Simutaneus Check Query in FR2?
Hi,

Currently my Simultaneous-Use attribute is not working and I have a few questions regarding this. Following is my setup:

OS: CentOS 5.3
freeradius2-2.1.6
MySQL 5.0.45
PERL 5.8.8

I am consulting the FAQ checklist. Some items are not applicable to me since I am doing everything from SQL.

1) The FAQ says to uncheck the simultaneous check query in sql.conf, but I couldn't find that in my sql.conf. Where is this in FR2?

2) In /etc/raddb/sites-enable/default I noticed that radutmp is uncommented by default in the session and accounting sections. I tried disabling this but it had no effect on simultaneous use. Do I need to turn on radutmp for something else (like for radwho)? (What I mean is: does any other part of freeradius use this feature for session and accounting purposes? Is it necessary to turn on this feature if I am using SQL for my session and accounting?)

3) I am trying to use radwho and it is giving me the error

radwho: Error reading /var/log/radius/sradutmp: No such file or directory.

It is looking for sradutmp instead of radutmp, which is not there. I guess it probably has its historical reasons. Maybe I can solve this by renaming radutmp to sradutmp, but I am not sure if I want to do that.

4) What are the other things I need to look for to solve this problem?

Some suggestions greatly appreciated.

Thanks

--
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: reject group
Define the group in your database. In radgroupreply put Auth-Type := Reject

hashim zayed wrote:
> Hi all:
> I am using freeradius with mysql. I want to create a group with a default reject response, so that when I put a user in this group he gets access-reject from freeradius.

RE: Simutaneus Check Query in FR2?
> Hi,
> Currently my Simultaneous-Use attribute is not working and I have a few questions regarding this. Following is my setup:
> OS: CentOS 5.3
> freeradius2-2.1.6
> MySQL 5.0.45
> PERL 5.8.8
>
> I am consulting the FAQ checklist. Some items are not applicable to me since I am doing everything from SQL.
>
> 1) The FAQ says to uncheck the simultaneous check query in sql.conf, but I couldn't find that in my sql.conf. Where is this in FR2?

You are looking in the wrong directory. In FR2 the SQL queries are in sql/mysql/dialup.conf. In this file you will find the simultaneous-use queries.

> 2) In /etc/raddb/sites-enable/default I noticed that radutmp is uncommented by default in the session and accounting sections. I tried disabling this but it had no effect on simultaneous use. Do I need to turn on radutmp for something else (like for radwho)? (What I mean is: does any other part of freeradius use this feature for session and accounting purposes? Is it necessary to turn on this feature if I am using SQL for my session and accounting?)

This service is checked using SQL queries in the radacct table. Think that all checks are in the database and not in files.

> 3) I am trying to use radwho and it is giving me the error
>
> radwho: Error reading /var/log/radius/sradutmp: No such file or directory.
>
> It is looking for sradutmp instead of radutmp, which is not there. I guess it probably has its historical reasons. Maybe I can solve this by renaming radutmp to sradutmp, but I am not sure if I want to do that.
>
> 4) What are the other things I need to look for to solve this problem?
>
> Some suggestions greatly appreciated.
>
> Thanks

Re: Filter or restrict on NAS
08/03/2009 05:00 PM, Ivan Kalik:
> Yes, there are a few ways to do that. But what is a bad NAS doing in clients.conf in the first place? Or do you want to tie users to devices?

Yes, the goal is to tie a user to a specific NAS.

> To tie the user to a single device you need just the NAS IP; for multiple devices you should use huntgroups/sqlhuntgroups.

Okay! Great.

Re: Simutaneus Check Query in FR2?
> You are looking in the wrong directory. In FR2 the SQL queries are in sql/mysql/dialup.conf. In this file you will find the simultaneous-use queries.

Thanks for the quick reply. This solved the problem. What about the radutmp thing? Do I need to leave it uncommented or disable it in the default file since I am using SQL?

Thanks

--
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3

RE: Simutaneus Check Query in FR2?
> Date: Tue, 4 Aug 2009 14:42:55 +0800
> Subject: Re: Simutaneus Check Query in FR2?
> From: d88...@gmail.com
> To: freeradius-users@lists.freeradius.org
>
>> You are looking in the wrong directory. In FR2 the SQL queries are in sql/mysql/dialup.conf. In this file you will find the simultaneous-use queries.
>
> Thanks for the quick reply. This solved the problem. What about the radutmp thing? Do I need to leave it uncommented or disable it in the default file since I am using SQL?

I think you do not understand why you use radutmp. If you use a DB system, then you needn't use a flat file to save the session log. Look at the radacct table.

Re: urgent
RANDRIAMAMPIONONA José Johnny wrote:
> Hi everyone,
> I've just set up freeradius-server 2.1.6 + OpenLdap. Everything seems to be cool, apart from the output, which looks contradictory. The output of "radtest blabla etc ..." proves that there is no response from the server. Then the server gives these lines:
> ...
> Sun Aug 2 14:37:09 2009 : Info: [ldap] login attempt by ytabaa with password coucou
> Sun Aug 2 14:37:09 2009 : Info: [ldap] user DN: uid=ytabaa,ou=People,dc=uae,dc=ac,dc=ma
> Sun Aug 2 14:37:09 2009 : Debug: rlm_ldap: (re)connect to ldap.uae.ac.ma:389, authentication 1
> Sun Aug 2 14:37:09 2009 : Debug: rlm_ldap: bind as uid=ytabaa,ou=People,dc=uae,dc=ac,dc=ma/passwd to ldap.uae.ac.ma:389
>
> Does anyone know what's wrong in my configuration?

The output seems relatively obvious. FreeRADIUS tries to contact the LDAP server, and then everything stops.

Install an LDAP server that works.

> Is it the expiration in the configuration file that I have to expand (what file?) to give the server a possibility to respond?

Follow the example in the FAQ, add an entry in the users file, and DON'T use ldap. It should work.

This will prove that FreeRADIUS works, and that the LDAP server doesn't work.

Alan DeKok.

WPA Authentication
Hi

I have followed the instructions in /etc/raddb/certs to generate root, server and client certificates. I copied root.der and client.p12 to the XP machine and managed to install them without any problems on XP. I had configured a Proxim AP 700 with WPA authentication. When I click on SSID palstaff I get a pop-up to select the client devin...@palettemm.com. When I ran radiusd -X I get some strange error in SSL. I need your assistance on this.

[files] users: Matched entry devin...@palettemm.com at line 94
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] TLS 1.0 Handshake [length 03b2], Certificate
-- verify error:num=20:unable to get local issuer certificate
[tls] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - devin...@palettemm.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 126 to 203.121.4.59 port 6001
    EAP-Message = 0x04070004
    Message-Authenticator = 0x
Waking up in 3.8 seconds.
Cleaning up request 0 ID 120 with timestamp +781
Cleaning up request 1 ID 121 with timestamp +781
Cleaning up request 2 ID 122 with timestamp +781
Cleaning up request 3 ID 123 with timestamp +781
Cleaning up request 4 ID 124 with timestamp +781
Cleaning up request 5 ID 125 with timestamp +781
Waking up in 1.0 seconds.
Cleaning up request 6 ID 126 with timestamp +781
Ready to process requests.

Devinder

Re: new to freeRADIUS - Help
On 03.08.2009 at 21:46, Radius Master wrote:
> Hi,
> I am in the process of setting up freeRADIUS on Mac OSX. We're a small group looking into becoming a WISP. Can anyone tell me if there is a RAS that runs on OSX?

If by RAS you mean remote access, then MacOSX has plenty of them:
- ssh
- (direct) remote desktop client (MacOS 10.5; see in Finder)
- remote desktop per iChat (MacOS 10.5)

> The install of freeRADIUS itself seems to have gone smoothly, and I installed MySQL 5.1 as well, no hitches. I have not, tho, found out how to tell if freeRADIUS is actually running or not.

If by "actually running or not" you mean that a user could check, then use:

ps ax

If you mean that a program should check, I am not sure. A shell script could use ps, fgrep and co to do that.

> Thanks in advance for all help.

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe

LDAP (Was: urgent)
> The output seems relatively obvious. FreeRADIUS tries to contact the LDAP server, and then everything stops.
> Install an LDAP server that works.

There is really a need for more LDAP-FreeRadius beginner documentation :-P

Re: Decoupled accounting
Hi Ivan

Thanks. Yes, I have double-clicked on the ca.der file and client.p12; both were installed successfully. I also managed to set up my SSID palstaff, and when I click on the SSID I see a pop-up window on my wireless LAN asking for my username on the certificate. I selected devin...@palettemm.com from the combo drop-down list and clicked OK. When I click OK, radius reports the following error:

TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - devin...@palettemm.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 133 to 203.121.4.59 port 6001
    EAP-Message = 0x040a0004
    Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 0 ID 127 with timestamp +18
Cleaning up request 1 ID 128 with timestamp +18
Cleaning up request 2 ID 129 with timestamp +18
Cleaning up request 3 ID 130 with timestamp +18
Cleaning up request 4 ID 131 with timestamp +18
Waking up in 0.2 seconds.
Cleaning up request 5 ID 132 with timestamp +18
Waking up in 1.0 seconds.
Cleaning up request 6 ID 133 with timestamp +19
Ready to process requests.

2009/8/4 Ivan Kalik t...@kalik.net:
>> I managed to follow the steps in /etc/raddb/certs/README and copied ca.der and client.p12 to the XP machine
>
> It looks like you have copied them but not installed them in the certificate store. Double-click the certificates and install them first.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Devinder

Re: Decoupled accounting
OK, I took your advice and yes, it's a different error now:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 203.121.4.59 port 6001, id=134, length=181
    User-Name = devin...@palettemm.com
    NAS-IP-Address = 203.121.4.59
    Called-Station-Id = 00-20-a6-6c-49-9d:palstaff
    Calling-Station-Id = 00-04-23-7b-56-b9
    NAS-Identifier = ORiNOCO-AP-700-6c-49-9d
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0203001b01646576696e6465724070616c657474656d6d2e636f6d
    Message-Authenticator = 0xb7f29ed2232abda7b5b24bb131883617
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm palettemm.com for User-Name = devin...@palettemm.com
[suffix] No such realm palettemm.com
++[suffix] returns noop
[eap] EAP packet type response id 3 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry devin...@palettemm.com at line 94
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 134 to 203.121.4.59 port 6001
    EAP-Message = 0x010400160410edd3007f1e599b71120693ed62eaee7c
    Message-Authenticator = 0x
    State = 0x17b5db9117b1dfd16583cca5ed9db022
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 134 with timestamp +1
Ready to process requests.

Re: Decoupled accounting
Hi Ivan

I still get the same error now:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] TLS 1.0 Handshake [length 03b2], Certificate
-- verify error:num=20:unable to get local issuer certificate
[tls] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - devin...@palettemm.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 141 to 203.121.4.59 port 6001
    EAP-Message = 0x04070004
    Message-Authenticator = 0x
Waking up in 3.8 seconds.
Cleaning up request 1 ID 135 with timestamp +120
Cleaning up request 2 ID 136 with timestamp +120
Cleaning up request 3 ID 137 with timestamp +120
Cleaning up request 4 ID 138 with timestamp +120
Cleaning up request 5 ID 139 with timestamp +120
Cleaning up request 6 ID 140 with timestamp +120
Waking up in 1.0 seconds.
Cleaning up request 7 ID 141 with timestamp +120
Ready to process requests.

Re: Simutaneus Check Query in FR2?
> I think you do not understand why you use radutmp. If you use a DB system, then you needn't use a flat file to save the session log. Look at the radacct table.

Thanks. I understand that, but I was just concerned about unwanted side effects in case other tools are using that. I got the idea. Thanks again.

--
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3

Re: LDAP (Was: urgent)
Rakotomandimby Mihamina wrote:
>> The output seems relatively obvious. FreeRADIUS tries to contact the LDAP server, and then everything stops.
>> Install an LDAP server that works.
>
> There is really a need for more LDAP-FreeRadius beginner documentation :-P

Like how to run an LDAP server that responds to queries? That isn't a RADIUS question.

The O'Reilly OpenLDAP book has 10 or so pages on FreeRADIUS. It's pretty good.

But the documentation that is *included* with FreeRADIUS should be sufficient. It looks like you followed it enough to get the server talking to LDAP... at which point your LDAP server failed. That can't be solved through more FreeRADIUS documentation.

Alan DeKok.

Re: LDAP PEAPv0/MSCHAPv2 Authentication
Nicholas Cappelletti wrote:
> After a little trial and error, and not changing anything on the wireless client side, I got FreeRADIUS to use mschap, but I'm now getting this error:
>
> [mschap] No MS-CHAP-Challenge in the request
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} - nick
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
>
> I didn't have anything in the LDAP database for the user, but once I added radiusAuthType mschap, I am not being rejected, which is better than nothing I guess.

DON'T DO THAT. Setting Auth-Type manually will break the server. (Almost always).

> Again, when I'm using the users file, I have no issue authenticating. Is there something more I have to add to the users to allow this to work? Again, thanks for the help and/or guidance.

Ensure that LDAP returns a clear-text password to FreeRADIUS. All of the authentication methods will work.

Alan DeKok.

Re: Decoupled accounting
Hi Ivan,

OK, could you let me know what I need to alter in the Makefile? I just want to make sure I don't do something wrong here. What are the steps that I need to take to do this? I can see a Makefile in /etc/raddb/certs.

Thanks
Devinder

2009/8/4 Ivan Kalik t...@kalik.net:
> OK, I think this is the issue where Windows refuses to accept the server certificate as the intermediate CA. You should alter the Makefile in certs to sign client certificates with the CA and not the server certificate.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: Decoupled accounting
OK, once I have made the changes, should I repeat the steps in /etc/raddb/README to generate the certs, server and client, once again?

2009/8/4 Ivan Kalik t...@kalik.net:
>> OK, could you let me know what I need to alter in the Makefile? I just want to make sure I don't do something wrong here. What are the steps that I need to take to do this? I can see a Makefile in /etc/raddb/certs.
>
> I don't know much about makefiles. I have altered one using the hit-and-miss method. Alter the client section like this:
>
> client.csr client.key: client.cnf
> 	openssl req -new -out client.csr -keyout client.key -config ./client.cnf
>
> client.crt: client.csr ca.pem ca.key index.txt serial
> 	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
>
> client.p12: client.crt
> 	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
>
> client.pem: client.p12
> 	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
> 	cp client.pem $(USER_NAME).pem
>
> .PHONY: server.vrfy
> client.vrfy: ca.pem client.pem
> 	c_rehash .
> 	openssl verify -CApath . client.pem
>
> Ivan Kalik
> Kalik Informatika ISP

--
Devinder

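Added example, not part of the original thread and not the FreeRADIUS certs/Makefile: the "verify error:num=20" failure discussed above, reproduced with throwaway keys for a client certificate issued by the server certificate, next to a client certificate issued directly by the CA as in Ivan's Makefile change. All file names, subject names and the helper functions make_pki, verify_client and verify_client_with_chain are constructed for this illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed illustration with throwaway keys; not the FreeRADIUS certs/Makefile.
# A verifier that trusts only ca.pem (as the RADIUS server in this thread does)
# is given two client certificates: one issued by the server certificate and
# one issued directly by the CA.

# make_pki DIR: create ca.pem, server.pem and both client certificates in DIR.
make_pki() (
    cd "$1" || exit 1

    # Minimal request config, so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Example Demo CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > req.cnf
    # The server certificate is used as an issuer below, so it is marked CA:TRUE.
    printf '%s\n' 'basicConstraints = CA:TRUE' > server.ext
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = clientAuth' > client.ext

    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config req.cnf \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1

    # Server certificate, signed by the CA.
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -subj '/CN=Example RADIUS Server' \
        -keyout server.key -out server.csr 2>/dev/null || exit 1
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
        -days 2 -extfile server.ext -out server.pem 2>/dev/null || exit 1

    # One client key and request, signed twice with different issuers.
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -subj '/CN=user@example.org' \
        -keyout client.key -out client.csr 2>/dev/null || exit 1
    # (a) issuer = server certificate
    openssl x509 -req -in client.csr -CA server.pem -CAkey server.key -set_serial 2 \
        -days 2 -extfile client.ext -out client-via-server.pem 2>/dev/null || exit 1
    # (b) issuer = CA
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 3 \
        -days 2 -extfile client.ext -out client-via-ca.pem 2>/dev/null || exit 1
)

# verify_client DIR CERT: verify CERT with ca.pem as the only trust anchor
# and no intermediate certificates available.
verify_client() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2" 2>&1
}

# verify_client_with_chain DIR CERT: same trust anchor, but the verifier is
# also handed server.pem as an untrusted intermediate.
verify_client_with_chain() {
    openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" "$1/$2" 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }

    echo "== client cert issued by the server cert, verifier has ca.pem only =="
    verify_client "$d" client-via-server.pem \
        || echo "-> rejected, same error number as in the radiusd -X output"

    echo "== same cert, verifier is also given server.pem as intermediate =="
    verify_client_with_chain "$d" client-via-server.pem

    echo "== client cert issued directly by the CA, verifier has ca.pem only =="
    verify_client "$d" client-via-ca.pem

    rm -rf "$d"
}

demo
```
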
Re: WPA
Hi Ivan

These are the changes made to the Makefile:

client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem

OK, I am about to redo the certificates. Do I need to delete any files from the /certs directory?

2009/8/4 Devinder Singh devinbhul...@gmail.com:
> Ok
>
> 2009/8/4 Ivan Kalik t...@kalik.net:
>>> OK, once I have made the changes, should I repeat the steps in /etc/raddb/README to generate the certs, server and client, once again?
>>
>> Yes, make certificates again.
>>
>> Ivan Kalik
>> Kalik Informatika ISP

--
Devinder

Re: Decoupled accounting
Hi Ivan,

Before I generate the certificates, do I need to delete any files from the /etc/raddb/certs folder?

Devinder

2009/8/4 Ivan Kalik t...@kalik.net:
>> Ok, once I have made the changes, should I repeat the steps in the /etc/raddb/README to generate the certs, server and client, once again?
>
> Yes, make certificates again.
>
> Ivan Kalik
> Kalik Informatika ISP

-- Devinder
radius.log with timestamp in filename
Hi all,

I'm using FreeRADIUS Version 2.0.4 and I would like to have timestamps within the filename of the radius.log, i.e. radius.log-20090804.

For the other logfiles, like the detailfile, this is the default setting in the radiusd.conf:

detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

In good faith I have tried the same thing with the radius.log...

file = ${logdir}/radius.log-%Y%m%d

but it didn't work. Freeradius then creates a logfile with the explicit name radius.log-%Y%m%d, but not with the timestamp of the actual day.

Can anyone help? Thanks in advance!
Re: freeradius upgrade
Alexandre Chapellon wrote:
> I am wondering if I shall upgrade now to 2.1.6 or wait until the next coming 2.1.7 release.
> What are the new features, improvements, or bug fixes that should come with 2.1.7?

I've put the preliminary ChangeLog below.

> Is there Major leaks in 2.1.6?

Not that I'm aware of.

Here's the preliminary changelog for 2.1.7:

Feature improvements
* Full support for CoA and Disconnect packets as per RFC 3576 and RFC 5176. Both receiving and proxying CoA is supported.
* Added src_ipaddr configuration to home_server. See proxy.conf for details.
* radsniff now accepts -I, to read from a filename instead of a device.
* radsniff also prints matching requests and any responses to those requests when '-r' is used.
* Added example of attr_filter for Access-Challenge packets
* Added support for udpfromto in DHCP code
* radmin can now selectively mark modules alive/dead. See set module state.
* Added customizable messages on login success/fail. See msg_goodpass msg_badpass in log{} section of radiusd.conf
* Document chase_referrals and rebind in raddb/modules/ldap
* Preliminary implementation of DHCP relay.
* Made thread pool section optional. If it doesn't exist, The server will run single-threaded.
* Added sample radrelay.conf for people upgrading from 1.x
* Made proxying more stable by failing over, rather than rejecting the first request. See response_window in proxy.conf
* Add dictionary.iea (closes bug #7)

Bug fixes
* Fixed corner case where proxied packets could have extra character in User-Password attribute. Fix from Niko Tyni.
* Extended size of attribute field in SQL to 64.
* Fixes to ruby module to be more careful about when it builds.
* Updated Perl module configure script to check for broken Perl installations.
* Fix status_check = none. It would still send packets in some cases.
* Set recursive flag on the proxy mutex, which enables safer cleanup on some platforms.
* Copy the EAP username verbatim, rather than escaping it.
* Update handling so that robust-proxy-accounting works when all home servers are down for extended periods of time.
* Look for DHCP option 53 anywhere in the packet, not just at the start.
* Mark proxy mutex as recursive. This solves issues on exit with some platforms.
* Fix processing of proxy fail handler with virtual servers.
* DHCP code now prints out correct src/dst IP addresses when sending packets.
* Removed requirement for DHCP to have clients
* Fixed handling of packets with message-type buried in the packet
* Fixed corner case with negation in unlang.
* Minor fixes to default MySQL PostgreSQL schemas
* Suppress MSCHAP complaints in debugging mode.
* Fix SQL module for multiple instance, and possible crash on HUP
* Fix permissions for radius.log for sites that change user/group, but which don't create the file before starting radiusd.
* Fix double counting of packets when proxying
* Make %l work
* Fix pthread keys in rlm_perl
* Log reasons for EAP failure (closes bug #8)
* Load home servers and pools that aren't referenced from a realm.
Re: radius.log with timestamp in filename
RadiusGuy wrote:
> In good faith I have tried the same thing with the radius.log...
>
> file = ${logdir}/radius.log-%Y%m%d
>
> but it didn't work. Freeradius then creates a logfile with the explicit name radius.log-%Y%m%d, but not with the timestamp of the actual day.
>
> Can anyone help?

Write a cron job to rename the file.

Dynamically expanding the filename for *every* log message is an enormous waste of time. The filename changes only once a day, so it should be renamed only once a day.

Alan DeKok.
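One way to write the cron job Alan DeKok suggests in the reply above, as an added example that is not part of the thread or of FreeRADIUS: a POSIX sh function that renames radius.log once a day and recreates it with restrictive permissions. The function name, the 640 mode, the RADIUS_LOG_OWNER variable and the crontab path are assumptions; whether radiusd must be signalled or restarted before it writes to the new file depends on the version and is left to the operator.

```shell
#!/bin/sh
# Added example (not from the thread): once-a-day rename of radius.log.
# Function name, file mode and RADIUS_LOG_OWNER are assumptions.
#
# Hypothetical crontab entry, run just before midnight so the stamp matches
# the day the entries were written:
#   59 23 * * * /usr/local/sbin/rotate-radius-log.sh --run /var/log/radius

# rotate_radius_log LOGDIR [STAMP]
# Return codes: 0 rotated, 1 nothing to rotate or I/O failure,
#               2 target for that day already exists, 3 invalid STAMP.
rotate_radius_log() {
    logdir=$1
    stamp=${2:-$(date +%Y%m%d)}
    src="$logdir/radius.log"
    dst="$src-$stamp"

    # Accept only YYYYMMDD-shaped stamps so the new name stays inside LOGDIR.
    case $stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 3 ;;
    esac

    # Rotate only a regular, non-empty file. A symlink is refused so the job
    # (usually run as root) cannot be steered into renaming another file.
    if [ ! -f "$src" ] || [ -L "$src" ] || [ ! -s "$src" ]; then
        return 1
    fi

    # Never overwrite an earlier log for the same day.
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        return 2
    fi

    mv "$src" "$dst" || return 1

    # Recreate an empty log that is not world-readable (mode 640): radius.log
    # can contain user names and, with some settings, passwords.
    ( umask 027 && : > "$src" ) || return 1

    # When cron runs this as root but radiusd runs as another user, hand the
    # new file back to that user, e.g. RADIUS_LOG_OWNER=radiusd:radiusd.
    if [ -n "${RADIUS_LOG_OWNER:-}" ]; then
        chown "$RADIUS_LOG_OWNER" "$src" || return 1
    fi
    return 0
}

# Command-line entry point for cron: script.sh --run LOGDIR
if [ "${1:-}" = "--run" ]; then
    rotate_radius_log "${2:?usage: $0 --run LOGDIR}"
    exit $?
fi
```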
RE: Freeradius and memory usage
Alan DeKok wrote:
> Roy Kartadinata wrote:
>> An update on this issue, I was finally able to split the detail file log into hourly by adding another entry to modules/detail.log file. So far the memory usage is still increasing but in a much slower rate.
>
> That helps narrow it down a bit. But it's still a bit worrying. I'll see if I can find out any leaks in the code...

Do you need any other information from me to help you with finding the leaks?

> Alan DeKok.

Cheers,
Roy Kartadinata
Re: reject group
I was wrong.

In your radgroupreply put:

+----+-----------+---------------+----+-------------------+
| id | GroupName | Attribute     | op | Value             |
+----+-----------+---------------+----+-------------------+
| 8  | locked    | Reply-Message | := | Account is locked |
+----+-----------+---------------+----+-------------------+

In your radgroupcheck put:

+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value  |
+----+-----------+-----------+----+--------+
| 1  | locked    | Auth-Type | == | Reject |
+----+-----------+-----------+----+--------+

Didn't have morning coffee at the time of my first post :)

Igor Smitran wrote:
> Define group in your database. In radgroupreply put Auth-Type := Reject
>
> hashim zayed wrote:
>> Hi all:
>> I am using freeradius with mysql. I want to create a group with a default reject response, so when I put a user in this group he gets access-reject from freeradius.
Re: Wind XP supplicant Domain//Username
On 08/03/2009 04:13 PM, Ivan Kalik wrote:
>> ...
>> filter = (uid=%u)
>> ...
>
> Put ldap filter back to what it was. Enable ntdomain in inner-tunnel. Create local realm LINUX in proxy.conf:
>
> realm LINUX {
> }
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks Ivan this worked great.

--
Mark Saner
System Administrator
Hustler Turf Equipment
msa...@hustlerturf.com
IS ext. 192
Per ext. 205
(620)327-1205
www.hustlerturf.com
freeradius with cisco vpn client
Hi List,

I need to replace an old vpn solution with freeradius. The clients connect to a Cisco NAS, which authenticates them with the old radius software, which uses LDAP as backend. The clients use Cisco VPN client. This is the present, and it works.

The future should be: Cisco VPN client, Cisco NAS, freeradius and ldap. The freeradius server is installed and configured, it can process requests from command line.

The problem is that the Cisco VPN client uses a group name+password pair. The username is given to the NAS with the password cisco, and the username/password pair should be entered after this. How is this possible with freeradius? I'm using version 1.1.

Tbor
Re: reject group
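> In your radgroupreply put:
>
> +----+-----------+---------------+----+-------------------+
> | id | GroupName | Attribute     | op | Value             |
> +----+-----------+---------------+----+-------------------+
> | 8  | locked    | Reply-Message | := | Account is locked |
> +----+-----------+---------------+----+-------------------+
>
> In your radgroupcheck put:
>
> +----+-----------+-----------+----+--------+
> | id | GroupName | Attribute | op | Value  |
> +----+-----------+-----------+----+--------+
> | 1  | locked    | Auth-Type | == | Reject |
> +----+-----------+-----------+----+--------+

That should also be :=.

Ivan Kalik
Kalik Informatika ISP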
Re: reject group
thank you very much Ivan, it works

2009/8/4 Ivan Kalik t...@kalik.net:
>> In your radgroupreply put:
>>
>> +----+-----------+---------------+----+-------------------+
>> | id | GroupName | Attribute     | op | Value             |
>> +----+-----------+---------------+----+-------------------+
>> | 8  | locked    | Reply-Message | := | Account is locked |
>> +----+-----------+---------------+----+-------------------+
>>
>> In your radgroupcheck put:
>>
>> +----+-----------+-----------+----+--------+
>> | id | GroupName | Attribute | op | Value  |
>> +----+-----------+-----------+----+--------+
>> | 1  | locked    | Auth-Type | == | Reject |
>> +----+-----------+-----------+----+--------+
>
> That should also be :=.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: new to freeRADIUS - Help
Hi Nicolas,

Thanks so much for your answer. What I meant was, in the terminal, what can I type as a test to get a response from a running instance of freeradius.

By RAS, I mean Remote Access Server, also known as a Network Access Server. As I understand it, the PPPoE users first hit the RAS, then the RAS passes the query off to freeRadius, then freeRadius tells the RAS what to do based on the user's validity, and the RAS either accepts or rejects the user. Do I have the concept right? And if so, do you or anyone know of a RAS software that will run on OS X?

Another question I have: when I spoke briefly to the folks at Network RADIUS, they told me that freeRadius includes the required db schema for mySQL. When I installed mySQL 5.1, there was a db in there that I didn't recognize, called information_schema, comprised of 28 tables. Is this it, or is there something special I need to do to enable the schema, as I understand from the docs that freeRadius will work with almost any datasource including flatfiles.

Thanks in advance.

PS, if you're wondering if I'm aware of the irony in my name, the answer is yes ;)

On Tue, Aug 4, 2009 at 3:35 AM, Nicolas Goutte nicolas.gou...@extragroup.de wrote:
> On 03.08.2009 at 21:46, Radius Master wrote:
>> Hi,
>> I am in the process of setting up freeRADIUS on Mac OSX. We're a small group looking into becoming a WISP. Can anyone tell me if there is a RAS that runs on OSX?
>
> If by RAS, you mean remote access, then MacOSX has plenty of them:
> - ssh
> - (direct) remote desktop client (MacOS 10.5; see in Finder)
> - remote desktop per iChat (MacOS 10.5)
>
>> The install of freeRADIUS itself seems to have gone smoothly, and I installed MySQL 5.1 as well, no hitches. I have not, tho, found out how to tell if freeRADIUS is actually running or not.
>
> If by actually running or not, you mean that a user could check then use:
> ps ax
>
> If you mean that a program should check I am not sure. A shell script could use ps, fgrep and co to do that.
>
>> Thanks in advance for all help.
>
> Have a nice day!
>
> Nicolas Goutte
> extragroup GmbH - Karlsruhe
> Waldstr. 49
> 76133 Karlsruhe
> Germany
> Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> Register court: Amtsgericht Münster / HRB: 5624
> Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: freeradius upgrade
will this also be fixed?
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg55702.html

Original Message
> Date: Tue, 04 Aug 2009 12:07:08 +0200
> From: Alan DeKok al...@deployingradius.com
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: freeradius upgrade
>
> Alexandre Chapellon wrote:
>> I am wondering if I shall upgrade now to 2.1.6 or wait until the next coming 2.1.7 release.
>> What are the new features, improvements, or bug fixes that should come with 2.1.7?
>
> I've put the preliminary ChangeLog below.
>
>> Is there Major leaks in 2.1.6?
>
> Not that I'm aware of.
>
> Here's the preliminary changelog for 2.1.7:
>
> Feature improvements
> * Full support for CoA and Disconnect packets as per RFC 3576 and RFC 5176. Both receiving and proxying CoA is supported.
> * Added src_ipaddr configuration to home_server. See proxy.conf for details.
> * radsniff now accepts -I, to read from a filename instead of a device.
> * radsniff also prints matching requests and any responses to those requests when '-r' is used.
> * Added example of attr_filter for Access-Challenge packets
> * Added support for udpfromto in DHCP code
> * radmin can now selectively mark modules alive/dead. See set module state.
> * Added customizable messages on login success/fail. See msg_goodpass msg_badpass in log{} section of radiusd.conf
> * Document chase_referrals and rebind in raddb/modules/ldap
> * Preliminary implementation of DHCP relay.
> * Made thread pool section optional. If it doesn't exist, The server will run single-threaded.
> * Added sample radrelay.conf for people upgrading from 1.x
> * Made proxying more stable by failing over, rather than rejecting the first request. See response_window in proxy.conf
> * Add dictionary.iea (closes bug #7)
>
> Bug fixes
> * Fixed corner case where proxied packets could have extra character in User-Password attribute. Fix from Niko Tyni.
> * Extended size of attribute field in SQL to 64.
> * Fixes to ruby module to be more careful about when it builds.
> * Updated Perl module configure script to check for broken Perl installations.
> * Fix status_check = none. It would still send packets in some cases.
> * Set recursive flag on the proxy mutex, which enables safer cleanup on some platforms.
> * Copy the EAP username verbatim, rather than escaping it.
> * Update handling so that robust-proxy-accounting works when all home servers are down for extended periods of time.
> * Look for DHCP option 53 anywhere in the packet, not just at the start.
> * Mark proxy mutex as recursive. This solves issues on exit with some platforms.
> * Fix processing of proxy fail handler with virtual servers.
> * DHCP code now prints out correct src/dst IP addresses when sending packets.
> * Removed requirement for DHCP to have clients
> * Fixed handling of packets with message-type buried in the packet
> * Fixed corner case with negation in unlang.
> * Minor fixes to default MySQL PostgreSQL schemas
> * Suppress MSCHAP complaints in debugging mode.
> * Fix SQL module for multiple instance, and possible crash on HUP
> * Fix permissions for radius.log for sites that change user/group, but which don't create the file before starting radiusd.
> * Fix double counting of packets when proxying
> * Make %l work
> * Fix pthread keys in rlm_perl
> * Log reasons for EAP failure (closes bug #8)
> * Load home servers and pools that aren't referenced from a realm.
assignment signs(=,==,:=)
please could you tell me what is the difference between ('=','==',':=') in the freeradius world, it confused me ...
Re: new to freeRADIUS - Help
On 04.08.2009 at 17:13, Radius Master wrote:
> Hi Nicolas,
>
> Thanks so much for your answer. What I meant was, in the terminal, what can I type as a test to get a response from a running instance of freeradius.
>
> By RAS, I mean Remote Access Server, also known as a Network Access Server. As I understand it, the PPPoE users first hit the RAS, then the RAS passes the query off to freeRadius, then freeRadius tells the RAS what to do based on the user's validity, and the RAS either accepts or rejects the user. Do I have the concept right? And if so, do you or anyone know of a RAS software that will run on OS X?

Ah, then I have misunderstood you. Sorry that I could not help you.

Perhaps this answer can bring you further:
http://lists.freeradius.org/pipermail/freeradius-users/2009-January/msg00515.html

> Another question I have: when I spoke briefly to the folks at Network RADIUS, they told me that freeRadius includes the required db schema for mySQL. When I installed mySQL 5.1, there was a db in there that I didn't recognize, called information_schema, comprised of 28 tables. Is this it, or is there something special I need to do to enable the schema, as I understand from the docs that freeRadius will work with almost any datasource including flatfiles.
>
> Thanks in advance.
>
> PS, if you're wondering if I'm aware of the irony in my name, the answer is yes ;)

Have a nice day!

> On Tue, Aug 4, 2009 at 3:35 AM, Nicolas Goutte nicolas.gou...@extragroup.de wrote:
>> On 03.08.2009 at 21:46, Radius Master wrote:
>>> Hi,
>>> I am in the process of setting up freeRADIUS on Mac OSX. We're a small group looking into becoming a WISP. Can anyone tell me if there is a RAS that runs on OSX?
>>
>> If by RAS, you mean remote access, then MacOSX has plenty of them:
>> - ssh
>> - (direct) remote desktop client (MacOS 10.5; see in Finder)
>> - remote desktop per iChat (MacOS 10.5)
>>
>>> The install of freeRADIUS itself seems to have gone smoothly, and I installed MySQL 5.1 as well, no hitches. I have not, tho, found out how to tell if freeRADIUS is actually running or not.
>>
>> If by actually running or not, you mean that a user could check then use:
>> ps ax
>>
>> If you mean that a program should check I am not sure. A shell script could use ps, fgrep and co to do that.
>>
>>> Thanks in advance for all help.
>>
>> Have a nice day!
>>
>> Nicolas Goutte
>> extragroup GmbH - Karlsruhe
>> Waldstr. 49
>> 76133 Karlsruhe
>> Germany
>> Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
>> Register court: Amtsgericht Münster / HRB: 5624
>> Tax no.: 337/5903/0421 / VAT ID: DE 204607841

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: freeradius upgrade
Sebastian Heil wrote:
> will this also be fixed?
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg55702.html

In commit 7839f54f422362b81d4f0ee5487a34870295c16b, June 25.

Alan DeKok.
Re: assignment signs(=,==,:=)
hashim zayed wrote:
> please could you tell me what is the difference between ('=','==',':=') in the freeradius world, it confused me ...

See the documentation. This *is* documented.

Alan DeKok.
Re: urgent
U are right! It works with the userfile! I don't know exactly what's wrong because the LDAP server works with another application: it means that maybe the problem is in the configuration! (I followed the faq!) Help!

2009/8/4 Alan DeKok al...@deployingradius.com
> RANDRIAMAMPIONONA José Johnny wrote:
>> Hi everyone,
>> I've just set up freeradius-server 2.1.6 + OpenLdap. Everything seems to be cool without the output which looks like contradictory. The */output of radtest blabla ect ../* proves that there is no response from the server. Then the server gives these lines:
>> ...
>> Sun Aug 2 14:37:09 2009 : Info: [ldap] login attempt by ytabaa with password coucou
>> Sun Aug 2 14:37:09 2009 : Info: [ldap] user DN: uid=ytabaa,ou=People,dc=uae,dc=ac,dc=ma
>> Sun Aug 2 14:37:09 2009 : Debug: rlm_ldap: (re)connect to ldap.uae.ac.ma:389, authentication 1
>> Sun Aug 2 14:37:09 2009 : Debug: rlm_ldap: bind as uid=ytabaa,ou=People,dc=uae,dc=ac,dc=ma/passwd to ldap.uae.ac.ma:389
>>
>> Does anyone know what's wrong in my configuration?
>
> The output seems relatively obvious. FreeRADIUS tries to contact the LDAP server, and then everything stops.
>
> Install an LDAP server that works.
>
>> Is it the expiration in the configuration file that I have to expand (what file?) to give the server a possibility to respond?
>
> Follow the example in the FAQ, add an entry in the users file, and DON'T use ldap. It should work. This will prove that FreeRADIUS works, and that the LDAP server doesn't work.
>
> Alan DeKok.

--
JJohnny R.
vasian...@gmail.com
RE: realm matching and multiple eap types
> Upgrade. This is easy to do with unlang in 2.x. :)

Hint taken.

Thanks
Paul
Re: urgent
08/04/2009 07:16 PM, RANDRIAMAMPIONONA José Johnny::
> U are right! It works with the userfile! I don't know exactly what's wrong because the LDAP server works with another application: it means that maybe the problem is in the configuration! (I followed the faq!) Help!

Now then it's more about:
http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
http://www.openldap.org/lists/

--
IT Architect: System Administration, Research and Development
+ 261 32 11 401 65
Re: urgent
thx I'll try again!

2009/8/4 Rakotomandimby Mihamina miham...@gulfsat.mg
> 08/04/2009 07:16 PM, RANDRIAMAMPIONONA José Johnny::
>> U are right! It works with the userfile! I don't know exactly what's wrong because the LDAP server works with another application: it means that maybe the problem is in the configuration! (I followed the faq!) Help!
>
> Now then it's more about:
> http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
> http://www.openldap.org/lists/
>
> --
> IT Architect: System Administration, Research and Development
> + 261 32 11 401 65

--
JJohnny R.
vasian...@gmail.com
RE: new to freeRADIUS - Help
> Another question I have: when I spoke briefly to the folks at Network RADIUS, they told me that freeRadius includes the required db schema for mySQL. When I installed mySQL 5.1, there was a db in there that I didn't recognize, called information_schema, comprised of 28 tables. Is this it, or is there something special I need to do to enable the schema, as I understand from the docs that freeRadius will work with almost any datasource including flatfiles.

Information_schema is a built-in database used to provide information about the mysql database server. You will have to import the required database schemas and configure the sql module to use MySQL as your datastore. See raddb/sql/mysql.
How to send accouting without expecting a response
Dear FreeRADIUS users,

I need to send a copy of all accounting RADIUS our FreeRADIUS receives to another FreeRADIUS that is configured to send no accounting response. How can I configure my proxy RADIUS to not expect a response for the requests our FreeRADIUS sends?

Appreciate any help.

Thanks,
Cristina Miyata
unable to connection freeradius with mysql
Hi, I am using freeradius2.1.6 and mysql5.0 on solaris10. Whenever I start the server with radiusd -X, I am getting the problem below. I think it is not connected to mysql. Please help me how to connect.

Note: I changed sql.conf site-available/defaults radiusd.conf ... .

Error showing below
===
Module: Instantiating sql
sql {
driver = rlm_sql_mysql
server = localhost
port =
login = radius
password = welcome
radius_db = radius
read_groups = yes
sqltrace = no
sqltracefile = /usr/local/var/log/radius/sqltrace.sql
readclients = no
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = %{User-Name}
default_user_profile =
nas_query = SELECT id, nasname, shortname, type, secret FROM nas
authorize_check_query = SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
authorize_reply_query = SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
authorize_group_check_query = SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
authorize_group_reply_query = SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
accounting_onoff_query = UPDATE radacct SET acctstoptime = '%S', acctsessiontime= unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime = '%S'
accounting_update_query =UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets= '%{%{Acct-Output-Gigawords}:-0}' 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username= '%{SQL-User-Name}' AND nasipaddress= '%{NAS-IP-Address}'
accounting_update_query_alt
=INSERT INTO radacct (acctsessionid,acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic,connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}') accounting_start_query =INSERT INTO radacct (acctsessionid,acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',