Upgrade From 1 to 2 - problem with authorize
Hi,

I'm trying to upgrade my setup from freeradius 1 to freeradius 2. I've been making little changes to the config as suggested in the doc and I managed to get my setup connecting to my mssql backend. However, when I try and authorize with a user/pass, I get an error - actually more of a warning. I've Googled about but although others have had this error I haven't really seen a good explanation of why it occurs, let alone how to solve it. The warning is...

rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=16, length=168
        NAS-IP-Address = 10.152.0.7
        User-Name = 9
        User-Password = 9
        Service-Type = Login-User
        NAS-Port-Type = Async
        Calling-Station-Id = 1002
        Quintum-h323-conf-id = h323-conf-id=34616537 32353264 62350001 0008
        Quintum-AVPair = h323-ivr-out=ACCESSCODE:990006
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = 9, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} - 9
[sql] sql_set_user escaped user -- '9'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') - SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9')
query: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9')
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!                                                                       !!!
!!!   Replacing User-Password in config items with Cleartext-Password.    !!!
!!!                                                                       !!!
!!!   Please update your configuration so that the known good             !!!
!!!   clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!                                                                       !!!
+- entering group PAP {...}
[pap] login attempt with password 9
[pap] Using clear text password 9
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [9] (from client 10.152.0.7 port 0 cli 1002)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 10.152.0.7 port 20001
Finished request 0.

Although the last line there says 'Sending Access-Accept', I do not get authorized at the NAS end. Here's how things play out on my old version 1 setup:

rad_recv: Access-Request packet from host 10.152.0.7:20001, id=31, length=168
        NAS-IP-Address = 10.152.0.7
        User-Name = 9
        User-Password = 9
        Service-Type = Login-User
        NAS-Port-Type = Async
        Calling-Station-Id = 1002
        Quintum-h323-conf-id = h323-conf-id=34616537 32383034 62640001 0008
        Quintum-AVPair = h323-ivr-out=ACCESSCODE:990006
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = 9, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 0
radius_xlat: '9'
rlm_sql (sql): sql_set_user escaped user -- '9'
radius_xlat: 'SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9')'
rlm_sql (sql): Reserving sql socket id: 49
query: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9')
radius_xlat: 'SELECT * FROM dbo.Rad_Group_Check('9')'
query: SELECT * FROM dbo.Rad_Group_Check('9')
radius_xlat: ''
radius_xlat: 'EXEC Rad_Authenticate @username = '9', @dialstring_from = '1002', @dialstring_to = '', @gw_session_id = '34616537 32383034 62640001 0008', @ivr_out = 'h323-ivr-out=ACCESSCODE:990006', @gw_ip = '10.152.0.7', @call_origin = '', @gw_name = '' '
query: EXEC Rad_Authenticate @username = '9', @dialstring_from = '1002', @dialstring_to = '', @gw_session_id = '34616537 32383034 62640001 0008', @ivr_out = 'h323-ivr-out=ACCESSCODE:990006', @gw_ip = '10.152.0.7',
RE: radacct and db handles
The problem is that the 'Reply-Msg' attribute is not recognized by the radius server because it is a vendor-specific attribute. Try to find the specific dictionary.

From: adem...@netwizard.com.br
To: t...@kalik.net; freeradius-users@lists.freeradius.org
Subject: RE: radacct and db handles
Date: Fri, 23 Oct 2009 12:34:05 -0200

> Hi Ivan,
>
> I ran the server with radiusd -X and couldn't find the same error in the log. The only sql failure I found is a Msg reply field:
>
> [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alexandre' ORDER BY id
> [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'alexandre' ORDER BY priority
> [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'SUSPENSO' ORDER BY id
> rlm_sql: Failed to create the pair: Invalid octet string Conta Suspensa. Entre em contato com o setor financeiro. for attribute name Reply-Msg
> rlm_sql (sql): Error getting data from database
> [sql] Error retrieving check pairs for group SUSPENSO
> [sql] Error processing groups; rejecting user
> rlm_sql (sql): Released sql socket id: 2
> ++[sql] returns fail
>
> -----Original Message-----
> From: Ivan Kalik [mailto:t...@kalik.net]
> Sent: Thursday, 22 October 2009 21:22
> To: adem...@netwizard.com.br; FreeRadius users mailing list
> Subject: Re: radacct and db handles
>
> > I installed freeradius with daloradius on an FC11 box, everything new. After some corrections everything is working, but in radius.log I constantly receive the error message below:
> >
> > Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
> >
> > I checked my radius db and radacct table and there are many indexed and nothing I could find is the problem. It only happens when I enable radius accounting in SQL.
>
> Run server in debug mode and see which queries are failing.
>
> Ivan Kalik
> Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: double realm problem
I was trying to reject those double realms, but I cannot find the right syntax and/or where to put the lines. I was trying to put these lines in the users file:

DEFAULT User-Name =~ /^...@company.com@.*/
        Auth-Type := Reject

That did not work. When putting:

if (User-Name ~= /^...@company.com@.*/) {
        reject
}

in the server configuration in the authorize section, I get a strange error. I am quite new to configuring freeradius; it would be nice if someone could give me some real hint on how and where to reject those double @ @.

Thanks in advance.

-euro

On Wed, Oct 7, 2009 at 5:36 PM, Alexander Clouter a...@digriz.org.uk wrote:
> mr typo euroregist...@gmail.com wrote:
> > I do have a problem with our freeradius configuration and I have no idea how to solve it. We do have one realm configured, domainname.com, which works perfectly. Every user who wants to authenticate with a different realm is proxied to an outside radius server. The setup works fine. We do have some mobile devices which send something like:
> >
> > usern...@company.com@wlan.mnc003.mc
> > usern...@company.com@Verisign...
> >
> > We send these requests to our proxy and the proxy sends it back to us. From my understanding I can't solve it with a regex in the proxy.conf, right? Since the realm is just the string after the last @? Does anyone have an idea how I can process such requests in my company.com realm? Inside the realm I strip everything out, so it should work then.
>
> Use some unlang in 'authorize' *before* you call 'suffix' that looks like:
>
> if (User-Name =~ /^(@company.com)@.*/) {
>         update request {
>                 User-Name := "%{1}"
>         }
> }
>
> As a side note, I currently have in proxy.conf:
>
> # blackhole routing
> realm myabc.com {
>         virtual_server = auth-reject
>         nostrip
> }
> realm ~\\.3gppnetwork\\.org$ {
>         virtual_server = auth-reject
>         nostrip
> }
>
> ...and a virtual server:
>
> server auth-reject {
>         authorize {
>                 suffix
>
>                 switch "%{Realm}" {
>                         case NULL {
>                                 update reply {
>                                         Reply-Message := "No Realm"
>                                 }
>                         }
>                         # we should not get here
>                         case DEFAULT {
>                                 update reply {
>                                         Reply-Message := "ERROR"
>                                 }
>                         }
>                         # we *really* should not get here
>                         case "%{config:local.MY.realm}" {
>                                 update reply {
>                                         Reply-Message := "BIG ERROR"
>                                 }
>                         }
>                         case {
>                                 update reply {
>                                         Reply-Message := "Realm Blackholed"
>                                 }
>                         }
>                 }
>
>                 reject
>         }
> }
>
> I would recommend you reject straight away any double realmed users as you will only find yourself later on still having to deal with misconfigured kit; pain now means a *lot* less pain later down the road in my experience.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14
Re: Upgrade From 1 to 2 - problem with authorize
> Hi, managed to get my setup connecting to my mssql backend. However, when I try and authorize with a user/pass, I get an error - actually more of a warning. I've Googled about but although others have had this error I haven't really seen a good explanation of why it occurs let alone how to solve. The warning is...

The warning is fairly self-explanatory - you are using User-Password in your SQL; you should be using Cleartext-Password (with the correct operator). I'm with Alan on this one - I don't know HOW the message could be any clearer!?!

As for not authenticating - once again - look at your debug... here is your new server:

Login OK: [9] (from client 10.152.0.7 port 0 cli 1002)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 10.152.0.7 port 20001
Finished request 0.

and here is the old server:

Sending Access-Accept of id 31 to 10.152.0.7 port 20001
        h323-return-code = h323-return-code=0
        h323-billing-model = h323-billing-model=0
        h323-credit-amount = h323-credit-amount=76.15
        h323-currency = h323-currency=AUD
Finished request 0

Spot the difference?

alan
Re: Upgrade From 1 to 2 - problem with authorize
Robert White rwh...@globalgossip.net writes:
> I'm trying to upgrade my setup from freeradius 1 to freeradius 2. I've been making little changes to the config as suggested in the doc and I managed to get my setup connecting to my mssql backend. However, when I try and authorize with a user/pass, I get an error - actually more of a warning. I've Googled about but although others have had this error I haven't really seen a good explanation of why it occurs let alone how to solve.

I believe the rlm_pap(5) man page explains the different password attributes and their usage pretty well.

The point the server is trying to make you aware of is that you can't really do an equality check on the User-Password. The attribute received from the other end is encrypted: http://freeradius.org/rfc/rfc2865.html#User-Password

That's why

luser User-Password == foo

is wrong. Don't do it.

When you configure a user account, you will instead *set* another server configuration attribute which may be used by the authentication modules to verify the received User-Password. So you'll do

luser Cleartext-Password := foo

and the rlm_pap module will see both the Cleartext-Password you set and the User-Password the NAS sent and do whatever it needs to verify that they match. This concept might be even clearer if you instead configure

luser Crypt-Password := aaKNIEDOaueR6

The rlm_pap will still be able to verify the received password.

> Sending Access-Accept of id 16 to 10.152.0.7 port 20001

Looks like your 2.x config doesn't have any reply attributes.

> Sending Access-Accept of id 31 to 10.152.0.7 port 20001
>         h323-return-code = h323-return-code=0
>         h323-billing-model = h323-billing-model=0
>         h323-credit-amount = h323-credit-amount=76.15
>         h323-currency = h323-currency=AUD

while the 1.x config sends a number of them. Maybe that's why your NAS doesn't do what you expect, even if it gets an accept in both cases?

Bjørn
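To make Bjørn's point concrete, here is an added Python model of the RFC 2865 User-Password hiding; it is not code from this thread or from the FreeRADIUS source. The shared secret, the Request Authenticator and the password "9" are constructed sample inputs. It shows why a check item comparing User-Password against a literal can never match (the wire value is the password XORed with an MD5 keystream chained to the Request Authenticator), while a module that knows the client's shared secret can recover the password and compare it with Cleartext-Password.

```python
import hashlib
import hmac
import os

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2, NAS side: pad the password with NULs to a multiple of
    16 octets, then XOR each block with MD5(secret + previous block); the first
    block is chained to the 16-octet Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += block
        prev = block  # chaining uses the *hidden* block, not the plaintext
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: possible only because the server knows the client's shared
    secret.  The keystream for block n depends on hidden block n-1."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], keystream))
        prev = hidden[i:i + BLOCK]
    return plain.rstrip(b"\x00")  # drop the NUL padding; passwords cannot contain NUL


def naive_user_password_check(wire_user_password: bytes, configured: bytes) -> bool:
    """What a check item 'User-Password == foo' amounts to: comparing the hidden
    wire value against the configured string.  It can never match."""
    return wire_user_password == configured


def pap_check(wire_user_password: bytes, secret: bytes, authenticator: bytes,
              cleartext_password: bytes) -> bool:
    """What 'Cleartext-Password := foo' lets a PAP module do: recover the password
    the NAS sent and compare it with the known-good value in constant time."""
    recovered = reveal_user_password(wire_user_password, secret, authenticator)
    return hmac.compare_digest(recovered, cleartext_password)


if __name__ == "__main__":
    # Constructed sample values: a shared secret, a random Request Authenticator
    # and the password "9" seen in the debug output of this thread.
    secret = b"testing123"
    authenticator = os.urandom(BLOCK)
    on_the_wire = hide_user_password(b"9", secret, authenticator)
    print("User-Password on the wire :", on_the_wire.hex())
    print("User-Password == 9        :", naive_user_password_check(on_the_wire, b"9"))
    print("Cleartext-Password := 9   :", pap_check(on_the_wire, secret, authenticator, b"9"))
```

Because the Request Authenticator is fresh per packet, the same password produces a different 16-octet wire value every time, which is the second reason a static equality check on User-Password is meaningless.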
Unexpected Exiting normally 2.1.8?
I'm running an unreleased 'development' version of freeradius (2.1.8?). So far it is working well, but it is terminating for reasons I cannot determine. The log contains the following:

Mon Oct 26 15:48:57 2009 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Mon Oct 26 15:48:57 2009 : Info: rlm_sql (sql): Attempting to connect to radi...@localhost:/radius
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server inner-tunnel
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server copy-acct-to-home-server
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server copy-acct-to-radius-c
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server default
Mon Oct 26 15:48:57 2009 : Info: Ready to process requests.
Mon Oct 26 17:57:33 2009 : Error: PROXY: Marking home server 192.168.1.226 port 1813 as zombie (it looks like it is dead).
Mon Oct 26 17:58:13 2009 : Info: PROXY: Marking home server 192.168.1.226 port 1813 as dead.
Mon Oct 26 20:05:36 2009 : Info: Exiting normally.

The zombie messages are suspicious, since neither host is experiencing any significant load. (The zombie server is also 2.1.8. There is a 2.1.7 server as well NOT being zombied.) The exit message is much later, but there is no hint as to WHY it is exiting normally.

Any hints would be greatly appreciated.

Thanks,
-craig

Craig Campbell craig.campb...@ccraft.ca
CampbellCraft Consulting Inc
2 Kenny Court
Whitby, Ontario Canada L1R 2L8
905 922-2789
Re: double realm problem
mr typo euroregist...@gmail.com wrote:
> I was trying to reject those double realms, but I cannot find the right syntax and/or where to put the lines. I was trying to put these lines in the users file:
>
> DEFAULT User-Name =~ /^...@company.com@.*/
>         Auth-Type := Reject
>
> That did not work. When putting:
>
> if (User-Name ~= /^...@company.com@.*/) {
>         reject
> }
>
> in the server configuration in the authorize section, I get a strange error. I am quite new to configuring freeradius; it would be nice if someone could give me some real hint on how and where to reject those double @ @.

In addition to my blackholing I now have added to my policy.conf file:

# only needs to be close enough to catch unroutable guff
validate_username {
        if (User-Name !~ /@/ \
                || ( \
                        User-Name !~ /@.*@/ && \
                        User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
                ) \
        ) {
                ok
        }
        else {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }
}

Then in your authorize section you just place 'validate_username' and it looks after everything for you.

What the above bumpf does is:

* permit realmless (usernames without an '@') through, these are rejected later by matching against the NULL realm (*important*)
* if there is an '@' in there then it
  * rejects if there are two or more '@'s
  * rejects if the *realm* is not valid, for example the realm *must* be made up of at least two parts, and the end part must be at least two characters long

Hope that helps

Cheers

--
Alexander Clouter
.sigmonster says: The best things in life are for a fee.
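The following is an added Python reference model of the validate_username policy above, written to let you check which User-Names the three conditions accept or reject before deploying the unlang; it is not Alexander's code and not unlang. The POSIX character classes are translated to ASCII ranges (an assumption that the server runs in the C locale), and the sample User-Names are constructed from the patterns quoted in this thread.

```python
import re
from typing import Optional, Tuple

# The unlang regexes, with POSIX classes translated to ASCII ranges (assumption:
# C locale): [:graph:] -> printable non-space, [:alnum:] -> [A-Za-z0-9],
# [:alpha:] -> [A-Za-z]
HAS_AT = re.compile(r"@")
DOUBLE_AT = re.compile(r"@.*@")
VALID_REALM = re.compile(r"^[!-~]*@([-A-Za-z0-9]+\.)+[A-Za-z]{2,}$")

REJECT_MSG = "Invalid User-Name Syntax"


def validate_username(user_name: str) -> Tuple[str, Optional[str]]:
    """Mirror of the policy's decision: ('ok', None) or ('reject', Reply-Message).

    1. no '@' at all          -> ok   (the NULL realm deals with it later)
    2. exactly one '@' and a realm of at least two labels whose last label
       is two or more letters -> ok
    3. anything else          -> reject with the Reply-Message
    """
    if not HAS_AT.search(user_name):
        return ("ok", None)
    if not DOUBLE_AT.search(user_name) and VALID_REALM.match(user_name):
        return ("ok", None)
    return ("reject", REJECT_MSG)


if __name__ == "__main__":
    # Constructed sample User-Names modelled on the ones discussed in the thread
    samples = [
        "bob",                                 # realmless
        "bob@company.com",                     # well-formed realm
        "bob@wlan.mnc003.mc",                  # multi-label realm, two-letter TLD
        "bob@company.com@wlan.mnc003.mc",      # double realm from a mobile device
        "bob@company.com@Verisign",            # double realm
        "bob@localhost",                       # realm with a single label
        "bob@company.c",                       # last label too short
    ]
    for name in samples:
        print(f"{name:36} -> {validate_username(name)}")
```

Running the model on a list of real User-Names from your own detail or auth logs before you enable the policy is a cheap way to confirm that it only rejects the double-realm and malformed names and does not catch a legitimate realm you proxy.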
RE: radacct and db handles
OK, this Reply-Msg doesn't matter; the real issue is the db handles message. I could solve this by setting the number of db sessions to the number of NASes (45).

From: freeradius-users-bounces+ademirk=netwizard.com...@lists.freeradius.org [mailto:freeradius-users-bounces+ademirk=netwizard.com...@lists.freeradius.org] On Behalf Of Santiago Balaguer García
Sent: Tuesday, 27 October 2009 06:08
To: Lista de correo RADIUS
Subject: RE: radacct and db handles

> The problem is that the 'Reply-Msg' attribute is not recognized by the radius server because it is a vendor-specific attribute. Try to find the specific dictionary.
Re: double realm problem
Hello Alexander,

Thanks a lot for this piece of code, but now I have a problem getting it to work. In radiusd.conf I have an $INCLUDE policy.conf and in my authorize section I have the following:

authorize {
        auth_log
        validate_username
        suffix
        eap {
                ok = return
        }
}

Upon restarting I get the following:

/etc/raddb/sites-enabled/eduroam[9]: Failed to find module validate_username.
/etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.

Any hints?

-euro

On Tue, Oct 27, 2009 at 11:09 AM, Alexander Clouter a...@digriz.org.uk wrote:
> In addition to my blackholing I now have added to my policy.conf file:
>
> # only needs to be close enough to catch unroutable guff
> validate_username {
>
> Then in your authorize section you just place 'validate_username' and it looks after everything for you.
>
> Hope that helps
>
> Cheers
>
> --
> Alexander Clouter
Proxying requests with source port 1815?
Hi,

Just experienced a bit of strange behaviour, or at least it seems strange to me.

One of our FR 2.1.7 boxes has been proxying access-requests with a source port of 1815, to which the authenticating server has replied with an access-accept on port 1815, only there is no listener for port 1815 running on the box and hence it fails. This was happening to ~50% of requests, but once one failed the FR box was marking the authenticator dead.

It started yesterday following a FR restart for a small config change (added a client to client.conf). I restarted it about an hour ago and it seems to be behaving now.

Is that as odd as it seems, or am I missing something?

Thanks,
Jezz.

-
Jezz Palmer
Library Information Services
Swansea University
Singleton Park
Swansea SA2 8PP
-
Re: double realm problem
Hi,

> /etc/raddb/sites-enabled/eduroam[9]: Failed to find module validate_username.
> /etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.

Hmm, interesting - this looks very much like a post I made here earlier this month where 3rd-party virtual servers don't seem to pick up details from main modules and include files - my case was that Autz-Type wasn't known if I called the 'users' file in my virtual server.

alan
Re: Proxying requests with source port 1815?
Palmer J.D.F. wrote:
> One of our FR 2.1.7 boxes has been proxying access-requests with a source port of 1815, to which the authenticating server has replied with an access-accept on port 1815, only there is no listener for port 1815 running on the box and hence it fails. This was happening to ~50% of requests, but once one failed the FR box was marking the authenticator dead.
>
> It started yesterday following a FR restart for a small config change (added a client to client.conf). I restarted it about an hour ago and it seems to be behaving now.
>
> Is that as odd as it seems, or am I missing something?

I think it's a bug in 2.1.7. We should be releasing 2.1.8 to address this, and to have other minor enhancements.

Alan DeKok.
how to require client certificate with PEAP
Hi,

If I use EAP-TLS with a self-signed client certificate, I can connect my Windows XP clients to a WLAN. If I use PEAP alone, then my Windows XP clients connect to a WLAN with an Active Directory username.

I'm trying to combine both EAP-TLS and PEAP, but since I'm not a radius security guru I'll rephrase what my goal is: I simply want to *require* that all wifi clients use PEAP *AND* have a self-signed client certificate installed on their system. That way, if I want to, I can revoke the certificates from the server.

The Windows native clients are configured to use: Eap type: PEAP, and have both root and client certificates installed. However, if I add the EAP-TLS-Require-Client-Cert = Yes option then I get this message in the log:

rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

How should I configure Windows XP to send the client certificate?

Thanks,
Vieri

PS: Here are the relevant config files and debug log:

FreeRADIUS Version 2.0.5, for host x86_64-pc-linux-gnu, built on Oct 1 2008 at 12:36:40
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including dictionary file /etc/raddb/dictionary
main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/radius
        libdir = /usr/lib64
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
 }
}
 client 10.215.146.83 {
        require_message_authenticator = no
        secret = F5jmE6xA
        shortname = FHMWIFI
 }
 client 10.215.146.130 {
        require_message_authenticator = no
        secret = F5jmE6x2B1_002369E349C4
        shortname = FHMWIFI_2B1
 }
 client 10.215.146.131 {
        require_message_authenticator = no
        secret = F5jmE6x2B2
Cisco AVpair(client-mac-address) and Calling-Station-Id attribute
Hello,

I am using freeradius 1.1.8 with a Cisco 7301 router as a NAS, but the NAS does not send the Calling-Station-Id attribute; instead it uses

Cisco-AVPair = client-mac-address=000f.ea20.e1ad

They have changed this attribute in modern IOS versions. I want to know if there is a possibility to rewrite the

Cisco-AVPair = client-mac-address=000f.ea20.e1ad

to

Calling-Station-Id = 000f.ea20.e1ad

Also, I am using some other NASes that use the standard Calling-Station-Id, with the same radius.

Thank you!
Egi
RE: Proxying requests with source port 1815?
Ok, thanks Alan. :)

Jezz.

> Palmer J.D.F. wrote:
> > Is that as odd as it seems, or am I missing something?
>
> I think it's a bug in 2.1.7. We should be releasing 2.1.8 to address this, and to have other minor enhancements.
>
> Alan DeKok.
Radacct isn't registering FramedIpAdress (sometimes)!
Hello,

It's my first time here and I'm trying to solve a big problem in my Radius server. Sometimes, and it's happening without reason, the RadAcct puts 0.0.0.0 in the FramedIpAdress field. I don't know why it's happening; I have other Radius servers with the same configuration, but this error occurs just in this server. It's a 1.1.7 radius server. My clients are all Mikrotiks, with version 3.13.

Can anyone help me??

Thanks,
Alexandre
Re: Radacct isn't registering FramedIpAdress (sometimes)!
> Sometimes, and it's happening without reason, the RadAcct puts 0.0.0.0 in the FramedIpAdress field. I don't know why it's happening; I have other Radius servers with the same configuration, but this error occurs just in this server. It's a 1.1.7 radius server. My clients are all Mikrotiks, with version 3.13.

Post the debug of one accounting packet when such an error happens. And don't use HTML email.

Ivan Kalik
Kalik Informatika ISP
Re: Cisco AVpair(client-mac-address) and Calling-Station-Id attribute
Egi Konomi wrote:
> I want to know if there is a possibility to rewrite the
>
> Cisco-AVPair = client-mac-address=000f.ea20.e1ad
>
> to
>
> Calling-Station-Id = 000f.ea20.e1ad

See the attr_filter module. Or, in 2.x, you can just use unlang to do the re-writing.

> Also, I am using some other NASes that use the standard Calling-Station-Id, with the same radius.

So make the selection NAS-specific.

Alan DeKok.
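As an added example of the NAS-specific rewrite Alan describes (not his code, not unlang and not part of FreeRADIUS), here is a Python model of the rule: synthesise Calling-Station-Id from the Cisco-AVPair client-mac-address value only for the NASes known to send it that way, and only when the NAS did not already send Calling-Station-Id. The NAS address 10.0.0.1 and the dictionary shape of the request are assumptions; the example also goes one step beyond the thread by offering an optional canonical MAC form so that entries from the Cisco and from the other NASes compare the same way.

```python
import re
from typing import Dict, List

# Assumption: 10.0.0.1 stands in for the Cisco 7301 that puts the MAC in
# Cisco-AVPair; every other NAS is left untouched.
AVPAIR_MAC_NASES = {"10.0.0.1"}

# Cisco's dotted form, e.g. client-mac-address=000f.ea20.e1ad
CISCO_MAC = re.compile(
    r"^client-mac-address=([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})$"
)

# One request: attribute name -> list of values (Cisco-AVPair may repeat)
Attrs = Dict[str, List[str]]


def canonical_mac(dotted: str) -> str:
    """000f.ea20.e1ad -> 00-0F-EA-20-E1-AD, the hyphenated upper-case form most
    NASes put in Calling-Station-Id."""
    digits = dotted.replace(".", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a dotted MAC: {dotted!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def rewrite_calling_station_id(request: Attrs, canonical: bool = False) -> Attrs:
    """Return a copy of the request with Calling-Station-Id added from the
    Cisco-AVPair MAC, but only for NASes in AVPAIR_MAC_NASES and only when the
    NAS did not send Calling-Station-Id itself."""
    out = {name: list(values) for name, values in request.items()}
    nas = out.get("NAS-IP-Address", [""])[0]
    if nas not in AVPAIR_MAC_NASES or out.get("Calling-Station-Id"):
        return out  # standard NAS, or attribute already present: leave alone
    for avpair in out.get("Cisco-AVPair", []):
        match = CISCO_MAC.match(avpair)
        if match:
            dotted = ".".join(match.groups())
            out["Calling-Station-Id"] = [canonical_mac(dotted) if canonical else dotted]
            break
    return out


if __name__ == "__main__":
    # Constructed requests: one from the Cisco, one from a NAS that already sends
    # Calling-Station-Id, one from the Cisco without a MAC AVPair.
    cisco = {"NAS-IP-Address": ["10.0.0.1"], "User-Name": ["egi"],
             "Cisco-AVPair": ["shell:priv-lvl=1", "client-mac-address=000f.ea20.e1ad"]}
    other = {"NAS-IP-Address": ["10.0.0.2"], "User-Name": ["egi"],
             "Calling-Station-Id": ["00-11-22-33-44-55"]}
    no_mac = {"NAS-IP-Address": ["10.0.0.1"], "Cisco-AVPair": ["shell:priv-lvl=15"]}
    for req in (cisco, other, no_mac):
        print(rewrite_calling_station_id(req).get("Calling-Station-Id"),
              rewrite_calling_station_id(req, canonical=True).get("Calling-Station-Id"))
```

Keying the rewrite on NAS-IP-Address (or, in the server, on the client definition) rather than on the mere presence of a Cisco-AVPair is what keeps the standard-conforming NASes untouched; the guard on an existing Calling-Station-Id prevents the rewrite from overriding a value a NAS did send.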
Re: how to require client certificate with PEAP
Vieri wrote:
> The Windows native clients are configured to use: Eap type: PEAP, and have both root and client certificates installed.

Are they configured to USE the client certificate?

> However, if I add the EAP-TLS-Require-Client-Cert = Yes option then I get this message in the log:
>
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>
> How should I configure Windows XP to send the client certificate?

See the XP documentation.

Alan DeKok.
Re: Radacct isn't registering FramedIpAdress (sometimes)!
Maybe your IP pool in the NAS config is too small to accept all connection attempts...

t_rider wrote:
> Sometimes, and it's happening without reason, the RadAcct puts 0.0.0.0 in the FramedIpAdress field. I don't know why it's happening; I have other Radius servers with the same configuration, but this error occurs just in this server. It's a 1.1.7 radius server. My clients are all Mikrotiks, with version 3.13.
>
> Can anyone help me??
>
> Thanks,
> Alexandre
Running Multiple Freeradius Instances
Will there be any performance issues if I run multiple instances of freeradius on the same server?

Thanks,
Asin
Re: Running Multiple Freeradius Instances
Most likely not; it depends on whether you're doing a bunch of sql, perl, etc. Check out virtual servers in 2.x.

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Tue Oct 27 21:47:25 2009
Subject: Running Multiple Freeradius Instances

> Will there be any performance issues if I run multiple instances of freeradius on the same server?
>
> Thanks,
> Asin