Re: problem with checking dhcp-packet type

2009-07-07 Thread Alan DeKok
Alexander Kubatkin wrote:
> problem with build:

  Ok... wait a bit, and then grab another copy of the source.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-07 Thread Alan DeKok
Gong Cheng wrote:
> Hi, 
> I wonder if there is  a way
> - not to include "Session-Timeout" value intended for Access-Accept in
> Access-Challenge messages?

  In 2.1.7, see raddb/sites-available/default.  Look for
Access-Challenge.  There is sample configuration.

> - or to configure a different Session-Timeout value for Access-Challenges
> (which contain EAP-Message)?
> 
> This is about the following section in RFC3579 where Session-Timeout in
> Access-Challenge is used to influence EAP retransmission behavior.

  I'm not sure any AP supports that.

  Alan DeKok.


Alvarion BreezeMax BTS - Service provisioning?

2009-07-07 Thread Steve Evans

Hi,
  Hopefully someone has come across this before and can easily answer the
question. I am attempting to get an Alvarion BreezeMax basestation working
with FreeRadius for provisioning of services.


Essentially it appears straightforward; the manual provides the following
info:


1 Verify that the necessary Service Profiles are available in the database of the
relevant Base Station(s).

2 The Users List of the server must include the default User Name and Password
of the NPU (both are KeepAliveUserNameAndPassword).

3 The format of each Service in the ID Filter in the RADIUS Authentication
server(s) is n:v:h:a:c; The ID Filter may include up to 5 Services, separated by
“;”: s1;s2;...
  - n = Service Profile Name
  - v=. v=<> is an empty VLAN list.
  - h=ON or OFF, indicating the configured Hybrid VLAN Mode.
  - a=, indicating the configured Access VLAN Mode, and the Access VLAN ID for
    Access VLAN ON.
  - c=ON/OFF, indicating the configured VLAN Classification Mode.

The first 2 are straightforward, and as things stand the CPE user gets
authenticated by the Radius server; however, whatever I do, I cannot get the
service definition to work!


The setup is just in a lab environment, so the Radius server is just using
the conf files, no databases, and in the very simple users file I have the
following:


username	User-Password == "password"
	Filter-Id = "n=InternetAccess:v=<>:h=OFF:a=:c=OFF;"

The manual seems to point towards the Filter-Id, but this does not work!  I
see in the reply-detail log files that the Filter-Id is being sent;
however, I then check on the Alvarion CPE and it doesn't have any Service
configured. . . I have tried the alvarion-vsa-## and the
breezemax-attrb and these still make no difference!


Has anyone got this working?  The supposed Alvarion support is, as widely
reported, non-existent - the two contacts I have are both on leave!


Cheers in Advance
Steve

Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-07 Thread Gong Cheng

Hi, 
I wonder if there is  a way
- not to include "Session-Timeout" value intended for Access-Accept in
Access-Challenge messages?
- or to configure a different Session-Timeout value for Access-Challenges
(which contain EAP-Message)?

This is about the following section in RFC3579 where Session-Timeout in
Access-Challenge is used to influence EAP retransmission behavior.

http://tools.ietf.org/html/rfc3579#section-2.3

thanks!

-gong
-- 
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Incorrect MySQL schema?

2009-07-07 Thread John Dennis

On 07/07/2009 04:54 PM, Jeanette Lee wrote:
> Hi,
>
> I have just installed 2.1.6-2 on a Centos 5.3 machine with MySQL 6.0.11.
> When I run the schema.sql to create the radius database tables I get an
> error on the last table, radpostauth about a syntax error:
>
> # mysql -u root -p radius 

The error message is pretty clear, it does not like the length parameter 
of (14).

see: http://dev.mysql.com/doc/refman/5.0/en/timestamp.html

timestamps are no longer 14 chars long, there is no need to specify the 
length, it's implicit (although I imagine a value of 19 might work).

Try removing the (14)

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Incorrect MySQL schema?

2009-07-07 Thread Jeanette Lee

Hi,

I have just installed 2.1.6-2 on a Centos 5.3 machine with MySQL 6.0.11. 
When I run the schema.sql to create the radius database tables I get an 
error on the last table, radpostauth about a syntax error:


# mysql -u root -p radius 
ERROR 1064 (42000) at line 127: You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the 
right syntax to use near '(14) NOT NULL,
  PRIMARY KEY  (id),
  KEY username (username(32))
)' at line 6

If I log in and check the database, all of the tables are created except 
radpostauth.


I've googled and read FAQs and everything I could think of, but I can't 
seem to figure this out or find a post from someone who had the same 
problem. Can anyone suggest anything?


Many thanks!

--
Cheers,
jeanette-


RE: radius.log not working

2009-07-07 Thread Michael Humphries
Sorry about the HTML and that did it I did not realize that when in -x it did 
not write to the log as well. Thank you

Thank you for choosing 
--
Michael J Humphries 


Penstar Office Center, Suite 101
1431 N. 26th Street
Escanaba, MI 49829
Phone: 906.786.3583 ext. 139
Fax: 906.786.4300
E-Mail: mhumphr...@dstech.us
www.dstech.us


-Original Message-
From: freeradius-users-bounces+mhumphries=dstech...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mhumphries=dstech...@lists.freeradius.org] On 
Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Tuesday, July 07, 2009 1:10 PM
To: FreeRadius users mailing list
Subject: Re: radius.log not working

Hi,

please do not mail in HTML - look at this junk and the size
of the email!

>  xmlns:o="urn:schemas-microsoft-com:office:office" 
> xmlns:w="urn:schemas-microsoft-com:office:word" 
> xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"; 
> xmlns="http://www.w3.org/TR/REC-html40";>



>Free radius is accepting requests and everything is working
> as it should except that the radius.log is not propagating.  I changed 
> the
> IP address of the server and moved it to a new location.  The portmasters
> are authenticating to it and I see the requests coming in under radius 
> –X
> however radius.log has not changed since the move.  I am not sure where
> else to look I have googled this to  no avail. Any help would be 
> great

There. That's all the text that needs to be in the email.

have you checked file permissions and the real radiusd.conf - what does
radiusd -x   (small x!) give you when it runs?  FR won't put anything
into radiusd.log whilst in -X mode (all the output goes to the debug
output!)

alan




Re: radius.log not working

2009-07-07 Thread A . L . M . Buxey
Hi,

please do not mail in HTML - look at this junk and the size
of the email!

>  xmlns:o="urn:schemas-microsoft-com:office:office" 
> xmlns:w="urn:schemas-microsoft-com:office:word" 
> xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"; 
> xmlns="http://www.w3.org/TR/REC-html40";>



>Free radius is accepting requests and everything is working
> as it should except that the radius.log is not propagating.  I changed 
> the
> IP address of the server and moved it to a new location.  The portmasters
> are authenticating to it and I see the requests coming in under radius 
> –X
> however radius.log has not changed since the move.  I am not sure where
> else to look I have googled this to  no avail. Any help would be 
> great

There. That's all the text that needs to be in the email.

have you checked file permissions and the real radiusd.conf - what does
radiusd -x   (small x!) give you when it runs?  FR won't put anything
into radiusd.log whilst in -X mode (all the output goes to the debug
output!)

alan


radius.log not working

2009-07-07 Thread Michael Humphries

Free radius is accepting requests and everything is working
as it should except that the radius.log is not propagating.  I changed the
IP address of the server and moved it to a new location.  The portmasters
are authenticating to it and I see the requests coming in under radius –X
however radius.log has not changed since the move.  I am not sure where
else to look I have googled this to  no avail. Any help would be great

 

Thank you for choosing 
--
Michael J Humphries 


Penstar Office Center, Suite 101
1431 N. 26th Street
Escanaba, MI 49829
Phone: 906.786.3583 ext. 139
Fax: 906.786.4300
E-Mail: mhumphr...@dstech.us
www.dstech.us


Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
>> Thanks Ivan, the following in the post-auth section of the default file
>> works:
>>
>>> if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID
>>> == "")) {
>>> update reply {
>>> Tunnel-Private-Group-ID = "666"
>>> }
>>> }
>
> OK for my next part on this subject, this returns the values for all
> users regardless of what they are connecting to. Is it possible to
> either restrict this value to only be returned to a particular huntgroup
> or to remove this value from being returned from the huntgroups that
> don't need it.

Yes.

if (((!reply:...) || (reply:... == "")) && Huntgroup-Name == "whatever")

Ivan Kalik
Kalik Informatika ISP



Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 16:16, Steven Carr wrote:
> Thanks Ivan, the following in the post-auth section of the default file
> works:
> 
>>  if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID 
>> == "")) {
>>  update reply {
>>  Tunnel-Private-Group-ID = "666"
>>  }
>>  }

OK for my next part on this subject, this returns the values for all
users regardless of what they are connecting to. Is it possible to
either restrict this value to only be returned to a particular huntgroup
or to remove this value from being returned from the huntgroups that
don't need it.

We are doing 802.1x and only want the 802.1x attributes to be returned
to our cisco switches.

E.g. I have a huntgroup called ciscoswitches which has all of our
switches listed in it. In the users file I have the following
declaration to add the 802.1x attributes:

DEFAULT	Huntgroup-Name == "ciscoswitches"
	Service-Type = Framed-User,
	Tunnel-Type = "VLAN",
	Tunnel-Medium-Type = "IEEE-802",
	Fall-Through = Yes

The "Tunnel-Private-Group-ID" is then added from the post-auth, which is
fine for this huntgroup, but I don't want it there for the rest of them.

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




RE: Re: receives 1 request --> proxy 2 requests?

2009-07-07 Thread Ivan Kalik
>  > Fix the shared secret between proxy and home servers.
>
>
>
> the shared secrets are the same! to 100%.

Shared secret *is* wrong - chance 99.9%
MD5 crypto libraries are corrupted on one of the systems - chance 0.1%

Can you do radtest from the home server? Or that shows wrong shared secret
too?

Ivan Kalik
Kalik Informatika ISP



Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 16:04, Ivan Kalik wrote:
> OK, try:
> 
> if (!reply:Tunnel-Private-Group-ID)
> 
> that should cover the case when there is no ldap attribute in user
> profile. If attribute can be empty or missing you will need to OR those
> two expressions.

Thanks Ivan, the following in the post-auth section of the default file
works:

>   if ((!reply:Tunnel-Private-Group-ID) || (reply:Tunnel-Private-Group-ID 
> == "")) {
>   update reply {
>   Tunnel-Private-Group-ID = "666"
>   }
>   }

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




RE: Re: receives 1 request --> proxy 2 requests?

2009-07-07 Thread Torsten Förster
> > i installed a new server with ubuntu 8.04 lts and
> > freeradius 2.1.0
> > behind this radius are 2 other radius-server (failover)
> > after configuration i always get an error-message after
> > successful login of an user.
> >
> > Error: Received Accounting-Response packet from client
> > x.x.xx port 1813 with invalid signature (err=2)! (Shared
> > secret is incorrect.) Dropping packet without response.
> 
> Fix the shared secret between proxy and home servers.



the shared secrets are the same! to 100%.



Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
>>> Use unlang. Put something like this in post-auth:
>>>
>>> if(reply:Tunnel-Private-Group-ID == "") {
>>>  update reply {
>>>   Tunnel-Private-Group-ID = "666"
>>>  }
>>> }
>>
>> I've tried this in both the default and inner-tunnel post-auth sections
>> and neither returned the value 666 in the Radius Accept. Do I need to
>> add anything as a placeholder in the users config file?
>
> Digging into debug came back with:
>
>> ++? if (reply:Tunnel-Private-Group-ID == "")
>> (Attribute reply:Tunnel-Private-Group-ID was not found)

OK, try:

if (!reply:Tunnel-Private-Group-ID)

that should cover the case when there is no ldap attribute in user
profile. If attribute can be empty or missing you will need to OR those
two expressions.

Ivan Kalik
Kalik Informatika ISP



Re: rmauth.c line 79: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

2009-07-07 Thread Alan DeKok
parlato wrote:
> hi, I get the following error on freeradius 1.1.7 :
...
> rmauth.c line 79: Can't connect to local MySQL server through socket
> '/var/lib/mysql/mysql.sock' (2)

  rmauth.c is not a program included with FreeRADIUS.  Ask the authors
of rmauth why it's failing.

  Alan DeKok.


Re: pam_radius_auth for big endian

2009-07-07 Thread Alan DeKok
maxim maxim wrote:
> How i can to fix pam_radius_auth for big endian platform?

  The module works (or should) on big endian systems.  See md5.c for
sparc/mips configuration.

  Alan DeKok.


Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
On 7/7/09 15:48, Steven Carr wrote:
> Hi Ivan
> 
> On 7/7/09 14:29, Ivan Kalik wrote:
>> Use unlang. Put something like this in post-auth:
>>
>> if(reply:Tunnel-Private-Group-ID == "") {
>>  update reply {
>>   Tunnel-Private-Group-ID = "666"
>>  }
>> }
> 
> I've tried this in both the default and inner-tunnel post-auth sections
> and neither returned the value 666 in the Radius Accept. Do I need to
> add anything as a placeholder in the users config file?

Digging into debug came back with:

> ++? if (reply:Tunnel-Private-Group-ID == "")
> (Attribute reply:Tunnel-Private-Group-ID was not found)

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: receives 1 request --> proxy 2 requests?

2009-07-07 Thread Ivan Kalik
> i installed a new server with ubuntu 8.04 lts and
> freeradius 2.1.0
> behind this radius are 2 other radius-server (failover)
> after configuration i always get an error-message after
> successful login of an user.
>
> Error: Received Accounting-Response packet from client
> x.x.xx port 1813 with invalid signature (err=2)!  (Shared
> secret is incorrect.) Dropping packet without response.

Fix the shared secret between proxy and home servers.

Ivan Kalik
Kalik Informatika ISP



Re: Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
Hi Ivan

On 7/7/09 14:29, Ivan Kalik wrote:
> Use unlang. Put something like this in post-auth:
> 
> if(reply:Tunnel-Private-Group-ID == "") {
>  update reply {
>   Tunnel-Private-Group-ID = "666"
>  }
> }

I've tried this in both the default and inner-tunnel post-auth sections
and neither returned the value 666 in the Radius Accept. Do I need to
add anything as a placeholder in the users config file?

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: Building FreeRADIUS2 on Solaris10

2009-07-07 Thread Alan DeKok
Steven Carr wrote:
> The documentation doesn't have any real consistency to it, some parts
> are indepth while others are sparse or just show the default
> configuration file. The config files may have comments in them that
> describe what each configuration item does, but there is no overview
> configuration, a workflow on how all of the configuration files fit
> together would be good.

  doc/aaa.txt is a start.  Also raddb/sites-available/README

> Under the HOWTO section [http://wiki.freeradius.org/HOWTO] most of the
> ones on the wiki itself refer to v1 and the offsite ones either no
> longer exist or are for v1.

  We had people complaining recently that most of the content on the
Wiki was for v2, and that documentation for v1 was hard to find.

  I think the confusion is that there are *very* few differences between
the two versions.  The documentation for one applies 95% to the other.

> The Build instructions [http://wiki.freeradius.org/Build] for Solaris10
> are still for v1 and indicate that extra packages/modifications are
> needed, but there is no indication if these requirements are still
> current for v2.

  The comments for Solaris are (a) fixing Solaris so that it can compile
programs, and (b) setting LD_LIBRARY_PATH to point to any locally
installed libraries (ldap, mysql, etc.)

  These are *not* FreeRADIUS issues.  That Wiki page also says that the
configure/make/make install process works for Solaris.

> There are lots of small changes which have been made in the FreeRADIUS
> code with regards to variables which have not been updated in the
> documentation, an important one being with the LDAP configuration
> %{Ldap-UserDn} is no longer valid and %{control:Ldap-UserDn} should be
> used instead. [http://wiki.freeradius.org/Rlm_ldap] still refers to the
> old variable, although the latest source code does have this corrected
> in the radiusd.conf file, the version which I am testing with on Debian
> (2.0.4) did not and so it broke, looking at the wiki showed the same
> information as was already present in my config file, it was only by
> searching deeper that I found this configuration to be incorrect.

  Well... the most recent version has the most up to date documentation.

  If you want a Wiki account to update the howto's, it's easy enough to
get you one.

  Alan DeKok.


receives 1 request --> proxy 2 requests?

2009-07-07 Thread Torsten Förster
Hi there,
 
i installed a new server with ubuntu 8.04 lts and
freeradius 2.1.0
behind this radius are 2 other radius-server (failover)
after configuration i always get an error-message after
successful login of an user.
 
Error: Received Accounting-Response packet from client
x.x.xx port 1813 with invalid signature (err=2)!  (Shared
secret is incorrect.) Dropping packet without response.
...after 30 sec. again
 
this is the debug:
rad_recv: Accounting-Request packet from host x.x.x.x port
3989, id=185, length=135
User-Name = "111...@test"
NAS-Port = 1967
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.x.x.x
Class = 0x346d613475
Calling-Station-Id = "x.x.x.x"
Acct-Status-Type = Start
Acct-Session-Id = "DB900337"
Tunnel-Client-Endpoint:0 = "x.x.x.x"
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = 172x.x.x
NAS-Port-Type = Virtual
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1967,Client-IP-Address =
172.x.x.x,NAS-IP-Address = 172.x.x.x,Acct-Session-Id =
"DB900337",User-Name = "111...@test"'
[acct_unique] Acct-Unique-Session-ID =
"a6246460a4bd5acf".
++[acct_unique] returns ok
[suffix] Looking up realm "test" for User-Name =
"111...@test"
[suffix] Found realm "test"
[suffix] Adding Realm = "test"
[suffix] Proxying request from user 11 to realm test
[suffix] Preparing to proxy accounting request to realm
"test"
++[suffix] returns updated
[prefix] Request already proxied.  Ignoring.
++[prefix] returns ok
++[files] returns noop
+- entering group accounting {...}
    expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
-> /var/log/freeradius/radacct/172.x.x.x/detail-20090707
[detail]
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to
/var/log/freeradius/radacct/172.x.x.x/detail-20090707
expand: %t -> Tue Jul  7 13:42:39 2009
++[detail] returns ok
expand: /var/log/freeradius/radutmp ->
/var/log/freeradius/radutmp
expand: %{User-Name} -> 111...@test
++[radutmp] returns ok
expand: %{User-Name} -> 111...@test
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Request of id 252 to 172.y.y.y port 1813
User-Name = "111...@test"
NAS-Port = 1967
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.x.x.x
Class = 0x346d613475
Calling-Station-Id = "x.x.x.x"
Acct-Status-Type = Start
Acct-Session-Id = "DB900337"
Tunnel-Client-Endpoint:0 = "x.x.x.x"
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = 172x.x.x
NAS-Port-Type = Virtual
Proxy-State = 0x313835
Proxying request 0 to home server 172.y.y.y port 1813
Sending Accounting-Request of id 252 to 172.y.y.y port 1813
User-Name = "111...@test"
NAS-Port = 1967
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.x.x.x
Class = 0x346d613475
Calling-Station-Id = "x.xx.x"
Acct-Status-Type = Start
Acct-Session-Id = "DB900337"
Tunnel-Client-Endpoint:0 = "x.x.x.x"
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = 172.x.x.x
NAS-Port-Type = Virtual
Proxy-State = 0x313835
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Accounting-Response packet from host 172.y.y.y
port 1813, id=252, length=140
Received Accounting-Response packet from client 172.y.y.y
port 1813 with invalid signature (err=2)!  (Shared secret is
incorrect.) Dropping packet without response.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Accounting-Request packet from host 172.x.x.x
port 3989, id=185, length=135
Sending duplicate reply to client XXX port 3989 - ID: 185
Cleaning up request 0 ID 185 with timestamp +6
Ready to process requests.
 
Is the second Accounting-Request the normal way? for me it
looks like a  repeat of the request.
 
thanks!

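The "invalid signature (err=2)" line above is FreeRADIUS recomputing the home server's Response Authenticator with the proxy's copy of the shared secret and finding a mismatch. The following is an added example, not code from this thread or from FreeRADIUS, that builds an Accounting-Request and its Accounting-Response per RFC 2866 and runs both verifications; the secrets, identifiers and attribute values are constructed samples modelled on the debug output.

```python
"""RADIUS accounting authenticators (RFC 2866), as an added illustration.

  Request  Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
  Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)

The proxy checks the second of these on every reply from a home server with
the secret it has configured for that home server.  All values below are
constructed samples; nothing here is taken from a real deployment.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, PROXY_STATE, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 33, 40, 44
ACCT_START = 1


def encode_avps(avps):
    """Encode (type, value-bytes) pairs as RADIUS attribute TLVs."""
    out = bytearray()
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def build_packet(code, ident, authenticator, avps):
    """Header (Code, Identifier, Length) + 16-byte Authenticator + attributes."""
    body = encode_avps(avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def accounting_request(ident, avps, secret):
    """Accounting-Request whose Authenticator is MD5 over the zero-filled draft."""
    draft = build_packet(ACCT_REQUEST, ident, b"\x00" * 16, avps)
    auth = hashlib.md5(draft + secret).digest()
    return draft[:4] + auth + draft[20:]


def verify_request(request, secret):
    """What a home server checks before it answers an Accounting-Request."""
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def accounting_response(request, avps, secret):
    """Home server's Accounting-Response: same Identifier, hashed over RequestAuth."""
    draft = build_packet(ACCT_RESPONSE, request[1], request[4:20], avps)
    auth = hashlib.md5(draft + secret).digest()
    return draft[:4] + auth + draft[20:]


def verify_response(response, request, secret):
    """What the proxy checks on a reply; False is the 'invalid signature' case."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(proxy_secret, home_secret):
    """Return (home server accepts the request?, proxy accepts the reply?)."""
    avps = [
        (USER_NAME, b"111@test"),                       # constructed sample
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        (ACCT_SESSION_ID, b"DB900337"),                 # constructed sample
        (PROXY_STATE, b"185"),                          # 0x313835 in the debug output
    ]
    # Proxy -> home: signed with the secret the proxy has for that home server.
    request = accounting_request(252, avps, proxy_secret)
    request_ok = verify_request(request, home_secret)
    # Home -> proxy: signed with the home server's secret; Proxy-State is echoed.
    response = accounting_response(request, [(PROXY_STATE, b"185")], home_secret)
    response_ok = verify_response(response, request, proxy_secret)
    return request_ok, response_ok


if __name__ == "__main__":
    print("secrets agree:   ", demo(b"home-secret-sample", b"home-secret-sample"))
    print("one-char typo:   ", demo(b"home-secret-samp1e", b"home-secret-sample"))
```

A one-character difference in either copy of the secret fails both checks, which is why the list's stock answer to err=2 is to re-enter the secret on both sides rather than to suspect the MD5 library.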

pam_radius_auth for big endian

2009-07-07 Thread maxim maxim
How i can to fix pam_radius_auth for big endian platform?
Thanks, Max

Re: Fallback LDAP Attribute Value

2009-07-07 Thread Ivan Kalik
> I have the following line in my ldap.attrmap file to pull back a users
> VLAN assignment:
>
>> replyItemTunnel-Private-Group-ID destinationIndicator
>
> The users file contains the following:
>
>> DEFAULT Ldap-Group == "allowed-access"
>>  Service-Type = Framed-User,
>>  Tunnel-Type = "VLAN",
>>  Tunnel-Medium-Type = "IEEE-802"
>
> For the users which are in the "allowed-access" group those which have a
> value in the destinationIndicator attribute in LDAP work OK and are
> flipped into the appropriate VLAN. How do I specify a fallback so that
> if the user does not have this attribute set or it is empty then they
> are put into VLAN 666 for example.

Use unlang. Put something like this in post-auth:

if(reply:Tunnel-Private-Group-ID == "") {
 update reply {
  Tunnel-Private-Group-ID = "666"
 }
}

Ivan Kalik
Kalik Informatika ISP



Fallback LDAP Attribute Value

2009-07-07 Thread Steven Carr
Hi list,

I have the following line in my ldap.attrmap file to pull back a users
VLAN assignment:

> replyItem Tunnel-Private-Group-ID destinationIndicator

The users file contains the following:

> DEFAULT Ldap-Group == "allowed-access"
>   Service-Type = Framed-User,
>   Tunnel-Type = "VLAN",
>   Tunnel-Medium-Type = "IEEE-802"

For the users which are in the "allowed-access" group those which have a
value in the destinationIndicator attribute in LDAP work OK and are
flipped into the appropriate VLAN. How do I specify a fallback so that
if the user does not have this attribute set or it is empty then they
are put into VLAN 666 for example.

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: PEAP and Huntgroup-Name

2009-07-07 Thread Nicolas Boullis
Ivan Kalik wrote:
> 
> Enable copy_request_to_tunnel in peap section of eap.conf.

Hmmm... Now I feel stupid for not finding this myself...
Thanks for showing me the right direction.


Regards,

-- 
Nicolas Boullis
Ecole Centrale Paris


Re: freeradius active directory integration fails with "no such realm"

2009-07-07 Thread Ivan Kalik
> Ivan Kalik wrote:
>>> One thing stands out though in the output of freeradius -X (only after
>>> changing the order of suffix and ntdomain in sites-available/default
>>> and
>>> radiusd.conf:
>>> ++[mschap] returns noop
>>> rlm_realm: Looking up realm "IPSO0" for User-Name =
>>> "IPSO0\andrei.staicu"
>>> rlm_realm: No such realm "IPSO0"
>>> ++[ntdomain] returns noop
>>> rlm_realm: No '@' in User-Name = "IPSO0\andrei.staicu", looking up
>>> realm
>>> NULL
>>> rlm_realm: No such realm "NULL"
>>>
>>> IPSO0 is the realm name for the domain ipso.biz (not the public site;
>>> this is internal and resolved as such by our dns)
>>> I've tried for about two weeks now, but i still have no idea on how to
>>> define the realm IPSO0.
>>>
>>
>> Look at proxy.conf.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
> Hello again
>
> I tried defining the realm IPSO0 (probably wrong) and i see the requests
> being proxied to it, but it finally failes

You have. It should be defined as local realm:

realm IPSO0 {
}

Ivan Kalik
Kalik Informatika ISP



rmauth.c line 79: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

2009-07-07 Thread parlato
hi, I get the following error on freeradius 1.1.7 :

srv-rm:~# radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec 
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded System 
Module: Instantiated unix (unix) 
Module: Loaded eap 
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded files 
Module: Instantiated files (files) 
Module: Loaded SQL 
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to rad...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql) 
Module: Loaded Acct-Unique-Session-Id 
Module: Instantiated acct_unique (acct_unique) 
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

when I try: 
radtest user  localhost 1812 testing123

I get:
rad_recv: Access-Request packet from host 127.0.0.1:53727, id=94, length=56
User-Name = "user"
User-Password = ""
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rmauth.c line 79: Can't connect to local MySQL server through socket 
'/var/lib/mysql/mysql.sock' (2)
Exec-Program: returned: 1
rad_recv: Access-Request packet from host 127.0.0.1:53727, id=94, length=56
Sending Access-Reject of id 94 to 127.0.0.1 port 53727

Re: freeradius active directory integration fails with "no such realm"

2009-07-07 Thread Andrei-Florian Staicu

Ivan Kalik wrote:
>> One thing stands out though in the output of freeradius -X (only after
>> changing the order of suffix and ntdomain in sites-available/default and
>> radiusd.conf:
>> ++[mschap] returns noop
>> rlm_realm: Looking up realm "IPSO0" for User-Name = "IPSO0\andrei.staicu"
>> rlm_realm: No such realm "IPSO0"
>> ++[ntdomain] returns noop
>> rlm_realm: No '@' in User-Name = "IPSO0\andrei.staicu", looking up realm
>> NULL
>> rlm_realm: No such realm "NULL"
>>
>> IPSO0 is the realm name for the domain ipso.biz (not the public site;
>> this is internal and resolved as such by our dns)
>> I've tried for about two weeks now, but i still have no idea on how to
>> define the realm IPSO0.
>
> Look at proxy.conf.
>
> Ivan Kalik
> Kalik Informatika ISP

Hello again

I tried defining the realm IPSO0 (probably wrong) and I see the requests
being proxied to it, but it finally fails with Login incorrect (Home
Server says so): [IPSO0\\andrei.staicu/]

I put the output here http://pastebin.com/m516967e2 , should it help.
All I see in the output is ++[mschap] returns noop. Should the module
"do" something before failing?


Thanks



RE: Cisco ignores Framed-IP-Address from freeradius

2009-07-07 Thread Fred
Hi James,

Thank you for your reply!
I tried many aaa configurations but it does not solve the problem for me.

Using 'debug radius' and 'debug isakmp error' on the CISCO, I can see that
it complains about "Unknown attr 0x4E24, 0x4E25, ..." and then ISAKMP also
complains with the same attributes CONFIG_MODE_UNKNOWN 0x4E24 ...

-----Original Message-----
From:
freeradius-users-bounces+frederic_gilloteau=yahoo...@lists.freeradius.org
[mailto:freeradius-users-bounces+frederic_gilloteau=yahoo...@lists.freeradius.org] On behalf of u...@3.am
Sent: Monday 6 July 2009 17:38
To: FreeRadius users mailing list
Subject: Re: Cisco ignores Framed-IP-Address from freeradius

On Mon, 6 Jul 2009, Gilloteau Frederic wrote:

> Hello,
> I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN
> connections.
> and the CISCO router gets it ...
>
> .. but never assigns it to remote users; the cisco router assigns an IP
> address from its local pool.
>
> The interesting lines of my cisco configuration are:
>
> aaa new-model
> !
> !
> aaa authentication login ClientAuth group radius
> aaa authorization network ClientAuth group radius local
> aaa accounting delay-start
> aaa accounting network ClientAuth start-stop group radius

I had a similar problem...it was with my aaa config.  Try:

aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius local



James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=




Re: PEAP and Huntgroup-Name

2009-07-07 Thread Ivan Kalik
> Currently, the relevant part of my users file is:
>
> | DEFAULT Huntgroup-Name == ap, Prefix == "guest/", Autz-Type := GUEST
> | Fall-Through = No
> |
> | DEFAULT Autz-Type := DEFAULT
>
> The trouble is the inner request has no NAS-IP-Address, so the
> Huntgroup-Name is not set and does not match.
>
> Running freeradius -X shows that the Huntgroup-Name condition is
> correctly verified for the outer request, but not for the inner one.

Enable copy_request_to_tunnel in peap section of eap.conf.

Ivan Kalik
Kalik Informatika ISP
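The eap.conf change Ivan describes, written out as an added example (not configuration from this thread). It assumes the stock 2.x layout, where PEAP's inner request is handed to the inner-tunnel virtual server whose authorize section runs files, so the users-file entries quoted above are evaluated against the inner request:

```conf
# raddb/eap.conf, peap section (FreeRADIUS 2.x)
peap {
	default_eap_type = mschapv2

	# Copy the outer request's attributes (NAS-IP-Address, NAS-Port,
	# Called-Station-Id, ...) into the inner request.  Without this the
	# inner request has no NAS-IP-Address, so a users-file check such as
	# "Huntgroup-Name == ap" has nothing to match against, which is
	# exactly what the -X output in this thread shows.
	copy_request_to_tunnel = yes

	# Send reply attributes set inside the tunnel back to the NAS in the
	# outer Access-Accept.  Not needed for the huntgroup check itself,
	# but usually wanted (VLAN assignment and the like).
	use_tunneled_reply = yes

	# The virtual server that processes the inner MS-CHAPv2 request; it
	# must list "files" in its authorize section for the users file to
	# apply to that inner request.
	virtual_server = "inner-tunnel"
}
```

With the outer attributes copied in, guests matching "guest/" on a non-ap NAS fall through to the second DEFAULT entry and are authorized as ordinary users, which rejects them unless they also exist in LDAP.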



PEAP and Huntgroup-Name

2009-07-07 Thread Nicolas Boullis
Hello,

I'm using Freeradius 2.0.4 from the package in Debian Lenny for WPA (for
wifi) and 802.1x (for wired ethernet) authentication and authorization.

They use PEAP/MSchapv2 for authentication.

Most users are in LDAP and are allowed to connect either to wired
ethernet or to wifi.
But I also have to deal with some "guest" users, whose usernames all
begin with the "guest/" prefix, who are in a SQL database, and who only
should be allowed to connect to wifi.

Currently, the relevant part of my users file is:

| DEFAULT Huntgroup-Name == ap, Prefix == "guest/", Autz-Type := GUEST
| Fall-Through = No
|
| DEFAULT Autz-Type := DEFAULT

The trouble is the inner request has no NAS-IP-Address, so the
Huntgroup-Name is not set and does not match.

Running freeradius -X shows that the Huntgroup-Name condition is
correctly verified for the outer request, but not for the inner one.
And if I remove the Huntgroup-Name condition, everything works fine, but
the guest users are allowed to connect to wired ethernet.

Is there a way I can test the outer Huntgroup-Name in my users file?


Regards,

-- 
Nicolas Boullis
Ecole Centrale Paris


Re: Building FreeRADIUS2 on Solaris10

2009-07-07 Thread Steven Carr
On 7/7/09 09:53, Alan DeKok wrote:
>   Perhaps you could try explaining *what* is so atrocious.  That might
> give us an opportunity to fix it.  Instead, you've just said "you guys
> suck", which isn't helpful.

Yes, I will admit I am a "newbie" to FreeRADIUS. It is a steep learning
curve, and RADIUS itself is a bit of a dark art, but your documentation does
not make this any easier to understand.

The documentation doesn't have any real consistency to it: some parts
are in-depth while others are sparse or just show the default
configuration file. The config files may have comments in them that
describe what each configuration item does, but there is no overview of
the configuration; a workflow on how all of the configuration files fit
together would be good.

Under the HOWTO section [http://wiki.freeradius.org/HOWTO] most of the
ones on the wiki itself refer to v1 and the offsite ones either no
longer exist or are for v1.

>   And what's so hard about installing it?
>
> $ ./configure
> $ make
> $ make install
> $ radiusd -X

The Build instructions [http://wiki.freeradius.org/Build] for Solaris10
are still for v1 and indicate that extra packages/modifications are
needed, but there is no indication if these requirements are still
current for v2. This is my reason for asking if there are any
instructions, I'd rather know up front if I'm going to run into any
potential issues compiling the software.

>   Um... no.  The *organization* has changed, but the configuration is
> 95% identical.

There are lots of small changes which have been made in the FreeRADIUS
code with regards to variables which have not been updated in the
documentation, an important one being with the LDAP configuration:
%{Ldap-UserDn} is no longer valid and %{control:Ldap-UserDn} should be
used instead. [http://wiki.freeradius.org/Rlm_ldap] still refers to the
old variable. Although the latest source code does have this corrected
in the radiusd.conf file, the version which I am testing with on Debian
(2.0.4) did not, and so it broke. Looking at the wiki showed the same
information as was already present in my config file; it was only by
searching deeper that I found this configuration to be incorrect.

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: problem with checking dhcp-packet type

2009-07-07 Thread Alexander Kubatkin
On Tuesday 07 July 2009 12:08:06 Alan DeKok wrote:
> Alexander Kubatkin wrote:
> > Below the message are the translated and untranslated code of a dhcp-packet
> > from the client soho-router TrendNet 631BRP.
> > As I can see, the main problem is a wrong order (for freeradius rules) of
> > dhcp options, and that's why such a packet is not recognized and not
> > accepted. When the packet arrives I see "Unknown, or badly formatted DHCP
> > packet".
> >
> > How to fix this?
>
> http://git.freeradius.org/pre/
>
>   Download the pre-release of 2.1.7.  It should fix this problem.

problem with build:
 cc -O2 -fno-strict-aliasing -pipe -march=pentium4 -I/usr/local/include 
-L/usr/local/lib -pthread -Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src -
DHOSTINFO=\"i386-portbld-freebsd7.0\" -DRADIUSD_VERSION=\"2.1.7\" 
-I/usr/local/include -DOPENSSL_NO_KRB5 -c listen.c  -fPIC -DPIC -o 
.libs/listen.o
listen.c: In function 'client_listener_find':
listen.c:129: warning: passing argument 1 of 'listener->print' discards 
qualifiers from pointer target type
listen.c:209: warning: assignment discards qualifiers from pointer target type
In file included from listen.c:1305:
dhcpd.c: In function 'dhcp_process':
dhcpd.c:88: error: 'packet' undeclared (first use in this function)
dhcpd.c:88: error: (Each undeclared identifier is reported only once
dhcpd.c:88: error: for each function it appears in.)
dhcpd.c:100: error: 'union ' has no member named 's_addr'
dhcpd.c:107: error: 'data_len' undeclared (first use in this function)
In file included from listen.c:1307:
command.c: In function 'command_show_client_config':
command.c:845: warning: passing argument 2 of 'cf_section2file' discards 
qualifiers from pointer target type
gmake[4]: *** [listen.lo] Error 1


-- 
__
Alexander Kubatkin


Re: How to control users traffic ?

2009-07-07 Thread Ivan Kalik
> What is the conventional way of checking online users' traffic volume and
> disconnecting those who reach their limit in freeradius:

There are no standard radius attributes for this. Your NAS might have
vendor specific attributes that can be used for data (sql)counters but
many don't.

> 1- using acct-interim packets to update output or input octets in sql and,
> if the user reaches the maximum of their accounting permission, disconnecting
> him/her. (Is there any patch to do this?)

Again, this will depend on NAS supporting PoD or CoA. You can make a
policy that sends instructions to NAS to disconnect the user if he goes
over the limit on update packet. If it doesn't, you should still be able
to disconnect the user using SNMP.

> 2- freeradius sends Session-Octets-Limit to the NAS and the NAS does this?

If it has such a VSA. You can then use standard (sql)counter.

Ivan Kalik
Kalik Informatika ISP



Re: How to control users traffic ?

2009-07-07 Thread Alan DeKok
Eric wrote:
> What is the conventional way of checking online users' traffic volume and
> disconnecting those who reach their limit in freeradius:

  It's hard, and often specific to a particular NAS.

  Newer NASes may support disconnect packets.  The upcoming 2.1.7 can
send disconnect packets, which will help.

> 1- using acct-interim packets to update output or input octets in sql
> and, if the user reaches the maximum of their accounting permission,
> disconnecting him/her. (Is there any patch to do this?)

  See the NAS documentation for how to disconnect users.  If it doesn't
say you can disconnect users... it likely can't be done.

  Maybe SNMP can be used to reset the port, but that may not always be
supported, either.

> 2- freeradius sends Session-Octets-Limit to the NAS and the NAS does this?

  Does the NAS documentation say it supports that attribute?

> 3- using billing software such as nibs.

  No.  The billing software runs on a server, and not on the NAS.  It
can't control the NAS any more than FreeRADIUS can control the NAS.

> 4- other ways?

  Buy a NAS that supports disconnect packets.

  Alan DeKok.
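Ivan's "standard (sql)counter" for the case Eric numbers 2, written out as an added example (not configuration from this thread). It assumes FreeRADIUS 2.x with the stock rlm_sql MySQL schema (radacct with username, acctstarttime, acctinputoctets and acctoutputoctets), uses constructed attribute names Max-Monthly-Traffic and Monthly-Traffic-Used, and relies on the NAS honouring the Session-Octets-Limit attribute Eric mentions; a counter is only evaluated at authentication time, so cutting off a session already in progress still needs the disconnect (PoD/CoA) or SNMP support both replies describe.

```conf
# Added example, not from this thread: monthly traffic quota with rlm_sqlcounter.
# Place it with the other counters (e.g. raddb/sql/mysql/counter.conf) and list
# "monthlytrafficcounter" in the authorize section of sites-available/default
# after "sql", so the per-user check item below has already been loaded.
sqlcounter monthlytrafficcounter {
	# Attribute the module creates at startup and fills with the octets
	# already used in the current period (constructed name).
	counter-name = Monthly-Traffic-Used

	# Per-user limit, supplied as a check item in the users file or in
	# radcheck (constructed name); users without it are not limited.
	# Example (constructed) for a 1 GiB allowance:
	#   "bob"  Max-Monthly-Traffic := 1073741824
	# Check and counter values are 32-bit integers in this version, so
	# keep the per-period limit below 4 GiB.
	check-name = Max-Monthly-Traffic

	# Returned in the Access-Accept as limit minus used.  Only a NAS that
	# actually honours this attribute will end the session on its own;
	# check the NAS documentation, as both replies advise.
	reply-name = Session-Octets-Limit

	sqlmod-inst = sql
	key = User-Name
	reset = monthly

	# %b expands to the start of the current reset period.  The octets are
	# read from the radacct rows that Accounting Start, Interim-Update and
	# Stop packets keep up to date, which is why interim updates matter.
	query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE username = '%{%k}' AND acctstarttime > FROM_UNIXTIME('%b')"
}
```

When the summed octets reach the check value the module rejects the Access-Request, so the user is refused at the next login rather than disconnected mid-session.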


Re: Building FreeRADIUS2 on Solaris10

2009-07-07 Thread Alan DeKok
Steven Carr wrote:
> Are there any instructions for building FreeRADIUS2 on Solaris10?

  There's an INSTALL file that is included with the software.  It
contains installation instructions.  They work on Linux, *BSD, Solaris,
and probably AIX.

> (or
> any prebuilt packages anywhere?)

  Sunfreeware doesn't have any.

> I must comment that the state of FreeRADIUS documentation is atrocious; it
> has taken me days to get our RADIUS implementation up and running due to
> the amount of outdated documentation or lack of it (instead of what could
> have been hours).

  Perhaps you could try explaining *what* is so atrocious.  That might
give us an opportunity to fix it.  Instead, you've just said "you guys
suck", which isn't helpful.

  And what's so hard about installing it?

$ ./configure
$ make
$ make install
$ radiusd -X

  That's it.  After that, if you have OpenSSL installed, the following
authentication protocols will work:

PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MD5, EAP-PEAP, EAP-TTLS (PAP, CHAP,
MS-CHAP)

  If it takes you days to figure something out, perhaps it would be
faster to ask questions on this list.

  Ask *DETAILED* questions.  Like "I'm trying to do X, and I expect Y to
happen, but instead Z happens".

> The wiki may as well not exist, as 90% of it relates
> to v1 of FreeRADIUS, which is no longer maintained, and the configuration
> of v2 is completely different.

  Um... no.  The *organization* has changed, but the configuration is
95% identical.

  Alan DeKok.


Building FreeRADIUS2 on Solaris10

2009-07-07 Thread Steven Carr
Are there any instructions for building FreeRADIUS2 on Solaris10? (or
any prebuilt packages anywhere?)

I must comment that the state of FreeRADIUS documentation is atrocious; it
has taken me days to get our RADIUS implementation up and running due to
the amount of outdated documentation or lack of it (instead of what could
have been hours). The wiki may as well not exist, as 90% of it relates
to v1 of FreeRADIUS, which is no longer maintained, and the configuration
of v2 is completely different.

Regards

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: problem with checking dhcp-packet type

2009-07-07 Thread Alan DeKok
Alexander Kubatkin wrote:
> Below the message are the translated and untranslated code of a dhcp-packet from
> the client soho-router TrendNet 631BRP.
> As I can see, the main problem is a wrong order (for freeradius rules) of dhcp
> options, and that's why such a packet is not recognized and not accepted.
> When the packet arrives I see "Unknown, or badly formatted DHCP packet".
>
> How to fix this?

http://git.freeradius.org/pre/

  Download the pre-release of 2.1.7.  It should fix this problem.

  Alan DeKok.


How to control users traffic ?

2009-07-07 Thread Eric
Hi,
What is the conventional way of checking online users' traffic volume and
disconnecting those who reach their limit in freeradius:
1- using acct-interim packets to update output or input octets in sql and,
if the user reaches the maximum of their accounting permission, disconnecting
him/her. (Is there any patch to do this?)
2- freeradius sends Session-Octets-Limit to the NAS and the NAS does this?
3- using billing software such as nibs.
4- other ways?