RE: freeradius and ADSL-Agent-Circuit-Id
> Tim Sylvester wrote:
> > Try the following:
> >
> > Add this to the top of the Authorize section:
> >
> >
> > if ADSL-Agent-Circuit-Id {
> > update request {
> > User-Name := "%{ADSL-Agent-Circuit-Id}"
> > User-Password := "%{ADSL-Agent-Circuit-Id}"
> > }
> > }
> >
> >
>
> Thank you for taking the time to provide this detailed example. I
> should have included the previous thread where this was suggested and
> that it 'works', but also that it creates a security hole in that an
> end user could simply set their user name and password to be the same as a
> Circuit-Id, thereby taking advantage of a 'known passwords' if anyone
> knows what my circuit id's look like.
No. You should have read my message in more detail. If you look at the
example below, you will see that if someone tries to use a Username/Password
with the Circuit-Id, the authentication will fail. The second entry for in
the radcheck table requires that both the username/password and the
username/ADSL-Agent-Circuit-Id are required.
> The task is to set things up so that _only_ in the event that the
> request contains an actual ADSL-Agent-Circuit-Id attribute, that I
> don't bother trying to do chap/pap, but instead I pull everything
(Including
> Access-Accept) from the database indexed by ADSL-Agent-Circuit-Id. If
> there is no such attribute, then just proceed as normal. I can use sql
> to get a truth value wether the circuit-id is present in a non-default
> table, and I can use unlang to update the control with "Auth-Type :=
> Accept". This works and results in 'access accept' to the client. But,
> it does not get me anyway to pull attributes specific to this id and
> return them to the client.
My configuration will allow you to do what you want. Try it before
dismissing it.
> What I was talking about was perhaps using the presence of
> ADSL-Agent-Circuit-Id to decide whether to proxy the request to another
> virtual server. I could configure this virtual server to listen on
> loopback so the only way to consult it is thru the proxy, and I could
> configure the sql query used on THIS server to peform the authorization
> query. This seperation would give me the abillity to either engage
> chap/pap or not based on presence of the attribute, instead of simply
> overwriting the attribute values which doesn't address my security
> concerns. I'm still looking for a good method to accomplish this.
You are welcome to try your much more complicated method. Or you could
re-read my message and perform some actual tests before responding in
e-mail.
Tim
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and ADSL-Agent-Circuit-Id
Tim Sylvester wrote:
Try the following:
Add this to the top of the Authorize section:
if ADSL-Agent-Circuit-Id {
update request {
User-Name := "%{ADSL-Agent-Circuit-Id}"
User-Password := "%{ADSL-Agent-Circuit-Id}"
}
}
Thank you for taking the time to provide this detailed example. I
should have included the previous thread where this was suggested and
that it 'works', but also that it creates a security hole in that an end
user could simply set their user name and password to be the same as a
Circuit-Id, thereby taking advantage of a 'known passwords' if anyone
knows what my circuit id's look like.
The task is to set things up so that _only_ in the event that the
request contains an actual ADSL-Agent-Circuit-Id attribute, that I don't
bother trying to do chap/pap, but instead I pull everything (Including
Access-Accept) from the database indexed by ADSL-Agent-Circuit-Id. If
there is no such attribute, then just proceed as normal. I can use sql
to get a truth value wether the circuit-id is present in a non-default
table, and I can use unlang to update the control with "Auth-Type :=
Accept". This works and results in 'access accept' to the client. But,
it does not get me anyway to pull attributes specific to this id and
return them to the client.
What I was talking about was perhaps using the presence of
ADSL-Agent-Circuit-Id to decide whether to proxy the request to another
virtual server. I could configure this virtual server to listen on
loopback so the only way to consult it is thru the proxy, and I could
configure the sql query used on THIS server to peform the authorization
query. This seperation would give me the abillity to either engage
chap/pap or not based on presence of the attribute, instead of simply
overwriting the attribute values which doesn't address my security
concerns. I'm still looking for a good method to accomplish this.
Mike-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
send radius response without request
Is it possible to have FreeRADIUS send a radius response without first receiving a request, provided I can feed it the same information the request would have? OR Is it possible for FreeRADIUS to see the request come from one host and have the response go to another? Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: freeradius and ADSL-Agent-Circuit-Id
Try the following:
Add this to the top of the Authorize section:
authorize {
if ADSL-Agent-Circuit-Id {
update request {
User-Name := "%{ADSL-Agent-Circuit-Id}"
User-Password := "%{ADSL-Agent-Circuit-Id}"
}
}
Then, add the Circuit-IDs to radcheck:
mysql> select * from radcheck where username = "circuit-123";
++-+---++-+
| id | username| attribute | op | value |
++-+---++-+
| 226536 | circuit-123 | ADSL-Agent-Circuit-Id | == | circuit-123 |
| 226537 | circuit-123 | Cleartext-Password| := | circuit-123 |
++-+---++-+
2 rows in set (0.00 sec)
Then run a test to make sure that when using the Circuit-Id to authenticate
the device, the ADSL-Agent-Circuit-Id must be in the request.
[r...@sparky performance]# cat circuit-id.rad
User-Name = "test"
User-Password = "FreeRADIUS"
User-Name = "circuit-123"
User-Password = "circuit-123"
User-Name = ""
ADSL-Agent-Circuit-Id ="circuit-123"
User-Name = "void"
ADSL-Agent-Circuit-Id ="circuit-123"
[r...@sparky performance]#
[r...@sparky performance]# radclient -f circuit-id.rad localhost auth
FreeRADIUS
Received response ID 81, code 2, length = 20
Received response ID 165, code 3, length = 20
Received response ID 157, code 2, length = 20
Received response ID 119, code 2, length = 20
[r...@sparky performance]#
Tim
> -Original Message-
> From: freeradius-users-
> bounces+tim.sylvester=networkradius@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf
> Of Mike
> Sent: Wednesday, July 28, 2010 3:37 PM
> To: FreeRadius users mailing list
> Subject: Re: freeradius and ADSL-Agent-Circuit-Id
>
>
>
> Johan Meiring wrote:
> > On 2010/07/21 11:00 AM, Alan DeKok wrote:
> >>
> >> authorize {
> >> ...
> >> if (ADSL-Agent-Circuit-Id&& \
> >> ("%{sql: select ...}")) {
> >> update control {
> >> Auth-Type := Accept
> >> }
> >>
> >> }
> >> else {
> >> reject
> >> }
> >>
> >> }
> >>
> >
> > I disagree with the logic slightly.
> > In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does
> > not exist.
> >
> > As fas as I understand, the desireable result is:
> > If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication
> > must happen.
> > If it *does* exist, accept or reject, depending on its value.
> >
> > Would this not work better?
> >
> > authorize {
> > ...
> > if (ADSL-Agent-Circuit-Id) {
> > if ("%{sql: select ...}") {
> > update control {
> > Auth-Type := Accept
> > }
> > }
> > else {
> > reject
> > }
> > }
> > }
> >
> >
> >
> I have been attempting to implement this advice. I can use a 'select
> count(*)' sql query and based on wether the value is 1, I can then set
> Auth-Type := Accept just like it's written above. But, there's
> additional processing that is desireable that I just can't figure out
> how to do here. Instead of just blindly setting Accept, I might want to
> proceed with having the sql module do group processing and so forth to
> finally accumulate all of the reply attributes that apply to this
> request. Maybe that reply is 'Auth-Type := Reject" but then others
> contain 'Accept' along with framed-ip-address and so forth. This would
> involve using a modified sql query in the event that
> ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any
> way
> at run time to make that selection.
>
> I am getting the impression that perhaps I need to run maybe a second
> server that has it's sql configured with queries tailored for the
> presence of this attribute, and then proxy requests from the primary
> server to this one in this case. I could probably run it on lookback on
> another port so that the radius clients don't have to know anything
> about it. Still it's a bit of work but that seems to be the only way
> possible to make sql query one database if the attribute is present,
> and
> query another if it's not (or, use different queries).
>
> Would love more insight if anyone cares to share.
>
> Thank you.
>
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and ADSL-Agent-Circuit-Id
Johan Meiring wrote:
On 2010/07/21 11:00 AM, Alan DeKok wrote:
authorize {
...
if (ADSL-Agent-Circuit-Id&& \
("%{sql: select ...}")) {
update control {
Auth-Type := Accept
}
}
else {
reject
}
}
I disagree with the logic slightly.
In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does
not exist.
As fas as I understand, the desireable result is:
If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication
must happen.
If it *does* exist, accept or reject, depending on its value.
Would this not work better?
authorize {
...
if (ADSL-Agent-Circuit-Id) {
if ("%{sql: select ...}") {
update control {
Auth-Type := Accept
}
}
else {
reject
}
}
}
I have been attempting to implement this advice. I can use a 'select
count(*)' sql query and based on wether the value is 1, I can then set
Auth-Type := Accept just like it's written above. But, there's
additional processing that is desireable that I just can't figure out
how to do here. Instead of just blindly setting Accept, I might want to
proceed with having the sql module do group processing and so forth to
finally accumulate all of the reply attributes that apply to this
request. Maybe that reply is 'Auth-Type := Reject" but then others
contain 'Accept' along with framed-ip-address and so forth. This would
involve using a modified sql query in the event that
ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any way
at run time to make that selection.
I am getting the impression that perhaps I need to run maybe a second
server that has it's sql configured with queries tailored for the
presence of this attribute, and then proxy requests from the primary
server to this one in this case. I could probably run it on lookback on
another port so that the radius clients don't have to know anything
about it. Still it's a bit of work but that seems to be the only way
possible to make sql query one database if the attribute is present, and
query another if it's not (or, use different queries).
Would love more insight if anyone cares to share.
Thank you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Another LDAP/RADIUS integration problem.
Grr, off on a goose chase. Problem isn't in rlm_pap.c, but rlm_ldap.c.
rlm_ldap only likes the Cleartext-Password and User-Password
attributes. Would it be a bad thing to patch rlm_ldap.c to also work
with Password-With-Header? If not, then I guess I'll have to use
User-Password in the ldap dictionary and live with the suggestion
message in debug output.
!!!
!!!Replacing User-Password in config items with Cleartext-Password.
!!!
!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in
User-Password. !!!
!!!
Thanks!
Tom
On 07/28/2010 11:59 AM, Tom Leach wrote:
Alan, changing from User-Password to Password-With-Header brought back
the 'No "known good" password' error. I'm going through the rlm_pap.c
code to try to see what's going on here. I haven't found any docs yet
on what the various mapping possibilities are and what they do. Do you
have a pointer to any so I don't keep bugging you and the list?
I agree with the 'get it work, then tune it' approach. That's where I'm
at now. It's working, I'm just trying to make all the messages go away :)
Thanks!
Tom
Here is a snippet from radiusd -X:
[ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items
[ldap-server1] looking for check items in directory...
[ldap-server1] userPassword -> Password-With-Header ==
"{crypt}4gOgBZqZgtwIw"
[ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap-server1] user testuser authorized to use remote access
Date: Tue, 27 Jul 2010 09:00:23 +0200
From: Alan DeKok
Subject: Re: Another LDAP/RADIUS integration problem.
To: FreeRadius users mailing list
Message-ID: <4c4e8407.3030...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Tom Leach wrote:
Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password
userPassword" to "checkItem User-Password userPassword" and it's
authenticating now, but I now have a new message in the debug output and
I'm not sure if it's a problem, suggestion, or otherwise.
It's a suggestion. But the first step was to get it to work.
I can't
change the LDAP directory to contain actual cleartext passwords, so it
may just be something that I have to live with.
Change the mapping in ldap.attrmap to:
checkItem Password-With-Header userPassword
That should *still* work, and will remove the warning.
The process here is to first get it to work, and then get it to work
better.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users Digest, Vol 63, Issue 95
Alan, changing from User-Password to Password-With-Header brought back
the 'No "known good" password' error. I'm going through the rlm_pap.c
code to try to see what's going on here. I haven't found any docs yet
on what the various mapping possibilities are and what they do. Do you
have a pointer to any so I don't keep bugging you and the list?
I agree with the 'get it work, then tune it' approach. That's where I'm
at now. It's working, I'm just trying to make all the messages go away :)
Thanks!
Tom
Here is a snippet from radiusd -X:
[ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items
[ldap-server1] looking for check items in directory...
[ldap-server1] userPassword -> Password-With-Header ==
"{crypt}4gOgBZqZgtwIw"
[ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap-server1] user testuser authorized to use remote access
Date: Tue, 27 Jul 2010 09:00:23 +0200
From: Alan DeKok
Subject: Re: Another LDAP/RADIUS integration problem.
To: FreeRadius users mailing list
Message-ID: <4c4e8407.3030...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Tom Leach wrote:
Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password
userPassword" to "checkItem User-Password userPassword" and it's
authenticating now, but I now have a new message in the debug output and
I'm not sure if it's a problem, suggestion, or otherwise.
It's a suggestion. But the first step was to get it to work.
I can't
change the LDAP directory to contain actual cleartext passwords, so it
may just be something that I have to live with.
Change the mapping in ldap.attrmap to:
checkItem Password-With-Header userPassword
That should *still* work, and will remove the warning.
The process here is to first get it to work, and then get it to work
better.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Solaris 10 1.13 FreeRadius
Will LDAP failover work on Solaris 10 with FreeRadius 1.1.3 ? This is the default that comes with Solaris or do we need to upgrade FreeRadius. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
HI, Since I need to have the LDAP-UserDn in the post-auth section of the default-server is there a way to execute a LDAP query in this part? Jean -- View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287788.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
Hi, I think I understand the problem here, there are multiple request done to freeradius in the process of authenticating the user and since I'm trying to access the variable that was set in the previous request it is simply empty... Jean -- View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29287687.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
newtownz wrote:
> Hi,
>
> Thank your for your answer.
>
>> Just return User-Name in the reply and do a repeat LDAP query on your
>> outer layer; doing a 'cn' lookup should be instantaneous...
>
> I'm a little puzzled on how to accomplish this!
In the "inner-tunnel" virtual server:
authorize {
...
update reply {
User-Name = "foo"
}
...
}
Also, be aware that EAP does multiple round trips. If you update
"outer.control" in one packet, that value is *not* available to the next
packet in the stream.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxying creates 200 Attributes resulting in DoS warning
Marius Pesé wrote: > After spending some more time on our FreeRadius2 project it managed once > again to leave me clueless. The error message: > > WARNING: Possible DoS attack from host 196.25.xxx.xx: Too many attributes in > request (received 201, max 200 are allowed). See the "security" section of radiusd.conf. > Googleing showed that it most likely is the result of a mis-configuration in > proxy.conf. You are very likely proxying packets FROM the server TO itself, in an infinite loop. Stop that. > This is our proxy.conf without comments: Have you tried running the server in debugging mode? Do you see it proxying packets to itself in an endless loop? Does the debug log show WHY the packets were proxied? If the packets really do have more than 200 real attributes, edit radiusd.conf to allow this. If the packets have dozens of "Proxy-State" attributes, you've misconfigured the server and broken it. Configure to proxy packets to *other* RADIUS servers, not to itself. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxying creates 200 Attributes resulting in DoS warning
After spending some more time on our FreeRadius2 project it managed once again
to leave me clueless. The error message:
WARNING: Possible DoS attack from host 196.25.xxx.xx: Too many attributes in
request (received 201, max 200 are allowed).
Googleing showed that it most likely is the result of a mis-configuration in
proxy.conf.
This is our proxy.conf without comments:
proxy server {
default_fallback = no
}
home_server copy-acct-to-home-server-B {
type = acct
ipaddr = 196.25.xxx.xx
port = 1646
secret = xx
}
home_server_pool my_acct_failover {
type = fail-over
home_server = copy-acct-to-home-server-B
}
realm DEFAULT {
acct_pool = my_acct_failover
}
realm LOCAL {
}
Might look a bit odd because we played around for quite a bit. Who can spot the
fatal error?
Thanks
Marius
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
Hi, Thank your for your answer. >Just return User-Name in the reply and do a repeat LDAP query on your >outer layer; doing a 'cn' lookup should be instantaneous... I'm a little puzzled on how to accomplish this! Regards Jean -- View this message in context: http://old.nabble.com/Passing-variables-from-inner-tunnel-tp29279811p29286932.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Error: ASSERT FAILED threads.c[406]
On Jul 26, 2010, at 8:00 PM, Meyers, Dan wrote:
> and what's happening in
> the perl is still something I need to investigate (and is probably
> thread related), or should the fix also stop me getting unresponsive
> children in the perl accounting method?
Using threaded perl with DB is a little tricky. You have to use for each perl
thread his own separate connection to DB. You can achieve this by using sub
CLONE {} which is calling on every new thread creation, or you just can use
perl without threads.
Best Regards,
Boian Jordanov
Head of Voice Department
tel. +359 2 4004 723
tel. +359 2 4004 002
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Passing variables from inner tunnel
Hi, newtownz wrote: > > I'm trying to pass the value of LDAP-UserDn from the inner-tunnel > to the default server. I have read unlang and also tried many combinations > including update outer.control from the inner tunnel and nothing worked... > I'm pretty sure I saw this too and (was some time back) a glance over the source code gave me the impression that anything in the FreeRADIUS internal dictionary gets lost. > Here is a debug output where we can see that the User-Dn get expanded > correctly in the tunnel but is empty in the default server. > Just return User-Name in the reply and do a repeat LDAP query on your outer layer; doing a 'cn' lookup should be instantaneous...if it is not you have other bigger problems[1]. Cheers [1] obviously scalability and transaction time is not a problem as you are Exec-Program-Wait'ing a PHP script ;) -- Alexander Clouter .sigmonster says: Pretend to spank me -- I'm a pseudo-masochist! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: incorrect auth-type
Sallee, Stephen (Jake) wrote:
> You will see that the user is found and authenticated by the
> "ntlm_auth_Cru" module, however the user is still rejected bec the
> server says no auth-type was configured for the request. Any help is
> appreciated.
Yes, because you didn't put the configuration into the right place.
> I have the following lines in my users file:
> -
> DEFAULT Auth-Type := ntlm_auth
> Fall-Through = Yes
> -
>
> I also have the following in my radius.conf:
Where? The location is important. You can't just put random text
into random places, and expect it to do what you want.
> Here is the debug output:
From "-Xx". Please use *just* "-X', as suggested everywhere.
Following basic instructions is the first step to fixing the problem.
> --
> rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239,
> length=51
> User-Name = "image"
> User-Password = "image"
> NAS-IP-Address = 10.2.1.75
> Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
> Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
> Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Hmm... you put the *authentication* configuration into the
*authorization* section.
Why?
See my web page for the *correct* configuration:
http://deployingradius.com/documents/configuration/active_directory.html
And you *deleted* "files" from the "authorize" section. This means
that the "users" file entry you posted above does *nothing*.
> PS: I know it is not best practice to specify the default auth-type but
> this is a single purpose server and I know what types of requests are
> going to come to it, anything other than what I want should be
> discarded.
(1) don't butcher the configuration.
(2) Follow the documentation
If you want to use the fail-over configuration for 2 versions of
ntlm_auth, read my web page and follow the instructions. Then, where it
says to list "ntlm_auth" in the "authenticate" section, *instead*, put:
Auth-Type ntlm_auth {
group {
ntlm_auth_Cru {
reject = 1
ok = return
}
ntlm_auth_UMHB {
reject = 1
ok = return
}
}
}
That should work.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users Digest, Vol 63, Issue 97
Please use proper etiquette on this list. Do not reply to digests (it plays havoc with threading). Do properly quote relevant material and trim the irrelevant material. Thank you. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
--- Pada Rab, 28/7/10, Alan Buxey menulis: > Dari: Alan Buxey > Judul: Re: /etc/freeradius/radiusd.conf[236]: Error binding to port for > 0.0.0.0 port 1812 > Kepada: "FreeRadius users mailing list" > > Cc: "Edi Sujono" > Tanggal: Rabu, 28 Juli, 2010, 6:01 PM > Hi, > > > Failed binding to socket: Address already in use > > /etc/freeradius/radiusd.conf[236]: Error binding to > port for 0.0.0.0 port 1812 > > fairly obvious - somethings already running on that port. > suggest that > the system is already starting the daemon... use the system > scripts to stop > the process (eg /etc/init.d/freeradius2 > stop or such) or killall > radiusd > > netatst -anp | grep 1812 > > will show the name of the process using port 1812 > > > once nothing is on that port, you can use it with radiusd > -X > > > alan > - Yes... thank you Alan, my freeradius is now running. thanks & best regards Edi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
Hi, > Failed binding to socket: Address already in use > /etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812 fairly obvious - somethings already running on that port. suggest that the system is already starting the daemon... use the system scripts to stop the process (eg /etc/init.d/freeradius2 stop or such) or killall radiusd netatst -anp | grep 1812 will show the name of the process using port 1812 once nothing is on that port, you can use it with radiusd -X alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
/etc/freeradius/radiusd.conf[236]: Error binding to port for 0.0.0.0 port 1812
Dear sir,
I had installed freeradius on ubuntu 9.04, but got an error when applying the
command :
freeradius -X
the result of freeradius -X command as per attachement file.
Your attention and help would be highly appreciated.
Thanks & best regards,
Edi Sujono
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Apr 30 2009 at
07:22:56
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
radiusd: Loading Realms and Home Servers
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_o
Re: Freeradius-Users Digest, Vol 63, Issue 97
I constently get this error: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user why? On 07/28/2010 08:07 AM, freeradius-users-requ...@lists.freeradius.org wrote: Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-requ...@lists.freeradius.org You can reach the person managing the list at freeradius-users-ow...@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re: SV: FR proxy to ACS and NPS with MS CHAP v2 (SagiBarOr) 2. RHDS (Natr Brazell) 3. RE: Bug #17 (MS-CHAP user names) (Garber, Neal) 4. incorrect auth-type (Sallee, Stephen (Jake)) 5. Re: RHDS (John Dennis) 6. coa proxy'ing with a NAC device (Kevin Ehlers) 7. Passing variables from inner tunnel (newtownz) -- Message: 1 Date: Tue, 27 Jul 2010 04:12:16 -0700 (PDT) From: SagiBarOr Subject: Re: SV: FR proxy to ACS and NPS with MS CHAP v2 To: freeradius-users@lists.freeradius.org Message-ID:<29275298.p...@talk.nabble.com> Content-Type: text/plain; charset=UTF-8 Thank you for the info Jan. The radiusd-x files were included in the zip files. Though I guess the other logs were overwhelming. I now posted the two log files here. The file cn-check_splitauth.log is from the first free radius. The file ldap_mschapv2.log is from the second FR server which does the MS CHAP v2 portion. Note that everything works in this confioguration. No issues. What I like the forum to advise, is what might be non std or missing in the MC CHAP v2 session, which FR overcomes it. When I replace the 2nd FR with MS NPS or Cisco NPS the authentication fails, looks like because the pwd (hash) does not match. Thnks Sagi Madsen.Jan JMD wrote: I think you need to stop the radius process and then start i with radiusd -X This will run freeradius in the window you are starting it in, in debug mode. On a Linux it will look something like this /usr/sbin/freeradius -X (Default Debian install directory) Or in a manually compiled /opt/freeradius-1.1.8/sbin/radiusd -X (My install location) And that output it comes from that is what Phil wants :) Best regards Jan Madsen -Oprindelig meddelelse- Fra: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] P? vegne af SagiBarOr Sendt: 15. juli 2010 09:46 Til: freeradius-users@lists.freeradius.org Emne: Re: FR proxy to ACS and NPS with MS CHAP v2 Thank you for the clarification Phil. I am not sure what "radius -x" means. I posted the two output files I have. Are these the ones? If not, pls elaborate. Note that these are the output files for the two FR servers, for which eveything is just fine. What does not work is when the second server is not FR but NPS or ACS. I hope this data will suffice to identify the issue or at least give good leads. Phil Mayers wrote: On 07/14/2010 11:17 PM, SagiBarOr wrote: Files posted. No. Post the output of "radiusd -X" to the list. We don't need anything else; just that. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html http://old.nabble.com/file/p29170161/cn-check_splitauth.log cn-check_splitauth.log http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29170161.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center. www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you. __ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, me
