make install without messing with previous configuration?
Hello,

I wonder if there's a way to install FreeRADIUS, but *not* have it install config files in its raddb dir.

The reason being that if you have a previous version and a well-shepherded config directory with only exactly the needed files, a make install will clutter your raddb dir with default files. You can delete the unnecessary files afterwards for sure, but it would be preferable if raddb could remain untouched on request.

I even had one instance where I got bitten by it: a server didn't have a sites-enabled/default. make install during an upgrade helpfully created it with a set of module calls in it which weren't configured. As a result, the server refused to start afterwards until the default server was deleted.

So, is there some kind of make install-no-config, ./configure --no-touch-raddb or similar?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

rlm_eap_md5: Cleartext-Password is required for EAP-MD5authentication
My running environment is freeradius-2.1.3. The authentication type is EAP/MD5. It's not running well with an individual 'user' file. I can't find the problem. My main configuration files are as follows:

IN sites-enabled/default
--
    authorize {
        eap {
            ok = return
        }
        files
        #sql
        expiration
        logintime
    }
    authenticate {
        eap
    }

IN eap.conf
--
    eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        max_sessions = 2048
        md5 {
        }
    }

IN users
    chenyongle Cleartext-Password := 123456
--

debug information as following:

    rad_recv: Access-Request packet from host 127.0.0.1 port 43289, id=134, length=260
        EAP-Message = 0x0285002004108010475cd7f849537fae81777bc3287f6368656e796f6e676c65
        User-Name = chenyon...@localhost
        Prompt = 0x313233343536
        Service-Type = Framed-User
        Framed-MTU = 1400
        State = 0xa554770ea5d17374eb266130b8a3c5d8
        Message-Authenticator = 0xd3f3ddc1a6813a6862213b0e5bc2fc02
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] Looking up realm localhost for User-Name = chenyon...@localhost
    [suffix] No such realm localhost
    ++[suffix] returns noop
    ++[files] returns noop
    [eap] EAP packet type response id 133 length 32
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/md5
    [eap] processing type md5
    rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
    [eap] Handler failed in EAP/md5
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} - chenyon...@localhost
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 43289, id=134, length=260
    Waiting to send Access-Reject to client localhost port 43289 - ID: 134
    Sending delayed reject for request 1
    Sending Access-Reject of id 134 to 127.0.0.1 port 43289
        EAP-Message = 0x04850004
        Message-Authenticator = 0x

Re: make install without messing with previous configuration?
On 15.07.2009 at 08:16, Stefan Winter wrote:

> Hello,
>
> I wonder if there's a way to install FreeRADIUS, but *not* have it install config files in its raddb dir.
>
> The reason being that if you have a previous version and a well-shepherded config directory with only exactly the needed files, a make install will clutter your raddb dir with default files. You can delete the unnecessary files afterwards for sure, but it would be preferable if raddb could remain untouched on request.
>
> I even had one instance where I got bitten by it: a server didn't have a sites-enabled/default. make install during an upgrade helpfully created it with a set of module calls in it which weren't configured. As a result, the server refused to start afterwards until the default server was deleted.
>
> So, is there some kind of make install-no-config, ./configure --no-touch-raddb or similar?

I do not know how to do it at compile time but you can do it at runtime by specifying -d your_directory to radiusd.

So perhaps a make install will install many configuration files but not where *your* configuration is.

> Greetings,
>
> Stefan Winter

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841

Re: rlm_eap_md5: Cleartext-Password is required for EAP-MD5authentication
We are receiving your messages. You do not need to post them multiple times. (Posting to a mailing list is never immediate.)

(See also the archives: http://lists.freeradius.org/pipermail/freeradius-users/2009-July/date.html )

Have a nice day!

On 15.07.2009 at 09:40, youler wrote:

> My running environment is freeradius-2.1.3. The authentication type is EAP/MD5. It's not running well with an individual 'user' file. I can't find the problem. My main configuration files are as follows:
>
> [...]

Nicolas Goutte

Re: make install without messing with previous configuration?
Hi,

> I do not know how to do it at compile time but you can do it at runtime by specifying -d your_directory to radiusd.
>
> So perhaps a make install will install many configuration files but not where *your* configuration is.

Yes, I considered pointing --with-raddb-dir=/tmp/trash or so. But I don't want a one-time installation problem to require attention whenever I run the service in the future. It is then something to remember constantly (and to document for on-duty personnel etc. ...), only to fix a single-shot problem. It just doesn't sound right to me.

Greetings,

Stefan

Re: make install without messing with previous configuration?
Stefan Winter wrote:
> I wonder if there's a way to install FreeRADIUS, but *not* have it install config files in its raddb dir.

    $ rm -rf ./raddb
    $ make install

? Might work...

Alan DeKok.

Re: make install without messing with previous configuration?
On 15.07.2009 at 09:53, Stefan Winter wrote:

> Hi,
>
> > I do not know how to do it at compile time but you can do it at runtime by specifying -d your_directory to radiusd.
> >
> > So perhaps a make install will install many configuration files but not where *your* configuration is.
>
> Yes, I considered pointing --with-raddb-dir=/tmp/trash or so. But I

I am not sure but does that mean that the binary that you create would point to that directory too. So in that case, you would have to specify the real directory at runtime too.

> don't want a one-time installation problem to require attention whenever I run the service in the future. It is then something to remember constantly (and to document for on-duty personnel etc. ...), only to fix a single-shot problem. It just doesn't sound right to me.

Yes, I had not seen it from that point of view.

> Greetings,

Have a nice day!

> Stefan

Nicolas Goutte

RE: make install without messing with previous configuration?
Hi,

I tar the entire raddb directory (from the level above), reinstall, and untar the original config over the top of the new one. That way I can keep multiple configs whilst experimenting and switch between them.

Regards,

Leighton

Re: rlm_eap_md5: Cleartext-Password is required for EAP-MD5authentication
> IN users
>     chenyongle Cleartext-Password := 123456
> --
> debug information as following:
> ...
> ++[files] returns noop
> ...

Check if users file you are changing *is* the one server is using. Look at list of included files and see if raddb directory is the one where users file you have changed is. Also check that you haven't mistyped the username.

Ivan Kalik
Kalik Informatika ISP

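The check Ivan points to (`++[files] returns noop`) can be read off the debug output mechanically. The following Python is an added example, not code from this thread or from the FreeRADIUS project: it splits debug output into requests, records each module's return code per processing group, and flags the three symptoms visible in the trace posted above. The function names and finding labels are hypothetical; the sample is an excerpt of that posted trace.

```python
import re

# "++[files] returns noop": nesting depth in "+", module name, return code.
RC_LINE = re.compile(r"^\++\[(?P<module>[\w.-]+)\] returns (?P<rc>\w+)$")
# "+- entering group authorize {...}"
GROUP_LINE = re.compile(r"^\+- entering group (?P<group>\S+)")
USER_LINE = re.compile(r"^User-Name = (?P<user>.+)$")

# Excerpt of the debug output posted in this thread (attribute list shortened).
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 43289, id=134, length=260
        User-Name = chenyon...@localhost
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns noop
++[files] returns noop
++[eap] returns updated
++[unix] returns notfound
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
++[eap] returns invalid
"""


def parse_requests(debug_text):
    """Split debug output into requests; each starts at a rad_recv: line."""
    requests, current, group = [], None, None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv:"):
            current = {"user": None, "groups": {}, "lines": []}
            requests.append(current)
            group = None
            continue
        if current is None:
            continue  # server start-up output before the first packet
        current["lines"].append(line)
        m = USER_LINE.match(line)
        if m and current["user"] is None:
            current["user"] = m.group("user").strip('"')
            continue
        m = GROUP_LINE.match(line)
        if m:
            group = m.group("group")
            current["groups"].setdefault(group, [])
            continue
        m = RC_LINE.match(line)
        if m and group is not None:
            current["groups"][group].append((m.group("module"), m.group("rc")))
    return requests


def diagnose(request):
    """Return (label, advice) pairs for the symptoms discussed in the thread."""
    findings = []
    authorize = dict(request["groups"].get("authorize", []))
    if authorize.get("files") in ("noop", "notfound"):
        findings.append((
            "files-no-match",
            "no users entry matched User-Name %r: confirm the edited users file "
            "is the one the server loaded and compare the name exactly"
            % request["user"]))
    if any("No known good password found" in l for l in request["lines"]):
        findings.append((
            "no-known-good-password",
            "no module in authorize supplied a password for this user"))
    if any("Cleartext-Password is required" in l for l in request["lines"]):
        findings.append((
            "eap-md5-missing-cleartext",
            "EAP-MD5 ran without a Cleartext-Password in the control list"))
    return findings


if __name__ == "__main__":
    for req in parse_requests(SAMPLE):
        print("User-Name:", req["user"])
        for grp, results in req["groups"].items():
            print("  %s: %s" % (grp, ", ".join("%s=%s" % r for r in results)))
        for label, advice in diagnose(req):
            print("  [%s] %s" % (label, advice))
```
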
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
> Can I create a client cert for a computer so that any user that logs in may use it automatically under Windows XP?
>
> I have successfully created a client.p12 with the FQDN of the workstation I am using, installed it and been authenticated by Freeradius. However when I log in to the computer under a different windows profile authentication fails.

Yes, that's how user certificates work.

> How should I create this file and where do I place this cert so that it's available for any user logging on?

The whole idea of user certificates is for this not to be possible.

Ivan Kalik
Kalik Informatika ISP

Re: make install without messing with previous configuration?
Leighton Man wrote:
> Hi,
>
> I tar the entire raddb directory (from the level above), reinstall, and untar the original config over the top of the new one. That way I can keep multiple configs whilst experimenting and switch between them.

Just move the raddb directory to /etc/raddb and change the install path to /usr/local, then modify the startup script to use -d /etc/raddb.

/etc/raddb is actually a working copy checked out from our subversion repository, so we can switch between development and production configurations very easily.

Arran

Re: How to publish vendor specific dictionary file?
Ila Palanisamy wrote:
> Hi Ivan,
>
> Our dictionary is already existing, it is called dictionary.foundry. We need update in this file. Here is the new list

Which you pasted as text... and your mailer helpfully reformatted so that it is nearly useless.

Please add it as an attachment so that it doesn't get destroyed when you post it to the list.

Even better, send a diff, so that we can see what changed.

Alan DeKok.

Re: Help required in defining new string Attribute
Ila Palanisamy wrote:
> Can someone help me in defining new string Attribute in freeradius.

Edit the dictionaries that the server is using.

> I have added a new attribute Foundry-INM-Role-AOR-List as string in dictionary and I'm trying to set this attribute for a user. With the below configuration radius server is not coming up.

You are editing a dictionary that the server isn't using.

> Any help in resolving this issue will be greatly appreciated.

Run the server in debugging mode. It will print out the path to the dictionaries it's using. Edit those.

Alan DeKok.

Re: Store message Multiple logins in MySQL.
Daniel Aparecido Martins Rosa wrote:
> Hi All!
>
> I need to register in a database when occurs simultaneous use. Currently I stored by postauth_query through the variable '% (reply: Packet-Type)', but the message is generic, ranging from Access-Reject or Access-Accept.

Why? Why not just use the simultaneous use queries accounting logs from the default config?

> When a connection occurs simultaneously, The freeradius stores the message Access-Reject

Because that's what you configured it to do. If you don't want it to do that, don't configure SQL in the post-auth-type Reject section.

Alan DeKok.

Re: rlm_ippool performance
Santosh wrote:
> Error: WARNING: Unresponsive child for request 282, in module main_pool1 component post-auth

That message comes out after the request has been blocked for ~30 seconds. If that's happening, you have a MAJOR problem that is unrelated to performance. i.e. the database is on an NFS mount, and NFS has gone away.

> The question here is will rlm_ippool be able to give away ip addresses to 100's of clients per second? or do I need to look at some thing else? Please suggest.

Maybe the SQL IPpool module?

Alan DeKok.

Re: problem with checking dhcp-packet type
Alexander Kubatkin wrote:
> On Monday 13 July 2009 11:53:23 Alan DeKok wrote:
> > Alexander Kubatkin wrote:
> > > > > when it(fix) come to us?
> > > >
> > > > If you want the latest version, use git.
> > >
> > > last changes 4 days ago
> >
> > Did you download the version using git, as I said? The fix was available there when I sent my message.
>
> yes, i did, problem with build isn't fixed, i was trying and under FreeBSD 7 and under Linux kubuntu 9.04.

OK. The fix should now be in git.

Alan DeKok.

Re: Store message Multiple logins in MySQL.
Thanks Kalik, think about this possibility.

Alan, I use control simultaneous use using SQL, working perfectly.

Why do I need to provide a Web interface to the Help Desk, to report the reason for which the user is not connected, and a generic message Access-Reject no difference if the error during the authentication is invalid username or password or problem of simultaneous use.

The valuable information that I have is that it is restricted in radius.log Auth: Multiple logins (max 1) [MPP attempt]: [login @ realm. If it were possible to write the message Multiple logins in Database would be perfect, I suggested that the Kalik.

Thank you.

Daniel Aparecido Martins Rosa

2009/7/15 Alan DeKok al...@deployingradius.com

> Daniel Aparecido Martins Rosa wrote:
> > Hi All!
> >
> > I need to register in a database when occurs simultaneous use. Currently I stored by postauth_query through the variable '% (reply: Packet-Type)', but the message is generic, ranging from Access-Reject or Access-Accept.
>
> Why? Why not just use the simultaneous use queries accounting logs from the default config?
>
> > When a connection occurs simultaneously, The freeradius stores the message Access-Reject
>
> Because that's what you configured it to do. If you don't want it to do that, don't configure SQL in the post-auth-type Reject section.
>
> Alan DeKok.

Re: make install without messing with previous configuration?
Hi,

>     $ rm -rf ./raddb
>     $ make install
>
> ? Might work...

Not really...

    gmake[2]: Leaving directory `/home/swinter/packages/linux/freeradius-server-2.1.6/src'
    Making install in raddb...
    gmake: Entering an unknown directory
    gmake: *** raddb: Datei oder Verzeichnis nicht gefunden. Schluss.
    gmake: Leaving an unknown directory
    gmake[1]: *** [common] Fehler 2
    gmake[1]: Leaving directory `/home/swinter/packages/linux/freeradius-server-2.1.6'
    make: *** [install] Fehler 2

And it breaks the next time you run configure:

    [...]
    config.status: creating ./src/main/Makefile
    config.status: creating ./src/main/checkrad.pl
    config.status: creating ./src/main/radlast
    config.status: creating ./src/main/radtest
    config.status: creating ./scripts/rc.radiusd
    config.status: creating ./scripts/radwatch
    config.status: creating ./scripts/radiusd.cron.daily
    config.status: creating ./scripts/radiusd.cron.monthly
    config.status: creating ./scripts/cryptpasswd
    config.status: error: cannot find input file: ./raddb/dictionary.in

Greetings,

Stefan Winter

Re: Store message Multiple logins in MySQL.
> The valuable information that I have is that it is restricted in radius.log Auth: Multiple logins (max 1) [MPP attempt]: [login @ realm. If it were possible to write the message Multiple logins in Database would be perfect, I suggested that the Kalik.

That would require (small) source code change. By default message is only written to the log. You can add a line that places it into an attribute that you can later use in post-auth query.

Ivan Kalik
Kalik Informatika ISP

./configure
hi all,

this is shiva shankar.

when i am installing freeradius-server-2.1.6 on solaris10. it is showing some warnings. plz help me out how to remove those warnings

    miboss3:root$./configure log.txt
    configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
    configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work
    configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
    config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
    config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
    configure: WARNING: silently not building rlm_counter.
    configure: WARNING: FAILURE: rlm_counter requires: libgdbm.
    configure: WARNING: silently not building rlm_eap_ikev2.
    configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
    configure: WARNING: silently not building rlm_eap_peap.
    configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
    configure: WARNING: silently not building rlm_eap_tls.
    configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
    configure: WARNING: the TNCS library isn't found!
    configure: WARNING: silently not building rlm_eap_tnc.
    configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
    configure: WARNING: silently not building rlm_eap_ttls.
    configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
    configure: WARNING: silently not building rlm_ippool.
    configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.
    configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
    configure: WARNING: the comm_err library isn't found!
    configure: WARNING: silently not building rlm_krb5.
    configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h.
    configure: WARNING: silently not building rlm_ldap.
    configure: WARNING: FAILURE: rlm_ldap requires: libldap_r.
    configure: WARNING: silently not building rlm_otp.
    configure: WARNING: FAILURE: rlm_otp requires: openssl-libs openssl-includes openssl-includes openssl-includes openssl-includes openssl-includes.
    configure: WARNING: silently not building rlm_perl.
    configure: WARNING: FAILURE: rlm_perl requires: EXTERN.h perl.h libperl.so.
    configure: WARNING: silently not building rlm_sql_iodbc.
    configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
    configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path.
    configure: WARNING: silently not building rlm_sql_mysql.
    configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r.
    configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=path.
    configure: WARNING: silently not building rlm_sql_oracle.
    configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
    configure: WARNING: silently not building rlm_sql_unixodbc.
    configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

i set path like this

    /usr/sbin :/usr/bin: /usr/local/bin :/usr/local/ssl/bin: /usr/ccs/bin :/usr/sfw/bin

plz help me out. it is urgent for me.

thanks in advance

Re: make install without messing with previous configuration?
Stefan Winter wrote:
> Not really...
>
>     gmake[2]: Leaving directory `/home/swinter/packages/linux/freeradius-server-2.1.6/src'
>     Making install in raddb...
>     gmake: Entering an unknown directory

OK how about this. Edit Makefile. Change:

    SUBDIRS = $(LTDL_SUBDIRS) src raddb scripts doc

to

    SUBDIRS = $(LTDL_SUBDIRS) $(wildcard src raddb scripts doc)

Then

    ./configure; rm -rf raddb; make; make install

> And it breaks the next time you run configure:

Well, that's what tar -zxf is for.

Alan DeKok.

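The concern running through this thread is an install step silently adding files (such as sites-enabled/default) to a curated raddb. The following Python is an added example, not code from any poster or from the FreeRADIUS project: it fingerprints the directory before the install, reports what the install added or changed, and puts the directory back as it was, which automates the tar-and-untar approach described earlier in the thread. The function names and the `install_step` callable are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """Map every file and symlink under root to a fingerprint of its content."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk lists symlinks to directories under dirnames without entering
        # them; links of that kind must still be recorded.
        linked_dirs = [d for d in dirnames if (Path(dirpath) / d).is_symlink()]
        for name in filenames + linked_dirs:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                entries[rel] = "link:" + os.readlink(path)
            else:
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                entries[rel] = "sha256:" + digest
    return entries


def compare(before, after):
    """Classify paths as added, removed or changed between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before.keys() & after.keys()
                          if before[p] != after[p]),
    }


def restore(raddb, backup, diff):
    """Undo the install: delete added entries, copy back changed/removed ones."""
    raddb, backup = Path(raddb), Path(backup)
    for rel in diff["added"]:
        path = raddb / rel
        path.unlink()
        # Prune directories the install created and that are now empty.
        parent = path.parent
        while (parent != raddb
               and not (backup / parent.relative_to(raddb)).exists()
               and not any(parent.iterdir())):
            parent.rmdir()
            parent = parent.parent
    for rel in diff["changed"] + diff["removed"]:
        target, source = raddb / rel, backup / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if target.is_symlink() or target.exists():
            target.unlink()
        if source.is_symlink():
            os.symlink(os.readlink(source), target)
        else:
            shutil.copy2(source, target)


def guarded_install(raddb, install_step, keep_config=True):
    """Run install_step() and return (diff, backup_dir) for the raddb tree."""
    backup = Path(tempfile.mkdtemp(prefix="raddb-backup-")) / "raddb"
    shutil.copytree(raddb, backup, symlinks=True)
    before = manifest(raddb)
    install_step()
    diff = compare(before, manifest(raddb))
    if keep_config:
        restore(raddb, backup, diff)
    return diff, backup


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) != 2:
        sys.exit("usage: guarded_install.py /path/to/raddb  (run in source tree)")
    result, saved = guarded_install(
        sys.argv[1], lambda: subprocess.run(["make", "install"], check=True))
    for kind in ("added", "changed", "removed"):
        for rel_path in result[kind]:
            print("%-8s %s" % (kind, rel_path))
    print("pre-install copy kept in", saved)
```

Passing `keep_config=False` leaves the installed defaults in place and only reports them, so the list can be reviewed before anything is deleted.
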
Re: ./configure
shivashankar wrote:
> when i am installing freeradius-server-2.1.6 on solaris10. it is showing some warnings. plz help me out how to remove those warnings

You don't. They are WARNINGS, not ERRORS.

Alan DeKok.

Re: ./configure
hi aland

it is giving problem while doing make.

regards
shiva shankar

2009/7/15 Alan DeKok al...@deployingradius.com

> shivashankar wrote:
> > when i am installing freeradius-server-2.1.6 on solaris10. it is showing some warnings. plz help me out how to remove those warnings
>
> You don't. They are WARNINGS, not ERRORS.
>
> Alan DeKok.

--
regards
shiva shankar

Re: ./configure
> when i am installing freeradius-server-2.1.6 on solaris10. it is showing some warnings. plz help me out how to remove those warnings

Why? Do you need any of mentioned modules. openSSL is probably important. Do you have development headers for it installed?

Ivan Kalik
Kalik Informatika ISP

Re: ./configure
On 07/15/2009 09:20 AM, shivashankar wrote:
> hi all,
>
> this is shiva shankar.
>
> when i am installing freeradius-server-2.1.6 on solaris10. it is showing some warnings. plz help me out how to remove those warnings
>
>     miboss3:root$./configurelog.txt
>     configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
>     configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work
>     configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
>     config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
>     config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
>     configure: WARNING: silently not building rlm_counter.
>     configure: WARNING: FAILURE: rlm_counter requires: libgdbm.
>     configure: WARNING: silently not building rlm_eap_ikev2.
>     configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
>     configure: WARNING: silently not building rlm_eap_peap.
>     configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
>     configure: WARNING: silently not building rlm_eap_tls.
>     configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
>     configure: WARNING: the TNCS library isn't found!
>     configure: WARNING: silently not building rlm_eap_tnc.
>     configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
>     configure: WARNING: silently not building rlm_eap_ttls.
>     configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
>     configure: WARNING: silently not building rlm_ippool.
>     configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.
>     configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
>     configure: WARNING: the comm_err library isn't found!
>     configure: WARNING: silently not building rlm_krb5.
>     configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h.
>     configure: WARNING: silently not building rlm_ldap.
>     configure: WARNING: FAILURE: rlm_ldap requires: libldap_r.
>     configure: WARNING: silently not building rlm_otp.
>     configure: WARNING: FAILURE: rlm_otp requires: openssl-libs openssl-includes openssl-includes openssl-includes openssl-includes openssl-includes.
>     configure: WARNING: silently not building rlm_perl.
>     configure: WARNING: FAILURE: rlm_perl requires: EXTERN.h perl.h libperl.so.
>     configure: WARNING: silently not building rlm_sql_iodbc.
>     configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
>     configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path.
>     configure: WARNING: silently not building rlm_sql_mysql.
>     configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r.
>     configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=path.
>     configure: WARNING: silently not building rlm_sql_oracle.
>     configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
>     configure: WARNING: silently not building rlm_sql_unixodbc.
>     configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
>
> i set path like this
>
>     /usr/sbin :/usr/bin: /usr/local/bin :/usr/local/ssl/bin: /usr/ccs/bin :/usr/sfw/bin
>
> plz help me out. it is urgent for me.
>
> thanks in advance

The bulk of these are because you do not have build dependencies installed. You need to install the libraries and header files. I don't know how that's done on Solaris but for many OS's these are found in development packages which are not normally installed because most users won't need them, only if you're doing development, e.g. building.

Also note, if you aren't going to use a feature (e.g. mysql) you don't need to install the mysql development packages, you can either disable the build of the module by passing --withoutXXX to configure or just let configure figure it out on its own and live with the warnings.

--
John Dennis jden...@redhat.com

Re: ./configure
On 15.07.2009 at 15:45, shiva shankar wrote: Hi Alan, it is giving a problem while doing make. Then please post the relevant lines of the bottom of the output of make. regards, shiva shankar Have a nice day! 2009/7/15 Alan DeKok al...@deployingradius.com shivashankar wrote: When I am installing freeradius-server-2.1.6 on Solaris 10, it is showing some warnings. Please help me out with how to remove those warnings. You don't. They are WARNINGS, not ERRORS. Alan DeKok. -- regards, shiva shankar Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Managing Directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Court of registration: Amtsgericht Münster / HRB: 5624 Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: ./configure
Hi all, I am facing the below problem while running make: gmake[10]: Nothing to be done for `all'. gmake[10]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers/rlm_sql_unixodbc' gmake[9]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers' gmake[8]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers' gmake[7]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql' for x in .libs/* rlm_sql.la; do \ rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/$x /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ done gmake[6]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql' Making all in rlm_sqlcounter... gmake[6]: Entering directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter' for x in .libs/* rlm_sqlcounter.la; do \ rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter/$x /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ done gmake[6]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter' Making all in rlm_sqlippool... gmake[6]: Entering directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool' for x in .libs/* rlm_sqlippool.la; do \ rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool/$x /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ done gmake[6]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool' Making all in rlm_sql_log... 
gmake[6]: Entering directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log' for x in .libs/* rlm_sql_log.la; do \ rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log/$x /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ done gmake[6]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log' Making all in rlm_unix... gmake[6]: Entering directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix' for x in .libs/* rlm_unix.la; do \ rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix/$x /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ done gmake[6]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix' Making all in rlm_policy... gmake[6]: Entering directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy' for x in .libs/* rlm_policy.la; do \ rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy/$x /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ done gmake[6]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy' Making all in rlm_dynamic_clients... gmake[6]: Entering directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients' for x in .libs/* rlm_dynamic_clients.la; do \ rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients/$x /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \ done gmake[6]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients' gmake[5]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules' gmake[4]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/modules' Making all in main... 
gmake[4]: Entering directory `/opt/packages/freeradius-server-2.1.6/src/main' gmake[4]: Nothing to be done for `all'. gmake[4]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/main' gmake[3]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src' gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src' Making all in raddb... gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/raddb' gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/raddb' Making all in scripts... gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/scripts' gmake[2]: Nothing to be done for `all'. gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/scripts' Making all in doc... gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/doc' gmake[3]: Entering directory `/opt/packages/freeradius-server-2.1.6/doc' Making all in examples... gmake[4]: Entering directory `/opt/packages/freeradius-server-2.1.6/doc/examples' gmake[4]: Nothing to be done for `all'. gmake[4]: Leaving directory
Re: ./configure
plz find
Re: ./configure
shiva shankar wrote: Hi Alan, it is giving a problem while doing make. So you posted the output of configure, and not make. Hmm... Alan DeKok.
How to reject when a user logs in without realm?
Hi, I am new to radius, hence kindly excuse me if my terminology is different from what is expected. I am using Freeradius Version 1.1.7. Is it possible to reject when a request comes from the NAS server with a user logging in without a realm as suffix? For example, if the FreeRadius server receives an authentication request for the user navin, it has to reject, but if it receives the request as na...@freescale.com it has to authenticate him. I tried the below options: I am not using the proxy request support, hence commenting out the proxy.conf file and setting proxy_requests = no in the radiusd.conf file. Added the below in the radiusd.conf file with the intention that users of realm freescale.com have to be authenticated and other users should be rejected. realm freescale.com { type= radius authhost= LOCAL accthost= LOCAL } realm NULL { type= radius authhost= LOCAL accthost= LOCAL secret = test } In the radiusd.conf under the section realm module config options ignore_null = yes ignore_default = yes for u...@realm. In the users file, added na...@freescale.com Cleartext-Password := navin123 meaning authenticate navin having a password navin123. But what I observed is, I get authenticated when I log in as navin and also as na...@freescale.com. This has been verified with the radtest client program which came along with the freeradius server. Kindly do let me know if the user can be rejected access if he logs in without realm. have a nice day, navin
Re: ./configure
I thought configure has a number of warnings, that's why make is giving a problem. 2009/7/15 Alan DeKok al...@deployingradius.com shiva shankar wrote: Hi Alan, it is giving a problem while doing make. So you posted the output of configure, and not make. Hmm... Alan DeKok. -- regards, shiva shankar
Re: How to reject when a user logs in without realm?
I am new to radius, hence kindly excuse me if my terminology is different from what is expected. I am using Freeradius Version 1.1.7. Is it possible to reject when a request comes from the NAS server with a user logging in without a realm as suffix? For example, if the FreeRadius server receives an authentication request for the user navin, it has to reject, but if it receives the request as na...@freescale.com it has to authenticate him. I tried the below options: I am not using the proxy request support, hence commenting out the proxy.conf file and setting proxy_requests = no in the radiusd.conf file. Added the below in the radiusd.conf file with the intention that users of realm freescale.com have to be authenticated and other users should be rejected. realm freescale.com { type= radius authhost= LOCAL accthost= LOCAL } Remove that. Your user file entry will sort out who gets authenticated and who doesn't. Ivan Kalik Kalik Informatika ISP
LDAP + TTLS PAP
Hi. I've been trying to set up freeradius with LDAP + TTLS PAP. I use the default radius, eap and users files configuration. I configured my modules/ldap file to connect to my ldap, the sites-available/default file to authorize ldap, and ldap.attrmap to check Cleartext-Password against userPassword. Everything seems normal: when I test it with radtest user pass 10.14.56.26 0 secret, it is accepted. But when I try from my XP client the debug shows this: +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = user, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} Here is my sites-available/default authorize section: authorize { preprocess chap mschap eap { ok = return } unix files ldap expiration logintime pap } Any ideas? Thanks. -- View this message in context: http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24498710.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: ./configure
shiva shankar wrote: I thought configure has a number of warnings, that's why make is giving a problem. They are different programs... And the output of make showed no errors. Why do you think there are errors? Alan DeKok.
Re: ./configure
On 07/15/2009 09:55 AM, shiva shankar wrote: Hi all, I am facing the below problem while running make: gmake[10]: Nothing to be done for `all'. Well you don't say what your problem is. Is it because make says everything is already done? Well that's probably true if you've already done a build. Note, if you change anything in your environment such as adding missing libraries and headers you'll have to run ./configure and make again. A couple of suggestions: Please don't post the same thing multiple times, we're not deaf. Please be specific about your issues. Please go elsewhere to learn basic Unix tasks and come back and ask FreeRADIUS specific questions here, this is not a help forum for how to use basic Unix tools. -- John Dennis jden...@redhat.com
Re: make install without messing with previous configuration?
Hi, OK how about this. Edit Makefile. Change: SUBDIRS = $(LTDL_SUBDIRS) src raddb scripts doc to SUBDIRS = $(LTDL_SUBDIRS) $(wildcard src raddb scripts doc) Then configure;rm -rf raddb;make;make install Cute, works. I don't like deleting raddb; doing mv raddb getouttatheway; make install; mv getouttatheway raddb is maybe not really elegant, but good enough. Thanks! This new SUBDIRS shouldn't do harm either way. Any chance to push this into 2.1.7? Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Re: make install without messing with previous configuration?
Stefan Winter wrote: This new SUBDIRS shouldn't do harm either way. Any chance to push this into 2.1.7? Done. Alan DeKok.
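The failure mode described in this thread (an upgrade's `make install` adding a `sites-enabled/default` that the curated configuration never had) can be caught by fingerprinting raddb before and after the install. The following is an added example, not code from the thread or from FreeRADIUS; the function names and the sample tree are constructed for illustration, and it assumes `sha256sum` or `shasum` is available.

```shell
#!/bin/sh
# Added example: detect files that an upgrade's `make install` adds to or
# changes in a curated raddb directory. Function names are hypothetical.

# sha256_of FILE: print the SHA-256 of FILE (sha256sum, else shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    else
        shasum -a 256 < "$1" | awk '{ print $1 }'
    fi
}

# raddb_manifest DIR: print "fingerprint<TAB>path" for every file and symlink.
# Symlinks are recorded by target, because sites-enabled/ entries are usually
# links and a new link enables a virtual server without adding any content.
raddb_manifest() {
    (
        cd "$1" || exit 1
        find . \( -type f -o -type l \) -print | sed 's|^\./||' | LC_ALL=C sort |
        while IFS= read -r path; do
            if [ -L "$path" ]; then
                printf 'link:%s\t%s\n' "$(readlink "$path")" "$path"
            else
                printf 'sha256:%s\t%s\n' "$(sha256_of "$path")" "$path"
            fi
        done
    )
}

# raddb_drift BEFORE AFTER: compare two manifests and print one line per
# difference: "ADDED path", "CHANGED path" or "REMOVED path".
raddb_drift() {
    awk -F '\t' -v before_file="$1" '
        BEGIN {
            while ((getline line < before_file) > 0) {
                split(line, f, "\t")
                before[f[2]] = f[1]
            }
        }
        {
            seen[$2] = 1
            if (!($2 in before))       print "ADDED " $2
            else if (before[$2] != $1) print "CHANGED " $2
        }
        END { for (p in before) if (!(p in seen)) print "REMOVED " p }
    ' "$2" | LC_ALL=C sort
}

# demo_upgrade_drift: build a constructed raddb with one site enabled, then
# simulate an install that drops in a default virtual server and enables it.
demo_upgrade_drift() {
    tmp=$(mktemp -d) || return 1
    raddb="$tmp/raddb"
    mkdir -p "$raddb/sites-available" "$raddb/sites-enabled"
    echo 'authorize { files }' > "$raddb/sites-available/eduroam"
    ln -s ../sites-available/eduroam "$raddb/sites-enabled/eduroam"
    echo 'testuser Cleartext-Password := "constructed"' > "$raddb/users"
    raddb_manifest "$raddb" > "$tmp/before"

    # Stand-in for `make install` (constructed, not the real install rule).
    echo 'authorize { eap files ldap }' > "$raddb/sites-available/default"
    ln -s ../sites-available/default "$raddb/sites-enabled/default"
    raddb_manifest "$raddb" > "$tmp/after"

    raddb_drift "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo_upgrade_drift
```

On a real upgrade, write the first manifest somewhere outside raddb before running `make install`, and treat any `ADDED` entry under `sites-enabled/` as a reason not to restart the server until it has been reviewed.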
Re: LDAP + TTLS PAP
But when I try from my XP client the debug shows this: You have deleted the interesting part of the debug. Ivan Kalik Kalik Informatika ISP
Re: How to reject when a user logs in without realm?
Hi, Hope you are referring to realm freescale.com { type= radius authhost= LOCAL accthost= LOCAL present in the radiusd.conf file. Removed it. Restarted the freeradius server. The user file contains na...@freescale.com Cleartext-Password := navin123 Even then, when tested with the radtest tool, the users navin and na...@freescale.com are both getting authenticated. I would prefer only na...@freescale.com get authenticated and user navin should get rejected. have a nice day, navin At 07:37 PM 7/15/2009, you wrote: I am new to radius, hence kindly excuse me if my terminology is different from what is expected. I am using Freeradius Version 1.1.7. Is it possible to reject when a request comes from the NAS server with a user logging in without a realm as suffix? For example, if the FreeRadius server receives an authentication request for the user navin, it has to reject, but if it receives the request as na...@freescale.com it has to authenticate him. I tried the below options: I am not using the proxy request support, hence commenting out the proxy.conf file and setting proxy_requests = no in the radiusd.conf file. Added the below in the radiusd.conf file with the intention that users of realm freescale.com have to be authenticated and other users should be rejected. realm freescale.com { type= radius authhost= LOCAL accthost= LOCAL } Remove that. Your user file entry will sort out who gets authenticated and who doesn't. Ivan Kalik Kalik Informatika ISP
Re: How to reject when a user logs in without realm?
Hope you are referring to realm freescale.com { type= radius authhost= LOCAL accthost= LOCAL present in the radiusd.conf file. Removed it. Restarted the freeradius server. The user file contains na...@freescale.com Cleartext-Password := navin123 Even then, when tested with the radtest tool, the users navin and na...@freescale.com are both getting authenticated. I would prefer only na...@freescale.com get authenticated and user navin should get rejected. There is something else there then as well. Post the debug for navin. You can probably safely disable suffix as well. But let's first see what is stripping the username. There is nothing in the default configuration that does that. Ivan Kalik Kalik Informatika ISP
Re: problem with checking dhcp-packet type
On Wednesday, 15 July 2009 14:07:18 Alan DeKok wrote: Alexander Kubatkin wrote: On Monday, 13 July 2009 11:53:23 Alan DeKok wrote: Alexander Kubatkin wrote: When will it (the fix) come to us? If you want the latest version, use git. Last changes were 4 days ago. Did you download the version using git, as I said? The fix was available there when I sent my message. Yes, I did, the problem with the build isn't fixed. I was trying both under FreeBSD 7 and under Linux Kubuntu 9.04. OK. The fix should now be in git. Yes, it's working, thank you. The test with the Trendnet SOHO router will be later. Alan DeKok. -- __ Alexander Kubatkin
Re: LDAP + TTLS PAP
Ivan Kalik wrote: You have deleted the interesting part of the debug. Ivan Kalik Kalik Informatika ISP Sorry Here is my all debug. Ready to process requests. rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163 User-Name = user Calling-Station-Id = 00-24-2C-83-AA-92 Called-Station-Id = 00-21-A1-9E-F9-30:testGDL NAS-Port = 1 NAS-IP-Address = 10.14.56.33 NAS-Identifier = test-gdl-wlc Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800090175736572 Message-Authenticator = 0xb86c778d5e5cbb982425e05ea5b4b6e8 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = user, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] EAP packet type response id 8 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for user [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=user) [ldap] expand: ou=Wireless,dc=local,dc=test,dc=com - ou=Wireless,dc=local,dc=test,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with filter (cn=user) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: userPassword - Cleartext-Password == Newuser01 [ldap] looking for reply items in directory... [ldap] user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. 
++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 2 to 10.14.56.33 port 32768 EAP-Message = 0x010900160410a1a022fc9a0dfa06c749cc18033a2a4a Message-Authenticator = 0x State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163 Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2 Sending Access-Challenge of id 2 to 10.14.56.33 port 32768 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163 Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2 Sending Access-Challenge of id 2 to 10.14.56.33 port 32768 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=3, length=178 User-Name = user Calling-Station-Id = 00-24-2C-83-AA-92 Called-Station-Id = 00-21-A1-9E-F9-30:testGDL NAS-Port = 1 NAS-IP-Address = 10.14.56.33 NAS-Identifier = test-gdl-wlc Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900060315 State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44 Message-Authenticator = 0xbe3af8eada8201dbfd51322d12e53c40 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = user, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for user [ldap] WARNING: Deprecated conditional expansion :-. 
See man unlang for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=user) [ldap] expand: ou=Wireless,dc=local,dc=test,dc=com - ou=Wireless,dc=local,dc=test,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with filter (cn=user) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: userPassword - Cleartext-Password == Newuser01 [ldap] looking for reply items in directory... [ldap] user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate
Re: LDAP + TTLS PAP
Here is all my debug. Enable ldap in inner-tunnel virtual server as well. Ivan Kalik Kalik Informatika ISP
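An added example (not from the thread or the FreeRADIUS project) of reading the debug output for this failure: it reports which virtual server rejected a request for lack of an Auth-Type and which modules its authorize section ran. The function names are hypothetical, and the sample lines are reconstructed from the debug output quoted in the first post of this thread.

```shell
#!/bin/sh
# Added example: locate "no Auth-Type" rejects in `radiusd -X` debug output.
# Function names are hypothetical.

# authtype_rejects: read debug output on stdin. For each request rejected with
# "No authenticate method (Auth-Type)", print "server<TAB>modules", where
# modules are the ones whose return codes were logged in its authorize section.
# A reject with no closing "} # server NAME" line is reported as "(outer)".
authtype_rejects() {
    awk '
        /^rad_recv:/ {
            if (pending) { print "(outer)\t" mods; pending = 0 }
        }
        /entering group authorize/ { mods = ""; next }
        /^[ \t]*\+\+\[[^]]*\] returns / {
            name = $0
            sub(/^[ \t]*\+\+\[/, "", name)
            sub(/\].*$/, "", name)
            mods = (mods == "" ? name : mods " " name)
            next
        }
        /No authenticate method \(Auth-Type\)/ { pending = 1; next }
        pending && /^[ \t]*[}] # server / {
            print $4 "\t" mods
            pending = 0
        }
        END { if (pending) print "(outer)\t" mods }
    '
}

# server_ran_module SERVER MODULE: read an authtype_rejects report on stdin
# and succeed only if MODULE is listed for SERVER.
server_ran_module() {
    awk -F '\t' -v srv="$1" -v mod="$2" '
        $1 == srv && index(" " $2 " ", " " mod " ") { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# sample_debug: the tunneled part of the debug output from the first post,
# restored to one log entry per line.
sample_debug() {
    cat <<'EOF'
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
EOF
}

report=$(sample_debug | authtype_rejects)
printf '%s\n' "$report"
if ! printf '%s\n' "$report" | server_ran_module inner-tunnel ldap; then
    echo "inner-tunnel authorize did not run ldap"
fi
```

The report makes the asymmetry visible: the outer server's authorize list in the posted configuration includes `ldap`, while the tunneled request was rejected in `inner-tunnel` after an authorize pass that never called it.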
Mysql and SHA256 or SHA-2
I am using freeradius 2.1.6 with a mysql backend. Users' passwords are stored in the database in SHA256 format. Question is: does freeradius support this type of encryption? I know it supports SHA-1 and SSHA but it's not what I want. Thank you
TTLS to require client cert
Hi all, I need help once again. I want TTLS to require client cert. I put EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not working. What am I doing wrong here?
Re: LDAP + TTLS PAP
Ivan Kalik wrote: Here is all my debug. Enable ldap in inner-tunnel virtual server as well. Ivan Kalik Kalik Informatika ISP Thanks for your help Ivan. Now everything looks fine. -- View this message in context: http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24500243.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
error 734
Hello folks, Below is the log message after an attempt to authenticate. Wed Jul 15 16:31:31 2009 : Auth: Login OK: [t...@wimax.mtnonline.rw] (from client XX-bras-1 port 0) It is bringing error 734 on a Windows machine. Therefore, the user cannot be connected. Thanks in advance for your advice. Best regards, Issa
wpa2-psk and radiusd possible?
Hi,... I'm pretty new to radiusd, so this may be a dumb question. :-) Is it possible to use something like MAC-based WPA2-PSKs together with radiusd? I have used a single hostapd installation as AP, configured with unique WPA2-PSKs for each MAC address that should have access (which prevents trading the PSK). Now I want to extend our network with a couple of Linksys routers, so I've installed radiusd and got EAP, PEAP, 802.1X to work so far. But my users find it complicated to mess around with the certs, so I decided to use the same PSK on all NAS clients (dd-wrt) and only do MAC auth with radiusd. Is there a way to have different PSKs for every MAC? I bet it is not a job for radius and maybe a completely wrong concept? best regards stefan PS: sorry for bad english ;-) -- Stefan Jensen sjen...@versanet.de
Re: problem with checking dhcp-packet type
On Wednesday, 15 July 2009 18:33:11 Alexander Kubatkin wrote: On Wednesday, 15 July 2009 14:07:18 Alan DeKok wrote: Alexander Kubatkin wrote: On Monday, 13 July 2009 11:53:23 Alan DeKok wrote: Alexander Kubatkin wrote: When will it (the fix) come to us? If you want the latest version, use git. Last changes were 4 days ago. Did you download the version using git, as I said? The fix was available there when I sent my message. Yes, I did, the problem with the build isn't fixed. I was trying both under FreeBSD 7 and under Linux Kubuntu 9.04. OK. The fix should now be in git. Yes, it's working, thank you. The test with the Trendnet SOHO router will be later. Test passed. Alan DeKok. -- __ Alexander Kubatkin
RE: error 734
Don't worry, the issue is fixed. A vrf configuration was missing. From: Issa Nkusi Karera [MTN Rwanda - MTN Centre] Sent: Wednesday, July 15, 2009 6:10 PM To: freeradius-users@lists.freeradius.org Subject: error 734 Hello folks, Below is the log message after an attempt to authenticate. Wed Jul 15 16:31:31 2009 : Auth: Login OK: [t...@wimax.mtnonline.rw] (from client XX-bras-1 port 0) It is bringing error 734 on a Windows machine. Therefore, the user cannot be connected. Thanks in advance for your advice. Best regards, Issa
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
On Wed, Jul 15, 2009 at 1:52 AM, Ivan Kalik t...@kalik.net wrote: Can I create a client cert for a computer so that any user that logs in may use it automatically under Windows XP? I have successfully created a client.p12 with the FQDN of the workstation I am using, installed it and been authenticated by Freeradius. However when I log in to the computer under a different windows profile authentication fails. Yes, that's how user certificates work. How should I create this file and where do I place this cert so that it's available for any user logging on? The whole idea of user certificates is for this not to be possible. Thanks for the reply Ivan, So are the following correct?: (1) I can create a single cert for a computer and distribute it to all users who may use that computer (2) I can create a cert for every user and distribute it to every computer that a user logs into. (3) I cannot create a generic computer cert that authenticates the computer and opens the port? Thanks! John
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
So are the following correct?: (1) I can create a single cert for a computer and distribute it to all users who may use that computer You can give the same user certificate to any user using the computer - you can place it on the desktop with installation instructions. But don't you hear a voice in your head: what is the point of these certificates? (2) I can create a cert for every user and distribute it to every computer that a user logs into. Yes. In normal circumstances such a user will have his certificate on the smart card and computers will be equipped with readers. So, the user certificate is with the (mobile) user, not any possible computer he might use. (3) I cannot create a generic computer cert that authenticates the computer and opens the port? Yes, you can. But as soon as some user logs onto that computer ... Ivan Kalik Kalik Informatika ISP
Re: TTLS to require client cert
> Hi all, I need help once again. I want TTLS to require client cert. I put EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not working. What am I doing wrong here?

What isn't working? Freeradius can request a certificate - does your supplicant support that?
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
> > (3) I cannot create a generic computer cert that authenticates the computer and opens the port?
>
> Yes, you can. But as soon as some user logs onto that computer ...
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for the reply Ivan. I am fine with folks logging in and having access from computers that have already been authenticated via a computer certificate. If my users make it that far they have domain credentials and are supposed to be there.

What I am trying to prevent is users from bringing their laptops from home and plugging them into a spare port (or removing the cable from the back of a school computer) in one of our computer labs. I am pretty sure I can put a cert into the computer that will authenticate the computer *before* a user even logs in. Once they provide their domain credentials they should have access to all the services we provide in the lab.

I am having a hard time figuring out how to make this work. Where/how does the cert get imported? Do I need to make a registry change in KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global to make this work? I hope this is the part someone on the list will have done before and be able to guide me or point me at a howto.

Thanks!
John
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
On 07/15/2009 01:08 PM, john wrote:

> So are the following correct?:
> (1) I can create a single cert for a computer and distribute it to all users who may use that computer
> (2) I can create a cert for every user and distribute it to every computer that a user logs into.
> (3) I cannot create a generic computer cert that authenticates the computer and opens the port?

Think long and hard about what you want authentication to accomplish from a security standpoint, then worry about the implementation details.

Ask the question "Who are you authenticating?" or "What has permission to use the network?" Am I trying to restrict access to a specific set of users or am I trying to restrict access to a specific set of machines? If it's the latter, does that mean anyone who sits down at that machine has access?

In a very very simplified view a certificate is nothing more than a password. Would you give the same password to every user? Would you put that password on every machine?

What you're learning is that certificate management is complex and often requires additional certificate management support.

If you want users to be authenticated no matter what machine they are logging in from *and* you want to use certificates as opposed to passwords, you essentially have two choices.

1) The user is in physical possession of the certificate, he carries it from machine to machine. This is the smart card (i.e. token) solution. To protect against theft or loss of the token the user has to unlock the token using a password upon insertion of the token in the device.

2) The per user certificate is stored in a central location where only the user can access it. Usually this requires OS support and another layer of authentication.

If you want to do machine authentication then per machine certificates must be generated and distributed (which is where your question began).

There is no easy secure way to do this for a large number of devices in the absence of sophisticated certificate management software, this is why certificate management software is a growth industry.

I'm not a Windows guy, but my understanding is that Microsoft offers (expensive) solutions. In the Linux world you might consider DogTag (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same certificate management system used by the DoD (Dept of Defense) and other high profile organizations which Red Hat has generously made available as open source after its acquisition from Netscape.

Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which allows users and computers in a Microsoft Windows domain to automatically enroll for certificates issued from Certificate System.

Of course if you don't want to deal with the complexity of certificate based authentication you could just use passwords. Passwords are much less secure, but much simpler.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
Hi John thanks for taking the time to reply,

> Ask the question Who are you authenticating? or What has permission to use the network? Am I trying to restrict access to a specific set of users or am I trying to restrict access to a specific set of machines? If it's the latter does that mean anyone who sits down at that machine has access?

In this instance I am trying to the network so that only computers which carry a credential are allowed to have port access. My users' credentials are managed via Active Directory and I am trying to avoid issuing user certs if possible. More specifically we have a number of computer labs where users are in the habit of bringing in computers from home and plugging in, I'd like to prevent this.

So what I am hoping to find out is that I can create a cert with the FQDN of the computer. Install it on the computer itself, and have the computer negotiate via the NAS with free-radius for access. I hope this process is completely transparent to the user.

> In a very very simplified view a certificate is nothing more than a password. Would you give the same password to every user? Would you put that password on every machine?

Sort of. I guess I see it as a sort of 2 factor auth scheme. The computer has a credential which is processed by free-radius and the user has a separate credential which is processed by Active Directory.

> 2) The per user certificate is stored in a central location where only the user can access it. Usually this requires OS support and another layer of authentication.

I am pretty sure that Windows XP can use a Computer Cert for dot1X auth via EAP. I've seen references to it. I've even found a mention of a registry hack that forces the computer to use machine auth for dot1X in lieu of user certs, but I am not sure how to correctly implement it when using free-radius, everything's written for IAS.

> If you want to do machine authentication then per machine certificates must be generated and distributed (which is where your question began). There is no easy secure way to do this for a large number of devices in the absence of sophisticated certificate management software, this is why certificate management software is a growth industry.

I am willing to do it by hand if the process seems reasonably straight-forward. I've got about 200 machines and 1600 users, many users use multiple machines. You can see why I'd rather tackle the machines. :-

> I'm not a Windows guy, but my understanding is that Microsoft offers (expensive) solutions. In the Linux world you might consider DogTag (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same certificate management system used by the DoD (Dept of Defense) and other high profile organizations which Red Hat has generously made available as open source after its acquisition from Netscape.

Thanks for this resource.

> Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which allows users and computers in a Microsoft Windows domain to automatically enroll for certificates issued from Certificate System. Of course if you don't want to deal with the complexity of certificate based authentication you could just use passwords. Passwords are much less secure, but much simpler.

Yes but then we're back to the problem of a user just providing domain credentials to gain port access. I can imagine a student downloading secure-w2 or similar and providing domain credentials to get access for their laptop.

Thanks again John. I appreciate your insights.

John
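The per-machine certificates discussed in this thread (one certificate per lab computer, named after its FQDN), shown as an added example that is not part of any poster's message and not FreeRADIUS's own tooling. It assumes an OpenSSL 1.1.1 or later `openssl` on the path; the CA name, the work directory and the host names are constructed.

```shell
#!/bin/sh
# Added example: one client certificate per lab machine, CN = machine FQDN.
# The CA name, work directory and host names are constructed for illustration.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Throwaway test CA with its own minimal config (a real deployment would
# sign with the CA that the RADIUS server already trusts).
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_machine_cert FQDN: new key and CSR, signed for TLS client use only.
issue_machine_cert() {
    fqdn="$1"
    # Refuse anything that is not a plain host name (no "/" or "=" in -subj).
    case "$fqdn" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$fqdn" -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = clientAuth' "subjectAltName = DNS:$fqdn" > "$WORK/$fqdn.ext"
    openssl x509 -req -in "$WORK/$fqdn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$fqdn.ext" -out "$WORK/$fqdn.pem" 2>/dev/null
}

# purpose_ok FQDN PURPOSE: does the cert chain to the CA and fit the purpose?
purpose_ok() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" 2>/dev/null |
        grep -q ': OK$'
}

make_ca
for host in lab-pc-01.example.edu lab-pc-02.example.edu; do   # constructed names
    issue_machine_cert "$host"
done
```

Each machine gets its own key, so a single lab computer can be revoked without touching the others; `openssl pkcs12 -export` can bundle a machine's key and certificate into one file like the client.p12 mentioned in the thread.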
Re: TTLS to require client cert
Yes, it does, but something isn't working, he is just not checking the client certificate

On 07/15/2009, Ivan Kalik t...@kalik.net wrote:

> > Hi all, I need help once again. I want TTLS to require client cert. I put EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not working. What am I doing wrong here?
>
> What isn't working? Freeradius can request a certificate - does your supplicant support that?
radius.log permissions issue
With freeradius 2.1.6, I have a configuration such as this in my radiusd.conf file:

    user = radiusd
    group = radiusd

When I start up radiusd for the first time, the radius.log file gets created with 0640 permissions, owned by root:radiusd, instead of radiusd:radiusd. This doesn't prevent the RADIUS process from working, but it does prevent any useful information from being logged.

Is this a known bug? Is there a workaround other than creating the file by hand and setting its ownership before starting freeradius?

Philip
question about freeradius vs AA(ldap) and A(mysql)
hi, i have freeradius server over Debian Etch version FreeRADIUS Version 1.1.3 and making Accounting with MySQL radius DB. I want to make new form to authenticate my users to not have 2 password databases separated... so.. need auth ldap and account into mysql..

I test to make authorization + authentication with Ldap and keep going making Accounting into MySQL... and works but just basic mode. My question is how can i change the usergroup, radgroupcheck, radgroupreply, tables into Ldap to authorization-authentication step, with more options to check like Calling-Station-Id, Called-Station-Id, Hint, Groupnames, etc etc???

And in the schema of freeradius into Ldap, i load scheme but when i try to add new attribute to user like (option in the radiusd.conf) access_attr = dialupAccess what i type in the value?? .. just know string by the scheme explain but don't know that string exactly it is

can help me any one..??? thanxs and regards and sorry by my english

Tony
Re: question about freeradius vs AA(ldap) and A(mysql)
ok i found this http://freeradius.org/radiusd/doc/ldap_howto.txt i guess to have many stuff to read and try my problem any way i can read more solutions to can make my trouble in fast way and short time.

Regards again.
Tony

Tony P. wrote:

> hi, i have freeradius server over Debian Etch version FreeRADIUS Version 1.1.3 and making Accounting with MySQL radius DB. I want to make new form to authenticate my users to not have 2 password databases separated... so.. need auth ldap and account into mysql..
>
> I test to make authorization + authentication with Ldap and keep going making Accounting into MySQL... and works but just basic mode. My question is how can i change the usergroup, radgroupcheck, radgroupreply, tables into Ldap to authorization-authentication step, with more options to check like Calling-Station-Id, Called-Station-Id, Hint, Groupnames, etc etc???
>
> And in the schema of freeradius into Ldap, i load scheme but when i try to add new attribute to user like (option in the radiusd.conf) access_attr = dialupAccess what i type in the value?? .. just know string by the scheme explain but don't know that string exactly it is
>
> can help me any one..??? thanxs and regards and sorry by my english
>
> Tony