error message connection to MySQL. (Error Message :rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0)

2010-04-28 Thread bslee (HKBU)
Hi,

   I try to authenticate freeradius 2.1.8 using mysql5.0.26.
Information of my system:
1. OS is SuSE Linux SLES10 SP2.
2. I have installed following RPM for FreeRadius 2.1.8:
 #rpm -qa |grep freeradius
freeradius-server-utils-2.1.8-1.1
freeradius-client-libs-1.1.6-4.1
freeradius-server-2.1.8-1.1
freeradius-client-devel-1.1.6-4.1
freeradius-server-devel-2.1.8-1.1
freeradius-client-1.1.6-4.1
freeradius-server-debuginfo-2.1.8-1.1
freeradius-server-libs-2.1.8-1.1

3. installed following MySQL RPM:
 # rpm -qa |grep mysql
apache2-mod_auth_mysql-3.0.0-14.2
mysql-5.0.26-12.18
mysql-shared-5.0.26-12.18
perl-DBD-mysql-3.0002-15.2
php5-mysql-5.2.5-9.5
mysql-client-5.0.26-12.18


I have successfully installed the RPM for freeradius and test for 
authentication using file users is successful.
When I tried to authenticate via MySQL, it failed. There is no connection 
record to MySQL in log file of MySQL.
Searching the WWW, I found out there is a RPM named freeradius-mysql* for 
Red Hat FC. There is no such RPM for SuSE in download website of 
freeradius.org.
 Is corresponding RPM required for SLES10SP2? Where to download?  Or, such 
functionality is already included in one of my installed RPM?

Terminal 1 message:
# radtest user1 test1  localhost 1812  RAD7429secret
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = user1
User-Password = test1
NAS-IP-Address = 158.182.158.61
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=250, length=20


Terminal 2 message:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32768, id=250, length=57
User-Name = user1
User-Password = test1
NAS-IP-Address = 158.182.158.61
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/127.0.0.1/auth-detail-20100428
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20100428
[auth_log]  expand: %t - Wed Apr 28 20:38:07 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[sql]   expand: %{User-Name} - user1
[sql] sql_set_user escaped user -- 'user1'
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - user1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 250 to 127.0.0.1 port 32768
Waking up in 4.9 seconds.
Cleaning up request 0 ID 250 with timestamp +10
Ready to process requests.



---
Cheers,
Joe 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Segmentation fault

2010-04-28 Thread Kristoffer Milligan

Hello again list,

Thanks for the prompt reply on my previous inquiry regarding the 
compiling error. Worked perfectly with a new checkout.


A new problem has arrived though. I am trying to do some authentication 
on the WiMAX platform.


radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Apr 27 2010 at 08:06:03


Everything seems to be working fine.
Client sends access request.
server sends challenge.
This happens back and forth as it should, the user is identified and the 
final challenges are meant to be exchanged:


Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got tunneled Access-Accept
Wed Apr 28 09:04:01 2010 : Info: (6) [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.


Followed by

Sending Access-Challenge of id 39 to 192.168.106.11 port 1812
   EAP-Message = 
0x0107005f1580005517030100503aaea6b28c1d5d90e71ec96d69f5846508965193166f92b750af976df6b0363867e15725dfc8a2370622601bc3e9487f6aa9843bf2e469cc773c7e9815c52e15755de3a962215e0674d1368fbab98f24

   Message-Authenticator = 0x
   State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (6) Finished request 6.
Wed Apr 28 09:04:01 2010 : Debug: Going to the next request
Wed Apr 28 09:04:01 2010 : Debug: Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.106.11 port 1812, id=40, length=194
   User-Name = {am=1}15a251baf3194e3ca5681323e8284...@domain.tld
   EAP-Message = 0x020700061500
   Message-Authenticator = 0xfbce37cd2ed55658b94dbf0312e430fb
   NAS-Identifier = AAALAB
   NAS-IP-Address = 192.168.106.11
   Calling-Station-Id = 00-12-CF-C7-4D-A8
   WiMAX-BS-Id = 0x002f01010101
   NAS-Port-Type = 27
   Framed-MTU = 2000
   Service-Type = Framed-User
   WiMAX-GMT-Timezone-offset = 0
   State = 0x912a18ab942d0dffd8d9c931385c748e
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authorize {...}
Wed Apr 28 09:04:01 2010 : Info: (7) ++[preprocess] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[wimax] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) ++[chap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) ++[mschap] returns noop
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Looking up realm domain.tld for User-Name = {am=1}15a251baf3194e3ca5681323e8284...@domain.tld
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Found realm domain.tld
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Stripped-User-Name = {am=1}15a251baf3194e3ca5681323e82848a0
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Adding Realm = nextnet.no
Wed Apr 28 09:04:01 2010 : Info: (7) [suffix] Authentication realm is LOCAL.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[suffix] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP packet type response id 7 length 6
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Continuing tunnel setup.
Wed Apr 28 09:04:01 2010 : Info: (7) ++[eap] returns ok
Wed Apr 28 09:04:01 2010 : Info: (7) Found Auth-Type = EAP
Wed Apr 28 09:04:01 2010 : Info: (7) +- entering group authenticate {...}
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] Request found, released from the list
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] EAP/ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [eap] processing type ttls
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Authenticate
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] processing EAP-TLS
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] Received TLS ACK
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] ACK handshake is finished
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_verify returned 3
Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_process returned 3
Segmentation fault


Any ideas why radiusd is segfaulting?


Re: Segmentation fault

2010-04-28 Thread Alan DeKok
Kristoffer Milligan wrote:
> Thanks for the prompt reply on my previous inquiry regarding the
> compiling error. Worked perfectly with a new checkout.
>
> A new problem has arrived though. I am trying to do some authentication
> on the WiMAX platform.
>
...
> Wed Apr 28 09:04:01 2010 : Info: (7) [ttls] eaptls_process returned 3
> Segmentation fault
>
> Any ideas why radiusd is segfaulting?

  It works for me.  I suggest:

$ make distclean
$ ./configure 
$ make

  again.  The internal code has changed quite a bit.  Maybe you're
running into a situation where it's using two different versions of the
code at the same time.

  If that still SEGVs, see doc/bugs

  Alan DeKok.


Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686

2010-04-28 Thread Tim Robinson

Hi all

I am having problems building FR 2.1.8 on Debian 5.0.4

I have followed the process:

 Building Debian packages

$ tar zxf freeradius-server-2.X.Y.tar.gz
$ cd freeradius-server-2.X.Y
$ fakeroot dpkg-buildpackage -b -uc 
...


All looks well until


gcc -o .libs/radclient .libs/radclient.o
/home/tim/freeradius-server-2.1.8/src/lib/.libs/libfreeradius-radius.so
-lnsl -lresolv -lpthread  -Wl,--rpath
-Wl,/usr/lib/freeradius
creating radclient
/usr/bin/libtool --mode=compile gcc  -g -O2 -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs -W -Wredundant-decls -Wundef
-I/home/tim/freeradius-server-2.1.8/src -DHOSTINFO=\i486-pc-linux-gnu\
-DRADIUSD_VERSION=\2.1.8\  -DOPENSSL_NO_KRB5  -c radmin.c
 gcc -g -O2 -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I/home/tim/freeradius-server-2.1.8/src
-DHOSTINFO=\i486-pc-linux-gnu\ -DRADIUSD_VERSION=\2.1.8\
-DOPENSSL_NO_KRB5 -c radmin.c  -fPIC -DPIC -o .libs/radmin.o
radmin.c:55: warning: function declaration isn't a prototype
radmin.c: In function 'main':
radmin.c:437: warning: implicit declaration of function 'using_history'
radmin.c:437: warning: nested extern declaration of 'using_history'
radmin.c:438: warning: implicit declaration of function 'rl_bind_key'
radmin.c:438: warning: nested extern declaration of 'rl_bind_key'
radmin.c:438: error: 'rl_insert' undeclared (first use in this function)
radmin.c:438: error: (Each undeclared identifier is reported only once
radmin.c:438: error: for each function it appears in.)
radmin.c:530: warning: implicit declaration of function 'add_history'
radmin.c:530: warning: nested extern declaration of 'add_history'
make[5]: *** [radmin.lo] Error 1
make[5]: Leaving directory `/home/tim/freeradius-server-2.1.8/src/main'
make[4]: *** [common] Error 2
make[4]: Leaving directory `/home/tim/freeradius-server-2.1.8/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/home/tim/freeradius-server-2.1.8/src'
make[2]: *** [common] Error 2
make[2]: Leaving directory `/home/tim/freeradius-server-2.1.8'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/tim/freeradius-server-2.1.8'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: failure: debian/rules build gave error exit status 2
wendolene:/home/tim/freeradius-server-2.1.8# uname -a
Linux wendolene 2.6.24-etchnhalf.1-686 #1 SMP Thu Feb 25 05:42:02 UTC 2010 i686 GNU/Linux
wendolene:/home/tim/freeradius-server-2.1.8# less /etc/deb
debconf.conf    debian_version
wendolene:/home/tim/freeradius-server-2.1.8# less /etc/debian_version
wendolene:/home/tim/freeradius-server-2.1.8#

Any ideas please?  I have googled for days on this

Cheers

Rgds
Tim


-- 
With Best Regards

Tim Robinson,

Director
TxRx Communications Ltd
+44 1256 810630
http://www.txrxcomms.co.uk
Registered in England  6260998


Re: Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686

2010-04-28 Thread Alan DeKok
Tim Robinson wrote:
> Hi all
>
> I am having problems building FR 2.1.8 on Debian 5.0.4
>
...
> radmin.c:437: warning: implicit declaration of function 'using_history'

$ apt-get install libreadline libreadline-dev

 Alan DeKok.



Error logs on freeradius 2.1.8

2010-04-28 Thread Oninz Unix

Hi,

    I know some of the threads are almost similar to my problem, but let me send 
some logs from my freeradius logs.

Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.

Then

Error: Discarding duplicate request from client auths2 port 61015 - ID: 221 due to unfinished request 385

Then

Error: WARNING: Unresponsive child for request 384, in module sql2_redundant component accounting

Then

Error: rlm_sql_oracle: execute query failed in sql_query: ORA-03113: end-of-file on communication channel
Error: rlm_sql_oracle: OCI_SERVER_NOT_CONNECTED

I hope you could help me where to start to debug and solve the problem.

Allen B. Umlas





Re: R: R: R: NAS-Identifier and radgroupcheck table

2010-04-28 Thread Ana Gallardo
>   Hmm... that will cause all of the users to be rejected.  Delete it.

Yes

>>  I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and,
>>  *DEFAULT   Auth-Type := Reject
>
>   That's not necessary.  It should be deleted from the page.

Thanks

-- 


 Ana Gallardo Gómez


Re: error message connection to MySQL. (Error Message :rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0)

2010-04-28 Thread John Dennis
You very helpfully deleted all the interesting information from the 
debug log (please always post the full log). But you can do this 
yourself. Take a look at sql initialization section and see what it's 
saying about initializing the sql driver, in this case it should be 
rlm_sql_mysql, that should answer most of your questions.


As to whether rlm_sql_mysql is in a different RPM, I can't help you as I 
don't know Debian packaging, but it's easy to tell if one of the RPMs 
you did install installed it, just by looking in the freeradius library 
directory (which is defined at the top of the main freeradius config 
file, probably /etc/raddb/radiusd.conf).


--
John Dennis jden...@redhat.com
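
The request-time half of that check, as an added example (not part of the original thread and not FreeRADIUS code): a small Python parser for plain `radiusd -X` output that groups module return codes per request and pulls out the rlm_sql pool counters. The sample input is taken from the "Terminal 2" excerpt in the first post; the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Server-side lines from the "Terminal 2" excerpt in the first post of this
# thread (wrapped lines rejoined; attribute and "expand" lines left out).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32768, id=250, length=57
+- entering group authorize {...}
++[preprocess] returns ok
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
[sql] sql_set_user escaped user -- 'user1'
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
++[sql] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Sending delayed reject for request 0
Sending Access-Reject of id 250 to 127.0.0.1 port 32768
"""

RE_RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_RETURN = re.compile(r"\++\[([\w.-]+)\] returns (\w+)")
RE_SKIPPED = re.compile(r"rlm_sql \((\w+)\): Ignoring unconnected handle (\d+)")
RE_NO_HANDLES = re.compile(
    r"rlm_sql \((\w+)\): There are no DB handles to use! skipped (\d+), tried to connect (\d+)")
RE_SEND = re.compile(r"Sending (Access-\w+) of id (\d+)")

# Module return codes that stop normal processing of the request.
FAILURE_CODES = {"fail", "reject", "invalid", "userlock"}


@dataclass
class Request:
    packet_id: int
    client: str
    returns: List[Tuple[str, str]] = field(default_factory=list)  # (module, rcode)
    unconnected: List[int] = field(default_factory=list)          # skipped handle numbers
    pool: Optional[Tuple[str, int, int]] = None                   # (instance, skipped, tried)
    reply: Optional[str] = None

    @property
    def failed_module(self) -> Optional[str]:
        return next((m for m, rc in self.returns if rc in FAILURE_CODES), None)


def parse(log: str) -> Dict[int, Request]:
    """Group plain `radiusd -X` lines by RADIUS packet id (ids are reused; last wins)."""
    requests: Dict[int, Request] = {}
    current: Optional[Request] = None
    for line in map(str.strip, log.splitlines()):
        if m := RE_RECV.match(line):
            current = requests[int(m.group(2))] = Request(int(m.group(2)), m.group(1))
        elif m := RE_SEND.match(line):
            # A delayed reject can be sent after later requests start, so match on id.
            if (req := requests.get(int(m.group(2)))) is not None:
                req.reply = m.group(1)
        elif current is None:
            continue
        elif m := RE_RETURN.match(line):
            current.returns.append((m.group(1), m.group(2)))
        elif m := RE_SKIPPED.match(line):
            current.unconnected.append(int(m.group(2)))
        elif m := RE_NO_HANDLES.match(line):
            current.pool = (m.group(1), int(m.group(2)), int(m.group(3)))
    return requests


def diagnose(req: Request) -> str:
    """Turn the parsed counters into a pointer at where to look next."""
    if req.pool is not None:
        name, skipped, tried = req.pool
        if tried == 0:
            return (f"rlm_sql instance '{name}': {skipped} handles skipped, none "
                    "(re)connected during this request; read the startup section "
                    "of the debug output for the driver load and connect messages")
        return (f"rlm_sql instance '{name}': {tried} connect attempts made during "
                "this request and none succeeded; check that the database is reachable")
    if req.failed_module:
        return f"module '{req.failed_module}' returned a failure code"
    return "no failing module in this request"


if __name__ == "__main__":
    for req in parse(SAMPLE_LOG).values():
        print(f"id={req.packet_id} client={req.client} reply={req.reply} "
              f"failed={req.failed_module}")
        print("  " + diagnose(req))
```

The parser expects the untimestamped `radiusd -X` format shown in the first post; timestamp-prefixed lines like those in the WiMAX thread would need the prefix stripped first.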



Re: Proxy EAP - TLS Nesting.

2010-04-28 Thread Alan DeKok
brisston...@free.fr wrote:
> I have some troubles to proxy PEAP requests to (internal) virtual server :
> I have one proxy server (with realms define in proxy.conf file) that forward
> the request internally to a virtual server define in site-enabled directory.

  Why is there a need to proxy the PEAP packets?

> For basic authentication request (PAP, CHAP, MSCHAP, ...) , authentication is
> successful, but with PEAP it doesn't work (work with EAP-TTLS). I have this
> error message : Multiple levels of TLS nesting is invalid.

  sigh  Deleting all of the other messages doesn't help.

  Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?

  Alan DeKok.


Re: Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686

2010-04-28 Thread Josip Rodin
On Wed, Apr 28, 2010 at 09:43:50AM +0100, Tim Robinson wrote:
> I am having problems building FR 2.1.8 on Debian 5.0.4
> $ tar zxf freeradius-server-2.X.Y.tar.gz
> Any ideas please?  I have googled for days on this

In all your googling you managed to miss the simple fact that you don't
actually have to do any of this because it's been done already? :o

http://packages.debian.org/lenny-backports/freeradius
http://wiki.debian.org/Backports

-- 
 2. That which causes joy or happiness.


Re: Error logs on freeradius 2.1.8

2010-04-28 Thread Alan DeKok
Oninz Unix wrote:
> I know some of the threads are almost similar to my problem, but let
> me send some logs from my freeradius logs.
>
> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
> Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
> Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
> Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
> Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.
...
> Error: WARNING: Unresponsive child for request 384, in module
> sql2_redundant component accounting
...
> I hope you could help me where to start to debug and solve the problem.

  You have a firewall between the RADIUS server and database.  The
firewall is dropping the RADIUS - database TCP connections.

  I have *no* idea why anyone thinks this is a good idea.  The firewall
(if any) should be configured to allow ANY TCP (RADIUS - DB : port).
But many people create rules allowing only established TCP
connections, and then the firewall helpfully loses track of which
sessions are established.

  Stop breaking your network.

  Alan DeKok.


Re: rlm_python and dynload problem

2010-04-28 Thread Alan DeKok
Aurélien Geron wrote:
> Basically, if I understand correctly, his idea is to have the python fellows
> declare the proper dependencies in every *.so file, so that the
> libpython2.5.so.1 file gets loaded automatically when the math module (or
> any other dynamic module) gets loaded.  Maybe that's the ideal solution, I
> really don't know.  But it seems to me that we should try to fix freeRADIUS
> so that it works around this bug before python dependencies are fixed (it
> may take a while or even never happen).  So I think the only
> short-medium-term solution is to use LINKFORSHARED linker options.
>
> Thanks for reading this huge message. I hope we can beat this bug.

  OK.  I'll see about putting that fix into 2.1.9.

  Alan DeKok.


Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Alan DeKok
Aaron Paetznick wrote:
> I'd consider capturing the whole thing, but I'd be happy with just the
> rlm_pap: CLEAR TEXT password check failed part.  Do I have access to
> that level of info from within rlm_sql?

  Look at Module-Failure-Message.  It's populated by the PAP module with
the various reasons for reject.

  e.g., for testing:

post-auth {
	...

	update reply {
		Reply-Message += "You got: %{Module-Failure-Message}"
	}
	...
}

  Alan DeKok.


Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Pedro Alves
 

After editing the mschap module file by uncommenting the line containing
ntlm_auth =, I used a Cisco AP client of freeradius to test with: test aaa
group radius user userpass new-code

Users defined in the user files work fine, but users on AD don't.

In freeradius, using the test below, I can access users on AD.

r...@m:~# ntlm_auth --request-nt-key --domain=XXX --username=
password: 
NT_STATUS_OK: Success (0x0)

Why is ntlm_auth not working for MS-CHAP?

thanks

r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Apr 28 2010 at 12:00:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
	allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
	prefix = /usr/local
	localstatedir = /usr/local/var
	logdir = /usr/local/var/log/radius
	libdir = /usr/local/lib
	radacctdir = /usr/local/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024

RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Garber, Neal

> Why is not working ntlm_auth for ms-chap ?

It would be easier to answer your question if you included the debug output for 
a rejected request as opposed to just the startup messages..

Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Alan DeKok
Pedro Alves wrote:
> User define in user “files” work fine, but user on AD don’t.
>
> In freeradius using the test below, I can access users on AD.

  Have you followed the Active Directory howto on
http://deployingradius.com?

> r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
...
> Ready to process requests.

  ... and the server doesn't receive any packets.

  We can't help you debug an issue if you don't show us what's happening.

  Alan DeKok.

Re: Proxy EAP - TLS Nesting.

2010-04-28 Thread brisstony21
Hi thanks for your reply.

I have to proxy all authentication requests to a virtual server (not just PEAP). We
have different kinds of internal users (student, staff, guest, ...). Each of
them is managed by one virtual server associated with one realm, for example, for the
students:

realm student.university.fr {
	virtual_server = student
}

server student {



}

I can only specify one IP address and one port in the NAS configuration (wired dot1x
and wireless network) and I will use the proxy port (1812).

Maybe there is another method to do that... But I think that using a proxy is the
best way.


According to Alan DeKok al...@deployingradius.com:

> brisston...@free.fr wrote:
>> I have some troubles to proxy PEAP requests to (internal) virtual server :
>> I have one proxy server (with realms define in proxy.conf file) that
>> forward the
>> request internally to a virtual server define in site-enabled directory.
>
>   Why is there a need to proxy the PEAP packets?
>
>> For basic authentication request (PAP, CHAP, MSCHAP, ...) , authentication
>> is
>> successful, but with PEAP it doesn't work (work with EAP-TTLS). I have this
>> error message : Multiple levels of TLS nesting is invalid.
>
>   sigh  Deleting all of the other messages doesn't help.
>
>   Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?
>
>   Alan DeKok.


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Pedro Alves
Hello Again.

This is the test with local user:

AP#test aaa group radius userlocal localpass new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=174, length=53
User-Password =  localpass 
User-Name =  userlocal 
NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = local01, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry local01 at line 79
[files] expand: Ola, %{User-Name} - Ola, local01
++[files] returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 174 to 10.1.3.17 port 1645
Reply-Message = Ola, local01
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 174 with timestamp +416
Ready to process requests.



This is the test with AD user:

AP#test aaa group radius userad userpass new-code  
Trying to authenticate with Servergroup radius
User rejected

rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52
User-Password = userpass
User-Name = userad
NAS-IP-Address = xx.xx.xx.xx
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = radius, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - radius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 175 to 10.1.3.17 port 1645
Waking up in 4.9 seconds.
Cleaning up request 6 ID 175 with timestamp +531
Ready to process requests.





-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 28 April 2010 16:40
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Pedro Alves wrote:
> User define in user “files” work fine, but user on AD don’t.
>
> In freeradius using the test below, I can access users on AD.

  Have you followed the Active Directory howto on
http://deployingradius.com?

> r...@mhvrad01:/usr/local/etc/raddb# radiusd -X
...
> Ready to process requests.

  ... and the server doesn't receive any packets.

  We can't help you debug an issue if you don't show us what's happening.

  Alan DeKok.

Re: rlm_python and dynload problem

2010-04-28 Thread Aurélien Geron

Alan DeKok wrote:
> Aurélien Geron wrote:
>> Basically, if I understand correctly, his idea is to have the python fellows
>> declare the proper dependencies in every *.so file, so that the
>> libpython2.5.so.1 file gets loaded automatically when the math module (or
>> any other dynamic module) gets loaded.  Maybe that's the ideal solution, I
>> really don't know.  But it seems to me that we should try to fix freeRADIUS
>> so that it works around this bug before python dependencies are fixed (it
>> may take a while or even never happen).  So I think the only
>> short-medium-term solution is to use LINKFORSHARED linker options.
>>
>> Thanks for reading this huge message. I hope we can beat this bug.
>
>   OK.  I'll see about putting that fix into 2.1.9.
>
>   Alan DeKok.

That's great, thanks a lot Alan.  If I can be of any help (for example, for 
testing), please let me know.

Aurélien Geron


Proxy Accounting Records only to another MySQL Server

2010-04-28 Thread Eric . Hernandez

Accounting methods


The following accounting logging methods are supported by the server
  Local 'detail' files
  Local 'wtmp' and 'utmp' files
  Proxy to another RADIUS server
  Replicate to one or more RADIUS servers
  SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)

from http://freeradius.org/features.html

Hi All,
Is it possible to have a freeradius box, that use a local copy of mysql for
everything except accounting.
The accounting records would be written via a proxy to another MySQL box?

If so where do I configure it?

Thanks,

-Eric-

Re: Proxy Accounting Records only to another MySQL Server

2010-04-28 Thread Eric . Hernandez

I think I answered my own question.
It's all in proxy.conf

This looks like exactly what I need to scale out my freeradius servers and
leverage my MySQL Master-Master backend.






From:    eric.hernan...@allegiantair.com
To:      freeradius-users@lists.freeradius.org
Date:    04/28/2010 09:38 AM
Subject: Proxy Accounting Records only to another MySQL Server
Sent by: freeradius-users-bounces+eric.hernandez=allegiantair@lists.freeradius.org



Accounting methods


The following accounting logging methods are supported by the server
Local 'detail' files
Local 'wtmp' and 'utmp' files
Proxy to another RADIUS server
Replicate to one or more RADIUS servers
SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)

from http://freeradius.org/features.html

Hi All,
Is it possible to have a freeradius box that uses a local copy of mysql for
everything except accounting?
The accounting records would be written via a proxy to another MySQL box?

If so, where do I configure it?

Thanks,

-Eric-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Aaron Paetznick
%{Module-Failure-Message} seems to be empty for me.  Is there a 
scope/prefix I should try?



--Aaron



On 4/28/2010 9:37 AM, Alan DeKok wrote:

Aaron Paetznick wrote:

I'd consider capturing the whole thing, but I'd be happy with just the
rlm_pap: CLEAR TEXT password check failed part.  Do I have access to
that level of info from within rlm_sql?


   Look at Module-Failure-Message.  It's populated by the PAP module with
the various reasons for reject.

   e.g., for testing:

post-auth {
    ...

    update reply {
        Reply-Message += "You got: %{Module-Failure-Message}"
    }
    ...
}

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Writing Accounting Detail log to DataBase

2010-04-28 Thread Nasser Heidari
Dear All,
I want to know how I can insert the accounting detail log into a MySQL database.
Thanks .

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Writing Accounting Detail log to DataBase

2010-04-28 Thread Alan DeKok
Nasser Heidari wrote:
 Dear All,
 I want to know how I can insert the accounting detail log into a MySQL database.

  Read raddb/sql.conf

  Look for sql in raddb/sites-enabled

  See the Wiki for SQL.

  This is documented in many, many, places.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Alan DeKok
Aaron Paetznick wrote:
 %{Module-Failure-Message} seems to be empty for me.  Is there a
 scope/prefix I should try?

  Hmm... it *should* be there along with the packet attributes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Alan DeKok
Pedro Alves wrote:
 This is the test with AD user:
 
 AP#test aaa group radius userad userpass new-code  
 Trying to authenticate with Servergroup radius
 User rejected
 
 rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52
 User-Password = userpass
 User-Name = userad
 NAS-IP-Address = xx.xx.xx.xx

  So... you're not doing MS-CHAP.

  Why is this message useful?

  Again... the Active Directory howto you were pointed to *documents*
this.  Go read it and follow the steps.  If you don't follow the
documentation, you probably won't be able to solve the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy EAP - TLS Nesting.

2010-04-28 Thread Alan DeKok
brisston...@free.fr wrote:
 I have to proxy all authentication requests to a virtual server (not just PEAP).
 We have different kinds of internal users (student, staff, guest, ...). Each of
 them is managed by one virtual server associated to one realm, example: for
 the student:

  So... are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?

 I can only specify one IP address and one port in the NAS configuration (wired
 dot1x and wireless network) and I will use the proxy port (1812).
 
 Maybe there is another method to do that... But I think that using a proxy is
 the best way.

  You've described your configuration at a *very* high level.  I still
have no idea what you're trying to do, or what is actually happening in
your system.

  Perhaps explaining things in detail would help, or showing the output
of debug mode as suggested in the FAQ, README, INSTALL, man page, web
page, configuration files, and daily on this list.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Aaron Paetznick

Huh.  Here's my complete SQL query:

postauth_query = "INSERT INTO ${postauth_table} \
  (username, pass, reply, authdate, message, nasipaddress) \
  VALUES ( \
  '%{User-Name}', \
  '%{%{User-Password}:-%{Chap-Password}}', \
  '%{reply:Packet-Type}', '%S', \
  '%{Module-Failure-Message}', \
  '%{NAS-IP-Address}')"

I did not add this yet:

post-auth {
    ...

    update reply {
        Reply-Message += "You got: %{Module-Failure-Message}"
    }
    ...
}


Do I need that entry in the post-auth block?  %{Module-Failure-Message} 
doesn't seem to be available by default in rlm_sql.



--Aaron


On 4/28/2010 2:57 PM, Alan DeKok wrote:

Aaron Paetznick wrote:

%{Module-Failure-Message} seems to be empty for me.  Is there a
scope/prefix I should try?


   Hmm... it *should* be there along with the packet attributes.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Alan DeKok
Aaron Paetznick wrote:
 Huh.  Here's my complete SQL query:
 
 postauth_query = "INSERT INTO ${postauth_table} \
   (username, pass, reply, authdate, message, nasipaddress) \
   VALUES ( \
   '%{User-Name}', \
   '%{%{User-Password}:-%{Chap-Password}}', \
   '%{reply:Packet-Type}', '%S', \
   '%{Module-Failure-Message}', \

  Uh... did you update your schema to have a message column?

   '%{NAS-IP-Address}')"
 
 I did not add this yet:
 
 post-auth {
     ...
 
     update reply {
         Reply-Message += "You got: %{Module-Failure-Message}"
     }
     ...
 }

  I said that was for testing.  Did you try it for testing?

  It's an example of using the attribute... you *will* need to make sure
you use it in the appropriate manner for what you want.

  See man unlang for documentation on what the above example does.
Hint:  it doesn't have anything to do with SQL.

 Do I need that entry in the post-auth block?  %{Module-Failure-Message}
 doesn't seem to be available by default in rlm_sql.

  I have no idea what this means.

  Module-Failure-Message is an attribute... just like anything else.  If
you can figure out how to store attributes into SQL, you can store
Module-Failure-Message in SQL.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Aaron Paetznick

On 4/28/2010 3:23 PM, Alan DeKok wrote:


   Uh... did you update your schema to have a message column?


Yes, I have extended my radpostauth table with columns to hold the 
message and the nasipaddress.  It is working perfectly if I use 
'%{reply:Reply-Message}', but it is always empty if I use 
'%{Module-Failure-Message}' in the same INSERT.  This is why I'm 
confirming if I should have access to '%{Module-Failure-Message}' within 
rlm_sql.




   Module-Failure-Message is an attribute... just like anything else.  If
you can figure out how to store attributes into SQL, you can store
Module-Failure-Message in SQL.


This is not true, at least in my case.  See above.  Maybe I need to take 
extra steps to expose that attribute in another part of the config, or 
maybe I need to reference it with some sort of prefix, I don't know. 
That's why I'm asking.



--Aaron

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Alan DeKok
Aaron Paetznick wrote:
 On 4/28/2010 3:23 PM, Alan DeKok wrote:

Uh... did you update your schema to have a message column?
 
 Yes, I have extended my radpostauth table with columns to hold the
 message and the nasipaddress.  It is working perfectly if I use
 '%{reply:Reply-Message}', but it is always empty if I use
 '%{Module-Failure-Message}' in the same INSERT.  This is why I'm
 confirming if I should have access to '%{Module-Failure-Message}' within
 rlm_sql.

  If it exists, yes.  It's added by the PAP module for authentication
rejects.  For authentication success... there's no failure message.

 This is not true, at least in my case.  See above.  Maybe I need to take
 extra steps to expose that attribute in another part of the config, or
 maybe I need to reference it with some sort of prefix, I don't know.
 That's why I'm asking.

  I did explain that...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem building on Debian 5.0.4 / 2.6.24-etchnhalf.1-686

2010-04-28 Thread Tim Robinson
Alan
Thanks! That did the trick. It was actually libreadline5 etc but you got
me in the right direction.  I tried to add this to the wiki but could
not find a way to get a login...

Much appreciated your speedy response anyhow.

Cheers
Tim


On 28/04/2010 09:50, Alan DeKok wrote:
 Tim Robinson wrote:
 Hi all

 I am having problems building FR 2.1.8 on Debian 5.0.4

 
 radmin.c:437: warning: implicit declaration of function 'using_history'
 
 $ apt-get install libreadline libreadline-dev
 
  Alan DeKok.


-- 
With Best Regards

Tim Robinson,

Director
TxRx Communications Ltd
+44 1256 810630

Registered in England  6260998
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Capturing Access-Reject data in the radpostauth table

2010-04-28 Thread Aaron Paetznick
I'm sorry, your explanation wasn't clear to me.  How can I expose 
Module-Failure-Message to or reference Module-Failure-Message within 
rlm_sql?


This, also, didn't work for me:

post-auth {
    ...
    Post-Auth-Type REJECT {
        update reply {
            Reply-Message += "You got: %{Module-Failure-Message}"
        }
        attr_filter.access_reject
        sql
    }
    ...
}


--Aaron



On 4/28/2010 4:11 PM, Alan DeKok wrote:

   If it exists, yes.  It's added by the PAP module for authentication
rejects.  For authentication success... there's no failure message.


This is not true, at least in my case.  See above.  Maybe I need to take
extra steps to expose that attribute in another part of the config, or
maybe I need to reference it with some sort of prefix, I don't know.
That's why I'm asking.


   I did explain that...



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error logs on freeradius 2.1.8

2010-04-28 Thread Andrew Hood
Alan DeKok wrote:
 Oninz Unix wrote:
 
I know some of the threads are almost similar to my problem, but let
me send some logs from my freeradius logs.

Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:44 2010 : Info: WARNING: Child is hung for request 382.
Tue Apr 27 17:59:45 2010 : Info: WARNING: Child is hung for request 379.
Tue Apr 27 17:59:46 2010 : Info: WARNING: Child is hung for request 383.
Tue Apr 27 17:59:48 2010 : Info: WARNING: Child is hung for request 377.
 
 ...
 
Error: WARNING: Unresponsive child for request 384, in module
sql2_redundant component accounting
 
 ...
 
I hope you could help me where to start to debug and solve the problem.
 
 
   You have a firewall between the RADIUS server and database.  The
 firewall is dropping the RADIUS - database TCP connections.
 
   I have *no* idea why anyone thinks this is a good idea.  The firewall
 (if any) should be configured to allow ANY TCP (RADIUS - DB : port).
 But many people create rules allowing only established TCP
 connections, and then the firewall helpfully loses track of which
 sessions are established.
 
   Stop breaking your network.

Somewhat off topic, but relevant.

This is a generic problem with firewalls, and there appears to be no
solution which the security paranoid will accept. If you think this is
bad, try working with a mob who insist on dropping all ICMP traffic
(including frag required) at some or all firewalls.

Firewalls are normally configured to drop any established connection
from the tables where no traffic is sent for a configurable time. This
is to stop the tables growing uncontrollably.

If you are in this unfortunate position your only solution is to enable
TCP keepalive on all connections, and reduce the TCP keepalive timer to
below the firewall's connection drop timer.

-- 
REALITY.SYS not found: Universe halted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
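
The keepalive advice in the message above, as an added example that is not part of the original post or of FreeRADIUS: on Linux, per-socket keepalive timers are chosen so that the first probe and every retry fall inside the firewall's idle timeout. The struct and function names and the 3600-second timeout are assumptions made for illustration.

```c
/* Added example (Linux). Names and the sample timeout are illustrative assumptions. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

struct ka_plan { int idle, intvl, cnt; }; /* KEEPIDLE s, KEEPINTVL s, KEEPCNT probes */

/* First probe at 1/2 of the firewall idle timeout, last retry at 7/8 of it.
 * Returns cnt == 0 when the timeout is too short to plan for. */
struct ka_plan plan_keepalive(int fw_idle_timeout)
{
    struct ka_plan none = {0, 0, 0};
    struct ka_plan p = {fw_idle_timeout / 2, fw_idle_timeout / 8, 3};
    return fw_idle_timeout >= 8 ? p : none;
}

/* Seconds of silence after which a dead peer is reported to the application. */
int dead_peer_seconds(struct ka_plan p) { return p.idle + p.intvl * p.cnt; }

/* Enable keepalive on fd with the planned timers; 0 on success, -1 on error. */
int apply_keepalive(int fd, struct ka_plan p)
{
    int on = 1;
    if (p.cnt == 0) return -1;
    return (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) ||
            setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &p.idle, sizeof p.idle) ||
            setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &p.intvl, sizeof p.intvl) ||
            setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &p.cnt, sizeof p.cnt)) ? -1 : 0;
}

/* Apply a plan to a fresh TCP socket; return what the kernel reports (-1s on error). */
struct ka_plan keepalive_roundtrip(int fw_idle_timeout)
{
    struct ka_plan seen = {-1, -1, -1};
    socklen_t len = sizeof(int);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return seen;
    if (apply_keepalive(fd, plan_keepalive(fw_idle_timeout)) == 0) {
        getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &seen.idle, &len);
        getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &seen.intvl, &len);
        getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &seen.cnt, &len);
    }
    close(fd);
    return seen;
}

int main(void)
{
    struct ka_plan k = keepalive_roundtrip(3600); /* constructed: 1-hour timeout */
    printf("idle=%d intvl=%d cnt=%d dead-peer=%ds\n", k.idle, k.intvl, k.cnt, dead_peer_seconds(k));
    return k.cnt == 3 ? 0 : 1;
}
```

For sockets that only set SO_KEEPALIVE and leave the timers alone, Linux takes the values from the net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes sysctls.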


RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Pedro Alves
Correct.

Just use JRadiusSimulator to make MS-CHAP and work fine.

Thanks


-Original Message-
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org
[mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org
] On Behalf Of Alan DeKok
Sent: quarta-feira, 28 de Abril de 2010 20:59
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Pedro Alves wrote:
 This is the test with AD user:
 
 AP#test aaa group radius userad userpass new-code  
 Trying to authenticate with Servergroup radius
 User rejected
 
 rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52
 User-Password = userpass
 User-Name = userad
 NAS-IP-Address = xx.xx.xx.xx

  So... you're not doing MS-CHAP.

  Why is this message useful?

  Again... the Active Directory howto you were pointed to *documents*
this.  Go read it and follow the steps.  If you don't follow the
documentation, you probably won't be able to solve the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Is this Install Guide Complete?

2010-04-28 Thread Huckle Berry
I have a server that is running a relatively clean install of Ubuntu 9.10
Server. Due to the known licensing issue restrictions I cannot simply use
the debian freeradius package. I would like to know if the following outline
would install freeradius with support for SSL on my server. Comments from
those who actually run freeradius on Ubuntu 9.10 server would be
appreciated.

$ cd ~
$ apt-get source freeradius
$ cd ./freeradius-2.1.0+dfsg
[change ./debian/rules as follows:

change --without-rlm_eap_tls \
--without-rlm_eap_ttls \
--without-rlm_eap_peap \
to --with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \

change --without-openssl \
to --with-openssl \
]

[change ./debian/control
add 'libssl-dev' to the end of the line that starts 'Build-Depends:'
]

$ fakeroot dpkg-buildpackage -b -uc
$ sudo dpkg -i ../freeradius_2.1.0-0_i386.deb

These have been the instructions that I have garnered from the Internet at
large, yet I doubt they are complete. Is there anything the freeradius
community would like to add?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html