Re: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Steve Evans
Well that is the Authenticating and Authorising done and the Service
provisioning sorted. Now it's time to see if I can get anything useful
out of the BTS for Accounting purposes.


Any pointers Ben? Ideally the customer would like to see session bandwidth
usage and all those normal kinds of stats - will the BTS provide anything
remotely resembling this? Looking at the Acct log files on the FreeRadius,
the only information seems to be login info (but at least the MAC is
provided in the Calling-Station-Id!) :-/


Thanks in advance
Steve



On Thu, 09 Jul 2009 09:17:32 +0700, Ben Wiechman  
 wrote:



Actually authorization in their hybrid 16d system that Steve is using is
very seamless. We've looked at many solutions and in most
configuration/service assignment revolves around some kind of custom NMS
that is a complete kludge or require service levels to be configured in
each MS individually. Supplying the services via RADIUS is a decent
semi-standardized approach that helps with centralization.

I think they could stand to improve the attribute structure a bit as the
long string is a fun regular expression exercise when you work for
standardization. Then again, you should see the DHCP option string that
is used to configure their ATA adapters... heh

It's really their ASN-GW that deviates... a bit... from the standard. And
the fact that they have a strange attitude toward IOT. We asked and were
essentially told that the FR team would have to come crawling to Tel Aviv
on their bellies and beg for the chance to be forced to pay for IOT testing.
Helpfully pointing out that IOT testing would be a non-issue if the
established standard was followed wasn't met with much of a response.

Ben


-Original Message-
From: freeradius-users-
bounces+wiechman.lists=gmail@lists.freeradius.org
[mailto:freeradius-users-
bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of Ivan
Kalik
Sent: Wednesday, July 08, 2009 3:45 AM
To: FreeRadius users mailing list
Subject: Re: Alvarion BreezeMax BTS - Service provisioning?

> Hopefully someone has come across this before and can easily answer
> the question I am attempting to get an Alvarion Breezemax basestation
> working with FreeRadius for provisioning of services.

Best advice you are going to get here is: "avoid Alvarion if possible".

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




How to control a wpa_supplicant client request can only send to a hostapd NAS?

2009-07-08 Thread DJ HENRY
How to control a wpa_supplicant client request can only send to a hostapd
NAS?

My network structure was as follows:

              RADIUS (freeradius)
                      |
                      |
                SWITCH (cisco)
                      |
             +--------+--------+
             |                 |
       NAS1 (hostapd)    NAS2 (hostapd)
             |                 |
    CLIENT1 (wpa_supplicant)  CLIENT2 (wpa_supplicant)


If the network only has the NAS1 device, CLIENT1 can pass the
authentication. When the network has two NAS devices, one being NAS1
and the other NAS2, the CLIENT1 request is sent to both NAS1 and NAS2,
and then NAS1 and NAS2 both send the request to RADIUS. I don't know in
RADIUS whether CLIENT1 is under NAS1 or NAS2. How can I control that a
wpa_supplicant client request is only sent to one hostapd NAS? Thank you
very much!

The CLIENT1 MAC: 00:0F:1E:34:28:B4
The NAS1 MAC: 00:0F:1E:34:26:50
The NAS2 MAC: 00:0f:1e:00:00:83

The CLIENT1 log
--
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31
45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from *00:0f:1e:34:26:50*
RX EAPOL - hexdump(len=14): 02 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31
45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from *00:0f:1e:00:00:83*
RX EAPOL - hexdump(len=46): 02 00 00 16 01 01 00 16 04 10 e3 1f ff 34 85 47
cd 3c d7 14 60 22 fc 2a 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: EAP entering state GET_METHOD
EAP: initialize selected EAP method (4, MD5)
CTRL-EVENT-EAP-METHOD EAP method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc
2a 24 fb
EAP-MD5: generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61
b5 ab 41
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 7d 5e a6 ea 11 c7
d9 ad ed 44 a4 b9 61 b5 ab 41
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=26): 02 00 00 16 01 01 00 16 04 10 02 c8 6c 9b 31 7d
34 bc 09 6a 0f f2 c3 a8 01 54
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: AS used the same Id again, but EAP packets were not identical
EAP: workaround - assume this is not a duplicate packet
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=8): 02 00 00 04 04 01 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:00:00:83
RX EAPOL - hexdump(len=46): 02 00 00 04 03 01 00 04 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS

The NAS1 log
--
Deauthenticate all stations
br0: STA *00:0f:1e:34:28:b4* IEEE 802.1X: start authentication
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA
br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0
len=22) from STA: EAP Response-Identity (1)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4'
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS

Re: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Steve Evans

Hi Ben,
  Right then, now I'm getting somewhere! That does indeed work, and what's
more annoying is I tried removing the semicolon yesterday - however, what
I failed to notice was that in my service profile string the c: for VLAN
classification for some reason I had entered as a capital C - d'oh!!!


I only noticed as I was about to type out the exact string saying it wasn't
working.


However I now have the CPE for some reason receiving VLAN 4095 - as opposed
to its real VLAN - I've seen this before when using Service Profiles
configured on the BTS and if I remember rightly rebooting the CPE with the
shadow code then back to default fixes it!


Anyway cheers for the tip - I'd spent too long staring at the same string
to notice the capital!


But if you could let me know on the IPCS details it'd be appreciated.

Cheers

Steve



On Thu, 09 Jul 2009 09:05:30 +0700, Ben Wiechman  
 wrote:



Remove the trailing semicolon.

The documentation isn't very clear on that point, but the semicolon is
only needed as a separator if you are supplying multiple services to the
BTS. It should not be included as the trailing character.

The debug output for this was... unhelpful in earlier versions. Not sure
if they've improved it any.

(Note, the listed service is for Eth CS on a non 16e BTS correct?)

If you need clarification on the ramifications of the different service
options let me know.

Ben


-Original Message-
From: freeradius-users-
bounces+wiechman.lists=gmail@lists.freeradius.org
[mailto:freeradius-users-
bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of
Steve Evans
Sent: Wednesday, July 08, 2009 4:00 AM
To: t...@kalik.net; FreeRadius users mailing list
Subject: Re: Alvarion BreezeMax BTS - Service provisioning?

Unfortunately not possible - I am doing this on behalf of a customer who
has already had the network installed (albeit poorly) and I am trying to
give them some control over it.

I have quickly discovered that Alvarion are somewhat... how is best to put
it... unique... in their RADIUS approach!

Their support & documentation is absolutely non-existent; they very much
strike me as a box-shifting company - just get it out and once it's in,
forget the customer.

So I guess no one has this in and working then?!!? :(



On Wed, 08 Jul 2009 15:45:05 +0700, Ivan Kalik  wrote:

>> Hopefully someone has come across this before and can easily answer
>> the question I am attempting to get an Alvarion Breezemax basestation
>> working with FreeRadius for provisioning of services.
>
> Best advice you are going to get here is: "avoid Alvarion if possible".
>
> Ivan Kalik
> Kalik Informatika ISP
>


Re: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Steve Evans

Thanks Ben,
  Can you just clarify that the service is defined using the Filter-ID
attrib?


Yes the service is for Eth CS although I think it's 16e capable - but due
to a complete lack of response from Alvarion I do not exactly know!


On that note I am also trying to find out the RADIUS Attribs for the IPCS
mode - of which there are absolutely no details in the Alvarion manuals!


Cheers

Steve


On Thu, 09 Jul 2009 09:05:30 +0700, Ben Wiechman  
 wrote:



Remove the trailing semicolon.

The documentation isn't very clear on that point, but the semicolon is
only needed as a separator if you are supplying multiple services to the
BTS. It should not be included as the trailing character.

The debug output for this was... unhelpful in earlier versions. Not sure
if they've improved it any.

(Note, the listed service is for Eth CS on a non 16e BTS correct?)

If you need clarification on the ramifications of the different service
options let me know.

Ben


-Original Message-
From: freeradius-users-
bounces+wiechman.lists=gmail@lists.freeradius.org
[mailto:freeradius-users-
bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of
Steve Evans
Sent: Wednesday, July 08, 2009 4:00 AM
To: t...@kalik.net; FreeRadius users mailing list
Subject: Re: Alvarion BreezeMax BTS - Service provisioning?

Unfortunately not possible - I am doing this on behalf of a customer who
has already had the network installed (albeit poorly) and I am trying to
give them some control over it.

I have quickly discovered that Alvarion are somewhat... how is best to put
it... unique... in their RADIUS approach!

Their support & documentation is absolutely non-existent; they very much
strike me as a box-shifting company - just get it out and once it's in,
forget the customer.

So I guess no one has this in and working then?!!? :(



On Wed, 08 Jul 2009 15:45:05 +0700, Ivan Kalik  wrote:

>> Hopefully someone has come across this before and can easily answer
>> the question I am attempting to get an Alvarion Breezemax basestation
>> working with FreeRadius for provisioning of services.
>
> Best advice you are going to get here is: "avoid Alvarion if possible".
>
> Ivan Kalik
> Kalik Informatika ISP
>



RE: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Ben Wiechman
Actually authorization in their hybrid 16d system that Steve is using is
very seamless. We've looked at many solutions and in most
configuration/service assignment revolves around some kind of custom NMS
that is a complete kludge or require service levels to be configured in each
MS individually. Supplying the services via RADIUS is a decent
semi-standardized approach that helps with centralization.  

I think they could stand to improve the attribute structure a bit as the
long string is a fun regular expression exercise when you work for
standardization. Then again, you should see the DHCP option string that is
used to configure their ATA adapters... heh

It's really their ASN-GW that deviates... a bit... from the standard. And
the fact that they have a strange attitude toward IOT. We asked and were
essentially told that the FR team would have to come crawling to Tel Aviv on
their bellies and beg for the chance to be forced to pay for IOT testing.
Helpfully pointing out that IOT testing would be a non-issue if the
established standard was followed wasn't met with much of a response.  

Ben

> -Original Message-
> From: freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of Ivan
> Kalik
> Sent: Wednesday, July 08, 2009 3:45 AM
> To: FreeRadius users mailing list
> Subject: Re: Alvarion BreezeMax BTS - Service provisioning?
> 
> > Hopefully someone has come across this before and can easily answer
> > the question I am attempting to get an Alvarion Breezemax basestation
> > working with FreeRadius for provisioning of services.
> 
> Best advice you are going to get here is: "avoid Alvarion if possible".
> 
> Ivan Kalik
> Kalik Informatika ISP
> 


RE: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Ben Wiechman
Remove the trailing semicolon. 

The documentation isn't very clear on that point, but the semicolon is only
needed as a separator if you are supplying multiple services to the BTS. It
should not be included as the trailing character.

The debug output for this was... unhelpful in earlier versions. Not sure if
they've improved it any. 

(Note, the listed service is for Eth CS on a non 16e BTS correct?)

If you need clarification on the ramifications of the different service
options let me know.

Ben

> -Original Message-
> From: freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of
> Steve Evans
> Sent: Wednesday, July 08, 2009 4:00 AM
> To: t...@kalik.net; FreeRadius users mailing list
> Subject: Re: Alvarion BreezeMax BTS - Service provisioning?
> 
> Unfortunately not possible - I am doing this on behalf of a customer who
> has already had the network installed (albeit poorly) and I am trying to
> give them some control over it.
> 
> I have quickly discovered that Alvarion are somewhat... how is best to
> put it... unique... in their RADIUS approach!
> 
> Their support & documentation is absolutely non-existent; they very much
> strike me as a box-shifting company - just get it out and once it's in,
> forget the customer.
> 
> So I guess no one has this in and working then?!!? :(
> 
> 
> 
> On Wed, 08 Jul 2009 15:45:05 +0700, Ivan Kalik  wrote:
> 
> >> Hopefully someone has come across this before and can easily answer
> >> the question I am attempting to get an Alvarion Breezemax basestation
> >> working with FreeRadius for provisioning of services.
> >
> > Best advice you are going to get here is: "avoid Alvarion if possible".
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >



pam_radius_auth for big endian

2009-07-08 Thread maxim maxim
I am trying to authenticate on sshd through PAM with pam_radius_auth; my
platform is based on PowerPC (big endian). After changes in the md5 file,
the authentication is accepted as OK on the RADIUS server, but my side of
sshd fails (I don't succeed in getting the session when I try to connect to
sshd) with a log error that the password or shared secret is wrong. Any
suggestions to solve this problem?

Thanks, Maxim

2009/7/7

> Date: Tue, 07 Jul 2009 16:57:31 +0200
> From: Alan DeKok
> Subject: Re: pam_radius_auth for big endian
> To: FreeRadius users mailing list
> Message-ID: <4a53625b.2040...@deployingradius.com>
>
> maxim maxim wrote:
> > How can I fix pam_radius_auth for a big endian platform?
>
>  The module works (or should) on big endian systems.  See md5.c for
> sparc/mips configuration.
>
>  Alan DeKok.
>

Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-08 Thread Gong Cheng

Just checked hostapd and it seems to implement this too:

hostapd/ieee802_1x.c:

"
    case RADIUS_CODE_ACCESS_CHALLENGE:
        sm->eap_if->aaaEapReq = TRUE;
        if (session_timeout_set) {
            /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
            sm->eap_if->aaaMethodTimeout = session_timeout;
"


Gong Cheng wrote:
> 
> Hi Alan, thanks for the answer. (and thanks to David too).
> I can't seem to find 2.1.7 yet, but I will keep this in mind.
> 
> Just as an FYI, I do see commercial NAS code that implements this.
> 
> 
> Alan DeKok-2 wrote:
>> 
>> Gong Cheng wrote:
>>> Hi, 
>>> I wonder if there is  a way
>>> - not to include "Session-Timeout" value intended for Access-Accept in
>>> Access-Challenge messages?
>> 
>>   In 2.1.7, see raddb/sites-available/default.  Look for
>> Access-Challenge.  There is sample configuration.
>> 
>>> - or to configure a different Session-Timeout value for
>>> Access-Challenges
>>> (which contain EAP-Message)?
>>> 
>>> This is about the following section in RFC3579 where Session-Timeout in
>>> Access-Challenge is used to influence EAP retransmission behavior.
>> 
>>   I'm not sure any AP supports that.
>> 
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> 
>> 
> 
> 



Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-08 Thread Gong Cheng

Hi Alan, thanks for the answer. (and thanks to David too).
I can't seem to find 2.1.7 yet, but I will keep this in mind.

Just as an FYI, I do see commercial NAS code that implements this.


Alan DeKok-2 wrote:
> 
> Gong Cheng wrote:
>> Hi, 
>> I wonder if there is  a way
>> - not to include "Session-Timeout" value intended for Access-Accept in
>> Access-Challenge messages?
> 
>   In 2.1.7, see raddb/sites-available/default.  Look for
> Access-Challenge.  There is sample configuration.
> 
>> - or to configure a different Session-Timeout value for Access-Challenges
>> (which contain EAP-Message)?
>> 
>> This is about the following section in RFC3579 where Session-Timeout in
>> Access-Challenge is used to influence EAP retransmission behavior.
> 
>   I'm not sure any AP supports that.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 



RE: realm in User-Name stripped in accounting data?

2009-07-08 Thread ST Wong (ITSC)
>> We setup proxy (on freeradius 2.1.3) by putting following lines in
>> users and acct_users:
>>
>> DEFAULT Huntgroup-Name == Aruba, Aruba-Essid-Name == "Univ
>> WiFi", Realm != "localream.mydomain", Proxy-to-realm := "remoteRealm"
>>
>> Authentication works properly while User-Name in accounting data, the
>> @realm part is removed.
>
> Is it there in Access-Accept? If username is stripped in Access-Accept
> it won't be present in accounting packets.

No, it's not in Access-Accept...  Is it possible to append @realm part
to proxied User-Name field in accounting data (or somewhere else where
appropriate)?

Thanks a lot.
/ST Wong



Re: Fallback LDAP Attribute Value

2009-07-08 Thread Alan DeKok
Ivan Kalik wrote:
> reply:Tmp-String-0

  Whoops..  that's my typo.

  Alan DeKok.


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 16:21, Ivan Kalik wrote:
>>>   e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:
>>>
>>>
>>> if (... i want to send vlan) {
>>> update reply {
>>> Tunnel-Private-Group-Id = "%{Tmp-String-0}"
> 
> reply:Tmp-String-0

Pants! I was almost certain I'd tried that previously and it had failed.
Tis working now though :)

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: FreeRadius 2.1.6 + EAP-PEAP issue

2009-07-08 Thread A . L . M . Buxey
Hi,

> csd-notebook\user_name Cleartext-Password := "user_password"
>
> Where csd-notebook is notebook name.
> This setting  is working.
>
> But I would like to make 2 improvements to current configuration.
>
> 1.  to have an ability to specify only user name in users file in order to
> not depend on user computer name.
>
> I was trying to do this by changing some FR 2.1.6 configuration parameters
> but failed.

you need to ensure that the preprocess module is called and that it is configured
with the nt_domain_hack = yes

> 2. To add athentication by computer MAC address
>
> I added Calling-Station-Id == "00-16-EA-8A-DE-38" parameter to users file
>
> csd-notebook\user_name Cleartext-Password := "user_password", 
> Calling-Station-Id == "00-16-EA-8A-DE-38"
>
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

this log is very much chewed

alan


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
>>
>>   e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:
>>
>>
>>  if (... i want to send vlan) {
>>  update reply {
>>  Tunnel-Private-Group-Id = "%{Tmp-String-0}"

reply:Tmp-String-0

Ivan Kalik
Kalik Informatika ISP



Re: realm in User-Name stripped in accounting data?

2009-07-08 Thread Ivan Kalik
> We setup proxy (on freeradius 2.1.3) by putting following lines in users
> and acct_users:
>
> DEFAULT Huntgroup-Name == Aruba, Aruba-Essid-Name == "Univ
> WiFi", Realm != "localream.mydomain", Proxy-to-realm := "remoteRealm"
>
> Authentication works properly while User-Name in accounting data, the
> @realm part is removed.

Is it there in Access-Accept? If username is stripped in Access-Accept it
won't be present in accounting packets.


Ivan Kalik
Kalik Informatika ISP



Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 15:07, Alan DeKok wrote:
>   You can map that VLAN number to a server-side attribute.  Then, copy
> it to the correct tunnel attribute when you want.
> 
>   e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:
> 
> 
>   if (... i want to send vlan) {
>   update reply {
>   Tunnel-Private-Group-Id = "%{Tmp-String-0}"
>   ...
>   }
>   }

OK getting closer...

ldap.attrmap contains:
replyItem   Tmp-String-0destinationindicator

post-auth section contains:
if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == "")) {
update reply {
Tunnel-Private-Group-Id = "666"
}
}
else {
update reply {
Tunnel-Private-Group-Id = "%{Tmp-String-0}"
}
}

debug output shows:
++? if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == ""))
?? Evaluating !(reply:Tmp-String-0) -> TRUE
?? Evaluating (reply:Tmp-String-0 == "") -> FALSE
++? if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == "")) -> FALSE
++- entering else else
expand: %{Tmp-String-0} ->

So Tmp-String-0 supposedly is there, and isn't empty, but I can't get the
data out of it.

In the packet back it is set to:
Tunnel-Private-Group-Id:0 = ""

What am I missing?

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953



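
Putting the pieces of this thread together (Alan's Tmp-String-0 mapping, the huntgroup gate Steven wants, and the `reply:` list qualifier Ivan points out) as an added post-auth example; this is not Steven's final configuration. The `ciscoswitches` huntgroup name, the `666` fallback VLAN and the attrmap line come from the thread; the companion Tunnel-Type and Tunnel-Medium-Type values are the standard rfc2868 ones.

```unlang
# post-auth section of the virtual server that handles the dot1x requests.
# ldap.attrmap carries the line from the thread:
#   replyItem   Tmp-String-0   destinationindicator
# so rlm_ldap places the VLAN number in Tmp-String-0 in the *reply* list.
post-auth {
    # Only NASes in the dot1x huntgroup receive tunnel attributes at all;
    # everybody else (wireless etc.) is left untouched.
    if (Huntgroup-Name == "ciscoswitches") {

        # The attribute lives in the reply list, so the expansion has to say
        # so: %{Tmp-String-0} looks in the request list and expands to ""
        # (the empty Tunnel-Private-Group-Id seen in the debug output),
        # while %{reply:Tmp-String-0} yields the value fetched from LDAP.
        if ((!reply:Tmp-String-0) || (reply:Tmp-String-0 == "")) {
            update reply {
                Tunnel-Private-Group-Id := "666"
            }
        }
        else {
            update reply {
                Tunnel-Private-Group-Id := "%{reply:Tmp-String-0}"
            }
        }

        # Companion attributes that make the switch read the value as a
        # VLAN assignment (value names from dictionary.rfc2868).
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
        }
    }
}
```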

realm in User-Name stripped in accounting data?

2009-07-08 Thread ST Wong (ITSC)
Hi all,

We setup proxy (on freeradius 2.1.3) by putting following lines in users
and acct_users:

DEFAULT Huntgroup-Name == Aruba, Aruba-Essid-Name == "Univ
WiFi", Realm != "localream.mydomain", Proxy-to-realm := "remoteRealm"

Authentication works properly while User-Name in accounting data, the
@realm part is removed.
However, there is no problem for other 'simple' proxy settings (only
define realm in proxy.conf, without Proxy-to-realm).  
We're using LDAP as authentication backend.

Would anyone please advise if we can keep the @realm part in all
accounting data?

Thanks a lot.
/ST Wong

Re: Re: Session-Timeout in Access-Challenge (that contains EAP-Message)

2009-07-08 Thread David Mitton
Alan,
  They most certainly do!

  I just debugged a case where the Cisco 1200 takes the 30s Session-Timeout 
that the Microsoft IAS server sends and treats it as a response timeout.   (It 
then aborts the authentication, which I believe is wrong, but that's another 
story)
When doing a SecurID authentication with user input of a 60s token OTP, the 
default 30s is "inadequate".
Cisco does document the way to extend or override this behavior.

   The Session-Timeout on Access-Challenges for EAP should be a separate 
"design" somehow.
In the older MS RasEap API, it was crudely based on the type of Send action 
the EAP server used.
In the newer MS EAPHost API, the EAP server code has direct control.

I don't know how your EAP modules interface to the RADIUS server proper, but a 
method that is expecting interactive user control _will_ want to create some 
slack here.  

  Not all EAP methods complete in short time.

Dave.



On Jul 8, 2009, al...@deployingradius.com wrote:

> Gong Cheng wrote:
>> Hi,
>> I wonder if there is a way
>> - not to include "Session-Timeout" value intended for Access-Accept in
>> Access-Challenge messages?
>
>  In 2.1.7, see raddb/sites-available/default.  Look for
> Access-Challenge.  There is sample configuration.
>
>> - or to configure a different Session-Timeout value for Access-Challenges
>> (which contain EAP-Message)?
>>
>> This is about the following section in RFC3579 where Session-Timeout in
>> Access-Challenge is used to influence EAP retransmission behavior.
>
>  I'm not sure any AP supports that.
>
>  Alan DeKok.


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Alan DeKok
Steven Carr wrote:
> That is the issue, I do not know what attributes we do want, only what
> we don't want.

  If you don't want the attributes, it would be simplest to not add them
in the first place.

> We only want to send back the VLAN switching dot1x attributes if the
> request comes from a particular huntgroup (containing devices that are
> allowed to do dot1x), the problem being one of these attributes is
> stored in LDAP (the actual VLAN number to put someone in).

  You can map that VLAN number to a server-side attribute.  Then, copy
it to the correct tunnel attribute when you want.

  e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:


if (... i want to send vlan) {
update reply {
Tunnel-Private-Group-Id = "%{Tmp-String-0}"
...
}
}

  Alan DeKok.


Re: Certificate-based client side authentication towards a website with freeradius

2009-07-08 Thread Jay Xiong
Martin,

The Internet Draft addresses what you described in web client/Apache
server and mail client and mail server applications. The TLS-EAP
extension leverages the existing user credentials and profiles in the AAA
server. In addition, you have the flexibility to choose different
authentication methods using EAP. You can use token-based
authentication or client-certificate-based authentication.

What kind of mail client/mail server and web client/web server are you using?

I am recruiting more volunteers for the project and I will keep you
posted of my progress.

Thanks,

jay

On Thu, Jul 2, 2009 at 3:16 AM, Martin
Schneider wrote:
> Hello Jay
>
>> If you want to leverage the existing user profiles in the RADIUS
>> server for authentication, authorization, this Internet Draft TLS-EAP
>> Extension http://tools.ietf.org/html/draft-nir-tls-eap-06 might be
>> what you are looking for. Unfortunately, there is no implementation up
>> to date as far as I know.
>>
>> I am designing and developing the software for this Internet draft
>> based on OpenSSL, EAP module from wpa-supplicant and freeradius
>> client. Please let me know any special requirements if you are
>> interested in using TLS-EAP Extension.
>
> I read the draft you mentioned above and I'm not 100% sure if I
> understood it correctly.
>
> So basically spoken the authentication/authorization becomes more or
> less independent from the application using this software/draft.
> There's an authentication/authorization infrastructure besides client
> and service that is generic and can be used for *different* services.
> So, e.g. I can use it for authentication/authorization for a
> webbrowser towards apache, for a mailclient towards the mailservice
> etc.
>
> If it is like that, this sounds pretty amazing and would give us
> exactly what we need.
>
> Best regards!
> M


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 14:36, Ivan Kalik wrote:
> Well, reply attributes don't appear from nowhere - *you* configure them!
> List what you want to leave in the packet (lets say Service-Type) - rest
> will be deleted.

That is the issue, I do not know what attributes we do want, only what
we don't want.

We only want to send back the VLAN switching dot1x attributes if the
request comes from a particular huntgroup (containing devices that are
allowed to do dot1x), the problem being one of these attributes is
stored in LDAP (the actual VLAN number to put someone in).

The idea is that the RADIUS server is also going to process other
authentication requests as well as dot1x requests, but to ensure that
nothing gets triggered on other devices (Wireless etc.) these attributes
can't be sent back to devices that aren't allowed for dot1x.

We can't be the only people wanting to do this? Or do you have any other
suggestions as to how this can be achieved?

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




FreeRadius 2.1.6 + EAP-PEAP issue

2009-07-08 Thread Anatoly Oreshkin


Hello,

I am configuring FreeRadius 2.1.6 to authenticate MS Vista user
using EAP-PEAP protocol.

The file users looks as follows:

csd-notebook\user_name Cleartext-Password := "user_password"

Where csd-notebook is notebook name.
This setting  is working.

But I would like to make 2 improvements to current configuration.

1.  to have an ability to specify only user name in users file in order to
not depend on user computer name.

I was trying to do this by changing some FR 2.1.6 configuration parameters
but failed.

2. To add authentication by computer MAC address

I added Calling-Station-Id == "00-16-EA-8A-DE-38" parameter to users file

csd-notebook\user_name Cleartext-Password := "user_password", Calling-Station-Id == "00-16-EA-8A-DE-38"

but got such error message:

.
[eap] EAP packet type response id 17 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject


What parameters should I change to make these 2 configurations to work ?

Current FR 2.1.6 configuration is as follows.

eap.conf:
--

peap {
 default_eap_type = mschapv2
 copy_request_to_tunnel = no
 use_tunneled_reply = no
 proxy_tunneled_request_as_eap = no
 virtual_server = "inner-tunnel"
}

modules/mschap:
--

mschap {
   use_mppe = yes
   require_encryption = yes
   require_strong = yes
   with_ntdomain_hack = yes
}

modules/preprocess:
---

preprocess {
   with_ascend_hack = no
   with_ntdomain_hack = no
   with_specialix_jetstream_hack = no
   with_cisco_vsa_hack = no
}

modules/realm:
--

realm ntdomain {
format = prefix
delimiter = "\\"
}


sites-available/default:
---

authorize {
  preprocess
  mschap
  suffix

}

authenticate {

 Auth-Type MS-CHAP {
 mschap
 }

...
}

sites-available/inner-tunnel:


authorize {
  mschap
  suffix
  update control {
   Proxy-To-Realm := LOCAL
}
...
}

Thank you.




Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
> On 8/7/09 14:19, Ivan Kalik wrote:
>> Obviously not. There is no wildcard. If you want wildcard use attribute
>> filter instead of update reply.
>
> Tried that too, but the attribute filter only seems to allow you to
> filter on items that you want to be returned, rather than filter out
> those that you don't want to be returned :(

Well, reply attributes don't appear from nowhere - *you* configure them!
List what you want to leave in the packet (let's say Service-Type) - rest
will be deleted.

Ivan Kalik
Kalik Informatika ISP



Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 14:19, Ivan Kalik wrote:
> Obviously not. There is no wildcard. If you want wildcard use attribute
> filter instead of update reply.

Tried that too, but the attribute filter only seems to allow you to
filter on items that you want to be returned, rather than filter out
those that you don't want to be returned :(

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: ubuntu / debian rlm_python issues using mysqldb module

2009-07-08 Thread John Dennis

On 07/08/2009 04:16 AM, Michael da Silva Pereira wrote:
> Hi All,
>
> I am sure I'm not the only person experiencing this problem. It seems
> that when using the python module to handle auth/acct, if you include
> the MySQLdb module in the python script, freeradius then dies and is
> unable to load the python module.
>
> I am using the latest stable freeradius version 2.1.6, built for ubuntu
> as per http://wiki.freeradius.org/Build using fakeroot.
> The python script being used is the "prepaid.py" script renamed to
> "radiusd_test.py" in the example below.
>
> I am using the standard scripts and config from freeradius, I found a
> similar article regarding this and apparently it has something to do with
> statically linking the module ?
>
> Are there any solutions for this ?
>
> Wed Jul 8 12:10:51 2009 : Error: rlm_python:python_load_function: module
> 'radiusd_test' is not found
> Wed Jul 8 12:10:51 2009 : Error: rlm_python:EXCEPT:: /var/lib/python-support/python2.6/_mysql.so:
> undefined symbol: PyExc_ImportError
> Wed Jul 8 12:10:51 2009 : Error: rlm_python:python_load_function: failed
> to import python function 'radiusd_test.instantiate'
> Wed Jul 8 12:10:51 2009 : Error: /etc/freeradius/modules/python[1]:
> Instantiation failed for module "python"
> Wed Jul 8 12:10:51 2009 : Error:
> /etc/freeradius/sites-enabled/iburst-prepaid[30]: Failed to find module
> "python".
> Wed Jul 8 12:10:51 2009 : Error:
> /etc/freeradius/sites-enabled/iburst-prepaid[30]: Failed to parse
> "python" entry.
> Wed Jul 8 12:10:51 2009 : Error: Errors initializing modules

This seems to be wholly a Python problem, not a FreeRADIUS problem 
because you're getting a Python import error, specifically an unresolved 
reference to a symbol in a .so. It's probably easiest to diagnose this 
outside of FreeRADIUS. My first guess would be you've got something 
amiss in your Python setup because the missing symbol PyExc_ImportError 
is a common symbol which should be defined in libpython2.6.so. I'm 
guessing something is linked against the wrong libraries or a library 
path is not pointing in the right place. Here is a series of steps I 
would try:


Fire up python from the command line by typing python, that will put you 
in a python interpreter shell. Then type "import MySQLdb". Does the 
import succeed? Try the same thing with your script.


Check which libraries standard python are using (note, the path name 
will likely be different).


% ldd /usr/bin/python
linux-gate.so.1 =>  (0x005fc000)
libpython2.6.so.1.0 => /usr/lib/libpython2.6.so.1.0 (0x0361d000)
libpthread.so.0 => /lib/libpthread.so.0 (0x003c2000)
libdl.so.2 => /lib/libdl.so.2 (0x003bb000)
libutil.so.1 => /lib/libutil.so.1 (0x001d5000)
libm.so.6 => /lib/libm.so.6 (0x00391000)
libc.so.6 => /lib/libc.so.6 (0x0021d000)
/lib/ld-linux.so.2 (0x001f9000)

On my system _mysql.so is in /usr/lib/python2.6/site-packages but on 
yours it's in /var/lib/python-support/python2.6/_mysql.so, adjust the 
paths appropriately.


% ldd /usr/lib/python2.6/site-packages/_mysql.so
linux-gate.so.1 =>  (0x00acd000)
libmysqlclient_r.so.16 => /usr/lib/mysql/libmysqlclient_r.so.16 (0x004c8000)
libz.so.1 => /lib/libz.so.1 (0x0011)
libpthread.so.0 => /lib/libpthread.so.0 (0x004ac000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x009e6000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00407000)
libm.so.6 => /lib/libm.so.6 (0x00b6)
libssl.so.8 => /usr/lib/libssl.so.8 (0x00f58000)
libcrypto.so.8 => /usr/lib/libcrypto.so.8 (0x0021b000)
libpython2.6.so.1.0 => /usr/lib/libpython2.6.so.1.0 (0x0063c000)
libc.so.6 => /lib/libc.so.6 (0x007bc000)
/lib/ld-linux.so.2 (0x001f9000)
libfreebl3.so => /lib/libfreebl3.so (0x00123000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0016b000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00e13000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00196000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00199000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00ed6000)
libdl.so.2 => /lib/libdl.so.2 (0x001cc000)
libutil.so.1 => /lib/libutil.so.1 (0x001d1000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0043e000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00cea000)
libselinux.so.1 => /lib/libselinux.so.1 (0x001d5000)

This will tell you what the loader will try to resolve when you try to 
do the import. If you see a mismatch in the libraries or their paths 
then there is your culprit.






--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
> Is it not possible to use something like...
>
>   if ((!Huntgroup-Name) || (Huntgroup-Name != "ciscoswitches")) {
>   update reply {
>   Tunnel-Private-Group-ID -=
>   Tunnel-Type -=
>   Tunnel-Medium-Type -=
>   }
>   }
>
> I did try this and it came back with:
>   ERROR: No value given for attribute Tunnel-Private-Group-ID.

Obviously not. There is no wildcard. If you want wildcard use attribute
filter instead of update reply.

Ivan Kalik
Kalik Informatika ISP



Re: want to authorise but not authenticate

2009-07-08 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> On 8/7/09 13:20, a.l.m.bu...@lboro.ac.uk wrote:
> Can't you bind the same virtual server to multiple IPs? Less duplication...

listen {
... # ip 1

virtual_server = foo
}

listen {
... # ip 2
virtual_server = foo
}

  Alan DeKok.


Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 8/7/09 08:18, Steven Carr wrote:
> On 7/7/09 17:01, Ivan Kalik wrote:
>> Yes.
>>
>> if(((!reply:...) || (reply:... = "")) && Huntgroup-Name = "whatever")
> 
> This works for those users that have the attribute set as a fallback
> measure but how do I stop it from returning the attribute when it was
> retrieved from LDAP, again I only want this attribute to be returned
> when the are calling from a particular huntgroup.
> 
> So the scenario is - if they are calling from huntgroup "ciscoswitches"
> then we return the attributes either the value from LDAP for the VLAN or
> the fallback value from the post auth, if they are not calling from the
> huntgroup then don't return these attributes.

Is it not possible to use something like...

if ((!Huntgroup-Name) || (Huntgroup-Name != "ciscoswitches")) {
update reply {
Tunnel-Private-Group-ID -=
Tunnel-Type -=
Tunnel-Medium-Type -=
}
}

I did try this and it came back with:
  ERROR: No value given for attribute Tunnel-Private-Group-ID.

There must be an easy way to strip attributes from being returned?

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: want to authorise but not authenticate

2009-07-08 Thread Arran Cudbard-Bell

On 8/7/09 13:20, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Listen on multiple interfaces and use the packet destination IP attribute with
>> Unlang to determine policy? Then point the different services at the different
>> IP addresses ?
>
> currently this is what we are looking at - a new virtual
> server on a different port that does the authorisation job only.
>
> it's a little natty but seems the best way :-|

Can't you bind the same virtual server to multiple IPs? Less duplication...

Arran

--
Arran Cudbard-Bell ,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: matching on nas entry/shortname

2009-07-08 Thread Ivan Kalik
> Matching an entry based on the NAS's IP Address value in the request is
> doable
> via DEFAULT NAS-IP-Address == "1.2.3.4" ...
>
> How about if I wouldn't want to count on that attribute and I'd rather
> just
> want to
> match based on the NAS entry itself (which is read from mysql) or the
> shortname
> assigned to the NAS in that mysql database.

How would that work? You read something from the database and compare it
to - what? If you don't want to rely on NAS-IP-Address you can use
internal attribute Client-IP-Address which can't be spoofed.

Ivan Kalik
Kalik Informatika ISP



Re: receives 1 request --> proxy 2 requests?

2009-07-08 Thread Ivan Kalik
> ok, next try to explain the problem:
>
> if i start radtest everything looks fine:
> radtest 111...@test 111...@test localhost:1645 0 *secret*
> Sending Access-Request of id 176 to 127.0.0.1 port 1645
> User-Name = "111...@test"
> User-Password = "111...@test"
> NAS-IP-Address = 172.x.x.x
> NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1 port
> 1645, id=176, length=20
>

So, no shared secret error! Secrets match for authentication but don't for
accounting. Check *accounting* port secrets on both ends.

>
> if i look in freeradius-debug:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port
> 58236, id=177, length=64
> User-Name = "111...@test"
> User-Password = "111...@test"
> NAS-IP-Address = 172.x.x.x
> NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> expand:
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> ->
> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090708
> [auth_log]
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to
> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090708
> expand: %t -> Wed Jul  8 13:07:36 2009
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] Looking up realm "test" for User-Name =
> "111...@test"
> [suffix] Found realm "test"
> [suffix] Adding Realm = "test"
> [suffix] Proxying request from user 11 to realm test
> [suffix] Preparing to proxy authentication request to realm
> "test"
> ++[suffix] returns updated
> [prefix] Request already proxied.  Ignoring.
> ++[prefix] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>
> --until here ok-
>
> Sending Access-Request of id 207 to 172.y.y.y port 1812
> User-Name = "111...@test"
> User-Password = "111...@test"
> NAS-IP-Address = 172.x.x.x
> NAS-Port = 0
> Proxy-State = 0x313737
> Proxying request 34 to home server 172.y.y.y port 1812
> Sending Access-Request of id 207 to 172.y.y.y port 1812
> User-Name = "111...@test"
> User-Password = "111...@test"
> NAS-IP-Address = 172.x.x.x
> NAS-Port = 0
> Proxy-State = 0x313737
>
> -why a second identical
> request?

It's not the second request, it's the same one.

Ivan Kalik
Kalik Informatika ISP



Re: want to authorise but not authenticate

2009-07-08 Thread A . L . M . Buxey
Hi,

> Listen on multiple interfaces and use the packet destination IP attribute 
> with Unlang to determine policy? Then point the different services at the 
> different IP addresses ?

currently this is what we are looking at - a new virtual
server on a different port that does the authorisation job only.

it's a little natty but seems the best way :-|

alan


matching on nas entry/shortname

2009-07-08 Thread liran tal
Hey,

Matching an entry based on the NAS's IP Address value in the request is
doable
via DEFAULT NAS-IP-Address == "1.2.3.4" ...

How about if I wouldn't want to count on that attribute and I'd rather just
want to
match based on the NAS entry itself (which is read from mysql) or the
shortname
assigned to the NAS in that mysql database.


Regards,
Liran.

Re: want to authorise but not authenticate

2009-07-08 Thread Arran Cudbard-Bell

On 8/7/09 12:39, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> authorize {
>> if((User-Name == User-Password)&&  %{ldap:etc...}){
>> update control {
>> Auth-Type := 'NULL'
>> }
>> }
>> else {
>> // Authentication modules
>> }
>> }
>>
>>
>> Auth-Type NULL {
>> ok
>> }
>
> this is pretty much what is already on the system - the trouble then is that
> people can then just login by using any account so long as the password
> is the same value
>
> eg
>
> hacker
> hacker
>
> they don't even need a valid account to actually authenticate.

Well the LDAP string expansion should make sure the account is actually 
valid... But you could use the LDAP module and check the return codes to do the 
same thing.

> what we need is for the X=Y to work for authorise and then
> not give a damn about authentication - but, as said, looks like
> we cannot distinguish between auth and auth (if you get what
> I mean ;-) ) - if only we could send Service-Type from the device...

Listen on multiple interfaces and use the packet destination IP attribute with 
Unlang to determine policy? Then point the different services at the different 
IP addresses ?

Arran
--
Arran Cudbard-Bell ,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: want to authorise but not authenticate

2009-07-08 Thread A . L . M . Buxey
Hi,

> authorize {
>   if((User-Name == User-Password) && %{ldap:etc...}){
>   update control {
>   Auth-Type := 'NULL'
>   }
>   }
>   else {
>   // Authentication modules
>   }
> }
>
>
> Auth-Type NULL {
>   ok
> }

this is pretty much what is already on the system - the trouble then is that
people can then just login by using any account so long as the password
is the same value

eg 

hacker
hacker

they don't even need a valid account to actually authenticate.

what we need is for the X=Y to work for authorise and then
not give a damn about authentication - but, as said, looks like
we cannot distinguish between auth and auth (if you get what
I mean ;-) ) - if only we could send Service-Type from the device...

alan
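
The arrangement discussed in this thread, written out as an added example rather than Alan's or Arran's configuration: two listen sections feed one virtual server, and the username-equals-password shortcut is honoured only for requests that arrive on the authorisation-only address, and only for accounts the ldap module can actually find. The addresses 192.0.2.10/11, the virtual server name `campus`, and the use of the ldap module's return code in place of the `%{ldap:...}` expansion are assumptions.

```unlang
# Two listeners, one virtual server (Alan's point); the policy inside the
# virtual server keys off the address the packet arrived on (Arran's point).
# 192.0.2.10 / 192.0.2.11 are documentation addresses standing in for real ones.
listen {
    type = auth
    ipaddr = 192.0.2.10        # services that must really authenticate users
    port = 1812
    virtual_server = campus
}

listen {
    type = auth
    ipaddr = 192.0.2.11        # services that only need "does this account exist"
    port = 1812
    virtual_server = campus
}

server campus {
    authorize {
        preprocess

        # Look the account up first. "notfound" means no such user, so the
        # shortcut below can never be used with an invented account
        # (the "hacker / hacker" case raised in the thread).
        ldap
        if (notfound) {
            reject
        }

        # The username-equals-password convention is accepted only on the
        # authorisation-only address; everything else does a real LDAP bind.
        if ((Packet-Dst-IP-Address == 192.0.2.11) && (User-Name == "%{User-Password}")) {
            update control {
                Auth-Type := NULL
            }
        }
        else {
            update control {
                Auth-Type := LDAP
            }
        }
    }

    authenticate {
        # Authorisation-only path: the account exists, nothing else is checked.
        Auth-Type NULL {
            ok
        }
        # Normal path: bind to the directory with the supplied password.
        Auth-Type LDAP {
            ldap
        }
    }
}
```

Devices that need real authentication are pointed at 192.0.2.10, where the NULL branch is unreachable.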


Re: Unable to configure rlm_ldap on Solaris 10 - doesn't find libldap_r

2009-07-08 Thread Steven Carr
On 8/7/09 12:12, Nicolas Goutte wrote:
> 
> 
> "checking for ldap_init in -lldap_r... no"
> 
> -lldap means compile time linking. By using LD_LIBRARY_PATH you change
> only runtime linking, which is not the same

I have found the error, looking in the config.log file I have the following:

> configure:2891: gcc -o conftest -g -O2   conftest.c -lldap_r -lpthread  >&5
> ld: fatal: file /usr/lib/libresolv.so.2: version `SUNW_2.2.2' does not exist:
> required by file /usr/local/lib/libldap_r.so
> ld: fatal: File processing errors. No output written to conftest

Now time to hunt down v2.2.2 of libresolv :|

Thanks for your replies

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: receives 1 request --> proxy 2 requests?

2009-07-08 Thread Torsten Förster
ok, next try to explain the problem:
 
if i start radtest everything looks fine:
radtest 111...@test 111...@test localhost:1645 0 *secret*
Sending Access-Request of id 176 to 127.0.0.1 port 1645
User-Name = "111...@test"
User-Password = "111...@test"
NAS-IP-Address = 172.x.x.x
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port
1645, id=176, length=20
 
 
if i look in freeradius-debug:
 
rad_recv: Access-Request packet from host 127.0.0.1 port
58236, id=177, length=64
User-Name = "111...@test"
User-Password = "111...@test"
NAS-IP-Address = 172.x.x.x
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20090708
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20090708
expand: %t -> Wed Jul  8 13:07:36 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "test" for User-Name =
"111...@test"
[suffix] Found realm "test"
[suffix] Adding Realm = "test"
[suffix] Proxying request from user 11 to realm test
[suffix] Preparing to proxy authentication request to realm
"test"
++[suffix] returns updated
[prefix] Request already proxied.  Ignoring.
++[prefix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
 
--until here ok-
 
Sending Access-Request of id 207 to 172.y.y.y port 1812
User-Name = "111...@test"
User-Password = "111...@test"
NAS-IP-Address = 172.x.x.x
NAS-Port = 0
Proxy-State = 0x313737
Proxying request 34 to home server 172.y.y.y port 1812
Sending Access-Request of id 207 to 172.y.y.y port 1812
User-Name = "111...@test"
User-Password = "111...@test"
NAS-IP-Address = 172.x.x.x
NAS-Port = 0
Proxy-State = 0x313737
 
-why a second identical
request?
 
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 172.y.y.y port
1812, id=207, length=25
Proxy-State = 0x313737
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [111...@test/111...@test] (from client localhost
port 0)
Sending Access-Accept of id 177 to 127.0.0.1 port 58236
Finished request 34.
Going to the next request
Waking up in 2.9 seconds.
Cleaning up request 34 ID 177 with timestamp +4454
Ready to process requests.
 
--End-
 
So, i get an access-accept. But freeradius generates a
second request.
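The "second identical request" in the paste above is the same packet, id 207 with the same Proxy-State, going out twice to the same home server. As an added example, not from this thread or from FreeRADIUS itself, here is a small Python scanner that pulls outbound proxy requests and their replies out of `radiusd -X` output and flags any id sent more than once; the debug text inside it is constructed to mirror the paste, including the mail-client wrapping of the `rad_recv:` lines.

```python
import re

# Constructed excerpt modelled on the debug output in the thread (not the
# poster's own paste): one client request, the proxied Access-Request going
# out twice with the same id and Proxy-State, the home server's reply, and
# our reply back to the client. The mail wrapping of "rad_recv:" lines is
# kept on purpose so the scanner has to cope with it.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port
58236, id=177, length=64
    User-Name = "bob@test"
    NAS-IP-Address = 172.x.x.x
Sending Access-Request of id 207 to 172.y.y.y port 1812
    User-Name = "bob@test"
    Proxy-State = 0x313737
Proxying request 34 to home server 172.y.y.y port 1812
Sending Access-Request of id 207 to 172.y.y.y port 1812
    User-Name = "bob@test"
    Proxy-State = 0x313737
Going to the next request
rad_recv: Access-Accept packet from host 172.y.y.y port
1812, id=207, length=25
    Proxy-State = 0x313737
Sending Access-Accept of id 177 to 127.0.0.1 port 58236
Finished request 34.
"""

# Outbound packets, e.g. "Sending Access-Request of id 207 to 172.y.y.y port 1812"
SEND_RE = re.compile(
    r"^Sending (?P<code>[A-Za-z-]+) of id (?P<id>\d+) to (?P<host>\S+) port (?P<port>\d+)$"
)
# Inbound packets once unwrapped, e.g.
# "rad_recv: Access-Accept packet from host 172.y.y.y port 1812, id=207, length=25"
RECV_RE = re.compile(
    r"^rad_recv: (?P<code>[A-Za-z-]+) packet from host (?P<host>\S+) port (?P<port>\d+), id=(?P<id>\d+)"
)


def unwrap(text):
    """Return stripped, non-empty debug lines with mail wrapping undone:
    a 'rad_recv:' line that ends in 'port' is joined with its continuation."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and lines[-1].startswith("rad_recv:") and lines[-1].endswith(" port"):
            lines[-1] = lines[-1] + " " + line
        else:
            lines.append(line)
    return lines


def proxy_flows(text):
    """Map (home_server, port, id) -> {'sent': n, 'replies': [codes]} for every
    *-Request radiusd sent to a home server. The client's own request and our
    Access-Accept back to the NAS are not proxy traffic and are skipped."""
    flows = {}
    for line in unwrap(text):
        m = SEND_RE.match(line)
        if m and m["code"].endswith("-Request"):
            key = (m["host"], int(m["port"]), int(m["id"]))
            flows.setdefault(key, {"sent": 0, "replies": []})["sent"] += 1
            continue
        m = RECV_RE.match(line)
        if m:
            key = (m["host"], int(m["port"]), int(m["id"]))
            if key in flows:  # a reply to something we proxied
                flows[key]["replies"].append(m["code"])
    return flows


def retransmitted(text):
    """Subset of proxy_flows() whose packet went out more than once: the
    'second identical request' in the thread. A reply eventually arriving does
    not make the repeat benign; it only means the home server answered a copy."""
    return {k: v for k, v in proxy_flows(text).items() if v["sent"] > 1}


if __name__ == "__main__":
    for (host, port, pid), info in retransmitted(SAMPLE_DEBUG).items():
        print("id %d to %s:%d sent %d times, replies: %s"
              % (pid, host, port, info["sent"], info["replies"] or "none"))
```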




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Unable to configure rlm_ldap on Solaris 10 - doesn't find libldap_r

2009-07-08 Thread Nicolas Goutte


On 08.07.2009 at 13:07, Steven Carr wrote:

> On 8/7/09 12:00, Ivan Kalik wrote:
>> Your linker is probably looking in /usr/lib but not in /usr/local/lib. Add
>> the correct path.
>
> I have tried with the following set:
>
>   export LD_LIBRARY_PATH=/usr/local/lib

"checking for ldap_init in -lldap_r... no"

-lldap means compile time linking. By using LD_LIBRARY_PATH you change
only runtime linking, which is not the same.

> and I still get the same errors.
>
> Steve
>
> --
> Steven Carr
> Systems Development Officer
> SLS/ITS/Systems - (0191) 515 3953



Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: Unable to configure rlm_ldap on Solaris 10 - doesn't find libldap_r

2009-07-08 Thread Steven Carr
On 8/7/09 12:00, Ivan Kalik wrote:
> Your linker is probably looking in /usr/lib but not in /usr/local/lib. Add
> the correct path.

I have tried with the following set:

  export LD_LIBRARY_PATH=/usr/local/lib

and I still get the same errors.

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: Unable to configure rlm_ldap on Solaris 10 - doesn't find libldap_r

2009-07-08 Thread Ivan Kalik
>> # ./configure
>> ...
>> checking for ldap_init in -lldap_r... no
>> checking for ldap.h... yes
>> configure: WARNING: silently not building rlm_ldap.
>> configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r.
>> configure: creating ./config.status
>> config.status: creating Makefile
>
> When manually specifying the directories it still comes back with the
> same error:
>> r...@radius0:/usr/local/src/freeradius/freeradius-server-2.1.6/src/modules/rlm_ldap
>> # ./configure \
>>> --with-rlm-ldap-lib-dir=/usr/local/lib \
>>> --with-rlm-ldap-include-dir=/usr/local/include
>> ...
>> checking for ldap_init in -lldap_r... no
>> checking for ldap.h... yes
>> configure: WARNING: silently not building rlm_ldap.
>> configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r.
>> configure: creating ./config.status
>> config.status: creating Makefile
>
> Contents of the directories:
>
>> r...@radius0:/usr/local/src/freeradius/freeradius-server-2.1.6/src/modules/rlm_ldap
>> # ls -la /usr/local/lib/libldap*
>> lrwxrwxrwx   1 root root  20 Jul  8 09:10
>> /usr/local/lib/libldap-2.4.so.2 -> libldap-2.4.so.2.4.2
>> -rwxr-xr-x   1 bin  bin   306312 May 30 02:46
>> /usr/local/lib/libldap-2.4.so.2.4.2
>> -rw-r--r--   1 bin  bin   373348 May 30 02:46
>> /usr/local/lib/libldap.a
>> -rw-r--r--   1 bin  bin 1290 May 30 02:46
>> /usr/local/lib/libldap.la
>> lrwxrwxrwx   1 root root  20 Jul  8 09:10
>> /usr/local/lib/libldap.so -> libldap-2.4.so.2.4.2
>> lrwxrwxrwx   1 root root  22 Jul  8 09:10
>> /usr/local/lib/libldap_r-2.4.so.2 -> libldap_r-2.4.so.2.4.2
>> -rwxr-xr-x   1 bin  bin   332016 May 30 02:46
>> /usr/local/lib/libldap_r-2.4.so.2.4.2
>> -rw-r--r--   1 bin  bin   410146 May 30 02:46
>> /usr/local/lib/libldap_r.a
>> -rw-r--r--   1 bin  bin 1304 May 30 02:46
>> /usr/local/lib/libldap_r.la
>> lrwxrwxrwx   1 root root  22 Jul  8 09:10
>> /usr/local/lib/libldap_r.so -> libldap_r-2.4.so.2.4.2
>
>> r...@radius0:/usr/local/src/freeradius/freeradius-server-2.1.6/src/modules/rlm_ldap
>> # ls -la /usr/local/include/ldap*
>> -rw-r--r--   1 bin  bin63828 May 30 02:46
>> /usr/local/include/ldap.h
>> -rw-r--r--   1 bin  bin 9538 May 30 02:46
>> /usr/local/include/ldap_cdefs.h
>> -rw-r--r--   1 bin  bin 1890 May 30 02:46
>> /usr/local/include/ldap_features.h
>> -rw-r--r--   1 bin  bin 9523 May 30 02:46
>> /usr/local/include/ldap_schema.h
>> -rw-r--r--   1 bin  bin 3539 May 30 02:46
>> /usr/local/include/ldap_utf8.h
>
> Any ideas what is going wrong?

Your linker is probably looking in /usr/lib but not in /usr/local/lib. Add
the correct path.



Unable to configure rlm_ldap on Solaris 10 - doesn't find libldap_r

2009-07-08 Thread Steven Carr
Hi list,

I have been trying to configure FreeRADIUS 2.1.6 on Solaris 10 (sparc)
but I am having issues with the rlm_ldap module not being able to locate
libldap_r.

I have installed the OpenSSL and OpenLDAP packages + dependencies from
Sunfreeware.

When issuing the plain "./configure" it returns the following:
> r...@radius0:/usr/local/src/freeradius/freeradius-server-2.1.6/src/modules/rlm_ldap
>  # ./configure
> ...
> checking for ldap_init in -lldap_r... no
> checking for ldap.h... yes
> configure: WARNING: silently not building rlm_ldap.
> configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r.
> configure: creating ./config.status
> config.status: creating Makefile

When manually specifying the directories it still comes back with the
same error:
> r...@radius0:/usr/local/src/freeradius/freeradius-server-2.1.6/src/modules/rlm_ldap
>  # ./configure \
>> --with-rlm-ldap-lib-dir=/usr/local/lib \
>> --with-rlm-ldap-include-dir=/usr/local/include
> ...
> checking for ldap_init in -lldap_r... no
> checking for ldap.h... yes
> configure: WARNING: silently not building rlm_ldap.
> configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r.
> configure: creating ./config.status
> config.status: creating Makefile

Contents of the directories:

> r...@radius0:/usr/local/src/freeradius/freeradius-server-2.1.6/src/modules/rlm_ldap
>  # ls -la /usr/local/lib/libldap*
> lrwxrwxrwx   1 root root  20 Jul  8 09:10 
> /usr/local/lib/libldap-2.4.so.2 -> libldap-2.4.so.2.4.2
> -rwxr-xr-x   1 bin  bin   306312 May 30 02:46 
> /usr/local/lib/libldap-2.4.so.2.4.2
> -rw-r--r--   1 bin  bin   373348 May 30 02:46 /usr/local/lib/libldap.a
> -rw-r--r--   1 bin  bin 1290 May 30 02:46 
> /usr/local/lib/libldap.la
> lrwxrwxrwx   1 root root  20 Jul  8 09:10 
> /usr/local/lib/libldap.so -> libldap-2.4.so.2.4.2
> lrwxrwxrwx   1 root root  22 Jul  8 09:10 
> /usr/local/lib/libldap_r-2.4.so.2 -> libldap_r-2.4.so.2.4.2
> -rwxr-xr-x   1 bin  bin   332016 May 30 02:46 
> /usr/local/lib/libldap_r-2.4.so.2.4.2
> -rw-r--r--   1 bin  bin   410146 May 30 02:46 
> /usr/local/lib/libldap_r.a
> -rw-r--r--   1 bin  bin 1304 May 30 02:46 
> /usr/local/lib/libldap_r.la
> lrwxrwxrwx   1 root root  22 Jul  8 09:10 
> /usr/local/lib/libldap_r.so -> libldap_r-2.4.so.2.4.2

> r...@radius0:/usr/local/src/freeradius/freeradius-server-2.1.6/src/modules/rlm_ldap
>  # ls -la /usr/local/include/ldap*
> -rw-r--r--   1 bin  bin63828 May 30 02:46 
> /usr/local/include/ldap.h
> -rw-r--r--   1 bin  bin 9538 May 30 02:46 
> /usr/local/include/ldap_cdefs.h
> -rw-r--r--   1 bin  bin 1890 May 30 02:46 
> /usr/local/include/ldap_features.h
> -rw-r--r--   1 bin  bin 9523 May 30 02:46 
> /usr/local/include/ldap_schema.h
> -rw-r--r--   1 bin  bin 3539 May 30 02:46 
> /usr/local/include/ldap_utf8.h

Any ideas what is going wrong?

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Freeradius 2.1.6: LDAP connect

2009-07-08 Thread Anja Ruckdaeschel
Hello there!
 
Hope you can help.
I'm running freeradius 2.1.6 on sles 11 and do LDAP authentication on
Radius.
EAP/TTLS with cleartext-password against ldap works fine.
PEAP/MSCHAP with universal password retrieval works fine.
Ldap-Groups work fine.
Load-Balancing with multiple ldap-servers also works fine.

The only problem is: From time to time! the radius-debug for rlm_ldap says:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=de, with filter
(&(objectClass=inetOrgPerson)(uid=abc12345))
rlm_ldap: object not found

So, radius doesn't know the dn and can't go on. The difference between other
ldap searches and the one with this error
is that there is no new connect to the ldap-server and no new bind. Also,
this never happens with the first access-request.
Besides: A trace on my ldap servers shows no communication in that case
(looks like radius doesn't ask after all) ... and: the same problem appears with
freeradius 2.1.1.

Any ideas...???
Thank you very much...

Kind regards
Anja


Re: How to configure 2 wimax qos profiles for the user in users file

2009-07-08 Thread Ivan Kalik
> I am trying to configure the two wimax qos profiles for the single user as
> one for uplink and another for downlink.
> If I configure the same attributes two times, in the Access-Accept message
> only the first configured wimax attribute value is sent; it does not send
> the same attribute again with a different value. Is there any way
> to do this and make it work?

http://wiki.freeradius.org/Operators

+=

Ivan Kalik
Kalik Informatika ISP



Re: want to authorise but not authenticate

2009-07-08 Thread Ivan Kalik
> we have a system that we've been doing plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough, a bit of unlang and a check that if the username =
> password
> then set the Auth-Type to something false et voila. all okay.
>
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.
>
> this is to be expected because there is nothing in the request to
> distinguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (here's a gotcha) the user doing something cute
> like putting their username in as their password! ;-)

Send Service-Type = Authorize-Only in the authorization request. Then you can
distinguish between the requests. Or do authorization at the same time as
authentication.

Without opening a major security hole. You can set Auth-Type to Accept if
User-Name = User-Password in the request but that would enable anyone to
log in knowing just the username.

Ivan Kalik
Kalik Informatika ISP
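An added example (not from this thread or from the FreeRADIUS project) of the split Ivan describes: an authorize section that routes the device's lookups by Service-Type = Authorize-Only and keeps real logins on the normal password path, so the User-Name == User-Password shortcut never exists for a login. It assumes an ldap module instance and a hypothetical huntgroup named "authz-devices" that lists only the device doing lookups.

```unlang
# sites-enabled/default, authorize section (added example).
# Assumes: an "ldap" module instance, and a huntgroup "authz-devices"
# (hypothetical name) in the huntgroups file containing the lookup-only NAS.
authorize {
    preprocess
    suffix

    if (Service-Type == Authorize-Only) {
        # Lookup-only requests, as Ivan suggests: the device must mark them
        # with Service-Type = Authorize-Only. Nothing on this branch proves
        # the user's identity, so only the dedicated NAS may use it.
        if (!(Huntgroup-Name == "authz-devices")) {
            reject
        }
        ldap
        update control {
            Auth-Type := Accept
        }
    }
    else {
        # Every other request is a real login and goes through the password
        # check. A user who types their username as the password simply
        # fails here; there is no "User-Name == User-Password" shortcut.
        ldap
        pap
    }
}
```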



Re: want to authorise but not authenticate

2009-07-08 Thread Arran Cudbard-Bell

On 8/7/09 10:19, a.l.m.bu...@lboro.ac.uk wrote:
> hi,
>
> here's one for a wednesday morning.
>
> we have a system that we've been doing plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough, a bit of unlang and a check that if the username = password
> then set the Auth-Type to something false et voila. all okay.
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.

authorize {
    if ((User-Name == User-Password) && %{ldap:etc...}) {
        update control {
            Auth-Type := 'NULL'
        }
    }
    else {
        # Authentication modules
    }
}

Auth-Type NULL {
    ok
}

> this is to be expected because there is nothing in the request to
> distinguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (here's a gotcha) the user doing something cute
> like putting their username in as their password! ;-)

Slightly confused as to what you want... Try again without the caffeine ?

Arran

--
Arran Cudbard-Bell,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: freeradius active directory integration fails with "no such realm"

2009-07-08 Thread Andrei-Florian Staicu

Alan DeKok wrote:
> Andrei-Florian Staicu wrote:
>> Hello again. I've reached the output from here:
>> http://pastebin.com/d19f28a24 , and I still don't understand why it
>> doesn't call the ntlm_auth line
>
>   It looks like you are adding a "Proxy-To-Realm := LOCAL".
>
> ...
>>  PEAP: Sending tunneled request
>>    EAP-Message =
>> 0x02060018014950534f305c616e647265692e737461696375
>>    FreeRADIUS-Proxied-To = 127.0.0.1
>>    User-Name = "IPSO0\\andrei.staicu"
>> server inner-tunnel {
>> +- entering group authorize
>>    rlm_realm: Looking up realm "IPSO0" for User-Name =
>> "IPSO0\andrei.staicu"
>>    rlm_realm: Found realm "IPSO0"
>>    rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
>>    rlm_realm: Adding Realm = "IPSO0"
>>    rlm_realm: Authentication realm is LOCAL.
>> ++[ntdomain] returns noop
>> ++[mschap] returns noop
>> ++[control] returns noop
>
>   Why is that "update control" section there?  What is in it?
>
>>  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing
>> EAP.
>
>   It's being proxied to realm LOCAL.  You have added a LOCAL realm.
> Don't do that.
>
>> ++[eap] returns noop
>>  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
>> exist!  Cancelling invalid proxy request.
>
>   Even more proof.  The IPSO0 realm above is added because it exists.
> The server does NOT add a "Proxy-To-Realm := LOCAL".  You have done
> that.  Delete it from your configuration.
>
>   Alan DeKok.

It works now. Thank you very much for clearing things up for me.


Re: ubuntu / debian rlm_python issues using mysqldb module

2009-07-08 Thread Michael da Silva Pereira

Yeah sure does,
If I remove the line "import MySQLdb" it works fine.

It seems to definitely have an issue with this module. I've also tried
sqlobject as a module and I get the same problem.

Thanks,
Mike


Ivan Kalik wrote:
>> I am sure I'm not the only person experiencing this problem. It seems
>> when using the python module to handle auth/acct.
>> If you include the MySQLdb module in the python script freeradius then
>> dies and is unable to load the python module.
>>
>> I am using the latest stable freeradius version 2.1.6, built for ubuntu
>> as per http://wiki.freeradius.org/Build using fakeroot.
>> The python script being used is the "prepaid.py" script renamed to
>> "radiusd_test.py" in the example below.
>>
> ...
>> Wed Jul  8 12:10:51 2009 : Debug:  Module: Instantiating python
>> Wed Jul  8 12:10:51 2009 : Debug: python_init done
>> Wed Jul  8 12:10:51 2009 : Debug:   python {
>> Wed Jul  8 12:10:51 2009 : Debug: mod_instantiate = "radiusd_test"
>> Wed Jul  8 12:10:51 2009 : Debug: func_instantiate = "instantiate"
>> Wed Jul  8 12:10:51 2009 : Debug: mod_authorize = "radiusd_test"
>> Wed Jul  8 12:10:51 2009 : Debug: func_authorize = "authorize"
>> Wed Jul  8 12:10:51 2009 : Debug: mod_authenticate = "radiusd_test"
>> Wed Jul  8 12:10:51 2009 : Debug: func_authenticate = "authenticate"
>> Wed Jul  8 12:10:51 2009 : Debug: mod_preacct = "radiusd_test"
>> Wed Jul  8 12:10:51 2009 : Debug: func_preacct = "accounting"
>> Wed Jul  8 12:10:51 2009 : Debug: mod_detach = "radiusd_test"
>> Wed Jul  8 12:10:51 2009 : Debug: func_detach = "detach"
>> Wed Jul  8 12:10:51 2009 : Debug:   }
>> Wed Jul  8 12:10:51 2009 : Error: rlm_python:python_load_function:
>> module 'radiusd_test' is not found
>
> Are you sure radius user has permissions on radiusd_test.py?
>
> Ivan Kalik
> Kalik Informatika ISP




RE: Re: receives 1 request --> proxy 2 requests?

2009-07-08 Thread Ivan Kalik
>> Can you do radtest from the home server? Or that shows wrong shared secret
>> too?
>
> the home server isn't a freeradius server. It's an NCP radius
> server
> I checked the secret again. They are the same!
>
> The error message is not my problem. The problem is: why
> does freeradius send 2 requests to the home server?
> One should be enough.

It will keep on sending them until you (or they) fix the shared secret
problem. It is wrong. Don't just check it - retype them again at both
ends. It could easily be an extra whitespace character before or after the
secret.

Ivan Kalik
Kalik Informatika ISP



want to authorise but not authenticate

2009-07-08 Thread A . L . M . Buxey
hi,

here's one for a wednesday morning.


we have a system that we've been doing plain authorizations
via FreeRADIUS - the device sends the following RADIUS request

username: userid
password: userid

(ie the system sends the username and makes the password the same)

okay. fair enough, a bit of unlang and a check that if the username = password
then set the Auth-Type to something false et voila. all okay.


it has now been decided to also do authentication via RADIUS
and this is where things get messy.


by removing the Auth-Type kludge, we can successfully authenticate
a real user with their real password however, the authorization
now fails because the device still sends username/password with
the password the same as the username - this now hits the
FreeRADIUS server which cannot find a valid Auth-Type for the user
and thus fails authentication and therefore sends back a 'blurgh'
to the box requesting authorization.

this is to be expected because there is nothing in the request to
distinguish between an authorization request and an authentication
request.

so the question is, how do we handle this so that the system can
send a username=password for authorization AND a proper authentication
can happen WITHOUT (here's a gotcha) the user doing something cute
like putting their username in as their password! ;-)

alan


Re: ubuntu / debian rlm_python issues using mysqldb module

2009-07-08 Thread Ivan Kalik
> I am sure I'm not the only person experiencing this problem. It seems
> when using the python module to handle auth/acct.
> If you include the MySQLdb module in the python script freeradius then
> dies and is unable to load the python module.
>
> I am using the latest stable freeradius version 2.1.6, built for ubuntu
> as per http://wiki.freeradius.org/Build using fakeroot.
> The python script being used is the "prepaid.py" script renamed to
> "radiusd_test.py" in the example below.
>
...
> Wed Jul  8 12:10:51 2009 : Debug:  Module: Instantiating python
> Wed Jul  8 12:10:51 2009 : Debug: python_init done
> Wed Jul  8 12:10:51 2009 : Debug:   python {
> Wed Jul  8 12:10:51 2009 : Debug: mod_instantiate = "radiusd_test"
> Wed Jul  8 12:10:51 2009 : Debug: func_instantiate = "instantiate"
> Wed Jul  8 12:10:51 2009 : Debug: mod_authorize = "radiusd_test"
> Wed Jul  8 12:10:51 2009 : Debug: func_authorize = "authorize"
> Wed Jul  8 12:10:51 2009 : Debug: mod_authenticate = "radiusd_test"
> Wed Jul  8 12:10:51 2009 : Debug: func_authenticate = "authenticate"
> Wed Jul  8 12:10:51 2009 : Debug: mod_preacct = "radiusd_test"
> Wed Jul  8 12:10:51 2009 : Debug: func_preacct = "accounting"
> Wed Jul  8 12:10:51 2009 : Debug: mod_detach = "radiusd_test"
> Wed Jul  8 12:10:51 2009 : Debug: func_detach = "detach"
> Wed Jul  8 12:10:51 2009 : Debug:   }
> Wed Jul  8 12:10:51 2009 : Error: rlm_python:python_load_function:
> module 'radiusd_test' is not found

Are you sure radius user has permissions on radiusd_test.py?

Ivan Kalik
Kalik Informatika ISP



RE: Re: receives 1 request --> proxy 2 requests?

2009-07-08 Thread Torsten Förster
> Can you do radtest from the home server? Or that shows wrong shared secret
> too?

the home server isn't a freeradius server. It's an NCP radius
server
I checked the secret again. They are the same!

The error message is not my problem. The problem is: why
does freeradius send 2 requests to the home server?
One should be enough.









Re: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Steve Evans
Unfortunately not possible - I am doing this on behalf of a customer who
has already had the network installed (albeit poorly) and I am trying to
give them some control over it.

I have quickly discovered that Alvarion are somewhat, how is best to put it . .
unique . . in their Radius approach!

Their support & documentation is absolutely non-existent; they very much
strike me as a box shifting company - just get it out and once it's in
forget the customer.

So I guess no one has this in and working then?!!? :(


On Wed, 08 Jul 2009 15:45:05 +0700, Ivan Kalik wrote:

>> Hopefully someone has come across this before and can easily answer the
>> question I am attempting to get an Alvarion Breezemax basestation working
>> with FreeRadius for provisioning of services.
>
> Best advice you are going to get here is: "avoid Alvarion if possible".
>
> Ivan Kalik
> Kalik Informatika ISP





Re: Fallback LDAP Attribute Value

2009-07-08 Thread Ivan Kalik
> On 7/7/09 17:01, Ivan Kalik wrote:
>> Yes.
>>
>> if(((!reply:...) || (reply:... = "")) && Huntgroup-Name = "whatever")
>
> This works for those users that have the attribute set as a fallback
> measure but how do I stop it from returning the attribute when it was
> retrieved from LDAP, again I only want this attribute to be returned
> when the are calling from a particular huntgroup.
>
> So the scenario is - if they are calling from huntgroup "ciscoswitches"
> then we return the attributes either the value from LDAP for the VLAN or
> the fallback value from the post auth, if they are not calling from the
> huntgroup then don't return these attributes.

If I understand you well:

if (Huntgroup-Name == "ciscoswitches") {
    # No VLAN came back from ldap (attribute missing or empty): use the fallback.
    if ((!reply:...) || (reply:... == "")) {
        update reply {
            Tunnel-Private-Group-ID = "666"
        }
    }
}
else {
    # Not a ciscoswitches NAS: strip whatever VLAN ID ldap did assign.
    update reply {
        Tunnel-Private-Group-ID -= "%{reply:Tunnel-Private-Group-ID}"
    }
}

Extra bit will remove VLAN ID assigned from ldap for those not in
ciscoswitches huntgroup.

Ivan Kalik
Kalik Informatika ISP



Re: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Ivan Kalik
>Hopefully someone has come across this before and can easily answer the
> question I am attempting to get an Alvarion Breezemax basestation working
> with FreeRadius for provisioning of services.

Best advice you are going to get here is: "avoid Alvarion if possible".

Ivan Kalik
Kalik Informatika ISP



Re: freeradius active directory integration fails with "no such realm"

2009-07-08 Thread Alan DeKok
Andrei-Florian Staicu wrote:
> Hello again. I've reached the output from here:
> http://pastebin.com/d19f28a24 , and I still don't understand why it
> doesn't call the ntlm_auth line

  It looks like you are adding a "Proxy-To-Realm := LOCAL".

...
>  PEAP: Sending tunneled request
>EAP-Message =
>0x02060018014950534f305c616e647265692e737461696375
>FreeRADIUS-Proxied-To = 127.0.0.1
>User-Name = "IPSO0\\andrei.staicu"
>server inner-tunnel {
>+- entering group authorize
>rlm_realm: Looking up realm "IPSO0" for User-Name =
>"IPSO0\andrei.staicu"
>rlm_realm: Found realm "IPSO0"
>rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
>rlm_realm: Adding Realm = "IPSO0"
>rlm_realm: Authentication realm is LOCAL.
>++[ntdomain] returns noop
>++[mschap] returns noop
>++[control] returns noop

  Why is that "update control" section there?  What is in it?


>  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing
EAP.

  It's being proxied to realm LOCAL.  You have added a LOCAL realm.
Don't do that.

>++[eap] returns noop
>  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
> exist!  Cancelling invalid proxy request.

  Even more proof.  The IPSO0 realm above is added because it exists.
The server does NOT add a "Proxy-To-Realm := LOCAL".  You have done
that.  Delete it from your configuration.

  Alan DeKok.


Re: freeradius active directory integration fails with "no such realm"

2009-07-08 Thread Andrei-Florian Staicu

Ivan Kalik wrote:
>> Ivan Kalik wrote:
>>>> One thing stands out though in the output of freeradius -X (only after
>>>> changing the order of suffix and ntdomain in sites-available/default
>>>> and radiusd.conf:
>>>> ++[mschap] returns noop
>>>> rlm_realm: Looking up realm "IPSO0" for User-Name =
>>>> "IPSO0\andrei.staicu"
>>>> rlm_realm: No such realm "IPSO0"
>>>> ++[ntdomain] returns noop
>>>> rlm_realm: No '@' in User-Name = "IPSO0\andrei.staicu", looking up
>>>> realm NULL
>>>> rlm_realm: No such realm "NULL"
>>>>
>>>> IPSO0 is the realm name for the domain ipso.biz (not the public site;
>>>> this is internal and resolved as such by our dns)
>>>> I've tried for about two weeks now, but I still have no idea how to
>>>> define the realm IPSO0.
>>>
>>> Look at proxy.conf.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>
>> Hello again
>>
>> I tried defining the realm IPSO0 (probably wrong) and I see the requests
>> being proxied to it, but it finally fails
>
> You have. It should be defined as local realm:
>
> realm IPSO0 {
> }
>
> Ivan Kalik
> Kalik Informatika ISP

Hello again. I've reached the output from here:
http://pastebin.com/d19f28a24 , and I still don't understand why it
doesn't call the ntlm_auth line



Re: problem with checking dhcp-packet type

2009-07-08 Thread Alan DeKok
Alexander Kubatkin wrote:
> trying to build from:
> 
>   freeradius-server-2.1.7.tar.bz2 08-Jul-2009 08:57   2.4M

  Yes... the fix wasn't in yet.

  If you want the latest version, use git.

  Alan DeKok.


ubuntu / debian rlm_python issues using mysqldb module

2009-07-08 Thread Michael da Silva Pereira

Hi All,

I am sure I'm not the only person experiencing this problem. It seems
when using the python module to handle auth/acct.
If you include the MySQLdb module in the python script freeradius then
dies and is unable to load the python module.


I am using the latest stable freeradius version 2.1.6, built for ubuntu 
as per http://wiki.freeradius.org/Build using fakeroot.
The python script being used is the "prepaid.py" script renamed to 
"radiusd_test.py" in the example below.


I am using the standard scripts and config from freeradius, I found a 
similar article regarding this and apparently has something to do with 
statically linking the module ?


Are there any solutions for this ?

Thanks,
Michael

Please see the log below from freeradius:
Wed Jul  8 12:10:51 2009 : Info: FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on Jul  7 2009 at 19:08:38
Wed Jul  8 12:10:51 2009 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Wed Jul  8 12:10:51 2009 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Jul  8 12:10:51 2009 : Info: PARTICULAR PURPOSE.
Wed Jul  8 12:10:51 2009 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Jul  8 12:10:51 2009 : Info: GNU General Public License v2.
Wed Jul  8 12:10:51 2009 : Info: Starting - reading configuration files ...
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/radiusd.conf
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/proxy.conf
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/clients.conf
Wed Jul  8 12:10:51 2009 : Debug: including files in directory /etc/freeradius/modules/
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/realm
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/radutmp
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/logintime
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/counter
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/chap
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/unix
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/pap
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/acct_unique
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/expiration
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/digest
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/policy
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/linelog
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/checkval
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/sradutmp
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/files
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/detail
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/smsotp
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/preprocess
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/expr
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/sql_log
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/python
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/pam
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/attr_filter
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/ippool
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/mac2vlan
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/passwd
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/mschap
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/detail.log
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/inner-eap
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/always
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/mac2ip
Wed Jul  8 12:10:51 2009 : Debug: including configuration file /etc/freeradius/modules/detail.example.com
Wed Jul  8 12:10:51 2009 : Debug: including configuratio

Re: problem with checking dhcp-packet type

2009-07-08 Thread Alexander Kubatkin
On Wednesday 08 July 2009 10:47:41 Alan DeKok wrote:
> Alexander Kubatkin wrote:
> > problem with build:
>
>   Ok... wait a bit, and then grab another copy of the source.
>
>   Alan DeKok.

trying to build from:

freeradius-server-2.1.7.tar.bz2 08-Jul-2009 08:57   2.4M

without success...
=
 cc -O2 -fno-strict-aliasing -pipe -march=pentium4 -I/usr/local/include 
-L/usr/local/lib -pthread -Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src -
DHOSTINFO=\"i386-portbld-freebsd7.0\" -DRADIUSD_VERSION=\"2.1.7\" 
-I/usr/local/include -DOPENSSL_NO_KRB5 -c listen.c  -fPIC -DPIC -o 
.libs/listen.o
listen.c: In function 'client_listener_find':
listen.c:129: warning: passing argument 1 of 'listener->print' discards 
qualifiers from pointer target type
listen.c:209: warning: assignment discards qualifiers from pointer target type
In file included from listen.c:1305:
dhcpd.c: In function 'dhcp_process':
dhcpd.c:97: error: 'packet' undeclared (first use in this function)
dhcpd.c:97: error: (Each undeclared identifier is reported only once
dhcpd.c:97: error: for each function it appears in.)
In file included from listen.c:1307:
command.c: In function 'command_show_client_config':
command.c:845: warning: passing argument 2 of 'cf_section2file' discards 
qualifiers from pointer target type
gmake[4]: *** [listen.lo] Error 1
gmake[4]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7'
gmake: *** [all] Error 2
*** Error code 1

Stop in /usr/ports/net/freeradius2.
*** Error code 1


-- 
Alexander Kubatkin

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

How to configure 2 wimax qos profiles for the user in users file

2009-07-08 Thread gayathri reddy
Hi All,

I am trying to configure two WiMAX QoS profiles for a single user, one for
uplink and another for downlink.
If I configure the same attributes two times, in the Access-Accept message
only the first configured WiMAX attribute value is sent, but it is not
sending the same attribute again with the different value. Is there any way
to do this and make it work?
Please help me on this.


Thanks in advance,
Gayathri
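The symptom described above (two copies of the same reply attribute in a users entry, only the first one sent) is what the rlm_files "=" operator does by design: for reply items, "=" adds the attribute only if it is not already in the reply list, whereas "+=" always appends. The users-file fragment below is an added illustration of that operator difference, not something from the thread or from the FreeRADIUS project. The attribute name WiMAX-QoS-Id is an assumption taken from FreeRADIUS's dictionary.wimax, the usernames, passwords and id values are made up, and which QoS descriptors a given ASN-GW expects in the Access-Accept is not established by this thread.

```text
# users file (rlm_files), FreeRADIUS 2.x.  Added example, not from the thread.
# Assumed: attribute name WiMAX-QoS-Id (from dictionary.wimax); the user names,
# passwords and id values are constructed for illustration only.

# Does NOT work: for reply items "=" means "add only if this attribute is not
# already in the reply list", so the second WiMAX-QoS-Id is silently dropped
# and the Access-Accept carries only the first value.
wimax-bad    Cleartext-Password := "example"
             WiMAX-QoS-Id = 1,
             WiMAX-QoS-Id = 2

# Works: "+=" always appends, so both instances are placed in the reply list
# and the encoder is handed two WiMAX-QoS-Id attributes to send.
wimax-good   Cleartext-Password := "example"
             WiMAX-QoS-Id += 1,
             WiMAX-QoS-Id += 2
```

To confirm what actually leaves the server, run radiusd -X and authenticate each test user with radtest: the "Sending Access-Accept" section of the debug output lists every reply attribute, so the first entry will show one WiMAX-QoS-Id and the second will show both.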

Re: Fallback LDAP Attribute Value

2009-07-08 Thread Steven Carr
On 7/7/09 17:01, Ivan Kalik wrote:
> Yes.
> 
> if(((!reply:...) || (reply:... = "")) && Huntgroup-Name = "whatever")

This works for those users that have the attribute set as a fallback
measure, but how do I stop it from returning the attribute when it was
retrieved from LDAP? Again, I only want this attribute to be returned
when they are calling from a particular huntgroup.

So the scenario is: if they are calling from huntgroup "ciscoswitches"
then we return the attributes (either the value from LDAP for the VLAN or
the fallback value from post-auth); if they are not calling from the
huntgroup then don't return these attributes.

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953
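The scenario in the post above (return the VLAN either from LDAP or from a post-auth fallback, but only to NASes in the "ciscoswitches" huntgroup, and strip it for everyone else) maps onto one post-auth block. The unlang below is an added example, not code from the thread or from the FreeRADIUS project. It assumes, since the original elides the attribute names, that the VLAN is carried in the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id reply attributes, that rlm_ldap has already copied the LDAP VLAN value into reply:Tunnel-Private-Group-Id during authorize, and that the fallback VLAN id is "100"; the huntgroup name "ciscoswitches" is the one from the post.

```text
# sites-enabled/default, post-auth section (FreeRADIUS 2.x unlang).
# Added example; assumptions: VLAN is carried in the Tunnel-* attributes,
# rlm_ldap already mapped the LDAP value into reply:Tunnel-Private-Group-Id
# in authorize, and "100" is the fallback VLAN id.
post-auth {
    if (Huntgroup-Name == "ciscoswitches") {
        # Fallback only: fill in the VLAN when LDAP supplied nothing usable.
        # A value that came from LDAP is left untouched.
        if (!reply:Tunnel-Private-Group-Id || (reply:Tunnel-Private-Group-Id == "")) {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "100"
            }
        }
    }
    else {
        # Any other NAS: remove the VLAN attributes even if LDAP returned them,
        # so the assignment only ever reaches the switches it was meant for.
        update reply {
            Tunnel-Type !* ANY
            Tunnel-Medium-Type !* ANY
            Tunnel-Private-Group-Id !* ANY
        }
    }
}
```

The "!* ANY" form removes every instance of the named attribute from the reply list, which is what keeps an LDAP-sourced VLAN from leaking to a NAS outside the huntgroup. For the Huntgroup-Name comparison to work, the huntgroups file has to map the switches' NAS-IP-Address entries to "ciscoswitches" and the preprocess module must run in the authorize section before this block is evaluated; radiusd -X shows which branch was taken and the final reply list for each request.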