RE: Check_item still wraps at 4gb
>> I have been trying for years now to simply cap users based on data
>> transferred above 4gb.
>>
>> It has only been now that I discovered, where the problem lies.
>
>>> RADIUS supports 32-bit integers. Not 64-bit integers.
>
>> How can I solve this?
>
>>> Patch the code to use 64-bit counters.

> I know it is expected to be a programmer to use open source software, but
> unfortunately I am not one. :/
> I do find it strange that only parts of freeradius seems compatible with
> the > 4gb figures.
>
> I have since employed a work around that now uses gigs as check item and
> not bytes, however this blows my reply item out the water.

Ok, so counter module can't handle returning two attributes in the reply (gigawords and octets). But perl can. Counting can be done by the sql module (to avoid overhead for connecting to the database in perl) and result (counted gigawords and octets) passed to perl for some very basic calculations. You will need more knowledge to construct counter queries in sql than for programming in perl.

> Any advice on what ISPs use as a radius solution?

Freeradius.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
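The arithmetic behind the reply above, as an added example (not part of the original message and not FreeRADIUS code): a 32-bit octet counter wraps at 4 GiB and the gigawords attribute counts the wraps, so usage and remaining quota are computed in 64 bits and split back into two 32-bit values for the reply. The struct, the function names and the session figures are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GIB ((uint64_t)1 << 30)

/* One accounting record: the 32-bit octet counter plus the number of times
 * it has wrapped (RADIUS Acct-Input-Octets / Acct-Input-Gigawords, or the
 * Output pair). Hypothetical struct, not a FreeRADIUS type. */
struct acct_usage {
    uint32_t gigawords;
    uint32_t octets;
};

/* Constructed sample: three sessions of 3 GiB, 2 GiB and 5 GiB. */
const struct acct_usage sample_sessions[] = {
    { 0, 3221225472u },
    { 0, 2147483648u },
    { 1, 1073741824u },
};

/* What a 32-bit counter sees: gigawords ignored, sum wraps modulo 2^32. */
uint32_t total_32bit(const struct acct_usage *s, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += s[i].octets;      /* unsigned overflow wraps silently */
    return sum;
}

/* Correct total: each record is gigawords * 2^32 + octets, summed in 64 bits. */
uint64_t total_64bit(const struct acct_usage *s, size_t n)
{
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += ((uint64_t)s[i].gigawords << 32) | s[i].octets;
    return sum;
}

/* Remaining quota, split into the two 32-bit values a reply has to carry.
 * Returns {0, 0} once the cap is reached, so the subtraction never underflows. */
struct acct_usage remaining_quota(uint64_t cap_bytes,
                                  const struct acct_usage *s, size_t n)
{
    uint64_t used = total_64bit(s, n);
    uint64_t left = used >= cap_bytes ? 0 : cap_bytes - used;
    struct acct_usage r = { (uint32_t)(left >> 32),
                            (uint32_t)(left & 0xffffffffu) };
    return r;
}

int main(void)
{
    size_t n = sizeof(sample_sessions) / sizeof(sample_sessions[0]);
    struct acct_usage r = remaining_quota(20 * GIB, sample_sessions, n);

    printf("32-bit total: %lu bytes\n",
           (unsigned long)total_32bit(sample_sessions, n));
    printf("64-bit total: %llu bytes\n",
           (unsigned long long)total_64bit(sample_sessions, n));
    printf("left of 20 GiB: gigawords=%lu octets=%lu\n",
           (unsigned long)r.gigawords, (unsigned long)r.octets);
    return 0;
}
```

With the sample sessions the 32-bit sum reports 2 GiB used while the real total is 10 GiB, which is the wrap described in this thread.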
RE: Check_item still wraps at 4gb
>> Marcel Grandemange wrote:
> I have been trying for years now to simply cap users based on data
> transferred above 4gb.
>
> It has only been now that I discovered, where the problem lies.

>> RADIUS supports 32-bit integers. Not 64-bit integers.

> How can I solve this?

>> Patch the code to use 64-bit counters.

I know it is expected to be a programmer to use open source software, but unfortunately I am not one. :/
I do find it strange that only parts of freeradius seems compatible with the > 4gb figures.

I have since employed a work around that now uses gigs as check item and not bytes, however this blows my reply item out the water.

Thank You for info, I am at least glad I have finally found the problem.

Any advice on what ISPs use as a radius solution?

>> Alan DeKok.

__ Information from ESET NOD32 Antivirus, version of virus signature database 4515 (20091016) __
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
Re: Check_item still wraps at 4gb
Marcel Grandemange wrote:
> I have been trying for years now to simply cap users based on data
> transferred above 4gb.
>
> It has only been now that I discovered, where the problem lies.

RADIUS supports 32-bit integers. Not 64-bit integers.

> How can I solve this?

Patch the code to use 64-bit counters.

Alan DeKok.
Re[2]: segfault when rlm_perl used
Hello, FreeRadius!

You wrote on 16 October 2009, 18:03:17:

> On Oct 16, 2009, at 2:57 PM, Michael Chernyakhovsky wrote:

>> Oct 13 21:58:53 rs kernel: radiusd[11441]: segfault at 20004 ip
>> b7478636 sp b502bcb0 error 4 in rlm_perl-2.1.7.so[b73cb000+15b000]
>> Oct 14 22:09:56 rs kernel: radiusd[17687]: segfault at 8 ip b731e35d
>> sp b6f61ce0 error 4 in rlm_perl-2.1.7.so[b71fd000+15b000]
>> Oct 14 22:14:06 rs kernel: radiusd[18374]: segfault at 8 ip b73d735d
>> sp b701ace0 error 4 in rlm_perl-2.1.7.so[b72b6000+15b000]
>> Oct 15 18:07:58 rs kernel: radiusd[23858]: segfault at 8 ip b745935d
>> sp ae89cce0 error 4 in rlm_perl-2.1.7.so[b7338000+15b000]
>> Oct 15 18:08:56 rs kernel: radiusd[23896]: segfault at c ip b74d400e
>> sp ae919c90 error 4[b73b5000+15b000]
>> Oct 15 18:09:55 rs kernel: radiusd[24042]: segfault at 8 ip b736935d
>> sp b07acce0 error 4 in rlm_perl-2.1.7.so[b7248000+15b000]

> Could you include the output of gdb, as suggested in doc/bugs?

Bug 31 created: https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=31

--
Best regards,
Michael Chernyakhovsky,
НП "Магинфоцентр", Magnitogorsk.
tel. (3519) 49-69-00, mob. +7 902 896 2872
Re: Several virtual servers with different log files?
> Hi, I have a freeRadius 2.1.7 server with three virtual servers
> listening to different kinds of clients. I would like to know whether it
> is possible to define different log files for these virtual servers,
> instead of the global log file defined in radiusd.conf.
>
> Reading the README file inside the sites-available directory, it seems
> that it is not possible to define a 'log' section in a virtual server.

It's documented in log section. Only requests line is below debug enabling example. It should be above.

Ivan Kalik
Kalik Informatika ISP
Re: How to disable threads in 2.1.7
From the man page for radiusd, the -s option specifies,
"Some systems have issues with threading, however, so running in "single server" mode may help to address those issues."

I cannot help but wonder if in fact others have been seeing this, and just opted for -s and less efficiency.

At this point all the (troubled) server receives are accounting packets. It then relays these packets to two (2) other radius servers, and processes them according to acct_users, which in turn runs a script for Stop packets.

Thus far, only running an external script has been identified (thanks Alan) as creating child processes of radiusd.

I really would LOVE for this to be a configuration error on my part, but so far I cannot locate one.

Thanks,
-craig

- Original Message -
From: "Phil Mayers"
To: "FreeRadius users mailing list"
Sent: Friday, October 16, 2009 8:52 AM
Subject: Re: How to disable threads in 2.1.7

Craig Campbell wrote:
> I was hoping to build a version that could fork children, but not spawn
> threads.

Not possible. You could run lots of copies with a single thread bound to different UDP ports, and load-balance them somehow.

> I cannot explain why apparently no one else is seeing the issue I am
> chasing. As far as I can tell, my configuration is quite basic.

The fact that it's not happening for anyone else would tend to indicate it's specific to your system. We fork processes on accounting in some of our virtual servers, and this doesn't happen.

__ Information from ESET Smart Security, version of virus signature database 4514 (20091016) __
The message was checked by ESET Smart Security.
http://www.eset.com
Re: Several virtual servers with different log files?
Francisco Javier Valdera Garcia wrote:
> Hi, I have a freeRadius 2.1.7 server with three virtual servers
> listening to different kinds of clients. I would like to know whether it
> is possible to define different log files for these virtual servers,
> instead of the global log file defined in radiusd.conf.

No. As always, patches are welcome.

Alan DeKok.
Re: How to disable threads in 2.1.7
Craig Campbell wrote:
> I was hoping to build a version that could fork children, but not spawn
> threads.

The server can "exec" child shell scripts. It *cannot* run multiple RADIUS servers as child processes.

> There are known 'challenges' in using the fork command in multi threaded
> environments. (As opposed to a process that forks children for
> different processing branches.) A couple of years ago I had an
> extremely challenging time modifying an existing threaded application to
> additionally fork off children to perform certain other tasks.

The challenge is in ensuring that the right thread catches the right child exit.

If you run the server with "radiusd -s", it won't spawn threads.

> The issue I am seeing of stranded/hung children looks similar (that is
> not to say I have caught the culprit... just suspicion at this point).
> The issue seems to happen only sometimes during bursts of increased
> load. (Same as my previous experience.)

It may be a race condition under heavy load. But I don't see why... the thread that forks then waits for the child to exit, and grabs the exit code. This should ensure that the child dies, rather than staying as a zombie.

> If I were to GUESS, at this point I'd look for interrupts that result in
> children when mute locks are in place and unintentionally inherited by
> the child process.

Except that the server doesn't fork... and continue running. It forks, and immediately exec's the shell script. If the shell script fails to be executed, the child *still* dies.

The child doesn't obtain *or* check mutexes in between the fork() and exec(). It does almost *nothing*, as there is only a 100 lines of code between the fork() and exec()

> (My solution was to acquire ALL locks before a fork,
> then have the child and parent clear them all after) - see man
> pthread_atfork section: RATIONALE if you have access to a Linux system).

That is for long-running children. We don't do that.

> I cannot explain why apparently no one else is seeing the issue I am
> chasing. As far as I can tell, my configuration is quite basic.

Kernel bugs? Possible race conditions in the code?

> I am now trying a run with the -s option but, if successful, it won't
> tell us much about why.

If it works...

Alan DeKok.
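The fork, immediate exec and per-child wait described in the message above, as an added example (not FreeRADIUS source and not code from any participant): the calling thread reaps exactly the pid it forked, and the child does nothing but exec. The function names `exec_and_wait` and `run_script` and the return-code convention are assumptions made for this sketch.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec argv[0] at once, then reap exactly that child in the calling
 * thread. Returns the exit code, 128 + signal number if the child was killed
 * by a signal, 127 if the exec failed, or -1 if fork()/waitpid() failed.
 * Hypothetical helper written for this example. */
int exec_and_wait(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child of a threaded parent: only the forking thread exists here,
         * and a mutex another thread held at fork() time stays locked.
         * So take no locks and call no malloc or stdio, just exec. */
        execv(argv[0], argv);
        _exit(127);             /* exec failed: the child still dies */
    }

    /* Parent: wait for this pid only. wait() or waitpid(-1, ...) here could
     * collect a child that a different thread is waiting for. */
    int status;
    pid_t got;
    do {
        got = waitpid(pid, &status, 0);
    } while (got < 0 && errno == EINTR);    /* interrupted by a signal: retry */

    if (got < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* Run "interp -c cmd". The interpreter path is a parameter so the
 * exec-failure path can be exercised with a path that does not exist. */
int run_script(const char *interp, const char *cmd)
{
    char *const argv[] = { (char *)interp, "-c", (char *)cmd, NULL };
    return exec_and_wait(argv);
}

int main(void)
{
    /* Constructed commands standing in for an accounting Stop script. */
    printf("clean exit      -> %d\n", run_script("/bin/sh", "exit 0"));
    printf("script error    -> %d\n", run_script("/bin/sh", "exit 3"));
    printf("killed by signal-> %d\n", run_script("/bin/sh", "kill -KILL $$"));
    printf("exec failure    -> %d\n", run_script("/nonexistent/sh", "exit 0"));
    return 0;
}
```

Because every path through the parent ends in a `waitpid` on its own child, no exit status is left uncollected, so no zombie remains for that pid.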
Re : Re: Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest
Thanks John for being so helpful!
I will try to check everything and review the recommended website.
Have a great day!
Al

- Original message -
From: John Dennis
Date: Friday, 16 October 2009, 8:02
Subject: Re: Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest
To: FreeRadius users mailing list

> On 10/15/2009 10:22 PM, adai...@vl.videotron.ca wrote:
> > Hi Everyone
> > I think I am getting ahead but now I got the following error:
> >
> > [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> > ++[pap] returns noop
> > No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> > Failed to authenticate the user.
> >
> > I was just trying to setup PAP (testuser) on the radius
> >
> > Would you know what the error could be ?
>
> You have to configure FreeRADIUS to tell it where to find users and their passwords. Are they in the FreeRADIUS users file? Are they system users with login accounts? Are they in an ldap directory? Are they in a SQL database?
>
> If you're trying to just confirm PAP is working then have you read and followed the example here:
>
> http://deployingradius.com/documents/configuration/pap.html
>
> BTW, deployingradius.com is the only other web site besides the FreeRADIUS site and its wiki that is recommended because it's run by Alan DeKok the principal developer of FreeRADIUS. Other web sites tend to have out of date information or erroneous information.
>
> Also, note that the users file is read upon server start up, if you modify the users file (or any other file read by the server) you'll have to restart the server to see the change. There are other ways to get the server to reload its files but since you're new to this we're going to keep it simple. As a side note, one advantage of using LDAP or SQL as your backend data source is you can add, remove, and edit the data in the backend and the FreeRADIUS server will immediately see the change without having to do anything special, thus you can immediately see one disadvantage of user data stored in files as opposed to a dynamic backend.
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Several virtual servers with different log files?
Hi,

I have a freeRadius 2.1.7 server with three virtual servers listening to different kinds of clients. I would like to know whether it is possible to define different log files for these virtual servers, instead of the global log file defined in radiusd.conf.

Reading the README file inside the sites-available directory, it seems that it is not possible to define a 'log' section in a virtual server.

Thanks for the help,
Francisco Javier Valdera.
Re: How to disable threads in 2.1.7
Craig Campbell wrote:
> I was hoping to build a version that could fork children, but not spawn
> threads.

Not possible. You could run lots of copies with a single thread bound to different UDP ports, and load-balance them somehow.

> I cannot explain why apparently no one else is seeing the issue I am
> chasing. As far as I can tell, my configuration is quite basic.

The fact that it's not happening for anyone else would tend to indicate it's specific to your system. We fork processes on accounting in some of our virtual servers, and this doesn't happen.
Re: How to disable threads in 2.1.7
I was hoping to build a version that could fork children, but not spawn threads.

There are known 'challenges' in using the fork command in multi threaded environments. (As opposed to a process that forks children for different processing branches.) A couple of years ago I had an extremely challenging time modifying an existing threaded application to additionally fork off children to perform certain other tasks.

The issue I am seeing of stranded/hung children looks similar (that is not to say I have caught the culprit... just suspicion at this point). The issue seems to happen only sometimes during bursts of increased load. (Same as my previous experience.)

If I were to GUESS, at this point I'd look for interrupts that result in children when mute locks are in place and unintentionally inherited by the child process. (My solution was to acquire ALL locks before a fork, then have the child and parent clear them all after) - see man pthread_atfork section: RATIONALE if you have access to a Linux system).

I cannot explain why apparently no one else is seeing the issue I am chasing. As far as I can tell, my configuration is quite basic.

I am now trying a run with the -s option but, if successful, it won't tell us much about why.

Thanks for all the assistance,
-craig

- Original Message -
From: "Alan DeKok"
To: "FreeRadius users mailing list"
Sent: Friday, October 16, 2009 8:15 AM
Subject: Re: How to disable threads in 2.1.7

Craig Campbell wrote:
> So I cannot have multi processes without having threads as well?

What does that mean?

Alan DeKok.
Re: How to disable threads in 2.1.7
On Friday 16 October 2009 13:27:28 John Dennis wrote:
> On 10/16/2009 08:15 AM, Alan DeKok wrote:
> > What does that mean?
>
> That was strange :-) Our two responses were word for word identical and
> almost at the same time
>
> When I was a kid and two people said the same thing at the same time it
> became a race to see who would say this next:
>
> "Jinx! You owe me a bottle of Coke."
>
> often followed by:
>
> "No backs. No takes. No refunds. No penny tax."

Where I'm from we say different things when that happens, but I heard that same thing from an old loony in the Spielberg's "Always" movie :D .

> so ...
>
> Jinx! You owe me a bottle of Coke. :-) :-)
Re: Several LDAP searches
Ivan Kalik wrote:
>>>> I am configuring a freeradius server (version 2.1.7). I need two listen sections, both to authenticate users using the same LDAP server. The thing is that I need to do different searches with different filters, depending on which listen section is asked. What is the best way to configure this, if there is one? I have read the documentation, the wiki and the configuration files and I couldn't figure it out.
>>>
>>> Configure two ldap instances and use them in virtual servers listen sections point to.
>>
>> Thanks for the help, but I'm pretty new at freeRadius, can anyone tell me how do I do this?
>
> http://wiki.freeradius.org/Rlm_sql#Instances
>
> Same applies to ldap or any other module. If you are using groups:
>
> http://wiki.freeradius.org/Rlm_ldap#Group_Support
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks a lot, Ivan, it worked like a charm :D.

Greetings,
Francisco Javier.
Re: How to disable threads in 2.1.7
On 10/16/2009 08:15 AM, Alan DeKok wrote:
> What does that mean?

That was strange :-) Our two responses were word for word identical and almost at the same time

When I was a kid and two people said the same thing at the same time it became a race to see who would say this next:

"Jinx! You owe me a bottle of Coke."

often followed by:

"No backs. No takes. No refunds. No penny tax."

so ...

Jinx! You owe me a bottle of Coke. :-) :-)

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: How to disable threads in 2.1.7
Craig Campbell wrote:
> So I cannot have multi processes without having threads as well?

What does that mean?

Alan DeKok.
Re: How to disable threads in 2.1.7
On 10/16/2009 08:03 AM, Craig Campbell wrote:
> So I cannot have multi processes without having threads as well?

What does that mean?

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: How to disable threads in 2.1.7
So I cannot have multi processes without having threads as well?

- Original Message -
From: "Ivan Kalik"
To: "FreeRadius users mailing list"
Sent: Friday, October 16, 2009 7:57 AM
Subject: Re: How to disable threads in 2.1.7

> I am trying to build a version of 2.1.7 without threads (trying to debug
> an abandoned child process issue). on a redhat AS5 Linux system

You don't build it without threads, you start it without threads. See man radiusd.

Ivan Kalik
Kalik Informatika ISP
Re: segfault when rlm_perl used
On Oct 16, 2009, at 2:57 PM, Michael Chernyakhovsky wrote:

> Oct 13 21:58:53 rs kernel: radiusd[11441]: segfault at 20004 ip b7478636 sp b502bcb0 error 4 in rlm_perl-2.1.7.so[b73cb000+15b000]
> Oct 14 22:09:56 rs kernel: radiusd[17687]: segfault at 8 ip b731e35d sp b6f61ce0 error 4 in rlm_perl-2.1.7.so[b71fd000+15b000]
> Oct 14 22:14:06 rs kernel: radiusd[18374]: segfault at 8 ip b73d735d sp b701ace0 error 4 in rlm_perl-2.1.7.so[b72b6000+15b000]
> Oct 15 18:07:58 rs kernel: radiusd[23858]: segfault at 8 ip b745935d sp ae89cce0 error 4 in rlm_perl-2.1.7.so[b7338000+15b000]
> Oct 15 18:08:56 rs kernel: radiusd[23896]: segfault at c ip b74d400e sp ae919c90 error 4[b73b5000+15b000]
> Oct 15 18:09:55 rs kernel: radiusd[24042]: segfault at 8 ip b736935d sp b07acce0 error 4 in rlm_perl-2.1.7.so[b7248000+15b000]

Could you include the output of gdb, as suggested in doc/bugs?

Best Regards,
Boian Jordanov
R&D Expert
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
Re: Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest
On 10/15/2009 10:22 PM, adai...@vl.videotron.ca wrote:
> Hi Everyone
> I think I am getting ahead but now I got the following error:
>
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Failed to authenticate the user.
>
> I was just trying to setup PAP (testuser) on the radius
>
> Would you know what the error could be ?

You have to configure FreeRADIUS to tell it where to find users and their passwords. Are they in the FreeRADIUS users file? Are they system users with login accounts? Are they in an ldap directory? Are they in a SQL database?

If you're trying to just confirm PAP is working then have you read and followed the example here:

http://deployingradius.com/documents/configuration/pap.html

BTW, deployingradius.com is the only other web site besides the FreeRADIUS site and its wiki that is recommended because it's run by Alan DeKok the principal developer of FreeRADIUS. Other web sites tend to have out of date information or erroneous information.

Also, note that the users file is read upon server start up, if you modify the users file (or any other file read by the server) you'll have to restart the server to see the change. There are other ways to get the server to reload its files but since you're new to this we're going to keep it simple. As a side note, one advantage of using LDAP or SQL as your backend data source is you can add, remove, and edit the data in the backend and the FreeRADIUS server will immediately see the change without having to do anything special, thus you can immediately see one disadvantage of user data stored in files as opposed to a dynamic backend.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
segfault when rlm_perl used
Hi,

i build FR 2.1.7 on slackware 13.0 (glibc-2.9) with perl 5.10.0.

every time, i kill radiusd, message like

radiusd[5754]: segfault at 0 ip b73e2213 sp bfb86dac error 4 in libc-2.9.so[b736b000+15a000]

appears in the log. This is not good bad, but worst when radiusd crashed on run-time. Then in logs appears message like:

Oct 13 21:58:53 rs kernel: radiusd[11441]: segfault at 20004 ip b7478636 sp b502bcb0 error 4 in rlm_perl-2.1.7.so[b73cb000+15b000]
Oct 14 22:09:56 rs kernel: radiusd[17687]: segfault at 8 ip b731e35d sp b6f61ce0 error 4 in rlm_perl-2.1.7.so[b71fd000+15b000]
Oct 14 22:14:06 rs kernel: radiusd[18374]: segfault at 8 ip b73d735d sp b701ace0 error 4 in rlm_perl-2.1.7.so[b72b6000+15b000]
Oct 15 18:07:58 rs kernel: radiusd[23858]: segfault at 8 ip b745935d sp ae89cce0 error 4 in rlm_perl-2.1.7.so[b7338000+15b000]
Oct 15 18:08:56 rs kernel: radiusd[23896]: segfault at c ip b74d400e sp ae919c90 error 4[b73b5000+15b000]
Oct 15 18:09:55 rs kernel: radiusd[24042]: segfault at 8 ip b736935d sp b07acce0 error 4 in rlm_perl-2.1.7.so[b7248000+15b000]

when i comment out all "perl" statement in config, any segfault ("in rlm_perl-2.1.7.so" and "in libc-2.9.so") disappears.

Regards,
Michael.
Re: How to disable threads in 2.1.7
> I am trying to build a version of 2.1.7 without threads (trying to debug
> an abandoned child process issue). on a redhat AS5 Linux system

You don't build it without threads, you start it without threads. See man radiusd.

Ivan Kalik
Kalik Informatika ISP
How to disable threads in 2.1.7
I am trying to build a version of 2.1.7 without threads (trying to debug an abandoned child process issue). on a redhat AS5 Linux system

Every configure option I try seems to be ignored.

In config.log I find entries like,

Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=x86_64-redhat-linux
Thread model: posix

I have tried the following options for configure, all with no apparent luck,

./configure --with-threads=no
./configure --disable-threads
./configure --enable-threads=NO
./configure --enable-threads=no --with-threads=no --disable-threads --disable-thread --with-thread=no
./configure --disable-threads --disable-thread
./configure --disable-pthreads --disable-thread
./configure --disable-pthreads --disable-thread

Has anyone determined how to disable threads?

Thanks,
-craig

Craig Campbell
craig.campb...@ccraft.ca
CampbellCraft Consulting Inc
2 Kenny Court
Whitby, Ontario
Canada L1R 2L8
905 922-2789
Re: Proxy based on Multiple Realms
> Perfect, I think that is exactly what I want, but I'm hoping you might be
> able to help me with the syntax. I am trying this, but it doesn't seem to
> work:
>
> # - From the proxy.conf file:
> realm host {
>     if ( Stripped-User-Name =~ ".*\.domain\.name" ) {
>         pool = adradius
>         nostrip
>     }
> }

You can't use unlang in proxy.conf file. Use it in virtual server configuration (authorize section).

Ivan Kalik
Kalik Informatika ISP
Re: Users and groups with Microsoft AD
> I've tried searching the web before actually submitting this post in order
> to cover all angles. I know it's possible for freeradius to authenticate
> against Microsoft AD groups, users, etc. However, is it possible to
> authenticate by combining groups? In other words, can freeradius
> authenticate against users AND groups? I would like to say only members of
> computers AND users are allowed to authenticate against freeradius while all
> others are rejected.
>
> Is this even possible? Or, is there something about using peap and combining
> groups that will not allow this to occur? Currently I'm running freeradius
> 2.1.6 on freebsd 7.2 and windows 2003.

Yes. Configure AD as ldap server in raddb/modules/ldap and use group membership queries (Ldap-Group).

Ivan Kalik
Kalik Informatika ISP
Re: Proxy based on Multiple Realms
Perfect, I think that is exactly what I want, but I'm hoping you might be able to help me with the syntax. I am trying this, but it doesn't seem to work:

# - From the proxy.conf file:
realm host {
    if ( Stripped-User-Name =~ ".*\.domain\.name" ) {
        pool = adradius
        nostrip
    }
}

Thanks
Bob

On Thu, Oct 15, 2009 at 3:38 PM, Alan Buxey wrote:
> Hi,
> > What I want to do is proxy requests based on being in multiple realms. For
> > example:
> > Realm1/username.Realm2
>
> so long as the second part will always be username.realm2 (and you don't get
> into user.name.realm2 then you can use 2.1.x with unlang to configure what
> you need. you need to use a decent regex pattern to match
>
> $1/[string].$2 (in fact, you can simply ignore $1 as it will always
> be host/ if dealing with type of traffic i expect)...and then you can simply
> set the proxy-to-realm to be equal to the $2 value.
>
> however, this is not a trivial 'it'll just work' and the realm details
> might not be the sites real NAI realm (as it might be an internal AD realm
> that has no basis on real world name, for example).
>
> PS in eduroam we only allow the authentication of users via RFC NAI values -
> this stops this nasty machine authentication mess (which most RADIUS servers
> will not be able to handle) - i guess this is a demonstration of FR
> power/flexibility rather than common use :-)
>
> alan
Re: Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest
> Hi Everyone
> I think I am getting ahead but now I got the following error:
>
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
> Failed to authenticate the user.
>
> I was just trying to setup PAP (testuser) on the radius
>
> Would you know what the error could be ?

Where is your password supposed to be?

Ivan Kalik
Kalik Informatika ISP
Help on adding value to mysql
Hello to all,

I've freeradius installed on a CentOS 4.5: freeradius-1.1.5-0.

I would like to add a new field to my radacct table to log a new value taken from sip/ser accounting. Until here ok, It's sufficient to alter the table, add the value into proper dictionary and alter the sql inserts to add the value.

What I would like to do is to modify the value BEFORE insert it into mysql.

The detail-file logs the following value:

(...)
Sip-Translated-Request-ID = "sip:@:;transport=udp"
(...)

Also I would like to add to MySQL (radacct) the Sip-Translated-Request-ID field, BUT ONLY the .

I should execute a sort of regexp or something that gives me the following result, for example:

Sip-Translated-Request-ID = `echo "sip:@:;transport=udp" | awk -F@ '{ print $2 }' | awk -F: '{ print $1 }'`

This would return me only the IP-ADDRESS to add within '%{Sip-Translated-Request-ID}'.

Can someone help me a little bit?

Thanks
Simon
Re: Several LDAP searches
Ivan Kalik wrote:
>> I am configuring a freeradius server (version 2.1.7). I need two listen sections, both to authenticate users using the same LDAP server. The thing is that I need to do different searches with different filters, depending on which listen section is asked. What is the best way to configure this, if there is one? I have read the documentation, the wiki and the configuration files and I couldn't figure it out.
>
> Configure two ldap instances and use them in virtual servers listen sections point to.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for the help, but I'm pretty new at freeRadius, can anyone tell me how do I do this?

Greetings,
Francisco Javier Valdera.