Tee accounting via detail

2010-05-05 Thread Pavel Levshin

Hello.

I have to copy our accounting flow to multiple destinations. It can be
done with multiple detail files and multiple detail readers, each
proxying to one destination. But there are problems:

1. The detail reader can process one request from the file at a time. So, if
we have a relatively slow (in terms of round-trip time, like satellite)
link, then we cannot process packets at any reasonable speed. If RTT is
0.5s, then we cannot relay more than 2 requests per second. It is
horribly slow. Did I miss something?

2. Most of our accounting traffic should be delivered in realtime. Delay
in transmission is much worse than some degree of loss. Now, one
undelivered request may block the complete detail file for some time.

3. Even when the detail reader has not been blocked, it may get stuck for
poll_interval seconds when processing of detail.work has finished,
even when a new detail file exists.


4. Some of the destinations may not reply at all (RADIUS sniffers behave
so). We would be happy to send them a copy of each accounting request
and forget it immediately. Is it possible?



--
Pavel Levshin


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: plz help me: access-reject

2010-05-05 Thread dorra aa



> Date: Wed, 5 May 2010 11:08:28 -0400
> From: jden...@redhat.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: plz help me: access-reject
> CC: a.l.m.bu...@lboro.ac.uk
> 
> On 05/05/2010 11:01 AM, Alan Buxey wrote:
> > Hi,
> >
> >> Mr Alan i do it but always the same result:
> >> r...@pfe-laptop:/home/pfe/freeradius-server-2.1.8# radtest sonia salut 
> >> 127.0.0.1:1812 1812 testing123
> >> Sending Access-Request of id 76 to 127.0.0.1 port 1812
> >>  User-Name = "sonia"
> >>  User-Password = "salut"
> >>  NAS-IP-Address = 127.0.1.1
> >>  NAS-Port = 1812
> >> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=76, 
> >> length=20
> >
> > are you SURE you are editing the right users file?  you haven't got two 
> > copies
> > of FR installed have you? (eg self-build and RPM) - check that
> > you don't have eg /etc/raddn/users  AND /usr/local/etc/raddb/users or such
No Sir, I have only one users file. Thank you for your help. I am thinking of installing 
freeradius*.deb
> Good thought, but this person was already told to check this :-(
For John Dennis: I'm checking it for the first time. I'm not joking with my 
work. I'm serious. It just does not work.
> -- 
> John Dennis 
> 
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
  

RE: Freeradius 2.1.6: Store Cisco device "enable" password in Postgresql DB

2010-05-05 Thread Difan Zhao
Thank you very much Alan! I added the "$" to the safe-characters and it
works great now. However I also added "\" but it doesn't seem to work...
My FreeRadius is also set up to handle PEAP for Windows XP PCs and they
use the "domain\username" format. In the debug I see:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'GTCORP=5Cdzhao'   ORDER BY id

As you can see the username "GTCORP\dzhao" becomes "GTCORP=5Cdzhao"...

I do have "\" in the safe-character list:

safe-characters =
"\...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_:
/"

Any ideas? Thank you!

Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
 
-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Wednesday, May 05, 2010 1:53 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.6: Store Cisco device "enable" password in Postgresql DB

Difan Zhao wrote:
> And it doesn't work. Then I am checking the debug and I found that the
> "$" in the username was interpreted to something like "=24":

  Read raddb/sql/postgresql/dialup.conf, and look for "safe-characters"

  Alan DeKok.

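The "=5C" and "=24" in the debug output above come from the escaping rlm_sql applies to every value it expands into a query: any byte that is not in safe-characters is rewritten as "=" plus its hex code, which is what keeps a NAS-supplied User-Name from breaking out of the quoted SQL literal in the radcheck query. The Python below is an added example written for this page, not FreeRADIUS code and not from the thread; it re-implements that escaping so the effect of a given safe-characters list on a username can be checked before dialup.conf is touched. The default safe list it starts from is an assumption (compare it with your own dialup.conf), and the helpers quote_breaks_out and backslash_caveat are constructed checks, not server features.

```python
import string

# Default safe list as shipped in raddb/sql/*/dialup.conf for FreeRADIUS 2.x
# (assumption for this example: compare it with your own dialup.conf).
DEFAULT_SAFE = "@" + string.ascii_letters + string.digits + ".-_: /"

# The radcheck query from the debug output, with the escaped username
# substituted where the server expands %{SQL-User-Name}.
RADCHECK_QUERY = ("SELECT id, UserName, Attribute, Value, Op FROM radcheck "
                  "WHERE Username = '{user}' ORDER BY id")


def sql_escape(value: str, safe: str = DEFAULT_SAFE) -> str:
    """Escape `value` the way rlm_sql does before expanding it into a query.

    Every byte not in `safe` becomes '=' followed by its two-digit uppercase
    hex value, so '$' -> '=24' and '\\' -> '=5C'.  '=' itself is never safe,
    so the encoding is unambiguous.  Non-ASCII input is escaped byte-wise.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def expand_query(username: str, safe: str = DEFAULT_SAFE) -> str:
    """Show the query the database would actually receive for `username`."""
    return RADCHECK_QUERY.format(user=sql_escape(username, safe))


def quote_breaks_out(username: str, safe: str = DEFAULT_SAFE) -> bool:
    """Constructed check: True if a single quote survives escaping, which
    would end the SQL string literal early.  Preventing exactly that is the
    point of the escaping, so this only returns True when the safe list has
    been widened to include the quote character."""
    return "'" in sql_escape(username, safe)


def backslash_caveat(username: str, safe: str = DEFAULT_SAFE) -> bool:
    """Constructed check for the post's change: once '\\' is in the safe list,
    a value ending in a backslash reaches the database unescaped.  A database
    that treats backslash as an escape inside string literals would then
    swallow the closing quote of the literal, so the query no longer parses
    as intended.  True means the escaped value has that trailing backslash."""
    return sql_escape(username, safe).endswith("\\")


if __name__ == "__main__":
    for name in ("GTCORP\\dzhao", "bob$", "x' OR 1=1 --"):
        print(expand_query(name))
        print(expand_query(name, DEFAULT_SAFE + "\\"))
```

A character added to safe-characters passes through unescaped, so the quote and comment characters of your SQL dialect must never be added; whether a backslash is harmless to pass through depends on whether the database treats it as an escape inside string literals, which is what backslash_caveat flags.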


Re: openssl

2010-05-05 Thread Josip Rodin
On Wed, May 05, 2010 at 04:43:37PM +0200, Alan DeKok wrote:
> John Dennis wrote:
> > I have to agree with Josip that whenever possible users should be
> > directed to install pre-built packages with the advice to build it
> > yourself being dispensed only with great care.
> 
>   The Wiki could be updated to make all of that clearer, too.

If you gave some of us an account on the Wiki, you wouldn't have to worry
about that... hint hint :)

-- 
 2. That which causes joy or happiness.


Re: plz help me: access-reject

2010-05-05 Thread John Dennis

On 05/05/2010 11:01 AM, Alan Buxey wrote:
> Hi,
>
>> Mr Alan i do it but always the same result:
>> r...@pfe-laptop:/home/pfe/freeradius-server-2.1.8# radtest sonia salut 127.0.0.1:1812 1812 testing123
>> Sending Access-Request of id 76 to 127.0.0.1 port 1812
>>  User-Name = "sonia"
>>  User-Password = "salut"
>>  NAS-IP-Address = 127.0.1.1
>>  NAS-Port = 1812
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=76, length=20
>
> are you SURE you are editing the right users file?  you haven't got two copies
> of FR installed have you? (eg self-build and RPM) - check that
> you don't have eg /etc/raddn/users  AND /usr/local/etc/raddb/users or such

Good thought, but this person was already told to check this :-(

--
John Dennis 



Re: plz help me: access-reject

2010-05-05 Thread Alan Buxey
Hi,

> Mr Alan i do it but always the same result:
> r...@pfe-laptop:/home/pfe/freeradius-server-2.1.8# radtest sonia salut 
> 127.0.0.1:1812 1812 testing123
> Sending Access-Request of id 76 to 127.0.0.1 port 1812
> User-Name = "sonia"
> User-Password = "salut"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 1812
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=76, length=20

are you SURE you are editing the right users file?  you haven't got two copies
of FR installed have you? (eg self-build and RPM) - check that
you don't have eg /etc/raddn/users  AND /usr/local/etc/raddb/users or such

alan


Re: R: rlm_ippool: No available ip addresses in pool

2010-05-05 Thread Alan DeKok
Tabacchiera Stefano wrote:
> I've done my tests with an ad-hoc pool, with maximum_timeout set at 10 secs.
> And the results I posted came from a new test session done the day after the 
> first test.
> (24 hrs >> 10 secs)
> 
> Why doesn't that timeout apply?

  Did you set Session-Timeout?  If not, you're telling the server that
the IPs are valid forever.

> 
>>> So I need a method to avoid my pool being filled up by missing acct-stop.
>>  You were told a method which should work.  Try it.
> 
> Surely I'll switch to sql pool, but what I observe is that dbm pools are 
> useless, if I can't set a timeout *that works* on them.

  SQL is usually a lot better than building the same
functionality on top of a DB file.

  Alan DeKok.


Re: R: rlm_ippool: No available ip addresses in pool

2010-05-05 Thread Tabacchiera Stefano
>> Ok, you're right, but in my case I know the client session can't last more 
>> than 24hrs.
>> So, for me it's ok to remove all *inactive* entries older than that.
>> 
>> But, as far as I know, this seems to be impossible with gdm pool.
>> So, what is the "maximum_timeout" parameter useful for???

>  It sets the timeout when entries are expired.  Your tests (so you say)
>don't go for 24 hours... so that timeout doesn't apply.

Alan, that's wrong.

I've done my tests with an ad-hoc pool, with maximum_timeout set at 10 secs.
And the results I posted came from a new test session done the day after the 
first test.
(24 hrs >> 10 secs)

Why doesn't that timeout apply?


>> So I need a method to avoid my pool being filled up by missing acct-stop.
>  You were told a method which should work.  Try it.

Surely I'll switch to sql pool, but what I observe is that dbm pools are 
useless, if I can't set a timeout *that works* on them.
ST


This message and its attachments are intended only for use by the addressees.
Any use, re-transmission or dissemination not authorized of it is prohibited.
If you received this e-mail in error, please inform the sender immediately and
delete all the material. (Rif. D.Lgs. 196/2003). Thank you.




Re: thx 4 openSSL & one more question

2010-05-05 Thread Alan DeKok
ds14.kornel wrote:
> Hi
> Thanks for last advices with freeradius installations + peap on debian lenny
> Now i have no problem with enabling peap :)

...
> rad_recv: Access-Request packet from host 192.168.10.50 port 2054,
> id=148, length=169
...
> Message-Authenticator = 0x2ea50a302a451ed3b32b748a23fe00e3
>   WARNING: Empty section.  Using default return values.
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user

  You have deleted everything from raddb/sites-enabled/

  Why?  That is breaking the server.  Stop it.  Use the default install.
 It's really not that hard.

  Alan DeKok.


Re: openssl

2010-05-05 Thread Alan DeKok
John Dennis wrote:
> I have to agree with Josip that whenever possible users should be
> directed to install pre-built packages with the advice to build it
> yourself being dispensed only with great care.

  The Wiki could be updated to make all of that clearer, too.

> It would also help if we could converge on a stable release that's
> usable for a significant duration.

  2.1.x is the "long term support" version.  Using "git" is making this
process much easier.

  2.2.0 will be the track that adds new features, like possibly RadSec,
and other interesting things.

> Users are told to run the latest
> release, which may be only a few weeks or months old which makes it
> difficult for the distribution channels for pre-built binaries to keep
> up by always having the latest release available. Since it's often the
> case the latest release is not available in the distribution channel
> users are forced into building it themselves with all the bad results
> and frustration vented here. If we had a stable release I suspect a lot
> of this frustration would be mitigated.

  Once the distributions have a stable release with OpenSSL support, the
majority of the problems should go away.

  Alan DeKok.


Re: plz help me: access-reject

2010-05-05 Thread John Dennis

On 05/05/2010 06:38 AM, dorra aa wrote:
> Mr Alan i do it but always the same result:

"The definition of insanity is doing the same thing over and over and
expecting different results."

-Benjamin Franklin

> plz can you give me the steps that i may to do more then that.
> plz help me. I am a beginner in that

You've been given help multiple times and for unknown reasons choose to 
ignore it.


--
John Dennis 



Re: openssl

2010-05-05 Thread John Dennis

On 05/04/2010 06:21 PM, Josip Rodin wrote:
> On Tue, May 04, 2010 at 09:39:30PM +0100, Alan Buxey wrote:
>>> 3.) Install the main FreeRADIUS package from there, for example with:
>>>  apt-get install -t lenny-backports freeradius
>>
>> alternatively, grab the source and build it yourself. the choice is yours.
>
> No, I think that is a false choice for these users. We should not be
> telling random newbies to take a route that has time and time again been
> demonstrated to be too complicated for them to handle, when they can easily
> use a more efficient method - install safe working binaries. That also has
> the benefit of keeping them in the loop for later updates from the same
> reliable channel. If they explicitly tell us that they already use Debian,
> then we can't have much reason to have them avoid these Debian-specific
> methods that accomplish our goals - to make these people happy users of FR.
>
> This is one fairly trivial bug, even if one knows very little about
> compiling source code - one just has to google, and/or read the official
> web site (wiki), and find that all they have to do is install that one
> package and restart the build process, and they're good - yet numerous users
> have sent an e-mail to the list saying it's been a showstopper for them.
>
> I do not see what is there to gain by telling these people to keep using
> a method they clearly do not understand enough to be able to solve a
> relatively easy problem with. Sure, they can apply this quick fix now, but
> will it help their FreeRADIUS experience, and in turn will it help
> FreeRADIUS? Isn't it better for all to get them past the installation phase
> as quickly as possible, and not have to rehash these tangential issues,
> when time could be better spent educating them about core issues such as
> FreeRADIUS configuration semantics, or RADIUS protocol issues?



+1

I completely agree. Building *and* installing FreeRADIUS from source 
requires technical skill that exceeds the technical competence of a 
significant proportion of the users on this list. One only needs to 
spend a short period here to see this is clearly the case.


I have to agree with Josip that whenever possible users should be 
directed to install pre-built packages with the advice to build it 
yourself being dispensed only with great care.


It would also help if we could converge on a stable release that's 
usable for a significant duration. Users are told to run the latest 
release, which may be only a few weeks or months old which makes it 
difficult for the distribution channels for pre-built binaries to keep 
up by always having the latest release available. Since it's often the 
case the latest release is not available in the distribution channel 
users are forced into building it themselves with all the bad results 
and frustration vented here. If we had a stable release I suspect a lot 
of this frustration would be mitigated.


--
John Dennis 



thx 4 openSSL & one more question

2010-05-05 Thread ds14.kornel

Hi
Thanks for the last advice on the freeradius installation + PEAP on Debian lenny.
Now I have no problem enabling PEAP :)

This time I'm asking for help with some other problem:
I'm trying to enable WPA2 Enterprise authentication on my access points.
When trying to authenticate my wireless client I'm getting something like this in the log:

Wed May  5 15:09:25 2010 : Auth: Login incorrect: [karol/<no User-Password attribute>] (from client AP1 port 0 cli 0022431380c4)

where:
0022431380c4 is my wireless MAC address (laptop)
client AP1 is my Access Point client from clients.conf
karol is my user from users.conf

It looks like freeradius doesn't want to look inside the password field 
and can't recognize the laptop IP (it gets the MAC)


Please give me some advice - what's next?

Here is my debug.


Kill-9:/home/kornel# freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  3 
2010 at 15:51:52

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
 }
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
 client 172.16.0.16 {    <-- client IP address
require_message_authenticator = no
secret = "tajne1234"
shortname = "eee"
 }
 client 192.168.10.50 {    <-- AP IP address
require_message_authenticator = no
secret = "tajne1234"
shortname = "AP1"
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.

And here is the debug of an authentication attempt:

rad_recv: Access-Request packet from host 192.168.10.50 port 2054, 
id=148, length=169

User-Name = "karol"
NAS-IP-Address = 192.168.10.50    <-- AP IP address
NAS-Port = 0
Called-Station-Id = "00265abab28d"    <-- AP MAC address
Calling-Station-Id = "0022431380c4"    <-- client MAC address

NAS-Identifier = "Realtek Access Point. 8186"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020b016d617263696e
Message-Authenticator = 0x2ea50a302a451ed3b32b748a23fe00e3
  WARNING: Empty section.  Using default return values.
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

Failed to authenticate the user.
Login incorrect: [karol/] (from client AP1 
port 0 cli 0022431380c4)

Delaying reject 

Re: radius and fail over

2010-05-05 Thread Alan DeKok
Fabien COMBERNOUS wrote:
> In the freeradius wiki a page gives information about failover [1]. It
> explains how to set up two sql modules pointing to two dbms. But in this
> setup, the radius server is a single point of failure. How to set up two
> radius servers speaking with two dbms?

  Configure the failover twice.

  Alan DeKok.


Re: R: rlm_ippool: No available ip addresses in

2010-05-05 Thread Alan DeKok
Tabacchiera Stefano wrote:
> Ok, you're right, but in my case I know the client session can't last more 
> than 24hrs.
> So, for me it's ok to remove all *inactive* entries older than that.
> 
> But, as far as I know, this seems to be impossible with gdm pool.
> So, what is the "maximum_timeout" parameter useful for???

  It sets the timeout when entries are expired.  Your tests (so you say)
don't go for 24 hours... so that timeout doesn't apply.

>> The best solution would be to fix the NAS to send the packets or fix the
>> network to make sure they get delivered.
> 
> Obviously, but I can't manage over that. It's out of my control.

  And our control, too.

> So I need a method to avoid my pool being filled up by missing acct-stop.

  You were told a method which should work.  Try it.

  Alan DeKok.


radius and fail over

2010-05-05 Thread Fabien COMBERNOUS

Hi there,

In the freeradius wiki a page gives information about failover [1]. It 
explains how to set up two sql modules pointing to two dbms. But in this 
setup, the radius server is a single point of failure. How to set up two 
radius servers speaking with two dbms?


Thank you for your help.


[1] http://wiki.freeradius.org/Fail-over
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com 
*Tel: +33 (0) 467 992 986*
Kezia Group


Re: R: rlm_ippool: No available ip addresses in

2010-05-05 Thread Tabacchiera Stefano
>How is FreeRADIUS supposed to know when a user disconnects and frees up the
>IP address from the pool if the NAS doesn't tell it? Anything else is not
>exactly reliable. If you have a user with a long duration session that lasts
>longer than your timeout the IP could be put back into the pool when it is
>still in use.

Ok, you're right, but in my case I know the client session can't last more than 
24hrs.
So, for me it's ok to remove all *inactive* entries older than that.

But, as far as I know, this seems to be impossible with gdm pool.
So, what is the "maximum_timeout" parameter useful for???



>The best solution would be to fix the NAS to send the packets or fix the
>network to make sure they get delivered.

Obviously, but I can't manage over that. It's out of my control.
So I need a method to avoid my pool being filled up by missing acct-stop.
Thanks again.

ST


RE: plz help me: access-reject

2010-05-05 Thread dorra aa

Mr Alan i do it but always the same result:
r...@pfe-laptop:/home/pfe/freeradius-server-2.1.8# radtest sonia salut 
127.0.0.1:1812 1812 testing123
Sending Access-Request of id 76 to 127.0.0.1 port 1812
User-Name = "sonia"
User-Password = "salut"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=76, length=20

Please can you give me the steps that I may do beyond that.
Please help me. I am a beginner in this.

> Date: Wed, 5 May 2010 11:19:29 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: plz help me: access-reject
> 
> Hi,
> 
> > Hi. I'm using freeradius 2.1.8. Please can somebody give me an example 
> > configuration of the files to do a simple test with radiusd -X?
> > Because I'm testing now a local client and the result is reject. I modified 
> > only users and clients.conf. Is that enough?
> > 
> > 1/I add on Users:
> > 
> > "sonia" Auth-Type := Local, User-Password == "salut"
> > Reply-Message = "Hello, %u",
> > Reply-Message = "are you fine, %u"
> you've already had replies about this.
> 
> this config is wrong
> 
> > I'm also trying another exemple:
> > 
> > "sonia" Cleartext-Password := "salut"
> 
> that config is correct
> 
> alan
  

Re: plz help me: access-reject

2010-05-05 Thread Alan Buxey
Hi,

> Hi. I'm using freeradius 2.1.8. Please can somebody give me an example 
> configuration of the files to do a simple test with radiusd -X?
> Because I'm testing now a local client and the result is reject. I modified 
> only users and clients.conf. Is that enough?
> 
> 1/I add on Users:
> 
> "sonia" Auth-Type := Local, User-Password == "salut"
> Reply-Message = "Hello, %u",
> Reply-Message = "are you fine, %u"
you've already had replies about this.

this config is wrong

> I'm also trying another exemple:
> 
> "sonia" Cleartext-Password := "salut"

that config is correct

alan


Set NoCat user class in Access-Accept

2010-05-05 Thread Ana Gallardo
Hello,

I want to send the NoCat user Class in the Access-Accept.

I don't know if I can send an attribute defined by me.

I have defined an attribute:

# cat /etc/freeradius/dictionary
$INCLUDE    /usr/share/freeradius/dictionary
ATTRIBUTE   NoCat-User-Class    3000    string

And I put this attribute in the reply list with MySQL:

mysql> select * from radgroupreply;
+----+-----------+------------------+----+--------+
| id | groupname | attribute        | op | value  |
+----+-----------+------------------+----+--------+
|  6 | MEMBER    | NoCat-User-Class | := | Member |
+----+-----------+------------------+----+--------+

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| ana      | CAU1      |        0 |
| ana      | MEMBER    |        8 |
+----------+-----------+----------+

But the server doesn't send this attribute to the user. Debug info:

rad_recv: Access-Request packet from host X port 33606, id=250, length=55
User-Name = "ana"
User-Password = "claveAna"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
+- entering group authorize {...}
sql_xlat
expand: %{User-Name} -> ana
sql_set_user escaped user --> 'ana'
expand: select shortname from nas where nasname="%{Client-IP-Address}"
-> select shortname from nas where nasname="X"
expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  select shortname from nas where nasname="X"
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:select shortname from nas where
nasname="%{Client-IP-Address}"} -> pcCAU1
++[request] returns notfound
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "ana", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> ana
[sql] sql_set_user escaped user --> 'ana'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op  FROM
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER
BY id -> SELECT id, username, attribute, value, op  FROM
radcheck  WHERE username = BINARY 'ana'  ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck  WHERE username = BINARY 'ana'  ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op  FROM
radreply  WHERE username = BINARY '%{SQL-User-Name}'  ORDER
BY id -> SELECT id, username, attribute, value, op  FROM
radreply  WHERE username = BINARY 'ana'  ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply  WHERE username = BINARY 'ana'  ORDER BY id
[sql] expand: SELECT groupname  FROM radusergroup  WHERE
username = BINARY '%{SQL-User-Name}'  ORDER BY priority -> SELECT
groupname  FROM radusergroup  WHERE username = BINARY
'ana'  ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname  FROM radusergroup
WHERE username = BINARY 'ana'  ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'CAU1'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname = 'CAU1'
ORDER BY id
[sql] expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'MEMBER'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'MEMBER'   ORDER BY id
[sql] User found in group MEMBER
[sql] expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   value, op   FROM radgroupreply   WHERE
groupname = 'MEMBER'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'MEMBER'   ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[expiration] Checking Expiration time
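One check worth making on the dictionary entry in the post above: a standard RADIUS attribute carries its number in a single octet (RFC 2865, section 5), so only numbers 1..255 can be encoded into an Access-Accept, and FreeRADIUS keeps higher numbers for attributes that exist only inside the server. An attribute a site defines for itself is normally declared as a Vendor-Specific attribute under the site's own vendor id instead. The Python below is an added example for this page, not FreeRADIUS code and not from the thread: a minimal RFC 2865 attribute encoder and decoder that refuses a bare type 3000 and shows the same "Member" value carried as a VSA. The vendor id 99999 and the vendor name in the comment are placeholders, not real assignments.

```python
import struct

VENDOR_SPECIFIC = 26        # Vendor-Specific attribute type, RFC 2865 section 5.26
EXAMPLE_VENDOR_ID = 99999   # placeholder enterprise number, not a real assignment

# Placeholder dictionary form for the same attribute as a VSA (FreeRADIUS
# dictionary syntax; vendor name and number are made up for this example):
#
#   VENDOR        Example-Vendor    99999
#   BEGIN-VENDOR  Example-Vendor
#   ATTRIBUTE     NoCat-User-Class  1   string
#   END-VENDOR    Example-Vendor


def fits_on_wire(attr_type: int) -> bool:
    """A standard attribute carries its Type in one octet (RFC 2865 section 5),
    so only 1..255 can be encoded into a packet; FreeRADIUS keeps higher
    numbers such as 3000 for attributes that exist only inside the server."""
    return 1 <= attr_type <= 255


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-octet header."""
    if not fits_on_wire(attr_type):
        raise ValueError(f"attribute number {attr_type} cannot be sent in a RADIUS packet")
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Wrap a vendor attribute in Vendor-Specific: 4-octet Vendor-Id followed
    by Vendor-Type, Vendor-Length and the value (RFC 2865 section 5.26)."""
    if not fits_on_wire(vendor_type) or len(value) > 247:
        raise ValueError("vendor attribute does not fit in a Vendor-Specific attribute")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_avps(data: bytes) -> list:
    """Walk a run of attributes and return (type, value) pairs; a well-formed
    Vendor-Specific attribute is returned as (26, vendor_id, vendor_type, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6 and value[5] == len(value) - 4:
            vendor_id = struct.unpack("!I", value[:4])[0]
            out.append((attr_type, vendor_id, value[4], value[6:]))
        else:
            out.append((attr_type, value))
        i += length
    return out


if __name__ == "__main__":
    print("3000 fits on the wire:", fits_on_wire(3000))   # False
    vsa = encode_vsa(EXAMPLE_VENDOR_ID, 1, b"Member")
    print(vsa.hex(), decode_avps(vsa))
```

The decoder only unwraps a Vendor-Specific attribute whose inner Vendor-Length matches the outer length; anything malformed is returned as raw (26, bytes) rather than guessed at, which is the safer choice for data that arrives from a NAS.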

plz help me: access-reject

2010-05-05 Thread dorra aa

Hi. I'm using freeradius 2.1.8. Please can somebody give me an example 
configuration of the files to do a simple test with radiusd -X?
Because I'm testing now a local client and the result is reject. I modified only 
users and clients.conf. Is that enough?

1/ I added in users:

"sonia" Auth-Type := Local, User-Password == "salut"
Reply-Message = "Hello, %u",
Reply-Message = "are you fine, %u"

I'm also trying another example:

"sonia" Cleartext-Password := "salut"
Reply-Message = "Hello, %u",
Reply-Message += "are you fine, %u"

2/ And I added in clients.conf:

client 127.0.0.1 {
secret  = testing123 # our shared secret
shortname   = class
nastype = other
}
When I run this command, I get:

p...@pfe-laptop:~$ sudo radtest sonia salut 127.0.0.1:1812 1812 testing123
Sending Access-Request of id 11 to 127.0.0.1 port 1812
User-Name = "sonia"
User-Password = "salut"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=20

3/ The output of radiusd -X is:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 38590, id=135, 
length=57
User-Name = "sonia"
User-Password = "salut"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sonia", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> sonia
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 135 to 127.0.0.1 port 38590
Waking up in 4.9 seconds.
Cleaning up request 0 ID 135 with timestamp +153
Ready to process requests.

What is the problem, please?
Can you help me with a clear example?
Thank you 
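The debug output above ends in '[pap] WARNING! No "known good" password found' followed by 'No authenticate method (Auth-Type) configuration found', and the reply earlier in the thread is that `"sonia" Cleartext-Password := "salut"` is the correct form. The Python below is an added example for this page (not FreeRADIUS or radtest code, and not from the thread) that shows why: radtest hides the password with the User-Password scheme of RFC 2865 section 5.2, the server reverses that using the shared secret and the Request Authenticator, and it then needs a known-good cleartext password to compare the result against. The Request Authenticator and password values are constructed for the example; the secret testing123 is the one used in the thread.

```python
import hashlib
import hmac


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (what radtest does): hide the password as in RFC 2865 5.2.
    The password is null-padded to a multiple of 16 octets; each block is
    XORed with MD5(secret + previous ciphertext block), the first block using
    the 16-octet Request Authenticator instead."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the XOR chain and strip the null padding.
    (A password that itself ends in null bytes cannot be distinguished from
    padding; the scheme simply does not support that.)"""
    if len(encrypted) == 0 or len(encrypted) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def pap_check(encrypted: bytes, secret: bytes, authenticator: bytes, known_good) -> str:
    """Outcome for one request: with no known-good password the server has
    nothing to compare against (the "No known good password" case, which in
    the debug above leaves the request without an Auth-Type and it is
    rejected); with one, compare in constant time."""
    if known_good is None:
        return "noop"
    if hmac.compare_digest(pap_decrypt(encrypted, secret, authenticator), known_good):
        return "ok"
    return "reject"


# Constructed sample values for a stand-alone run.
SECRET = b"testing123"                 # shared secret from the thread's clients.conf
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; real ones are random

if __name__ == "__main__":
    wire = pap_encrypt(b"salut", SECRET, REQUEST_AUTHENTICATOR)
    print("User-Password on the wire:", wire.hex())
    print("with Cleartext-Password    :", pap_check(wire, SECRET, REQUEST_AUTHENTICATOR, b"salut"))
    print("without a known password   :", pap_check(wire, SECRET, REQUEST_AUTHENTICATOR, None))
```

A wrong shared secret on either side does not produce an error; the decrypted bytes are simply garbage that fails the comparison, which is why a mismatched secret also shows up as a reject.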

Re: Does freeRADIUS support RadSec

2010-05-05 Thread Alan Buxey
Hi,
> I found this draft "draft-dekok-radext-dtls-02.txt". Does freeRADIUS support 
> RadSec feature? Is there any guidance for RadSec feature?

not yet. that's why there isn't a doc to read

alan


Re: Freeradius 2.1.6: Store Cisco device "enable" password in Postgresql DB

2010-05-05 Thread Alan DeKok
Difan Zhao wrote:
> And it doesn't work. Then I am checking the debug and I found that the "$" in 
> the username was interpreted to something like "=24":

  Read raddb/sql/postgresql/dialup.conf, and look for "safe-characters"

  Alan DeKok.


Re: Basic wifi config

2010-05-05 Thread Alan DeKok
Philippe Schwarz wrote:
> Ok, but it's useless only; I can keep it that way, right?

  "useless" means "confusing, unnecessary, and extra work".

  You should delete it.

> ...
>>> Failed to authenticate the user.
>>   You didn't specify a password for the user.
> Oh! I should have read more carefully..
> I thought I'd have a popup for login/pass later..

  Er... no.  The *RADIUS* server doesn't know the correct password, so
it can't authenticate the user.

> OK, but my users are stored in a LDAP/samba Backend; i'll give it a try
> soon.

  Take it one simple step at a time.  Trying to configure everything all
at once is a recipe for disaster.

> BTW, the password is one-way encrypted, and tried
> 
>  echo -n 'user::Password' | md5
> 
> and paste the md5 to the users file, and did not work..

"I did stuff not recommended anywhere and it broke".

  Don't do that.

> Maybe the null realm is the problem.

  No.  See the FAQ for an example of how to add a password.

  Alan DeKok.


Re: Does freeRADIUS support RadSec

2010-05-05 Thread Alan DeKok
John wrote:
> I found this draft "draft-dekok-radext-dtls-02.txt". Does freeRADIUS
> support RadSec feature? Is there any guidance for RadSec feature?

  If it supported radsec, the configuration files would have examples.

  Radsec support should be added this year.

  Alan DeKok.