Re: No NAS-Port seen warning
Robert White wrote:
> Hey,
> Or can I make rlm_acct_unique look for Quintum-NAS-Port instead of just NAS-Port?

Yup, just update modules/acct_unique

HTH
Patric
Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest
Hi Everyone

I think I am getting ahead but now I got the following error:

[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.

I was just trying to set up PAP (testuser) on the radius.
Would you know what the error could be?

Thx

- Original message -
From: adai...@vl.videotron.ca
Date: Wednesday, 14 October 2009, 21:16
Subject: Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest
To: FreeRadius users mailing list

> Thanks John for your patience !
> I appreciate your explanation and will double check everything
>
> Al
>
> - Original message -
> From: John Dennis
> Date: Wednesday, 14 October 2009, 16:19
> Subject: Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest
> To: FreeRadius users mailing list us...@lists.freeradius.org>
>
> > On 10/14/2009 03:45 PM, adai...@vl.videotron.ca wrote:
> > > Thanks John for the quick reply on my questions,
> > >
> > > I already checked on Red_Hat_FAQ and I have not seen any answers to my challenges !
> >
> > Did you read the section:
> > How do I start and stop the FreeRADIUS service?
> >
> > Because it's obvious you've got two radius servers running. You can't
> > have the radius server running as a daemon *and* run another copy in the
> > foreground with -X. If you want to run a copy in the foreground you
> > *must* stop any existing copies from running first. The only way you can
> > have another copy running is if you enabled the service for boot start
> > up with chkconfig or manually started it with /usr/sbin/service or you
> > manually executed /usr/sbin/radiusd.
> >
> > --
> > John Dennis
Check_item still wraps at 4gb
Good Day.

Hoping I can get some help. I have been trying for years now to simply cap users based on data transferred above 4gb. It has only been now that I discovered where the problem lies.

I can log data over 4gb no issue, nas sends gigawords to radius and gets inserted into db no probs. However, my data counter fails to authenticate customers properly if any accounts are set to above 4Gb. And I found why. It seems that the "check_item" still wraps at 4gb!

How can I solve this?

Regards
No NAS-Port seen warning
Hey,

I keep getting a warning message in my Radius setup...

WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent

This is true enough. But I am sending a slightly different attribute: 'Quintum-NAS-Port'.

Do I have control over this 'NAS-Port prefix? Or can I make rlm_acct_unique look for Quintum-NAS-Port instead of just NAS-Port?

Any help appreciated.

Thanks,
Rob
Re: Several LDAP searches
> I am configuring a freeradius server (version 2.1.7). I need two listen
> sections, both to authenticate users using the same LDAP server. The
> thing is that I need to do different searches with different filters,
> depending on which listen section is asked. What is the best way to
> configure this, if there is one? I have read the documentation, the wiki
> and the configuration files and I couldn't figure it out.

Configure two ldap instances and use them in virtual servers listen sections point to.

Ivan Kalik
Kalik Informatika ISP
RE: Freeradius + OpenLdap + WindowsXP(Wifi)
> > Previous round trip ..
>
> User-Name = "kleberl"
> NAS-IP-Address = 192.168.155.123
> NAS-Port-Type = Wireless-802.11
> State = 0x3cce0b1706ad36054f63eeb5f99e1a66
> EAP-Message = 0x029500591900170301004e6b2cc736e1b009a8b6f35c85b0f9ea9b4543a3be11f7586ffe81fb98b3eb4f61d9112c6a9a28be20ab9de173401926f7b9ee653f80ce1549b8790c6efff5a57e3d4226d46c6a6cdedcc247557cde
> Message-Authenticator = 0x1270811c8796ab07c98678904e5d93c8

...

> Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: looking for check items in directory...
> Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: looking for reply items in directory...
> Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: user kleberl authorized to use remote access

...

> Tue Oct 13 12:00:45 2009 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
> Tue Oct 13 12:00:45 2009 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
> Tue Oct 13 12:00:45 2009 : Debug: rlm_mschap: Told to do MS-CHAPv2 for kleberl with NT-Password
> Tue Oct 13 12:00:45 2009 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> Tue Oct 13 12:00:45 2009 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Where is your password? Ldap didn't pass it back.

Ivan Kalik
Kalik Informatika ISP
dialup_admin query problem
I am using dialup_admin 1.80 from within the current freeradius 2.1.7 release. freeradius is working fine, and some dialup_admin menu selections are working correctly. One that isn't is User Statistics.

I have configured dialup admin to not use the 'totacct' table by setting "general_stats_use_totacct: no" in admin.conf

When I select User Statistics, dialup_admin is still running a query for fields in the totacct table:

091015 10:08:21 22 Connect freerad...@localhost on
                22 Init DB radius
                22 Query EXPLAIN SELECT * FROM nas
                22 Query SELECT * FROM nas
                22 Init DB radius
                22 Query EXPLAIN SELECT * FROM radacct WHERE acctdate >= '2009-10-08' AND acctdate <= '2009-10-15' ORDER BY connnum desc
                22 Query SELECT * FROM radacct WHERE acctdate >= '2009-10-08' AND acctdate <= '2009-10-15' ORDER BY connnum desc

The table name 'radacct' is correct. The query for field 'acctdate' is incorrect, that field is in 'totacct' & not present in 'radacct'.

I know one solution is to set "general_stats_use_totacct: yes" & run the tot_stats scripts daily, but that it is not working with the 'radacct' table makes me concerned that I may have a configuration issue that could lead to further problems.

Is there some other configuration option needed to make this work properly?

TIA

Linux version 2.6.27.27 (r...@darkstar) (gcc version 4.2.4) #1 SMP Wed Jul 22 07:27:34 AKDT 2009
apache 2.2.13
php 5.2.10
zend 3.3.9
mysql 5.0.67
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Dec 5 2008 at 10:35:21
dialup_admin 1.80
Re: Good number of Max Connections to run freeradius
I'm using 500, and I have an error 'discarding packet' and I don't know how to fix it

2009/10/15 Alan Buxey

> Hi,
> > What is a good number of max_connections on Mysql to run FreeRadius?
> >
> > i'm using
> >
> > max_connections=500
>
> 500? wowser. I use 10.
>
> i noted problems if the value was over 15 and my SQL queries are very small
> and short...i use the offline accounting (buffered-sql) to do the nasty long
> update/insert stuff.
>
> alan

--
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD
Re: Good number of Max Connections to run freeradius
Hi,

> What is a good number of max_connections on Mysql to run FreeRadius?
>
> i'm using
>
> max_connections=500

500? wowser. I use 10.

i noted problems if the value was over 15 and my SQL queries are very small and short...i use the offline accounting (buffered-sql) to do the nasty long update/insert stuff.

alan
Good number of Max Connections to run freeradius
What is a good number of max_connections on Mysql to run FreeRadius?

i'm using

max_connections=500

--
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD
RE: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.
Working, uses DEFAULT Auth-Type = ntlm_auth in users file:

rad_recv: Access-Request packet from host 10.1.x.y port 1645, id=217, length=85
    User-Name = "myname"
    User-Password = "myt0p$3cr...@$$w0rd"
    NAS-Port = 1
    NAS-Port-Id = "tty1"
    NAS-Port-Type = Virtual
    Calling-Station-Id = "192.168.x.y"
    NAS-IP-Address = 10.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{User-Name} -> --username=myname
[ntlm_auth] expand: --password=%{Password} -> --password=myt0p$3cr...@$$w0rd
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [myname] (from client Ci$coSwitch port 1 cli 192.168.x.y)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 217 to 10.x.y.z port 1645
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.

NOT WORKING:

rad_recv: Access-Request packet from host 10.x.y.z port 1645, id=218, length=85
    User-Name = "myname"
    User-Password = "myt0p$3cr...@$$w0rd"
    NAS-Port = 1
    NAS-Port-Id = "tty1"
    NAS-Port-Type = Virtual
    Calling-Station-Id = "192.168.x.y"
    NAS-IP-Address = 10.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "myt0p$3cr...@$$w0rd"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
### I have local unix account with a pw different than my AD password ###
### If I use local PW it auths me correctly ###
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [myname] (from client Ci$coSwitch port 1 cli 192.168.x.y)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> myname
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 38 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 38
Sending Access-Reject of id 218 to 10.x.y.z port 1645
Waking up in 4.9 seconds.
Cleaning up request 38 ID 218 with timestamp +3237
Ready to process requests.

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Thursday, October 15, 2009 10:30 AM
To: FreeRadius users mailing list
Subject: Re: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.

> I've been jacking around trying to fix this for several hours - but no
> go. I've RTFM several times, and read several docs such as:
> http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28ntlm_auth%29_with_accounts_stored_elsewhere
>
> When I say "fix" - it's always been "broken" - it's never worked without
> the DEFAULT entry in users. Most all my accounts are in AD so the
> DEFAULT works for me, but I'm using this issue as a learning
> opportunity, but instead it's just a frustration opportunity.
>
> I'll post all my confs (2.1.6) and -X output if needed, but just looking
> for some hints to help determine why when the process fails through to
> PAP, it won't use ntlm_auth - it will only use "files"

Post the debug.

Ivan Kalik
Kalik Informatika ISP
Re: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.
> I've been jacking around trying to fix this for several hours - but no
> go. I've RTFM several times, and read several docs such as:
> http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28ntlm_auth%29_with_accounts_stored_elsewhere
>
> When I say "fix" - it's always been "broken" - it's never worked without
> the DEFAULT entry in users. Most all my accounts are in AD so the
> DEFAULT works for me, but I'm using this issue as a learning
> opportunity, but instead it's just a frustration opportunity.
>
> I'll post all my confs (2.1.6) and -X output if needed, but just looking
> for some hints to help determine why when the process fails through to
> PAP, it won't use ntlm_auth - it will only use "files"

Post the debug.

Ivan Kalik
Kalik Informatika ISP
RE: Postgres
Hi again,

Thanks for the help. It is running correctly.

Regards,
Dave

-Original Message-
From: freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org [mailto:freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org] On Behalf Of John Dennis
Sent: Thursday, October 15, 2009 3:45 PM
To: FreeRadius users mailing list
Subject: Re: Postgres

On 10/15/2009 09:17 AM, Sparkes, David wrote:
> Hi again,
>
> Ok... well I have created the tables using
> /etc/raddb/sql/postgresql/schema.sql and populated the tables manually.
>
> However no postgresql.conf file exists in either
> /etc/raddb/sql/postgresql or /etc/raddb/postgresql. Have I missed a
> package that would include this or should I just create it from scratch?

There isn't a postgresql.conf file. You edit /etc/raddb/sql.conf and set the database to postgresql.

> For the record, all of the configuration files are in
> /etc/raddb/postgresql in this install.

Not if you're using our packages.

--
John Dennis
Re: To proxy, or not to proxy, that is the question ...
Thanks for this, and thanks to Bob Franklin too.

I have something working now by selecting on client name and re-writing the User-Name to append "bcm", then proxying that alone to the NAC servers. This leaves all the config I had before for my existing domains alone.

I might try the other virtual server approach as well as that is quite neat.

All I need now is for the blasted NAC server to recognise me as a client and actually do something instead of ignoring me!

Thanks again. (I now speak some unlang!)

On 15 Oct 2009, at 15:50, Alan Buxey wrote:

> Hi,
>
>> if (domain is local AND authenticating from a local NAS) then
>>   authenticate locally by proxy to Bradford Campus Manager
>>   (Campus Manager will receive the stripped u...@realm as user and
>>   proxy to the local server address)
>> else
>>   authenticate and return ACK/NACK to remote server in usual way for
>>   one of our users visiting remote site
>> fi
>>
>> The part I am not sure how to do is the last part, a conditional proxy
>> based on source NAS. I assume I need to dip into unlang, but can I put
>> that into the proxy.conf file?
>
> with 2.x ? just ensure that clients are defined correctly - either by
> doing as the other post said, or create a new virtual server (copy your
> current one and rename it eg 'eduroam' and then define the proxies as being
> handled by that server ie
>
> internal stuff -> [RADIUS server {default/inner}] -> return attributes etc
>
> external stuff -> [RADIUS server {eduroam/inner}] -> no return attributes etc
>
> look at the virtual_server definition in the clients.conf - that says, basically,
> for any request from that client, slap it through that virtual server.
>
> this means you can actually have a very stripped down virtual server... no need for
> anything weird...anything coming from the proxies will be solely for you (because
> the proxy has done the realm work already and decided on suitable target) and
> you dont need to deal with settings VLANs etc. the only thing you may want in place
> is an authorise section to deal with people who cannot remotely authenticate - eg
> they've broken AUP or are infected with virus/reported as bad etc
>
> alan

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
---
Nice boy, but about as sharp as a sack of wet mice. -- Foghorn Leghorn
PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.
I've been jacking around trying to fix this for several hours - but no go. I've RTFM several times, and read several docs such as:
http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28ntlm_auth%29_with_accounts_stored_elsewhere

When I say "fix" - it's always been "broken" - it's never worked without the DEFAULT entry in users. Most all my accounts are in AD so the DEFAULT works for me, but I'm using this issue as a learning opportunity, but instead it's just a frustration opportunity.

I'll post all my confs (2.1.6) and -X output if needed, but just looking for some hints to help determine why when the process fails through to PAP, it won't use ntlm_auth - it will only use "files"

Thanks!

Gary
Re: acct_users WARNING in 2.1.7
> I've upgraded from 2.1.6 to 2.1.7 and the following error is now appearing
> in my debug output.
>
> [/usr/local/etc/raddb/acct_users]:36 WARNING! Check item "Tmp-String-0"
> found in reply item list for user "DEFAULT".
> This attribute MUST go on the first line with the other check items
>
> acct_users contains the following, (Line 36 is the line beginning with
> DEFAULT)
>
> #CECExec-Program = "%{exec:/usr/local/sbin/acctstop.sh}",
> DEFAULT Acct-Status-Type == Stop
>         Tmp-String-0 = "%{exec:/usr/local/sbin/acctstop.sh}",
>         Fall-Through = no
>
> What have I done wrong? It seems to be ok, and be doing what I
> desire. but I want the config to be CLEAN.
> All I really want is to run a script when an accounting STOP record is
> received. Am I doing it wrong?

You can't use Tmp-String-0 as a reply item. Use Exec-Program-Wait.

Ivan Kalik
Kalik Informatika ISP
Re: To proxy, or not to proxy, that is the question ...
Hi,

> if (domain is local AND authenticating from a local NAS) then
>   authenticate locally by proxy to Bradford Campus Manager
>   (Campus Manager will receive the stripped u...@realm as user and
>   proxy to the local server address)
> else
>   authenticate and return ACK/NACK to remote server in usual way for
>   one of our users visiting remote site
> fi
>
> The part I am not sure how to do is the last part, a conditional proxy
> based on source NAS. I assume I need to dip into unlang, but can I put
> that into the proxy.conf file?

with 2.x ? just ensure that clients are defined correctly - either by doing as the other post said, or create a new virtual server (copy your current one and rename it eg 'eduroam' and then define the proxies as being handled by that server ie

internal stuff -> [RADIUS server {default/inner}] -> return attributes etc

external stuff -> [RADIUS server {eduroam/inner}] -> no return attributes etc

look at the virtual_server definition in the clients.conf - that says, basically, for any request from that client, slap it through that virtual server.

this means you can actually have a very stripped down virtual server... no need for anything weird...anything coming from the proxies will be solely for you (because the proxy has done the realm work already and decided on suitable target) and you don't need to deal with settings VLANs etc. the only thing you may want in place is an authorise section to deal with people who cannot remotely authenticate - eg they've broken AUP or are infected with virus/reported as bad etc

alan
Re: Proxy based on Multiple Realms
Hi,

> What I want to do is proxy requests based on being in multiple realms. For
> example:
> Realm1/username.Realm2

so long as the second part will always be username.realm2 (and you don't get into user.name.realm2) then you can use 2.1.x with unlang to configure what you need. you need to use a decent regex pattern to match $1/[string].$2 (in fact, you can simply ignore $1 as it will always be host/ if dealing with type of traffic i expect)...and then you can simply set the proxy-to-realm to be equal to the $2 value.

however, this is not a trivial 'it'll just work' and the realm details might not be the sites real NAI realm (as it might be an internal AD realm that has no basis on real world name, for example).

PS in eduroam we only allow the authentication of users via RFC NAI values - this stops this nasty machine authentication mess (which most RADIUS servers will not be able to handle) - i guess this is a demonstration of FR power/flexibility rather than common use :-)

alan
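The realm split described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code. It goes one step further than the post by resolving the `user.name.realm2` ambiguity against a list of configured realms; the function names and the sample realm `corp.some.fqdn` are hypothetical.

```python
import re

# Matches the machine-authentication form "host/<name>.<realm>" from the thread.
MACHINE_RE = re.compile(r"^host/([^/@\s]+)$", re.IGNORECASE)

# The simple pattern: everything after the first dot is taken as the realm.
NAIVE_RE = re.compile(r"^host/[^.]+\.(.+)$", re.IGNORECASE)


def naive_realm(user_name):
    """Realm as the first-dot split would give it, or None if no match."""
    m = NAIVE_RE.match(user_name)
    return m.group(1).lower() if m else None


def machine_realm(user_name, configured_realms):
    """Return (host, realm) for a machine name, or None.

    configured_realms is a set of lowercase realm names the proxy is
    willing to forward to (an assumption of this example). The longest
    matching suffix wins, and at least one label is kept for the host.
    """
    m = MACHINE_RE.match(user_name)
    if not m:
        return None
    labels = m.group(1).lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in configured_realms:
            return ".".join(labels[:i]), candidate
    # Unknown realm: do not proxy on the strength of a client-supplied name.
    return None


if __name__ == "__main__":
    realms = {"some.fqdn", "corp.some.fqdn"}  # constructed sample data
    for name in ("host/workstation.some.fqdn",
                 "host/ws.1.some.fqdn",
                 "host/ws1.corp.some.fqdn",
                 "host/ws1.unknown.example",
                 "alice@some.fqdn"):
        print(name, "->", naive_realm(name), "|", machine_realm(name, realms))
```

Returning None for a realm that is not configured keeps a client-supplied name from choosing an arbitrary proxy target.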
Re: Postgres
On 10/15/2009 09:17 AM, Sparkes, David wrote:
> Hi again,
>
> Ok... well I have created the tables using
> /etc/raddb/sql/postgresql/schema.sql and populated the tables manually.
>
> However no postgresql.conf file exists in either
> /etc/raddb/sql/postgresql or /etc/raddb/postgresql. Have I missed a
> package that would include this or should I just create it from scratch?

There isn't a postgresql.conf file. You edit /etc/raddb/sql.conf and set the database to postgresql.

> For the record, all of the configuration files are in
> /etc/raddb/postgresql in this install.

Not if you're using our packages.

--
John Dennis
acct_users WARNING in 2.1.7
I've upgraded from 2.1.6 to 2.1.7 and the following error is now appearing in my debug output.

[/usr/local/etc/raddb/acct_users]:36 WARNING! Check item "Tmp-String-0"
found in reply item list for user "DEFAULT".
This attribute MUST go on the first line with the other check items

acct_users contains the following, (Line 36 is the line beginning with DEFAULT)

#CECExec-Program = "%{exec:/usr/local/sbin/acctstop.sh}",
DEFAULT Acct-Status-Type == Stop
        Tmp-String-0 = "%{exec:/usr/local/sbin/acctstop.sh}",
        Fall-Through = no

What have I done wrong? It seems to be ok, and be doing what I desire. but I want the config to be CLEAN.
All I really want is to run a script when an accounting STOP record is received. Am I doing it wrong?

Thanks,

-craig

Craig Campbell
craig.campb...@ccraft.ca
CampbellCraft Consulting Inc
2 Kenny Court
Whitby, Ontario
Canada L1R 2L8
905 922-2789
RE: Postgres
Hi again,

Ok... well I have created the tables using /etc/raddb/sql/postgresql/schema.sql and populated the tables manually.

However no postgresql.conf file exists in either /etc/raddb/sql/postgresql or /etc/raddb/postgresql. Have I missed a package that would include this or should I just create it from scratch? Looking at the examples that I've found, it seems to be a fairly straightforward file to understand, if large.

If I'd known that the table name and SQL queries were defined in postgresql.conf, I wouldn't have bothered to recreate the tables according to the schema. ;)

For the record, all of the configuration files are in /etc/raddb/postgresql in this install.

Regards,
Dave

-Original Message-
From: freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org [mailto:freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org] On Behalf Of John Dennis
Sent: Thursday, October 15, 2009 2:35 PM
To: FreeRadius users mailing list
Subject: Re: Postgres

On 10/15/2009 07:01 AM, Alan DeKok wrote:
> Sparkes, David wrote:
>> I was working through the example to set up PostGres; I just was thrown
>> when I tried to set up the database ("Setting up the RADIUS database"
>> section), as I reached these lines:
>>
>> cd /usr/share/doc/packages/freeradius/doc/examples/
>> psql -U radius radius< postgresql.sql
>
> See raddb/sql/postgresql/. Everything for postgres is there.

Just for clarity, using the Red Hat packages (since the OP did state this is RHEL) that would be /etc/raddb/sql/postgresql and requires the freeradius-postgresql subpackage to be installed.

--
John Dennis
3GPP string Attributes, containing encapsulated information...
Hi there,

Is there a way to get Information out of the 3GPP-GPRS-Negotiated-QoS-profile?

The Attribute is defined in the dictionary as:

ATTRIBUTE 3GPP-GPRS-Negotiated-QoS-profile 5 string

The Value of a String might be:

99-0B811F739687877401

To get the encapsulated "Traffic Class", I will need the most left 3 bits of the first '7' of the string. It would be

7 --> 0111 --> 011 --> 3

Is there a function available, to do this?

Following the complete Attribute:

AVP: l=33 v=3GPP(10415) t=3GPP-GPRS-Negotiated-QoS-profile(5): UMTS GTP QoS Profile
    Length: 25
    UMTS GTP QoS Profile
    Version: 99
    Hyphen separator: -
    00.. = Spare: 0
    ..00 1... = QoS delay: Delay class 1 (1)
    .011 = QoS reliability: Unack GTP/LLC, Ack RLC, Protected data (3)
    1000 = QoS peak: Up to 128 000 oct/s (8)
    0... = Spare: 0
    .001 = QoS precedence: High priority (1)
    000. = Spare: 0
    ...1 = QoS mean: Best effort (31)
    011. = Traffic class: Interactive class (3)
    ...1 0... = Delivery order: Without delivery order ('no') (2)
    .011 = Delivery of erroneous SDU: Erroneous SDUs are not delivered ('no') (3)
    Maximum SDU size : 1500 octets
    Maximum bit rate for uplink : 1024 kbps
    Maximum bit rate for downlink : 1024 kbps
    0111 = Residual BER: 1/100 000 = 1x10^-5 (7)
    0100 = SDU Error ratio: 1/10 000 = 1x10^-4 (4)
    00.. = Transfer delay: Subscribed Transfer Delay (in MS to network direction) (0)
    ..01 = Traffic handling priority: Priority level 1 (1)
    Guaranteed bit rate for uplink: Subscribed guaranteed bit rate for uplink (in MS to network direction) (0)
    Guaranteed bit rate for downlink: Subscribed guaranteed bit rate for downlink (in MS to network direction) (0)

Thank You.

Stefan
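One way to pull the fields out of that string, as an added example that is not part of the original post and is not a FreeRADIUS function. The bit positions follow the dissection quoted in the post; the field names are hypothetical, and the SDU-size and bit-rate value coding is taken from 3GPP TS 24.008 rather than from this page.

```python
def _max_sdu_octets(v):
    # 1..150 are steps of 10 octets; 151..153 are fixed sizes (TS 24.008).
    if 1 <= v <= 150:
        return v * 10
    return {151: 1502, 152: 1510, 153: 1520}.get(v)  # None: subscribed/reserved


def _bit_rate_kbps(v):
    # Piecewise coding of the maximum bit rate octet (TS 24.008).
    if v == 0:
        return None                      # "subscribed" value
    if v <= 63:
        return v                         # 1 kbps steps
    if v <= 127:
        return 64 + (v - 64) * 8         # 8 kbps steps
    if v <= 254:
        return 576 + (v - 128) * 64      # 64 kbps steps
    return 0                             # 255 means 0 kbps


def decode_qos_profile(value):
    """Decode '<release>-<hex octets>' into a dict of QoS fields.

    Only fields whose octet is present are returned, so a short or
    truncated profile yields a smaller dict instead of wrong values.
    """
    release, sep, hexpart = value.strip().partition("-")
    if not sep or not release.isdigit():
        raise ValueError("expected '<release>-<hex>': %r" % value)
    o = bytes.fromhex(hexpart)           # ValueError on odd length / non-hex
    if len(o) < 3:
        raise ValueError("QoS profile needs at least 3 octets")
    out = {
        "release": int(release),
        "delay_class": (o[0] >> 3) & 0x07,
        "reliability_class": o[0] & 0x07,
        "peak_throughput": o[1] >> 4,
        "precedence_class": o[1] & 0x07,
        "mean_throughput": o[2] & 0x1F,
    }
    if len(o) >= 4:
        out["traffic_class"] = o[3] >> 5          # top 3 bits of the octet
        out["delivery_order"] = (o[3] >> 3) & 0x03
        out["delivery_of_erroneous_sdu"] = o[3] & 0x07
    if len(o) >= 5:
        out["max_sdu_octets"] = _max_sdu_octets(o[4])
    if len(o) >= 6:
        out["max_bit_rate_uplink_kbps"] = _bit_rate_kbps(o[5])
    if len(o) >= 7:
        out["max_bit_rate_downlink_kbps"] = _bit_rate_kbps(o[6])
    if len(o) >= 8:
        out["residual_ber"] = o[7] >> 4
        out["sdu_error_ratio"] = o[7] & 0x0F
    if len(o) >= 9:
        out["transfer_delay"] = o[8] >> 2
        out["traffic_handling_priority"] = o[8] & 0x03
    return out


if __name__ == "__main__":
    # Value quoted in the post above.
    for key, val in decode_qos_profile("99-0B811F739687877401").items():
        print("%-28s %s" % (key, val))
```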
Several LDAP searches
Hello,

I am configuring a freeradius server (version 2.1.7). I need two listen sections, both to authenticate users using the same LDAP server. The thing is that I need to do different searches with different filters, depending on which listen section is asked. What is the best way to configure this, if there is one? I have read the documentation, the wiki and the configuration files and I couldn't figure it out.

Thanks in advance.
Re: wpa/wpa2 on logs
On 14/10/2009 14:38, Alan Buxey wrote:
> Hi,
>
>> Hmm, just thought, some vendors may include the information in the RADIUS
>> packet as VSAs (Vendor Specific Attributes).
>>
>> Might be worth running the server in debugging mode (radiusd -X) and see
>> what your wireless controllers
>> are actually sending in Access-Request packets.
>>
>> So although you won't get the info in the EAP Tunnel, you may find it's
>> available in the RADIUS Access-request
>> packets.
>
> I thought the same thing - so had a quick look at our incoming RADIUS Access-Requests etc...
> and nothing useful buried there - but there again, I havent looked at the other end
> yet to see if there are other options or VSAs that can be used - we can currently get
> such info from the wireless control system - so that information is being passed from
> the LWAPP/CAPWAP systems to the controller - and a suitable SNMP to the WCS from the
> RADIUS server would allow you to tie the two together (best done out of band!) ..
> this is probably a useful step for any site wondering whether to drop WPA/TKIP
> support for example (for security - move to WPA2/AES) - you'd need to see how
> many non-AES clients you had before the change..

Slightly off topic:

I've seen discussions about this on the Educase list, and it appears quite a few of our American counterparts have already dropped TKIP...

The problem with trying to do something intelligent like you suggested, is that although many clients can be made to support WPA2/AES, they don't currently.

For example the Intel 2200B/G Mini-Pci card used in many older laptops doesn't have WPA2 support in its older 2006 drivers. But a quick run of the Intel driver package and they'll happily connect to any WPA2-Enterprise network.

Also WPA2 support only made it into Windows XP SP3 (or SP2 with KB KB917021), there are many unpatched clients out there, who'll connect to your network and select WPA/TKIP even though the hardware is capable of better.

Until you actually make the switch over, you won't know how many clients really really can't support WPA2.

We bit the bullet and turned off TKIP support on all Wireless networks at the beginning of September. So far we've had no real complaints.

Arran

--
Arran Cudbard-Bell
Systems Administrator (AAA), Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: Postgres
On 10/15/2009 07:01 AM, Alan DeKok wrote:
> Sparkes, David wrote:
>> I was working through the example to set up PostGres; I just was thrown
>> when I tried to set up the database ("Setting up the RADIUS database"
>> section), as I reached these lines:
>>
>> cd /usr/share/doc/packages/freeradius/doc/examples/
>> psql -U radius radius < postgresql.sql
>
> See raddb/sql/postgresql/. Everything for postgres is there.

Just for clarity, using the Red Hat packages (since the OP did state this is RHEL) that would be /etc/raddb/sql/postgresql and requires the freeradius-postgresql subpackage to be installed.

--
John Dennis
Re: Question regarding retrying of requests in detail-combined file
Alan DeKok wrote:
> Patric wrote:
>> And 30 seconds later the request is retried and succeeds :)
>> Is there any way for me to decrease the retry delay?
>
> See the "retry_interval" configuration in the detail listener.

Hi Alan,

Would I be correct in my understanding that I add that here:

sites-enabled/copy-acct-to-home-server:

    server copy-acct-to-home-server {
        listen {
            type = detail
            filename = ${radacctdir}/detail-combined
            load_factor = 10
            retry_interval = 10    # <-
        }
    }

Thank you :)
Patric
Re: Question regarding retrying of requests in detail-combined file
Patric wrote:
> And 30 seconds later the request is retried and succeeds :)
> Is there any way for me to decrease the retry delay?

See the "retry_interval" configuration in the detail listener.

Alan DeKok.
Proxy based on Multiple Realms
What I want to do is proxy requests based on being in multiple realms. For example:

    Realm1/username.Realm2

Where Realm1 is "host" AND Realm2 is "some.fqdn" then proxy to xxx.xxx.xxx.xxx

Specifically what I am doing is trying to use FreeRadius to proxy for AD Domains. I want to enable host based authentication (i.e. host/workstation.domain.name) but for multiple domains. I believe proxying is the only way to accomplish this.

All I can find are references/warnings to making sure that I DON'T do this by mistake. Problem is I believe this is what I must do.

Is this even possible with FreeRadius?

Thanks
Bob
Re: Problems with bootstrapping certificates
Petr Uzel wrote:
> To be more specific: I work on packaging freeradius server RPM. The
> README explicitly states that "This bootstrap script SHOULD be run on
> installation of any pre-built binary package for your OS." I
> understand that it should be run automatically in the %post section,
> like in the suse spec file included in the tarball. This leads to two
> problems:
> - if the user runs bootstrap script manually after installation, the
>   certificates get corrupted

Yes. Re-generating the certs causes them to be regenerated.

> - if the user performs upgrade of the package, the certificates get
>   corrupted - this is worse than the first problem, since the user
>   might already have his 'production' certificates installed.

So don't regenerate them...

> So I suggest either to
> 1) do not recommend running the bootstrap script automatically and
>    force the user to run it manually
> or
> 2) fix the bootstrap script and/or Makefile to do nothing if
>    the required files already exist.

That's already in the "makefile". I suggest a patch to the bootstrap script.

Alan DeKok.
Re: Postgres
Sparkes, David wrote:
> I was working through the example to set up PostGres; I just was thrown
> when I tried to set up the database ("Setting up the RADIUS database"
> section), as I reached these lines:
>
> cd /usr/share/doc/packages/freeradius/doc/examples/
> psql -U radius radius < postgresql.sql

See raddb/sql/postgresql/. Everything for postgres is there.

Alan DeKok.
Re: To proxy, or not to proxy, that is the question ...
On Thu, 15 Oct 2009, Dean, Barry wrote:

> if (domain is local AND authenticating from a local NAS) then
>     authenticate locally by proxy to Bradford Campus Manager
>     (Campus Manager will receive the stripped u...@realm as user and proxy to the local server address)
> else
>     authenticate and return ACK/NACK to remote server in usual way for one of our users visiting remote site
> fi
>
> The part I am not sure how to do is the last part, a conditional proxy
> based on source NAS. I assume I need to dip into unlang, but can I put
> that into the proxy.conf file?

We're doing this by using a syntax in the client shortname ('client ... { shortname = ... }' in clients.conf). We declare our RADIUS clients with names such as:

    @

So all our things are someth...@net.cam.ac.uk; things from internal colleges or departments are someth...@college.cam.ac.uk or whatever. The things from JANET Roaming are j...@ja.net.

Then, we can do things like:

    if ("%{Client-Shortname}" =~ /\.cam\.ac\.uk$/) {
        # do something special when NAS in Cambridge
    }

Using literal matching or regexps, we've found we can do all sorts of things here.

- Bob

--
Bob Franklin +44 1223 748479
Network Division, University of Cambridge Computing Service
RE: Postgres
Hi again,

Radius works fine. I've been using it for a few weeks with no hitches.

I was working through the example to set up PostGres; I just was thrown when I tried to set up the database ("Setting up the RADIUS database" section), as I reached these lines:

    cd /usr/share/doc/packages/freeradius/doc/examples/
    psql -U radius radius < postgresql.sql

Of which I couldn't find the equivalent. The closest I could find was /usr/share/doc/freeradius-2.1.7/examples/postgresql_update_radacct_group_trigger.sql, which caused all kinds of scary error messages, which put me off.

It occurs to me in the cold light of day that maybe this section probably just creates the example tables, and the above example file is completely inappropriate, but, at the time, I was in black box mysticism mode.

I wrote the SQL to create similar tables to those shown, but stopped, because I thought that the basic database part was importing something more clever into the database.

I've probably overthought it and can just get on with the configuration, then.

Thanks,
Dave

-----Original Message-----
From: freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org [mailto:freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Thursday, October 15, 2009 12:11 PM
To: FreeRadius users mailing list
Subject: Re: Postgres

Hi,

> Sorry, I should clarify. I have spent some time looking through the
> docs including, http://wiki.freeradius.org/SQL_HOWTO, but that is the
> wrong version of FreeRadius (1.1.7) and doesn't work.

had a quick look through - seems to be reasonably fine - which bit didn't work? what's your issue - eg radiusd -X

alan
To proxy, or not to proxy, that is the question ...
I currently run two virtual servers, one for our local secure wireless and one for eduroam customers.

The local one receives RADIUS packets from Bradford Campus Manager, which is responsible for Network Access Control and stamps Auth-OK replies with the VLAN for the user.

What I want to do is combine these wireless services, so that we just have eduroam.

The functionality we will need, will be:

The requests will come to the eduroam server address.

    if (no domain specified) then
        who are ya?
    fi

    if (domain is non-local) then
        proxy to user's home site.
    fi

    if (domain is local AND authenticating from a local NAS) then
        authenticate locally by proxy to Bradford Campus Manager
        (Campus Manager will receive the stripped u...@realm as user and proxy to the local server address)
    else
        authenticate and return ACK/NACK to remote server in usual way for one of our users visiting remote site
    fi

The part I am not sure how to do is the last part, a conditional proxy based on source NAS. I assume I need to dip into unlang, but can I put that into the proxy.conf file?

    realm local.site.ac.uk {
        if( NAS-IP-Address ~= /192.168.*/ ) then    # match my likely clients...
            set-up A
        else
            set-up B
        fi
    }

Or whatever (I don't speak unlang, yet!), or have I got to determine the source of the request somewhere else and use unlang to re-write the realm to some special sentinel value that would be caught in proxy.conf like:

    realm local.site.ac.uk {
        do the normal thing
    }

    realm special.local.site.ac.uk {
        do the clever NAC proxy stuff
    }

As usual, thanks for your time and hope someone can steer me in the right direction before my head explodes.

(Yes I did read the docs, didn't help in this case!)

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
---
Nice boy, but about as sharp as a sack of wet mice. -- Foghorn Leghorn
Re: Postgres
Hi,

> Sorry, I should clarify. I have spent some time looking through the
> docs including, http://wiki.freeradius.org/SQL_HOWTO, but that is the
> wrong version of FreeRadius (1.1.7) and doesn't work.

had a quick look through - seems to be reasonably fine - which bit didn't work? what's your issue - eg radiusd -X

alan
RE: Postgres
Sorry, I should clarify. I have spent some time looking through the docs including, http://wiki.freeradius.org/SQL_HOWTO, but that is the wrong version of FreeRadius (1.1.7) and doesn't work.

I was looking for something a bit more up-to-date.

Cheers,
Dave

-----Original Message-----
From: freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org [mailto:freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org] On Behalf Of Vegard Svanberg
Sent: Thursday, October 15, 2009 11:31 AM
To: FreeRadius users mailing list
Subject: Re: Postgres

* Sparkes, David [2009-10-15 11:21]:

> I would like to get Freeradius working with a PostgreSQL database: are
> there any handy HOWTOs or Tutorials that explain how to do this?

It's pretty easy, just study the docs and sample configs.

Just a warning: You might run into the same problem as me, so test it thoroughly before putting it in production. I'm running Freeradius (latest version) against a PostgreSQL database, and it crashes every other day or so when running normally (as a daemon). It doesn't crash in debug mode (-X), so I have to let it run like that for a while more, until I have the time to debug it. Can't risk a sudden stop for the time being.

--
Vegard Svanberg [*tak...@irc (EFnet)]
Re: Postgres
Hi,

> I would like to get Freeradius working with a PostgreSQL database: are
> there any handy HOWTOs or Tutorials that explain how to do this?

some stuff here:

http://wiki.freeradius.org/Rlm_sql

basically, FreeRADIUS comes with the required SQL schema for RADIUS and NAS access with SQL (postgres, mysql, oracle or mssql). you will need to apply this schema to your SQL - after creating a suitable user and database for it. then you need to configure the relevant $raddb/sql/* stuff and add the required bit to $raddb/sql.conf

once you have configured the SQL, you can then add it as a call in the main server(s) - either 'sql' or with whatever name you called the SQL instance (if you have multiple SQL configs).

basically,

configure sql.conf
configure sql/postgresql/*
edit sites-enabled/* (as appropriate) to call the SQL stuff in authen/author/acct/etc
check debug logs thoroughly to see why/what and how things work/don't work

alan
Re: Postgres
* Sparkes, David [2009-10-15 11:21]:

> I would like to get Freeradius working with a PostgreSQL database: are
> there any handy HOWTOs or Tutorials that explain how to do this?

It's pretty easy, just study the docs and sample configs.

Just a warning: You might run into the same problem as me, so test it thoroughly before putting it in production. I'm running Freeradius (latest version) against a PostgreSQL database, and it crashes every other day or so when running normally (as a daemon). It doesn't crash in debug mode (-X), so I have to let it run like that for a while more, until I have the time to debug it. Can't risk a sudden stop for the time being.

--
Vegard Svanberg [*tak...@irc (EFnet)]
Re: EAP session matching the State variable
marco perugini wrote:
> hi list, i use freeradius [v 2.1.1] in wimax context and from yesterday
> this message is driving me crazy: "EAP session matching the State variable".

That's "NO eap session matching..."

> here's the use-case: i do auth and connection all right but if/when i lost my
> connection and i try to reconnect that message shows me up in radius' debug;

Then your supplicant and/or access point is broken. If the supplicant loses association with the AP, then EAP *must* be re-started from scratch. Re-using State attributes from previous EAP sessions will cause authentication to fail on *every* single RADIUS server that exists.

> in about 20 min i succeed in reconnecting. i thought radius was stateless..

No. EAP requires state. The AP maintains state for EAP sessions.

> do you know if there is some config changes to do to avoid this trouble?

Fix the AP so that it doesn't re-use old State attributes.

Alan DeKok.
Postgres
Hi,

I would like to get Freeradius working with a PostgreSQL database: are there any handy HOWTOs or Tutorials that explain how to do this?

I am running RedHat EL5.

Relevant Packages:

    freeradius2.x86_64               2.1.7-2.el5         installed
    freeradius2-libs.x86_64          2.1.7-2.el5         installed
    freeradius2-postgresql.x86_64    2.1.7-2.el5         installed
    freeradius2-python.x86_64        2.1.7-2.el5         installed
    freeradius2-utils.x86_64         2.1.7-2.el5         installed
    postgresql.x86_64                8.1.11-1.el5_1.1    installed
    postgresql-libs.i386             8.1.11-1.el5_1.1    installed
    postgresql-libs.x86_64           8.1.11-1.el5_1.1    installed
    postgresql-server.x86_64         8.1.11-1.el5_1.1    installed

Regards,
Dave
Re: Default Proxy and Domain
Hi,

> i have a working setup but following question:
> In my proxy.conf i have one entry with our company nt domain (for wlan auth)
>
> realm ZB {
>     type = radius
>     authhost = LOCAL
>     accthost = LOCAL
>     strip
> }
>
> Why does it not work, if i configure the same with "realm DEFAULT", does the
> DEFAULT realm not match all realms, known or unknown ?

which version of FreeRADIUS and are you using eg the preprocess call in the config? if you run in full debug mode, you will see the realm being handled and more importantly SEE how/why it is being handled.

I moved away from 'DEFAULT' some time back - and instead use unlang to check the realm information and if the realm is blank or one of my own, i set the proxy-to-realm control stuff and if its not one of mine, i set the proxy-to-realm stuff accordingly too. that way the policy is defined and i know how things are going to be dealt with.

alan
Re: Small suggestion for FreeRadius debug output
Alan Buxey wrote:
> add a small 'x' ie radiusd -Xx
>
> (this was mentioned on this list a couple of days back)

Arg, I'm a dumbass... Sorry I must have missed it :)

Thanks!
Patric
Re: Small suggestion for FreeRadius debug output
Hi,

> I have been going through debug output for the last couple of days now
> attempting to resolve various configuration problems, and while not
> essential, it would be nice to see how much time has elapsed between a
> request and response for example...

add a small 'x' ie radiusd -Xx

(this was mentioned on this list a couple of days back)

alan
Default Proxy and Domain
Hello,

i have a working setup but following question:
In my proxy.conf i have one entry with our company nt domain (for wlan auth)

    realm ZB {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
    }

Why does it not work, if i configure the same with "realm DEFAULT", does the DEFAULT realm not match all realms, known or unknown ?

regards,
Andreas M.

--
g, Andreas M.
Re: Problems with bootstrapping certificates
On Wed, Oct 14, 2009 at 07:07:59PM +0100, Alan Buxey wrote:
> Hi,

Hello Alan, thanks for the response.

>
> > I have a question regarding bootstrapping default certificates using
> > bootstrap script in raddb/certs directory.
>
> Ideally once you've used the bootstrap you would remove the script that
> makes them from the eap.conf and then that's done.
>
> even better, you don't use the bootstrap script at all and instead install
> a proper CA, server.crt file etc
>
> the bootstrap is really only there to get a test server up and running
> quickly - you wouldn't want a snakeoil and very low timescale certificate
> to be used in production :-)

I completely agree with you. However, there is still an issue that bootstrap script does IMHO something different than what is described in the README.

To be more specific: I work on packaging freeradius server RPM. The README explicitly states that "This bootstrap script SHOULD be run on installation of any pre-built binary package for your OS." I understand that it should be run automatically in the %post section, like in the suse spec file included in the tarball. This leads to two problems:
- if the user runs bootstrap script manually after installation, the certificates get corrupted
- if the user performs upgrade of the package, the certificates get corrupted - this is worse than the first problem, since the user might already have his 'production' certificates installed.

So I suggest either to
1) do not recommend running the bootstrap script automatically and force the user to run it manually
or
2) fix the bootstrap script and/or Makefile to do nothing if the required files already exist.

--
Best regards / s pozdravem
Petr Uzel, openSUSE Boosters Team
SUSE LINUX, s.r.o.    e-mail: pu...@suse.cz
Lihovarská 1060/12    http://www.suse.cz
190 00 Prague 9, CR
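Option 2 in the message above (do nothing if the required files already exist) can be sketched as a guard around the generation step. This is an added example, not the FreeRADIUS bootstrap script or Makefile; the file names `ca.pem`, `server.pem` and `server.key`, the function names and the `CERT_GENERATOR` hook are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's bootstrap script. Assumed names:
# REQUIRED_CERT_FILES, CERT_GENERATOR, cert_state, guarded_bootstrap.

# Files that together make up a usable certificate set (assumed list).
REQUIRED_CERT_FILES="ca.pem server.pem server.key"

# Command that creates the files, run inside the certificate directory.
# A package would point this at its real generation step.
CERT_GENERATOR="${CERT_GENERATOR:-make all}"

# Print "complete", "empty" or "partial" for the directory given as $1.
cert_state() {
    dir=$1 present=0 missing=0
    for f in $REQUIRED_CERT_FILES; do
        if [ -s "$dir/$f" ]; then
            present=$((present + 1))
        else
            missing=$((missing + 1))
        fi
    done
    if [ "$missing" -eq 0 ]; then
        echo complete
    elif [ "$present" -eq 0 ]; then
        echo empty
    else
        echo partial
    fi
}

# Return 0 if certificates were generated or were already in place,
# 2 if a partial set was found (left untouched for an admin to inspect),
# 1 if generation failed or did not produce every required file.
guarded_bootstrap() {
    dir=$1
    case "$(cert_state "$dir")" in
        complete)
            echo "certificates already present in $dir, nothing to do" >&2
            return 0 ;;
        partial)
            echo "incomplete certificate set in $dir, refusing to overwrite" >&2
            return 2 ;;
    esac
    # Empty directory: generate under a restrictive umask so the private
    # key is not created group- or world-readable.
    (
        umask 077
        cd "$dir" && $CERT_GENERATOR
    ) || return 1
    [ "$(cert_state "$dir")" = complete ] || return 1
}
```

Called from a package's post-install step, a second run or a package upgrade leaves an existing set alone, and a half-populated directory is reported instead of being regenerated over.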
Small suggestion for FreeRadius debug output
Hi again, Alan

I have a very small suggestion, if I may - what about adding a timestamp to the debug output? I am not familiar with C, so don't know how difficult it would be to implement though...

I have been going through debug output for the last couple of days now attempting to resolve various configuration problems, and while not essential, it would be nice to see how much time has elapsed between a request and response for example...

Something like this:

    [2009-10-15 10:00:00] Sending Accounting-Response of id 0 to xxx.xxx.xxx.xxx port 59807
            Proxy-State = 0x323138
    [2009-10-15 10:00:00] Finished request 701.
    [2009-10-15 10:00:01] Cleaning up request 701 ID 0 with timestamp +1286
    [2009-10-15 10:00:01] Going to the next request
    [2009-10-15 10:00:02] Waking up in 0.3 seconds.

Just a thought :)

Thanks for everything!
Patric
Re: Question regarding retrying of requests in detail-combined file
Tim Sylvester wrote:
> Add this line to the home server configuration of Server A (running 2.1.7):
>
> no_response_fail = yes

Hi Tim,

That worked perfectly! Thank you :)

    Rejecting request 191 (proxy Id 218) due to lack of any response from home server xxx.xxx.xxx.xxx port 1813
    No response configured for request 191. Will retry in 30 seconds
    Finished request 191.
    Cleaning up request 191 ID 56389 with timestamp +140
    PROXY: Marking home server xxx.xxx.xxx.xxx port 1813 as zombie (it looks like it is dead).
    Sending Status-Server of id 46 to xxx.xxx.xxx.xxx port 1813
            Message-Authenticator := 0x
            NAS-Identifier := "Status Check. Are you alive?"
    Waking up in 0.8 seconds.
    Waking up in 3.9 seconds.
    rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx port 1813, id=46, length=49

And 30 seconds later the request is retried and succeeds :)

Is there any way for me to decrease the retry delay? In my specific case I know why its failing so retrying sooner should not be a problem.

Also, since both servers are mine, I have setup my virtual server with the following parameters. Any suggestions or tweaks would be appreciated :)

    home_server copy-acct-to-server-b {
        type = acct
        ipaddr = xxx.xxx.xxx.xxx
        port = 1813
        secret = my_secret
        response_window = 10
        zombie_period = 20
        #revive_interval = 120 (read in the docs that use of this is not recommended?)
        status_check = status-server
        check_interval = 10
        num_answers_to_alive = 1
        no_response_fail = yes
    }

Thanks again!
Patric
RE: Question regarding retrying of requests in detail-combined file
Add this line to the home server configuration of Server A (running 2.1.7):

    no_response_fail = yes

Tim

> -----Original Message-----
> From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org
> [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org]
> On Behalf Of Patric
> Sent: Thursday, October 15, 2009 12:05 AM
> To: FreeRadius users mailing list
> Subject: Question regarding retrying of requests in detail-combined file
>
> Hi all :)
>
> FreeRADIUS 2.1.7
> CentOS 5.2
>
> I am not too sure where to start here so I will describe the symptoms
> first:
>
> I have 2 freeradius servers that both receive accounting requests, and
> proxy these requests to each other, as well as log these requests to a
> detail file.
> I have noticed now that while server A is processing the detail-combined
> file and proxying the requests to server B, server B will fail to get a
> lock on its detail file, and the request will fail. When this happens it
> is not passing anything back to server A, and server A does not seem to
> be timing out the request, so it stops processing the detail-combined
> file and just sits there.
>
> A bit more in depth, server B is still running FR 1.1.6. I am in the
> process of updating to 2.1.7 but am being delayed due to outdated OS, so
> am moving this lot to a new server. The lock fail is occurring when
> server B tries to get a lock on the detail-combined file, so it is very
> likely that I have had the proxying setup incorrectly here all along,
> but since it is 1.1.6 I do not expect help here...
>
> What I would like to try figure out is how to get server A (2.1.7) to
> time out a proxy request and retry it...
>
> Any pointers to sections/docs would be great as always,
>
> Thanks a mill!
> Patric
Question regarding retrying of requests in detail-combined file
Hi all :)

FreeRADIUS 2.1.7
CentOS 5.2

I am not too sure where to start here so I will describe the symptoms first:

I have 2 freeradius servers that both receive accounting requests, and proxy these requests to each other, as well as log these requests to a detail file.
I have noticed now that while server A is processing the detail-combined file and proxying the requests to server B, server B will fail to get a lock on its detail file, and the request will fail. When this happens it is not passing anything back to server A, and server A does not seem to be timing out the request, so it stops processing the detail-combined file and just sits there.

A bit more in depth, server B is still running FR 1.1.6. I am in the process of updating to 2.1.7 but am being delayed due to outdated OS, so am moving this lot to a new server. The lock fail is occurring when server B tries to get a lock on the detail-combined file, so it is very likely that I have had the proxying setup incorrectly here all along, but since it is 1.1.6 I do not expect help here...

What I would like to try figure out is how to get server A (2.1.7) to time out a proxy request and retry it...

Any pointers to sections/docs would be great as always,

Thanks a mill!
Patric