it then setup PostgreSQL as the backend to store data. Is there any freeRADIUS RPMS V#2.1.4 or newer for CentOS?
>
> No, the version in RHEL and CentOS is 1.1.3. The following link explains why and also explains how to acquire and build a current FreeRADIUS RPM for RHEL/CentOS (but read the rest of this email, pre-built versions are coming).
>
> http://wiki.freeradius.org/Red_Hat_FAQ

I read the response from John Dennis and looked at the web site URL he provided. I am ready to install FR and I have one more question!

In my setup, I plan to (1) install FR and test it and, if everything works, then (2) set up a PostgreSQL backend at a SQL server and test it again. I noticed that at the URL listed by John Dennis, there are two files:

    freradius-2.2.1.6-1.el5.i386.rpm
    freradius-postgresql-2.2.1.6-1.el5.i386.rpm

I am pretty new to FR so please advise; do I need to install both of these RPMs or just the second for my setup to work?
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
Hi,

> freradius-2.2.1.6-1.el5.i386.rpm
> freradius-postgresql-2.2.1.6-1.el5.i386.rpm
>
> I am pretty new to FR so please advise; do I need to install both of these RPMs or just the second for my setup to work?

both. the second one adds the postgres support.

alan
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
Just E. Mail wrote:

> John Dennis wrote:
>
>> http://wiki.freeradius.org/Red_Hat_FAQ
>
> I read the response from John Dennis and looked at the web site URL he provided. I am ready to install FR and I have one more question!
>
> In my setup, I plan to (1) install FR and test it and, if everything works, then (2) set up a PostgreSQL backend at a SQL server and test it again. I noticed that at the URL listed by John Dennis, there are two files:
>
>     freradius-2.2.1.6-1.el5.i386.rpm
>     freradius-postgresql-2.2.1.6-1.el5.i386.rpm
>
> I am pretty new to FR so please advise; do I need to install both of these RPMs or just the second for my setup to work?

Did you read the FAQ listed at the top? The section "Why are there optional subpackages instead of just one package?" should have explained it, was it not clear? If so I'll update it to make it clearer if you explain what was not clear.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
John Dennis wrote:

> Did you read the FAQ listed at the top? The section "Why are there optional subpackages instead of just one package?" should have explained it, was it not clear? If so I'll update it to make it clearer if you explain what was not clear.

Yes, I read it and read it again after receiving the above email. Missed it both times. Thanks for your HELP.

Jennifer
freeRADIUS - New Install testing!
Installed freeradius-2.2.1 (RPM). Installation configuration went well. RADIUS starts with no problem. radiusd -XC output shows no errors. Now I want to do some preliminary testing. In the older versions, I used to run the command: radtest User P/W localhost Port Secret-Key and see the output to verify that RADIUS server was up and running. After I did the above install, radtest command is not included. How does one test a new freeRADIUS installation? Is radtest replaced by another command? Is there any GUI testing tool for RADIUS?
accounting with 802.1X: some clients trigger multiple starts at a time
Hi folks,

We're running SQL accounting for the FR servers authenticating our 802.1X users, now. I'm seeing some annoying duplicate entries, and am wondering if anyone else has had this experience:

mysql> SELECT acctsessionid, username, nasipaddress, acctstarttime, callingstationid FROM radacct WHERE acctstoptime IS NULL ORDER BY acctstarttime;
+----------------------------------+------------+----------------+---------------------+------------------+
| acctsessionid                    | username   | nasipaddress   | acctstarttime       | callingstationid |
+----------------------------------+------------+----------------+---------------------+------------------+
...
| 4a15bfef/00:23:12:07:e9:c4/74507 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | 192.168.2.17     |
| 4a15bfef/00:23:12:07:e9:c4/74505 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | w.x.38.213       |
| 4a15bfef/00:23:12:07:e9:c4/74514 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | 10.250.61.133    |
| 4a15bfef/00:23:12:07:e9:c4/74516 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | 192.168.1.25     |
| 4a15bfef/00:23:12:07:e9:c4/74513 | [redacted] | 10.246.207.234 | 2009-05-21 16:56:15 | w.x.38.213       |
...

I would think this to be pretty normal-looking, except:

1) in this particular group, all the usernames and MAC components of the acctsessionid are the same (i.e., this is one node causing multiple accounting starts to be sent); and

2) our 802.1X wireless clients would not have IP addresses in RFC1918 space. Ever. Most of the time, a group like this will include an address in our real wireless address range (that's what I've replaced with w.x.38.213), but sometimes not.

If the callingstationid weren't different for each entry, I'd think retries or EAP-FAST. (I think I see EAP-FAST activity going on elsewhere; or, at least, that's what I assume it is.) As far as I can tell, this occurs pretty infrequently, given the number of users we have, but it does occur consistently for a given set of users in a given day, which makes me think it's something about their location on the network.

Reducing all the accounting detail to a spreadsheet, I see that this is a flurry of start and stop messages (and one Interim-Update!), and will comb through that closely tomorrow morning. Seems odd, though, that there would be a stop logged to the detail, but not to SQL, in this case.

I have little to no visibility into the networking configuration (our systems and network groups bristle at each other; a situation I'm trying to remedy), but I do know this: One department is located across the street from our main campus. It connects to the Internet by way of a commodity ISP. It is, however, close enough to pick up one of our APs, and the enterprising IT guy for that department has set up a Windows box as a wireless client, and bridged that into their LAN for access to institutional resources. (He has been duly chastised for this.) In at least that case, I've seen their LAN IPs (in a reasonably-unusual RFC1918 subnet) as the callingstationid. (Oddly, though, this is sometimes the LAN IP of their print server, or default gateway -- some artifact of bridging?) This makes me think that there are more clients out there that can see more than one subnet at a time, and just report in with whatever IP they feel like.

I suppose my real question is this: Is there anything I can do, from the FR server end, to winnow out one reliable accounting entry per event? Sure, I can make my reports (like 'radwho') filter WHERE callingstationid LIKE 'w.x.%', but that runs the risk of missing entries where the group fails to include one of our legit addresses. Alternatively, has anyone else faced this and addressed it on the client side? ("Tell the rogue departments to comply with your network policies," is a valid answer and, frankly, my favorite.)

As ever, pointers to pre-existing threads answering this are welcome; I couldn't come up with the right combination of search terms to find them myself...

Cheers,

-sth

sam hooker|s...@noiseplant.com|http://www.noiseplant.com
Are you satisfied? ([y]/n):
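The grouping described in the post above (same username and same MAC component in acctsessionid, different callingstationid), as an added example that is not part of the original post. The rows are constructed in the shape of the query output; the usernames, the 198.51.100.0/24 stand-in for the redacted campus range, and the tie-break rule (lowest session counter) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)

# Constructed rows: (acctsessionid, username, nasipaddress, acctstarttime, callingstationid)
ROWS = [
    ("4a15bfef/00:23:12:07:e9:c4/74507", "user-a", "10.246.207.234", "2009-05-21 16:56:15", "192.168.2.17"),
    ("4a15bfef/00:23:12:07:e9:c4/74505", "user-a", "10.246.207.234", "2009-05-21 16:56:15", "198.51.100.213"),
    ("4a15bfef/00:23:12:07:e9:c4/74514", "user-a", "10.246.207.234", "2009-05-21 16:56:15", "10.250.61.133"),
    ("4a15bfef/00:23:12:07:e9:c4/74516", "user-a", "10.246.207.234", "2009-05-21 16:56:15", "192.168.1.25"),
    ("4a15bfef/00:23:12:07:e9:c4/74513", "user-a", "10.246.207.234", "2009-05-21 16:56:15", "198.51.100.213"),
    ("4a15c001/00:11:22:33:44:55/100", "user-b", "10.246.207.234", "2009-05-21 17:01:02", "198.51.100.77"),
    ("4a15c0aa/00:aa:bb:cc:dd:ee/201", "user-c", "10.246.207.234", "2009-05-21 17:05:00", "192.168.1.25"),
    ("4a15c0aa/00:aa:bb:cc:dd:ee/200", "user-c", "10.246.207.234", "2009-05-21 17:05:00", "10.250.61.133"),
]


def split_session_id(acctsessionid):
    """Return (mac, counter) from 'prefix/mac/counter', or None if malformed."""
    parts = acctsessionid.split("/")
    if len(parts) != 3 or not MAC_RE.match(parts[1]) or not parts[2].isdigit():
        return None
    return parts[1].lower(), int(parts[2])


def is_rfc1918(value):
    """True only for RFC1918 IPv4 addresses; non-IP station ids are False."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def find_bursts(rows):
    """Group rows by (user, NAS, MAC, start time); keep groups whose
    callingstationid differs between rows."""
    groups = defaultdict(list)
    for row in rows:
        parsed = split_session_id(row[0])
        if parsed is None:
            continue  # session id not in the expected shape; leave it alone
        groups[(row[1], row[2], parsed[0], row[3])].append(row)
    return {k: v for k, v in groups.items() if len({r[4] for r in v}) > 1}


def pick_entry(group, campus_net):
    """Pick one acctsessionid per burst: prefer rows whose callingstationid is
    in the campus range, fall back to the whole group, lowest counter wins."""
    net = ipaddress.ip_network(campus_net)

    def in_campus(row):
        try:
            return ipaddress.ip_address(row[4]) in net
        except ValueError:
            return False

    preferred = [r for r in group if in_campus(r)] or group
    return min(preferred, key=lambda r: split_session_id(r[0])[1])[0]


if __name__ == "__main__":
    for key, group in find_bursts(ROWS).items():
        private = sum(is_rfc1918(r[4]) for r in group)
        print(key, len(group), "rows,", private, "RFC1918 ->",
              pick_entry(group, "198.51.100.0/24"))
```

The fallback covers the case raised in the post, a group that contains none of the legitimate campus addresses.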
Re: freeRADIUS - New Install testing!
Just E. Mail wrote:

> Installed freeradius-2.2.1 (RPM). Installation configuration went well. RADIUS starts with no problem. radiusd -XC output shows no errors. Now I want to do some preliminary testing. In the older versions, I used to run the command: radtest User P/W localhost Port Secret-Key and see the output to verify that RADIUS server was up and running. After I did the above install, radtest command is not included. How does one test a new freeRADIUS installation? Is radtest replaced by another command? Is there any GUI testing tool for RADIUS?

radtest is in the utils subpackage.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: freeRADIUS - New Install testing!
John Dennis wrote:

> radtest is in the utils subpackage.

Thanks. It works fine.

Jennifer
Add clients into nas table
May I ask if I am using sql to store the client list in the sql table 'nas', is there a way for me to ask freeradius to refresh the list ? Or is it that I must kill and restart freeradius ? Regards.
usr-hiper and freeradius 2.1.5 accounting problem
Hi All,

I wanna migrate my radius server from icradius to freeradius 2.1.5. I have two RAS modems for my NAS (patton and usr-hiper). When I do some migration simulation, clients that connect from patton go normally (authentication, accounting, authorization). But when they use usr-hiper (system version: V5.1.6/Non-Encr), the client could connect to the network but the accounting goes wrong.

In my freeradius debugging mode, the error message was:

    rad_recv: Accounting-Request packet from host x.x.x.x (* encrypted ip) port 1646, id=63, length=405
    Received Accounting-Request packet from x.x.x.x (* encrypted ip) with invalid signature! (Shared secret is incorrect.) Dropping packet without response.
    Going to the next request
    Waking up in 0.9 seconds.

The usr-hiper accounting settings:

    HiPer sh accounting
    RADIUS ACCOUNTING SETTINGS
    The Primary Server Status is: ENABLED
    Primary Server is: x.x.x.x (* encrypted ip)
    Primary First Backup Server is: 0.0.0.0
    Primary Second Backup Server is: 0.0.0.0
    Primary Destination Port is: 1648
    Primary First Backup Destination Port: 1646
    Primary Second Backup Destination Port: 1646
    Primary Preference: 1
    Primary First Backup Preference: 2
    Primary Second Backup Preference: 3
    Max Primary Retransmissions: 0
    The Secondary Server Status is: ENABLED
    Secondary Server is: 0.0.0.0
    Secondary First Backup Server is: 0.0.0.0
    Secondary Second Backup Server is: 0.0.0.0
    Secondary Destination Port is: 1646
    Secondary First Backup Destination Port: 1646
    Secondary Second Backup Destination Port: 1646
    Secondary Preference: 1
    Secondary First Backup Preference: 2
    Secondary Second Backup Preference: 3

What I have tried to solve it:

1. I've tried to make multi port for accounting packets (1646, 1648), because I thought that the error message referred to a wrong accounting port. But the accounting is still wrong.

2. I've tried to use the default freeradius secret at the freeradius side with testing123 without changing the secret at the RAS modem. But it still failed.

Do you have another solution ? Thanks before :)
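The "invalid signature" drop in the debug output above is the Accounting-Request authenticator check from RFC 2866: MD5 over the packet with a zeroed authenticator field, followed by the shared secret. An added example (not from the original post or the FreeRADIUS source) that builds a constructed packet and checks it against a matching and a non-matching secret; the NAS-side secret and the attribute values are assumptions.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS Code for Accounting-Request
HEADER_LEN = 20                 # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """What the NAS does: sign the packet with its own copy of the secret."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What the server does: recompute the MD5 with its copy of the secret
    and compare it with the authenticator field in the packet."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]    # octets beyond Length are padding
    expected = hashlib.md5(
        packet[:4] + b"\x00" * 16 + packet[HEADER_LEN:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample input: Acct-Status-Type = Start, Acct-Session-Id,
# NAS-IP-Address = 192.0.2.10 (documentation address).
SAMPLE_ATTRS = (
    encode_attr(40, struct.pack("!I", 1))
    + encode_attr(44, b"00000001")
    + encode_attr(4, bytes([192, 0, 2, 10]))
)
NAS_SECRET = b"secret-configured-on-nas"   # assumption, stands in for the modem's secret
SERVER_SECRET = b"testing123"              # the server-side value tried in the post


def demo() -> dict:
    packet = build_accounting_request(63, SAMPLE_ATTRS, NAS_SECRET)
    return {
        "server_secret_differs": verify_accounting_request(packet, SERVER_SECRET),
        "server_secret_matches": verify_accounting_request(packet, NAS_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The check depends only on the packet bytes and the two copies of the secret, so changing the destination port or only the server-side secret leaves the result the same.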
How to: freeRADIUS with PostgreSQL Backend!
I have setup a working freeRADIUS server now want to add PostgreSQL as backend for storage of data. I have read the freeRADIUS documentation and researched the internet on this subject. What I am looking for is any kind of Step-by-Step document detailing sequential steps needed to setup a PostgreSQL back end for freeRADIUS. Has someone written such a document? Is there such a writeup available?