Escaped . does match any character

2010-01-18 Thread Matthias Cramer
Hi All

I have the following in my users file:


DEFAULT User-Name =~ .+\...@example.com, Auth-Type := Accept,
Proxy-To-Realm := DONOTREALM

This Regexp matches not only user...@example.com but also
user...@example.com.

Is this a bug, or do I have to escape the . in a different way ?

Regards

  Matthias

-- 
Matthias Cramer / mc322-ripe   Senior Network & Security Engineer
iway AG   Phone +41 43 500 
Josefstrasse 225   Fax   +41 44 271 3535
CH-8005 Zürich http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E  3959 B62F DF1C 2D20 8250


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: customize Post-Auth-Type REJECT

2010-01-18 Thread pawel_221


easyzonecorp.net wrote:

> you can not do that after "Post-Auth-Type REJECT"
>
> you must do after
> "noresetbytescounter"
>
> read on my arti http://www.easyzonecorp.net/network/view.php?ID=1042
>
> Freeradius unlang accept after chap reject.
>
> and then apply it.
>
> i know you can !!
 

Thx for the advice. It almost helped :) I've rewritten my config to:

noresetbytescounter {
    reject = 1
}
if (reject) {
    update reply {
        Reply-Message := "You have reached your transfer limit. Limited bandwitch"
    }
    update control {
        Auth-Type := Accept
        WISPr-Bandwidth-Max-Down = 131072
        WISPr-Bandwidth-Max-Up = 131072
    }
}

And it works - when a user reaches the transfer limit he gets the correct reply message,
but he is rejected anyway. It looks like update control doesn't work.

Sending Access-Request of id 142 to xxx.xxx.xxx.xxx port 1812
User-Name = user01
User-Password = user01
NAS-IP-Address = 127.0.0.1
NAS-Port = 10
rad_recv: Access-Reject packet from host xxx.xxx.xxx.xxx port 1812, id=142,
length=119
Acct-Interim-Interval = 60
Idle-Timeout = 60
WISPr-Bandwidth-Max-Down = 1048576
WISPr-Bandwidth-Max-Up = 262144
Session-Timeout = 360
Reply-Message = You have reached your transfer limit. Limited bandwitch

Where should I look now?

Re: customize Post-Auth-Type REJECT

2010-01-18 Thread Alan DeKok
pawel_221 wrote:
> And it works - when a user reaches the transfer limit he gets the correct reply message,
> but he is rejected anyway. It looks like update control doesn't work.

  You need to change the reject return code.  Do this by adding an
ok to the config:


if (reject) {
    ok  # over-ride reject

    update reply {
        Reply-Message := "You have reached your transfer limit. Limited bandwitch"
    }
    update control {
        Auth-Type := Accept
        WISPr-Bandwidth-Max-Down = 131072
        WISPr-Bandwidth-Max-Up = 131072
    }
}


  Alan DeKok.


Re: Escaped . does match any character

2010-01-18 Thread Alan DeKok
Matthias Cramer wrote:
> Hi All
>
> I have the following in my users file:
>
>
> DEFAULT User-Name =~ .+\...@example.com, Auth-Type := Accept,
> Proxy-To-Realm := DONOTREALM
>
> This Regexp matches not only user...@example.com but also
> user...@example.com.
>
> Is this a bug, or do I have to escape the . in a different way ?

  You may need two \\

  Alan DeKok.


Re: customize Post-Auth-Type REJECT

2010-01-18 Thread pawel_221



Alan DeKok-2 wrote:
> pawel_221 wrote:
> > And it works - when a user reaches the transfer limit he gets the correct reply
> > message,
> > but he is rejected anyway. It looks like update control doesn't work.
>
>   You need to change the reject return code.  Do this by adding an
> ok to the config:
>
>
> if (reject) {
>     ok  # over-ride reject
>
>     update reply {
>         Reply-Message := "You have reached your transfer limit. Limited bandwitch"
>     }
>     update control {
>         Auth-Type := Accept
>         WISPr-Bandwidth-Max-Down = 131072
>         WISPr-Bandwidth-Max-Up = 131072
>     }
> }
>
>   Alan DeKok.

It helped - the user has "rad_recv: Access-Accept packet" but it doesn't change
the bandwidth. The user still has the bandwidth which is assigned to his group.
I've tried to rewrite my config and move update control to the post-auth
section. I check in the post-auth section:
if ("%{reply:Reply-Message}" == "LIMITED") {
    update reply {
        Reply-Message := "You have reached your transfer limit. Limited bandwidth"
    }
    update control {
        Auth-Type := Accept
        WISPr-Bandwidth-Max-Down = 131072
        WISPr-Bandwidth-Max-Up = 131072
    }
}

but it also doesn't change the bandwidth. It still sends:
WISPr-Bandwidth-Max-Down = 1048576
WISPr-Bandwidth-Max-Up = 262144
But of course it changes the Reply-Message from "LIMITED" to "You have reached
your transfer limit. Limited bandwidth".

In debug mode I can see:

++? if (%{reply:Reply-Message} == LIMITED ) - TRUE
++- entering if (%{reply:Reply-Message} == LIMITED ) {...}
+++[reply] returns ok
+++[control] returns ok
++- if (%{reply:Reply-Message} == LIMITED ) returns ok
Sending Access-Accept of id 151 to xxx.xxx.xxx.xxx port 59621
Acct-Interim-Interval = 60
Idle-Timeout = 60
WISPr-Bandwidth-Max-Down = 1048576
WISPr-Bandwidth-Max-Up = 262144
Session-Timeout = 360
Reply-Message = You have reached your transfer limit. Limited bandwitch



Re: customize Post-Auth-Type REJECT

2010-01-18 Thread Alan DeKok
pawel_221 wrote:
> It helped - the user has "rad_recv: Access-Accept packet" but it doesn't change
> the bandwidth. The user still has the bandwidth which is assigned to his group.

  See "man unlang".  You are putting the bandwidth in the "control"
list, not the "reply" list.

  Go fix that.

  And read "man unlang" for how the operators work.  You probably want
":=" here.

  Alan DeKok.



Re: customize Post-Auth-Type REJECT

2010-01-18 Thread pawel_221



Alan DeKok-2 wrote:
> pawel_221 wrote:
> > It helped - the user has "rad_recv: Access-Accept packet" but it doesn't change
> > the bandwidth. The user still has the bandwidth which is assigned to his group.
>
>   See "man unlang".  You are putting the bandwidth in the "control"
> list, not the "reply" list.
>
>   Go fix that.
>
>   And read "man unlang" for how the operators work.  You probably want
> ":=" here.
>
>   Alan DeKok.

Thx a lot :) Now it works perfectly :)
greetings


Accounting using SQL

2010-01-18 Thread James2010

Hi,

I am having a problem where nothing is getting written into radacct on my
database. I can, however, validate a user on the database using radtest, so I
am guessing dialup.conf (which I haven't touched) is not running the
accounting section. Currently I have not added a NAS, and am running locally, so
I am unclear on whether this is the reason why no information is being
added?

I followed the howto on SQL from the FreeRADIUS wiki. I used the supplied
schema in the sql file, and changed sql.conf to use the database user name
and password, which I have kept to 'root' and 'password'. I have also
uncommented sql in the accounting section for radiusd.conf.

I have posted two files below: sql.conf and the default file from
sites-available. If you require any more please let me know.

Any help will be appreciated,

James


# -*- text -*-
##
## sql.conf -- SQL modules
##
##  $Id$

##
#
#  Configuration for the SQL module
#
#  The database schemas and queries are located in subdirectories:
#
#   sql/DB/schema.sql   Schema
#   sql/DB/dialup.conf  Basic dialup (including policy) queries
#   sql/DB/counter.conf counter
#   sql/DB/ippool.conf  IP Pools in SQL
#   sql/DB/ippool.sql   schema for IP pools.
#
#  Where DB is mysql, mssql, oracle, or postgresql.
#

sql {
#
#  Set the database to one of:
#
#   mysql, mssql, oracle, postgresql
#
database = mysql

#
#  Which FreeRADIUS driver to use.
#
driver = rlm_sql_${database}

# Connection info:
server = localhost
port = 3306
login = root
password = password

# Database table configuration for everything except Oracle
radius_db = radius
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"

# If you want both stop and start records logged to the
# same SQL table, leave this as is.  If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = radacct
acct_table2 = radacct

# Allow for storing data after authentication
postauth_table = radpostauth

authcheck_table = radcheck
authreply_table = radreply

groupcheck_table = radgroupcheck
groupreply_table = radgroupreply

# Table to keep group info
usergroup_table = radusergroup

# If set to 'yes' (default) we read the group tables
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
# read_groups = yes

# Remove stale session if checkrad does not see a double login
deletestalesessions = yes

# Print all SQL statements when in debug mode (-x)
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql

# number of sql connections to make to server
num_sql_socks = 5

# number of seconds to dely retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60

# lifetime of an SQL socket.  If you are having network issues
# such as TCP sessions expiring, you may need to set the socket
# lifetime.  If set to non-zero, any open connections will be
# closed lifetime seconds after they were first opened.
lifetime = 0

# Maximum number of queries used by an SQL socket.  If you are
# having issues with SQL sockets lasting too long, you can
# limit the number of queries performed over one socket.  After
# max_qeuries, the socket will be closed.  Use 0 for no limit.
max_queries = 0

# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.  For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done live while the server is running.
# 
#readclients = yes

# Table to keep radius client info
nas_table = nas

# Read driver-specific configuration
$INCLUDE sql/${database}/dialup.conf
}





##
#
#   As of 2.0.0, FreeRADIUS supports virtual hosts using the
#   server section, and configuration directives.
#
#   Virtual hosts should be put into the sites-available
#   directory.  Soft links should be created in the sites-enabled
#   directory to these files.  This is done in a normal installation.
#
#   $Id$
#
##
#
#   Read man radiusd before editing this file.  See the section
#   titled DEBUGGING.  It outlines a method where you can quickly
#   obtain the 

Using the same FreeRadius for accounting into MySQL for clients with different attributes

2010-01-18 Thread David Florella
Hi, 

I am using a FreeRadius server Version 1.0.1 only for accounting with Cisco
gateways.

Now, I want to use the same server with Dialogic gateways. 

Dialogic and Cisco have their own RADIUS dictionary. 

When I write in a MySQL database the log of accounting, how can I write for
both attributes (Cisco and Dialogic)?

Regards, 

David. 



Re: EAP Session resumption reply attributes

2010-01-18 Thread Alan Buxey
Hi,

> In order to also return e.g. VLAN IDs (that could be computed from the
> inner User-Name in a non-session-resumption enabled config), I can move
> the config that sets the VLAN to the outer tunnel post-auth & ensure the
> inner tunnel sets:
>     reply:outer User-Name to request:inner User-Name
> and then key my VLAN computation (in outer post-auth) from reply:User-Name.
>
> I can see other possibilities to do this (e.g. cache
> Tunnel-Private-Group-Id in the TLS session cache), but the above seems ok
> to me. Can anyone on the list spot any problems, something that I've
> missed / gotchas with the above?

this is a fine idea - you only need to hit the handling logic post-auth
(after the basic accept/reject has been done). just ensure that you don't pass
this inner-id stuff back to remote proxies.

alan


Re: Escaped . does match any character

2010-01-18 Thread Matthias Cramer
Hi Alan

Alan DeKok wrote:
> Matthias Cramer wrote:
> > I have the following in my users file:
> >
> >
> > DEFAULT User-Name =~ .+\...@example.com, Auth-Type := Accept,
> > Proxy-To-Realm := DONOTREALM
> >
> > This Regexp matches not only user...@example.com but also
> > user...@example.com.
> >
> > Is this a bug, or do I have to escape the . in a different way ?
>
>   You may need two \\

Thanks, this solved the problem.

Regards

  Matthias

-- 
Matthias Cramer / mc322-ripe   Senior Network & Security Engineer
iway AG   Phone +41 43 500 
Josefstrasse 225   Fax   +41 44 271 3535
CH-8005 Zürich http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E  3959 B62F DF1C 2D20 8250



EAP-FAST

2010-01-18 Thread Stefan Winter
Hello,

every now and then there's a mild interest on this list about enabling
EAP-FAST. In our eduroam RD group, we are currently looking into
EAP-FAST, which naturally includes FreeRADIUS support. Is it worthwhile
posting our results here, for others to play with it as well? Or has
everybody already run away from the somewhat complicated installation of
EAP-FAST support in FreeRADIUS [we certainly had our difficulties...]

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: Can't start radiusd -X ?

2010-01-18 Thread Fernando

Zhang Shukun wrote:
> hi, when i want to start radius in debug mode. error happened.
>
> Failed binding to authentication address * port 1812: Address already
> in use
> /usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for
> 0.0.0.0 port 1812
>
>
> Could you tell me what's wrong?

kill your radiusd instance before running another one



> Thanks!
>
> --
> Regards,
> Sucan


Re: Help with Freeradius + MySQL Problem....

2010-01-18 Thread Alan Buxey
hi,

got sql defined in your authenticate section of the inner-tunnel (where EAP
packets by default get proxied to) ?

alan


Re: customize Post-Auth-Type REJECT

2010-01-18 Thread EasyHorpak.com




pawel_221 wrote:
> Alan DeKok-2 wrote:
> > pawel_221 wrote:
> > > It helped - the user has "rad_recv: Access-Accept packet" but it doesn't change
> > > the bandwidth. The user still has the bandwidth which is assigned to his group.
> >
> >   See "man unlang".  You are putting the bandwidth in the "control"
> > list, not the "reply" list.
> >
> >   Go fix that.
> >
> >   And read "man unlang" for how the operators work.  You probably want
> > ":=" here.
> >
> >   Alan DeKok.
>
> Thx a lot :) Now it works perfectly :)
> greetings

add [RESOLVED] to your mail subject.

Please.

-- 
http://www.EasyHorpak.com
http://www.EasyZoneCorp.net
http://www.thai-school.net

Major noob question about freeradius

2010-01-18 Thread Bryan Boone

Hi everyone, maybe you can help me.

I have a small network of about 10 windows XP machines.  I need to set these 
machines up so that my users can log into any of these machines.

For me the simplest solution to solve this would be a windows 2003 server 
domain controller.  Unfortunately due to some corporate restrictions I cannot 
install a windows server.

I was told that a Radius server could accomplish the same thing for me.  Is 
this true?

Basically I just need a way for my users to sit down at any of the windows XP 
workstations and log into it.  I don't need anything special like roaming 
profiles and such.

All I need is for a way for a windows user to sit down at any computer and type 
in a user name and password in order to gain access to use the computer.  I saw 
the tutorials online but I don't think this is what I need.  Something about 
setting up a VPN and adding certs and such.  I need freeRadius to control 
access to use the computer, not to gain access to a network resource.

I have installed freeRadius and got it up and running on openSUSE but I am not 
really sure how to configure it according to what I need (if it can be done at 
all).

Am I making sense or am I way off base?

Does someone have a document I can follow that will tell me how to configure 
freeradius so that my windows users can authenticate against it?

thanks

Re: Major noob question about freeradius

2010-01-18 Thread Josip Rodin
On Mon, Jan 18, 2010 at 11:51:28AM -0700, Bryan Boone wrote:

> I have a small network of about 10 windows XP machines.  I need to set
> these machines up so that my users can log into any of these machines.
>
> I was told that a Radius server could accomplish the same thing for me.
> Is this true?
>
> Basically I just need a way for my users to sit down at any of the windows
> XP workstations and log into it.  I don't need anything special like
> roaming profiles and such.

Yes, google for pGina

-- 
 2. That which causes joy or happiness.


Re: Major noob question about freeradius

2010-01-18 Thread Eric Swanson
On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone <bryan-bo...@msn.com> wrote:

> I have a small network of about 10 windows XP machines.  I need to set
> these machines up so that my users can log into any of these machines.
>
> For me the simplest solution to solve this would be a windows 2003 server
> domain controller.  Unfortunately due to some corporate restrictions I
> cannot install a windows server.
>
> I was told that a Radius server could accomplish the same thing for me.  Is
> this true?



Bryan:

I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is
a poor solution for this, if indeed a solution at all.

If you can't set up a Windows server to do this job, the best way to meet
this need is to run Samba on a Linux machine.  If you run it in domain
control mode, it'll act very much like a Windows server for the purposes
you're talking about.

Check out http://samba.org/ for details on Samba.  And for what it's worth I
would lean toward using CentOS as the core platform (of course opinions vary
on this point).  The book "Samba-3 by Example" gives an excellent guide to
the setup if you need one.  It's available online at
http://www.samba.org/samba/docs/man/Samba-Guide/

Good luck!

E.


-- 
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing & Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55

Re: Major noob question about freeradius

2010-01-18 Thread freeradius

At 02:01 PM 1/18/2010, Eric Swanson wrote:
> On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone <bryan-bo...@msn.com> wrote:
> > For me the simplest solution to solve this would be a windows 2003
> > server domain controller.  Unfortunately due to some corporate
> > restrictions I cannot install a windows server.
>
> If you can't set up a Windows server to do this job, the best way to
> meet this need is to run Samba on a Linux machine.  If you run it in
> domain control mode, it'll act very much like a Windows server for
> the purposes you're talking about.



If there's a corporate restriction on installing a windows server, 
setting up a linux server to behave just like a windows server might 
also be a problem.  And indeed if it's on the same network, you'll 
really need to get things right so that it doesn't screw anything up 
(such as becoming the master browser).


Just be sure first :-)

rick



Re: Major noob question about freeradius

2010-01-18 Thread Eric Swanson
On Mon, Jan 18, 2010 at 11:29 AM, <freerad...@corwyn.net> wrote:

> At 02:01 PM 1/18/2010, Eric Swanson wrote:
> > On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone <bryan-bo...@msn.com> wrote:
> > > For me the simplest solution to solve this would be a windows 2003 server
> > > domain controller.  Unfortunately due to some corporate restrictions I
> > > cannot install a windows server.
> >
> > If you can't set up a Windows server to do this job, the best way to meet
> > this need is to run Samba on a Linux machine.  If you run it in domain
> > control mode, it'll act very much like a Windows server for the purposes
> > you're talking about.
>
> If there's a corporate restriction on installing a windows server, setting
> up a linux server to behave just like a windows server might also be a
> problem.  And indeed if it's on the same network, you'll really need to get
> things right so that it doesn't screw anything up (such as becoming the
> master browser).


Indeed.  Just for the sake of clarity let me break it down one more notch:
  - If the policy that prevents you from installing a Windows server is
something like a company-wide prohibition on using closed-source software,
or on spending licensing money with Microsoft, and if your network stands on
its own -- then Samba is probably a great approach.  Good luck.
  - If, as Rick suggests, the policy comes from something like a central IT
department that requires you to stay out of their realm of authority, then
you've got a whole mess of constraints to navigate.  Good luck.

Speaking for myself, I'd say the pGina approach noted above by Josip makes
sense only if you've already got RADIUS infrastructure.  If you're building
something from scratch, Samba is a much better fit, but if pGina lets you
use existing RADIUS-centric stuff you just might be well-advised to go that
way.


> Just be sure first :-)


Indeed.  Also, note that this is off-topic for the list.

E.

-- 
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing & Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55

Re: Freeradius-Users Digest, Vol 57, Issue 58

2010-01-18 Thread TAKANASHI, Hitoshi


freeradius-users-requ...@lists.freeradius.org wrote:


> Message: 4
> Date: Mon, 18 Jan 2010 12:43:54 -0300
> From: Ale Luna ale-l...@argentina.com
> Subject: Help with Freeradius + MySQL Problem
> To: freeradius-users@lists.freeradius.org
> Cc: ale-l...@mail.com
> Message-ID: fc8cc3e22114199d4ad3ea77df9d4...@wmx1.argentina.com
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi to all
> I have the following problem with my FreeRADIUS 2.1.8 + MySQL
> 5.0.75-0ubuntu10.2
> I configure my Freeradius in the most basic configuration like You recommend
> in your SQL HOWTO and I can Authenticate a
> user with the users file and everything runs very well with all my users
> Now I configure It with MySQL and My Freeradius is talking with MySQL but I
> Can't get an Access-Accept to my users
> If I run a radtest, I can have an Access-Accept but when I run with my Laptop
> using Windows XP SP3 I only have an
> Access-Reject...
>
> This is my radiusd -X output, when I run my radtest and I

RE: Major noob question about freeradius

2010-01-18 Thread Bryan Boone

Hi guys thanks for the info.

The restrictions are licensing with a windows server.

I didn't realize you could setup Samba to be a domain controller.

thanks for the help.  I think I will try the Samba route.

thanks again.

> Date: Mon, 18 Jan 2010 11:39:00 -0800
> Subject: Re: Major noob question about freeradius
> From: swan...@technologypartnerds.com
> To: freeradius-users@lists.freeradius.org
>
> On Mon, Jan 18, 2010 at 11:29 AM, <freerad...@corwyn.net> wrote:
> > At 02:01 PM 1/18/2010, Eric Swanson wrote:
> > > On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone <bryan-bo...@msn.com> wrote:
> > > > For me the simplest solution to solve this would be a windows 2003 server
> > > > domain controller.  Unfortunately due to some corporate restrictions I cannot
> > > > install a windows server.
> > >
> > > If you can't set up a Windows server to do this job, the best way to meet this
> > > need is to run Samba on a Linux machine.  If you run it in domain control mode,
> > > it'll act very much like a Windows server for the purposes you're talking about.
> >
> > If there's a corporate restriction on installing a windows server, setting up a
> > linux server to behave just like a windows server might also be a problem.  And
> > indeed if it's on the same network, you'll really need to get things right so
> > that it doesn't screw anything up (such as becoming the master browser).
>
> Indeed.  Just for the sake of clarity let me break it down one more notch:
>   - If the policy that prevents you from installing a Windows server is
> something like a company-wide prohibition on using closed-source software, or
> on spending licensing money with Microsoft, and if your network stands on its
> own -- then Samba is probably a great approach.  Good luck.
>   - If, as Rick suggests, the policy comes from something like a central IT
> department that requires you to stay out of their realm of authority, then
> you've got a whole mess of constraints to navigate.  Good luck.
>
> Speaking for myself, I'd say the pGina approach noted above by Josip makes
> sense only if you've already got RADIUS infrastructure.  If you're building
> something from scratch, Samba is a much better fit, but if pGina lets you use
> existing RADIUS-centric stuff you just might be well-advised to go that way.
>
> > Just be sure first :-)
>
> Indeed.  Also, note that this is off-topic for the list.
>
> E.
> -- 
> Eric Swanson, swan...@technologypartnerds.com
> Director of Marketing & Sales / Senior Technical Staff
> Technology Partnerds
> 888-NERDS-55

Re: EAP-TLS User-Name not matching

2010-01-18 Thread Huckle Berry
So I reverted to the default conf by copying the confs from the source
package. I was forced to alter two lines.
$diff eap.conf /etc/freeradius/eap.conf
155c155
 private_key_file = ${certdir}/server.pem
---
 private_key_file = ${certdir}/server.key
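Review bot: the 155c155 change points private_key_file at ${certdir}/server.key instead of the default server.pem; confirm that this file is the private key belonging to the certificate named in certificate_file of the same tls section (and that private_key_password, if set, matches it), otherwise the EAP-TLS handshake cannot complete and the Access-Reject has nothing to do with the User-Name matching this thread is about.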
$diff users /etc/freeradius/users
49a50,53
 
 user
 

Other than those changes all confs are at their 'factory defaults'. Yet
still I receive the access-reject packets that started this thread. radiusd
-X output is below. (note: still using default certs)

freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 15 2010
at 23:02:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {

Re: Major noob question about freeradius

2010-01-18 Thread Alan Buxey
Hi,

 I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is 
 a poor solution for this, if indeed a solution at all.

I'd say the same thing - SAMBA on a Linux box will easily do this in the 
'windows way'.

To use FreeRADIUS to control Windows login (i.e. system login) you need to install
extra GINA things - and pGina is the best of these (though no longer developed
IIRC).

FreeRADIUS is the main King when it comes to network login - either 802.1X on
wired, wireless (WPA/WPA2 enterprise) or even as the backend system for a captive portal.

alan


Re: EAP-TLS User-Name not matching

2010-01-18 Thread Alan Buxey
hi,

nostrip in the example.com in proxy.conf

set the auth to LOCAL


this will then get handled locally and the inner-tunnel will
deal with the EAP properly.

alan


Re: EAP-TLS User-Name not matching

2010-01-18 Thread Huckle Berry
I edited proxy.conf to include:
 realm example.com {
nostrip
 }
and I edited users to read:
 user Auth-Type := Local
but no beans, back to the 200+ Proxy-State attributes and a DoS. I also
tried a few capitalizations of the word 'local' just in case it was
sensitive to that, still no luck.
I'd include the radiusd -X so you could see it yourself, but it is longer
than I'm willing to set my scrollback (2000+ lines).

~Huckle Berry

On Mon, Jan 18, 2010 at 5:55 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 hi,

 nostrip in the example.com in proxy.conf

 set the auth to LOCAL


 this will then get handled locally and the inner-tunnel will
 deal with the EAP properly.

 alan


Re: EAP-TLS User-Name not matching

2010-01-18 Thread Alan DeKok
Huckle Berry wrote:
 I edited proxy.conf to include:
  realm example.com {
 nostrip
  }
 and I edited users to read:
  user Auth-Type := Local

  Delete that.  You don't need it.

 but no beans, back to the 200+ Proxy-State attributes and a DoS. 

  Sorry but NOTHING in the default configuration causes the server to
proxy packets to itself.

  If it is proxying packets to itself, then READ THE DEBUG OUTPUT.  It
will say WHY it is proxying packets to itself.  Fix that configuration
so it doesn't proxy packets to itself.

  Or, post that debug output here.  It will be pretty obvious what's
going wrong, and why.

  Alan DeKok.


Re: EAP-TLS User-Name not matching

2010-01-18 Thread Alan DeKok
Huckle Berry wrote:

 Maybe proxy to itself was a bad way to describe it, you can interpret
 the output yourself if you'd like. I took the last 4096 lines of output

  ... from an endless loop which repeats the same thing.

  Why not send the *top* of the output, before it starts to loop back to
itself?

  The debug output you posted does NOT match the other configs you sent.
 It clearly shows that the server is proxying to example.com.  This
happens ONLY if you add authhost to the realm configuration for
example.com.

  The config you posted for example.com did *not* have an authhost entry.

  And if you had posted the *top* of the debug output, it would have
included the configuration for the example.com realm, which would
have shown *why* it was proxying.

  Alan DeKok.


Re: EAP-TLS User-Name not matching

2010-01-18 Thread Huckle Berry
For all I know, the top of the output could be 10,000 (or more) lines up.
Funny thing about endless loops, they tend to go on for quite a while. If
you want, I'll post my conf files, which should be the same as the top of
the output, no? The example.com realm should be in proxy.conf; if you want
any other confs, just ask and I will post them.
$ grep -v -e \# proxy.conf
proxy server {
default_fallback = no
}
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1812
secret = testing123
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server virtual.example.com {
virtual_server = virtual.example.com
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
 nostrip
}
realm LOCAL {
}

Like I said before though, I am running the default config (except for the
nostrip line) so if authhost isn't set by default, I didn't add it.

~Huckle Berry


On Tue, Jan 19, 2010 at 1:40 AM, Alan DeKok al...@deployingradius.com wrote:

 Huckle Berry wrote:

  Maybe proxy to itself was a bad way to describe it, you can interpret
  the output yourself if you'd like. I took the last 4096 lines of output

   ... from an endless loop which repeats the same thing.

  Why not send the *top* of the output, before it starts to loop back to
 itself?

  The debug output you posted does NOT match the other configs you sent.
  It clearly shows that the server is proxying to example.com.  This
 happens ONLY if you add authhost to the realm configuration for
 example.com.

  The config you posted for example.com did *not* have an authhost entry.

  And if you had posted the *top* of the debug output, it would have
 included the configuration for the example.com realm, which would
 have shown *why* it was proxying.

  Alan DeKok.

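The proxy.conf the poster shows, run through a small lint for the proxy-to-itself loop Alan DeKok describes. This is an added example, not code from the thread or from FreeRADIUS; it assumes the server's own auth listener is 127.0.0.1:1812 and feeds an abridged copy of the posted config in as constructed input.

```python
import re
BLOCK_RE = re.compile(r'^([\w.\-]+)(?:\s+(\S+))?\s*\{$')
KV_RE = re.compile(r'^([\w\-]+)\s*=\s*(\S+)$')
# Constructed from the proxy.conf posted above (secret, timers and coa omitted).
PROXY_CONF = """
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
}
home_server_pool my_auth_failover {
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
 nostrip
}
"""

def parse_conf(text):
    """Parse brace-structured FreeRADIUS config into nested dicts keyed by
    (section, name); 'key = value' lines become lists, bare flags become True."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if m := BLOCK_RE.match(line):
            stack[-1][(m.group(1), m.group(2))] = block = {}
            stack.append(block)
        elif line == '}':
            stack.pop()
        elif m := KV_RE.match(line):
            stack[-1].setdefault(m.group(1), []).append(m.group(2))
        elif line:                       # bare flag such as nostrip
            stack[-1][line] = True
    return stack[0]

def find_self_proxy_realms(conf, local_addrs=('127.0.0.1',), local_port=1812):
    """Realms whose auth pool points at this host's own auth listener (assumed
    127.0.0.1:1812): with nostrip the User-Name keeps its suffix and re-matches."""
    servers = {n: b for (k, n), b in conf.items() if k == 'home_server'}
    pools = {n: b for (k, n), b in conf.items() if k == 'home_server_pool'}
    looping = []
    for name, body in ((n, b) for (k, n), b in conf.items() if k == 'realm'):
        pool = pools.get(body.get('auth_pool', [None])[0], {})
        for member in pool.get('home_server', []):
            hs = servers.get(member, {})
            if (hs.get('ipaddr', [None])[0] in local_addrs
                    and int(hs.get('port', ['1812'])[0]) == local_port):
                looping.append(name)
                break
    return looping
```

Each realm the lint returns will hand every request for that realm back to the same server, which is the condition that produces the growing pile of Proxy-State attributes seen in the thread.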