Re: Authorization FreeRadius on Switches Extreme
Mark Ricardez Zarate wrote:
> Hi all I have a network with switches Extreme working with FreeRadius (Authentication), on documentation of Extreme http://www.extremenetworks.com/libraries/services/ExtremeXOSConceptsGuideSoftwareVersion12_3_rev2.zip explain that is possible implement with authorization, but I could not implement.

We're not going to download a large file, and read hundreds of pages of documentation just to figure out what you did wrong. You need to explain what you tried, and what happened.

> Someone Know how could implement authorization with FreeRadius? or is necessary use a language Script like unlang (Perl, Python)?

The server includes a *lot* of documentation which tells you how to implement authorization rules. Do you have a specific question about it?

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adding additional row to radcheck table
Hi everyone,

Radcheck usually stores CAP and PASSWORD, I have added an additional value to the dictionary and wanted to add that as a row in radcheck, like

ID  Username       Attribute  Op  Value
66  b...@internet  cancelled  ==  no

However when I then try to authenticate debug returns No known good password even though the Crypt-Password Attribute is still there. Deleting the line in the radcheck table and everything works again. Anybody see what I missed?

Regards
Marius
Re: Adding additional row to radcheck table
Marius Pesé wrote:
> Radcheck usually stores CAP and PASSWORD, I have added an additional value to the dictionary and wanted to add that as a row in radcheck, like
>
> ID  Username       Attribute  Op  Value
> 66  b...@internet  cancelled  ==  no

Which checks if the cancelled attribute exists, and if its value is no.

> However when I then try to authenticate debug returns “No known good password” even though the Crypt-Password Attribute is still there.

Probably because the cancelled attribute doesn't exist.

> Deleting the line in the radcheck table and everything works again. Anybody see what I missed?

Read the documentation for the SQL module to see how it works.

Alan DeKok.
Re: usergroup problems with separate auth and accounting databases
Trey Scarborough wrote:
> Alan DeKok wrote:
>> ...
>> Let me guess... you have policies for accounting which use SQL-Group?
>
> No It breaks the Authentication when I add the Accounting configuration

Fine. You have *authentication* policies which use SQL-Group. That's the issue.

When there is *one* SQL module, the SQL-Group attribute refers only to it. When there are *two* SQL modules... which one does it refer to? That's the problem you're running into.

The simple solution here is to use the instantiate section of radiusd.conf. List sql-acct first, and sql-auth section. That way, the SQL-Group comparison will use the sql-auth module, and not the sql-acct module.

Alan DeKok.
sqlcounter is not kicking users
Hello,

I configured sqlcounter on my radius server and trying to limit hotspot users time. But when time expires, Max-All-Session is not kicking users. (but when they log out, then they can't log in) How can I solve this problem?

I am using:
Freeradius 2
CentOS 5.3
Mikrotik as NAS.

My sqlcounter.conf:

sqlcounter noresetcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
}
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi

On 26 August 2010 23:35, Alan DeKok al...@deployingradius.com wrote:
> Jean-Yves Avenard wrote:
>> I am running freeradius that comes installed and configured with MacOS 10.6 server.
>> A Windows XP can connect just fine using Microsoft Protected EAP.
>> iPhone, mac os client connect just fine using EAP-TTLS
>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but not with the default build-in PEAP.
>
> The log you posted shows a clear issue:
>
>> When connecting with Windows 7, I would read:
>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the user's uuid.
>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0
>>
>> Any hint about what I should be looking at?
>
> Run the server in debugging mode (radiusd -X). Look for the above errors, and *read* the lines of text around them. Then use the information from the debug output to look the user up in OpenDirectory. Odds are that the user doesn't exist, which is why it can't get the UUID.
>
>> Mind new, I'm a complete noob when it comes to radius, I only started playing with it 2 days ago.
>
> This isn't much of a RADIUS error. The user lookup in OpenDirectory fails, and the UUID wasn't found. The only issue is *who* was being looked up, and *why* the UUID wasn't found.
>
> Alan DeKok.

Allright... Here are some logs...

rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=51, length=163
    User-Name = host/ramon
    NAS-IP-Address = 192.168.0.20
    NAS-Port = 0
    Called-Station-Id = 00-1C-B3-AD-13-5F:HYDRIX-TEST
    Calling-Station-Id = C4-46-19-25-31-52
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 0Mbps 802.11
    EAP-Message = 0x027e000f01686f73742f72616d6f6e
    Message-Authenticator = 0x4f4536256e97a2b596511e8560ef07ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/ramon, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 126 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_opendirectory: The host 192.168.0.20 does not have an access group.
rlm_opendirectory: Could not get the user's uuid.
++[opendirectory] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[snip]

By default it tries to connect with the computer name rather than the user name..

Going into the Advanced option, I can force the type of authentication use to User Authentication...

From there it worked ...
RE: rlm_perl error
I get this error when I run freeradius using this piece of code in my example.pl:

Can't modify constant item in scalar assignment at /etc/freeradius_commu/example.pl line 60, near NULL;
Execution of /etc/freeradius_commu/example.pl aborted due to compilation errors.
rlm_perl: perl_parse failed: /etc/freeradius_commu/example.pl not found or has syntax errors.
/etc/freeradius_commu/modules/perl[7]: Instantiation failed for module perl
/etc/freeradius_commu/sites-enabled/sfrwificommu[9]: Failed to find module perl.
/etc/freeradius_commu/sites-enabled/sfrwificommu[5]: Errors parsing authorize section.

-----Original Message-----
From: freeradius-users-bounces+aurelien.jund=sfr@lists.freeradius.org [mailto:freeradius-users-bounces+aurelien.jund=sfr@lists.freeradius.org] On behalf of Bjørn Mork
Sent: Wednesday, 25 August 2010 14:20
To: FreeRadius users mailing list
Subject: Re: rlm_perl error

JUND, Aurélien aurelien.j...@sfr.com writes:
> 3 hashes are given to the module and filled with value-pairs (Attribute names and values):
>
> # %RAD_CHECK    Read-only   Check items
> # %RAD_REQUEST  Read-only   Attributes from the request
> # %RAD_REPLY    Read-write  Attributes for the reply
>
> Why are %RAD_CHECK and %RAD_REQUEST Read-Only?

I believe this is wrong. rlm_perl copies data back from all 5 hashes (RAD_REQUEST, RAD_REPLY, RAD_CHECK, RAD_REQUEST_PROXY, RAD_REQUEST_PROXY_REPLY):

    if ((get_hv_content(rad_request_hv, &vp)) > 0 ) {
        pairfree(&request->packet->vps);
        request->packet->vps = vp;
        vp = NULL;

        /*
         * Update cached copies
         */
        request->username = pairfind(request->packet->vps, PW_USER_NAME);
        request->password = pairfind(request->packet->vps, PW_USER_PASSWORD);
        if (!request->password)
            request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD);
    }

    if ((get_hv_content(rad_reply_hv, &vp)) > 0 ) {
        pairfree(&request->reply->vps);
        request->reply->vps = vp;
        vp = NULL;
    }

    if ((get_hv_content(rad_check_hv, &vp)) > 0 ) {
        pairfree(&request->config_items);
        request->config_items = vp;
        vp = NULL;
    }

    if (request->proxy &&
        (get_hv_content(rad_request_proxy_hv, &vp) > 0)) {
        pairfree(&request->proxy->vps);
        request->proxy->vps = vp;
        vp = NULL;
    }

    if (request->proxy_reply &&
        (get_hv_content(rad_request_proxy_reply_hv, &vp) > 0)) {
        pairfree(&request->proxy_reply->vps);
        request->proxy_reply->vps = vp;
        vp = NULL;
    }

> I would like to add check item and modify the request. Is there a way to make them Read-write?

Try it and see if it works.

Bjørn
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard wrote:
> Here are some logs...
> ...
> rlm_opendirectory: The host 192.168.0.20 does not have an access group.

And... what does this message mean? It's an OpenDirectory error message, so find out what it means, and how to fix it.

> rlm_opendirectory: Could not get the user's uuid.

Which looks like a direct consequence of the previous message.

> By default it tries to connect with the computer name rather than the user name..

Because that's what's in the RADIUS packet. If you want it to use something *other* than what's in the packet, you will need to configure the server to use the correct field.

So which field do you want to use?

Alan DeKok.
Re: sqlcounter is not kicking users
ziko wrote:
> Hello, I configured sqlcounter on my radius server and trying to limit hotspot users time. But when time expires, Max-All-Session is not kicking users. (but when they log out, then they can't log in) How can I solve this problem?

Use a NAS that enforces Session-Timeout. This isn't a problem on the RADIUS server.

Alan DeKok.
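The split of responsibilities in this reply, as an added example that is not part of the original posts and is not FreeRADIUS code: a Python model of a never-reset session-time counter, running the SUM query from the posted sqlcounter configuration against a constructed in-memory radacct table. The user name, the 3600-second limit and all function names are assumptions; the model assumes the server decides only at login time and hands the remaining seconds back as Session-Timeout, which the NAS has to enforce.

```python
import sqlite3

# Query shape from the posted sqlcounter config, with the user name bound
# as a parameter instead of being expanded into the SQL string.
USAGE_QUERY = (
    "SELECT IFNULL(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?"
)


def make_radacct(rows):
    """Build a constructed in-memory radacct table (sample data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?)", rows)
    return db


def used_seconds(db, username):
    """Total session time already accounted for this user."""
    return db.execute(USAGE_QUERY, (username,)).fetchone()[0]


def authorize(db, username, max_all_session):
    """Login-time decision: reject when the budget is spent, otherwise
    accept and return the remaining seconds as Session-Timeout."""
    remaining = max_all_session - used_seconds(db, username)
    if remaining <= 0:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "Session-Timeout": remaining}


def nas_session(reply, wanted_seconds, enforces_timeout):
    """Seconds a session really lasts on the NAS (hypothetical NAS model).
    A NAS that ignores Session-Timeout lets the user stay connected."""
    if reply["code"] != "Access-Accept":
        return 0
    if enforces_timeout:
        return min(wanted_seconds, reply["Session-Timeout"])
    return wanted_seconds


def simulate(enforces_timeout, limit=3600):
    """One login, one session, one accounting Stop, then a second login."""
    user = "hotspot-user"                      # constructed user name
    db = make_radacct([(user, 3000)])          # constructed: 3000 s already used
    first = authorize(db, user, limit)
    lasted = nas_session(first, 5000, enforces_timeout)
    # The accounting Stop record is what makes the usage visible to the counter.
    db.execute("INSERT INTO radacct VALUES (?, ?)", (user, lasted))
    total = used_seconds(db, user)
    second = authorize(db, user, limit)
    return first, lasted, total, second


if __name__ == "__main__":
    for enforces in (True, False):
        print("NAS enforces Session-Timeout:", enforces, simulate(enforces))
```

In both runs the second login is rejected; only the NAS that honours Session-Timeout ends the first session at the limit, which matches the behaviour described in the question.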
Re: sqlcounter is not kicking users
Thank you for answer. I decided to use session-timeout with Max-All-Session. Session-timeout kicks users when time expires, but then they can log in again. and max-all-session and session-timeout alliance works great :)

From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Fri, August 27, 2010 2:46:46 PM
Subject: Re: sqlcounter is not kicking users

> ziko wrote:
>> Hello, I configured sqlcounter on my radius server and trying to limit hotspot users time. But when time expires, Max-All-Session is not kicking users. (but when they log out, then they can't log in) How can I solve this problem?
>
> Use a NAS that enforces Session-Timeout. This isn't a problem on the RADIUS server.
>
> Alan DeKok.
use freeRadius client to connect a java application
Hi,

In our company it's forbidden to use products with GPL License. So I cannot use Jradius client to connect my client application to a radius server. Since that FreeRadius is distributed under BSD, it's allowed to me to use this library.

My question is can you help me on how can I connect and authenticate my java application to a radius server using FreeRadius client??

Thanks in advance

Regards
Noura
Re: rlm_perl error
JUND wrote:
> I get this error when I run freeradius using this piece of code in my example.pl:
>
> Can't modify constant item in scalar assignment at /etc/freeradius_commu/example.pl line 60, near NULL;

There is no such text in the example.pl file which is included with FreeRADIUS. You have edited the file, and broken it.

Please consult the Perl documentation for how to write Perl scripts. This list cannot help you learn Perl.

Alan DeKok.
Re: rlm_perl error
Hi

my sent mail is not delivered :( please help me

2010/8/27 Alan DeKok al...@deployingradius.com
> JUND wrote:
>> I get this error when I run freeradius using this piece of code in my example.pl:
>>
>> Can't modify constant item in scalar assignment at /etc/freeradius_commu/example.pl line 60, near NULL;
>
> There is no such text in the example.pl file which is included with FreeRADIUS. You have edited the file, and broken it.
>
> Please consult the Perl documentation for how to write Perl scripts. This list cannot help you learn Perl.
>
> Alan DeKok.
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Hi

On 27 August 2010 20:46, Alan DeKok al...@deployingradius.com wrote:
> Jean-Yves Avenard wrote:
>> Here are some logs...
>> ...
>> rlm_opendirectory: The host 192.168.0.20 does not have an access group.
>
> And... what does this message mean? It's an OpenDirectory error message, so find out what it means, and how to fix it.

192.168.0.20 is the wireless access point

>> rlm_opendirectory: Could not get the user's uuid.
>
> Which looks like a direct consequence of the previous message.

no, this is a consequence of it trying to lookup the machine name instead of the user name

>> By default it tries to connect with the computer name rather than the user name..
>
> Because that's what's in the RADIUS packet. If you want it to use something *other* than what's in the packet, you will need to configure the server to use the correct field.
>
> So which field do you want to use?

As mentioned before; the username.

You seem to miss the point that the issue occurs *only* with Win 7 clients. All other clients are fine.
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
On 27/08/10 13:38, Jean-Yves Avenard wrote:
> You seem to miss the point that the issue occurs *only* with Win 7 clients. All other clients are fine.

Please post the debug output of freeradius, obtained by running:

radiusd -X

...for a working and failing case.
user password question
Is there a limit to the length of the user password? I have a client trying to connect via EAP-TTLS with the password quikynikinyoky (yeah strange default password eh) but I get a Wrong MSCHAPv2 response. If I change it to a short one, unl0ck, it works. The username is macaddr...@wimax.com by default where the words macaddress are the WAN address of the client.

David Peterson
Engineer
Wireless Connections
Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard wrote:
> You seem to miss the point that the issue occurs *only* with Win 7 clients. All other clients are fine.

I don't really care which client it is. All that matters is:

a) what data is in the packet
b) what you configure the server to do with that data

You have posted output from (a). That's nice. You *also* need (as I said already) to configure the server for (b).

Unfortunately, the OpenDirectory module does not take any configuration. This means that you will need to edit the User-Name attribute *before* it is used by the opendirectory module.

So... what *should* the User-Name look like? This is for you to decide.

Alan DeKok.
Re: user password question
David Peterson wrote:
> Is there a limit to the length of the user password?

128 characters.

> I have a client trying to connect via EAP-TTLS with the password quikynikinyoky (yeah strange default password eh) but I get a “Wrong MSCHAPv2 response”. If I change it to a short one, unl0ck, it works. The username is macaddr...@wimax.com by default where the words macaddress are the WAN address of the client.

shrug Try a simpler password. Maybe it was mistyped.

Alan DeKok.
Installation on debian with postgresql
Hi list,

I'm trying to install freeradius 2.0.4 on debian lenny and, after some googling, I'm arrived at the freeradius wiki (wiki.freeradius.org/SQL_HOWTO) that create me some headache...

Starting from say that I don't know if this can be wiki or debian problems (since, like all known, debian make modifies into all sources), I report here some consideration about that wiki page.

Starting saying that on my default configuration, I haven't found the authorise {} section, but only the authorize ones, the other chapter Populating SQL, refer a table that doesn't exist on the schema.sql. I'm speaking about usergroup.

A part of ask someone if can modify that page, my question is if there is a guide to the parameters that I can set to the various sql tables present on the same page. (for example like that for the operators)

Thanks,
Michele
EAP-MSCHAPv2 and smbpasswd
I've dug around in documentation looking to find out if EAP-MSCHAPv2 can use the smbpasswd file to authenticate wireless clients. Is it possible to have the smbpasswd file authenticate EAP-MSCHAPv2 requests?

Thanks!
Jonathan
Re[2]: How to debug rlm_perl in multithread?
Hello, Boian.

You wrote on 26 August 2010, 0:41:22:

BJ> On Aug 23, 2010, at 9:36 PM, Eugen Konkov wrote:

> HI, FreeRadius.
> when run radiusd -X it works fine. But when run in multithread (without -X) it core dump after ten or twelve queries to radiusd.

BJ> Alan maybe it will be useful to add this info to doc/bugs ?

BJ> Eugen Please do the following:

Can you be more specific on these steps please?

BJ> Install or recompile your libperl with debugging symbols Use ./Configure
BJ> -Doptimize='-g'. Recompile rlm_perl with -g. Recompile FreeRadius with --enable-developer
BJ> Rebuild your rlm_perl with new libperl
BJ> Then start it and attach with gdb
BJ> When problem occurs type bt and then look at the backtrace and find the first
BJ> function which accepts the my_perl argument
BJ> And if the core happens inside Perl post the output of printf "%d:%s\n", my_perl->Tcurcop->cop_line, my_perl->Tcurcop->cop_file if your perl version is
BJ> less than 5.10 otherwise use this printf "%d:%s\n", my_perl->Icurcop->cop_line, my_perl->Icurcop->cop_file
BJ> This will help us to find where the problem occurs.
BJ> Very Important.
BJ> If you are using DBI and do some queries to DB, please be sure to
BJ> use CLONE function to initialize DBI connection to DB.

> please help any.
> --
> Eugen Konkov mailto:kes-...@yandex.ru

BJ> Best Regards,
BJ> Boian Jordanov
BJ> Head of Voice Department
BJ> tel. +359 2 4004 723
BJ> tel. +359 2 4004 002

--
Best regards,
Konkov mailto:kes-...@yandex.ru
Re: usergroup problems with separate auth and accounting databases
Alan DeKok wrote:
> The simple solution here is to use the instantiate section of radiusd.conf. List sql-acct first, and sql-auth section. That way, the SQL-Group comparison will use the sql-auth module, and not the sql-acct module.
>
> Alan DeKok.

Thanks that fixed the problem I would have thought it would have been the other way sql_auth before sql-acct.
Re: use freeRadius client to connect a java application
Hi,

> In our company it's forbidden to use products with GPL License. So I cannot use Jradius client to connect my client application to a radius server.

well, that's a little ridiculous as a standpoint - what about if it can give you a competitive edge? surely business is about profits and returns to eg shareholders...not about some knee jerk reaction to software licencing models?

my $0.01

alan
Re: use freeRadius client to connect a java application
I agree :)

On 8/27/2010 8:42 PM, Alan Buxey wrote:
> ts a little ridiculous as a standpoint - what about if it can give you a competitive edge? surely business is about profits and returns to eg shareholders...not about some knee jerk reaction to software licencing models?
Re: EAP-MSCHAPv2 and smbpasswd
Jonathan Black wrote:
> I've dug around in documentation looking to find out if EAP-MSCHAPv2 can use the smbpasswd file to authenticate wireless clients. Is it possible to have the smbpasswd file authenticate EAP-MSCHAPv2 requests? Thanks!

The correct questions are:

Q: Can smbpasswd file read passwords?
A: Yes

Q: Can EAP-MSCHAPv2 use passwords to authenticate users?
A: Yes

The password lookup stage is separate from the use password to do authentication for a number of reasons.

Alan DeKok.
Re: Installation on debian with postgresql
Michele Petrazzo - Unipex wrote:
> Hi list, I'm trying to install freeradius 2.0.4

Why? That's a very old version.

> on debian lenny and, after some googling, I'm arrived at the freeradius wiki (wiki.freeradius.org/SQL_HOWTO) that create me some headache...

sigh Could you suggest *more* places for us to add documentation? The main web page (freeradius.org), and the other documentation that is included with the server mentions the Wiki.

Why search the net for information when you can read the documentation included with the software?

> Starting from say that I don't know if this can be wiki or debian problems (since, like all known, debian make modifies into all sources), I report here some consideration about that wiki page. Starting saying that on my default configuration, I haven't found the authorise {} section, but only the authorize ones,

What does that mean?

> the other chapter Populating SQL, refer a table that doesn't exist on the schema.sql. I'm speaking about usergroup.

The schemas are in raddb/sql/*/dialup.conf. This is documented in raddb/sql.conf.

> A part of ask someone if can modify that page, my question is if there is a guide to the parameters that I can set to the various sql tables present on the same page. (for example like that for the operators)

The Wiki page you found has exactly this documentation. It explains how the tables are used.

Alan DeKok.
Re: use freeRadius client to connect a java application
On Fri, Aug 27, 2010 at 6:05 PM, Noura Kossentini kossentini.no...@gmail.com wrote:
> Hi, In our company it's forbidden to use products with GPL License.

Is it because you don't want the end product to use GPL?

> So I cannot use Jradius client to connect my client application to a radius server. Since that FreeRadius is distributed under BSD, it's allowed to me to use this library.

AFAIK freeradius by itself does not have java bindings, so you can't connect it directly

Have you tried
http://www.google.com/search?q=radius+java
http://tinyradius.sourceforge.net/ (since it's LGPL, if you use it without modification, your end product does not have to be licensed as GPL/LGPL)

--
Fajar