Re: default linelog Accounting-Request handling broken?
Josip Rodin wrote:
> Yes, I understood that originally. The gist of the rationale for the current behaviour is quite clear, but even so, many users would nevertheless be best served by many per-packet errors being more clearly visible, because even when they enable debug level 2+, they get a huge amount of output that is hard for them to handle. Errors don't particularly stand out in the crowd, and that isn't practical.

Good point. Perhaps the best compromise for some of these issues would be what the Linux kernel folks did with WARN_ONCE() or printk_once(). I'll look into that.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pre-release of Version 2.1.8
On Wed, Dec 09, 2009 at 07:50:05AM +0100, Alan DeKok wrote:
> Then the home servers are *extremely* slow. Sending 300 packets over the course of a second or two wouldn't overload a 486.

AFAIK they are not 486s :) but we're still investigating what made them so.

> > Can any conclusions be drawn from this? I send over the detailed logs if necessary.
>
> The home servers are pathetic. Also, the proxy fail-over algorithms in 2.1.x are much better than 2.0.4.

Yes, I plan to upgrade. 2.1.x did need some ironing out first, as you know :)

--
2. That which causes joy or happiness.
Re: Changing the format of a date attribute
Hi again all :)

Patric wrote:
> Alan DeKok wrote:
> > Patric wrote:
> > > Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time attribute value into that date format?
> >
> > http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_from-unixtime
>
> So now I have the following:
>
>     STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s'))
>
> And that converts Dec 8 2009 09:14:14 GMT into 2009-12-08 09:14:14

I have a curious problem trying to format the date field in my MySQL statement as shown above. In my sql/mysql/dialup.conf I have the following:

    accounting_start_query_alt = UPDATE ${acct_table_new} \
        SET \
        acct_start_time = STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s'), \
        ...

The problem with the above is that some of those formatting options ('%M %d %Y %H:%i:%s') are also defined as one-character variables, so instead of formatting the date with those options, it's replacing each with the variable value, and when I'm trying to end up with:

    2009-12-08 09:14:14

instead I'm ending up with:

    2009-12-09 11:0126538264:AutoShapedVC

As you can see the minutes were replaced with the Calling Station ID and the seconds were replaced with the Connect-Info...

Is there any way for me to perhaps escape my format string, or some other work-around?

Many thanks
Patric
Re: Possible to add a NAS in any MySQL table?
On 2009-12-09 08:42, Patric wrote:
> Peter Carlstedt wrote:
> > Hello everyone, I've been searching the net for answers but haven't been able to find any information about how to add a NAS in the MySQL tables instead of using the clients.conf file. It is possible to use one of the tables that comes with Freeradius? If it is possible, is there any HOW to guide for it somewhere?
>
> sql.conf:
>
>     # Set to 'yes' to read radius clients from the database ('nas' table)
>     # Clients will ONLY be read on server startup. For performance
>     # and security reasons, finding clients via SQL queries CANNOT
>     # be done live while the server is running.
>     #
>     readclients = yes
>
>     # Table to keep radius client info
>     nas_table = nas
>
> sql/${database}/dialup.conf:
>
>     nas_query = SELECT id, nasname, shortname, type, secret FROM ${nas_table}

Hi, so, maybe You know, Patric, how I can insert into radacct table username from inner session, not outer session?

--
Regards,
Maciej Łukasz Wojszkun
tel. +48698611234
Re: I cant Connect to GSM Operator by using APN
On 09-12-09 2:27 PM, Tevfik Ceydeliler wrote:
> Hi, I have freeradius and I have a Secovid OTP server. I use free radius as proxy. When I try to connect via APN, although OTP server accept-access, I get access-reject as final result. Can anybody say what is wrong???

This packet receives an accept:

> rad_recv: Access-Accept packet from host W.X.Y.Z port 1812, id=111, length=25

And this one receives a reject:

> rad_recv: Access-Reject packet from host W.X.Y.Z port 1812, id=105, length=25
> ...
> Wed Dec 9 15:04:58 2009 : Auth: Login incorrect (Home Server says so):

Fix the home server to send access accepts for this other user.

I don't understand why you're looking at FreeRADIUS in order to debug a problem where the home server returns reject.

Alan DeKok.
Re: Changing the format of a date attribute
On 09-12-09 11:37 AM, Patric wrote:
> The problem with the above is that some of those formatting options ('%M %d %Y %H:%i:%s') are also defined as one-character variables, so instead of formatting the date with those options, it's replacing each with the variable value, and when I'm trying to end up with:

Use %% to escape the %. That should work. e.g.

    ' ... %%M %%d %%Y %%H:%%i:%%s'

Alan DeKok.
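The two-stage expansion discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS itself: a simplified Python model of the server's expansion pass, plus a check that lists bare `%<letter>` sequences in a query template. The one-character table is an assumed partial subset (the thread names `%i` and `%s`), and the request values other than those two are constructed.

```python
import re

# One token of the server-side expansion: %{Attribute}, %% (literal percent),
# or a bare one-character variable such as %i.
TOKEN = re.compile(r"%(?:\{(?P<attr>[^{}]+)\}|(?P<pct>%)|(?P<var>[A-Za-z]))")

# Partial table of one-character variables (assumed subset for this model;
# %i and %s are the two the thread identifies).
ONE_CHAR_VARS = {
    "d": "request day",
    "H": "request hour",
    "Y": "request year",
    "M": "MTU",
    "i": "Calling-Station-Id",
    "s": "Connect-Info",
}

# Constructed request. "i" and "s" reuse the values visible in the broken
# timestamp quoted in the thread; everything else is made up.
REQUEST = {
    "attrs": {"FreeRADIUS-Acct-Session-Start-Time": "Dec 8 2009 09:14:14 GMT"},
    "vars": {"d": "09", "H": "11", "Y": "2009", "M": "1500",
             "i": "0126538264", "s": "AutoShapedVC"},
}

UNESCAPED = ("STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', "
             "'%M %d %Y %H:%i:%s')")
ESCAPED = ("STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', "
           "'%%M %%d %%Y %%H:%%i:%%s')")


def expand(template, request):
    """Model the server's expansion pass: returns what MySQL would receive."""
    def repl(match):
        if match.group("pct"):
            return "%"  # %% collapses to one literal percent
        if match.group("attr"):
            return request["attrs"].get(match.group("attr"), "")
        var = match.group("var")
        if var in ONE_CHAR_VARS:
            return request["vars"].get(var, "")
        return match.group(0)  # unknown letter: left alone in this model
    return TOKEN.sub(repl, template)


def find_unescaped(template):
    """List bare %<letter> sequences that are expanded before MySQL sees them."""
    return [m.group(0) for m in TOKEN.finditer(template) if m.group("var")]


if __name__ == "__main__":
    for name, tpl in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(name, "->", expand(tpl, REQUEST))
        print("  bare specifiers:", find_unescaped(tpl))
```

Running `find_unescaped` over each query in a dialup.conf-style file shows which MySQL format specifiers still need doubling.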
Re: Changing the format of a date attribute
Alan DeKok wrote:
> On 09-12-09 11:37 AM, Patric wrote:
> > The problem with the above is that some of those formatting options ('%M %d %Y %H:%i:%s') are also defined as one-character variables, so instead of formatting the date with those options, it's replacing each with the variable value, and when I'm trying to end up with:
>
> Use %% to escape the %. That should work. e.g.
>
>     ' ... %%M %%d %%Y %%H:%%i:%%s'

Thanks, I'll give that a go :)

Patric
Re: Possible to add a NAS in any MySQL table?
> so, maybe You know, Patric, how I can insert into radacct table username from inner session, not outer session?

Don't hijack other people's threads. If you have something to ask - start your own.

That is documented in post-auth section of inner-tunnel virtual server.

Ivan Kalik
radwho and radtest
hi,

I installed FreeRADIUS Version 2.1.7 from the RPM package that is included with Fedora core 12. The server starts without errors and authentication is working fine. The problem I am having is with the radwatch displays no output and radtest fails.

output of the radtest -

    [r...@dia ~]# radtest rsa hello localhost 1812 testing123
    Sending Access-Request of id 42 to ::1 port 1812
        User-Name = rsa
        User-Password = hello
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
    Sending Access-Request of id 42 to ::1 port 1812
        User-Name = rsa
        User-Password = hello
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
    Sending Access-Request of id 42 to ::1 port 1812
        User-Name = rsa
        User-Password = hello
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
    radclient: no response from server for ID 42 socket 3
    [r...@dia ~]#

output of radwho -

    [r...@dia raddb]# radwho
    Login Name What TTY When From Location
    [r...@dia raddb]#

    [r...@dia ~]# radwatch
    A radiusd process already exists
    [r...@dia ~]#

I have also attached the output of radiusd -X

any help would be greatly appreciated

    FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Sep 16 2009 at 08:28:14
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
RE: radwho and radtest
thank you alan for the quick reply. It worked just fine. Now I am still facing the problem with the radwho and radlast. Any idea

Regards,
Ramzi

> Date: Wed, 9 Dec 2009 20:00:29 +
> From: a.l.m.bu...@lboro.ac.uk
> To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
> Subject: Re: radwho and radtest
>
> hi,
>
> according to your output, it looks like localhost is mapping to ::1 which is the local box IPv6 address (like 127.0.0.1 is in IPv4 world)
>
> by default, FreeRADIUS won't be listening to IPv6 interface...if you configure it so that it is then this will work - otherwise change your command to eg
>
>     radtest rsa hello 127.0.0.1 1812 testing123
>
> or change your hosts file so that localhost maps to 127.0.0.1 first!
>
> alan
Re: radwho and radtest
A copy of the relevant parts of your users and clients config files would be great. If nobody's logged in, it's fine if you see nothing on the radwho output

On Wednesday 09 December 2009 12:41:48 pm Ramzi Abdallah wrote:
> hi,
>
> I installed FreeRADIUS Version 2.1.7 from the RPM package that is included with Fedora core 12. The server starts without errors and authentication is working fine. The problem I am having is with the radwatch displays no output and radtest fails.
>
> output of the radtest -
>
>     [r...@dia ~]# radtest rsa hello localhost 1812 testing123
>     Sending Access-Request of id 42 to ::1 port 1812
>         User-Name = rsa
>         User-Password = hello
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1812
>     Sending Access-Request of id 42 to ::1 port 1812
>         User-Name = rsa
>         User-Password = hello
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1812
>     Sending Access-Request of id 42 to ::1 port 1812
>         User-Name = rsa
>         User-Password = hello
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 1812
>     radclient: no response from server for ID 42 socket 3
>     [r...@dia ~]#
>
> output of radwho -
>
>     [r...@dia raddb]# radwho
>     Login Name What TTY When From Location
>     [r...@dia raddb]#
>
>     [r...@dia ~]# radwatch
>     A radiusd process already exists
>     [r...@dia ~]#
>
> I have also attached the output of radiusd -X
>
> any help would be greatly appreciated
RE: radwho and radtest
Thank you gera, attached are copies for the users and clients.conf config files. Normally when I run radwho and radlast I am authenticated with user rsa so I should at least see my login :)

Regards,
Ramzi

> To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
> Subject: Re: radwho and radtest
> From: g...@gera.me
> Date: Wed, 9 Dec 2009 13:09:57 -0700
>
> A copy of the relevant parts of your users and clients config files would be great. If nobody's logged in, it's fine if you see nothing on the radwho output
>
> On Wednesday 09 December 2009 12:41:48 pm Ramzi Abdallah wrote:
> > hi,
> >
> > I installed FreeRADIUS Version 2.1.7 from the RPM package that is included with Fedora core 12. The server starts without errors and authentication is working fine. The problem I am having is with the radwatch displays no output and radtest fails.
> >
> > output of the radtest -
> >
> >     [r...@dia ~]# radtest rsa hello localhost 1812 testing123
> >     Sending Access-Request of id 42 to ::1 port 1812
> >         User-Name = rsa
> >         User-Password = hello
> >         NAS-IP-Address = 127.0.0.1
> >         NAS-Port = 1812
> >     Sending Access-Request of id 42 to ::1 port 1812
> >         User-Name = rsa
> >         User-Password = hello
> >         NAS-IP-Address = 127.0.0.1
> >         NAS-Port = 1812
> >     Sending Access-Request of id 42 to ::1 port 1812
> >         User-Name = rsa
> >         User-Password = hello
> >         NAS-IP-Address = 127.0.0.1
> >         NAS-Port = 1812
> >     radclient: no response from server for ID 42 socket 3
> >     [r...@dia ~]#
> >
> > output of radwho -
> >
> >     [r...@dia raddb]# radwho
> >     Login Name What TTY When From Location
> >     [r...@dia raddb]#
> >
> >     [r...@dia ~]# radwatch
> >     A radiusd process already exists
> >     [r...@dia ~]#
> >
> > I have also attached the output of radiusd -X
> >
> > any help would be greatly appreciated

    #
    # Deny access for a specific user. Note that this entry MUST
    # be before any other 'Auth-Type' attribute which results in the user
    # being authenticated.
    #
    # Note that there is NO 'Fall-Through' attribute, so the user will not
    # be given any additional resources.
    #
    #lameuser   Auth-Type := Reject
    #           Reply-Message = "Your account has been disabled."

    #
    # Deny access for a group of users.
    #
    # Note that there is NO 'Fall-Through' attribute, so the user will not
    # be given any additional resources.
    #
    #DEFAULT    Group == "disabled", Auth-Type := Reject
    #           Reply-Message = "Your account has been disabled."
    #
    #
    rsa Cleartext-Password := "hello"
        Reply-Message = "Hello, %{User-Name}"
    #
    #
    # This is a complete entry for "steve". Note that there is no Fall-Through
    # entry so that no DEFAULT entry will be used, and the user will NOT
    # get any attributes in addition to the ones listed here.
    #
    #steve  Cleartext-Password := "testing"
    #       Service-Type = Framed-User,
    #       Framed-Protocol = PPP,
    #       Framed-IP-Address = 172.16.3.33,
    #       Framed-IP-Netmask = 255.255.255.0,
    #       Framed-Routing = Broadcast-Listen,
    #       Framed-Filter-Id = "std.ppp",
    #       Framed-MTU = 1500,
    #       Framed-Compression = Van-Jacobsen-TCP-IP

    #
    # This is an entry for a user with a space in their name.
    # Note the double quotes surrounding the name.
    #
    #"John Doe" Cleartext-Password := "hello"
    #           Reply-Message = "Hello, %{User-Name}"

    #
    # Dial user back and telnet to the default host for that port
    #
    #Deg    Cleartext-Password := "ge55ged"
    #       Service-Type = Callback-Login-User,
    #       Login-IP-Host = 0.0.0.0,
    #       Callback-Number = "9,5551212",
    #       Login-Service = Telnet,
    #       Login-TCP-Port = Telnet

    #
    # Another complete entry. After the user "dialbk" has logged in, the
    # connection will be broken and the user will be dialed back after which
    # he will get a connection to the host "timeshare1".
    #
    #dialbk Cleartext-Password := "callme"
    #       Service-Type = Callback-Login-User,
    #       Login-IP-Host = timeshare1,
    #       Login-Service = PortMaster,
    #       Callback-Number = "9,1-800-555-1212"

    #
    # user "swilson" will only get a static IP number if he logs in with
    # a framed protocol on a terminal server in Alphen (see the huntgroups file).
    #
    #
Re: radwho and radtest
hi,

got accounting details sent from NAS? why don't you run in debug mode when you are doing the tests? you can then see what is going on...and why things aren't being recorded.

what method of session tracking are you using? radutmp etc - check your config for the session information.

alan
RE: radwho and radtest
> thank you alan for the quick reply. It worked just fine. Now I am still facing the problem with the radwho and radlast. Any idea

Yes, you have sent an authentication request. No accounting. So there is nothing for radwho to show. It displays accounting information. In case you weren't aware, radius server doesn't generate accounting information.

Ivan Kalik
RE: radwho and radtest
thanks Ivan, when I run in debug mode I get the below errors

    ++[preprocess] returns ok
    [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
    [acct_unique] Hashing ',Client-IP-Address = 193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id = 00550003,User-Name = rsa'
    [acct_unique] Acct-Unique-Session-ID = cc3ac6adce99a1dd.
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = rsa, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    ++[files] returns noop
    [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp] expand: %{User-Name} -> rsa
    rlm_radutmp: No NAS-Port seen. Cannot do anything.
    rlm_radumtp: WARNING: checkrad will probably not work!
    ++[radutmp] returns noop

> Date: Wed, 9 Dec 2009 21:32:55 +
> Subject: RE: radwho and radtest
> From: t...@kalik.net
> To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
>
> > thank you alan for the quick reply. It worked just fine. Now I am still facing the problem with the radwho and radlast. Any idea
>
> Yes, you have sent an authentication request. No accounting. So there is nothing for radwho to show. It displays accounting information. In case you weren't aware, radius server doesn't generate accounting information.
>
> Ivan Kalik
RE: radwho and radtest
> [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
> ...
> rlm_radutmp: No NAS-Port seen. Cannot do anything.

Nothing mysterious in those messages. NAS is not sending NAS-Port and radutmp needs it to work.

Ivan Kalik
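Both this exchange and the earlier remark that errors do not stand out in debug output come down to finding the few diagnostic lines in a long `radiusd -X` trace. The following is an added example, not code from the thread or from the FreeRADIUS project: a small Python filter that groups WARNING/ERROR/"Cannot" lines under the module whose `++[module] returns ...` line follows them. The sample is the excerpt posted above, and attributing each diagnostic to the next `returns` line is an assumption of this sketch.

```python
import re

# Sample input: the accounting debug excerpt posted in this thread.
SAMPLE = """\
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id = 00550003,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = cc3ac6adce99a1dd.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> rsa
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
"""

# "++[module] returns rcode" closes the block of lines a module printed.
RETURNS = re.compile(r"^\++\[(?P<module>[^\]]+)\] returns (?P<rcode>\w+)$")
# Words that mark a line worth reading in the excerpt above.
DIAGNOSTIC = re.compile(r"\b(WARNING|ERROR|Cannot)\b")
# Return codes meaning the module did not do its job for this packet.
NOT_DONE = {"noop", "fail", "reject", "invalid", "notfound"}


def triage(debug_text):
    """Return (module, rcode, [diagnostic lines]) for modules that complained."""
    findings, pending = [], []
    for raw in debug_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = RETURNS.match(line)
        if match:
            if pending:
                findings.append((match.group("module"),
                                 match.group("rcode"), pending))
            pending = []
        elif DIAGNOSTIC.search(line):
            pending.append(line)
    return findings


def blocked_modules(findings):
    """Modules that both complained and returned a 'did nothing' code."""
    return [module for module, rcode, _ in findings if rcode in NOT_DONE]


if __name__ == "__main__":
    for module, rcode, lines in triage(SAMPLE):
        print(f"{module} (returned {rcode})")
        for line in lines:
            print("   ", line)
    print("did no work:", blocked_modules(triage(SAMPLE)))
```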
RE: radwho and radtest
great, then I have to contact the fortinet guys to see why this is happening

> Date: Wed, 9 Dec 2009 22:08:56 +
> Subject: RE: radwho and radtest
> From: t...@kalik.net
> To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
>
> > [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
> > ...
> > rlm_radutmp: No NAS-Port seen. Cannot do anything.
>
> Nothing misterious in those messages. NAS is not sending NAS-Port and radutmp needs it to work.
>
> Ivan Kalik
Re: radwho and radtest
Maybe I'm missing something, but is this shown while you do use the radtest command? If so, then it's normal that you get nothing on radwho. If you get nothing on radwho when using the NAS (and you didn't go so far from the default freeradius configuration), then indeed you still need to configure it to send accounting data to radius.

On Wednesday 09 December 2009 02:58:13 pm Ramzi Abdallah wrote:
> thanks Ivan, when I run in debug mode I get the bellow errors
>
>     ++[preprocess] returns ok
>     [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
>     [acct_unique] Hashing ',Client-IP-Address = 193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id = 00550003,User-Name = rsa'
>     [acct_unique] Acct-Unique-Session-ID = cc3ac6adce99a1dd.
>     ++[acct_unique] returns ok
>     [suffix] No '@' in User-Name = rsa, looking up realm NULL
>     [suffix] No such realm NULL
>     ++[suffix] returns noop
>     ++[files] returns noop
>     [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
>     [radutmp] expand: %{User-Name} -> rsa
>     rlm_radutmp: No NAS-Port seen. Cannot do anything.
>     rlm_radumtp: WARNING: checkrad will probably not work!
>     ++[radutmp] returns noop
>
> > Date: Wed, 9 Dec 2009 21:32:55 +
> > Subject: RE: radwho and radtest
> > From: t...@kalik.net
> > To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
> >
> > > thank you alan for the quick reply. It worked just fine. Now I am still facing the problem with the radwho and radlast. Any idea
> >
> > Yes, you have sent an authentication request. No accounting. So there is nothing for radwho to show. It displays accounting information. In case you weren't aware, radius server doesn't generate accounting information.
> >
> > Ivan Kalik
RE: radwho and radtest
I get this when I login to the firewall

> To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
> Subject: Re: radwho and radtest
> From: g...@gera.me
> Date: Wed, 9 Dec 2009 15:28:30 -0700
>
> Maybe I'm missing something, but is this shown while you do use the radtest command? If so, then it's normal that you get nothing on radwho. If you get nothing on radwho when using the NAS (and you didn't went so far from the default freeradius configuration), then indeed you still need to configure it to send accounting data to radius.
>
> On Wednesday 09 December 2009 02:58:13 pm Ramzi Abdallah wrote:
> > thanks Ivan, when I run in debug mode I get the bellow errors
> >
> >     ++[preprocess] returns ok
> >     [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
> >     [acct_unique] Hashing ',Client-IP-Address = 193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id = 00550003,User-Name = rsa'
> >     [acct_unique] Acct-Unique-Session-ID = cc3ac6adce99a1dd.
> >     ++[acct_unique] returns ok
> >     [suffix] No '@' in User-Name = rsa, looking up realm NULL
> >     [suffix] No such realm NULL
> >     ++[suffix] returns noop
> >     ++[files] returns noop
> >     [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> >     [radutmp] expand: %{User-Name} -> rsa
> >     rlm_radutmp: No NAS-Port seen. Cannot do anything.
> >     rlm_radumtp: WARNING: checkrad will probably not work!
> >     ++[radutmp] returns noop
> >
> > > Date: Wed, 9 Dec 2009 21:32:55 +
> > > Subject: RE: radwho and radtest
> > > From: t...@kalik.net
> > > To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
> > >
> > > > thank you alan for the quick reply. It worked just fine. Now I am still facing the problem with the radwho and radlast. Any idea
> > >
> > > Yes, you have sent an authentication request. No accounting. So there is nothing for radwho to show. It displays accounting information. In case you weren't aware, radius server doesn't generate accounting information.
> > >
> > > Ivan Kalik
RE: radwho and radtest
> I get this when I login to the firewall

It would help if you wouldn't edit the debug. Post the whole thing request + processing (both for authentication and accounting).

Ivan Kalik
Testing radius server
Hi,

I'm getting trouble authenticating my AP to freeradius. When I type in a password on the AP, it reaches the radius server, however the server responds with ICMP destination unreachable to the AP.

I can see radius is listening to the following ports:

    Udp 0 0 *:radius
    Udp 0 0 *:radius-acct

I take it the above are port 1812 and 1813 respectfully. Right? I see the Cisco AP is sending request with destination port 1812. So, any clue as to why it sending the ICMP unreachable? It seems that the port numbers are not what I think they are, but netstat identifies the two ports as radius default, so it got to be right. But I know that icmp unreachable is only sent out (in this case), if the server cannot identify the destination port number.

How can I locally test that radius is serving the port above and the password. Like is there a way that I can use CLI to test the radius as if I'm the AP, but from the command line on the server?

Thanks,
Alex
Re: Testing radius server
If I recall, you said you're using an FC12. Try deactivating the FC firewall and try again.

    service iptables stop

If it doesn't work, I would go after SELinux. Deactivating it could be helpful, at least just to give it a try.

On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
> Hi,
>
> I'm getting trouble authenticating my AP to freeradius. When I type in a password on the AP, it reaches the radius server, however the server responds with ICMP destination unreachable to the AP.
>
> I can see radius is listening to the following ports:
>
>     Udp 0 0 *:radius
>     Udp 0 0 *:radius-acct
>
> I take it the above are port 1812 and 1813 respectfully. Right? I see the Cisco AP is sending request with destination port 1812. So, any clue as to why it sending the ICMP unreachable? It seems that the port numbers are not what I think they are, but netstat identifies the two ports as radius default, so it got to be right. But I know that icmp unreachable is only sent out (in this case), if the server cannot identify the destination port number.
>
> How can I locally test that radius is serving the port above and the password. Like is there a way that I can use CLI to test the radius as if I'm the AP, but from the command line on the server?
>
> Thanks,
> Alex
Re: Testing radius server
For testing, you can always use radtest.

On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
> Hi,
>
> I'm getting trouble authenticating my AP to freeradius. When I type in a password on the AP, it reaches the radius server, however the server responds with ICMP destination unreachable to the AP.
>
> I can see radius is listening to the following ports:
>
>     Udp 0 0 *:radius
>     Udp 0 0 *:radius-acct
>
> I take it the above are port 1812 and 1813 respectfully. Right? I see the Cisco AP is sending request with destination port 1812. So, any clue as to why it sending the ICMP unreachable? It seems that the port numbers are not what I think they are, but netstat identifies the two ports as radius default, so it got to be right. But I know that icmp unreachable is only sent out (in this case), if the server cannot identify the destination port number.
>
> How can I locally test that radius is serving the port above and the password. Like is there a way that I can use CLI to test the radius as if I'm the AP, but from the command line on the server?
>
> Thanks,
> Alex
RE: radwho and radtest
hello Ivan

attached is the complete debug log

Date: Wed, 9 Dec 2009 23:28:49 +
Subject: RE: radwho and radtest
From: t...@kalik.net
To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org

> > I get this when I login to the firewall
>
> It would help if you wouldn't edit the debug. Post the whole thing request + processing (both for authentication and accounting).
>
> Ivan Kalik

putty.log
Description: Binary data
Re: Testing radius server
hi,

sounds like your server has firewall on it - so whilst the daemon is listening locally, the firewall is rejecting the packets (that'd be the cause of the ICMP unreachable). add UDP 1812,1813 and 1814 to the firewall config... on redhat - /etc/sysconfig/iptables or use a GUI tool

alternatively, the AP cannot actually reach the server because of other reasons - network topology, router/switch ACLs etc - i don't know your network

alan
RE: Testing radius server
Thanks Gera, it was a firewall issue, even though when I installed F12 I did not select firewall, but it was running.

Now I know it's a config issue in the clients.conf, as radtest is failing. I set user name and password, but radius is sending a reject. This is the first time I'm using radius. So please bear with me. Can someone mail me an example of the minimum required configuration that is needed for the radius to work, no EAP or MSCHAP etc.

Rgds,
Alex
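The outcomes seen in this thread (an ICMP unreachable caused by the firewall, then a reject) can be told apart with a small probe; this is an added example, not code from the thread or from the FreeRADIUS project. It builds an RFC 2865 PAP Access-Request by hand and classifies what comes back. The host, secret, user name and password in the demo are constructed values, and the request carries no Message-Authenticator attribute, so a server configured to require one will discard it.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator):
    """Code 1 packet carrying User-Name (1) and hidden User-Password (2)."""
    attrs = b""
    for attr_type, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def classify_reply(reply, ident, secret, authenticator):
    """Check the Response Authenticator before trusting the reply code."""
    if len(reply) < 20 or reply[1] != ident:
        return "malformed or mismatched reply"
    length = struct.unpack("!H", reply[2:4])[0]
    digest = hashlib.md5(reply[:4] + authenticator + reply[20:length] + secret).digest()
    if not hmac.compare_digest(digest, reply[4:20]):
        return "bad Response Authenticator (shared secret mismatch?)"
    return CODES.get(reply[0], "unexpected code %d" % reply[0])

def probe(host, secret, user, password, port=1812, timeout=3.0):
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected UDP socket: on Linux, ICMP errors surface as OSError
        try:
            sock.send(build_access_request(ident, user, password, secret, authenticator))
            reply = sock.recv(4096)
        except socket.timeout:
            return "no reply: dropped on the path, or client not listed in clients.conf"
        except OSError as exc:
            return "socket error (%s): e.g. ICMP unreachable from a closed port or firewall reject rule" % exc.strerror
    return classify_reply(reply, ident, secret, authenticator)

if __name__ == "__main__":
    # Constructed values: a local server, a test secret and a test user.
    print(probe("127.0.0.1", b"testing123", b"alex", b"hello"))
```

An Access-Reject with a valid Response Authenticator means the network path and the shared secret are fine and the problem is the user entry; a bad authenticator points at the secret configured for the client.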