Re: Active Directory/freeradius/enterasys - combination
t.rob...@heidelberg.de wrote:
...
> Sending Access-Challenge of id 191 to 172.16.255.101 port 49169
>         EAP-Message = 0x010700b519003082a52b18d9963104cec8ab3f3ddc453b55e1519bcf57d5178ca7fbc8
>         1d20727b3d75c92c438dbafd9a5544e5443ad544f16869af57ef84883eebc730362387c9
>         e6357c18fcb15a8e862e2b6c2ea1871b8756414a7ba875ff9416143a5baf78b6a9f7c93d
>         c023f5edd6c8da55e646513482e5a39f9ccb7c480d68b7e965247b4accf8c1fa07b08368
>         80301de9e7058a5b891fd8f9e8443517e0eb83847723441ae98c447e7416030100040e00
>         Message-Authenticator = 0x
>         State = 0x113208ad153511cced08469153aa8038
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 187 with timestamp +63
> Cleaning up request 2 ID 188 with timestamp +63
...
> The server don't do ldap.
>
> What is my mistake ?

  Read the FAQ, and eap.conf.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: xsupplicant - freeradius EAP-TTLS PAP Access-Reject
Thanks Ivan, commenting out DEFAULT has worked for me.

Thanks,
Nagendra.

On Tue, Oct 13, 2009 at 8:52 PM, Ivan Kalik wrote:
>> freeradius version: FreeRADIUS Version 1.0.1
>
> That is seriously outdated. Upgrade.
>
>> Following is the output of freeRadius.
>> ...
>> users: Matched DEFAULT at 164
>> users: Matched test...@mynet.net at 235
>> modcall[authorize]: module "files" returns ok for request 5
>> modcall: group authorize returns ok for request 5
>> rad_check_password: Found Auth-Type System
>> auth: type "System"
> ...
>
> You are using much outdated freeradius version that has Auth-Type System
> enabled by default in users file. Comment that DEFAULT line out.
>
> Ivan Kalik
> Kalik Informatika ISP
RE: raddebug before 2.1.4
Got it. Thanks!

Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Tuesday, October 13, 2009 3:05 PM
To: FreeRadius users mailing list
Subject: Re: raddebug before 2.1.4

ZHANG Gina wrote:
> Where to get a copy of raddebug?

  It's included in all recent versions of the server.

  Alan DeKok.
Re: Munin Graphs
Hi,

> I've installed the freeradius_auth plugin
>
> added to plugins.conf
>
> [freeradius*]
> user root
>
> But still I get the following error when the plugin is run...
>
> radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock:
> Permission denied

edit the munin/plugins/freeradius* files and put the correct user into the
RADMIN= part. you really should NEVER be using the root user - simply use
the user that you run radiusd as (once again, should never be root) - check
the radiusd.sock to see who/what owns it
(ls -l /usr/local/var/run/radiusd/radiusd.sock)

alan
Munin Graphs
Hi,

I've installed the freeradius_auth plugin

added to plugins.conf

[freeradius*]
user root

But still I get the following error when the plugin is run...

radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: Permission denied

Any ideas?

Running direct from root works fine, just

[r...@vpn1 munin]# radmin -f /usr/local/var/run/radiusd/radiusd.sock -e "stats client auth"
requests        273
responses       273
accepts         206
rejects         67
challenges      0
dup             0
invalid         0
malformed       0
bad_signature   0
dropped         0
unknown_types   0

Thx
Nev
Re: error on log radius
thanks for the information, I thought that was an error because I never got this message

thank you

2009/10/13 Alan Buxey
> Hi,
>
>> i get this message
>>
>> Info: rlm_sql (sql): received Acct On/Off packet
>
> ??? your FR server received an accounting packet and
> your system is configured to use sql in the accounting
> section - what's the error?
>
> alan

--
Regards,
Alisson F. Gonçalves
Information Systems - UFGD
Re: error on log radius
Hi,

> i get this message
>
> Info: rlm_sql (sql): received Acct On/Off packet

??? your FR server received an accounting packet and
your system is configured to use sql in the accounting
section - what's the error?

alan
RE: FreeRadius, Cisco WLC, configuration
Jalil,

Refer to this page as it will be extremely helpful!

http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml

James Taylor

From: freeradius-users-bounces+jtaylor=fcip@lists.freeradius.org On Behalf Of Aziz, Jalil
Sent: Tuesday, October 13, 2009 2:12 PM
To: FreeRadius users mailing list
Subject: FreeRadius, Cisco WLC, configuration

Hello all,

I need help with FreeRadius and Cisco's WLC. Has anyone ever done this deployment before? Please help.

Regards,
Jalil
FreeRadius, Cisco WLC, configuration
Hello all,

I need help with FreeRadius and Cisco's WLC. Has anyone ever done this deployment before? Please help.

Regards,
Jalil
Re: raddebug before 2.1.4
ZHANG Gina wrote:
> Where to get a copy of raddebug?

  It's included in all recent versions of the server.

  Alan DeKok.
error on log radius
i get this message

Info: rlm_sql (sql): received Acct On/Off packet

--
Regards,
Alisson F. Gonçalves
Information Systems - UFGD
RE: raddebug before 2.1.4
Where to get a copy of raddebug?

Thanks,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Tuesday, October 13, 2009 10:46 AM
To: FreeRadius users mailing list
Subject: Re: raddebug before 2.1.4

marco perugini wrote:
> hi list! my simple question is: is there a way to use the
> powerful/wonderful raddebug script with version 2.1.1? or the only
> way is to start the server with -x option?

  It can't be used with 2.1.1. There are other changes inside of the server to work with raddebug.

  Alan DeKok.
wpa/wpa2 on logs
Hi,

Is there a way to log if a supplicant is using either wpa or wpa2?

Thanks in advance!

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
RE: Freeradius + OpenLdap + WindowsXP(Wifi)
> Have any idea ? Where can i find the solution ?
> When I try to connect to the freeradius server over a wireless
> access point I get this error:
> Tue Oct 13 12:00:45 2009 : Debug: rlm_eap_peap: Had sent TLV failure.
> User was rejcted rejected earlier in this session.

The error you're looking for is earlier than what you posted. Look at the previous round trip in the debug output to see why it failed.
Freeradius + OpenLdap + WindowsXP(Wifi)
Freeradius 1.1.7
Openldap
Windows XP SP2 (WPA-TKIP / Protected EAP (PEAP))

Have any idea ? Where can i find the solution ?

When I try to connect to the freeradius server over a wireless access point I get this error:

Tue Oct 13 12:00:45 2009 : Debug: Finished request 7
Tue Oct 13 12:00:45 2009 : Debug: Going to the next request
Tue Oct 13 12:00:45 2009 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.155.123:1812, id=77, length=117
        User-Name = "kleberl"
        NAS-IP-Address = 192.168.155.123
        NAS-Port-Type = Wireless-802.11
        State = 0xcdb24b80885193f00e1673d06eb7859c
        EAP-Message = 0x029600261900170301001b8cfe319046bdc5f99d42805f852d4695a57e722889822c7a01be3f
        Message-Authenticator = 0x9d1262ea1db0eca8f5ecaaee93e7ff1d
Tue Oct 13 12:00:45 2009 : Debug: Processing the authorize section of radiusd.conf
Tue Oct 13 12:00:45 2009 : Debug: modcall: entering group authorize for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modcall[authorize]: module "chap" returns noop for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modcall[authorize]: module "mschap" returns noop for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 8
Tue Oct 13 12:00:45 2009 : Debug:     rlm_realm: No '@' in User-Name = "kleberl", looking up realm NULL
Tue Oct 13 12:00:45 2009 : Debug:     rlm_realm: No such realm "NULL"
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modcall[authorize]: module "suffix" returns noop for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: - authorize
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: performing user authorization for kleberl
Tue Oct 13 12:00:45 2009 : Debug:     radius_xlat: '(uid=kleberl)'
Tue Oct 13 12:00:45 2009 : Debug:     radius_xlat: 'ou=People,dc=stars,dc=net'
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: ldap_get_conn: Got Id: 0
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: performing search in ou=People,dc=stars,dc=net, with filter (uid=kleberl)
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: looking for check items in directory...
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: looking for reply items in directory...
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: user kleberl authorized to use remote access
Tue Oct 13 12:00:45 2009 : Debug:     rlm_ldap: ldap_release_conn: Release Id: 0
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modcall[authorize]: module "ldap" returns ok for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap: EAP packet type response id 150 length 38
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modcall[authorize]: module "eap" returns updated for request 8
Tue Oct 13 12:00:45 2009 : Debug: modcall: leaving group authorize (returns updated) for request 8
Tue Oct 13 12:00:45 2009 : Debug:   rad_check_password: Found Auth-Type EAP
Tue Oct 13 12:00:45 2009 : Debug:   auth: type "EAP"
Tue Oct 13 12:00:45 2009 : Debug: Processing the authenticate section of radiusd.conf
Tue Oct 13 12:00:45 2009 : Debug: modcall: entering group authenticate for request 8
Tue Oct 13 12:00:45 2009 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 8
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap: Request found, released from the list
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap: EAP/peap
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap: processing type peap
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap_peap: Authenticate
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap_tls: processing TLS
Tue Oct 13 12:00:45 2009 : Debug:     eaptls_verify returned 7
Tue Oct 13 12:00:45 2009 : Debug:     rlm_eap_tls: Done initial handshake
Tue
Re: Odd proxy authentication failures
I don't suppose anyone has any ideas on this issue I posted, do they? If I missed something in the documentation for relaying, etc. it would be greatly appreciated if someone could point it out to me.

Michael Schlies
Re: raddebug before 2.1.4
marco perugini wrote:
> hi list! my simple question is: is there a way to use the
> powerful/wonderful raddebug script with version 2.1.1? or the only way
> is to start the server with -x option?

  It can't be used with 2.1.1. There are other changes inside of the server to work with raddebug.

  Alan DeKok.
Re: Authenticating access via caller-id or username/password
Hi There,

the authentication will take place based only on the calling station id.

in one scenario: the users use usernames and passwords.

in the second scenario, a device is authenticated on the calling-station-id as it has no username or password. the device is put into a different part of the network.

i was thinking of this:

sql_user_name = "%{User-Name:-%{Calling-Station-Id:-DENY}}"

the problem is that the NAS returns "VOID" as the username if it's left blank. seeing as i have to tie the username to something useful to make a select statement i guess i'm looking for a method to put the calling station id into the username field if the username is "VOID"

where would the best place for that be and how could it be done? I see some nifty UNLANG examples but none that work on run time substitutions.

Regards
John

On Tue, Oct 13, 2009 at 3:54 PM, Ivan Kalik wrote:
>> I now have to authenticate users based on username and password in one
>> instance
>
> That's easy, but ...
>
>> and solely calling-station-id in another.
>
> ... what does that mean? Each user can call from a specific callerID? Each
> user can call from a specific list of callerIDs? Every user can call from
> a list of (all) known callerIDs? Solution will depend on the policy.
>
> Ivan Kalik
> Kalik Informatika ISP
raddebug before 2.1.4
hi list!

my simple question is: is there a way to use the powerful/wonderful raddebug script with version 2.1.1? or the only way is to start the server with -x option?

thanks and regards,
marco

--
4IT S.r.l.
Marco Perugini | system administrator
Via Udine 30-36, 00161 Roma
Phone +39 06 97601680
Mobile +39 339.39.81.246
Fax +39 06 97601683
m.perug...@4it.it
www.4it.it

"This electronic mail transmission and any accompanying attachments contain confidential information. If you have received this communication in error, please immediately delete the E-mail and notify the sender. Thank you."
Re: xsupplicant - freeradius EAP-TTLS PAP Access-Reject
> freeradius version: FreeRADIUS Version 1.0.1

That is seriously outdated. Upgrade.

> Following is the output of freeRadius.
> ...
> users: Matched DEFAULT at 164
> users: Matched test...@mynet.net at 235
> modcall[authorize]: module "files" returns ok for request 5
> modcall: group authorize returns ok for request 5
> rad_check_password: Found Auth-Type System
> auth: type "System"
...

You are using much outdated freeradius version that has Auth-Type System
enabled by default in users file. Comment that DEFAULT line out.

Ivan Kalik
Kalik Informatika ISP
xsupplicant - freeradius EAP-TTLS PAP Access-Reject
Hi All,

Supplicant tries authentication with EAP-TTLS, TLS tunnel is established properly but Radius sends Access-Reject. Following are the xsupplicant.conf, eap.conf and radius output. radiusd.conf is not changed. It would be great if anyone could help in solving this issue or identify it.

Thanks,
Nagendra.

freeradius version: FreeRADIUS Version 1.0.1
xsupplicant version: 1.2.8

Following is my xsupplicant configuration:

eap-ttls {
        root_cert = /etc/raddb/certs/ca.pem
        phase2_type = pap
        pap {
                username = test...@mynet.net
                password = "test123"
        }
}

Following is my eap.conf configuration with freeradius:

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = nagendra
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}

Following is the output of freeRadius.

rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
        User-Name = "test...@mynet.net"
        NAS-Port = 68
        State = 0x31f6a6d18c0edbbe0a8135be701c9eff
        EAP-Message = 0x020e00801500170301002003c6f62435902b65dc7748b238fc47a7e5af9cfdbfed7ce3763b8a3830ac25a41703010050bd010059a58d0a9db18cb4df099dca43c1cadebca1672d9fb2b08a9131aa32b657e2d497196c130405e11396402abbcc130558325bc9ef888c19692d6ce7e2d736b463e6bfa09de4cacdc2511be08c20
        Message-Authenticator = 0x9b2ba395fe336634039600437f39e5e4
        Acct-Session-Id = "8O2.1x81680002"
        NAS-Port-Id = "ge-0/0/0.0"
        Calling-Station-Id = "00-30-48-8b-7f-ff"
        Called-Station-Id = "00-1f-12-3f-89-40"
        NAS-Identifier = "bng-l24f1-dev"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: EAP packet type response id 14 length 128
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched DEFAULT at 164
    users: Matched test...@mynet.net at 235
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "test...@mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "test...@mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 5
    users: Matched DEFAULT at 164
    users: Matched test...@mynet.net at 235
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type System
  auth: type "System"
ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
  rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next requ
RE: Improving Auth-Rate
Hi,

When you have 100 auths/sec rate, what protocol are you using?

Thanks,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org On Behalf Of Michael Schwartzkopff
Sent: Tuesday, October 13, 2009 5:25 AM
To: FreeRadius users mailing list
Subject: Re: Improving Auth-Rate

On Tuesday, 13 October 2009 12:18:24, kachin Agarwal wrote:
> Hi,
> I m trying to improve the auth rate.
> the auth-rate i m getting now is 3 i.e number of mobile units that can
> authenticate per minute is 3. So how can i increase it to 5 or something?
> Which part of the code should i focus on?
>
> Thanx

Hi,

somehow your setup is messed up. I have several 100 auths/sec on a quite standard hardware.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Registry court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: Active Directory/freeradius/enterasys - combination
> Now I need a username/password auth against AD.
> Ntlm-auth works very well.
>
> If I activate ldap in /etc/raddb/modules:
> The server don't do ldap.
>
> What is my mistake ?
>
> First the server should do a ntlm-auth and then check an ldap-group in
> AD.

How does that ldap-group check look like and where is it? BTW I don't see ntlm-auth on that debug either.

Ivan Kalik
Kalik Informatika ISP
Re: perl_rlm and differences FR 1 and 2
On 10/13/2009 01:57 AM, Alan DeKok wrote:
> David Jones wrote:
>> Thanks to some handy hints in here, I've had some success with rlm_perl.
>> But (and there is always a but) I've been happily developing against 2.x
>> but have just discovered I need to actually use 1.x because of RHEL.
>
> You can install version 2.x on RHEL.

http://wiki.freeradius.org/Red_Hat_FAQ

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Authenticating access via caller-id or username/password
> I now have to authenticate users based on username and password in one
> instance

That's easy, but ...

> and solely calling-station-id in another.

... what does that mean? Each user can call from a specific callerID? Each user can call from a specific list of callerIDs? Every user can call from a list of (all) known callerIDs? Solution will depend on the policy.

Ivan Kalik
Kalik Informatika ISP
Re: errors There are no DB handles to use and Discarding conflicting packet from client
Hi,

I still have the problems, I changed some variables, but the problem continues

2009/10/9 Marinko Tarlac
> This is not database list but here what you can do:
> - install sysbench and do some tests with your current settings
> - tunning-primer.sh (http://www.day32.com/MySQL/tuning-primer.sh),
> - mytop,
> - mysqlreport (http://hackmysql.com/mysqlreport) and
> - mysqltuner.pl (http://wiki.mysqltuner.com/MySQLTuner)
>
> Tools I mentioned above will help you to track down the bottleneck you have
> with your database.
>
> Of course, you have a task to find a problem and tell us about it :)
>
> Best regards
>
>
> Ivan Kalik wrote:
>
>>> ok.. but what I need to do on my DB?
>>
>> Is your database server/process running? Is database IP/port/user/password
>> correct in sql.conf? Is correct type of database selected? Is your
>> database configured to receive queries from radius server (ie. not
>> localhost) if they are not on the same machine? Have you created radius
>> database? Does user configured in radius have permissions to run queries
>> on radius database? Is there a firewall stopping traffic? Do you see
>> radius handles connected to the database server when you start radius
>> server?
>>
>> Should I go on?
>>
>> Ivan Kalik
>> Kalik Informatika ISP

--
Regards,
Alisson F. Gonçalves
Information Systems - UFGD
Re: acct_postgresql+auth_ldap
understood

2009/10/13 Rakotomandimby Mihamina
> 10/09/2009 04:05 PM, José Johnny RANDRIAMAMPIONONA::
>> Thank u guys!
>
> Please keep us in touch.
> and if you kept some history of what you've done,
> I am interested in.
>
> --
> IT Architect at Blueline/Gulfsat:
> System Administration, Research & Development
> +261 34 29 155 34

--
JJohnny RANDRIAMAMPIONONA
Phone: +212663682554, +212533158575
National School of Applied Sciences
ZIP 1818 TANGIER 9 - Morocco
RE: NAS ? What is the best option
Hi,

I am using MikroTik and I am very satisfied. However, it is not an easy device to configure and understand all its different configurations.

I do not understand why you have to use POD packets. If you do the configurations correctly and you have what you want to offer your users, I think you needn't it. Think twice what you want to offer!

The best devices are Cisco ones, but you have to prepare a good quantity of money. Not 200-300€, which a mikrotik costs.

Sincerely,
Santiago

> Date: Tue, 13 Oct 2009 01:29:40 +0200
> From: mangi...@gmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: NAS ? What is the best option
>
> I know that this list is not connected with any hardware vendor but I
> see that every couple days someone cries here NAS problems...
>
> I use Mikrotik and I'm not satisfied (duplicated packets, does not
> support POD correctly , etc)
>
> Also, yesterday I see that Cisco can be pain in the a*** too :)
>
> So, dear friends... What is the best solution for ISP (PPPoE)?
Authenticating access via caller-id or username/password
Good Day,

I've an interesting question. I currently authenticate users via caller-id for a static ip delivery system. I have had to change the "sql_user_name" to the "calling-station-id" attribute so that i can match the entries to so called usernames in the MYSQL database. This is working and works well as the username for authentication ends up being the caller id.

I now have to authenticate users based on username and password in one instance and solely calling-station-id in another.

the config i use in the "files" to authenticate a user on caller id is as follows:

DEFAULT Calling-Station-ID == "1234567890", Auth-Type := Accept
        Framed-IP-Address = 155.22.0.21
DEFAULT Calling-Station-ID == "2234567890", Auth-Type := Accept
        Framed-IP-Address = 155.22.0.22
DEFAULT Calling-Station-ID == "3234567890", Auth-Type := Accept
        Framed-IP-Address = 155.22.0.23
DEFAULT Calling-Station-ID == "4234567890", Auth-Type := Accept
        Framed-IP-Address = 155.22.0.24

the DEFAULT section has the framing types etc set.

How would i now do this in the MYSQL database as there is no way of tying the "username" to anything ?

Regards
John
dynamic crl fetching
Hello,

is or will there be a feature called "dynamic crl fetching" in FreeRADIUS 2.x ? Strongswan for example is able to fetch actual crls via http and ldap. In the wiki I could only find information about defining locally stored pem files.

regards,
Simon
Re: over 30 radiusd processes
Freeradius 2.1.6
Running on Redhat AS5 Update 3 with mysql-devel rpms added to enable mysql support.
Compiled with no options specified. (./configure ; make clean ; make ; make install)

Thanks,
-craig

----- Original Message -----
From: "Alan DeKok"
To: "FreeRadius users mailing list"
Sent: Tuesday, October 13, 2009 1:55 AM
Subject: Re: over 30 radiusd processes

Craig Campbell wrote:
> Up to 65 processes now
> Any ideas how to stop this from happening?

  Which version are you running?

  Alan DeKok.
Active Directory/freeradius/enterasys - combination
Hello, I know there was a thread with the same subject 3 years ago, but in addition we need MAC authentication (printers, ...), too. The MAC auth is ok:

Ready to process requests.
rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=98, length=158
        User-Name = "00-13-20-73-D0-45"
        Service-Type = Framed-User
        Called-Station-Id = "00-1F-45-19-9C-68"
        Calling-Station-Id = "00-13-20-73-D0-45"
        NAS-Identifier = "D2_Zi31_Tom"
        NAS-IP-Address = 172.16.255.101
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "ge.1.1"
        User-Password = "hdpasswd"
        Message-Authenticator = 0xc2baf30d011d595efa42357331abcc6c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] expand: %t -> Tue Oct 13 11:59:35 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00-13-20-73-D0-45", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "00-13-20-73-D0-45", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 213
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "hdpasswd"
[pap] Using clear text password "hdpasswd"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00-13-20-73-D0-45/hdpasswd] (from client 172.16.255.101 port 1 cli 00-13-20-73-D0-45)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 172.16.255.101 port 49169
        Framed-Filter-Id = "Enterasys:version=1:policy=Mitarbeiter"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 98 with timestamp +31
Ready to process requests.

Now I need a username/password auth against AD. Ntlm-auth works very well. If I activate ldap in /etc/raddb/modules:

rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=191, length=167
        User-Name = "DNT1\\testtom"
        Service-Type = Framed-User
        Called-Station-Id = "00-1F-45-19-9C-68"
        Calling-Station-Id = "00-13-20-73-D0-45"
        NAS-Identifier = "D2_Zi31_Tom"
        NAS-IP-Address = 172.16.255.101
        NAS-Port = 1
        NAS-Port-Id = "ge.1.1"
        Framed-MTU = 1500
        NAS-Port-Type = Ethernet
        State = 0x113208ad123411cced08469153aa8038
        EAP-Message = 0x020600061900
        Message-Authenticator = 0x27fe716e0b83c7d08f295275043550f4
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log] expand: %t -> Tue Oct 13 13:16:13 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom"
[ntdomain] Found realm "DNT1"
[ntdomain] Adding Stripped-User-Name = "testtom"
[ntdomain] Adding Realm = "DNT1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.16.255.101 port 49169
        EAP-Message = 0x010700b519003082a52b18d9963104cec8ab3f3ddc453b55e1519bcf57d5178ca7fbc8
        1d20727b3d75c92c438dbafd9a5544e5443ad544f16869af57ef84883eebc730362387c9
        e6357c18fcb15a8e862e2b6c2ea1871b8756414a7ba875ff9416143a5baf78b6a9f7c93d
        c023f5edd6c8da55e646513482e5a39f9ccb7c480d68b7e965247b4accf8c1fa07b08368
        80301de9e
Re: Improving Auth-Rate
> I'm trying to improve the auth rate.
> The auth-rate I'm getting now is 3, i.e. the number of mobile units that can
> authenticate per minute is 3.
> So how can I increase it to 5 or something?
> Which part of the code should I focus on?

What modules are you using? Chances are that the problem comes from an outside database (sql, ldap). Post a debug with timestamps (radiusd -Xx) that will show where the delay is.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
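An added example of what to look for in such a timestamped debug (not part of Ivan's reply and not FreeRADIUS code): it parses constructed debug lines in the format I assume radiusd -Xx prints ("<ctime> : Debug: <message>") and reports, per request id, the total time from rad_recv to the reply and the single step that took longest. The sample lines, the 19-second ldap step and the exact timestamp layout are assumptions.

```python
import re
from datetime import datetime

# Constructed debug lines; the "ctime : Debug: message" layout is assumed for radiusd -Xx.
# The ldap step is made to take 19 seconds so that it shows up as the delay.
SAMPLE = """\
Tue Oct 13 13:16:13 2009 : Debug: rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=191, length=167
Tue Oct 13 13:16:13 2009 : Debug: ++[preprocess] returns ok
Tue Oct 13 13:16:13 2009 : Debug: ++[files] returns ok
Tue Oct 13 13:16:32 2009 : Debug: ++[ldap] returns ok
Tue Oct 13 13:16:32 2009 : Debug: ++[pap] returns ok
Tue Oct 13 13:16:32 2009 : Debug: Sending Access-Accept of id 191 to 172.16.255.101 port 49169
"""
LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : \w+: (.*)$")
RECV = re.compile(r"rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
SENT = re.compile(r"Sending Access-(?:Accept|Reject|Challenge) of id (\d+) ")

def parse_lines(text):
    """Yield (datetime, message) for every timestamped debug line."""
    for line in text.splitlines():
        if m := LINE.match(line):
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)

def request_timings(text):
    """Per request id: seconds from rad_recv to the reply, plus the slowest step
    as (gap in seconds, debug line that ended the gap). One request at a time,
    which is what a single-client debug capture gives you."""
    results, current, prev = {}, None, None
    for ts, msg in parse_lines(text):
        if m := RECV.search(msg):
            current = {"id": int(m.group(1)), "start": ts, "slowest": (0.0, msg)}
            prev = ts
            continue
        if current is None:
            continue
        gap = (ts - prev).total_seconds()
        if gap > current["slowest"][0]:
            current["slowest"] = (gap, msg)
        prev = ts
        if (m := SENT.search(msg)) and int(m.group(1)) == current["id"]:
            results[current["id"]] = {
                "elapsed": (ts - current["start"]).total_seconds(),
                "slowest_step": current["slowest"],
            }
            current = None
    return results
```

With the debug output at one-second resolution, a request that takes 19 seconds for the ldap module to return is exactly the kind of delay the reply says to look for.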
Re: Improving Auth-Rate
On Tuesday, 13 October 2009 12:18:24, kachin Agarwal wrote:
> Hi,
> I'm trying to improve the auth rate.
> The auth-rate I'm getting now is 3, i.e. the number of mobile units that can
> authenticate per minute is 3. So how can I increase it to 5 or something?
> Which part of the code should I focus on?
>
> Thanx

Hi,

somehow your setup is messed up. I have several hundred auths/sec on quite standard hardware.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: Improving Auth-Rate
Hi,

I'm trying to improve the auth rate. The auth-rate I'm getting now is 3, i.e. the number of mobile units that can authenticate per minute is 3. So how can I increase it to 5 or something? Which part of the code should I focus on?

Thanx
Re: Improving Auth-Rate..
kachin Agarwal wrote:
> hi,
> If I want to improve the auth-rate which part of the code should I
> focus on?

Improving it from... what? Why do you want to improve it?

"Hi, I want to fix the server so it's better. How do I do that"

That question is nearly content-free.

Alan DeKok.
Re: NAS ? What is the best option
> I know that this list is not connected with any hardware vendor but I
> see that every couple of days someone cries here about NAS problems...
>
> I use Mikrotik and I'm not satisfied (duplicated packets, does not
> support POD correctly, etc)
>
> Also, yesterday I saw that Cisco can be a pain in the a*** too :)
>
> So, dear friends... What is the best solution for an ISP (PPPoE)?

There is no problem with using Cisco for PPPoE termination. That chap doesn't know the difference between a duplicated packet (packet re-sent with the same id) and a conflicting packet (packet with the same port/user etc. but a different id). With default settings Cisco will send duplicated packets every 2 seconds (if there is no reply from the radius server); after 30 seconds it will discard the original request and try to mark the radius server as dead (and fail over to the secondary radius server). If there have been responses from the radius server to other requests it won't mark it as dead (or fail over - it can be debated whether that is the correct pathway; perhaps the second request should go to the secondary server anyway; freeradius now implements this when working in proxy mode) but send a new request (with the same user/port etc.). In response to receiving this "conflicting" packet (user/port etc. matches but not the id) freeradius will discard the original packet, correctly assuming that the NAS has abandoned it. For some reason the user in the thread you mentioned can't comprehend that this is the correct action. He would continue processing the original requests, which would then get discarded by the NAS. With default settings that would extend processing time some 30 times in his example (perl processing that takes 1 second per request).

So, Cisco and freeradius work fine there. The problem is his perl script. I assume he is using it to connect to the database and get data from there. Connecting to the database is very expensive. If he would offload data gathering to the sql module and use perl just for calculation, chances are that request processing would take 100 times less and his problems would vanish. But he is adamant that Cisco is broken (sending new requests every few seconds, not the 30 seconds or 2 minutes that are the defaults known to me; the defaults for repeating the same request are 2 and 5 seconds on various devices).

All in all, don't worry about using Cisco and freeradius for broadband aggregation. They work fine together. Just don't trust Cisco claims about the numbers a device can handle. Divide them by 10. If the brochure says the device can handle 10,000 connections it will handle about 1,000 in a realistic case.

Ivan Kalik
Kalik Informatika ISP
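The duplicate-versus-conflicting distinction above, as an added example that is neither Ivan's nor FreeRADIUS's code: a small tracker that classifies constructed rad_recv debug lines (attribute names follow the debug output quoted on this page) as a new request, a retransmit carrying the same id, or a conflicting packet for the same user and NAS-Port that replaces the still-running original. The sample packets and the idea of keying sessions on User-Name plus NAS-Port are my assumptions.

```python
import re
# Constructed debug lines in the style of the rad_recv output quoted on this page:
# packet 2 repeats id=98 (a retransmit); packet 3 carries a new id for the same
# user and NAS-Port while id 98 is still being processed.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=98, length=158
        User-Name = "00-13-20-73-D0-45"
        NAS-Port = 1
rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=98, length=158
        User-Name = "00-13-20-73-D0-45"
        NAS-Port = 1
rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=99, length=158
        User-Name = "00-13-20-73-D0-45"
        NAS-Port = 1
"""
RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
ATTR = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')

def parse_requests(text):
    """One dict per packet: host, port, id plus the attributes listed under it."""
    reqs = []
    for line in text.splitlines():
        if m := RECV.match(line):
            reqs.append({"host": m.group(1), "port": int(m.group(2)), "id": int(m.group(3))})
        elif reqs and (m := ATTR.match(line)):
            reqs[-1][m.group(1)] = m.group(2)
    return reqs

class Tracker:
    """In-flight requests keyed by (NAS host, NAS source port, RADIUS id)."""
    def __init__(self):
        self.inflight = {}
    def classify(self, req):
        key = (req["host"], req["port"], req["id"])
        if key in self.inflight:
            return "duplicate"  # same id re-sent: ignore it, the original keeps running
        session = (req.get("User-Name"), req.get("NAS-Port"))
        for old_key, old in list(self.inflight.items()):
            if old_key[:2] == key[:2] and (old.get("User-Name"), old.get("NAS-Port")) == session:
                del self.inflight[old_key]  # NAS abandoned that id: discard the original
                self.inflight[key] = req
                return "conflict"
        self.inflight[key] = req
        return "new"
    def finish(self, host, port, ident):
        """Reply sent: forget the request so the NAS may reuse the id."""
        self.inflight.pop((host, port, ident), None)

def classify_log(text, tracker=None):
    tracker = tracker or Tracker()
    return [(r["id"], tracker.classify(r)) for r in parse_requests(text)]
```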
Improving Auth-Rate..
hi,

If I want to improve the auth-rate, which part of the code should I focus on?