Re: default linelog Accounting-Request handling broken?

2009-12-09 Thread Alan DeKok
Josip Rodin wrote:
 Yes, I understood that originally. The gist of the rationale for the current
 behaviour is quite clear, but even so, many users would nevertheless be best
 served by many per-packet errors being more clearly visible, because even
 when they enable debug level 2+, they get a huge amount of output that is
 hard for them to handle. Errors don't particularly stand out in the crowd,
 and that isn't practical.

  Good point.

 Perhaps the best compromise for some of these issues would be what the
 Linux kernel folks did with WARN_ONCE() or printk_once().

  I'll look into that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pre-release of Version 2.1.8

2009-12-09 Thread Josip Rodin
On Wed, Dec 09, 2009 at 07:50:05AM +0100, Alan DeKok wrote:
   Then the home servers are *extremely* slow.  Sending 300 packets over
 the course of a second or two wouldn't overload a 486.

AFAIK they are not 486s :) but we're still investigating what made them so.

  Can any conclusions be drawn from this? I send over the detailed logs if
  necessary.
 
   The home servers are pathetic.
 
   Also, the proxy  fail-over algorithms in 2.1.x are much better than
 2.0.4.

Yes, I plan to upgrade. 2.1.x did need some ironing out first, as you know :)

-- 
 2. That which causes joy or happiness.


Re: Changing the format of a date attribute

2009-12-09 Thread Patric

Hi again all :)

Patric wrote:

Alan DeKok wrote:

Patric wrote:

Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time
attribute value into that date format?


http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_from-unixtime 


So now I have the following:

STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s'))

And that converts Dec  8 2009 09:14:14 GMT into 2009-12-08 09:14:14


I have a curious problem trying to format the date field in my MySQL 
statement as shown above.


In my sql/mysql/dialup.conf I have the following:

accounting_start_query_alt = UPDATE ${acct_table_new} \
SET \
acct_start_time = STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s'), \

...


The problem with the above is that some of those formatting options ('%M 
%d %Y %H:%i:%s') are also defined as one-character variables, so instead 
of formatting the date with those options, it's replacing each with the 
variable value, and when I'm trying to end up with:


2009-12-08 09:14:14

instead I'm ending up with:

2009-12-09 11:0126538264:AutoShapedVC


As you can see the minutes were replaced with the Calling Station ID and 
the seconds were replaced with the Connect-Info...


Is there any way for me to perhaps escape my format string, or some 
other work-around?


Many thanks
Patric


Re: Possible to add a NAS in any MySQL table?

2009-12-09 Thread Maciej Łukasz Wojszkun

On 2009-12-09 08:42, Patric wrote:
 Peter Carlstedt wrote:
 Hello everyone,
  
 I've been searching the net for answers but haven't been able to find
 any information about how to add a NAS in the MySQL tables instead of
 using the clients.conf file. It is possible to use one of the tables
 that comes with Freeradius?
 If it is possible, is there any HOW to guide for it somewhere?
 
 sql.conf:
 -
 
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.  For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done live while the server is running.
#
readclients = yes
 
# Table to keep radius client info
nas_table = nas
 
 
 
 sql/${database}/dialup.conf:
 
 
nas_query = SELECT id, nasname, shortname, type, secret FROM ${nas_table}
 
 

Hi,

so, maybe You know, Patric, how I can insert into radacct table username
from inner session, not outer session?

-- 
Regards,
Maciej Łukasz Wojszkun
tel. +48698611234

Re: I cant Connect to GSM Operator by using APN

2009-12-09 Thread Alan DeKok
On 09-12-09 2:27 PM, Tevfik Ceydeliler wrote:
 Hi,
 I have freeradius and I have a Secovid OTP server.
 I use free radius as proxy.
 When I try to connect via APN, although OTP server accept-access, I get
 access-reject as final result.
 Can anybody say what is wrong???

  This packet receives an accept:

 rad_recv: Access-Accept packet from host W.X.Y.Z port 1812, id=111,
 length=25

  And this one receives a reject:

 rad_recv: Access-Reject packet from host W.X.Y.Z port 1812, id=105,
 length=25
...
 Wed Dec  9 15:04:58 2009 : Auth: Login incorrect (Home Server says so):

  Fix the home server to send access accepts for this other user.

  I don't understand why you're looking at FreeRADIUS in order to debug
a problem where the home server returns reject.

  Alan DeKok.


Re: Changing the format of a date attribute

2009-12-09 Thread Alan DeKok
On 09-12-09 11:37 AM, Patric wrote:
 The problem with the above is that some of those formatting options ('%M
 %d %Y %H:%i:%s') are also defined as one-character variables, so instead
 of formatting the date with those options, it's replacing each with the
 variable value, and when I'm trying to end up with:

  Use %% to escape the %.  That should work.  e.g.

' ... %%M %%d %%Y %%H:%%i:%%s'

  Alan DeKok.
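
The clash described in this thread and the effect of the `%%` escape, as an added example that is not part of the original posts: a simplified Python model of the expansion (not FreeRADIUS code) plus a check that lists unescaped one-character sequences in a query template. The request time, the Framed-MTU value and the subset of one-character variables modelled are assumptions; the Calling-Station-Id and Connect-Info values are the ones visible in Patric's output.

```python
import re
from datetime import datetime

# Constructed sample request. REQUEST_TIME and Framed-MTU are assumed values;
# Calling-Station-Id and Connect-Info are the values seen in the thread.
REQUEST_TIME = datetime(2009, 12, 9, 11, 37, 0)
ATTRS = {
    "FreeRADIUS-Acct-Session-Start-Time": "Dec  8 2009 09:14:14 GMT",
    "Calling-Station-Id": "0126538264",
    "Connect-Info": "AutoShapedVC",
    "Framed-MTU": "1500",
}

# Subset of the one-character variables that collide with the MySQL
# format string in the thread (modelled here, not the server's own table).
ONE_CHAR = {
    "d": lambda: REQUEST_TIME.strftime("%d"),      # request day
    "H": lambda: REQUEST_TIME.strftime("%H"),      # request hour
    "Y": lambda: REQUEST_TIME.strftime("%Y"),      # request year
    "M": lambda: ATTRS.get("Framed-MTU", ""),      # MTU
    "i": lambda: ATTRS.get("Calling-Station-Id", ""),
    "s": lambda: ATTRS.get("Connect-Info", ""),    # connection speed
}

# Order matters: "%%" must be tried before the one-character form,
# otherwise "%%M" would be read as "%" followed by the variable "%M".
TOKEN = re.compile(r"%%|%\{([^}]+)\}|%([A-Za-z])")


def expand(template):
    """Expand %{Attr}, %X and %% the way the thread describes.

    Simplifications: no nested %{...:-default} forms, and attribute
    values are inserted without the SQL escaping a real server applies.
    """
    def repl(match):
        if match.group(0) == "%%":
            return "%"                              # escaped literal percent
        if match.group(1) is not None:
            return ATTRS.get(match.group(1), "")    # %{Attribute-Name}
        handler = ONE_CHAR.get(match.group(2))
        return handler() if handler else match.group(0)
    return TOKEN.sub(repl, template)


def unescaped_specifiers(template):
    """Return every %X sequence the server would expand before SQL sees it."""
    return [m.group(0) for m in TOKEN.finditer(template) if m.group(2)]


# The format string from the thread, before and after escaping.
BROKEN = ("STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', "
          "'%M %d %Y %H:%i:%s')")
FIXED = ("STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', "
         "'%%M %%d %%Y %%H:%%i:%%s')")

if __name__ == "__main__":
    for name, query in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", expand(query))
        print("  unescaped:", unescaped_specifiers(query))
```

Running `unescaped_specifiers` over each query line in `dialup.conf` before deploying a change catches this class of mistake without needing a live accounting packet.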


Re: Changing the format of a date attribute

2009-12-09 Thread Patric

Alan DeKok wrote:

On 09-12-09 11:37 AM, Patric wrote:
  

The problem with the above is that some of those formatting options ('%M
%d %Y %H:%i:%s') are also defined as one-character variables, so instead
of formatting the date with those options, it's replacing each with the
variable value, and when I'm trying to end up with:



  Use %% to escape the %.  That should work.  e.g.

' ... %%M %%d %%Y %%H:%%i:%%s'


Thanks, I'll give that a go :)
Patric


Re: Possible to add a NAS in any MySQL table?

2009-12-09 Thread tnt
 so, maybe You know, Patric, how I can insert into radacct table username
 from inner session, not outer session?

Don't hijack other people's threads. If you have something to ask - start
your own.

That is documented in post-auth section of inner-tunnel virtual server.

Ivan Kalik



radwho and radtest

2009-12-09 Thread Ramzi Abdallah

hi,

I installed FreeRADIUS Version 2.1.7 from the RPM package that is included with 
Fedora core 12. The server starts without errors and authentication is working 
fine. The problem I am having is with the radwatch displays no output and 
radtest fails.

output of the radtest
-
[r...@dia ~]# radtest rsa hello localhost 1812 testing123
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
radclient: no response from server for ID 42 socket 3
[r...@dia ~]#


output of radwho
-
[r...@dia raddb]# radwho
Login  Name  What  TTY  When  From  Location
[r...@dia raddb]#


[r...@dia ~]# radwatch
A radiusd process already exists
[r...@dia ~]#


I have also attached the output of radiusd -X


any help would be greatly appreciated 



  
FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Sep 16 2009 at 08:28:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = 

RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

thank you alan for the quick reply. It worked just fine. Now I am still facing 
the problem with the radwho and radlast. Any idea


Regards,

Ramzi




 Date: Wed, 9 Dec 2009 20:00:29 +
 From: a.l.m.bu...@lboro.ac.uk
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 Subject: Re: radwho and radtest
 
 hi,
 
 according to your output, it looks like localhost is mapping to ::1
 
 which is the local box IPv6 address (like 127.0.0.1 is in IPv4 world)
 
 by default, FreeRADIUS won't be listening to IPv6 interface...if you configure
 it so that it is then this will work -
 
 otherwise change your command to eg
 
 radtest rsa hello 127.0.0.1 1812 testing123
 
 
 or change your hosts file so that localhost maps to 127.0.0.1 first!
 
 alan
 

Re: radwho and radtest

2009-12-09 Thread gera

A copy of the relevant parts of your users and clients config files would be 
great.

If nobody's logged in, it's fine if you see nothing on the radwho output

On Wednesday 09 December 2009 12:41:48 pm Ramzi Abdallah wrote:
 hi,
 
 I installed FreeRADIUS Version 2.1.7 from the RPM package that is included
  with Fedora core 12. The server starts without errors and authentication
  is working fine. The problem I am having is with the radwatch displays no
  output and radtest fails.
 
 output of the radtest
 -
 [r...@dia ~]# radtest rsa hello localhost 1812 testing123
 Sending Access-Request of id 42 to ::1 port 1812
 User-Name = rsa
 User-Password = hello
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 1812
 Sending Access-Request of id 42 to ::1 port 1812
 User-Name = rsa
 User-Password = hello
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 1812
 Sending Access-Request of id 42 to ::1 port 1812
 User-Name = rsa
 User-Password = hello
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 1812
 radclient: no response from server for ID 42 socket 3
 [r...@dia ~]#
 
 
 output of radwho
 -
 [r...@dia raddb]# radwho
 Login  Name  What  TTY  When  From  Location
 [r...@dia raddb]#
 
 
 [r...@dia ~]# radwatch
 A radiusd process already exists
 [r...@dia ~]#
 
 
 I have also attached the output of radiusd -X
 
 
 any help would be greatly appreciated
 
 
 
 


RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

Thank you gera, attached are copies for the users and clients.conf config 
files. Normally when I run radwho and radlast I am authenticated with user rsa 
so I should at least see my login :)

Regards,

Ramzi


 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 Subject: Re: radwho and radtest
 From: g...@gera.me
 Date: Wed, 9 Dec 2009 13:09:57 -0700
 
 
 A copy of the relevant parts of your users and clients config files would be 
 great.
 
 If nobody's logged in, it's fine if you see nothing on the radwho output
 
 On Wednesday 09 December 2009 12:41:48 pm Ramzi Abdallah wrote:
  hi,
  
  I installed FreeRADIUS Version 2.1.7 from the RPM package that is included
   with Fedora core 12. The server starts without errors and authentication
   is working fine. The problem I am having is with the radwatch displays no
   output and radtest fails.
  
  output of the radtest
  -
  [r...@dia ~]# radtest rsa hello localhost 1812 testing123
  Sending Access-Request of id 42 to ::1 port 1812
  User-Name = rsa
  User-Password = hello
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 1812
  Sending Access-Request of id 42 to ::1 port 1812
  User-Name = rsa
  User-Password = hello
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 1812
  Sending Access-Request of id 42 to ::1 port 1812
  User-Name = rsa
  User-Password = hello
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 1812
  radclient: no response from server for ID 42 socket 3
  [r...@dia ~]#
  
  
  output of radwho
  -
  [r...@dia raddb]# radwho
  Login  Name  What  TTY  When  From  Location
  [r...@dia raddb]#
  
  
  [r...@dia ~]# radwatch
  A radiusd process already exists
  [r...@dia ~]#
  
  
  I have also attached the output of radiusd -X
  
  
  any help would be greatly appreciated
  
  
  
  
#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser   Auth-Type := Reject
#   Reply-Message = Your account has been disabled.

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == disabled, Auth-Type := Reject
#   Reply-Message = Your account has been disabled.
#
#


rsa     Cleartext-Password := "hello"
        Reply-Message = "Hello, %{User-Name}"



#
#
# This is a complete entry for steve. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve  Cleartext-Password := testing
#   Service-Type = Framed-User,
#   Framed-Protocol = PPP,
#   Framed-IP-Address = 172.16.3.33,
#   Framed-IP-Netmask = 255.255.255.0,
#   Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = std.ppp,
#   Framed-MTU = 1500,
#   Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Cleartext-Password := hello
#   Reply-Message = Hello, %{User-Name}

#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := ge55ged
#   Service-Type = Callback-Login-User,
#   Login-IP-Host = 0.0.0.0,
#   Callback-Number = 9,5551212,
#   Login-Service = Telnet,
#   Login-TCP-Port = Telnet

#
# Another complete entry. After the user dialbk has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host timeshare1.
#
#dialbk Cleartext-Password := callme
#   Service-Type = Callback-Login-User,
#   Login-IP-Host = timeshare1,
#   Login-Service = PortMaster,
#   Callback-Number = 9,1-800-555-1212

#
# user swilson will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# 

Re: radwho and radtest

2009-12-09 Thread Alan Buxey
hi,

got accounting details sent from NAS?

why dont you run in debug mode when you are doing the tests?
you can then see what is going on...and why things arent
being recorded.

what method of session tracking are you using?  radutmp
etc - check your config for the session information.

alan


RE: radwho and radtest

2009-12-09 Thread tnt
 thank you alan for the quick reply. It worked just fine. Now I am still
 facing the problem with the radwho and radlast. Any idea

Yes, you have sent an authentication request. No accounting. So there is
nothing for radwho to show. It displays accounting information. In case
you weren't aware, radius server doesn't generate accounting information.

Ivan Kalik



RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

thanks Ivan, when I run in debug mode I get the below errors 

++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID 
MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.129.17,NAS-IP-Address = 
193.188.129.17,Acct-Session-Id = 00550003,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = cc3ac6adce99a1dd.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop


[radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -> rsa
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop


 Date: Wed, 9 Dec 2009 21:32:55 +
 Subject: RE: radwho and radtest
 From: t...@kalik.net
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 
  thank you alan for the quick reply. It worked just fine. Now I am still
  facing the problem with the radwho and radlast. Any idea
 
 Yes, you have sent an authentication request. No accounting. So there is
 nothing for radwho to show. It displays accounting information. In case
 you weren't aware, radius server doesn't generate accounting information.
 
 Ivan Kalik
 

RE: radwho and radtest

2009-12-09 Thread tnt
 [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
 ID MAY be inconsistent
...
   rlm_radutmp: No NAS-Port seen.  Cannot do anything.

Nothing mysterious in those messages. NAS is not sending NAS-Port and
radutmp needs it to work.

Ivan Kalik



RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

great, then I have to contact the fortinet guys to see why this is happening



 Date: Wed, 9 Dec 2009 22:08:56 +
 Subject: RE: radwho and radtest
 From: t...@kalik.net
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 
  [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
  ID MAY be inconsistent
 ...
rlm_radutmp: No NAS-Port seen.  Cannot do anything.
 
 Nothing mysterious in those messages. NAS is not sending NAS-Port and
 radutmp needs it to work.
 
 Ivan Kalik
 

Re: radwho and radtest

2009-12-09 Thread gera

Maybe I'm missing something, but is this shown while you do use the radtest 
command? If so, then it's normal that you get nothing on radwho.

If you get nothing on radwho when using the NAS (and you didn't go so far 
from the default freeradius configuration), then indeed you still need to 
configure it to send accounting data to radius.


On Wednesday 09 December 2009 02:58:13 pm Ramzi Abdallah wrote:
 thanks Ivan, when I run in debug mode I get the below errors
 
 ++[preprocess] returns ok
 [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
  ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address =
  193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id =
  00550003,User-Name = rsa' [acct_unique] Acct-Unique-Session-ID =
  cc3ac6adce99a1dd.
 ++[acct_unique] returns ok
 [suffix] No '@' in User-Name = rsa, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 ++[files] returns noop
 
 
 [radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
 [radutmp]   expand: %{User-Name} -> rsa
   rlm_radutmp: No NAS-Port seen.  Cannot do anything.
   rlm_radumtp: WARNING: checkrad will probably not work!
 ++[radutmp] returns noop
 
  Date: Wed, 9 Dec 2009 21:32:55 +
  Subject: RE: radwho and radtest
  From: t...@kalik.net
  To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 
   thank you alan for the quick reply. It worked just fine. Now I am still
   facing the problem with the radwho and radlast. Any idea
 
  Yes, you have sent an authentication request. No accounting. So there is
  nothing for radwho to show. It displays accounting information. In case
  you weren't aware, radius server doesn't generate accounting information.
 
  Ivan Kalik
 


RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

I get this when I login to the firewall



 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 Subject: Re: radwho and radtest
 From: g...@gera.me
 Date: Wed, 9 Dec 2009 15:28:30 -0700
 
 
 Maybe I'm missing something, but is this shown while you do use the radtest 
 command? If so, then it's normal that you get nothing on radwho.
 
 If you get nothing on radwho when using the NAS (and you didn't go so far 
 from the default freeradius configuration), then indeed you still need to 
 configure it to send accounting data to radius.
 
 
 On Wednesday 09 December 2009 02:58:13 pm Ramzi Abdallah wrote:
  thanks Ivan, when I run in debug mode I get the below errors
  
  ++[preprocess] returns ok
  [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
   ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address =
   193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id =
   00550003,User-Name = rsa' [acct_unique] Acct-Unique-Session-ID =
   cc3ac6adce99a1dd.
  ++[acct_unique] returns ok
  [suffix] No '@' in User-Name = rsa, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  ++[files] returns noop
  
  
  [radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
  [radutmp]   expand: %{User-Name} -> rsa
rlm_radutmp: No NAS-Port seen.  Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
  ++[radutmp] returns noop
  
   Date: Wed, 9 Dec 2009 21:32:55 +
   Subject: RE: radwho and radtest
   From: t...@kalik.net
   To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
  
thank you alan for the quick reply. It worked just fine. Now I am still
facing the problem with the radwho and radlast. Any idea
  
   Yes, you have sent an authentication request. No accounting. So there is
   nothing for radwho to show. It displays accounting information. In case
   you weren't aware, radius server doesn't generate accounting information.
  
   Ivan Kalik
  

RE: radwho and radtest

2009-12-09 Thread tnt

 I get this when I login to the firewall

It would help if you wouldn't edit the debug. Post the whole thing request
+ processing (both for authentication and accounting).

Ivan Kalik



Testing radius server

2009-12-09 Thread Alex Bahoor


Hi,

I'm getting trouble authenticating my AP to freeradius. When I type in a
password on the AP, it reaches the radius server, however the server
responds with ICMP destination unreachable to the AP. I can see radius is
listening to the following ports:

Udp 0   0 *:radius
Udp 0   0 *:radius-acct

I take it the above are port 1812 and 1813 respectively. Right?
I see the Cisco AP is sending request with destination port 1812. So, any
clue as to why it is sending the ICMP unreachable? It seems that the port
numbers are not what I think they are, but netstat identifies the two ports
as radius default, so it's got to be right. But I know that icmp unreachable
is only sent out (in this case), if the server cannot identify the
destination port number. 

How can I locally test that radius is serving the port above and the
password. Like is there a way that I can use CLI to test the radius as if
I'm the AP, but from the command line on the server?

Thanks,

Alex

 



Re: Testing radius server

2009-12-09 Thread gera

If I recall, you said you're using an FC12. Try deactivating the FC firewall 
and try again.

service iptables stop

If it doesn't work, I would go after SELinux. Deactivating it could be 
helpful, at least just to give it a try.

On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
 Hi,
 
 I'm getting trouble authenticating my AP to freeradius. When I type in a
 password on the AP, it reaches the radius server, however the server
 responds with ICMP destination unreachable to the AP. I can see radius is
 listening to the following ports:
 
 Udp   0   0 *:radius
 Udp   0   0 *:radius-acct
 
 I take it the above are port 1812 and 1813 respectively. Right?
 I see the Cisco AP is sending request with destination port 1812. So, any
 clue as to why it is sending the ICMP unreachable? It seems that the port
 numbers are not what I think they are, but netstat identifies the two ports
 as radius default, so it's got to be right. But I know that icmp unreachable
 is only sent out (in this case), if the server cannot identify the
 destination port number.
 
 How can I locally test that radius is serving the port above and the
 password. Like is there a way that I can use CLI to test the radius as if
 I'm the AP, but from the command line on the server?
 
 Thanks,
 
 Alex
 
 
 


Re: Testing radius server

2009-12-09 Thread gera

For testing, you can always use radtest.

On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
 Hi,
 
 I'm getting trouble authenticating my AP to freeradius. When I type in a
 password on the AP, it reaches the radius server, however the server
 responds with ICMP destination unreachable to the AP. I can see radius is
 listening to the following ports:
 
 Udp   0   0 *:radius
 Udp   0   0 *:radius-acct
 
 I take it the above are port 1812 and 1813 respectfully. Right?
 I see the Cisco AP is sending request with destination port 1812. So, any
 clue as to why it sending the ICMP unreachable? It seems that the port
 numbers are not what I think they are, but netstat identifies the two ports
 as radius default, so it got to be right. But I know that icmp unreachable
 is only sent out (in this case), if the server cannot identify the
 destination port number.
 
 How can I locally test that radius is serving the port above and the
 password. Like is there a way that I can use CLI to test the radius as if
 I'm the AP, but from the command line on the server?
 
 Thanks,
 
 Alex
 
 
 
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

hello Ivan

attached is the complete debug log



 Date: Wed, 9 Dec 2009 23:28:49 +
 Subject: RE: radwho and radtest
 From: t...@kalik.net
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 
 
  I get this when I login to the firewall
 
 It would help if you wouldn't edit the debug. Post the whole thing request
 + processing (both for authentication and accounting).
 
 Ivan Kalik
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  

putty.log
Description: Binary data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Testing radius server

2009-12-09 Thread Alan Buxey

hi,

sounds like your server has firewall on it - so whilst the daemon
is listening locally, the firewall is rejecting the packets (that'd
be the cause of the ICMP unreachable). add UDP 1812,1813 and 1814
to the firewall config... on redhat - /etc/sysconfig/iptables
or use a GUI tool

alternatively, the AP cannot actually reach the server because
of other reasons - network topology, router/switch ACLs etc - I don't know
your network

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
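
The ICMP unreachable described in this thread and the firewall change suggested above, as an added example that is not part of any poster's message: a shell function that walks an iptables-save style INPUT chain, first match wins, for a new inbound UDP packet. The ruleset is a constructed sample modelled on a stock Fedora/RHEL host firewall; `radius_verdict`, the `eth0` default and the inserted multiport rule are assumptions of this example.

```shell
# Constructed sample (iptables-save format): INPUT ends in a catch-all REJECT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Verdict for a NEW inbound UDP packet: radius_verdict RULES PORT [IFACE]
# Models only -p, -i, --state/--ctstate, --dport(s) and -j; other matches
# (-s, "!" negation, user chains) are ignored, so treat the result as a hint.
radius_verdict() {
  printf '%s\n' "$1" | awk -v port="$2" -v ifc="${3:-eth0}" '
    function inrange(spec,   n, i, k, parts, r, lo, hi) {
      n = split(spec, parts, ",")
      for (i = 1; i <= n; i++) {
        k = split(parts[i], r, ":")
        lo = r[1] + 0; hi = (k == 2 ? r[2] : r[1]) + 0
        if (port + 0 >= lo && port + 0 <= hi) return 1
      }
      return 0
    }
    $1 == ":INPUT" { policy = $2 }
    $1 == "-A" && $2 == "INPUT" {
      ok = 1; target = ""; how = ""
      for (i = 3; i < NF; i++) {
        v = $(i + 1)
        if ($i == "-p" && v != "udp" && v != "all") ok = 0
        if ($i == "-i" && v != ifc) ok = 0
        if (($i == "--state" || $i == "--ctstate") && v !~ /(^|,)NEW(,|$)/) ok = 0
        if (($i == "--dport" || $i == "--dports") && !inrange(v)) ok = 0
        if ($i == "-j") target = v
        if ($i == "--reject-with") how = v
      }
      if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) {
        out = target; if (how != "") out = out " " how
        print out; done = 1; exit
      }
    }
    END { if (!done) print policy " (chain policy)" }'
}
# Same ruleset with UDP 1812-1814 allowed ahead of the catch-all REJECT.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | awk '
  /-j REJECT/ { print "-A INPUT -p udp -m multiport --dports 1812,1813,1814 -j ACCEPT" }
  { print }')
for p in 1812 1813 1814; do
  echo "udp/$p before: $(radius_verdict "$SAMPLE_RULES" "$p") | after: $(radius_verdict "$FIXED_RULES" "$p")"
done
```

In the sample ruleset the `lo` rule accepts loopback traffic before the REJECT, so a radtest run on the server itself can succeed while requests arriving from the AP are still refused.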


RE: Testing radius server

2009-12-09 Thread Alex Bahoor

Thanks Gera, it was a firewall issue, even though when I installed F12 I
did not select firewall, but it was running.

Now I know it's a config issue in the clients.conf, as radtest is failing. I
set user name and password, but radius is sending a reject. This is the
first time I'm using radius. So please bear with me. Can someone mail me
an example of the minimum required configuration that is needed for the radius to
work, no EAP or MSCAP, etc.?

Rgds,

Alex


-Original Message-
From: freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org
[mailto:freeradius-users-bounces+alexbahoor=sbcglobal@lists.freeradius.org] On Behalf Of gera
Sent: Wednesday, December 09, 2009 10:19 PM
To: FreeRadius users mailing list
Subject: Re: Testing radius server


For testing, you can always use radtest.

On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
 Hi,
 
 I'm getting trouble authenticating my AP to freeradius. When I type in a
 password on the AP, it reaches the radius server, however the server
 responds with ICMP destination unreachable to the AP. I can see radius is
 listening to the following ports:
 
 Udp   0   0 *:radius
 Udp   0   0 *:radius-acct
 
 I take it the above are port 1812 and 1813 respectfully. Right?
 I see the Cisco AP is sending request with destination port 1812. So, any
 clue as to why it sending the ICMP unreachable? It seems that the port
 numbers are not what I think they are, but netstat identifies the two ports
 as radius default, so it got to be right. But I know that icmp unreachable
 is only sent out (in this case), if the server cannot identify the
 destination port number.
 
 How can I locally test that radius is serving the port above and the
 password. Like is there a way that I can use CLI to test the radius as if
 I'm the AP, but from the command line on the server?
 
 Thanks,
 
 Alex
 
 
 
 
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
 

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html