Re: How to control users traffic ?

2009-07-13 Thread Eric
I set reply-name = Session-Octets-Limit in sqlcounter
but freeradius sends Session-Timeout in reply with value equal to the
deduct of octets used until now from check-name = Max-Input-Octets.
How should change the session-timeout to Session-Octets-Limit in
auth-reply?

 what does Session-Octets-Limit exactly do?

I have no idea. It's an attribute *you* wanted to use. As a guess, it
limits number of octets for the session.

 How it is related to counters?

You would configure it as a reply-name.

 I thought freeradius sends a value(is defined in
 DEFAULT) to the NAS and NAS limits users traffic
 to this value in each session.


That's without counters. If you use counter, you place check-name
attribute-value pair in users (or as DEFAULT) entry. On connection attempt
freeradius will count usage so far, deduct it from the limit (check-name
attribute value) and place the remainder as a value for reply-name
attribute.

Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problem with checking dhcp-packet type

2009-07-13 Thread Alan DeKok
Alexander Kubatkin wrote:
 when it(fix) come to us?
 
   If you want the latest version, use git.
 
 last changes 4 days ago

  Did you download the version using git, as I said?  The fix was
available there when I sent my message.

  Alan DeKok.


Re: How to control users traffic ?

2009-07-13 Thread Ivan Kalik
 I set  reply-name = Session-Octets-Limit in sqlcounter
 but freeradius sends Session-Timeout in reply with value equal to  the
 deduct of octets used until now from  check-name = Max-Input-Octets.
 How should change the session-timeout to  Session-Octets-Limit in
 auth-reply?

That shouldn't happen. What freeradius version? Post the debug from server
startup and request processing.

Ivan Kalik
Kalik Informatika ISP



Re: problem with checking dhcp-packet type

2009-07-13 Thread Alexander Kubatkin
On Monday 13 July 2009 11:53:23 Alan DeKok wrote:
 Alexander Kubatkin wrote:
  when it(fix) come to us?
 
If you want the latest version, use git.
 
  last changes 4 days ago

   Did you download the version using git, as I said?  The fix was
 available there when I sent my message.

yes, i did, problem with build isn't fixed, i was trying and under FreeBSD 7 
and under Linux kubuntu 9.04.


/usr/local/bin/libtool --mode=compile cc  -O2 -fno-strict-aliasing -pipe 
-march=pentium4 -I/usr/local/include -L/usr/local/lib -pthread -Wall 
-D_GNU_SOURCE -DNDEBUG -
I/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src 
-DHOSTINFO=\i386-portbld-freebsd7.0\ -DRADIUSD_VERSION=\2.1.7\  
-I/usr/local/include -DOPENSSL_NO_KRB5  -c listen.c
 cc -O2 -fno-strict-aliasing -pipe -march=pentium4 -I/usr/local/include 
-L/usr/local/lib -pthread -Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src -
DHOSTINFO=\i386-portbld-freebsd7.0\ -DRADIUSD_VERSION=\2.1.7\ 
-I/usr/local/include -DOPENSSL_NO_KRB5 -c listen.c  -fPIC -DPIC -o 
.libs/listen.o
listen.c: In function 'client_listener_find':
listen.c:129: warning: passing argument 1 of 'listener-print' discards 
qualifiers from pointer target type
listen.c:209: warning: assignment discards qualifiers from pointer target type
In file included from listen.c:1305:
dhcpd.c: In function 'dhcp_process':
dhcpd.c:97: error: 'packet' undeclared (first use in this function)
dhcpd.c:97: error: (Each undeclared identifier is reported only once
dhcpd.c:97: error: for each function it appears in.)
In file included from listen.c:1307:
command.c: In function 'command_show_client_config':
command.c:845: warning: passing argument 2 of 'cf_section2file' discards 
qualifiers from pointer target type
gmake[4]: *** [listen.lo] Error 1
gmake[4]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory 
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.7'
gmake: *** [all] Error 2
*** Error code 1

Stop in /usr/ports/net/freeradius2.
*** Error code 1

Stop in /usr/ports/net/freeradius2.

=

-- 
Alexander Kubatkin


Re: /etc/passwd

2009-07-13 Thread A . L . M . Buxey
Hi,
 how i can in sshd pam_radius_auth to do authentication , without  checking
 the user in /etc/passwd? If  i not define user with empty password,  the
 authentication with pam_radius_auth.so is failed.

not a freeradius issue - this is a PAM issue (and SSHD?) the user must exist
in the system files or it cannot do its usual system-level functions - 
group checking et al

alan


Re: problem with checking dhcp-packet type

2009-07-13 Thread Alexander Kubatkin
On Monday 13 July 2009 11:53:23 Alan DeKok wrote:
 Alexander Kubatkin wrote:
  when it(fix) come to us?
 
If you want the latest version, use git.
 
  last changes 4 days ago

   Did you download the version using git, as I said?  The fix was
 available there when I sent my message.


Maybe I'm getting the wrong version? I use the instructions for stable from

http://git.freeradius.org/


-- 
Alexander Kubatkin


Re: Invalid octet string Error

2009-07-13 Thread Deepak

 You need to list the sqlcounter in authorize (in virtual server) and
 instantiate (in radiusd.conf).

 Ivan Kalik
 Kalik Informatika ISP


Thanks for the info. It's working now. :-)

Regards

-- 
==
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3
==


Re: FreeRadius 2.1.6 + EAP-PEAP issue

2009-07-13 Thread A . L . M . Buxey
hi,

the client config means the machine name comes through - reconfigure
the client to NOT use the windows login/password - is under the
PEAP settings for the client supplicant. then they'll log
in as plain username / password rather than the additional junk.

if you want to support random client configs you'll need to do
a lot more work and debugging - I'm sure a consultant can help
you further

alan


Acct-Interim-Interval not working.

2009-07-13 Thread Nirmal Patel
Hi,
 
I have freeradius version 2.1.1-7 running on fedora core 10. with mysql and 
rp-pppoe.
 
In table radgroupreply

1  DEFAULT  Service-Type           ==  Framed-User
2  DEFAULT  Framed-Protocol        =   PPP
3  DEFAULT  Acct-Interim-Interval  =   60
4  DEFAULT  NAS-Port-Type          =   15
5  DEFAULT  Acct-Status-Type       =   Interim-Update
 
 
I am getting log entry in radacct table when i connect thro' pppoe dialer. and
it updates stoptime, input-octets, output-octets when i disconnect.
 
but during live session it is not updating acct-input/output-octets and session
time on every 60 sec.
 
what should i change/look into to resolve this issue? please help.
 
 
Thanks and regards,
Nirmal Patel | Mumbai



Re: Acct-Interim-Interval not working.

2009-07-13 Thread Ivan Kalik
 I have freeradius version 2.1.1-7 running on fedora core 10. with mysql
 and rp-pppoe.
  
 I am getting log entry in radacct table when i connect thro' pppoe dialer.
 and it updates stoptime, input-octets, output-octets when i disconnect.
  
 but during live session it is not updating acct-input/output-octets and
 session time on every 60 sec.
  
 what should i change/look into to resolve this issue? please help.

The penguin. Does it know what updates are? Does it have a minimum
acceptable value for that attribute (60 is quite low)?

Ivan Kalik
Kalik Informatika ISP


Re: Acct-Interim-Interval not working.

2009-07-13 Thread Nirmal Patel
In FC-4 with radius version 0.9 it is working properly. now it is time to 
upgrade.
 
in FC-10
Even after making it 720 sec, it is not working. :-(


--- On Mon, 7/13/09, Ivan Kalik t...@kalik.net wrote:


From: Ivan Kalik t...@kalik.net
Subject: Re: Acct-Interim-Interval not working.
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Monday, July 13, 2009, 4:43 PM


 I have freeradius version 2.1.1-7 running on fedora core 10. with mysql
 and rp-pppoe.
  
 I am getting log entry in radacct table when i connect thro' pppoe dialer.
 and it updates stoptime, input-octets, output-octets when i disconnect.
  
 but during live session it is not updating acct-input/output-octets and
 session time on every 60 sec.
  
 what should i change/look into to resolve this issue? please help.

The penguin. Does it know what updates are? Does it have a minimum
acceptable value for that attribute (60 is quite low)?

Ivan Kalik
Kalik Informatika ISP


Re: FreeRadius 2.1.6 + EAP-PEAP issue

2009-07-13 Thread Anatoly Oreshkin


I've now enabled ntdomain in sites-available/inner-tunnel and
after that modification, authorization  of Vista user succeeded.
Thank you very much.

I would like to add MAC address authorization. For this purpose
I've added MAC address to users file like this:

oreshkin Cleartext-Password := some_password, Calling-Station-Id == 00-16-EA-8A-DE-38


However authorization failed, the result of /usr/local/sbin/radiusd -fX
is provided below.

-

Ready to process requests.

rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=0, 
length=235
Message-Authenticator = 0xab90b4e8f45b2157028e895bf7f9ffdc
Service-Type = Framed-User
User-Name = csd-notebook\\oreshkin
Framed-MTU = 1488
Called-Station-Id = 00-18-6E-8F-73-40:200901azk71And
Calling-Station-Id = 00-16-EA-8A-DE-38
NAS-Identifier = 3Com Access Point 7760
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x021a016373642d6e6f7465626f6f6b5c6f726573686b696e
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = STA port # 1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = csd-notebook\oreshkin, looking up realm NULL
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = csd-notebook\oreshkin
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry DEFAULT at line 178
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.14.240 port 1072
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x1cd845841cd95ccb36bc9cf89bd12b63
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=1, 
length=359
Message-Authenticator = 0xe9dc83dc1457486ee19d0330fcb4e25e
Service-Type = Framed-User
User-Name = csd-notebook\\oreshkin
Framed-MTU = 1488
State = 0x1cd845841cd95ccb36bc9cf89bd12b63
Called-Station-Id = 00-18-6E-8F-73-40:200901azk71And
Calling-Station-Id = 00-16-EA-8A-DE-38
NAS-Identifier = 3Com Access Point 7760
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
0x020100841980007a1603010075017103014a5b3da7091178c5ce612e30c36477888f6351b2a4ec4d31d47d537d05a1863418002f00350005000ac009c00ac013c01400320038001300040130001a0018156373642d6e6f7465626f6f6b5c6f726573686b696e000a00080006001700180019000b00020100
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = STA port # 1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = csd-notebook\oreshkin, looking up realm NULL
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = csd-notebook\oreshkin
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 132
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 122
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] (other): before/accept initialization 
[peap] TLS_accept: before/accept initialization 
[peap]  TLS 1.0 Handshake [length 0075], ClientHello 
[peap] TLS_accept: SSLv3 read client hello A 
[peap]  TLS 1.0 Handshake [length 002a], ServerHello 
[peap] TLS_accept: SSLv3 write server hello A 
[peap]  TLS 1.0 Handshake [length 084e], Certificate 
[peap] TLS_accept: SSLv3 write certificate A 
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone 
[peap] TLS_accept: SSLv3 write server done A 
[peap] TLS_accept: SSLv3 flush data 
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL 

Re: Failed to find module sql Error

2009-07-13 Thread John Dennis

On 07/11/2009 03:37 AM, Deepak wrote:

No, there wasn't, in part because the INSTALL, README, etc. don't install as
part of the doc install.

However, I've fixed this now and those files will now be installed in the
doc directory.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Hi,

I am wondering is there a way to install via yum directly. Somehow I
am getting package not signed error and yum refuse to install. Thanks
for your effort for these rpms.

Regards






% man yum

   --nogpgcheck
  Run with gpg signature checking disabled.
  Configuration Option: gpgcheck

I think that should do the trick. Because the packages I produced are 
not official they are not signed, nor to the best of my knowledge can 
I have them signed, so we'll have to live with defeating the signature 
check, at least for the time being.


--
John Dennis jden...@redhat.com



Location of freeradius log file

2009-07-13 Thread Deepak
Hi,

I have following installed.

===
OS: CentOS 5.3
freeradius 2.1.6 (rpm version)
daloradius 0.9-8
mysql 5.0.45
===

When I try to check the radius log file from daloradius interface, it
give me following error:

error reading log file:

looked for log file in /var/log/freeradius/radius.log and
/usr/local/var/log/radius/radius.log but couldn't find it.
if you know where your freeradius log file is located, set it's
location in /zradius/rep-logs-radius.php

 I tried to look for this file but couldn't locate it. There is no
freeradius directory in  /var/log

Where do freeradius keep the log file?

Thanks

-- 
==
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3
==


Re: Location of freeradius log file

2009-07-13 Thread A . L . M . Buxey
Hi,

 Where do freeradius keep the log file?

on most of my systems it's in /var/log/radius/

check where your package management put it - or if
you run eg slocate then you can do 'locate radius.log'


alan


Re: Location of freeradius log file

2009-07-13 Thread Nicolas Goutte


On 13.07.2009 at 17:35, Deepak wrote:


Hi,

I have following installed.

===
OS: CentOS 5.3
freeradius 2.1.6 (rpm version)
daloradius 0.9-8
mysql 5.0.45
===

When I try to check the radius log file from daloradius interface, it
give me following error:

error reading log file:

looked for log file in /var/log/freeradius/radius.log and
/usr/local/var/log/radius/radius.log but couldn't find it.
if you know where your freeradius log file is located, set it's
location in /zradius/rep-logs-radius.php

I tried to look for this file but couldn't locate it. There is no
freeradius directory in  /var/log

Where do freeradius keep the log file?


If you do not find, check your radiusd.conf

The property is named log_file



Thanks

--
==
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3
==


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






SELinux and FreeRADIUS interplay

2009-07-13 Thread A . L . M . Buxey
hi,

whilst working on a test/dev system i noted that
the control-socket feature doesn't work if SELinux
is running... ponder if anyone has the policy
for SELinux to allow this to operate otherwise
I'll do some digging when I've next got time to
give this community the recipe to allow SELinux
to be enforcing and FreeRADIUS to work  :-)

alan


Re: Location of freeradius log file

2009-07-13 Thread John Dennis

On 07/13/2009 11:35 AM, Deepak wrote:

Hi,

I have following installed.

===
OS: CentOS 5.3
freeradius 2.1.6 (rpm version)
daloradius 0.9-8
mysql 5.0.45
===

When I try to check the radius log file from daloradius interface, it
give me following error:

error reading log file:

looked for log file in /var/log/freeradius/radius.log and
/usr/local/var/log/radius/radius.log but couldn't find it.
if you know where your freeradius log file is located, set it's
location in /zradius/rep-logs-radius.php

  I tried to look for this file but couldn't locate it. There is no
freeradius directory in  /var/log

Where do freeradius keep the log file?

Thanks



The default log location as defined by the configure.in script is 
logdir='${localstatedir}/log/radius'


On most systems localstatedir is /var thus the default log location is 
/var/log/radius.


On rpm based systems this can be deduced by looking at the file list 
belonging to an rpm, for example:


$ rpm -ql freeradius | grep log
/etc/logrotate.d/radiusd
/etc/raddb/modules/detail.log
/etc/raddb/modules/linelog
/etc/raddb/modules/logintime
/etc/raddb/modules/sql_log
/etc/raddb/modules/sqlcounter_expire_on_login
/usr/lib/freeradius/rlm_acctlog-2.1.6.so
/usr/lib/freeradius/rlm_acctlog.so
/usr/lib/freeradius/rlm_linelog-2.1.6.so
/usr/lib/freeradius/rlm_linelog.so
/usr/lib/freeradius/rlm_logintime-2.1.6.so
/usr/lib/freeradius/rlm_logintime.so
/usr/lib/freeradius/rlm_sql_log-2.1.6.so
/usr/lib/freeradius/rlm_sql_log.so
/usr/share/man/man5/rlm_sql_log.5.gz
/var/log/radius
/var/log/radius/radacct
/var/log/radius/radius.log
/var/log/radius/radutmp

here you can see the log directory is /var/log/radius. But there is 
another hint, the freeradius package included a logrotate file in 
/etc/logrotate.d/radiusd. logrotate is responsible for rotating log 
files and the /etc/logrotate.d/radiusd is the configuration file 
specific to the radiusd service. Looking at that config file will show 
you the path of every radius log file.




--
John Dennis jden...@redhat.com
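
Added example, not part of the message above or of the FreeRADIUS packaging: the two lookups described in this thread, reading the log paths out of the logrotate file and expanding the ${localstatedir}-style references behind a radiusd.conf setting, written as shell functions. The sample file contents are constructed, and log_file is the setting name given earlier in the thread.

```sh
#!/bin/sh
# Added example: locate FreeRADIUS log files from the two places named in
# this thread. All sample file contents below are constructed.

# Print every path listed in the stanza headers of a logrotate file,
# i.e. the words starting with "/" that appear before an opening "{".
logrotate_paths() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        depth == 0 {
            line = $0
            opens = index(line, "{")
            if (opens) line = substr(line, 1, opens - 1)
            n = split(line, word, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (word[i] ~ /^\//) print word[i]
            if (opens) depth = 1                 # now inside a stanza body
            next
        }
        /[}]/ { depth = 0 }                      # end of the stanza body
    ' "$1"
}

# Print the value of setting $2 from a radiusd.conf-style file $1 with
# ${name} references expanded (first definition of each name wins).
radiusd_conf_value() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*[A-Za-z_][A-Za-z0-9_-]*[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)
            if (!(name in conf)) conf[name] = val
        }
        END {
            val = conf[want]
            # The pass limit stops a self-referencing value from looping.
            for (pass = 0; pass < 10 && match(val, /[$][{][^}]+[}]/); pass++) {
                ref = substr(val, RSTART + 2, RLENGTH - 3)
                val = substr(val, 1, RSTART - 1) conf[ref] substr(val, RSTART + RLENGTH)
            }
            print val
        }
    ' "$1"
}

# Constructed sample inputs, written to a temporary directory.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

cat > "$sample_dir/radiusd" <<'EOF'
# constructed stand-in for /etc/logrotate.d/radiusd
/var/log/radius/radius.log /var/log/radius/radutmp {
    monthly
    rotate 4
    missingok
}
/var/log/radius/radacct/*/detail {
    monthly
    postrotate
        /sbin/service radiusd reload
    endscript
}
EOF

cat > "$sample_dir/radiusd.conf" <<'EOF'
localstatedir = /var
logdir = ${localstatedir}/log/radius    # default from configure.in
log_file = ${logdir}/radius.log
EOF

logrotate_paths "$sample_dir/radiusd"
radiusd_conf_value "$sample_dir/radiusd.conf" log_file
```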



Re: SELinux and FreeRADIUS interplay

2009-07-13 Thread John Dennis

On 07/13/2009 12:15 PM, a.l.m.bu...@lboro.ac.uk wrote:

hi,

whilst working on a test/dev system i noted that
the control-socket feature doesn't work if SELinux
is running... ponder if anyone has the policy
for SELinux to allow this to operate otherwise
I'll do some digging when I've next got time to
give this community the recipe to allow SELinux
to be enforcing and FreeRADIUS to work  :-)


I recall running into this issue when the control socket was first added 
and my recollection is that I contacted our SELinux policy guru (Dan 
Walsh) to add support for it. However neither Dan nor myself has 
specific memories on this but we think it might have been for Fedora 
only (not RHEL) if it happened at all. Dan has promised me he will 
investigate and get back to me. I will follow up here at that time.


--
John Dennis jden...@redhat.com



MAC Address filtering from a file

2009-07-13 Thread Steven Carr
Hi list,

Looking for some pointers if this is possible and to some documentation
on howto if it is.

I have EAP-PEAP working and would like a second layer of security by
locking access to only allowed MAC addresses. Ideally a file containing
a MAC address on each line. If the MAC address is in the file then allow
it to connect (providing the authentication is also correct) but if the
MAC address isn't in the file then deny access regardless of authentication.

Thanks

Steve

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953




Re: SELinux and FreeRADIUS interplay

2009-07-13 Thread A . L . M . Buxey
Hi,

 I recall running into this issue when the control socket was first added  
 and my recollection is that I contacted our SELinux policy guru (Dan  
 Walsh) to add support for it. However neither Dan nor myself has  
 specific memories on this but we think it might have been for Fedora  
 only (not RHEL) if it happened at all. Dan has promised me he will  
 investigate and get back to me. I will follow up here at that time.

okay - here is the SELinux magic that gets it working. perhaps suitable
for WIKI etc. i'm very keen on things working with SELinux - it's a good tool.


okay, after running radiusd a few times and finding out the reason
for the failure using audit2why < /var/log/audit/audit.log I built up a
local.te file - see attached. this is the 'foo' that SELinux needs for its
engine.

taking this local.te file i then created a suitable local module

checkmodule -M -m -o local.mod local.te 
semodule_package -o local.pp -m local.mod 
semodule -i local.pp

the radiusd daemon now runs with the control_socket on. hurrah!

alan

module local 1.0;

require {
type radiusd_var_run_t;
type radiusd_t;
class sock_file getattr;
}

#= radiusd_t ==
allow radiusd_t radiusd_var_run_t:sock_file getattr;

require {
type radiusd_var_run_t;
type radiusd_t;
class sock_file unlink;
}

#= radiusd_t ==
allow radiusd_t radiusd_var_run_t:sock_file unlink;

require {
type radiusd_var_run_t;
type radiusd_t;
class sock_file create;
}

#= radiusd_t ==
allow radiusd_t radiusd_var_run_t:sock_file create;

require {
type radiusd_var_run_t;
type radiusd_t;
class sock_file setattr;
}

#= radiusd_t ==
allow radiusd_t radiusd_var_run_t:sock_file setattr;

Re: How to control users traffic ?

2009-07-13 Thread Eric
freeradius-1.1.3-1.4 !!
Is it the reason of problem ?


 I set  reply-name = Session-Octets-Limit in sqlcounter
 but freeradius sends Session-Timeout in reply with value equal to  the
 deduct of octets used until now from  check-name = Max-Input-Octets.
 How should change the session-timeout to  Session-Octets-Limit in
 auth-reply?

That shouldn't happen. What freeradius version? Post the debug from server
startup and request processing.

Ivan Kalik
Kalik Informatika ISP