Escaped . does match any character
Hi All

I have the following in my users file:

DEFAULT User-Name =~ .+\...@example.com, Auth-Type := Accept, Proxy-To-Realm := DONOTREALM

This regexp matches not only user...@example.com but also user...@example.com. Is this a bug, or do I have to escape the . in a different way?

Regards

Matthias

-- 
Matthias Cramer / mc322-ripe   Senior Network Security Engineer
iway AG   Phone +41 43 500
Josefstrasse 225   Fax +41 44 271 3535
CH-8005 Zürich   http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: customize Post-Auth-Type REJECT
easyzonecorp.net wrote:
> you can not do that after Post-Auth-Type REJECT
> you must do after noresetbytescounter
> read on my article http://www.easyzonecorp.net/network/view.php?ID=1042 Freeradius unlang accept after chap reject. and then apply it. i know you can !!

Thx for advice. It almost helped :) I've rewritten my config to:

noresetbytescounter {
    reject = 1
}
if (reject) {
    update reply {
        Reply-Message := You have reached your transfer limit. Limited bandwitch
    }
    update control {
        Auth-Type := Accept
        WISPr-Bandwidth-Max-Down = 131072
        WISPr-Bandwidth-Max-Up = 131072
    }
}

And it works - when a user reaches the transfer limit he gets the correct reply message, but he is rejected anyway. It looks like update control doesn't work.

Sending Access-Request of id 142 to xxx.xxx.xxx.xxx port 1812
    User-Name = user01
    User-Password = user01
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 10
rad_recv: Access-Reject packet from host xxx.xxx.xxx.xxx port 1812, id=142, length=119
    Acct-Interim-Interval = 60
    Idle-Timeout = 60
    WISPr-Bandwidth-Max-Down = 1048576
    WISPr-Bandwidth-Max-Up = 262144
    Session-Timeout = 360
    Reply-Message = You have reached your transfer limit. Limited bandwitch

Where should I look now?
Re: customize Post-Auth-Type REJECT
pawel_221 wrote:
> And it works - when a user reaches the transfer limit he gets the correct reply message, but he is rejected anyway. It looks like update control doesn't work.

You need to change the reject return code. Do this by adding an ok to the config:

if (reject) {
    ok # over-ride reject
    update reply {
        Reply-Message := You have reached your transfer limit. Limited bandwitch
    }
    update control {
        Auth-Type := Accept
        WISPr-Bandwidth-Max-Down = 131072
        WISPr-Bandwidth-Max-Up = 131072
    }
}

Alan DeKok.
Re: Escaped . does match any character
Matthias Cramer wrote:
> Hi All
> I have the following in my users file:
> DEFAULT User-Name =~ .+\...@example.com, Auth-Type := Accept, Proxy-To-Realm := DONOTREALM
> This regexp matches not only user...@example.com but also user...@example.com. Is this a bug, or do I have to escape the . in a different way?

You may need two \\

Alan DeKok.
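To see why one backslash is not enough, here is an added Python model (constructed for this page, not FreeRADIUS code and not from the thread) of the two-stage handling: the config-file parser consumes one layer of backslash escapes before the value reaches the regex engine, so a `\.` written in the users file arrives as a bare `.` while `\\.` arrives as `\.`. The one-pass unescape is a simplified assumption about the users-file parser, and the patterns and user names are constructed samples.

```python
import re


def unescape_config_string(raw):
    """Model (assumption) of the single pass of backslash processing a config
    parser applies to a value: any '\\x' pair becomes the bare character x."""
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])   # drop the backslash, keep what follows
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def users_file_match(pattern_as_written, user_name):
    """True if a User-Name would satisfy the =~ check item as written.
    The match is a search (regexec-style), not a full-string match."""
    pattern_seen_by_regex = unescape_config_string(pattern_as_written)
    return re.search(pattern_seen_by_regex, user_name) is not None


# Constructed patterns: a literal dot between two name parts before @example.com.
# Written with one backslash, the dot reaches the regex engine unescaped.
SINGLE_ESCAPE = r"^.+\.[a-z]+@example\.com$"
# Written with two backslashes, the regex engine sees '\.' and matches a real dot.
DOUBLE_ESCAPE = r"^.+\\.[a-z]+@example\\.com$"

GOOD = "john.smith@example.com"    # has the literal dot: should match
BAD = "johnXsmith@example.com"     # no dot: should NOT match


def check_both():
    """(matches GOOD, matches BAD) for each way of writing the pattern."""
    return {
        "single": (users_file_match(SINGLE_ESCAPE, GOOD),
                   users_file_match(SINGLE_ESCAPE, BAD)),
        "double": (users_file_match(DOUBLE_ESCAPE, GOOD),
                   users_file_match(DOUBLE_ESCAPE, BAD)),
    }


if __name__ == "__main__":
    for way, (good, bad) in check_both().items():
        print("%s backslash: good=%s bad=%s" % (way, good, bad))
```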
Re: customize Post-Auth-Type REJECT
Alan DeKok-2 wrote:
> pawel_221 wrote:
>> And it works - when a user reaches the transfer limit he gets the correct reply message, but he is rejected anyway. It looks like update control doesn't work.
>
> You need to change the reject return code. Do this by adding an ok to the config:
>
> if (reject) {
>     ok # over-ride reject
>     update reply {
>         Reply-Message := You have reached your transfer limit. Limited bandwitch
>     }
>     update control {
>         Auth-Type := Accept
>         WISPr-Bandwidth-Max-Down = 131072
>         WISPr-Bandwidth-Max-Up = 131072
>     }
> }
>
> Alan DeKok.

It helped - the user gets a rad_recv: Access-Accept packet but it doesn't change Bandwidth. The user still has the bandwidth which is assigned to his group.

I've tried to rewrite my config and move update control to the post-auth section. I check in the post-auth section:

if ( %{reply:Reply-Message} == LIMITED ) {
    update reply {
        Reply-Message := You have reached your transfer limit. Limited bandwidth
    }
    update control {
        Auth-Type := Accept
        WISPr-Bandwidth-Max-Down = 131072
        WISPr-Bandwidth-Max-Up = 131072
    }
}

but it also doesn't change bandwidth. It still sends:

    WISPr-Bandwidth-Max-Down = 1048576
    WISPr-Bandwidth-Max-Up = 262144

But it does of course change Reply-Message from LIMITED to You have reached your transfer limit. Limited bandwidth.

In debug mode I can see:

++? if (%{reply:Reply-Message} == LIMITED ) - TRUE
++- entering if (%{reply:Reply-Message} == LIMITED ) {...}
+++[reply] returns ok
+++[control] returns ok
++- if (%{reply:Reply-Message} == LIMITED ) returns ok
Sending Access-Accept of id 151 to xxx.xxx.xxx.xxx port 59621
    Acct-Interim-Interval = 60
    Idle-Timeout = 60
    WISPr-Bandwidth-Max-Down = 1048576
    WISPr-Bandwidth-Max-Up = 262144
    Session-Timeout = 360
    Reply-Message = You have reached your transfer limit. Limited bandwitch
Re: customize Post-Auth-Type REJECT
pawel_221 wrote:
> It helped - the user gets a rad_recv: Access-Accept packet but it doesn't change Bandwidth. The user still has the bandwidth which is assigned to his group.

See "man unlang". You are putting the bandwidth in the "control" list, not the "reply" list. Go fix that.

And read "man unlang" for how the operators work. You probably want ":=" here.

Alan DeKok.
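To make both points concrete, here is an added Python model (constructed for this page, not FreeRADIUS code) of how unlang update blocks act on the control and reply lists: "=" only adds an attribute that is absent, ":=" replaces it, "+=" appends another instance, and only the reply list is what the NAS receives. The group reply values and the three policy variants are constructed from the thread; the parser is a minimal one that only understands flat update blocks.

```python
import re

# Constructed sample: what the user's group had already put in the reply list
# by the time post-auth runs (values as shown in the thread's debug output).
GROUP_REPLY = [
    ("Acct-Interim-Interval", "60"),
    ("Idle-Timeout", "60"),
    ("WISPr-Bandwidth-Max-Down", "1048576"),
    ("WISPr-Bandwidth-Max-Up", "262144"),
    ("Session-Timeout", "360"),
    ("Reply-Message", "LIMITED"),
]

# Variant 1: the block as posted. The bandwidth goes into the control list,
# so the reply list (what the NAS sees) is never touched.
POLICY_AS_POSTED = """
update reply {
    Reply-Message := "You have reached your transfer limit. Limited bandwidth"
}
update control {
    Auth-Type := Accept
    WISPr-Bandwidth-Max-Down = 131072
    WISPr-Bandwidth-Max-Up = 131072
}
"""

# Variant 2: right list, wrong operator. "=" only adds an attribute that is
# not already there, so the group's value still wins.
POLICY_WRONG_OPERATOR = """
update reply {
    WISPr-Bandwidth-Max-Down = 131072
    WISPr-Bandwidth-Max-Up = 131072
}
"""

# Variant 3: what the thread converges on: reply list plus ":=".
POLICY_CORRECTED = """
update reply {
    Reply-Message := "You have reached your transfer limit. Limited bandwidth"
    WISPr-Bandwidth-Max-Down := 131072
    WISPr-Bandwidth-Max-Up := 131072
}
update control {
    Auth-Type := Accept
}
"""

_BLOCK_RE = re.compile(r"update\s+(\w+)\s*\{(.*?)\}", re.S)
_ASSIGN_RE = re.compile(r"^\s*([\w-]+)\s*(:=|\+=|=)\s*(.*?)\s*$")


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def apply_operator(pairs, attr, op, value):
    """Apply one assignment to a list of (name, value) pairs, per man unlang."""
    present = any(name == attr for name, _ in pairs)
    if op == "=":
        if not present:                                  # existing value wins
            pairs.append((attr, value))
    elif op == ":=":
        pairs[:] = [p for p in pairs if p[0] != attr]    # replace all instances
        pairs.append((attr, value))
    elif op == "+=":
        pairs.append((attr, value))                      # always add another
    else:
        raise ValueError("unsupported operator %r" % op)


def apply_policy(policy_text, lists):
    """Run every flat 'update <list> { ... }' block against the named lists."""
    for list_name, body in _BLOCK_RE.findall(policy_text):
        target = lists.setdefault(list_name, [])
        for line in body.splitlines():
            if not line.strip():
                continue
            m = _ASSIGN_RE.match(line)
            if not m:
                raise ValueError("cannot parse assignment: %r" % line)
            attr, op, value = m.groups()
            apply_operator(target, attr, op, _unquote(value))
    return lists


def run_policy(policy_text):
    """Start from the group's reply list and an empty control list."""
    return apply_policy(policy_text, {"reply": list(GROUP_REPLY), "control": []})


def reply_value(lists, attr):
    """Value the NAS would receive for attr (last instance wins), or None."""
    return dict(lists["reply"]).get(attr)
```

Running `reply_value(run_policy(p), "WISPr-Bandwidth-Max-Down")` gives 1048576 for the first two variants and 131072 only for the corrected one.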
Re: customize Post-Auth-Type REJECT
Alan DeKok-2 wrote:
> pawel_221 wrote:
>> It helped - the user gets a rad_recv: Access-Accept packet but it doesn't change Bandwidth. The user still has the bandwidth which is assigned to his group.
>
> See "man unlang". You are putting the bandwidth in the "control" list, not the "reply" list. Go fix that.
>
> And read "man unlang" for how the operators work. You probably want ":=" here.
>
> Alan DeKok.

Thx a lot :) Now it works perfectly :)

greetings
Accounting using SQL
Hi,

I am having a problem where nothing is getting written into radacct on my database. I can, however, validate a user on the database using radtest, so I am guessing dialup.conf (which I haven't touched) is not running the accounting section. Currently I have not added a NAS, and am running locally, so I am unclear on whether this is the reason why no information is being added?

I followed the howto on SQL from the freeradius wiki. I used the supplied schema in the sql file, and changed sql.conf to use the database user name and password, which I have kept to 'root' and 'password'. I have also uncommented sql in the accounting section for radiusd.conf.

I have posted two files below: sql.conf and the default file from sites-available. If you require any more please let me know.

Any help will be appreciated,

James

# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id$
##

#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
#   sql/DB/schema.sql     Schema
#   sql/DB/dialup.conf    Basic dialup (including policy) queries
#   sql/DB/counter.conf   counter
#   sql/DB/ippool.conf    IP Pools in SQL
#   sql/DB/ippool.sql     schema for IP pools.
#
# Where DB is mysql, mssql, oracle, or postgresql.
#

sql {
    #
    # Set the database to one of:
    #
    #   mysql, mssql, oracle, postgresql
    #
    database = mysql

    #
    # Which FreeRADIUS driver to use.
    #
    driver = rlm_sql_${database}

    # Connection info:
    server = localhost
    port = 3306
    login = root
    password = password

    # Database table configuration for everything except Oracle
    radius_db = radius
    # If you are using Oracle then use this instead
    # radius_db = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))

    # If you want both stop and start records logged to the
    # same SQL table, leave this as is. If you want them in
    # different tables, put the start table in acct_table1
    # and stop table in acct_table2
    acct_table1 = radacct
    acct_table2 = radacct

    # Allow for storing data after authentication
    postauth_table = radpostauth

    authcheck_table = radcheck
    authreply_table = radreply

    groupcheck_table = radgroupcheck
    groupreply_table = radgroupreply

    # Table to keep group info
    usergroup_table = radusergroup

    # If set to 'yes' (default) we read the group tables
    # If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
    # read_groups = yes

    # Remove stale session if checkrad does not see a double login
    deletestalesessions = yes

    # Print all SQL statements when in debug mode (-x)
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql

    # number of sql connections to make to server
    num_sql_socks = 5

    # number of seconds to delay retrying on a failed database
    # connection (per_socket)
    connect_failure_retry_delay = 60

    # lifetime of an SQL socket. If you are having network issues
    # such as TCP sessions expiring, you may need to set the socket
    # lifetime. If set to non-zero, any open connections will be
    # closed lifetime seconds after they were first opened.
    lifetime = 0

    # Maximum number of queries used by an SQL socket. If you are
    # having issues with SQL sockets lasting too long, you can
    # limit the number of queries performed over one socket. After
    # max_queries, the socket will be closed. Use 0 for no limit.
    max_queries = 0

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup. For performance
    # and security reasons, finding clients via SQL queries CANNOT
    # be done live while the server is running.
    #
    #readclients = yes

    # Table to keep radius client info
    nas_table = nas

    # Read driver-specific configuration
    $INCLUDE sql/${database}/dialup.conf
}

##
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# server section, and configuration directives.
#
# Virtual hosts should be put into the sites-available
# directory. Soft links should be created in the sites-enabled
# directory to these files. This is done in a normal installation.
#
# $Id$
#
##

#
# Read man radiusd before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the
Using the same FreeRadius for accounting into MySQL for clients with different attributes
Hi,

I am using a FreeRadius server Version 1.0.1 only for accounting with Cisco gateways. Now I want to use the same server with Dialogic gateways. Dialogic and Cisco have their own RADIUS dictionaries. When I write the accounting log in a MySQL database, how can I write both sets of attributes (Cisco and Dialogic)?

Regards,

David.
Re: EAP Session resumption reply attributes
> Hi,
>
> In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can
>
> - move the config that sets the VLAN to the outer tunnel post-auth
> - ensure the inner tunnel sets reply:outer User-Name to request:inner User-Name
> - and then key my VLAN computation (in outer post-auth) from reply:User-Name.
>
> I can see other possibilities to do this (e.g. cache Tunnel-Private-Group-Id in the TLS session cache), but the above seems ok to me.
>
> Can anyone on the list spot any problems, something that I've missed / gotchas with the above?

this is a fine idea - you only need to hit the handling logic post-auth (after the basic accept/reject has been done). just ensure that you don't pass this inner-id stuff back to remote proxies.

alan
Re: Escaped . does match any character
Hi Alan

Alan DeKok wrote:
> Matthias Cramer wrote:
>> I have the following in my users file:
>> DEFAULT User-Name =~ .+\...@example.com, Auth-Type := Accept, Proxy-To-Realm := DONOTREALM
>> This regexp matches not only user...@example.com but also user...@example.com. Is this a bug, or do I have to escape the . in a different way?
>
> You may need two \\

Thanks, this solved the problem.

Regards

Matthias

-- 
Matthias Cramer / mc322-ripe   Senior Network Security Engineer
iway AG   Phone +41 43 500
Josefstrasse 225   Fax +41 44 271 3535
CH-8005 Zürich   http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
EAP-FAST
Hello,

every now and then there's a mild interest on this list about enabling EAP-FAST. In our eduroam RD group, we are currently looking into EAP-FAST, which naturally includes FreeRADIUS support.

Is it worthwhile posting our results here, for others to play with it as well? Or has everybody already run away from the somewhat complicated installation of EAP-FAST support in FreeRADIUS [we certainly had our difficulties...]

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: Can't start radiusd -X ?
Zhang Shukun wrote:
> hi,
> when i want to start radius in debug mode, an error happened.
>
> Failed binding to authentication address * port 1812: Address already in use
> /usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
>
> Could you tell me what's wrong?

kill your radiusd instance before running another one

> Thanks!

-- 
Regards,
Sucan
Re: Help with Freeradius + MySQL Problem....
hi,

got sql defined in your authenticate section of the inner-tunnel (where EAP packets by default get proxied to)?

alan
Re: customize Post-Auth-Type REJECT
pawel_221 wrote:
> Alan DeKok-2 wrote:
>> pawel_221 wrote:
>>> It helped - the user gets a "rad_recv: Access-Accept packet" but it doesn't change Bandwidth. The user still has the bandwidth which is assigned to his group.
>>
>> See "man unlang". You are putting the bandwidth in the "control" list, not the "reply" list. Go fix that.
>>
>> And read "man unlang" for how the operators work. You probably want ":=" here.
>>
>> Alan DeKok.
>
> Thx a lot :) Now it works perfectly :)
>
> greetings

add [RESOLVED] to your mail subject. Please.
Major noob question about freeradius
Hi everyone, maybe you can help me.

I have a small network of about 10 Windows XP machines. I need to set these machines up so that my users can log into any of these machines. For me the simplest solution to solve this would be a Windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a Windows server. I was told that a RADIUS server could accomplish the same thing for me. Is this true?

Basically I just need a way for my users to sit down at any of the Windows XP workstations and log into it. I don't need anything special like roaming profiles and such. All I need is a way for a Windows user to sit down at any computer and type in a user name and password in order to gain access to use the computer.

I saw the tutorials online but I don't think this is what I need. Something about setting up a VPN and adding certs and such. I need freeRadius to control access to use the computer, not to gain access to a network resource.

I have installed freeRadius and got it up and running on openSUSE but I am not really sure how to configure it according to what I need (if it can be done at all).

Am I making sense or am I way off base? Does someone have a document I can follow that will tell me how to configure freeradius so that my Windows users can authenticate against it?

thanks
Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 11:51:28AM -0700, Bryan Boone wrote:
> I have a small network of about 10 windows XP machines. I need to set these machines up so that my users can log into any of these machines.
> I was told that a Radius server could accomplish the same thing for me. Is this true?
> Basically I just need a way for my users to sit down at any of the windows XP workstations and log into it. I don't need anything special like roaming profiles and such.

Yes, google for pGina
Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone bryan-bo...@msn.com wrote:
> I have a small network of about 10 windows XP machines. I need to set these machines up so that my users can log into any of these machines. For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server. I was told that a Radius server could accomplish the same thing for me. Is this true?

Bryan:

I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is a poor solution for this, if indeed a solution at all.

If you can't set up a Windows server to do this job, the best way to meet this need is to run Samba on a Linux machine. If you run it in domain control mode, it'll act very much like a Windows server for the purposes you're talking about.

Check out http://samba.org/ for details on Samba. And for what it's worth I would lean toward using CentOS as the core platform (of course opinions vary on this point). The book Samba-3 by Example gives an excellent guide to the setup if you need one. It's available online at http://www.samba.org/samba/docs/man/Samba-Guide/

Good luck!

E.

-- 
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55
Re: Major noob question about freeradius
At 02:01 PM 1/18/2010, Eric Swanson wrote:
> On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone bryan-bo...@msn.com wrote:
>> For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server.
>
> If you can't set up a Windows server to do this job, the best way to meet this need is to run Samba on a Linux machine. If you run it in domain control mode, it'll act very much like a Windows server for the purposes you're talking about.

If there's a corporate restriction on installing a windows server, setting up a linux server to behave just like a windows server might also be a problem. and indeed if it's on the same network, you'll really need to get things right so that it doesn't screw anything up (such as becoming the master browser).

Just be sure first :-)

rick
Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 11:29 AM, freerad...@corwyn.net wrote:
> At 02:01 PM 1/18/2010, Eric Swanson wrote:
>> On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone bryan-bo...@msn.com wrote:
>>> For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server.
>>
>> If you can't set up a Windows server to do this job, the best way to meet this need is to run Samba on a Linux machine. If you run it in domain control mode, it'll act very much like a Windows server for the purposes you're talking about.
>
> If there's a corporate restriction on installing a windows server, setting up a linux server to behave just like a windows server might also be a problem. and indeed if it's on the same network, you'll really need to get things right so that it doesn't screw anything up (such as becoming the master browser).

Indeed. Just for the sake of clarity let me break it down one more notch:

- If the policy that prevents you from installing a Windows server is something like a company-wide prohibition on using closed-source software, or on spending licensing money with Microsoft, and if your network stands on its own -- then Samba is probably a great approach. Good luck.

- If, as Rick suggests, the policy comes from something like a central IT department that requires you to stay out of their realm of authority, then you've got a whole mess of constraints to navigate. Good luck.

Speaking for myself, I'd say the pGina approach noted above by Josip makes sense only if you've already got RADIUS infrastructure. If you're building something from scratch, Samba is a much better fit, but if pGina lets you use existing RADIUS-centric stuff you just might be well-advised to go that way.

> Just be sure first :-)

Indeed. Also, note that this is off-topic for the list.

E.

-- 
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55
Re: Freeradius-Users Digest, Vol 57, Issue 58
freeradius-users-requ...@lists.freeradius.org wrote:
> Today's Topics:
>
>    1. Re: Escaped . does match any character (Matthias Cramer)
>    2. EAP-FAST (Stefan Winter)
>    3. Re: Can't start radiusd -X ? (Fernando)
>    4. Help with Freeradius + MySQL Problem (Ale Luna)
>
> Message: 4
> Date: Mon, 18 Jan 2010 12:43:54 -0300
> From: Ale Luna ale-l...@argentina.com
> Subject: Help with Freeradius + MySQL Problem
> To: freeradius-users@lists.freeradius.org
>
> Hi to all
>
> I have the following problem with my FreeRADIUS 2.1.8 + MySQL 5.0.75-0ubuntu10.2
>
> I configured my Freeradius in the most basic configuration like you recommend in your SQL HOWTO and I can authenticate a user with the users file and everything runs very well with all my users.
>
> Now I configure it with MySQL and my Freeradius is talking with MySQL but I can't get an Access-Accept for my users.
>
> If I run a radtest, I can get an Access-Accept but when I run with my laptop using Windows XP SP3 I only get an Access-Reject...
>
> This is my radiusd -X output, when I run my radtest and I
RE: Major noob question about freeradius
Hi guys, thanks for the info. The restrictions are licensing with a Windows server. I didn't realize you could set up Samba to be a domain controller. Thanks for the help. I think I will try the Samba route.

Thanks again.
Re: EAP-TLS User-Name not matching
So I reverted to the default conf by copying the confs from the source package. I was forced to alter two lines.

$ diff eap.conf /etc/freeradius/eap.conf
155c155
<       private_key_file = ${certdir}/server.pem
---
>       private_key_file = ${certdir}/server.key

$ diff users /etc/freeradius/users
49a50,53
> user

Other than those changes all confs are at their 'factory defaults'. Yet still I receive the access-reject packets that started this thread. radiusd -X output is below. (note: still using default certs)

freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 15 2010 at 23:02:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
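Review bot: the 49a50,53 hunk shows only "user" although the range says four lines were added, so the rest of the users-file entry is missing from the paste; since the subject is an EAP-TLS User-Name that does not match, that entry is exactly what needs checking, so post the four added lines verbatim. For 155c155, private_key_file now points at ${certdir}/server.key while the default was server.pem; confirm that certificate_file still names the certificate matching that key and that the key file is readable by the account the server runs as.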
Re: EAP-TLS User-Name not matching
So I reverted to the default conf by copying the confs from the source package. I was forced to alter two lines.

$ diff eap.conf /etc/freeradius/eap.conf
155c155
< private_key_file = ${certdir}/server.pem
---
> private_key_file = ${certdir}/server.key

$ diff users /etc/freeradius/users
49a50,53
> user

Other than those changes all confs are at their 'factory defaults'. Yet still I receive the access-reject packets that started this thread. radiusd -X output is below. (note: still using default certs)

freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 15 2010 at 23:02:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
	user = freerad
	group = freerad
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = /var/run/freeradius/freeradius.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
radiusd: Loading Realms and Home Servers
proxy server {
Re: Major noob question about freeradius
> Hi, I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is a poor solution for this, if indeed a solution at all.

I'd say the same thing - SAMBA on a Linux box will easily do this in the 'windows way'.

to use FreeRADIUS to control windows login (ie system login) you need to install extra Gina things - and pGina is the best of these (though no longer developed IIRC)

FreeRADIUS is the main King when it comes to network login - either 802.1X on wired, wireless (WPA/WPA2 enterprise) or even backend system for captive portal

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS User-Name not matching
hi,

nostrip in the example.com in proxy.conf

set the auth to LOCAL

this will then get handled locally and the inner-tunnel will deal with the EAP properly.

alan
Re: EAP-TLS User-Name not matching
I edited proxy.conf to include:

realm example.com {
	nostrip
}

and I edited users to read:

user	Auth-Type := Local

but no beans, back to the 200+ Proxy-State attributes and a DoS. I also tried a few capitalizations of the word 'local' just in case it was sensitive to that, still no luck. I'd include the radiusd -X so you could see it yourself, but it is longer than I'm willing to set my scrollback (2000+ lines).

~Huckle Berry

On Mon, Jan 18, 2010 at 5:55 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> hi,
> nostrip in the example.com in proxy.conf
> set the auth to LOCAL
> this will then get handled locally and the inner-tunnel will deal with the EAP properly.
> alan
Re: EAP-TLS User-Name not matching
Huckle Berry wrote:
> I edited proxy.conf to include:
> realm example.com {
> 	nostrip
> }
> and I edited users to read:
> user	Auth-Type := Local

Delete that. You don't need it.

> but no beans, back to the 200+ Proxy-State attributes and a DoS.

Sorry but NOTHING in the default configuration causes the server to proxy packets to itself.

If it is proxying packets to itself, then READ THE DEBUG OUTPUT. It will say WHY it is proxying packets to itself. Fix that configuration so it doesn't proxy packets to itself.

Or, post that debug output here. It will be pretty obvious what's going wrong, and why.

Alan DeKok.
Re: EAP-TLS User-Name not matching
Huckle Berry wrote:
> Maybe proxy to itself was a bad way to describe it, you can interpret the output yourself if you'd like. I took the last 4096 lines of output ... from an endless loop which repeats the same thing.

Why not send the *top* of the output, before it starts to loop back to itself?

The debug output you posted does NOT match the other configs you sent. It clearly shows that the server is proxying to example.com. This happens ONLY if you add authhost to the realm configuration for example.com. The config you posted for example.com did *not* have an authhost entry.

And if you had posted the *top* of the debug output, it would have included the configuration for the example.com realm. Which would have shown *why* it was proxying.

Alan DeKok.
Re: EAP-TLS User-Name not matching
For all I know, the top of the output could be 10,000 (or more) lines up. Funny thing about endless loops, they tend to go on for quite a while. If you want, I'll post my conf files, which should be the same as the top of the output, no? The example.com realm should be in proxy.conf; if you want any other confs just ask and I will post.

$ grep -v -e \# proxy.conf
proxy server {
	default_fallback = no
}
home_server localhost {
	type = auth
	ipaddr = 127.0.0.1
	port = 1812
	secret = testing123
	require_message_authenticator = no
	response_window = 20
	zombie_period = 40
	revive_interval = 120
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}
home_server virtual.example.com {
	virtual_server = virtual.example.com
}
home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
}
realm example.com {
	auth_pool = my_auth_failover
	nostrip
}
realm LOCAL {
}

Like I said before though, I am running the default config (except for the nostrip line) so if authhost isn't set by default, I didn't add it.

~Huckle Berry

On Tue, Jan 19, 2010 at 1:40 AM, Alan DeKok al...@deployingradius.com wrote:
> Huckle Berry wrote:
>> Maybe proxy to itself was a bad way to describe it, you can interpret the output yourself if you'd like. I took the last 4096 lines of output ... from an endless loop which repeats the same thing.
>
> Why not send the *top* of the output, before it starts to loop back to itself?
>
> The debug output you posted does NOT match the other configs you sent. It clearly shows that the server is proxying to example.com. This happens ONLY if you add authhost to the realm configuration for example.com. The config you posted for example.com did *not* have an authhost entry.
>
> And if you had posted the *top* of the debug output, it would have included the configuration for the example.com realm. Which would have shown *why* it was proxying.
>
> Alan DeKok.
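As an added diagnostic (not code from the thread or from the FreeRADIUS project), this Python snippet reads the proxy.conf blocks posted above and flags any realm whose auth_pool resolves to a home_server that is one of the server's own auth listeners, which is exactly the loop the debug output shows. The listener set (LOCAL_LISTENERS) is an assumption standing in for the server's listen { } sections.

```python
import re

def parse_blocks(text):
    # Top-level FreeRADIUS blocks as (section, name, settings). Nested blocks are
    # skipped, repeated keys collect into a list, bare flags (nostrip) get "".
    blocks, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*(\S+)?\s*\{$", line)
        if m:
            if depth == 0:
                blocks.append((m.group(1), m.group(2) or "", {}))
            depth += 1
        elif line == "}":
            depth -= 1
        elif line and depth == 1:
            key, _, val = line.partition("=")
            blocks[-1][2].setdefault(key.strip(), []).append(val.strip())
    return blocks

def find_self_proxy_realms(conf, listeners):
    # (realm, home_server) pairs whose auth_pool leads back to one of this
    # server's own auth listeners, so requests for that realm loop forever.
    servers, pools, hits = {}, {}, []
    blocks = parse_blocks(conf)
    for sec, name, s in blocks:
        if sec == "home_server" and "ipaddr" in s:
            servers[name] = (s["ipaddr"][0], int(s.get("port", ["1812"])[0]))
        elif sec == "home_server_pool":
            pools[name] = s.get("home_server", [])
    for sec, realm, s in blocks:
        for hs in (pools.get(s.get("auth_pool", [""])[0], []) if sec == "realm" else []):
            ip, port = servers.get(hs, ("", 0))
            if any(p == port and a in ("*", "0.0.0.0", ip) for a, p in listeners):
                hits.append((realm, hs))
    return hits

PROXY_CONF = """
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
}
home_server_pool my_auth_failover {
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
    nostrip
}
"""
LOCAL_LISTENERS = {("*", 1812)}   # assumed: this server's own auth socket

print(find_self_proxy_realms(PROXY_CONF, LOCAL_LISTENERS))   # [('example.com', 'localhost')]
```

The posted config is trimmed to the blocks the check needs; running it over the full proxy.conf gives the same hit, while a listener bound only to another address (or a realm with no auth_pool, such as LOCAL) produces none.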